feat(mcp): granular OAuth scopes and per-client rate limiting

- Split `media:read` into `geo:read` and `weather:read` scopes
- Add dedicated `atlas:read/write` scopes (previously under `places`)
- Add dedicated `todos:read/write` scopes (previously under `collab`)
- Rate limiting now keyed by userId+clientId instead of userId alone
- Bind MCP sessions to the OAuth client that created them
- Log MCP tool calls to audit log with clientId
- Invalidate all MCP sessions on addon state change
- Reduce session sweep interval from 10min to 1min
- Update all translations with new scope labels
jubnl
2026-04-11 02:06:09 +02:00
parent 4670d4914c
commit 535c06bb3f
39 changed files with 1930 additions and 237 deletions
+41 -9
@@ -10,6 +10,7 @@ import { ADDON_IDS } from '../addons';
import { registerResources } from './resources';
import { registerTools } from './tools';
import { McpSession, sessions, revokeUserSessions, revokeUserSessionsForClient } from './sessionManager';
import { writeAudit, getClientIp } from '../services/auditLog';
export { revokeUserSessions, revokeUserSessionsForClient };
@@ -102,13 +103,14 @@ interface RateLimitEntry {
count: number;
windowStart: number;
}
const rateLimitMap = new Map<number, RateLimitEntry>();
const rateLimitMap = new Map<string, RateLimitEntry>();
function isRateLimited(userId: number): boolean {
function isRateLimited(userId: number, clientId: string | null): boolean {
const key = `${userId}:${clientId ?? 'native'}`;
const now = Date.now();
const entry = rateLimitMap.get(userId);
const entry = rateLimitMap.get(key);
if (!entry || now - entry.windowStart > RATE_LIMIT_WINDOW_MS) {
rateLimitMap.set(userId, { count: 1, windowStart: now });
rateLimitMap.set(key, { count: 1, windowStart: now });
return false;
}
entry.count += 1;
@@ -136,13 +138,13 @@ const sessionSweepInterval = setInterval(() => {
}
}
const rateCutoff = Date.now() - RATE_LIMIT_WINDOW_MS;
for (const [uid, entry] of rateLimitMap) {
if (entry.windowStart < rateCutoff) rateLimitMap.delete(uid);
for (const [key, entry] of rateLimitMap) {
if (entry.windowStart < rateCutoff) rateLimitMap.delete(key);
}
if (cleaned > 0 || sessions.size > 0) {
console.log(`[MCP] Session sweep: cleaned ${cleaned}, active ${sessions.size}`);
}
}, 10 * 60 * 1000); // sweep every 10 minutes
}, 60 * 1000); // sweep every 1 minute
// Prevent the interval from keeping the process alive if nothing else is running
sessionSweepInterval.unref();
@@ -185,6 +187,20 @@ function verifyToken(authHeader: string | undefined): VerifyTokenResult | null {
return { user, scopes: null, clientId: null, isStaticToken: false };
}
function logToolCallAudit(req: Request, userId: number, clientId: string | null): void {
const body = req.body as Record<string, unknown> | undefined;
if (body?.method !== 'tools/call') return;
const toolName = (body?.params as Record<string, unknown> | undefined)?.name;
if (typeof toolName !== 'string') return;
writeAudit({
userId,
action: 'mcp.tool_call',
resource: toolName,
details: { clientId: clientId ?? 'native' },
ip: getClientIp(req),
});
}
export async function mcpHandler(req: Request, res: Response): Promise<void> {
if (!isAddonEnabled(ADDON_IDS.MCP)) {
res.status(403).json({ error: 'MCP is not enabled' });
@@ -198,7 +214,7 @@ export async function mcpHandler(req: Request, res: Response): Promise<void> {
}
const { user, scopes, clientId, isStaticToken } = tokenResult;
if (isRateLimited(user.id)) {
if (isRateLimited(user.id, clientId)) {
res.status(429).json({ error: 'Too many requests. Please slow down.' });
return;
}
@@ -216,7 +232,12 @@ export async function mcpHandler(req: Request, res: Response): Promise<void> {
res.status(403).json({ error: 'Session belongs to a different user' });
return;
}
if (session.clientId !== clientId) {
res.status(403).json({ error: 'Session was created with a different OAuth client' });
return;
}
session.lastActivity = Date.now();
logToolCallAudit(req, user.id, clientId);
try {
await session.transport.handleRequest(req, res, req.body);
} catch (err) {
@@ -279,17 +300,28 @@ export async function mcpHandler(req: Request, res: Response): Promise<void> {
},
});
logToolCallAudit(req, user.id, clientId);
try {
await server.connect(transport);
await transport.handleRequest(req, res, req.body);
} catch (err) {
console.error('[MCP] transport.handleRequest error:', err);
if (!res.headersSent) {
res.status(500).json({ error: 'Internal MCP error', detail: String(err) });
res.status(500).json({ error: 'Internal MCP error' });
}
}
}
/** Invalidate all active MCP sessions (call when addon state changes so sessions re-create with updated tools). */
export function invalidateMcpSessions(): void {
for (const [sid, session] of sessions) {
try { session.server.close(); } catch { /* ignore */ }
try { session.transport.close(); } catch { /* ignore */ }
sessions.delete(sid);
}
console.log('[MCP] All sessions invalidated due to addon state change');
}
/** Close all active MCP sessions (call during graceful shutdown). */
export function closeMcpSessions(): void {
clearInterval(sessionSweepInterval);
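Review bot: Keying `rateLimitMap` on `${userId}:${clientId ?? 'native'}` in isRateLimited gives each OAuth client its own window, so a user's aggregate request budget now scales with the number of clients they have authorized and no per-user ceiling remains. Consider also counting against a per-user key with a higher threshold and rejecting when either is exceeded; the threshold comparison lies past the end of this hunk, so it is not visible here. Separately, logToolCallAudit returns early unless `req.body` is a single object with `method === 'tools/call'`, so if the transport accepts JSON-RPC batch arrays those calls would go unaudited; iterating over `const msgs = Array.isArray(req.body) ? req.body : [req.body];` would close that gap. The audit entry is also written before the transport runs, so it records attempts rather than completed calls, which is worth stating in a comment on the function.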
+4 -4
@@ -200,7 +200,7 @@ export function registerResources(server: McpServer, userId: number, scopes: str
);
// Trip to-do list
if (isAddonEnabled(ADDON_IDS.PACKING) && canRead(scopes, 'collab')) server.registerResource(
if (isAddonEnabled(ADDON_IDS.PACKING) && canRead(scopes, 'todos')) server.registerResource(
'trip-todos',
new ResourceTemplate('trek://trips/{tripId}/todos', { list: undefined }),
{ description: 'To-do items for a trip, ordered by position', mimeType: 'application/json' },
@@ -224,7 +224,7 @@ export function registerResources(server: McpServer, userId: number, scopes: str
);
// User's bucket list
if (isAddonEnabled(ADDON_IDS.ATLAS) && canRead(scopes, 'places')) server.registerResource(
if (isAddonEnabled(ADDON_IDS.ATLAS) && canRead(scopes, 'atlas')) server.registerResource(
'bucket-list',
'trek://bucket-list',
{ description: 'Your personal travel bucket list', mimeType: 'application/json' },
@@ -235,7 +235,7 @@ export function registerResources(server: McpServer, userId: number, scopes: str
);
// User's visited countries
if (isAddonEnabled(ADDON_IDS.ATLAS) && canRead(scopes, 'places')) server.registerResource(
if (isAddonEnabled(ADDON_IDS.ATLAS) && canRead(scopes, 'atlas')) server.registerResource(
'visited-countries',
'trek://visited-countries',
{ description: 'Countries you have marked as visited in Atlas', mimeType: 'application/json' },
@@ -296,7 +296,7 @@ export function registerResources(server: McpServer, userId: number, scopes: str
);
// Atlas stats and regions (addon-gated)
if (isAddonEnabled(ADDON_IDS.ATLAS) && canRead(scopes, 'places')) {
if (isAddonEnabled(ADDON_IDS.ATLAS) && canRead(scopes, 'atlas')) {
server.registerResource(
'atlas-stats',
'trek://atlas/stats',
+29 -19
@@ -9,8 +9,12 @@ export const SCOPES = {
TRIPS_SHARE: 'trips:share',
PLACES_READ: 'places:read',
PLACES_WRITE: 'places:write',
ATLAS_READ: 'atlas:read',
ATLAS_WRITE: 'atlas:write',
PACKING_READ: 'packing:read',
PACKING_WRITE: 'packing:write',
TODOS_READ: 'todos:read',
TODOS_WRITE: 'todos:write',
BUDGET_READ: 'budget:read',
BUDGET_WRITE: 'budget:write',
RESERVATIONS_READ: 'reservations:read',
@@ -21,7 +25,8 @@ export const SCOPES = {
NOTIFICATIONS_WRITE: 'notifications:write',
VACAY_READ: 'vacay:read',
VACAY_WRITE: 'vacay:write',
MEDIA_READ: 'media:read',
GEO_READ: 'geo:read',
WEATHER_READ: 'weather:read',
} as const;
export type Scope = typeof SCOPES[keyof typeof SCOPES];
@@ -36,24 +41,29 @@ export interface ScopeInfo {
export const SCOPE_INFO: Record<Scope, ScopeInfo> = {
'trips:read': { label: 'View trips & itineraries', description: 'Read trips, days, day notes, and members', group: 'Trips' },
'trips:write': { label: 'Edit trips & itineraries', description: 'Create and update trips, days, notes, and manage members', group: 'Trips' },
'trips:delete': { label: 'Delete trips', description: 'Permanently delete entire trips — this action is irreversible', group: 'Trips' },
'trips:share': { label: 'Manage share links', description: 'Create, update, and revoke public share links for trips', group: 'Trips' },
'places:read': { label: 'View places & map data', description: 'Read places, day assignments, tags, categories, and visited countries', group: 'Places' },
'places:write': { label: 'Manage places', description: 'Create, update, and delete places, assignments, tags, and atlas entries', group: 'Places' },
'packing:read': { label: 'View packing lists', description: 'Read packing items, bags, and category assignees', group: 'Packing' },
'packing:write': { label: 'Manage packing lists', description: 'Add, update, delete, toggle, and reorder packing items and bags', group: 'Packing' },
'budget:read': { label: 'View budget', description: 'Read budget items and expense breakdown', group: 'Budget' },
'budget:write': { label: 'Manage budget', description: 'Create, update, and delete budget items', group: 'Budget' },
'reservations:read': { label: 'View reservations', description: 'Read reservations and accommodation details', group: 'Reservations' },
'reservations:write': { label: 'Manage reservations', description: 'Create, update, delete, and reorder reservations', group: 'Reservations' },
'collab:read': { label: 'View collaboration', description: 'Read collab notes, polls, messages, and to-do items', group: 'Collaboration' },
'collab:write': { label: 'Manage collaboration', description: 'Create, update, and delete collab notes, todos, polls, and messages', group: 'Collaboration' },
'notifications:read': { label: 'View notifications', description: 'Read in-app notifications and unread counts', group: 'Notifications' },
'notifications:write': { label: 'Manage notifications', description: 'Mark notifications as read and respond to them', group: 'Notifications' },
'vacay:read': { label: 'View vacation plans', description: 'Read vacation planning data, entries, and stats', group: 'Vacation' },
'vacay:write': { label: 'Manage vacation plans', description: 'Create and manage vacation entries, holidays, and team plans', group: 'Vacation' },
'media:read': { label: 'Maps & weather data', description: 'Search locations, resolve map URLs, and fetch weather forecasts', group: 'Media' },
'trips:write': { label: 'Edit trips & itineraries', description: 'Create and update trips, days, notes, and manage members', group: 'Trips' },
'trips:delete': { label: 'Delete trips', description: 'Permanently delete entire trips — this action is irreversible', group: 'Trips' },
'trips:share': { label: 'Manage share links', description: 'Create, update, and revoke public share links for trips', group: 'Trips' },
'places:read': { label: 'View places & map data', description: 'Read places, day assignments, tags, and categories', group: 'Places' },
'places:write': { label: 'Manage places', description: 'Create, update, and delete places, assignments, and tags', group: 'Places' },
'atlas:read': { label: 'View Atlas', description: 'Read visited countries, regions, and bucket list', group: 'Atlas' },
'atlas:write': { label: 'Manage Atlas', description: 'Mark countries and regions visited, manage bucket list', group: 'Atlas' },
'packing:read': { label: 'View packing lists', description: 'Read packing items, bags, and category assignees', group: 'Packing' },
'packing:write': { label: 'Manage packing lists', description: 'Add, update, delete, toggle, and reorder packing items and bags', group: 'Packing' },
'todos:read': { label: 'View to-do lists', description: 'Read trip to-do items and category assignees', group: 'To-dos' },
'todos:write': { label: 'Manage to-do lists', description: 'Create, update, toggle, delete, and reorder to-do items', group: 'To-dos' },
'budget:read': { label: 'View budget', description: 'Read budget items and expense breakdown', group: 'Budget' },
'budget:write': { label: 'Manage budget', description: 'Create, update, and delete budget items', group: 'Budget' },
'reservations:read': { label: 'View reservations', description: 'Read reservations and accommodation details', group: 'Reservations' },
'reservations:write': { label: 'Manage reservations', description: 'Create, update, delete, and reorder reservations', group: 'Reservations' },
'collab:read': { label: 'View collaboration', description: 'Read collab notes, polls, and messages', group: 'Collaboration' },
'collab:write': { label: 'Manage collaboration', description: 'Create, update, and delete collab notes, polls, and messages', group: 'Collaboration' },
'notifications:read': { label: 'View notifications', description: 'Read in-app notifications and unread counts', group: 'Notifications' },
'notifications:write': { label: 'Manage notifications', description: 'Mark notifications as read and respond to them', group: 'Notifications' },
'vacay:read': { label: 'View vacation plans', description: 'Read vacation planning data, entries, and stats', group: 'Vacation' },
'vacay:write': { label: 'Manage vacation plans', description: 'Create and manage vacation entries, holidays, and team plans', group: 'Vacation' },
'geo:read': { label: 'Maps & geocoding', description: 'Search locations, resolve map URLs, and reverse geocode coordinates', group: 'Geo' },
'weather:read': { label: 'Weather forecasts', description: 'Fetch weather forecasts for trip locations and dates', group: 'Weather' },
};
// ---------------------------------------------------------------------------
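Review bot: Dropping `media:read` and narrowing `places:*` and `collab:*` changes what already-issued tokens and stored consents mean, and no migration is visible in the sections shown here. Tokens holding only the old scopes appear to fail closed for the geo, weather, atlas and todo tools, which is the safe direction. However, a stored `media:read` no longer has a `SCOPE_INFO` entry, so any consent screen or client listing that looks up labels by scope may need a fallback. A short comment above `SCOPES` noting that scope strings are persisted, and that removing one needs a data cleanup, would help the next change.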
+1 -1
@@ -2,7 +2,7 @@ import { broadcast } from '../../websocket';
export function safeBroadcast(tripId: number, event: string, payload: Record<string, unknown>): void {
try {
broadcast(tripId, event, payload);
broadcast(tripId, event, { ...payload, _source: 'mcp' });
} catch (err) {
console.error(`[MCP] broadcast failed for ${event}:`, err?.message ?? err);
}
+4
@@ -111,6 +111,8 @@ export function registerAssignmentTools(server: McpServer, userId: number, scope
async ({ tripId, assignmentId, newDayId, oldDayId, orderIndex }) => {
if (isDemoUser(userId)) return demoDenied();
if (!canAccessTrip(tripId, userId)) return noAccess();
if (!getAssignmentForTrip(assignmentId, tripId)) return { content: [{ type: 'text' as const, text: 'Assignment not found.' }], isError: true };
if (!getDay(newDayId, tripId)) return { content: [{ type: 'text' as const, text: 'Day not found.' }], isError: true };
const result = moveAssignment(assignmentId, newDayId, orderIndex ?? 0, oldDayId);
safeBroadcast(tripId, 'assignment:moved', { assignment: result.assignment, oldDayId: result.oldDayId });
return ok({ assignment: result.assignment });
@@ -129,6 +131,7 @@ export function registerAssignmentTools(server: McpServer, userId: number, scope
},
async ({ tripId, assignmentId }) => {
if (!canAccessTrip(tripId, userId)) return noAccess();
if (!getAssignmentForTrip(assignmentId, tripId)) return { content: [{ type: 'text' as const, text: 'Assignment not found.' }], isError: true };
const participants = getAssignmentParticipants(assignmentId);
return ok({ participants });
}
@@ -148,6 +151,7 @@ export function registerAssignmentTools(server: McpServer, userId: number, scope
async ({ tripId, assignmentId, userIds }) => {
if (isDemoUser(userId)) return demoDenied();
if (!canAccessTrip(tripId, userId)) return noAccess();
if (!getAssignmentForTrip(assignmentId, tripId)) return { content: [{ type: 'text' as const, text: 'Assignment not found.' }], isError: true };
const participants = setAssignmentParticipants(assignmentId, userIds);
safeBroadcast(tripId, 'assignment:participants', { assignmentId, participants });
return ok({ participants });
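Review bot: In the move handler, `assignmentId` and `newDayId` are now checked against `tripId`, but `oldDayId` is still passed to `moveAssignment` unchecked. If `moveAssignment` uses it to reorder or update rows in the source day (its body is not shown), it should be validated the same way, for example `if (oldDayId != null && !getDay(oldDayId, tripId))` returning the same 'Day not found.' result. The not-found result literal is also repeated three times in this section; a small helper next to `noAccess()` would keep the responses consistent. The enclosing registerAssignmentTools starts and ends outside these hunks.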
+2 -2
@@ -16,8 +16,8 @@ import {
import { canRead, canWrite } from '../scopes';
export function registerAtlasTools(server: McpServer, userId: number, scopes: string[] | null): void {
const R = canRead(scopes, 'places');
const W = canWrite(scopes, 'places');
const R = canRead(scopes, 'atlas');
const W = canWrite(scopes, 'atlas');
if (!isAddonEnabled(ADDON_IDS.ATLAS)) return;
+2
@@ -78,6 +78,7 @@ export function registerDayTools(server: McpServer, userId: number, scopes: stri
async ({ tripId, dayId }) => {
if (isDemoUser(userId)) return demoDenied();
if (!canAccessTrip(tripId, userId)) return noAccess();
if (!getDay(dayId, tripId)) return { content: [{ type: 'text' as const, text: 'Day not found.' }], isError: true };
deleteDay(dayId);
safeBroadcast(tripId, 'day:deleted', { id: dayId });
return ok({ success: true });
@@ -152,6 +153,7 @@ export function registerDayTools(server: McpServer, userId: number, scopes: stri
async ({ tripId, accommodationId }) => {
if (isDemoUser(userId)) return demoDenied();
if (!canAccessTrip(tripId, userId)) return noAccess();
if (!getAccommodation(accommodationId, tripId)) return { content: [{ type: 'text' as const, text: 'Accommodation not found.' }], isError: true };
const { linkedReservationId } = deleteAccommodation(accommodationId);
safeBroadcast(tripId, 'accommodation:deleted', { id: accommodationId, linkedReservationId });
return ok({ success: true, linkedReservationId });
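Review bot: The new `getDay(dayId, tripId)` and `getAccommodation(accommodationId, tripId)` guards live in the handler while `deleteDay(dayId)` and `deleteAccommodation(accommodationId)` still act on a bare id, so the trip boundary depends on every caller remembering the check. Passing the owner into the mutation itself, for example `deleteDay(dayId, tripId)` with the trip id in the delete condition, would enforce it at the data layer; that is a service signature change outside what this page shows. The same applies to `updateTag(tagId, name, color)` and `deleteTag(tagId)` after `getTagByIdAndUser` in the tag tools section.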
+7 -6
@@ -9,11 +9,12 @@ import {
import { canRead } from '../scopes';
export function registerMapsWeatherTools(server: McpServer, userId: number, scopes: string[] | null): void {
if (!canRead(scopes, 'media')) return;
const canGeo = canRead(scopes, 'geo');
const canWeather = canRead(scopes, 'weather');
// --- MAPS EXTRAS ---
server.registerTool(
if (canGeo) server.registerTool(
'get_place_details',
{
description: 'Fetch detailed information about a place by its Google Place ID.',
@@ -30,7 +31,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
}
);
server.registerTool(
if (canGeo) server.registerTool(
'reverse_geocode',
{
description: 'Get a human-readable address for given coordinates.',
@@ -48,7 +49,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
}
);
server.registerTool(
if (canGeo) server.registerTool(
'resolve_maps_url',
{
description: 'Resolve a Google Maps share URL to coordinates and place name.',
@@ -66,7 +67,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
// --- WEATHER ---
server.registerTool(
if (canWeather) server.registerTool(
'get_weather',
{
description: 'Get weather forecast for a location and date.',
@@ -88,7 +89,7 @@ export function registerMapsWeatherTools(server: McpServer, userId: number, scop
}
);
server.registerTool(
if (canWeather) server.registerTool(
'get_detailed_weather',
{
description: 'Get hourly/detailed weather forecast for a location and date.',
+3 -1
@@ -1,7 +1,7 @@
import { McpServer } from '@modelcontextprotocol/sdk/server/mcp';
import { z } from 'zod';
import { isDemoUser } from '../../services/authService';
import { listTags, createTag, updateTag, deleteTag } from '../../services/tagService';
import { listTags, createTag, getTagByIdAndUser, updateTag, deleteTag } from '../../services/tagService';
import {
TOOL_ANNOTATIONS_READONLY, TOOL_ANNOTATIONS_WRITE,
TOOL_ANNOTATIONS_DELETE, TOOL_ANNOTATIONS_NON_IDEMPOTENT,
@@ -58,6 +58,7 @@ export function registerTagTools(server: McpServer, userId: number, scopes: stri
},
async ({ tagId, name, color }) => {
if (isDemoUser(userId)) return demoDenied();
if (!getTagByIdAndUser(tagId, userId)) return { content: [{ type: 'text' as const, text: 'Tag not found.' }], isError: true };
const tag = updateTag(tagId, name, color);
if (!tag) return { content: [{ type: 'text' as const, text: 'Tag not found.' }], isError: true };
return ok({ tag });
@@ -75,6 +76,7 @@ export function registerTagTools(server: McpServer, userId: number, scopes: stri
},
async ({ tagId }) => {
if (isDemoUser(userId)) return demoDenied();
if (!getTagByIdAndUser(tagId, userId)) return { content: [{ type: 'text' as const, text: 'Tag not found.' }], isError: true };
deleteTag(tagId);
return ok({ success: true });
}
+2 -2
@@ -17,8 +17,8 @@ import { isAddonEnabled } from '../../services/adminService';
import { ADDON_IDS } from '../../addons';
export function registerTodoTools(server: McpServer, userId: number, scopes: string[] | null): void {
const R = canRead(scopes, 'collab');
const W = canWrite(scopes, 'collab');
const R = canRead(scopes, 'todos');
const W = canWrite(scopes, 'todos');
if (!isAddonEnabled(ADDON_IDS.PACKING)) return;
+2 -1
@@ -167,8 +167,9 @@ export function registerTripTools(server: McpServer, userId: number, scopes: str
const canReadBudget = budgetEnabled && canRead(scopes, 'budget');
const canReadPacking = packingEnabled && canRead(scopes, 'packing');
const canReadCollab = collabEnabled && canRead(scopes, 'collab');
const canReadTodos = packingEnabled && canRead(scopes, 'todos');
const canReadRes = canRead(scopes, 'reservations');
const todos = canReadPacking ? listTodoItems(tripId) : [];
const todos = canReadTodos ? listTodoItems(tripId) : [];
let pollCount = 0;
let messageCount = 0;
if (canReadCollab) {
+3
@@ -3,6 +3,7 @@ import { authenticate, adminOnly } from '../middleware/auth';
import { AuthRequest } from '../types';
import { writeAudit, getClientIp, logInfo } from '../services/auditLog';
import * as svc from '../services/adminService';
import { invalidateMcpSessions } from '../mcp';
import { getPreferencesMatrix, setAdminPreferences } from '../services/notificationPreferencesService';
const router = express.Router();
@@ -292,6 +293,8 @@ router.put('/addons/:id', (req: Request, res: Response) => {
ip: getClientIp(req),
details: result.auditDetails,
});
// Invalidate all MCP sessions so they re-create with the updated addon tool set
invalidateMcpSessions();
res.json({ addon: result.addon });
});
+9 -2
@@ -193,8 +193,11 @@ oauthPublicRouter.post('/oauth/register', dcrLimiter, (req: Request, res: Respon
const authMethod = typeof body.token_endpoint_auth_method === 'string' ? body.token_endpoint_auth_method : 'client_secret_post';
const isPublic = authMethod === 'none';
// Resolve requested scopes — default to all supported scopes if not specified
const rawScope = typeof body.scope === 'string' ? body.scope : ALL_SCOPES.join(' ');
// Resolve requested scopes — scope is required; no implicit full-access grant
if (typeof body.scope !== 'string' || body.scope.trim() === '') {
return res.status(400).json({ error: 'invalid_client_metadata', error_description: 'scope is required' });
}
const rawScope = body.scope;
const requestedScopes = rawScope.split(' ').filter(s => (ALL_SCOPES as string[]).includes(s));
if (requestedScopes.length === 0) {
return res.status(400).json({ error: 'invalid_client_metadata', error_description: 'No valid scopes requested' });
@@ -351,6 +354,10 @@ oauthApiRouter.post('/authorize', requireCookieAuth, (req: Request, res: Respons
codeChallengeMethod: 'S256',
});
if (!code) {
return res.status(503).json({ error: 'server_error', error_description: 'Authorization server is temporarily unavailable' });
}
const url = new URL(redirect_uri);
url.searchParams.set('code', code);
if (state) url.searchParams.set('state', state);
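Review bot: Requiring `scope` removes the implicit full-access default, but the `split(' ').filter(...)` that follows still silently drops unknown scope names, so a client that requests one valid and one mistyped scope is registered with less than it asked for. If the registration response does not already echo the granted scopes, consider returning them, or reject unknown names outright with `invalid_client_metadata`. In the new authorize branch, OAuth defines `temporarily_unavailable` for this condition, so `error: 'temporarily_unavailable'` would be more precise than `server_error` alongside the 503. Both handlers extend beyond the hunks shown.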
+5 -3
@@ -33,6 +33,7 @@ interface PendingCode {
expiresAt: number;
}
const MAX_PENDING_CODES = 500;
const pendingCodes = new Map<string, PendingCode>();
setInterval(() => {
@@ -89,11 +90,11 @@ function timingSafeEqualHex(a: string, b: string): boolean {
}
function generateAccessToken(): string {
return 'trekoa_' + randomBytes(24).toString('hex');
return 'trekoa_' + randomBytes(32).toString('hex');
}
function generateRefreshToken(): string {
return 'trekrf_' + randomBytes(24).toString('hex');
return 'trekrf_' + randomBytes(32).toString('hex');
}
// ---------------------------------------------------------------------------
@@ -244,7 +245,8 @@ export function createAuthCode(params: {
scopes: string[];
codeChallenge: string;
codeChallengeMethod: 'S256';
}): string {
}): string | null {
if (pendingCodes.size >= MAX_PENDING_CODES) return null;
const rawCode = randomBytes(32).toString('hex');
pendingCodes.set(rawCode, { ...params, expiresAt: Date.now() + AUTH_CODE_TTL_MS });
return rawCode;
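Review bot: `createAuthCode` compares `pendingCodes.size` with a single global `MAX_PENDING_CODES`, so the cap bounds memory but also lets pending codes from one account use up the pool for every other user until they expire. The size check also counts entries that have expired but have not yet been removed by the sweep interval. Pruning expired entries before refusing, and adding a per-user limit, would keep the bound without the shared failure mode. A per-user limit could count entries whose user matches, if `params` carries a user id; the parameter list starts above the hunk, so this is not confirmed.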
+9 -2
@@ -24,14 +24,21 @@ describe('ALL_SCOPES', () => {
expect(ALL_SCOPES).toContain('trips:write');
expect(ALL_SCOPES).toContain('trips:delete');
expect(ALL_SCOPES).toContain('trips:share');
expect(ALL_SCOPES).toContain('places:read');
expect(ALL_SCOPES).toContain('places:write');
expect(ALL_SCOPES).toContain('atlas:read');
expect(ALL_SCOPES).toContain('atlas:write');
expect(ALL_SCOPES).toContain('budget:read');
expect(ALL_SCOPES).toContain('budget:write');
expect(ALL_SCOPES).toContain('packing:read');
expect(ALL_SCOPES).toContain('packing:write');
expect(ALL_SCOPES).toContain('todos:read');
expect(ALL_SCOPES).toContain('todos:write');
expect(ALL_SCOPES).toContain('collab:read');
expect(ALL_SCOPES).toContain('collab:write');
expect(ALL_SCOPES).toContain('places:read');
expect(ALL_SCOPES).toContain('places:write');
expect(ALL_SCOPES).toContain('geo:read');
expect(ALL_SCOPES).toContain('weather:read');
expect(ALL_SCOPES).not.toContain('media:read');
});
it('is a non-empty array', () => {
@@ -131,7 +131,7 @@ describe('Tool: delete_day', () => {
});
const data = parseToolResult(result) as any;
expect(data.success).toBe(true);
expect(broadcastMock).toHaveBeenCalledWith(trip.id, 'day:deleted', { id: day.id });
expect(broadcastMock).toHaveBeenCalledWith(trip.id, 'day:deleted', expect.objectContaining({ id: day.id }));
expect(testDb.prepare('SELECT id FROM days WHERE id = ?').get(day.id)).toBeUndefined();
});
});