Void-Homelab/docs/superpowers/plans/2026-06-04-mcp-http-transport.md

# MCP HTTP/SSE Transport Implementation Plan

> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.

**Goal:** Expose Void's tool registry to external agents over MCP Streamable HTTP — authenticated, read + suggest-only, hard-scoped to one Space.

**Architecture:** A new in-app endpoint `POST/GET /mcp` runs a stateless `StreamableHTTPServerTransport` serving a dedicated `externalRegistry` (search/read/context/propose_change). A `mcpAuth` middleware requires a Void agent bearer (owner/CF-only rejected) bound to a Space via `scopes.space_id`. Reads are filtered to that Space; `propose_change` already routes to the `pending_changes` inbox.

**Tech Stack:** Node 22 ESM, Express 5, `@modelcontextprotocol/sdk` 1.x, Postgres, vitest + supertest (serial).

**Spec:** `docs/superpowers/specs/2026-06-04-mcp-http-transport-design.md`

---

## File Structure

- `lib/ai/agent/tools/read.js` — **modify**: space-scope enforcement.
- `lib/mcp/context.js` — **modify**: add `buildCtxFromAgent(agent)`.
- `lib/mcp/external-registry.js` — **create**: curated registry (4 tools).
- `lib/mcp/http.js` — **create**: transport-free helpers + `createExternalMcpServer` + `handleMcp`.
- `lib/api/middleware/mcp_auth.js` — **create**: bearer→agent→space-scope gate + rate limit.
- `server.js` — **modify**: mount `/mcp`; bump VERSION.
- `package.json` — **modify**: bump version.
- Tests under `tests/mcp/` and `tests/api/`.

---

### Task 1: Space-scope the `read` tool

**Files:**
- Modify: `lib/ai/agent/tools/read.js`
- Test: `tests/ai/agent/tools/read_scope.test.js`

- [ ] **Step 1: Write the failing test**

```js
// tests/ai/agent/tools/read_scope.test.js
import { describe, it, expect, beforeAll } from 'vitest';
import { pool } from '../../../../lib/db/pool.js';
import { resetDb } from '../../../helpers/db.js';
import { migrateUp } from '../../../../lib/db/migrate.js';
import { readTool } from '../../../../lib/ai/agent/tools/read.js';

let spaceA, spaceB, pageInA, convoId;
beforeAll(async () => {
  await resetDb(); await migrateUp();
  ({ rows: [{ id: spaceA }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('a','A') RETURNING id`));
  ({ rows: [{ id: spaceB }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('b','B') RETURNING id`));
  ({ rows: [{ id: pageInA }] } = await pool.query(
    `INSERT INTO pages(space_id,slug,title,body_md) VALUES($1,'p','P','body') RETURNING id`, [spaceA]));
  ({ rows: [{ id: convoId }] } = await pool.query(
    `INSERT INTO conversations(title) VALUES('c') RETURNING id`));
});

describe('read tool space scoping', () => {
  it('reads an in-space page', async () => {
    const out = await readTool.handler({ kind: 'page', id: pageInA }, { space_id: spaceA });
    expect(out.title).toBe('P');
  });
  it('blocks a cross-space page (scoped caller)', async () => {
    const out = await readTool.handler({ kind: 'page', id: pageInA }, { space_id: spaceB });
    expect(out.error).toMatch(/not found/i);
  });
  it('blocks unprovable kinds (conversation) for spaceScoped callers', async () => {
    const out = await readTool.handler({ kind: 'conversation', id: convoId }, { space_id: spaceA, spaceScoped: true });
    expect(out.error).toMatch(/not found/i);
  });
  it('owner (no space bound) reads anything', async () => {
    const out = await readTool.handler({ kind: 'page', id: pageInA }, {});
    expect(out.title).toBe('P');
  });
});
```

- [ ] **Step 2: Run it, verify it fails**

Run: `npx vitest run tests/ai/agent/tools/read_scope.test.js`
Expected: FAIL — cross-space + conversation cases return the row instead of not-found.

- [ ] **Step 3: Implement the scoping**

Replace the `handler` in `lib/ai/agent/tools/read.js` (keep imports + `TABLE` + descriptor):

```js
  async handler({ kind, id }, ctx = {}) {
    const table = TABLE[kind];
    if (!table) return { error: `unknown kind "${kind}"` };
    const { rows: [row] } = await pool.query(`SELECT * FROM ${table} WHERE id=$1`, [id]);
    if (!row) return { error: `${kind} ${id} not found` };
    // Space scoping. When a Space is bound (external scoped agents — and Dross,
    // which operates within one Space), an entity that carries space_id must
    // match it. Kinds without a space_id column (conversations) can't be proven
    // in-scope, so they're denied to spaceScoped callers (external agents) only.
    // Owner/Dross with no bound Space (ctx.space_id == null) → unrestricted.
    if (ctx.space_id != null) {
      if (row.space_id !== undefined) {
        if (row.space_id !== ctx.space_id) return { error: `${kind} ${id} not found` };
      } else if (ctx.spaceScoped) {
        return { error: `${kind} ${id} not found` };
      }
    }
    return row;
  }
```

- [ ] **Step 4: Run tests (new + existing read/search), verify pass**

Run: `npx vitest run tests/ai/agent/tools/read_scope.test.js tests/ai/agent/tools/read_search.test.js`
Expected: PASS (existing `read_search` still green — it passes a matching `space_id`).

- [ ] **Step 5: Commit**

```bash
git add lib/ai/agent/tools/read.js tests/ai/agent/tools/read_scope.test.js
git commit -m "feat(mcp): space-scope the read tool for bound callers"
```

---

### Task 2: External registry, ctx builder, transport-free helpers

**Files:**
- Create: `lib/mcp/external-registry.js`
- Modify: `lib/mcp/context.js`
- Create: `lib/mcp/http.js`
- Test: `tests/mcp/external_registry.test.js`

- [ ] **Step 1: Write the failing test**

```js
// tests/mcp/external_registry.test.js
import { describe, it, expect, beforeAll } from 'vitest';
import { pool } from '../../lib/db/pool.js';
import { resetDb } from '../helpers/db.js';
import { migrateUp } from '../../lib/db/migrate.js';
import * as agentsRepo from '../../lib/db/repos/agents.js';
import { buildCtxFromAgent } from '../../lib/mcp/context.js';
import { listExternalTools, callExternalTool } from '../../lib/mcp/http.js';

let spaceId, otherSpace, pageInOther, agent;
const owner = { kind: 'user', id: null };
beforeAll(async () => {
  await resetDb(); await migrateUp();
  ({ rows: [{ id: spaceId }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('s','S') RETURNING id`));
  ({ rows: [{ id: otherSpace }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('o','O') RETURNING id`));
  ({ rows: [{ id: pageInOther }] } = await pool.query(
    `INSERT INTO pages(space_id,slug,title,body_md) VALUES($1,'sec','Secret','hidden') RETURNING id`, [otherSpace]));
  agent = await agentsRepo.create({
    slug: `ext-${Date.now()}`, name: 'Ext', kind: 'claude', model: 'sonnet',
    capabilities: { read: true, suggest: true }, scopes: { space_id: spaceId }
  }, owner);
});

describe('external registry', () => {
  it('exposes exactly the four read+suggest tools', () => {
    const names = listExternalTools().map(t => t.name).sort();
    expect(names).toEqual(['context', 'propose_change', 'read', 'search']);
  });
  it('buildCtxFromAgent forces the agent bound space + spaceScoped', () => {
    const ctx = buildCtxFromAgent(agent);
    expect(ctx.space_id).toBe(spaceId);
    expect(ctx.spaceScoped).toBe(true);
    expect(ctx.agent.id).toBe(agent.id);
  });
  it('read cannot reach another space', async () => {
    const ctx = buildCtxFromAgent(agent);
    const out = await callExternalTool('read', { kind: 'page', id: pageInOther }, ctx);
    expect(out.error).toMatch(/not found/i);
  });
  it('propose_change lands in pending_changes with agent + space, applied:false', async () => {
    const ctx = buildCtxFromAgent(agent);
    const out = await callExternalTool('propose_change',
      { entity_type: 'page', action: 'create', payload: { slug: 'np', title: 'New', body_md: 'b' }, reason: 'r' }, ctx);
    expect(out.applied).toBe(false);
    expect(out.pending_change_id).toBeTruthy();
    const { rows: [pc] } = await pool.query(`SELECT * FROM pending_changes WHERE id=$1`, [out.pending_change_id]);
    expect(pc.agent_id).toBe(agent.id);
    expect(pc.payload.space_id).toBe(spaceId);
  });
  it('unknown tool throws', async () => {
    await expect(callExternalTool('nope', {}, buildCtxFromAgent(agent))).rejects.toThrow(/unknown tool/i);
  });
});
```

- [ ] **Step 2: Run it, verify it fails**

Run: `npx vitest run tests/mcp/external_registry.test.js`
Expected: FAIL — `lib/mcp/http.js` and `buildCtxFromAgent` don't exist yet.

- [ ] **Step 3: Create the external registry**

```js
// lib/mcp/external-registry.js
// Curated registry exposed to EXTERNAL agents over MCP HTTP. Deliberately
// separate from companionRegistry (Dross) so new Dross tools never auto-leak
// to the internet. Read + suggest-only: search/read/context + propose_change
// (which always routes to the pending_changes inbox).
import { createRegistry } from '../ai/agent/registry.js';
import { searchTool } from '../ai/agent/tools/search.js';
import { readTool } from '../ai/agent/tools/read.js';
import { contextTool } from '../ai/agent/tools/context.js';
import { proposeChangeTool } from '../ai/agent/tools/propose_change.js';

export const externalRegistry = createRegistry();
externalRegistry.registerTool(searchTool);
externalRegistry.registerTool(readTool);
externalRegistry.registerTool(contextTool);
externalRegistry.registerTool(proposeChangeTool);
```

- [ ] **Step 4: Add `buildCtxFromAgent` to `lib/mcp/context.js`**

Append to `lib/mcp/context.js`:

```js
/**
 * Builds the tool ctx for an authenticated EXTERNAL agent. The Space is taken
 * from the agent's own scope (never client-supplied) and `spaceScoped` is set
 * so read() denies entities it can't prove are in-Space.
 * @param {{id:string, capabilities?:object, scopes?:object}} agent
 */
export function buildCtxFromAgent(agent) {
  const actor = {
    kind: 'agent',
    id: agent.id,
    capabilities: agent.capabilities || {},
    scopes: agent.scopes || {}
  };
  return {
    agent: actor,
    space_id: (agent.scopes && agent.scopes.space_id) || null,
    view: null,
    spaceScoped: true,
    actor
  };
}
```

- [ ] **Step 5: Create `lib/mcp/http.js` (helpers + server factory; transport handler added in Task 4-step)**

```js
// lib/mcp/http.js
import { Server } from '@modelcontextprotocol/sdk/server/index.js';
import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
import { externalRegistry } from './external-registry.js';
import { buildCtxFromAgent } from './context.js';
import { recordAudit } from '../db/repos/audit_stub.js';

// --- transport-free helpers (exported for tests) ---
export function listExternalTools() {
  return externalRegistry.listTools().map(({ name, description, input_schema }) =>
    ({ name, description, input_schema }));
}
export async function callExternalTool(name, args, ctx) {
  const tool = externalRegistry.getTool(name);
  if (!tool) throw new Error(`Unknown tool: ${name}`);
  return tool.handler(args, ctx);
}

// --- MCP server factory (one per request in stateless mode) ---
export function createExternalMcpServer(ctx) {
  const server = new Server(
    { name: 'void-external', version: '1.0.0' },
    { capabilities: { tools: {} } }
  );
  server.setRequestHandler(ListToolsRequestSchema, () => ({
    tools: listExternalTools().map(({ name, description, input_schema }) =>
      ({ name, description, inputSchema: input_schema }))
  }));
  server.setRequestHandler(CallToolRequestSchema, async (request) => {
    const { name, arguments: args = {} } = request.params;
    try {
      const result = await callExternalTool(name, args, ctx);
      recordAudit(ctx.actor, 'mcp_tool_call', 'agent', ctx.agent.id, null,
        { tool: name, space_id: ctx.space_id }).catch(() => {});
      return { content: [{ type: 'text', text: JSON.stringify(result) }], structuredContent: result };
    } catch (err) {
      return { content: [{ type: 'text', text: err.message ?? String(err) }], isError: true };
    }
  });
  return server;
}

// --- Express handler: stateless Streamable HTTP. Requires req.mcpAgent (mcpAuth). ---
export async function handleMcp(req, res) {
  const ctx = buildCtxFromAgent(req.mcpAgent);
  const server = createExternalMcpServer(ctx);
  const transport = new StreamableHTTPServerTransport({
    sessionIdGenerator: undefined,   // stateless
    enableJsonResponse: true
  });
  res.on('close', () => { try { transport.close(); } catch {} try { server.close(); } catch {} });
  await server.connect(transport);
  await transport.handleRequest(req, res, req.body);
}
```

- [ ] **Step 6: Run tests, verify pass**

Run: `npx vitest run tests/mcp/external_registry.test.js`
Expected: PASS (5/5).

- [ ] **Step 7: Commit**

```bash
git add lib/mcp/external-registry.js lib/mcp/context.js lib/mcp/http.js tests/mcp/external_registry.test.js
git commit -m "feat(mcp): external registry + agent ctx + Streamable HTTP server"
```

---

### Task 3: `mcpAuth` middleware (bearer → agent → space scope)

**Files:**
- Create: `lib/api/middleware/mcp_auth.js`
- Test: `tests/mcp/mcp_auth.test.js`

- [ ] **Step 1: Write the failing test**

```js
// tests/mcp/mcp_auth.test.js
import { describe, it, expect, beforeAll, vi } from 'vitest';
import { resetDb } from '../helpers/db.js';
import { migrateUp } from '../../lib/db/migrate.js';
import * as agentsRepo from '../../lib/db/repos/agents.js';
import { mcpAuth, _resetMcpRate } from '../../lib/api/middleware/mcp_auth.js';

const owner = { kind: 'user', id: null };
function mockRes() {
  return { statusCode: 200, body: null,
    status(c) { this.statusCode = c; return this; },
    json(b) { this.body = b; return this; } };
}
async function run(headers) {
  const req = { headers };
  const res = mockRes();
  const next = vi.fn();
  await mcpAuth(req, res, next);
  return { req, res, next };
}

let scopedToken, unscopedToken;
beforeAll(async () => {
  await resetDb(); await migrateUp();
  process.env.OWNER_TOKEN = 'test-token';
  const { rows: [{ id: spaceId }] } = await (await import('../../lib/db/pool.js')).pool
    .query(`INSERT INTO spaces(slug,name) VALUES('s','S') RETURNING id`);
  const scoped = await agentsRepo.create({ slug: `s-${Date.now()}`, name: 'S', kind: 'claude', model: 'sonnet',
    capabilities: { read: true, suggest: true }, scopes: { space_id: spaceId } }, owner);
  ({ token: scopedToken } = await agentsRepo.createToken(scoped.id, 'mcp'));
  const unscoped = await agentsRepo.create({ slug: `u-${Date.now()}`, name: 'U', kind: 'claude', model: 'sonnet',
    capabilities: { read: true, suggest: true }, scopes: {} }, owner);
  ({ token: unscopedToken } = await agentsRepo.createToken(unscoped.id, 'mcp'));
});

describe('mcpAuth', () => {
  it('missing bearer → 401', async () => {
    const { res, next } = await run({}); expect(res.statusCode).toBe(401); expect(next).not.toHaveBeenCalled();
  });
  it('owner token → 401 agent_required', async () => {
    const { res } = await run({ authorization: 'Bearer test-token' });
    expect(res.statusCode).toBe(401); expect(res.body.error.code).toBe('agent_required');
  });
  it('invalid token → 401', async () => {
    const { res } = await run({ authorization: 'Bearer vk_nope.nope' }); expect(res.statusCode).toBe(401);
  });
  it('agent without space scope → 403 no_space_scope', async () => {
    const { res } = await run({ authorization: `Bearer ${unscopedToken}` });
    expect(res.statusCode).toBe(403); expect(res.body.error.code).toBe('no_space_scope');
  });
  it('valid scoped agent → next() + req.mcpAgent', async () => {
    const { req, next } = await run({ authorization: `Bearer ${scopedToken}` });
    expect(next).toHaveBeenCalled(); expect(req.mcpAgent.scopes.space_id).toBeTruthy();
  });
  it('rate limit → 429 past the cap', async () => {
    _resetMcpRate(); process.env.MCP_RATE_LIMIT = '2';
    await run({ authorization: `Bearer ${scopedToken}` });
    await run({ authorization: `Bearer ${scopedToken}` });
    const { res } = await run({ authorization: `Bearer ${scopedToken}` });
    expect(res.statusCode).toBe(429);
    delete process.env.MCP_RATE_LIMIT;
  });
});
```

- [ ] **Step 2: Run it, verify it fails**

Run: `npx vitest run tests/mcp/mcp_auth.test.js`
Expected: FAIL — module doesn't exist.

- [ ] **Step 3: Implement the middleware**

```js
// lib/api/middleware/mcp_auth.js
// Auth gate for /mcp. External agents must present a Void agent bearer token
// bound to a Space (scopes.space_id). Owner / CF-Access identities are NOT
// accepted here — external agents never inherit owner powers. CF Access service
// tokens are enforced at the edge (Cloudflare policy on mcp.void.hynesy.com).
import * as agents from '../../db/repos/agents.js';

// Minimal fixed-window in-memory rate limit per token (defense-in-depth; the
// real gate is CF Access + bearer). Window is 60s.
const WINDOW_MS = 60_000;
const hits = new Map(); // token -> { count, resetAt }
export function _resetMcpRate() { hits.clear(); }
function rateLimited(token) {
  const limit = Number(process.env.MCP_RATE_LIMIT || 120);
  const now = Date.now();
  let h = hits.get(token);
  if (!h || now > h.resetAt) { h = { count: 0, resetAt: now + WINDOW_MS }; hits.set(token, h); }
  h.count += 1;
  return h.count > limit;
}

export async function mcpAuth(req, res, next) {
  const auth = req.headers.authorization || '';
  const [scheme, token] = auth.split(' ');
  if (scheme !== 'Bearer' || !token) {
    return res.status(401).json({ error: { code: 'unauthorized', message: 'missing bearer token' } });
  }
  if (process.env.OWNER_TOKEN && token === process.env.OWNER_TOKEN) {
    return res.status(401).json({ error: { code: 'agent_required', message: 'owner token not valid for MCP' } });
  }
  if (rateLimited(token)) {
    return res.status(429).json({ error: { code: 'rate_limited', message: 'too many requests' } });
  }
  let agent;
  try { agent = await agents.verifyToken(token); }
  catch (e) { return next(e); }
  if (!agent) {
    return res.status(401).json({ error: { code: 'unauthorized', message: 'invalid token' } });
  }
  if (!(agent.scopes && agent.scopes.space_id)) {
    return res.status(403).json({ error: { code: 'no_space_scope', message: 'agent has no space scope' } });
  }
  req.mcpAgent = agent;
  next();
}
```

- [ ] **Step 4: Run tests, verify pass**

Run: `npx vitest run tests/mcp/mcp_auth.test.js`
Expected: PASS (6/6).

- [ ] **Step 5: Commit**

```bash
git add lib/api/middleware/mcp_auth.js tests/mcp/mcp_auth.test.js
git commit -m "feat(mcp): mcpAuth middleware — agent bearer + space scope + rate limit"
```

---

### Task 4: Mount `/mcp` + integration tests

**Files:**
- Modify: `server.js`
- Test: `tests/mcp/mcp_http.test.js`

- [ ] **Step 1: Write the failing test**

```js
// tests/mcp/mcp_http.test.js
import { describe, it, expect, beforeAll } from 'vitest';
import request from 'supertest';
import { setup } from '../api/helpers.js';
import * as agentsRepo from '../../lib/db/repos/agents.js';
import { pool } from '../../lib/db/pool.js';

let app, ownerHeaders, scopedToken;
const owner = { kind: 'user', id: null };
const ACCEPT = 'application/json, text/event-stream';
const init = {
  jsonrpc: '2.0', id: 1, method: 'initialize',
  params: { protocolVersion: '2025-03-26', capabilities: {}, clientInfo: { name: 't', version: '1' } }
};

beforeAll(async () => {
  ({ app, ownerHeaders } = await setup());
  const { rows: [{ id: spaceId }] } = await pool.query(`INSERT INTO spaces(slug,name) VALUES('s','S') RETURNING id`);
  const agent = await agentsRepo.create({ slug: `m-${Date.now()}`, name: 'M', kind: 'claude', model: 'sonnet',
    capabilities: { read: true, suggest: true }, scopes: { space_id: spaceId } }, owner);
  ({ token: scopedToken } = await agentsRepo.createToken(agent.id, 'mcp'));
});

describe('POST /mcp', () => {
  it('no bearer → 401', async () => {
    const res = await request(app).post('/mcp').set('Accept', ACCEPT).send(init);
    expect(res.status).toBe(401);
  });
  it('owner token → 401 agent_required', async () => {
    const res = await request(app).post('/mcp').set(ownerHeaders).set('Accept', ACCEPT).send(init);
    expect(res.status).toBe(401);
    expect(res.body.error.code).toBe('agent_required');
  });
  it('scoped agent initialize → 200 with serverInfo', async () => {
    const res = await request(app).post('/mcp')
      .set('Authorization', `Bearer ${scopedToken}`).set('Accept', ACCEPT).send(init);
    expect(res.status).toBe(200);
    expect(res.body.result.serverInfo.name).toBe('void-external');
  });
});
```

- [ ] **Step 2: Run it, verify it fails**

Run: `npx vitest run tests/mcp/mcp_http.test.js`
Expected: FAIL — `/mcp` returns 404 (not mounted).

- [ ] **Step 3: Mount the route in `server.js`**

Add imports near the other imports in `server.js`:

```js
import { mcpAuth } from './lib/api/middleware/mcp_auth.js';
import { handleMcp } from './lib/mcp/http.js';
```

Inside `createApp()`, after `mountApi(app);` and **before** the 404 handler (`app.use((_req, res) => res.status(404)...)`), add:

```js
  // MCP Streamable HTTP for external agents (read + suggest-only, space-scoped).
  app.all('/mcp', mcpAuth, handleMcp);
```

- [ ] **Step 4: Run tests, verify pass**

Run: `npx vitest run tests/mcp/mcp_http.test.js`
Expected: PASS (3/3). If `initialize` returns a 406, confirm the test sends `Accept: application/json, text/event-stream` (the transport requires it).

- [ ] **Step 5: Commit**

```bash
git add server.js tests/mcp/mcp_http.test.js
git commit -m "feat(mcp): mount /mcp Streamable HTTP endpoint"
```

---

### Task 5: Version bump + changelog

**Files:**
- Modify: `package.json`, `server.js`, `CHANGELOG.md`

- [ ] **Step 1: Bump version**

In `package.json` set `"version": "2.0.0-alpha.14"`. In `server.js` set `const VERSION = '2.0.0-alpha.14';`.

- [ ] **Step 2: Add a CHANGELOG entry**

Prepend under the changelog's top section:

```markdown
## 2.0.0-alpha.14

- **MCP HTTP/SSE transport** — external agents can connect over MCP Streamable HTTP at `/mcp`, authenticated by a Space-scoped Void agent bearer (owner/CF-only rejected). Read + suggest-only: search/read/context + propose_change (routes to the pending-changes inbox). Reads are hard-scoped to the agent's bound Space; the `read` tool now enforces space membership.
```

- [ ] **Step 3: Run the full suite**

Run: `npx vitest run`
Expected: all green (serial; `fileParallelism:false`).

- [ ] **Step 4: Commit**

```bash
git add package.json server.js CHANGELOG.md
git commit -m "chore: release 2.0.0-alpha.14 (MCP HTTP transport)"
```

---

### Task 6: Deploy + Cloudflare infra + provision the first external agent

**Files:** none in-repo (infra + DB). Run from the workspace.

- [ ] **Step 1: Deploy via the hardened pipeline**

Run: `bash deploy/push.sh` (snapshots prev, rsync, `npm install --omit=dev`, `npm run migrate`, restart, `/health` version gate for `2.0.0-alpha.14`, auto-rollback on failure).
Expected: `/health` reports `version: 2.0.0-alpha.14`, `db_ok: true`.

- [ ] **Step 2: Add the tunnel ingress hostname** `mcp.void.hynesy.com` → the void-server origin (same origin as the existing void hostname, path `/mcp` reachable). Use the existing void tunnel config (CF API creds in memory `reference_cloudflare_api`). Verify DNS/route resolves.

- [ ] **Step 3: Create a CF Access application** for `mcp.void.hynesy.com` with a **Service Auth** policy (service token), no interactive IdP. Create a service token; record its Client-Id/Secret in the secrets store (Vaultwarden followup / env). This is the edge gate.

- [ ] **Step 4: Provision the first external agent (DB)**

On the app host (CT 311), in a `node` REPL or a one-off script using `lib/db/repos/agents.js`:

```js
import * as agents from './lib/db/repos/agents.js';
const a = await agents.create({
  slug: 'external-research', name: 'External Research', kind: 'external', model: 'n/a',
  capabilities: { read: true, suggest: true },           // propose-only (no write/apply)
  scopes: { space_id: '<TARGET_SPACE_UUID>' }
}, { kind: 'user', id: null });
const { token } = await agents.createToken(a.id, 'mcp-external');
console.log('AGENT BEARER:', token);   // store in the secrets store; give to the external client
```

- [ ] **Step 5: Smoke-test end-to-end**

```bash
# initialize through the edge (service token + agent bearer)
curl -sS https://mcp.void.hynesy.com/mcp \
  -H 'CF-Access-Client-Id: <id>' -H 'CF-Access-Client-Secret: <secret>' \
  -H "Authorization: Bearer <AGENT_BEARER>" \
  -H 'Accept: application/json, text/event-stream' -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"curl","version":"1"}}}'
```
Expected: JSON-RPC result with `serverInfo.name = "void-external"`. Confirm a no-bearer request → 401, and a request without the CF service token → blocked at the edge (CF Access page).

- [ ] **Step 6: Record outcome** in memory (`project_void_v2_roadmap` / a new `reference` note): hostname, CF Access app id, service-token id, the external-agent slug + bound space. Redact secrets.

---

## Self-Review

**Spec coverage:** Transport (Streamable HTTP, stateless) → Task 2/4. Auth CF+bearer, owner rejected → Task 3 + Task 6 edge. Space scoping (read.js the crux) → Task 1, enforced in ctx Task 2. Dedicated external registry → Task 2. propose-only via canAct + pending_changes → Task 2 test. Error handling (401/403/429, isError) → Tasks 3/4 + http.js. Audit → http.js CallTool. Testing split (transport-free unit + HTTP integration) → Tasks 1–4. Deploy + hostname + service token + provision → Task 6. Version bump → Task 5. All covered.

**Placeholder scan:** Only intentional infra placeholders in Task 6 (`<TARGET_SPACE_UUID>`, `<id>/<secret>`, CF app creation) — these are runtime/secret values, not code gaps.

**Type consistency:** `buildCtxFromAgent` returns `{agent, space_id, view, spaceScoped, actor}`; `read.js` reads `ctx.space_id`/`ctx.spaceScoped`; `propose_change` reads `ctx.agent.id`/`ctx.agent` (actor-shaped with kind/capabilities/scopes) — consistent. `listExternalTools`/`callExternalTool`/`createExternalMcpServer`/`handleMcp` names match across http.js + tests. `mcpAuth` sets `req.mcpAgent`; `handleMcp` reads `req.mcpAgent` — consistent.