@genlobe/mcp-server 3.1.0 → 3.1.1

package/README.md

@@ -1,86 +1,193 @@
-# 🔌 MCP Server for Multi-tenant SaaS API
+# Genlobe MCP Server
 
-This MCP Server provides AI-enabled IDEs (GitHub Copilot, Cursor, Claude, etc.) with comprehensive API documentation to help build frontend applications.
+A Model Context Protocol (MCP) server that turns AI-enabled IDEs (Cursor, Claude Code, GitHub Copilot, Windsurf, etc.) into informed Genlobe API clients. The server hands the assistant up-to-date API docs, ready-to-use SDK templates, security guidance, and stack recommendations — so when a developer says *"build me a login screen"* or *"add a checkout flow"*, the assistant doesn't hallucinate endpoints.
 
-## ⚠️ Important: Two Types of Endpoints
+[![npm version](https://img.shields.io/npm/v/@genlobe/mcp-server.svg)](https://www.npmjs.com/package/@genlobe/mcp-server)
+[![Node](https://img.shields.io/node/v/@genlobe/mcp-server.svg)](https://nodejs.org)
 
-This API has **TWO types of endpoints**:
+---
+
+## Two API surfaces — read this before installing
 
-1. **Tenant/Dashboard endpoints** (`/v1/tenant-auth/*`, `/v1/dashboard/*`)
-   - For tenant admins managing their SaaS account
-   - Uses JWT from tenant login
-   - **NOT for end-user frontends**
+The Genlobe API exposes **two separate sets of endpoints**, and this MCP only documents one of them:
 
-2. **End-user endpoints** (`/v1/auth/*`, `/v1/organizations/*`, etc.)
-   - For building frontend applications
-   - Uses API Key (`X-API-Key`) + User JWT
-   - **USE THESE for end-user frontends**
+| Surface | Path prefix | Auth | Audience | Documented by this MCP? |
+|---|---|---|---|---|
+| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | What you build *for your customers* | ✅ Yes — this is what AI assistants need |
+| **Tenant/Dashboard API** | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | Internal tenant-admin dashboard | ❌ No — intentionally excluded |
 
-## 🚀 Installation
+**If your assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong.** The MCP server never returns those paths; that's by design.
+
+---
 
-Add this to your project's `.vscode/mcp.json`:
+## Install
+
+Pick the snippet that matches your IDE.
+
+### Cursor / Claude Code / Windsurf (`.vscode/mcp.json` or equivalent)
 
 ```json
 {
   "servers": {
-    "multiagent": {
+    "genlobe": {
       "command": "npx",
-      "args": ["-y", "https://api.your-domain.com/static/mcp-server.tgz"],
+      "args": ["-y", "@genlobe/mcp-server"],
       "env": {
-        "SAAS_API_URL": "https://api.your-domain.com"
+        "SAAS_API_URL": "https://api-core.genlobe.ai",
+        "SAAS_API_KEY": "pk_live_or_sk_live_xxx"
       }
     }
   }
 }
 ```
 
-Restart VS Code and you're ready!
+### Claude Desktop (`claude_desktop_config.json`)
+
+```json
+{
+  "mcpServers": {
+    "genlobe": {
+      "command": "npx",
+      "args": ["-y", "@genlobe/mcp-server"],
+      "env": {
+        "SAAS_API_URL": "https://api-core.genlobe.ai",
+        "SAAS_API_KEY": "pk_live_or_sk_live_xxx"
+      }
+    }
+  }
+}
+```
+
+Restart the IDE and the `genlobe` server will show up in the MCP server list.
+
+> The package is published as `@genlobe/mcp-server` on the public npm registry; `npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.1.0`).
 
 ---
 
-## 🛠️ Available Tools
+## Environment variables
 
-| Tool | Description |
-|------|-------------|
-| `get_api_overview` | High-level API architecture overview |
-| `get_end_user_endpoints` | Detailed documentation for end-user endpoints |
-| `get_request_headers` | Required HTTP headers for API requests |
-| `get_sdk_template` | Complete TypeScript SDK template |
-| `get_authentication_flow` | Step-by-step auth implementation guide |
-| `get_common_patterns` | Best practices for frontend development |
-| `search_endpoints` | Search endpoints by keyword |
-| `get_endpoint_details` | Get details of a specific endpoint |
-| `get_openapi_spec` | Full OpenAPI specification from live API |
+| Variable | Required | What it's for |
+|---|---|---|
+| `SAAS_API_URL` | yes | Base URL of the Genlobe API. Use **`https://api-core.genlobe.ai`** in production. |
+| `SAAS_API_KEY` | optional | Tenant API key. **Optional** for documentation tools, **required** for the live tools that actually call the API (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec` against protected paths). Accepts both `pk_live_*` (public) and `sk_live_*` (secret). |
+
+`API_URL` and `API_KEY` (without the `SAAS_` prefix) are accepted as aliases for backward compatibility.
+
+> If `SAAS_API_URL` is not set, the server falls back to `http://localhost:8001` — useful only if you're running the Genlobe backend yourself in development (see [Local development](#local-development) below). For any normal install from npm, set `SAAS_API_URL` explicitly.
 
 ---
 
-## 📋 Quick Start for AI Assistants
+## Tools
+
+The server exposes 14 tools. They split into three categories:
 
-When building a frontend for end-users:
+### Documentation tools (offline, no API key needed)
 
-1. **Call `get_api_overview`** first to understand the architecture
-2. **Call `get_authentication_flow`** to implement login/register
-3. **Call `get_end_user_endpoints`** to see all available endpoints
-4. **Call `get_sdk_template`** to get a ready-to-use API client
+| Tool | What it returns |
+|---|---|
+| `get_api_overview` | High-level architecture: the two API surfaces, auth model, key concepts, recommended call order. **Start here.** |
+| `get_end_user_endpoints` | Detailed reference for every end-user endpoint, optionally filtered by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
+| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples (`X-API-Key`, `Authorization: Bearer …`, `Content-Type`, etc.). |
+| `get_authentication_flow` | Step-by-step guide for register → login → refresh → logout, including token storage rules and refresh-on-401 patterns. |
+| `get_common_patterns` | Frontend implementation patterns: pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
+| `get_sdk_template` | A ready-to-paste TypeScript SDK module (`fetch`-based, typed) covering auth, agents, organizations, files, billing. |
+| `search_endpoints` | Keyword search across path, summary, and description (e.g. `"login"`, `"organization"`, `"checkout"`). |
+| `get_endpoint_details` | Full request/response schema of a specific `(method, path)`. |
+
+### Live tools (require `SAAS_API_KEY`)
+
+| Tool | What it does |
+|---|---|
+| `validate_credentials` | Probes the API with the configured key. Reports the detected key type (`pk_live_*` vs `sk_live_*`), masked prefix, success/failure of a sample call, and the resolved API URL. **Run this first in any session.** |
+| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from the configured `SAAS_API_URL`. Reflects the deployed version of the API exactly. |
+| `list_end_users` | `GET /v1/auth/users` — paginated list of end-users in the tenant. Requires `sk_live_*`. |
+| `list_oauth_providers` | Lists the OAuth providers (Google, …) the tenant has enabled for end-user social login. Friendly empty-state when none are configured. |
+
+### Security & architecture tools (key-aware, work without making calls)
+
+| Tool | What it does |
+|---|---|
+| `get_security_guide` | Returns a key-type-specific safe-usage cheat sheet. For `pk_live_*`: the allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors (frontend bundle, repo, client logs) and the server-only architecture pattern. |
+| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that *physically prevents the key from leaking*. Covers Next.js (App Router), Remix, SvelteKit, Nuxt, Astro for fullstack+secret; appropriate alternatives for the other shapes. |
 
 ---
 
-## 📦 Local Development
+## Recommended call order for AI assistants
+
+This is also what the startup banner of the server prints:
+
+```
+1. validate_credentials       → confirm SAAS_API_KEY works, learn its type
+2. get_security_guide         → know what you can and can't do with that key
+3. recommend_stack            → pick a framework that won't leak the key
+4. get_api_overview           → understand the API at a high level
+5. get_authentication_flow    → wire up register / login / refresh
+6. get_end_user_endpoints     → see what's available for the feature you're building
+7. get_sdk_template           → start writing real code
+```
+
+For *targeted* questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
+
+---
+
+## Local development
 
 ```bash
 cd mcp-server
 npm install
-npm run build
-npm pack  # Creates .tgz package
+npm run build      # tsc → dist/
+npm run dev        # tsx, hot-reload
+npm pack           # build a local .tgz to test in your IDE before publishing
+```
+
+To point your IDE at a local build instead of npm:
+
+```json
+{
+  "servers": {
+    "genlobe-local": {
+      "command": "node",
+      "args": ["/absolute/path/to/mcp-server/dist/index.js"],
+      "env": {
+        "SAAS_API_URL": "http://localhost:8001",
+        "SAAS_API_KEY": "pk_live_xxx"
+      }
+    }
+  }
+}
 ```
 
 ---
 
-## 🔧 Environment Variables
+## Releasing a new version
+
+The MCP version follows semver and is bumped independently of the backend API:
+
+- **patch** — bug fix in a tool's behavior, doc correction
+- **minor** — new tool, new optional field, new env var with a default
+- **major** — tool removed/renamed, env var removed, breaking change in returned shape
+
+Publish flow (works around the subtree quirk where `npm version` doesn't always commit cleanly):
 
-| Variable | Description | Required |
-|----------|-------------|----------|
-| `SAAS_API_URL` | API base URL | Yes |
-| `SAAS_API_KEY` | API Key for accessing protected docs | No |
+```bash
+cd mcp-server
+# 1. Move CHANGELOG [Unreleased] section under the new version header.
+# 2. Bump versions without letting npm touch git:
+npm version <patch|minor|major> --no-git-tag-version
+# 3. One commit + one tag, both intentional:
+git add package.json package-lock.json CHANGELOG.md
+git commit -m "chore(mcp): release vX.Y.Z"
+git tag -a vX.Y.Z -m "@genlobe/mcp-server vX.Y.Z"
+# 4. Publish (prepublishOnly runs `tsc` automatically):
+npm publish --access public
+# 5. Push commit + tag:
+git push origin main && git push origin vX.Y.Z
+```
+
+The CI workflow `.github/workflows/publish-mcp.yml` automates steps 4–5 when you push a `mcp-v*` tag (see [Automated publishing](#automated-publishing) below).
+
+---
 
+## License
 
+MIT — see [package.json](./package.json).

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@genlobe/mcp-server",
-  "version": "3.1.0",
+  "version": "3.1.1",
   "description": "MCP Server for GenLobe SaaS API - Provides AI assistants with comprehensive API documentation for building frontend applications",
   "main": "dist/index.js",
   "bin": {