@ateam-ai/mcp 0.3.50 → 0.3.52

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ateam-ai/mcp",
-  "version": "0.3.50",
+  "version": "0.3.52",
   "mcpName": "io.github.ariekogan/ateam-mcp",
   "description": "A-Team MCP Server — build, validate, and deploy multi-agent solutions from any AI environment",
   "type": "module",

package/src/tools.js

@@ -275,18 +275,18 @@ export const tools = [
     name: "ateam_test_notification",
     core: true,
     description:
-      "Fire a REAL notification at an existing actor in a deployed solution — for end-to-end testing of the system-initiated notification path (telegram/push/app channels + reply routing + engagement-flip).\n\n" +
+      "Fire a REAL notification at an existing actor in a deployed solution — for end-to-end testing of the system-initiated notification path (telegram/push/app channels).\n\n" +
       "Unlike ateam_test_skill (synthetic test actor with no channels) and ateam_conversation (user-initiated thread), this calls the /api/internal/notify-user path that PCM and other sibling services use — so the actor's real enabled channels actually receive the message.\n\n" +
       "Use for:\n" +
-      "  • Routing-hook tests (does user's next reply route to the right skill given reply_handler?)\n" +
-      "  • Engagement-flip tests (does the receiver-skill's tool call flip engaged:true on the right notification?)\n" +
-      "  • Channel fan-out smoke (does telegram/push/app actually receive it?)\n\n" +
+      "  • Channel fan-out smoke (does telegram/push/app actually receive it?)\n" +
+      "  • Delivery-result verification (per-channel ok/failed in the response).\n\n" +
+      "Auth: forwards your authed api_key to Core (no master-secret involvement). Tenant is pinned by the key itself — cross-tenant targeting is structurally impossible.\n\n" +
       "⚠️ SAFETY:\n" +
       "  • The text is prefixed with [TEST] in the actual notification — visible to the user, anti-phishing.\n" +
       "  • Rate-limited: 10 calls/min per session.\n" +
       "  • Every call is audited (caller, tenant, actor, content hash) regardless of outcome.\n" +
-      "  • actor_id is scoped to your tenant — cross-tenant targeting is rejected by Core.\n" +
-      "  • reply_handler is passed through unchanged (Core handles TTL). v2 will add a tenant allowlist + context schema validation; until then, only set reply_handler against skills you trust to receive arbitrary context.",
+      "  • actor_id is scoped to your tenant — cross-tenant targeting is rejected by Core's per-tenant Mongo isolation.\n" +
+      "  • reply_handler is NOT supported via api-key auth (Core ignores it). Routing the user's next reply to an arbitrary skill is a privilege-escalation surface. For routing/engagement tests, use ateam_test_skill.",
     inputSchema: {
       type: "object",
       properties: {
@@ -315,14 +315,6 @@ export const tools = [
           type: "object",
           description: "Optional metadata merged into message.metadata. Useful for correlation IDs.",
         },
-        reply_handler: {
-          type: "object",
-          description: "OPTIONAL — install a routing hook so the user's next reply goes to a specific skill with injected context. Shape: { skill: 'skill_id', context: { ...arbitrary } }. Common contexts: dialogueId, observationId, proposalId, candidateSpecs, patternId, mode.\n\n⚠️ This semantically hijacks the user's next reply. Only use against skills designed to receive notification replies (e.g. 'ui-companion', 'pcm-companion'). v2 will enforce a tenant allowlist.",
-          properties: {
-            skill: { type: "string", description: "Skill ID to route the next reply to." },
-            context: { type: "object", description: "Object injected into the receiving job's triggerContext." },
-          },
-        },
       },
       required: ["solution_id", "actor_id", "content"],
     },
@@ -2808,11 +2800,26 @@ const handlers = {
     return post(`/deploy/solutions/${solution_id}/skills/${skill_id}/test`, body, sid, { timeoutMs });
   },
 
-  ateam_test_notification: async ({ solution_id, actor_id, content, urgency, source, metadata, reply_handler }, sid) => {
+  ateam_test_notification: async ({ solution_id, actor_id, content, urgency, source, metadata, reply_handler, ...rest }, sid) => {
     if (!solution_id) throw new Error("solution_id required");
     if (!actor_id) throw new Error("actor_id required");
     if (!content || typeof content !== "string") throw new Error("content required (string)");
 
+    // v1: reply_handler is intentionally NOT supported (privilege-escalation
+    // surface — caller could route user's next reply to any skill with
+    // arbitrary context). Reject the field rather than silently dropping it,
+    // so callers know to stop relying on it. v2 will add allowlist + schema.
+    if (reply_handler !== undefined) {
+      throw new Error("reply_handler is not supported in v1 of ateam_test_notification (security: caller-supplied skill + context = privilege escalation). v2 will add a tenant skill allowlist + context schema. For routing/engagement tests, use ateam_test_skill instead.");
+    }
+    // Defense-in-depth: also reject any unknown field that might smuggle a
+    // reply_handler via case variants or aliases.
+    for (const k of Object.keys(rest || {})) {
+      if (/reply/i.test(k) || /handler/i.test(k)) {
+        throw new Error(`Unsupported field "${k}" in ateam_test_notification (likely a reply_handler alias — see v1 safety note).`);
+      }
+    }
+
     // Rate limit: 10 calls / minute / session. In-memory; bounded leak fine
     // for a test tool. Survives until process restart, which is acceptable
     // (the bound is per-session, not per-tenant).
@@ -2830,18 +2837,19 @@ const handlers = {
     entry.times.push(now);
     bucket.set(sid, entry);
 
-    // Get the authed tenant — used for X-ADAS-TENANT header (Core scopes
-    // the actor lookup by tenant, so cross-tenant targeting is rejected at
-    // Core regardless of what we pass).
+    // Forward the caller's authed api_key to Core. Tenant scoping is
+    // enforced by the key itself (Core's attachActor parses the tenant out
+    // of adas_<tenant>_<hex> and pins req.tenant). This removes the need
+    // for the MCP server to hold CORE_MCP_SECRET for this tool — the
+    // caller's own credential is what authorizes the action.
     const creds = getCredentials(sid);
     const tenant = creds?.tenant;
-    if (!tenant) throw new Error("No tenant in session — call ateam_auth first.");
+    const apiKey = creds?.apiKey;
+    if (!tenant || !apiKey) {
+      throw new Error("No api_key in session — call ateam_auth(api_key: \"adas_<tenant>_<hex>\") first. ateam_test_notification requires a tenant API key (master_key auth is not supported for this tool).");
+    }
 
     const coreUrl = process.env.ADAS_CORE_URL || "http://adas-backend:4000";
-    const coreSecret = process.env.CORE_MCP_SECRET;
-    if (!coreSecret) {
-      throw new Error("Server config error: CORE_MCP_SECRET not set. ateam_test_notification requires the platform shared secret (sibling-service auth). Contact platform admin.");
-    }
 
     // Force [TEST] prefix on the user-visible content. Anti-phishing rail:
     // even if a tenant admin api key were misused, the recipient sees
@@ -2859,29 +2867,23 @@ const handlers = {
       caller_session: sid?.slice(0, 8),
       content_preview: content.slice(0, 60),
       content_hash: contentHash,
-      reply_handler_skill: reply_handler?.skill || null,
       urgency: urgency || "normal",
       at: new Date().toISOString(),
     }));
 
-    if (reply_handler) {
-      console.warn(`[ateam_test_notification] reply_handler set → next user reply will route to skill="${reply_handler.skill}" with caller-supplied context. v2 will enforce a tenant allowlist + context schema validation.`);
-    }
-
     const body = {
       actorId: actor_id,
       content: safeContent,
       urgency: urgency || "normal",
       metadata: { ...(metadata || {}), source: source || "ateam-test", _test: true },
-      ...(reply_handler ? { reply_handler } : {}),
     };
 
     const res = await fetch(`${coreUrl}/api/internal/notify-user`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
-        "X-ADAS-TOKEN": coreSecret,
-        "X-ADAS-TENANT": tenant,
+        // api-key auth — tenant pinned by Core's attachActor from the key itself.
+        "x-api-key": apiKey,
         "X-ADAS-SERVICE": "ateam-mcp.test_notification",
       },
       body: JSON.stringify(body),
@@ -2906,7 +2908,6 @@ const handlers = {
       notification_id: data.dispatchId || null, // alias matching the spec
       results: data.results || [],
       content_preview: safeContent.slice(0, 80),
-      ...(reply_handler && { reply_handler_armed: { skill: reply_handler.skill } }),
     };
   },