@askmesh/mcp 0.11.1 → 0.12.0

package/dist/agent/auto_responder.d.ts

@@ -4,8 +4,31 @@ import type { Server } from '@modelcontextprotocol/sdk/server/index.js';
 export declare class AutoResponder {
     private client;
     private mcpServer;
+    private profile;
     constructor(client: AskMeshClient);
     setServer(server: Server): void;
+    setProfile(profile: {
+        agentType: string;
+        allowedScopes: string[];
+    }): void;
+    /**
+     * Filter scopes by the requester's role.
+     *
+     * Scopes can be encoded with a minimum-role prefix:
+     *   "code"            → all members
+     *   "lead:db-schema"  → lead, admin, owner only
+     *   "admin:db-data"   → admin, owner only
+     *   "owner:secrets"   → owner only
+     *
+     * Returns the bare scope names that this requester is allowed to use.
+     */
+    private filterScopesByRole;
+    /**
+     * Build a scope-aware extension to the system prompt.
+     * Only applies for server agents — dev/ci agents are unrestricted.
+     * `requesterRole` is used to filter role-tiered scopes per request.
+     */
+    private scopePrompt;
     /**
      * Send a reply through the AskMesh client with a pre-send redaction scan.
      * If secrets are detected, the reply is blocked and a desktop notification +

package/dist/agent/auto_responder.js

@@ -22,12 +22,80 @@ Avoid quoting raw config values — describe them instead.`;
 export class AutoResponder {
     client;
     mcpServer = null;
+    profile = null;
     constructor(client) {
         this.client = client;
     }
     setServer(server) {
         this.mcpServer = server;
     }
+    setProfile(profile) {
+        this.profile = profile;
+    }
+    /**
+     * Filter scopes by the requester's role.
+     *
+     * Scopes can be encoded with a minimum-role prefix:
+     *   "code"            → all members
+     *   "lead:db-schema"  → lead, admin, owner only
+     *   "admin:db-data"   → admin, owner only
+     *   "owner:secrets"   → owner only
+     *
+     * Returns the bare scope names that this requester is allowed to use.
+     */
+    filterScopesByRole(rawScopes, requesterRole) {
+        const ROLE_RANK = { member: 1, lead: 2, admin: 3, owner: 4 };
+        const requesterRank = requesterRole ? (ROLE_RANK[requesterRole] || 0) : 0;
+        const result = [];
+        for (const raw of rawScopes) {
+            const idx = raw.indexOf(':');
+            if (idx === -1) {
+                // No prefix → available to everyone
+                result.push(raw);
+                continue;
+            }
+            const minRole = raw.slice(0, idx);
+            const scope = raw.slice(idx + 1);
+            const minRank = ROLE_RANK[minRole];
+            if (!minRank) {
+                // Unknown prefix → treat as plain scope (e.g. "http:something")
+                result.push(raw);
+                continue;
+            }
+            if (requesterRank >= minRank) {
+                result.push(scope);
+            }
+        }
+        return result;
+    }
+    /**
+     * Build a scope-aware extension to the system prompt.
+     * Only applies for server agents — dev/ci agents are unrestricted.
+     * `requesterRole` is used to filter role-tiered scopes per request.
+     */
+    scopePrompt(requesterRole = null) {
+        if (!this.profile || this.profile.agentType !== 'server')
+            return '';
+        const allScopes = this.profile.allowedScopes || [];
+        const scopes = this.filterScopesByRole(allScopes, requesterRole);
+        const roleHint = requesterRole ? ` (requester role: ${requesterRole})` : ' (requester role: unknown)';
+        if (scopes.length === 0) {
+            return [
+                '',
+                `SERVER AGENT — RESTRICTIVE MODE${roleHint}:`,
+                'No allowed scopes apply for this requester. Refuse to share any project content.',
+                'Reply with: "This server agent is not authorized to share information at your role level."',
+            ].join('\n');
+        }
+        const lines = ['', `SERVER AGENT — ALLOWED SCOPES${roleHint}:`];
+        lines.push('You are a restricted server agent. You may ONLY share information that falls within these scopes:');
+        for (const s of scopes) {
+            lines.push(`  • ${s}`);
+        }
+        lines.push('');
+        lines.push('Refuse anything outside these scopes with: "This server agent is not authorized to share that information."');
+        return lines.join('\n');
+    }
     /**
      * Send a reply through the AskMesh client with a pre-send redaction scan.
      * If secrets are detected, the reply is blocked and a desktop notification +
@@ -73,6 +141,7 @@ export class AutoResponder {
         if (this.mcpServer) {
             try {
                 const context = readLocalContext();
+                const scopeRules = this.scopePrompt(request.fromUserRole || null);
                 const result = (await this.mcpServer.request({
                     method: 'sampling/createMessage',
                     params: {
@@ -83,6 +152,7 @@ export class AutoResponder {
                                     type: 'text',
                                     text: [
                                         `A teammate @${request.fromUsername} is asking you a question via AskMesh.`,
+                                        scopeRules,
                                         ``,
                                         `Your project context:`,
                                         context,
@@ -150,6 +220,7 @@ export class AutoResponder {
     }
     async callAnthropicAPI(apiKey, request, context) {
         const model = process.env.ANTHROPIC_MODEL || 'claude-sonnet-4-20250514';
+        const fullSystem = SYSTEM_PROMPT + this.scopePrompt(request.fromUserRole || null);
         const response = await fetch('https://api.anthropic.com/v1/messages', {
             method: 'POST',
             headers: {
@@ -160,7 +231,7 @@ export class AutoResponder {
             body: JSON.stringify({
                 model,
                 max_tokens: 2048,
-                system: SYSTEM_PROMPT,
+                system: fullSystem,
                 messages: [
                     {
                         role: 'user',

package/dist/client/askmesh_client.d.ts

@@ -29,6 +29,7 @@ export declare class AskMeshClient {
             id: number;
             fromAgentId: number;
             fromUsername: string;
+            fromUserRole?: string | null;
             question: string;
             context: string | null;
             status: string;
@@ -54,6 +55,13 @@ export declare class AskMeshClient {
         status: string;
         lastSeenAt: string | null;
     }>;
+    getMe(): Promise<{
+        id: number;
+        username: string;
+        agentType: 'dev' | 'server' | 'ci';
+        requireApproval: boolean;
+        allowedScopes: string[];
+    }>;
     setContext(context: string): Promise<{
         message: string;
         context: string;

package/dist/client/askmesh_client.js

@@ -71,6 +71,14 @@ export class AskMeshClient {
             throw new Error(`getAgentStatus failed: ${res.status}`);
         return res.json();
     }
+    async getMe() {
+        const res = await fetch(`${this.baseUrl}/api/v1/agents/me`, {
+            headers: this.headers(),
+        });
+        if (!res.ok)
+            throw new Error(`getMe failed: ${res.status}`);
+        return res.json();
+    }
     async setContext(context) {
         const res = await fetch(`${this.baseUrl}/api/v1/agents/context`, {
             method: 'PUT',

package/dist/index.js

@@ -11,7 +11,7 @@ const TOKEN = process.env.ASKMESH_TOKEN;
 const URL = process.env.ASKMESH_URL || 'https://api.askmesh.dev';
 const server = new McpServer({
     name: 'askmesh',
-    version: '0.11.1',
+    version: '0.12.0',
 });
 if (!TOKEN) {
     // No token — start in setup-only mode
@@ -25,6 +25,18 @@ else {
     const autoResponder = new AutoResponder(client);
     registerAskMesh(server, client);
     autoResponder.setServer(server.server);
+    // Fetch agent profile (type, scopes) — used by auto-responder for prompt enforcement
+    client.getMe()
+        .then((me) => {
+        autoResponder.setProfile({ agentType: me.agentType, allowedScopes: me.allowedScopes || [] });
+        const scopeInfo = me.agentType === 'server'
+            ? ` — scopes: ${(me.allowedScopes || []).join(', ') || 'none (restrictive)'}`
+            : '';
+        console.error(`[AskMesh] Authenticated as @${me.username} (${me.agentType})${scopeInfo}`);
+    })
+        .catch((err) => {
+        console.error('[AskMesh] Failed to fetch agent profile:', err instanceof Error ? err.message : err);
+    });
     // Start SSE listener
     const sse = new SseListener();
     sse.start(URL, TOKEN, async (request) => {
@@ -49,7 +61,8 @@ else {
                     await autoResponder.handleRequest({
                         id: req.id,
                         fromAgentId: req.fromAgentId,
-                        fromUsername: `agent#${req.fromAgentId}`,
+                        fromUsername: req.fromUsername || `agent#${req.fromAgentId}`,
+                        fromUserRole: req.fromUserRole || null,
                         question: req.question,
                         context: req.context,
                     });

package/dist/sse/sse_listener.d.ts

@@ -2,6 +2,7 @@ export interface IncomingRequest {
     id: number;
     fromAgentId: number;
     fromUsername: string;
+    fromUserRole?: string | null;
     question: string;
     context: string | null;
 }

package/dist/tools/askmesh.js

@@ -282,7 +282,7 @@ Si l'utilisateur n'a pas encore de compte, dirige-le vers https://askmesh.dev po
         return text('Action inconnue.');
     });
 }
-const CURRENT_VERSION = '0.11.1';
+const CURRENT_VERSION = '0.12.0';
 async function checkUpdateAndSetup() {
     const lines = [];
     lines.push(`Version actuelle : ${CURRENT_VERSION}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@askmesh/mcp",
-  "version": "0.11.1",
+  "version": "0.12.0",
   "description": "AskMesh MCP server — connect your AI coding agent to your team's mesh network",
   "type": "module",
   "bin": {