@genlobe/mcp-server 3.3.0 → 3.4.0

package/README.md

@@ -1,34 +1,38 @@
 # Genlobe MCP Server
 
-A Model Context Protocol (MCP) server that turns AI-enabled IDEs (Cursor, Claude Code, GitHub Copilot, Windsurf, etc.) into informed Genlobe API clients. The server hands the assistant up-to-date API docs, ready-to-use SDK templates, security guidance, and stack recommendations — so when a developer says *"build me a login screen"* or *"add a checkout flow"*, the assistant doesn't hallucinate endpoints.
+A Model Context Protocol (MCP) server that documents the [Genlobe](https://genlobe.ai) API so AI assistants in your IDE (Cursor, Claude Code, Windsurf, Claude Desktop, …) can build real clients against it — without hallucinating endpoints, shapes, or auth headers.
+
+Paste it into your MCP config and ask your assistant *"build me a login screen"* or *"add a checkout flow"*. It will pull the right endpoints, headers, and code patterns straight from this server.
 
 [![npm version](https://img.shields.io/npm/v/@genlobe/mcp-server.svg)](https://www.npmjs.com/package/@genlobe/mcp-server)
 [![Node](https://img.shields.io/node/v/@genlobe/mcp-server.svg)](https://nodejs.org)
 
 ---
 
-## Two API surfaces — read this before installing
+## What it documents
 
-The Genlobe API exposes **two separate sets of endpoints**, and this MCP only documents one of them:
+The Genlobe API has two surfaces. This server only exposes the one your end-user app should call:
 
-| Surface | Path prefix | Auth | Audience | Documented by this MCP? |
-|---|---|---|---|---|
-| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | What you build *for your customers* | ✅ Yes — this is what AI assistants need |
-| **Tenant/Dashboard API** | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | Internal tenant-admin dashboard | ❌ No — intentionally excluded |
+| Surface | Path prefix | Auth | Documented here? |
+|---|---|---|---|
+| **End-user API** | `/v1/auth/*`, `/v1/agents/*`, `/v1/organizations/*`, `/v1/external-agents/*`, … | `X-API-Key` + end-user JWT | Yes |
+| Tenant / Dashboard API | `/v1/tenant-auth/*`, `/v1/dashboard/*` | Tenant member JWT | No — by design |
 
-**If your assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong.** The MCP server never returns those paths; that's by design.
+If the assistant ever suggests calling `/v1/dashboard/...` or `/v1/tenant-auth/...` from your end-user frontend, it's wrong: those endpoints exist for tenant admins, not for the apps you build on Genlobe.
 
 ---
 
 ## Install
 
-Pick the snippet that matches your IDE.
+Pick the snippet that matches your IDE. Drop in your API key (get one from [genlobe.ai](https://genlobe.ai) → your Tenant Dashboard → API Keys), restart the IDE, and the `genlobe` server will appear in its MCP server list.
+
+### Cursor / Claude Code / Windsurf
 
-### Cursor / Claude Code / Windsurf (`.vscode/mcp.json` or equivalent)
+Edit `.cursor/mcp.json`, `~/.config/claude-code/mcp.json`, or your equivalent client config:
 
 ```json
 {
-  "servers": {
+  "mcpServers": {
     "genlobe": {
       "command": "npx",
       "args": ["-y", "@genlobe/mcp-server"],
@@ -41,7 +45,9 @@ Pick the snippet that matches your IDE.
 }
 ```
 
-### Claude Desktop (`claude_desktop_config.json`)
+### Claude Desktop
+
+Edit `claude_desktop_config.json`:
 
 ```json
 {
@@ -58,63 +64,57 @@ Pick the snippet that matches your IDE.
 }
 ```
 
-Restart the IDE and the `genlobe` server will show up in the MCP server list.
-
-> The package is published as `@genlobe/mcp-server` on the public npm registry; `npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.1.0`).
+`npx -y` always pulls the latest version unless you pin one (`@genlobe/mcp-server@3.3.1`).
 
 ---
 
 ## Environment variables
 
-| Variable | Required | What it's for |
+| Variable | Required | Value |
 |---|---|---|
-| `SAAS_API_URL` | yes | Base URL of the Genlobe API. Use **`https://api-core.genlobe.ai`** in production. |
-| `SAAS_API_KEY` | optional | Tenant API key. **Optional** for documentation tools, **required** for the live tools that actually call the API (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec` against protected paths). Accepts both `pk_live_*` (public) and `sk_live_*` (secret). |
+| `SAAS_API_URL` | no | Defaults to `https://api-core.genlobe.ai`. Override only if you point at a local or on-prem backend. |
+| `SAAS_API_KEY` | optional | Your Genlobe API key. Accepts both `pk_live_*` (public) and `sk_live_*` (secret). Without it, only the offline documentation tools work — the four live tools (`validate_credentials`, `list_end_users`, `list_oauth_providers`, `get_openapi_spec`) need it. |
 
 `API_URL` and `API_KEY` (without the `SAAS_` prefix) are accepted as aliases for backward compatibility.
 
-> If `SAAS_API_URL` is not set, the server falls back to `http://localhost:8001` — useful only if you're running the Genlobe backend yourself in development (see [Local development](#local-development) below). For any normal install from npm, set `SAAS_API_URL` explicitly.
-
 ---
 
 ## Tools
 
-The server exposes 14 tools. They split into three categories:
+14 tools, in three groups.
 
-### Documentation tools (offline, no API key needed)
+### Documentation (offline, no API key needed)
 
-| Tool | What it returns |
+| Tool | Returns |
 |---|---|
-| `get_api_overview` | High-level architecture: the two API surfaces, auth model, key concepts, recommended call order. **Start here.** |
-| `get_end_user_endpoints` | Detailed reference for every end-user endpoint, optionally filtered by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
-| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples (`X-API-Key`, `Authorization: Bearer …`, `Content-Type`, etc.). |
-| `get_authentication_flow` | Step-by-step guide for register → login → refresh → logout, including token storage rules and refresh-on-401 patterns. |
-| `get_common_patterns` | Frontend implementation patterns: pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
+| `get_api_overview` | High-level architecture, auth model, key concepts, recommended call order. **Start here.** |
+| `get_end_user_endpoints` | Reference for every end-user endpoint, filterable by category (`authentication`, `organizations`, `subscriptions`, `billing`, `usage`, `agents`, `users`, `plans`, `ai`, `entities`, `departments`, `files`, `external_agents`). |
+| `get_request_headers` | The exact HTTP headers required for end-user requests, with examples. |
+| `get_authentication_flow` | Step-by-step register → login → refresh → logout, including token storage and refresh-on-401 patterns. |
+| `get_common_patterns` | Pagination, error handling, optimistic updates, file upload, RAG queries, agent execution. |
 | `get_sdk_template` | A ready-to-paste TypeScript SDK module (`fetch`-based, typed) covering auth, agents, organizations, files, billing. |
-| `search_endpoints` | Keyword search across path, summary, and description (e.g. `"login"`, `"organization"`, `"checkout"`). |
-| `get_endpoint_details` | Full request/response schema of a specific `(method, path)`. |
+| `search_endpoints` | Keyword search across path, summary, and description. |
+| `get_endpoint_details` | Full request/response schema for a specific `(method, path)`. |
 
-### Live tools (require `SAAS_API_KEY`)
+### Live (require `SAAS_API_KEY`)
 
-| Tool | What it does |
+| Tool | Does |
 |---|---|
 | `validate_credentials` | Probes the API with the configured key. Reports the detected key type (`pk_live_*` vs `sk_live_*`), masked prefix, success/failure of a sample call, and the resolved API URL. **Run this first in any session.** |
-| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from the configured `SAAS_API_URL`. Reflects the deployed version of the API exactly. |
+| `get_openapi_spec` | Fetches the live `/v1/openapi.json` from `SAAS_API_URL`. Reflects the deployed API exactly. |
 | `list_end_users` | `GET /v1/auth/users` — paginated list of end-users in the tenant. Requires `sk_live_*`. |
-| `list_oauth_providers` | Lists the OAuth providers (Google, …) the tenant has enabled for end-user social login. Friendly empty-state when none are configured. |
+| `list_oauth_providers` | Lists the OAuth providers (Google, …) enabled for end-user social login. |
 
-### Security & architecture tools (key-aware, work without making calls)
+### Security & architecture (key-aware, no network calls)
 
-| Tool | What it does |
+| Tool | Does |
 |---|---|
-| `get_security_guide` | Returns a key-type-specific safe-usage cheat sheet. For `pk_live_*`: the allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors (frontend bundle, repo, client logs) and the server-only architecture pattern. |
-| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that *physically prevents the key from leaking*. Covers Next.js (App Router), Remix, SvelteKit, Nuxt, Astro for fullstack+secret; appropriate alternatives for the other shapes. |
+| `get_security_guide` | Key-type-specific safe-usage cheat sheet. For `pk_live_*`: allowed endpoints and the "may be exposed in browser bundles" rule. For `sk_live_*`: leak vectors and the server-only architecture pattern. |
+| `recommend_stack` | Given an `app_type` (`frontend_only`, `fullstack`, `backend_service`, `mobile_app`, `cli_tool`, `desktop_app`) plus the detected key type, returns a framework recommendation that physically prevents the key from leaking (Next.js App Router, Remix, SvelteKit, Nuxt, Astro for fullstack + secret; appropriate alternatives elsewhere). |
 
 ---
 
-## Recommended call order for AI assistants
-
-This is also what the startup banner of the server prints:
+## Recommended call order
 
 ```
 1. validate_credentials       → confirm SAAS_API_KEY works, learn its type
@@ -126,39 +126,17 @@ This is also what the startup banner of the server prints:
 7. get_sdk_template           → start writing real code
 ```
 
-For *targeted* questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
+For targeted questions ("how do I list organizations?"), `search_endpoints` + `get_endpoint_details` is faster than scrolling through `get_end_user_endpoints`.
 
 ---
 
-## Local development
-
-```bash
-cd mcp-server
-npm install
-npm run build      # tsc → dist/
-npm run dev        # tsx, hot-reload
-npm pack           # build a local .tgz to test in your IDE before publishing
-```
-
-To point your IDE at a local build instead of npm:
+## Support
 
-```json
-{
-  "servers": {
-    "genlobe-local": {
-      "command": "node",
-      "args": ["/absolute/path/to/mcp-server/dist/index.js"],
-      "env": {
-        "SAAS_API_URL": "http://localhost:8001",
-        "SAAS_API_KEY": "pk_live_xxx"
-      }
-    }
-  }
-}
-```
+- Sign up and manage API keys: [genlobe.ai](https://genlobe.ai)
+- Issues and feature requests: [github.com/KleioTechnology/saas-multi-agent-tenant-ui/issues](https://github.com/KleioTechnology/saas-multi-agent-tenant-ui/issues)
 
 ---
 
 ## License
 
-MIT — see [package.json](./package.json).
+MIT.

package/dist/index.js

@@ -29,7 +29,12 @@ import { createRequire } from "module";
 const require = createRequire(import.meta.url);
 const pkg = require("../package.json");
 const SERVER_VERSION = pkg.version;
-const API_URL = process.env.SAAS_API_URL || process.env.API_URL || "http://localhost:8001";
+// Default to the public Genlobe API for npm-distributed installs (#268). A
+// developer who installs this package and forgets to set SAAS_API_URL gets
+// a working install pointed at production instead of `connection refused`.
+// Override with `SAAS_API_URL=http://localhost:8001` when running against
+// a local backend in development.
+const API_URL = process.env.SAAS_API_URL || process.env.API_URL || "https://api-core.genlobe.ai";
 const API_KEY = process.env.SAAS_API_KEY || process.env.API_KEY || "";
 // Cache for API responses
 const cache = new Map();
@@ -1190,20 +1195,24 @@ const END_USER_ENDPOINTS = {
                     {
                         id: "uuid",
                         tenant_id: "uuid",
+                        organization_id: "uuid - Org this agent belongs to. Tenant-catalog agents live in the Tenant's root Org; private agents live in customer Orgs (ADR-0006 v2 Hybrid Catalog)",
+                        is_public: "boolean - true when this agent is in the Tenant's catalog (visible to all customer Orgs of the Tenant)",
+                        forked_from_agent_id: "uuid | null - if this agent is a fork of a catalog agent, points to the source. Forks are independent (no template sync)",
                         name: "string",
                         description: "string | null",
                         system_prompt: "string",
                         response_type: "text | audio | video",
                         rag_provider: "NONE | GOOGLE_FILE_SEARCH",
+                        rag_role: "string | null - declarative tag matched against KnowledgeBase.role_tag in the caller's Org at runtime. Replaces the legacy single-store rag_config.store_id path (closes cross-org RAG leak G5)",
                         is_active: "boolean",
-                        rag_config: "object | null",
+                        rag_config: "object | null - DEPRECATED. New agents should use rag_role + a per-Org KnowledgeBase",
                         mcp_servers: "array of MCP server configs",
                         created_by: "uuid",
                         created_at: "ISO datetime",
                         updated_at: "ISO datetime"
                     }
                 ],
-                note: "Returns only active agents that the tenant has made available"
+                note: "Returns only active agents visible to the calling Organization: the Org's own private agents UNION public agents in the Tenant's catalog (root Org). End-user JWT context determines the Org via current_user.default_organization_id."
             },
             {
                 method: "GET",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@genlobe/mcp-server",
-  "version": "3.3.0",
+  "version": "3.4.0",
   "description": "MCP Server for GenLobe SaaS API - Provides AI assistants with comprehensive API documentation for building frontend applications",
   "main": "dist/index.js",
   "bin": {