M55.1Released May 15, 2026

Production-grade /settings/mcp UX

Endpoint-visibility row, three-step quick-start wizard, server-status panel, recent-activity widget, and an in-page verify-connection tester on /settings/mcp.

MCP UX

Highlights

Endpoint-visibility row at the top of /settings/mcp with a one-tap copy button on the full MCP URL.
Three-step Quick Start wizard: generate API key → add to Claude → verify. Step 1 ticks green when the workspace already has an active key.
Server-status panel — operational / degraded / unconfigured pill, recent success-rate %, last-checked timestamp. Honest 'n/a' when there are no events; no fabricated uptime.
Recent MCP activity widget — last 5 audit rows with action labels + tool names + tone dots.
Verify-connection block — in-page tools/list tester (paste plaintext key; outcome renders tool count + first tool name only) plus a copy-able curl snippet.

Why this matters

M54 shipped the MCP endpoint. M55.1 made it usable by non-developer operators. Endpoint URL, quick-start path, status feedback, and a verification round-trip are all surfaced in one place so the operator can answer 'is MCP working for me?' without reading source code.

Honest-status contract

ServerStatusPanel derives state deterministically from env + audit log. Three states: unconfigured (NEXT_PUBLIC_DASHBOARD_URL missing), degraded (DB unreachable, audit query throws, or < 60% recent success), operational (everything else). 'Success rate' is the share of recent tools/call attempts that did NOT fail — `n/a` when there are no events.

Operator-confidence design

The in-page tester sends the pasted key only to the MCP endpoint (same origin in production) and clears it from React state on success. The outcome renders tool count + first tool name only — the raw response body (which can carry site domains) is never echoed back.

Security notes

Pasted plaintext keys cleared from client state on success.
Tester response rendered narrowly: no raw JSON echo.
Endpoint URL respects the M53 NEXT_PUBLIC_DASHBOARD_URL fail-loudly behaviour — no localhost emission in production.

Identity + operator visibility

Operator profile in the sidebar, workspace switcher, identity / memberships / security / privacy sections on /settings/account.

Workspace switcher at the top of the dashboard sidebar with HttpOnly-cookie-persisted selection and full server-side membership validation.
Operator profile in the sidebar footer: user badge, role pill, plan pill, copyable user ID, and dropdown menu.
/settings/account redesigned with Identity, Memberships, Security, and Privacy sections plus a Recent operator activity widget.
+ 1 more — see the release page

Read release notes →

M54May 15, 2026

MCPAgentSecurity

Real MCP server for WebmasterID Core

Production MCP HTTP endpoint at /api/agent/mcp with ten read-only tools, Bearer auth via the api_keys table, plan gating, audit logging, payload caps, and a per-key rate limit.

POST /api/agent/mcp — JSON-RPC 2.0 over HTTP. Methods: initialize, tools/list, tools/call.
Ten read-only tools: sites, summary, recent events, bot intelligence, AI referrals, top pages, recommendations, repo mappings, execution sessions, plan status.
Workspace-scoped Bearer auth against the api_keys table; revoked keys rejected and audited.
+ 2 more — see the release page

Read release notes →