Added
- API Tokens: optional per-module permission scopes. An admin can restrict a token to individual modules and access levels (
<module>:read/<module>:write, where write implies read) instead of granting the creator's full access. This matters most for tokens handed to an off-device AI/MCP client — for example a token that may write the calendar but can never read the health module. Tokens created without scopes keep full role-based access, so existing tokens are unaffected.
Security
- API Tokens: scoped tokens are enforced across both the REST API and the MCP endpoint. A scoped token can only reach modules on its allow-list — every other
/api/v1path is denied,tools/listhides MCP tools the token cannot use, out-of-scopetools/callis refused, and the OpenAPI bridge inherits the same limits because it loops back through the REST layer with the same token.