@genlobe/mcp-server 3.1.8 → 3.3.1

package/README.md

@@ -1,34 +1,38 @@
 # Genlobe MCP Server
 
-A Model Context Protocol (MCP) server that turns AI-enabled IDEs (Cursor, Claude Code, GitHub Copilot, Windsurf, etc.) into informed Genlobe API clients. The server hands the assistant up-to-date API docs, ready-to-use SDK templates, security guidance, and stack recommendations — so when a developer says *"build me a login screen"* or *"add a checkout flow"*, the assistant doesn't hallucinate endpoints.
+A Model Context Protocol (MCP) server that documents the [Genlobe](https://genlobe.ai) API so AI assistants in your IDE (Cursor, Claude Code, Windsurf, Claude Desktop, …) can build real clients against it — without hallucinating endpoints, shapes, or auth headers.
+
+Paste it into your MCP config and ask your assistant *"build me a login screen"* or *"add a checkout flow"*. It will pull the right endpoints, headers, and code patterns straight from this server.
 
 [![npm version](https://img.shields.io/npm/v/@genlobe/mcp-server.svg)](https://www.npmjs.com/package/@genlobe/mcp-server)
 [![Node](https://img.shields.io/node/v/@genlobe/mcp-server.svg)](https://nodejs.org)
 
 ---
 
-## Two API surfaces — read this before installing
+## What it documents
 
-The Genlobe API exposes **two separate sets of endpoints**, and this MCP only documents one of them:
+The Genlobe API has two surfaces. This server only exposes the one your end-user app should call:
 
-| Surface | Path prefix | Auth | Audience | Documented by this MCP? |
-|---|---|---|---|---|
-| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | What you build *for your customers* | ✅ Yes — this is what AI assistants need |
-| **Tenant/Dashboard API** | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | Internal tenant-admin dashboard | ❌ No — intentionally excluded |
+| Surface | Path prefix | Auth | Documented here? |
+|---|---|---|---|
+| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | Yes |
+| Tenant / Dashboard API | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | No — by design |
 
-**If your assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong.** The MCP server never returns those paths; that's by design.
+If the assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong: those endpoints exist for tenant admins, not for the apps you build on Genlobe.
 
 ---
 
 ## Install
 
-Pick the snippet that matches your IDE.
+Pick the snippet that matches your IDE. Drop in your API key (get one from [genlobe.ai](https://genlobe.ai) → your Tenant Dashboard → API Keys), restart the IDE, and the `genlobe` server will appear in its MCP server list.
+
+### Cursor / Claude Code / Windsurf
 
-### Cursor / Claude Code / Windsurf (`.vscode/mcp.json` or equivalent)
+Edit `.cursor/mcp.json`, `~/.config/claude-code/mcp.json`, or your equivalent client config:
 
 ```json
 {
-  "servers": {
+  "mcpServers": {
     "genlobe": {
       "command": "npx",
       "args": ["-y", "@genlobe/mcp-server"],
@@ -41,7 +45,9 @@ Pick the snippet that matches your IDE.
 }
 ```
 
-### Claude Desktop (`claude_desktop_config.json`)
+### Claude Desktop
+
+Edit `claude_desktop_config.json`:
 
 ```json
 {
@@ -58,63 +64,57 @@ Pick the snippet that matches your IDE.
 }
 ```
 
-Restart the IDE and the `genlobe` server will show up in the MCP server list.
-
-> The package is published as `@genlobe/mcp-server` on the public npm registry; `npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.1.0`).
+`npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.3.1`).
 
 ---
 
 ## Environment variables
 
-| Variable | Required | What it's for |
+| Variable | Required | Value |
 |---|---|---|
-| `SAAS_API_URL` | yes | Base URL of the Genlobe API. Use **`https://api-core.genlobe.ai`** in production. |
-| `SAAS_API_KEY` | optional | Tenant API key. **Optional** for documentation tools, **required** for the live tools that actually call the API (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec` against protected paths). Accepts both `pk_live_*` (public) and `sk_live_*` (secret). |
+| `SAAS_API_URL` | yes | `https://api-core.genlobe.ai` |
+| `SAAS_API_KEY` | optional | Your Genlobe API key. Accepts both `pk_live_*` (public) and `sk_live_*` (secret). Without it, only the offline documentation tools work — the four live tools (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec`) need it. |
 
 `API_URL` and `API_KEY` (without the `SAAS_` prefix) are accepted as aliases for backward compatibility.
 
-> If `SAAS_API_URL` is not set, the server falls back to `http://localhost:8001` — useful only if you're running the Genlobe backend yourself in development (see [Local development](#local-development) below). For any normal install from npm, set `SAAS_API_URL` explicitly.
-
 ---
 
 ## Tools
 
-The server exposes 14 tools. They split into three categories:
+14 tools, in three groups.
 
-### Documentation tools (offline, no API key needed)
+### Documentation (offline, no API key needed)
 
-| Tool | What it returns |
+| Tool | Returns |
 |---|---|
-| `get_api_overview` | High-level architecture: the two API surfaces, auth model, key concepts, recommended call order. **Start here.** |
-| `get_end_user_endpoints` | Detailed reference for every end-user endpoint, optionally filtered by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
-| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples (`X-API-Key`, `Authorization: Bearer …`, `Content-Type`, etc.). |
-| `get_authentication_flow` | Step-by-step guide for register → login → refresh → logout, including token storage rules and refresh-on-401 patterns. |
-| `get_common_patterns` | Frontend implementation patterns: pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
+| `get_api_overview` | High-level architecture, auth model, key concepts, recommended call order. **Start here.** |
+| `get_end_user_endpoints` | Reference for every end-user endpoint, filterable by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
+| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples. |
+| `get_authentication_flow` | Step-by-step register → login → refresh → logout, including token storage and refresh-on-401 patterns. |
+| `get_common_patterns` | Pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
 | `get_sdk_template` | A ready-to-paste TypeScript SDK module (`fetch`-based, typed) covering auth, agents, organizations, files, billing. |
-| `search_endpoints` | Keyword search across path, summary, and description (e.g. `"login"`, `"organization"`, `"checkout"`). |
-| `get_endpoint_details` | Full request/response schema of a specific `(method, path)`. |
+| `search_endpoints` | Keyword search across path, summary, and description. |
+| `get_endpoint_details` | Full request/response schema for a specific `(method, path)`. |
 
-### Live tools (require `SAAS_API_KEY`)
+### Live (require `SAAS_API_KEY`)
 
-| Tool | What it does |
+| Tool | Does |
 |---|---|
 | `validate_credentials` | Probes the API with the configured key. Reports the detected key type (`pk_live_*` vs `sk_live_*`), masked prefix, success/failure of a sample call, and the resolved API URL. **Run this first in any session.** |
-| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from the configured `SAAS_API_URL`. Reflects the deployed version of the API exactly. |
+| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from `SAAS_API_URL`. Reflects the deployed API exactly. |
 | `list_end_users` | `GET /v1/auth/users` — paginated list of end-users in the tenant. Requires `sk_live_*`. |
-| `list_oauth_providers` | Lists the OAuth providers (Google, …) the tenant has enabled for end-user social login. Friendly empty-state when none are configured. |
+| `list_oauth_providers` | Lists the OAuth providers (Google, …) enabled for end-user social login. |
 
-### Security & architecture tools (key-aware, work without making calls)
+### Security & architecture (key-aware, no network calls)
 
-| Tool | What it does |
+| Tool | Does |
 |---|---|
-| `get_security_guide` | Returns a key-type-specific safe-usage cheat sheet. For `pk_live_*`: the allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors (frontend bundle, repo, client logs) and the server-only architecture pattern. |
-| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that *physically prevents the key from leaking*. Covers Next.js (App Router), Remix, SvelteKit, Nuxt, Astro for fullstack+secret; appropriate alternatives for the other shapes. |
+| `get_security_guide` | Key-type-specific safe-usage cheat sheet. For `pk_live_*`: allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors and the server-only architecture pattern. |
+| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that physically prevents the key from leaking (Next.js App Router, Remix, SvelteKit, Nuxt, Astro for fullstack + secret; appropriate alternatives elsewhere). |
 
 ---
 
-## Recommended call order for AI assistants
-
-This is also what the startup banner of the server prints:
+## Recommended call order
 
 ```
 1. validate_credentials       → confirm SAAS_API_KEY works, learn its type
@@ -126,39 +126,17 @@ This is also what the startup banner of the server prints:
 7. get_sdk_template           → start writing real code
 ```
 
-For *targeted* questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
+For targeted questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
 
 ---
 
-## Local development
-
-```bash
-cd mcp-server
-npm install
-npm run build      # tsc → dist/
-npm run dev        # tsx, hot-reload
-npm pack           # build a local .tgz to test in your IDE before publishing
-```
-
-To point your IDE at a local build instead of npm:
+## Support
 
-```json
-{
-  "servers": {
-    "genlobe-local": {
-      "command": "node",
-      "args": ["/absolute/path/to/mcp-server/dist/index.js"],
-      "env": {
-        "SAAS_API_URL": "http://localhost:8001",
-        "SAAS_API_KEY": "pk_live_xxx"
-      }
-    }
-  }
-}
-```
+- Sign up and manage API keys: [genlobe.ai](https://genlobe.ai)
+- Issues and feature requests: [github.com/KleioTechnology/saas-multi-agent-tenant-ui/issues](https://github.com/KleioTechnology/saas-multi-agent-tenant-ui/issues) (this single tracker covers the whole Genlobe platform, including this MCP server)
 
 ---
 
 ## License
 
-MIT — see [package.json](./package.json).
+MIT.

package/dist/index.js

@@ -64,8 +64,13 @@ There are TWO types of authentication contexts:
 - These endpoints ARE for building end-user frontends
 
 ## API Key Types
-- \`pk_live_*\`: Public key - safe to expose in frontend code (LIMITED to auth endpoints only)
-- \`sk_live_*\`: Secret key - backend only, never expose (FULL API access)
+
+- \`pk_live_*\`: Public key — safe to expose in frontend code.
+  - **By itself** (no JWT) the key only unlocks \`/v1/auth/*\` (register, login, refresh, logout, me, forgot-password, reset-password). These are the seven scopes auto-assigned to public keys.
+  - **Combined with an end-user JWT** returned by \`/v1/auth/login\`, the same public key unlocks the full end-user API: \`/v1/user/agents/*\`, \`/v1/entity/records/*\`, \`/v1/plans\`, \`/v1/billing/*\`, \`/v1/users/me\`, etc. Once the JWT is in play, the JWT carries end-user identity and the public key just keeps verifying the tenant context.
+  - Restricted by an Origin allowlist (configured per key) and per-IP rate limits.
+
+- \`sk_live_*\`: Secret key — backend-only, never expose. Required for server-to-server work that no end-user JWT can cover: defining entity schemas (\`/v1/entity/schemas/*\`), bulk record operations (\`/v1/entity/records/bulk\`, \`/v1/entity/records/search\`), webhooks, batch jobs, and other admin tooling on the tenant's own server.
 
 ## API Key Organization Scope (B2B2C)
 
@@ -102,6 +107,38 @@ If you're building a frontend application for end-users, you should:
 2. Use the public API key (pk_live_*) for client-side requests
 3. Include X-API-Key header in ALL requests
 4. After login, also include Authorization: Bearer <jwt> for authenticated requests
+
+## End-User App Flow (the canonical two-phase pattern)
+
+A common confusion: the public key looks restricted to \`/v1/auth/*\`, so developers assume they need to ship the secret key in their frontend to call agents or records. They don't. The pattern is two phases:
+
+\`\`\`
+[Tenant's app frontend in the user's browser]
+  │
+  │ Phase 1 — auth gateway (public key alone is enough)
+  │ X-API-Key: pk_live_xxx
+  ▼
+POST /v1/auth/register   ─┐
+POST /v1/auth/login       ├─ returns { access_token (JWT), refresh_token, user }
+POST /v1/auth/refresh    ─┘
+  │
+  │ Phase 2 — end-user features (public key + JWT)
+  │ X-API-Key: pk_live_xxx
+  │ Authorization: Bearer <end-user JWT>
+  ▼
+GET  /v1/user/agents/available
+POST /v1/user/agents/{id}/chat
+GET/POST/PUT/DELETE /v1/entity/records/...     ← custom-entity records as your app's DB
+GET  /v1/plans
+POST /v1/billing/checkout
+GET  /v1/users/me
+\`\`\`
+
+The \`sk_live_*\` key never reaches the browser. It lives only on the tenant's own server, used for:
+- defining entity schemas (\`/v1/entity/schemas/*\`),
+- bulk record operations (\`/v1/entity/records/bulk\`, \`/search\`),
+- receiving webhooks from the platform,
+- cron jobs and admin tooling.
 `,
     base_url: API_URL,
     documentation_urls: {
@@ -787,7 +824,7 @@ const END_USER_ENDPOINTS = {
         ]
     },
     billing: {
-        description: "Billing operations - checkout, plan changes, cancellation. All endpoints require SECRET key (sk_live_*) only.",
+        description: "Billing operations. Two flavors:\n\n- **Tier 1 (legacy / platform-level)**: endpoints under /v1/billing/* use the platform's Stripe and a SECRET key (sk_live_*) only. They were originally for Genlobe → Tenant billing and a since-superseded Tier 2 prototype; keep using them for tenant-internal flows.\n\n- **Tier 3 (Organization → end-user, Epic #209)**: each Organization runs its OWN Stripe (BYO key). End-users subscribe via /v1/organizations/{org_id}/billing/* (api key + JWT + active OrganizationMember). The Org's plan catalog is read via the public /v1/organizations/{org_id}/plans (api key only — no JWT). See the master spec at specs/features/billing/three-tier-billing.spec.md.",
         endpoints: [
             {
                 method: "GET",
@@ -880,6 +917,91 @@ const END_USER_ENDPOINTS = {
                     total_invoices: "number"
                 },
                 note: "Returns 404 if organization not found or doesn't belong to tenant."
+            },
+            // ---------------------------------------------------------------
+            // Tier 3 endpoints (Epic #209). Each Organization runs its OWN
+            // Stripe (BYO key). These run against the org's Stripe, not the
+            // platform's, and require an active OrganizationMember of the path's
+            // org. Plans are sold by the Organization to its end-users.
+            // ---------------------------------------------------------------
+            {
+                method: "GET",
+                path: "/v1/organizations/{organization_id}/plans",
+                summary: "List the Organization's active plans (Tier 3) — public to anonymous visitors of the org's app",
+                auth: { api_key: "pk_live_* or sk_live_*", jwt: false },
+                response: {
+                    items: "array of OrganizationPlan: id (uuid), organization_id (uuid), name (string), slug (string), description (string | null), price_amount (decimal), currency (ISO-4217), billing_interval ('month' | 'year'), stripe_product_id (string | null), stripe_price_id (string | null), stripe_price_id_yearly (string | null), features (array of strings), limits (object<string, int | null>), is_active (boolean), created_at (ISO datetime), updated_at (ISO datetime)",
+                    total: "number"
+                },
+                note: "Tenant-scoped: returns 404 if the Organization doesn't belong to the API key's tenant (no existence leak across tenants). Only plans with is_active=true and stripe_price_id != null are returned — use one of those plan ids when calling /billing/checkout-session.",
+                example_request: `GET /v1/organizations/660e8400-e29b-41d4-a716-446655440001/plans`
+            },
+            {
+                method: "POST",
+                path: "/v1/organizations/{organization_id}/billing/checkout-session",
+                summary: "Start a Stripe Checkout subscription flow for the calling end-user against an Org plan (Tier 3)",
+                auth: { api_key: "pk_live_* or sk_live_*", jwt: true },
+                request_body: {
+                    plan_id: "uuid (required) — OrganizationPlan id (NOT a Stripe price id). Get it from /v1/organizations/{organization_id}/plans.",
+                    success_url: "string url (required) — Stripe redirects here on success.",
+                    cancel_url: "string url (required) — Stripe redirects here if the user cancels."
+                },
+                response: {
+                    checkout_url: "string — Stripe-hosted Checkout URL (redirect the user here).",
+                    session_id: "string — Stripe Checkout session id (cs_*)."
+                },
+                errors: {
+                    "403": "Caller is not an active OrganizationMember of the path's org.",
+                    "404": "Plan not found / belongs to a different org / inactive (collapsed to the same 404 to avoid cross-org existence leaks).",
+                    "409": "Plan has no stripe_price_id yet OR the Organization has no Stripe configured (the Org Owner must finish setup first)."
+                },
+                note: "The caller becomes the end-user customer in the Organization's Stripe account, not in the platform's. The actual Subscription row is created by the webhook handler after Stripe fires checkout.session.completed.",
+                example_request: `{
+  "plan_id": "770e8400-e29b-41d4-a716-446655440002",
+  "success_url": "https://claude.example.com/billing/success?cs={CHECKOUT_SESSION_ID}",
+  "cancel_url": "https://claude.example.com/pricing"
+}`
+            },
+            {
+                method: "POST",
+                path: "/v1/organizations/{organization_id}/billing/customer-portal-session",
+                summary: "Open a Stripe Customer Portal session for the calling end-user (Tier 3, manage / cancel)",
+                auth: { api_key: "pk_live_* or sk_live_*", jwt: true },
+                request_body: {
+                    return_url: "string url (required) — Stripe redirects here when the user closes the Portal."
+                },
+                response: {
+                    portal_url: "string — Stripe-hosted Customer Portal URL."
+                },
+                errors: {
+                    "403": "Caller is not an active OrganizationMember of the path's org.",
+                    "409": "Caller has no Subscription / no Stripe customer for this Organization yet, OR the Organization has no Stripe configured."
+                },
+                note: "Portal allowed actions (cancel / update payment method / etc.) are configured by the Organization Owner in their own Stripe Dashboard."
+            },
+            {
+                method: "GET",
+                path: "/v1/organizations/{organization_id}/billing/subscription",
+                summary: "Read the calling end-user's current subscription in this Organization (Tier 3)",
+                auth: { api_key: "pk_live_* or sk_live_*", jwt: true },
+                response: {
+                    id: "uuid",
+                    organization_id: "uuid",
+                    user_id: "uuid",
+                    plan_id: "uuid | null",
+                    status: "string | null — Stripe Subscription.status (active, past_due, canceled, …)",
+                    billing_cycle: "string — 'monthly' or 'yearly'",
+                    current_period_start: "ISO datetime | null",
+                    current_period_end: "ISO datetime | null",
+                    cancel_at_period_end: "boolean",
+                    canceled_at: "ISO datetime | null",
+                    trial_start: "ISO datetime | null",
+                    trial_end: "ISO datetime | null"
+                },
+                errors: {
+                    "403": "Caller is not an active OrganizationMember of the path's org.",
+                    "404": "Caller has no Subscription for this Organization yet."
+                }
             }
         ]
     },
@@ -1026,6 +1148,29 @@ const END_USER_ENDPOINTS = {
                     error: "string | null"
                 },
                 note: "Returns 402 Payment Required if usage limits exceeded."
+            },
+            {
+                method: "GET",
+                path: "/v1/organizations/{organization_id}/usage",
+                summary: "Get aggregate usage for one Organization in the queried period",
+                auth: { api_key: "pk_live_* or sk_live_*", jwt: true },
+                query_params: {
+                    period_start: "ISO datetime (optional) - Inclusive start of the aggregation window (UTC). Defaults to the current calendar month.",
+                    period_end: "ISO datetime (optional) - Exclusive end of the aggregation window (UTC). Must be supplied together with period_start.",
+                },
+                response: {
+                    organization_id: "uuid",
+                    organization_name: "string | null - Human-readable name from organizations row, null if the org row was deleted",
+                    organization_slug: "string | null",
+                    period_start: "ISO datetime - resolved window start",
+                    period_end: "ISO datetime - resolved window end",
+                    messages_count: "number - Sum of messages_count across plan_usages rows for the org in the period",
+                    tokens_count: "number - Sum of tokens_count (input + output)",
+                    input_tokens_count: "number",
+                    output_tokens_count: "number",
+                    cost_usd: "string - Decimal as string (e.g. '12.345600')",
+                },
+                note: "Auth requires the caller to be an active OrganizationMember of the path's org. Returns a zero row when the org had no activity in the period, so callers can always render a header without a 404 fallback. Read-only — does not consume usage.",
             }
         ]
     },

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@genlobe/mcp-server",
-  "version": "3.1.8",
+  "version": "3.3.1",
   "description": "MCP Server for GenLobe SaaS API - Provides AI assistants with comprehensive API documentation for building frontend applications",
   "main": "dist/index.js",
   "bin": {