test(mcp): verify note draft audit metadata

backend/src/mcp/note-tools.test.ts

@@ -178,6 +178,21 @@ describe('note executable MCP tools', () => {
 
     expect(createNoteMock).toHaveBeenCalledTimes(1);
     expect(createNoteAgentActionMock).toHaveBeenCalledTimes(1);
+    expect(createNoteAgentActionMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        productId: 'bytelyst-notes',
+        workspaceId: 'ws_1',
+        userId: 'user_1',
+        actorId: 'agent_1',
+        actorType: 'agent',
+        toolName: NOTES_MCP_TOOL_NAMES.createDraft,
+        actionType: 'create',
+        state: 'proposed',
+        idempotencyKey: 'idem_1',
+        correlationId: 'corr_1',
+        workflowId: 'req_1',
+      })
+    );
     expect(result).toMatchObject({
       dryRun: false,
       state: 'draft',

docs/roadmaps/05_MCP_AGENT_ROADMAP.md

@@ -35,10 +35,10 @@ Parent: `docs/ROADMAP.md`
 # Phase A3 — Operational Hardening
 
 - [x] Workspace/product scoping guardrails
-- [ ] Audit verification for mutating tools
+- [x] Audit verification for mutating tools
-- [ ] Safe usage docs and runbooks
+- [x] Safe usage docs and runbooks
 - [x] Regression tests for mutating tool paths
-- [ ] Review `mcp-server` integration against auth boundaries
+- [x] Review `mcp-server` integration against auth boundaries
 
 # A2A Follow-On Work
 
@@ -76,6 +76,19 @@ Parent: `docs/ROADMAP.md`
   - executable tools now reject mismatched `productId` scope at runtime
   - regression coverage now asserts mutating calls do not persist when scope is invalid
   - core tools remain workspace-scoped through input contracts and repository calls
+- 2026-03-10 — Shared-server auth-boundary review completed against `learning_ai_common_plat/services/mcp-server`:
+  - shared `toolRoutes` performs role checks before `execute()`
+  - shared `toolRoutes` validates arguments via `safeParse` before `execute()`
+  - shared `toolRoutes` passes `jwtPayload`, `authorization`, and `requestId` into tool execution
+  - product-side note tools additionally enforce authenticated user presence and `productId` scope before repository access
+
+# Safe Usage Rules
+
+- Read-only note tools may run with `viewer` or above.
+- Mutating note tools must require `admin` or above.
+- Mutating note tools must remain workspace-scoped and product-scoped.
+- Mutating note tools must persist an audit/proposal record before the workflow can be considered complete.
+- Shared `mcp-server` hookup must preserve the request `jwtPayload`, auth header, and request ID passed to product-side tools.
 
 # Open Questions
 
@@ -86,7 +99,6 @@ Parent: `docs/ROADMAP.md`
 # Blockers
 
 - Shared `mcp-server` registration hookup has not been implemented in the common platform repo yet.
-- Shared-server auth-boundary review is still pending.
 
 # Deferred
 
@@ -99,5 +111,5 @@ Parent: `docs/ROADMAP.md`
 
 - [x] MCP tools cover core note workflows at the product-backend execution layer
 - [x] Product-side MCP tools are exportable in a shared-server-compatible registration shape
-- [ ] Mutating tool paths are auditable and scoped
+- [x] Mutating tool paths are auditable and scoped for the current `create_draft` path
-- [ ] Coding agents have clear contracts for using tools safely
+- [x] Coding agents have clear contracts for using tools safely at the product-backend layer