webcake-storefront-mcp 1.1.0 → 1.1.2

package/README.md

@@ -150,7 +150,7 @@ Base URLs come from a **named environment** — set `WEBCAKE_ENV` (or `--env`) a
 
 Override a preset with `WEBCAKE_API_URL` / `WEBCAKE_APP_URL`. Optional, configured server-side:
 `PEXELS_API_KEY` (search_images), `MONGO_URI` (image-alt cache). Token / session / site can also be set
-in chat via `update_auth` and `switch_site` — saved to a local SQLite db at `~/.webcake-storefront-mcp/`.
+in chat via `update_auth` and `switch_site` — saved to a local config file at `~/.webcake-storefront-mcp/`.
 
 <details>
 <summary><b>How to get your token + session</b></summary>

package/README.vi.md

@@ -149,7 +149,7 @@ URL gốc lấy theo **môi trường có tên** — đặt `WEBCAKE_ENV` (hoặ
 
 Override bằng `WEBCAKE_API_URL` / `WEBCAKE_APP_URL`. Tuỳ chọn, đặt phía server:
 `PEXELS_API_KEY` (search_images), `MONGO_URI` (cache alt ảnh). Token / session / site cũng có thể đặt
-trong chat bằng `update_auth` và `switch_site` — lưu vào SQLite tại `~/.webcake-storefront-mcp/`.
+trong chat bằng `update_auth` và `switch_site` — lưu vào file cấu hình tại `~/.webcake-storefront-mcp/`.
 
 <details>
 <summary><b>Cách lấy token + session</b></summary>

package/dist/auth/oauth-server.js

@@ -8,29 +8,47 @@
  * the authorization code and carried through to the access token so the HTTP
  * layer can inject BOTH x-webcake-jwt AND x-webcake-session-id headers.
  *
- * Store: in-memory only (no Postgres dependency in the storefront MCP). For a
- * multi-instance deploy, replace with a shared store behind the same interface.
+ * STORE: Postgres when DATABASE_URL is set (tokens survive a `serve` restart and
+ * are shared across instances behind a load balancer), else in-memory maps
+ * (single-instance `serve`, stdio/`npx`, offline tests). Both implement the same
+ * async `OAuthStore` interface; the rest of this module is backend-agnostic.
+ *
+ * CACHE: Redis (when REDIS_URL is set) caches access_token → {jwt,wsid} so
+ * /mcp requests avoid a Postgres round-trip on every call. Postgres remains the
+ * source of truth; a Redis miss just falls through to Postgres. On Redis
+ * absence / error the lookup goes directly to the store.
+ *
+ * All exported state functions are async — callers (src/http.ts) already await them.
+ * All exported function names and signatures are IDENTICAL to the previous version
+ * so http.ts requires no changes.
  */
 import { randomBytes, createHash } from "node:crypto";
-// ---- TTLs ------------------------------------------------------------------
+import { getPg, ensureOAuthSchema } from "../persistence/postgres.js";
+import { getRedis } from "../persistence/redis.js";
+// ---- TTLs (override via env where useful) ----------------------------------
 const TEN_MIN = 10 * 60 * 1000;
 const ACCESS_TTL = Number(process.env.WEBCAKE_OAUTH_ACCESS_TTL_MS) || 60 * 60 * 1000; // 1h
 const REFRESH_TTL = Number(process.env.WEBCAKE_OAUTH_REFRESH_TTL_MS) || 30 * 24 * 60 * 60 * 1000; // 30d
 const CODE_TTL = TEN_MIN;
 const PENDING_TTL = TEN_MIN;
+// Redis key prefix + TTL for the access-token cache (slightly shorter than ACCESS_TTL
+// so stale cache entries never outlive the canonical Postgres row).
+const REDIS_TOKEN_PREFIX = "wc:at:";
+const REDIS_TOKEN_TTL_MS = ACCESS_TTL - 60_000; // 1 min earlier than token expiry
 function now() {
     return Date.now();
 }
 function token(bytes = 32) {
     return randomBytes(bytes).toString("base64url");
 }
-// ---- In-memory store -------------------------------------------------------
+// ---- In-memory store (default; no DATABASE_URL) ----------------------------
 class MemoryStore {
     clients = new Map();
     pending = new Map();
     codes = new Map();
     access = new Map();
     refresh = new Map();
+    /** Lazy sweep of anything expired — cheap, called on the hot paths. */
     sweep() {
         const t = now();
         for (const [k, v] of this.pending)
@@ -46,24 +64,24 @@ class MemoryStore {
             if (v.expiresAt < t)
                 this.refresh.delete(k);
     }
-    putClient(c) { this.clients.set(c.client_id, c); }
-    getClient(id) { return this.clients.get(id); }
-    putPending(state, p) { this.sweep(); this.pending.set(state, p); }
-    takePending(state) {
+    async putClient(c) { this.clients.set(c.client_id, c); }
+    async getClient(id) { return this.clients.get(id); }
+    async putPending(state, p) { this.sweep(); this.pending.set(state, p); }
+    async takePending(state) {
         this.sweep();
         const p = this.pending.get(state);
         this.pending.delete(state);
         return p && p.expiresAt >= now() ? p : undefined;
     }
-    putCode(code, c) { this.codes.set(code, c); }
-    takeCode(code) {
+    async putCode(code, c) { this.codes.set(code, c); }
+    async takeCode(code) {
         this.sweep();
         const c = this.codes.get(code);
         this.codes.delete(code);
         return c && c.expiresAt >= now() ? c : undefined;
     }
-    putAccess(t, a) { this.access.set(t, a); }
-    getAccess(t) {
+    async putAccess(t, a) { this.access.set(t, a); }
+    async getAccess(t) {
         const a = this.access.get(t);
         if (a && a.expiresAt < now()) {
             this.access.delete(t);
@@ -71,23 +89,170 @@ class MemoryStore {
         }
         return a;
     }
-    putRefresh(t, r) { this.refresh.set(t, r); }
-    takeRefresh(t) {
+    async putRefresh(t, r) { this.refresh.set(t, r); }
+    async takeRefresh(t) {
         this.sweep();
         const r = this.refresh.get(t);
         this.refresh.delete(t);
         return r && r.expiresAt >= now() ? r : undefined;
     }
-    revoke(t) { this.access.delete(t); this.refresh.delete(t); }
+    async revoke(t) { this.access.delete(t); this.refresh.delete(t); }
+}
+// ---- Postgres store (when DATABASE_URL is set) -----------------------------
+class PgStore {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async putClient(c) {
+        await this.pool.query(`INSERT INTO oauth_clients (client_id, client_name, redirect_uris, created_at)
+       VALUES ($1,$2,$3,$4)
+       ON CONFLICT (client_id) DO UPDATE SET client_name=$2, redirect_uris=$3`, [c.client_id, c.client_name ?? null, JSON.stringify(c.redirect_uris), c.created_at]);
+    }
+    async getClient(id) {
+        const { rows } = await this.pool.query(`SELECT client_id, client_name, redirect_uris, created_at FROM oauth_clients WHERE client_id=$1`, [id]);
+        const r = rows[0];
+        if (!r)
+            return undefined;
+        return {
+            client_id: r.client_id,
+            client_name: r.client_name ?? undefined,
+            redirect_uris: Array.isArray(r.redirect_uris)
+                ? r.redirect_uris
+                : JSON.parse(r.redirect_uris),
+            created_at: Number(r.created_at),
+        };
+    }
+    async putPending(state, p) {
+        await this.pool.query(`INSERT INTO oauth_pending (state, client_id, redirect_uri, code_challenge, client_state, scope, expires_at)
+       VALUES ($1,$2,$3,$4,$5,$6,$7)`, [state, p.client_id, p.redirect_uri, p.code_challenge, p.state ?? null, p.scope ?? null, p.expiresAt]);
+    }
+    async takePending(state) {
+        const { rows } = await this.pool.query(`DELETE FROM oauth_pending WHERE state=$1
+       RETURNING client_id, redirect_uri, code_challenge, client_state, scope, expires_at`, [state]);
+        const r = rows[0];
+        if (!r || Number(r.expires_at) < now())
+            return undefined;
+        return {
+            client_id: r.client_id,
+            redirect_uri: r.redirect_uri,
+            code_challenge: r.code_challenge,
+            state: r.client_state ?? undefined,
+            scope: r.scope ?? undefined,
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async putCode(code, c) {
+        await this.pool.query(`INSERT INTO oauth_codes (code, client_id, redirect_uri, code_challenge, scope, jwt, wsid, expires_at)
+       VALUES ($1,$2,$3,$4,$5,$6,$7,$8)`, [code, c.client_id, c.redirect_uri, c.code_challenge, c.scope ?? null, c.cred.jwt, c.cred.wsid, c.expiresAt]);
+    }
+    async takeCode(code) {
+        const { rows } = await this.pool.query(`DELETE FROM oauth_codes WHERE code=$1
+       RETURNING client_id, redirect_uri, code_challenge, scope, jwt, wsid, expires_at`, [code]);
+        const r = rows[0];
+        if (!r || Number(r.expires_at) < now())
+            return undefined;
+        return {
+            client_id: r.client_id,
+            redirect_uri: r.redirect_uri,
+            code_challenge: r.code_challenge,
+            scope: r.scope ?? undefined,
+            cred: { jwt: r.jwt, wsid: r.wsid ?? "" },
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async putAccess(t, a) {
+        await this.pool.query(`INSERT INTO oauth_access_tokens (token, jwt, wsid, scope, expires_at) VALUES ($1,$2,$3,$4,$5)`, [t, a.cred.jwt, a.cred.wsid, a.scope ?? null, a.expiresAt]);
+    }
+    async getAccess(t) {
+        const { rows } = await this.pool.query(`SELECT jwt, wsid, scope, expires_at FROM oauth_access_tokens WHERE token=$1`, [t]);
+        const r = rows[0];
+        if (!r)
+            return undefined;
+        if (Number(r.expires_at) < now()) {
+            await this.pool.query(`DELETE FROM oauth_access_tokens WHERE token=$1`, [t]);
+            return undefined;
+        }
+        return {
+            cred: { jwt: r.jwt, wsid: r.wsid ?? "" },
+            scope: r.scope ?? undefined,
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async putRefresh(t, r) {
+        await this.pool.query(`INSERT INTO oauth_refresh_tokens (token, jwt, wsid, client_id, scope, expires_at) VALUES ($1,$2,$3,$4,$5,$6)`, [t, r.cred.jwt, r.cred.wsid, r.client_id, r.scope ?? null, r.expiresAt]);
+    }
+    async takeRefresh(t) {
+        const { rows } = await this.pool.query(`DELETE FROM oauth_refresh_tokens WHERE token=$1
+       RETURNING jwt, wsid, client_id, scope, expires_at`, [t]);
+        const r = rows[0];
+        if (!r || Number(r.expires_at) < now())
+            return undefined;
+        return {
+            cred: { jwt: r.jwt, wsid: r.wsid ?? "" },
+            client_id: r.client_id,
+            scope: r.scope ?? undefined,
+            expiresAt: Number(r.expires_at),
+        };
+    }
+    async revoke(t) {
+        await this.pool.query(`DELETE FROM oauth_access_tokens WHERE token=$1`, [t]);
+        await this.pool.query(`DELETE FROM oauth_refresh_tokens WHERE token=$1`, [t]);
+    }
+}
+// ---- Backend selection (memoized) ------------------------------------------
+const memoryStore = new MemoryStore();
+let storePromise;
+/** Resolve the active store ONCE: Postgres if configured + schema ready, else memory. */
+function getStore() {
+    if (storePromise)
+        return storePromise;
+    storePromise = (async () => {
+        const pool = getPg();
+        if (pool && (await ensureOAuthSchema(pool)))
+            return new PgStore(pool);
+        return memoryStore;
+    })().catch((e) => {
+        console.error("[oauth] store init failed, using in-memory:", e?.message ?? e);
+        return memoryStore;
+    });
+    return storePromise;
+}
+// ---- Redis cache helpers (access-token only) --------------------------------
+/** Write {jwt,wsid} to Redis with the access-token TTL. Fire-and-forget. */
+function redisCachePut(redis, tok, cred) {
+    const val = JSON.stringify(cred);
+    redis.set(REDIS_TOKEN_PREFIX + tok, val, "PX", REDIS_TOKEN_TTL_MS).catch((e) => {
+        console.error("[redis] cache put error:", e?.message ?? e);
+    });
+}
+/** Read {jwt,wsid} from Redis. Returns null on miss or error. */
+async function redisCacheGet(redis, tok) {
+    try {
+        const raw = await redis.get(REDIS_TOKEN_PREFIX + tok);
+        if (!raw)
+            return null;
+        return JSON.parse(raw);
+    }
+    catch {
+        return null;
+    }
+}
+/** Evict an access-token key from Redis. Fire-and-forget. */
+function redisCacheDel(redis, tok) {
+    redis.del(REDIS_TOKEN_PREFIX + tok).catch((e) => {
+        console.error("[redis] cache del error:", e?.message ?? e);
+    });
 }
-const store = new MemoryStore();
 // ---- PKCE ------------------------------------------------------------------
+/** base64url( SHA256(verifier) ) — the S256 transform. */
 export function s256(verifier) {
     return createHash("sha256").update(verifier).digest("base64url");
 }
 export function verifyPkce(verifier, challenge) {
     if (!verifier || !challenge)
         return false;
+    // Constant-time-ish compare on equal-length base64url strings.
     const a = s256(verifier);
     if (a.length !== challenge.length)
         return false;
@@ -96,7 +261,7 @@ export function verifyPkce(verifier, challenge) {
         diff |= a.charCodeAt(i) ^ challenge.charCodeAt(i);
     return diff === 0;
 }
-export function registerClient(body) {
+export async function registerClient(body) {
     const uris = Array.isArray(body?.redirect_uris)
         ? body.redirect_uris.filter((u) => typeof u === "string" && /^https?:\/\//i.test(u))
         : [];
@@ -109,16 +274,17 @@ export function registerClient(body) {
         redirect_uris: uris,
         created_at: now(),
     };
-    store.putClient(client);
+    (await getStore()).putClient(client).catch((e) => console.error("[oauth] putClient:", e?.message ?? e));
     return { ok: true, client };
 }
-export function getClient(clientId) {
+export async function getClient(clientId) {
     if (!clientId)
         return undefined;
-    return store.getClient(clientId);
+    return (await getStore()).getClient(clientId);
 }
-export function startAuthorize(p) {
-    const client = p.client_id ? store.getClient(p.client_id) : undefined;
+export async function startAuthorize(p) {
+    const store = await getStore();
+    const client = p.client_id ? await store.getClient(p.client_id) : undefined;
     if (!client) {
         return { ok: false, error: "invalid_client", error_description: "Unknown client_id. Register first via /register.", redirectable: false };
     }
@@ -132,7 +298,7 @@ export function startAuthorize(p) {
         return { ok: false, error: "invalid_request", error_description: "PKCE with code_challenge_method=S256 is required.", redirectable: true };
     }
     const internalState = token(24);
-    store.putPending(internalState, {
+    await store.putPending(internalState, {
         client_id: client.client_id,
         redirect_uri: p.redirect_uri,
         code_challenge: p.code_challenge,
@@ -146,8 +312,9 @@ export function startAuthorize(p) {
  * The consent page (/mcp-storefront) bounced back with the user's jwt + wsid and our
  * internalState. Mint a one-time authorization code bound to that credential pair.
  */
-export function completeAuthorize(internalState, jwt, wsid) {
-    const p = internalState ? store.takePending(internalState) : undefined;
+export async function completeAuthorize(internalState, jwt, wsid) {
+    const store = await getStore();
+    const p = internalState ? await store.takePending(internalState) : undefined;
     if (!p) {
         return { ok: false, error: "invalid_request", error_description: "Authorization session expired or unknown — restart the connection." };
     }
@@ -155,7 +322,7 @@ export function completeAuthorize(internalState, jwt, wsid) {
         return { ok: false, error: "access_denied", error_description: "No WebCake token returned from login." };
     }
     const code = token(32);
-    store.putCode(code, {
+    await store.putCode(code, {
         client_id: p.client_id,
         redirect_uri: p.redirect_uri,
         code_challenge: p.code_challenge,
@@ -165,16 +332,21 @@ export function completeAuthorize(internalState, jwt, wsid) {
     });
     return { ok: true, redirectUri: p.redirect_uri, code, state: p.state };
 }
-function issueTokens(cred, client_id, scope) {
+async function issueTokens(store, cred, client_id, scope) {
     const access = token(32);
     const refresh = token(32);
-    store.putAccess(access, { cred, scope, expiresAt: now() + ACCESS_TTL });
-    store.putRefresh(refresh, { cred, client_id, scope, expiresAt: now() + REFRESH_TTL });
+    await store.putAccess(access, { cred, scope, expiresAt: now() + ACCESS_TTL });
+    await store.putRefresh(refresh, { cred, client_id, scope, expiresAt: now() + REFRESH_TTL });
+    // Warm the Redis cache immediately after issuing so the first /mcp request is a cache hit.
+    const redis = getRedis();
+    if (redis)
+        redisCachePut(redis, access, cred);
     return { access_token: access, token_type: "Bearer", expires_in: Math.floor(ACCESS_TTL / 1000), refresh_token: refresh, scope };
 }
-export function exchangeToken(p) {
+export async function exchangeToken(p) {
+    const store = await getStore();
     if (p.grant_type === "authorization_code") {
-        const c = p.code ? store.takeCode(p.code) : undefined;
+        const c = p.code ? await store.takeCode(p.code) : undefined;
         if (!c) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "Unknown or expired authorization code." };
         }
@@ -187,29 +359,53 @@ export function exchangeToken(p) {
         if (!p.code_verifier || !verifyPkce(p.code_verifier, c.code_challenge)) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "PKCE verification failed." };
         }
-        return { ok: true, body: issueTokens(c.cred, c.client_id, c.scope) };
+        return { ok: true, body: await issueTokens(store, c.cred, c.client_id, c.scope) };
     }
     if (p.grant_type === "refresh_token") {
-        const r = p.refresh_token ? store.takeRefresh(p.refresh_token) : undefined;
+        const r = p.refresh_token ? await store.takeRefresh(p.refresh_token) : undefined;
         if (!r) {
             return { ok: false, status: 400, error: "invalid_grant", error_description: "Unknown or expired refresh token." };
         }
-        return { ok: true, body: issueTokens(r.cred, r.client_id, r.scope) };
+        return { ok: true, body: await issueTokens(store, r.cred, r.client_id, r.scope) };
     }
     return { ok: false, status: 400, error: "unsupported_grant_type", error_description: "grant_type must be authorization_code or refresh_token." };
 }
 // ---- Resource-server side: resolve a Bearer access token to the cred pair --
-/** Returns the { jwt, wsid } for a valid, unexpired access token, else undefined. */
-export function resolveAccessToken(accessToken) {
+/**
+ * Returns the { jwt, wsid } for a valid, unexpired access token, else undefined.
+ *
+ * Hot path — hit on every /mcp request. Resolution order:
+ *   1. Redis cache (sub-millisecond, no Postgres round-trip)
+ *   2. Postgres / in-memory store (source of truth, backfills Redis on hit)
+ */
+export async function resolveAccessToken(accessToken) {
     if (!accessToken)
         return undefined;
-    return store.getAccess(accessToken)?.cred;
+    // 1. Try Redis cache first.
+    const redis = getRedis();
+    if (redis) {
+        const cached = await redisCacheGet(redis, accessToken);
+        if (cached)
+            return cached;
+    }
+    // 2. Fall through to the store (Postgres or memory).
+    const a = await (await getStore()).getAccess(accessToken);
+    if (!a)
+        return undefined;
+    // Backfill the Redis cache for next time.
+    if (redis)
+        redisCachePut(redis, accessToken, a.cred);
+    return a.cred;
 }
 /** Revoke an access or refresh token (best-effort; for /revoke). */
-export function revokeToken(t) {
+export async function revokeToken(t) {
     if (!t)
         return;
-    store.revoke(t);
+    // Evict from Redis cache before hitting the store so the slot is gone immediately.
+    const redis = getRedis();
+    if (redis)
+        redisCacheDel(redis, t);
+    await (await getStore()).revoke(t);
 }
 // ---- Metadata documents (RFC 8414 / RFC 9728) ------------------------------
 export function authServerMetadata(issuer) {

package/dist/config.js

@@ -1,6 +1,6 @@
 // Central resolution of connection settings for every entry path (stdio, install,
 // login, remote HTTP). Precedence: explicit overrides > environment variables >
-// saved config in the local SQLite db.
+// saved config in the local config file.
 import { WebcakeCmsApi } from "./api.js";
 import { getSavedConfig } from "./tools/context.js";
 // Per-environment endpoints so you can switch with `--env <name>` / WEBCAKE_ENV

package/dist/db.js

@@ -1,96 +1,83 @@
-import Database from "better-sqlite3";
-import { mkdirSync } from "node:fs";
+// Tiny JSON-file persistence (no native deps) for: (1) the saved connection config
+// (token / session / site / api_url / confirm_mode) and (2) the image-alt cache.
+//
+// Stored under a stable home dir so it survives `npx` (ephemeral package cache) and
+// container restarts. Two flat JSON files instead of SQLite — keeps the package light
+// and works in any runtime (Alpine, Docker `--ignore-scripts`, serverless) with no
+// native binding to build. The API is synchronous to match the call sites.
+import { mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { homedir } from "node:os";
 import { join } from "node:path";
-// Persist in a stable home directory so saved config survives `npx` (where the
-// package lives in an ephemeral cache dir) and rebuilds.
 const CONFIG_DIR = process.env.WEBCAKE_CONFIG_DIR || join(homedir(), ".webcake-storefront-mcp");
 mkdirSync(CONFIG_DIR, { recursive: true });
-const DB_PATH = join(CONFIG_DIR, "webcake-mcp.db");
-const db = new Database(DB_PATH);
-// WAL mode for better concurrent reads
-db.pragma("journal_mode = WAL");
-// ── Schema ──
-db.exec(`
-  CREATE TABLE IF NOT EXISTS config (
-    key   TEXT PRIMARY KEY,
-    value TEXT NOT NULL
-  );
-`);
-// ── Simple key-value helpers ──
-const stmtGet = db.prepare("SELECT value FROM config WHERE key = ?");
-const stmtSet = db.prepare("INSERT OR REPLACE INTO config (key, value) VALUES (?, ?)");
-const stmtDel = db.prepare("DELETE FROM config WHERE key = ?");
-const stmtAll = db.prepare("SELECT key, value FROM config");
+const CONFIG_FILE = join(CONFIG_DIR, "config.json");
+const ALT_FILE = join(CONFIG_DIR, "image-alt-cache.json");
+function readJson(file, fallback) {
+    try {
+        return JSON.parse(readFileSync(file, "utf-8"));
+    }
+    catch {
+        return fallback;
+    }
+}
+function writeJson(file, data) {
+    try {
+        writeFileSync(file, JSON.stringify(data), "utf-8");
+    }
+    catch (e) {
+        console.error("[db] write failed:", e?.message ?? e);
+    }
+}
+// ── Config (key/value) ───────────────────────────────────────────────────────
+const config = readJson(CONFIG_FILE, {});
 export function getConfig(key) {
-    const row = stmtGet.get(key);
-    return row ? row.value : null;
+    return key in config ? config[key] : null;
 }
 export function setConfig(key, value) {
-    stmtSet.run(key, String(value));
+    config[key] = String(value);
+    writeJson(CONFIG_FILE, config);
 }
 export function delConfig(key) {
-    stmtDel.run(key);
+    delete config[key];
+    writeJson(CONFIG_FILE, config);
 }
 export function getAllConfig() {
-    const rows = stmtAll.all();
-    const result = {};
-    for (const row of rows)
-        result[row.key] = row.value;
-    return result;
+    return { ...config };
 }
-// ── Image alt cache ──
-db.exec(`
-  CREATE TABLE IF NOT EXISTS image_alt_cache (
-    url_key    TEXT PRIMARY KEY,
-    url        TEXT NOT NULL,
-    alt        TEXT NOT NULL,
-    source     TEXT,
-    updated_at INTEGER NOT NULL
-  );
-`);
-const stmtAltGet = db.prepare("SELECT url_key, url, alt, source, updated_at FROM image_alt_cache WHERE url_key = ?");
-const stmtAltSet = db.prepare(`
-  INSERT INTO image_alt_cache (url_key, url, alt, source, updated_at)
-  VALUES (@url_key, @url, @alt, @source, @updated_at)
-  ON CONFLICT(url_key) DO UPDATE SET
-    url = excluded.url,
-    alt = excluded.alt,
-    source = excluded.source,
-    updated_at = excluded.updated_at
-`);
-const stmtAltList = db.prepare("SELECT url_key, url, alt, source, updated_at FROM image_alt_cache ORDER BY updated_at DESC LIMIT ? OFFSET ?");
-const stmtAltCount = db.prepare("SELECT COUNT(*) AS n FROM image_alt_cache");
+const altCache = readJson(ALT_FILE, {});
 export function getImageAlt(urlKey) {
-    return stmtAltGet.get(urlKey) || null;
+    return altCache[urlKey] || null;
 }
 export function getImageAlts(urlKeys) {
     const out = new Map();
     for (const k of urlKeys) {
-        const row = stmtAltGet.get(k);
+        const row = altCache[k];
         if (row)
             out.set(k, row);
     }
     return out;
 }
 export function setImageAlt({ url_key, url, alt, source = "ai" }) {
-    stmtAltSet.run({ url_key, url, alt, source, updated_at: Date.now() });
+    altCache[url_key] = { url_key, url, alt, source, updated_at: Date.now() };
+    writeJson(ALT_FILE, altCache);
 }
-export const setImageAlts = db.transaction((items) => {
+export function setImageAlts(items) {
     for (const it of items) {
-        stmtAltSet.run({
+        altCache[it.url_key] = {
             url_key: it.url_key,
             url: it.url,
             alt: it.alt,
             source: it.source || "ai",
             updated_at: Date.now(),
-        });
+        };
     }
-});
+    writeJson(ALT_FILE, altCache);
+}
 export function listImageAlts(limit = 100, offset = 0) {
-    return stmtAltList.all(limit, offset);
+    return Object.values(altCache)
+        .sort((a, b) => b.updated_at - a.updated_at)
+        .slice(offset, offset + limit);
 }
 export function countImageAlts() {
-    return stmtAltCount.get().n;
+    return Object.keys(altCache).length;
 }
-export default db;

package/dist/http.js

@@ -11,7 +11,7 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
 import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
 import { createServer } from "./server.js";
 import { makeApi, resolveEnv, ENVIRONMENTS, DEFAULT_ENV } from "./config.js";
-import { landingHtml, faviconSvg } from "./web-guide.js";
+import { landingHtml, faviconSvg, ogImageSvg, normalizeLang } from "./web-guide.js";
 import { privacyHtml, termsHtml } from "./legal.js";
 import { registerClient, startAuthorize, completeAuthorize, exchangeToken, resolveAccessToken, revokeToken, authServerMetadata, protectedResourceMetadata, } from "./auth/oauth-server.js";
 const MCP_PATH = "/mcp";
@@ -177,7 +177,7 @@ async function handleOAuth(req, res, path) {
         }
         const raw = await readRawBody(req);
         const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
-        const result = registerClient(body);
+        const result = await registerClient(body);
         if (!result.ok) {
             oauthError(res, 400, result.error, result.error_description);
             return true;
@@ -196,7 +196,7 @@ async function handleOAuth(req, res, path) {
     // ---- Authorize: validate + redirect to storefront consent page ----
     if (req.method === "GET" && path === OAUTH_AUTHORIZE) {
         const sp = new URL(req.url ?? "/", "http://x").searchParams;
-        const result = startAuthorize({
+        const result = await startAuthorize({
             client_id: sp.get("client_id"),
             redirect_uri: sp.get("redirect_uri"),
             response_type: sp.get("response_type"),
@@ -235,7 +235,7 @@ async function handleOAuth(req, res, path) {
         // Accept both 'token' and 'jwt' from the SPA (login.ts uses both aliases).
         const jwt = sp.get("token") || sp.get("jwt");
         const wsid = sp.get("wsid") || sp.get("session_id") || "";
-        const done = completeAuthorize(sp.get("state"), jwt, wsid);
+        const done = await completeAuthorize(sp.get("state"), jwt, wsid);
         if (!done.ok) {
             htmlError(res, 400, done.error_description);
             return true;
@@ -261,7 +261,7 @@ async function handleOAuth(req, res, path) {
         }
         const raw = await readRawBody(req);
         const body = parseBodyParams(raw, String(req.headers["content-type"] ?? ""));
-        const result = exchangeToken(body);
+        const result = await exchangeToken(body);
         if (!result.ok) {
             oauthError(res, result.status, result.error, result.error_description);
             return true;
@@ -295,6 +295,12 @@ export async function startHttpServer(port) {
             res.end(faviconSvg());
             return;
         }
+        // ---- OG social card ----
+        if (req.method === "GET" && path === "/og.svg") {
+            res.writeHead(200, { "content-type": "image/svg+xml", "cache-control": "public, max-age=86400" });
+            res.end(ogImageSvg());
+            return;
+        }
         // ---- Legal pages ----
         if (req.method === "GET" && (path === "/privacy" || path === "/privacy-policy")) {
             res.writeHead(200, { "content-type": "text/html; charset=utf-8", "cache-control": "public, max-age=3600" });
@@ -312,8 +318,9 @@ export async function startHttpServer(port) {
                 const accept = String(req.headers["accept"] ?? "");
                 const ua = String(req.headers["user-agent"] ?? "");
                 if (accept.includes("text/html") || BOT_UA.test(ua)) {
+                    const lang = normalizeLang(new URL(req.url ?? "/", "http://x").searchParams.get("lang"));
                     res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
-                    res.end(landingHtml(publicBase(req)));
+                    res.end(landingHtml(publicBase(req), lang));
                     return;
                 }
             }
@@ -334,7 +341,7 @@ export async function startHttpServer(port) {
         // Resolve an OAuth Bearer access token to { jwt, wsid } and inject both headers
         // so apiFromRequest picks them up — existing header/query paths remain untouched.
         const bearer = bearerFrom(req);
-        const oauthCred = resolveAccessToken(bearer);
+        const oauthCred = await resolveAccessToken(bearer);
         if (oauthCred) {
             if (req.headers["x-webcake-jwt"] == null) {
                 req.headers["x-webcake-jwt"] = oauthCred.jwt;