feat(agents): explicit MCP-tools listing for vercel-preview-auditor + ci-triage-engineer

[dackclup]

Summary

Surfaced by the post-PR-#225 live-fire of the three new sub-agents on 2026-05-23 (session 4):

• ⚠️ vercel-preview-auditor returned a clean WAIT (MCP access gap — not a deployment failure) verdict — could not reach Vercel MCP tools at all.
• ⚠️ ci-triage-engineer worked around the same gap by falling back to git history + the squash-merge commit body (correct fallback discipline) but hit GitHub API rate-limits on the unauthenticated fallback.
• ✅ literature-searcher worked correctly (its tools: already lists WebSearch, WebFetch explicitly — that's why it worked).

Root cause: the Claude Code sub-agent runtime does NOT auto-inherit MCP tools from the parent session. Each sub-agent is restricted to the tools listed in its tools: frontmatter field; MCP tools must be enumerated by full name (mcp__<server>__<tool>). The original two agents both described themselves as MCP-driven but their tools: field only listed Read, Bash, Grep, Glob.

Two-part fix

(a) tools: frontmatter extended on both agents

Agent	Added MCP tools
vercel-preview-auditor	7 Vercel MCP (mcp__0addee55-...__*): list_deployments · get_deployment · get_deployment_build_logs · get_runtime_logs · web_fetch_vercel_url · get_project · list_projects
ci-triage-engineer	6 GitHub MCP (mcp__github__*): pull_request_read · list_pull_requests · list_commits · get_commit · search_pull_requests · search_code

(b) Hard-constraint bullets for MCP-access-gap failure mode

Agent	New constraint
vercel-preview-auditor	If Vercel MCP tools NOT in context → surface as WAIT (MCP access gap — not a deployment failure) + escalate to main agent. Do NOT fabricate deployment status. (Vercel UUID is OAuth-connection-specific → a fresh clone by a different user would have a different UUID + this pinned frontmatter would silently fail to match → escalation path keeps agent useful in that scenario.)
ci-triage-engineer	If GitHub MCP unavailable → may fall back to local git history (squash-merge commit body, refs) as primary evidence — but MUST explicitly cite the access gap in the report; never fabricate check-run IDs or log URLs. The fallback is acceptable when local primary evidence is authoritative; not acceptable when the failure mode requires the actual log.

Docs

• CLAUDE.md §Gotchas — new bullet documenting the sub-agent MCP inheritance limitation; calls out the GitHub stable-namespace (mcp__github__*) vs OAuth-UUID-based connector distinction so future agent authors don't repeat the gap.
• CLAUDE.md §Phase status — new in-flight entry for this PR + reworded 2 stale in flight (this PR) headers from PR docs+agent: post-Dependabot-wave doc fixes (W1 FORM4_FETCH_SKIP + W3 literature-searcher injection guard) #226 (Dependabot triage) + PR test(form4_signals): PR-#224 review-nit polish — 2 of 3 quantrank-reviewer WARNs land #227 (review-nit polish) to merged via PR #N for post-merge accuracy.
• AGENTS.md §Phase + version state — mirrored in-flight entry + same PR test(form4_signals): PR-#224 review-nit polish — 2 of 3 quantrank-reviewer WARNs land #227 stale-header reword. Cross-tool note that the underlying limitation is Claude-Code-runtime-specific (not relevant to Copilot / Cursor / Devin).

Files touched

File	Δ
.claude/agents/vercel-preview-auditor.md	+12 / −1 (frontmatter + hard-constraint)
.claude/agents/ci-triage-engineer.md	+13 / −1 (frontmatter + hard-constraint)
CLAUDE.md	+50 / −4 (§Gotchas + §Phase status)
AGENTS.md	+27 / −2 (§Phase + version state)

Doc-only — no compute / schema / scoring / valuation / frontend / Python / TS production-code change. Tests unchanged. ruff trivially passes.

Test plan

• Edits made + git diff --stat confirms 4 files / +105 −8
• No code surface → ruff / schema_check / pytest trivially unaffected
• Frontend (build) CI green (doc-only)
• Python (lint + test) CI green (doc-only)
• Vercel preview deploys green
• docs-reviewer substance check before flipping to Ready
• After CI green + reviewer pass → flip Draft → Ready

Verification (post-merge follow-up)

A second live-fire of vercel-preview-auditor after this merges should confirm:

1. The sub-agent now sees the 7 Vercel MCP tools in its context
2. list_deployments returns the actual deployment list
3. The 3-route UA probe completes without escalation

If the UUID 0addee55-c9d7-44a2-b1b2-355b2d3fc4fd does NOT match this Claude installation's actual Vercel MCP server registration, the new hard-constraint will trigger the WAIT escalation — keeping the regression visible.

Out of scope (follow-ups)

• Pattern-check the other 16 agents for similar MCP-tool gaps (none of them describe themselves as MCP-wrapper agents, but a sweep would catch any that quietly call MCP tools through Bash gh shells)
• Fix feat(phase-1): universe + prices + momentum stub #3 (_FOOTNOTES_REQUIRED_ATTRS extension) — still needs @network verify
• W2 (compute-rankings.yml workflow-perm narrowing) + W4 (log-bash.sh scrub) — low-priority deferred security WARNs

https://claude.ai/code/session_01JwntEE4PNAXSMkZxRA9BB4

---

Generated by Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
quantrank	Ready	Preview, Comment	May 24, 2026 2:55am