@genlobe/mcp-server 3.3.0 → 3.3.1

package/README.md

@@ -1,34 +1,38 @@
 # Genlobe MCP Server
 
-A Model Context Protocol (MCP) server that turns AI-enabled IDEs (Cursor, Claude Code, GitHub Copilot, Windsurf, etc.) into informed Genlobe API clients. The server hands the assistant up-to-date API docs, ready-to-use SDK templates, security guidance, and stack recommendations — so when a developer says *"build me a login screen"* or *"add a checkout flow"*, the assistant doesn't hallucinate endpoints.
+A Model Context Protocol (MCP) server that documents the [Genlobe](https://genlobe.ai) API so AI assistants in your IDE (Cursor, Claude Code, Windsurf, Claude Desktop, …) can build real clients against it — without hallucinating endpoints, shapes, or auth headers.
+
+Paste it into your MCP config and ask your assistant *"build me a login screen"* or *"add a checkout flow"*. It will pull the right endpoints, headers, and code patterns straight from this server.
 
 [![npm version](https://img.shields.io/npm/v/@genlobe/mcp-server.svg)](https://www.npmjs.com/package/@genlobe/mcp-server)
 [![Node](https://img.shields.io/node/v/@genlobe/mcp-server.svg)](https://nodejs.org)
 
 ---
 
-## Two API surfaces — read this before installing
+## What it documents
 
-The Genlobe API exposes **two separate sets of endpoints**, and this MCP only documents one of them:
+The Genlobe API has two surfaces. This server only exposes the one your end-user app should call:
 
-| Surface | Path prefix | Auth | Audience | Documented by this MCP? |
-|---|---|---|---|---|
-| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | What you build *for your customers* | ✅ Yes — this is what AI assistants need |
-| **Tenant/Dashboard API** | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | Internal tenant-admin dashboard | ❌ No — intentionally excluded |
+| Surface | Path prefix | Auth | Documented here? |
+|---|---|---|---|
+| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | Yes |
+| Tenant / Dashboard API | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | No — by design |
 
-**If your assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong.** The MCP server never returns those paths; that's by design.
+If the assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong: those endpoints exist for tenant admins, not for the apps you build on Genlobe.
 
 ---
 
 ## Install
 
-Pick the snippet that matches your IDE.
+Pick the snippet that matches your IDE. Drop in your API key (get one from [genlobe.ai](https://genlobe.ai) → your Tenant Dashboard → API Keys), restart the IDE, and the `genlobe` server will appear in its MCP server list.
+
+### Cursor / Claude Code / Windsurf
 
-### Cursor / Claude Code / Windsurf (`.vscode/mcp.json` or equivalent)
+Edit `.cursor/mcp.json`, `~/.config/claude-code/mcp.json`, or your equivalent client config:
 
 ```json
 {
-  "servers": {
+  "mcpServers": {
     "genlobe": {
       "command": "npx",
       "args": ["-y", "@genlobe/mcp-server"],
@@ -41,7 +45,9 @@ Pick the snippet that matches your IDE.
 }
 ```
 
-### Claude Desktop (`claude_desktop_config.json`)
+### Claude Desktop
+
+Edit `claude_desktop_config.json`:
 
 ```json
 {
@@ -58,63 +64,57 @@ Pick the snippet that matches your IDE.
 }
 ```
 
-Restart the IDE and the `genlobe` server will show up in the MCP server list.
-
-> The package is published as `@genlobe/mcp-server` on the public npm registry; `npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.1.0`).
+`npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.3.1`).
 
 ---
 
 ## Environment variables
 
-| Variable | Required | What it's for |
+| Variable | Required | Value |
 |---|---|---|
-| `SAAS_API_URL` | yes | Base URL of the Genlobe API. Use **`https://api-core.genlobe.ai`** in production. |
-| `SAAS_API_KEY` | optional | Tenant API key. **Optional** for documentation tools, **required** for the live tools that actually call the API (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec` against protected paths). Accepts both `pk_live_*` (public) and `sk_live_*` (secret). |
+| `SAAS_API_URL` | yes | `https://api-core.genlobe.ai` |
+| `SAAS_API_KEY` | optional | Your Genlobe API key. Accepts both `pk_live_*` (public) and `sk_live_*` (secret). Without it, only the offline documentation tools work — the four live tools (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec`) need it. |
 
 `API_URL` and `API_KEY` (without the `SAAS_` prefix) are accepted as aliases for backward compatibility.
 
-> If `SAAS_API_URL` is not set, the server falls back to `http://localhost:8001` — useful only if you're running the Genlobe backend yourself in development (see [Local development](#local-development) below). For any normal install from npm, set `SAAS_API_URL` explicitly.
-
 ---
 
 ## Tools
 
-The server exposes 14 tools. They split into three categories:
+14 tools, in three groups.
 
-### Documentation tools (offline, no API key needed)
+### Documentation (offline, no API key needed)
 
-| Tool | What it returns |
+| Tool | Returns |
 |---|---|
-| `get_api_overview` | High-level architecture: the two API surfaces, auth model, key concepts, recommended call order. **Start here.** |
-| `get_end_user_endpoints` | Detailed reference for every end-user endpoint, optionally filtered by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
-| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples (`X-API-Key`, `Authorization: Bearer …`, `Content-Type`, etc.). |
-| `get_authentication_flow` | Step-by-step guide for register → login → refresh → logout, including token storage rules and refresh-on-401 patterns. |
-| `get_common_patterns` | Frontend implementation patterns: pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
+| `get_api_overview` | High-level architecture, auth model, key concepts, recommended call order. **Start here.** |
+| `get_end_user_endpoints` | Reference for every end-user endpoint, filterable by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
+| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples. |
+| `get_authentication_flow` | Step-by-step register → login → refresh → logout, including token storage and refresh-on-401 patterns. |
+| `get_common_patterns` | Pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
 | `get_sdk_template` | A ready-to-paste TypeScript SDK module (`fetch`-based, typed) covering auth, agents, organizations, files, billing. |
-| `search_endpoints` | Keyword search across path, summary, and description (e.g. `"login"`, `"organization"`, `"checkout"`). |
-| `get_endpoint_details` | Full request/response schema of a specific `(method, path)`. |
+| `search_endpoints` | Keyword search across path, summary, and description. |
+| `get_endpoint_details` | Full request/response schema for a specific `(method, path)`. |
 
-### Live tools (require `SAAS_API_KEY`)
+### Live (require `SAAS_API_KEY`)
 
-| Tool | What it does |
+| Tool | Does |
 |---|---|
 | `validate_credentials` | Probes the API with the configured key. Reports the detected key type (`pk_live_*` vs `sk_live_*`), masked prefix, success/failure of a sample call, and the resolved API URL. **Run this first in any session.** |
-| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from the configured `SAAS_API_URL`. Reflects the deployed version of the API exactly. |
+| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from `SAAS_API_URL`. Reflects the deployed API exactly. |
 | `list_end_users` | `GET /v1/auth/users` — paginated list of end-users in the tenant. Requires `sk_live_*`. |
-| `list_oauth_providers` | Lists the OAuth providers (Google, …) the tenant has enabled for end-user social login. Friendly empty-state when none are configured. |
+| `list_oauth_providers` | Lists the OAuth providers (Google, …) enabled for end-user social login. |
 
-### Security & architecture tools (key-aware, work without making calls)
+### Security & architecture (key-aware, no network calls)
 
-| Tool | What it does |
+| Tool | Does |
 |---|---|
-| `get_security_guide` | Returns a key-type-specific safe-usage cheat sheet. For `pk_live_*`: the allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors (frontend bundle, repo, client logs) and the server-only architecture pattern. |
-| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that *physically prevents the key from leaking*. Covers Next.js (App Router), Remix, SvelteKit, Nuxt, Astro for fullstack+secret; appropriate alternatives for the other shapes. |
+| `get_security_guide` | Key-type-specific safe-usage cheat sheet. For `pk_live_*`: allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors and the server-only architecture pattern. |
+| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that physically prevents the key from leaking (Next.js App Router, Remix, SvelteKit, Nuxt, Astro for fullstack + secret; appropriate alternatives elsewhere). |
 
 ---
 
-## Recommended call order for AI assistants
-
-This is also what the startup banner of the server prints:
+## Recommended call order
 
 ```
 1. validate_credentials       → confirm SAAS_API_KEY works, learn its type
@@ -126,39 +126,17 @@ This is also what the startup banner of the server prints:
 7. get_sdk_template           → start writing real code
 ```
 
-For *targeted* questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
+For targeted questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
 
 ---
 
-## Local development
-
-```bash
-cd mcp-server
-npm install
-npm run build      # tsc → dist/
-npm run dev        # tsx, hot-reload
-npm pack           # build a local .tgz to test in your IDE before publishing
-```
-
-To point your IDE at a local build instead of npm:
+## Support
 
-```json
-{
-  "servers": {
-    "genlobe-local": {
-      "command": "node",
-      "args": ["/absolute/path/to/mcp-server/dist/index.js"],
-      "env": {
-        "SAAS_API_URL": "http://localhost:8001",
-        "SAAS_API_KEY": "pk_live_xxx"
-      }
-    }
-  }
-}
-```
+- Sign up and manage API keys: [genlobe.ai](https://genlobe.ai)
+- Issues and feature requests: [github.com/KleioTechnology/saas-multi-agent-tenant-ui/issues](https://github.com/KleioTechnology/saas-multi-agent-tenant-ui/issues) (this single tracker covers the whole Genlobe platform, including this MCP server)
 
 ---
 
 ## License
 
-MIT — see [package.json](./package.json).
+MIT.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@genlobe/mcp-server",
-  "version": "3.3.0",
+  "version": "3.3.1",
   "description": "MCP Server for GenLobe SaaS API - Provides AI assistants with comprehensive API documentation for building frontend applications",
   "main": "dist/index.js",
   "bin": {