@hailer/mcp 1.0.28 → 1.0.30

package/dist/cli.js

@@ -47,6 +47,9 @@ const os = __importStar(require("os"));
 const readline = __importStar(require("readline"));
 const CLAUDE_CONFIG_DIR = path.join(os.homedir(), 'Library', 'Application Support', 'Claude');
 const CLAUDE_CONFIG_FILE = path.join(CLAUDE_CONFIG_DIR, 'claude_desktop_config.json');
+// Credentials file for publish and other tools that need direct auth
+const HAILER_MCP_DIR = path.join(os.homedir(), '.hailer-mcp');
+const CREDENTIALS_FILE = path.join(HAILER_MCP_DIR, 'credentials.json');
 /**
  * Muted output stream for password input
  */
@@ -55,6 +58,10 @@ class MutedStream {
     muted = false;
     write() { return true; }
     end() { }
+    on() { return this; }
+    once() { return this; }
+    emit() { return true; }
+    removeListener() { return this; }
 }
 /**
  * Prompt user for input
@@ -199,8 +206,19 @@ async function runSetup() {
     }
     // Write config
     fs.writeFileSync(CLAUDE_CONFIG_FILE, JSON.stringify(config, null, 2));
+    // Save credentials to ~/.hailer-mcp/credentials.json for publish tool
+    if (!fs.existsSync(HAILER_MCP_DIR)) {
+        fs.mkdirSync(HAILER_MCP_DIR, { recursive: true });
+    }
+    const credentials = {
+        email,
+        password,
+        apiUrl,
+    };
+    fs.writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), { mode: 0o600 });
     console.log('\n✅ Configuration saved!');
-    console.log(`   File: ${CLAUDE_CONFIG_FILE}`);
+    console.log(`   Claude Desktop: ${CLAUDE_CONFIG_FILE}`);
+    console.log(`   Credentials: ${CREDENTIALS_FILE}`);
     console.log('\n🚀 Next steps:');
     console.log('   1. Quit Claude Desktop completely (Cmd+Q)');
     console.log('   2. Reopen Claude Desktop');

package/dist/mcp/UserContextCache.d.ts

@@ -1,6 +1,8 @@
 import { HailerClient } from './hailer-clients';
 import { WorkspaceCache } from './workspace-cache';
 import { HailerV2CoreInitResponse, HailerApiClient } from './utils/index';
+import { ToolGroup } from './tool-registry';
+import { UserRole } from './utils/index';
 export interface UserContext {
     client: HailerClient;
     hailer: HailerApiClient;
@@ -10,6 +12,9 @@ export interface UserContext {
     createdAt: number;
     email: string;
     password: string;
+    workspaceRoles: Record<string, UserRole>;
+    currentWorkspaceId: string;
+    allowedGroups: ToolGroup[];
 }
 /**
  * Cache for user-specific data (client connections, init data, workspace cache)

package/dist/mcp/UserContextCache.js

@@ -6,6 +6,7 @@ const workspace_cache_1 = require("./workspace-cache");
 const config_1 = require("../config");
 const logger_1 = require("../lib/logger");
 const index_1 = require("./utils/index");
+const index_2 = require("./utils/index");
 const logger = (0, logger_1.createLogger)({ component: 'user-context-cache' });
 /**
  * Cache for user-specific data (client connections, init data, workspace cache)
@@ -123,6 +124,21 @@ class UserContextCache {
             // Create workspace cache from init data
             const appConfig = (0, config_1.createApplicationConfig)();
             const workspaceCache = (0, workspace_cache_1.createWorkspaceCache)(init, appConfig.mcpConfig);
+            // Extract user roles from ALL workspaces
+            const currentUserId = await (0, hailer_clients_1.getCurrentUserId)(client);
+            const workspaceRoles = (0, index_2.extractWorkspaceRoles)(networks, currentUserId);
+            // Get current workspace ID
+            const currentWorkspaceId = init.network?._id || Object.keys(networks)[0] || '';
+            // Get role for current workspace (for backward compatibility and initial tool filtering)
+            const userRole = workspaceRoles[currentWorkspaceId] || 'guest';
+            const allowedGroups = (0, index_2.getAllowedGroups)(userRole, config_1.environment.ENABLE_NUCLEAR_TOOLS);
+            logger.info('User roles extracted from all workspaces', {
+                apiKey: apiKey.substring(0, 8) + '...',
+                workspaceCount: Object.keys(workspaceRoles).length,
+                currentWorkspaceId,
+                currentRole: userRole,
+                allRoles: Object.entries(workspaceRoles).map(([id, role]) => `${id.slice(-6)}:${role}`).join(', ')
+            });
             // Get credentials from config (for tools like publish_hailer_app that need external auth)
             const accountConfig = appConfig.getClientConfig(apiKey);
             const context = {
@@ -134,6 +150,9 @@ class UserContextCache {
                 createdAt: Date.now(),
                 email: accountConfig.email,
                 password: accountConfig.password,
+                workspaceRoles, // NEW: Map of workspaceId → role
+                currentWorkspaceId, // NEW: Current workspace ID
+                allowedGroups, // Keep for stdio-server compatibility
             };
             // Calculate and log cache sizes
             const rawInitSize = Buffer.byteLength(JSON.stringify(init), 'utf8');

package/dist/mcp/tool-registry.d.ts

@@ -27,6 +27,20 @@ export declare enum ToolGroup {
     NUCLEAR = "nuclear",
     BOT_INTERNAL = "bot_internal"
 }
+/**
+ * Tool annotations for MCP safety hints (per MCP spec)
+ * These hints help clients understand tool behavior for UI/UX decisions
+ */
+export interface ToolAnnotations {
+    /** If true, the tool does not modify any data (safe to run without confirmation) */
+    readOnlyHint?: boolean;
+    /** If true, the tool may perform destructive updates (delete, overwrite) */
+    destructiveHint?: boolean;
+    /** If true, the tool may interact with entities outside the user's control */
+    openWorldHint?: boolean;
+    /** If true, repeated calls with same args produce same result */
+    idempotentHint?: boolean;
+}
 /**
  * Tool definition interface
  */
@@ -35,6 +49,7 @@ export interface Tool<TSchema extends z.ZodType = z.ZodType> {
     group: ToolGroup;
     description: string;
     schema: TSchema;
+    annotations?: ToolAnnotations;
     execute: (args: z.infer<TSchema>, context: UserContext) => Promise<McpResponse>;
 }
 /**
@@ -44,6 +59,7 @@ export interface ToolDefinition {
     name: string;
     description: string;
     inputSchema: any;
+    annotations?: ToolAnnotations;
 }
 /**
  * ToolRegistry - Clean, testable, dependency-injected tool registry

package/dist/mcp/tool-registry.js

@@ -192,7 +192,8 @@ class ToolRegistry {
         return toolsToExpose.map(tool => ({
             name: tool.name,
             description: tool.description,
-            inputSchema: this.convertZodSchemaToJsonSchema(tool.schema)
+            inputSchema: this.convertZodSchemaToJsonSchema(tool.schema),
+            ...(tool.annotations && { annotations: tool.annotations })
         }));
     }
     /**
@@ -222,7 +223,8 @@ class ToolRegistry {
                 return {
                     name: tool.name,
                     description: `${tool.description} [Enum-constrained to valid workspace IDs]`,
-                    inputSchema: masterSchema
+                    inputSchema: masterSchema,
+                    ...(tool.annotations && { annotations: tool.annotations })
                 };
             }
         }
@@ -234,7 +236,8 @@ class ToolRegistry {
                 return {
                     name: tool.name,
                     description: `${tool.description} [Schema-constrained to ${workflowName}]`,
-                    inputSchema: workspaceSchema
+                    inputSchema: workspaceSchema,
+                    ...(tool.annotations && { annotations: tool.annotations })
                 };
             }
         }
@@ -242,7 +245,8 @@ class ToolRegistry {
         return {
             name: tool.name,
             description: tool.description,
-            inputSchema: this.convertZodSchemaToJsonSchema(tool.schema)
+            inputSchema: this.convertZodSchemaToJsonSchema(tool.schema),
+            ...(tool.annotations && { annotations: tool.annotations })
         };
     }
     /**

package/dist/mcp/tools/activity.js

@@ -436,6 +436,7 @@ exports.listActivitiesTool = {
     name: 'list_activities',
     group: tool_registry_1.ToolGroup.READ,
     description: `List activities from workflow phase`,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z.string().optional().describe("Workspace ID. If not provided, uses current workspace. Use list_my_workspaces to see available workspaces."),
         workflowId: zod_1.z.string().describe("Workflow ID to list activities from"),
@@ -584,6 +585,7 @@ exports.showActivityByIdTool = {
     name: 'show_activity_by_id',
     group: tool_registry_1.ToolGroup.READ,
     description: `Get activity by ID`,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z.string().optional().describe("Workspace ID. If not provided, uses current workspace. Use list_my_workspaces to see available workspaces."),
         activityId: zod_1.z.string().describe("Activity ID to load"),
@@ -631,6 +633,7 @@ exports.createActivityTool = {
     name: 'create_activity',
     group: tool_registry_1.ToolGroup.WRITE,
     description: createActivityDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()
@@ -970,6 +973,7 @@ exports.updateActivityTool = {
     name: 'update_activity',
     group: tool_registry_1.ToolGroup.WRITE,
     description: updateActivityDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()

package/dist/mcp/tools/app-core.js

@@ -23,6 +23,7 @@ exports.createAppTool = {
     name: 'create_app',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: createAppDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()
@@ -141,6 +142,7 @@ exports.listAppsTool = {
     name: 'list_apps',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: listAppsDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()
@@ -234,6 +236,7 @@ exports.updateAppTool = {
     name: 'update_app',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: updateAppDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         appId: zod_1.z
             .string()
@@ -347,6 +350,7 @@ exports.removeAppTool = {
     name: 'remove_app',
     group: tool_registry_1.ToolGroup.NUCLEAR,
     description: removeAppDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         appId: zod_1.z
             .string()

package/dist/mcp/tools/app-marketplace.js

@@ -22,6 +22,7 @@ exports.listTemplatesTool = {
     name: 'list_templates',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: listTemplatesDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()
@@ -128,6 +129,7 @@ exports.createTemplateTool = {
     name: 'create_template',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: createTemplateDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         name: zod_1.z
             .string()
@@ -212,6 +214,7 @@ exports.installTemplateTool = {
     name: 'install_template',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: installTemplateDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         templateId: zod_1.z
             .string()
@@ -315,6 +318,7 @@ exports.getTemplateTool = {
     name: 'get_template',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: getTemplateDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         templateId: zod_1.z
             .string()
@@ -422,6 +426,7 @@ exports.publishTemplateTool = {
     name: 'publish_template',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: publishTemplateDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         productId: zod_1.z
             .string()
@@ -608,6 +613,7 @@ exports.getProductTool = {
     name: 'get_product',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: getProductDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         productId: zod_1.z
             .string()
@@ -669,6 +675,7 @@ exports.getProductManifestTool = {
     name: 'get_product_manifest',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: getProductManifestDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         productId: zod_1.z
             .string()
@@ -723,6 +730,7 @@ const publishAppDescription = `Publish app to Hailer marketplace`;
 exports.publishAppTool = {
     name: 'publish_app',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     description: publishAppDescription,
     schema: zod_1.z.object({
         appId: zod_1.z
@@ -912,6 +920,7 @@ exports.installMarketplaceAppTool = {
     name: 'install_marketplace_app',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: installMarketplaceAppDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         productId: zod_1.z
             .string()

package/dist/mcp/tools/app-member.js

@@ -18,6 +18,7 @@ exports.addAppMemberTool = {
     name: 'add_app_member',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: addAppMemberDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         appId: zod_1.z
             .string()
@@ -110,6 +111,7 @@ exports.removeAppMemberTool = {
     name: 'remove_app_member',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: removeAppMemberDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         appId: zod_1.z
             .string()

package/dist/mcp/tools/app-scaffold.js

@@ -125,6 +125,7 @@ exports.scaffoldHailerAppTool = {
     name: 'scaffold_hailer_app',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: scaffoldHailerAppDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         projectName: zod_1.z.string().min(1).describe("Project folder name"),
         template: zod_1.z.enum(['react-ts-style', 'react-ts-example', 'react-ts', 'vanilla']).describe("Template to use (react-ts-style recommended - includes Hailer theme)"),
@@ -497,6 +498,7 @@ exports.publishHailerAppTool = {
     name: 'publish_hailer_app',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: publishHailerAppDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         projectDirectory: zod_1.z.string().optional().describe("Path to app project (defaults to DEV_APPS_PATH or current directory)"),
         appId: zod_1.z.string().optional().describe("App ID to publish to (reads from manifest.json if not provided)"),
@@ -507,15 +509,28 @@ exports.publishHailerAppTool = {
     async execute(args, context) {
         const path = await Promise.resolve().then(() => __importStar(require('path')));
         const fs = await Promise.resolve().then(() => __importStar(require('fs')));
-        // Use provided credentials or fall back to session credentials
-        const email = args.email || context.email;
-        const password = args.password || context.password;
+        const os = await Promise.resolve().then(() => __importStar(require('os')));
+        // Try to read credentials from ~/.hailer-mcp/credentials.json (saved by hailer-mcp setup)
+        let savedCredentials = {};
+        const credentialsFile = path.join(os.homedir(), '.hailer-mcp', 'credentials.json');
+        try {
+            if (fs.existsSync(credentialsFile)) {
+                savedCredentials = JSON.parse(fs.readFileSync(credentialsFile, 'utf-8'));
+                logger.debug('Loaded credentials from ~/.hailer-mcp/credentials.json');
+            }
+        }
+        catch (error) {
+            logger.warn('Failed to read credentials file', { error });
+        }
+        // Priority: args > saved credentials > context
+        const email = args.email || savedCredentials.email || context.email;
+        const password = args.password || savedCredentials.password || context.password;
         const { publishToMarket } = args;
         if (!email || !password) {
             return {
                 content: [{
                         type: "text",
-                        text: `❌ **Credentials Required**\n\nNo credentials found in session or parameters.\n\n**Options:**\n1. Provide email/password parameters\n2. Configure CLIENT_CONFIGS in .env.local with credentials`,
+                        text: `❌ **Credentials Required**\n\nNo credentials found.\n\n**Run setup first:**\n\`\`\`bash\nhailer-mcp setup\n\`\`\`\n\nOr provide email/password parameters directly.`,
                     }],
             };
         }
@@ -649,7 +664,6 @@ exports.publishHailerAppTool = {
             responseText += `**Project:** ${projectDir}\n`;
             responseText += `**Marketplace:** ${publishToMarket ? 'Yes (will get targetId)' : 'No'}\n\n`;
             // Run the SDK publish script using `expect` for interactive automation
-            const os = await Promise.resolve().then(() => __importStar(require('os')));
             const result = await new Promise((resolve) => {
                 // Create temp expect script file
                 const tmpDir = os.tmpdir();

package/dist/mcp/tools/discussion.js

@@ -79,6 +79,7 @@ exports.listMyDiscussionsTool = {
     name: 'list_my_discussions',
     group: tool_registry_1.ToolGroup.READ,
     description: listMyDiscussionsDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({}),
     async execute(args, context) {
         try {
@@ -241,6 +242,7 @@ exports.fetchDiscussionMessagesTool = {
     name: 'fetch_discussion_messages',
     group: tool_registry_1.ToolGroup.READ,
     description: fetchDiscussionMessagesDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         discussionId: zod_1.z
             .string()
@@ -403,6 +405,7 @@ exports.fetchPreviousDiscussionMessagesTool = {
     name: 'fetch_previous_discussion_messages',
     group: tool_registry_1.ToolGroup.READ,
     description: fetchPreviousDiscussionMessagesDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         oldestMessageId: zod_1.z
             .string()
@@ -521,6 +524,7 @@ exports.joinDiscussionTool = {
     name: 'join_discussion',
     group: tool_registry_1.ToolGroup.WRITE,
     description: joinDiscussionDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         activityId: zod_1.z
             .string()
@@ -801,6 +805,7 @@ exports.leaveDiscussionTool = {
     name: 'leave_discussion',
     group: tool_registry_1.ToolGroup.WRITE,
     description: leaveDiscussionDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         activityId: zod_1.z
             .string()
@@ -910,6 +915,7 @@ exports.addDiscussionMessageTool = {
     name: 'add_discussion_message',
     group: tool_registry_1.ToolGroup.WRITE,
     description: addDiscussionMessageDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         discussionId: zod_1.z.string().min(24, "Discussion ID must be at least 24 characters").describe("The discussion ID where to post the message"),
         content: zod_1.z.string().min(1, "Message content cannot be empty").describe("The message text to post"),
@@ -952,6 +958,7 @@ exports.inviteDiscussionMembersTool = {
     name: 'invite_discussion_members',
     group: tool_registry_1.ToolGroup.WRITE,
     description: inviteDiscussionMembersDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         discussionId: zod_1.z
             .string()
@@ -1103,6 +1110,7 @@ exports.getActivityFromDiscussionTool = {
     name: 'get_activity_from_discussion',
     group: tool_registry_1.ToolGroup.READ,
     description: getActivityFromDiscussionDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         discussionId: zod_1.z
             .string()

package/dist/mcp/tools/file.js

@@ -62,6 +62,7 @@ exports.uploadFilesTool = {
     name: 'upload_files',
     group: tool_registry_1.ToolGroup.WRITE,
     description: uploadFilesDescription,
+    annotations: { readOnlyHint: false, destructiveHint: false },
     schema: zod_1.z.object({
         files: zod_1.z.union([
             zod_1.z.array(zod_1.z.object({
@@ -164,6 +165,7 @@ exports.downloadFileTool = {
     name: 'download_file',
     group: tool_registry_1.ToolGroup.READ,
     description: downloadFileDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         fileId: zod_1.z.string().describe("File ID to download"),
         savePath: zod_1.z.string().optional().describe("Optional: local path to save file to disk")

package/dist/mcp/tools/insight.js

@@ -96,6 +96,7 @@ exports.createInsightTool = {
     name: 'create_insight',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: createInsightDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()
@@ -259,6 +260,7 @@ exports.previewInsightTool = {
     name: 'preview_insight',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: previewInsightDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()
@@ -376,6 +378,7 @@ exports.getInsightDataTool = {
     name: 'get_insight_data',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: getInsightDataDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         insightId: zod_1.z
             .string()
@@ -472,6 +475,7 @@ exports.updateInsightTool = {
     name: 'update_insight',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: updateInsightDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         insightId: zod_1.z
             .string()
@@ -616,6 +620,7 @@ exports.removeInsightTool = {
     name: 'remove_insight',
     group: tool_registry_1.ToolGroup.NUCLEAR,
     description: removeInsightDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: zod_1.z.object({
         insightId: zod_1.z
             .string()
@@ -743,6 +748,7 @@ const listInsightsDescription = `List all insights in workspace`;
 exports.listInsightsTool = {
     name: 'list_insights',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
+    annotations: { readOnlyHint: true },
     description: listInsightsDescription,
     schema: zod_1.z.object({
         workspaceId: zod_1.z

package/dist/mcp/tools/metrics.js

@@ -219,6 +219,7 @@ function formatAsChart(data, groupByLabel) {
 exports.queryMetricTool = {
     name: 'query_metric',
     group: tool_registry_1.ToolGroup.READ,
+    annotations: { readOnlyHint: true },
     description: `Query metrics from Victoria Metrics using PromQL. Available metrics:
 - hailer.activity.create - Activities created (labels: workspace, process, team, userRole)
 - hailer.message.create - Messages sent (labels: workspace, discussion, userRole)
@@ -329,6 +330,7 @@ exports.listMetricsTool = {
     name: 'list_metrics',
     group: tool_registry_1.ToolGroup.READ,
     description: 'List all available Hailer metrics from Victoria Metrics',
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({}),
     async execute(_args, _context) {
         try {
@@ -443,6 +445,7 @@ exports.searchWorkspaceForMetricsTool = {
     group: tool_registry_1.ToolGroup.READ,
     description: `Search for workspaces by name to get their IDs for metric queries.
 Use this tool when user mentions a workspace by name (e.g. "Sales Team") to find its ID for filtering metrics.`,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         name: zod_1.z.string().min(3).describe("Workspace name to search (min 3 characters)"),
         limit: zod_1.z.number().min(1).max(100).optional().default(20).describe("Maximum results to return (default 20, max 100)"),
@@ -495,6 +498,7 @@ exports.searchUserForMetricsTool = {
     group: tool_registry_1.ToolGroup.READ,
     description: `Look up user details by ID for metric analysis.
 Use this after getting user IDs from grouped metric results to see who they are.`,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         userIds: zod_1.z.preprocess((val) => {
             if (typeof val === 'string') {

package/dist/mcp/tools/user.js

@@ -22,6 +22,7 @@ exports.listMyWorkspacesTool = {
     name: 'list_my_workspaces',
     group: tool_registry_1.ToolGroup.READ,
     description: listMyWorkspacesDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({}),
     async execute(_args, context) {
         logger.debug('Listing user workspaces', {
@@ -41,7 +42,9 @@ exports.listMyWorkspacesTool = {
                 .map(([id, ws]) => {
                 const isCurrent = id === currentWorkspaceId;
                 const marker = isCurrent ? ' ← current' : '';
-                return `• **${ws.name}**${marker}\n  - ID: \`${id}\``;
+                const role = context.workspaceRoles[id] || 'guest';
+                const roleEmoji = role === 'owner' ? '👑' : role === 'admin' ? '⚙️' : role === 'member' ? '👤' : '👁️';
+                return `• **${ws.name}**${marker}\n  - ID: \`${id}\`\n  - Role: ${roleEmoji} ${role}`;
             })
                 .join('\n\n');
             const hint = workspaceList.length > 1
@@ -65,6 +68,7 @@ exports.searchWorkspaceUsersTool = {
     name: 'search_workspace_users',
     group: tool_registry_1.ToolGroup.READ,
     description: searchWorkspaceUsersDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         query: zod_1.z
             .string()
@@ -132,6 +136,7 @@ exports.getWorkspaceBalanceTool = {
     name: 'get_workspace_balance',
     group: tool_registry_1.ToolGroup.READ,
     description: getWorkspaceBalanceDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspaceId: zod_1.z
             .string()

package/dist/mcp/tools/workflow.js

@@ -57,6 +57,7 @@ exports.getWorkflowSchemaTool = {
     name: 'get_workflow_schema',
     group: tool_registry_1.ToolGroup.READ,
     description: getWorkflowSchemaDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workflowId: zod_1.z.string().describe("Workflow ID to get schema from"),
         phaseId: zod_1.z.string().describe("Phase ID to get schema from (use list_workflow_phases to get available phases)"),
@@ -181,6 +182,7 @@ exports.listWorkflowPhasesTool = {
     name: 'list_workflow_phases',
     group: tool_registry_1.ToolGroup.READ,
     description: listWorkflowPhasesDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workflowId: zod_1.z.string().describe("Workflow ID to get phases from"),
     }),
@@ -259,6 +261,7 @@ exports.listWorkflowsTool = {
     name: 'list_workflows',
     group: tool_registry_1.ToolGroup.READ,
     description: listWorkflowsDescription,
+    annotations: { readOnlyHint: true },
     schema: zod_1.z.object({
         workspace: zod_1.z.string().optional().describe("Optional workspace ID or name"),
         includeRelationships: zod_1.z.coerce.boolean().optional().default(true).describe("Show ActivityLink relationships between workflows"),
@@ -421,6 +424,7 @@ exports.installWorkflowTool = {
     name: 'install_workflow',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: installWorkflowDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: installWorkflowSchema,
     async execute(args, context) {
         logger.debug('Installing workflow', {
@@ -560,6 +564,7 @@ exports.removeWorkflowTool = {
     name: 'remove_workflow',
     group: tool_registry_1.ToolGroup.NUCLEAR,
     description: removeWorkflowDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: removeWorkflowSchema,
     async execute(args, context) {
         logger.debug('Removing workflow', {
@@ -710,6 +715,7 @@ exports.updateWorkflowFieldTool = {
     name: 'update_workflow_field',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: updateWorkflowFieldDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: updateWorkflowFieldSchema,
     async execute(args, context) {
         logger.debug('Updating workflow field', {
@@ -838,6 +844,7 @@ exports.testFunctionFieldTool = {
     name: 'test_function_field',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: testFunctionFieldDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: testFunctionFieldSchema,
     async execute(args, context) {
         logger.debug('Testing function field', {
@@ -1019,6 +1026,7 @@ exports.listWorkflowsMinimalTool = {
     name: 'list_workflows_minimal',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: listWorkflowsMinimalDescription,
+    annotations: { readOnlyHint: true },
     schema: listWorkflowsMinimalSchema,
     async execute(args, context) {
         logger.debug('Listing workflows (minimal)', {
@@ -1131,6 +1139,7 @@ exports.countActivitiesTool = {
     name: 'count_activities',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: countActivitiesDescription,
+    annotations: { readOnlyHint: true },
     schema: countActivitiesSchema,
     async execute(args, context) {
         logger.debug('Counting activities', {
@@ -1234,6 +1243,7 @@ exports.updateWorkflowPhaseTool = {
     name: 'update_workflow_phase',
     group: tool_registry_1.ToolGroup.PLAYGROUND,
     description: updateWorkflowPhaseDescription,
+    annotations: { readOnlyHint: false, destructiveHint: true },
     schema: updateWorkflowPhaseSchema,
     async execute(args, context) {
         logger.debug('Updating workflow phase', {

package/dist/mcp/utils/index.d.ts

@@ -12,5 +12,6 @@ export { transformActivity, transformActivities, transformFields, transformField
 export { textResponse, errorResponse, successResponse, jsonResponse, paginatedResponse, listResponse, getErrorMessage, withErrorHandling, isErrorResponse } from './response-builder';
 export { normalizePagination, calculatePaginationMeta, formatPaginationText } from './pagination';
 export type { PaginationMeta, PaginationOptions } from './pagination';
+export { deriveUserRole, getAllowedGroups, findCurrentUserMember, extractWorkspaceRoles, getAllowedGroupsForWorkspace, getMaxRole, checkWorkspaceAccess } from './role-utils';
 export type * from './types';
 //# sourceMappingURL=index.d.ts.map

package/dist/mcp/utils/index.js

@@ -4,7 +4,7 @@
  * Provides centralized access to all utility functions and types
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.formatPaginationText = exports.calculatePaginationMeta = exports.normalizePagination = exports.isErrorResponse = exports.withErrorHandling = exports.getErrorMessage = exports.listResponse = exports.paginatedResponse = exports.jsonResponse = exports.successResponse = exports.errorResponse = exports.textResponse = exports.formatActivityListResponse = exports.formatUserName = exports.formatTimestamp = exports.transformWorkflowFields = exports.transformPhases = exports.transformWorkflow = exports.findFieldByKey = exports.transformFieldValue = exports.transformFields = exports.transformActivities = exports.transformActivity = exports.HailerApiClient = exports.createSuccessResponse = exports.createErrorResponse = exports.handleApiResponse = exports.makeApiCall = exports.HailerApiError = exports.LogTag = exports.LogLevel = exports.logger = exports.createLogger = void 0;
+exports.checkWorkspaceAccess = exports.getMaxRole = exports.getAllowedGroupsForWorkspace = exports.extractWorkspaceRoles = exports.findCurrentUserMember = exports.getAllowedGroups = exports.deriveUserRole = exports.formatPaginationText = exports.calculatePaginationMeta = exports.normalizePagination = exports.isErrorResponse = exports.withErrorHandling = exports.getErrorMessage = exports.listResponse = exports.paginatedResponse = exports.jsonResponse = exports.successResponse = exports.errorResponse = exports.textResponse = exports.formatActivityListResponse = exports.formatUserName = exports.formatTimestamp = exports.transformWorkflowFields = exports.transformPhases = exports.transformWorkflow = exports.findFieldByKey = exports.transformFieldValue = exports.transformFields = exports.transformActivities = exports.transformActivity = exports.HailerApiClient = exports.createSuccessResponse = exports.createErrorResponse = exports.handleApiResponse = exports.makeApiCall = exports.HailerApiError = exports.LogTag = exports.LogLevel = exports.logger = exports.createLogger = void 0;
 // Logging utilities
 var logger_1 = require("../../lib/logger");
 Object.defineProperty(exports, "createLogger", { enumerable: true, get: function () { return logger_1.createLogger; } });
@@ -50,4 +50,13 @@ var pagination_1 = require("./pagination");
 Object.defineProperty(exports, "normalizePagination", { enumerable: true, get: function () { return pagination_1.normalizePagination; } });
 Object.defineProperty(exports, "calculatePaginationMeta", { enumerable: true, get: function () { return pagination_1.calculatePaginationMeta; } });
 Object.defineProperty(exports, "formatPaginationText", { enumerable: true, get: function () { return pagination_1.formatPaginationText; } });
+// Role-based access control
+var role_utils_1 = require("./role-utils");
+Object.defineProperty(exports, "deriveUserRole", { enumerable: true, get: function () { return role_utils_1.deriveUserRole; } });
+Object.defineProperty(exports, "getAllowedGroups", { enumerable: true, get: function () { return role_utils_1.getAllowedGroups; } });
+Object.defineProperty(exports, "findCurrentUserMember", { enumerable: true, get: function () { return role_utils_1.findCurrentUserMember; } });
+Object.defineProperty(exports, "extractWorkspaceRoles", { enumerable: true, get: function () { return role_utils_1.extractWorkspaceRoles; } });
+Object.defineProperty(exports, "getAllowedGroupsForWorkspace", { enumerable: true, get: function () { return role_utils_1.getAllowedGroupsForWorkspace; } });
+Object.defineProperty(exports, "getMaxRole", { enumerable: true, get: function () { return role_utils_1.getMaxRole; } });
+Object.defineProperty(exports, "checkWorkspaceAccess", { enumerable: true, get: function () { return role_utils_1.checkWorkspaceAccess; } });
 //# sourceMappingURL=index.js.map

package/dist/mcp/utils/role-utils.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Role-Based Access Control Utilities
+ *
+ * Derives user role from workspace member flags and maps roles to ToolGroups.
+ * Used by UserContextCache to determine tool access at context creation time.
+ */
+import { ToolGroup } from '../tool-registry';
+import { UserRole, WorkspaceMember, WorkspaceInfo } from './types';
+/**
+ * Derive user role from workspace member flags
+ * Priority: owner > admin > guest > member
+ *
+ * @param member - Workspace member from v2.core.init
+ * @returns UserRole - 'owner' | 'admin' | 'guest' | 'member'
+ */
+export declare function deriveUserRole(member: WorkspaceMember): UserRole;
+/**
+ * Map user role to allowed ToolGroups
+ *
+ * @param role - User role derived from workspace member
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access
+ */
+export declare function getAllowedGroups(role: UserRole, enableNuclear?: boolean): ToolGroup[];
+/**
+ * Find current user in workspace members array
+ *
+ * @param members - Array of workspace members from init.network.members
+ * @param currentUserId - Current user's ID
+ * @returns WorkspaceMember if found, undefined otherwise
+ */
+export declare function findCurrentUserMember(members: WorkspaceMember[], currentUserId: string): WorkspaceMember | undefined;
+/**
+ * Extract user roles from all workspaces
+ * Returns a map of workspaceId → UserRole
+ *
+ * @param networks - Record of workspace ID to WorkspaceInfo from init.networks
+ * @param currentUserId - Current user's ID
+ * @returns Record mapping workspace IDs to UserRoles
+ */
+export declare function extractWorkspaceRoles(networks: Record<string, WorkspaceInfo>, currentUserId: string): Record<string, UserRole>;
+/**
+ * Get allowed groups for a specific workspace
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param workspaceId - Target workspace ID
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access in the specified workspace
+ */
+export declare function getAllowedGroupsForWorkspace(workspaceRoles: Record<string, UserRole>, workspaceId: string, enableNuclear?: boolean): ToolGroup[];
+/**
+ * Get the highest role across all workspaces
+ * Used to determine which tools to show at startup (max potential access)
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @returns Highest UserRole across all workspaces
+ */
+export declare function getMaxRole(workspaceRoles: Record<string, UserRole>): UserRole;
+/**
+ * Check if user has access to a specific ToolGroup in a workspace
+ * Used for runtime permission validation when tools are called with workspaceId
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param currentWorkspaceId - Current default workspace ID
+ * @param targetWorkspaceId - Target workspace ID (or undefined to use current)
+ * @param requiredGroup - ToolGroup required for the operation
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Object with allowed boolean and optional reason string
+ */
+export declare function checkWorkspaceAccess(workspaceRoles: Record<string, UserRole>, currentWorkspaceId: string, targetWorkspaceId: string | undefined, requiredGroup: ToolGroup, enableNuclear?: boolean): {
+    allowed: boolean;
+    reason?: string;
+};
+//# sourceMappingURL=role-utils.d.ts.map

package/dist/mcp/utils/role-utils.js

@@ -0,0 +1,151 @@
+"use strict";
+/**
+ * Role-Based Access Control Utilities
+ *
+ * Derives user role from workspace member flags and maps roles to ToolGroups.
+ * Used by UserContextCache to determine tool access at context creation time.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveUserRole = deriveUserRole;
+exports.getAllowedGroups = getAllowedGroups;
+exports.findCurrentUserMember = findCurrentUserMember;
+exports.extractWorkspaceRoles = extractWorkspaceRoles;
+exports.getAllowedGroupsForWorkspace = getAllowedGroupsForWorkspace;
+exports.getMaxRole = getMaxRole;
+exports.checkWorkspaceAccess = checkWorkspaceAccess;
+const tool_registry_1 = require("../tool-registry");
+/**
+ * Derive user role from workspace member flags
+ * Priority: owner > admin > guest > member
+ *
+ * @param member - Workspace member from v2.core.init
+ * @returns UserRole - 'owner' | 'admin' | 'guest' | 'member'
+ */
+function deriveUserRole(member) {
+    if (member.owner)
+        return 'owner';
+    if (member.admin)
+        return 'admin';
+    if (member.guest)
+        return 'guest';
+    return 'member';
+}
+/**
+ * Map user role to allowed ToolGroups
+ *
+ * @param role - User role derived from workspace member
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access
+ */
+function getAllowedGroups(role, enableNuclear = true) {
+    switch (role) {
+        case 'owner':
+            return enableNuclear
+                ? [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND, tool_registry_1.ToolGroup.NUCLEAR]
+                : [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND];
+        case 'admin':
+            return [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND];
+        case 'member':
+            return [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE];
+        case 'guest':
+            return [tool_registry_1.ToolGroup.READ];
+    }
+}
+/**
+ * Find current user in workspace members array
+ *
+ * @param members - Array of workspace members from init.network.members
+ * @param currentUserId - Current user's ID
+ * @returns WorkspaceMember if found, undefined otherwise
+ */
+function findCurrentUserMember(members, currentUserId) {
+    return members.find(m => m.uid === currentUserId);
+}
+/**
+ * Extract user roles from all workspaces
+ * Returns a map of workspaceId → UserRole
+ *
+ * @param networks - Record of workspace ID to WorkspaceInfo from init.networks
+ * @param currentUserId - Current user's ID
+ * @returns Record mapping workspace IDs to UserRoles
+ */
+function extractWorkspaceRoles(networks, currentUserId) {
+    const roles = {};
+    for (const [wsId, network] of Object.entries(networks)) {
+        const members = (network.members || []);
+        const member = findCurrentUserMember(members, currentUserId);
+        roles[wsId] = member ? deriveUserRole(member) : 'guest';
+    }
+    return roles;
+}
+/**
+ * Get allowed groups for a specific workspace
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param workspaceId - Target workspace ID
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access in the specified workspace
+ */
+function getAllowedGroupsForWorkspace(workspaceRoles, workspaceId, enableNuclear = true) {
+    const role = workspaceRoles[workspaceId] || 'guest';
+    return getAllowedGroups(role, enableNuclear);
+}
+/**
+ * Get the highest role across all workspaces
+ * Used to determine which tools to show at startup (max potential access)
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @returns Highest UserRole across all workspaces
+ */
+function getMaxRole(workspaceRoles) {
+    const roleOrder = ['guest', 'member', 'admin', 'owner'];
+    let maxRole = 'guest';
+    for (const role of Object.values(workspaceRoles)) {
+        if (roleOrder.indexOf(role) > roleOrder.indexOf(maxRole)) {
+            maxRole = role;
+        }
+    }
+    return maxRole;
+}
+/**
+ * Get minimum role required for a ToolGroup
+ * Used for error messages
+ */
+function getRequiredRoleForGroup(group) {
+    switch (group) {
+        case tool_registry_1.ToolGroup.READ:
+            return 'guest';
+        case tool_registry_1.ToolGroup.WRITE:
+            return 'member';
+        case tool_registry_1.ToolGroup.PLAYGROUND:
+            return 'admin';
+        case tool_registry_1.ToolGroup.NUCLEAR:
+            return 'owner';
+        default:
+            return 'owner';
+    }
+}
+/**
+ * Check if user has access to a specific ToolGroup in a workspace
+ * Used for runtime permission validation when tools are called with workspaceId
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param currentWorkspaceId - Current default workspace ID
+ * @param targetWorkspaceId - Target workspace ID (or undefined to use current)
+ * @param requiredGroup - ToolGroup required for the operation
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Object with allowed boolean and optional reason string
+ */
+function checkWorkspaceAccess(workspaceRoles, currentWorkspaceId, targetWorkspaceId, requiredGroup, enableNuclear = true) {
+    const effectiveWsId = targetWorkspaceId || currentWorkspaceId;
+    const role = workspaceRoles[effectiveWsId] || 'guest';
+    const allowedGroups = getAllowedGroups(role, enableNuclear);
+    if (!allowedGroups.includes(requiredGroup)) {
+        return {
+            allowed: false,
+            reason: `Insufficient permissions in workspace '${effectiveWsId.slice(-6)}'. Your role '${role}' doesn't have access to ${requiredGroup} tools. Required: ${getRequiredRoleForGroup(requiredGroup)} or higher.`
+        };
+    }
+    return { allowed: true };
+}
+//# sourceMappingURL=role-utils.js.map

package/dist/mcp/utils/types.d.ts

@@ -2,6 +2,29 @@
  * Shared type definitions for Hailer MCP Server
  * Consolidates interfaces used across multiple files
  */
+/**
+ * User role in workspace (derived from member flags)
+ * Used to determine which ToolGroups are available to the user
+ */
+export type UserRole = 'guest' | 'member' | 'admin' | 'owner';
+/**
+ * Workspace member from v2.core.init response
+ * Contains role flags that determine user permissions
+ *
+ * Schema reference: hailer-api/src/validation/sharedSchemas.ts (validWorkspaceMemberSchema)
+ */
+export interface WorkspaceMember {
+    uid: string;
+    title?: string;
+    owner?: boolean;
+    admin?: boolean;
+    guest?: boolean;
+    inviter?: boolean;
+    feedAdmin?: boolean;
+    customRole?: string;
+    joined: number;
+    fields?: Record<string, string | string[] | null>;
+}
 export type { CleanActivity, FieldValue, WorkflowInfo, PhaseInfo, FieldInfo, UserInfo, } from './data-transformers';
 export interface HailerField {
     data: any[];
@@ -173,7 +196,7 @@ export interface WorkspaceInfo {
     _id: string;
     name: string;
     description?: string;
-    members?: string[];
+    members?: WorkspaceMember[];
     settings?: Record<string, any>;
 }
 export interface SignalData {

package/dist/stdio-server.js

@@ -32,15 +32,21 @@ async function startStdioServer(toolRegistry) {
         name: 'hailer-mcp-server',
         version: '1.0.0',
     });
-    // Get tool definitions (filtered by allowed groups, excluding NUCLEAR unless enabled)
+    // Get user context to determine role-based tool access
+    const userContext = await UserContextCache_1.UserContextCache.getContext(apiKey);
+    // Show ALL tools - permission checks happen at runtime via checkWorkspaceAccess()
+    // ENABLE_NUCLEAR_TOOLS still controls whether NUCLEAR tools are available at all
     const allowedGroups = config_1.environment.ENABLE_NUCLEAR_TOOLS
         ? [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND, tool_registry_1.ToolGroup.NUCLEAR]
         : [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND];
     // Get tools with their original Zod schemas - MCP SDK requires Zod, not JSON Schema
     const tools = toolRegistry.getToolsWithZodSchemas({ allowedGroups });
-    logger.info('Registering tools for stdio server', {
+    logger.info('Tools registered (runtime permission checks apply)', {
+        currentWorkspaceId: userContext.currentWorkspaceId,
+        currentRole: userContext.workspaceRoles[userContext.currentWorkspaceId] || 'guest',
         toolCount: tools.length,
-        allowedGroups,
+        workspaceCount: Object.keys(userContext.workspaceRoles).length,
+        nuclearEnabled: config_1.environment.ENABLE_NUCLEAR_TOOLS
     });
     // Register each tool with the MCP server using Zod schemas
     for (const tool of tools) {

package/manifest.json

@@ -0,0 +1,62 @@
+{
+  "mcpb_version": "0.1",
+  "name": "hailer-mcp",
+  "version": "1.0.29",
+  "display_name": "Hailer MCP",
+  "description": "Connect Claude to Hailer workspaces for workflow management, activity tracking, discussions, and insights",
+  "author": {
+    "name": "Hailer",
+    "url": "https://hailer.com"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hailer/hailer-mcp"
+  },
+  "server": {
+    "type": "stdio",
+    "entry_point": "dist/app.js",
+    "mcp_config": {
+      "command": "node",
+      "args": ["${serverPath}/dist/app.js"]
+    }
+  },
+  "user_config": [
+    {
+      "id": "mcp_client_api_key",
+      "name": "Client API Key",
+      "description": "Identifier for this client (any string, e.g. 'claude-desktop')",
+      "type": "string",
+      "required": true,
+      "default": "claude-desktop",
+      "env_var": "MCP_CLIENT_API_KEY"
+    },
+    {
+      "id": "hailer_email",
+      "name": "Hailer Email",
+      "description": "Your Hailer account email",
+      "type": "string",
+      "required": true,
+      "env_var": "HAILER_EMAIL"
+    },
+    {
+      "id": "hailer_password",
+      "name": "Hailer Password",
+      "description": "Your Hailer account password",
+      "type": "string",
+      "required": true,
+      "sensitive": true,
+      "env_var": "HAILER_PASSWORD"
+    },
+    {
+      "id": "hailer_api_url",
+      "name": "API URL",
+      "description": "Hailer API URL (default: https://api.hailer.com)",
+      "type": "string",
+      "required": false,
+      "default": "https://api.hailer.com",
+      "env_var": "HAILER_API_URL"
+    }
+  ],
+  "categories": ["productivity", "workflow", "collaboration"],
+  "keywords": ["hailer", "workflow", "activity", "discussion", "insight", "crm"]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hailer/mcp",
-  "version": "1.0.28",
+  "version": "1.0.30",
   "config": {
     "docker": {
       "registry": "registry.gitlab.com/hailer-repos/hailer-mcp"