Commit ca1311d
Test/cloudrun (#24)
* docs: add OAuth authentication design document
Drafted a design for adding OAuth 2.0 authentication (user permissions) support.
Main contents:
- Adoption of Authorization Code Flow with PKCE
- Coexistence with certificate authentication (switched via environment variable)
- Token persistence and refresh
- HTTP endpoint design
- streamable-http-only support
- Security considerations
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* feat: implement OAuth authentication with FastMCP
Implement two-layer OAuth authentication using FastMCP's OIDCProxy:
- Layer 1: MCP client authenticates with FastMCP server
- Layer 2: User's token accesses SharePoint APIs
Key changes:
- Add AzureOIDCProxyForSharePoint class extending OIDCProxy
  - Removes unsupported 'resource' parameter for Azure AD v2.0
  - Uses SharePointTokenVerifier for opaque tokens
- Add SimpleTokenAuth wrapper for OAuth tokens
- Support both certificate and OAuth authentication modes
- Upgrade FastMCP to 2.12.4 for OIDCProxy support
- Update documentation (README.md, README_ja.md, .env.example)
- Remove OAUTH_DESIGN.md (consolidated into READMEs)
Authentication flow:
1. MCP client performs OAuth with Azure AD via FastMCP proxy
2. FastMCP validates user and issues token
3. SharePoint tools use the token to access SharePoint APIs
Security features:
- PKCE (Proof Key for Code Exchange)
- Dynamic client registration with localhost wildcard URIs
- Token validation through OAuth flow (not JWT verification)
Closes #XX
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* refactor: clean up unused code and improve type safety
Remove unused code and improve type annotations:
- Delete unused src/sharepoint_oauth_auth.py (old implementation)
- Remove unused config: oauth_redirect_uri, token_cache_path
- Fix incorrect comments (AzureProvider → OIDCProxy)
- Simplify code structure (remove unnecessary else blocks)
- Add AuthClient Protocol for better type safety
Changes:
- src/config.py: Remove 2 unused environment variables
- src/server.py: Fix comments and simplify _get_auth_client()
- src/sharepoint_search.py: Add Protocol for auth client abstraction
Quality checks: ✅ All PASS (type check, lint, tests)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* chore: ignore .vscode directory
Add .vscode/ to .gitignore as it contains user-specific IDE settings.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* docs: reorganize documentation - slim down README and separate details into docs/
- Reduce README from 500+ lines to ~100 lines (80% reduction)
- Separate detailed content into docs/ directory
  - Setup guide: Azure AD configuration and environment setup
  - Usage guide: MCP client integration and search examples
  - Development guide: Project structure and commands
  - Troubleshooting guide: Common issues and debugging
- Both English and Japanese versions provided
- README now focuses on quick start with links to detailed docs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* refactor: simplify AzureOIDCProxyForSharePoint.authorize() to use super() call
- Call super().authorize() instead of completely overriding implementation
- Parse returned URL and remove only the 'resource' parameter
- Reduces code from ~60 lines to ~30 lines
- Better maintainability and forward compatibility with FastMCP updates
- Remove unused imports (secrets, time)
- All tests and type checks pass
This approach is more resilient to FastMCP version changes as it relies on
the parent class implementation for most of the logic.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* refactor: improve authorize() method efficiency with early return
- Return URL as-is if 'resource' parameter doesn't exist (early return)
- Use urlencode's doseq=True for cleaner list handling
- Remove unnecessary isinstance check
- Reduce nesting and improve readability
- All tests and type checks pass
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* docs: address PR review comments
- Add clarification note to SharePointTokenVerifier about simplified validation
- Fix OAuth login endpoint URL from /oauth/login to /auth/login in error messages
- Improve documentation about token verification approach
These changes address feedback from Gemini Code Assist and GitHub Copilot reviewers.
Other review comments were already addressed in previous commits:
- oauth_redirect_uri was already removed from config.py
- authorize() method already refactored to use super()
- AuthClient Protocol already implemented
- README already restructured (no duplicates)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* docs: improve .env.example with bilingual comments
- Add English/Japanese bilingual comments throughout
- Simplify explanations (details in docs/)
- Improve section organization and readability
- Remove redundant explanations
- Keep clear structure with consistent formatting
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* chore: bump version to 0.3.0
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* refactor: address PR review comments and migrate to absolute imports
Address unresolved AI review feedback and improve code quality:
- Fix test fixture to preserve existing environment variables (conftest.py)
- Simplify URL encoding logic using dict() in server.py
- Move OAuth validation before register_tools() for early validation
- Dynamically construct OAuth login URL from config
- Migrate from relative imports to absolute imports across all src modules
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* feat: add docker setting
* feat: add configurable OAuth redirect URIs for production deployment
Allow OAuth redirect URIs to be configured via environment variable
SHAREPOINT_OAUTH_ALLOWED_REDIRECT_URIS for flexible deployment to
Cloud Run and other production environments.
Changes:
- Add SHAREPOINT_OAUTH_ALLOWED_REDIRECT_URIS environment variable
- Add get_oauth_allowed_redirect_uris() method to config
- Use config value instead of hardcoded localhost URIs
- Add debug logging for OAuth redirect URIs
- Update .env.example with usage examples for Claude.ai
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* docs: add SHAREPOINT_OAUTH_ALLOWED_REDIRECT_URIS documentation
Update English and Japanese documentation to include the new
SHAREPOINT_OAUTH_ALLOWED_REDIRECT_URIS environment variable for
configuring allowed OAuth redirect URIs.
Updated files:
- README.md: Added OAuth redirect URIs configuration example
- README_ja.md: Added OAuth redirect URIs configuration example (Japanese)
- docs/setup.md: Added detailed explanation and usage examples
- docs/setup_ja.md: Added detailed explanation and usage examples (Japanese)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* docs: add documentation guidelines to CLAUDE.md
Add requirement to update both English and Japanese versions when
modifying documentation files to ensure consistency.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* feat: add warning for empty OAuth redirect URIs
Add warning log when SHAREPOINT_OAUTH_ALLOWED_REDIRECT_URIS is empty
in OAuth mode to help developers detect configuration issues early.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* docs: clarify OAUTH_ALLOWED_REDIRECT_URIS behavior
Update documentation to clearly explain that:
- If not set: All redirect URIs are allowed (convenient for dev)
- If set: Only specified patterns are allowed (recommended for production)
Updated files:
- .env.example: Add detailed comments with examples
- README.md / README_ja.md: Add inline comment
- docs/setup.md / docs/setup_ja.md: Add comprehensive explanation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* refactor: improve OAuth redirect URI configuration
Address review comments from Copilot and Gemini:
- Change SHAREPOINT_OAUTH_ALLOWED_REDIRECT_URIS default to None (allow all URIs for development)
- Distinguish None (allow all) from empty list (deny all)
- Improve get_oauth_allowed_redirect_uris() to handle None properly
- Update warning message to only trigger for empty list
- Simplify oauth_client_id property using 'or' operator
This aligns with FastMCP conventions and improves developer experience.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
* fix: address additional review comments for security and code quality
Address Copilot and Gemini review feedback:
1. Remove unnecessary dict() conversion in urlencode (query_params is already a dict)
2. Fail fast when OAuth config is incomplete (high priority security fix)
   - Change from warning + return None to error + raise ValueError
   - Prevents accidentally running server without authentication
3. Add security audit logging for token verification
   - Log warning when accepting tokens without full cryptographic validation
   - Add TODO for future claim validation improvement
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <[email protected]>
---------
Co-authored-by: Claude <[email protected]>

1 parent 405720d, commit ca1311d
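The authorize() post-processing described in the refactor commits above (call the parent implementation, strip only the 'resource' query parameter Azure AD v2.0 rejects, return early when it is absent, re-encode with doseq=True), as an added Python illustration that is not the project's own code; the sample authorization URL and its parameter values are constructed.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Added illustration of the commit's authorize() URL rewrite; not the project's code.
# The parent OIDCProxy builds the authorization URL; this step only removes the
# 'resource' parameter, which the Azure AD v2.0 endpoint does not accept.


def strip_resource_param(url: str) -> str:
    """Return url with the 'resource' query parameter removed.

    Early return keeps URLs without the parameter byte-for-byte unchanged;
    every other parameter (including repeated keys) is preserved in order.
    """
    parts = urlparse(url)
    query_params = parse_qs(parts.query, keep_blank_values=True)
    if "resource" not in query_params:
        return url  # nothing to strip; avoid re-encoding a URL we did not change
    query_params.pop("resource")
    # parse_qs yields list values; doseq=True expands them back into repeated keys
    new_query = urlencode(query_params, doseq=True)
    return urlunparse(parts._replace(query=new_query))


# Constructed sample authorization URL (placeholder client_id, not from the project):
SAMPLE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback"
    "&scope=openid+profile+offline_access"
    "&code_challenge=abc123&code_challenge_method=S256"
    "&resource=https%3A%2F%2Fcontoso.sharepoint.com"
)

if __name__ == "__main__":
    print(strip_resource_param(SAMPLE_URL))
```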