docs: add phase4-plan.md (m-dev-tools-mcp MCP server)

[rafael5]

Summary

• Implementation plan for AI-discoverability-plan.md §7 Phase 4 — ship m-dev-tools-mcp as a GitHub-Release wheel exposing route_intent / describe / verify over the org catalog.
• Narrows Phase 4 to the MCP-server piece only: tier-3 repo onboarding already shipped in PR profile/tools.json: tier-3 trio now ships Phase 0 contract #13, and PyPI publishing is deferred per parent plan §5.3 and PR docs: defer PyPI publishing for m-dev-tools-mcp (Phase 4) #18.
• Follows the phase0/phase1/phase3 plan structure (track layout → per-track stages → stage matrix → calling convention → risk notes → done-definition).

Plan shape

Section	Content
§0	Blocking dependencies — Phase 1 + Phase 2 closed; Phase 3 C2 is the soft blocker for Track B (handshake-test helpers Track B's route_intent will reuse)
§1	Five tracks (A scaffold → B tools → C+D parallel → E close-out) with parallel-safety matrix
§2–§6	Per-track stage breakdowns with verification commands and TDD checkpoints
§7	Single-glance stage matrix with explicit blockers
§8	Calling convention (run A, run B3, run C+D in parallel)
§9	Risk notes — MCP SDK volatility; verify execution-vs-listing security call (Phase 4 ships listing only, not exec); PyPI namespace squat; catalog network latency; Phase 3 dependency timing
§10	Gantt — ~6 weeks single-threaded, ~5 with one parallel pair
§11	10-point definition of done; Phase 5 unblocked when all true

Key design calls

• verify is command-listing only, not execution. Parent plan §5.3 originally said "verify runs verification_commands and returns status," but executing arbitrary commands from a catalog blob is exactly the prompt-injection vector MCP servers are warned about. Phase 4 ships verify as a listing tool; actual execution is the client's responsibility (the agent, with user consent). Documented in the §9 risk register and proposed for the new repo's AGENTS.md.
• Track B blocks on Phase 3 C2 (the test-discovery-protocol.py implementation) because Track B's route_intent reuses its lookup helpers. Tracks A and D can start immediately.
• PyPI namespace defense is called out as out-of-scope (per the deferral in PR docs: defer PyPI publishing for m-dev-tools-mcp (Phase 4) #18) with a documented mitigation option (0.0.0 placeholder upload) if name-squatting becomes a real concern.

Test plan

• Markdown lints clean (no broken internal anchors)
• Matches phase3-plan.md structural conventions (§0 launch state, §1 track layout ASCII, §7 stage matrix, §11 done-definition)
• All referenced PRs (profile/tools.json: tier-3 trio now ships Phase 0 contract #13, docs: add phase3-plan.md (recipes + handshake test, Layer 3) #15, phase1-D: make catalog + check-catalog + CI wiring (closes Phase 1) #16, chore(history): rehost archived m-tools design docs under .github/docs/history/ #17, docs: defer PyPI publishing for m-dev-tools-mcp (Phase 4) #18) verified against origin/main git log
• §0 blocker statuses match origin/main reality as of 2026-05-11
• No execution gates on this PR — it's a planning doc; the implementation gates land per-track in follow-up PRs against m-dev-tools-mcp (Tracks A–C) and .github (Tracks D–E)

🤖 Generated with Claude Code