feat: harden GBrain multi-agent MCP access#685

Closed
chipoto69 wants to merge 4 commits into garrytan:master from chipoto69:phase4c/mcp-log-partition-cooling

Conversation

@chipoto69 chipoto69 commented May 6, 2026


Summary

  • hardens GBrain multi-agent MCP access with fine-grained token scopes and named Ryde token presets
  • logs real MCP tool/operation names and adds request-log indexes / pg_partman partitioning guardrails
  • replaces legacy auto-RLS posture with explicit service-role-only docs, doctor checks, and rollback/runbook notes

Test Plan

  • git diff --check
  • bun run typecheck
  • bun run build:schema
  • bun test test/oauth.test.ts test/scoped-tokens.test.ts test/migrate.test.ts test/rls-posture-migration.test.ts test/http-transport.test.ts test/token-last-used.test.ts test/doctor.test.ts — 197 pass
  • multi-client MCP stdio smoke using MCP SDK Client with client names hermes, claude, codex: all list 43 tools and call list_pages

Migration / verification status

  • Local PGLite/unit migration path passes through v39.
  • No live production Postgres migration was applied by this PR hygiene pass.
  • Phase 4 SQL verification to run after staging/prod migration:
    • SELECT token_name, scopes FROM access_tokens ORDER BY token_name;
    • SELECT operation, COUNT(*) FROM mcp_request_log GROUP BY operation ORDER BY 2 DESC;
    • SELECT COUNT(*) AS generic_mcp_request_rows FROM mcp_request_log WHERE operation = 'mcp_request';
    • SELECT indexname, indexdef FROM pg_indexes WHERE tablename = 'mcp_request_log' ORDER BY indexname;
    • EXPLAIN SELECT * FROM mcp_request_log WHERE token_name = 'agent-cto-ryde' ORDER BY created_at DESC LIMIT 50;
    • SELECT * FROM partman.part_config WHERE parent_table LIKE '%mcp_request_log%';
    • SELECT tablename, rowsecurity FROM pg_tables WHERE schemaname = 'public' ORDER BY tablename;
    • SELECT schemaname, tablename, policyname FROM pg_policies WHERE schemaname = 'public' ORDER BY tablename, policyname;

Rollback

  • Request-log partition rollback is documented in docs/ops/mcp-request-log-partitioning-2026-05-06.md: rename partitioned table aside, restore mcp_request_log_legacy, recreate lookup indexes, then remove the pg_partman config only after continuity is verified.
  • RLS posture rollback is code-level: revert v39/doctor posture changes before deployment; do not re-enable zero-policy RLS trapdoors manually.

Kanban: t_a14a0ff5 / Phase 4E.
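Added example, not code from this PR or from GBrain: the deny-by-default shape of the scope wiring the summary describes, with named token presets and request-log rows that carry the real tool name rather than a generic placeholder. The scope strings, preset names, the tool list and the row shape are assumptions for illustration.

```typescript
// Added example, not GBrain's own code: deny-by-default scope checks for MCP tool
// calls, named token presets, and request-log rows that record the real tool name.
// Scope strings, preset names and the tool list are assumptions for illustration.

type Scope = "pages:read" | "pages:write" | "search:read" | "admin";

// Named presets a token can be minted from. The preset name becomes the token_name
// that the verification queries on this page group and filter by.
const TOKEN_PRESETS = new Map<string, readonly Scope[]>([
  ["agent-reader", ["pages:read", "search:read"]],
  ["agent-editor", ["pages:read", "pages:write", "search:read"]],
  ["ops-admin", ["admin"]],
]);

// Every exposed tool declares the one scope it needs. A Map (not a plain object) is
// deliberate: with an object, a tool named "constructor" or "toString" would resolve
// to an inherited property instead of "missing" and could slip past the deny branch.
const TOOL_SCOPES = new Map<string, Scope>([
  ["list_pages", "pages:read"],
  ["get_page", "pages:read"],
  ["search", "search:read"],
  ["put_page", "pages:write"],
  ["delete_page", "pages:write"],
]);

interface AccessToken { tokenName: string; scopes: readonly Scope[] }

// One mcp_request_log row. `operation` is always the concrete tool name so that
// "SELECT operation, COUNT(*) ... GROUP BY operation" is meaningful; the generic
// placeholder "mcp_request" never appears.
interface RequestLogRow { tokenName: string; operation: string; allowed: boolean; reason: string }

function mintToken(preset: string): AccessToken {
  const scopes = TOKEN_PRESETS.get(preset);
  if (scopes === undefined) throw new Error(`unknown token preset: ${preset}`);
  return { tokenName: preset, scopes };
}

// Deny by default: unregistered tools and missing scopes both produce a denied row.
// Only "admin" implies other scopes; there is no wildcard matching on scope strings.
function authorizeToolCall(token: AccessToken, tool: string): RequestLogRow {
  const needed = TOOL_SCOPES.get(tool);
  if (needed === undefined) {
    return { tokenName: token.tokenName, operation: tool, allowed: false, reason: "unregistered tool" };
  }
  const allowed = token.scopes.includes("admin") || token.scopes.includes(needed);
  return {
    tokenName: token.tokenName,
    operation: tool,
    allowed,
    reason: allowed ? "ok" : `missing scope ${needed}`,
  };
}

// Same aggregation as the page's "SELECT operation, COUNT(*) FROM mcp_request_log
// GROUP BY operation", so the log can be read per tool rather than per request.
function countByOperation(rows: readonly RequestLogRow[]): Map<string, number> {
  const counts = new Map<string, number>();
  for (const row of rows) counts.set(row.operation, (counts.get(row.operation) ?? 0) + 1);
  return counts;
}

// Constructed sample traffic: three clients minted from different presets.
function sampleRun(): RequestLogRow[] {
  const reader = mintToken("agent-reader");
  const editor = mintToken("agent-editor");
  const admin = mintToken("ops-admin");
  return [
    authorizeToolCall(reader, "list_pages"),
    authorizeToolCall(reader, "put_page"),     // denied: missing pages:write
    authorizeToolCall(reader, "constructor"),  // denied: not a registered tool
    authorizeToolCall(editor, "put_page"),
    authorizeToolCall(admin, "delete_page"),   // admin implies every scope
  ];
}
```

The denied rows are logged with the same operation name as allowed ones, which is what makes the `COUNT(*) ... WHERE operation = 'mcp_request'` check on this page useful: after the change that count should be zero, and a non-zero result means some code path still logs the placeholder.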


@chipoto69

Author

Phase 4E PR hygiene complete.

PR: #685
Head: cfc5000 (fix: remove stale scope validator import), branch phase4c/mcp-log-partition-cooling pushed from fork chipoto69:gbrain because upstream garrytan/gbrain denied direct push to chipoto69.
Worktree: /Users/rudlord/ORGANIZED/worktrees/gbrain-multi-agent-hardening-2026-05-06 clean.

Checks/smoke:

  • git diff --check pass
  • bun run typecheck pass
  • bun run build:schema pass
  • bun test test/oauth.test.ts test/scoped-tokens.test.ts test/migrate.test.ts test/rls-posture-migration.test.ts test/http-transport.test.ts test/token-last-used.test.ts test/doctor.test.ts pass: 197 tests
  • Multi-client MCP stdio smoke pass via MCP SDK Client initialized as hermes, claude, and codex; each listed 43 tools and successfully called list_pages.

Migration status:

  • Local PGLite/unit migration path passes through v39.
  • No live production Postgres migration was applied in this pass.
  • GitHub reports no checks for the fork branch yet; PR merge state is UNSTABLE only because no required status/check data exists, not because a failing check was observed.

Rollback:

  • Request-log partition rollback is documented in docs/ops/mcp-request-log-partitioning-2026-05-06.md: rename partitioned table aside, restore mcp_request_log_legacy, recreate lookup indexes, and remove pg_partman config only after continuity is verified.
  • RLS rollback is code-level: revert v39/doctor posture changes before deployment; do not manually restore zero-policy RLS trapdoors.

No secrets or cleartext bearer tokens were minted/logged.
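Added example, not the doctor code from this PR: a posture check of the kind the summary mentions, run over the rows the two catalog queries listed above return (`pg_tables.rowsecurity` and `pg_policies`). The expected posture (RLS disabled on public tables, access through the service role only) is taken from the PR summary; the table names, policy names and the finding shape are assumptions.

```typescript
// Added example, not the project's doctor code: a posture check over the rows returned by
// the two catalog queries listed on this page (pg_tables.rowsecurity and pg_policies).
// The expected posture (RLS disabled on public tables, access through the service role
// only) is taken from the PR summary; the table names and finding shape are assumptions.

interface PgTableRow { tablename: string; rowsecurity: boolean }
interface PgPolicyRow { tablename: string; policyname: string }

type Severity = "ok" | "warn" | "error";
interface Finding { table: string; severity: Severity; message: string }

function checkRlsPosture(tables: readonly PgTableRow[], policies: readonly PgPolicyRow[]): Finding[] {
  const policiesByTable = new Map<string, string[]>();
  for (const p of policies) {
    const names = policiesByTable.get(p.tablename) ?? [];
    names.push(p.policyname);
    policiesByTable.set(p.tablename, names);
  }

  const findings: Finding[] = [];
  for (const t of tables) {
    const names = policiesByTable.get(t.tablename) ?? [];
    if (!t.rowsecurity) {
      // Policies on a table whose RLS is off are inert, but they are a sign of a
      // half-reverted migration and will spring to life if someone re-enables RLS.
      findings.push(names.length === 0
        ? { table: t.tablename, severity: "ok", message: "rls disabled, no policies" }
        : { table: t.tablename, severity: "warn", message: `rls disabled but orphan policies remain: ${names.join(", ")}` });
    } else if (names.length === 0) {
      // Postgres applies a default-deny policy when RLS is enabled and no policy exists.
      // The table owner, superusers and BYPASSRLS roles are exempt (absent FORCE ROW LEVEL
      // SECURITY), so tests run as the owner pass while every other role silently gets
      // zero rows and rejected writes: the "trapdoor" the rollback notes warn about.
      findings.push({ table: t.tablename, severity: "error", message: "rls enabled with zero policies (default-deny trapdoor)" });
    } else {
      findings.push({ table: t.tablename, severity: "warn", message: `rls enabled with policies ${names.join(", ")}; not the service-role-only posture` });
    }
  }
  return findings;
}

// Highest severity across findings, for a doctor exit code.
function worstSeverity(findings: readonly Finding[]): Severity {
  const rank: Record<Severity, number> = { ok: 0, warn: 1, error: 2 };
  let worst: Severity = "ok";
  for (const f of findings) if (rank[f.severity] > rank[worst]) worst = f.severity;
  return worst;
}

// Constructed catalog snapshot standing in for the live query output.
const SAMPLE_TABLES: readonly PgTableRow[] = [
  { tablename: "pages", rowsecurity: false },
  { tablename: "access_tokens", rowsecurity: true },
  { tablename: "mcp_request_log", rowsecurity: true },
  { tablename: "search_index", rowsecurity: false },
];
const SAMPLE_POLICIES: readonly PgPolicyRow[] = [
  { tablename: "mcp_request_log", policyname: "service_role_all" },
  { tablename: "search_index", policyname: "legacy_read" },
];

function sampleFindings(): Finding[] {
  return checkRlsPosture(SAMPLE_TABLES, SAMPLE_POLICIES);
}
```

The owner exemption is the reason this class of regression is hard to catch with unit tests alone: PGLite and local migrations usually run as the table owner, so a zero-policy table looks healthy until a less privileged role hits it in staging. Feeding the doctor the real catalog rows, as the verification queries above do, is what closes that gap.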

@garrytan

Owner

Thank you for this work @chipoto69 — closing as superseded by your own later PR #1316, which carries forward the Phase 4 multi-agent hardening scope this PR started.

#1316 itself stays open with a status comment explaining why the v0.41.3.0 wave (#1403) only extracts the pieces it can land without touching the v0.26.7 auto-RLS event trigger. The deny-by-default scope wiring + real operation names + last_used_at LRU debounce from your design are filed as TODOS T13a/T13b/T13c in TODOS.md, each citing #1316 as the cherry-pick starter.

The OAuth CORS lockdown + register-client validator surface in #1403 builds on the security-hardening direction your PRs introduced.

@garrytan garrytan closed this May 25, 2026
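Added example, not code from this PR, #1316 or GBrain: one way to implement the last_used_at LRU debounce the owner's comment lists as T13c. The column name is taken from the test file named on this page (test/token-last-used.test.ts); the write interval, the entry bound and the writer callback signature are assumptions.

```typescript
// Added example, not GBrain's code: an LRU-bounded debounce for access_tokens.last_used_at
// writes. The column name comes from the test file named on this page
// (test/token-last-used.test.ts); the interval, the entry bound and the writer callback
// signature are assumptions.

type LastUsedWriter = (tokenId: string, atMs: number) => void;

class LastUsedDebouncer {
  // token id -> ms of the last write we issued. Map preserves insertion order, and
  // delete+set on every touch moves a key to the end, so the first key is always the
  // least recently used one.
  private readonly seen = new Map<string, number>();
  private readonly write: LastUsedWriter;
  private readonly minIntervalMs: number;
  private readonly maxEntries: number;

  constructor(write: LastUsedWriter, minIntervalMs = 60_000, maxEntries = 1_000) {
    this.write = write;
    this.minIntervalMs = minIntervalMs;
    this.maxEntries = maxEntries;
  }

  // Call on every authenticated request. Returns true when a database write was issued.
  // The clock is passed in rather than read from Date.now() so behaviour is testable.
  touch(tokenId: string, nowMs: number): boolean {
    const last = this.seen.get(tokenId);
    if (last !== undefined && nowMs - last < this.minIntervalMs) {
      // Still inside the window: refresh LRU position, keep the old write timestamp.
      this.seen.delete(tokenId);
      this.seen.set(tokenId, last);
      return false;
    }
    this.write(tokenId, nowMs);
    this.seen.delete(tokenId);
    this.seen.set(tokenId, nowMs);
    // Bound memory regardless of how many distinct tokens hit this process. An evicted
    // token simply costs one extra write the next time it is seen.
    while (this.seen.size > this.maxEntries) {
      const oldest = this.seen.keys().next().value;
      if (oldest === undefined) break;
      this.seen.delete(oldest);
    }
    return true;
  }

  size(): number { return this.seen.size; }
}
```

Two caveats worth stating next to the TODO: the stored value can lag real use by up to minIntervalMs, and the cache is per process, so N server instances will write up to N times per window for the same token. Both are acceptable when last_used_at only answers "is this token still alive" and the per-request timestamps live in mcp_request_log; they are not acceptable if last_used_at is expected to be forensically exact.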