feat: align CLI to MCP-first surface and manifest-scoped release gate

Author: seanphan

.github/workflows/release-node.yaml

@@ -40,6 +40,14 @@ jobs:
         run: |
           bash scripts/release_readiness.sh --skip-tests --skip-node
 
+      - name: Run live 71-op release gate
+        if: ${{ secrets.AGENTICFLOW_PUBLIC_API_KEY != '' }}
+        env:
+          AGENTICFLOW_PUBLIC_API_KEY: ${{ secrets.AGENTICFLOW_PUBLIC_API_KEY }}
+          NEXT_PUBLIC_BASE_API_URL: ${{ secrets.AGENTICFLOW_BASE_URL }}
+        run: |
+          bash scripts/release_readiness.sh --skip-tests --skip-node --live-ops-gate
+
       - name: Setup Node
         uses: actions/setup-node@v4
         with:

.github/workflows/release-python.yaml

@@ -55,6 +55,14 @@ jobs:
         run: |
           bash scripts/release_readiness.sh --skip-node
 
+      - name: Run live 71-op release gate
+        if: ${{ secrets.AGENTICFLOW_PUBLIC_API_KEY != '' }}
+        env:
+          AGENTICFLOW_PUBLIC_API_KEY: ${{ secrets.AGENTICFLOW_PUBLIC_API_KEY }}
+          NEXT_PUBLIC_BASE_API_URL: ${{ secrets.AGENTICFLOW_BASE_URL }}
+        run: |
+          bash scripts/release_readiness.sh --skip-tests --skip-node --live-ops-gate
+
       - name: Install build tooling
         run: |
           python -m pip install --upgrade pip

README.md

@@ -31,23 +31,26 @@ This CLI should be documented against the bundled curated snapshot only.
 
 High-level commands in this section are SDK-driven. `call` is the only raw transport command that executes an operation directly from the loaded OpenAPI catalog.
 
+`public_ops_manifest.json` is MCP-first and policy-lean:
+
+- 26 operations total
+- 18 `supported-executed` (safe/read/query/public wrapper)
+- 8 `supported-blocked-policy` (known side-effectful or risky flows kept for intent visibility only)
+
 - Supported by snapshot-backed commands:
   - `catalog export --public-only --json`
   - `ops list --public-only`
   - `call --method GET --path /v1/health --dry-run`
   - `call --operation-id get_nodetype_models_v1_node_types__get --dry-run`
-  - `workflow create --workspace-id <workspace_id> --body @workflow.json --dry-run`
+  - `workflow list --workspace-id <workspace_id> --dry-run`
   - `workflow get --workflow-id <id> --dry-run`
-  - `workflow update --workspace-id <workspace_id> --workflow-id <id> --body @workflow-update.json --dry-run`
-  - `workflow run --workflow-id <id> --input '{}' --dry-run`
-  - `workflow run-status --workflow-run-id <id> --dry-run`
   - `workflow validate --body '{\"nodes\":[]}' --dry-run`
-  - `agent create --body @agent.json --dry-run`
+  - `workflow run-status --workflow-run-id <id> --dry-run`
   - `agent get --agent-id <id> --dry-run`
-  - `agent update --agent-id <id> --body @agent-update.json --dry-run`
-  - `agent stream --agent-id <id> --body '{\"messages\":[]}' --dry-run`
-  - `node-types dynamic-options --name <node_type> --field-name <field> --project-id <project_id> --input-config '{}' --dry-run`
+  - `node-types list --project-id <project_id> --dry-run`
   - `connections list --workspace-id <workspace_id> --project-id <project_id> --dry-run`
+  - `get_nodetype_models_v1_node_types__get` and `get_anonymous_messages_v1_agent_threads_anonymous__thread_id__messages_get` are available as anonymous MCP discovery/ops through `call`.
+  - `node-types dynamic-options` and workflow `create/run` are intentionally in `supported-blocked-policy` and must be blocked in automated coverage by default.
 
 Admin/internal endpoints are intentionally not included in the bundled snapshot.
 
@@ -116,14 +119,9 @@ Compatibility note:
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py catalog export --public-only --json`
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py call --method GET --path /v1/health --dry-run`
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py ops show get_workflow_model_v1_workflows__workflow_id__get`
-- `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py workflow create --workspace-id ws_demo --body '{\"name\":\"demo\",\"nodes\":[],\"output_mapping\":{},\"input_schema\":{},\"project_id\":\"proj_demo\"}' --dry-run`
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py workflow get --workflow-id wf_demo --dry-run`
-- `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py workflow run --workflow-id wf_demo --input '{}' --dry-run`
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py workflow validate --body '{\"nodes\":[]}' --dry-run`
-- `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py agent create --body '{\"name\":\"demo\",\"tools\":[],\"project_id\":\"proj_demo\"}' --dry-run`
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py agent get --agent-id ag_demo --dry-run`
-- `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py agent stream --agent-id ag_demo --body '{\"messages\":[]}' --dry-run`
-- `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py node-types dynamic-options --name google-drive --field-name folder --project-id proj_demo --input-config '{}' --dry-run`
 - `PYTHONPATH=. .venv/bin/python scripts/agenticflow_cli.py connections list --workspace-id ws_demo --project-id proj_demo --dry-run`
 
 ## Release Readiness Gate
@@ -136,6 +134,14 @@ bash scripts/release_readiness.sh
 
 This validates operation-id mappings, runs unit tests, executes CLI dry-run smoke checks, and verifies the Node wrapper.
 
+Optional live API coverage gate (26-op MCP-first public scope) with real key:
+
+```bash
+bash scripts/release_readiness.sh --live-ops-gate --env-file /path/to/.env
+```
+
+Release workflows (`release-python`, `release-node`) run this live gate automatically when GitHub secret `AGENTICFLOW_PUBLIC_API_KEY` is configured (optional `AGENTICFLOW_BASE_URL` for custom base URL).
+
 ## Unattended Minion Flow
 
 This repository includes a tmux-based one-shot multi-agent workflow for `gpt-5.3-codex-spark`.

docs/cli_secured_ops_baseline.md

@@ -2,78 +2,59 @@
 
 ## OpenAPI comparison
 
-- `agenticflow-cli/openapi.json` (before): `59` operations, all no-security/public.
+- `agenticflow-cli/openapi.json`: `71` operations total (`59` no-security/public, `12` authenticated).
 - `WorkflowChef-Web/openapi.json`: `407` operations total (`59` no-security/public, `348` secured).
 
 ## Baseline decision
 
-Use a curated bundled snapshot:
+Expose a MCP-first curated snapshot in `public_ops_manifest.json`:
 
-- Keep the existing `59` no-security/public operations.
-- Add authenticated operations required by current CLI wrappers.
-- Exclude admin/internal endpoints from the bundled snapshot.
+- Keep discovery-first and agent-operator workflows that are UI-equivalent and operationally useful.
+- Exclude legacy/noisy entries unless the CLI intentionally surfaces them.
+- Keep side-effectful MCP runtime helpers visible but blocked in automated policy.
 
 ## Declared public API vs CLI-supported coverage baseline
 
-- **Declared public API** is the bundled snapshot contract:
-  - `71` operations total (`59` public/no-security + `12` authenticated wrapper-backed operations).
-  - Exposed through `catalog`/`ops` and reflected in CLI command docs.
-- **CLI-supported coverage baseline** is the same operation set, with one `support_scope` per operation used by harness and release review.
+- Declared public API is the MCP-first snapshot contract (`src/agenticflow_cli/public_ops_manifest.json`).
+- CLI-supported coverage baseline is the same snapshot, with support classification applied per operation.
 
-## Support matrix (single source of truth)
+## MCP-first manifest scope
 
-The support scope baseline is stored in `src/agenticflow_cli/public_ops_manifest.json` on each operation record:
+Current manifest counts:
 
-- `support_scope`: one of `executed`, `blocked-by-policy`, or `unsupported/out-of-scope`.
-- `support_rationale`: operator-facing reason this operation is in its class.
+- `33` operations total.
+- `21` `supported-executed`.
+- `12` `supported-blocked-policy`.
+- `0` `unsupported/out-of-scope`.
 
-Current baseline totals:
+## Support matrix
 
-- `34` `executed`
-- `17` `blocked-by-policy`
-- `20` `unsupported/out-of-scope`
+The support scope in each manifest row is one of two values:
 
-Policy semantics:
+- `supported-executed`: safe read/query/validation/public-wrapper operations that are executed in coverage and release smoke.
+- `supported-blocked-policy`: command intent exists, but execution is intentionally blocked in automated coverage for safety/policy reasons.
 
-- `executed`: safe read/query/validation/public wrappers that coverage attempts as live API calls.
-- `blocked-by-policy`: command intent exists, but execution is intentionally blocked in harness for safety/policy.
-- `unsupported/out-of-scope`: intentionally not part of the CLI-supported public surface (internal, unsupported workflow, or unimplemented wrapper contract).
+## Release interpretation
 
-## Release interpretation of support rows
+- `supported-executed`: release as supported behavior; these operations are expected to remain runnable in public smoke.
+- `supported-blocked-policy`: include as high-value, command-intent-backed surface area, but gate execution in automated coverage and runbooks.
+- `unsupported/out-of-scope`: not included in this manifest unless a command family later requires explicit declaration.
 
-- `executed`: release as supported/available behavior. These operations are expected to remain runnable in public smoke checks.
-- `blocked-by-policy`: keep listed as “declared public API, unavailable by policy” in release notes and include policy rationale.
-- `unsupported/out-of-scope`: do not promote as supported features; these are intentionally outside the CLI contract even if visible in discovery.
+## Representative MCP-first authenticated operations still declared
 
-## Added authenticated operation IDs
-
-- `create_workflow_model_v1_workspaces__workspace_id__workflows_post`
+- `get_by_id_v1_agents__agent_id__get`
 - `get_workflow_model_v1_workflows__workflow_id__get`
-- `update_workflow_model_v1_workspaces__workspace_id__workflows__workflow_id__put`
-- `create_workflow_run_model_v1_workflow_runs__post`
 - `get_workflow_run_model_v1_workflow_runs__workflow_run_id__get`
-- `create_v1_agents__post`
-- `get_by_id_v1_agents__agent_id__get`
-- `update_v1_agents__agent_id__put`
-- `ai_sdk_stream_v2_v1_agents__agent_id__stream_post`
-- `get_dynamic_options_v1_node_types_name__node_type_name__dynamic_options_post`
-- `get_app_connections_v1_workspaces__workspace_id__app_connections__get`
-- `get_app_connection_categories_v1_workspaces__workspace_id__app_connections_categories_get`
-
-## Resulting bundled snapshot
-
-- `71` operations total.
-- `59` no-security/public operations.
-- `12` authenticated operations.
-
-## Commanding model
-
-High-level command families (`workflow`, `agent`, `node-types`, `connections`) are thin wrappers over `agenticflow_sdk` methods and use the operation IDs above in a UX-oriented form.  
-`call` is the raw OpenAPI command (`--operation-id` or `--method` + `--path`) and bypasses the high-level wrappers.
-
-## Runtime behavior
-
-- Commands with both anonymous and authenticated variants (`workflow get/run/run-status`, `agent get/stream`) now choose:
-  - authenticated operation when `AGENTICFLOW_PUBLIC_API_KEY` is present,
-  - anonymous operation when key is absent.
-- Lifecycle and workspace commands (`workflow create/update`, `agent create/update`, `node-types dynamic-options`, `connections list/categories`) now use authenticated operation IDs.
+- `validate_create_workflow_model_v1_workflows_utils_validate_create_workflow_model_post`
+- `get_nodetype_models_v1_node_types__get`
+- `get_nodetype_model_by_name_v1_node_types_name__name__get`
+- `get_dynamic_options_v1_node_types_name__node_type_name__dynamic_options_post` (blocked)
+- `get_supported_node_types_v1_workspaces__workspace_id__workforce_node_types_get`
+- `get_providers_v1_model_providers__get`
+- `get_anonymous...`, `get_agent_thread...`, and anonymous workflow/read telemetry rows for MCP runtime flows.
+
+## Runtime behavior contract
+
+- Declared entries are the MCP-first baseline in this repo.
+- Unsupported/out-of-scope rows are omitted by default so the catalog/policy surface is intentionally quieter.
+- Side-effectful operations remain discoverable in manifest and docs only when policy says blocked.