Add debug-mcp-deploy skill for diagnosing staging/prod issues

Covers Helm values layering, SOPS secrets inspection, auth flow
debugging, JWKS verification, and common failure modes.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: RafaelPo

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "everyrow",
   "description": "Claude Code plugin for the everyrow SDK - AI-powered data processing utilities for transforming, deduping, merging, ranking, and screening dataframes",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "author": {
     "name": "FutureSearch"
   },

.claude/skills/debug-mcp-deploy/SKILL.md

@@ -0,0 +1,182 @@
+---
+name: debug-mcp-deploy
+description: Debug MCP server deployment issues on staging and production. Use when investigating pod failures, auth errors, JWKS verification failures, token mismatches, Helm deploy issues, or environment config problems. Triggers on debug deploy, staging error, pod logs, auth failure, JWKS, 401.
+---
+
+# Debugging MCP Server Deployments
+
+Commands below use `<staging-namespace>` as a placeholder. Resolve it from `values.staging.yaml` and the deploy workflow (the Helm release name and namespace match).
+
+## Deployment Architecture
+
+The MCP server uses a Helm chart with layered values and SOPS-encrypted secrets.
+
+### Environments
+
+Production and staging namespaces, hosts, and Redis DBs are defined in `values.yaml` and `values.staging.yaml`. Check those files for current values.
+
+Both environments hit the **same production EveryRow API** (there is no staging API). This means Supabase JWTs must be verifiable by the production API.
+
+### Values Layering
+
+```
+helm upgrade <staging-namespace> . \
+  -f values.yaml                    # Base config
+  -f values.staging.yaml            # Staging overrides (MCP_SERVER_URL, REDIS_DB, host)
+  -f values.secrets.staging.yaml    # Decrypted from secrets.staging.enc.yaml
+```
+
+### Key Files
+
+| File | Purpose |
+|---|---|
+| `everyrow-mcp/deploy/chart/values.yaml` | Base Helm values |
+| `everyrow-mcp/deploy/chart/values.staging.yaml` | Staging overrides |
+| `everyrow-mcp/deploy/chart/secrets.enc.yaml` | Production secrets (SOPS) |
+| `everyrow-mcp/deploy/chart/secrets.staging.enc.yaml` | Staging secrets (SOPS) |
+| `.github/workflows/deploy-mcp.yaml` | CI/CD workflow |
+
+## Debugging Workflow
+
+### Step 1: Check pod status and logs
+
+```bash
+# Pod status
+kubectl get pods -n <staging-namespace> -o wide
+
+# Recent logs (INFO level by default)
+kubectl logs -n <staging-namespace> -l app=<staging-namespace> --tail=200
+
+# Filter for errors
+kubectl logs -n <staging-namespace> -l app=<staging-namespace> --tail=500 | grep -iE "error|warn|401|500|fail"
+```
+
+Note: `verify_token` logs JWT failures at DEBUG level only. If you suspect auth issues but see no errors, the token verification is silently returning `None`.
+
+### Step 2: Inspect pod environment
+
+```bash
+# Check all relevant env vars
+kubectl exec -n <staging-namespace> deploy/<staging-namespace> -- env | grep -iE "SUPABASE|MCP_SERVER|REDIS|EVERYROW_API"
+```
+
+### Step 3: Compare secrets across environments
+
+```bash
+# Decrypt and compare
+sops -d everyrow-mcp/deploy/chart/secrets.enc.yaml          # Production
+sops -d everyrow-mcp/deploy/chart/secrets.staging.enc.yaml   # Staging
+```
+
+### Step 4: Update a secret value
+
+```bash
+sops --set '["secrets"]["data"]["KEY_NAME"] "new-value"' everyrow-mcp/deploy/chart/secrets.staging.enc.yaml
+```
+
+## Auth Flow Debugging
+
+The MCP server uses a 3-leg OAuth flow: Google → Supabase → MCP Server → Claude.
+
+### Token verification path
+
+1. Client sends Bearer token (a Supabase JWT) with each `/mcp` request
+2. `SupabaseTokenVerifier.verify_token()` fetches JWKS from `{SUPABASE_URL}/auth/v1/.well-known/jwks.json`
+3. Finds signing key by matching JWT header `kid` against JWKS keys
+4. Decodes JWT with issuer=`{SUPABASE_URL}/auth/v1`, audience=`authenticated`
+5. If valid, the JWT is also used as Bearer token for EveryRow API calls (`app.py:_http_client_factory`)
+
+### Test JWKS endpoint from inside the pod
+
+```bash
+kubectl exec -n <staging-namespace> deploy/<staging-namespace> -- python3 -c "
+import httpx, json, os
+url = os.environ['SUPABASE_URL']
+r = httpx.get(f'{url}/auth/v1/.well-known/jwks.json')
+print(json.dumps(r.json(), indent=2))
+"
+```
+
+### Test token verification end-to-end
+
+```bash
+kubectl exec -n <staging-namespace> deploy/<staging-namespace> -- python3 -c "
+import httpx, os
+api = os.environ.get('EVERYROW_API_URL', 'https://everyrow.io/api/v0')
+r = httpx.post(f'{api}/sessions',
+    headers={'Authorization': 'Bearer fake.test.token', 'Content-Type': 'application/json'},
+    json={}, timeout=10)
+print(f'Status: {r.status_code}')
+print(f'Body: {r.text[:300]}')
+"
+```
+
+## Common Issues
+
+### "No matching signing key found in JWKS"
+
+**Symptom**: Tool calls fail with 401: `{"detail":"Error verifying token: No matching signing key found in JWKS"}`
+
+**Root cause**: Supabase project mismatch. The MCP server authenticates via one Supabase project but the EveryRow API verifies tokens against a different project's JWKS. The JWT `kid` doesn't match.
+
+**Diagnosis**:
+1. Check which Supabase project staging uses: `sops -d secrets.staging.enc.yaml | grep SUPABASE_URL`
+2. Check which project production uses: `sops -d secrets.enc.yaml | grep SUPABASE_URL`
+3. If they differ, staging JWTs won't be accepted by the production EveryRow API
+
+**Fix**: Staging must use the same Supabase project as production (since both hit the same EveryRow API):
+```bash
+sops --set '["secrets"]["data"]["SUPABASE_URL"] "https://<prod-project>.supabase.co"' secrets.staging.enc.yaml
+sops --set '["secrets"]["data"]["SUPABASE_ANON_KEY"] "<prod-anon-key>"' secrets.staging.enc.yaml
+```
+
+### Silent 401s with no error in logs
+
+**Symptom**: `/mcp` requests return 401 but no error appears in pod logs.
+
+**Root cause**: `SupabaseTokenVerifier.verify_token()` catches all `PyJWTError` exceptions and logs at DEBUG level only, then returns `None`. The MCP SDK middleware sees `None` and returns 401.
+
+**Diagnosis**: Exec into the pod and manually test token verification, or temporarily increase log level.
+
+### Token works initially then stops
+
+**Symptom**: Tools work right after OAuth, then start returning 401 after ~1 hour.
+
+**Root cause**: Supabase JWTs expire after 1 hour. The MCP client should use the refresh token to get a new JWT. Check if the refresh flow works.
+
+**Diagnosis**: Look for `grant_type=refresh_token` requests in logs and check their status codes.
+
+### Pod can't reach Supabase JWKS
+
+**Symptom**: JWKS fetch times out (logged as "JWKS fetch timed out (10s)").
+
+**Diagnosis**: Test network from inside the pod:
+```bash
+kubectl exec -n <staging-namespace> deploy/<staging-namespace> -- python3 -c "
+import httpx, os
+r = httpx.get(f'{os.environ[\"SUPABASE_URL\"]}/auth/v1/.well-known/jwks.json', timeout=10)
+print(r.status_code, r.text[:200])
+"
+```
+
+## Deploying a Fix
+
+After updating secrets or config:
+
+1. Commit and push to the branch
+2. Trigger the deploy workflow:
+   ```bash
+   gh workflow run deploy-mcp.yaml -f branch=<branch> -f deploy_staging=true
+   ```
+3. Monitor the deployment:
+   ```bash
+   kubectl rollout status deploy/<staging-namespace> -n <staging-namespace> --timeout=5m
+   ```
+4. Verify the fix by checking logs for successful auth flows
+
+## Gotchas
+
+- **No staging EveryRow API**: `values.staging.yaml` intentionally does NOT override `EVERYROW_API_URL`. Both environments use production.
+- **SOPS KMS access**: Decryption requires GCP IAM permissions on the KMS key referenced in the `.sops` metadata of each encrypted file. Run `gcloud auth application-default login` if it fails.
+- **Redis DB isolation**: Staging and production use different Redis DB indices (see `values.yaml` / `values.staging.yaml`). They share the same Redis Sentinel cluster.
+- **`_UNSAFE_decode_server_jwt`**: Hardcodes `algorithms=["RS256"]` but this is only for trusted server-to-server token inspection (signature verification disabled). It does NOT affect client-facing token verification.

.github/workflows/skill-version-check.yaml

@@ -3,7 +3,7 @@ name: Skill Version Check
 on:
   pull_request:
     paths:
-      - "**/skills/**"
+      - "skills/**"
 
 jobs:
   check-version-bump: