Changelog
Release history for vantage-peers-mcp.
Changelog
v2.13.1 — 2026-06-27
Fixed
- CRITICAL —
list_memories+list_episodessilently returningitems: []on every call — Day-114 audit (projects/vantage-peers/mcp-pagination-audit-day114.md) found both handlers readingmemories?.pagefrom the ConvexlistMemoriesreturn shape{value, continueCursor, isDone}..pageis undefined → empty results on every invocation regardless of stored data. Fixed in PR #978 (squash0db28d5). Pre-2.13.1 callers MUST upgrade. See Day-114 release notes.
Added
- MCP Tools Standard doctrine v1 — cross-fleet
list_*pagination doctrine canonicalized as a versioned standard. PR #980 (squashd09fc5b). VantageRegistry runbookkd750j7z7tqre6hxqmfsa8s9ed89erng. Covers: mandatory Zod schema, return envelope, 7 banned anti-patterns, coverage matrix template, fleet compliance table, migration playbook. - Day-114 documentation — Cursor Pagination, Envelope Safety, Tools Catalogue, Day-114 release notes.
Links
- GitHub: vantageos-agency/vantage-peers
- npm: vantage-peers-mcp@2.13.1
- PR #978: github.com/vantageos-agency/vantage-peers/pull/978
- PR #980: github.com/vantageos-agency/vantage-peers/pull/980
v2.12.0 — 2026-06-06 (current)
Security
- D6 + D7 OAuth 2.1 hardening — confidential
client_secretat/token(constant-time compare) andredirect_uriexact-match at/authorize. PR #621. patchScopeProfileEmergency— master-token-gated mutation for tenant rename/scope-profile rewrite with D4 enforcement, D9 cascade, and append-only audit ledger. PRs #622, #623.- S3.1 scope-aware filter framework — row-level OAuth scope enforcement on
list_memories,get_memory,list_briefing_notes,list_messages,list_peers. PRs #624, #625. - S2.3 D8 —
masterOnlyMiddlewaremigrated to@vantageos/cloud-identity@0.1.0shared brick (constant-time sha256 comparison). 254/254 tests PASS.
Added
- Tool count reaches 114 — 17 net new tools since v2.5.0: episodes API (
get_episode,list_episodes,search_episodes_by_keyword,search_episodes_by_semantic), single-entity getters (get_task,get_message,get_fix_pattern,get_mandate,get_recurring_task,get_repo_mapping,get_briefing_note), search tools (search_tasks_by_keyword,search_messages_by_keyword,search_briefing_notes_by_keyword),instantiate_template_into_mission,whoami,validate_task_payload, plus canonical aliases. - Cursor paging — all 19
list_*andsearch_*tools now support opaquecursor+nextCursorfor draining past the 200-row cap. 3 documented exceptions (list_broadcast_status,search_components,search_fix_patterns). - Day 98 F4 — webhook
issue_commentevents routed Bridge-only, preventing double-processing. PR #796.
Links
- GitHub: vantageos-agency/vantage-peers
- npm: vantage-peers-mcp@2.12.0
v2.5.0 — 2026-06-06
Added
- Day 92 quality overhaul (C0–C4, A1–A4, B1–B3, F1–F2) — 14 P0 zero-auth write tools closed with master-only gates; 87 Zod
outputSchemaexports; Unicode NFC normalization at all write paths; 97 tool descriptions standardized (1-line + WHEN + EXAMPLE);whoamiidentity tool (PR #661);validate_task_payloadMCP validator tool; tools-quality-standard doc. - S3.3 B8 cursor paging —
list_tasks,list_memories,list_briefing_notes+ 12 more list tools gain opaquecursor+nextCursor. Sharedsrc/paging.tsutility. 302/302 tests PASS. - D90 kill-switch hardening —
AUTO_IRP_PAUSEDguard applied at all 3 auto-IRP pipeline entries;errorMonitorKillSwitch.tswithisKillSwitchActive()+ startup health check.
Links
v2.4.1 — 2026-05-30
Fixed
- DCR auth path 401 regression (#556 / #557) —
oauthDcr:validateAccessTokenwas declaredinternalQueryand unreachable via the HTTP client, so Path 3 DCR returned 401 even with a valid token. Now exposed as a publicquery. Claude.ai Custom Connectors via DCR works end-to-end. WWW-Authenticateheader format (#557) — emitsBearer resource_metadata="..."per MCP spec §Protected Resource Metadata Discovery. The priorBearer resource="..."broke Claude.ai PRM bootstrap on 401.
Added
- ChatGPT Apps SDK tool annotations (#555) — all MCP tools now ship with
readOnlyHint,openWorldHint, anddestructiveHint. ChatGPT custom connectors render confirmation prompts only on writes/destructive ops. - DCR scope isolation (#554) — new
public-readonlyprofile + cross-tenant assertion tests. The DCR auto-discovery flow now resolves toscopeProfile=client-generic(nevermaster), even if a legacy token row carriesscope="mcp:full". - VantagePeers Cloud documentation (site #120) — dedicated
/docs/cloud/section for the hosted, multi-tenant version. Multi-client MCP: Claude.ai, ChatGPT, Claude Code, Codex, any MCP-supporting IDE.
Links
- GitHub release: v2.4.1
- npm: vantage-peers-mcp@2.4.1
v2.4.0 — 2026-05-29
Added
iframeEmbedSessionstable +__VP_TOOL_RESULT__stream marker (#545) — M3 milestone. Embedded ack-checklist UI primitive. 24 tests.credentials:issueBearerFromClerkhttpAction (#546) — server-side bearer issuance bound to a Clerk identity, with audit log. Iter 2 P1 fixes.
Links
- GitHub release: v2.4.0
- npm: vantage-peers-mcp@2.4.0
v2.3.1 — 2026-05-26
Added
list_tasks,list_missions,list_tasks_by_mission, andlist_briefing_notesaccept afieldsparameter ("lite"or"full", default"full"). Lite returns a compact projection.statusfilter onlist_tasks,list_missions, andlist_tasks_by_missionnow accepts arrays and named aliases:- Tasks:
"open"→ todo+in_progress+review+blocked,"active"→ todo+in_progress,"all"→ no filter - Missions:
"open"→ brainstorm+plan+execute+validate (excludes complete),"active"→ plan+execute,"all"→ no filter
- Tasks:
Backward compatibility
- Single-string
statusis unchanged. - Omitting
fieldsdefaults to"full"— existing callers are unaffected.
Deprecation
vantage-peers-mcp@2.3.0is deprecated. v2.3.0 shipped with two blockers caught in delta-review:status="all"was advertised but rejected by the backend, andsetPendingAliasReleaseswas exposed as a public mutation. Upgrade to>=2.3.1.
Links
- GitHub release: v2.3.1
- npm: vantage-peers-mcp@2.3.1