npm - @hailer/mcp - Versions diffs - 1.1.12 → 1.1.14 - Mend

@hailer/mcp 1.1.12 → 1.1.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/CHANGELOG.md +0 -7
package/{.claude → dist}/CLAUDE.md +2 -2
package/dist/app.js +18 -5
package/dist/bot/bot-config.d.ts +10 -1
package/dist/bot/bot-config.js +64 -3
package/dist/bot/bot-manager.d.ts +2 -0
package/dist/bot/bot-manager.js +9 -2
package/dist/bot/bot.d.ts +33 -0
package/dist/bot/bot.js +461 -160
package/dist/bot/services/message-classifier.js +17 -0
package/dist/bot/services/permission-guard.d.ts +52 -0
package/dist/bot/services/permission-guard.js +149 -0
package/dist/bot/services/types.d.ts +5 -0
package/dist/bot/services/typing-indicator.d.ts +6 -1
package/dist/bot/services/typing-indicator.js +19 -3
package/dist/cli.js +0 -0
package/dist/config.d.ts +6 -1
package/dist/config.js +43 -0
package/dist/core.js +3 -6
package/dist/lib/discussion-lock.d.ts +42 -0
package/dist/lib/discussion-lock.js +110 -0
package/dist/mcp/UserContextCache.d.ts +5 -0
package/dist/mcp/UserContextCache.js +51 -19
package/dist/mcp/hailer-clients.d.ts +19 -1
package/dist/mcp/hailer-clients.js +158 -24
package/dist/mcp/session-store.d.ts +68 -0
package/dist/mcp/session-store.js +169 -0
package/dist/mcp/signal-handler.js +2 -0
package/dist/mcp/tool-registry.d.ts +17 -4
package/dist/mcp/tool-registry.js +37 -7
package/dist/mcp/tools/activity.js +99 -7
package/dist/mcp/tools/app-scaffold.js +304 -336
package/dist/mcp/tools/bot-config/constants.d.ts +23 -0
package/dist/mcp/tools/bot-config/constants.js +94 -0
package/dist/mcp/tools/bot-config/core.d.ts +253 -0
package/dist/mcp/tools/bot-config/core.js +2456 -0
package/dist/mcp/tools/bot-config/index.d.ts +10 -0
package/dist/mcp/tools/bot-config/index.js +59 -0
package/dist/mcp/tools/bot-config/tools.d.ts +7 -0
package/dist/mcp/tools/bot-config/tools.js +15 -0
package/dist/mcp/tools/bot-config/types.d.ts +50 -0
package/dist/mcp/tools/bot-config/types.js +6 -0
package/dist/mcp/tools/bug-fixer-tools.d.ts +45 -0
package/dist/mcp/tools/bug-fixer-tools.js +1096 -0
package/dist/mcp/tools/company.d.ts +9 -0
package/dist/mcp/tools/company.js +88 -0
package/dist/mcp/tools/discussion.js +68 -0
package/dist/mcp/tools/document.d.ts +11 -0
package/dist/mcp/tools/document.js +741 -0
package/dist/mcp/tools/investigate.d.ts +9 -0
package/dist/mcp/tools/investigate.js +254 -0
package/dist/mcp/tools/workflow-permissions.d.ts +15 -0
package/dist/mcp/tools/workflow-permissions.js +204 -0
package/dist/mcp/tools/workflow.js +57 -18
package/dist/mcp/utils/index.d.ts +2 -0
package/dist/mcp/utils/index.js +12 -1
package/dist/mcp/utils/role-utils.d.ts +74 -0
package/dist/mcp/utils/role-utils.js +151 -0
package/dist/mcp/utils/types.d.ts +43 -1
package/dist/mcp/utils/types.js +14 -0
package/dist/mcp/webhook-handler.d.ts +4 -0
package/dist/mcp/webhook-handler.js +8 -0
package/dist/mcp-server.d.ts +23 -2
package/dist/mcp-server.js +639 -127
package/dist/plugins/vipunen/client.d.ts +150 -0
package/dist/plugins/vipunen/client.js +535 -0
package/dist/plugins/vipunen/config/schema-config.json +19 -0
package/dist/plugins/vipunen/config/schema-doc.json +22 -0
package/dist/plugins/vipunen/index.d.ts +41 -0
package/dist/plugins/vipunen/index.js +88 -0
package/dist/plugins/vipunen/tools.d.ts +26 -0
package/dist/plugins/vipunen/tools.js +501 -0
package/dist/stdio-server.d.ts +14 -0
package/dist/stdio-server.js +101 -0
package/package.json +2 -1
package/.claude/agents/agent-ada-skill-builder.md +0 -94
package/.claude/agents/agent-alejandro-function-fields.md +0 -342
package/.claude/agents/agent-bjorn-config-audit.md +0 -103
package/.claude/agents/agent-builder-agent-creator.md +0 -130
package/.claude/agents/agent-code-simplifier.md +0 -53
package/.claude/agents/agent-dmitri-activity-crud.md +0 -159
package/.claude/agents/agent-giuseppe-app-builder.md +0 -247
package/.claude/agents/agent-gunther-mcp-tools.md +0 -39
package/.claude/agents/agent-helga-workflow-config.md +0 -204
package/.claude/agents/agent-igor-activity-mover-automation.md +0 -125
package/.claude/agents/agent-ingrid-doc-templates.md +0 -261
package/.claude/agents/agent-ivan-monolith.md +0 -154
package/.claude/agents/agent-kenji-data-reader.md +0 -86
package/.claude/agents/agent-lars-code-inspector.md +0 -102
package/.claude/agents/agent-marco-mockup-builder.md +0 -110
package/.claude/agents/agent-marcus-api-documenter.md +0 -323
package/.claude/agents/agent-marketplace-publisher.md +0 -280
package/.claude/agents/agent-marketplace-reviewer.md +0 -309
package/.claude/agents/agent-permissions-handler.md +0 -208
package/.claude/agents/agent-simple-writer.md +0 -48
package/.claude/agents/agent-svetlana-code-review.md +0 -171
package/.claude/agents/agent-tanya-test-runner.md +0 -333
package/.claude/agents/agent-ui-designer.md +0 -100
package/.claude/agents/agent-viktor-sql-insights.md +0 -212
package/.claude/agents/agent-web-search.md +0 -55
package/.claude/agents/agent-yevgeni-discussions.md +0 -45
package/.claude/agents/agent-zara-zapier.md +0 -159
package/.claude/commands/app-squad.md +0 -135
package/.claude/commands/audit-squad.md +0 -158
package/.claude/commands/autoplan.md +0 -563
package/.claude/commands/cleanup-squad.md +0 -98
package/.claude/commands/config-squad.md +0 -106
package/.claude/commands/crud-squad.md +0 -87
package/.claude/commands/data-squad.md +0 -97
package/.claude/commands/debug-squad.md +0 -303
package/.claude/commands/doc-squad.md +0 -65
package/.claude/commands/handoff.md +0 -137
package/.claude/commands/health.md +0 -49
package/.claude/commands/help.md +0 -29
package/.claude/commands/help:agents.md +0 -151
package/.claude/commands/help:commands.md +0 -78
package/.claude/commands/help:faq.md +0 -79
package/.claude/commands/help:plugins.md +0 -50
package/.claude/commands/help:skills.md +0 -93
package/.claude/commands/help:tools.md +0 -75
package/.claude/commands/hotfix-squad.md +0 -112
package/.claude/commands/integration-squad.md +0 -82
package/.claude/commands/janitor-squad.md +0 -167
package/.claude/commands/learn-auto.md +0 -120
package/.claude/commands/learn.md +0 -120
package/.claude/commands/mcp-list.md +0 -27
package/.claude/commands/onboard-squad.md +0 -140
package/.claude/commands/plan-workspace.md +0 -732
package/.claude/commands/prd.md +0 -130
package/.claude/commands/project-status.md +0 -82
package/.claude/commands/publish.md +0 -138
package/.claude/commands/recap.md +0 -69
package/.claude/commands/restore.md +0 -64
package/.claude/commands/review-squad.md +0 -152
package/.claude/commands/save.md +0 -24
package/.claude/commands/stats.md +0 -19
package/.claude/commands/swarm.md +0 -210
package/.claude/commands/tool-builder.md +0 -39
package/.claude/commands/ws-pull.md +0 -44
package/.claude/hooks/_shared-memory.cjs +0 -305
package/.claude/hooks/_utils.cjs +0 -108
package/.claude/hooks/agent-failure-detector.cjs +0 -383
package/.claude/hooks/agent-usage-logger.cjs +0 -204
package/.claude/hooks/app-edit-guard.cjs +0 -494
package/.claude/hooks/auto-learn.cjs +0 -304
package/.claude/hooks/bash-guard.cjs +0 -272
package/.claude/hooks/builder-mode-manager.cjs +0 -354
package/.claude/hooks/bulk-activity-guard.cjs +0 -271
package/.claude/hooks/context-watchdog.cjs +0 -230
package/.claude/hooks/delegation-reminder.cjs +0 -465
package/.claude/hooks/design-system-lint.cjs +0 -271
package/.claude/hooks/post-scaffold-hook.cjs +0 -181
package/.claude/hooks/prompt-guard.cjs +0 -354
package/.claude/hooks/publish-template-guard.cjs +0 -147
package/.claude/hooks/session-start.cjs +0 -35
package/.claude/hooks/shared-memory-writer.cjs +0 -147
package/.claude/hooks/skill-injector.cjs +0 -140
package/.claude/hooks/skill-usage-logger.cjs +0 -258
package/.claude/hooks/src-edit-guard.cjs +0 -240
package/.claude/hooks/sync-marketplace-agents.cjs +0 -346
package/.claude/settings.json +0 -257
package/.claude/skills/SDK-activity-patterns/SKILL.md +0 -428
package/.claude/skills/SDK-document-templates/SKILL.md +0 -1033
package/.claude/skills/SDK-function-fields/SKILL.md +0 -542
package/.claude/skills/SDK-generate-skill/SKILL.md +0 -92
package/.claude/skills/SDK-init-skill/SKILL.md +0 -127
package/.claude/skills/SDK-insight-queries/SKILL.md +0 -787
package/.claude/skills/SDK-ws-config-skill/SKILL.md +0 -1139
package/.claude/skills/agent-structure/SKILL.md +0 -98
package/.claude/skills/api-documentation-patterns/SKILL.md +0 -474
package/.claude/skills/chrome-mcp-reference/SKILL.md +0 -370
package/.claude/skills/delegation-routing/SKILL.md +0 -202
package/.claude/skills/frontend-design/SKILL.md +0 -254
package/.claude/skills/hailer-activity-mover/SKILL.md +0 -213
package/.claude/skills/hailer-api-client/SKILL.md +0 -518
package/.claude/skills/hailer-app-builder/SKILL.md +0 -1434
package/.claude/skills/hailer-apps-pictures/SKILL.md +0 -269
package/.claude/skills/hailer-design-system/SKILL.md +0 -235
package/.claude/skills/hailer-monolith-automations/SKILL.md +0 -686
package/.claude/skills/hailer-permissions-system/SKILL.md +0 -121
package/.claude/skills/hailer-project-protocol/SKILL.md +0 -488
package/.claude/skills/hailer-rest-api/SKILL.md +0 -61
package/.claude/skills/hailer-rest-api/hailer-activities.md +0 -184
package/.claude/skills/hailer-rest-api/hailer-admin.md +0 -473
package/.claude/skills/hailer-rest-api/hailer-calendar.md +0 -256
package/.claude/skills/hailer-rest-api/hailer-feed.md +0 -249
package/.claude/skills/hailer-rest-api/hailer-insights.md +0 -195
package/.claude/skills/hailer-rest-api/hailer-messaging.md +0 -276
package/.claude/skills/hailer-rest-api/hailer-workflows.md +0 -283
package/.claude/skills/insight-join-patterns/SKILL.md +0 -174
package/.claude/skills/integration-patterns/SKILL.md +0 -421
package/.claude/skills/json-only-output/SKILL.md +0 -72
package/.claude/skills/lsp-setup/SKILL.md +0 -160
package/.claude/skills/mcp-direct-tools/SKILL.md +0 -153
package/.claude/skills/optional-parameters/SKILL.md +0 -72
package/.claude/skills/publish-hailer-app/SKILL.md +0 -244
package/.claude/skills/testing-patterns/SKILL.md +0 -630
package/.claude/skills/tool-builder/SKILL.md +0 -250
package/.claude/skills/tool-parameter-usage/SKILL.md +0 -126
package/.claude/skills/tool-response-verification/SKILL.md +0 -92
package/.claude/skills/zapier-hailer-patterns/SKILL.md +0 -581
package/.mcp.json +0 -13
package/.opencode/agent/agent-ada-skill-builder.md +0 -35
package/.opencode/agent/agent-alejandro-function-fields.md +0 -39
package/.opencode/agent/agent-bjorn-config-audit.md +0 -36
package/.opencode/agent/agent-builder-agent-creator.md +0 -39
package/.opencode/agent/agent-code-simplifier.md +0 -31
package/.opencode/agent/agent-dmitri-activity-crud.md +0 -40
package/.opencode/agent/agent-giuseppe-app-builder.md +0 -37
package/.opencode/agent/agent-gunther-mcp-tools.md +0 -39
package/.opencode/agent/agent-helga-workflow-config.md +0 -203
package/.opencode/agent/agent-igor-activity-mover-automation.md +0 -46
package/.opencode/agent/agent-ingrid-doc-templates.md +0 -39
package/.opencode/agent/agent-ivan-monolith.md +0 -46
package/.opencode/agent/agent-kenji-data-reader.md +0 -53
package/.opencode/agent/agent-lars-code-inspector.md +0 -28
package/.opencode/agent/agent-marco-mockup-builder.md +0 -42
package/.opencode/agent/agent-marcus-api-documenter.md +0 -53
package/.opencode/agent/agent-marketplace-publisher.md +0 -44
package/.opencode/agent/agent-marketplace-reviewer.md +0 -42
package/.opencode/agent/agent-permissions-handler.md +0 -50
package/.opencode/agent/agent-simple-writer.md +0 -45
package/.opencode/agent/agent-svetlana-code-review.md +0 -39
package/.opencode/agent/agent-tanya-test-runner.md +0 -57
package/.opencode/agent/agent-ui-designer.md +0 -56
package/.opencode/agent/agent-viktor-sql-insights.md +0 -34
package/.opencode/agent/agent-web-search.md +0 -42
package/.opencode/agent/agent-yevgeni-discussions.md +0 -37
package/.opencode/agent/agent-zara-zapier.md +0 -53
package/.opencode/commands/app-squad.md +0 -135
package/.opencode/commands/audit-squad.md +0 -158
package/.opencode/commands/autoplan.md +0 -563
package/.opencode/commands/cleanup-squad.md +0 -98
package/.opencode/commands/config-squad.md +0 -106
package/.opencode/commands/crud-squad.md +0 -87
package/.opencode/commands/data-squad.md +0 -97
package/.opencode/commands/debug-squad.md +0 -303
package/.opencode/commands/doc-squad.md +0 -65
package/.opencode/commands/handoff.md +0 -137
package/.opencode/commands/health.md +0 -49
package/.opencode/commands/help-agents.md +0 -151
package/.opencode/commands/help-commands.md +0 -32
package/.opencode/commands/help-faq.md +0 -29
package/.opencode/commands/help-plugins.md +0 -28
package/.opencode/commands/help-skills.md +0 -7
package/.opencode/commands/help-tools.md +0 -40
package/.opencode/commands/help.md +0 -28
package/.opencode/commands/hotfix-squad.md +0 -112
package/.opencode/commands/integration-squad.md +0 -82
package/.opencode/commands/janitor-squad.md +0 -167
package/.opencode/commands/learn-auto.md +0 -120
package/.opencode/commands/learn.md +0 -120
package/.opencode/commands/mcp-list.md +0 -27
package/.opencode/commands/onboard-squad.md +0 -140
package/.opencode/commands/plan-workspace.md +0 -732
package/.opencode/commands/prd.md +0 -131
package/.opencode/commands/project-status.md +0 -82
package/.opencode/commands/publish.md +0 -138
package/.opencode/commands/recap.md +0 -69
package/.opencode/commands/restore.md +0 -64
package/.opencode/commands/review-squad.md +0 -152
package/.opencode/commands/save.md +0 -24
package/.opencode/commands/stats.md +0 -19
package/.opencode/commands/swarm.md +0 -210
package/.opencode/commands/tool-builder.md +0 -39
package/.opencode/commands/ws-pull.md +0 -44
package/.opencode/opencode.json +0 -28
package/SESSION-HANDOFF.md +0 -68
package/inbox/2026-03-04-bot-config-patterns.md +0 -24

package/dist/mcp/utils/role-utils.d.ts ADDED Viewed

@@ -0,0 +1,74 @@
+/**
+ * Role-Based Access Control Utilities
+ *
+ * Derives user role from workspace member flags and maps roles to ToolGroups.
+ * Used by UserContextCache to determine tool access at context creation time.
+ */
+import { ToolGroup } from '../tool-registry';
+import { UserRole, WorkspaceMember, WorkspaceInfo } from './types';
+/**
+ * Derive user role from workspace member flags
+ * Priority: owner > admin > guest > member
+ *
+ * @param member - Workspace member from v2.core.init
+ * @returns UserRole - 'owner' | 'admin' | 'guest' | 'member'
+ */
+export declare function deriveUserRole(member: WorkspaceMember): UserRole;
+/**
+ * Map user role to allowed ToolGroups
+ *
+ * @param role - User role derived from workspace member
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access
+ */
+export declare function getAllowedGroups(role: UserRole, enableNuclear?: boolean): ToolGroup[];
+/**
+ * Find current user in workspace members array
+ *
+ * @param members - Array of workspace members from init.network.members
+ * @param currentUserId - Current user's ID
+ * @returns WorkspaceMember if found, undefined otherwise
+ */
+export declare function findCurrentUserMember(members: WorkspaceMember[], currentUserId: string): WorkspaceMember | undefined;
+/**
+ * Extract user roles from all workspaces
+ * Returns a map of workspaceId → UserRole
+ *
+ * @param networks - Record of workspace ID to WorkspaceInfo from init.networks
+ * @param currentUserId - Current user's ID
+ * @returns Record mapping workspace IDs to UserRoles
+ */
+export declare function extractWorkspaceRoles(networks: Record<string, WorkspaceInfo>, currentUserId: string): Record<string, UserRole>;
+/**
+ * Get allowed groups for a specific workspace
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param workspaceId - Target workspace ID
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access in the specified workspace
+ */
+export declare function getAllowedGroupsForWorkspace(workspaceRoles: Record<string, UserRole>, workspaceId: string, enableNuclear?: boolean): ToolGroup[];
+/**
+ * Get the highest role across all workspaces
+ * Used to determine which tools to show at startup (max potential access)
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @returns Highest UserRole across all workspaces
+ */
+export declare function getMaxRole(workspaceRoles: Record<string, UserRole>): UserRole;
+/**
+ * Check if user has access to a specific ToolGroup in a workspace
+ * Used for runtime permission validation when tools are called with workspaceId
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param currentWorkspaceId - Current default workspace ID
+ * @param targetWorkspaceId - Target workspace ID (or undefined to use current)
+ * @param requiredGroup - ToolGroup required for the operation
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Object with allowed boolean and optional reason string
+ */
+export declare function checkWorkspaceAccess(workspaceRoles: Record<string, UserRole>, currentWorkspaceId: string, targetWorkspaceId: string | undefined, requiredGroup: ToolGroup, enableNuclear?: boolean): {
+    allowed: boolean;
+    reason?: string;
+};
+//# sourceMappingURL=role-utils.d.ts.map

package/dist/mcp/utils/role-utils.js ADDED Viewed

@@ -0,0 +1,151 @@
+"use strict";
+/**
+ * Role-Based Access Control Utilities
+ *
+ * Derives user role from workspace member flags and maps roles to ToolGroups.
+ * Used by UserContextCache to determine tool access at context creation time.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveUserRole = deriveUserRole;
+exports.getAllowedGroups = getAllowedGroups;
+exports.findCurrentUserMember = findCurrentUserMember;
+exports.extractWorkspaceRoles = extractWorkspaceRoles;
+exports.getAllowedGroupsForWorkspace = getAllowedGroupsForWorkspace;
+exports.getMaxRole = getMaxRole;
+exports.checkWorkspaceAccess = checkWorkspaceAccess;
+const tool_registry_1 = require("../tool-registry");
+/**
+ * Derive user role from workspace member flags
+ * Priority: owner > admin > guest > member
+ *
+ * @param member - Workspace member from v2.core.init
+ * @returns UserRole - 'owner' | 'admin' | 'guest' | 'member'
+ */
+function deriveUserRole(member) {
+    if (member.owner)
+        return 'owner';
+    if (member.admin)
+        return 'admin';
+    if (member.guest)
+        return 'guest';
+    return 'member';
+}
+/**
+ * Map user role to allowed ToolGroups
+ *
+ * @param role - User role derived from workspace member
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access
+ */
+function getAllowedGroups(role, enableNuclear = true) {
+    switch (role) {
+        case 'owner':
+            return enableNuclear
+                ? [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND, tool_registry_1.ToolGroup.NUCLEAR]
+                : [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND];
+        case 'admin':
+            return [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND];
+        case 'member':
+            return [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE];
+        case 'guest':
+            return [tool_registry_1.ToolGroup.READ];
+    }
+}
+/**
+ * Find current user in workspace members array
+ *
+ * @param members - Array of workspace members from init.network.members
+ * @param currentUserId - Current user's ID
+ * @returns WorkspaceMember if found, undefined otherwise
+ */
+function findCurrentUserMember(members, currentUserId) {
+    return members.find(m => m.uid === currentUserId);
+}
+/**
+ * Extract user roles from all workspaces
+ * Returns a map of workspaceId → UserRole
+ *
+ * @param networks - Record of workspace ID to WorkspaceInfo from init.networks
+ * @param currentUserId - Current user's ID
+ * @returns Record mapping workspace IDs to UserRoles
+ */
+function extractWorkspaceRoles(networks, currentUserId) {
+    const roles = {};
+    for (const [wsId, network] of Object.entries(networks)) {
+        const members = (network.members || []);
+        const member = findCurrentUserMember(members, currentUserId);
+        roles[wsId] = member ? deriveUserRole(member) : 'guest';
+    }
+    return roles;
+}
+/**
+ * Get allowed groups for a specific workspace
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param workspaceId - Target workspace ID
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Array of ToolGroups the user can access in the specified workspace
+ */
+function getAllowedGroupsForWorkspace(workspaceRoles, workspaceId, enableNuclear = true) {
+    const role = workspaceRoles[workspaceId] || 'guest';
+    return getAllowedGroups(role, enableNuclear);
+}
+/**
+ * Get the highest role across all workspaces
+ * Used to determine which tools to show at startup (max potential access)
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @returns Highest UserRole across all workspaces
+ */
+function getMaxRole(workspaceRoles) {
+    const roleOrder = ['guest', 'member', 'admin', 'owner'];
+    let maxRole = 'guest';
+    for (const role of Object.values(workspaceRoles)) {
+        if (roleOrder.indexOf(role) > roleOrder.indexOf(maxRole)) {
+            maxRole = role;
+        }
+    }
+    return maxRole;
+}
+/**
+ * Get minimum role required for a ToolGroup
+ * Used for error messages
+ */
+function getRequiredRoleForGroup(group) {
+    switch (group) {
+        case tool_registry_1.ToolGroup.READ:
+            return 'guest';
+        case tool_registry_1.ToolGroup.WRITE:
+            return 'member';
+        case tool_registry_1.ToolGroup.PLAYGROUND:
+            return 'admin';
+        case tool_registry_1.ToolGroup.NUCLEAR:
+            return 'owner';
+        default:
+            return 'owner';
+    }
+}
+/**
+ * Check if user has access to a specific ToolGroup in a workspace
+ * Used for runtime permission validation when tools are called with workspaceId
+ *
+ * @param workspaceRoles - Map of workspace IDs to UserRoles
+ * @param currentWorkspaceId - Current default workspace ID
+ * @param targetWorkspaceId - Target workspace ID (or undefined to use current)
+ * @param requiredGroup - ToolGroup required for the operation
+ * @param enableNuclear - Optional override to disable NUCLEAR even for owners
+ * @returns Object with allowed boolean and optional reason string
+ */
+function checkWorkspaceAccess(workspaceRoles, currentWorkspaceId, targetWorkspaceId, requiredGroup, enableNuclear = true) {
+    const effectiveWsId = targetWorkspaceId || currentWorkspaceId;
+    const role = workspaceRoles[effectiveWsId] || 'guest';
+    const allowedGroups = getAllowedGroups(role, enableNuclear);
+    if (!allowedGroups.includes(requiredGroup)) {
+        return {
+            allowed: false,
+            reason: `Insufficient permissions in workspace '${effectiveWsId.slice(-6)}'. Your role '${role}' doesn't have access to ${requiredGroup} tools. Required: ${getRequiredRoleForGroup(requiredGroup)} or higher.`
+        };
+    }
+    return { allowed: true };
+}
+//# sourceMappingURL=role-utils.js.map

package/dist/mcp/utils/types.d.ts CHANGED Viewed

@@ -2,6 +2,29 @@
  * Shared type definitions for Hailer MCP Server
  * Consolidates interfaces used across multiple files
  */
+/**
+ * User role in workspace (derived from member flags)
+ * Used to determine which ToolGroups are available to the user
+ */
+export type UserRole = 'guest' | 'member' | 'admin' | 'owner';
+/**
+ * Workspace member from v2.core.init response
+ * Contains role flags that determine user permissions
+ *
+ * Schema reference: hailer-api/src/validation/sharedSchemas.ts (validWorkspaceMemberSchema)
+ */
+export interface WorkspaceMember {
+    uid: string;
+    title?: string;
+    owner?: boolean;
+    admin?: boolean;
+    guest?: boolean;
+    inviter?: boolean;
+    feedAdmin?: boolean;
+    customRole?: string;
+    joined: number;
+    fields?: Record<string, string | string[] | null>;
+}
 export type { CleanActivity, FieldValue, WorkflowInfo, PhaseInfo, FieldInfo, UserInfo, } from './data-transformers';
 export interface HailerField {
     data: any[];
@@ -127,6 +150,12 @@ export interface HailerV2CoreInitResponse {
     users: Record<string, HailerUser>;
     [key: string]: any;
 }
+/**
+ * Normalize v2.core.init response: the API returns processes as an object
+ * keyed by process ID, but all tool code expects an array. This converts
+ * the object form to an array with _id set on each entry.
+ */
+export declare function normalizeInitProcesses(init: HailerV2CoreInitResponse): void;
 export interface McpTextContent {
     type: "text";
     text: string;
@@ -173,7 +202,7 @@ export interface WorkspaceInfo {
     _id: string;
     name: string;
     description?: string;
-    members?: string[];
+    members?: WorkspaceMember[];
     settings?: Record<string, any>;
 }
 export interface SignalData {
@@ -248,6 +277,19 @@ export interface DiscussionMessageParams {
     discussionId: string;
     content: string;
 }
+export interface OptimizedDiscussionMessage {
+    _id: string;
+    uid: string;
+    username: string;
+    created: string;
+    type: string;
+    msg: string;
+    replyTo?: string;
+    systemDescription?: string;
+    meta?: any;
+    forwardMessageId?: string;
+    forwardMessage?: OptimizedDiscussionMessage;
+}
 export interface FetchDiscussionParams {
     discussionId: string;
     limit?: number;

package/dist/mcp/utils/types.js CHANGED Viewed

@@ -4,4 +4,18 @@
  * Consolidates interfaces used across multiple files
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeInitProcesses = normalizeInitProcesses;
+/**
+ * Normalize v2.core.init response: the API returns processes as an object
+ * keyed by process ID, but all tool code expects an array. This converts
+ * the object form to an array with _id set on each entry.
+ */
+function normalizeInitProcesses(init) {
+    if (init.processes && !Array.isArray(init.processes)) {
+        init.processes = Object.entries(init.processes).map(([id, p]) => ({
+            _id: id,
+            ...p,
+        }));
+    }
+}
 //# sourceMappingURL=types.js.map

package/dist/mcp/webhook-handler.d.ts CHANGED Viewed

@@ -50,6 +50,8 @@ interface BotEntry {
     enabled: boolean;
     displayName?: string;
     systemPrompt?: string;
+    accessLevel?: string;
+    responseMode?: string;
 }
 interface WorkspaceConfig {
     workspaceId: string;
@@ -61,6 +63,8 @@ interface WorkspaceConfig {
         password: string;
         displayName?: string;
         systemPrompt?: string;
+        accessLevel?: string;
+        responseMode?: string;
     };
     specialists: BotEntry[];
     lastSynced: string;

package/dist/mcp/webhook-handler.js CHANGED Viewed

@@ -222,6 +222,9 @@ function handleBotConfigWebhook(payload) {
     const userId = getFieldValue(payload.fields, 'hailerProfile');
     const schemaConfigStr = getFieldValue(payload.fields, 'schemaConfig');
     const systemPrompt = getFieldValue(payload.fields, 'systemPrompt') || undefined;
+    const accessLevel = getFieldValue(payload.fields, 'accessLevel') || undefined;
+    // responseMode is stored inside schemaConfig JSON, not as a separate field
+    let responseMode;
     // Validate required fields
     if (!email || !password) {
         logger.warn('Webhook missing credentials', {
@@ -245,6 +248,7 @@ function handleBotConfigWebhook(payload) {
             const schemaConfig = JSON.parse(schemaConfigStr);
             deployedPhaseId = schemaConfig.deployedPhaseId;
             retiredPhaseId = schemaConfig.retiredPhaseId;
+            responseMode = schemaConfig.responseMode || undefined;
         }
         catch (e) {
             logger.warn('Failed to parse schemaConfig', { schemaConfigStr });
@@ -264,6 +268,8 @@ function handleBotConfigWebhook(payload) {
         enabled,
         displayName: payload.name, // Activity name from Agent Directory
         systemPrompt,
+        accessLevel,
+        responseMode,
     };
     let action;
     // Handle orchestrator
@@ -276,6 +282,8 @@ function handleBotConfigWebhook(payload) {
                 password,
                 displayName: payload.name,
                 systemPrompt,
+                accessLevel,
+                responseMode,
             };
             action = 'update';
             logger.info('Updated orchestrator', { workspaceId, email: (0, config_1.maskEmail)(email), displayName: payload.name });

package/dist/mcp-server.d.ts CHANGED Viewed

@@ -10,6 +10,7 @@ import { ToolRegistry } from './mcp/tool-registry';
 declare module 'express-serve-static-core' {
     interface Request {
         logger: Logger;
+        apiKey?: string;
     }
 }
 export interface MCPServerConfig {
@@ -22,18 +23,38 @@ export interface MCPServerConfig {
     }>>;
 }
 export declare class MCPServerService {
+    private static readonly ENDPOINTS;
     private app;
     private server?;
     private logger;
     private config;
     private toolRegistry;
+    private appConfig;
     constructor(config: MCPServerConfig);
     private setupMiddleware;
+    private escapeHtml;
+    private getBaseUrl;
     private setupRoutes;
+    private extractBearerToken;
+    private setupSseStream;
+    private generateSessionId;
     /**
-     * Check if agent has access to a specific tool
+     * Strict access control for /api/mcp — returns false on catch (no config = no access)
      */
-    private canAccessTool;
+    private canAccessToolStrict;
+    /**
+     * Permissive access control for Cowork — allows non-NUCLEAR tools on catch (OAuth sessions)
+     */
+    private canAccessToolPermissive;
+    /**
+     * Cowork MCP JSON-RPC handler for /api/cowork/mcp (OAuth multi-user).
+     * Permissive access control, contextType filter, OAuth 401 flow.
+     */
+    private handleCoworkMcp;
+    /**
+     * Send MCP success response via SSE
+     */
+    private sendMcpResult;
     /**
      * Send MCP error response
      */