fix(server): align stored-query MCP discovery gates

2026-06-18 02:24:27 +02:00 · 2026-06-17 20:16:56 +02:00 · 2026-06-17 20:16:56 +02:00 · 916dc46c0e
commit 916dc46c0e
parent c06343362a
13 changed files with 392 additions and 80 deletions
--- a/docs/releases/v0.8.0.md
+++ b/docs/releases/v0.8.0.md
@ -80,8 +80,15 @@ carried in the query source:

 ## Upgrade notes

- **No breaking changes.** The REST surface, CLI, cluster config, and on-disk
-  format are unchanged. The MCP endpoint is additive.
+- **`GET /graphs/{id}/queries` is now `invoke_query`-gated (was `read`).** The
+  stored-query catalog uses the same authority as invocation and the MCP
+  `tools/list` surface, so discovery and invocation agree ("see the menu iff you
+  can order from it"). A caller with only `read` (and no `invoke_query`) now gets
+  `403` instead of a listing; in default-deny mode the endpoint returns `403`
+  until an `invoke_query` rule is configured. This is the one observable REST
+  behavior change in this release.
+- Otherwise no breaking changes: the rest of the REST surface, CLI, cluster
+  config, and on-disk format are unchanged. The MCP endpoint is additive.
 - **Pointing an agent at a graph:** configure your MCP client with the URL
  `https://<host>/graphs/<id>/mcp` and the same bearer token you use for REST.
  See [docs/user/operations/mcp.md](../user/operations/mcp.md) for the connect