AI Connect for XenForo - WebMCP Bridge 1.2.21

Re-uploading v1.2.21 as a direct file attachment. Functionality is identical to the previous release — no code changes.

### Version 1.2.21 — 2026-04-14
* Fixed: Users with useTools = Never can no longer access the AI Connect info page or generate tokens

### Version 1.2.20 — 2026-04-14
* Fixed: Navigation link and footer icon are now automatically hidden for users/groups with useTools = Never

### Version 1.2.19 — 2026-04-14

• Fixed: Admin CP permission greying now works on fresh installs — switched to direct click listeners matching XenForo's own PermissionChoice approach
• Fixed: js/chgold/aiconnect/admin-permissions.js was missing from the release ZIP on fresh installs (added build.json with additional_files)

### Version 1.2.18 — 2026-04-14
* Fixed: PRO tool phrases were incorrectly stored under the free addon's addon_id, causing XenForo phrase validation errors (a-z, A-Z, 0-9, _ only) on fresh installs of external sites

### Version 1.2.17 — 2026-04-14

• Added: Generic prompt metadata system — each module declares its own getToolPromptMeta() so future tools appear automatically in the personalised prompt
• Improved: buildPersonalizedPrompt() collects tool hints and URL examples from modules at runtime instead of a hardcoded table

### Version 1.2.16 — 2026-04-14

• Security: allowUnauthenticatedAccess() returning false added to the Tools API controller — unauthenticated tool execution is now explicitly blocked at the framework level
• Fixed: Admin CP permission JS file path corrected to js/chgold/aiconnect/admin-permissions.js per XenForo static file conventions

### Version 1.2.15 — 2026-04-13
* Added: Admin CP visual permission UI — per-tool rows grey out automatically when useTools is set to Never, matching XenForo's native depend_permission_id behaviour

### Version 1.2.14 — 2026-04-13

• Added: Permission-aware manifest — authenticated requests to /api/aiconnect-manifest return only tools the token owner can use; anonymous requests return the full list for discovery
• Added: Permission-aware prompt generator — /ai-connect/generate-token returns a personalised prompt filtered to accessible tools

### Version 1.2.13 — 2026-04-12

• Added: Full 3-tier permission system: viewAiConnect, useTools (master switch), per-package (use_package_{id}), per-tool (tool_{module}_{tool})
• Added: Two Admin CP permission interface groups: AI Connect and AI Connect — Tools
• Added: syncToolPermissions() and syncPackagePermissions() — auto-registered on install/upgrade; third-party addons can hook in via ai_connect_sync_tool_permissions

### Version 1.2.10–1.2.12 — 2026-04-12

• Added: viewNavLink permission for controlling navigation link visibility per user group
• Added: Session-based OAuth flow (/api/aiconnect-oauth/start + /api/aiconnect-oauth/poll)
• Fixed: Footer template uses link() and base_url() instead of hardcoded paths

This release covers all changes since v1.1.9 — a large update with new features, major improvements, and several important bug fixes.

---

New Features

• AI Connect Info Page (/ai-connect/) — A public page on your forum showing the manifest URL, OAuth authorize URL, and step-by-step instructions for connecting AI agents. Visitors see a clean landing page; logged-in users get a ready-to-paste prompt.

• Token Generator (/ai-connect/generate-token) — Logged-in forum members can generate a Bearer token in one click via the info page, no OAuth flow required. Useful for personal API access.

• Translation Provider Admin Setting — Choose between AI Self-Translate (default, no external API), MyMemory API (~5,000 chars/day free tier), or Disabled. Configurable under Admin CP → Options → AI Connect.

• Footer Icon & Navigation Entry — AI Connect icon appears in the forum footer (next to RSS) and optionally in the top navigation bar. Both default to on; configurable in Admin CP.

• ?token= Query Parameter Auth — AI agents that can't set HTTP headers (e.g. web-based agents using URL fetching) can now authenticate via ?token=YOUR_TOKEN in the URL. Authorization: Bearer header takes priority when present.

• Claude Desktop / webmcp-client Setup — Built-in instructions in the info page and README for connecting via the webmcp-client npm package.

---

Improvements

• Universal Tool Schemas (v1.2.0) — Date filters now accept natural language ("today", "yesterday", "1week", "1month"), dynamic durations ("3d", "6h", "2w"), ISO dates ("2026-03-15"), or "all" for full history. Tools also now accept username and user_id filters, and translation uses standard ISO language codes.

• until= Date Filter (v1.2.2) — Closed time windows: combine since= and until= to search within a specific date range (e.g. since=1week&until=yesterday).

• Fuzzy client_id Matching — Supports common AI client variants: gemini_client, claude_ai, chatgpt_client, openai, google, etc. All resolve to the correct registered client automatically.

• Registered Clients in Manifest — The manifest now exposes the list of registered client IDs, so AI agents can discover the correct client_id to use without guessing.

• Improved AI Agent Prompts — The info page and generated token prompts include better documentation: tool examples, date filter syntax, username search, MCP connection instructions.

---

Bug Fixes

• [Critical] Rate Limiter — isRateLimited() was returning a truthy array instead of a boolean, causing every request to return HTTP 429 Too Many Requests. All API calls were being blocked regardless of actual usage.

• [Critical] tools_endpoint URL — The manifest was pointing tool calls to the wrong controller (/api/ai-connect/v1/tools/ instead of /api/aiconnect-tools). All tool executions were silently failing with 404.

• [Critical] ?token= Auth Placement — Token query param was being checked before the auth middleware could handle it. Fixed by moving the check to the correct layer (BearerAuth).

• Fix: Duplicate Port — Info page URLs were doubling the port number when running on non-standard ports (HTTP_HOST already includes the port).

• Fix: Base URL — Info page was using the boardUrl admin option (often set to "localhost") instead of the actual request host/scheme.

• Fix: Navigation Template Variable — The conditional nav display was using $xf->options->... which caused PHP warnings; corrected to the proper template variable format.

• Fix: client_id variant aliases pre-registered on fresh install — Common variants (gemini_client, claude, claude_client, chatgpt_client) are now registered during installation so fuzzy matching works from day one.

---

Full changelog: https://github.com/chgold/xf-ai-connect/commits/main