mcp-coordinator 0.6.0 → 0.7.0

package/dist/src/serve-http.js

@@ -14,12 +14,12 @@ const __dirname = path.dirname(__filename);
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { createServices, createMcpServer } from "./server-setup.js";
 import { createLogger } from "./logger.js";
-import { initAuth, authenticateRequest, createToken, refreshToken, revokeAgent, setAuthLogger, verifyToken } from "./auth.js";
+import { initAuth, authenticateRequest, createToken, refreshToken, revokeAgent, setAuthLogger } from "./auth.js";
 import { safeJoinUnderRoot } from "./path-guard.js";
 import { handleRest as handleRestExt } from "./http/handle-rest.js";
 import { handleLivez, handleReadyz, handleHealth } from "./http/handle-health.js";
 import { serveMetrics } from "./metrics.js";
-import { parseBody as parseBodyShared, json as jsonShared } from "./http/utils.js";
+import { parseBody as parseBodyShared, json as jsonShared, jsonAuthError as jsonAuthErrorShared } from "./http/utils.js";
 import { getVersion } from "../cli/version.js";
 const VERSION = getVersion();
 import { startEmbeddedMqttBroker } from "./mqtt-broker.js";
@@ -44,7 +44,14 @@ const MQTT_TCP_PORT = parseInt(process.env.COORDINATOR_MQTT_TCP_PORT || "1883");
 const MQTT_WS_PATH = process.env.COORDINATOR_MQTT_WS_PATH || "/mqtt";
 const AUTH_ENABLED = process.env.COORDINATOR_AUTH_ENABLED === "true";
 const JWT_SECRET = process.env.COORDINATOR_JWT_SECRET || "";
+// Capture whether the env var was EXPLICITLY set at startup. Do not derive this
+// from the runtime signing key — `initAuth()` may have generated a random
+// per-boot secret, in which case the key's length is > 0 but the operator did
+// not provide one. `/healthz` must report the operator's intent, not the
+// random fallback.
+const JWT_SECRET_EXPLICITLY_SET = !!process.env.COORDINATOR_JWT_SECRET;
 const JWT_EXPIRY = process.env.COORDINATOR_JWT_EXPIRY || "24h";
+const JWT_PREV_SECRET = process.env.COORDINATOR_JWT_PREV_SECRET || "";
 const REGISTRATION_SECRET = process.env.COORDINATOR_REGISTRATION_SECRET || "";
 const ADMIN_SECRET = process.env.COORDINATOR_ADMIN_SECRET || "";
 let services;
@@ -57,6 +64,7 @@ let currentRunConfig = null;
 // startServer) can keep using `parseBody` / `json` without changes.
 const parseBody = parseBodyShared;
 const json = jsonShared;
+const jsonAuthError = jsonAuthErrorShared;
 function decodeJwtPayload(token) {
     // Used only on tokens we just minted ourselves (to read the `exp` claim
     // before returning it to the client). Real verification of inbound tokens
@@ -73,11 +81,13 @@ function safeEqual(a, b) {
 // startServer's call site stable while the 382-line REST router lives in its
 // own module. currentRunConfig stays here as the single mutable owner; the
 // extracted function reads/writes via getRunConfig/setRunConfig accessors.
-async function handleRest(req, res) {
+// claims: always populated by the caller (synthetic legacy claims when AUTH_ENABLED=false).
+async function handleRest(req, res, claims) {
     const ctx = {
         services,
         httpLog,
         authEnabled: AUTH_ENABLED,
+        claims,
         getRunConfig: () => currentRunConfig,
         setRunConfig: (cfg) => { currentRunConfig = cfg; },
     };
@@ -119,24 +129,30 @@ async function handleAuth(req, res) {
     else if (url === "/api/auth/refresh" && req.method === "POST") {
         const authHeader = req.headers.authorization;
         if (!authHeader || !authHeader.startsWith("Bearer ")) {
+            // RFC 6750 §3: 401 from a Bearer-protected endpoint must include
+            // WWW-Authenticate. /api/auth/refresh doesn't go through
+            // authenticateRequest (it consumes the prior token, doesn't enforce
+            // current validity), so we set the header manually here.
+            res.setHeader("WWW-Authenticate", 'Bearer realm="mcp-coordinator", error="invalid_token"');
             json(res, { error: "Bearer token required" }, 401);
             return;
         }
         try {
-            const newToken = await refreshToken(authHeader.slice(7));
+            const newToken = await refreshToken(authHeader.slice(7), { authEnabled: AUTH_ENABLED });
             const payload = decodeJwtPayload(newToken);
             const expiresAt = new Date(payload.exp * 1000).toISOString();
             authLog.info({ agent_id: payload.sub }, "Token refreshed");
             json(res, { token: newToken, expires_at: expiresAt });
         }
         catch {
+            res.setHeader("WWW-Authenticate", 'Bearer realm="mcp-coordinator", error="invalid_token"');
             json(res, { error: "Invalid or expired token (beyond grace period)" }, 401);
         }
     }
     else if (url === "/api/auth/revoke" && req.method === "POST") {
-        const authResult = await authenticateRequest(req);
+        const authResult = await authenticateRequest(req, { authEnabled: AUTH_ENABLED });
         if (!authResult.ok) {
-            json(res, { error: authResult.error }, authResult.status);
+            jsonAuthError(res, authResult);
             return;
         }
         const { agent_id } = body;
@@ -187,7 +203,26 @@ const SSE_HEARTBEAT_MS = (() => {
     const n = parseInt(raw, 10);
     return Number.isFinite(n) && n > 0 ? n : 30_000;
 })();
-function handleSse(req, res) {
+async function handleSse(req, res) {
+    // Task 21.5: authenticate SSE GET requests. EventSource does not send
+    // Authorization headers, so we also accept a ?token= query param on GET.
+    // The ?token= fallback is handled inside authenticateRequest (GET-only,
+    // Authorization header takes precedence when both are present).
+    const authResult = await authenticateRequest(req, { authEnabled: AUTH_ENABLED });
+    if (!authResult.ok) {
+        const headers = {
+            "Content-Type": "application/json",
+            "Access-Control-Allow-Origin": "*",
+        };
+        if (authResult.wwwAuthenticate) {
+            headers["WWW-Authenticate"] = authResult.wwwAuthenticate;
+        }
+        res.writeHead(authResult.status, headers);
+        res.end(JSON.stringify({ error: authResult.error }));
+        services.metrics.recordHttpRequest("/api/events", authResult.status);
+        return;
+    }
+    const orgId = authResult.claims.org;
     res.writeHead(200, {
         "Content-Type": "text/event-stream",
         "Cache-Control": "no-cache",
@@ -199,13 +234,13 @@ function handleSse(req, res) {
     // Use Last-Event-ID for resumption, otherwise send last 50
     const lastEventId = parseInt(req.headers["last-event-id"] || "0", 10);
     const events = lastEventId > 0
-        ? services.sseEmitter.getEventsSince(lastEventId)
-        : services.sseEmitter.getEventsSince(0).slice(-50);
+        ? services.sseEmitter.getEventsSince(orgId, lastEventId)
+        : services.sseEmitter.getEventsSince(orgId, 0).slice(-50);
     for (const event of events) {
         writeSseEvent(res, event);
     }
     // Listen for new events
-    const unsubscribe = services.sseEmitter.addListener((event) => {
+    const unsubscribe = services.sseEmitter.addListener(orgId, (event) => {
         writeSseEvent(res, event);
     });
     // P3: heartbeat. Browsers ignore the `:` comment line per the SSE spec,
@@ -232,6 +267,31 @@ function handleSse(req, res) {
         services.metrics.decSseClients();
     });
 }
+/**
+ * MCP per-request auth gate (Task 23).
+ *
+ * Called on EVERY POST /mcp — both new-session and existing-session branches.
+ * Returns claims on success, or writes 401 + returns null so the caller can
+ * immediately `return` without further processing.
+ *
+ * When AUTH_ENABLED=false (open-coordinator mode) returns synthetic legacy
+ * claims so that tool handlers (Task 23.5+) always have a claims object keyed
+ * by org='default'. Does NOT stash claims on `req` — RequestHandlerExtra in
+ * the MCP SDK does not expose IncomingMessage to tool handlers. Task 23.5
+ * will populate a sessionClaims Map<sessionId, AuthClaims> instead.
+ */
+async function authenticateMcpRequest(req, res) {
+    if (!AUTH_ENABLED) {
+        // Open-coordinator mode: synthetic legacy claims.
+        return { sub: "legacy", user_id: "legacy", org: "default", role: "admin", jti: "legacy" };
+    }
+    const authResult = await authenticateRequest(req, { authEnabled: AUTH_ENABLED });
+    if (!authResult.ok) {
+        jsonAuthError(res, authResult);
+        return null;
+    }
+    return authResult.claims;
+}
 export async function startServer(opts) {
     const port = opts?.port ?? PORT;
     const dataDir = opts?.dataDir ?? DATA_DIR;
@@ -257,11 +317,14 @@ export async function startServer(opts) {
             log.fatal("COORDINATOR_ADMIN_SECRET is required when auth is enabled");
             process.exit(1);
         }
-        initAuth(JWT_SECRET, JWT_EXPIRY);
+        initAuth(JWT_SECRET, JWT_EXPIRY, JWT_PREV_SECRET ? { prevSecret: JWT_PREV_SECRET } : {});
         log.info("Auth enabled (JWT HS256)");
     }
     // Multi-session: one transport+server per MCP client session
     const sessions = new Map();
+    // Task 23.5: per-session claims map. Populated when a session is opened or
+    // re-verified (mid-session JWT rotation); evicted when the transport closes.
+    const sessionClaims = new Map();
     const httpServer = createServer(async (req, res) => {
         const url = req.url || "";
         // CORS preflight
@@ -325,7 +388,10 @@ export async function startServer(opts) {
                 services.metrics.recordHttpRequest("/readyz", res.statusCode || 0);
             }
             else if (url === "/health") {
-                handleHealth(req, res);
+                await handleHealth(req, res, {
+                    authEnabled: AUTH_ENABLED,
+                    jwtSecretSet: JWT_SECRET_EXPLICITLY_SET,
+                });
                 services.metrics.recordHttpRequest("/health", 200);
             }
             else if (url === "/metrics" && req.method === "GET") {
@@ -333,10 +399,10 @@ export async function startServer(opts) {
                 services.metrics.recordHttpRequest("/metrics", 200);
             }
             else if (url === "/api/events" && req.method === "GET") {
-                handleSse(req, res);
+                await handleSse(req, res);
             }
             else if (url.startsWith("/api/auth/")) {
-                if (!AUTH_ENABLED) {
+                if (!AUTH_ENABLED && url !== "/api/auth/refresh") {
                     json(res, { error: "Authentication is not enabled on this coordinator" }, 501);
                 }
                 else {
@@ -346,35 +412,40 @@ export async function startServer(opts) {
             else if (url === "/mcp") {
                 const sessionId = req.headers["mcp-session-id"];
                 if (sessionId && sessions.has(sessionId)) {
-                    // Existing session — already authenticated, route directly
+                    // Existing-session branch — AUTH-GATED ON EVERY REQUEST per spec §J.
+                    const claims = await authenticateMcpRequest(req, res);
+                    if (!claims)
+                        return; // 401 already written
+                    // Task 23.5: update stored claims to support mid-session JWT rotation.
+                    // The latest verified claims always win.
+                    sessionClaims.set(sessionId, claims);
                     await sessions.get(sessionId).handleRequest(req, res);
                 }
                 else if (req.method === "POST" && !sessionId) {
-                    // New session — auth guard required
-                    let authenticatedAgent;
-                    if (AUTH_ENABLED) {
-                        const authResult = await authenticateRequest(req);
-                        if (!authResult.ok) {
-                            authLog.warn({ reason: authResult.error, url, ip: req.socket.remoteAddress }, "Auth rejected");
-                            json(res, { error: authResult.error }, authResult.status);
-                            return;
-                        }
-                        authenticatedAgent = authResult.claims.sub;
-                    }
+                    // New-session branch — also gated.
+                    const claims = await authenticateMcpRequest(req, res);
+                    if (!claims)
+                        return; // 401 already written
+                    const authenticatedAgent = claims.sub;
                     // Create transport + server
                     const transport = new StreamableHTTPServerTransport({ sessionIdGenerator: () => randomUUID() });
-                    const mcpServer = createMcpServer(services);
+                    // Task 23.5: pass a getter so tool handlers can look up per-session claims.
+                    const mcpServer = createMcpServer(services, (sid) => sessionClaims.get(sid) ?? null);
                     await mcpServer.connect(transport);
                     transport.onclose = () => {
                         const sid = transport.sessionId;
-                        if (sid)
+                        if (sid) {
                             sessions.delete(sid);
+                            sessionClaims.delete(sid); // Task 23.5: evict claims on session close
+                        }
                         mcpLog.info({ session_id: sid, remaining: sessions.size }, "MCP session closed");
                     };
                     await transport.handleRequest(req, res);
-                    if (transport.sessionId) {
-                        sessions.set(transport.sessionId, transport);
-                        mcpLog.info({ session_id: transport.sessionId, total: sessions.size, agent_id: authenticatedAgent }, "MCP session opened");
+                    const sid = transport.sessionId;
+                    if (sid) {
+                        sessions.set(sid, transport);
+                        sessionClaims.set(sid, claims); // Task 23.5: stash claims after sessionId is assigned
+                        mcpLog.info({ session_id: sid, total: sessions.size, agent_id: authenticatedAgent }, "MCP session opened");
                     }
                 }
                 else {
@@ -382,18 +453,18 @@ export async function startServer(opts) {
                 }
             }
             else {
-                // Auth guard for protected routes
-                if (AUTH_ENABLED) {
-                    const authResult = await authenticateRequest(req);
-                    if (!authResult.ok) {
-                        authLog.warn({ reason: authResult.error, url, ip: req.socket.remoteAddress }, "Auth rejected");
-                        services.metrics.recordAuthRejected();
-                        json(res, { error: authResult.error }, authResult.status);
-                        return;
-                    }
+                // Always authenticate — under AUTH_ENABLED=false this returns synthetic legacy claims
+                // so handlers can always read claims.org. Required for Tasks 15-19 which scope every
+                // database query by claims.org.
+                const authResult = await authenticateRequest(req, { authEnabled: AUTH_ENABLED });
+                if (!authResult.ok) {
+                    authLog.warn({ reason: authResult.error, url, ip: req.socket.remoteAddress }, "Auth rejected");
+                    services.metrics.recordAuthRejected();
+                    jsonAuthError(res, authResult);
+                    return;
                 }
                 if (url.startsWith("/api/") && (req.method === "POST" || req.method === "GET")) {
-                    await handleRest(req, res);
+                    await handleRest(req, res, authResult.claims);
                     services.metrics.recordHttpRequest((url.split("?")[0] || ""), res.statusCode || 0);
                 }
                 else {
@@ -413,25 +484,28 @@ export async function startServer(opts) {
     // B3 fix: when AUTH_ENABLED, gate every MQTT CONNECT by JWT in the password
     // field. Anonymous connections are rejected. Default off (essaim and any
     // client without auth keep working unchanged).
-    const mqttAuth = AUTH_ENABLED
-        ? async (_username, password) => {
-            if (!password)
-                return false;
-            try {
-                await verifyToken(password.toString("utf-8"));
-                return true;
-            }
-            catch {
-                return false;
-            }
-        }
-        : undefined;
+    // Only install the verifier (and therefore the ACL hooks) when auth is enabled.
+    // Without this guard, AUTH_ENABLED=false would still reject anonymous v0.6
+    // MQTT clients at the authenticate hook, breaking backward compatibility.
     const broker = await startEmbeddedMqttBroker({
         tcpPort: mqttTcpPort,
         httpServer,
         wsPath: mqttWsPath,
         logger: log.child({ component: "mqtt-broker" }),
-        authenticate: mqttAuth,
+        ...(AUTH_ENABLED ? {
+            authenticate: async (_username, password) => {
+                if (!password)
+                    return { ok: false };
+                try {
+                    const { verifyTokenStrict } = await import("./auth.js");
+                    const { claims } = await verifyTokenStrict(password.toString("utf-8"));
+                    return { ok: true, org: claims.org };
+                }
+                catch {
+                    return { ok: false };
+                }
+            },
+        } : {}),
     });
     // B3: when AUTH_ENABLED, the internal coordinator client must authenticate
     // too. Mint a short-lived admin token for the bridge.
@@ -445,13 +519,18 @@ export async function startServer(opts) {
         agentId: "coordinator-internal",
     });
     services.mqttBridge.onOffline((agentId) => {
-        services.registry.setOffline(agentId);
+        // TODO(Task 22): MQTT topics carry no org_id today, so setOffline("default", id) silently
+        // no-ops for any agent registered under a non-default org. Acceptable in single-tenant Phase 1
+        // (everything is "default"); becomes a correctness bug the moment multi-org goes live. Task 22
+        // (MQTT topic scoping + Aedes ACL hook) will thread the real org from the topic prefix.
+        services.registry.setOffline("default", agentId);
         services.consultation.handleAgentDeparture(agentId);
         // Clear in-flight working_files AFTER consultation cleanup so any future
         // consultation logic that might inspect working_files state for this agent
         // sees the pre-cleanup view.
         services.workingFiles.clearForAgent(agentId);
-        services.sseEmitter.emit("agent_offline", { agent_id: agentId });
+        // TODO(Task 22): MQTT offline path has no org_id context; using "default" for single-tenant Phase 1.
+        services.sseEmitter.emit("agent_offline", { agent_id: agentId }, { org_id: "default" });
     });
     // Wait for the HTTP server to be actually listening before resolving the
     // returned handle. Otherwise callers (tests, essaim) may try to connect

package/dist/src/server-setup.d.ts

@@ -1,4 +1,5 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { AuthClaims } from "./auth.js";
 import { AgentRegistry } from "./agent-registry.js";
 import { Consultation } from "./consultation.js";
 import { ConflictDetector } from "./conflict-detector.js";
@@ -38,5 +39,14 @@ export interface CoordinatorServices {
 }
 /** Create shared services (once at startup). */
 export declare function createServices(config: CoordinatorConfig): CoordinatorServices;
-/** Create a new McpServer bound to the shared services (one per MCP session). */
-export declare function createMcpServer(services: CoordinatorServices): McpServer;
+/** Create a new McpServer bound to the shared services (one per MCP session).
+ *
+ * @param getSessionClaims - Looks up per-session claims by sessionId. In STDIO
+ *   mode there are no sessions so this defaults to a no-op that always returns
+ *   null, which causes tool handlers to throw "Session has no captured claims"
+ *   (expected — STDIO mode is single-tenant and unauthenticated; tool callers
+ *   in that mode should rely on the AUTH_ENABLED=false synthetic-claims path
+ *   added to authenticateMcpRequest, which is not invoked for STDIO).
+ *   Pass a real getter in serve-http.ts's streamable-HTTP path.
+ */
+export declare function createMcpServer(services: CoordinatorServices, getSessionClaims?: (sessionId: string) => AuthClaims | null): McpServer;

package/dist/src/server-setup.js

@@ -42,7 +42,7 @@ export function createServices(config) {
     const conflictDetector = new ConflictDetector(consultation, depMap, fileTracker, logger.child({ component: "conflict" }));
     const contextProvider = new SummaryContextProvider(registry, consultation, fileTracker);
     const sseEmitter = new SseEmitter();
-    const mqttBridge = new MqttBridge(logger.child({ component: "mqtt" }));
+    const mqttBridge = new MqttBridge("default", logger.child({ component: "mqtt" }));
     const treeSitter = new TreeSitterExtractor(metrics);
     treeSitter.load().catch(() => { });
     const repoRoot = process.env.COORDINATOR_REPO_ROOT;
@@ -57,7 +57,8 @@ export function createServices(config) {
             retryMs: parseInt(process.env.COORDINATOR_LAYER4_RETRY_MS || "300000", 10),
         })
         : null;
-    gitCochange?.startScheduler();
+    // TODO(Task 22): boot-time builder uses 'default' org because no auth context exists at startup; multi-org cochange (Phase 5) will require per-org boot or on-demand build.
+    gitCochange?.startScheduler("default");
     // Quota cache — macOS-only for now, Linux/Windows stubs return 503 via the
     // /api/quota handler so raids keep running without a quota guardrail there.
     // onRefresh fans the new data out to dashboard (SSE) + any live listener (MQTT)
@@ -65,12 +66,14 @@ export function createServices(config) {
     const quotaCache = new QuotaCache({
         logger: logger.child({ component: "quota" }),
         onRefresh: (info) => {
+            // TODO(Task 22): quota_update has no org context at the quota-cache callback level;
+            // using "default" (single-tenant Phase 1). Multi-org Phase 5 will require per-org quota.
             sseEmitter.emit("quota_update", {
                 five_hour: info.fiveHour,
                 seven_day: info.sevenDay,
                 seven_day_sonnet: info.sevenDaySonnet,
                 fetched_at: info.fetchedAt,
-            });
+            }, { org_id: "default" });
             mqttBridge.publishQuotaUpdate(info);
         },
     });
@@ -78,7 +81,9 @@ export function createServices(config) {
     // SSE events for agent_online/agent_offline since they're already emitted by
     // the REST handler on /api/register and the offline hook. Avoids plumbing a
     // dedicated observer through AgentRegistry.
-    sseEmitter.addListener((event) => {
+    // TODO(Task 22): quota observer uses "default" org — single-tenant Phase 1 only.
+    // Multi-org Phase 5 will require per-org quota listeners.
+    sseEmitter.addListener("default", (event) => {
         if (event.type === "agent_online")
             quotaCache.onAgentActive();
         else if (event.type === "agent_offline")
@@ -87,6 +92,8 @@ export function createServices(config) {
     // Centralized resolution → SSE + MQTT + metrics
     consultation.onResolve((event) => {
         metrics.recordThreadResolved(event.resolution_type);
+        // Approach (a): event.org_id is threaded from emitResolution via getThreadCrossOrg,
+        // so the correct org is always available here without an extra DB lookup.
         sseEmitter.emit("thread_resolved", {
             thread_id: event.thread_id,
             resolution_type: event.resolution_type,
@@ -96,7 +103,7 @@ export function createServices(config) {
             created_at: event.created_at,
             resolved_at: event.resolved_at,
             had_messages: event.had_messages,
-        });
+        }, { org_id: event.org_id });
         if (event.resolution_type !== "auto_resolved") {
             mqttBridge.publishResolution(event.thread_id, "resolved", event.resolution_summary || "");
         }
@@ -111,8 +118,17 @@ export function createServices(config) {
         depMap, fileTracker, impactScorer, workingFiles, introspection, contextProvider, sseEmitter, mqttBridge, quotaCache, metrics, treeSitter, gitCochange,
     };
 }
-/** Create a new McpServer bound to the shared services (one per MCP session). */
-export function createMcpServer(services) {
+/** Create a new McpServer bound to the shared services (one per MCP session).
+ *
+ * @param getSessionClaims - Looks up per-session claims by sessionId. In STDIO
+ *   mode there are no sessions so this defaults to a no-op that always returns
+ *   null, which causes tool handlers to throw "Session has no captured claims"
+ *   (expected — STDIO mode is single-tenant and unauthenticated; tool callers
+ *   in that mode should rely on the AUTH_ENABLED=false synthetic-claims path
+ *   added to authenticateMcpRequest, which is not invoked for STDIO).
+ *   Pass a real getter in serve-http.ts's streamable-HTTP path.
+ */
+export function createMcpServer(services, getSessionClaims = () => null) {
     const { registry, activityTracker, consultation, conflictDetector, depMap, fileTracker, impactScorer, introspection, contextProvider, sseEmitter, mqttBridge } = services;
     const mcpLog = services.logger.child({ component: "mcp" });
     const server = new McpServer({
@@ -120,13 +136,15 @@ export function createMcpServer(services) {
         version: VERSION,
     });
     // S1: all 23 MCP tools registered via per-domain modules under src/tools/.
-    // Each register*Tools function takes (server, services, mcpLog) and wires
-    // its tool group; nothing else lives here. See src/tools/*.ts for behavior.
-    registerAgentTools(server, services, mcpLog);
-    registerConsultationTools(server, services, mcpLog);
-    registerFilesTools(server, services, mcpLog);
-    registerDependenciesTools(server, services, mcpLog);
-    registerStatusTools(server, services, mcpLog);
-    registerMqttTools(server, services, mcpLog);
+    // Each register*Tools function takes (server, services, mcpLog, getSessionClaims)
+    // and wires its tool group. See src/tools/*.ts for behavior.
+    // Task 23.5: getSessionClaims is threaded into each tool registration so
+    // handlers can scope DB queries to claims.org instead of the literal "default".
+    registerAgentTools(server, services, mcpLog, getSessionClaims);
+    registerConsultationTools(server, services, mcpLog, getSessionClaims);
+    registerFilesTools(server, services, mcpLog, getSessionClaims);
+    registerDependenciesTools(server, services, mcpLog, getSessionClaims);
+    registerStatusTools(server, services, mcpLog, getSessionClaims);
+    registerMqttTools(server, services, mcpLog, getSessionClaims);
     return server;
 }

package/dist/src/sse-emitter.d.ts

@@ -1,12 +1,15 @@
 import type { CoordinatorEvent, EventType } from "./types.js";
 type EventListener = (event: CoordinatorEvent) => void;
+interface EmitOptions {
+    org_id: string;
+}
 export declare const MAX_SSE_CLIENTS: number;
 export declare class SseEmitter {
-    private listeners;
+    private entries;
     private rejectedCount;
-    emit(type: EventType, payload: Record<string, unknown>): void;
-    getEventsSince(lastId: number): CoordinatorEvent[];
-    addListener(listener: EventListener): () => void;
+    emit(type: EventType, payload: Record<string, unknown>, options: EmitOptions): void;
+    getEventsSince(orgId: string, lastId: number): CoordinatorEvent[];
+    addListener(orgId: string, listener: EventListener): () => void;
     removeAllListeners(): void;
     /** P3: introspection for tests + ops dashboards. */
     listenerCount(): number;

package/dist/src/sse-emitter.js

@@ -16,31 +16,36 @@ export const MAX_SSE_CLIENTS = (() => {
 })();
 const NOOP = () => { };
 export class SseEmitter {
-    listeners = [];
+    entries = [];
     // P3: track refusals so operators can see when the cap is being hit.
     // Also lets tests assert "we refused without throwing" without scraping logs.
     rejectedCount = 0;
-    emit(type, payload) {
+    emit(type, payload, options) {
         const db = getDb();
-        const payloadStr = JSON.stringify(payload);
+        // The spread `{ ...payload, org_id: options.org_id }` deliberately OVERWRITES any
+        // caller-supplied `org_id` field in `payload`. The authoritative source is
+        // `options.org_id` (derived from `claims.org` in the handler), so callers cannot
+        // smuggle a different org through the payload. This is intentional.
+        const payloadWithOrg = { ...payload, org_id: options.org_id };
+        const payloadStr = JSON.stringify(payloadWithOrg);
         const result = db
-            .prepare("INSERT INTO events (type, payload) VALUES (?, ?)")
-            .run(type, payloadStr);
+            .prepare("INSERT INTO events (org_id, type, payload) VALUES (?, ?, ?)")
+            .run(options.org_id, type, payloadStr);
         const event = {
             id: result.lastInsertRowid,
             type,
             payload: payloadStr,
             created_at: new Date().toISOString(),
         };
-        // P3: async fan-out via setImmediate so a slow listener (e.g. a stalled
-        // SSE client whose socket buffer is full) cannot block siblings or the
-        // emit() caller. Snapshot the array first so a listener that unsubscribes
-        // mid-loop doesn't shift indices under us.
-        const snapshot = this.listeners.slice();
-        for (const listener of snapshot) {
+        // Snapshot + filter by org_id, then fan-out via setImmediate so a slow
+        // listener (e.g. a stalled SSE client whose socket buffer is full) cannot
+        // block siblings or the emit() caller. Snapshot the array first so a
+        // listener that unsubscribes mid-loop doesn't shift indices under us.
+        const snapshot = this.entries.filter((e) => e.orgId === options.org_id);
+        for (const entry of snapshot) {
             setImmediate(() => {
                 try {
-                    listener(event);
+                    entry.listener(event);
                 }
                 catch {
                     // Listener errors must not crash the emitter or affect siblings.
@@ -50,31 +55,32 @@ export class SseEmitter {
             });
         }
     }
-    getEventsSince(lastId) {
+    getEventsSince(orgId, lastId) {
         const db = getDb();
         return db
-            .prepare("SELECT * FROM events WHERE id > ? ORDER BY id")
-            .all(lastId);
+            .prepare("SELECT * FROM events WHERE org_id = ? AND id > ? ORDER BY id")
+            .all(orgId, lastId);
     }
-    addListener(listener) {
+    addListener(orgId, listener) {
         // P3: refuse-with-no-op when the cap is reached. Returning a no-op
         // keeps the caller's unsubscribe contract intact (no special-casing
         // upstream) while preventing the array from growing past MAX_SSE_CLIENTS.
-        if (this.listeners.length >= MAX_SSE_CLIENTS) {
+        if (this.entries.length >= MAX_SSE_CLIENTS) {
             this.rejectedCount++;
             return NOOP;
         }
-        this.listeners.push(listener);
+        const entry = { orgId, listener };
+        this.entries.push(entry);
         return () => {
-            this.listeners = this.listeners.filter((l) => l !== listener);
+            this.entries = this.entries.filter((e) => e !== entry);
         };
     }
     removeAllListeners() {
-        this.listeners = [];
+        this.entries = [];
     }
     /** P3: introspection for tests + ops dashboards. */
     listenerCount() {
-        return this.listeners.length;
+        return this.entries.length;
     }
     /** P3: count of addListener calls refused due to MAX_SSE_CLIENTS. */
     getRejectedCount() {

package/dist/src/tools/agents-tools.d.ts

@@ -1,8 +1,9 @@
 import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import type { CoordinatorServices } from "../server-setup.js";
 import type { Logger } from "../logger.js";
+import type { AuthClaims } from "../auth.js";
 /**
  * S1: agent registry MCP tools (4 tools).
  * register_agent, list_agents, heartbeat, agent_activity.
  */
-export declare function registerAgentTools(server: McpServer, services: CoordinatorServices, mcpLog: Logger): void;
+export declare function registerAgentTools(server: McpServer, services: CoordinatorServices, mcpLog: Logger, getSessionClaims: (sessionId: string) => AuthClaims | null): void;