VantagePeers Docs

Changelog

Release history for vantage-peers-mcp.

Changelog

v2.13.1 — 2026-06-27

Fixed

  • CRITICAL — list_memories + list_episodes silently returning items: [] on every call — Day-114 audit (projects/vantage-peers/mcp-pagination-audit-day114.md) found both handlers reading memories?.page from the Convex listMemories return shape {value, continueCursor, isDone}. .page is undefined → empty results on every invocation regardless of stored data. Fixed in PR #978 (squash 0db28d5). Pre-2.13.1 callers MUST upgrade. See Day-114 release notes.

Added

  • MCP Tools Standard doctrine v1 — cross-fleet list_* pagination doctrine canonicalized as a versioned standard. PR #980 (squash d09fc5b). VantageRegistry runbook kd750j7z7tqre6hxqmfsa8s9ed89erng. Covers: mandatory Zod schema, return envelope, 7 banned anti-patterns, coverage matrix template, fleet compliance table, migration playbook.
  • Day-114 documentationCursor Pagination, Envelope Safety, Tools Catalogue, Day-114 release notes.

v2.12.0 — 2026-06-06 (current)

Security

  • D6 + D7 OAuth 2.1 hardening — confidential client_secret at /token (constant-time compare) and redirect_uri exact-match at /authorize. PR #621.
  • patchScopeProfileEmergency — master-token-gated mutation for tenant rename/scope-profile rewrite with D4 enforcement, D9 cascade, and append-only audit ledger. PRs #622, #623.
  • S3.1 scope-aware filter framework — row-level OAuth scope enforcement on list_memories, get_memory, list_briefing_notes, list_messages, list_peers. PRs #624, #625.
  • S2.3 D8masterOnlyMiddleware migrated to @vantageos/cloud-identity@0.1.0 shared brick (constant-time sha256 comparison). 254/254 tests PASS.

Added

  • Tool count reaches 114 — 17 net new tools since v2.5.0: episodes API (get_episode, list_episodes, search_episodes_by_keyword, search_episodes_by_semantic), single-entity getters (get_task, get_message, get_fix_pattern, get_mandate, get_recurring_task, get_repo_mapping, get_briefing_note), search tools (search_tasks_by_keyword, search_messages_by_keyword, search_briefing_notes_by_keyword), instantiate_template_into_mission, whoami, validate_task_payload, plus canonical aliases.
  • Cursor paging — all 19 list_* and search_* tools now support opaque cursor + nextCursor for draining past the 200-row cap. 3 documented exceptions (list_broadcast_status, search_components, search_fix_patterns).
  • Day 98 F4 — webhook issue_comment events routed Bridge-only, preventing double-processing. PR #796.

v2.5.0 — 2026-06-06

Added

  • Day 92 quality overhaul (C0–C4, A1–A4, B1–B3, F1–F2) — 14 P0 zero-auth write tools closed with master-only gates; 87 Zod outputSchema exports; Unicode NFC normalization at all write paths; 97 tool descriptions standardized (1-line + WHEN + EXAMPLE); whoami identity tool (PR #661); validate_task_payload MCP validator tool; tools-quality-standard doc.
  • S3.3 B8 cursor paginglist_tasks, list_memories, list_briefing_notes + 12 more list tools gain opaque cursor + nextCursor. Shared src/paging.ts utility. 302/302 tests PASS.
  • D90 kill-switch hardeningAUTO_IRP_PAUSED guard applied at all 3 auto-IRP pipeline entries; errorMonitorKillSwitch.ts with isKillSwitchActive() + startup health check.

v2.4.1 — 2026-05-30

Fixed

  • DCR auth path 401 regression (#556 / #557) — oauthDcr:validateAccessToken was declared internalQuery and unreachable via the HTTP client, so Path 3 DCR returned 401 even with a valid token. Now exposed as a public query. Claude.ai Custom Connectors via DCR works end-to-end.
  • WWW-Authenticate header format (#557) — emits Bearer resource_metadata="..." per MCP spec §Protected Resource Metadata Discovery. The prior Bearer resource="..." broke Claude.ai PRM bootstrap on 401.

Added

  • ChatGPT Apps SDK tool annotations (#555) — all MCP tools now ship with readOnlyHint, openWorldHint, and destructiveHint. ChatGPT custom connectors render confirmation prompts only on writes/destructive ops.
  • DCR scope isolation (#554) — new public-readonly profile + cross-tenant assertion tests. The DCR auto-discovery flow now resolves to scopeProfile=client-generic (never master), even if a legacy token row carries scope="mcp:full".
  • VantagePeers Cloud documentation (site #120) — dedicated /docs/cloud/ section for the hosted, multi-tenant version. Multi-client MCP: Claude.ai, ChatGPT, Claude Code, Codex, any MCP-supporting IDE.

v2.4.0 — 2026-05-29

Added

  • iframeEmbedSessions table + __VP_TOOL_RESULT__ stream marker (#545) — M3 milestone. Embedded ack-checklist UI primitive. 24 tests.
  • credentials:issueBearerFromClerk httpAction (#546) — server-side bearer issuance bound to a Clerk identity, with audit log. Iter 2 P1 fixes.

v2.3.1 — 2026-05-26

Added

  • list_tasks, list_missions, list_tasks_by_mission, and list_briefing_notes accept a fields parameter ("lite" or "full", default "full"). Lite returns a compact projection.
  • status filter on list_tasks, list_missions, and list_tasks_by_mission now accepts arrays and named aliases:
    • Tasks: "open" → todo+in_progress+review+blocked, "active" → todo+in_progress, "all" → no filter
    • Missions: "open" → brainstorm+plan+execute+validate (excludes complete), "active" → plan+execute, "all" → no filter

Backward compatibility

  • Single-string status is unchanged.
  • Omitting fields defaults to "full" — existing callers are unaffected.

Deprecation

  • vantage-peers-mcp@2.3.0 is deprecated. v2.3.0 shipped with two blockers caught in delta-review: status="all" was advertised but rejected by the backend, and setPendingAliasReleases was exposed as a public mutation. Upgrade to >=2.3.1.

On this page