npm - vantage-peers-mcp - Versions diffs - 2.4.6 → 2.4.8 - Mend

vantage-peers-mcp 2.4.6 → 2.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -9,8 +9,6 @@ MCP server for [VantagePeers](https://vantagepeers.com) — shared memory, messa
 84 tools across 18 categories: memory, profiles, tasks, missions, mission templates, messages, diary, briefing notes, search (RAG), issues, fix patterns, error monitoring, deployments, business units, components, mandates, recurring tasks, and session. All tools ship with ChatGPT Apps SDK annotations (`readOnlyHint`, `openWorldHint`, `destructiveHint`) for native UX in ChatGPT custom connectors.
-**Companion plugin — 32 skills (target v2.7.0):** the `vantage-peers` Claude Code plugin wraps these 84 tools with 32 high-level skills split across three phases — Phase A (11 skills, v2.5.0): `dispatch-message`, `dispatch-task-create`, `dispatch-task-complete`, `dispatch-task-start`, `dispatch-subagent`, `identity-set`, `mission-bootstrap`, `check-messages` v5.1, `check-tasks` v2, `daily-start` v3, `close-day` v2 — Phase B (10 skills, v2.6.0): `memory-write`, `briefing-write`, `mission-template-apply`, `task-structure`, `component-register`, `component-discover`, `issue-triage`, `fix-pattern-cycle`, `episode-log`, `recall-deep` — Phase C (11 skills, v2.7.0): `briefing-recall`, `repo-link`, `recurring-schedule`, `deploy-track`, `profile-lookup`, `peers-discovery`, `mandate-lifecycle`, `bu-manage`, `messages-history`, `memory-edit`, `diary-discover`.
 ## Quick start
 ```bash

package/dist/src/tools.js CHANGED Viewed

@@ -2062,12 +2062,19 @@ export function registerTools(server, convex, oauthCtx) {
             const fromDenied = guardFrom(orchestrator);
             if (fromDenied)
                 return fromDenied;
+            // v2.4.8: derive createdBy from auth context (oauthCtx.userId).
+            // This is the anti-spoof authored-by — distinct from orchestrator
+            // (writer-intent label, client-supplied). On the no-auth path
+            // (master-scope bearer / local dev), oauthCtx is undefined and
+            // createdBy gracefully degrades to undefined (transition period).
+            const createdBy = oauthCtx?.userId;
             const diaryId = await convex.mutation("diary:write", {
                 date,
                 orchestrator,
                 content,
                 highlights: toArray(highlights),
                 blockers: toArray(blockers),
+                createdBy,
             });
             return {
                 content: [
@@ -2139,7 +2146,7 @@ export function registerTools(server, convex, oauthCtx) {
             .describe("Filter to a specific orchestrator — omit for all"),
         createdBy: assigneeSchema
             .optional()
-            .describe("Filter by creator/orchestrator role — alias of `orchestrator` for cross-tool consistency (mirrors list_tasks pattern). If both are passed, `createdBy` wins."),
+            .describe("Filter by auth-derived author (v2.4.8+, anti-spoof). Distinct from `orchestrator` which is the writer-intent label. Pre-v2.4.8 entries are backfilled with orchestrator as best-guess."),
         limit: z
             .number()
             .int()
@@ -2155,16 +2162,22 @@ export function registerTools(server, convex, oauthCtx) {
         title: "List diary entries",
     }, async ({ orchestrator, createdBy, limit }) => {
         try {
-            // createdBy is an alias of orchestrator (diary's author field). If both set, createdBy wins.
-            const effectiveOrchestrator = createdBy ?? orchestrator;
-            // Non-master: must scope to own orchestrator id.
+            // v2.4.8: orchestrator (writer-intent) and createdBy (auth-derived
+            // author) are separate filters — NOT aliases. Forward both independently.
+            // Non-master: REQUIRE at least one explicit self-scope — undefined passes
+            // through are forbidden. Mirrors v2.4.7 effectiveOrchestrator shortcircuit:
+            // undefined !== myId → Forbidden. No silent fleet-read for non-master callers.
             if (oauthCtx && !isMasterScope(oauthCtx)) {
-                if (effectiveOrchestrator !== oauthCtx.userId) {
-                    return mcpError(`Forbidden: list_diaries requires orchestrator='${oauthCtx.userId}' for non-master scope (current: ${oauthCtx.scopeProfile}).`);
+                const myId = oauthCtx.userId;
+                const orchestratorScoped = orchestrator === myId;
+                const createdByScoped = createdBy === myId;
+                if (!orchestratorScoped && !createdByScoped) {
+                    return mcpError(`Forbidden: list_diaries requires orchestrator='${myId}' OR createdBy='${myId}' for non-master scope (current scope: ${oauthCtx.scopeProfile}).`);
                 }
             }
             const entries = await convex.query("diary:list", {
-                orchestrator: effectiveOrchestrator,
+                orchestrator,
+                createdBy,
                 limit: limit ?? 20,
             });
             return {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "vantage-peers-mcp",
-  "version": "2.4.6",
+  "version": "2.4.8",
   "description": "MCP server for VantagePeers — shared memory, messaging, and task coordination for AI agent teams",
   "type": "module",
   "main": "./dist/server.js",