npm - vantage-peers-mcp - Versions diffs - 2.4.3 → 2.4.8 - Mend

vantage-peers-mcp 2.4.3 → 2.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/src/tools.js +27 -5
package/package.json +1 -1

package/dist/src/tools.js CHANGED Viewed

@@ -865,6 +865,9 @@ export function registerTools(server, convex, oauthCtx) {
         type: memoryTypeSchema
             .optional()
             .describe("Filter to a specific type — omit to return all types"),
+        createdBy: assigneeSchema
+            .optional()
+            .describe("Filter by creator/orchestrator role — mirrors list_tasks pattern for cross-tool consistency."),
         limit: z
             .number()
             .int()
@@ -878,7 +881,7 @@ export function registerTools(server, convex, oauthCtx) {
         openWorldHint: false,
         destructiveHint: false,
         title: "List memories",
-    }, async ({ namespace, type, limit }) => {
+    }, async ({ namespace, type, createdBy, limit }) => {
         try {
             const nsDenied = guardRead(namespace);
             if (nsDenied)
@@ -886,6 +889,7 @@ export function registerTools(server, convex, oauthCtx) {
             const memories = await convex.query("memories:listMemories", {
                 namespace,
                 type,
+                createdBy,
                 limit: limit ?? 20,
             });
             const rawList = Array.isArray(memories)
@@ -2058,12 +2062,19 @@ export function registerTools(server, convex, oauthCtx) {
             const fromDenied = guardFrom(orchestrator);
             if (fromDenied)
                 return fromDenied;
+            // v2.4.8: derive createdBy from auth context (oauthCtx.userId).
+            // This is the anti-spoof authored-by — distinct from orchestrator
+            // (writer-intent label, client-supplied). On the no-auth path
+            // (master-scope bearer / local dev), oauthCtx is undefined and
+            // createdBy gracefully degrades to undefined (transition period).
+            const createdBy = oauthCtx?.userId;
             const diaryId = await convex.mutation("diary:write", {
                 date,
                 orchestrator,
                 content,
                 highlights: toArray(highlights),
                 blockers: toArray(blockers),
+                createdBy,
             });
             return {
                 content: [
@@ -2133,6 +2144,9 @@ export function registerTools(server, convex, oauthCtx) {
         orchestrator: creatorSchema
             .optional()
             .describe("Filter to a specific orchestrator — omit for all"),
+        createdBy: assigneeSchema
+            .optional()
+            .describe("Filter by auth-derived author (v2.4.8+, anti-spoof). Distinct from `orchestrator` which is the writer-intent label. Pre-v2.4.8 entries are backfilled with orchestrator as best-guess."),
         limit: z
             .number()
             .int()
@@ -2146,16 +2160,24 @@ export function registerTools(server, convex, oauthCtx) {
         openWorldHint: false,
         destructiveHint: false,
         title: "List diary entries",
-    }, async ({ orchestrator, limit }) => {
+    }, async ({ orchestrator, createdBy, limit }) => {
         try {
-            // Non-master: must scope to own orchestrator id.
+            // v2.4.8: orchestrator (writer-intent) and createdBy (auth-derived
+            // author) are separate filters — NOT aliases. Forward both independently.
+            // Non-master: REQUIRE at least one explicit self-scope — undefined passes
+            // through are forbidden. Mirrors v2.4.7 effectiveOrchestrator shortcircuit:
+            // undefined !== myId → Forbidden. No silent fleet-read for non-master callers.
             if (oauthCtx && !isMasterScope(oauthCtx)) {
-                if (orchestrator !== oauthCtx.userId) {
-                    return mcpError(`Forbidden: list_diaries requires orchestrator='${oauthCtx.userId}' for non-master scope (current: ${oauthCtx.scopeProfile}).`);
+                const myId = oauthCtx.userId;
+                const orchestratorScoped = orchestrator === myId;
+                const createdByScoped = createdBy === myId;
+                if (!orchestratorScoped && !createdByScoped) {
+                    return mcpError(`Forbidden: list_diaries requires orchestrator='${myId}' OR createdBy='${myId}' for non-master scope (current scope: ${oauthCtx.scopeProfile}).`);
                 }
             }
             const entries = await convex.query("diary:list", {
                 orchestrator,
+                createdBy,
                 limit: limit ?? 20,
             });
             return {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vantage-peers-mcp",
-  "version": "2.4.3",
+  "version": "2.4.8",
   "description": "MCP server for VantagePeers — shared memory, messaging, and task coordination for AI agent teams",
   "type": "module",
   "main": "./dist/server.js",