vantage-peers-mcp 2.2.0 → 2.3.1

package/CHANGELOG.md

@@ -0,0 +1,61 @@
+# Changelog
+
+## 2.3.1 — 2026-05-26
+
+### Fixed (Eta PR #530 delta-review)
+- `status="all"` now actually returns every row (no filter applied). Previously advertised in 2.3.0 docs but the Convex `expandTaskStatuses` / `expandMissionStatuses` helpers rejected it as invalid.
+- `status=["all"]` (alias inside an array) now correctly throws `ConvexError` — same conservative-rejection rule as `"open"` / `"active"`.
+- `setPendingAliasReleases` on the Convex backend converted from `mutation` to `internalMutation`. It was a public DoS surface against the auto-IRP pipeline; it is a lifecycle operation only and must not be reachable via MCP.
+
+## 2.3.0 — 2026-05-26
+
+### Added
+- `list_tasks`, `list_missions`, `list_tasks_by_mission`, `list_briefing_notes` now accept `fields=lite` for compact payloads.
+- Status filters on `list_tasks`, `list_tasks_by_mission`, and `list_missions` now accept arrays and aliases:
+  - `status=["todo","in_progress"]` — multi-value array
+  - `status="open"` — expands to non-terminal statuses (tasks: todo+in_progress+review+blocked; missions: brainstorm+plan+execute+validate)
+  - `status="active"` — in_progress only on tasks; plan+execute on missions
+  - `status="all"` — no filter applied
+
+### Backward compat
+- Single-string status still accepted unchanged.
+- Omitting `fields` defaults to `"full"` — existing callers unaffected.
+
+---
+
+## 2.2.0 — 2026-05-07
+
+- 4 new fix-pattern tools: `create_fix_pattern`, `add_fix_attempt`, `validate_fix`, `link_issue_to_pattern`
+- Detailed per-tool docs with arg tables and example calls in README
+- New "Fix patterns cycle" section documenting the KB learning loop
+- 41 new Zod input-validation unit tests for fix-pattern tools
+
+## 2.1.1 — 2026-05-04
+
+- Defense-in-depth `memoryIdSchema` validation for `create_briefing_note` and `update_briefing_note`
+
+## 2.1.0 — 2026-04-25
+
+- `update_briefing_note` MCP tool with RBAC
+
+## 2.0.2 — 2026-04-14
+
+- Added badges (npm version, downloads, license, tool count) to the published README
+- Added Orchestrator Roles reference table including alpha, lambda, victor
+- Added note that any custom lowercase role name is accepted
+- Added `bugs` URL and additional keywords to `package.json`
+
+## 2.0.1 — 2026-04-14
+
+- Docstring fix in server.ts (minor)
+
+## 2.0.0
+
+- Type-safe `api.ts` export for cross-deployment calls (`vantage-peers-mcp/api`)
+- Deploy key authentication guide
+- Mission Templates category (1 tool: `update_mission_template`)
+- Programmatic API section in README
+
+## 1.x
+
+- Initial public release with 82 MCP tools

package/README.md

@@ -50,6 +50,22 @@ Add to `~/.claude.json` or project `.claude/settings.json`:
 }
 ```
 
+## OAuth 2.1 DCR endpoints
+
+VantagePeers ships a built-in OAuth 2.1 authorization server so Claude.ai web can connect via "Add custom integration" without any extra configuration.
+
+| Method | Path | Description |
+|--------|------|-------------|
+| `GET` | `/.well-known/oauth-authorization-server` | Authorization Server Metadata (RFC 8414) — advertises supported grant types, endpoints, and capabilities |
+| `GET` | `/.well-known/oauth-protected-resource` | Protected Resource Metadata (RFC 9728) — links back to the authorization server |
+| `POST` | `/register` | Dynamic Client Registration (RFC 7591) — Claude.ai registers itself automatically on first connect |
+| `GET` | `/authorize` | Authorization endpoint — redirects the user to grant access |
+| `POST` | `/token` | Token endpoint — issues access tokens per OAuth 2.1 |
+
+**RFCs implemented:** RFC 8414 (AS Metadata), RFC 9728 (Protected Resource Metadata), RFC 7591 (Dynamic Client Registration), OAuth 2.1 draft.
+
+**Backward compatibility:** the `BEARER_SECRET_MASTER` env var still works unchanged. Claude Code and Claude Desktop users do not need to change anything — static bearer auth remains the default for those clients. OAuth 2.1 DCR is used exclusively when a client initiates the discovery flow (e.g. Claude.ai web).
+
 ## Environment variables
 
 | Variable | Required | Description |
@@ -212,6 +228,70 @@ Example:
 ### Session (1)
 `set_summary`
 
+## Compact payloads and status aliases (v2.3.0)
+
+### `fields=lite` — reduced token payloads
+
+`list_tasks`, `list_tasks_by_mission`, `list_missions`, and `list_briefing_notes` accept an optional `fields` parameter:
+
+| Value | Behaviour |
+|-------|-----------|
+| `"full"` | Default. Returns the complete document (backward-compatible). |
+| `"lite"` | Returns a compact projection — significantly fewer tokens. |
+
+Lite projections per entity:
+
+| Tool | Lite fields |
+|------|------------|
+| `list_tasks` / `list_tasks_by_mission` | `_id`, `_creationTime`, `title`, `status`, `priority`, `assignedTo`, `missionId` |
+| `list_missions` | `_id`, `_creationTime`, `name`, `status`, `pilot`, `priority`, `project` |
+| `list_briefing_notes` | `_id`, `_creationTime`, `topic`, `title`, `participants`, `createdBy` |
+
+Example (tasks lite):
+```json
+{
+  "tool": "list_tasks",
+  "arguments": { "assignedTo": "sigma", "fields": "lite", "limit": 20 }
+}
+```
+Returns:
+```json
+[
+  { "_id": "k17e2r...", "title": "Prepare MCP v2.3.0", "status": "in_progress", "priority": "high", "assignedTo": "sigma", "missionId": "k572a..." }
+]
+```
+
+### `status` arrays and aliases
+
+`list_tasks`, `list_tasks_by_mission`, and `list_missions` now accept `status` as a single string, an array, or one of the aliases below.
+
+#### Task status aliases
+
+| Alias | Expands to |
+|-------|-----------|
+| `"open"` | `["todo", "in_progress", "review", "blocked"]` — everything except `done` |
+| `"active"` | `["todo", "in_progress"]` |
+| `"all"` | No filter — returns all statuses |
+
+#### Mission status aliases
+
+| Alias | Expands to |
+|-------|-----------|
+| `"open"` | `["brainstorm", "plan", "execute", "validate"]` — everything except `complete` |
+| `"active"` | `["plan", "execute"]` |
+| `"all"` | No filter — returns all statuses |
+
+Examples:
+
+```json
+{ "tool": "list_tasks", "arguments": { "status": "open" } }
+{ "tool": "list_tasks", "arguments": { "status": ["todo", "in_progress"] } }
+{ "tool": "list_missions", "arguments": { "status": "active", "fields": "lite" } }
+{ "tool": "list_tasks_by_mission", "arguments": { "missionId": "k572a...", "status": "all", "fields": "lite" } }
+```
+
+Single-string status values still work unchanged — fully backward-compatible.
+
 ## Fix patterns cycle
 
 A fix pattern is a validated learning extracted from a resolved bug — symptom, root cause, and the fix that worked — stored in the VantagePeers knowledge base. Patterns accumulate across projects and agents so that the same bug is never debugged twice from scratch.
@@ -320,6 +400,11 @@ All orchestrator names are open strings — any lowercase name is accepted. The
 
 ## Changelog
 
+### 2.3.0 — 2026-05-26
+- `list_tasks`, `list_missions`, `list_tasks_by_mission`, `list_briefing_notes` now accept `fields=lite` for compact payloads (less tokens).
+- Status filters now accept arrays and aliases: `status=["todo","in_progress"]`, `status="open"` (expands to non-terminal), `status="active"` (in_progress only on tasks; plan+execute on missions), `status="all"` (no filter).
+- Single-string status still accepted unchanged (backward-compatible).
+
 ### 2.2.0 — 2026-05-07
 - 4 new fix-pattern tools: `create_fix_pattern`, `add_fix_attempt`, `validate_fix`, `link_issue_to_pattern`
 - Detailed per-tool docs with arg tables and example calls in README

package/dist/server-http.js

@@ -24,6 +24,7 @@
  *   PORT                  — HTTP port (default 3000)
  *   NODE_ENV              — set to "production" on Railway
  */
+import { readFileSync } from "node:fs";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { WebStandardStreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js";
 import { ConvexHttpClient } from "convex/browser";
@@ -31,10 +32,19 @@ import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { bearerAuthMiddleware, internalClient, masterOnlyMiddleware, sha256Base64Url, sha256Hex, } from "./src/auth.js";
 import { registerTools } from "./src/tools.js";
+let pkg;
+try {
+    // Source mode: server-http.ts → ./package.json = mcp-server/package.json
+    pkg = JSON.parse(readFileSync(new URL("./package.json", import.meta.url), "utf-8"));
+}
+catch {
+    // Dist mode: dist/server-http.js → ../package.json = mcp-server/package.json
+    pkg = JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf-8"));
+}
 // ─────────────────────────────────────────────────────────────────────────────
 // Constants
 // ─────────────────────────────────────────────────────────────────────────────
-const PUBLIC_BASE_URL = process.env.PUBLIC_BASE_URL ??
+const PUBLIC_BASE_URL_FALLBACK = process.env.PUBLIC_BASE_URL ??
     "https://vantage-peers-production.up.railway.app";
 const ACCESS_TOKEN_TTL_SECONDS = 3600; // 1 hour
 const REFRESH_TOKEN_TTL_SECONDS = 30 * 24 * 3600; // 30 days
@@ -46,9 +56,34 @@ const DEFAULT_PUBLIC_DCR_PROFILE = "client-generic";
 // ─────────────────────────────────────────────────────────────────────────────
 // Helpers
 // ─────────────────────────────────────────────────────────────────────────────
+/**
+ * Compute the issuer/base URL dynamically from the incoming request's Host
+ * header + protocol. Falls back to PUBLIC_BASE_URL env var when Host is absent
+ * (e.g., in curl smoke tests without a Host header).
+ *
+ * RFC 8414 §2: the issuer MUST be the URL the client uses to reach the server,
+ * so deriving it from the request is more correct than a hard-coded constant,
+ * especially when deployed behind a Railway/Cloudflare proxy that rewrites Host.
+ */
+function resolveIssuer(req) {
+    const host = req.headers.get("host");
+    if (host) {
+        // Use x-forwarded-proto when behind a reverse proxy; fall back to https.
+        const proto = req.headers.get("x-forwarded-proto") ??
+            (host.startsWith("localhost") || host.startsWith("127.")
+                ? "http"
+                : "https");
+        return `${proto}://${host}`;
+    }
+    return PUBLIC_BASE_URL_FALLBACK;
+}
 function randomOpaqueToken() {
-    // 2× UUID → ~256 bits of entropy. Strip dashes for compactness.
-    return `${crypto.randomUUID()}${crypto.randomUUID()}`.replace(/-/g, "");
+    // 256-bit entropy via getRandomValues (32 bytes → 64 hex chars).
+    const bytes = new Uint8Array(32);
+    crypto.getRandomValues(bytes);
+    return Array.from(bytes)
+        .map((b) => b.toString(16).padStart(2, "0"))
+        .join("");
 }
 async function loadScopeProfile(profileId) {
     return (await internalClient().query(
@@ -76,34 +111,65 @@ app.use("*", cors({
 // OAuth 2.0 discovery (unauthenticated)
 // ─────────────────────────────────────────────────────────────────────────────
 // RFC 9728 — OAuth 2.0 Protected Resource Metadata
-app.get("/.well-known/oauth-protected-resource", (c) => c.json({
-    resource: `${PUBLIC_BASE_URL}/mcp`,
-    authorization_servers: [PUBLIC_BASE_URL],
-    bearer_methods_supported: ["header"],
-    scopes_supported: ["vantage:read", "vantage:write"],
-}));
+app.get("/.well-known/oauth-protected-resource", (c) => {
+    const issuer = resolveIssuer(c.req.raw);
+    return c.json({
+        resource: issuer,
+        authorization_servers: [issuer],
+        scopes_supported: ["mcp:full"],
+    });
+});
 // RFC 8414 — OAuth 2.0 Authorization Server Metadata
-app.get("/.well-known/oauth-authorization-server", (c) => c.json({
-    issuer: PUBLIC_BASE_URL,
-    authorization_endpoint: `${PUBLIC_BASE_URL}/authorize`,
-    token_endpoint: `${PUBLIC_BASE_URL}/token`,
-    registration_endpoint: `${PUBLIC_BASE_URL}/register`,
-    response_types_supported: ["code"],
-    grant_types_supported: ["authorization_code", "refresh_token"],
-    code_challenge_methods_supported: ["S256"],
-    token_endpoint_auth_methods_supported: [
-        "client_secret_post",
-        "client_secret_basic",
-        "none",
-    ],
-    scopes_supported: ["vantage:read", "vantage:write"],
-}));
+app.get("/.well-known/oauth-authorization-server", (c) => {
+    const issuer = resolveIssuer(c.req.raw);
+    return c.json({
+        issuer,
+        authorization_endpoint: `${issuer}/authorize`,
+        token_endpoint: `${issuer}/token`,
+        registration_endpoint: `${issuer}/register`,
+        response_types_supported: ["code"],
+        grant_types_supported: ["authorization_code", "refresh_token"],
+        code_challenge_methods_supported: ["S256"],
+        token_endpoint_auth_methods_supported: [
+            "client_secret_basic",
+            "client_secret_post",
+        ],
+        scopes_supported: ["mcp:full"],
+    });
+});
+const registerRateBuckets = new Map();
+const REGISTER_RATE_LIMIT = 5;
+const REGISTER_RATE_WINDOW_MS = 60_000;
+function checkRegisterRateLimit(ip) {
+    const now = Date.now();
+    const bucket = registerRateBuckets.get(ip);
+    if (!bucket || now - bucket.windowStart >= REGISTER_RATE_WINDOW_MS) {
+        registerRateBuckets.set(ip, { count: 1, windowStart: now });
+        return true;
+    }
+    if (bucket.count < REGISTER_RATE_LIMIT) {
+        bucket.count++;
+        return true;
+    }
+    return false;
+}
 // ─────────────────────────────────────────────────────────────────────────────
 // RFC 7591 — Dynamic Client Registration
 // Anonymous registrations get DEFAULT_PUBLIC_DCR_PROFILE ("client-generic").
 // Pi must elevate the client via admin endpoint before real scopes are granted.
 // ─────────────────────────────────────────────────────────────────────────────
 app.post("/register", async (c) => {
+    // S2: rate limit by IP — 5 req/min
+    const clientIp = c.req.header("x-forwarded-for")?.split(",")[0]?.trim() ??
+        c.req.header("x-real-ip") ??
+        "unknown";
+    if (!checkRegisterRateLimit(clientIp)) {
+        c.header("Retry-After", "60");
+        return c.json({
+            error: "too_many_requests",
+            error_description: "Rate limit exceeded. Max 5 registrations per minute per IP.",
+        }, 429);
+    }
     let body = {};
     try {
         body = await c.req.json();
@@ -150,8 +216,8 @@ app.post("/register", async (c) => {
         token_endpoint_auth_method: "client_secret_post",
         grant_types: ["authorization_code", "refresh_token"],
         response_types: ["code"],
-        scope: "vantage:read vantage:write",
-        scope_profile: scopeProfile,
+        // SC: standardized on mcp:full — consistent with well-known metadata
+        scope: "mcp:full",
     }, 201);
 });
 // ─────────────────────────────────────────────────────────────────────────────
@@ -164,7 +230,8 @@ app.get("/authorize", async (c) => {
     const codeChallenge = q.code_challenge;
     const codeChallengeMethod = q.code_challenge_method ?? "S256";
     const state = q.state;
-    const scope = q.scope ?? "vantage:read vantage:write";
+    // SC: standardize scope — always mcp:full regardless of requested value
+    const scope = "mcp:full";
     const responseType = q.response_type;
     if (!clientId || !redirectUri || !codeChallenge) {
         return c.json({
@@ -357,7 +424,8 @@ app.post("/token", async (c) => {
             tokenHash: accessTokenHash,
             clientId: record.clientId,
             userId: record.userId,
-            scopes: ["vantage:read", "vantage:write"],
+            // SC: standardized on mcp:full
+            scopes: ["mcp:full"],
             scopeProfile: profile.profileId,
             fromAllowList: profile.fromAllowList,
             namespaceReadPrefixes: profile.namespaceReadPrefixes,
@@ -370,7 +438,8 @@ app.post("/token", async (c) => {
             token_type: "Bearer",
             expires_in: ACCESS_TOKEN_TTL_SECONDS,
             refresh_token: refreshTokenRaw, // reused
-            scope: "vantage:read vantage:write",
+            // SC: standardized on mcp:full
+            scope: "mcp:full",
         });
     }
     return c.json({ error: "unsupported_grant_type" }, 400);
@@ -381,9 +450,10 @@ app.post("/token", async (c) => {
 app.get("/health", (c) => c.json({
     status: "ok",
     service: "vantage-peers-mcp-http",
-    version: "2.1.0",
+    version: pkg.version,
     transport: "streamable-http",
-    oauth: "scoped-tokens",
+    oauth: "supported",
+    scopes: ["mcp:full"],
 }));
 // ─────────────────────────────────────────────────────────────────────────────
 // Admin endpoints — master token only
@@ -490,7 +560,7 @@ app.all("/mcp", bearerAuthMiddleware(), async (c) => {
     // Fresh McpServer per request — stateless mode, no session leakage
     const server = new McpServer({
         name: "vantage-peers",
-        version: "2.1.0",
+        version: pkg.version,
     });
     registerTools(server, convex, oauthCtx);
     const transport = new WebStandardStreamableHTTPServerTransport();

package/dist/server.js

@@ -433,7 +433,10 @@ server.tool("update_profile", "Create or update an orchestrator profile. Provide
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("list_memories", "List active memories for a namespace, ordered newest first. " +
     "Only returns isLatest=true memories (superseded memories are excluded by default). " +
-    "Use type to filter to a specific memory category.", {
+    "Use type to filter to a specific memory category. " +
+    "Returns { value: Memory[], continueCursor: string|null, isDone: boolean }. " +
+    "Pass paginationOpts.cursor from a previous response to fetch the next page. " +
+    "Without paginationOpts, returns ≤50 rows with continueCursor=null and isDone=true.", {
     namespace: z
         .string()
         .describe("Namespace to list memories from — e.g. 'global', 'orchestrator/pi'"),
@@ -447,19 +450,36 @@ server.tool("list_memories", "List active memories for a namespace, ordered newe
         .max(200)
         .optional()
         .default(20)
-        .describe("Maximum number of memories to return (default 20)"),
-}, async ({ namespace, type, limit }) => {
+        .describe("Maximum number of memories to return when paginationOpts is not provided (default 20, max 200)"),
+    paginationOpts: z
+        .object({
+        numItems: z
+            .number()
+            .int()
+            .min(1)
+            .max(200)
+            .describe("Number of items per page (max 200)"),
+        cursor: z
+            .union([z.string(), z.null()])
+            .describe("Cursor from a previous response continueCursor field, or null for the first page"),
+    })
+        .optional()
+        .describe("Optional cursor-based pagination. Pass { numItems, cursor: null } for the first page, " +
+        "then { numItems, cursor: <continueCursor from response> } for subsequent pages. " +
+        "When provided, isDone=false means more pages exist."),
+}, async ({ namespace, type, limit, paginationOpts }) => {
     try {
-        const memories = await convex.query("memories:listMemories", {
+        const result = await convex.query("memories:listMemories", {
             namespace,
             type,
             limit: limit ?? 20,
+            paginationOpts,
         });
         return {
             content: [
                 {
                     type: "text",
-                    text: JSON.stringify(memories, null, 2),
+                    text: JSON.stringify(result, null, 2),
                 },
             ],
         };
@@ -831,14 +851,25 @@ server.tool("create_task", "Create a task in VantagePeers. Tasks are assigned to
 // Tool: list_tasks
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("list_tasks", "List tasks from VantagePeers with optional filters. " +
-    "Filter by assignee, instance, status, and/or project. Returns newest first.", {
+    "Filter by assignee, instance, status, and/or project. Returns newest first. " +
+    "status accepts a single value or an array, plus aliases: " +
+    "'open' (todo+in_progress+review+blocked), 'active' (todo+in_progress), 'all' (no filter). " +
+    "fields='lite' returns compact payloads ({_id,title,status,priority,assignedTo,missionId}) — fewer tokens.", {
     assignedTo: assigneeSchema.optional().describe("Filter by assignee"),
     assignedToInstance: z
         .string()
         .optional()
         .describe("Filter by instance — e.g. 'pi-vps'. Returns only tasks assigned to that instance."),
-    status: taskStatusSchema.optional().describe("Filter by status"),
+    status: z
+        .union([taskStatusSchema, z.array(z.string()), z.string()])
+        .optional()
+        .describe("Filter by status. Single value, array, or alias: " +
+        "'open' (non-terminal), 'active' (in_progress only), 'all' (no filter)."),
     project: z.string().optional().describe("Filter by project name"),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -847,13 +878,14 @@ server.tool("list_tasks", "List tasks from VantagePeers with optional filters. "
         .optional()
         .default(50)
         .describe("Maximum number of tasks to return (default 50)"),
-}, async ({ assignedTo, assignedToInstance, status, project, limit }) => {
+}, async ({ assignedTo, assignedToInstance, status, project, fields, limit }) => {
     try {
         const tasks = await convex.query("tasks:list", {
             assignedTo,
             assignedToInstance,
             status,
             project,
+            fields,
             limit: limit ?? 50,
         });
         return {
@@ -1102,9 +1134,20 @@ server.tool("add_task_dependency", "Add a dependency to a task. The task cannot
 // ─────────────────────────────────────────────────────────────────────────────
 // Tool: list_tasks_by_mission
 // ─────────────────────────────────────────────────────────────────────────────
-server.tool("list_tasks_by_mission", "List all tasks linked to a specific mission. Optionally filter by status.", {
+server.tool("list_tasks_by_mission", "List all tasks linked to a specific mission. Optionally filter by status. " +
+    "status accepts a single value or an array, plus aliases: " +
+    "'open' (todo+in_progress+review+blocked), 'active' (todo+in_progress), 'all' (no filter). " +
+    "fields='lite' returns compact payloads ({_id,title,status,priority,assignedTo,missionId}) — fewer tokens.", {
     missionId: z.string().describe("Convex document ID of the mission"),
-    status: taskStatusSchema.optional().describe("Filter by task status"),
+    status: z
+        .union([taskStatusSchema, z.array(z.string()), z.string()])
+        .optional()
+        .describe("Filter by task status. Single value, array, or alias: " +
+        "'open' (non-terminal), 'active' (in_progress only), 'all' (no filter)."),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -1113,11 +1156,12 @@ server.tool("list_tasks_by_mission", "List all tasks linked to a specific missio
         .optional()
         .default(50)
         .describe("Maximum number of tasks to return (default 50)"),
-}, async ({ missionId, status, limit }) => {
+}, async ({ missionId, status, fields, limit }) => {
     try {
         const tasks = await convex.query("tasks:listByMission", {
             missionId: missionId,
             status,
+            fields,
             limit: limit ?? 50,
         });
         return {
@@ -1191,10 +1235,21 @@ server.tool("create_mission", "Create a mission in VantagePeers. Missions group
 // Tool: list_missions
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("list_missions", "List missions from VantagePeers with optional filters. " +
-    "Filter by project, pilot, and/or status. Returns newest first.", {
+    "Filter by project, pilot, and/or status. Returns newest first. " +
+    "status accepts a single value or an array, plus aliases: " +
+    "'open' (brainstorm+plan+execute+validate), 'active' (plan+execute), 'all' (no filter). " +
+    "fields='lite' returns compact payloads ({_id,name,status,pilot,priority,project}) — fewer tokens.", {
     project: z.string().optional().describe("Filter by project name"),
     pilot: creatorSchema.optional().describe("Filter by pilot orchestrator"),
-    status: missionStatusSchema.optional().describe("Filter by status"),
+    status: z
+        .union([missionStatusSchema, z.array(z.string()), z.string()])
+        .optional()
+        .describe("Filter by status. Single value, array, or alias: " +
+        "'open' (non-terminal), 'active' (plan+execute), 'all' (no filter)."),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -1203,12 +1258,13 @@ server.tool("list_missions", "List missions from VantagePeers with optional filt
         .optional()
         .default(50)
         .describe("Maximum number of missions to return (default 50)"),
-}, async ({ project, pilot, status, limit }) => {
+}, async ({ project, pilot, status, fields, limit }) => {
     try {
         const missions = await convex.query("missions:list", {
             project,
             pilot,
             status,
+            fields,
             limit: limit ?? 50,
         });
         return {
@@ -1413,6 +1469,31 @@ server.tool("list_diaries", "List diary entries, optionally filtered by orchestr
     }
 });
 // ─────────────────────────────────────────────────────────────────────────────
+// Tool: delete_diary
+// ─────────────────────────────────────────────────────────────────────────────
+server.tool("delete_diary", "Permanently delete a diary entry by ID. Only the owner (or system) can delete.", {
+    diaryId: z.string().describe("Convex document ID of the diary entry to delete"),
+    callerOrchestrator: creatorSchema.optional().describe("Optional RBAC — must be the owner or system"),
+}, async ({ diaryId, callerOrchestrator }) => {
+    try {
+        const result = await convex.mutation("diary:deleteDiary", {
+            diaryId: diaryId,
+            callerOrchestrator,
+        });
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(result, null, 2),
+                },
+            ],
+        };
+    }
+    catch (error) {
+        return mcpError(error.message ?? String(error));
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
 // Tool: create_briefing_note
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("create_briefing_note", "Create a briefing note — a structured record of a topic discussion, with participants, " +
@@ -1511,11 +1592,16 @@ server.tool("update_briefing_note", "Update an existing briefing note. Partial-u
 // ─────────────────────────────────────────────────────────────────────────────
 // Tool: list_briefing_notes
 // ─────────────────────────────────────────────────────────────────────────────
-server.tool("list_briefing_notes", "List briefing notes, optionally filtered by topic. Returns newest first.", {
+server.tool("list_briefing_notes", "List briefing notes, optionally filtered by topic. Returns newest first. " +
+    "fields='lite' returns compact payloads ({_id,topic,title,participants,createdBy}) — fewer tokens.", {
     topic: z
         .string()
         .optional()
         .describe("Filter to a specific topic — omit for all"),
+    fields: z
+        .enum(["lite", "full"])
+        .optional()
+        .describe("'lite' = compact payload (less tokens), 'full' = default with all fields"),
     limit: z
         .number()
         .int()
@@ -1524,10 +1610,11 @@ server.tool("list_briefing_notes", "List briefing notes, optionally filtered by
         .optional()
         .default(20)
         .describe("Maximum notes to return (default 20)"),
-}, async ({ topic, limit }) => {
+}, async ({ topic, fields, limit }) => {
     try {
         const notes = await convex.query("briefingNotes:list", {
             topic,
+            fields,
             limit: limit ?? 20,
         });
         return {
@@ -1544,6 +1631,31 @@ server.tool("list_briefing_notes", "List briefing notes, optionally filtered by
     }
 });
 // ─────────────────────────────────────────────────────────────────────────────
+// Tool: delete_briefing_note
+// ─────────────────────────────────────────────────────────────────────────────
+server.tool("delete_briefing_note", "Permanently delete a briefing note by ID. Only the creator (or system) can delete.", {
+    noteId: z.string().describe("Convex document ID of the briefing note to delete"),
+    callerOrchestrator: creatorSchema.optional().describe("Optional RBAC — must be creator or system"),
+}, async ({ noteId, callerOrchestrator }) => {
+    try {
+        const result = await convex.mutation("briefingNotes:deleteBriefingNote", {
+            noteId: noteId,
+            callerOrchestrator,
+        });
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(result, null, 2),
+                },
+            ],
+        };
+    }
+    catch (error) {
+        return mcpError(error.message ?? String(error));
+    }
+});
+// ─────────────────────────────────────────────────────────────────────────────
 // Tool: register_component
 // ─────────────────────────────────────────────────────────────────────────────
 server.tool("register_component", "Register or update a component (agent, skill, hook, or plugin) in the registry. " +

package/dist/src/auth.js

@@ -212,7 +212,48 @@ export function bearerAuthMiddleware() {
             await next();
             return;
         }
-        // ── (3) Legacy internal bearer — mcpTenants table ───────────────────────
+        // ── (3) DCR OAuth token — check oauthTokens via oauthDcr:validateAccessToken
+        // Uses raw token (not hashed) — the DCR table stores tokens in plaintext.
+        // This path handles Claude.ai clients registered via POST /register.
+        let dcrResult = null;
+        try {
+            dcrResult = (await internalClient().query(
+            // biome-ignore lint/suspicious/noExplicitAny: Convex string API
+            "oauthDcr:validateAccessToken", { accessToken: token }));
+        }
+        catch (err) {
+            const message = err instanceof Error ? err.message : String(err);
+            console.warn("[auth] DCR OAuth lookup skipped:", message);
+        }
+        if (dcrResult?.valid === true) {
+            const internalUrl = process.env.CONVEX_URL_INTERNAL;
+            if (!internalUrl) {
+                console.error("[auth] CONVEX_URL_INTERNAL not set — cannot route DCR OAuth token");
+                return c.json({ error: "Server misconfigured: internal deployment URL missing" }, 500);
+            }
+            // Map DCR single-scope string → OAuthContext fields.
+            // DCR tokens always carry "mcp:full" which maps to full access.
+            const scopes = dcrResult.scope.split(/\s+/).filter(Boolean);
+            const isFull = scopes.includes("mcp:full");
+            c.set("tenant", {
+                tenantName: `dcr:${dcrResult.clientId}`,
+                convexUrl: internalUrl,
+            });
+            c.set("oauthContext", {
+                clientId: dcrResult.clientId,
+                userId: dcrResult.clientId,
+                scopes,
+                scopeProfile: isFull ? "master" : "client-generic",
+                fromAllowList: isFull ? ["*"] : [],
+                namespaceReadPrefixes: isFull ? ["*"] : [],
+                namespaceWritePrefixes: isFull ? ["*"] : [],
+                expiresAt: dcrResult.expiresAt,
+                isMaster: false,
+            });
+            await next();
+            return;
+        }
+        // ── (4) Legacy internal bearer — mcpTenants table ───────────────────────
         let tenant;
         try {
             tenant = (await internalClient().query(

package/dist/src/tools.js

@@ -59,7 +59,7 @@ const memoryTypeSchema = z
     .describe("Memory classification type");
 export const creatorSchema = z
     .string()
-    .describe("Orchestrator role name (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, laurent, or any custom client role (lowercase string)). " +
+    .describe("Orchestrator role name (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, laurent, or any custom client role (lowercase string)). " +
     "New internal orchestrators use Greek letters (lowercase); external client orchestrators use free lowercase strings.");
 export const severitySchema = z
     .enum(["critical", "major", "minor"])
@@ -105,7 +105,7 @@ export const updateBriefingNoteSchema = z.object({
 });
 const assigneeSchema = z
     .string()
-    .describe("Orchestrator to assign to (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, laurent, or any custom client role (lowercase string)). " +
+    .describe("Orchestrator to assign to (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, laurent, or any custom client role (lowercase string)). " +
     "New internal orchestrators use Greek letters (lowercase); external client orchestrators use free lowercase strings.");
 const prioritySchema = z
     .enum(["urgent", "high", "medium", "low"])
@@ -615,7 +615,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("send_message", "Send a message to one, many, or all orchestrators. " +
         "channel: 'broadcast' = all, 'tau' = role DM, 'pi-vps' = instance DM, 'tau,phi' = multi. " +
         "Creates message + one receipt per recipient. Replaces claude-peers send_message.", {
-        from: creatorSchema.describe("Sender role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, or any custom role)"),
+        from: creatorSchema.describe("Sender role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, or any custom role)"),
         fromInstanceId: z
             .string()
             .optional()
@@ -673,7 +673,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("check_messages", "Check for unread messages. Returns messages with receiptIds for marking as read. " +
         "If recipientInstanceId is provided, returns instance-targeted + role-level messages. " +
         "Replaces claude-peers check_messages.", {
-        recipient: creatorSchema.describe("Orchestrator role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, or any custom role)"),
+        recipient: creatorSchema.describe("Orchestrator role (e.g. pi, tau, phi, sigma, omega, zeta, eta, kappa, alpha, lambda, victor, epsilon, omicron, upsilon, or any custom role)"),
         recipientInstanceId: z
             .string()
             .optional()
@@ -2536,7 +2536,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("add_repo_mapping", "Add or update a GitHub repo → orchestrator mapping. Used by the webhook pipeline to route GitHub events to the right orchestrator.", {
         repo: z
             .string()
-            .describe("Full repo name — e.g. 'elpiarthera/vantage-peers'"),
+            .describe("Full repo name — e.g. 'vantageos-agency/vantage-peers'"),
         orchestrator: z
             .string()
             .describe("Target orchestrator — e.g. 'sigma', 'omega', 'tau'"),
@@ -2590,7 +2590,7 @@ export function registerTools(server, convex, oauthCtx) {
     server.tool("remove_repo_mapping", "Remove a GitHub repo mapping by repo name. Stops routing webhook events for this repo.", {
         repo: z
             .string()
-            .describe("Full repo name to remove — e.g. 'elpiarthera/vantage-peers'"),
+            .describe("Full repo name to remove — e.g. 'vantageos-agency/vantage-peers'"),
     }, async ({ repo }) => {
         try {
             const result = await convex.mutation("githubRepoMapping:remove", {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vantage-peers-mcp",
-  "version": "2.2.0",
+  "version": "2.3.1",
   "description": "MCP server for VantagePeers — shared memory, messaging, and task coordination for AI agent teams",
   "type": "module",
   "main": "./dist/server.js",
@@ -16,7 +16,8 @@
   },
   "files": [
     "dist/",
-    "README.md"
+    "README.md",
+    "CHANGELOG.md"
   ],
   "scripts": {
     "generate:api": "cd .. && npx convex-helpers ts-api-spec --prod --output-file mcp-server/api.ts",
@@ -56,7 +57,7 @@
   "author": "ElPi Corp",
   "license": "FSL-1.1-Apache-2.0",
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@modelcontextprotocol/sdk": "^1.29.0",
     "convex": "^1.34.0",
     "dotenv": "^17.4.2",
     "zod": "^4.3.6"
@@ -68,6 +69,9 @@
     "typescript": "^5.9.3",
     "@types/node": "^24.12.2"
   },
+  "overrides": {
+    "path-to-regexp": "^8.4.0"
+  },
   "engines": {
     "node": ">=18"
   },