vantage-peers-mcp 2.1.0 → 2.3.0

package/CHANGELOG.md

@@ -0,0 +1,54 @@
+# Changelog
+
+## 2.3.0 — 2026-05-26
+
+### Added
+- `list_tasks`, `list_missions`, `list_tasks_by_mission`, `list_briefing_notes` now accept `fields=lite` for compact payloads.
+- Status filters on `list_tasks`, `list_tasks_by_mission`, and `list_missions` now accept arrays and aliases:
+  - `status=["todo","in_progress"]` — multi-value array
+  - `status="open"` — expands to non-terminal statuses (tasks: todo+in_progress+review+blocked; missions: brainstorm+plan+execute+validate)
+  - `status="active"` — in_progress only on tasks; plan+execute on missions
+  - `status="all"` — no filter applied
+
+### Backward compat
+- Single-string status still accepted unchanged.
+- Omitting `fields` defaults to `"full"` — existing callers unaffected.
+
+---
+
+## 2.2.0 — 2026-05-07
+
+- 4 new fix-pattern tools: `create_fix_pattern`, `add_fix_attempt`, `validate_fix`, `link_issue_to_pattern`
+- Detailed per-tool docs with arg tables and example calls in README
+- New "Fix patterns cycle" section documenting the KB learning loop
+- 41 new Zod input-validation unit tests for fix-pattern tools
+
+## 2.1.1 — 2026-05-04
+
+- Defense-in-depth `memoryIdSchema` validation for `create_briefing_note` and `update_briefing_note`
+
+## 2.1.0 — 2026-04-25
+
+- `update_briefing_note` MCP tool with RBAC
+
+## 2.0.2 — 2026-04-14
+
+- Added badges (npm version, downloads, license, tool count) to the published README
+- Added Orchestrator Roles reference table including alpha, lambda, victor
+- Added note that any custom lowercase role name is accepted
+- Added `bugs` URL and additional keywords to `package.json`
+
+## 2.0.1 — 2026-04-14
+
+- Docstring fix in server.ts (minor)
+
+## 2.0.0
+
+- Type-safe `api.ts` export for cross-deployment calls (`vantage-peers-mcp/api`)
+- Deploy key authentication guide
+- Mission Templates category (1 tool: `update_mission_template`)
+- Programmatic API section in README
+
+## 1.x
+
+- Initial public release with 82 MCP tools

package/README.md

@@ -50,6 +50,22 @@ Add to `~/.claude.json` or project `.claude/settings.json`:
 }
 ```
 
+## OAuth 2.1 DCR endpoints
+
+VantagePeers ships a built-in OAuth 2.1 authorization server so Claude.ai web can connect via "Add custom integration" without any extra configuration.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/.well-known/oauth-authorization-server` | Authorization Server Metadata (RFC 8414) — advertises supported grant types, endpoints, and capabilities |
+| `GET` | `/.well-known/oauth-protected-resource` | Protected Resource Metadata (RFC 9728) — links back to the authorization server |
+| `POST` | `/register` | Dynamic Client Registration (RFC 7591) — Claude.ai registers itself automatically on first connect |
+| `GET` | `/authorize` | Authorization endpoint — redirects the user to grant access |
+| `POST` | `/token` | Token endpoint — issues access tokens per OAuth 2.1 |
+
+**RFCs implemented:** RFC 8414 (AS Metadata), RFC 9728 (Protected Resource Metadata), RFC 7591 (Dynamic Client Registration), OAuth 2.1 draft.
+
+**Backward compatibility:** the `BEARER_SECRET_MASTER` env var still works unchanged. Claude Code and Claude Desktop users do not need to change anything — static bearer auth remains the default for those clients. OAuth 2.1 DCR is used exclusively when a client initiates the discovery flow (e.g. Claude.ai web).
+
 ## Environment variables
 
 | Variable | Required | Description |
@@ -93,6 +109,104 @@ The server also reads `CONVEX_URL` from `.env.local` in the parent directory if
 ### Fix Patterns (5)
 `create_fix_pattern`, `list_fix_patterns`, `add_fix_attempt`, `validate_fix`, `link_issue_to_pattern`
 
+#### `create_fix_pattern`
+Create a new fix pattern in the knowledge base. Documents a bug symptom, root cause, and optional validated fix. Agents search the KB before fixing to avoid repeating known mistakes.
+
+| Arg | Type | Required | Description |
+|-----|------|----------|-------------|
+| `symptom` | string | yes | What the bug looks like — the user-visible problem |
+| `rootCause` | string | yes | Why the bug happens — the underlying technical cause |
+| `tags` | string or string[] | yes | Tags for categorization (e.g. `"react-hydration"`) |
+| `stack` | string or string[] | yes | Tech stack involved (e.g. `"next.js"`, `"convex"`) |
+| `sourceProject` | string | yes | Project where this was discovered |
+| `createdBy` | string | yes | Orchestrator name (e.g. `"sigma"`) |
+| `severity` | string | yes | `"critical"`, `"major"`, or `"minor"` |
+| `validatedFix` | string | no | The fix that worked — set later if not yet known |
+| `files` | string or string[] | no | Files involved in the fix |
+| `linkedIssueIds` | string or string[] | no | VantagePeers issue IDs linked to this pattern |
+
+Example:
+```json
+{
+  "tool": "create_fix_pattern",
+  "arguments": {
+    "symptom": "Convex subscription silently drops after 60s of inactivity",
+    "rootCause": "Missing keepAlive ping in useConvexQuery wrapper",
+    "tags": ["convex-subscription", "silent-failure"],
+    "stack": ["next.js", "convex"],
+    "sourceProject": "myreeldream",
+    "createdBy": "sigma",
+    "severity": "major",
+    "validatedFix": "Add 30s ping interval to the subscription hook"
+  }
+}
+```
+
+#### `add_fix_attempt`
+Log a fix attempt against an existing pattern. Documents what was tried, whether it worked, and why. If `worked: true` and the pattern has no `validatedFix`, auto-sets it.
+
+| Arg | Type | Required | Description |
+|-----|------|----------|-------------|
+| `patternId` | string | yes | ID of the fix pattern |
+| `description` | string | yes | What was tried — the fix approach |
+| `worked` | boolean | yes | Whether this fix resolved the issue |
+| `why` | string | yes | Why it worked or did not — the reasoning |
+| `createdBy` | string | yes | Orchestrator name |
+| `commit` | string | no | Git commit hash of this attempt |
+
+Example:
+```json
+{
+  "tool": "add_fix_attempt",
+  "arguments": {
+    "patternId": "k5708d9xxwj81v92e0x3hwv36985g4d7",
+    "description": "Added 30s ping interval to useConvexQuery",
+    "worked": true,
+    "why": "Keeps the WebSocket connection alive past the server idle timeout",
+    "createdBy": "sigma",
+    "commit": "e866274"
+  }
+}
+```
+
+#### `validate_fix`
+Promote a candidate fix to validated status on an existing pattern. Use after independently confirming the fix holds in production.
+
+| Arg | Type | Required | Description |
+|-----|------|----------|-------------|
+| `patternId` | string | yes | ID of the fix pattern |
+| `validatedFix` | string | yes | Description of the validated fix |
+
+Example:
+```json
+{
+  "tool": "validate_fix",
+  "arguments": {
+    "patternId": "k5708d9xxwj81v92e0x3hwv36985g4d7",
+    "validatedFix": "30s ping interval in subscription hook — verified stable over 48h in production"
+  }
+}
+```
+
+#### `link_issue_to_pattern`
+Link a VantagePeers issue to a fix pattern. Creates a bidirectional reference so the issue and pattern are discoverable from each other.
+
+| Arg | Type | Required | Description |
+|-----|------|----------|-------------|
+| `patternId` | string | yes | ID of the fix pattern |
+| `issueId` | string | yes | VantagePeers issue ID to link |
+
+Example:
+```json
+{
+  "tool": "link_issue_to_pattern",
+  "arguments": {
+    "patternId": "k5708d9xxwj81v92e0x3hwv36985g4d7",
+    "issueId": "m97ewrrqczew67kc6at3a59e7985ea7h"
+  }
+}
+```
+
 ### Error Monitoring (2)
 `list_errors`, `get_error`
 
@@ -114,6 +228,86 @@ The server also reads `CONVEX_URL` from `.env.local` in the parent directory if
 ### Session (1)
 `set_summary`
 
+## Compact payloads and status aliases (v2.3.0)
+
+### `fields=lite` — reduced token payloads
+
+`list_tasks`, `list_tasks_by_mission`, `list_missions`, and `list_briefing_notes` accept an optional `fields` parameter:
+
+| Value | Behaviour |
+|-------|-----------|
+| `"full"` | Default. Returns the complete document (backward-compatible). |
+| `"lite"` | Returns a compact projection — significantly fewer tokens. |
+
+Lite projections per entity:
+
+| Tool | Lite fields |
+|------|------------|
+| `list_tasks` / `list_tasks_by_mission` | `_id`, `_creationTime`, `title`, `status`, `priority`, `assignedTo`, `missionId` |
+| `list_missions` | `_id`, `_creationTime`, `name`, `status`, `pilot`, `priority`, `project` |
+| `list_briefing_notes` | `_id`, `_creationTime`, `topic`, `title`, `participants`, `createdBy` |
+
+Example (tasks lite):
+```json
+{
+  "tool": "list_tasks",
+  "arguments": { "assignedTo": "sigma", "fields": "lite", "limit": 20 }
+}
+```
+Returns:
+```json
+[
+  { "_id": "k17e2r...", "title": "Prepare MCP v2.3.0", "status": "in_progress", "priority": "high", "assignedTo": "sigma", "missionId": "k572a..." }
+]
+```
+
+### `status` arrays and aliases
+
+`list_tasks`, `list_tasks_by_mission`, and `list_missions` now accept `status` as a single string, an array, or one of the aliases below.
+
+#### Task status aliases
+
+| Alias | Expands to |
+|-------|-----------|
+| `"open"` | `["todo", "in_progress", "review", "blocked"]` — everything except `done` |
+| `"active"` | `["todo", "in_progress"]` |
+| `"all"` | No filter — returns all statuses |
+
+#### Mission status aliases
+
+| Alias | Expands to |
+|-------|-----------|
+| `"open"` | `["brainstorm", "plan", "execute", "validate"]` — everything except `complete` |
+| `"active"` | `["plan", "execute"]` |
+| `"all"` | No filter — returns all statuses |
+
+Examples:
+
+```json
+{ "tool": "list_tasks", "arguments": { "status": "open" } }
+{ "tool": "list_tasks", "arguments": { "status": ["todo", "in_progress"] } }
+{ "tool": "list_missions", "arguments": { "status": "active", "fields": "lite" } }
+{ "tool": "list_tasks_by_mission", "arguments": { "missionId": "k572a...", "status": "all", "fields": "lite" } }
+```
+
+Single-string status values still work unchanged — fully backward-compatible.
+
+## Fix patterns cycle
+
+A fix pattern is a validated learning extracted from a resolved bug — symptom, root cause, and the fix that worked — stored in the VantagePeers knowledge base. Patterns accumulate across projects and agents so that the same bug is never debugged twice from scratch.
+
+The cycle runs as follows:
+
+1. **Agent encounters a bug.** Before touching any code, call `search_fix_patterns` with a plain-language description of the symptom. The KB returns ranked matches using semantic vector search.
+2. **KB hit.** If a validated pattern is returned, apply the known fix directly. Log the reuse via `add_fix_attempt` (`worked: true`) so confidence scores stay current.
+3. **KB miss.** If no pattern matches, the agent fixes the bug manually using standard debugging. Once resolved, the learning is captured immediately via `create_fix_pattern` — symptom, root cause, severity, stack, and the working fix.
+4. **Validation.** After the fix holds in production (or after a second independent confirmation), call `validate_fix` to promote the pattern to validated status. This is the signal that downstream agents can trust the pattern without verification.
+5. **Issue linkage.** Call `link_issue_to_pattern` to attach the VantagePeers issue ID to the pattern. This creates a bidirectional reference: the issue record points to the pattern, and the pattern's `linkedIssueIds` list points back.
+
+The four tools that power this cycle are: `create_fix_pattern`, `add_fix_attempt`, `validate_fix`, and `link_issue_to_pattern`. The fifth tool, `search_fix_patterns`, is in the Search / RAG category and is the entry point agents should call first.
+
+On the agent side, the `/capitalize-fix` skill and the `inject-fix-patterns` hook automate steps 3-5: the hook fires on task completion events and prompts the orchestrator to capture the learning before closing the task. The cycle is designed to be low-friction — one tool call per step, all via MCP, no `npx convex run` required.
+
 ## Programmatic API (TypeScript)
 
 For external services that need type-safe access to VantagePeers functions:
@@ -206,6 +400,23 @@ All orchestrator names are open strings — any lowercase name is accepted. The
 
 ## Changelog
 
+### 2.3.0 — 2026-05-26
+- `list_tasks`, `list_missions`, `list_tasks_by_mission`, `list_briefing_notes` now accept `fields=lite` for compact payloads (less tokens).
+- Status filters now accept arrays and aliases: `status=["todo","in_progress"]`, `status="open"` (expands to non-terminal), `status="active"` (in_progress only on tasks; plan+execute on missions), `status="all"` (no filter).
+- Single-string status still accepted unchanged (backward-compatible).
+
+### 2.2.0 — 2026-05-07
+- 4 new fix-pattern tools: `create_fix_pattern`, `add_fix_attempt`, `validate_fix`, `link_issue_to_pattern`
+- Detailed per-tool docs with arg tables and example calls in README
+- New "Fix patterns cycle" section documenting the KB learning loop
+- 41 new Zod input-validation unit tests for fix-pattern tools
+
+### 2.1.1 — 2026-05-04
+- Defense-in-depth `memoryIdSchema` validation for `create_briefing_note` and `update_briefing_note`
+
+### 2.1.0 — 2026-04-25
+- `update_briefing_note` MCP tool with RBAC
+
 ### 2.0.2 — 2026-04-14
 - Added badges (npm version, downloads, license, tool count) to the published README
 - Added Orchestrator Roles reference table including alpha, lambda, victor (Day 39 additions)

package/dist/server-http.js

@@ -24,6 +24,7 @@
  *   PORT                  — HTTP port (default 3000)
  *   NODE_ENV              — set to "production" on Railway
  */
+import { readFileSync } from "node:fs";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { ConvexHttpClient } from "convex/browser";
@@ -31,10 +32,19 @@ import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { bearerAuthMiddleware, internalClient, masterOnlyMiddleware, sha256Base64Url, sha256Hex, } from "./src/auth.js";
 import { registerTools } from "./src/tools.js";
+let pkg;
+try {
+    // Source mode: server-http.ts → ./package.json = mcp-server/package.json
+    pkg = JSON.parse(readFileSync(new URL("./package.json", import.meta.url), "utf-8"));
+}
+catch {
+    // Dist mode: dist/server-http.js → ../package.json = mcp-server/package.json
+    pkg = JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf-8"));
+}
 // ─────────────────────────────────────────────────────────────────────────────
 // Constants
 // ─────────────────────────────────────────────────────────────────────────────
-const PUBLIC_BASE_URL = process.env.PUBLIC_BASE_URL ??
+const PUBLIC_BASE_URL_FALLBACK = process.env.PUBLIC_BASE_URL ??
     "https://vantage-peers-production.up.railway.app";
 const ACCESS_TOKEN_TTL_SECONDS = 3600; // 1 hour
 const REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 3600; // 30 days
@@ -46,9 +56,34 @@ const DEFAULT_PUBLIC_DCR_PROFILE = "client-generic";
 // ─────────────────────────────────────────────────────────────────────────────
 // Helpers
 // ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Compute the issuer/base URL dynamically from the incoming request's Host
+ * header + protocol. Falls back to PUBLIC_BASE_URL env var when Host is absent
+ * (e.g., in curl smoke tests without a Host header).
+ *
+ * RFC 8414 §2: the issuer MUST be the URL the client uses to reach the server,
+ * so deriving it from the request is more correct than a hard-coded constant,
+ * especially when deployed behind a Railway/Cloudflare proxy that rewrites Host.
+ */
+function resolveIssuer(req) {
+    const host = req.headers.get("host");
+    if (host) {
+        // Use x-forwarded-proto when behind a reverse proxy; fall back to https.
+        const proto = req.headers.get("x-forwarded-proto") ??
+            (host.startsWith("localhost") || host.startsWith("127.")
+                ? "http"
+                : "https");
+        return `${proto}://${host}`;
+    }
+    return PUBLIC_BASE_URL_FALLBACK;
+}
 function randomOpaqueToken() {
-    // 2× UUID → ~256 bits of entropy. Strip dashes for compactness.
-    return `${crypto.randomUUID()}${crypto.randomUUID()}`.replace(/-/g, "");
+    // 256-bit entropy via getRandomValues (32 bytes → 64 hex chars).
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
 }
 async function loadScopeProfile(profileId) {
     return (await internalClient().query(
@@ -76,34 +111,65 @@ app.use("*", cors({
 // OAuth 2.0 discovery (unauthenticated)
 // ─────────────────────────────────────────────────────────────────────────────
 // RFC 9728 — OAuth 2.0 Protected Resource Metadata
-app.get("/.well-known/oauth-protected-resource", (c) => c.json({
-    resource: `${PUBLIC_BASE_URL}/mcp`,
-    authorization_servers: [PUBLIC_BASE_URL],
-    bearer_methods_supported: ["header"],
-    scopes_supported: ["vantage:read", "vantage:write"],
-}));
+app.get("/.well-known/oauth-protected-resource", (c) => {
+    const issuer = resolveIssuer(c.req.raw);
+    return c.json({
+        resource: issuer,
+        authorization_servers: [issuer],
+        scopes_supported: ["mcp:full"],
+    });
+});
 // RFC 8414 — OAuth 2.0 Authorization Server Metadata
-app.get("/.well-known/oauth-authorization-server", (c) => c.json({
-    issuer: PUBLIC_BASE_URL,
-    authorization_endpoint: `${PUBLIC_BASE_URL}/authorize`,
-    token_endpoint: `${PUBLIC_BASE_URL}/token`,
-    registration_endpoint: `${PUBLIC_BASE_URL}/register`,
-    response_types_supported: ["code"],
-    grant_types_supported: ["authorization_code", "refresh_token"],
-    code_challenge_methods_supported: ["S256"],
-    token_endpoint_auth_methods_supported: [
-        "client_secret_post",
-        "client_secret_basic",
-        "none",
-    ],
-    scopes_supported: ["vantage:read", "vantage:write"],
-}));
+app.get("/.well-known/oauth-authorization-server", (c) => {
+    const issuer = resolveIssuer(c.req.raw);
+    return c.json({
+        issuer,
+        authorization_endpoint: `${issuer}/authorize`,
+        token_endpoint: `${issuer}/token`,
+        registration_endpoint: `${issuer}/register`,
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code", "refresh_token"],
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint_auth_methods_supported: [
+            "client_secret_basic",
+            "client_secret_post",
+        ],
+        scopes_supported: ["mcp:full"],
+    });
+});
+const registerRateBuckets = new Map();
+const REGISTER_RATE_LIMIT = 5;
+const REGISTER_RATE_WINDOW_MS = 60_000;
+function checkRegisterRateLimit(ip) {
+    const now = Date.now();
+    const bucket = registerRateBuckets.get(ip);
+    if (!bucket || now - bucket.windowStart >= REGISTER_RATE_WINDOW_MS) {
+        registerRateBuckets.set(ip, { count: 1, windowStart: now });
+        return true;
+    }
+    if (bucket.count < REGISTER_RATE_LIMIT) {
+        bucket.count++;
+        return true;
+    }
+    return false;
+}
 // ─────────────────────────────────────────────────────────────────────────────
 // RFC 7591 — Dynamic Client Registration
 // Anonymous registrations get DEFAULT_PUBLIC_DCR_PROFILE ("client-generic").
 // Pi must elevate the client via admin endpoint before real scopes are granted.
 // ─────────────────────────────────────────────────────────────────────────────
 app.post("/register", async (c) => {
+    // S2: rate limit by IP — 5 req/min
+    const clientIp = c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ??
+        c.req.header("x-real-ip") ??
+        "unknown";
+    if (!checkRegisterRateLimit(clientIp)) {
+        c.header("Retry-After", "60");
+        return c.json({
+            error: "too_many_requests",
+            error_description: "Rate limit exceeded. Max 5 registrations per minute per IP.",
+        }, 429);
+    }
     let body = {};
     try {
         body = await c.req.json();
@@ -150,8 +216,8 @@ app.post("/register", async (c) => {
         token_endpoint_auth_method: "client_secret_post",
         grant_types: ["authorization_code", "refresh_token"],
         response_types: ["code"],
-        scope: "vantage:read vantage:write",
-        scope_profile: scopeProfile,
+        // SC: standardized on mcp:full — consistent with well-known metadata
+        scope: "mcp:full",
     }, 201);
 });
 // ─────────────────────────────────────────────────────────────────────────────
@@ -164,7 +230,8 @@ app.get("/authorize", async (c) => {
     const codeChallenge = q.code_challenge;
     const codeChallengeMethod = q.code_challenge_method ?? "S256";
     const state = q.state;
-    const scope = q.scope ?? "vantage:read vantage:write";
+    // SC: standardize scope — always mcp:full regardless of requested value
+    const scope = "mcp:full";
     const responseType = q.response_type;
     if (!clientId || !redirectUri || !codeChallenge) {
         return c.json({
@@ -357,7 +424,8 @@ app.post("/token", async (c) => {
             tokenHash: accessTokenHash,
             clientId: record.clientId,
             userId: record.userId,
-            scopes: ["vantage:read", "vantage:write"],
+            // SC: standardized on mcp:full
+            scopes: ["mcp:full"],
             scopeProfile: profile.profileId,
             fromAllowList: profile.fromAllowList,
             namespaceReadPrefixes: profile.namespaceReadPrefixes,
@@ -370,7 +438,8 @@ app.post("/token", async (c) => {
             token_type: "Bearer",
             expires_in: ACCESS_TOKEN_TTL_SECONDS,
             refresh_token: refreshTokenRaw, // reused
-            scope: "vantage:read vantage:write",
+            // SC: standardized on mcp:full
+            scope: "mcp:full",
         });
     }
     return c.json({ error: "unsupported_grant_type" }, 400);
@@ -381,9 +450,10 @@ app.post("/token", async (c) => {
 app.get("/health", (c) => c.json({
     status: "ok",
     service: "vantage-peers-mcp-http",
-    version: "2.1.0",
+    version: pkg.version,
     transport: "streamable-http",
-    oauth: "scoped-tokens",
+    oauth: "supported",
+    scopes: ["mcp:full"],
 }));
 // ─────────────────────────────────────────────────────────────────────────────
 // Admin endpoints — master token only
@@ -490,7 +560,7 @@ app.all("/mcp", bearerAuthMiddleware(), async (c) => {
     // Fresh McpServer per request — stateless mode, no session leakage
     const server = new McpServer({
         name: "vantage-peers",
-        version: "2.1.0",
+        version: pkg.version,
     });
     registerTools(server, convex, oauthCtx);
     const transport = new WebStandardStreamableHTTPServerTransport();

package/dist/server.js

@@ -433,7 +433,10 @@ server.tool("update_profile", "Create or update an orchestrator profile. Provide
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("list_memories", "List active memories for a namespace, ordered newest first. " +
     "Only returns isLatest=true memories (superseded memories are excluded by default). " +
-    "Use type to filter to a specific memory category.", {
+    "Use type to filter to a specific memory category. " +
+    "Returns { value: Memory[], continueCursor: string|null, isDone: boolean }. " +
+    "Pass paginationOpts.cursor from a previous response to fetch the next page. " +
+    "Without paginationOpts, returns ≤50 rows with continueCursor=null and isDone=true.", {
     namespace: z
         .string()
         .describe("Namespace to list memories from — e.g. 'global', 'orchestrator/pi'"),
@@ -447,19 +450,36 @@ server.tool("list_memories", "List active memories for a namespace, ordered newe
         .max(200)
         .optional()
         .default(20)
-        .describe("Maximum number of memories to return (default 20)"),
-}, async ({ namespace, type, limit }) => {
+        .describe("Maximum number of memories to return when paginationOpts is not provided (default 20, max 200)"),
+    paginationOpts: z
+        .object({
+        numItems: z
+            .number()
+            .int()
+            .min(1)
+            .max(200)
+            .describe("Number of items per page (max 200)"),
+        cursor: z
+            .union([z.string(), z.null()])
+            .describe("Cursor from a previous response continueCursor field, or null for the first page"),
+    })
+        .optional()
+        .describe("Optional cursor-based pagination. Pass { numItems, cursor: null } for the first page, " +
+        "then { numItems, cursor: <continueCursor from response> } for subsequent pages. " +
+        "When provided, isDone=false means more pages exist."),
+}, async ({ namespace, type, limit, paginationOpts }) => {
     try {
-        const memories = await convex.query("memories:listMemories", {
+        const result = await convex.query("memories:listMemories", {
             namespace,
             type,
             limit: limit ?? 20,
+            paginationOpts,
         });
         return {
             content: [
                 {
                     type: "text",
-                    text: JSON.stringify(memories, null, 2),
+                    text: JSON.stringify(result, null, 2),
                 },
             ],
         };
@@ -831,14 +851,25 @@ server.tool("create_task", "Create a task in VantagePeers. Tasks are assigned to
 // Tool: list_tasks
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("list_tasks", "List tasks from VantagePeers with optional filters. " +
-    "Filter by assignee, instance, status, and/or project. Returns newest first.", {
+    "Filter by assignee, instance, status, and/or project. Returns newest first. " +
+    "status accepts a single value or an array, plus aliases: " +
+    "'open' (todo+in_progress+review+blocked), 'active' (todo+in_progress), 'all' (no filter). " +
+    "fields='lite' returns compact payloads ({_id,title,status,priority,assignedTo,missionId}) — fewer tokens.", {
     assignedTo: assigneeSchema.optional().describe("Filter by assignee"),
     assignedToInstance: z
         .string()
         .optional()
         .describe("Filter by instance — e.g. 'pi-vps'. Returns only tasks assigned to that instance."),
-    status: taskStatusSchema.optional().describe("Filter by status"),
+    status: z
+        .union([taskStatusSchema, z.array(z.string()), z.string()])
+        .optional()
+        .describe("Filter by status. Single value, array, or alias: " +
+        "'open' (non-terminal), 'active' (in_progress only), 'all' (no filter)."),
     project: z.string().optional().describe("Filter by project name"),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -847,13 +878,14 @@ server.tool("list_tasks", "List tasks from VantagePeers with optional filters. "
         .optional()
         .default(50)
         .describe("Maximum number of tasks to return (default 50)"),
-}, async ({ assignedTo, assignedToInstance, status, project, limit }) => {
+}, async ({ assignedTo, assignedToInstance, status, project, fields, limit }) => {
     try {
         const tasks = await convex.query("tasks:list", {
             assignedTo,
             assignedToInstance,
             status,
             project,
+            fields,
             limit: limit ?? 50,
         });
         return {
@@ -1102,9 +1134,20 @@ server.tool("add_task_dependency", "Add a dependency to a task. The task cannot
 // ─────────────────────────────────────────────────────────────────────────────
 // Tool: list_tasks_by_mission
 // ─────────────────────────────────────────────────────────────────────────────
-server.tool("list_tasks_by_mission", "List all tasks linked to a specific mission. Optionally filter by status.", {
+server.tool("list_tasks_by_mission", "List all tasks linked to a specific mission. Optionally filter by status. " +
+    "status accepts a single value or an array, plus aliases: " +
+    "'open' (todo+in_progress+review+blocked), 'active' (todo+in_progress), 'all' (no filter). " +
+    "fields='lite' returns compact payloads ({_id,title,status,priority,assignedTo,missionId}) — fewer tokens.", {
     missionId: z.string().describe("Convex document ID of the mission"),
-    status: taskStatusSchema.optional().describe("Filter by task status"),
+    status: z
+        .union([taskStatusSchema, z.array(z.string()), z.string()])
+        .optional()
+        .describe("Filter by task status. Single value, array, or alias: " +
+        "'open' (non-terminal), 'active' (in_progress only), 'all' (no filter)."),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -1113,11 +1156,12 @@ server.tool("list_tasks_by_mission", "List all tasks linked to a specific missio
         .optional()
         .default(50)
         .describe("Maximum number of tasks to return (default 50)"),
-}, async ({ missionId, status, limit }) => {
+}, async ({ missionId, status, fields, limit }) => {
     try {
         const tasks = await convex.query("tasks:listByMission", {
             missionId: missionId,
             status,
+            fields,
             limit: limit ?? 50,
         });
         return {
@@ -1191,10 +1235,21 @@ server.tool("create_mission", "Create a mission in VantagePeers. Missions group
 // Tool: list_missions
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("list_missions", "List missions from VantagePeers with optional filters. " +
-    "Filter by project, pilot, and/or status. Returns newest first.", {
+    "Filter by project, pilot, and/or status. Returns newest first. " +
+    "status accepts a single value or an array, plus aliases: " +
+    "'open' (brainstorm+plan+execute+validate), 'active' (plan+execute), 'all' (no filter). " +
+    "fields='lite' returns compact payloads ({_id,name,status,pilot,priority,project}) — fewer tokens.", {
     project: z.string().optional().describe("Filter by project name"),
     pilot: creatorSchema.optional().describe("Filter by pilot orchestrator"),
-    status: missionStatusSchema.optional().describe("Filter by status"),
+    status: z
+        .union([missionStatusSchema, z.array(z.string()), z.string()])
+        .optional()
+        .describe("Filter by status. Single value, array, or alias: " +
+        "'open' (non-terminal), 'active' (plan+execute), 'all' (no filter)."),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -1203,12 +1258,13 @@ server.tool("list_missions", "List missions from VantagePeers with optional filt
         .optional()
         .default(50)
         .describe("Maximum number of missions to return (default 50)"),
-}, async ({ project, pilot, status, limit }) => {
+}, async ({ project, pilot, status, fields, limit }) => {
     try {
         const missions = await convex.query("missions:list", {
             project,
             pilot,
             status,
+            fields,
             limit: limit ?? 50,
         });
         return {
@@ -1413,6 +1469,31 @@ server.tool("list_diaries", "List diary entries, optionally filtered by orchestr
     }
 });
 // ─────────────────────────────────────────────────────────────────────────────
+// Tool: delete_diary
+// ─────────────────────────────────────────────────────────────────────────────
+server.tool("delete_diary", "Permanently delete a diary entry by ID. Only the owner (or system) can delete.", {
+    diaryId: z.string().describe("Convex document ID of the diary entry to delete"),
+    callerOrchestrator: creatorSchema.optional().describe("Optional RBAC — must be the owner or system"),
+}, async ({ diaryId, callerOrchestrator }) => {
+    try {
+        const result = await convex.mutation("diary:deleteDiary", {
+            diaryId: diaryId,
+            callerOrchestrator,
+        });
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(result, null, 2),
+                },
+            ],
+        };
+    }
+    catch (error) {
+        return mcpError(error.message ?? String(error));
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
 // Tool: create_briefing_note
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("create_briefing_note", "Create a briefing note — a structured record of a topic discussion, with participants, " +
@@ -1511,11 +1592,16 @@ server.tool("update_briefing_note", "Update an existing briefing note. Partial-u
 // ─────────────────────────────────────────────────────────────────────────────
 // Tool: list_briefing_notes
 // ─────────────────────────────────────────────────────────────────────────────
-server.tool("list_briefing_notes", "List briefing notes, optionally filtered by topic. Returns newest first.", {
+server.tool("list_briefing_notes", "List briefing notes, optionally filtered by topic. Returns newest first. " +
+    "fields='lite' returns compact payloads ({_id,topic,title,participants,createdBy}) — fewer tokens.", {
     topic: z
         .string()
         .optional()
         .describe("Filter to a specific topic — omit for all"),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -1524,10 +1610,11 @@ server.tool("list_briefing_notes", "List briefing notes, optionally filtered by
         .optional()
         .default(20)
         .describe("Maximum notes to return (default 20)"),
-}, async ({ topic, limit }) => {
+}, async ({ topic, fields, limit }) => {
     try {
         const notes = await convex.query("briefingNotes:list", {
             topic,
+            fields,
             limit: limit ?? 20,
         });
         return {
@@ -1544,6 +1631,31 @@ server.tool("list_briefing_notes", "List briefing notes, optionally filtered by
     }
 });
 // ─────────────────────────────────────────────────────────────────────────────
+// Tool: delete_briefing_note
+// ─────────────────────────────────────────────────────────────────────────────
+server.tool("delete_briefing_note", "Permanently delete a briefing note by ID. Only the creator (or system) can delete.", {
+    noteId: z.string().describe("Convex document ID of the briefing note to delete"),
+    callerOrchestrator: creatorSchema.optional().describe("Optional RBAC — must be creator or system"),
+}, async ({ noteId, callerOrchestrator }) => {
+    try {
+        const result = await convex.mutation("briefingNotes:deleteBriefingNote", {
+            noteId: noteId,
+            callerOrchestrator,
+        });
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(result, null, 2),
+                },
+            ],
+        };
+    }
+    catch (error) {
+        return mcpError(error.message ?? String(error));
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
 // Tool: register_component
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("register_component", "Register or update a component (agent, skill, hook, or plugin) in the registry. " +

package/dist/src/auth.js

@@ -212,7 +212,48 @@ export function bearerAuthMiddleware() {
             await next();
             return;
         }
-        // ── (3) Legacy internal bearer — mcpTenants table ───────────────────────
+        // ── (3) DCR OAuth token — check oauthTokens via oauthDcr:validateAccessToken
+        // Uses raw token (not hashed) — the DCR table stores tokens in plaintext.
+        // This path handles Claude.ai clients registered via POST /register.
+        let dcrResult = null;
+        try {
+            dcrResult = (await internalClient().query(
+            // biome-ignore lint/suspicious/noExplicitAny: Convex string API
+            "oauthDcr:validateAccessToken", { accessToken: token }));
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.warn("[auth] DCR OAuth lookup skipped:", message);
+        }
+        if (dcrResult?.valid === true) {
+            const internalUrl = process.env.CONVEX_URL_INTERNAL;
+            if (!internalUrl) {
+                console.error("[auth] CONVEX_URL_INTERNAL not set — cannot route DCR OAuth token");
+                return c.json({ error: "Server misconfigured: internal deployment URL missing" }, 500);
+            }
+            // Map DCR single-scope string → OAuthContext fields.
+            // DCR tokens always carry "mcp:full" which maps to full access.
+            const scopes = dcrResult.scope.split(/\s+/).filter(Boolean);
+            const isFull = scopes.includes("mcp:full");
+            c.set("tenant", {
+                tenantName: `dcr:${dcrResult.clientId}`,
+                convexUrl: internalUrl,
+            });
+            c.set("oauthContext", {
+                clientId: dcrResult.clientId,
+                userId: dcrResult.clientId,
+                scopes,
+                scopeProfile: isFull ? "master" : "client-generic",
+                fromAllowList: isFull ? ["*"] : [],
+                namespaceReadPrefixes: isFull ? ["*"] : [],
+                namespaceWritePrefixes: isFull ? ["*"] : [],
+                expiresAt: dcrResult.expiresAt,
+                isMaster: false,
+            });
+            await next();
+            return;
+        }
+        // ── (4) Legacy internal bearer — mcpTenants table ───────────────────────
         let tenant;
         try {
             tenant = (await internalClient().query(

package/dist/src/tools.d.ts

@@ -27,6 +27,14 @@ export declare function assertContentSize(content: string, toolName: string): nu
  */
 export declare const convexIdPattern: RegExp;
 export declare const receiptIdSchema: z.ZodString;
+export declare const memoryIdSchema: z.ZodString;
+export declare const creatorSchema: z.ZodString;
+export declare const severitySchema: z.ZodEnum<{
+    critical: "critical";
+    major: "major";
+    minor: "minor";
+}>;
+export declare const flexArray: z.ZodUnion<readonly [z.ZodArray<z.ZodString>, z.ZodString]>;
 export declare const updateBriefingNoteDescription: string;
 export declare const updateBriefingNoteSchema: z.ZodObject<{
     noteId: z.ZodString;

package/dist/src/tools.js

@@ -51,17 +51,20 @@ export const convexIdPattern = /^[a-z0-9]{32}$/;
 export const receiptIdSchema = z
     .string()
     .regex(convexIdPattern, "receiptId must be a 32-char lowercase alphanumeric Convex ID");
+export const memoryIdSchema = z
+    .string()
+    .regex(convexIdPattern, "Invalid memory ID format (expected 32-char Convex ID)");
 const memoryTypeSchema = z
     .enum(["user", "feedback", "project", "reference", "episode"])
     .describe("Memory classification type");
-const creatorSchema = z
+export const creatorSchema = z
     .string()
-    .describe("Orchestrator role name (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, laurent, or any custom client role (lowercase string)). " +
+    .describe("Orchestrator role name (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, laurent, or any custom client role (lowercase string)). " +
     "New internal orchestrators use Greek letters (lowercase); external client orchestrators use free lowercase strings.");
-const severitySchema = z
+export const severitySchema = z
     .enum(["critical", "major", "minor"])
     .describe("Episode severity — critical = cross-orchestrator lesson");
-const flexArray = z.union([z.array(z.string()), z.string()]);
+export const flexArray = z.union([z.array(z.string()), z.string()]);
 const flexArrayOptional = flexArray.optional();
 // ─────────────────────────────────────────────────────────────────────────────
 // update_briefing_note — Zod schema + description
@@ -96,13 +99,13 @@ export const updateBriefingNoteSchema = z.object({
         .optional()
         .describe("Optional new decisions array — full replace, not append"),
     linkedMemoryIds: z
-        .array(z.string())
+        .array(memoryIdSchema)
         .optional()
-        .describe("Optional new linkedMemoryIds array — full replace, not append. Each ID must point to memories table."),
+        .describe("Optional new linkedMemoryIds array — full replace, not append. Each ID must point to memories table, NOT briefingNotes or any other table."),
 });
 const assigneeSchema = z
     .string()
-    .describe("Orchestrator to assign to (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, laurent, or any custom client role (lowercase string)). " +
+    .describe("Orchestrator to assign to (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, laurent, or any custom client role (lowercase string)). " +
     "New internal orchestrators use Greek letters (lowercase); external client orchestrators use free lowercase strings.");
 const prioritySchema = z
     .enum(["urgent", "high", "medium", "low"])
@@ -612,7 +615,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("send_message", "Send a message to one, many, or all orchestrators. " +
         "channel: 'broadcast' = all, 'tau' = role DM, 'pi-vps' = instance DM, 'tau,phi' = multi. " +
         "Creates message + one receipt per recipient. Replaces claude-peers send_message.", {
-        from: creatorSchema.describe("Sender role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, or any custom role)"),
+        from: creatorSchema.describe("Sender role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, or any custom role)"),
         fromInstanceId: z
             .string()
             .optional()
@@ -670,7 +673,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("check_messages", "Check for unread messages. Returns messages with receiptIds for marking as read. " +
         "If recipientInstanceId is provided, returns instance-targeted + role-level messages. " +
         "Replaces claude-peers check_messages.", {
-        recipient: creatorSchema.describe("Orchestrator role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, or any custom role)"),
+        recipient: creatorSchema.describe("Orchestrator role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, or any custom role)"),
         recipientInstanceId: z
             .string()
             .optional()
@@ -1626,7 +1629,8 @@ export function registerTools(server, convex, oauthCtx) {
     });
     // ── create_briefing_note ────────────────────────────────────────────────────
     server.tool("create_briefing_note", "Create a briefing note — a structured record of a topic discussion, with participants, " +
-        "content, optional decisions, and optional links to existing memories.", {
+        "content, optional decisions, and optional links to existing memories. " +
+        "linkedMemoryIds MUST contain IDs from the memories table only — NOT briefingNotes IDs or IDs from any other table.", {
         title: z.string().describe("Briefing note title"),
         topic: z
             .string()
@@ -1636,7 +1640,10 @@ export function registerTools(server, convex, oauthCtx) {
             .describe("Who participated — e.g. ['pi', 'sigma'] or 'pi'"),
         content: z.string().describe("Full briefing content"),
         decisions: flexArrayOptional.describe("Decisions made during the briefing"),
-        linkedMemoryIds: flexArrayOptional.describe("Convex document IDs of related memories"),
+        linkedMemoryIds: z
+            .array(memoryIdSchema)
+            .optional()
+            .describe("Convex document IDs of related memories — each must be a 32-char ID from the memories table, NOT briefingNotes or any other table"),
         createdBy: creatorSchema,
     }, async ({ title, topic, participants, content, decisions, linkedMemoryIds, createdBy, }) => {
         let contentBytes = 0;
@@ -2529,7 +2536,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("add_repo_mapping", "Add or update a GitHub repo → orchestrator mapping. Used by the webhook pipeline to route GitHub events to the right orchestrator.", {
         repo: z
             .string()
-            .describe("Full repo name — e.g. 'elpiarthera/vantage-peers'"),
+            .describe("Full repo name — e.g. 'vantageos-agency/vantage-peers'"),
         orchestrator: z
             .string()
             .describe("Target orchestrator — e.g. 'sigma', 'omega', 'tau'"),
@@ -2583,7 +2590,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("remove_repo_mapping", "Remove a GitHub repo mapping by repo name. Stops routing webhook events for this repo.", {
         repo: z
             .string()
-            .describe("Full repo name to remove — e.g. 'elpiarthera/vantage-peers'"),
+            .describe("Full repo name to remove — e.g. 'vantageos-agency/vantage-peers'"),
     }, async ({ repo }) => {
         try {
             const result = await convex.mutation("githubRepoMapping:remove", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vantage-peers-mcp",
-  "version": "2.1.0",
+  "version": "2.3.0",
   "description": "MCP server for VantagePeers — shared memory, messaging, and task coordination for AI agent teams",
   "type": "module",
   "main": "./dist/server.js",
@@ -16,7 +16,8 @@
   },
   "files": [
     "dist/",
-    "README.md"
+    "README.md",
+    "CHANGELOG.md"
   ],
   "scripts": {
     "generate:api": "cd .. && npx convex-helpers ts-api-spec --prod --output-file mcp-server/api.ts",
@@ -56,7 +57,7 @@
   "author": "ElPi Corp",
   "license": "FSL-1.1-Apache-2.0",
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "convex": "^1.34.0",
     "dotenv": "^17.4.2",
     "zod": "^4.3.6"
@@ -68,6 +69,9 @@
     "typescript": "^5.9.3",
     "@types/node": "^24.12.2"
   },
+  "overrides": {
+    "path-to-regexp": "^8.4.0"
+  },
   "engines": {
     "node": ">=18"
   },