v0.1.0 — Phase 2.A complete

First public release

3 image/diagram MCP servers aggregated behind a single OAuth 2.1-protected subdomain.

What works

• openai-image / excalidraw / mermaid callable from Windows / WSL2 / remote Claude Code via Streamable HTTP
• OAuth 2.1 with Dynamic Client Registration + audience-bound JWT
• OPENAI_API_KEY lives only on the server, never on clients
• Docker Compose deployment, Caddy out front for TLS
• Day-1 budget guards: OpenAI auto-recharge OFF + monthly cap, LAN-only listen, .env excluded from git/backups

Lessons baked in (root-cause fixes, not band-aids)

1. Streamable HTTP, not SSE — SSE's event: endpoint emits absolute paths that break behind reverse proxies
2. Fetch-based reverse proxy — http-proxy-middleware v3 + Express 5 silently fail; node:fetch is 40 lines and reliable
3. chromium --no-sandbox wrapper — puppeteer in containers can't run as root; Dockerfile substitutes /usr/bin/chromium with a wrapper

What's next

• Week-2 guards (per-client rate limit, budget alerts, anomaly detection)
• Phase 2.B: /gallery UI, /dashboard, content-hash cache
• Phase 4: pipeline MCP, image→prompt vision MCP, fal.ai layer

See docs/PLAN-mcp-image-hub.md for the full roadmap.