DB status: ✅ COMPLETE — frontend work remaining
The first_party_clients allow-list table (#78) and the DB helpers are live. Frontend middleware work is still outstanding.
Critical change since this issue was written: auth is WorkOS
Authentication for the Nyuchi ecosystem is moving to WorkOS (SSO, JWT, multi-tenancy). This is recorded in infrastructure_topology (service = 'auth', runtime = 'workos').
The resolveTenant middleware described here should ultimately validate WorkOS JWTs rather than SHA-256 hashing of bearer tokens against first_party_clients. The first_party_clients table remains valid as an allow-list for programmatic API access (CLI tools, CI pipelines) but the primary auth path for human users is WorkOS AuthKit.
Implementation note for the MCP whoami tool
The whoami tool on the MCP server will move to mcp.nyuchi.dev/design (Cloudflare Worker, Rust/WASM). In the interim, the existing TypeScript app/mcp/route.ts implementation is the target. The WorkOS JWT validation pattern is documented in the cloudflare-worker-rust skill in the skills table — fetch it via the Nyuchi Design MCP get_skill tool before implementing.
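An added example, not the project's own code, of the dual-path routing described above for resolveTenant: JWT-shaped bearer tokens go only to a JWT verifier, and everything else is SHA-256 hashed and looked up in the allow-list. The row shape, the reason strings, the synchronous verifyJwt stand-in for WorkOS validation and all sample values are assumptions made for illustration.

```typescript
import { createHash } from "node:crypto";

// Assumed row shape: the real first_party_clients columns are not shown on the page.
type ClientRow = { clientId: string; tenantId: string };
// Hypothetical stand-in for WorkOS JWT validation (signature, issuer, expiry).
// Synchronous here so the example runs offline; a real verifier would be async.
type JwtVerifier = (jwt: string) => { subject: string; tenantId: string } | null;
type Resolved =
  | { ok: true; via: "workos-jwt" | "first-party-client"; tenantId: string; subject: string }
  | { ok: false; reason: string };

const sha256Hex = (s: string): string =>
  createHash("sha256").update(s, "utf8").digest("hex");

// Three dot-separated base64url segments: route to the JWT path only.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

function resolveTenant(
  authHeader: string | undefined,
  clientsByHash: Map<string, ClientRow>, // key: SHA-256 hex of the bearer token
  verifyJwt: JwtVerifier,
): Resolved {
  const m = /^Bearer (\S+)$/.exec(authHeader ?? "");
  if (!m) return { ok: false, reason: "missing_or_malformed_bearer" };
  const token: string = m[1] ?? "";
  if (JWT_SHAPE.test(token)) {
    // A JWT that fails validation is rejected; it never falls back to the allow-list.
    const claims = verifyJwt(token);
    return claims
      ? { ok: true, via: "workos-jwt", tenantId: claims.tenantId, subject: claims.subject }
      : { ok: false, reason: "invalid_jwt" };
  }
  // Programmatic clients: only the hash of the token is ever compared or stored.
  const row = clientsByHash.get(sha256Hex(token));
  return row
    ? { ok: true, via: "first-party-client", tenantId: row.tenantId, subject: row.clientId }
    : { ok: false, reason: "unknown_client" };
}

const summarize = (r: Resolved): string =>
  r.ok ? `${r.via}:${r.tenantId}:${r.subject}` : `denied:${r.reason}`;

// Constructed sample data (not real tokens, tenants or clients).
const CLIENTS = new Map<string, ClientRow>([
  [sha256Hex("constructed-ci-token-123"), { clientId: "ci-pipeline", tenantId: "tenant-ci" }],
]);
const fakeVerify: JwtVerifier = (jwt) =>
  jwt === "aaa.bbb.ccc" ? { subject: "user_1", tenantId: "tenant-a" } : null;

console.log(summarize(resolveTenant("Bearer constructed-ci-token-123", CLIENTS, fakeVerify)));
```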