2) package.json (minimal)

Save as package.json (or merge with your existing)

{
  "name": "ibrandbiz-mcp",
  "version": "0.1.0",
  "main": "mcp-server.js",
  "scripts": {
    "start": "node mcp-server.js"
  },
  "dependencies": {
    "body-parser": "^1.20.2",
    "express": "^4.18.2",
    "node-fetch": "^2.6.7"
  }
}

3) Procfile (for Replit/Proc)
web: node mcp-server.js

4) Replit Secrets / Env vars to set

In your Replit project secrets (or Environment variables) set:

MCP_BEARER_TOKEN = a long random token (e.g., super-long-random-string)

GITHUB_TOKEN = Personal Access Token (repo scopes), only if you want PR creation

REPO_OWNER = github owner/org name (optional)

REPO_NAME = repository name (optional)

APP_LOG = path to your app log file (default used by server: logs/app.log)

Important: For permanent secret storage, use Replit Secrets (they’re not exposed in UI).

5) How to register this as a tool for ChatGPT / MCP

Once you have the server deployed (public HTTPS at https://ibrandbiz-mcp.<your-repl>.repl.co), add a tool in ChatGPT’s developer tools / MCP UI:

Tool Name: ibrandbiz-mcp

Base URL: https://ibrandbiz-mcp.<your-repl>.repl.co

Auth: Bearer token — set to MCP_BEARER_TOKEN

Capabilities: list endpoints /run, /logs/tail, /files/read, /files/write, /env/get, /env/set, /repo/pr, /ping.

For "destructive" endpoints, configure ChatGPT to require human approval (or set a policy that an extra header x-confirm: yes must be provided).

(If you want, I’ll generate the exact JSON you paste into the ChatGPT tool registration UI.)

6) How I will use it (examples)

After you register the tool, you can ask me to do things like:

Run tests:

POST /run
Body: { "cmdKey": "test" }
Headers: Authorization: Bearer <MCP_BEARER_TOKEN>


Tail logs (last 300 lines):

GET /logs/tail?lines=300


Read a file:

POST /files/read
Body: { "path": "src/pages/BrandKit/BrandKitPage.tsx" }


Write a file (requires confirmation header):

POST /files/write
Headers: x-confirm: yes
Body: { "path": "src/pages/BusinessNames/BusinessNameWizard.tsx", "content": "/* new file content */" }


Create a quick PR (branch must already exist):

POST /repo/pr
Body: { "branchName": "fix/business-wizard", "title": "Refactor Business Wizard (3 steps)", "body": "See changes" }

7) Guardrails & Safety (what I set up)

Whitelist commands only (no arbitrary shell).

Confirmation header (x-confirm: yes) required for file writes, env writes, and destructive commands such as seed:db.

Audit log (mcp-audit.log) saves who requested what and command outputs (first N chars)—helps track actions.

Secrets caution: Never keep extremely sensitive secrets in plain process.env long-term; prefer the Replit Secrets UI.

Access control: Only use MCP_BEARER_TOKEN for your ChatGPT tool registration; rotate periodically.
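
The three request-level guardrails above (bearer token, command whitelist, confirmation header), written as plain Node functions. This is an added example, not the code of mcp-server.js; the function names, the argv values for typecheck and seed:db, and the 401/400/403 status codes are assumptions.

```javascript
const crypto = require('crypto');

// cmdKey -> fixed argv. The keys and "pnpm test" come from the page;
// the other argv values and the table layout are assumptions.
const COMMANDS = {
  test: { argv: ['pnpm', 'test'], destructive: false },
  typecheck: { argv: ['pnpm', 'typecheck'], destructive: false },
  'seed:db': { argv: ['pnpm', 'seed:db'], destructive: true },
};

// Constant-time token check. Hashing both sides yields equal-length
// buffers, which crypto.timingSafeEqual requires.
function bearerOk(authHeader, expectedToken) {
  if (!expectedToken) return false; // unset MCP_BEARER_TOKEN fails closed
  const m = /^Bearer (.+)$/.exec(authHeader || '');
  if (!m) return false;
  const h = (s) => crypto.createHash('sha256').update(s).digest();
  return crypto.timingSafeEqual(h(m[1]), h(expectedToken));
}

// Decision for POST /run. `headers` uses lower-case names, as Node delivers them.
function authorizeRun(headers, body, expectedToken) {
  if (!bearerOk(headers.authorization, expectedToken)) {
    return { status: 401, error: 'invalid bearer token' };
  }
  const key = body && body.cmdKey;
  // Own-property lookup so "__proto__" or "constructor" never resolve.
  if (typeof key !== 'string' || !Object.prototype.hasOwnProperty.call(COMMANDS, key)) {
    return { status: 400, error: 'unknown cmdKey' };
  }
  const cmd = COMMANDS[key];
  if (cmd.destructive && headers['x-confirm'] !== 'yes') {
    return { status: 403, error: 'x-confirm: yes required' };
  }
  return { status: 200, argv: cmd.argv };
}
```

Pass the returned argv to child_process.execFile (no shell) so the request body never reaches a command line. The x-confirm header is sent by the same client that holds the token, so the human-approval setting in the tool registration is what actually gates destructive calls.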

8) Next steps (what I’ll do if you say GO)

I’ll create the Repl ibrandbiz-mcp with the files above (or you can paste them).

You set Replit Secrets: MCP_BEARER_TOKEN, GITHUB_TOKEN, REPO_OWNER, REPO_NAME.

Deploy the Repl (start).

Give me the public Repl URL and confirm token — I’ll register it on my side as a tool (if you authorize) and we’ll start running commands.

Important: I will never call destructive endpoints without explicit confirmation text you give me (I will always ask for the confirm header unless you explicitly tell me to proceed).

I’ll demonstrate by running pnpm test and reading src/pages/BrandKit/BrandKitPage.tsx and then create a PR with the Business Wizard refactor files.

9) Quick demo plan (first 3 ops I’ll do as VP)

GET /ping to verify connection.

POST /run cmdKey: "typecheck" to verify repo health.

POST /files/read to pull the current Business Name Wizard file.

Propose edits in chat and POST /files/write with x-confirm: yes only after you approve the diff.

Open PR via /repo/pr.