jubnl cb3aeda8e0 fix(oauth): add public RFC 7591 DCR endpoint at POST /oauth/register ...

Claude.ai's start-auth flow POSTs to the registration_endpoint advertised
in the discovery document, but no public handler existed at /oauth/register
(only /api/oauth/register with browser cookie auth). This caused a
start_error redirect immediately on every connect attempt.

- Add POST /oauth/register to oauthPublicRouter following RFC 7591
- Make oauth_clients.user_id nullable via a raw (no-transaction) migration
  so anonymous DCR clients can be created without a user context
- Update migration runner to support { raw: () => void } migrations for
  DDL that requires PRAGMA foreign_keys = OFF outside a transaction
- Update createOAuthClient to accept userId: number | null with a global
  cap (500) for anonymous DCR clients in place of the per-user limit

2026-04-10 05:42:18 +02:00

..

public

chore(CRLF): normalize index.html line endings to LF

2026-04-05 04:35:17 +02:00

scripts

feat: add encryption key migration script and document it in README

2026-04-01 09:35:32 +02:00

src

fix(oauth): add public RFC 7591 DCR endpoint at POST /oauth/register

2026-04-10 05:42:18 +02:00

tests

security(oauth): harden OAuth 2.1/MCP implementation (Critical + High + Medium findings)

2026-04-10 02:03:27 +02:00

.env.example

feat(mcp): add MCP_MAX_SESSION_PER_USER env var and document it everywhere

2026-04-06 00:09:22 +02:00

package-lock.json

feat(mcp): introduce OAuth 2.1 auth and enforce addon gating

2026-04-09 22:25:58 +02:00

package.json

chore: bump version to 2.9.12 [skip ci]

2026-04-09 15:48:10 +00:00

reset-admin.js

Stabilize core: better-sqlite3, versioned migrations, graceful shutdown

2026-03-22 17:52:24 +01:00

tsconfig.json

some fixes

2026-03-30 06:59:24 +02:00

vitest.config.ts

refactor(mcp): replace direct DB access with service layer calls

2026-04-04 18:12:53 +02:00