feat(mcp)!: drop lookup_order tool from MCP surface (#42)

`GET /orders/lookup` is StatusPro's customer-verification path — requires `number` + `email` because email is the auth factor for unauthenticated customer self-service. With a Bearer-token MCP caller, the email requirement adds friction without security benefit.

Removes the `lookup_order` MCP tool. `list_orders(search="…")` matches partial order number, name, or customer fields, which covers the operational lookup-by-number flow without needing customer email. The `Orders.lookup()` Python client helper is retained.

Closes #35.

BREAKING CHANGE: the `lookup_order` MCP tool no longer exists. Use `list_orders(search=…)` or `get_order(id=…)`.

Author: dougborg

statuspro_mcp_server/src/statuspro_mcp/resources/help.py

@@ -11,9 +11,8 @@
 
 | Tool | Endpoint | Purpose |
 | ---- | -------- | ------- |
-| `list_orders` | `GET /orders` | Paginated list with filters (search, status, tags, due-date range). Auto-paginates. |
+| `list_orders` | `GET /orders` | Paginated list with filters (search, status, tags, due-date range). Auto-paginates. `search` matches order number, name, or customer fields — use it to find an order from just an order number. |
 | `get_order` | `GET /orders/{id}` | Full detail for one order, including history. |
-| `lookup_order` | `GET /orders/lookup` | Look up an order by `number` + customer `email`. |
 | `get_viable_statuses` | `GET /orders/{id}/viable-statuses` | Valid status transitions for the order's current state. |
 | `update_order_status` | `POST /orders/{id}/status` | Change status. Two-step confirm. |
 | `add_order_comment` | `POST /orders/{id}/comment` | Add a history comment. Two-step confirm. 5/min. |

statuspro_mcp_server/src/statuspro_mcp/server.py

@@ -189,7 +189,7 @@ def _build_auth() -> "AuthProvider | None":
 ## Tool Selection Guide
 
 **Finding orders:**
-  list_orders (filter by status, date range, tags) | lookup_order (by order number + customer email) | get_order (by id)
+  list_orders (filter by status, date range, tags; `search` matches order number, name, or customer fields) | get_order (by id)
 
 **Changing status:**
   get_viable_statuses → update_order_status
@@ -223,7 +223,6 @@ def _build_auth() -> "AuthProvider | None":
 _READ_ONLY_TOOLS = [
     "list_orders",
     "get_order",
-    "lookup_order",
     "list_statuses",
     "get_viable_statuses",
 ]

statuspro_mcp_server/src/statuspro_mcp/tools/orders.py

@@ -1,12 +1,17 @@
 """MCP tools for StatusPro orders.
 
-7 tools mapping to the ``/orders*`` endpoints. Mutations use a two-step confirm
+6 tools mapping to the ``/orders*`` endpoints. Mutations use a two-step confirm
 pattern: call with ``confirm=False`` to see a preview, then ``confirm=True`` to
 execute (the client host elicits explicit user approval via ``ctx.elicit``).
 
 Three tools — ``list_orders``, ``get_order``, ``update_order_status`` — return
 a Prefab UI for MCP-Apps clients (Claude Desktop) via ``make_tool_result`` and
 ``meta=UI_META``. Others return plain Pydantic/dict responses.
+
+The ``GET /orders/lookup`` endpoint is intentionally not exposed: it is the
+public, customer-verification path (requires ``number`` + ``email``) and adds
+nothing for an authenticated MCP caller, who can already use ``list_orders``
+(``search`` matches order number) or ``get_order`` (by id).
 """
 
 from __future__ import annotations
@@ -273,21 +278,6 @@ async def get_order(
             history_table=history_table,
         )
 
-    @mcp.tool(
-        name="lookup_order",
-        description="Look up an order by order number + customer email.",
-    )
-    async def lookup_order(
-        context: Context,
-        number: Annotated[
-            str, Field(description="Order number, e.g. '1188' or '#1188'")
-        ],
-        email: Annotated[str, Field(description="Customer email address")],
-    ) -> OrderSummary:
-        services = get_services(context)
-        order = await services.client.orders.lookup(number=number, email=email)
-        return _to_summary(order)
-
     @mcp.tool(
         name="update_order_status",
         description=(