npm - @socialneuron/mcp-server - Versions diffs - 1.2.0 → 1.2.1 - Mend

@socialneuron/mcp-server 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,21 @@
 All notable changes to `@socialneuron/mcp-server` will be documented in this file.
+## [1.2.1] - 2026-03-11
+### Fixed
+- **README**: Removed phantom "MCP API $19/mo" plan — pricing now matches actual tiers (Trial/Starter/Pro/Team)
+- **README**: Rewrote scopes section with tool-to-scope mapping
+- **README**: Security section now shows trust signals instead of implementation internals
+- **README**: Added telemetry section with opt-out instructions (`DO_NOT_TRACK=1`)
+- **README**: Added MCP vs CLI distinction, npx usage note, fixed tool count to 51
+- **Device auth**: Removed decorative PKCE from device code flow (code_challenge was sent but never verified on exchange)
+- **Logout**: Message now honestly says "removed from this device" with link to server-side revocation
+- **LICENSE**: Added trade name "(trading as Social Neuron)" to copyright holder
+- **SECURITY.md**: Removed phantom 1.1.x from supported versions (never published to npm)
+- **CONTRIBUTING.md**: Added Developer Certificate of Origin (DCO) section
 ## [1.2.0] - 2026-03-10
 ### Added

package/LICENSE CHANGED Viewed

@@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2026 Cosmocodex Ltd
+Copyright (c) 2026 Cosmocodex Ltd (trading as Social Neuron)
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # @socialneuron/mcp-server
-> 50+ MCP tools for AI-powered social media management. Create content, schedule posts, track analytics, and optimize performance — all from Claude Code or any MCP client.
+> 51 MCP tools for AI-powered social media management. Create content, schedule posts, track analytics, and optimize performance — all from Claude Code or any MCP client.
 [![npm version](https://img.shields.io/npm/v/@socialneuron/mcp-server)](https://www.npmjs.com/package/@socialneuron/mcp-server)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -13,7 +13,7 @@
 npx -y @socialneuron/mcp-server login --device
 ```
-This opens your browser to authorize access. Requires a paid Social Neuron plan (MCP API $19/mo or higher).
+This opens your browser to authorize access. Requires a Social Neuron plan ([free trial available](https://socialneuron.com/pricing)).
 ### 2. Add to Claude Code
@@ -94,6 +94,8 @@ Ask Claude things like:
 ## Tool Categories (51 tools)
+These tools are available to AI agents (Claude, Cursor, etc.) via the MCP protocol.
 ### Content Lifecycle
 | Category | Tools | What It Does |
@@ -161,31 +163,36 @@ Keys are stored in your OS keychain (macOS Keychain, Linux secret-tool) or file
 ## Pricing
-MCP access requires a paid Social Neuron plan:
-| Plan    | Price   | MCP Scopes               | Credits |
-| ------- | ------- | ------------------------ | ------- |
-| MCP API | $19/mo  | Full access              | 400     |
-| Starter | $29/mo  | Read + Analytics         | 800     |
-| Pro     | $79/mo  | Full access              | 2,000   |
-| Team    | $199/mo | Full access + Multi-user | 6,500   |
+| Plan | Price | Credits/mo | MCP Access |
+|------|-------|-----------|------------|
+| Trial | Free (7 days) | 500 | Read + Write + Analytics + Comments |
+| Starter | $29/mo | 800 | Read + Analytics |
+| Pro | $79/mo | 2,000 | Full access |
+| Team | $199/mo | 6,500 | Full access + Multi-user |
-**No free tier for MCP.** Sign up at [socialneuron.com/pricing](https://socialneuron.com/pricing).
+Start with a [free trial](https://socialneuron.com/pricing) — no credit card required.
 ## Scopes
-| Scope            | Access                                 |
-| ---------------- | -------------------------------------- |
-| `mcp:full`       | All operations                         |
-| `mcp:read`       | Read-only (analytics, insights, lists) |
-| `mcp:write`      | Content generation                     |
-| `mcp:distribute` | Publishing and scheduling              |
-| `mcp:analytics`  | Performance data                       |
-| `mcp:comments`   | Social engagement                      |
-| `mcp:autopilot`  | Automated scheduling                   |
+Each API key inherits scopes from your plan. Tools require specific scopes to execute.
+| Scope | What you can do |
+|-------|----------------|
+| `mcp:read` | Analytics, insights, brand profiles, content plans, quality checks, screenshots, usage stats, credit balance |
+| `mcp:write` | Generate content (video, image, voiceover, carousel), create storyboards, save brand profiles, plan content |
+| `mcp:distribute` | Schedule posts, publish content plans |
+| `mcp:analytics` | Refresh analytics, YouTube deep analytics |
+| `mcp:comments` | List, reply, post, moderate, delete comments |
+| `mcp:autopilot` | Configure and monitor automated scheduling |
+| `mcp:full` | All of the above |
 ## CLI Reference
+These commands run directly in your terminal — no AI agent needed. Useful for scripts, CI/CD, and quick checks.
+> After global install (`npm i -g @socialneuron/mcp-server`), use `socialneuron-mcp` directly.
+> Otherwise, prefix with `npx @socialneuron/mcp-server`.
 ```bash
 # Auth
 socialneuron-mcp login [--device|--paste]
@@ -226,13 +233,22 @@ Each iteration produces smarter content as performance data feeds back into the
 ## Security
-- API keys are SHA-256 hashed with random salt before storage
-- PKCE (S256) challenge verification for browser auth
-- Timing-safe hash comparison prevents side-channel attacks
-- SSRF protection on all URL parameters
-- Rate limiting: 100 req/min per user, per-tool limits for expensive operations
-- Agent loop detection (>5 identical calls in 30s)
-- Credentials stored in OS keychain (macOS/Linux) or env var. On Windows, use `SOCIALNEURON_API_KEY` env var for secure storage
+- All API keys are hashed before storage — we never store plaintext keys
+- Credentials stored in your OS keychain (macOS Keychain, Linux secret-tool) or environment variable
+- SSRF protection on all URL parameters with DNS rebinding prevention
+- Rate limiting per user with per-tool limits for expensive operations
+- Agent loop detection prevents runaway automation
+- Set `DO_NOT_TRACK=1` to disable anonymous usage telemetry
+See [SECURITY.md](./SECURITY.md) for our vulnerability disclosure policy and credential safety details.
+## Telemetry
+This package collects anonymous usage metrics (tool name, duration, success/failure) to improve the product. Your user ID is hashed before transmission.
+**To disable**: Set `DO_NOT_TRACK=1` or `SOCIALNEURON_NO_TELEMETRY=1` in your environment.
+No personal content, API keys, or request payloads are ever collected.
 ## Examples

package/dist/http.js CHANGED Viewed

@@ -6214,7 +6214,7 @@ init_supabase();
 import { z as z14 } from "zod";
 // src/lib/version.ts
-var MCP_VERSION = "1.2.0";
+var MCP_VERSION = "1.2.1";
 // src/tools/usage.ts
 function asEnvelope10(data) {

package/dist/index.js CHANGED Viewed

@@ -2121,8 +2121,8 @@ async function completePkceExchange(codeVerifier, state) {
 }
 async function runSetup() {
   console.error("");
-  console.error("  Social Neuron MCP Server Setup");
-  console.error("  ==============================");
+  console.error("  Social Neuron\u2122 MCP Server Setup");
+  console.error("  ===============================");
   console.error("");
   console.error("  Privacy Notice:");
   console.error("  - Your API key is stored locally in your OS keychain");
@@ -2337,11 +2337,10 @@ async function runLoginDevice() {
   console.error("  ====================================");
   console.error("");
   const supabaseUrl = getDefaultSupabaseUrl2();
-  const { codeChallenge } = generatePKCE();
   const response = await fetch(`${supabaseUrl}/functions/v1/mcp-auth?action=device-code`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ code_challenge: codeChallenge })
+    body: JSON.stringify({})
   });
   if (!response.ok) {
     const text = await response.text();
@@ -2412,7 +2411,10 @@ async function runLogoutCommand() {
       const serviceKey = process.env.SOCIALNEURON_SERVICE_KEY || process.env.SUPABASE_SERVICE_ROLE_KEY || "";
       const validation = await validateApiKey(apiKey);
       if (validation.valid) {
-        console.error("  Key revoked locally.");
+        console.error("  Key removed from this device.");
+        console.error(
+          "  Note: To revoke the key server-side, visit socialneuron.com/settings/developer"
+        );
       }
     } catch {
     }
@@ -2576,7 +2578,7 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 // src/lib/version.ts
-var MCP_VERSION = "1.2.0";
+var MCP_VERSION = "1.2.1";
 // src/auth/scopes.ts
 var SCOPE_HIERARCHY = {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@socialneuron/mcp-server",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "description": "MCP server for Social Neuron - AI content creation platform",
   "type": "module",
   "main": "dist/index.js",
@@ -62,16 +62,16 @@
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@supabase/supabase-js": "2.98.0",
-    "open": "10.0.0",
-    "posthog-node": "^5.28.0",
     "express": "^5.1.0",
     "jose": "^6.2.1",
+    "open": "10.0.0",
+    "posthog-node": "^5.28.0",
     "zod": "3.24.0"
   },
   "devDependencies": {
     "@types/node": "^25.3.5",
     "esbuild": "^0.27.3",
-    "typescript": "^5.7.0",
+    "typescript": "^5.9.3",
     "vitest": "^3.0.0"
   },
   "engines": {