@chartobserver/mcp-server 0.2.1 → 0.2.2

package/CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 0.2.2 — 2026-06-12
+
+The self-serve credentials page is now live in production.
+
+- README, SECURITY.md, server instructions, and config error hints now point
+  to the real credentials page: https://chart.observer/integrations/mcp
+  (Integrations → AI Agent (MCP)) — masked webhook ID with reveal, copy
+  buttons, and a pre-filled MCP config snippet.
+- Removed the interim "ask Brian" fallback; the package is now fully
+  self-serve: sign up at https://chart.observer, copy credentials, connect.
+
 ## 0.2.1 — 2026-06-12
 
 Agent-facing signup guidance. No behavior changes to tools or transport.

package/README.md

@@ -45,9 +45,7 @@ Restart Claude Desktop. The tools become available in any conversation.
 
 ### Where to find your credentials
 
-Sign in at https://chart.observer and open **Settings → API & Integrations**. The page shows your webhook ID, UID, and username with copy buttons and a pre-filled config snippet.
-
-(Until that settings page ships, ask Brian for your three values.)
+Sign in at https://chart.observer and open **Integrations → AI Agent (MCP)** — or go directly to https://chart.observer/integrations/mcp. The page shows your webhook ID, UID, and username with copy buttons and a pre-filled config snippet you can paste straight into your MCP client.
 
 ## Environment variables
 
@@ -97,7 +95,7 @@ Sign in at https://chart.observer and open **Settings → API & Integrations**.
 - **`place_trade` defaults to dry-run.** The AI agent must explicitly pass `dry_run: false` to execute. You should be asked for confirmation before that happens.
 - **Live trades are validated.** Execution runs the same checks as the dry run (sufficient funds, position size, well-formed quantities) and refuses trades that would fail, without calling the API.
 - **Secret redaction.** Error text returned to the agent is sanitized; the webhook credential is redacted as defense-in-depth so it cannot leak into transcripts.
-- **Bearer-secret auth.** The webhook ID acts as a bearer token. If it leaks, anyone can act on your account. Don't paste it into screenshots, logs, or chat messages. If you suspect compromise, regenerate it from Settings → API & Integrations.
+- **Bearer-secret auth.** The webhook ID acts as a bearer token. If it leaks, anyone can act on your account. Don't paste it into screenshots, logs, or chat messages. If you suspect compromise, regenerate it from https://chart.observer/integrations/mcp.
 - **No account creation.** Sign up at https://chart.observer in a browser. Web signup requires a CAPTCHA, which a headless MCP server can't solve.
 
 ## What's not in v1

package/SECURITY.md

@@ -37,7 +37,7 @@ standing and visible portfolio, not real funds). Treat it like a password:
 - This server sanitizes its error output and redacts the credential from any
   text returned to the AI agent, as defense-in-depth.
 - If you suspect it leaked, regenerate it from your ChartObserver account
-  settings (Settings → API & Integrations) — the old value stops working
+  settings (https://chart.observer/integrations/mcp) — the old value stops working
   immediately.
 
 ## Reporting a vulnerability

package/dist/config.d.ts

@@ -8,6 +8,6 @@ export interface Config {
 }
 export declare const DEFAULT_API_BASE = "https://g2uyqqluc4.execute-api.us-east-2.amazonaws.com/dev";
 export declare const DEFAULT_TIMEOUT_MS = 15000;
-export declare const PACKAGE_VERSION = "0.2.1";
+export declare const PACKAGE_VERSION = "0.2.2";
 export declare const CREDENTIALS_HINT: string;
 export declare function loadConfig(env?: NodeJS.ProcessEnv): Config;

package/dist/config.js

@@ -1,11 +1,11 @@
 import { z } from "zod";
 export const DEFAULT_API_BASE = "https://g2uyqqluc4.execute-api.us-east-2.amazonaws.com/dev";
 export const DEFAULT_TIMEOUT_MS = 15_000;
-export const PACKAGE_VERSION = "0.2.1";
+export const PACKAGE_VERSION = "0.2.2";
 export const CREDENTIALS_HINT = "These values come from your chart.observer account: create one in a " +
     "browser at https://chart.observer (accounts cannot be created via this " +
-    "server), then copy your webhook ID, UID, and username from Settings → " +
-    "API & Integrations.";
+    "server), then copy your webhook ID, UID, and username from " +
+    "https://chart.observer/integrations/mcp (Integrations → AI Agent (MCP)).";
 // Validation messages must never echo the webhook value — they can end up in
 // MCP client logs.
 const configSchema = z.object({

package/dist/instructions.js

@@ -11,8 +11,9 @@ export const SERVER_INSTRUCTIONS = [
     "and must be done by the user in a browser at https://chart.observer).",
     "If the configured credentials are missing or invalid, tell the user to:",
     "(1) create an account at https://chart.observer in their browser, then",
-    "(2) copy their webhook ID, UID, and username from Settings → API &",
-    "Integrations into this server's environment variables (see the package",
+    "(2) copy their webhook ID, UID, and username from",
+    "https://chart.observer/integrations/mcp into this server's environment",
+    "variables (see the package",
     "README). All trading is simulated paper trading — no real funds move — but",
     "trades do affect the user's public leaderboard standing, so always confirm",
     "with the user before executing a trade (place_trade defaults to dry_run).",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@chartobserver/mcp-server",
-  "version": "0.2.1",
+  "version": "0.2.2",
   "description": "MCP server for the ChartObserver paper-trading platform. Lets an AI agent (Claude Desktop, etc.) read portfolio state, place trades, and check the leaderboard on behalf of the configured user.",
   "license": "MIT",
   "author": "ChartObserver Corp",