textus 0.30.0 → 0.38.0

data/lib/textus/manifest/data.rb

@@ -1,18 +1,19 @@
 require_relative "schema"
-require_relative "role_kinds"
+require_relative "capabilities"
 
 module Textus
   class Manifest
     # Immutable, parsed view of a manifest YAML document.
     #
-    # Holds raw structural data (zones, entries, audit_config, role_mapping)
+    # Holds raw structural data (zones, entries, audit_config, role_caps)
     # but no behaviour beyond accessors. Behaviour (zone authority, key
     # resolution, rules) lives on Manifest::Policy / Resolver / Rules.
     class Data
       AUDIT_DEFAULTS = { max_size: 10_485_760, keep: 5 }.freeze
 
-      attr_reader :raw, :root, :entries, :zones, :zone_readers, :declared_zone_kinds,
-                  :audit_config, :role_mapping, :policy
+      attr_reader :raw, :root, :entries, :declared_zone_kinds,
+                  :zone_descs, :zone_owners,
+                  :audit_config, :role_caps, :policy
 
       def self.validate_key!(key)
         raise UsageError.new("empty key") if key.nil? || key.empty?
@@ -34,16 +35,19 @@ module Textus
       def initialize(raw:, root:)
         @raw = raw
         @root = root
-        @zones = Array(raw["zones"]).to_h { |z| [z["name"], Array(z["write_policy"])] }
-        @zone_readers = Array(raw["zones"]).to_h do |z|
-          rp = z["read_policy"]
-          [z["name"], rp.nil? ? :all : Array(rp)]
-        end
+        # Write authority is derived from capabilities × zone-kind (ADR 0030),
+        # not a per-zone writer list. "Which zones are declared" lives in the
+        # one kind-keyed map below (declared_zone_kinds); membership checks by
+        # read-side callers (boot, maintenance/zone_mv) use its keyset (ADR 0034).
         @declared_zone_kinds = Array(raw["zones"]).to_h do |z|
           [z["name"], z["kind"]&.to_sym]
         end
+        @zone_descs  = Array(raw["zones"]).to_h { |z| [z["name"], z["desc"]] }
+        # Only zones that actually declare an owner — keep nil-tombstones out so a
+        # future `zone_owners.key?(name)` means "owner declared", not "zone exists".
+        @zone_owners = Array(raw["zones"]).to_h { |z| [z["name"], z["owner"]] }.compact
         @audit_config = build_audit_config(raw)
-        @role_mapping = RoleKinds.resolve(raw["roles"])
+        @role_caps = Capabilities.resolve(raw["roles"])
         # Policy is constructed before entries because Entry validators
         # call `entry.in_generator_zone?(policy)` and similar helpers
         # that take Policy as an argument.

data/lib/textus/manifest/policy.rb

@@ -2,28 +2,50 @@ module Textus
   class Manifest
     # Authority over zones and roles derived from a Manifest::Data snapshot.
     # Encapsulates the lookups previously living on Manifest itself
-    # (zone_writers, permission_for, role_kind, roles_with_kind). Derived /
+    # (zone_writers, permission_for). Write authority is derived from
+    # capabilities × zone-kind (ADR 0030): each zone-kind requires one verb
+    # (Schema::KIND_REQUIRES_VERB) and a role may write a zone iff its caps
+    # include that verb (verb_for_zone, roles_with_capability). Derived /
     # proposal-queue status is authoritative via the declared-kind family
-    # (declared_kind, derived_zone?, queue_zone?, queue_zone), not inferred
-    # from writers.
+    # (declared_kind, derived_zone?, queue_zone?, queue_zone).
     class Policy
       def initialize(data)
         @data = data
       end
 
-      def zone_writers(zone_name)
-        @data.zones[zone_name] or raise UsageError.new("undeclared zone '#{zone_name}'")
+      # The capability a zone's kind requires to be written, or nil if the
+      # zone declares no kind. declared_kind returns a Symbol; the table is
+      # keyed by String.
+      def verb_for_zone(zone_name)
+        kind = declared_kind(zone_name)
+        kind && Schema::KIND_REQUIRES_VERB[kind.to_s]
+      end
+
+      # Names of roles whose declared caps include `verb`.
+      def roles_with_capability(verb)
+        @data.role_caps.select { |_name, caps| caps.include?(verb) }.keys
+      end
+
+      # The conventional automated proposer: a role that can propose but is not
+      # the author-anchor (so it resolves to `agent`, not `human`, under the
+      # default mapping). Falls back to the first proposer, then nil.
+      def proposer_role
+        proposers = roles_with_capability("propose")
+        (proposers - roles_with_capability("author")).first || proposers.first
       end
 
-      def zone_readers
-        @data.zone_readers
+      # The roles authorized to write `zone_name`: those holding the verb its
+      # kind requires. Raises on an undeclared zone.
+      def zone_writers(zone_name)
+        raise UsageError.new("undeclared zone '#{zone_name}'") unless @data.declared_zone_kinds.key?(zone_name)
+
+        roles_with_capability(verb_for_zone(zone_name))
       end
 
       def permission_for(zone_name)
         Textus::Domain::Permission.new(
           zone: zone_name,
-          write_policy: zone_writers(zone_name),
-          read_policy: @data.zone_readers[zone_name] || :all,
+          writers: zone_writers(zone_name),
         )
       end
 
@@ -32,6 +54,12 @@ module Textus
         @data.declared_zone_kinds[zone_name]
       end
 
+      # Zone names declaring `kind` (a Symbol), in manifest order. Lets callers
+      # (boot) name a kind's live zone instance(s) instead of hardcoding names.
+      def zones_of_kind(kind)
+        @data.declared_zone_kinds.select { |_name, k| k == kind }.keys
+      end
+
       # The single zone declaring `kind: queue`, or nil. Schema guarantees <=1.
       def queue_zone
         @data.declared_zone_kinds.key(:queue)
@@ -47,18 +75,6 @@ module Textus
         declared_kind(zone_name) == :queue
       end
 
-      def role_mapping
-        @data.role_mapping
-      end
-
-      def role_kind(name)
-        @data.role_mapping[name]
-      end
-
-      def roles_with_kind(kind)
-        @data.role_mapping.each_with_object([]) { |(name, k), acc| acc << name if k == kind }
-      end
-
       # The zone a proposer role writes proposals into: the single zone that
       # declares kind: queue, when the role can write it. Returns nil if there
       # is no queue zone or the role cannot write it.

data/lib/textus/manifest/rules.rb

@@ -1,8 +1,8 @@
 module Textus
   class Manifest
     class Rules
-      RuleSet = ::Data.define(:refresh, :handler_allowlist, :promote, :retention)
-      EMPTY_SET = RuleSet.new(refresh: nil, handler_allowlist: nil, promote: nil, retention: nil)
+      RuleSet = ::Data.define(:fetch, :handler_allowlist, :guard, :retention)
+      EMPTY_SET = RuleSet.new(fetch: nil, handler_allowlist: nil, guard: nil, retention: nil)
 
       def self.parse(raw)
         new(Array(raw).map { |b| Block.new(b) })
@@ -15,16 +15,16 @@ module Textus
       attr_reader :blocks
 
       def for(key)
-        slots = { refresh: [], handler_allowlist: [], promote: [], retention: [] }
+        slots = { fetch: [], handler_allowlist: [], guard: [], retention: [] }
         @blocks.each do |b|
           next unless Textus::Domain::Policy::Matcher.matches?(b.match, key)
 
           slots.each_key { |slot| slots[slot] << b if b.public_send(slot) }
         end
         RuleSet.new(
-          refresh: pick(slots[:refresh], :refresh, key),
+          fetch: pick(slots[:fetch], :fetch, key),
           handler_allowlist: pick(slots[:handler_allowlist], :handler_allowlist, key),
-          promote: pick(slots[:promote], :promote, key),
+          guard: pick(slots[:guard], :guard, key),
           retention: pick(slots[:retention], :retention, key),
         )
       end
@@ -44,22 +44,22 @@ module Textus
       end
 
       class Block
-        attr_reader :match, :refresh, :handler_allowlist, :promote, :retention
+        attr_reader :match, :fetch, :handler_allowlist, :guard, :retention
 
         def initialize(raw)
           @match = raw["match"] or raise Textus::UsageError.new("rule block missing match:")
-          @refresh = parse_refresh(raw["refresh"])
+          @fetch = parse_fetch(raw["fetch"])
           @handler_allowlist = parse_handler_allowlist(raw["intake_handler_allowlist"])
-          @promote = parse_promotion(raw["promotion"])
+          @guard = parse_guard(raw["guard"])
           @retention = parse_retention(raw["retention"])
         end
 
         private
 
-        def parse_refresh(h)
+        def parse_fetch(h)
           return nil if h.nil?
 
-          Textus::Domain::Policy::Refresh.new(
+          Textus::Domain::Policy::Fetch.new(
             ttl: h["ttl"],
             on_stale: h["on_stale"] || "warn",
             sync_budget_ms: h["sync_budget_ms"],
@@ -73,12 +73,14 @@ module Textus
           Textus::Domain::Policy::HandlerAllowlist.new(handlers: arr)
         end
 
-        def parse_promotion(h)
+        # A guard: block is a map of transition => [predicate specs]. Predicate
+        # names are validated at GuardFactory build time via Predicates::Registry
+        # (ADR 0031); here we only assert the structural shape.
+        def parse_guard(h)
           return nil if h.nil?
+          raise Textus::BadManifest.new("guard: must be a map of transition => [predicates]") unless h.is_a?(Hash)
 
-          raise Textus::BadManifest.new("promotion: must be a hash with a 'requires:' array") unless h.is_a?(Hash) && h.key?("requires")
-
-          Textus::Domain::Policy::Promote.new(requires: Array(h["requires"]))
+          h
         end
 
         def parse_retention(h)

data/lib/textus/manifest/schema.rb

@@ -2,15 +2,26 @@ module Textus
   class Manifest
     module Schema
       ROOT_KEYS    = %w[version roles zones entries rules audit].freeze
-      ROLE_KEYS    = %w[name kind].freeze
-      ROLE_KINDS   = %w[accept_authority generator proposer runner].freeze
-      ZONE_KEYS    = %w[name kind write_policy read_policy].freeze
-      ZONE_KINDS   = %w[origin quarantine queue derived].freeze
-      KIND_REQUIRES_ROLE_KIND = {
-        "derived" => "generator",
-        "queue" => "proposer",
-        "quarantine" => "runner",
+      ROLE_KEYS    = %w[name can].freeze
+      ZONE_KEYS    = %w[name kind owner desc].freeze
+      # The closed coordination vocabulary (ADR 0028; completed at five in ADR
+      # 0033; unified here in ADR 0034). Each lane pairs a zone-kind with the
+      # single capability that authorizes originating bytes in it — a total
+      # bijection. This table is the ONE source of truth; the three legacy
+      # constants below are derived from it so a zone-kind and its required
+      # capability cannot drift. Key order is canon-first so the unknown-kind
+      # error message reads canon, workspace, quarantine, queue, derived.
+      LANES = {
+        "canon" => "author",
+        "workspace" => "keep",
+        "quarantine" => "fetch",
+        "queue" => "propose",
+        "derived" => "build",
       }.freeze
+
+      ZONE_KINDS         = LANES.keys.freeze
+      CAPABILITIES       = LANES.values.freeze
+      KIND_REQUIRES_VERB = LANES
       ENTRY_KEYS = %w[
         key path zone kind schema owner nested format
         compute template publish_to publish_each
@@ -18,11 +29,10 @@ module Textus
       ].freeze
       COMPUTE_KEYS = %w[kind select pluck sort_by limit transform command sources].freeze
       INTAKE_KEYS  = %w[handler config].freeze
-      RULE_KEYS    = %w[match refresh intake_handler_allowlist promotion retention].freeze
-      REFRESH_KEYS = %w[ttl on_stale sync_budget_ms fetch_timeout_seconds].freeze
+      RULE_KEYS    = %w[match fetch intake_handler_allowlist guard retention].freeze
+      FETCH_KEYS = %w[ttl on_stale sync_budget_ms fetch_timeout_seconds].freeze
       FETCH_TIMEOUT_SECONDS_CEILING = 3600
-      PROMOTION_KEYS  = %w[requires].freeze
-      RETENTION_KEYS  = %w[expire_after archive_after].freeze
+      RETENTION_KEYS = %w[expire_after archive_after].freeze
       AUDIT_KEYS = %w[max_size keep].freeze
 
       def self.validate!(raw)
@@ -34,7 +44,6 @@ module Textus
         validate_entries!(raw["entries"])
         validate_rules!(raw["rules"])
         walk(raw["audit"], AUDIT_KEYS, "$.audit") if raw["audit"].is_a?(Hash)
-        validate_zone_writers_declared!(raw)
         validate_single_queue!(raw)
         validate_zone_kind_consistency!(raw)
       end
@@ -66,52 +75,37 @@ module Textus
         Array(rules).each_with_index do |r, i|
           path = "$.rules[#{i}]"
           walk(r, RULE_KEYS, path)
-          if r["refresh"].is_a?(Hash)
-            walk(r["refresh"], REFRESH_KEYS, "#{path}.refresh")
-            validate_fetch_timeout!(r["refresh"]["fetch_timeout_seconds"], "#{path}.refresh.fetch_timeout_seconds")
+          if r["fetch"].is_a?(Hash)
+            walk(r["fetch"], FETCH_KEYS, "#{path}.fetch")
+            validate_fetch_timeout!(r["fetch"]["fetch_timeout_seconds"], "#{path}.fetch.fetch_timeout_seconds")
           end
-          walk(r["promotion"], PROMOTION_KEYS, "#{path}.promotion") if r["promotion"].is_a?(Hash)
           walk(r["retention"], RETENTION_KEYS, "#{path}.retention") if r["retention"].is_a?(Hash)
         end
       end
 
-      def self.validate_zone_writers_declared!(raw)
-        return if raw["roles"].nil? # default mapping is permissive
-
-        declared = Array(raw["roles"]).map { |r| r["name"] }.compact.to_set
-        Array(raw["zones"]).each do |z|
-          Array(z["write_policy"]).each_with_index do |w, j|
-            next if declared.include?(w)
-
-            raise BadManifest.new(
-              "zone '#{z["name"]}' write_policy[#{j}] references undeclared role '#{w}' " \
-              "(declared roles: #{declared.to_a.join(", ")})",
-            )
-          end
-        end
-      end
-
       def self.validate_roles!(roles)
         return if roles.nil?
         raise BadManifest.new("roles: must be a list") unless roles.is_a?(Array)
 
-        accept_authority_count = 0
         roles.each_with_index do |r, i|
           path = "$.roles[#{i}]"
           walk(r, ROLE_KEYS, path)
           name = r["name"] or raise BadManifest.new("role at '#{path}' missing name")
-          kind = r["kind"] or raise BadManifest.new("role '#{name}' at '#{path}' missing kind")
-          unless ROLE_KINDS.include?(kind)
-            raise BadManifest.new("unknown role kind '#{kind}' at '#{path}' (known: #{ROLE_KINDS.join(", ")})")
-          end
+          Array(r["can"]).each do |verb|
+            next if CAPABILITIES.include?(verb)
 
-          accept_authority_count += 1 if kind == "accept_authority"
+            raise BadManifest.new(
+              "unknown capability '#{verb}' for role '#{name}' at '#{path}' " \
+              "(known: #{CAPABILITIES.join(", ")})",
+            )
+          end
         end
-        return unless accept_authority_count > 1
+
+        author_holders = roles.count { |r| Array(r["can"]).include?("author") }
+        return if author_holders <= 1
 
         raise BadManifest.new(
-          "manifest declares #{accept_authority_count} accept_authority roles; " \
-          "at most one accept_authority role is allowed",
+          "manifest declares #{author_holders} roles with the author capability; at most one is allowed",
         )
       end
 
@@ -143,28 +137,24 @@ module Textus
         )
       end
 
+      # Write authority is derived from capabilities (ADR 0030): a zone of a
+      # given kind can only be written by a role that holds the kind's required
+      # verb. Reject a manifest declaring a zone whose required verb is held by
+      # no role. Capabilities.resolve returns the defaults when `roles:` is nil,
+      # so the capability union is all four verbs and every kind is satisfied.
       def self.validate_zone_kind_consistency!(raw)
-        mapping = role_kind_mapping(raw)
-        Array(raw["zones"]).each do |z|
-          required = KIND_REQUIRES_ROLE_KIND[z["kind"]] or next
-          writers  = Array(z["write_policy"])
-          next if writers.any? { |w| mapping[w] == required }
+        held = Capabilities.resolve(raw["roles"]).values.flatten.uniq
+
+        Array(raw["zones"]).each_with_index do |z, i|
+          verb = KIND_REQUIRES_VERB[z["kind"]]
+          next if verb.nil? || held.include?(verb)
 
           raise BadManifest.new(
-            "zone '#{z["name"]}' declares kind: #{z["kind"]} but no writer is a #{required} " \
-            "(writers: #{writers.join(", ")})",
+            "zone '#{z["name"]}' (#{z["kind"]}) at '$.zones[#{i}]' " \
+            "needs a role with capability '#{verb}'; none declared",
           )
         end
       end
-
-      # name => kind string, honouring an explicit roles: block or the default mapping.
-      def self.role_kind_mapping(raw)
-        if raw["roles"].nil?
-          RoleKinds::DEFAULT_MAPPING.transform_values(&:to_s)
-        else
-          Array(raw["roles"]).to_h { |r| [r["name"], r["kind"]] }
-        end
-      end
     end
   end
 end

data/lib/textus/manifest.rb

@@ -4,11 +4,11 @@ module Textus
   # Manifest is the composition record for a parsed manifest. It bundles
   # four collaborators:
   #
-  #   * data     — frozen value: raw, root, zones, entries, audit_config, role_mapping
+  #   * data     — frozen value: raw, root, zones, entries, audit_config, role_caps
   #   * resolver — resolves keys → entry + path
   #   * policy   — zone/role authority (zone_writers, declared_kind/derived_zone?/
   #     queue_zone?, permission_for, …)
-  #   * rules    — match-block rule engine (refresh, handler allowlist, promotion, …)
+  #   * rules    — match-block rule engine (fetch, handler allowlist, promotion, …)
   #
   # Use `manifest.data.entries`, `manifest.policy.declared_kind(z)`, etc.
   Manifest = Data.define(:data, :resolver, :policy, :rules)
@@ -18,7 +18,7 @@ require_relative "manifest/schema"
 require_relative "manifest/data"
 require_relative "manifest/policy"
 require_relative "manifest/resolver"
-require_relative "manifest/role_kinds"
+require_relative "manifest/capabilities"
 
 # Reopen Textus::Manifest (defined above as a Data.define) to attach
 # class-level loaders and helpers.

data/lib/textus/mcp/catalog.rb

@@ -0,0 +1,72 @@
+module Textus
+  module MCP
+    # Derives the entire MCP tool surface from the per-verb contracts
+    # (ADR 0039). `tool_schemas` feeds tools/list; `call` is the generic
+    # tools/call dispatch: map JSON args -> (positional, keyword) per the
+    # contract, invoke the verb through the role scope, then shape the
+    # return value with the contract's response block. No per-tool code.
+    module Catalog
+      module_function
+
+      # Contracts of every MCP-surfaced verb, in Dispatcher order.
+      def specs
+        Textus::Dispatcher::VERBS.values
+                                 .select { |k| k.respond_to?(:contract?) && k.contract? && k.contract.mcp? }
+                                 .map(&:contract)
+      end
+
+      def tool_schemas
+        specs.map do |s|
+          { name: s.verb.to_s, description: s.summary, inputSchema: s.input_schema }
+        end.freeze
+      end
+
+      def names
+        specs.map { |s| s.verb.to_s }
+      end
+
+      def call(name, session:, store:, args:)
+        klass = Textus::Dispatcher::VERBS[name.to_sym]
+        raise ToolError.new("unknown tool: #{name}") unless klass.respond_to?(:contract?) && klass.contract? && klass.contract.mcp?
+
+        spec = klass.contract
+        pos, kw = map_args(spec, args || {}, session)
+        result = store.as(session.role).public_send(spec.verb, *pos, **kw)
+        spec.response.call(result)
+      rescue ContractDrift, CursorExpired
+        raise
+      rescue Textus::Error => e
+        raise ToolError.new("#{name}: #{e.message}")
+      end
+
+      # Splits the raw JSON arg hash into the positional list and keyword hash
+      # the use-case expects, validating required presence first.
+      # Session-default args (session_default: :method_name) are injected from
+      # the session when absent from the wire; they are never treated as missing.
+      # Positional args are emitted in contract declaration order; use-case signatures must match.
+      def map_args(spec, raw, session = nil)
+        missing = spec.required_args.map { |a| a.name.to_s } - raw.keys
+        raise ToolError.new("#{spec.verb}: missing #{missing.join(", ")}") unless missing.empty?
+
+        positional = []
+        keyword = {}
+        spec.args.each do |a|
+          if raw.key?(a.name.to_s)
+            value = raw[a.name.to_s]
+          elsif a.session_default && session
+            value = session.public_send(a.session_default)
+          else
+            next
+          end
+
+          if a.positional
+            positional << value
+          else
+            keyword[a.name] = value
+          end
+        end
+        [positional, keyword]
+      end
+    end
+  end
+end

data/lib/textus/mcp/server.rb

@@ -49,8 +49,11 @@ module Textus
       end
 
       def handle_initialize(rid, _params)
-        proposer = @store.manifest.policy.roles_with_kind(:proposer).first
-        propose_zone = @store.manifest.policy.propose_zone_for(proposer)
+        # The acting role IS the resolved connection role (ADR 0040): the MCP
+        # transport defaults to `agent`, which can write the queue, so its
+        # propose_zone resolves directly. If a connection's role cannot propose,
+        # propose_zone is nil and the `propose` tool reports that honestly.
+        propose_zone = @store.manifest.policy.propose_zone_for(@role)
 
         @session = Session.new(
           role: @role,
@@ -67,7 +70,7 @@ module Textus
       end
 
       def handle_tools_list(rid)
-        emit_result(rid, { "tools" => ToolSchemas.all })
+        emit_result(rid, { "tools" => Catalog.tool_schemas })
       end
 
       def handle_tools_call(rid, params)
@@ -80,8 +83,8 @@ module Textus
 
         name = params["name"]
         args = params["arguments"] || {}
-        result = Tools.call(name, session: @session, store: @store, args: args)
-        @session = @session.advance_cursor(@store.audit_log.latest_seq) if name == "tick"
+        result = Catalog.call(name, session: @session, store: @store, args: args)
+        @session = @session.advance_cursor(@store.audit_log.latest_seq) if name == "pulse"
 
         emit_result(rid, {
                       "content" => [{ "type" => "text", "text" => JSON.dump(result) }],

data/lib/textus/mcp/session.rb

@@ -1,24 +1,7 @@
 module Textus
   module MCP
-    # Per-connection state held by the server. Immutable Data value;
-    # advance_cursor returns a new instance via #with.
-    Session = Data.define(:role, :cursor, :propose_zone, :manifest_etag) do
-      def advance_cursor(new_cursor) = with(cursor: new_cursor)
-
-      def check_etag!(observed_etag)
-        return if observed_etag == manifest_etag
-
-        raise ContractDrift.new(
-          "manifest changed (was #{short_etag(manifest_etag)}, now #{short_etag(observed_etag)}); re-run boot",
-        )
-      end
-
-      private
-
-      # First 8 hex chars after the "sha256:" prefix — a stable short id for
-      # the drift diagnostic. Tolerates non-prefixed values (delete_prefix is
-      # a no-op when the prefix is absent).
-      def short_etag(etag) = etag.to_s.delete_prefix("sha256:")[0, 8]
-    end
+    # The session value now lives in core (ADR 0036); retained here as an
+    # alias so existing MCP references keep resolving.
+    Session = Textus::Session
   end
 end

data/lib/textus/mcp/tool_schemas.rb

@@ -1,70 +1,14 @@
 module Textus
   module MCP
-    # JSON-Schema definitions for every MCP tool's inputSchema. Returned by
-    # the server in tools/list. Static today — a follow-up will enrich with
-    # manifest-derived enums for `zone`, `key`, etc.
+    # Kept for name stability (ADR 0039). The JSON schemas are DERIVED from
+    # per-verb contracts; this delegates to MCP::Catalog. The hand-written
+    # array is gone — a kwarg rename now updates the schema automatically (and
+    # the signature guard fails if the contract lags the use-case).
     module ToolSchemas
       module_function
 
-      def all # rubocop:disable Metrics/MethodLength
-        [
-          tool("boot", "Return the orientation contract: zones, entries, schemas, write_flows, agent_quickstart.", {}, []),
-          tool("tick", "Delta since cursor. Returns {cursor, changed, stale, pending_review, doctor}.",
-               { "since" => { "type" => "integer", "minimum" => 0 } }, []),
-          tool("find", "List keys filtered by zone and/or prefix.",
-               { "zone" => { "type" => "string" }, "prefix" => { "type" => "string" } }, []),
-          tool("read", "Read one entry. Returns the envelope (uid, etag, _meta, body, freshness).",
-               { "key" => { "type" => "string" } }, ["key"]),
-          tool("write", "Create or update an entry. Schema-validated. Returns {uid, etag}.",
-               {
-                 "key" => { "type" => "string" },
-                 "meta" => { "type" => "object" },
-                 "body" => { "type" => "string" },
-                 "content" => { "type" => "object" },
-                 "if_etag" => { "type" => "string" },
-               }, %w[key meta]),
-          tool("propose", "Write a proposal to the session's propose_zone. Auto-prefixes the key.",
-               {
-                 "key" => { "type" => "string", "description" => "Key relative to propose_zone, e.g. 'proposal.feature-x'" },
-                 "meta" => { "type" => "object" },
-                 "body" => { "type" => "string" },
-               }, %w[key meta]),
-          tool("refresh", "Run an intake refresh for one key. Returns the refresh Outcome.",
-               { "key" => { "type" => "string" } }, ["key"]),
-          tool("refresh_stale", "Refresh all stale intake entries, optionally scoped by zone/prefix.",
-               {
-                 "zone" => { "type" => "string" },
-                 "prefix" => { "type" => "string" },
-               }, []),
-          tool("schema", "Return the schema (field shape) for an entry family.",
-               { "family" => { "type" => "string" } }, ["family"]),
-          tool("rules", "Return effective rules for a key (refresh, promote, ...).",
-               { "key" => { "type" => "string" } }, ["key"]),
-          tool("key_mv_prefix",
-               "Bulk-rename every leaf key under from_prefix to to_prefix. Dry-run returns a Plan; apply with dry_run: false.",
-               { "from_prefix" => { "type" => "string" }, "to_prefix" => { "type" => "string" }, "dry_run" => { "type" => "boolean" } },
-               %w[from_prefix to_prefix]),
-          tool("key_delete_prefix", "Bulk-delete every leaf key under prefix.",
-               { "prefix" => { "type" => "string" }, "dry_run" => { "type" => "boolean" } },
-               ["prefix"]),
-          tool("zone_mv", "Rename a zone — manifest + files. Refuses if destination exists.",
-               { "from" => { "type" => "string" }, "to" => { "type" => "string" }, "dry_run" => { "type" => "boolean" } },
-               %w[from to]),
-          tool("rule_lint", "Diff candidate manifest YAML's rules against the live manifest. No writes.",
-               { "candidate_yaml" => { "type" => "string" } },
-               ["candidate_yaml"]),
-          tool("migrate", "Run a YAML migration plan (multi-op).",
-               { "plan_yaml" => { "type" => "string" }, "dry_run" => { "type" => "boolean" } },
-               ["plan_yaml"]),
-        ].freeze
-      end
-
-      def tool(name, description, properties, required)
-        {
-          name: name,
-          description: description,
-          inputSchema: { type: "object", properties: properties, required: required },
-        }
+      def all
+        Catalog.tool_schemas
       end
     end
   end