feat(permissions): round out basic-usage for normal members #3654

Merged: viktormarinho merged 1 commit into main from feat/basic-usage-round-out, Jun 2, 2026
viktormarinho (Contributor) commented Jun 2, 2026

Summary

Prerequisite for the planned capstone of removing "user" from the BUILTIN_ROLES bypass. Today the built-in user role bypasses all permission checks, so UI gating only truly bites custom roles. Once user is enforced, a normal member gets only basic-usage server-side — so basic-usage must cover everything a non-admin legitimately does first.

I traced every non-admin flow (chat, app-shell boot, viewing agents/connections, inbox, tasks, profile/preferences, global search, file picker, credits banner) to its MCP tool calls and found read/essential tools that work today only via the user-role bypass. This adds them to the basic-usage capability.

Added tools

| Tool | Flow | Why safe |
| --- | --- | --- |
| ORGANIZATION_SETTINGS_GET | App-shell boot (Suspense) + home | readOnlyHint; UI config only (sidebar, plugins, model tiers) — no secrets |
| USER_GET | "Created by" on agent/automation detail | readOnlyHint; handler scopes to shared-org members; returns public profile |
| LINK_CURRENT_GET | Header desktop indicator (polled), home, chat | Read; caller's own link status |
| BRAND_CONTEXT_LIST | Chat no-provider empty state branding | Read; org branding, no secrets |
| AI_PROVIDER_TOPUP_URL | Chat credits-exhausted banner "Top up" | Returns a checkout URL; lets any member self-serve credits |
| FILE_OBJECTS_LIST | File picker in sandbox/content editor | Lists object keys only — no credentials |

Verified each tool's read-only-ness / output schema before adding. Write/management tools (CREATE/UPDATE/DELETE, provisioning, member/tag management, monitoring) were confirmed to be called only by gated admin UI and were left gated.

Notes

  • Runtime-grant model: one-line edit to the basic-usage capability, no role-backfill migration (see BASIC_USAGE_TOOLS docs in registry-metadata.ts).
  • The user-role enforcement flip itself is a separate follow-up — not in this PR.

Testing

  • bun run check
  • bun run lint ✅ (0 warnings, 0 errors)
  • bun run knip ✅ (no findings)
  • bun run fmt

No test added: per TESTING.md this is a one-line declarative capability change with no logic to unit-test, and adding a brittle snapshot of the set would not be meaningful.

🤖 Generated with Claude Code


Summary by cubic

Expands basic-usage permissions to include essential read-only tools normal members use, so enforcing the built-in user role won’t break core flows. Covers app shell boot, chat branding and credits, file picker, and user display info.

  • New Features

    • ORGANIZATION_SETTINGS_GET — app shell config; read-only.
    • USER_GET — member display info; org-scoped; read-only.
    • LINK_CURRENT_GET — your desktop link status; read-only.
    • BRAND_CONTEXT_LIST — org branding for chat empty state; read-only.
    • AI_PROVIDER_TOPUP_URL — checkout URL for self-serve credits.
    • FILE_OBJECTS_LIST — list object keys for the file picker; no secrets.
  • Migration

    • No data migration; runtime capability update in apps/mesh/src/tools/registry-metadata.ts.
    • Admin write/manage tools remain gated. The user role enforcement flip will be a follow-up.

Written for commit b77e0f4. Summary will update on new commits.


Audit of every non-admin member flow (app-shell boot, chat, viewing
agents/connections, file picker, credits banner) surfaced read/essential
tools reachable today only via the built-in `user` role bypass. Add them
to the basic-usage capability so the planned `user` enforcement flip
doesn't break normal members:

- ORGANIZATION_SETTINGS_GET — loaded via Suspense on every member's first
  paint (sidebar, plugins, model tiers); read-only, no secrets.
- USER_GET — resolves member display ("created by"); shared-org scoped.
- LINK_CURRENT_GET — caller's own desktop-link status (header poll).
- BRAND_CONTEXT_LIST — org branding for the chat empty state.
- AI_PROVIDER_TOPUP_URL — checkout link in the chat credits banner.
- FILE_OBJECTS_LIST — file picker in the sandbox/content editor.

Runtime-grant model: one-line edit, no role-backfill migration.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
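
The enforcement flip this PR prepares for can be checked mechanically. The following is an added example, not code from the repository: it models the role bypass and the basic-usage grant, then reports which member flows would lose a tool if "user" left the bypass before versus after these six additions. The "admin" role, the EXAMPLE_* tool name and all function and variable names are assumptions.

```typescript
// Added example, not repository code. Only the six tool names, "basic-usage",
// "user" and BUILTIN_ROLES come from the PR; the "admin" role, the EXAMPLE_*
// tool and every function/variable name here are hypothetical.
interface AccessModel {
  bypassRoles: ReadonlySet<string>; // roles that skip every permission check
  basicUsage: ReadonlySet<string>;  // tools granted to any member at runtime
}

function canCall(model: AccessModel, role: string, tool: string): boolean {
  return model.bypassRoles.has(role) || model.basicUsage.has(tool);
}

// Flow -> tool calls, following the PR's "Added tools" table, plus one
// constructed tool that stands in for whatever basic-usage already covered.
const MEMBER_FLOWS: Record<string, string[]> = {
  "app-shell boot": ["ORGANIZATION_SETTINGS_GET", "EXAMPLE_ALREADY_GRANTED"],
  "agent detail": ["USER_GET"],
  "header desktop indicator": ["LINK_CURRENT_GET"],
  "chat empty state": ["BRAND_CONTEXT_LIST"],
  "chat credits banner": ["AI_PROVIDER_TOPUP_URL"],
  "file picker": ["FILE_OBJECTS_LIST"],
};

// Tools `role` can call under `before` but not under `after`, with the flows that break.
function regressions(before: AccessModel, after: AccessModel, role: string): Map<string, string[]> {
  const broken = new Map<string, string[]>();
  for (const flow of Object.keys(MEMBER_FLOWS)) {
    for (const tool of MEMBER_FLOWS[flow]) {
      if (canCall(before, role, tool) && !canCall(after, role, tool)) {
        broken.set(tool, (broken.get(tool) ?? []).concat(flow));
      }
    }
  }
  return broken;
}

const ADDED = ["ORGANIZATION_SETTINGS_GET", "USER_GET", "LINK_CURRENT_GET",
  "BRAND_CONTEXT_LIST", "AI_PROVIDER_TOPUP_URL", "FILE_OBJECTS_LIST"];
const OLD_BASIC = new Set<string>(["EXAMPLE_ALREADY_GRANTED"]); // constructed
const NEW_BASIC = new Set<string>(Array.from(OLD_BASIC).concat(ADDED));

const today: AccessModel = { bypassRoles: new Set(["admin", "user"]), basicUsage: OLD_BASIC };
const flipOnly: AccessModel = { bypassRoles: new Set(["admin"]), basicUsage: OLD_BASIC };
const flipAfterPr: AccessModel = { bypassRoles: new Set(["admin"]), basicUsage: NEW_BASIC };

console.log("flip without this PR breaks:", Array.from(regressions(today, flipOnly, "user").keys()));
console.log("flip after this PR breaks:", Array.from(regressions(today, flipAfterPr, "user").keys()));
```

The same comparison works as a pre-flip gate: feed it the real flow-to-tool mapping and fail the build when the result is non-empty.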

github-actions (bot, Contributor) commented Jun 2, 2026

🧪 Benchmark

Should we run the Virtual MCP strategy benchmark for this PR?

React with 👍 to run the benchmark.

| Reaction | Action |
| --- | --- |
| 👍 | Run quick benchmark (10 & 128 tools) |

Benchmark will run on the next push after you react.

github-actions (bot, Contributor) commented Jun 2, 2026

Release Options

Suggested: Minor (2.386.0) — based on feat: prefix

React with an emoji to override the release type:

| Reaction | Type | Next Version |
| --- | --- | --- |
| 👍 | Prerelease | 2.385.3-alpha.1 |
| 🎉 | Patch | 2.385.3 |
| ❤️ | Minor | 2.386.0 |
| 🚀 | Major | 3.0.0 |

Current version: 2.385.2

Note: If multiple reactions exist, the smallest bump wins. If no reactions, the suggested bump is used (default: patch).

viktormarinho enabled auto-merge (squash) June 2, 2026 19:30

cubic-dev-ai (bot, Contributor) left a comment

No issues found across 1 file

viktormarinho merged commit 24125a4 into main Jun 2, 2026 (19 checks passed)

viktormarinho deleted the feat/basic-usage-round-out branch June 2, 2026 19:34