<feed xmlns='http://www.w3.org/2005/Atom'>
<title>food, branch mcp-api</title>
<subtitle>Meal planning system (Django)</subtitle>
<id>https://git.tomflux.xyz/food/atom?h=mcp-api</id>
<link rel='self' href='https://git.tomflux.xyz/food/atom?h=mcp-api'/>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/'/>
<updated>2026-06-23T20:50:31+00:00</updated>
<entry>
<title>nginx: match the MCP location with or without a trailing slash</title>
<updated>2026-06-23T20:50:31+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:50:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=fd5c1d12e96104ff748893f9b831b00260a5b5e5'/>
<id>urn:sha1:fd5c1d12e96104ff748893f9b831b00260a5b5e5</id>
<content type='text'>
claude.ai strips the trailing slash from the connector URL, so a
location of /mcp/&lt;secret&gt;/ missed and fell to the 301 catch-all. Use a
regex (^/mcp/&lt;secret&gt;/?(.*)$) that matches both and normalises onto the
FastMCP root.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>nginx: 404 the .well-known/ OAuth probes for the MCP connector</title>
<updated>2026-06-23T20:41:41+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:40:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=9928a4a09766d994a7497d3a6152315c52fece90'/>
<id>urn:sha1:9928a4a09766d994a7497d3a6152315c52fece90</id>
<content type='text'>
claude.ai's custom-connector flow probes /.well-known/oauth-* during
setup. The catch-all 301 -&gt; /app/ made those return the Kitchen login
page (200), so claude.ai mistook it for an OAuth sign-in service, tried
Dynamic Client Registration, and failed. Returning 404 makes it treat
the server as authless and connect.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>fix service group</title>
<updated>2026-06-23T20:29:12+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:29:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=4ddad857e9a7b7023177e6913a725ffced741683'/>
<id>urn:sha1:4ddad857e9a7b7023177e6913a725ffced741683</id>
<content type='text'>
</content>
</entry>
<entry>
<title>mcp group to uv</title>
<updated>2026-06-23T20:27:35+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:27:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=f67ecf310829c545e26b7c3de22c0eb2c9e454db'/>
<id>urn:sha1:f67ecf310829c545e26b7c3de22c0eb2c9e454db</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fix bulk-pantry-add crash on null unit (found in live MCP testing)</title>
<updated>2026-06-23T20:24:09+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:24:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=eeeb1c5b34c058f2c1a7ea2f3c6b179f503d2aa4'/>
<id>urn:sha1:eeeb1c5b34c058f2c1a7ea2f3c6b179f503d2aa4</id>
<content type='text'>
End-to-end testing (MCP client -&gt; FastMCP -&gt; Django) surfaced a 500:
adding an item with an explicit `unit: null` (as add_to_pantry sends
for items without a unit) hit a NOT NULL violation, because
`item_data.get("unit", "items")` returns None when the key is present.

- views.bulk_pantry_add: `item_data.get("unit") or "items"` — tolerate
  null/empty unit.
- mcp_server add_to_pantry: omit quantity/unit from the payload when
  unset, so the API applies its own defaults.
- test: bulk-add with unit/quantity = null returns 201 (25 pass).

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Phase 3b: FastMCP "ai service" for claude.ai cooking mode</title>
<updated>2026-06-23T20:16:30+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:16:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=eed90569f7dafa7eb9c8358c152efac1a49f0405'/>
<id>urn:sha1:eed90569f7dafa7eb9c8358c152efac1a49f0405</id>
<content type='text'>
A standalone MCP server (no Django import) exposing 7 tools over
Streamable HTTP, backed by the Django REST API via the caine token.

- mcp_server/: client.py (httpx wrapper over /api/), server.py (the
  tools + FastMCP app + main), __main__.py, tests.py.
- Tools: get_pantry, set_item_state, add_to_pantry, what_can_i_cook,
  get_recipes, log_cook (suggests, never mutates), create_meta_recipe
  (brainstorm -&gt; commit). Each description says when to call it.
- deploy/food-mcp.service: systemd unit (own process, runs .venv python
  -m mcp_server, loads /var/lib/food/.env).
- deploy/food.tomflux.xyz.nginx: current config + an authless
  /mcp/&lt;secret&gt;/ location proxying to 127.0.0.1:8765 (the URL secret is
  the credential; SSE-friendly buffering/timeout).
- pyproject: [dependency-groups] mcp = [fastmcp, httpx]; deploy with
  `uv sync --group mcp`.

Verified: 7 tools register on fastmcp 3.x, run() accepts transport/
host/port/path, 6 FoodClient unit tests pass (httpx MockTransport).

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Phase 3a: close the Django API gaps for the MCP server</title>
<updated>2026-06-23T20:07:18+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:07:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=d118726d3010d5b0133c7665fc20008c055f2757'/>
<id>urn:sha1:d118726d3010d5b0133c7665fc20008c055f2757</id>
<content type='text'>
Backend prerequisites for the FastMCP service (mcp.md §6) — no model
changes, no migration.

- log_cook: accepts `rating`, validates via full_clean (enforces the
  exactly-one-recipe rule), and returns `used_ingredients` as a
  suggestion set instead of mutating the pantry. Auto-deduct path and
  _deduct_ingredient removed — pantry state changes only via set-state
  after the user confirms.
- New POST /api/pantry/set-state/ — set in/low/out by ingredient name
  (alias-aware), optional location; registered before the router so the
  pantry detail route doesn't capture "set-state" as a pk.
- what_can_i_cook: presence-based (exclude 'out', tolerate null
  quantity) so the API matcher agrees with the web one.
- bulk-pantry-add: restocks an existing ingredient+location row to 'in'
  instead of duplicating; quantity is an optional int.

Tests cover all four + that pantry `state` is serialized (24 pass).

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Add MCP server spec; mark phases 1-2 done in plan</title>
<updated>2026-06-23T20:02:26+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T20:02:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=95c04f07c6b554baa88d539d57b6bea0c1caf336'/>
<id>urn:sha1:95c04f07c6b554baa88d539d57b6bea0c1caf336</id>
<content type='text'>
mcp.md specs the Phase 3 FastMCP "ai service": tools, the Django API
gaps to close, authless-connector + URL-secret auth, and the
brainstorm-&gt;commit path for meta-recipes and cook logs.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>auth: trust nginx HTTPS proxy for CSRF (SECURE_PROXY_SSL_HEADER + CSRF_TRUSTED_ORIGINS)</title>
<updated>2026-06-23T19:45:46+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T19:45:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=cd0e10ed3cc591e1ac4d8743144750aa35c33a80'/>
<id>urn:sha1:cd0e10ed3cc591e1ac4d8743144750aa35c33a80</id>
<content type='text'>
Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
<entry>
<title>Phase 2: session auth for the web UI</title>
<updated>2026-06-23T19:37:48+00:00</updated>
<author>
<name>Tom Flux</name>
<email>tom@tomflux.xyz</email>
</author>
<published>2026-06-23T19:37:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tomflux.xyz/food/commit/?id=d92deeab514a52e7c3416baef78f8969ade951cc'/>
<id>urn:sha1:d92deeab514a52e7c3416baef78f8969ade951cc</id>
<content type='text'>
Require login for /app/, with a long sliding session so you log in
once per device and effectively stay in.

- AppLoginRequiredMiddleware gates only /app/; /api/ keeps DRF token
  auth and /admin/ keeps its own login (a blanket LoginRequired would
  break token requests, whose user isn't resolved until the view runs).
- Login page (styled to the dark palette) via django.contrib.auth.urls;
  logout control in the nav.
- Session: ~1 year cookie, sliding (saved every request), survives
  browser close.
- Dropped every @csrf_exempt now that a real session + CSRF token are
  in place (HTMX already sends X-CSRFToken).
- SECRET_KEY and DEBUG now read from the environment (prod-safe
  defaults); systemd loads an optional /var/lib/food/.env.
- Tests authenticate, plus new coverage: /app/ redirects when logged
  out, login grants access, /api/ is not caught by the app gate.

Co-Authored-By: Claude Opus 4.8 &lt;noreply@anthropic.com&gt;
</content>
</entry>
</feed>
