agentfront · frontegg-david · Dec 1, 2025 · Nov 26, 2025 · Nov 26, 2025 · Nov 26, 2025
diff --git a/.github/workflows/codex-mintlify-docs.yml b/.github/workflows/codex-mintlify-docs.yml
@@ -66,6 +66,8 @@ jobs:
         run: |
           set -euo pipefail
           mkdir -p .github/codex/mcp-context
+          CODEX_HOME="${RUNNER_TEMP}/codex-home"
+          mkdir -p "$CODEX_HOME"
 
           echo "Setting up Mintlify MCP context..."
 
@@ -103,8 +105,26 @@ jobs:
           - Include tags for filtering ("latest", "version X.Y")
           GUIDELINES
 
-          echo "✓ MCP context prepared"
+          cat > "$CODEX_HOME/config.toml" << 'EOF'
+          [features]
+          # Enable the Rust MCP client (needed for HTTP/OAuth MCP support)
+          rmcp_client = true
+
+          # --- Mintlify Documentation Server ---
+          # Provides access to Mintlify documentation best practices
+          [mcp_servers.mintlify_docs]
+          type = "http"
+          url = "https://mintlify.com/docs/mcp"
+          http_headers = { "X-MCP-Readonly" = "true" }
+          startup_timeout_sec = 30
+          tool_timeout_sec = 60
+          EOF
+
+          echo "✓ MCP context prepared and Codex home configured"
           echo "mcp_enabled=true" >> "$GITHUB_OUTPUT"
+          echo "codex_home=${CODEX_HOME}" >> "$GITHUB_OUTPUT"
+        env:
+          RUNNER_TEMP: ${{ runner.temp }}
 
       - name: Prepare diff context for Codex
         id: ctx
@@ -586,6 +606,7 @@ jobs:
         uses: openai/codex-action@v1
         with:
           openai-api-key: ${{ secrets.CODEX_OPENAI_KEY }}
+          codex-home: ${{ steps.mcp.outputs.codex_home }}
           prompt-file: .github/codex/prompts/update-docs.md
           output-file: ${{ env.CODEX_OUT }}
           model: "gpt-5.1-codex"

diff --git a/CLAUDE.md b/CLAUDE.md
@@ -18,10 +18,10 @@ Located in `/libs/*`:
 
 Located in `/libs/*`:
 
-- **ast-guard** (`libs/ast-guard`) - JavaScript AST security validation with extensible rules
 - **json-schema-to-zod-v3** (`libs/json-schema-to-zod-v3`) - JSON Schema to Zod converter
 - **mcp-from-openapi** (`libs/mcp-from-openapi`) - Generate MCP servers from OpenAPI specs
-- **vectoriadb** (`libs/vectoriadb`) - Lightweight in-memory vector database
+
+> **Note:** `ast-guard`, `vectoriadb`, and `enclave-vm` have been moved to the [enclave monorepo](https://github.com/agentfront/enclave).
 
 ### Demo Apps
 
@@ -84,23 +84,6 @@ export * from './errors';
 
 ### Helper/Independent Libraries
 
-#### ast-guard
-
-- **Type**: Helper library (independent, publishable)
-- **Purpose**: Bank-grade JavaScript validation using AST analysis
-- **Security Model**: Four-tier preset system (STRICT > SECURE > STANDARD > PERMISSIVE)
-- **Test Count**: 188 tests with 95.11% coverage
-- **Key Rules**: DisallowedIdentifier, NoEval, NoAsync, CallArgumentValidation, etc.
-- **Documentation**: SECURITY-AUDIT.md documents all 67 blocked attack vectors
-- **Usage**: Can be used by @frontmcp packages or independently
-
-#### vectoriadb
-
-- **Type**: Helper library (independent, publishable)
-- **Purpose**: Lightweight in-memory vector database for embeddings
-- **Use Case**: Semantic search, RAG systems, similarity matching
-- **Usage**: Can be used by @frontmcp packages or independently
-
 #### json-schema-to-zod-v3
 
 - **Type**: Helper library (independent, publishable)

diff --git a/README.md b/README.md
@@ -301,31 +301,37 @@ FrontMCP][3])
 
 ### Servers
 
-`@FrontMcp({...})` defines **info**, **apps**, **http**, **logging**, **session**, and optional **auth**. Keep it
-minimal or scale up with providers and plugins. ([The FrontMCP Server - FrontMCP][5])
+The FrontMCP server is defined with a single decorator: `@FrontMcp({...})`. It configures **info**, **apps**, **http**,
+**logging**, **session**, and optional **auth**. Start minimal and scale up with providers and plugins.
+([The FrontMCP Server - FrontMCP][5])
 
 ### Apps
 
-Use `@App` to group **tools**, **resources**, **prompts**, plus **providers**, **adapters**, and **plugins**. With
-`splitByApp: true`, each app gets its own scope/base path and, if needed, its own auth surface. ([Apps - FrontMCP][6])
+Apps are the **organizational units** for capabilities. Each app groups related **tools**, **resources**, and **prompts**
+into a cohesive domain, along with **providers**, **adapters**, and **plugins**. With `splitByApp: true`, apps get
+isolated scopes and auth surfaces. ([Apps - FrontMCP][6])
 
 ### Tools
 
-Typed actions with schemas (class `@Tool` or inline `tool({...})(handler)`). Use the Zod‑field **shape** style for
-`inputSchema`. ([Tools - FrontMCP][4])
+Tools are **typed actions** that execute operations with side effects. They're the primary way to enable an AI model to
+interact with external systems—calling APIs, modifying data, performing calculations, or triggering workflows. Use the
+class `@Tool` decorator or inline `tool({...})(handler)` with Zod schemas. ([Tools - FrontMCP][4])
 
 ### Resources
 
-Readable data by URI or RFC6570 template (see `@Resource` / `@ResourceTemplate`). ([Resources - FrontMCP][7])
+Resources expose **readable data** to an AI model's context. Unlike tools that execute actions with side effects,
+resources are designed for read-only data retrieval—configuration files, user profiles, documents, or any content
+the model needs to reference. ([Resources - FrontMCP][7])
 
 ### Prompts
 
-Reusable templates returning MCP `GetPromptResult`, with typed arguments. ([Prompts - FrontMCP][8])
+Prompts provide **reusable message templates** for AI interactions. They return MCP `GetPromptResult` with typed
+arguments, enabling consistent conversation patterns. ([Prompts - FrontMCP][8])
 
 ### Providers / Adapters / Plugins
 
-Inject shared services, generate tools from OpenAPI, and add cross‑cutting behavior like caching and hooks. ([Add
-OpenAPI Adapter - FrontMCP][9])
+Inject shared services, generate tools from OpenAPI specs, and add cross‑cutting behavior like caching and hooks.
+([Add OpenAPI Adapter - FrontMCP][9])
 
 ---
 

diff --git a/apps/auth/demo-orchestrated-auth/e2e/orchestrated-auth.e2e.test.ts b/apps/auth/demo-orchestrated-auth/e2e/orchestrated-auth.e2e.test.ts
@@ -12,7 +12,6 @@ import { test, expect } from '@frontmcp/testing';
 test.describe('Orchestrated Auth Mode E2E', () => {
   test.use({
     server: './src/main.ts',
-    port: 3105,
   });
 
   test.describe('Unauthenticated Access', () => {
@@ -139,10 +138,7 @@ test.describe('Orchestrated Auth Mode E2E', () => {
     });
   });
 
-  // TODO: Prompts registration for apps needs to be implemented
-  // The prompts capability is advertised but prompts/list returns "Method not found"
-  // This is a pre-existing issue to be fixed separately
-  test.describe.skip('Prompt Access', () => {
+  test.describe('Prompt Access', () => {
     test('should list prompts for authenticated user', async ({ server, auth }) => {
       const token = await auth.createToken({
         sub: 'user-123',

diff --git a/apps/auth/demo-orchestrated-auth/jest.e2e.config.ts b/apps/auth/demo-orchestrated-auth/jest.e2e.config.ts
@@ -5,6 +5,7 @@ export default {
   testEnvironment: 'node',
   testMatch: ['<rootDir>/e2e/**/*.e2e.test.ts'],
   testTimeout: 60000,
+  maxWorkers: 1,
   setupFilesAfterEnv: ['<rootDir>/../../../libs/testing/src/setup.ts'],
   transform: {
     '^.+\\.[tj]s$': [

diff --git a/apps/auth/demo-public/e2e/public-auth.e2e.test.ts b/apps/auth/demo-public/e2e/public-auth.e2e.test.ts
@@ -11,7 +11,6 @@ import { test, expect } from '@frontmcp/testing';
 test.describe('Public Auth Mode E2E', () => {
   test.use({
     server: './src/main.ts',
-    port: 3103,
     publicMode: true,
   });
 
@@ -81,10 +80,7 @@ test.describe('Public Auth Mode E2E', () => {
     });
   });
 
-  // TODO: Prompts registration for apps needs to be implemented
-  // The prompts capability is advertised but prompts/list returns "Method not found"
-  // This is a pre-existing issue to be fixed separately
-  test.describe.skip('Prompt Access', () => {
+  test.describe('Prompt Access', () => {
     test('should list prompts without auth', async ({ mcp }) => {
       const prompts = await mcp.prompts.list();
 

diff --git a/apps/auth/demo-public/jest.e2e.config.ts b/apps/auth/demo-public/jest.e2e.config.ts
@@ -5,6 +5,7 @@ export default {
   testEnvironment: 'node',
   testMatch: ['<rootDir>/e2e/**/*.e2e.test.ts'],
   testTimeout: 60000,
+  maxWorkers: 1,
   setupFilesAfterEnv: ['<rootDir>/../../../libs/testing/src/setup.ts'],
   transform: {
     '^.+\\.[tj]s$': [

diff --git a/apps/auth/demo-public/src/main.ts b/apps/auth/demo-public/src/main.ts
@@ -19,6 +19,8 @@ const port = parseInt(process.env['PORT'] ?? '3003', 10);
       enableStreamableHttp: true,
       enableStatelessHttp: false,
       requireSessionForStreamable: false,
+      enableLegacySSE: true, // Enable legacy SSE endpoint (/sse)
+      enableSseListener: true, // Enable SSE listener for modern SSE with session
     },
   },
 })

diff --git a/apps/auth/demo-transparent-auth/e2e/transparent-auth.e2e.test.ts b/apps/auth/demo-transparent-auth/e2e/transparent-auth.e2e.test.ts
@@ -13,9 +13,7 @@
 import { TestServer } from '@frontmcp/testing';
 import { expect } from '@jest/globals';
 
-const PORT = 3104;
 const ENV = {
-  PORT: String(PORT),
   IDP_PROVIDER_URL: 'https://auth.example.com',
   IDP_EXPECTED_AUDIENCE: 'https://api.example.com',
 };
@@ -25,7 +23,6 @@ describe('Transparent Auth Mode E2E', () => {
 
   beforeAll(async () => {
     server = await TestServer.start({
-      port: PORT,
       command: 'npx tsx ./src/main.ts',
       env: ENV,
       startupTimeout: 30000,
@@ -41,7 +38,7 @@ describe('Transparent Auth Mode E2E', () => {
 
   describe('Unauthorized Access', () => {
     it('should return 401 for unauthorized requests', async () => {
-      const response = await fetch(`http://localhost:${PORT}/`, {
+      const response = await fetch(`${server!.info.baseUrl}/`, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
@@ -62,7 +59,7 @@ describe('Transparent Auth Mode E2E', () => {
 
   describe('Protected Resource Metadata', () => {
     it('should expose protected resource metadata endpoint', async () => {
-      const response = await fetch(`http://localhost:${PORT}/.well-known/oauth-protected-resource`, {
+      const response = await fetch(`${server!.info.baseUrl}/.well-known/oauth-protected-resource`, {
         method: 'GET',
         headers: { Accept: 'application/json' },
         redirect: 'manual', // Disable automatic redirect following

diff --git a/apps/demo-showcase/jest.e2e.config.ts → .../demo-transparent-auth/jest.e2e.config.ts b/apps/demo-showcase/jest.e2e.config.ts → .../demo-transparent-auth/jest.e2e.config.ts
@@ -1,11 +1,12 @@
 /* eslint-disable */
-/* eslint-disable */
+/* eslint-disable import/no-default-export */
-/* eslint-disable */
+/* eslint-disable import/no-default-export */
 export default {
-  displayName: 'demo-showcase-e2e',
-  preset: '../../jest.preset.js',
+  displayName: 'demo-transparent-auth-e2e',
+  preset: '../../../jest.preset.js',
   testEnvironment: 'node',
-  testMatch: ['<rootDir>/e2e/**/*.e2e.ts'],
-  testTimeout: 30000,
-  setupFilesAfterEnv: ['<rootDir>/../../libs/testing/src/setup.ts'],
+  testMatch: ['<rootDir>/e2e/**/*.e2e.test.ts'],
+  testTimeout: 60000,
+  maxWorkers: 1,
+  setupFilesAfterEnv: ['<rootDir>/../../../libs/testing/src/setup.ts'],
   transform: {
     '^.+\\.[tj]s$': [
       '@swc/jest',
@@ -36,11 +37,12 @@ export default {
   moduleFileExtensions: ['ts', 'js', 'html'],
   transformIgnorePatterns: ['node_modules/(?!(jose)/)'],
   moduleNameMapper: {
-    '^@frontmcp/testing$': '<rootDir>/../../libs/testing/src/index.ts',
-    '^@frontmcp/testing/setup$': '<rootDir>/../../libs/testing/src/setup.ts',
-    '^@frontmcp/sdk$': '<rootDir>/../../libs/sdk/src/index.ts',
-    '^@frontmcp/adapters$': '<rootDir>/../../libs/adapters/src/index.ts',
-    '^@frontmcp/plugins$': '<rootDir>/../../libs/plugins/src/index.ts',
+    '^@frontmcp/testing$': '<rootDir>/../../../libs/testing/src/index.ts',
+    '^@frontmcp/testing/setup$': '<rootDir>/../../../libs/testing/src/setup.ts',
+    '^@frontmcp/sdk$': '<rootDir>/../../../libs/sdk/src/index.ts',
+    '^@frontmcp/sdk/(.*)$': '<rootDir>/../../../libs/sdk/src/$1',
+    '^@frontmcp/adapters$': '<rootDir>/../../../libs/adapters/src/index.ts',
+    '^@frontmcp/plugins$': '<rootDir>/../../../libs/plugins/src/index.ts',
   },
   coverageDirectory: 'test-output/jest/coverage-e2e',
 };
diff --git a/apps/auth/demo-transparent-auth/src/main.ts b/apps/auth/demo-transparent-auth/src/main.ts
@@ -13,10 +13,10 @@ const port = parseInt(process.env['PORT'] ?? '3004', 10);
   auth: {
     mode: 'transparent',
     remote: {
-      provider: process.env['IDP_PROVIDER_URL'] || 'https://auth.example.com',
+      provider: process.env['IDP_PROVIDER_URL'] || 'https://sample-app.frontegg.com',
       dcrEnabled: false,
     },
-    expectedAudience: process.env['IDP_EXPECTED_AUDIENCE'] || 'https://api.example.com',
+    expectedAudience: process.env['IDP_EXPECTED_AUDIENCE'] || 'https://sample-app.frontegg.com',
     requiredScopes: [],
     allowAnonymous: false,
     anonymousScopes: ['anonymous'],

diff --git a/apps/demo-showcase/e2e/openapi.e2e.ts b/apps/demo-showcase/e2e/openapi.e2e.ts