mcp-coordinator 0.6.0 → 0.7.0

package/README.md

@@ -818,6 +818,30 @@ curl -X POST http://localhost:3100/api/auth/revoke \
 
 `GET /health`, `POST /api/auth/register`, `POST /api/auth/refresh`, `GET /api/events` (SSE).
 
+### Migration to v0.7.0
+
+v0.7.0 reworks auth foundation: schema gains `org_id` everywhere, JWTs gain `user_id`/`org` claims, MQTT topics gain an org prefix.
+
+**Steps for an existing v0.6.x deployment**:
+
+1. Backup `coordinator.db`.
+2. Set `COORDINATOR_JWT_SECRET` explicitly (32+ chars). Without it the coordinator generates a random secret per boot — every restart invalidates all sessions.
+3. Deploy v0.7.0. Migration runs on first boot (~30-60s of locked writes on a large DB while `ALTER TABLE` runs).
+4. Existing clients keep working unchanged under `AUTH_ENABLED=false` (the default).
+5. External MQTT subscribers: update topic patterns from `coordinator/agents/...` to `coordinator/default/agents/...`.
+
+**Rolling JWT secrets without downtime**:
+
+```bash
+# In prod env config:
+export COORDINATOR_JWT_SECRET=new-secret-here
+export COORDINATOR_JWT_PREV_SECRET=old-secret-here
+# Restart coordinator. Wait for one JWT TTL (24h default).
+# Then remove COORDINATOR_JWT_PREV_SECRET and restart again.
+```
+
+**Rolling back to v0.6**: requires restoring from backup. The v0.6 binary refuses to boot a v0.7 DB (PRAGMA user_version guard).
+
 ---
 
 ## Test Results

package/dist/src/agent-activity.d.ts

@@ -10,18 +10,22 @@ interface GetActivityOptions {
 export declare class AgentActivityTracker {
     private registry;
     constructor(registry: AgentRegistry);
-    /** Report file edit activity → status becomes "working" */
-    reportFileActivity(agentId: string, filePath: string): void;
+    /** Report file edit activity -> status becomes "working" (org-scoped) */
+    reportFileActivity(orgId: string, agentId: string, filePath: string): void;
     /** Report agent is waiting on a consultation thread */
     reportWaiting(agentId: string, threadId: string): void;
-    /** Report agent went offline → clear all activity */
-    reportOffline(agentId: string): void;
-    /** Enriched heartbeat — derives status from current state */
+    /** Report agent went offline -> clear all activity (org-scoped) */
+    reportOffline(orgId: string, agentId: string): void;
+    /** Enriched heartbeat -- derives status from current state */
     heartbeat(agentId: string, payload: HeartbeatPayload): void;
-    /** Get activity for a single agent, with optional idle timeout */
-    getActivity(agentId: string, options?: GetActivityOptions): AgentActivity;
-    /** List activity for all online agents */
-    listAll(options?: GetActivityOptions): AgentActivity[];
+    /** Get raw status row for a single agent (org-scoped) */
+    getStatus(orgId: string, agentId: string): AgentActivity | null;
+    /** List all active agents in an org */
+    listActive(orgId: string): AgentActivity[];
+    /** Get activity for a single agent, with optional idle timeout (org-scoped) */
+    getActivity(orgId: string, agentId: string, options?: GetActivityOptions): AgentActivity;
+    /** List activity for all online agents in an org */
+    listAll(orgId: string, options?: GetActivityOptions): AgentActivity[];
     private upsert;
 }
 export {};

package/dist/src/agent-activity.js

@@ -4,19 +4,29 @@ export class AgentActivityTracker {
     constructor(registry) {
         this.registry = registry;
     }
-    /** Report file edit activity → status becomes "working" */
-    reportFileActivity(agentId, filePath) {
-        this.upsert(agentId, "working", filePath, null);
+    /** Report file edit activity -> status becomes "working" (org-scoped) */
+    reportFileActivity(orgId, agentId, filePath) {
+        const db = getDb();
+        // After Task 5.5, agent_activity_status PK is (org_id, agent_id). Composite conflict target.
+        db.prepare(`INSERT INTO agent_activity_status (org_id, agent_id, activity_status, current_file, last_activity_at)
+       VALUES (?, ?, 'working', ?, CURRENT_TIMESTAMP)
+       ON CONFLICT(org_id, agent_id) DO UPDATE SET
+         activity_status = 'working',
+         current_file = excluded.current_file,
+         current_thread = NULL,
+         last_activity_at = CURRENT_TIMESTAMP`).run(orgId, agentId, filePath);
     }
     /** Report agent is waiting on a consultation thread */
     reportWaiting(agentId, threadId) {
-        this.upsert(agentId, "waiting", null, threadId);
+        // TODO(Task 23.5): thread real org_id from MCP session claims; for now MCP uses 'default' (cross-org leak window — single-tenant only)
+        this.upsert("default", agentId, "waiting", null, threadId);
     }
-    /** Report agent went offline → clear all activity */
-    reportOffline(agentId) {
-        this.upsert(agentId, "offline", null, null);
+    /** Report agent went offline -> clear all activity (org-scoped) */
+    reportOffline(orgId, agentId) {
+        const db = getDb();
+        db.prepare("UPDATE agent_activity_status SET activity_status = 'offline', current_file = NULL, current_thread = NULL WHERE org_id = ? AND agent_id = ?").run(orgId, agentId);
     }
-    /** Enriched heartbeat — derives status from current state */
+    /** Enriched heartbeat -- derives status from current state */
     heartbeat(agentId, payload) {
         let status;
         if (payload.currentFile) {
@@ -28,20 +38,31 @@ export class AgentActivityTracker {
         else {
             status = "idle";
         }
-        this.upsert(agentId, status, payload.currentFile, payload.currentThread);
+        // TODO(Task 23.5): thread real org_id from MCP session claims; for now MCP uses 'default' (cross-org leak window — single-tenant only)
+        this.upsert("default", agentId, status, payload.currentFile, payload.currentThread);
+    }
+    /** Get raw status row for a single agent (org-scoped) */
+    getStatus(orgId, agentId) {
+        const db = getDb();
+        return db.prepare("SELECT * FROM agent_activity_status WHERE org_id = ? AND agent_id = ?").get(orgId, agentId);
+    }
+    /** List all active agents in an org */
+    listActive(orgId) {
+        const db = getDb();
+        return db.prepare("SELECT * FROM agent_activity_status WHERE org_id = ? AND activity_status = 'working' ORDER BY last_activity_at DESC").all(orgId);
     }
-    /** Get activity for a single agent, with optional idle timeout */
-    getActivity(agentId, options) {
-        const agent = this.registry.get(agentId);
+    /** Get activity for a single agent, with optional idle timeout (org-scoped) */
+    getActivity(orgId, agentId, options) {
+        const agent = this.registry.get(orgId, agentId);
         if (!agent || agent.status === "offline") {
             return { agent_id: agentId, activity_status: "offline", current_file: null, current_thread: null, last_activity_at: new Date().toISOString() };
         }
         const db = getDb();
-        const row = db.prepare("SELECT * FROM agent_activity_status WHERE agent_id = ?").get(agentId);
+        const row = db.prepare("SELECT * FROM agent_activity_status WHERE org_id = ? AND agent_id = ?").get(orgId, agentId);
         if (!row) {
             return { agent_id: agentId, activity_status: "idle", current_file: null, current_thread: null, last_activity_at: new Date().toISOString() };
         }
-        // Check idle timeout: if working but no activity for X minutes → idle
+        // Check idle timeout: if working but no activity for X minutes -> idle
         if (row.activity_status === "working" && options?.idleAfterMinutes) {
             const lastActivity = new Date(row.last_activity_at.replace(" ", "T") + "Z").getTime();
             const threshold = options.idleAfterMinutes * 60 * 1000;
@@ -51,20 +72,20 @@ export class AgentActivityTracker {
         }
         return row;
     }
-    /** List activity for all online agents */
-    listAll(options) {
-        const onlineAgents = this.registry.listOnline();
-        return onlineAgents.map((agent) => this.getActivity(agent.id, options));
+    /** List activity for all online agents in an org */
+    listAll(orgId, options) {
+        const onlineAgents = this.registry.listOnline(orgId);
+        return onlineAgents.map((agent) => this.getActivity(orgId, agent.id, options));
     }
-    // ── Private ──
-    upsert(agentId, status, file, thread) {
+    // -- Private --
+    upsert(orgId, agentId, status, file, thread) {
         const db = getDb();
-        db.prepare(`INSERT INTO agent_activity_status (agent_id, activity_status, current_file, current_thread, last_activity_at)
-       VALUES (?, ?, ?, ?, CURRENT_TIMESTAMP)
-       ON CONFLICT(agent_id) DO UPDATE SET
+        db.prepare(`INSERT INTO agent_activity_status (org_id, agent_id, activity_status, current_file, current_thread, last_activity_at)
+       VALUES (?, ?, ?, ?, ?, CURRENT_TIMESTAMP)
+       ON CONFLICT(org_id, agent_id) DO UPDATE SET
          activity_status = excluded.activity_status,
          current_file = excluded.current_file,
          current_thread = excluded.current_thread,
-         last_activity_at = CURRENT_TIMESTAMP`).run(agentId, status, file, thread);
+         last_activity_at = CURRENT_TIMESTAMP`).run(orgId, agentId, status, file, thread);
     }
 }

package/dist/src/agent-registry.d.ts

@@ -1,10 +1,10 @@
 import type { Agent } from "./types.js";
 export declare class AgentRegistry {
-    register(agentId: string, name: string, modules: string[]): Agent;
-    get(agentId: string): Agent | undefined;
-    listOnline(): Agent[];
-    listAll(): Agent[];
-    setOnline(agentId: string): void;
-    setOffline(agentId: string): void;
-    heartbeat(agentId: string): void;
+    register(orgId: string, agentId: string, name: string, modules: string[]): Agent;
+    get(orgId: string, agentId: string): Agent | undefined;
+    listOnline(orgId: string): Agent[];
+    listAll(orgId: string): Agent[];
+    setOnline(orgId: string, agentId: string): void;
+    setOffline(orgId: string, agentId: string): void;
+    heartbeat(orgId: string, agentId: string): void;
 }

package/dist/src/agent-registry.js

@@ -1,38 +1,39 @@
 import { getDb } from "./database.js";
 export class AgentRegistry {
-    register(agentId, name, modules) {
+    register(orgId, agentId, name, modules) {
         const db = getDb();
-        db.prepare(`INSERT INTO agents (id, name, modules, status, registered_at, last_seen_at)
-       VALUES (?, ?, ?, 'online', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
-       ON CONFLICT(id) DO UPDATE SET
+        // After Task 5.5, agents PK is (org_id, id). Conflict target MUST be the composite key.
+        db.prepare(`INSERT INTO agents (id, org_id, name, modules, status, registered_at, last_seen_at)
+       VALUES (?, ?, ?, ?, 'online', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
+       ON CONFLICT(org_id, id) DO UPDATE SET
          name = excluded.name,
          modules = excluded.modules,
          status = 'online',
-         last_seen_at = CURRENT_TIMESTAMP`).run(agentId, name, JSON.stringify(modules));
-        return this.get(agentId);
+         last_seen_at = CURRENT_TIMESTAMP`).run(agentId, orgId, name, JSON.stringify(modules));
+        return this.get(orgId, agentId);
     }
-    get(agentId) {
+    get(orgId, agentId) {
         const db = getDb();
-        return db.prepare("SELECT * FROM agents WHERE id = ?").get(agentId);
+        return db.prepare("SELECT * FROM agents WHERE org_id = ? AND id = ?").get(orgId, agentId);
     }
-    listOnline() {
+    listOnline(orgId) {
         const db = getDb();
-        return db.prepare("SELECT * FROM agents WHERE status = 'online' ORDER BY name").all();
+        return db.prepare("SELECT * FROM agents WHERE org_id = ? AND status = 'online' ORDER BY name").all(orgId);
     }
-    listAll() {
+    listAll(orgId) {
         const db = getDb();
-        return db.prepare("SELECT * FROM agents ORDER BY last_seen_at DESC").all();
+        return db.prepare("SELECT * FROM agents WHERE org_id = ? ORDER BY last_seen_at DESC").all(orgId);
     }
-    setOnline(agentId) {
+    setOnline(orgId, agentId) {
         const db = getDb();
-        db.prepare("UPDATE agents SET status = 'online', last_seen_at = CURRENT_TIMESTAMP WHERE id = ?").run(agentId);
+        db.prepare("UPDATE agents SET status = 'online', last_seen_at = CURRENT_TIMESTAMP WHERE org_id = ? AND id = ?").run(orgId, agentId);
     }
-    setOffline(agentId) {
+    setOffline(orgId, agentId) {
         const db = getDb();
-        db.prepare("UPDATE agents SET status = 'offline', last_seen_at = CURRENT_TIMESTAMP WHERE id = ?").run(agentId);
+        db.prepare("UPDATE agents SET status = 'offline', last_seen_at = CURRENT_TIMESTAMP WHERE org_id = ? AND id = ?").run(orgId, agentId);
     }
-    heartbeat(agentId) {
+    heartbeat(orgId, agentId) {
         const db = getDb();
-        db.prepare("UPDATE agents SET last_seen_at = CURRENT_TIMESTAMP WHERE id = ?").run(agentId);
+        db.prepare("UPDATE agents SET last_seen_at = CURRENT_TIMESTAMP WHERE org_id = ? AND id = ?").run(orgId, agentId);
     }
 }

package/dist/src/announce-workflow.d.ts

@@ -34,6 +34,7 @@ export interface CommonFlowResult {
     planQuality: PlanQualityResult;
 }
 export interface CommonFlowParams {
+    org_id: string;
     agent_id: string;
     subject: string;
     plan?: string;

package/dist/src/announce-workflow.js

@@ -10,6 +10,7 @@ export function runCommonAnnounceFlow(services, threadId, params) {
     const { registry, consultation, impactScorer, introspection, sseEmitter } = services;
     // 1. Score impact: categorize all online agents into concerned / gray_zone / pass.
     const categorized = impactScorer.categorize({
+        org_id: params.org_id,
         agent_id: params.agent_id,
         target_modules: params.target_modules,
         target_files: params.target_files,
@@ -31,14 +32,14 @@ export function runCommonAnnounceFlow(services, threadId, params) {
     // announce can match via Layer 0. Thread will timeout naturally if no one joins.
     const db = getDb();
     const concernedIds = categorized.concerned.map((s) => s.agent_id);
-    db.prepare("UPDATE threads SET expected_respondents = ? WHERE id = ?")
-        .run(JSON.stringify(concernedIds), threadId);
-    const otherOnlineCount = registry.listOnline().filter((a) => a.id !== params.agent_id).length;
+    db.prepare("UPDATE threads SET expected_respondents = ? WHERE id = ? AND org_id = ?")
+        .run(JSON.stringify(concernedIds), threadId, params.org_id);
+    const otherOnlineCount = registry.listOnline(params.org_id).filter((a) => a.id !== params.agent_id).length;
     const shouldAutoResolve = concernedIds.length === 0 && otherOnlineCount === 0;
-    const currentThread = consultation.getThread(threadId);
+    const currentThread = consultation.getThread(params.org_id, threadId);
     if (shouldAutoResolve && currentThread.status === "open" && !params.keep_open) {
-        db.prepare("UPDATE threads SET status = 'resolved', resolved_at = ? WHERE id = ?")
-            .run(new Date().toISOString(), threadId);
+        db.prepare("UPDATE threads SET status = 'resolved', resolved_at = ? WHERE id = ? AND org_id = ?")
+            .run(new Date().toISOString(), threadId, params.org_id);
         consultation.emitResolution(threadId, "auto_resolved");
     }
     // 3. Emit impact_scored SSE events for every scored agent.
@@ -50,18 +51,18 @@ export function runCommonAnnounceFlow(services, threadId, params) {
             score: s.score,
             reasons: s.reasons,
             category: scoredCategory(s),
-        });
+        }, { org_id: params.org_id });
     }
     // 4. Create introspection records and emit introspection_requested for gray_zone agents.
     for (const s of categorized.gray_zone) {
-        introspection.create({ thread_id: threadId, agent_id: s.agent_id, score: s.score, reasons: s.reasons });
+        introspection.create(params.org_id, { thread_id: threadId, agent_id: s.agent_id, score: s.score, reasons: s.reasons });
         sseEmitter.emit("introspection_requested", {
             thread_id: threadId,
             agent_id: s.agent_id,
             agent_name: s.agent_name,
             score: s.score,
             reasons: s.reasons,
-        });
+        }, { org_id: params.org_id });
     }
     // 5. Plan quality downgrade event — both transports emit this when a plan
     // was provided but quality was insufficient. Callers can re-emit if their
@@ -71,13 +72,13 @@ export function runCommonAnnounceFlow(services, threadId, params) {
         sseEmitter.emit("impact_scored", {
             thread_id: threadId,
             agent_id: params.agent_id,
-            agent_name: registry.get(params.agent_id)?.name || params.agent_id,
+            agent_name: registry.get(params.org_id, params.agent_id)?.name || params.agent_id,
             score: planQuality.score,
             reasons: [planDowngradeReason(planQuality)],
             category: "plan_quality",
-        });
+        }, { org_id: params.org_id });
     }
-    const updated = consultation.getThread(threadId);
+    const updated = consultation.getThread(params.org_id, threadId);
     const respondents = JSON.parse(updated.expected_respondents || "[]");
     return { updated, categorized, respondents, planQuality };
 }

package/dist/src/auth/providers/registry.d.ts

@@ -0,0 +1,4 @@
+import type { IdPProvider } from "./types.js";
+export declare const providers: Map<string, IdPProvider>;
+export declare function registerProvider(p: IdPProvider): void;
+export declare function getProvider(name: string): IdPProvider | null;

package/dist/src/auth/providers/registry.js

@@ -0,0 +1,7 @@
+export const providers = new Map();
+export function registerProvider(p) {
+    providers.set(p.name, p);
+}
+export function getProvider(name) {
+    return providers.get(name) ?? null;
+}

package/dist/src/auth/providers/types.d.ts

@@ -0,0 +1,11 @@
+export interface IdpUserInfo {
+    idp_user_id: string;
+    email: string;
+    name?: string;
+    idp_org_id?: string;
+}
+export interface IdPProvider {
+    name: string;
+    buildAuthUrl(state: string, redirectUri: string, codeChallenge?: string): string;
+    exchangeCode(code: string, redirectUri: string, codeVerifier?: string): Promise<IdpUserInfo>;
+}

package/dist/src/auth/providers/types.js

@@ -0,0 +1 @@
+export {};

package/dist/src/auth.d.ts

@@ -1,14 +1,32 @@
 import type { IncomingMessage } from "http";
 import { type Logger } from "./logger.js";
 export declare function setAuthLogger(logger: Logger): void;
+export type AuthRole = "agent" | "admin" | "member";
 export interface AuthClaims {
     sub: string;
-    role: "agent" | "admin";
+    user_id: string;
+    org: string;
+    role: AuthRole;
+    jti: string;
 }
-export declare function initAuth(secret: string, expiry?: string): void;
-export declare function createToken(agentId: string, role: "agent" | "admin", expiry?: string): Promise<string>;
+export interface CreateTokenOptions {
+    user_id?: string;
+    org?: string;
+}
+export interface InitAuthOptions {
+    prevSecret?: string;
+}
+export interface AuthenticateOptions {
+    authEnabled: boolean;
+}
+export declare function initAuth(secret: string, expiry?: string, options?: InitAuthOptions): void;
+export declare function createToken(agentId: string, role: AuthRole, expiry?: string, options?: CreateTokenOptions): Promise<string>;
 export declare function verifyToken(token: string): Promise<AuthClaims>;
-export declare function refreshToken(token: string, gracePeriod?: string): Promise<string>;
+export declare function verifyTokenStrict(token: string): Promise<{
+    claims: AuthClaims;
+    wasLegacy: boolean;
+}>;
+export declare function refreshToken(token: string, options: AuthenticateOptions, gracePeriod?: string): Promise<string>;
 export declare function isRevoked(agentId: string): boolean;
 export declare function revokeAgent(agentId: string, revokedBy: string): void;
 export type AuthResult = {
@@ -18,5 +36,6 @@ export type AuthResult = {
     ok: false;
     status: 401 | 403;
     error: string;
+    wwwAuthenticate?: string;
 };
-export declare function authenticateRequest(req: IncomingMessage): Promise<AuthResult>;
+export declare function authenticateRequest(req: IncomingMessage, options?: AuthenticateOptions): Promise<AuthResult>;