feat: Release v5.0.0 with MCP Server and comprehensive documentation

[vscarpenter]

Summary

Major release adding Model Context Protocol (MCP) server integration and comprehensive documentation updates for v5.0.0.

This PR introduces AI-powered task management capabilities through Claude Desktop integration and documents the complete OAuth cloud sync implementation.

New Features

✨ MCP Server Integration

• AI-powered task management with natural language queries
• 6 MCP tools for reading and analyzing tasks (list_tasks, get_task, search_tasks, get_sync_status, list_devices, get_task_stats)
• Local decryption with encryption passphrase stored only in Claude Desktop config
• Read-only access (safe exploration without modification)
• Privacy-preserved end-to-end encryption

✨ API Enhancements

• New GET /api/auth/encryption-salt endpoint for MCP server decryption
• Enables secure task access from Claude Desktop without compromising zero-knowledge architecture

Documentation Updates

📚 CLAUDE.md

• Added v5.0.0 overview with Cloud Sync and MCP Server sections
• Documented Cloud Sync architecture (OAuth, encryption, sync protocol)
• Documented MCP Server architecture (tools, configuration, security model)
• Added development notes for Worker deployment and MCP server testing

📚 README.md

• Updated to v5.0.0 with MCP Server features
• Added MCP Server section with use cases and setup instructions
• Updated cloud sync section (marked as "Fully Implemented")
• Streamlined feature list formatting

📚 gsd-task-manager-spec.md

• Complete rewrite to reflect v5.0.0 tech stack
• Added Cloud Sync Architecture section
• Added MCP Server Architecture section
• Updated tech stack with all dependencies
• Expanded feature descriptions

📚 New Documentation Files

• MCP_SERVER_SUMMARY.md - Complete MCP implementation details
• MCP_V0.2_SUMMARY.md - Protocol v0.2 updates
• gsd-cascade-sync.md - Sync protocol documentation

📦 packages/mcp-server/

• Complete MCP server source code
• README with setup instructions
• Testing scripts and documentation
• Example configuration files

Version Bump

• package.json: 4.8.0 → 5.0.0

Cleanup

🗑️ Removed Files

• SECURITY-AUDIT-REPORT.md (migrated to issues)

Testing

• All existing tests passing
• MCP server tested with Claude Desktop
• OAuth sync fully functional in production

Related Issues

Closes any open documentation issues related to v5.0.0 release.

---

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[claude]

Code Review: v5.0.0 MCP Server Integration

This PR introduces a major feature for v5.0.0: an MCP server that enables AI-powered task management through Claude Desktop. Overall, this is a well-architected addition with comprehensive documentation.

✅ Strengths

• Zero-knowledge preservation: MCP server correctly maintains E2E encryption by decrypting tasks locally
• Read-only approach: Smart security decision to prevent accidental data corruption
• Clean separation: MCP server as standalone package follows good monorepo practices
• Proper crypto implementation: Uses Web Crypto API with OWASP-recommended 600k PBKDF2 iterations
• Exceptional documentation: CLAUDE.md, README.md updates, and MCP_SERVER_SUMMARY.md are comprehensive

⚠️ Critical Issues

1. CRITICAL: Hardcoded Device ID (tools.ts:223)

deviceId: '9Sc6Q_f_mj_pjhRkDM-vZg' will fail for all users except one device. Extract device ID from JWT token claims instead.

2. Security: Missing Rate Limiting (worker/src/index.ts:50-72)

The new /api/auth/encryption-salt endpoint lacks rate limiting, allowing potential enumeration attacks.

3. Missing Tests

No test files found in packages/mcp-server/. Per project guidelines, need ≥80% coverage.

4. Environment Variable Mismatch (index.ts:128)

Code reads GSD_API_URL but docs use GSD_API_BASE_URL everywhere.

Other Issues

• Performance: No caching - every listTasks call fetches and decrypts all tasks
• Error handling: Silent decryption failures (tools.ts:273-276)
• Task stats: Calculates from sync queue counts, not actual task counts

Recommendations

Must Fix Before Merge:

1. Remove hardcoded device ID
2. Fix environment variable name
3. Add rate limiting to encryption-salt endpoint
4. Add basic test coverage

Should Fix:
5. Implement task caching (1-5 min TTL)
6. Surface decryption errors to users

Summary

Recommendation: 🟡 Request Changes

This is a solid foundation with good architecture. The hardcoded device ID is a blocker that breaks functionality for all users. Fix the critical issues and add basic tests, and this will be ready to merge.

🤖 Review generated with Claude Code