@tideorg/mcp 1.9.0 → 1.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -1,81 +1,88 @@
1
- # Changelog
2
-
3
- All notable changes to `@tideorg/mcp` (the Tide Agent Pack) are documented here.
4
-
5
- ## 1.9.0 — 2026-07-15
6
-
7
- The largest release since the pack's initial cut. It broadens the MCP from an
8
- *integration helper* into a *security and hosting advisor*, migrates the IGA API
9
- to the current surface, and adds a real pre-release quality gate. Also makes the
10
- pack ready to list in the Claude directory.
11
-
12
- ### Highlights
13
-
14
- - **Security gap analysis** audit an existing (even non-Tide) system and map
15
- its weaknesses to Tide capabilities.
16
- - **Partner-hosted TideCloak via Skycloak** a managed-hosting path alongside
17
- self-hosting.
18
- - **IGA API migration** to `/iga/change-requests/...` (replaces the legacy
19
- `/tide-admin/change-set/...`).
20
- - **Pre-release QA gate** (`npm test`) + GitHub Actions CI.
21
- - **Read-only tool annotations** and a privacy policy Claude-directory ready.
22
-
23
- ### New capabilities
24
-
25
- - **`tide_security_analysis` tool** + `tide-security-analysis` prompt. Backed by
26
- `canon/security-gap-mapping.md` (SG-01 … SG-18: a trust-concentration → Tide
27
- capability remediation honesty-note table, plus a mandatory "what Tide does
28
- NOT fix" section), `canon/security-runtime-probes.md` (opt-in, authorization-
29
- gated live probing), and the `tide-security-analyst` skill.
30
- - **`tide_hosting` tool** + `canon/hosting-options.md` and the
31
- `provision-tidecloak-skycloak` playbook: self-host vs partner-hosted decision,
32
- the trust model (partner-hosting is an availability/metadata trust, not an
33
- integrity trust the host can't forge tokens or decrypt data), and the
34
- Skycloak provisioning API reference.
35
- - **`tide-mcp-qa` skill + prompt** — the QA Engineer role that runs the gate,
36
- audits for overclaiming, and issues a SHIP / BLOCK verdict.
37
-
38
- The MCP now exposes **16 tools** and **5 prompts** (was 14 / 3).
39
-
40
- ### Changed
41
-
42
- - **IGA change-request API** migrated to `/iga/change-requests/{id}/authorize|commit`
43
- (per-id, `bulk-authorize` for batches), replacing the legacy
44
- `/tide-admin/change-set/*/batch`. New authoritative reference
45
- `canon/iga-change-requests-api.md`; reconciled across canon, playbooks,
46
- bootstrap scripts, and reference-apps. Captures the **Tide vs Tideless** mode
47
- split — IGA is cryptographic only in Tide (licensed) mode.
48
- - **All tools now carry `readOnlyHint` annotations** (they are read-only).
49
-
50
- ### Fixed / internal
51
-
52
- - **Deterministic QA gate** (`mcp-server/test/`, `npm test`): protocol smoke
53
- tests (tools/prompts present, annotated, return sane content) + content
54
- consistency (no stray legacy endpoints, referenced playbooks exist, SG-01…18
55
- present, GAP counts sum, manifests valid, versions in sync). **113/113.**
56
- - **GitHub Actions** `qa-gate.yml` runs the gate on every PR and on pushes to
57
- `main`.
58
- - **Claude directory readiness**: `PRIVACY.md` (no data collected), corrected +
59
- validated plugin manifests (`claude plugin validate` passes), version
60
- reconciliation so `server.ts`, both `package.json`s, and `plugin.json` all read
61
- **1.9.0**.
62
- - `npm run test:remote` verifies a live/hosted endpoint (tool count, annotation
63
- coverage, version).
64
-
65
- ### Known follow-ups (require a live stack)
66
-
67
- - **IGA bootstrap loop** (`bulk-authorize commit`) is verified against the spec
68
- but `REQUIRES_RUNTIME_VALIDATION` on a live iga-core instance. (GAP-065)
69
- - **Skycloak-hosted Tide vendor surface** unconfirmed provisioning is verified,
70
- but whether a hosted cluster exposes `setUpTideRealm`/IGA/adapter-with-Tide-
71
- extensions must be checked on a live cluster (`scripts/skycloak-smoke.sh`).
72
- (GAP-066)
73
- - Provisioning a **TideCloak** cluster via the Skycloak API needs the identity-
74
- platform selector field confirmed with Skycloak; the documented API path
75
- defaults to vanilla Keycloak.
76
-
77
- ### Upgrade notes
78
-
79
- - If you script the TideCloak bootstrap, switch IGA approvals to the new
80
- `/iga/change-requests/...` surface see `canon/iga-change-requests-api.md`.
81
- - No changes required to app-side SDK wiring.
1
+ # Changelog
2
+
3
+ All notable changes to `@tideorg/mcp` (the Tide Agent Pack) are documented here.
4
+
5
+ ## 1.9.1 — 2026-07-15
6
+
7
+ - Docs: refreshed `README.md` (the npm package page) for the 1.9.0 feature set —
8
+ security gap analysis and hosting guidance in the intro and capability list,
9
+ a security-analysis starter prompt, and corrected "What's inside" counts
10
+ (15 canon, 18 playbooks, 11 skills, 5 scenarios, 5 prompts). No code changes.
11
+
12
+ ## 1.9.0 — 2026-07-15
13
+
14
+ The largest release since the pack's initial cut. It broadens the MCP from an
15
+ *integration helper* into a *security and hosting advisor*, migrates the IGA API
16
+ to the current surface, and adds a real pre-release quality gate. Also makes the
17
+ pack ready to list in the Claude directory.
18
+
19
+ ### Highlights
20
+
21
+ - **Security gap analysis** audit an existing (even non-Tide) system and map
22
+ its weaknesses to Tide capabilities.
23
+ - **Partner-hosted TideCloak via Skycloak** — a managed-hosting path alongside
24
+ self-hosting.
25
+ - **IGA API migration** to `/iga/change-requests/...` (replaces the legacy
26
+ `/tide-admin/change-set/...`).
27
+ - **Pre-release QA gate** (`npm test`) + GitHub Actions CI.
28
+ - **Read-only tool annotations** and a privacy policy — Claude-directory ready.
29
+
30
+ ### New capabilities
31
+
32
+ - **`tide_security_analysis` tool** + `tide-security-analysis` prompt. Backed by
33
+ `canon/security-gap-mapping.md` (SG-01 SG-18: a trust-concentration Tide
34
+ capability remediation → honesty-note table, plus a mandatory "what Tide does
35
+ NOT fix" section), `canon/security-runtime-probes.md` (opt-in, authorization-
36
+ gated live probing), and the `tide-security-analyst` skill.
37
+ - **`tide_hosting` tool** + `canon/hosting-options.md` and the
38
+ `provision-tidecloak-skycloak` playbook: self-host vs partner-hosted decision,
39
+ the trust model (partner-hosting is an availability/metadata trust, not an
40
+ integrity trust — the host can't forge tokens or decrypt data), and the
41
+ Skycloak provisioning API reference.
42
+ - **`tide-mcp-qa` skill + prompt** the QA Engineer role that runs the gate,
43
+ audits for overclaiming, and issues a SHIP / BLOCK verdict.
44
+
45
+ The MCP now exposes **16 tools** and **5 prompts** (was 14 / 3).
46
+
47
+ ### Changed
48
+
49
+ - **IGA change-request API** migrated to `/iga/change-requests/{id}/authorize|commit`
50
+ (per-id, `bulk-authorize` for batches), replacing the legacy
51
+ `/tide-admin/change-set/*/batch`. New authoritative reference
52
+ `canon/iga-change-requests-api.md`; reconciled across canon, playbooks,
53
+ bootstrap scripts, and reference-apps. Captures the **Tide vs Tideless** mode
54
+ split IGA is cryptographic only in Tide (licensed) mode.
55
+ - **All tools now carry `readOnlyHint` annotations** (they are read-only).
56
+
57
+ ### Fixed / internal
58
+
59
+ - **Deterministic QA gate** (`mcp-server/test/`, `npm test`): protocol smoke
60
+ tests (tools/prompts present, annotated, return sane content) + content
61
+ consistency (no stray legacy endpoints, referenced playbooks exist, SG-01…18
62
+ present, GAP counts sum, manifests valid, versions in sync). **113/113.**
63
+ - **GitHub Actions** `qa-gate.yml` runs the gate on every PR and on pushes to
64
+ `main`.
65
+ - **Claude directory readiness**: `PRIVACY.md` (no data collected), corrected +
66
+ validated plugin manifests (`claude plugin validate` passes), version
67
+ reconciliation so `server.ts`, both `package.json`s, and `plugin.json` all read
68
+ **1.9.0**.
69
+ - `npm run test:remote` verifies a live/hosted endpoint (tool count, annotation
70
+ coverage, version).
71
+
72
+ ### Known follow-ups (require a live stack)
73
+
74
+ - **IGA bootstrap loop** (`bulk-authorize commit`) is verified against the spec
75
+ but `REQUIRES_RUNTIME_VALIDATION` on a live iga-core instance. (GAP-065)
76
+ - **Skycloak-hosted Tide vendor surface** unconfirmed — provisioning is verified,
77
+ but whether a hosted cluster exposes `setUpTideRealm`/IGA/adapter-with-Tide-
78
+ extensions must be checked on a live cluster (`scripts/skycloak-smoke.sh`).
79
+ (GAP-066)
80
+ - Provisioning a **TideCloak** cluster via the Skycloak API needs the identity-
81
+ platform selector field confirmed with Skycloak; the documented API path
82
+ defaults to vanilla Keycloak.
83
+
84
+ ### Upgrade notes
85
+
86
+ - If you script the TideCloak bootstrap, switch IGA approvals to the new
87
+ `/iga/change-requests/...` surface — see `canon/iga-change-requests-api.md`.
88
+ - No changes required to app-side SDK wiring.
package/README.md CHANGED
@@ -4,7 +4,7 @@
4
4
 
5
5
  AI coding agents that know how to implement [TideCloak](https://tidecloak.com) correctly.
6
6
 
7
- This MCP server gives your AI assistant deep knowledge of Tide authentication, threshold cryptography, Forseti smart contracts, and server-side security patterns. Instead of guessing, your AI follows verified playbooks.
7
+ This MCP server gives your AI assistant deep knowledge of Tide authentication, threshold cryptography, end-to-end encryption, IGA governance, and Forseti smart contracts — plus a **security gap analysis** of your existing system and **self-host vs managed-hosting** guidance. Instead of guessing, your AI follows verified playbooks.
8
8
 
9
9
  ## Quick Start
10
10
 
@@ -115,11 +115,12 @@ Note: Codex CLI currently supports stdio-based MCP servers only — use the npx
115
115
 
116
116
  Once connected, your AI assistant can:
117
117
 
118
+ - **Analyze your existing system** for security gaps and map each one to what Tide fixes (with an honest "what Tide does NOT fix" list)
118
119
  - **Add Tide auth** to a new or existing Next.js/React app
119
120
  - **Protect API routes** with server-side JWT + DPoP verification
120
121
  - **Set up role-based access** with Tide's IGA governance
121
122
  - **Deploy Forseti smart contracts** for policy-governed encryption and signing
122
- - **Bootstrap TideCloak** from Docker to fully configured realm
123
+ - **Bootstrap TideCloak** self-hosted (Docker) or partner-hosted (Skycloak) — to a fully configured realm
123
124
  - **Diagnose issues** like broken login, missing roles, CORS errors
124
125
  - **Follow security invariants** that prevent common auth mistakes
125
126
 
@@ -127,6 +128,8 @@ Once connected, your AI assistant can:
127
128
 
128
129
  After setup, try these prompts in your AI coding tool:
129
130
 
131
+ > Do a security analysis of my app and show what Tide would change
132
+
130
133
  > Add Tide authentication to my Next.js app
131
134
 
132
135
  > I have an existing app with auth — help me migrate to Tide
@@ -139,11 +142,11 @@ After setup, try these prompts in your AI coding tool:
139
142
 
140
143
  | Category | Count | Examples |
141
144
  |----------|-------|---------|
142
- | Canon doctrine | 12 files | Security invariants, anti-patterns, framework matrix, troubleshooting |
143
- | Playbooks | 17 step-by-step guides | Add auth, protect APIs, verify JWTs, deploy TideCloak, set up E2EE |
144
- | Skills | 9 composable roles | Setup, integration, security review, learning capture |
145
+ | Canon doctrine | 15 files | Security invariants, anti-patterns, security gap mapping, IGA change-request API, hosting options, framework matrix, troubleshooting |
146
+ | Playbooks | 18 step-by-step guides | Add auth, protect APIs, verify JWTs, deploy TideCloak, set up E2EE, provision hosted TideCloak |
147
+ | Skills | 11 composable roles | Setup, integration, security analysis, route/API protection, review, QA gate |
145
148
  | Scenarios | 5 reference architectures | Password manager, signing service, encrypted chat, governance panel |
146
- | Prompts | 4 starter prompts | Secure existing app, migrate auth, admin approval, customer portal |
149
+ | Prompts | 5 starter prompts | Security gap analysis, secure existing app, migrate auth, admin approval, customer portal |
147
150
 
148
151
  ## Remote Server (no install required)
149
152
 
@@ -162,7 +162,7 @@ const REFERENCE_APP_DIRS = listDirectories("reference-apps");
162
162
  export function createServer() {
163
163
  const server = new McpServer({
164
164
  name: "@tideorg/mcp",
165
- version: "1.9.0",
165
+ version: "1.9.1",
166
166
  });
167
167
  // 1. List available content
168
168
  server.registerTool("tide_list", {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@tideorg/mcp",
3
- "version": "1.9.0",
3
+ "version": "1.9.1",
4
4
  "description": "MCP server exposing Tide operational guidance — canon, playbooks, skills, prompts, adapters, and scenarios for AI coding agents",
5
5
  "type": "module",
6
6
  "bin": {