Consolidate 5 plugins into AgentKit + SaaSKit

.cursor-plugin/marketplace.json

@@ -1,49 +1,30 @@
 {
-  "name": "scalekit-authstack",
+  "name": "scalekit-auth-stack",
   "owner": {
     "name": "Scalekit Inc",
     "email": "support@scalekit.com"
   },
   "metadata": {
-    "description": "Everything that you need to add authstack to your projects. MCP Auth, Agent Auth, Full Stack Auth, Enterprise SSO, User Provisioning, and more.",
-    "version": "1.0.0",
+    "description": "Scalekit Auth Stack for Cursor — AgentKit and SaaSKit plugins. Add agent auth, tool calling, SSO, SCIM, MCP auth, and session management from Cursor.",
+    "version": "2.0.0",
     "pluginRoot": "plugins"
   },
   "plugins": [
     {
-      "name": "mcp-auth",
-      "source": "mcp-auth",
-      "description": "Guides users through adding production-ready OAuth 2.1 authorization to Model Context Protocol (MCP) servers",
-      "category": "testing",
-      "homepage": "https://docs.scalekit.com/authenticate/mcp/start-mcp-auth-coding-agents"
-    },
-    {
-      "name": "agent-auth",
-      "source": "agent-auth",
-      "description": "Implements Scalekit Agent Auth so AI agents can act in third-party apps (Gmail, Slack, Calendar, Notion) on behalf of users.",
+      "name": "agentkit",
+      "source": "agentkit",
+      "description": "Authentication for AI agents. OAuth flows, token vault, 100+ connectors (Gmail, Slack, Salesforce, etc.), tool discovery, and live testing — so agents can act on behalf of users.",
       "category": "agent auth",
-      "homepage": "https://docs.scalekit.com/authenticate/agent/start-agent-auth-coding-agents"
+      "homepage": "https://docs.scalekit.com/agentkit/overview",
+      "logo": "../assets/logo.svg"
     },
     {
-      "name": "full-stack-auth",
-      "source": "full-stack-auth",
-      "description": "Adds end-to-end authentication to B2B and AI apps including user management, organization handling, session management, RBAC, and login flows.",
+      "name": "saaskit",
+      "source": "saaskit",
+      "description": "Production-ready auth for B2B SaaS apps. Login, sessions, SSO (Okta, Azure AD, Google), SCIM provisioning, RBAC, MCP server auth, and API key management.",
       "category": "auth",
-      "homepage": "https://docs.scalekit.com"
-    },
-    {
-      "name": "modular-sso",
-      "source": "modular-sso",
-      "description": "Integrates with all popular SSO providers (Okta, JumpCloud, Entra ID, etc.) and allows users to login to your app using their existing identity provider.",
-      "category": "enterprise auth",
-      "homepage": "https://docs.scalekit.com"
-    },
-    {
-      "name": "modular-scim",
-      "source": "modular-scim",
-      "description": "Automates user and group provisioning and deprovisioning via SCIM 2.0 with identity providers like Okta, Entra ID, and JumpCloud.",
-      "category": "enterprise auth",
-      "homepage": "https://docs.scalekit.com"
+      "homepage": "https://docs.scalekit.com",
+      "logo": "../assets/logo.svg"
     }
   ]
 }

AGENTS.md

@@ -27,104 +27,49 @@ plugins/<plugin-name>/
   agents/                       Optional: custom sub-agents
   rules/                        Optional: Cursor rules (.mdc files with frontmatter)
   commands/                     Optional: slash commands
-  .mcp.json                     Optional: MCP server configuration
+  mcp.json                      Optional: MCP server configuration
+  hooks/hooks.json               Optional: lifecycle hooks
 ```
 
 ## Plugins
 
-### mcp-auth
+### agentkit
 
-OAuth 2.1 authorization for MCP servers using Scalekit.
+Authentication for AI agents. OAuth flows, token vault, 100+ connectors, tool discovery, and live testing.
 
 Skills:
-- `add-mcp-auth` — adds OAuth 2.1 auth to any MCP server
-- `mcp-auth-expressjs-scalekit` — Express.js MCP server with OAuth
-- `mcp-auth-fastapi-fastmcp-scalekit` — FastAPI + FastMCP with OAuth
-- `mcp-auth-fastmcp-scalekit` — FastMCP with Scalekit provider
-- `production-readiness-scalekit` — MCP auth production readiness checklist
+- `integrating-agentkit` — core integration: SDK setup, connected accounts, OAuth flows, token fetching, agent frameworks
+- `discovering-connector-tools` — live tool metadata discovery, schema inspection, tool set narrowing
+- `exposing-agentkit-via-mcp` — expose AgentKit tools through MCP for compatible runtimes
+- `production-readiness-agentkit` — production readiness checklist for AgentKit integrations
 
-Agents: `setup-auth.md`, `validate-mcp-auth.md`
+Rules: `terminology.mdc`, `live-metadata-first.mdc`, `tool-selection.mdc`
 
-Rules: `mcp-oauth-discovery.mdc`, `mcp-scope-authorization.mdc`, `mcp-secrets-hygiene.mdc`, `mcp-token-validation.mdc`, `no-secrets.mdc`
+References: `connected-accounts.md`, `code-samples.md`, `connectors.md`, `connections.md`, `byoc.md`, `redirects.md`, `tool-discovery.md`
 
-### agent-auth
+### saaskit
 
-Implements Scalekit Agent Auth so AI agents can act in third-party apps (Gmail, Slack, Calendar, Notion) on behalf of users.
+Production-ready auth for B2B SaaS apps. Login, sessions, SSO, SCIM, MCP server auth.
 
 Skills:
-- `agent-auth` — integrates Scalekit Agent Auth (OAuth flows, token storage, auto-refresh)
-- `building-agent-mcp-server` — creates Scalekit MCP servers with authenticated tool access
-- `production-readiness-scalekit` — agent auth production readiness checklist
+- `implementing-saaskit` — core auth flow: login, signup, callback, token exchange, session management, logout
+- `implementing-modular-sso` — enterprise SSO (SAML/OIDC) with 20+ IdPs, admin portal, JIT provisioning
+- `implementing-scim-provisioning` — SCIM 2.0 webhooks, user/group lifecycle, directory API
+- `adding-mcp-oauth` — OAuth 2.1 for MCP servers (FastMCP, Express, FastAPI reference files included)
+- `adding-api-auth` — API keys and client credentials for machine-to-machine auth
+- `implementing-access-control` — RBAC and permission enforcement using token claims
+- `implementing-saaskit-nextjs` — Next.js App Router integration
+- `implementing-saaskit-python` — Django, FastAPI, Flask integration
+- `managing-saaskit-sessions` — token storage, validation, refresh, revocation
+- `migrating-to-saaskit` — migration planner from existing auth systems
+- `testing-auth-setup` — validates auth config with the dryrun CLI
+- `production-readiness-saaskit` — unified production checklist across all SaaSKit domains
 
-Agents: `setup-scalekit.md`
+Agents: `setup-scalekit.md`, `scalekit-mcp-auth-troubleshooter.md`
 
-Rules: `oauth-security.mdc`
+Rules: `terminology.mdc`, `redirect-urls.mdc`
 
-References: `agent-connectors/` (connector-specific docs), `connected-accounts.md`, `code-samples.md`, `providers.md`, `connections.md`, `byoc.md`, `redirects.md`
-
-### full-stack-auth
-
-Production-ready authentication flows using Scalekit full-stack auth across common stacks.
-
-Skills:
-- `full-stack-auth` — complete auth flow (sign-up, login, logout, sessions)
-- `implementing-scalekit-nextjs-auth` — Next.js App Router integration
-- `implementing-scalekit-django-auth` — Django integration
-- `implementing-scalekit-fastapi-auth` — FastAPI integration
-- `implementing-scalekit-flask-auth` — Flask integration
-- `implementing-scalekit-go-auth` — Go (Gin) integration
-- `implementing-scalekit-springboot-auth` — Spring Boot integration
-- `implementing-scalekit-laravel-auth` — Laravel integration
-- `implement-logout` — complete logout flows across stacks
-- `implementing-access-control` — RBAC and permission checks
-- `implementing-admin-portal` — self-serve SSO/SCIM customer portal
-- `adding-api-key-auth` — API key creation, validation, and revocation
-- `adding-oauth2-to-apis` — OAuth 2.0 client-credentials for machine-to-machine auth
-- `manage-user-sessions` — secure session storage and token refresh
-- `migrating-to-scalekit-auth` — incremental migration from existing auth
-- `production-readiness-scalekit` — production readiness checklist
-
-Agents: `setup-scalekit.md`, `sdk-version-advisor.md`, `session-management-reviewer.md`, `scalekit-mcp-helper.md`
-
-Commands: `dryrun.md`
-
-Rules: `web-auth-security.mdc`
-
-References: `redirects.md`, `scalekit-logs.md`, `scalekit-user-profiles.md`
-
-### modular-sso
-
-Modular SSO flows using Scalekit for apps with existing user management.
-
-Skills:
-- `modular-sso` — complete SSO and authentication flows, IdP-initiated login, enterprise onboarding
-- `implementing-admin-portal` — self-serve SSO configuration portal
-- `production-readiness-scalekit` — SSO production readiness checklist
-
-Agents: `setup-scalekit.md`, `sso-validate.md`
-
-Commands: `dryrun-sso.md`
-
-Rules: `sso-security.mdc`
-
-References: `redirects.md`
-
-### modular-scim
-
-SCIM webhook provisioning with Scalekit for real-time user and group lifecycle management.
-
-Skills:
-- `modular-scim` — SCIM user provisioning via Scalekit's Directory API and webhooks
-- `implementing-admin-portal` — self-serve SCIM configuration portal
-- `production-readiness-scalekit` — SCIM production readiness checklist
-
-Agents: `setup-scalekit.md`, `scim-validate.md`
-
-Commands: `dryrun-scim.md`
-
-Rules: `scim-security.mdc`
-
-References: `redirects.md`
+References: `bring-your-own-auth.md`, `redirects.md`, `scalekit-logs.md`, `scalekit-mcp-server.md`, `scalekit-user-profiles.md`, `session-management-patterns.md`
 
 ## Non-negotiable rules
 
@@ -172,7 +117,7 @@ Context budget:
 
 ## MCP rules
 
-- `.mcp.json` must use environment variables for secrets, never inline credentials.
+- `mcp.json` must use environment variables for secrets, never inline credentials.
 - Tools must be outcome-focused and handle common failures inside the tool.
 - Validate all tool inputs at boundaries.
 

README.md

@@ -2,8 +2,8 @@
 
 <img src="./images/scalekit.jpg" alt="Scalekit" height="64">
 
-<p><strong>Scalekit Auth Plugins for Cursor — the auth stack for agents.</strong><br>
-Add SSO, SCIM, MCP Auth, agent auth, and tool-calling from your Cursor editor.</p>
+<p><strong>Scalekit Auth Stack for Cursor — AgentKit and SaaSKit plugins.</strong><br>
+Add agent auth, tool calling, SSO, SCIM, MCP auth, and session management from Cursor.</p>
 
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](./LICENSE)
 [![PRs Welcome](https://img.shields.io/badge/PRs-welcome-brightgreen.svg)](https://github.com/scalekit-inc/cursor-authstack/pulls)
@@ -14,27 +14,24 @@ Add SSO, SCIM, MCP Auth, agent auth, and tool-calling from your Cursor editor.</
 
 ---
 
-A Cursor plugin marketplace that brings production-ready authentication to your existing projects — right from inside Cursor.
+Setting up auth for B2B and AI apps is complex. Between agent OAuth flows, SSO providers, SCIM provisioning, MCP server auth, and session management, most developers spend weeks on auth instead of shipping features.
 
-Pick the auth you need: MCP auth, SSO, SCIM provisioning, agent auth, or full-stack authentication — and let Cursor's agent do the wiring for you.
+This marketplace adds the complete Scalekit auth stack to your projects — whether that's an AI agent, a B2B SaaS app, or an MCP server — directly from Cursor.
 
 ---
 
-### Plugins
+### Available Plugins
 
-| Plugin | What it does | Status |
-|--------|--------------|--------|
-| `mcp-auth` | OAuth 2.1 authorization for MCP servers — discovery endpoint, token validation, scope enforcement | Available |
-| `agent-auth` | Scalekit Agent Auth so AI agents can act in third-party apps (Gmail, Slack, Calendar, Notion) on behalf of users | Available |
-| `full-stack-auth` | Full-stack web authentication — login pages, sessions, protected routes, RBAC, and more | Available |
-| `modular-sso` | Enterprise SSO with 20+ identity providers (Okta, Entra ID, JumpCloud) via SAML/OIDC | Available |
-| `modular-scim` | SCIM 2.0 user provisioning, group sync, and directory lifecycle management | Available |
+| Plugin | Description |
+|--------|-------------|
+| **AgentKit** | Authentication for AI agents. OAuth flows, token vault, 100+ connectors (Gmail, Slack, Salesforce, etc.), tool discovery, and live testing — so agents can act on behalf of users. |
+| **SaaSKit** | Production-ready auth for B2B SaaS apps. Login, sessions, SSO (Okta, Azure AD, Google), SCIM provisioning, RBAC, MCP server auth, and API key management. |
 
 ---
 
 ### Installation
 
-The plugin bundle is currently **under review for the [Cursor Marketplace](https://cursor.com/marketplace)**. Once approved, you you will be able to install it directly from the Cursor plugin panel in a single click.
+The plugin bundle is currently **under review for the [Cursor Marketplace](https://cursor.com/marketplace)**. Once approved, you will be able to install it directly from the Cursor plugin panel in a single click.
 
 Until then, use the bootstrap installer:
 
@@ -73,43 +70,18 @@ If you prefer a manual install, each plugin can also be copied into `~/.cursor/p
 
 ---
 
-### Plugin Details
+### Repository Structure
 
-#### mcp-auth
-
-The `mcp-auth` plugin adds production-ready OAuth 2.1 authorization to any MCP server. Once installed, Cursor's agent will:
-
-- Serve a `/.well-known/oauth-protected-resource` discovery endpoint so MCP clients (Claude Desktop, Cursor, VS Code) can automatically find your authorization server
-- Add a Bearer token validation middleware that checks audience, issuer, expiry, and scopes before any MCP tool runs
-- Wire up per-tool scope enforcement so each tool only executes for users with the right permissions
-- Support both **Node.js** (Express / FastMCP) and **Python** (FastAPI / FastMCP) out of the box
-
-This plugin uses [Scalekit](https://docs.scalekit.com/authenticate/mcp/start-mcp-auth-coding-agents/) as the OAuth 2.1 authorization server.
-
-#### agent-auth
-
-The `agent-auth` plugin implements Scalekit Agent Auth — so your AI agents can act on behalf of users in Gmail, Slack, Notion, Google Calendar, and 40+ other connected services.
-
-Skills:
-- `agent-auth` — integrates Scalekit Agent Auth with OAuth flows and automatic token refresh
-- `building-agent-mcp-server` — creates a Scalekit MCP server with multi-service tool access
-- `production-readiness-scalekit` — production readiness checklist for agent OAuth flows
-
-#### full-stack-auth
-
-The `full-stack-auth` plugin adds end-to-end authentication to B2B and AI apps using Scalekit. One integration enables: social sign-in, magic links, enterprise SSO, workspaces, MCP authentication, SCIM provisioning, and user management.
-
-Skills for major stacks: Next.js, Django, FastAPI, Flask, Go (Gin), Spring Boot, Laravel.
-
-Additional skills: logout, access control, admin portal, API key auth, OAuth2 for APIs, session management, auth migration, and production readiness.
-
-#### modular-sso
-
-The `modular-sso` plugin integrates enterprise SSO with existing user management systems. It handles IdP-initiated and SP-initiated login, attribute mapping, JIT provisioning, and enterprise customer onboarding via the admin portal.
-
-#### modular-scim
-
-The `modular-scim` plugin adds SCIM 2.0 directory sync to applications. It handles real-time user provisioning, deprovisioning, and group membership changes from enterprise identity providers.
+```
+.
+├── plugins/
+│   ├── agentkit/         # AI agent authentication (AgentKit)
+│   └── saaskit/          # B2B SaaS authentication (SaaSKit)
+├── images/               # Documentation images
+├── scripts/              # Install scripts
+├── AGENTS.md             # Contribution guidelines
+└── LICENSE               # MIT License
+```
 
 ---
 
@@ -119,16 +91,18 @@ The `modular-scim` plugin adds SCIM 2.0 directory sync to applications. It handl
 - Cursor installed and configured
 - Project where you want to add authentication
 
+> **Windows**: install.sh requires macOS or Linux (or WSL on Windows). Native Windows PowerShell install is not yet supported.
+
 ---
 
 ### Helpful Links
 
 #### Documentation
 
 - [Scalekit Documentation](https://docs.scalekit.com) — Complete guides and API reference
-- [SSO Quickstart](https://docs.scalekit.com/sso/quickstart/) — Implement enterprise SSO
-- [MCP Auth Guide](https://docs.scalekit.com/mcp-auth/quickstart/) — Secure MCP servers
-- [Agent Auth Guide](https://docs.scalekit.com/agent-auth/quickstart/) — Authentication for AI agents
+- [Modular SSO guide](https://docs.scalekit.com/authenticate/sso/add-modular-sso/) — Implement enterprise SSO
+- [MCP Auth guide](https://docs.scalekit.com/authenticate/mcp/quickstart/) — Secure MCP servers
+- [AgentKit overview](https://docs.scalekit.com/agentkit/overview) — Connect agents to authenticated tools
 
 #### Resources
 

install.sh

@@ -7,7 +7,7 @@ REPO_REF="${CURSOR_AUTHSTACK_REF:-main}"
 SOURCE_DIR="${CURSOR_AUTHSTACK_SOURCE_DIR:-}"
 
 if [[ -n "$SOURCE_DIR" ]]; then
-  exec "${SOURCE_DIR%/}/scripts/install_locally.sh"
+  exec "${SOURCE_DIR%/}/scripts/install.sh"
 fi
 
 TMP_DIR="$(mktemp -d)"
@@ -27,9 +27,10 @@ tar -xzf "$ARCHIVE_PATH" -C "$TMP_DIR"
 
 EXTRACTED_DIR="$(find "$TMP_DIR" -mindepth 1 -maxdepth 1 -type d | head -n 1)"
 
-if [[ -z "$EXTRACTED_DIR" ]] || [[ ! -x "$EXTRACTED_DIR/scripts/install_locally.sh" ]]; then
+if [[ -z "$EXTRACTED_DIR" ]] || [[ ! -f "$EXTRACTED_DIR/scripts/install.sh" ]]; then
   echo "Failed to find installer in downloaded archive." >&2
   exit 1
 fi
 
-exec "$EXTRACTED_DIR/scripts/install_locally.sh"
+chmod +x "$EXTRACTED_DIR/scripts/install.sh"
+exec "$EXTRACTED_DIR/scripts/install.sh"