taskover-mcp 1.0.1 → 1.2.0

package/scripts/build-publish.sh

@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Build the publish artifact for taskover-mcp npm package.
+# This script assembles a clean directory containing ONLY cloud-mode files.
+# Local-mode files (data-store.js, db.js, etc.) are NEVER copied.
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+MCP_DIR="$(dirname "$SCRIPT_DIR")"
+PUBLISH_DIR="$MCP_DIR/publish"
+
+echo "[build] Cleaning publish directory..."
+mkdir -p "$PUBLISH_DIR"
+rm -f "$PUBLISH_DIR"/* 2>/dev/null || true
+
+echo "[build] Copying cloud-mode files..."
+cp "$MCP_DIR/index.js"          "$PUBLISH_DIR/index.js"
+cp "$MCP_DIR/cloud-adapter.js"  "$PUBLISH_DIR/cloud-adapter.js"
+cp "$MCP_DIR/tool-map.js"       "$PUBLISH_DIR/tool-map.js"
+
+echo "[build] Writing package.json..."
+cat > "$PUBLISH_DIR/package.json" << 'PKGJSON'
+{
+  "name": "taskover-mcp",
+  "version": "1.0.0",
+  "description": "MCP server for TaskOver.gg - connect your AI assistant to your game dev projects",
+  "main": "index.js",
+  "bin": "index.js",
+  "keywords": ["mcp", "taskover", "gamedev", "project-management", "claude"],
+  "author": "TaskOver, LLC <hello@taskover.gg>",
+  "license": "MIT",
+  "homepage": "https://taskover.gg",
+  "repository": { "type": "git", "url": "https://github.com/taskover/mcp" },
+  "engines": { "node": ">=20.0.0" },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0"
+  }
+}
+PKGJSON
+
+echo "[build] Writing README..."
+cat > "$PUBLISH_DIR/README.md" << 'README'
+# taskover-mcp
+
+MCP server for [TaskOver.gg](https://taskover.gg) - connect Claude Desktop, Claude Code, Cursor, or Windsurf to your game dev project data.
+
+## Setup
+
+1. Get your API key from taskover.gg -> Settings -> Security
+2. Add to your AI host config:
+
+```json
+{
+  "mcpServers": {
+    "taskover": {
+      "command": "npx",
+      "args": ["-y", "taskover-mcp@latest"],
+      "env": {
+        "TASKOVER_API_KEY": "tok_paste-your-key-here"
+      }
+    }
+  }
+}
+```
+
+3. Restart your AI host
+
+Your API key is stored in plaintext in the config file. For better security, use browser auth (the default) — it stores tokens in your OS keychain instead.
+README
+
+# SECURITY: Verify no local-mode files leaked into publish directory
+echo "[build] Safety check: verifying no local-mode files present..."
+for banned in data-store.js db.js "better-sqlite3" "package-lock.json"; do
+  if [ -e "$PUBLISH_DIR/$banned" ]; then
+    echo "[FATAL] Local-mode file '$banned' found in publish directory!"
+    exit 1
+  fi
+done
+
+# Verify cloud-adapter.js doesn't require data-store or db
+if grep -q "require.*data-store\|require.*\/db" "$PUBLISH_DIR/cloud-adapter.js"; then
+  echo "[FATAL] cloud-adapter.js contains local-mode require!"
+  exit 1
+fi
+
+echo "[build] Checking index.js for local-mode requires in cloud path..."
+# This is a rough check -- the actual cloud-mode code path must not require data-store
+# The local-mode require is behind an if (LOCAL_MODE) guard, which is acceptable
+
+echo "[build] Publish directory ready at: $PUBLISH_DIR"
+echo "[build] Contents:"
+ls -la "$PUBLISH_DIR"
+echo ""
+echo "[build] To publish: cd $PUBLISH_DIR && npm publish"
+echo "[build] To dry-run: cd $PUBLISH_DIR && npm publish --dry-run"

package/scripts/test-auth-failure.js

@@ -0,0 +1,68 @@
+#!/usr/bin/env node
+// test-auth-failure.js — Auth failure tests for all 52 write tools + 5 sample reads
+// Requires network access to api.taskover.gg (uses an invalid key)
+// Usage: node mcp-server/scripts/test-auth-failure.js
+//
+// Tests: Every write method with a bad key → AUTH_FAILED, no key in error
+
+"use strict";
+
+const adapter = require("../cloud-adapter.js");
+const { MCP_ALLOWED_WRITES, MCP_ALLOWED_READS } = require("../cloud-adapter.js");
+
+const BAD_KEY = "tok_definitely_invalid_for_auth_test";
+adapter.init(BAD_KEY);
+
+const results = [];
+
+// Sample 5 reads for auth failure verification
+const sampleReads = ["listProjects", "getTasks", "getBugs", "getSystems", "dashboard"];
+
+async function testMethod(method, args, type) {
+  try {
+    await adapter.callRpc(method, args);
+    results.push({ method, type, status: "FAIL", reason: "did not throw" });
+  } catch (err) {
+    const isAuthFailed = err.message === "AUTH_FAILED";
+    const keyLeaked = err.message.includes(BAD_KEY) || (err.stack && err.stack.includes(BAD_KEY));
+    if (isAuthFailed && !keyLeaked) {
+      results.push({ method, type, status: "PASS", reason: "" });
+    } else if (!isAuthFailed) {
+      results.push({ method, type, status: "FAIL", reason: `expected AUTH_FAILED, got: ${err.message.slice(0, 80)}` });
+    } else {
+      results.push({ method, type, status: "FAIL", reason: "key leaked in error" });
+    }
+  }
+}
+
+async function run() {
+  console.log("Testing auth failure with invalid key...\n");
+
+  // Test all 52 writes
+  for (const method of MCP_ALLOWED_WRITES) {
+    await testMethod(method, [{ projectId: "test", title: "should-fail" }], "write");
+  }
+
+  // Sample 5 reads
+  for (const method of sampleReads) {
+    const args = method === "listProjects" ? [] : ["test"];
+    await testMethod(method, args, "read-sample");
+  }
+
+  // Output
+  const passed = results.filter(r => r.status === "PASS").length;
+  const failed = results.filter(r => r.status === "FAIL").length;
+
+  console.log("\n| # | Method | Type | Status | Notes |");
+  console.log("|---|--------|------|--------|-------|");
+  results.forEach((r, i) => {
+    console.log(`| ${i + 1} | ${r.method} | ${r.type} | ${r.status} | ${r.reason} |`);
+  });
+
+  console.log(`\nPASS: ${passed}  FAIL: ${failed}  TOTAL: ${results.length}`);
+  console.log(`Writes: ${[...MCP_ALLOWED_WRITES].length}  Read samples: ${sampleReads.length}`);
+
+  if (failed > 0) process.exit(1);
+}
+
+run().catch(err => { console.error(err); process.exit(1); });

package/scripts/test-success.js

@@ -0,0 +1,232 @@
+#!/usr/bin/env node
+// test-success.js — Live success tests for all 85 cloud MCP tools
+// Requires: TASKOVER_API_KEY (valid key), TEST_PROJECT_ID (project with data)
+// Usage: TASKOVER_API_KEY=tok_xxx TEST_PROJECT_ID=village node mcp-server/scripts/test-success.js
+//
+// Tests:
+//   - Read tools: callRpc returns data without error
+//   - Write tools: callRpc succeeds, returns non-null
+//   - Roundtrip: add methods create records that appear in corresponding get
+
+"use strict";
+
+const adapter = require("../cloud-adapter.js");
+const { TOOL_MAP } = require("../tool-map.js");
+
+const API_KEY = process.env.TASKOVER_API_KEY;
+const PID = process.env.TEST_PROJECT_ID;
+
+if (!API_KEY) { console.error("Set TASKOVER_API_KEY"); process.exit(1); }
+if (!PID) { console.error("Set TEST_PROJECT_ID"); process.exit(1); }
+
+adapter.init(API_KEY);
+
+// Created record IDs from add operations — used by update/record tests
+const created = {};
+
+// ── Test data per tool ──
+// Each entry: { args: [...], expect: "array"|"object"|"string"|"any", skip?: true, reason?: string }
+// "any" means we just check for no error.
+
+function testData(toolName, mapping) {
+  const rpc = mapping.rpc;
+  const ts = Date.now().toString(36);
+
+  // ── Reads ──
+  if (rpc === "listProjects") return { args: [], expect: "array" };
+  if (rpc === "dashboard") return { args: [PID], expect: "object" };
+  if (rpc === "contextExport") return { args: [PID], expect: "any" };
+  if (rpc === "search") return { args: [PID, "test"], expect: "any" };
+  if (rpc === "getTasks") return { args: [PID], expect: "array" };
+  if (rpc === "getBugs") return { args: [PID], expect: "array" };
+  if (rpc === "getSystems") return { args: [PID], expect: "array" };
+  if (rpc === "getMilestones") return { args: [PID], expect: "array" };
+  if (rpc === "getSessions") return { args: [PID], expect: "array" };
+  if (rpc === "getChangelog") return { args: [PID], expect: "array" };
+  if (rpc === "getDecisions") return { args: [PID], expect: "array" };
+  if (rpc === "getBlueprints") return { args: [PID], expect: "array" };
+  if (rpc === "getNotes") return { args: [PID], expect: "array" };
+  if (rpc === "getBuildErrors") return { args: [PID], expect: "array" };
+  if (rpc === "getAssets") return { args: [PID], expect: "array" };
+  if (rpc === "getOptimizeItems") return { args: [PID], expect: "array" };
+  if (rpc === "getPerfBudget") return { args: [PID], expect: "array" };
+  if (rpc === "getLevels") return { args: [PID], expect: "array" };
+  if (rpc === "getMarketingItems") return { args: [PID], expect: "array" };
+  if (rpc === "getDialogues") return { args: [PID], expect: "array" };
+  if (rpc === "getSounds") return { args: [PID], expect: "array" };
+  if (rpc === "getControls") return { args: [PID], expect: "array" };
+  if (rpc === "getRefs") return { args: [PID], expect: "array" };
+  if (rpc === "getPlugins") return { args: [PID], expect: "array" };
+  if (rpc === "getShipChecked") return { args: [PID], expect: "any" };
+  if (rpc === "getIterations") return { args: [PID], expect: "array" };
+  if (rpc === "getPlaytests") return { args: [PID], expect: "array" };
+  if (rpc === "getOpenQuestions") return { args: [PID], expect: "array" };
+  if (rpc === "getWikiPages") return { args: [PID], expect: "array" };
+  if (rpc === "getStories") return { args: [PID], expect: "array" };
+  if (rpc === "getScenes") return { args: [PID], expect: "array" };
+  if (rpc === "getStoryBible") return { args: [PID], expect: "any" };
+
+  // getSceneContent needs a scene_id — defer to after addScene
+  if (rpc === "getSceneContent") return { args: [], expect: "any", deferred: "scene" };
+
+  // ── Writes: add methods ──
+  if (rpc === "addTask") return { args: [{ projectId: PID, title: `cloud-test-${ts}`, status: "todo", priority: "medium", createdBy: "Assistant" }], expect: "any", track: "task" };
+  if (rpc === "addBug") return { args: [{ projectId: PID, title: `cloud-bug-${ts}` }], expect: "any", track: "bug" };
+  if (rpc === "addSystem") return { args: [{ projectId: PID, name: `cloud-sys-${ts}` }], expect: "any", track: "system" };
+  if (rpc === "logSession") return { args: [{ projectId: PID, title: `cloud-session-${ts}` }], expect: "any" };
+  if (rpc === "addChangelog") return { args: [{ projectId: PID, title: `cloud-cl-${ts}`, changes: "test" }], expect: "any" };
+  if (rpc === "logDecision") return { args: [{ projectId: PID, decision: `cloud-dec-${ts}` }], expect: "any" };
+  if (rpc === "addBlueprint") return { args: [{ projectId: PID, name: `cloud-bp-${ts}` }], expect: "any", track: "blueprint" };
+  if (rpc === "addNote") return { args: [{ projectId: PID, content: `cloud-note-${ts}` }], expect: "any" };
+  if (rpc === "addBuildError") return { args: [{ projectId: PID, error: `cloud-err-${ts}` }], expect: "any", track: "buildError" };
+  if (rpc === "addLevel") return { args: [{ projectId: PID, name: `cloud-lvl-${ts}` }], expect: "any", track: "level" };
+  if (rpc === "addPlugin") return { args: [{ projectId: PID, name: `cloud-plug-${ts}` }], expect: "any", track: "plugin" };
+  if (rpc === "addOptimizeItem") return { args: [{ projectId: PID, title: `cloud-opt-${ts}` }], expect: "any", track: "optimizeItem" };
+  if (rpc === "addPerfBudget") return { args: [{ projectId: PID, scene: `cloud-perf-${ts}` }], expect: "any" };
+  if (rpc === "addPlaytest") return { args: [{ projectId: PID }], expect: "any" };
+  if (rpc === "addMilestone") return { args: [{ projectId: PID, title: `cloud-ms-${ts}` }], expect: "any", track: "milestone" };
+  if (rpc === "addIteration") return { args: [{ projectId: PID, feature: `cloud-iter-${ts}` }], expect: "any" };
+  if (rpc === "addDialogue") return { args: [{ projectId: PID, npc: `cloud-npc-${ts}` }], expect: "any", track: "dialogue" };
+  if (rpc === "addSound") return { args: [{ projectId: PID, name: `cloud-snd-${ts}` }], expect: "any", track: "sound" };
+  if (rpc === "addControl") return { args: [{ projectId: PID, key: "W", action: `cloud-ctrl-${ts}` }], expect: "any", track: "control" };
+  if (rpc === "addAsset") return { args: [{ projectId: PID, name: `cloud-asset-${ts}` }], expect: "any", track: "asset" };
+  if (rpc === "addRef") return { args: [{ projectId: PID, title: `cloud-ref-${ts}` }], expect: "any" };
+  if (rpc === "addMarketingItem") return { args: [{ projectId: PID, item: `cloud-mkt-${ts}` }], expect: "any", track: "marketingItem" };
+  if (rpc === "addWikiPage") return { args: [{ projectId: PID, title: `cloud-wiki-${ts}` }], expect: "any", track: "wikiPage" };
+  if (rpc === "addOpenQuestion") return { args: [{ projectId: PID, text: `cloud-q-${ts}` }], expect: "any", track: "question" };
+  if (rpc === "addStory") return { args: [{ projectId: PID, sectionId: `s-${ts}`, section: `cloud-story-${ts}` }], expect: "any", track: "story" };
+  if (rpc === "addScene") return { args: [{ projectId: PID, title: `cloud-scene-${ts}` }], expect: "any", track: "scene" };
+  if (rpc === "addStoryCharacter") return { args: [PID, { name: `cloud-char-${ts}` }], expect: "any" };
+  if (rpc === "logBackup") return { args: [{ projectId: PID, title: `cloud-bak-${ts}` }], expect: "any" };
+
+  // ── Writes: update/record methods (need created IDs) ──
+  if (rpc === "updateTask") return { args: [], expect: "any", deferred: "task" };
+  if (rpc === "moveTask") return { args: [], expect: "any", deferred: "task" };
+  if (rpc === "addTaskComment") return { args: [], expect: "any", deferred: "task" };
+  if (rpc === "fixBug") return { args: [], expect: "any", deferred: "bug" };
+  if (rpc === "updateSystem") return { args: [], expect: "any", deferred: "system" };
+  if (rpc === "updateBlueprint") return { args: [], expect: "any", deferred: "blueprint" };
+  if (rpc === "fixBuildError") return { args: [], expect: "any", deferred: "buildError" };
+  if (rpc === "updateLevel") return { args: [], expect: "any", deferred: "level" };
+  if (rpc === "addActor") return { args: [], expect: "any", deferred: "level" };
+  if (rpc === "removeActor") return { args: [], expect: "any", deferred: "level" };
+  if (rpc === "updatePlugin") return { args: [], expect: "any", deferred: "plugin" };
+  if (rpc === "updateOptimizeItem") return { args: [], expect: "any", deferred: "optimizeItem" };
+  if (rpc === "updateMilestone") return { args: [], expect: "any", deferred: "milestone" };
+  if (rpc === "updateDialogue") return { args: [], expect: "any", deferred: "dialogue" };
+  if (rpc === "updateSound") return { args: [], expect: "any", deferred: "sound" };
+  if (rpc === "updateControl") return { args: [], expect: "any", deferred: "control" };
+  if (rpc === "updateAsset") return { args: [], expect: "any", deferred: "asset" };
+  if (rpc === "updateMarketingItem") return { args: [], expect: "any", deferred: "marketingItem" };
+  if (rpc === "updateWikiPage") return { args: [], expect: "any", deferred: "wikiPage" };
+  if (rpc === "updateStoryBible") return { args: [PID, { title: `bible-${ts}` }], expect: "any" };
+  if (rpc === "updateStory") return { args: [], expect: "any", deferred: "story" };
+  if (rpc === "updateScene") return { args: [], expect: "any", deferred: "scene" };
+  if (rpc === "toggleShipCheck") return { args: [PID, "perf-check"], expect: "any" };
+  if (rpc === "toggleQuestion") return { args: [], expect: "any", deferred: "question" };
+
+  return { args: [], expect: "any", skip: true, reason: `no test data for ${rpc}` };
+}
+
+// Build deferred args once we have created IDs
+function deferredArgs(rpc, id) {
+  const ts = Date.now().toString(36);
+  if (rpc === "updateTask") return [id, { title: `updated-${ts}` }];
+  if (rpc === "moveTask") return [id, "doing"];
+  if (rpc === "addTaskComment") return [id, `comment-${ts}`];
+  if (rpc === "fixBug") return [id, `fixed-${ts}`];
+  if (rpc === "updateSystem") return [id, { name: `updated-${ts}` }];
+  if (rpc === "updateBlueprint") return [id, { name: `updated-${ts}` }];
+  if (rpc === "fixBuildError") return [id, `fix-${ts}`];
+  if (rpc === "updateLevel") return [id, { name: `updated-${ts}` }];
+  if (rpc === "addActor") return [id, { name: `actor-${ts}` }];
+  if (rpc === "removeActor") return [id, 0];
+  if (rpc === "updatePlugin") return [id, { name: `updated-${ts}` }];
+  if (rpc === "updateOptimizeItem") return [id, { title: `updated-${ts}` }];
+  if (rpc === "updateMilestone") return [id, { title: `updated-${ts}` }];
+  if (rpc === "updateDialogue") return [id, { npc: `updated-${ts}` }];
+  if (rpc === "updateSound") return [id, { name: `updated-${ts}` }];
+  if (rpc === "updateControl") return [id, { key: "E" }];
+  if (rpc === "updateAsset") return [id, { name: `updated-${ts}` }];
+  if (rpc === "updateMarketingItem") return [id, { item: `updated-${ts}` }];
+  if (rpc === "updateWikiPage") return [id, { title: `updated-${ts}` }];
+  if (rpc === "updateStory") return [id, { section: `updated-${ts}` }];
+  if (rpc === "updateScene") return [id, { title: `updated-${ts}` }];
+  if (rpc === "toggleQuestion") return [id];
+  if (rpc === "getSceneContent") return [id];
+  return null;
+}
+
+async function run() {
+  console.log(`Testing ${Object.keys(TOOL_MAP).length} tools against ${PID}...\n`);
+
+  const results = [];
+  const deferred = []; // { toolName, rpc, dependsOn }
+
+  // Phase 1: run reads + adds (collect IDs)
+  for (const [toolName, mapping] of Object.entries(TOOL_MAP)) {
+    const td = testData(toolName, mapping);
+    if (td.skip) {
+      results.push({ tool: toolName, rpc: mapping.rpc, status: "SKIP", reason: td.reason });
+      continue;
+    }
+    if (td.deferred) {
+      deferred.push({ toolName, rpc: mapping.rpc, dependsOn: td.deferred });
+      continue;
+    }
+
+    try {
+      const result = await adapter.callRpc(mapping.rpc, td.args);
+      let ok = true;
+      if (td.expect === "array" && !Array.isArray(result)) ok = false;
+      if (td.expect === "object" && (typeof result !== "object" || Array.isArray(result))) ok = false;
+
+      if (td.track && result && typeof result === "object") {
+        created[td.track] = result.id || result.insertedId || null;
+      }
+
+      results.push({ tool: toolName, rpc: mapping.rpc, status: ok ? "PASS" : "FAIL", reason: ok ? "" : `expected ${td.expect}, got ${typeof result}` });
+    } catch (err) {
+      results.push({ tool: toolName, rpc: mapping.rpc, status: "FAIL", reason: err.message.slice(0, 120) });
+    }
+  }
+
+  // Phase 2: run deferred (update/record methods using created IDs)
+  for (const { toolName, rpc, dependsOn } of deferred) {
+    const id = created[dependsOn];
+    if (!id) {
+      results.push({ tool: toolName, rpc, status: "SKIP", reason: `no ${dependsOn} ID from add phase` });
+      continue;
+    }
+
+    const args = deferredArgs(rpc, id);
+    if (!args) {
+      results.push({ tool: toolName, rpc, status: "SKIP", reason: `no deferred test data for ${rpc}` });
+      continue;
+    }
+
+    try {
+      await adapter.callRpc(rpc, args);
+      results.push({ tool: toolName, rpc, status: "PASS", reason: "" });
+    } catch (err) {
+      results.push({ tool: toolName, rpc, status: "FAIL", reason: err.message.slice(0, 120) });
+    }
+  }
+
+  // ── Output ──
+  const passed = results.filter(r => r.status === "PASS").length;
+  const failed = results.filter(r => r.status === "FAIL").length;
+  const skipped = results.filter(r => r.status === "SKIP").length;
+
+  console.log("\n| # | Tool | RPC | Status | Notes |");
+  console.log("|---|------|-----|--------|-------|");
+  results.forEach((r, i) => {
+    console.log(`| ${i + 1} | ${r.tool} | ${r.rpc} | ${r.status} | ${r.reason} |`);
+  });
+
+  console.log(`\nPASS: ${passed}  FAIL: ${failed}  SKIP: ${skipped}  TOTAL: ${results.length}`);
+
+  if (failed > 0) process.exit(1);
+}
+
+run().catch(err => { console.error(err); process.exit(1); });

package/scripts/test-validation.js

@@ -0,0 +1,105 @@
+#!/usr/bin/env node
+// test-validation.js — Schema validation tests for all 85 cloud MCP tools
+// Runs locally, no API key or network needed.
+// Usage: node mcp-server/scripts/test-validation.js
+//
+// Tests per tool:
+//   1. Missing each required field → errors
+//   2. Wrong type on first string field → errors
+//   3. Unknown field injection → stripped from cleaned output
+
+"use strict";
+
+const { TOOL_MAP, validateSchema } = require("../tool-map.js");
+
+let pass = 0;
+let fail = 0;
+const failures = [];
+
+function assert(cond, toolName, msg) {
+  if (cond) { pass++; return; }
+  fail++;
+  failures.push(`${toolName}: ${msg}`);
+}
+
+// Build minimal valid args for a given schema
+function buildValidArgs(schema) {
+  const args = {};
+  for (const [field, type] of Object.entries(schema.fields || {})) {
+    if (type === "string") args[field] = `test_${field}`;
+    else if (type === "number") args[field] = 1;
+    else if (type === "boolean") args[field] = true;
+    else if (type === "array") args[field] = [];
+    else if (type === "object") args[field] = {};
+    else args[field] = `test_${field}`;
+  }
+  return args;
+}
+
+// Find first string-typed field in schema
+function firstStringField(schema) {
+  for (const [field, type] of Object.entries(schema.fields || {})) {
+    if (type === "string") return field;
+  }
+  return null;
+}
+
+const toolNames = Object.keys(TOOL_MAP);
+console.log(`Testing ${toolNames.length} tools...\n`);
+
+for (const name of toolNames) {
+  const mapping = TOOL_MAP[name];
+  const { schema } = mapping;
+  const validArgs = buildValidArgs(schema);
+
+  // ── Test 1: Missing required fields ──
+  for (const field of (schema.required || [])) {
+    const args = { ...validArgs };
+    delete args[field];
+    const { errors } = validateSchema(args, schema);
+    assert(
+      errors.length > 0,
+      name,
+      `should reject missing required field: ${field}`
+    );
+    assert(
+      errors.some(e => e.includes(field)),
+      name,
+      `error message should name the missing field: ${field}`
+    );
+  }
+
+  // ── Test 2: Wrong type ──
+  const sf = firstStringField(schema);
+  if (sf) {
+    const args = { ...validArgs, [sf]: 99999 };
+    const { errors } = validateSchema(args, schema);
+    assert(
+      errors.length > 0,
+      name,
+      `should reject wrong type on field: ${sf} (sent number, expected string)`
+    );
+  }
+
+  // ── Test 3: Unknown field injection ──
+  const injected = { ...validArgs, userId: "injected", isAdmin: true, __proto__hack: "x" };
+  const { cleaned } = validateSchema(injected, schema);
+  assert(!("userId" in cleaned), name, "should strip injected 'userId'");
+  assert(!("isAdmin" in cleaned), name, "should strip injected 'isAdmin'");
+  assert(!("__proto__hack" in cleaned), name, "should strip injected '__proto__hack'");
+}
+
+// ── Summary ──
+console.log("─".repeat(60));
+console.log(`PASS: ${pass}`);
+console.log(`FAIL: ${fail}`);
+console.log(`TOOLS: ${toolNames.length}`);
+console.log("─".repeat(60));
+
+if (failures.length > 0) {
+  console.log("\nFAILURES:");
+  for (const f of failures) console.log(`  ✗ ${f}`);
+  process.exit(1);
+}
+
+console.log("\nAll validation tests passed.");

package/tool-map.js

@@ -1141,6 +1141,64 @@ const TOOL_MAP = {
   // Unblock path: fix RPC registry record:"scenes" → project:true
 
   // REMOVED: taskovergg_get_activity_feed — not in M0 matrix (no MCP tool in TOOLS array)
+
+  // ── Blueprint Intelligence ──
+  taskovergg_sync_blueprint_data: {
+    rpc: "syncDiscoveredBps",
+    schema: {
+      required: ["project_id", "schema_version", "blueprints"],
+      fields: { project_id: "string", schema_version: "number", blueprints: "array" },
+    },
+    args: (c, r) => [r.project_id, r.blueprints, r.schema_version],
+  },
+  taskovergg_sync_debug: {
+    rpc: "getSyncDebugInfo",
+    schema: { required: ["project_id"], fields: { project_id: "string" } },
+    args: (c, r) => [r.project_id],
+  },
+  taskovergg_get_discovered_bp_detail: {
+    rpc: "getDiscoveredBpDetail",
+    schema: { required: ["blueprint_id"], fields: { blueprint_id: "string", project_id: "string" } },
+    args: (c, r) => [r.blueprint_id],
+  },
+  taskovergg_blueprint_complexity: {
+    rpc: "computeBlueprintHealth",
+    schema: { required: [], fields: { project_id: "string", blueprint_id: "string" } },
+    args: (c, r) => [r.project_id],
+    // Note: For single-blueprint complexity, use via local MCP mode. Cloud routes to project-level health.
+  },
+  taskovergg_blueprint_timeline: {
+    rpc: "getBlueprintTimeline",
+    schema: { required: ["blueprint_id"], fields: { blueprint_id: "string", limit: "number", include_layout: "boolean" } },
+    args: (c, r) => [r.blueprint_id, c.limit, c.include_layout],
+  },
+  taskovergg_blueprint_summary: {
+    rpc: "generateBlueprintSummary",
+    schema: { required: ["blueprint_id"], fields: { blueprint_id: "string" } },
+    args: (c, r) => [r.blueprint_id],
+  },
+  taskovergg_blueprint_review: {
+    rpc: "computeProjectBlueprintReview",
+    schema: { required: [], fields: { project_id: "string", blueprint_id: "string" } },
+    args: (c, r) => [r.project_id],
+    // Note: For single-blueprint review, use via local MCP mode. Cloud routes to project-level review.
+  },
+  taskovergg_blueprint_standards: {
+    rpc: "getBlueprintStandards",
+    schema: { required: ["project_id", "action"], fields: { project_id: "string", action: "string", rule_id: "string", enabled: "boolean" } },
+    args: (c, r) => [r.project_id],
+    // Note: toggle/evaluate actions handled via local MCP mode. Cloud routes to get-standards.
+  },
+  taskovergg_blueprint_impact: {
+    rpc: "computeImpactAnalysis",
+    schema: { required: ["project_id", "blueprint_id"], fields: { project_id: "string", blueprint_id: "string" } },
+    args: (c, r) => [r.project_id, r.blueprint_id],
+  },
+  taskovergg_blueprint_dependencies: {
+    rpc: "buildBlueprintDependencyGraph",
+    schema: { required: ["project_id"], fields: { project_id: "string" } },
+    args: (c, r) => [r.project_id],
+  },
 };
 
 module.exports = { TOOL_MAP, validateSchema };