vantage-peers-mcp 2.4.13 → 2.5.0

package/CHANGELOG.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## [2.5.0] — 2026-06-06 — Day 92 VP MCP quality overhaul (mission k57a36y8)
+
+Day 92 mission `k57a36y8w5t085bqr23dsmvb2d882506` ships a fleet-wide VP MCP quality bump
+across audit, docs, hooks, security, and consistency dimensions. 15 PRs merged to main.
+
+### Phase A — Audit + new tools
+- **A1** Day 92 VP MCP tools audit matrix (85 tools, 14 P0 zero-auth gaps) — `docs/test-reports/day92-vp-mcp-audit-matrix.md`.
+- **A2** Consistency analysis report — `docs/test-reports/day92-vp-mcp-consistency-analysis.md`.
+- **A3** New `whoami` LECTURE tool — first per-tool `outputSchema` export precedent.
+- **A4** Consolidated gap matrix — `docs/test-reports/day92-vp-mcp-gap-matrix-consolidated.md`.
+
+### Phase B — Documentation
+- **B1** `docs/cloud/security-multi-tenant.md` §4 scope-aware filter framework rewrite.
+- **B2** `docs/cloud/tools-quality-standard.md` (NEW) — 12-section bilingual quality standard.
+- **B3** `docs/cloud/onboarding-customer.md` (NEW) — customer onboarding guide (bilingual FR+EN).
+
+### Phase C — Consistency
+- **C0** 14 P0 zero-auth write tools secured with `guardMasterOnly` (C0.1 → C0.6, 6 PRs).
+- **C1** 87 Zod `outputSchema` exports per per-family envelope standard (B2 §3).
+- **C2** Orchestrator-id NFC normalization + case-insensitive matching; idempotent prod migration `convex/migrations/c2-normalize-orchestrator-ids.ts` (7 tables).
+- **C3** 97 tool descriptions standardized + 10 canonical aliases gated through `guardMasterOnly` (security regression fixed in iter 2) + alias-c0-gate-coverage test (15/15 PASS).
+- **C4** Legacy `claude-peers` references removed repo-wide + `grep-gate` CI workflow.
+
+### Phase F — Hooks + plugin
+- **F1** New consolidated `validate_task_payload` MCP tool + TypeScript validator library (replaces 5 single-axis hooks).
+- **F2** Plugin propagation runbook + `plugin-vs-workspace-hooks.md` doctrine.
+
+### Scope-aware filtering
+- `list_tasks` `fromAllowList[]` + case-insensitive matching (PR #654, #661).
+- 3 admin endpoints reinstated for Marie cohort (prior session).
+
+### Tenant trio
+- Persistent test tenant trio (alpha/beta/gamma) seeded on prod with bearers, scope_profiles, and seed data for cross-orchestrator E2E.
+
+### Deploy authorization
+- `PI_AUTHORIZED_TASK_ID=k1751nfs27t9f9mpvg3ppd6xad884r59` (Day 82 doctrine).
+- Mission: `k57a36y8w5t085bqr23dsmvb2d882506`.
+- Branch: `release/v2.5.0` opened against `main` at HEAD `18a5530`.
+
 ## [2.4.13] — 2026-06-02 — Post-public republish: attribution + CHANGELOG day-numbers + RULE #7 narrative scrub
 
 Repository visibility flip to PUBLIC on 2026-06-02 (mission D62 `k57e4t21sr55rhz8ng554eseb987wvh3`). This patch republishes the npm package so the published README + CHANGELOG + attribution match the now-public source.

package/README.md

@@ -3,11 +3,11 @@
 [![npm version](https://img.shields.io/npm/v/vantage-peers-mcp)](https://www.npmjs.com/package/vantage-peers-mcp)
 [![npm downloads](https://img.shields.io/npm/dm/vantage-peers-mcp)](https://www.npmjs.com/package/vantage-peers-mcp)
 [![License: FSL-1.1-Apache-2.0](https://img.shields.io/badge/license-FSL--1.1--Apache--2.0-blue)](https://github.com/vantageos-agency/vantage-peers/blob/main/LICENSE)
-[![Tests: 84/84](https://img.shields.io/badge/MCP_tools-84_registered-green)]()
+[![Tests: 97/97](https://img.shields.io/badge/MCP_tools-97_registered-green)]()
 
 MCP server for [VantagePeers](https://vantagepeers.com) — shared memory, messaging, and task coordination for AI agent teams.
 
-84 tools across 18 categories: memory, profiles, tasks, missions, mission templates, messages, diary, briefing notes, search (RAG), issues, fix patterns, error monitoring, deployments, business units, components, mandates, recurring tasks, and session. All tools ship with ChatGPT Apps SDK annotations (`readOnlyHint`, `openWorldHint`, `destructiveHint`) for native UX in ChatGPT custom connectors.
+97 tools across 18 categories: memory, profiles, tasks, missions, mission templates, messages, diary, briefing notes, search (RAG), issues, fix patterns, error monitoring, deployments, business units, components, mandates, recurring tasks, and session. All tools ship with ChatGPT Apps SDK annotations (`readOnlyHint`, `openWorldHint`, `destructiveHint`) for native UX in ChatGPT custom connectors.
 
 ## Quick start
 
@@ -17,6 +17,20 @@ npx vantage-peers-mcp
 
 Requires `CONVEX_URL` pointing to your VantagePeers Convex deployment.
 
+## What's new in v2.5.0
+
+Day 92 VP MCP quality overhaul (mission `k57a36y8w5t085bqr23dsmvb2d882506`, PR #678):
+
+- **C0 — 14 P0 zero-auth write tools secured** with master-only gates (`guardMasterOnly` / `checkFromAllowed`); all 14 tools identified in the A1 audit matrix (commit `d03d2d7`) now require an explicit scope gate before any mutation reaches Convex.
+- **C1 — 87 Zod `outputSchema` exports** following the per-family envelope standard (`create_*` → `{id,...}`, `list_*` → `{items,cursor}`, `delete_*` → `{id,deleted:true}`, etc.) based on the `whoamiOutputSchema` precedent (commit `5231811`).
+- **C2 — Unicode NFC normalization + case-insensitive orchestrator-ID matching** applied at all write paths and filter comparisons; closes the NFD/NFC silent mismatch class discovered in the Hélios/helios production regression.
+- **C3 — 97 tool descriptions standardized** (1-line summary + WHEN clause + concrete EXAMPLE, 80–500 chars) + 10 canonical aliases aligned to the `verb_noun_snake` whitelist.
+- **C4 — `claude-peers` legacy references removed** from source and docs + grep-gate CI check to prevent reintroduction.
+- **A3 — `whoami` LECTURE tool** (PR #661, commit `5231811`) — returns `suggested_orchestrator_id`, `scope_profile`, and `namespace_read_prefixes` so skills auto-resolve identity without prompting the user.
+- **F1 — `validate_task_payload` validator tool** (commit `cf6c961`) — client-side payload validation before any write reaches Convex.
+
+See `mcp-server/CHANGELOG.md` for the full per-PR list.
+
 ## Install
 
 ### Option 1: npx (no install)
@@ -74,7 +88,7 @@ VantagePeers ships a built-in OAuth 2.1 authorization server so Claude.ai web ca
 
 The server also reads `CONVEX_URL` from `.env.local` in the parent directory if not set via environment.
 
-## Tools (84)
+## Tools (97)
 
 ### Memory (6)
 `store_memory`, `recall`, `list_memories`, `soft_delete_memory`, `get_memory`, `store_episode`

package/dist/server-http.d.ts

@@ -24,4 +24,18 @@
  *   PORT                  — HTTP port (default 3000)
  *   NODE_ENV              — set to "production" on Railway
  */
-export {};
+import { Hono } from "hono";
+/**
+ * D6 helper — extract client_secret from either the Authorization: Basic header
+ * (RFC 6749 §2.3.1 client_secret_basic) or the form body (client_secret_post).
+ * Returns { clientId, clientSecret } when present, else nulls.
+ *
+ * Basic header format: "Basic base64(client_id:client_secret)".
+ * Per RFC 6749 §2.3.1 the values are form-urlencoded before being colon-joined.
+ */
+export declare function parseBasicAuthSecret(authHeader: string | undefined, body: Record<string, string>): {
+    clientId: string | null;
+    clientSecret: string | null;
+};
+export declare function redirectUriMatches(registeredUri: string, presentedUri: string): boolean;
+export declare const app: Hono<import("hono/types").BlankEnv, import("hono/types").BlankSchema, "/">;