ThinkWatchProject
diff --git a/‎src/components/SiteHeader.astro‎
Lines changed: 1 addition & 0 deletions b/‎src/components/SiteHeader.astro‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎src/components/sections/MCPAdvantage.astro‎
Lines changed: 183 additions & 0 deletions b/‎src/components/sections/MCPAdvantage.astro‎
Lines changed: 183 additions & 0 deletions
diff --git a/‎src/content/changelog/en/2026-05-08-v0.3.0.md‎
Lines changed: 44 additions & 0 deletions b/‎src/content/changelog/en/2026-05-08-v0.3.0.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎src/content/changelog/zh-CN/2026-05-08-v0.3.0.md‎
Lines changed: 44 additions & 0 deletions b/‎src/content/changelog/zh-CN/2026-05-08-v0.3.0.md‎
Lines changed: 44 additions & 0 deletions
@@ -21,6 +21,7 @@ const homeAnchor = (hash: string) => (isHome ? hash : `${homePath}${hash}`);
 const links = [
   { href: homeAnchor("#how"), label: s.nav.how },
   { href: homeAnchor("#features"), label: s.nav.features },
+  { href: homeAnchor("#mcp"), label: s.nav.mcp },
   { href: homeAnchor("#dashboard"), label: s.nav.console },
   { href: homeAnchor("#pricing"), label: s.nav.pricing },
   { href: localePath(lang, "/docs"), label: s.nav.docs },
 
@@ -0,0 +1,183 @@
+---
+import { getLang, t } from "~/i18n";
+
+const s = t(getLang(Astro)).mcpAdvantage;
+
+// Map raw cell values to (label, treatment) so the table renders consistently
+// across en / zh-CN. Treatment drives color: positive = green, neutral = amber,
+// negative = dim red.
+type Treatment = "positive" | "neutral" | "negative";
+const cellMap: Record<string, { label: string; treatment: Treatment }> = {
+  yes:           { label: "✓",                 treatment: "positive" },
+  no:            { label: "—",                 treatment: "negative" },
+  shared:        { label: s.legendShared ?? "shared account",  treatment: "negative" },
+  partial:       { label: s.legendPartial ?? "partial",        treatment: "neutral"  },
+  limited:       { label: s.legendLimited ?? "limited",        treatment: "neutral"  },
+  "hosted-only": { label: s.legendHostedOnly ?? "hosted-only", treatment: "neutral"  },
+  "n/a":         { label: "n/a",               treatment: "negative" },
+  saas:          { label: s.legendSaas ?? "SaaS-only",         treatment: "neutral"  },
+  varies:        { label: s.legendVaries ?? "varies",          treatment: "neutral"  },
+  english:       { label: s.legendEnglish ?? "English-only",   treatment: "neutral"  },
+  proprietary:   { label: s.legendProprietary ?? "proprietary",treatment: "neutral"  },
+  oss:           { label: s.legendOss ?? "OSS",                treatment: "neutral"  },
+};
+
+function cell(raw: string) {
+  return cellMap[raw] ?? { label: raw, treatment: "neutral" as Treatment };
+}
+
+const treatmentClass: Record<Treatment, string> = {
+  positive: "text-[var(--color-brand-1)]",
+  neutral:  "text-amber-300/80",
+  negative: "text-[var(--color-dim)]",
+};
+---
+
+<section id="mcp" class="py-20 sm:py-28 border-t border-white/5 relative overflow-hidden">
+  <!-- Subtle radial accent so the section reads as the marquee MCP pitch -->
+  <div
+    class="pointer-events-none absolute inset-0 -z-0"
+    aria-hidden="true"
+    style="background: radial-gradient(60% 50% at 80% 0%, rgba(61, 219, 217, 0.07), transparent 60%), radial-gradient(50% 40% at 10% 100%, rgba(168, 85, 247, 0.06), transparent 60%);"
+  ></div>
+
+  <div class="container-page relative z-10">
+    <div class="max-w-3xl">
+      <div class="text-xs uppercase tracking-[0.18em] text-[var(--color-brand-1)] font-medium mb-4">
+        {s.eyebrow}
+      </div>
+      <h2 class="text-3xl sm:text-4xl md:text-5xl font-semibold tracking-tight">
+        {s.title}<span class="text-gradient">{s.titleHighlight}</span>.
+      </h2>
+      <p class="mt-4 sm:mt-5 text-base sm:text-lg text-[var(--color-muted)] leading-relaxed">
+        {s.sub}
+      </p>
+    </div>
+
+    <!-- Comparison table -->
+    <div class="mt-14">
+      <div class="text-xs uppercase tracking-[0.18em] text-[var(--color-muted)] mb-4">
+        {s.tableTitle}
+      </div>
+
+      <div class="rounded-2xl border border-white/10 bg-[var(--color-surface)]/60 overflow-hidden">
+        <div class="overflow-x-auto">
+          <table class="w-full text-sm min-w-[720px]">
+            <thead>
+              <tr class="border-b border-white/10 bg-white/[0.02]">
+                {s.columns.map((col, i) => (
+                  <th
+                    scope="col"
+                    class:list={[
+                      "text-left px-5 py-4 text-xs uppercase tracking-[0.14em] font-medium",
+                      i === 0 ? "text-[var(--color-muted)]" : "",
+                      i === 1 ? "text-white" : "",
+                      i > 1 ? "text-[var(--color-dim)]" : "",
+                    ]}
+                  >
+                    {i === 1 ? (
+                      <span class="inline-flex items-center gap-1.5">
+                        <span class="w-1.5 h-1.5 rounded-full bg-[var(--color-brand-1)] shadow-[0_0_8px_var(--color-brand-1)]" aria-hidden="true"></span>
+                        {col}
+                      </span>
+                    ) : (
+                      col
+                    )}
+                  </th>
+                ))}
+              </tr>
+            </thead>
+            <tbody>
+              {s.rows.map((row, rIdx) => (
+                <tr class:list={["border-b border-white/5 last:border-b-0", rIdx % 2 === 1 ? "bg-white/[0.015]" : ""]}>
+                  <td class="px-5 py-3.5 text-[var(--color-muted)]">{row.label}</td>
+                  {row.values.map((raw, cIdx) => {
+                    const c = cell(raw);
+                    return (
+                      <td
+                        class:list={[
+                          "px-5 py-3.5 font-mono text-[13px] tabular-nums",
+                          treatmentClass[c.treatment],
+                          cIdx === 0 ? "font-semibold" : "",
+                        ]}
+                      >
+                        {c.label}
+                      </td>
+                    );
+                  })}
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      </div>
+
+      <p class="mt-3 text-xs text-[var(--color-dim)]">{s.tableNote}</p>
+    </div>
+
+    <!-- Differentiator cards -->
+    <div class="mt-14 sm:mt-16">
+      <div class="text-xs uppercase tracking-[0.18em] text-[var(--color-muted)] mb-4">
+        {s.cardsTitle}
+      </div>
+      <div class="grid gap-4 sm:gap-5 sm:grid-cols-2">
+        {s.cards.map((card, i) => (
+          <div
+            class="mcp-card group relative rounded-2xl border border-white/10 bg-[var(--color-surface)]/60 p-6 hover:border-white/25 transition-colors overflow-hidden"
+            style={`--mcp-delay:${i * 80}ms`}
+          >
+            <div class="flex items-start justify-between mb-4">
+              <span class="font-mono text-[11px] tracking-[0.18em] text-[var(--color-brand-1)]">
+                0{i + 1}
+              </span>
+              <span class="font-mono text-[10px] uppercase tracking-[0.18em] text-[var(--color-dim)]">
+                ThinkWatch
+              </span>
+            </div>
+            <h3 class="text-lg font-semibold tracking-tight mb-2">{card.title}</h3>
+            <p class="text-sm text-[var(--color-muted)] leading-relaxed">{card.body}</p>
+            <div class="absolute bottom-0 left-0 right-0 h-px bg-gradient-to-r from-transparent via-cyan-400/40 to-transparent opacity-0 group-hover:opacity-100 transition-opacity"></div>
+          </div>
+        ))}
+      </div>
+    </div>
+  </div>
+</section>
+
+<style>
+  .mcp-card {
+    opacity: 0;
+    transform: translateY(14px);
+  }
+  .mcp-card.is-visible {
+    animation: mcpFadeUp 600ms cubic-bezier(.2,.7,.25,1) both;
+    animation-delay: var(--mcp-delay, 0ms);
+  }
+  @keyframes mcpFadeUp {
+    from { opacity: 0; transform: translateY(14px); }
+    to   { opacity: 1; transform: translateY(0); }
+  }
+  @media (prefers-reduced-motion: reduce) {
+    .mcp-card { opacity: 1; transform: none; animation: none !important; }
+  }
+</style>
+
+<script>
+  const cards = document.querySelectorAll(".mcp-card");
+  if (cards.length && "IntersectionObserver" in window) {
+    const obs = new IntersectionObserver(
+      (entries) => {
+        for (const entry of entries) {
+          if (entry.isIntersecting) {
+            entry.target.classList.add("is-visible");
+            obs.unobserve(entry.target);
+          }
+        }
+      },
+      { threshold: 0.15 }
+    );
+    cards.forEach((c) => obs.observe(c));
+  } else {
+    cards.forEach((c) => c.classList.add("is-visible"));
+  }
+</script>
@@ -0,0 +1,44 @@
+---
+version: "0.3.0"
+date: 2026-05-08
+type: feature
+title: MCP, the per-user way
+highlights:
+  - Per-user upstream credentials — every developer authenticates as themselves to GitHub, Linear, Slack
+  - One-paste OAuth onboarding via Dynamic Client Registration
+  - MCP Store with bilingual templates (Linear OAuth seeded out of the box)
+  - Step-by-step registration wizard + auth-mode-aware edit form
+  - Three-tier upstream subject resolution (JWT + userinfo + discovery)
+  - Per-credential Test Connection on /connections
+  - Per-user tool catalogs — different users see different tools based on upstream permissions
+  - MCP response cache scoped per (user, account_label) — no cross-user leakage
+  - Security hardening from review — SSRF, cache, rate limits, audit
+---
+
+## Per-user upstream credentials
+
+The MCP gateway no longer pretends every user is the same upstream service account. Each developer authenticates as themselves — via OAuth or PAT — to GitHub, Linear, Slack, and any other MCP-enabled service. The upstream audit trail finally works end-to-end: tickets are assigned to real people, GitHub issues are created by the engineer who actually filed them. Per-key account overrides let one user maintain multiple identities (personal + work GitHub) and pick which one a given API key uses.
+
+## One-paste OAuth onboarding
+
+Paste an MCP server URL into the registration wizard. ThinkWatch handles **Dynamic Client Registration** with the upstream OAuth server, runs the auth probe, captures the OAuth client credentials at install time, and walks you through the consent screen. 401/403 from anonymous probes is correctly classified as `auth_required` (with an amber status indicator on the catalog tile) rather than a hard failure, so partially-protected servers register cleanly.
+
+## MCP Store
+
+A bilingual template registry is now built into the gateway. Templates ship with sensible defaults, the necessary OAuth scopes, and end-user-facing notes. The Linear OAuth template is seeded out of the box; more popular services follow. **Display labels** disambiguate multi-install templates so a personal GitHub install and a work GitHub install appear as distinct tiles instead of two indistinguishable entries.
+
+## Step-by-step registration wizard
+
+MCP server registration was reworked into a guided wizard with auth-mode-aware screens. The edit form refuses to save fields that don't belong to the current auth mode, and tool-call / install errors are now surfaced in plain language with actionable next steps instead of raw JSON-RPC error codes.
+
+## Three-tier upstream subject resolution
+
+When an upstream MCP server uses OAuth, ThinkWatch resolves the upstream user identity through a three-tier strategy: parse the JWT if present, fall back to the OAuth userinfo endpoint, fall back again to issuer discovery. The resolved subject becomes the cache and audit key, so two users who share an MCP server stay strictly separated downstream.
+
+## Per-credential Test Connection
+
+The `/connections` page surfaces a per-credential **Test Connection** button. Verify your OAuth/PAT actually works against the upstream server before committing to it; the result is structured (auth_ok / auth_required / unreachable / tool_call_ok) rather than a single green/red dot, so you know exactly which step is broken.
+
+## Security hardening
+
+Following an internal security review, the MCP path now has SSRF protection on probe URLs, the response cache is scoped per `(user, account_label)` so OAuth/PAT data never leaks across users, rate limits are applied at every gateway hop, audit records are emitted on tool-call boundaries, and admin foot-gun guards prevent the most common misconfigurations (verifying static tokens at paste time, blocking obviously-wrong credential combinations).
@@ -0,0 +1,44 @@
+---
+version: "0.3.0"
+date: 2026-05-08
+type: feature
+title: MCP，按用户的方式
+highlights:
+  - 按用户的上游凭证——每位开发者以自己的身份连接 GitHub、Linear、Slack
+  - Dynamic Client Registration 一键 OAuth 接入
+  - MCP Store 双语模板市场（Linear OAuth 模板开箱预置）
+  - 分步注册向导 + 鉴权模式感知的编辑表单
+  - 三层上游身份解析（JWT + userinfo + discovery）
+  - /connections 页面提供逐凭证 Test Connection
+  - 按用户的工具目录——不同用户根据上游权限看到不同工具集
+  - MCP 响应缓存按 (user, account_label) 隔离——无跨用户串扰
+  - 安全评审加固 —— SSRF、缓存隔离、限流、审计
+---
+
+## 按用户的上游凭证
+
+MCP 网关不再假装所有用户都是同一个上游服务账号。每位开发者以自己的身份——通过 OAuth 或 PAT——连接 GitHub、Linear、Slack 以及任何启用了 MCP 的服务。上游审计轨迹终于端到端贯通：工单分配给真实的人、GitHub Issue 由实际提交者创建。逐密钥账号覆盖（per-key account override）让同一用户可同时维护多个身份（个人 + 工作 GitHub），并指定某个 API 密钥使用哪一个。
+
+## 一键 OAuth 接入
+
+在注册向导中粘贴 MCP 服务器 URL，ThinkWatch 自动与上游 OAuth 服务器完成 **Dynamic Client Registration**，运行鉴权探测，在安装时收集 OAuth 客户端凭证，并引导你完成授权页面。匿名探测的 401/403 被正确识别为 `auth_required`（在目录卡片上显示琥珀色状态指示），而不是硬性失败——部分受保护的服务器也能干净地注册。
+
+## MCP Store
+
+网关内置双语模板注册表。模板自带合理默认值、所需 OAuth scope，以及面向终端用户的说明。Linear OAuth 模板开箱预置，更多主流服务陆续加入。**Display Label** 让多次安装的模板区分清晰：个人 GitHub 安装与工作 GitHub 安装显示为独立卡片，而不是两个无法分辨的条目。
+
+## 分步注册向导
+
+MCP 服务器注册重构为分步引导式向导，鉴权模式不同呈现不同界面。编辑表单拒绝保存与当前鉴权模式不匹配的字段；工具调用与安装错误以易懂的语言展示并给出可执行的下一步建议，而不是原始 JSON-RPC 错误码。
+
+## 三层上游身份解析
+
+当上游 MCP 服务器使用 OAuth 时，ThinkWatch 通过三层策略解析上游用户身份：先解析 JWT，回落到 OAuth userinfo 端点，再回落到 issuer discovery。解析得到的 subject 作为缓存和审计的关键键值，让共用同一个 MCP 服务器的两位用户在下游严格分离。
+
+## 逐凭证 Test Connection
+
+`/connections` 页面为每个凭证提供 **Test Connection** 按钮。在正式提交前先验证你的 OAuth/PAT 是否真的能连上上游服务器；结果是结构化的（auth_ok / auth_required / unreachable / tool_call_ok），不再是单一红绿点——你能精确知道哪一步出了问题。
+
+## 安全加固
+
+经过一次内部安全评审，MCP 路径新增：探测 URL 的 SSRF 防护；响应缓存按 `(user, account_label)` 隔离，OAuth/PAT 数据绝不跨用户泄露；每一跳网关都启用限流；工具调用边界发出结构化审计；管理员防误操作护栏（粘贴时验证静态 Token、阻止明显错误的凭证组合）。