feat: add Zuko MCP server

[Rishavraaj]

Summary

Exposes Zuko CRM data as MCP tools so AI coding agents can query and
mutate CRM records over the Model Context Protocol with full OAuth 2.0 /
PKCE authentication via BetterAuth.

• MCP Streamable HTTP endpoint at POST /api/mcp — stateless, per-request
  transport, multi-tenant safe via org scoping
• BetterAuth OAuth 2.0 / PKCE — mcp() plugin wired into auth.ts;
  withMcpAuth validates bearer tokens in-process
• 15 CRM tools across Deals, Contacts, Companies, and Tasks
  (list, get, create, update, delete)
• Settings UI — "Zuko MCP" row in Connections tab with PKCE connect flow
  and a per-agent Setup Guide modal
• Agent setup modal with config snippets for Claude Code, Cursor,
  Windsurf, Codex CLI, and Gemini CLI

---

Backend — apps/backend

File	Change
mcp/mcp.service.ts	McpServer with 15 tools; new server per request (stateless MCP)
mcp/mcp.module.ts	NestJS module; repositories provided via useFactory
mcp/mcp.bootstrap.ts	Registers OAuth discovery + /api/mcp on the Express adapter
main.ts	Simplified — delegates all MCP setup to registerMcpRoutes()
auth.ts	Added mcp() plugin with FRONTEND_URL-aware loginPage
mcp.service.spec.ts	Vitest unit tests for resolveOrganizationId and all 4 list tools

---

Database — libs/models

• Added Prisma models: OauthApplication, OauthAccessToken, OauthConsent
• Migration: 20260427000000_add_mcp_oauth_tables

---

Frontend — apps/web

File	Change
org-connections.tsx	PKCE connect/disconnect flow; useQuery + mutations; McpOAuthHandler in <Suspense>
mcp-setup-modal.tsx	New — tabbed Dialog with per-agent config snippets and copy button
server/fetch.ts	Server actions for GitHub status + linked accounts
server/query-options.ts	TanStack Query queryOptions wrappers
server/mutations.ts	useConnectAccount, useDisconnectAccount, useInstallGitHubApp
hooks/use-mcp-oauth.ts	PKCE helpers extracted as a reusable hook
public/icons/	Added mcp.svg, claude.svg, cursor.svg, gemini-cli.svg

---

Bug Fixes

• task.repository.ts — update and delete now scope by organizationId (security fix)
• task.repository.ts — findAll accepts status filter pushed to DB instead of post-filtering

---

Screen Recording

Screen.Recording.2026-04-28.at.2.46.15.PM.mov

Test Plan

• Run migration: npx prisma migrate deploy
• GET /.well-known/oauth-authorization-server — returns OAuth discovery JSON
• Settings → Connections → Connect on Zuko MCP — PKCE flow completes, row shows Connected
• Click Setup guide — modal shows correct endpoint and token per agent tab
• Add to Claude Code:
  claude mcp add --transport http ZukoCRM <endpoint> --header "Authorization: Bearer <token>"
• tools/list returns 15 tools; list_deals returns org-scoped results
• nx test backend — all MCP service specs pass