@cloudgrid-io/mcp 0.2.5 → 0.2.7

package/README.md

@@ -6,8 +6,8 @@ It ships in two editions from one codebase:
 
 - **Local (stdio)** — runs on your machine, full toolset including the CLI-wrapping
   tools. This README covers it. For Claude Code, Cursor, Claude Desktop.
-- **Web (hosted HTTP)** — a light, CLI-free toolset (drop, claim, login) for
-  web clients like claude.ai. See [REMOTE.md](REMOTE.md).
+- **Web (hosted HTTP)** — a light, CLI-free toolset (drop, claim, login,
+  visibility) for web clients like claude.ai. See [REMOTE.md](REMOTE.md).
 
 The local edition wraps the `cloudgrid` CLI for authenticated operations (the CLI
 handles auth, org context, and error formatting) and calls the API directly for the
@@ -49,6 +49,7 @@ It speaks MCP over stdio. Point any MCP client at the `cloudgrid-mcp` command.
 | `cloudgrid_claim` | `POST /api/v2/anon-claim` | Claim an anonymous drop into the signed-in account. Direct API. |
 | `cloudgrid_login` | `GET /auth/login` | Start a CLI-free sign-in; returns a URL to open. Calls the API directly. |
 | `cloudgrid_login_status` | `GET /auth/status` | Finish the sign-in; saves the token to the shared CLI credentials. |
+| `cloudgrid_visibility` | `PATCH /api/v2/inspirations/<id>` | Change who can see a drop (private, space, authenticated, org, link). Needs sign-in. Direct API; also in the web edition. |
 | `cloudgrid_init` | `cloudgrid init` | Register an app or agent; optionally seed a web service. |
 | `cloudgrid_plug` | `cloudgrid plug` | Deploy a directory or URL. |
 | `cloudgrid_logs` | `cloudgrid logs` | Snapshot of recent logs. Does not stream. |
@@ -56,11 +57,15 @@ It speaks MCP over stdio. Point any MCP client at the `cloudgrid-mcp` command.
 | `cloudgrid_feedback` | `cloudgrid feedback list` | Read the org feedback feed. |
 | `cloudgrid_brain` | `cloudgrid brain refresh` | Re-run the Grid Brain hooks. |
 
-`cloudgrid_drop` and the two `cloudgrid_login` tools are the ones that do not wrap
-the CLI — both are about working without it. The anonymous drop has no identity to
-manage; login exists to get an identity without the CLI. Both call the API directly.
-`cloudgrid_login` writes the same `~/.cloudgrid/credentials` the CLI uses, so the two
-share one identity.
+`cloudgrid_drop`, `cloudgrid_claim`, `cloudgrid_visibility`, and the two
+`cloudgrid_login` tools do not wrap the CLI — they call the API directly, so they
+also work in the web edition where no CLI exists. `cloudgrid_login` writes the same
+`~/.cloudgrid/credentials` the CLI uses, so the two share one identity.
+
+`cloudgrid_share` and `cloudgrid_visibility` overlap on purpose: `cloudgrid_share`
+wraps the CLI and defaults to `link`; `cloudgrid_visibility` is direct API, takes an
+explicit scope, and defaults its target to the session's last drop — it is the one
+the web edition gets.
 
 ## Test
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgrid-io/mcp",
-  "version": "0.2.5",
+  "version": "0.2.7",
   "description": "MCP server for CloudGrid. Two editions: a local stdio server (full toolset) and a hosted web server (light, CLI-free toolset) over MCP Streamable HTTP.",
   "type": "module",
   "bin": {
@@ -22,6 +22,7 @@
     "smoke:web": "node test/smoke-web.mjs",
     "smoke:redrop": "node test/smoke-redrop.mjs",
     "smoke:oauth": "node test/smoke-oauth.mjs",
+    "lint:cloudbuild": "npx -y yaml-lint cloudbuild.yaml",
     "test:auth": "node test/auth.test.mjs"
   },
   "dependencies": {

package/src/index.js

@@ -25,7 +25,7 @@ const ctx = {
   savedLocationNote: () => `Credentials saved to ${credentialsPath()}.`,
 };
 
-const server = new McpServer({ name: "cloudgrid-mcp", version: "0.2.2" });
+const server = new McpServer({ name: "cloudgrid-mcp", version: "0.2.7" });
 registerTools(server, ctx);
 
 const transport = new StdioServerTransport();

package/src/tools.js

@@ -139,10 +139,12 @@ async function runDrop(ctx, { html, path: filePath, filename, anonymous, org, fr
 
   const form = new FormData();
   // Redrop (anon-redrop spec §6): a re-drop in the same session updates the previous
-  // drop in place — same URL, new version. `fresh: true` forces a new drop. The
-  // platform validates ownership and silently falls back to create, so this never
-  // hard-fails. Field appended before the artifact so streaming parsers see it.
-  if (isAnonymousCall && fresh !== true && ctx.state.lastDrop?.entity_id) {
+  // drop in place — same URL, new version. `fresh: true` forces a new drop. Sent for
+  // BOTH anonymous and authed callers: the platform validates ownership and silently
+  // falls back to create, so this never hard-fails (authed in-place lands when the
+  // platform extends the gate; until then the fallback equals today's behavior).
+  // Field appended before the artifact so streaming parsers see it.
+  if (fresh !== true && ctx.state.lastDrop?.entity_id) {
     form.append("previous_id", ctx.state.lastDrop.entity_id);
   }
   form.append("artifact", new Blob([bytes], { type }), name);
@@ -177,14 +179,7 @@ async function runDrop(ctx, { html, path: filePath, filename, anonymous, org, fr
     .find((c) => c.startsWith("cg_anon_session="));
   if (anonCookie) ctx.state.anonCookie = anonCookie;
 
-  if (data.owned_by === "authenticated") {
-    ctx.state.lastAnonClaim = null;
-    const lines = [`Published to your org: ${data.url}`, "Owned by you."];
-    if (data.expires_at) lines.push(`Expires ${data.expires_at}.`);
-    return lines.join("\n");
-  }
-
-  // Anonymous: remember the drop for redrop continuity (any 2xx outcome).
+  // Remember the drop for redrop continuity — any caller class, any 2xx outcome.
   if (data.entity_id || data.url) {
     ctx.state.lastDrop = {
       entity_id: data.entity_id ?? ctx.state.lastDrop?.entity_id ?? null,
@@ -200,7 +195,16 @@ async function runDrop(ctx, { html, path: filePath, filename, anonymous, org, fr
   if (res.status === 200) {
     // Updated in place: same URL, new version, views/reactions intact.
     const lines = [`Updated in place — same link: ${data.url ?? ctx.state.lastDrop?.url ?? ""}`.trim()];
+    if (data.owned_by === "authenticated") lines.push("Owned by you.");
+    if (data.expires_at) lines.push(`Expires ${data.expires_at}.`);
+    return lines.join("\n");
+  }
+
+  if (data.owned_by === "authenticated") {
+    ctx.state.lastAnonClaim = null;
+    const lines = [`Published to your org: ${data.url}`, "Owned by you."];
     if (data.expires_at) lines.push(`Expires ${data.expires_at}.`);
+    lines.push("Drop again in this session to update it in place (same link); pass fresh to start a new one.");
     return lines.join("\n");
   }
 
@@ -273,6 +277,45 @@ async function runClaim(ctx, { claim_token, claim_url }) {
   return lines.join("\n");
 }
 
+
+// Change an inspiration's visibility. Authed, direct API — works on the hosted
+// edition where the CLI-wrapping share tool is unavailable. Defaults to the drop
+// made in this session, so "make it private" needs no ids.
+async function runVisibility(ctx, { target, visibility, org }) {
+  const token = await ctx.getToken();
+  if (!token) {
+    throw new Error("Changing visibility needs an owner. Run cloudgrid_login first.");
+  }
+  const id = target || ctx.state.lastDrop?.entity_id;
+  if (!id) {
+    throw new Error("No target. Pass the entity id, or drop something first in this session.");
+  }
+  const headers = { Authorization: `Bearer ${token}`, "Content-Type": "application/json" };
+  const orgSlug = org || (await ctx.getActiveOrg());
+  if (orgSlug) headers["X-CloudGrid-Org"] = orgSlug;
+  let res;
+  try {
+    res = await fetch(`${API_BASE}/api/v2/inspirations/${encodeURIComponent(id)}`, {
+      method: "PATCH",
+      headers,
+      body: JSON.stringify({ visibility }),
+    });
+  } catch (err) {
+    throw new Error(`Could not reach CloudGrid at ${API_BASE}: ${err.message}`);
+  }
+  const raw = await res.text();
+  let data = null;
+  try { data = JSON.parse(raw); } catch { /* handled below */ }
+  if (!res.ok) {
+    const msg = data?.error?.message || raw || `HTTP ${res.status}`;
+    const hint = data?.error?.details?.[0]?.hint;
+    throw new Error(`Visibility change failed (HTTP ${res.status}): ${msg}${hint ? ` ${hint}` : ""}`);
+  }
+  const lines = [`Visibility is now ${visibility}.`];
+  if (data?.url) lines.push(data.url);
+  return lines.join("\n");
+}
+
 // ── Registration ───────────────────────────────────────────────────────────────
 // Registers the tools onto `server`. ctx.edition decides whether the CLI-wrapping
 // tools are included (they need a local machine).
@@ -372,6 +415,23 @@ export function registerTools(server, ctx) {
     },
   );
 
+  server.tool(
+    "cloudgrid_visibility",
+    "Change who can see a CloudGrid inspiration: private, space, authenticated, org, or link (anyone with the URL). Use when the user wants to make a drop private, restrict who sees it, or open it up. Defaults to the drop made in this session. Requires sign-in. Calls the API directly.",
+    {
+      visibility: z.enum(["private", "space", "authenticated", "org", "link"]).describe("The new scope."),
+      target: z.string().optional().describe("Entity id. Defaults to this session's last drop."),
+      org: z.string().optional().describe("Org of the entity. Defaults to the active org."),
+    },
+    async (input) => {
+      try {
+        return ok(await runVisibility(ctx, input || {}));
+      } catch (err) {
+        return fail(err.message);
+      }
+    },
+  );
+
   if (ctx.edition !== "local") return; // web edition stops here — no CLI tools
 
   // ── CLI-wrapping tools (local edition only) ──

package/src/web.js

@@ -128,7 +128,7 @@ app.post("/mcp", async (req, res) => {
       delete sessionAuth[transport.sessionId];
     }
   };
-  const server = new McpServer({ name: "cloudgrid-mcp-web", version: "0.2.5" });
+  const server = new McpServer({ name: "cloudgrid-mcp-web", version: "0.2.7" });
   registerTools(server, makeWebContext(newSessionId));
   await server.connect(transport);
   await transport.handleRequest(req, res, req.body);