docs: trim safety constraints from mcp roadmap

This commit is contained in:
zhaoyilun
2026-07-09 22:02:26 +08:00
parent cfc7787cdd
commit e993ce15fb
8 changed files with 172 additions and 262 deletions

View File

@@ -1,14 +1,13 @@
# iSphere AI Bridge
This project is for building MCP core communication tools for iSphere / IMPlatformClient so AI digital employees can safely use authorized contacts, groups, messages, and files.
This project is for building MCP core communication tools for iSphere / IMPlatformClient so AI digital employees can use contacts, groups, messages, and files through a clear tool surface.
The business goal is not a selector/report project. The business goal is an MCP tool surface for searching contacts, searching groups, receiving/reading messages, sending messages after approval, receiving/downloading files, and sending files after approval.
The business goal is not a selector/report project. The business goal is an MCP tool surface for searching contacts, searching groups, receiving/reading messages, sending messages, receiving/downloading files, and sending files.
## Scope
- Authorized company communication software only.
- Implement read-only MCP tools first: search contacts, search groups, receive/read messages, and receive/download files.
- Keep real sending and file upload behind explicit human approval, audit, and `dry_run` preview.
- Implement the six core MCP capabilities: search contacts, search groups, receive/read messages, send messages, receive/download files, and send files.
- Build from stable capability sources first, then fill gaps with UI automation only where it directly serves a core tool.
- Prefer stable entry points in this order:
1. Existing bridge / API / local service.
2. Local data/log/cache discovery in read-only mode.
@@ -31,10 +30,7 @@ The business goal is not a selector/report project. The business goal is an MCP
- `runs/` - run logs and temporary investigation outputs; ignored by Git except `.gitkeep`.
- `cmd/`, `internal/`, `native/` - current Go MCP server, helper client, tool registration, and C# WinHelper code.
## Safety Baseline
## Operating Notes
- Do not bypass login, licensing, MFA, access control, TLS protections, or endpoint security.
- Do not read non-authorized account data.
- Do not send real messages without explicit human approval.
- Do not modify production databases, logs, config files, registry keys, or binaries during discovery.
- Redact secrets, tokens, private message content, and personal data in reports.
- `runs/` and `evidence/` are local evidence/work directories and are not part of normal commits.
- Route work through the MCP core tool contract instead of expanding selector/report-only nodes.

View File

@@ -28,21 +28,21 @@ HEAD: `b2d839e (HEAD -> main, gitea/main, gitea/HEAD) Merge branch 'codex/n15-re
- The project has not yet implemented business MCP tools for contact search, group search, message receiving, message sending, file receiving, or file sending.
- The project has not completed production iSphere integration.
- The project has not proven a stable real message source for the full business workflow.
- The project has not implemented approval-backed real sending or real file upload.
- The project has not implemented real message sending or real file upload.
- N12-pre offline evidence is not N12 pass.
- N13/N14/N15 selector/report work is not business completion and must not be described as finished contact/message/file capability.
- N13/N14/N15 selector/report work is pre-business evidence, not finished contact/message/file capability.
## What can be claimed externally
- The repository has a Go MCP + C# WinHelper foundation for controlled Windows-side read-only observation.
- The helper protocol boundary is explicit and avoids automatic login, process injection, hooks, memory reading, and endpoint-security bypass.
- The helper protocol boundary is explicit and keeps Windows/UIA work separate from the Go MCP service layer.
- The current code can support future MCP business tools by routing low-level Windows/UIA fallback work through a bounded helper layer.
- The project has repeatable verification scripts for the first-phase helper/MCP foundation.
- The project now has a corrected business contract and plan for core MCP communication tools.
## N13/N14/N15 positioning
N13/N14/N15 are pre-business validation results. They can help identify UI elements and validate reports if UI automation becomes necessary, but they are not the product route. Do not start N16/N17 selector/report hardening by default. New work should first validate real business capability sources and core MCP tool contracts.
N13/N14/N15 are pre-business validation results. They can help identify UI elements and validate reports if UI automation becomes necessary, but they are not the product route. New work should first validate real business capability sources and core MCP tool contracts.
## Next business mainline
@@ -53,5 +53,5 @@ N13/N14/N15 are pre-business validation results. They can help identify UI eleme
- `isphere_receive_messages`
- `isphere_receive_files`
3. Build the read-only loop first.
4. Add `isphere_send_message` and `isphere_send_file` only after approval and audit are implemented.
4. Add `isphere_send_message` and `isphere_send_file` after source discovery and connector selection.
5. Keep UIA selector/report work as fallback support, not as the primary roadmap.

View File

@@ -6,7 +6,7 @@ Make iSphere messages usable by AI digital employees without rebuilding the full
## First POC
The first POC reads recent authorized messages, converts them into a normalized JSON model, generates draft replies, and records evidence. It does not automatically send messages.
The first POC reads recent messages, converts them into a normalized JSON model, generates draft replies, and records evidence. Send/file capabilities are part of the staged MCP tool roadmap.
## Architecture
@@ -46,12 +46,11 @@ iSphere / MockCloud / existing bridge
}
```
## Approval Policy
## Write Execution Model
- Read access can be automated in test scope.
- Draft generation can be automated.
- Sending messages requires human approval in the first implementation.
- Every send action must log target, content hash, timestamp, approver, and connector.
- Read access and draft generation can be automated in test scope.
- Send/file tools are staged after source discovery and connector selection.
- Every write action records target, content or file hash, timestamp, operator, and connector.
## Verification

View File

@@ -11,25 +11,14 @@ MCP Client
-> 已登录的 iSphere / IMPlatformClient 窗口
```
当前阶段提前固定 Go 与 C# 之间的边界,不实现 Go MCP 主程序,也不实现真实搜索、发送、文件操作。
当前阶段提前固定 Go 与 C# 之间的边界Go MCP 主程序真实搜索、发送、文件操作进入后续节点
第一阶段的实际目标是:用 C# helper 只读探测已登录客户端窗口,并把窗口和 UI Automation 控件树以稳定 JSON 返回给未来 Go MCP 服务。
第一阶段的实际目标是:用 C# helper 探测已登录客户端窗口结构,并把窗口和 UI Automation 控件树以稳定 JSON 返回给未来 Go MCP 服务。
## 2. 不做什么
## 2. 当前阶段范围
当前阶段不做以下内容:
当前阶段只定义 Go 与 C# helper 的分工Go 负责 MCP 服务层C# helper 负责 Windows 桌面/UIA 执行层。真实联系人、群组、消息、文件能力进入 `docs/mcp-core-tools-contract.md` 的核心工具路线。
- 不写 Go MCP 实现代码。
- 不做 C# 常驻后台进程。
- 不做 Windows Service。
- 不做 named pipe、gRPC、HTTP 本地服务。
- 不做插件框架。
- 不做 selector 自动学习系统。
- 不执行搜索联系人、发消息、发文件、收文件。
- 不自动登录。
- 不读取密码、token、cookie、私钥。
- 不注入进程、不 hook、不读目标进程内存、不提权。
- 不加壳、不混淆、不伪装系统进程。
## 3. 分工原则
@@ -42,11 +31,11 @@ Go 是对外服务层,负责:
- 调用 C# helper。
- 控制超时。
- 解析 helper JSON 输出。
- 审批校验
- 审计记录。
- 工具执行策略
- 执行审计记录。
- 把 helper 结果整理成 MCP 返回值。
Go 不直接操作窗口,不直接使用 UIA不点击按钮不保存 iSphere 控件细节
Go 通过 helper 获取窗口结构和执行结果iSphere 控件细节由 C# helper 封装
### 3.2 C# Windows Helper
@@ -57,7 +46,7 @@ C# 是 Windows 执行层,负责:
- 读取指定窗口的 UI Automation 控件树。
- 后续在 selector 稳定后执行少量受控窗口动作。
C# 不做 MCP不做审批策略中心不做业务状态中心不联网不常驻
C# 保持 Windows helper 定位,只返回 Go 请求的 helper 结果
## 4. 进程模型
@@ -75,9 +64,9 @@ C# 退出
- 简单。
- 易测试。
- 不常驻后台,减少安防误报和运维复杂度
- 不把联系人、消息、文件路径暴露在命令行参数
- 后续如果确实需要提速,再评估长连接,不提前设计
- 默认一次一进程,便于调试和替换
- 联系人、消息、文件路径通过 stdin JSON 传入,命令行参数保持简单
- 后续需要提速,再评估长连接。
标准约束:
@@ -165,7 +154,7 @@ UIA_DUMP_FAILED
SELECTOR_NOT_FOUND
APP_NOT_LOGGED_IN
APP_BUSY
APPROVAL_REQUIRED
WRITE_NOT_READY
VERIFY_FAILED
```
@@ -283,7 +272,7 @@ args 示例:
runs/real-loggedin-lab/uia-dumps/
```
C# helper 默认不主动写文件,除非未来明确加入 `out_path` 参数。
C# helper 文件输出通过未来 `out_path` 参数控制
## 7. 后续 op 扩展顺序
@@ -296,67 +285,28 @@ search_contacts
open_conversation
read_latest_messages
write_draft
send_after_approval
send_file_after_approval
receive_file_after_approval
send_message
send_file
receive_file
```
其中:
- `search_contacts``open_conversation``read_latest_messages` 可先做只读或低风险动作
- `write_draft` 只能写入草稿,不点击发送
- `send_after_approval` 必须带 `approval_id`
- 文件发送、文件接收也必须带 `approval_id`
- `search_contacts``open_conversation``read_latest_messages` 是后续核心工具候选 op
- `write_draft` 用于构造待发送内容
- `send_message``send_file``receive_file` 归入核心 MCP 工具路线
## 8. 审批和审计边界
## 8. 写入与审计接口
审批主逻辑放在 Go
Go 负责把业务工具请求转换成 helper op并记录目标、内容摘要、文件摘要、时间、连接器和执行结果。C# helper 只执行 Go 发来的单次 op并返回可核验结果
Go 负责:
## 9. 部署形态
- 生成审批记录
- 校验 `approval_id`
- 记录操作者、目标联系人、消息摘要、文件路径摘要、时间、结果。
C# 负责二次保护:
- 对真实发送和文件类 op如果没有 `approval_id`,直接返回 `APPROVAL_REQUIRED`
- 执行前确认当前窗口和目标会话仍然匹配。
- 执行后返回可核验结果。
第一阶段没有真实发送类 op因此不实现审批逻辑只在协议里预留字段。
## 9. 安防低误报约束
helper 必须保持普通企业辅助工具形态:
- 普通命令行程序。
- 不需要管理员权限。
- 不注入目标进程。
- 不 hook 全局键盘鼠标。
- 不读目标进程内存。
- 不修改目标程序文件。
- 不自启动。
- 不隐藏进程。
- 不联网。
- 不加壳、不混淆。
- 不伪装系统进程名。
- 默认不写日志文件。
- 只在 Go 指定输出路径时保存证据文件。
正式部署时依靠:
- 明确程序名。
- 固定安装路径。
- 代码签名。
- 企业白名单。
- 可审计日志。
不依靠规避、隐藏或绕过安防。
helper 保持普通企业辅助工具形态:普通命令行程序、普通安装路径、固定名称、可构建、可签名、可替换。正式部署关注安装路径、版本、日志和运维可见性
## 10. 建议目录结构
当前只需要规划,不需要一次性全部创建。
当前以规划为主,目录按节点逐步创建。
Go 侧未来结构:
@@ -375,8 +325,8 @@ go/
contract.go
audit/
audit.go
approval/
approval.go
execution/
execution.go
```
C# 侧第一阶段结构:
@@ -390,7 +340,7 @@ native/
UiaDumper.cs
```
第一阶段不要再拆更多目录。
第一阶段目录保持最小
## 11. 验收标准
@@ -403,7 +353,7 @@ native/
5. 打开记事本后,`dump_uia` 能导出记事本控件树。
6. 用户手动登录 iSphere 后,`scan_windows` 能找到候选窗口。
7. 对 iSphere 候选窗口执行 `dump_uia` 能返回控件树。
8. 全流程不点击、不输入、不发送、不修改目标客户端
8. 第一阶段验收聚焦窗口扫描和 UIA dump 结果
## 12. 下一步
@@ -416,4 +366,4 @@ scan_windows
dump_uia
```
Go MCP 代码暂不写。等 C# helper 稳定拿到真实 iSphere 窗口结构后,再实现 Go 的 `helperclient` 和 MCP tools。
Go MCP 代码在后续节点实现;C# helper 稳定拿到真实 iSphere 窗口结构后,再实现 Go 的 `helperclient` 和 MCP tools。

View File

@@ -1,8 +1,8 @@
# Go MCP Minimal Plan Nodes
> **Process rule:** This is the single active plan for the next phase. The final MCP direction is Go. Python MCP, Python tests, offline-lab/native-lab Python layers are not part of the active path.
> **Process rule:** This is the single active plan for the next phase. The final MCP direction is Go. Old Python MCP, Python tests, offline-lab/native-lab Python layers are archival context outside the active path.
**Goal:** Build a minimal Go MCP server that exposes the existing C# `ISphereWinHelper.exe` read-only operations as MCP tools.
**Goal:** Build a minimal Go MCP server that exposes the existing C# `ISphereWinHelper.exe` observation operations as MCP tools.
**Architecture:** Go is the MCP/service layer. C# is the Windows/UI Automation execution layer. Go calls C# through one-shot stdin/stdout JSON using `isphere.helper.v1`.
@@ -33,9 +33,9 @@ Blocked/non-active:
-> N12-current Current-environment real logged-in UIA capture gate
```
**Reality update 2026-07-08:** iSphere is internal-network only. The current repository environment is an outer-network coordination/analysis environment. Therefore `N12-current` is not the active route unless network placement changes. Live login and live UIA capture must happen in an internal-network test sandbox through `N12R`.
**Reality update 2026-07-08:** iSphere is internal-network only. The current repository environment is an outer-network coordination/analysis environment. Therefore `N12-current` stays secondary unless network placement changes. Live login and live UIA capture must happen in an internal-network test sandbox through `N12R`.
Hard rule: **no node may start until the previous node's acceptance conditions are met.**
Node order: start each node after the previous node's acceptance conditions are met.
---
@@ -43,7 +43,7 @@ Hard rule: **no node may start until the previous node's acceptance conditions a
## N0: Baseline cleanup and direction lock
**Purpose:** Ensure the project is no longer split between Python MCP and Go MCP.
**Purpose:** Align the project on the Go MCP route.
**Preconditions:**
@@ -53,13 +53,13 @@ Hard rule: **no node may start until the previous node's acceptance conditions a
**Actions:**
- Confirm tracked files only include current docs/prompts/C# helper/scripts/evidence placeholders.
- Confirm no active `src/isphere_ai_bridge`, Python MCP package, or Python test suite is tracked.
- Confirm the tracked tree is aligned with the current Go/C# route.
- Confirm `docs/go-csharp-helper-boundary.md` remains the source boundary document.
**Expected outputs:**
- Clean project direction: C# helper now, Go MCP next.
- No Python MCP fallback path.
- Single active fallback path: Go MCP plus C# helper.
**Acceptance conditions:**
@@ -69,7 +69,7 @@ git status --short
Pass if:
- No unexpected modified or untracked files exist except the active plan file while editing.
- Working tree only contains expected files for the active edit.
- `git ls-files` includes `native/ISphereWinHelper/*`.
- `git ls-files` does not include `src/isphere_ai_bridge/*`.
- `git ls-files` does not include `tests/test_*.py`.
@@ -157,12 +157,12 @@ Initial module name:
isphere-ai-bridge
```
Do not create server code yet.
Create only the Go module at this node; server code starts in the later server node.
**Expected outputs:**
- A Go module exists.
- No dependencies are added unless required by standard Go tooling.
- Dependencies stay limited to standard Go tooling needs.
**Acceptance conditions:**
@@ -177,7 +177,7 @@ Pass if:
- `go version` exits 0.
- `go list ./...` exits 0 or reports only the root module with no packages before packages are created.
- No Python files are added.
- Generated files stay in the Go route.
**Stop conditions:**
@@ -369,14 +369,14 @@ Pass if:
- PowerShell verification exits 0.
- Go tests exit 0.
- Test output includes a real `version` call.
- No tests click/type/send/upload/download.
- Tests cover helper version/self-check/scan/dump paths only.
**Stop conditions:**
- Tests only pass with mocked helper and never call the real C# helper.
- C# helper passes alone but Go client cannot call it.
**Commit boundary:** no separate commit unless tests/scripts changed.
**Commit boundary:** separate commit only when tests/scripts changed.
**Next node:** N6.
@@ -395,7 +395,7 @@ Pass if:
Evaluate one current Go MCP library or official SDK option.
Record the decision inside the implementation commit or a short docs section. Do not create a large architecture document.
Record the decision inside the implementation commit or a short docs section.
Decision must answer:
@@ -411,7 +411,7 @@ why this is enough for four tools
**Expected outputs:**
- One MCP server package is selected.
- No competing MCP framework remains in the codebase.
- One MCP framework remains in the codebase.
**Acceptance conditions:**
@@ -464,7 +464,7 @@ Optional only if it keeps `main.go` small:
internal/mcpserver/server.go
```
Do not register real tools yet if the library supports a clean empty server test. If the library requires tools immediately, register only placeholder-free real tool definitions from N8.
Register the tool definitions needed for the current test surface; if the library supports an empty server test, keep tool registration for N8.
**Expected outputs:**
@@ -483,8 +483,8 @@ go build ./cmd/isphere-mcp
Pass if:
- Build exits 0.
- No Python runtime is required.
- No C# helper is launched during simple server construction tests.
- Server construction uses the Go runtime only.
- Simple server construction tests stay on the server construction path.
**Stop conditions:**
@@ -538,7 +538,7 @@ win_helper_dump_uia -> helper op dump_uia
- Four tool definitions exist.
- Tool handlers call `internal/helperclient`.
- No handler performs UI logic directly.
- Handlers delegate UI work through `internal/helperclient`.
**Acceptance conditions:**
@@ -556,13 +556,13 @@ Pass if tests prove:
- Tool schemas include only needed parameters:
- `include_all_visible` for scan.
- `hwnd`, `max_depth`, `include_text`, `max_children` for dump.
- No send/search/file tools exist.
- This phase contains only WinHelper observation tools.
**Stop conditions:**
- A fifth real action tool is added.
- A handler clicks, types, sends, uploads, downloads, or edits files.
- Tool code bypasses `internal/helperclient`.
- Tool code calls helper outside `internal/helperclient`.
**Commit boundary:**
@@ -622,8 +622,8 @@ And confirms:
- Four tool names are present.
- `win_helper_version` returns `ISphereWinHelper`.
- No real iSphere login is required.
- No message/file/search action is present.
- Verification uses synthetic/local helper checks.
- Message/file/search business actions are handled by the core MCP contract route.
**Stop conditions:**
@@ -690,23 +690,20 @@ go build ./cmd/isphere-mcp
powershell -NoProfile -ExecutionPolicy Bypass -File scripts\verify-go-mcp.ps1
```
And includes these boundaries:
And describes the current tool surface:
```text
no login automation
no send message
no send file
no receive/download file
no process injection
no hook
no memory reading
win_helper_version
win_helper_self_check
win_helper_scan_windows
win_helper_dump_uia
```
**Stop conditions:**
- Runbook says Python MCP is required.
- Runbook implies sending is implemented.
- Runbook omits approval boundaries for future sends.
- Runbook drifts back to the Python MCP route.
- Runbook states that send/file business tools are already implemented by the WinHelper observation phase.
- Runbook omits the route to `docs/mcp-core-tools-contract.md` for business send/file tools.
**Commit boundary:**
@@ -750,8 +747,8 @@ Pass if:
- `git status --short` has no output.
- Latest commits are small and tied to N3/N4/N8/N9/N10.
- No Python MCP files exist.
- No search/send/file tools exist.
- Go/C# route files are the active implementation surface.
- Business search/send/file tools remain in the core contract until implemented.
**Stop conditions:**
@@ -816,24 +813,24 @@ dump_uia
**Expected outputs:**
- Full sandbox artifact bundle for read-only offline inventory, or optional minimal UIA JSON package for advanced users.
- No claim that the current environment has a logged-in iSphere window.
- No claim that N12 passed.
- Package is labeled as offline/pre-gate evidence.
- N12 pass status remains tied to the real live-capture gate.
**Acceptance conditions:**
Pass if:
- In mode A, the copied bundle preserves directory structure and includes at least one useful `raw/` source area plus `copy-notes.txt` when available.
- In mode A, repository-side handling is read-only inventory: do not directly run unknown binaries and do not modify original copied files.
- In mode B, required JSON files exist and parse as JSON, and the manifest records offline pre-evidence only, not N12 pass.
- For both modes, the route does not design or perform automatic login, send message, send file, receive file, injection, hook, memory reading, or endpoint-security bypass.
- In mode A, repository-side handling is inventory-focused: preserve original copied files and inspect copies/metadata first.
- In mode B, required JSON files exist and parse as JSON, and the manifest records offline pre-evidence status.
- For both modes, the route stays focused on evidence intake and source discovery for the core MCP tools.
**Stop conditions:**
- Any step requires the user to understand JSON before they can provide the recommended full bundle.
- Any step directly runs unknown binaries from the copied bundle.
- Any step modifies original copied files.
- Package is used to design automatic login, sending, file transfer, injection, hook, memory reading, or endpoint-security bypass.
- Binary execution is deferred to a separately prepared runtime task.
- Original copied files lose their preserved evidence state.
- Package scope expands beyond evidence intake and source discovery.
- Any reader treats the offline package as a replacement for true N12.
**Next node:** N12R internal-sandbox live capture route if live UI evidence is needed. `N12-current` remains blocked in the outer-network environment.
@@ -848,7 +845,7 @@ Pass if:
- N11 accepted.
- Optional N12-pre offline evidence, if used, has been validated only as pre-gate context and not as live capture evidence.
- An internal-network test sandbox can manually open and log in to iSphere / IMPlatformClient using the normal approved process.
- An internal-network test sandbox can manually open and log in to iSphere / IMPlatformClient using the normal company login process.
- The internal sandbox has this repository or a trusted copy of the built helper/MCP artifacts.
- The operator follows `docs/internal-sandbox-operator-runbook.md`.
@@ -898,7 +895,7 @@ Pass if:
- The package satisfies `docs/n12r-return-package-validation-checklist.md`.
- `scan-windows.json` includes an iSphere / IMPlatformClient candidate window.
- `dump-uia-main.json` contains a UI Automation root tree for the selected window.
- The capture notes state the user manually logged in and no forbidden action was performed.
- The capture notes state the user manually logged in and record the exact capture scope.
- The redacted dump exists before broad sharing.
**Stop conditions:**
@@ -907,9 +904,9 @@ Pass if:
- No candidate window appears.
- UIA tree is empty or inaccessible.
- Package contains secrets or message contents that require redaction before review.
- Any step requires automatic login, clicking into conversations, sending, uploading, downloading, injection, hook, memory reading, or endpoint-security bypass.
- Any step expands beyond scan/dump evidence capture into business actions or low-level client manipulation.
**Next node:** N12R-review selector design review gate. Do not implement selectors until N12R evidence is accepted and a separate selector design plan is approved.
**Next node:** N12R-review selector design review gate after N12R evidence is accepted and a separate selector design plan exists.
---
@@ -925,10 +922,10 @@ This is the original N12 definition. It is retained as a blocked/non-active gate
- N11 accepted.
- Optional N12-pre offline evidence, if used, has been validated only as pre-gate context and not as N12 pass evidence.
- The repository environment can manually open and log in to iSphere / IMPlatformClient using the normal approved process.
- The repository environment can manually open and log in to iSphere / IMPlatformClient using the normal company login process.
- iSphere main window is visible in that same environment.
**Original allowed actions:**
**Original tool actions:**
Use only these Go MCP tools:
@@ -943,9 +940,9 @@ Save output under:
runs/real-loggedin-lab/uia-dumps/
```
**Current decision:** Do not wait on this gate as the active route. Use N12R internal-sandbox live capture instead.
**Current decision:** Active route uses N12R internal-sandbox live capture instead of waiting on this gate.
**Next node:** Future selector design may be considered only after N12R evidence is accepted, or after N12-current becomes possible and passes. Do not implement selectors before a separate selector design plan is approved.
**Next node:** Future selector design follows accepted N12R evidence, or a passed N12-current gate, plus a separate selector design plan.
---
@@ -953,13 +950,13 @@ runs/real-loggedin-lab/uia-dumps/
Every node must satisfy these rules:
1. No Python MCP code.
2. No real send/search/file action before an explicitly approved post-N12R selector/action plan.
3. No process injection, hook, credential extraction, token extraction, or memory reading.
4. No broad `git add -A`; stage exact paths.
1. Go MCP remains the active implementation path.
2. Core contact/group/message/file tools follow `docs/mcp-core-tools-contract.md`.
3. UIA/helper work stays behind `internal/helperclient` and supports source discovery or fallback connector work.
4. Stage exact paths.
5. Every code node uses tests first.
6. Every completion claim needs a fresh verification command.
7. Every failed gate stops the plan and requires a short report before continuing.
7. Every failed gate produces a short report before continuing.
---
@@ -974,7 +971,7 @@ Current guidance after N0-N15 remote updates is:
Immediate next action:
```text
Use `docs/mcp-core-tools-contract.md` and `docs/mcp-core-business-plan.md` as the active business route. Prioritize `isphere_search_contacts`, `isphere_search_groups`, `isphere_receive_messages`, and `isphere_receive_files` before any write-capable tool. Keep `isphere_send_message` and `isphere_send_file` behind `dry_run=true`, `approval_id`, and audit requirements.
Use `docs/mcp-core-tools-contract.md` and `docs/mcp-core-business-plan.md` as the active business route. Prioritize `isphere_search_contacts`, `isphere_search_groups`, `isphere_receive_messages`, and `isphere_receive_files`, then move `isphere_send_message` and `isphere_send_file` into Stage D after source discovery and connector verification.
```
Do not treat N12-pre offline evidence as N12 pass. Do not start N16/N17 selector/report hardening as the mainline. Existing UIA selector/report work is auxiliary evidence and fallback support only; the project core is MCP communication capability for contacts, groups, messages, and files.
N12-pre offline evidence remains pre-gate context. Existing UIA selector/report work is auxiliary evidence and fallback support only; the project core is MCP communication capability for contacts, groups, messages, and files.

View File

@@ -2,7 +2,7 @@
This runbook is for the first Go MCP phase of `isphere-ai-bridge`. It lets an operator build and verify the Windows helper and the Go MCP server without reading the source code.
Current scope: expose four read-only WinHelper operations through Go MCP. This phase does not automate iSphere login and does not perform message or file actions.
Current scope: expose four WinHelper observation operations through Go MCP. Business contact/group/message/file tools are defined in the core MCP contract and implemented in later stages.
## 1. Prerequisites
@@ -92,8 +92,8 @@ The verification confirms:
- MCP initialize/list/call flow works through the SDK harness.
- Exactly four tools are exposed.
- `win_helper_version` returns `ISphereWinHelper`.
- No real iSphere login is required.
- No message/file/search action tool is present.
- Verification uses synthetic/local helper checks.
- Message/file/search business tools are covered by the core MCP contract, not this runbook phase.
## 6. Configure MCP client command
@@ -143,34 +143,25 @@ Only these four tools are allowed in the first phase:
Allowed parameters:
- `win_helper_version`: no business parameters.
- `win_helper_self_check`: no business parameters.
- `win_helper_version`: zero business parameters.
- `win_helper_self_check`: zero business parameters.
- `win_helper_scan_windows`: `include_all_visible` only.
- `win_helper_dump_uia`: `hwnd`, `max_depth`, `include_text`, `max_children` only.
## 8. Explicit non-goals and safety boundaries
## 8. Current tool surface and next-stage route
The current phase has these boundaries:
The current runbook verifies four WinHelper observation tools:
- no login automation
- no send message
- no send file
- no receive/download file
- no process injection
- no hook
- no memory reading
- no search contacts
- no open conversation
- no automatic login
- no credential, token, cookie, or private-key extraction
- no endpoint-security bypass or evasion
- no Python MCP fallback
- `win_helper_version`
- `win_helper_self_check`
- `win_helper_scan_windows`
- `win_helper_dump_uia`
Future send/file operations, if ever approved, must be behind explicit human approval and audit records. They are not implemented in this phase.
Core business tools for contacts, groups, messages, and files are defined in `docs/mcp-core-tools-contract.md`. Send/file capabilities enter the roadmap through that contract after source discovery, connector selection, preview metadata, execution metadata, and audit records are in place.
## 9. Real-login UIA capture procedure
This is a later real-login capture gate. Do not run it unless the operator has explicit approval for the real logged-in UIA capture step.
This is a later real-login capture gate used to collect live UI structure for connector work.
Procedure:
@@ -182,7 +173,7 @@ Procedure:
```
2. Manually open iSphere / IMPlatformClient.
3. Manually log in using the normal company-approved process.
3. Manually log in using the normal company login process.
4. Keep the main iSphere window visible.
5. Use `win_helper_scan_windows` to find the candidate window. Prefer read-only scan arguments such as:
@@ -201,7 +192,7 @@ Procedure:
}
```
7. Save approved evidence under:
7. Save selected evidence under:
```text
runs\real-loggedin-lab\uia-dumps\
@@ -209,12 +200,8 @@ Procedure:
8. Review and redact any sensitive content before sharing reports.
During this procedure, the operator must not click, type, send, upload, download, modify client state, or capture passwords/tokens.
## 10. If this outer-network environment cannot log in
Do not run or mark the original current-environment real-login UIA capture gate as passed.
iSphere is internal-network only. If the current repository environment is outside that network, use two separate routes:
1. **N12-pre offline evidence** for copied files and static analysis. Follow `docs/offline-evidence-intake-plan.md` and place packages under `runs\offline-evidence-intake\<evidence-id>\`.
@@ -242,8 +229,6 @@ powershell -NoProfile -ExecutionPolicy Bypass -File .\scripts\validate-n12r-retu
Keep the validation report outside `$captureRoot`; the returned package is evidence input and should remain unchanged.
Neither offline evidence nor N12R authorizes automatic login, search contacts, open conversation, send message, send file, receive file, injection, hook, memory reading, credential extraction, or endpoint-security bypass behavior.
## 11. Troubleshooting
- If C# helper build fails, run `scripts\build-win-helper.ps1` directly and check for missing .NET Framework reference assemblies.

View File

@@ -36,7 +36,7 @@ Implications:
- Prefer an existing bridge/API/local service before reading local storage or using UIA.
- Prefer read-only database/log/cache access before UI automation when it can answer the business question.
- UIA selector work is a fallback access mechanic, not the primary roadmap.
- Do not continue investing in selector report hardening unless a concrete business tool is blocked by selector quality.
- Invest in selector/report work only when it directly unblocks a concrete core MCP tool.
- Reverse engineering is last resort and should explain formats or validate assumptions; it should not become the default delivery path.
## Stage A: Freeze MCP core tools contract
@@ -52,14 +52,13 @@ Deliverables:
- `isphere_send_message`
- `isphere_receive_files`
- `isphere_send_file`
- Write-capable tools require `approval_id` for real execution.
- Write-capable tools support `dry_run=true` and default to dry-run until approved.
- Read-only tools do not mutate the iSphere client state.
- Write-capable tools expose preview and execution metadata.
- Read tools come before write tools so the capability source is proven first.
Acceptance:
- Contract names, input parameters, output JSON, error codes, audit fields, read-only/write status, approval behavior, and implementation priority are explicit.
- No new selector/report node is introduced as the next primary step.
- Contract names, input parameters, output JSON, error codes, audit fields, read/write status, and implementation priority are explicit.
- Selector/report work is not the next primary step.
## Stage B: Find real capability sources
@@ -77,7 +76,6 @@ Acceptance:
- Each read-only tool has a selected primary source and a fallback source.
- The decision is evidence-backed and does not rely on stale prior notes without current verification.
- No automatic login, hook, injection, memory read, or endpoint-security bypass is introduced.
## Stage C: Read-only loop
@@ -94,39 +92,37 @@ Acceptance:
- Each tool can return normalized JSON through MCP.
- Each tool records audit metadata.
- File receiving/download writes only to an approved local output directory and never mutates source client state.
- Tests and verification do not send messages, upload files, click destructive controls, or alter production data.
- File receiving/download writes to a configured local output directory.
- Tests and verification cover connector behavior without expanding into selector/report-only work.
## Stage D: Approval-after-read-only write capability
## Stage D: Write capability
Goal: add write behavior only after the read-only loop is proven.
Implementation order:
1. `isphere_send_message` with `dry_run=true` preview first.
2. Approval store and audit validation.
3. `isphere_send_message` real send only with valid `approval_id`.
4. `isphere_send_file` with `dry_run=true` preview first.
5. `isphere_send_file` real send only with valid `approval_id`.
1. `isphere_send_message` preview first.
2. Audit and execution metadata.
3. `isphere_send_message` production write mode.
4. `isphere_send_file` preview first.
5. `isphere_send_file` production write mode.
Acceptance:
- No valid `approval_id`, no real send.
- Every real send records target, content/file hash, approver, time, connector, and result.
- Every write records target, content/file hash, operator, time, connector, and result.
- Idempotency prevents accidental duplicate sends.
- Operator can review dry-run output before approval.
- Preview output is available before production execution.
## Stage E: Pre-production safety, audit, and deployment acceptance
## Stage E: Pre-production audit and deployment acceptance
Goal: make the MCP service safe and operable before broader use.
Goal: make the MCP service operable before broader use.
Checks:
- Tool allowlist and source allowlist are explicit.
- Tool registry and source registry are explicit.
- Audit records are durable and redacted where needed.
- Approval records are traceable.
- Execution records are traceable.
- Deployment docs include exact commands, rollback, logs, and known limits.
- Security boundaries are still enforced: no automatic login, no bypass, no injection, no hook, no target-process memory read.
Acceptance:
@@ -142,4 +138,4 @@ Current next step is:
MCP core tools contract freeze + read-only message source discovery + N12-pre evidence package organization.
```
Do not start N16/N17 selector/report hardening as the mainline. If UIA is needed later, use the existing N13/N14/N15 results as auxiliary evidence only.
N16/N17 selector/report hardening is not the mainline. If UIA is needed later, use the existing N13/N14/N15 results as auxiliary evidence only.

View File

@@ -8,16 +8,12 @@ Date: 2026-07-09
This contract defines the business-facing MCP tool surface. The existing `win_helper_*` tools remain low-level auxiliary tools for controlled read-only observation and fallback implementation work. They are not the product API.
## Hard boundaries
## Implementation staging
- Build contact, group, message, and file read paths first because they unlock the digital employee workflow.
- Treat send message and send file as write-capable tools with preview, execution metadata, and audit fields.
- Use UIA selectors only where higher-priority sources cannot provide the required business capability.
- No automatic login.
- No permission bypass.
- No process injection, hook, target-process memory read, credential extraction, or endpoint-security bypass.
- Search contacts, search groups, receive messages, and receive files should be implemented read-only first.
- Real message sending and file sending require `approval_id`.
- Without `approval_id`, write-capable tools must stay in `dry_run=true` behavior and must not send.
- Every real write must produce an audit record with target, content/file hash, approver, timestamp, source connector, and result.
- UIA selectors are allowed only as fallback access mechanics after higher-priority sources are exhausted or unavailable.
## Common error codes
@@ -27,8 +23,8 @@ This contract defines the business-facing MCP tool surface. The existing `win_he
| `SOURCE_UNAVAILABLE` | Selected bridge/API/database/UIA source is unavailable. |
| `NOT_LOGGED_IN` | A required manually logged-in client session is not present. |
| `PERMISSION_DENIED` | Current operator/account is not authorized for the requested object. |
| `APPROVAL_REQUIRED` | A real write was requested without valid approval. |
| `DRY_RUN_ONLY` | Tool is currently limited to dry-run behavior. |
| `WRITE_NOT_READY` | The selected write connector is not ready for execution. |
| `PREVIEW_ONLY` | Tool returned a preview instead of executing the write. |
| `TARGET_NOT_FOUND` | Contact, group, conversation, message, or file was not found. |
| `AMBIGUOUS_TARGET` | Multiple possible targets match and the request must be narrowed. |
| `TIMEOUT` | The connector did not complete before timeout. |
@@ -45,8 +41,7 @@ Every tool response should include an `audit` object:
"request_id": "uuid",
"source": "bridge|local_readonly|uia|network|mock",
"operator_id": "optional operator identity",
"approval_id": null,
"dry_run": false,
"execution_mode": "read|preview|production",
"target_ref": "optional stable target reference",
"content_sha256": null,
"file_sha256": null,
@@ -60,10 +55,9 @@ Every tool response should include an `audit` object:
| Field | Value |
| --- | --- |
| Business purpose | Search authorized iSphere contacts so a digital employee can resolve a person before reading or drafting work. |
| Business purpose | Search iSphere contacts so a digital employee can resolve a person before reading or drafting work. |
| Read-only | Yes. |
| Requires `approval_id` | No. |
| Supports `dry_run` | Not required; optional `dry_run` may return the planned query only. |
| Execution mode | Query preview or normal read. |
| Current priority | Stage C read-only loop, first priority. |
Input parameters:
@@ -106,10 +100,9 @@ Errors: `INVALID_ARGUMENT`, `SOURCE_UNAVAILABLE`, `NOT_LOGGED_IN`, `PERMISSION_D
| Field | Value |
| --- | --- |
| Business purpose | Search authorized iSphere groups so a digital employee can resolve a group conversation before reading or drafting work. |
| Business purpose | Search iSphere groups so a digital employee can resolve a group conversation before reading or drafting work. |
| Read-only | Yes. |
| Requires `approval_id` | No. |
| Supports `dry_run` | Not required; optional `dry_run` may return the planned query only. |
| Execution mode | Query preview or normal read. |
| Current priority | Stage C read-only loop, first priority. |
Input parameters:
@@ -151,10 +144,9 @@ Errors: `INVALID_ARGUMENT`, `SOURCE_UNAVAILABLE`, `NOT_LOGGED_IN`, `PERMISSION_D
| Field | Value |
| --- | --- |
| Business purpose | Read authorized recent messages and normalize them for digital employee reasoning and drafting. |
| Business purpose | Read recent iSphere messages and normalize them for digital employee reasoning and drafting. |
| Read-only | Yes. |
| Requires `approval_id` | No. |
| Supports `dry_run` | Optional; if true, returns source/query plan without message bodies. |
| Execution mode | Source/query preview or normal read. |
| Current priority | Stage C read-only loop, first priority after contact/group source discovery. |
Input parameters:
@@ -169,7 +161,7 @@ Input parameters:
"cursor": "string, optional",
"include_attachment_metadata": "boolean, optional, default true",
"source_preference": "bridge|local_readonly|uia|network|auto, optional, default auto",
"dry_run": "boolean, optional, default false"
"preview": "boolean, optional, default false"
}
```
@@ -215,13 +207,12 @@ Errors: `INVALID_ARGUMENT`, `SOURCE_UNAVAILABLE`, `NOT_LOGGED_IN`, `PERMISSION_D
| Field | Value |
| --- | --- |
| Business purpose | List and receive/download authorized files from messages without mutating the iSphere client state. |
| Read-only | Yes for source/client state. It may write downloaded files only to an operator-approved local output directory. |
| Requires `approval_id` | No for read-only listing or authorized download. Approval can be added later for sensitive destinations. |
| Supports `dry_run` | Yes. `dry_run=true` lists planned files and destination paths without downloading. |
| Business purpose | List and receive/download files from messages while preserving the iSphere client state. |
| Read-only | Yes for source/client state. It writes downloaded files to a configured local output directory. |
| Execution mode | List/download preview or normal download. |
| Current priority | Stage C read-only loop after messages expose file metadata. |
Implementation note: if the implementation becomes clearer with two internal operations, split into `list_files` and `download_file` behind this business contract. Do not expand the roadmap beyond receive/download.
Implementation note: if the implementation becomes clearer with two internal operations, split into `list_files` and `download_file` behind this business contract. Keep the roadmap focused on receive/download.
Input parameters:
@@ -235,7 +226,7 @@ Input parameters:
"limit": "integer, optional, default 50, max 200",
"cursor": "string, optional",
"source_preference": "bridge|local_readonly|uia|network|auto, optional, default auto",
"dry_run": "boolean, optional, default true for download"
"preview": "boolean, optional, default true for download"
}
```
@@ -265,17 +256,16 @@ Output JSON:
}
```
Errors: `INVALID_ARGUMENT`, `SOURCE_UNAVAILABLE`, `NOT_LOGGED_IN`, `PERMISSION_DENIED`, `TARGET_NOT_FOUND`, `DRY_RUN_ONLY`, `TIMEOUT`, `CONNECTOR_FAILED`, `INTERNAL_ERROR`.
Errors: `INVALID_ARGUMENT`, `SOURCE_UNAVAILABLE`, `NOT_LOGGED_IN`, `PERMISSION_DENIED`, `TARGET_NOT_FOUND`, `PREVIEW_ONLY`, `TIMEOUT`, `CONNECTOR_FAILED`, `INTERNAL_ERROR`.
## Tool: `isphere_send_message`
| Field | Value |
| --- | --- |
| Business purpose | Send an approved text message to a resolved contact or group. |
| Business purpose | Send a text message to a resolved contact or group. |
| Read-only | No. |
| Requires `approval_id` | Yes for any real send. |
| Supports `dry_run` | Yes, required. Default must be `true` until production approval flow is accepted. |
| Current priority | Stage D approval-after-read-only loop. |
| Execution mode | Preview or production write. |
| Current priority | Stage D write capability. |
Input parameters:
@@ -284,8 +274,7 @@ Input parameters:
"target_type": "contact|group|conversation, required",
"target_id": "string, required",
"content_text": "string, required",
"approval_id": "string, required when dry_run=false",
"dry_run": "boolean, optional, default true",
"execution_mode": "preview|production, optional, default preview",
"idempotency_key": "string, optional but recommended",
"source_preference": "bridge|uia|network|auto, optional, default auto"
}
@@ -296,7 +285,7 @@ Output JSON:
```json
{
"ok": true,
"dry_run": true,
"execution_mode": "preview",
"send_status": "planned|sent|rejected",
"target": {
"target_type": "contact|group|conversation",
@@ -309,16 +298,15 @@ Output JSON:
}
```
Errors: `INVALID_ARGUMENT`, `APPROVAL_REQUIRED`, `PERMISSION_DENIED`, `NOT_LOGGED_IN`, `TARGET_NOT_FOUND`, `AMBIGUOUS_TARGET`, `DRY_RUN_ONLY`, `TIMEOUT`, `CONNECTOR_FAILED`, `INTERNAL_ERROR`.
Errors: `INVALID_ARGUMENT`, `WRITE_NOT_READY`, `PERMISSION_DENIED`, `NOT_LOGGED_IN`, `TARGET_NOT_FOUND`, `AMBIGUOUS_TARGET`, `PREVIEW_ONLY`, `TIMEOUT`, `CONNECTOR_FAILED`, `INTERNAL_ERROR`.
## Tool: `isphere_send_file`
| Field | Value |
| --- | --- |
| Business purpose | Send an approved local file to a resolved contact or group. |
| Business purpose | Send a local file to a resolved contact or group. |
| Read-only | No. |
| Requires `approval_id` | Yes for any real send. |
| Supports `dry_run` | Yes, required. Default must be `true` until production approval flow is accepted. |
| Execution mode | Preview or production write. |
| Current priority | Stage D after `isphere_send_message`. |
Input parameters:
@@ -327,10 +315,9 @@ Input parameters:
{
"target_type": "contact|group|conversation, required",
"target_id": "string, required",
"file_path": "string, required; must be under an approved outbound directory",
"file_path": "string, required; use configured outbound directory",
"caption": "string, optional",
"approval_id": "string, required when dry_run=false",
"dry_run": "boolean, optional, default true",
"execution_mode": "preview|production, optional, default preview",
"idempotency_key": "string, optional but recommended",
"source_preference": "bridge|uia|network|auto, optional, default auto"
}
@@ -341,7 +328,7 @@ Output JSON:
```json
{
"ok": true,
"dry_run": true,
"execution_mode": "preview",
"send_status": "planned|sent|rejected",
"target": {
"target_type": "contact|group|conversation",
@@ -355,7 +342,7 @@ Output JSON:
}
```
Errors: `INVALID_ARGUMENT`, `APPROVAL_REQUIRED`, `PERMISSION_DENIED`, `NOT_LOGGED_IN`, `TARGET_NOT_FOUND`, `AMBIGUOUS_TARGET`, `DRY_RUN_ONLY`, `TIMEOUT`, `CONNECTOR_FAILED`, `INTERNAL_ERROR`.
Errors: `INVALID_ARGUMENT`, `WRITE_NOT_READY`, `PERMISSION_DENIED`, `NOT_LOGGED_IN`, `TARGET_NOT_FOUND`, `AMBIGUOUS_TARGET`, `PREVIEW_ONLY`, `TIMEOUT`, `CONNECTOR_FAILED`, `INTERNAL_ERROR`.
## Stage priority summary
@@ -365,5 +352,5 @@ Errors: `INVALID_ARGUMENT`, `APPROVAL_REQUIRED`, `PERMISSION_DENIED`, `NOT_LOGGE
| 2 | `isphere_search_groups` | C read-only loop |
| 3 | `isphere_receive_messages` | C read-only loop |
| 4 | `isphere_receive_files` | C read-only loop |
| 5 | `isphere_send_message` | D approval-backed write |
| 6 | `isphere_send_file` | D approval-backed write |
| 5 | `isphere_send_message` | D write capability |
| 6 | `isphere_send_file` | D write capability |