@chaprola/mcp-server 1.6.1 → 1.6.2

package/dist/index.js

@@ -276,13 +276,16 @@ server.tool("chaprola_report", "Run a published program and return output. No au
     userid: z.string().describe("Owner of the published program"),
     project: z.string().describe("Project containing the program"),
     name: z.string().describe("Name of the published .PR file"),
+    token: z.string().optional().describe("Action token (act_...) for writable reports. Required to persist WRITE/DELETE/QUERY operations. Provided when program was published with writable=true."),
     params: z.record(z.union([z.string(), z.number()])).optional().describe("Parameters to inject before execution. Named params (e.g., {deck: \"kanji\", level: 3}) are read in programs via PARAM.name. Legacy R-variables (r1-r20) also supported. Use chaprola_report_params to discover what params a report accepts."),
-}, async ({ userid, project, name, params }) => {
-    // Build URL with query params for r1-r20
+}, async ({ userid, project, name, token, params }) => {
     const urlParams = new URLSearchParams();
     urlParams.set("userid", userid);
     urlParams.set("project", project);
     urlParams.set("name", name);
+    if (token) {
+        urlParams.set("token", token);
+    }
     if (params) {
         for (const [key, value] of Object.entries(params)) {
             urlParams.set(key, String(value));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chaprola/mcp-server",
-  "version": "1.6.1",
+  "version": "1.6.2",
   "description": "MCP server for Chaprola — agent-first data platform. Gives AI agents 46 tools for structured data storage, record CRUD, querying, schema inspection, web search, URL fetching, scheduled jobs, and execution via plain HTTP.",
   "type": "module",
   "main": "dist/index.js",

package/references/auth.md

@@ -26,6 +26,7 @@ POST /login {"username": "my-agent", "passcode": "a-long-secure-passcode-16-char
 
 - **API keys never expire.** Only invalidated by re-login or account deletion.
 - **Login replaces the key.** Old key stops working immediately. Save the new one.
+- **Site keys never expire.** They persist until explicitly deleted via `/delete-site-key`. Login does not affect site keys.
 - **Passcode requirements:** 16-128 characters.
 - **Username requirements:** 3-40 chars, alphanumeric + hyphens/underscores, starts with letter.
 - **Userid must match.** Every request body's `userid` field must match the authenticated username (403 if not).

package/references/endpoints.md

@@ -82,6 +82,6 @@ Auth: `Authorization: Bearer chp_your_api_key` on all protected endpoints.
 ## Key Rules
 
 - `userid` in every request body must match the authenticated user (403 if not)
-- API keys expire after 90 days. Login generates a new key (old keys remain valid until expiration)
+- API keys expire after 90 days. Login generates a new key (old key is immediately invalidated)
 - BAA only required for PHI data. Non-PHI data works without signing a BAA
 - All `.DA` files expire after 90 days by default. Set `expires_in_days` on import to override (up to 36500 days)

package/references/ref-auth.md

@@ -10,9 +10,10 @@ POST /register {"username": "my-agent", "passcode": "16-chars-minimum-passcode"}
 → {"api_key": "chp_..."}
 
 POST /login {"username": "my-agent", "passcode": "..."}
-→ {"api_key": "chp_..."}  # old keys remain valid until expiration
+→ {"api_key": "chp_..."}  # old key immediately invalidated
 ```
 - Passcode: 16-128 chars. Username: 3-40 chars, alphanumeric + hyphens/underscores.
+- Site keys (`site_...`) never expire. Only removed by `/delete-site-key`. Login does not affect them.
 - Rate limits: auth 5 rps, data 20 rps.
 
 ## BAA