fix(mcp-server): make Vercel deployment actually work

apps/mcp-server/api/index.js

@@ -0,0 +1,5 @@
+// Thin JS wrapper — imports the pre-compiled handler from dist/ so @vercel/node
+// does not have to run TypeScript over the heavy imports in src/vercel-handler.ts.
+// The `bun run build` step (executed by Vercel before bundling functions)
+// produces dist/vercel-handler.js.
+export { default } from "../dist/vercel-handler.js";

apps/mcp-server/src/auth/oauth-handlers.ts

@@ -29,6 +29,8 @@ export interface OAuthConfig {
   calApiBaseUrl: string;
   /** Cal.com app base URL for authorize redirect (default: https://app.cal.com) */
   calAppBaseUrl?: string;
+  /** Space-separated Cal.com OAuth scopes (e.g. "BOOKING_READ BOOKING_WRITE") */
+  calOAuthScopes?: string;
 }
 
 const MAX_BODY_SIZE = 1024 * 1024; // 1 MB
@@ -186,6 +188,9 @@ export async function handleAuthorize(
     calAuthUrl.searchParams.set("code_challenge_method", "S256");
   }
   calAuthUrl.searchParams.set("response_type", "code");
+  if (config.calOAuthScopes) {
+    calAuthUrl.searchParams.set("scope", config.calOAuthScopes);
+  }
 
   res.writeHead(302, { Location: calAuthUrl.toString() });
   res.end();

apps/mcp-server/src/auth/oauth-metadata.ts

@@ -34,6 +34,9 @@ export function buildAuthorizationServerMetadata(config: OAuthServerConfig): Rec
 export function buildProtectedResourceMetadata(config: OAuthServerConfig): Record<string, unknown> {
   const serverUrl = config.serverUrl.replace(/\/+$/, "");
   return {
+    // resource is the server identifier (base URL). Per RFC 9728 §3 the client constructs
+    // the discovery URL as "https://host/.well-known/oauth-protected-resource" — no path
+    // suffix — so resource must stay as the base URL, not the /mcp endpoint path.
     resource: serverUrl,
     authorization_servers: [serverUrl],
     bearer_methods_supported: ["header"],

apps/mcp-server/src/config.ts

@@ -50,6 +50,11 @@ const httpSchema = baseSchema.extend({
     .regex(/^[0-9a-fA-F]+$/, "TOKEN_ENCRYPTION_KEY must be valid hex"),
   serverUrl: z.string().url("MCP_SERVER_URL must be a valid URL"),
   databaseUrl: z.string().min(1, "DATABASE_URL is required for HTTP mode"),
+  calOAuthScopes: z
+    .string()
+    .default(
+      "EVENT_TYPE_READ EVENT_TYPE_WRITE BOOKING_READ BOOKING_WRITE SCHEDULE_READ SCHEDULE_WRITE APPS_READ APPS_WRITE PROFILE_READ PROFILE_WRITE",
+    ),
   rateLimitWindowMs: z.coerce.number().int().positive().default(60_000),
   rateLimitMax: z.coerce.number().int().positive().default(30),
   maxSessions: z.coerce.number().int().positive().default(10_000),
@@ -84,6 +89,7 @@ function readEnv(): Record<string, unknown> {
     tokenEncryptionKey: process.env.TOKEN_ENCRYPTION_KEY || undefined,
     serverUrl: process.env.MCP_SERVER_URL || undefined,
     databaseUrl: process.env.DATABASE_URL || undefined,
+    calOAuthScopes: process.env.CAL_OAUTH_SCOPES || undefined,
     rateLimitWindowMs: process.env.RATE_LIMIT_WINDOW_MS || undefined,
     rateLimitMax: process.env.RATE_LIMIT_MAX || undefined,
     maxSessions: process.env.MAX_SESSIONS || undefined,

apps/mcp-server/src/index.ts

@@ -26,6 +26,7 @@ async function main(): Promise<void> {
         calOAuthClientSecret: httpConfig.calOAuthClientSecret,
         calApiBaseUrl: httpConfig.calApiBaseUrl,
         calAppBaseUrl: httpConfig.calAppBaseUrl,
+        calOAuthScopes: httpConfig.calOAuthScopes,
       },
       rateLimitWindowMs: httpConfig.rateLimitWindowMs,
       rateLimitMax: httpConfig.rateLimitMax,

apps/mcp-server/src/storage/db.ts

@@ -4,7 +4,10 @@ export const pool = createPool({
   connectionString: process.env.DATABASE_URL,
 });
 
-export const sql = pool.sql;
+// Bind so the tagged template keeps its `this` — destructuring `pool.sql`
+// loses the binding and @vercel/postgres then reads `connectionString` off
+// `undefined` at call time.
+export const sql = pool.sql.bind(pool);
 
 let initialized = false;