@expanse-ade/mcp 0.9.0

package/README.md

@@ -0,0 +1,144 @@
+# canvas-ade-mcp
+
+The **MCP (Model Context Protocol) layer** for Canvas ADE — the tool/resource/prompt contract that
+lets AI coding agents running _inside_ Canvas ADE boards orchestrate the canvas itself. This is what
+turns the canvas from a human-driven cockpit into an **AI-orchestratable swarm environment** with a
+**command board** (an orchestrator agent) driving a fleet of worker agents.
+
+> **Status:** planning / docs only. No code yet. Build order lives in [`docs/roadmap.md`](docs/roadmap.md).
+
+---
+
+## What this is (and is NOT)
+
+- **IS:** a **standalone package with its own git repo**, living at `Z:\canvas-ade-mcp` — a
+  **sibling of the Canvas ADE repo, NOT nested inside it**. It owns the MCP _contract_ — tool +
+  resource + prompt schemas, the streamable-HTTP transport, auth (per-board bearer tokens), and the
+  capability tier-factory (orchestrator vs worker).
+- **IS NOT:** a standalone _app_. The MCP server has nothing to orchestrate on its own — every tool
+  needs live access to PTYs, git worktrees, `WebContentsView`s, and the canvas store, all of which
+  live in **Canvas ADE's Electron MAIN process**. Canvas ADE **consumes this package as a dependency**
+  (a local linked / path dependency during dev; published + pinned later) and MAIN binds the contract
+  to the real implementations.
+
+```
+Z:\
+├─ Canvas ADE\        ← the Electron app (its own git repo) — CONSUMES canvas-ade-mcp as a dep
+└─ canvas-ade-mcp\    ← THIS repo (separate git repo, sibling — never nested in Canvas ADE)
+```
+
+**Why separate:** keeps the MCP contract versioned + testable on its own, and avoids nesting a second
+git repo inside the Canvas ADE working tree. The two repos are wired only by a dependency edge + the
+live test harness.
+
+```
+┌──────────────────────────── Canvas ADE (Electron) ────────────────────────────┐
+│                                                                                 │
+│   MAIN process                                                                  │
+│   ┌─────────────────────────┐        ┌──────────────────────────────────────┐  │
+│   │  CanvasOrchestrator      │◄──────►│  canvas-ade-mcp (THIS PACKAGE)       │  │
+│   │  (board state · git ·    │  binds │  · tool/resource/prompt schemas      │  │
+│   │   PTY control · status)  │  impls │  · streamable-HTTP transport (/mcp)  │  │
+│   └─────────────────────────┘        │  · per-board token auth + tier factory│  │
+│            ▲                          └──────────────────────────────────────┘  │
+│            │ IPC                                   ▲                             │
+│   ┌────────┴───────────┐                           │ loopback HTTP (127.0.0.1)   │
+│   │ renderer (human UI) │                           │ Bearer <per-board token>    │
+│   │ glyph · queue · diff │             ┌────────────┴───────────────┐            │
+│   └─────────────────────┘             │  Terminal boards' agents     │            │
+│                                       │  (Claude Code / Codex / …)   │            │
+│                                       │  = MCP CLIENTS               │            │
+│                                       │  command board = orchestrator│            │
+│                                       │  others        = workers     │            │
+│                                       └──────────────────────────────┘            │
+└─────────────────────────────────────────────────────────────────────────────────┘
+```
+
+**Two views of one core:** the same `CanvasOrchestrator` is exposed to **humans** (renderer UI over
+IPC) and to **agents** (this MCP server over loopback HTTP). The MCP is the second interface.
+
+---
+
+## The non-negotiable rule: every tool is tested against Canvas ADE
+
+No MCP tool/resource ships until **both** layers are green. This is the project's whole point —
+it keeps the agent↔canvas connection real, not theoretical.
+
+1. **Contract test** — the tool against a mock `CanvasOrchestrator`. Fast, isolated, validates the
+   schema + auth + tier gating + error shapes.
+2. **Live test** — drive the **real running Canvas ADE** (reuse the `CANVAS_SMOKE=e2e` in-process
+   harness; later the planned Playwright `_electron` harness) and assert the tool actually moved the
+   canvas: a board appeared, a prompt landed in a PTY, a diff came back, the camera flew.
+
+Each phase ends **runnable + committed**, with its live-against-Canvas-ADE test passing — mirroring
+the Canvas ADE roadmap convention.
+
+---
+
+## Core architectural decisions (locked by research, 2026-05-30)
+
+These are validated against real prior art (Claude Code Agent Teams, Cursor 3, Warp, Anthropic's
+multi-agent research system, the MCP spec). Full reasoning in the sibling Canvas ADE repo's
+`docs/feature-proposals.md` research + the two research workflows that produced this.
+
+| Decision                                                                                     | Why                                                                                                                                                                                                                       |
+| -------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Transport = streamable-HTTP on a loopback `localServer` in MAIN**                          | stdio is process-per-client; we need ONE shared bus for many board-agents → one MAIN. Spec defines streamable-HTTP exactly for this.                                                                                      |
+| **Control plane only — PTY data stays on MessagePort**                                       | MessagePort isn't reachable on `127.0.0.1`; avoids head-of-line blocking of high-volume terminal bytes on shared SSE.                                                                                                     |
+| **Capability tiers enforced SERVER-SIDE by token, never by annotation/prompt**               | Tool annotations "don't enforce anything." Build a fresh `McpServer` per session from a **factory that registers only the allowed tier's tools** (orchestrator vs worker), decided from the bearer token at `initialize`. |
+| **Command board = orchestrator (elevated tools); other boards = workers (read-only/scoped)** | Canonical lead/subagent pattern. Workers cannot dispatch, spawn, or do git writes.                                                                                                                                        |
+| **Read-only context = resources; mutating actions = tools**                                  | Spec-correct. `boards/status/attention/diff/output/console` are resources; `spawn/send_prompt/commit/merge` are tools with accurate destructive/openWorld annotations.                                                    |
+| **Risky tools gated: human-confirm + nonce + audit_log**                                     | `send_prompt`/`answer_permission`/git-writes can write into another agent's shell or touch git. Human-in-the-loop is a MUST, not a SHOULD.                                                                                |
+| **No OAuth discovery endpoints**                                                             | We're a trusted local server with static per-board tokens; advertising `/.well-known/oauth-*` makes Claude Code falsely flag "needs authentication."                                                                      |
+
+### Security model (inherited + extended)
+
+The orchestrator board **is the lethal trifecta** at the system level: it reads untrusted worker
+output + holds dispatch power + has external comms (commit/PR/navigate). Therefore:
+
+- **Treat all worker-originated resources as TAINTED.** Never let worker output _auto-trigger_
+  `send_prompt`/`broadcast`/`commit`/`open_pr` — always human-confirm.
+- **`answer_permission` = unconditional human-confirm, no auto-answer.** (Approving a prompt inside
+  another agent's shell is irreversible.)
+- **Provenance tagging** on every cross-agent message (unspoofable "this came from the orchestrator,
+  not your operator") + worker instruction hardening. No single defense suffices.
+- **Replay protection:** single-use nonce + monotonic sequence per dispatch; bind to **opaque
+  server-issued board ids, never agent-chosen labels.**
+- **Hard runtime boundary:** every git/file op scoped to the board's own `canvas-ade/<board-id>`
+  worktree, server-enforced. Validate `Origin` (403 on bad → blocks DNS-rebinding); bind
+  `127.0.0.1`, never `0.0.0.0`.
+- Preserves Canvas ADE's locked invariant: **Browser-board content must never reach the PTY write
+  channel**; orchestrator prompt text is trusted-user-only and fully audit-logged.
+
+---
+
+## Dependency on Canvas ADE phases
+
+The MCP build can **start now** for the transport/auth/observation layers, but the dispatch + git
+layers bind to features still on the Canvas ADE roadmap:
+
+| MCP phase                                     | Needs from Canvas ADE                                              |
+| --------------------------------------------- | ------------------------------------------------------------------ |
+| 0–3 (transport, auth, observation, lifecycle) | nothing hard — board state + spawn exist today                     |
+| 4 (dispatch)                                  | the `pty.write` channel (exists); persistence for audit (Phase 3)  |
+| 6 (git tools)                                 | **git-worktrees-per-board + per-board ports (Canvas ADE Phase 3)** |
+| 8 (best-of-N + merge queue)                   | worktrees + Duplicate/fan-out (Canvas ADE Phase 3)                 |
+
+See [`docs/roadmap.md`](docs/roadmap.md) for the full phase-by-phase plan.
+
+---
+
+## Layout (planned)
+
+```
+Z:\canvas-ade-mcp\          ← its own git repo (sibling of Z:\Canvas ADE)
+  README.md              ← this file
+  docs/
+    roadmap.md           ← phased build plan (0 → full), per-phase test gate
+    decisions/           ← ADRs specific to the MCP layer (transport, auth, safety)
+  src/                   ← (added Phase 0) schemas · transport · auth · tier-factory
+  test/
+    contract/            ← tool-vs-mock-orchestrator tests
+    live/                ← tool-vs-real-Canvas-ADE tests (drives Z:\Canvas ADE: CANVAS_SMOKE=e2e / Playwright)
+  package.json           ← (added Phase 0) standalone package, MCP SDK dep
+```

package/dist/index.d.ts

@@ -0,0 +1,336 @@
+import { Server } from 'node:http';
+import { Express } from 'express';
+
+/** Capability tier of a board's MCP session. */
+type Tier = 'orchestrator' | 'worker';
+/** A coarse permission scope string (refined in later phases). */
+type Scope = string;
+/** Opaque server-issued board id. */
+type BoardId = string;
+/** A row in the per-board token store: what a minted bearer token grants. */
+interface AuthRow {
+    boardId: BoardId;
+    tier: Tier;
+    scopes: Scope[];
+    /** Seconds since epoch. Set to board lifetime so long agent runs don't expire. */
+    expiresAt?: number;
+}
+
+/** Minimal board projection exposed to agents. */
+interface BoardSummary {
+    id: BoardId;
+    /** Board type — 'terminal' | 'browser' | 'planning' (open string for forward types). */
+    type: string;
+    /** User-facing board title (trusted-user content; no page/whiteboard content). */
+    title: string;
+    status: string;
+}
+/**
+ * One capped, tail-anchored page of a board's plain-text scrollback (T1.4). The
+ * host strips ANSI escape codes server-side (control-sequence injection surface)
+ * and slices the last `MAX_OUTPUT_PAGE` chars; older content is reached by passing
+ * the returned `nextCursor` back as the next read's cursor. NEVER the raw ring.
+ */
+interface BoardOutput {
+    /** ANSI-stripped scrollback for this page, in chronological order. */
+    text: string;
+    /** Total chars currently available (the full clean ring length). */
+    total: number;
+    /** Chars in this page (`text.length`; always ≤ `MAX_OUTPUT_PAGE`). */
+    returned: number;
+    /**
+     * Tail-anchored cursor (chars-from-end already consumed) for the NEXT, OLDER
+     * page; absent once the oldest available char has been returned.
+     */
+    nextCursor?: number;
+    /**
+     * True when older output has been discarded by the host's capped ring (honest
+     * truncation — the buffer was saturated, so the head is gone for good).
+     */
+    droppedOlder: boolean;
+}
+/**
+ * A board's structured last result (T1.5) — references and a verdict, NOT raw logs
+ * (raw scrollback is `BoardOutput`). v1 is an observational shell: until M4's
+ * `write_result` tool lets a worker record one, every board reads `{ present: false }`.
+ * Designed so M4 fills the optional fields without changing the contract.
+ */
+interface BoardResult {
+    /** Whether a result has been recorded for this board (false until M4 writes one). */
+    present: boolean;
+    /** Verdict of the last completed task, e.g. 'success' | 'failure' (open string). */
+    status?: string;
+    /** One-line human summary (references, not raw logs). */
+    summary?: string;
+    /** Structured references the worker produced — file paths, PR/issue URLs, etc. */
+    refs?: string[];
+    /** ISO-8601 timestamp when the result was recorded. */
+    at?: string;
+}
+/**
+ * A coarse per-board status change (M5 event-driven attention). `status` is a status
+ * bucket value (`idle`/`running`/`awaiting-review`/`blocked`/`failed`/`static`) or
+ * `'gone'` when the board left the canvas. `result` is attached by the host when the
+ * board settles to `idle` and a `write_result` exists (so a barrier can return it).
+ */
+interface BoardStatusChange {
+    id: BoardId;
+    status: string;
+    result?: BoardResult;
+}
+/**
+ * The fields a worker may record for its OWN board via `write_result` (T4.4) — a verdict,
+ * a one-line summary, and structured references (NOT raw logs). All optional. The host
+ * stamps `present: true` + `at` and binds the board id to the caller's token, producing
+ * the {@link BoardResult} the `canvas://board/{id}/result` resource then serves.
+ */
+interface BoardResultInput {
+    /** Verdict of the last completed task, e.g. 'success' | 'failure' (open string). */
+    status?: string;
+    /** One-line human summary (references, not raw logs). */
+    summary?: string;
+    /** Structured references the worker produced — file paths, PR/issue URLs, etc. */
+    refs?: string[];
+}
+/**
+ * A read-only slice of the project's persistent memory (T1.7) — the project index
+ * (`canvas://memory`) or a per-board summary (`canvas://board/{id}/summary`). It is
+ * produced by the sibling Brain/Memory engine's `.canvas/memory/`; 🔒 PASSIVE context
+ * only — it grants no action. When that subsystem hasn't written anything (it ships on
+ * a separate track), the doc is the empty shell `{ present: false, text: '' }` — the
+ * resource gracefully empties, never errors.
+ */
+interface MemoryDoc {
+    /** Whether the memory engine has produced this document. */
+    present: boolean;
+    /** The markdown content (empty when absent). */
+    text: string;
+}
+/**
+ * Durable per-type config an orchestrator may change on a board (T3.3). All optional —
+ * only the supplied fields are applied. Host-side, off-type/identity keys are dropped
+ * (the canvas patch is filtered by the board's patchable keys), so this is the safe set.
+ */
+interface BoardConfig {
+    /** Terminal shell (Win: pwsh|powershell|cmd; *nix: $SHELL/zsh/bash). */
+    shell?: string;
+    /** First PTY line written after the shell starts (the agentic CLI / command). */
+    launchCommand?: string;
+    /** Working directory for the board. */
+    cwd?: string;
+}
+/**
+ * The canvas control surface injected by Canvas ADE MAIN. Phase 0 defines the
+ * shape; tools wire to it in later phases. Keeping it an interface (with a mock)
+ * lets canvas-ade-mcp build + test standalone, with no Electron dependency.
+ */
+interface Orchestrator {
+    listBoards(): Promise<BoardSummary[]>;
+    spawnBoard(input: {
+        type: string;
+        prompt?: string;
+        cwd?: string;
+    }): Promise<{
+        id: BoardId;
+    }>;
+    /**
+     * Close a board (T3.2). The host drains the board's PTY gracefully (not an abrupt
+     * SIGKILL) before removing it from the canvas. Idempotent: closing an absent board
+     * resolves. The dirty-worktree prompt arrives with Feature Workspaces (M6).
+     */
+    closeBoard(boardId: BoardId): Promise<void>;
+    /**
+     * Change a board's durable config (T3.3) — shell / launchCommand / cwd. Only the
+     * supplied fields change; the host filters to the board type's patchable keys.
+     */
+    configureBoard(boardId: BoardId, config: BoardConfig): Promise<void>;
+    dispatchPrompt(boardId: BoardId, text: string): Promise<void>;
+    /**
+     * 🔒 Record the calling worker's OWN board result (M4 T4.4, worker-tier WRITE). The
+     * `boardId` is the caller's token-bound board (never client-supplied), so a worker can
+     * only write its own result. Feeds the `canvas://board/{id}/result` resource (T1.5).
+     */
+    writeResult(boardId: BoardId, result: BoardResultInput): Promise<void>;
+    /**
+     * 🔒 Interrupt the target terminal board (M4 T4.5) — send Ctrl-C (`\x03`) to its PTY to
+     * stop a runaway/long-running command. Orchestrator-tier only. The host gates it behind
+     * a single-use nonce + a mandatory human confirm + an audit entry, and rejects any
+     * non-terminal target (Browser/Planning never reach a PTY). Content-less.
+     */
+    interrupt(boardId: BoardId): Promise<void>;
+    /**
+     * 🔒 Agent-to-agent relay (M4 T4.6) — dispatch `text` from board `sourceId` to board
+     * `targetId`, expressed by an ORCHESTRATION connector `sourceId → targetId` (the cable
+     * is the route + intent). Orchestrator-tier only. The host validates the directed edge
+     * exists and is **terminal → terminal** (never Browser → PTY), then gates the write
+     * behind a single-use nonce + a mandatory human confirm + an audit entry. Fire-and-forget.
+     */
+    relayPrompt(sourceId: BoardId, targetId: BoardId, text: string): Promise<void>;
+    /**
+     * 🔒 Blocking hand-off (M4 T4.3): write `text` into the target terminal board's PTY,
+     * wait until it goes idle, and return its structured last result. Orchestrator-tier
+     * only. The host gates it behind a single-use nonce + a mandatory human confirm +
+     * an audit entry, and rejects any non-terminal target (Browser/Planning content
+     * never reaches a PTY). Resolves to the {@link BoardResult} the target produced.
+     */
+    handoffPrompt(boardId: BoardId, text: string): Promise<BoardResult>;
+    gitDiff(boardId: BoardId): Promise<string>;
+    boardStatus(boardId: BoardId): Promise<string>;
+    /**
+     * Read one capped page of a board's scrollback (T1.4, read-only). `cursor` is the
+     * tail-anchored offset from a prior page's `nextCursor`; omit for the newest tail.
+     */
+    boardOutput(boardId: BoardId, opts?: {
+        cursor?: number;
+    }): Promise<BoardOutput>;
+    /**
+     * Read a board's structured last result (T1.5, read-only). Returns the empty shell
+     * `{ present: false }` until a result has been recorded (M4 `write_result`).
+     */
+    boardResult(boardId: BoardId): Promise<BoardResult>;
+    /**
+     * Read the project memory index (T1.7, 🔒 read-only passive context). Empty shell
+     * when the memory engine is absent — graceful, never an error.
+     */
+    projectMemory(): Promise<MemoryDoc>;
+    /**
+     * Read a board's memory summary (T1.7, 🔒 read-only passive context). Empty shell
+     * when absent.
+     */
+    boardSummary(boardId: BoardId): Promise<MemoryDoc>;
+    /**
+     * Subscribe to per-board coarse status changes (M5). MAIN forwards
+     * `boardRegistry.ts`'s `subscribeBoardStatus`, attaching the last result when a board
+     * settles to `idle`. Returns an unsubscribe fn. Barriers + the attention notifier wake
+     * on this instead of polling. SYNCHRONOUS (returns the unsubscribe directly, not a Promise).
+     */
+    subscribeStatus(listener: (change: BoardStatusChange) => void): () => void;
+}
+
+/**
+ * In-memory per-board token store. Tokens are minted out-of-band when a board
+ * spawns and revoked when it closes — no OAuth flow. In-memory by design:
+ * sessions die on MAIN restart (correct for a single-user desktop app).
+ */
+declare class TokenStore {
+    private readonly rows;
+    mint(token: string, row: AuthRow): void;
+    revoke(token: string): void;
+    get(token: string): AuthRow | undefined;
+}
+
+interface McpServerDeps {
+    orchestrator: Orchestrator;
+    tokens: TokenStore;
+    /**
+     * Optional single command-orchestrator board id (BUG-021). When set, `relay_prompt` is
+     * restricted to the token bound to this board, so a second orchestrator-tier token can't
+     * drive orchestration cables it doesn't own. Omit to keep the prior open-to-any-orchestrator
+     * behaviour (correct for a single-orchestrator-token deployment).
+     */
+    commandBoardId?: BoardId;
+}
+interface RunningMcpServer {
+    app: Express;
+    httpServer: Server;
+    port: number;
+    setAllowedOrigins(origins: readonly string[]): void;
+    close(): Promise<void>;
+}
+/**
+ * Creates the loopback streamable-HTTP MCP server and starts listening on an
+ * ephemeral 127.0.0.1 port. Pipeline: originGuard -> requireBearerAuth -> /mcp.
+ * NO OAuth discovery routes are mounted (resourceMetadataUrl is left unset), so
+ * MCP clients use the static per-board bearer token without a "needs auth" flag.
+ */
+declare function createMcpHttpServer(deps: McpServerDeps): Promise<RunningMcpServer>;
+
+interface MintedToken {
+    token: string;
+    row: AuthRow;
+}
+/**
+ * Mint a crypto-random per-board bearer token, store it, and return token + row.
+ * Scopes come from the tier (ADR 0002, D2). Always carries a board-lifetime
+ * `expiresAt` (the SDK requires a numeric expiry); override with `ttlSeconds`.
+ */
+declare function mintBoardToken(store: TokenStore, input: {
+    boardId: BoardId;
+    tier: Tier;
+    ttlSeconds?: number;
+}): MintedToken;
+
+declare const SCOPE_READ: Scope;
+declare const SCOPE_DISPATCH: Scope;
+declare const SCOPE_SPAWN: Scope;
+declare const SCOPE_GIT_WRITE: Scope;
+declare const SCOPE_ANSWER_PERMISSION: Scope;
+/** Default scopes granted to a freshly-minted token of the given tier. */
+declare function defaultScopesFor(tier: Tier): Scope[];
+
+interface McpJson {
+    mcpServers: {
+        'canvas-ade': {
+            type: 'http';
+            url: string;
+            headers: {
+                Authorization: string;
+            };
+        };
+    };
+}
+/**
+ * Pure builder for a board worktree's project-scoped .mcp.json: a single loopback
+ * streamable-HTTP server entry carrying the board's bearer token. No OAuth
+ * discovery is referenced (ADR 0001) — the static bearer token is the authority.
+ */
+declare function buildMcpJson(port: number, token: string): McpJson;
+/**
+ * Write .mcp.json into a board's worktree dir. Returns the written file path.
+ * Written owner-only (0600): the file embeds a plaintext bearer token, so it must
+ * not be world-readable on a multi-user box. (POSIX mode is a no-op on Windows.)
+ */
+declare function writeMcpJson(dir: string, port: number, token: string): string;
+
+/** A no-op Orchestrator for contract tests and standalone runs. */
+declare class MockOrchestrator implements Orchestrator {
+    listBoards(): Promise<BoardSummary[]>;
+    spawnBoard(_input: {
+        type: string;
+        prompt?: string;
+        cwd?: string;
+    }): Promise<{
+        id: BoardId;
+    }>;
+    closeBoard(_boardId: BoardId): Promise<void>;
+    configureBoard(_boardId: BoardId, _config: BoardConfig): Promise<void>;
+    dispatchPrompt(_boardId: BoardId, _text: string): Promise<void>;
+    writeResult(_boardId: BoardId, _result: BoardResultInput): Promise<void>;
+    interrupt(_boardId: BoardId): Promise<void>;
+    relayPrompt(_sourceId: BoardId, _targetId: BoardId, _text: string): Promise<void>;
+    handoffPrompt(_boardId: BoardId, _text: string): Promise<BoardResult>;
+    gitDiff(_boardId: BoardId): Promise<string>;
+    boardStatus(_boardId: BoardId): Promise<string>;
+    boardOutput(_boardId: BoardId, _opts?: {
+        cursor?: number;
+    }): Promise<BoardOutput>;
+    boardResult(_boardId: BoardId): Promise<BoardResult>;
+    projectMemory(): Promise<MemoryDoc>;
+    boardSummary(_boardId: BoardId): Promise<MemoryDoc>;
+    /** @internal subscribers for the M5 status stream. */
+    private readonly statusListeners;
+    subscribeStatus(listener: (change: BoardStatusChange) => void): () => void;
+    /** Test seam: drive a status change through the subscription fan-out. */
+    __emitStatus(change: BoardStatusChange): void;
+}
+
+/**
+ * Hard cap on the chars returned by ONE `canvas://board/{id}/output` page (T1.4 🔒).
+ * The MCP output budget is ~25k; we never emit a larger page even if the host
+ * over-returns. MUST match the app accessor's page size (`MAX_OUTPUT_PAGE` in
+ * `src/main/ptyOutput.ts`) so the tail-anchored cursor math lines up across the
+ * two repos. Unit = UTF-16 code units (JS `String.length`), matching the host ring.
+ */
+declare const MAX_OUTPUT_PAGE = 25000;
+
+export { type AuthRow, type BoardId, type BoardOutput, type BoardResult, type BoardResultInput, type BoardStatusChange, type BoardSummary, MAX_OUTPUT_PAGE, type McpJson, type McpServerDeps, type MemoryDoc, type MintedToken, MockOrchestrator, type Orchestrator, type RunningMcpServer, SCOPE_ANSWER_PERMISSION, SCOPE_DISPATCH, SCOPE_GIT_WRITE, SCOPE_READ, SCOPE_SPAWN, type Scope, type Tier, TokenStore, buildMcpJson, createMcpHttpServer, defaultScopesFor, mintBoardToken, writeMcpJson };