feat: add collab tool

[sammcj]

• feat: add new experimental collab tool for cross-agent communication tracking

---

This pull request introduces a new cross-agent collaboration tool, updates documentation and environment configuration to support it, and makes minor dependency and formatting changes. The collaboration tool enables session-based message exchange between AI agents via a shared filesystem mailbox, supporting workflows like API design coordination and bug reporting across projects.

Collaboration Tool Integration

• Added new collab and collab_wait tools for cross-agent communication, including session-based message exchange with UUID addressing, file locking, atomic writes, participant name resolution, and MCP notifications for message events. (CHANGELOG.md, internal/imports/tools.go, docs/tools/collab.md) [1] [2] [3]
• Updated documentation to explain the collaboration workflow, usage scenarios, and tool actions, including example interactions and configuration options. (docs/tools/collab.md, docs/tools/overview.md) [1] [2] [3]

Configuration and Documentation Updates

• Added collab to the list of additional tools in environment variable examples and tool tables, ensuring agents can enable it via ENABLE_ADDITIONAL_TOOLS. (README.md, docs/tools/overview.md) [1] [2]
• Improved guidance for updating the changelog after non-trivial changes, specifying formatting and grouping rules. (CLAUDE.md)

Dependency and Formatting Changes

• Updated github.com/mark3labs/mcp-go dependency to v0.44.0. (go.mod)
• Minor formatting fixes to tool tables in README.md. [1] [2]

These changes collectively enable robust multi-agent coordination workflows and ensure clear documentation and configuration for users.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	golang/​github.com/​mark3labs/​mcp-go@​v0.43.2 ⏵ v0.44.0	-1

View full report

[Copilot]

Pull request overview

Adds an experimental collab / collab_wait tool to support cross-agent coordination via a shared filesystem “mailbox”, plus documentation and enablement wiring so it can be turned on via ENABLE_ADDITIONAL_TOOLS.

Changes:

• Introduces new collab and collab_wait tools with filesystem-backed sessions, messages, and optional MCP notifications.
• Wires tool registration/imports and enablement aliasing so collab_wait is enabled when collab is enabled.
• Adds docs/tests and bumps github.com/mark3labs/mcp-go to v0.44.0.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
internal/tools/collab/collab.go	Implements collab tool actions (create/join/post/check/read/list/close) and extended help.
internal/tools/collab/wait.go	Implements collab_wait polling tool.
internal/tools/collab/storage.go	Filesystem storage layer (sessions/messages, locking, atomic writes).
internal/tools/collab/types.go	Shared types and validation limits.
internal/tools/collab/notifications.go	Best-effort MCP client notification on new messages.
internal/imports/tools.go	Imports the new tool package for registration.
internal/registry/registry.go	Adds enablement alias so collab_wait is enabled when collab is enabled.
tests/tools/collab_test.go	Adds unit tests for collab + wait behaviours and filesystem permissions.
docs/tools/collab.md	Adds user documentation for the new tools and workflows.
docs/tools/overview.md	Adds collab workflow and enablement example update.
README.md	Adds collab to the additional tools table and tweaks table formatting.
go.mod / go.sum	Updates mcp-go dependency to v0.44.0.
CHANGELOG.md	Adds changelog entry for the new tool and related behaviour.
CLAUDE.md	Adds guidance about updating CHANGELOG.md.

[Copilot]

collab_wait sets baseline to the current total message count and only returns when the count increases. If the other agent has already posted messages before collab_wait starts, this will block until another message arrives (even though messages are already available). Consider accepting an optional participant name (or since_message_id) and returning immediately when there are unread messages (similar to collab action=check).

Suggested change

	baseline, err := w.storage.GetMessageCount(sessionID)
	if err != nil {
	return nil, fmt.Errorf("failed to load session: %w", err)
	}
	currentCount, err := w.storage.GetMessageCount(sessionID)
	if err != nil {
	return nil, fmt.Errorf("failed to load session: %w", err)
	}
	// By default we wait for messages newer than the current count, but allow
	// callers to specify a since_message_id to wait relative to a prior point
	// in the conversation. This ensures we do not ignore messages that were
	// already posted before collab_wait started.
	baseline := currentCount
	if rawSince, ok := args["since_message_id"]; ok && rawSince != nil {
	switch v := rawSince.(type) {
	case int:
	if v >= 0 && v <= currentCount {
	baseline = v
	}
	case int64:
	if v >= 0 && int(v) <= currentCount {
	baseline = int(v)
	}
	case float64:
	since := int(v)
	if since >= 0 && since <= currentCount {
	baseline = since
	}
	case string:
	if since, errConv := strconv.Atoi(v); errConv == nil {
	if since >= 0 && since <= currentCount {
	baseline = since
	}
	}
	}
	}

[Copilot]

maxContentLength is set to 100000, but the new tests (e.g. TestCollabTool_ContentTooLong) and docs/tools/collab.md state a 50,000 character limit. As written, posting 50,001 characters will succeed and the test will fail. Align the constant, tests, and documentation to the same limit.

Suggested change

	maxContentLength = 100000
	maxContentLength = 50000

[Copilot]

This tool performs filesystem reads/writes directly (session metadata and message files) without integrating with the security framework (e.g. security.CheckFileAccess / security.NewOperations(...).SafeFileRead/SafeFileWrite). That bypasses the repository’s access-control and content-analysis protections for file operations. Please route file IO through the security helpers (or at least check access for both final and temp paths used in atomic writes).

[Copilot]

The new CHANGELOG guidance is internally inconsistent: it says to use date +'%F %H:%M' but then gives an example ## [2026.2.71] (not a valid output format/date) and also conflicts with the dot-separated date format used in CHANGELOG.md (e.g. ## [2026.02.21]). Please pick one canonical heading format and update the example accordingly.

Suggested change

- CHANGELOG: After making anything other than minor or documentation changes update `CHANGELOG.md` to add entries under today's ## [YYYY.MM.DD] header, use date +'%F %H:%M' e.g. ## [2026.2.71]. Do NOT add version numbers. Do NOT duplicate headings or dates - simply update the existing date if today's date already exists as a heading. If the file gets over 1000 lines long, truncate the oldest releases, keep items concise, grouped under headings (Added/Changed/Fixed/Removed). Combine or update items refined within the same session.

- CHANGELOG: After making anything other than minor or documentation changes update `CHANGELOG.md` to add entries under today's ## [YYYY.MM.DD] header, use `date +'%Y.%m.%d'` e.g. `## [2026.02.21]`. Do NOT add version numbers. Do NOT duplicate headings or dates - simply update the existing date if today's date already exists as a heading. If the file gets over 1000 lines long, truncate the oldest releases, keep items concise, grouped under headings (Added/Changed/Fixed/Removed). Combine or update items refined within the same session.

[Copilot]

Pull request overview

Copilot reviewed 14 out of 15 changed files in this pull request and generated 3 comments.

[Copilot]

The CHANGELOG comment includes an example heading ## [2026.2.71], which is not a valid date and conflicts with the stated ## [YYYY.MM.DD] format. Please update the example to a valid date matching the intended heading format.

Suggested change

	<!-- AI agents: add entries under an ## [YYYY.MM.DD] header, use date +'%F %H:%M' e.g. ## [2026.2.71]. Do NOT add version numbers. Do NOT duplicate headings or dates - simply update the existing date if you're adding to it. If the file gets over 1000 lines long, truncate the oldest releases, keep items concise and leave this comment as-is-->
	<!-- AI agents: add entries under an ## [YYYY.MM.DD] header, use date +'%F %H:%M' e.g. ## [2026.02.21]. Do NOT add version numbers. Do NOT duplicate headings or dates - simply update the existing date if you're adding to it. If the file gets over 1000 lines long, truncate the oldest releases, keep items concise and leave this comment as-is-->

[Copilot]

If the caller provides a name but it fails validateParticipantName, the tool silently ignores it and falls back to baseline polling. This makes invalid input hard to diagnose and can lead to surprising behaviour. Consider returning a validation error when name is present but invalid (or at least logging a warning and documenting the fallback explicitly).

Suggested change

	}
	}
	} else {
	logger.WithFields(logrus.Fields{
	"session_id": sessionID,
	"name": name,
	}).Warn("collab_wait received invalid participant name")
	return nil, fmt.Errorf("invalid participant name %q: %w", name, valErr)

[Copilot]

check currently falls back to participant = "" when name is invalid, which then causes sinceID to remain 0 and returns all messages. This can be unexpectedly heavy and is likely not what the caller intended. Consider returning an error for invalid participant names (and/or for names that are not joined to the session) rather than treating it as an anonymous read-all.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 17 changed files in this pull request and generated 4 comments.

[Copilot]

The parameter _ int (message ID) is named but unused. Consider removing the parameter name to make it clear it's intentionally ignored, or use the message ID in the notification data for better traceability.

[Copilot]

The response includes session_id which was provided as input by the agent. According to the coding guidelines, tool responses should avoid returning information that the agent already provided. Consider removing this field from responses where the session_id was required as input (postResponse, checkResponse, readResponse, closeResponse, waitResponse). The session context should be clear from the request.

[Copilot]

The description change from "2-4 concise sentences" to "1-3 concise sentences" makes the think tool more concise, which aligns with the coding guidelines for token efficiency. However, this is a breaking change in behavior that could affect existing workflows. Consider whether this change should be documented in the CHANGELOG.

[Copilot]

The tool description is approximately 550 characters, which exceeds the guideline of <200 characters for tool descriptions. Consider condensing the description to focus on what the tool does, moving workflow details to the Extended Help. For example: "Session-based message exchange between AI agents via shared filesystem. Enables coordination across related projects with structured messages (feature requests, bug reports, API changes, etc.)."