chore: auto-sync OpenAPI source to Gram (no manual uploads)

[tofikwest]

Why

Manually uploading the OpenAPI spec into Gram every time is an anti-pattern. This makes the hosted MCP's source auto-sync with the API.

What

• gram.json — declarative Gram deployment pointing at the clean public spec (packages/docs/openapi.json, which has the deny-list applied — not the raw /api/docs-json).
• .github/workflows/gram-sync.yml — runs gram push whenever packages/docs/openapi.json (or gram.json) changes on main, plus manual workflow_dispatch. New/changed endpoints flow into the hosted MCP automatically.

One-time setup required (then fully hands-off)

1. In Gram → Settings → API Keys, create a provider-scoped API key.
2. Add two GitHub repo secrets:
   • GRAM_API_KEY = that key
   • GRAM_PROJECT = your Gram project slug
3. After merge, run the workflow once via Actions → "Sync MCP source to Gram" → Run workflow to push the first time.

Note

First workflow_dispatch run validates the CLI install/flags — if gram isn't found (PATH) or a flag needs adjusting, it's a one-line fix (normal CLI bring-up).

🤖 Generated with Claude Code

---

Summary by cubic

Automates syncing the hosted MCP in Gram with the clean public OpenAPI spec. Removes manual uploads by pushing updates from packages/docs/openapi.json via CI.

• New Features

  • Added gram.json pointing to packages/docs/openapi.json (clean spec).
  • Added .github/workflows/gram-sync.yml to run gram push on changes or manual dispatch; exports GRAM_ORG and GRAM_PROJECT; sets least-privilege permissions: contents: read.

• Migration

  • Create a provider-scoped API key in Gram and add the GRAM_API_KEY repo secret.
  • If needed, update GRAM_ORG/GRAM_PROJECT in the workflow, then run “Sync MCP source to Gram” once to seed.

^{Written for commit e53e2af. Summary will update on new commits.}

Review in cubic

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
app	Ready	Preview, Comment	May 29, 2026 1:19am
comp-framework-editor	Ready	Preview, Comment	May 29, 2026 1:19am
portal	Ready	Preview, Comment	May 29, 2026 1:19am

[cubic-dev-ai]

1 issue found across 2 files

Confidence score: 4/5

• This PR is likely safe to merge, with one moderate security-hardening gap rather than a functional regression risk.
• In .github/workflows/gram-sync.yml, the missing explicit permissions block can leave GITHUB_TOKEN with broader default access (often write), which increases blast radius if the workflow or dependencies are compromised.
• Pay close attention to .github/workflows/gram-sync.yml - set least-privilege token permissions (for example, read-only contents) to reduce CI security risk.

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>

[tofikwest]

@cubic-dev-ai review it

[cubic-dev-ai]

@cubic-dev-ai review it

@tofikwest I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 2 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.

_{Re-trigger cubic}

[claudfuen]

🎉 This PR is included in version 3.66.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀