AI Connect for XenForo - WebMCP Bridge 1.2.26

Version 1.2.26 — Permission system overhaul, Admin CP visual improvements, and critical bug fixes.

Critical Fixes

• Fixed: allowUnauthenticatedRequest must be public — PHP fatal error on every tool API call. The method visibility was protected instead of public, causing a crash when XenForo's API framework invoked it.
• Fixed: Missing permissions after upgrade — useTools and viewAiConnect could silently disappear from the database after an addon upgrade or manual admin panel reset. The installer now restores missing or "unset" critical permissions on every upgrade while preserving explicit admin choices (Allow/Deny).

New Features

• Three-state permission greying in Admin CP — The permission editor now shows three visual states for per-tool permissions:
  • Allow — normal (white, interactive)
  • Not Set — dimmed (60% opacity, help cursor, tooltip: "No effect while master switch is Not Set")
  • Never — disabled (35% opacity, clicks blocked, tooltip: "Blocked by Never")
  This helps administrators understand that setting tool permissions has no effect unless the master switch (useTools) is set to Allow.
  
• Info page permission-aware display — The /ai-connect page now shows context-appropriate messages instead of a generic 403 error:
  • Users with useTools: full page with Generate Token button
  • Logged-in without permission: page with "You do not have permission" message
  • Anonymous (toggle ON): page with "Log in to generate a token" link
  • Anonymous (toggle OFF): standard 403
• Permission descriptions in Admin CP — viewAiConnect now shows an explanatory note: "Controls visibility for guests only. Requires the navigation toggle to be enabled."

Permission Logic Changes

• Navigation link: Anonymous users see the link when aiconnect_nav_top is ON + viewAiConnect = Allow. Logged-in users need useTools permission.
• Info page access: Logged-in users always reach the page (template handles the message). Anonymous users are gated by the navigation toggle.
• Token generator + OAuth section: Only shown to users with useTools permission.

Upgrade Notes

• Standard addon upgrade: php cmd.php xf:addon-upgrade chgold/AIConnect
• If you previously had permission issues (403 on info page, missing nav link), this version auto-repairs the default permissions on upgrade.
• Clear browser cache to see the updated Admin CP permission greying (JS change).

Full changelog and source: GitHub | Documentation

Re-uploading v1.2.21 as a direct file attachment. Functionality is identical to the previous release — no code changes.

### Version 1.2.21 — 2026-04-14
* Fixed: Users with useTools = Never can no longer access the AI Connect info page or generate tokens

### Version 1.2.20 — 2026-04-14
* Fixed: Navigation link and footer icon are now automatically hidden for users/groups with useTools = Never

### Version 1.2.19 — 2026-04-14

• Fixed: Admin CP permission greying now works on fresh installs — switched to direct click listeners matching XenForo's own PermissionChoice approach
• Fixed: js/chgold/aiconnect/admin-permissions.js was missing from the release ZIP on fresh installs (added build.json with additional_files)

### Version 1.2.18 — 2026-04-14
* Fixed: PRO tool phrases were incorrectly stored under the free addon's addon_id, causing XenForo phrase validation errors (a-z, A-Z, 0-9, _ only) on fresh installs of external sites

### Version 1.2.17 — 2026-04-14

• Added: Generic prompt metadata system — each module declares its own getToolPromptMeta() so future tools appear automatically in the personalised prompt
• Improved: buildPersonalizedPrompt() collects tool hints and URL examples from modules at runtime instead of a hardcoded table

### Version 1.2.16 — 2026-04-14

• Security: allowUnauthenticatedAccess() returning false added to the Tools API controller — unauthenticated tool execution is now explicitly blocked at the framework level
• Fixed: Admin CP permission JS file path corrected to js/chgold/aiconnect/admin-permissions.js per XenForo static file conventions

### Version 1.2.15 — 2026-04-13
* Added: Admin CP visual permission UI — per-tool rows grey out automatically when useTools is set to Never, matching XenForo's native depend_permission_id behaviour

### Version 1.2.14 — 2026-04-13

• Added: Permission-aware manifest — authenticated requests to /api/aiconnect-manifest return only tools the token owner can use; anonymous requests return the full list for discovery
• Added: Permission-aware prompt generator — /ai-connect/generate-token returns a personalised prompt filtered to accessible tools

### Version 1.2.13 — 2026-04-12

• Added: Full 3-tier permission system: viewAiConnect, useTools (master switch), per-package (use_package_{id}), per-tool (tool_{module}_{tool})
• Added: Two Admin CP permission interface groups: AI Connect and AI Connect — Tools
• Added: syncToolPermissions() and syncPackagePermissions() — auto-registered on install/upgrade; third-party addons can hook in via ai_connect_sync_tool_permissions

### Version 1.2.10–1.2.12 — 2026-04-12

• Added: viewNavLink permission for controlling navigation link visibility per user group
• Added: Session-based OAuth flow (/api/aiconnect-oauth/start + /api/aiconnect-oauth/poll)
• Fixed: Footer template uses link() and base_url() instead of hardcoded paths

This release covers all changes since v1.1.9 — a large update with new features, major improvements, and several important bug fixes.

---

New Features

• AI Connect Info Page (/ai-connect/) — A public page on your forum showing the manifest URL, OAuth authorize URL, and step-by-step instructions for connecting AI agents. Visitors see a clean landing page; logged-in users get a ready-to-paste prompt.

• Token Generator (/ai-connect/generate-token) — Logged-in forum members can generate a Bearer token in one click via the info page, no OAuth flow required. Useful for personal API access.

• Translation Provider Admin Setting — Choose between AI Self-Translate (default, no external API), MyMemory API (~5,000 chars/day free tier), or Disabled. Configurable under Admin CP → Options → AI Connect.

• Footer Icon & Navigation Entry — AI Connect icon appears in the forum footer (next to RSS) and optionally in the top navigation bar. Both default to on; configurable in Admin CP.

• ?token= Query Parameter Auth — AI agents that can't set HTTP headers (e.g. web-based agents using URL fetching) can now authenticate via ?token=YOUR_TOKEN in the URL. Authorization: Bearer header takes priority when present.

• Claude Desktop / webmcp-client Setup — Built-in instructions in the info page and README for connecting via the webmcp-client npm package.

---

Improvements

• Universal Tool Schemas (v1.2.0) — Date filters now accept natural language ("today", "yesterday", "1week", "1month"), dynamic durations ("3d", "6h", "2w"), ISO dates ("2026-03-15"), or "all" for full history. Tools also now accept username and user_id filters, and translation uses standard ISO language codes.

• until= Date Filter (v1.2.2) — Closed time windows: combine since= and until= to search within a specific date range (e.g. since=1week&until=yesterday).

• Fuzzy client_id Matching — Supports common AI client variants: gemini_client, claude_ai, chatgpt_client, openai, google, etc. All resolve to the correct registered client automatically.

• Registered Clients in Manifest — The manifest now exposes the list of registered client IDs, so AI agents can discover the correct client_id to use without guessing.

• Improved AI Agent Prompts — The info page and generated token prompts include better documentation: tool examples, date filter syntax, username search, MCP connection instructions.

---

Bug Fixes

• [Critical] Rate Limiter — isRateLimited() was returning a truthy array instead of a boolean, causing every request to return HTTP 429 Too Many Requests. All API calls were being blocked regardless of actual usage.

• [Critical] tools_endpoint URL — The manifest was pointing tool calls to the wrong controller (/api/ai-connect/v1/tools/ instead of /api/aiconnect-tools). All tool executions were silently failing with 404.

• [Critical] ?token= Auth Placement — Token query param was being checked before the auth middleware could handle it. Fixed by moving the check to the correct layer (BearerAuth).

• Fix: Duplicate Port — Info page URLs were doubling the port number when running on non-standard ports (HTTP_HOST already includes the port).

• Fix: Base URL — Info page was using the boardUrl admin option (often set to "localhost") instead of the actual request host/scheme.

• Fix: Navigation Template Variable — The conditional nav display was using $xf->options->... which caused PHP warnings; corrected to the proper template variable format.

• Fix: client_id variant aliases pre-registered on fresh install — Common variants (gemini_client, claude, claude_client, chatgpt_client) are now registered during installation so fuzzy matching works from day one.

---

Full changelog: https://github.com/chgold/xf-ai-connect/commits/main