pulsemcp-cms-admin-mcp-server 0.9.24 → 0.9.27

package/build/shared/src/pulsemcp-admin-client/lib/create-api-key.js

@@ -24,7 +24,9 @@ export async function createApiKey(apiKey, baseUrl, params) {
             throw new Error('Invalid API key');
         }
         if (response.status === 403) {
-            throw new Error('User lacks write privileges');
+            const errorData = (await response.json().catch(() => ({})));
+            const message = errorData.errors?.join(', ') || errorData.error || `Forbidden: ${response.status}`;
+            throw new Error(message);
         }
         if (response.status === 404) {
             const errorData = (await response.json());

package/build/shared/src/pulsemcp-admin-client/lib/delete-api-key.js

@@ -13,7 +13,9 @@ export async function deleteApiKey(apiKey, baseUrl, id) {
             throw new Error('Invalid API key');
         }
         if (response.status === 403) {
-            throw new Error('User lacks write privileges');
+            const errorData = (await response.json().catch(() => ({})));
+            const message = errorData.errors?.join(', ') || errorData.error || `Forbidden: ${response.status}`;
+            throw new Error(message);
         }
         if (response.status === 422) {
             const errorData = (await response.json().catch(() => ({})));

package/build/shared/src/pulsemcp-admin-client/lib/delete-tenant.js

@@ -16,7 +16,9 @@ export async function deleteTenant(apiKey, baseUrl, params) {
             throw new Error('Invalid API key');
         }
         if (response.status === 403) {
-            throw new Error('User lacks write privileges');
+            const errorData = (await response.json().catch(() => ({})));
+            const message = errorData.errors?.join(', ') || errorData.error || `Forbidden: ${response.status}`;
+            throw new Error(message);
         }
         if (response.status === 404) {
             throw new Error(`Tenant ${params.id_or_slug} not found`);

package/build/shared/src/pulsemcp-admin-client/lib/set-known-missing-init-tools-list.js

@@ -0,0 +1,42 @@
+import { adminFetch } from './admin-fetch.js';
+export async function setKnownMissingInitToolsList(apiKey, baseUrl, id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo) {
+    const url = new URL(`/api/mcp_servers/${id}/known_missing_init_tools_list`, baseUrl);
+    const body = {
+        known_missing_init_tools_list: knownMissingInitToolsList,
+    };
+    if (knownMissingInitToolsListFilterTo !== undefined) {
+        // null is sent as JSON null; the Rails controller treats nil/blank as "clear".
+        body.known_missing_init_tools_list_filter_to = knownMissingInitToolsListFilterTo;
+    }
+    const response = await adminFetch(url.toString(), {
+        method: 'POST',
+        headers: {
+            'X-API-Key': apiKey,
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
+    });
+    if (!response.ok) {
+        if (response.status === 401) {
+            throw new Error('Invalid API key');
+        }
+        if (response.status === 403) {
+            throw new Error('User lacks write privileges');
+        }
+        if (response.status === 404) {
+            throw new Error(`MCP server not found: ${id}`);
+        }
+        if (response.status === 400) {
+            const errBody = (await response.json().catch(() => ({})));
+            throw new Error(errBody.error ?? 'Bad request');
+        }
+        if (response.status === 422) {
+            const errBody = (await response.json().catch(() => ({})));
+            const detailStr = errBody.details?.length ? ` (${errBody.details.join(', ')})` : '';
+            throw new Error(`${errBody.error ?? 'Validation failed'}${detailStr}`);
+        }
+        throw new Error(`Failed to set known_missing_init_tools_list: ${response.status} ${response.statusText}`);
+    }
+    return (await response.json());
+}

package/build/shared/src/pulsemcp-admin-client/pulsemcp-admin-client.integration-mock.js

@@ -1079,5 +1079,15 @@ export function createMockPulseMCPAdminClient(mockData) {
                 message: `Cache successfully refreshed for ${slug}.`,
             };
         },
+        async setKnownMissingInitToolsList(id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo) {
+            return {
+                id,
+                slug: `mock-server-${id}`,
+                known_missing_init_tools_list: knownMissingInitToolsList,
+                known_missing_init_tools_list_filter_to: knownMissingInitToolsListFilterTo === undefined
+                    ? null
+                    : (knownMissingInitToolsListFilterTo ?? null),
+            };
+        },
     };
 }

package/build/shared/src/server.js

@@ -72,6 +72,7 @@ import { getMozMetrics } from './pulsemcp-admin-client/lib/get-moz-metrics.js';
 import { getMozBacklinks } from './pulsemcp-admin-client/lib/get-moz-backlinks.js';
 import { getMozStoredMetrics } from './pulsemcp-admin-client/lib/get-moz-stored-metrics.js';
 import { recacheMCPServer } from './pulsemcp-admin-client/lib/recache-mcp-server.js';
+import { setKnownMissingInitToolsList } from './pulsemcp-admin-client/lib/set-known-missing-init-tools-list.js';
 import { createTenant } from './pulsemcp-admin-client/lib/create-tenant.js';
 import { createApiKey } from './pulsemcp-admin-client/lib/create-api-key.js';
 import { deleteTenant } from './pulsemcp-admin-client/lib/delete-tenant.js';
@@ -245,6 +246,9 @@ export class PulseMCPAdminClient {
     async recacheMCPServer(slug) {
         return recacheMCPServer(this.apiKey, this.baseUrl, slug);
     }
+    async setKnownMissingInitToolsList(id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo) {
+        return setKnownMissingInitToolsList(this.apiKey, this.baseUrl, id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo);
+    }
     // Redirect REST API methods
     async getRedirects(params) {
         return getRedirects(this.apiKey, this.baseUrl, params);

package/build/shared/src/tools/set-known-missing-init-tools-list.js

@@ -0,0 +1,75 @@
+import { z } from 'zod';
+const PARAM_DESCRIPTIONS = {
+    id: 'The integer id of the MCP server (the "mirror id" used elsewhere in the proctor flow)',
+    known_missing_init_tools_list: 'Whether the MCP server is known to be missing the init/tools-list capability. true marks the server as known-missing (proctor will skip the init/tools-list exam); false clears the flag.',
+    known_missing_init_tools_list_filter_to: 'Optional. When set, scopes the known-missing flag to a specific entry (e.g., "remotes[0]" or "packages[0]"). Pass an empty string or null to clear the filter. Omit the parameter entirely to leave the existing value untouched.',
+};
+const SetKnownMissingInitToolsListSchema = z.object({
+    id: z.number().int().describe(PARAM_DESCRIPTIONS.id),
+    known_missing_init_tools_list: z
+        .boolean()
+        .describe(PARAM_DESCRIPTIONS.known_missing_init_tools_list),
+    known_missing_init_tools_list_filter_to: z
+        .string()
+        .nullable()
+        .optional()
+        .describe(PARAM_DESCRIPTIONS.known_missing_init_tools_list_filter_to),
+});
+export function setKnownMissingInitToolsList(_server, clientFactory) {
+    return {
+        name: 'set_known_missing_init_tools_list',
+        description: `Update the \`known_missing_init_tools_list\` flag on an MCP server. Optionally also updates the \`known_missing_init_tools_list_filter_to\` scoping value. Identifies the server by integer id (the "mirror id" used elsewhere in the proctor flow).
+
+Example request:
+{
+  "id": 27765,
+  "known_missing_init_tools_list": true,
+  "known_missing_init_tools_list_filter_to": "remotes[0]"
+}
+
+Use cases:
+- Mark a server as known-missing the init/tools-list capability so proctor skips that exam
+- Clear the known-missing flag once the server starts responding correctly
+- Scope the known-missing flag to a specific remote/package entry via the filter_to value`,
+        inputSchema: {
+            type: 'object',
+            properties: {
+                id: { type: 'integer', description: PARAM_DESCRIPTIONS.id },
+                known_missing_init_tools_list: {
+                    type: 'boolean',
+                    description: PARAM_DESCRIPTIONS.known_missing_init_tools_list,
+                },
+                known_missing_init_tools_list_filter_to: {
+                    type: ['string', 'null'],
+                    description: PARAM_DESCRIPTIONS.known_missing_init_tools_list_filter_to,
+                },
+            },
+            required: ['id', 'known_missing_init_tools_list'],
+        },
+        handler: async (args) => {
+            const validatedArgs = SetKnownMissingInitToolsListSchema.parse(args);
+            const client = clientFactory();
+            try {
+                const result = await client.setKnownMissingInitToolsList(validatedArgs.id, validatedArgs.known_missing_init_tools_list, validatedArgs.known_missing_init_tools_list_filter_to);
+                const filterDisplay = result.known_missing_init_tools_list_filter_to === null
+                    ? '(none)'
+                    : result.known_missing_init_tools_list_filter_to;
+                const text = `Updated MCP server ${result.slug} (id: ${result.id}):
+- known_missing_init_tools_list: ${result.known_missing_init_tools_list}
+- known_missing_init_tools_list_filter_to: ${filterDisplay}`;
+                return { content: [{ type: 'text', text }] };
+            }
+            catch (error) {
+                return {
+                    content: [
+                        {
+                            type: 'text',
+                            text: `Error setting known_missing_init_tools_list: ${error instanceof Error ? error.message : String(error)}`,
+                        },
+                    ],
+                    isError: true,
+                };
+            }
+        },
+    };
+}

package/build/shared/src/tools.js

@@ -70,6 +70,7 @@ import { runExamForMirror } from './tools/run-exam-for-mirror.js';
 import { getExamResult } from './tools/get-exam-result.js';
 import { saveResultsForMirror } from './tools/save-results-for-mirror.js';
 import { listProctorRuns } from './tools/list-proctor-runs.js';
+import { setKnownMissingInitToolsList } from './tools/set-known-missing-init-tools-list.js';
 import { getProctorMetadata } from './tools/get-proctor-metadata.js';
 // Discovered URLs tools
 import { listDiscoveredUrls } from './tools/list-discovered-urls.js';
@@ -184,13 +185,14 @@ const ALL_TOOLS = [
     { factory: getTenant, groups: ['tenants'], isWriteOperation: false },
     { factory: createTenant, groups: ['tenants'], isWriteOperation: true },
     { factory: createApiKey, groups: ['tenants'], isWriteOperation: true },
-    // revoke_api_key lives in the regular `tenants` group (not `tenants_destructive`) so
-    // it's exposed to read-write tenant management workflows like sub-registry credential
-    // re-issuance. The tool gates each call with MCP elicitation; if the connected client
-    // supports neither native elicitation nor an HTTP fallback, the elicitation library
-    // throws at runtime rather than silently destroying the key.
-    { factory: revokeApiKey, groups: ['tenants'], isWriteOperation: true },
-    // Destructive tenant tools — opt-in only, NOT in BASE_TOOL_GROUPS
+    // Destructive tenant tools — opt-in only, NOT in BASE_TOOL_GROUPS.
+    // revoke_api_key lives here (not in `tenants`) because it calls the same
+    // DELETE /api/api_keys/:id endpoint as delete_api_key and the Rails admin
+    // API gates that endpoint behind permission_level=all (full_access). The
+    // standard read-write admin credential cannot DELETE, so exposing
+    // revoke_api_key in the regular tenants group surfaced confusing 403s on
+    // workflows like sub-registry credential re-issuance.
+    { factory: revokeApiKey, groups: ['tenants_destructive'], isWriteOperation: true },
     { factory: deleteTenant, groups: ['tenants_destructive'], isWriteOperation: true },
     { factory: deleteApiKey, groups: ['tenants_destructive'], isWriteOperation: true },
     // Tenant -> recommended MCP server association tools
@@ -267,6 +269,13 @@ const ALL_TOOLS = [
     { factory: saveResultsForMirror, groups: ['proctor'], isWriteOperation: true },
     { factory: listProctorRuns, groups: ['proctor'], isWriteOperation: false },
     { factory: getProctorMetadata, groups: ['proctor'], isWriteOperation: false },
+    // setKnownMissingInitToolsList flips a flag on `mcp_server` records, so it lives in
+    // the mcp_servers / server_directory groups (alongside recacheMCPServer), not proctor.
+    {
+        factory: setKnownMissingInitToolsList,
+        groups: ['mcp_servers', 'server_directory'],
+        isWriteOperation: true,
+    },
     // Discovered URLs tools
     { factory: listDiscoveredUrls, groups: ['discovered_urls'], isWriteOperation: false },
     {
@@ -402,9 +411,9 @@ function shouldIncludeTool(toolDef, enabledGroups) {
  * - unofficial_mirrors: Unofficial mirror CRUD tools (read + write)
  * - unofficial_mirrors_readonly: Unofficial mirror tools (read only)
  * - official_mirrors_readonly: Official mirrors REST API tools (read only)
- * - tenants: Tenant management tools including API key provisioning + revoke_api_key (read + write). revoke_api_key is gated by MCP elicitation user approval before execution.
+ * - tenants: Tenant management tools including API key provisioning (read + write).
  * - tenants_readonly: Tenant tools (read only)
- * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key). NOT enabled by default; operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
+ * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key, revoke_api_key). NOT enabled by default; operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
  * - mcp_jsons: MCP JSON configuration tools (read + write)
  * - mcp_jsons_readonly: MCP JSON tools (read only)
  * - mcp_servers: Unified MCP server tools with abstracted interface (read + write)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pulsemcp-cms-admin-mcp-server",
-  "version": "0.9.24",
+  "version": "0.9.27",
   "description": "Local implementation of PulseMCP CMS Admin MCP server",
   "mcpName": "com.pulsemcp.servers/pulsemcp-cms-admin",
   "main": "build/index.js",

package/shared/elicitation-config.d.ts

@@ -8,13 +8,13 @@ import { type ElicitationConfig } from '@pulsemcp/mcp-elicitation';
  * 3. Per-action override: PULSEMCP_CMS_ADMIN_ELICITATION_DESTRUCTIVE
  *
  * Destructive elicitation gates the `tenants_destructive` tool group only
- * (delete_tenant, delete_api_key). All other write tools in the server are
- * not gated by elicitation.
+ * (delete_tenant, delete_api_key, revoke_api_key). All other write tools in
+ * the server are not gated by elicitation.
  */
 export interface CmsAdminElicitationConfig {
     /** Base elicitation config from the shared library */
     base: ElicitationConfig;
-    /** Whether to elicit confirmation for destructive operations (delete_tenant, delete_api_key) */
+    /** Whether to elicit confirmation for destructive operations (delete_tenant, delete_api_key, revoke_api_key) */
     destructiveElicitationEnabled: boolean;
 }
 /**

package/shared/pulsemcp-admin-client/lib/create-api-key.js

@@ -24,7 +24,9 @@ export async function createApiKey(apiKey, baseUrl, params) {
             throw new Error('Invalid API key');
         }
         if (response.status === 403) {
-            throw new Error('User lacks write privileges');
+            const errorData = (await response.json().catch(() => ({})));
+            const message = errorData.errors?.join(', ') || errorData.error || `Forbidden: ${response.status}`;
+            throw new Error(message);
         }
         if (response.status === 404) {
             const errorData = (await response.json());

package/shared/pulsemcp-admin-client/lib/delete-api-key.js

@@ -13,7 +13,9 @@ export async function deleteApiKey(apiKey, baseUrl, id) {
             throw new Error('Invalid API key');
         }
         if (response.status === 403) {
-            throw new Error('User lacks write privileges');
+            const errorData = (await response.json().catch(() => ({})));
+            const message = errorData.errors?.join(', ') || errorData.error || `Forbidden: ${response.status}`;
+            throw new Error(message);
         }
         if (response.status === 422) {
             const errorData = (await response.json().catch(() => ({})));

package/shared/pulsemcp-admin-client/lib/delete-tenant.js

@@ -16,7 +16,9 @@ export async function deleteTenant(apiKey, baseUrl, params) {
             throw new Error('Invalid API key');
         }
         if (response.status === 403) {
-            throw new Error('User lacks write privileges');
+            const errorData = (await response.json().catch(() => ({})));
+            const message = errorData.errors?.join(', ') || errorData.error || `Forbidden: ${response.status}`;
+            throw new Error(message);
         }
         if (response.status === 404) {
             throw new Error(`Tenant ${params.id_or_slug} not found`);

package/shared/pulsemcp-admin-client/lib/set-known-missing-init-tools-list.d.ts

@@ -0,0 +1,3 @@
+import type { SetKnownMissingInitToolsListResponse } from '../../types.js';
+export declare function setKnownMissingInitToolsList(apiKey: string, baseUrl: string, id: number, knownMissingInitToolsList: boolean, knownMissingInitToolsListFilterTo?: string | null): Promise<SetKnownMissingInitToolsListResponse>;
+//# sourceMappingURL=set-known-missing-init-tools-list.d.ts.map

package/shared/pulsemcp-admin-client/lib/set-known-missing-init-tools-list.js

@@ -0,0 +1,42 @@
+import { adminFetch } from './admin-fetch.js';
+export async function setKnownMissingInitToolsList(apiKey, baseUrl, id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo) {
+    const url = new URL(`/api/mcp_servers/${id}/known_missing_init_tools_list`, baseUrl);
+    const body = {
+        known_missing_init_tools_list: knownMissingInitToolsList,
+    };
+    if (knownMissingInitToolsListFilterTo !== undefined) {
+        // null is sent as JSON null; the Rails controller treats nil/blank as "clear".
+        body.known_missing_init_tools_list_filter_to = knownMissingInitToolsListFilterTo;
+    }
+    const response = await adminFetch(url.toString(), {
+        method: 'POST',
+        headers: {
+            'X-API-Key': apiKey,
+            Accept: 'application/json',
+            'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(body),
+    });
+    if (!response.ok) {
+        if (response.status === 401) {
+            throw new Error('Invalid API key');
+        }
+        if (response.status === 403) {
+            throw new Error('User lacks write privileges');
+        }
+        if (response.status === 404) {
+            throw new Error(`MCP server not found: ${id}`);
+        }
+        if (response.status === 400) {
+            const errBody = (await response.json().catch(() => ({})));
+            throw new Error(errBody.error ?? 'Bad request');
+        }
+        if (response.status === 422) {
+            const errBody = (await response.json().catch(() => ({})));
+            const detailStr = errBody.details?.length ? ` (${errBody.details.join(', ')})` : '';
+            throw new Error(`${errBody.error ?? 'Validation failed'}${detailStr}`);
+        }
+        throw new Error(`Failed to set known_missing_init_tools_list: ${response.status} ${response.statusText}`);
+    }
+    return (await response.json());
+}

package/shared/pulsemcp-admin-client/pulsemcp-admin-client.integration-mock.js

@@ -1079,5 +1079,15 @@ export function createMockPulseMCPAdminClient(mockData) {
                 message: `Cache successfully refreshed for ${slug}.`,
             };
         },
+        async setKnownMissingInitToolsList(id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo) {
+            return {
+                id,
+                slug: `mock-server-${id}`,
+                known_missing_init_tools_list: knownMissingInitToolsList,
+                known_missing_init_tools_list_filter_to: knownMissingInitToolsListFilterTo === undefined
+                    ? null
+                    : (knownMissingInitToolsListFilterTo ?? null),
+            };
+        },
     };
 }

package/shared/server.d.ts

@@ -1,5 +1,5 @@
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import type { Post, PostsResponse, CreatePostParams, UpdatePostParams, ImageUploadResponse, Author, AuthorsResponse, MCPServer, MCPClient, MCPImplementation, MCPImplementationsResponse, SaveMCPImplementationParams, CreateMCPImplementationParams, Provider, ProvidersResponse, OfficialMirrorQueueStatus, OfficialMirrorQueueResponse, OfficialMirrorQueueItemDetail, OfficialMirrorQueueActionResponse, UnofficialMirror, UnofficialMirrorsResponse, CreateUnofficialMirrorParams, UpdateUnofficialMirrorParams, OfficialMirrorRest, OfficialMirrorsResponse, Tenant, TenantsResponse, ListTenantServersResponse, BulkUpdateTenantServersParams, BulkUpdateTenantServersResponse, McpJson, McpJsonsResponse, CreateMcpJsonParams, UpdateMcpJsonParams, UnifiedMCPServer, UnifiedMCPServersResponse, UpdateUnifiedMCPServerParams, Redirect, RedirectsResponse, RedirectStatus, CreateRedirectParams, UpdateRedirectParams, GoodJob, GoodJobsResponse, GoodJobStatus, GoodJobCronSchedule, GoodJobProcess, GoodJobStatistics, GoodJobActionResponse, GoodJobCleanupResponse, ProctorRunExamParams, ProctorRunExamResponse, ProctorSaveResultsParams, ProctorSaveResultsResponse, ProctorRunsResponse, GetProctorRunsParams, ProctorMetadataResponse, DiscoveredUrlsResponse, MarkDiscoveredUrlProcessedParams, MarkDiscoveredUrlProcessedResponse, DiscoveredUrlStats, MozMetricsResponse, MozBacklinksResponse, MozStoredMetricsResponse, CreateTenantParams, ApiKey, CreateApiKeyParams, DeleteTenantParams, DeleteTenantResponse, DeleteApiKeyResponse, RecacheMCPServerResponse } from './types.js';
+import type { Post, PostsResponse, CreatePostParams, UpdatePostParams, ImageUploadResponse, Author, AuthorsResponse, MCPServer, MCPClient, MCPImplementation, MCPImplementationsResponse, SaveMCPImplementationParams, CreateMCPImplementationParams, Provider, ProvidersResponse, OfficialMirrorQueueStatus, OfficialMirrorQueueResponse, OfficialMirrorQueueItemDetail, OfficialMirrorQueueActionResponse, UnofficialMirror, UnofficialMirrorsResponse, CreateUnofficialMirrorParams, UpdateUnofficialMirrorParams, OfficialMirrorRest, OfficialMirrorsResponse, Tenant, TenantsResponse, ListTenantServersResponse, BulkUpdateTenantServersParams, BulkUpdateTenantServersResponse, McpJson, McpJsonsResponse, CreateMcpJsonParams, UpdateMcpJsonParams, UnifiedMCPServer, UnifiedMCPServersResponse, UpdateUnifiedMCPServerParams, Redirect, RedirectsResponse, RedirectStatus, CreateRedirectParams, UpdateRedirectParams, GoodJob, GoodJobsResponse, GoodJobStatus, GoodJobCronSchedule, GoodJobProcess, GoodJobStatistics, GoodJobActionResponse, GoodJobCleanupResponse, ProctorRunExamParams, ProctorRunExamResponse, ProctorSaveResultsParams, ProctorSaveResultsResponse, ProctorRunsResponse, GetProctorRunsParams, ProctorMetadataResponse, DiscoveredUrlsResponse, MarkDiscoveredUrlProcessedParams, MarkDiscoveredUrlProcessedResponse, DiscoveredUrlStats, MozMetricsResponse, MozBacklinksResponse, MozStoredMetricsResponse, CreateTenantParams, ApiKey, CreateApiKeyParams, DeleteTenantParams, DeleteTenantResponse, DeleteApiKeyResponse, RecacheMCPServerResponse, SetKnownMissingInitToolsListResponse } from './types.js';
 export interface IPulseMCPAdminClient {
     getPosts(params?: {
         search?: string;
@@ -135,6 +135,7 @@ export interface IPulseMCPAdminClient {
     getUnifiedMCPServer(slug: string): Promise<UnifiedMCPServer>;
     updateUnifiedMCPServer(implementationId: number, params: UpdateUnifiedMCPServerParams): Promise<UnifiedMCPServer>;
     recacheMCPServer(slug: string): Promise<RecacheMCPServerResponse>;
+    setKnownMissingInitToolsList(id: number, knownMissingInitToolsList: boolean, knownMissingInitToolsListFilterTo?: string | null): Promise<SetKnownMissingInitToolsListResponse>;
     getRedirects(params?: {
         q?: string;
         status?: RedirectStatus;
@@ -334,6 +335,7 @@ export declare class PulseMCPAdminClient implements IPulseMCPAdminClient {
     getUnifiedMCPServer(slug: string): Promise<UnifiedMCPServer>;
     updateUnifiedMCPServer(implementationId: number, params: UpdateUnifiedMCPServerParams): Promise<UnifiedMCPServer>;
     recacheMCPServer(slug: string): Promise<RecacheMCPServerResponse>;
+    setKnownMissingInitToolsList(id: number, knownMissingInitToolsList: boolean, knownMissingInitToolsListFilterTo?: string | null): Promise<SetKnownMissingInitToolsListResponse>;
     getRedirects(params?: {
         q?: string;
         status?: RedirectStatus;

package/shared/server.js

@@ -72,6 +72,7 @@ import { getMozMetrics } from './pulsemcp-admin-client/lib/get-moz-metrics.js';
 import { getMozBacklinks } from './pulsemcp-admin-client/lib/get-moz-backlinks.js';
 import { getMozStoredMetrics } from './pulsemcp-admin-client/lib/get-moz-stored-metrics.js';
 import { recacheMCPServer } from './pulsemcp-admin-client/lib/recache-mcp-server.js';
+import { setKnownMissingInitToolsList } from './pulsemcp-admin-client/lib/set-known-missing-init-tools-list.js';
 import { createTenant } from './pulsemcp-admin-client/lib/create-tenant.js';
 import { createApiKey } from './pulsemcp-admin-client/lib/create-api-key.js';
 import { deleteTenant } from './pulsemcp-admin-client/lib/delete-tenant.js';
@@ -245,6 +246,9 @@ export class PulseMCPAdminClient {
     async recacheMCPServer(slug) {
         return recacheMCPServer(this.apiKey, this.baseUrl, slug);
     }
+    async setKnownMissingInitToolsList(id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo) {
+        return setKnownMissingInitToolsList(this.apiKey, this.baseUrl, id, knownMissingInitToolsList, knownMissingInitToolsListFilterTo);
+    }
     // Redirect REST API methods
     async getRedirects(params) {
         return getRedirects(this.apiKey, this.baseUrl, params);

package/shared/tools/set-known-missing-init-tools-list.d.ts

@@ -0,0 +1,38 @@
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import type { ClientFactory } from '../server.js';
+export declare function setKnownMissingInitToolsList(_server: Server, clientFactory: ClientFactory): {
+    name: string;
+    description: string;
+    inputSchema: {
+        type: string;
+        properties: {
+            id: {
+                type: string;
+                description: "The integer id of the MCP server (the \"mirror id\" used elsewhere in the proctor flow)";
+            };
+            known_missing_init_tools_list: {
+                type: string;
+                description: "Whether the MCP server is known to be missing the init/tools-list capability. true marks the server as known-missing (proctor will skip the init/tools-list exam); false clears the flag.";
+            };
+            known_missing_init_tools_list_filter_to: {
+                type: string[];
+                description: "Optional. When set, scopes the known-missing flag to a specific entry (e.g., \"remotes[0]\" or \"packages[0]\"). Pass an empty string or null to clear the filter. Omit the parameter entirely to leave the existing value untouched.";
+            };
+        };
+        required: string[];
+    };
+    handler: (args: unknown) => Promise<{
+        content: {
+            type: string;
+            text: string;
+        }[];
+        isError?: undefined;
+    } | {
+        content: {
+            type: string;
+            text: string;
+        }[];
+        isError: boolean;
+    }>;
+};
+//# sourceMappingURL=set-known-missing-init-tools-list.d.ts.map

package/shared/tools/set-known-missing-init-tools-list.js

@@ -0,0 +1,75 @@
+import { z } from 'zod';
+const PARAM_DESCRIPTIONS = {
+    id: 'The integer id of the MCP server (the "mirror id" used elsewhere in the proctor flow)',
+    known_missing_init_tools_list: 'Whether the MCP server is known to be missing the init/tools-list capability. true marks the server as known-missing (proctor will skip the init/tools-list exam); false clears the flag.',
+    known_missing_init_tools_list_filter_to: 'Optional. When set, scopes the known-missing flag to a specific entry (e.g., "remotes[0]" or "packages[0]"). Pass an empty string or null to clear the filter. Omit the parameter entirely to leave the existing value untouched.',
+};
+const SetKnownMissingInitToolsListSchema = z.object({
+    id: z.number().int().describe(PARAM_DESCRIPTIONS.id),
+    known_missing_init_tools_list: z
+        .boolean()
+        .describe(PARAM_DESCRIPTIONS.known_missing_init_tools_list),
+    known_missing_init_tools_list_filter_to: z
+        .string()
+        .nullable()
+        .optional()
+        .describe(PARAM_DESCRIPTIONS.known_missing_init_tools_list_filter_to),
+});
+export function setKnownMissingInitToolsList(_server, clientFactory) {
+    return {
+        name: 'set_known_missing_init_tools_list',
+        description: `Update the \`known_missing_init_tools_list\` flag on an MCP server. Optionally also updates the \`known_missing_init_tools_list_filter_to\` scoping value. Identifies the server by integer id (the "mirror id" used elsewhere in the proctor flow).
+
+Example request:
+{
+  "id": 27765,
+  "known_missing_init_tools_list": true,
+  "known_missing_init_tools_list_filter_to": "remotes[0]"
+}
+
+Use cases:
+- Mark a server as known-missing the init/tools-list capability so proctor skips that exam
+- Clear the known-missing flag once the server starts responding correctly
+- Scope the known-missing flag to a specific remote/package entry via the filter_to value`,
+        inputSchema: {
+            type: 'object',
+            properties: {
+                id: { type: 'integer', description: PARAM_DESCRIPTIONS.id },
+                known_missing_init_tools_list: {
+                    type: 'boolean',
+                    description: PARAM_DESCRIPTIONS.known_missing_init_tools_list,
+                },
+                known_missing_init_tools_list_filter_to: {
+                    type: ['string', 'null'],
+                    description: PARAM_DESCRIPTIONS.known_missing_init_tools_list_filter_to,
+                },
+            },
+            required: ['id', 'known_missing_init_tools_list'],
+        },
+        handler: async (args) => {
+            const validatedArgs = SetKnownMissingInitToolsListSchema.parse(args);
+            const client = clientFactory();
+            try {
+                const result = await client.setKnownMissingInitToolsList(validatedArgs.id, validatedArgs.known_missing_init_tools_list, validatedArgs.known_missing_init_tools_list_filter_to);
+                const filterDisplay = result.known_missing_init_tools_list_filter_to === null
+                    ? '(none)'
+                    : result.known_missing_init_tools_list_filter_to;
+                const text = `Updated MCP server ${result.slug} (id: ${result.id}):
+- known_missing_init_tools_list: ${result.known_missing_init_tools_list}
+- known_missing_init_tools_list_filter_to: ${filterDisplay}`;
+                return { content: [{ type: 'text', text }] };
+            }
+            catch (error) {
+                return {
+                    content: [
+                        {
+                            type: 'text',
+                            text: `Error setting known_missing_init_tools_list: ${error instanceof Error ? error.message : String(error)}`,
+                        },
+                    ],
+                    isError: true,
+                };
+            }
+        },
+    };
+}

package/shared/tools.d.ts

@@ -18,8 +18,8 @@ import { ClientFactory } from './server.js';
  * - official_queue / official_queue_readonly: Official mirror queue tools (list, get, approve, reject, unlink)
  * - unofficial_mirrors / unofficial_mirrors_readonly: Unofficial mirror CRUD tools
  * - official_mirrors_readonly: Official mirrors read-only tools (REST API)
- * - tenants / tenants_readonly: Tenant management tools (CRUD + API key provisioning, including revoke_api_key for rolling keys after re-issuance)
- * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key). NOT enabled by default — operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
+ * - tenants / tenants_readonly: Tenant management tools (CRUD + API key provisioning)
+ * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key, revoke_api_key). NOT enabled by default — operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution. revoke_api_key lives here (not in `tenants`) because it calls the same DELETE /api/api_keys/:id endpoint as delete_api_key, which the Rails admin API gates behind permission_level=all.
  * - mcp_jsons / mcp_jsons_readonly: MCP JSON configuration tools
  * - mcp_servers / mcp_servers_readonly: Unified MCP server tools (abstracted interface)
  * - redirects / redirects_readonly: URL redirect management tools
@@ -61,9 +61,9 @@ export declare function parseEnabledToolGroups(enabledGroupsParam?: string): Too
  * - unofficial_mirrors: Unofficial mirror CRUD tools (read + write)
  * - unofficial_mirrors_readonly: Unofficial mirror tools (read only)
  * - official_mirrors_readonly: Official mirrors REST API tools (read only)
- * - tenants: Tenant management tools including API key provisioning + revoke_api_key (read + write). revoke_api_key is gated by MCP elicitation user approval before execution.
+ * - tenants: Tenant management tools including API key provisioning (read + write).
  * - tenants_readonly: Tenant tools (read only)
- * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key). NOT enabled by default; operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
+ * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key, revoke_api_key). NOT enabled by default; operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
  * - mcp_jsons: MCP JSON configuration tools (read + write)
  * - mcp_jsons_readonly: MCP JSON tools (read only)
  * - mcp_servers: Unified MCP server tools with abstracted interface (read + write)

package/shared/tools.js

@@ -70,6 +70,7 @@ import { runExamForMirror } from './tools/run-exam-for-mirror.js';
 import { getExamResult } from './tools/get-exam-result.js';
 import { saveResultsForMirror } from './tools/save-results-for-mirror.js';
 import { listProctorRuns } from './tools/list-proctor-runs.js';
+import { setKnownMissingInitToolsList } from './tools/set-known-missing-init-tools-list.js';
 import { getProctorMetadata } from './tools/get-proctor-metadata.js';
 // Discovered URLs tools
 import { listDiscoveredUrls } from './tools/list-discovered-urls.js';
@@ -184,13 +185,14 @@ const ALL_TOOLS = [
     { factory: getTenant, groups: ['tenants'], isWriteOperation: false },
     { factory: createTenant, groups: ['tenants'], isWriteOperation: true },
     { factory: createApiKey, groups: ['tenants'], isWriteOperation: true },
-    // revoke_api_key lives in the regular `tenants` group (not `tenants_destructive`) so
-    // it's exposed to read-write tenant management workflows like sub-registry credential
-    // re-issuance. The tool gates each call with MCP elicitation; if the connected client
-    // supports neither native elicitation nor an HTTP fallback, the elicitation library
-    // throws at runtime rather than silently destroying the key.
-    { factory: revokeApiKey, groups: ['tenants'], isWriteOperation: true },
-    // Destructive tenant tools — opt-in only, NOT in BASE_TOOL_GROUPS
+    // Destructive tenant tools — opt-in only, NOT in BASE_TOOL_GROUPS.
+    // revoke_api_key lives here (not in `tenants`) because it calls the same
+    // DELETE /api/api_keys/:id endpoint as delete_api_key and the Rails admin
+    // API gates that endpoint behind permission_level=all (full_access). The
+    // standard read-write admin credential cannot DELETE, so exposing
+    // revoke_api_key in the regular tenants group surfaced confusing 403s on
+    // workflows like sub-registry credential re-issuance.
+    { factory: revokeApiKey, groups: ['tenants_destructive'], isWriteOperation: true },
     { factory: deleteTenant, groups: ['tenants_destructive'], isWriteOperation: true },
     { factory: deleteApiKey, groups: ['tenants_destructive'], isWriteOperation: true },
     // Tenant -> recommended MCP server association tools
@@ -267,6 +269,13 @@ const ALL_TOOLS = [
     { factory: saveResultsForMirror, groups: ['proctor'], isWriteOperation: true },
     { factory: listProctorRuns, groups: ['proctor'], isWriteOperation: false },
     { factory: getProctorMetadata, groups: ['proctor'], isWriteOperation: false },
+    // setKnownMissingInitToolsList flips a flag on `mcp_server` records, so it lives in
+    // the mcp_servers / server_directory groups (alongside recacheMCPServer), not proctor.
+    {
+        factory: setKnownMissingInitToolsList,
+        groups: ['mcp_servers', 'server_directory'],
+        isWriteOperation: true,
+    },
     // Discovered URLs tools
     { factory: listDiscoveredUrls, groups: ['discovered_urls'], isWriteOperation: false },
     {
@@ -402,9 +411,9 @@ function shouldIncludeTool(toolDef, enabledGroups) {
  * - unofficial_mirrors: Unofficial mirror CRUD tools (read + write)
  * - unofficial_mirrors_readonly: Unofficial mirror tools (read only)
  * - official_mirrors_readonly: Official mirrors REST API tools (read only)
- * - tenants: Tenant management tools including API key provisioning + revoke_api_key (read + write). revoke_api_key is gated by MCP elicitation user approval before execution.
+ * - tenants: Tenant management tools including API key provisioning (read + write).
  * - tenants_readonly: Tenant tools (read only)
- * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key). NOT enabled by default; operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
+ * - tenants_destructive: Destructive tenant tools (delete_tenant, delete_api_key, revoke_api_key). NOT enabled by default; operators must opt in via TOOL_GROUPS. Each tool requires MCP elicitation user approval before execution.
  * - mcp_jsons: MCP JSON configuration tools (read + write)
  * - mcp_jsons_readonly: MCP JSON tools (read only)
  * - mcp_servers: Unified MCP server tools with abstracted interface (read + write)

package/shared/types.d.ts

@@ -891,6 +891,12 @@ export interface DeleteApiKeyResponse {
 export interface RecacheMCPServerResponse {
     message: string;
 }
+export interface SetKnownMissingInitToolsListResponse {
+    id: number;
+    slug: string;
+    known_missing_init_tools_list: boolean;
+    known_missing_init_tools_list_filter_to: string | null;
+}
 export interface MozMetrics {
     page_authority?: number;
     domain_authority?: number;