AI-Native Control for Worksection: Claude, Cursor, ChatGPT via MCP
The Situation
The client ran their entire operation in Worksection: tasks, projects, comments, costs, team assignments. Their team had also gone all-in on AI assistants (Claude, Cursor, ChatGPT) for daily work. But the two worlds were disconnected. The AI knew nothing about Worksection, and Worksection knew nothing about the AI.

The Problem
Every interaction between the two tools was manual. A developer would ask Claude to draft a task description, then copy it into Worksection by hand. A PM would screenshot a project status and paste it into ChatGPT to summarize. The AI could think about the work, but it couldn't do the work. That copy-paste loop killed most of the productivity gain the client expected from AI in the first place. They needed the AI to read and write Worksection directly, with proper auth, no shared credentials, and no hand-rolled integration per team member.

The Solution
I built a production MCP (Model Context Protocol) server that sits between any MCP-compatible AI client and Worksection's API. The AI calls a named tool like post_task or get_projects, and the server handles auth, rate limiting, payload translation, and response shaping.

It ships as a multi-tenant SaaS: each team registers once, gets their own encrypted credentials and OAuth clients, and connects Claude or Cursor with a single URL. An admin panel (React + Vite) lets the operator manage tenants, rotate OAuth secrets, tune per-tenant rate limits, and see exactly which tools are being called and how often.

Three technical decisions defined the build. First, Worksection's API authenticates from the URL query string only (POST bodies are ignored by its hash validation), so every outbound call uses a two-pass encoding: raw string for MD5 hashing, re-encoded string for transport. Second, every tenant API key is encrypted at rest with AES-256-GCM; plaintext never touches the database. Third, API responses are actively compacted before returning to the AI, because raw Worksection payloads can overflow a model's context window on large projects.
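The second decision, sketched as an added example in plain Node.js; this is not the project's own code. The function names, the stored layout (IV, then auth tag, then ciphertext, base64-encoded) and the binding of the tenant ID as additional authenticated data are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

const ALG = "aes-256-gcm";
const IV_LEN = 12;  // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16; // full 128-bit authentication tag

// Encrypt one tenant's API key for storage. The tenant ID is bound as AAD,
// so a stored blob copied into another tenant's row will not decrypt there.
function sealApiKey(masterKey, tenantId, apiKey) {
  if (masterKey.length !== 32) throw new Error("master key must be 32 bytes");
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh per encryption, never reused with this key
  const cipher = nodeCrypto.createCipheriv(ALG, masterKey, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(tenantId, "utf8"));
  const ct = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt a stored value. Throws if the key, the tenant ID or any stored byte
// differs from what was sealed, because the GCM tag check fails in final().
function openApiKey(masterKey, tenantId, stored) {
  const raw = Buffer.from(stored, "base64");
  if (raw.length < IV_LEN + TAG_LEN) throw new Error("stored value too short");
  const iv = raw.subarray(0, IV_LEN);
  const tag = raw.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = raw.subarray(IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv(ALG, masterKey, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(tenantId, "utf8"));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Helper for checks: true when fn throws, i.e. decryption was refused.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}

// Constructed sample values, not real credentials. In a deployment the master
// key would be loaded from a secret store, not generated per process.
const sampleMasterKey = nodeCrypto.randomBytes(32);
const sampleStored = sealApiKey(sampleMasterKey, "tenant-a", "constructed-api-key");
console.log("round trip ok:", openApiKey(sampleMasterKey, "tenant-a", sampleStored) === "constructed-api-key");
console.log("other tenant refused:", rejects(() => openApiKey(sampleMasterKey, "tenant-b", sampleStored)));
```

Only the base64 value goes into the database column; the master key stays outside the database, so a database dump alone does not expose tenant API keys.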

Tech Stack: Node.js 20, TypeScript, Express, @modelcontextprotocol/sdk, Supabase (PostgreSQL), OAuth2, AES-256-GCM, Zod, Winston, React, Vite, Docker, nginx, Hetzner VPS.

The Results
26 MCP tools live in production across 7 categories: tasks, projects, comments, members, costs, tags, files
Multi-tenant SaaS with OAuth2 auth, per-tenant rate limits, and encrypted credentials
Zero copy-paste between AI assistant and Worksection for daily project operations
30-day OAuth tokens tuned specifically for AI client usage patterns (no silent 401 failures mid-session)
Admin dashboard with tenant management, OAuth secret rotation, and per-tool usage analytics over 7/30/90 day windows
Production-hardened: Docker deployment, nginx reverse proxy, health endpoint with build metadata, structured logging
Active in production serving real tenants on a live VPS

How It Works
1. Tenant registers with their Worksection URL and API key; server encrypts the key and sends an OTP confirmation email
2. Tenant confirms via OTP, account activates
3. AI client (Claude, Cursor, ChatGPT) authenticates via OAuth2 and receives a 30-day bearer token
4. AI calls a tool (e.g., post_task); server validates the bearer token and resolves the tenant from cache
5. Server translates the call to a Worksection GET request with MD5-hashed auth, retries with backoff on failure
6. Compacted response returns to the AI; usage is logged to Supabase for analytics
Work details
Added April 7
Freelancer
Андрей Бойко
Ukraine, Kharkiv