diff --git a/backend/src/mcp/note-tools.test.ts b/backend/src/mcp/note-tools.test.ts
index 32b23ac..36cd31f 100644
--- a/backend/src/mcp/note-tools.test.ts
+++ b/backend/src/mcp/note-tools.test.ts
@@ -178,6 +178,21 @@ describe('note executable MCP tools', () => {
 expect(createNoteMock).toHaveBeenCalledTimes(1);
 expect(createNoteAgentActionMock).toHaveBeenCalledTimes(1);
+ expect(createNoteAgentActionMock).toHaveBeenCalledWith(
+ expect.objectContaining({
+ productId: 'bytelyst-notes',
+ workspaceId: 'ws_1',
+ userId: 'user_1',
+ actorId: 'agent_1',
+ actorType: 'agent',
+ toolName: NOTES_MCP_TOOL_NAMES.createDraft,
+ actionType: 'create',
+ state: 'proposed',
+ idempotencyKey: 'idem_1',
+ correlationId: 'corr_1',
+ workflowId: 'req_1',
+ })
+ );
 expect(result).toMatchObject({
 dryRun: false,
 state: 'draft',
diff --git a/docs/roadmaps/05_MCP_AGENT_ROADMAP.md b/docs/roadmaps/05_MCP_AGENT_ROADMAP.md
index a902b25..ede7de9 100644
--- a/docs/roadmaps/05_MCP_AGENT_ROADMAP.md
+++ b/docs/roadmaps/05_MCP_AGENT_ROADMAP.md
@@ -35,10 +35,10 @@ Parent: `docs/ROADMAP.md`
 # Phase A3 — Operational Hardening
 - [x] Workspace/product scoping guardrails
-- [ ] Audit verification for mutating tools
-- [ ] Safe usage docs and runbooks
+- [x] Audit verification for mutating tools
+- [x] Safe usage docs and runbooks
 - [x] Regression tests for mutating tool paths
-- [ ] Review `mcp-server` integration against auth boundaries
+- [x] Review `mcp-server` integration against auth boundaries
 # A2A Follow-On Work
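Review bot: The new `toHaveBeenCalledWith(expect.objectContaining({...}))` assertion proves the agent-action record carries the expected scope and actor fields, but a subset match cannot detect unwanted extra fields, so it would not catch the audit record persisting request-bound credentials such as the `authorization` header or `jwtPayload` that the roadmap in this same commit says the shared server passes into tool execution. If the audit record is meant to stay free of those, add a shape check beside the new assertion: `expect(createNoteAgentActionMock.mock.calls[0]?.[0]).not.toHaveProperty('authorization');` and `expect(createNoteAgentActionMock.mock.calls[0]?.[0]).not.toHaveProperty('jwtPayload');` (the preceding `toHaveBeenCalledTimes(1)` guarantees the call exists). The two `state` values in this block, `'proposed'` on the agent action and `'draft'` on the tool result, look like separate state vocabularies; a one-line comment above the new assertion, `// agent-action state ('proposed') is distinct from the note's own state ('draft')`, would save the next reader a double take. The enclosing test case starts and ends outside the hunk, so whether `createNoteMock` is also checked for the same `workspaceId`/`productId` scope is not visible here.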
@@ -76,6 +76,19 @@ Parent: `docs/ROADMAP.md`
 - executable tools now reject mismatched `productId` scope at runtime
 - regression coverage now asserts mutating calls do not persist when scope is invalid
 - core tools remain workspace-scoped through input contracts and repository calls
+- 2026-03-10 — Shared-server auth-boundary review completed against `learning_ai_common_plat/services/mcp-server`:
+ - shared `toolRoutes` performs role checks before `execute()`
+ - shared `toolRoutes` validates arguments via `safeParse` before `execute()`
+ - shared `toolRoutes` passes `jwtPayload`, `authorization`, and `requestId` into tool execution
+ - product-side note tools additionally enforce authenticated user presence and `productId` scope before repository access
+
+# Safe Usage Rules
+ - Read-only note tools may run with `viewer` or above.
+- Mutating note tools must require `admin` or above.
+- Mutating note tools must remain workspace-scoped and product-scoped.
+- Mutating note tools must persist an audit/proposal record before the workflow can be considered complete.
+- Shared `mcp-server` hookup must preserve the request `jwtPayload`, auth header, and request ID passed to product-side tools.
 # Open Questions
@@ -86,7 +99,6 @@ Parent: `docs/ROADMAP.md`
 # Blockers
 - Shared `mcp-server` registration hookup has not been implemented in the common platform repo yet.
-- Shared-server auth-boundary review is still pending.
 # Deferred
@@ -99,5 +111,5 @@ Parent: `docs/ROADMAP.md`
 - [x] MCP tools cover core note workflows at the product-backend execution layer
 - [x] Product-side MCP tools are exportable in a shared-server-compatible registration shape
-- [ ] Mutating tool paths are auditable and scoped
-- [ ] Coding agents have clear contracts for using tools safely
+- [x] Mutating tool paths are auditable and scoped for the current `create_draft` path
+- [x] Coding agents have clear contracts for using tools safely at the product-backend layer