Tags: smart-mcp-proxy/mcpproxy-go
feat: Subscribe to notifications/tools/list_changed for automatic tool re-indexing (#212)

When an upstream MCP server sends a notifications/tools/list_changed notification, MCPProxy now automatically triggers DiscoverAndIndexToolsForServer() to re-index tools within seconds instead of waiting for the 5-minute polling cycle.

Implementation:
- Add onToolsChanged callback field and setter to core Client
- Add toolDiscoveryCallback field and setter to managed Client
- Register OnNotification handler after client.Start() in connectStdio/HTTP/SSE
- Wire callbacks through manager to runtime lifecycle
- Deduplicate rapid notifications using existing discoveryInProgress sync.Map
- 30-second timeout on discovery operations
- Graceful handling of nil callbacks and discovery errors

Logging:
- INFO: "Received tools/list_changed notification from upstream server"
- DEBUG: Server capability status after initialization
- WARN: Notification from server without listChanged capability
- DEBUG: Deduplication when discovery already in progress

Documentation:
- Add "Automatic Tool Discovery" section to docs/features/search-discovery.md
- Add "Tool Change Notifications" section to docs/api/mcp-protocol.md

Fixes #209

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <[email protected]>

fix: Set httpapi.buildVersion via ldflags for correct version display (#211)

The web UI, `mcpproxy doctor`, and version update detection were showing "development" instead of the actual release version. This was because the httpapi.buildVersion variable was never set via ldflags during builds.

Root cause:
- `cmd/mcpproxy/main.go` has `version` variable set via `-X main.version=`
- `internal/httpapi/server.go` has separate `buildVersion` variable (default: "development")
- Build scripts only set main.version but not httpapi.buildVersion

Fix:
- Add `-X mcpproxy-go/internal/httpapi.buildVersion=$VERSION` to ldflags in:
  - scripts/build.sh
  - Makefile (also adds version ldflags that were missing entirely)
  - .github/workflows/release.yml
  - .github/workflows/prerelease.yml
  - Homebrew formula generation in release.yml

This ensures the /api/v1/info endpoint returns the correct version, which is used by:
- Web UI sidebar version display
- `mcpproxy doctor` command
- Tray app "New version available" detection
- Update checker for comparing against latest GitHub release

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <[email protected]>

feat: Add tool cache invalidation with differential update logic and manual discovery trigger (#208)

* feat(api): add server tool discovery functionality and auto cache invalidation of tools

- Implemented `discoverServerTools` method in APIService to trigger tool discovery for a specified server.
- Updated ServerDetail.vue to include a button for discovering tools, enhancing user interaction.
- Added backend support for tool discovery in the ServerController and integrated it into the routing.
- Introduced `GetToolsByServer` method in the index manager to retrieve tools associated with a server.
- Enhanced the OpenAPI documentation to reflect the new endpoint for tool discovery.

This feature allows users to manually trigger tool discovery, improving the management of server tools.

* fix: add missing DiscoverServerTools and GetToolsByServer to test mocks

- Add DiscoverServerTools method to MockServerController in contracts_test.go
- Add DiscoverServerTools method to baseController in security_test.go
- Add GetToolsByServer to TestIndexManagerContract expected methods

These methods were added to the interfaces in this PR but the test mocks were not updated, causing CI failures.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Algis Dumbris <[email protected]>
Co-authored-by: Claude Opus 4.5 <[email protected]>

docs: update CLI and REST API docs for unified health status (#204)

Updated documentation to reflect the new unified health status feature:
- CLI management commands: Updated output format showing new columns (STATUS, ACTION) and health status emojis (✅⚠️ ❌ ⏸️ 🔒)
- REST API: Added `health` object to GET /api/v1/servers response with fields: level, admin_state, summary, detail, action

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <[email protected]>

feat: auto-detect RFC 8707 resource parameter for OAuth flows (#188)

* Create spec

* docs: add RFC 8707 resource auto-detection specification and plan

Related #165

Add comprehensive specification and implementation plan for automatic detection of the RFC 8707 resource parameter in OAuth flows. This enables zero-config OAuth for providers like Runlayer that require the resource parameter.

Artifacts:
- spec.md: Feature specification with user stories and requirements
- plan.md: Implementation plan with technical context
- research.md: Technical research and implementation approach
- data-model.md: Entity definitions and state transitions
- quickstart.md: Usage guide and troubleshooting
- checklists/requirements.md: Specification quality checklist

Key Decisions:
- Extract resource from RFC 9728 Protected Resource Metadata
- Fallback to server URL if metadata unavailable
- Inject params into auth URL after mcp-go constructs it
- Manual extra_params override auto-detected values

* docs: add implementation tasks for RFC 8707 resource auto-detection

Related #165

Add structured task list with 39 tasks organized by user story:
- Phase 1: Setup (1 task)
- Phase 2: Foundational - discovery layer (5 tasks)
- Phase 3: US1 - Zero-config auto-detection (15 tasks) - MVP
- Phase 4: US2 - Manual override (6 tasks)
- Phase 5: US3 - Token injection (4 tasks)
- Phase 6: US4 - Diagnostic visibility (3 tasks)
- Phase 7: Polish (5 tasks)

Tasks follow TDD approach per constitution requirements.

* feat: add DiscoverProtectedResourceMetadata for RFC 8707 resource detection

Related #165

Add new function that returns the full RFC 9728 Protected Resource Metadata struct including the 'resource' field needed for RFC 8707 compliance. Refactor DiscoverScopesFromProtectedResource to delegate to new function.

Changes:
- Add DiscoverProtectedResourceMetadata() returning *ProtectedResourceMetadata
- Refactor DiscoverScopesFromProtectedResource() as wrapper for backward compat
- Add comprehensive unit tests for new function

Testing:
- All TestDiscoverProtectedResourceMetadata_* tests pass
- Existing DiscoverScopesFromProtectedResource tests still pass

* feat(oauth): implement RFC 8707 resource auto-detection (User Story 1)

Add automatic detection of RFC 8707 resource parameter from Protected Resource Metadata (RFC 9728). This enables zero-config OAuth with providers like Runlayer that require the resource parameter.

Key changes:
- Add CreateOAuthConfigWithExtraParams() that returns both OAuth config and auto-detected extra params including resource
- Add autoDetectResource() helper that:
  - Makes preflight HEAD request to get WWW-Authenticate header
  - Extracts resource_metadata URL
  - Fetches Protected Resource Metadata
  - Uses metadata.resource or falls back to server URL
- Update handleOAuthAuthorization() to accept extraParams and inject them into authorization URL
- Update all 6 call sites to use new function and pass extraParams

Tests:
- TestCreateOAuthConfig_AutoDetectsResource: verifies resource extraction
- TestCreateOAuthConfig_FallsBackToServerURL: verifies fallback behavior
- E2E tests in e2e_oauth_zero_config_test.go

Part of #165 (RFC 8707 resource auto-detection for zero-config OAuth)

* feat(oauth): add tests for manual extra_params override (US2)

Tests verify that:
- T022: Manual extra_params.resource overrides auto-detected value
- T023: Manual extra_params are preserved while resource is auto-detected

Implementation was already complete from US1:
- T024-T026: Merge logic and logging in CreateOAuthConfigWithExtraParams

All tests pass: go test ./internal/oauth/... -v -run TestCreateOAuthConfig

* feat(oauth): pass auto-detected extraParams to transport wrapper (US3)

Enable auto-detected resource parameter injection into token requests:
- T029: OAuthTransportWrapper.injectFormParams() handles token exchange/refresh
- T030: createOAuthConfigInternal() accepts extraParams for wrapper injection
- T031: Existing TestInjectFormParams_TokenRequest covers token request injection

Key changes:
- CreateOAuthConfig() now delegates to createOAuthConfigInternal()
- CreateOAuthConfigWithExtraParams() passes auto-detected params to internal fn
- Transport wrapper uses passed extraParams instead of re-reading from config

This ensures zero-config OAuth flows inject resource into all OAuth requests:
- Authorization URL (via handleOAuthAuthorization)
- Token exchange (via transport wrapper)
- Token refresh (via transport wrapper)

* feat(oauth): add RFC 8707 resource visibility to diagnostics (US4)

* fix(oauth): use POST for resource auto-detection per MCP spec

MCP spec only requires POST support for the main endpoint. Use POST directly for the preflight request to get WWW-Authenticate header with resource_metadata URL.

Updated all tests to use POST method in mock handlers.

* fix(oauth): address code review feedback - add timeout, clarify comments, clean tests

* docs: add zero-config vs explicit OAuth examples, improve auth status output

fix: enable env_json, args_json, headers_json updates in patch/update operations (#185)

* fix: enable env_json, args_json, headers_json updates in patch/update operations (#182)

This fix addresses two issues:

1. MCP tool handlers (internal/server/mcp.go):
   - handleUpdateUpstream and handlePatchUpstream now process env_json, args_json, headers_json, and command parameters
   - Added security logging when env vars are modified
   - Updated tool descriptions to clarify full replacement semantics
   - Removed unused patch_json parameter

2. Docker env var injection (internal/upstream/core/connection.go):
   - For direct Docker commands (not using isolation), env vars were only set on the Docker CLI process, not passed into the container
   - Added injectEnvVarsIntoDockerArgs() to inject -e KEY=VALUE flags into docker run commands

Closes #182

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* fix: CLI call tool command now works for upstream tools

Fixed multiple issues that prevented CLI tool calls from working:

1. CallToolDirect now handles upstream tools in server:tool format
   - Previously only built-in tools were handled
   - Now upstream tools are routed through handleCallTool

2. Fixed context timeout in runCallToolClientMode
   - Ping used a 2s timeout context that was reused for CallTool
   - CallTool now uses its own context with the configured timeout

3. Fixed switch statement bug in output formatting
   - case outputFormatPretty was empty, didn't fall through to default
   - Result output was never printed when format was "pretty" (default)

Fixes the issue reported in the conversation where:
  ./mcpproxy call tool --tool-name=everything-server:printEnv --json_args='{}'
returned "unknown tool" error.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

* test: add comprehensive tests for env_json, args_json, headers_json updates (#182)

Add unit tests, E2E tests, and API E2E bash script tests for the env_json, args_json, headers_json update/patch functionality.

Unit tests (internal/server/mcp_test.go):
- TestEnvJsonParsing: Valid/invalid env_json parsing
- TestArgsJsonParsing: Valid/invalid args_json parsing
- TestHeadersJsonParsing: Valid/invalid headers_json parsing
- TestFullReplacementSemantics: Full replacement behavior

E2E tests (internal/server/e2e_test.go):
- TestE2E_UpdateServerEnvJson
- TestE2E_UpdateServerArgsJson
- TestE2E_UpdateServerHeadersJson
- TestE2E_PatchServerEnvJson
- TestE2E_ClearEnvWithEmptyJson

API E2E tests (scripts/test-api-e2e.sh):
- Tests 28-40: Add/update/patch env_json, args_json, headers_json
- Verify full replacement semantics
- Verify clearing values with empty JSON
- Error handling for invalid JSON and nonexistent servers

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

---------

Co-authored-by: Claude Opus 4.5 <[email protected]>

fix: improve HTTP server UI - show Login instead of Restart, use Reconnect in Actions (#184)

- Hide Restart button for HTTP servers on server cards (HTTP servers don't have a process to restart - use Login for OAuth or Reconnect instead)
- Show "Reconnect" instead of "Restart" in Actions menu for HTTP servers
- Fix Login button not appearing for HTTP servers with oauth: null config (HTTP servers always support OAuth via autodiscovery)
- Refactor isHttpProtocol to shared computed property in both components

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <[email protected]>

feat: AI-powered release notes generation with Claude API (#183)

- Add generate-notes job to release workflow that calls Claude API
- Generate categorized release notes from commit messages since last tag
- Display generated notes at top of GitHub release page
- Include RELEASE_NOTES.md in macOS DMG installer
- Include RELEASE_NOTES.md in Windows installer (docs/ folder)
- Add standalone script for local testing (scripts/generate-release-notes.sh)
- Graceful fallback on API failure - releases never blocked

Requires ANTHROPIC_API_KEY secret in GitHub repository settings.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <[email protected]>

docs: add OpenAPI coverage analysis and automated verification (#162)

* fix: enforce API key authentication and fix Swagger path duplication

Security Enhancements:
- SECURITY: Empty API keys are now rejected (never treated as "disabled")
- Auto-generated API keys are now saved to config file for persistence
- MCPPROXY_API_KEY environment variable properly overrides config file
- Added comprehensive API key protection tests (14 endpoints)
- Unix socket connections bypass API key (trusted via OS-level auth)

API Key Priority:
1. Non-empty MCPPROXY_API_KEY env var
2. Non-empty api_key in config file
3. Auto-generate + save to config (secure by default)

Swagger UI Fixes:
- Fixed path duplication: /api/v1/api/v1/* -> /api/v1/*
- Removed incorrect apiBasePath from server URL construction
- Updated swag import to v2

Tests:
- Added security_test.go with 6 comprehensive test suites
- All tests passing: EmptyKeyRejected, ValidKeyAccepted, QueryParamAuth, InvalidKeyRejected, TrayConnectionTrusted, HealthEndpointsUnprotected

Documentation:
- Updated CLAUDE.md to reflect secure-by-default behavior
- Removed outdated "disable authentication" examples
- Documented API key priority and auto-generation behavior

Fixes: Critical security vulnerability where empty API key allowed unauthenticated access to REST API endpoints

* fix: update TestInfoEndpoint to use API key authentication

The test was failing because it tried to disable API key auth with empty MCPPROXY_API_KEY, but the recent security changes now reject empty keys and auto-generate them.

Updated the test to:
- Use a fixed test API key (test-api-key-for-e2e-tests)
- Include X-API-Key header in all HTTP requests to /api/v1/info

This ensures the test works with the new secure-by-default API key behavior.

* fix: update E2E tests to use explicit API key

The E2E tests were failing because they relied on empty API keys, but the recent security changes now auto-generate API keys.

Fixed by:
- Setting explicit API key in NewTestEnvironment config
- Updating TestE2E_SSEEvents to use the test API key
- Ensures all E2E tests work with secure-by-default behavior

* docs: add OpenAPI verification script and specification

Added automated tooling and specification for OpenAPI/Swagger coverage:
- scripts/verify-oas-coverage.sh: Automated verification script for CI/CD
- specs/001-oas-endpoint-documentation/: Feature specification and checklists

This enables automated checks to prevent API documentation drift.