@tideorg/mcp 1.9.0 → 1.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +88 -81
- package/README.md +9 -6
- package/mcp-server/dist/server.js +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -1,81 +1,88 @@
|
|
|
1
|
-
# Changelog
|
|
2
|
-
|
|
3
|
-
All notable changes to `@tideorg/mcp` (the Tide Agent Pack) are documented here.
|
|
4
|
-
|
|
5
|
-
## 1.9.
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
- **
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
-
|
|
80
|
-
|
|
81
|
-
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to `@tideorg/mcp` (the Tide Agent Pack) are documented here.
|
|
4
|
+
|
|
5
|
+
## 1.9.1 — 2026-07-15
|
|
6
|
+
|
|
7
|
+
- Docs: refreshed `README.md` (the npm package page) for the 1.9.0 feature set —
|
|
8
|
+
security gap analysis and hosting guidance in the intro and capability list,
|
|
9
|
+
a security-analysis starter prompt, and corrected "What's inside" counts
|
|
10
|
+
(15 canon, 18 playbooks, 11 skills, 5 scenarios, 5 prompts). No code changes.
|
|
11
|
+
|
|
12
|
+
## 1.9.0 — 2026-07-15
|
|
13
|
+
|
|
14
|
+
The largest release since the pack's initial cut. It broadens the MCP from an
|
|
15
|
+
*integration helper* into a *security and hosting advisor*, migrates the IGA API
|
|
16
|
+
to the current surface, and adds a real pre-release quality gate. Also makes the
|
|
17
|
+
pack ready to list in the Claude directory.
|
|
18
|
+
|
|
19
|
+
### Highlights
|
|
20
|
+
|
|
21
|
+
- **Security gap analysis** — audit an existing (even non-Tide) system and map
|
|
22
|
+
its weaknesses to Tide capabilities.
|
|
23
|
+
- **Partner-hosted TideCloak via Skycloak** — a managed-hosting path alongside
|
|
24
|
+
self-hosting.
|
|
25
|
+
- **IGA API migration** to `/iga/change-requests/...` (replaces the legacy
|
|
26
|
+
`/tide-admin/change-set/...`).
|
|
27
|
+
- **Pre-release QA gate** (`npm test`) + GitHub Actions CI.
|
|
28
|
+
- **Read-only tool annotations** and a privacy policy — Claude-directory ready.
|
|
29
|
+
|
|
30
|
+
### New capabilities
|
|
31
|
+
|
|
32
|
+
- **`tide_security_analysis` tool** + `tide-security-analysis` prompt. Backed by
|
|
33
|
+
`canon/security-gap-mapping.md` (SG-01 … SG-18: a trust-concentration → Tide
|
|
34
|
+
capability → remediation → honesty-note table, plus a mandatory "what Tide does
|
|
35
|
+
NOT fix" section), `canon/security-runtime-probes.md` (opt-in, authorization-
|
|
36
|
+
gated live probing), and the `tide-security-analyst` skill.
|
|
37
|
+
- **`tide_hosting` tool** + `canon/hosting-options.md` and the
|
|
38
|
+
`provision-tidecloak-skycloak` playbook: self-host vs partner-hosted decision,
|
|
39
|
+
the trust model (partner-hosting is an availability/metadata trust, not an
|
|
40
|
+
integrity trust — the host can't forge tokens or decrypt data), and the
|
|
41
|
+
Skycloak provisioning API reference.
|
|
42
|
+
- **`tide-mcp-qa` skill + prompt** — the QA Engineer role that runs the gate,
|
|
43
|
+
audits for overclaiming, and issues a SHIP / BLOCK verdict.
|
|
44
|
+
|
|
45
|
+
The MCP now exposes **16 tools** and **5 prompts** (was 14 / 3).
|
|
46
|
+
|
|
47
|
+
### Changed
|
|
48
|
+
|
|
49
|
+
- **IGA change-request API** migrated to `/iga/change-requests/{id}/authorize|commit`
|
|
50
|
+
(per-id, `bulk-authorize` for batches), replacing the legacy
|
|
51
|
+
`/tide-admin/change-set/*/batch`. New authoritative reference
|
|
52
|
+
`canon/iga-change-requests-api.md`; reconciled across canon, playbooks,
|
|
53
|
+
bootstrap scripts, and reference-apps. Captures the **Tide vs Tideless** mode
|
|
54
|
+
split — IGA is cryptographic only in Tide (licensed) mode.
|
|
55
|
+
- **All tools now carry `readOnlyHint` annotations** (they are read-only).
|
|
56
|
+
|
|
57
|
+
### Fixed / internal
|
|
58
|
+
|
|
59
|
+
- **Deterministic QA gate** (`mcp-server/test/`, `npm test`): protocol smoke
|
|
60
|
+
tests (tools/prompts present, annotated, return sane content) + content
|
|
61
|
+
consistency (no stray legacy endpoints, referenced playbooks exist, SG-01…18
|
|
62
|
+
present, GAP counts sum, manifests valid, versions in sync). **113/113.**
|
|
63
|
+
- **GitHub Actions** `qa-gate.yml` runs the gate on every PR and on pushes to
|
|
64
|
+
`main`.
|
|
65
|
+
- **Claude directory readiness**: `PRIVACY.md` (no data collected), corrected +
|
|
66
|
+
validated plugin manifests (`claude plugin validate` passes), version
|
|
67
|
+
reconciliation so `server.ts`, both `package.json`s, and `plugin.json` all read
|
|
68
|
+
**1.9.0**.
|
|
69
|
+
- `npm run test:remote` verifies a live/hosted endpoint (tool count, annotation
|
|
70
|
+
coverage, version).
|
|
71
|
+
|
|
72
|
+
### Known follow-ups (require a live stack)
|
|
73
|
+
|
|
74
|
+
- **IGA bootstrap loop** (`bulk-authorize → commit`) is verified against the spec
|
|
75
|
+
but `REQUIRES_RUNTIME_VALIDATION` on a live iga-core instance. (GAP-065)
|
|
76
|
+
- **Skycloak-hosted Tide vendor surface** unconfirmed — provisioning is verified,
|
|
77
|
+
but whether a hosted cluster exposes `setUpTideRealm`/IGA/adapter-with-Tide-
|
|
78
|
+
extensions must be checked on a live cluster (`scripts/skycloak-smoke.sh`).
|
|
79
|
+
(GAP-066)
|
|
80
|
+
- Provisioning a **TideCloak** cluster via the Skycloak API needs the identity-
|
|
81
|
+
platform selector field confirmed with Skycloak; the documented API path
|
|
82
|
+
defaults to vanilla Keycloak.
|
|
83
|
+
|
|
84
|
+
### Upgrade notes
|
|
85
|
+
|
|
86
|
+
- If you script the TideCloak bootstrap, switch IGA approvals to the new
|
|
87
|
+
`/iga/change-requests/...` surface — see `canon/iga-change-requests-api.md`.
|
|
88
|
+
- No changes required to app-side SDK wiring.
|
package/README.md
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
|
|
5
5
|
AI coding agents that know how to implement [TideCloak](https://tidecloak.com) correctly.
|
|
6
6
|
|
|
7
|
-
This MCP server gives your AI assistant deep knowledge of Tide authentication, threshold cryptography, Forseti smart contracts
|
|
7
|
+
This MCP server gives your AI assistant deep knowledge of Tide authentication, threshold cryptography, end-to-end encryption, IGA governance, and Forseti smart contracts — plus a **security gap analysis** of your existing system and **self-host vs managed-hosting** guidance. Instead of guessing, your AI follows verified playbooks.
|
|
8
8
|
|
|
9
9
|
## Quick Start
|
|
10
10
|
|
|
@@ -115,11 +115,12 @@ Note: Codex CLI currently supports stdio-based MCP servers only — use the npx
|
|
|
115
115
|
|
|
116
116
|
Once connected, your AI assistant can:
|
|
117
117
|
|
|
118
|
+
- **Analyze your existing system** for security gaps and map each one to what Tide fixes (with an honest "what Tide does NOT fix" list)
|
|
118
119
|
- **Add Tide auth** to a new or existing Next.js/React app
|
|
119
120
|
- **Protect API routes** with server-side JWT + DPoP verification
|
|
120
121
|
- **Set up role-based access** with Tide's IGA governance
|
|
121
122
|
- **Deploy Forseti smart contracts** for policy-governed encryption and signing
|
|
122
|
-
- **Bootstrap TideCloak**
|
|
123
|
+
- **Bootstrap TideCloak** — self-hosted (Docker) or partner-hosted (Skycloak) — to a fully configured realm
|
|
123
124
|
- **Diagnose issues** like broken login, missing roles, CORS errors
|
|
124
125
|
- **Follow security invariants** that prevent common auth mistakes
|
|
125
126
|
|
|
@@ -127,6 +128,8 @@ Once connected, your AI assistant can:
|
|
|
127
128
|
|
|
128
129
|
After setup, try these prompts in your AI coding tool:
|
|
129
130
|
|
|
131
|
+
> Do a security analysis of my app and show what Tide would change
|
|
132
|
+
|
|
130
133
|
> Add Tide authentication to my Next.js app
|
|
131
134
|
|
|
132
135
|
> I have an existing app with auth — help me migrate to Tide
|
|
@@ -139,11 +142,11 @@ After setup, try these prompts in your AI coding tool:
|
|
|
139
142
|
|
|
140
143
|
| Category | Count | Examples |
|
|
141
144
|
|----------|-------|---------|
|
|
142
|
-
| Canon doctrine |
|
|
143
|
-
| Playbooks |
|
|
144
|
-
| Skills |
|
|
145
|
+
| Canon doctrine | 15 files | Security invariants, anti-patterns, security gap mapping, IGA change-request API, hosting options, framework matrix, troubleshooting |
|
|
146
|
+
| Playbooks | 18 step-by-step guides | Add auth, protect APIs, verify JWTs, deploy TideCloak, set up E2EE, provision hosted TideCloak |
|
|
147
|
+
| Skills | 11 composable roles | Setup, integration, security analysis, route/API protection, review, QA gate |
|
|
145
148
|
| Scenarios | 5 reference architectures | Password manager, signing service, encrypted chat, governance panel |
|
|
146
|
-
| Prompts |
|
|
149
|
+
| Prompts | 5 starter prompts | Security gap analysis, secure existing app, migrate auth, admin approval, customer portal |
|
|
147
150
|
|
|
148
151
|
## Remote Server (no install required)
|
|
149
152
|
|
|
@@ -162,7 +162,7 @@ const REFERENCE_APP_DIRS = listDirectories("reference-apps");
|
|
|
162
162
|
export function createServer() {
|
|
163
163
|
const server = new McpServer({
|
|
164
164
|
name: "@tideorg/mcp",
|
|
165
|
-
version: "1.9.
|
|
165
|
+
version: "1.9.1",
|
|
166
166
|
});
|
|
167
167
|
// 1. List available content
|
|
168
168
|
server.registerTool("tide_list", {
|
package/package.json
CHANGED