@chaprola/mcp-server 1.11.0 → 1.11.2

package/dist/index.js

@@ -509,9 +509,10 @@ server.tool("chaprola_systemhelp", "Send your program name and error message. Ch
     name: z.string().describe("Program name (without extension)"),
     error: z.string().optional().describe("Error message from compile or runtime (copy verbatim if available)"),
     request: z.string().describe("Plain-language description of the problem. Include context: what changed, what you expected, what happened instead."),
-}, async ({ project, name, error, request }) => withBaaCheck(async () => {
+    userid: z.string().optional().describe("Project owner's username. Required when accessing a shared project where you are a writer. Defaults to the authenticated user."),
+}, async ({ project, name, error, request, userid }) => withBaaCheck(async () => {
     const { username } = getCredentials();
-    const body = { userid: username, project, name, request };
+    const body = { userid: userid || username, project, name, request };
     if (error)
         body.error = error;
     const res = await authedFetch("/systemhelp", body);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chaprola/mcp-server",
-  "version": "1.11.0",
+  "version": "1.11.2",
   "description": "MCP server for Chaprola — agent-first data platform. Gives AI agents tools for structured data storage, record CRUD, querying, schema inspection, documentation lookup, web search, URL fetching, scheduled jobs, scoped site keys, and execution via plain HTTP.",
   "type": "module",
   "main": "dist/index.js",

package/references/cookbook.md

@@ -285,20 +285,24 @@ POST /run/status {userid, project, job_id}
 
 ## Public Apps: Use /report, Not /query
 
-Site keys require BAA signing. For public-facing web apps, use published reports (`/report`) instead of `/query` for all read operations. `/report` is public — no auth or BAA needed.
+**/query is NOT a public endpoint.** It requires authentication (API key) and is POST-only. It cannot be linked to from a browser, dashboard, or public page. A bare URL like `https://api.chaprola.org/query?userid=...&file=...` will return `{"message":"Not Found"}`.
+
+**/report IS a public endpoint.** It supports GET, works in browsers, requires no auth, and accepts parameters via URL query strings. For any data that needs to be visible in a browser or linked from a dashboard, write a .CS program with QUERY inside it, publish it, and link to `/report`.
 
 ```javascript
-// GOOD: public report — no auth needed
+// GOOD: public report — works in browsers, no auth needed
 const url = `${API}/report?userid=myapp&project=data&name=RESULTS&poll_id=${id}`;
 const response = await fetch(url);
 
-// BAD: /query with site key — fails if BAA not signed
+// BAD: /query is not public — requires auth, POST only, no browser access
 const response = await fetch(`${API}/query`, {
   headers: { 'Authorization': `Bearer ${SITE_KEY}` },
   body: JSON.stringify({ userid: 'myapp', project: 'data', file: 'votes', where: [...] })
 });
 ```
 
+**Pattern:** Move data logic into a .CS program (QUERY, TABULATE), publish it with `/publish`, and link to `/report` from dashboards and frontends. `/query` is for agents and backend code with API keys — never for browser links.
+
 ## Chart Data with TABULATE
 
 ```chaprola

package/references/gotchas.md

@@ -95,6 +95,9 @@ When numeric data is imported as strings, auto-detect (`OPEN "file" 0`) may misc
 
 ## API
 
+### /query is not a public endpoint — use /report for browser links
+`/query` is POST-only and requires an API key. A URL like `https://api.chaprola.org/query?userid=...&file=...` in a browser returns `{"message":"Not Found"}`. For anything that needs to be visible in a browser or linked from a dashboard, write a .CS program with QUERY, publish it, and use `/report` (which supports GET, no auth needed).
+
 ### userid must match authenticated user
 Every request body's `userid` must equal your username. 403 on mismatch.