npm - @algosuite/vo-mcp - Versions diffs - 0.2.0-beta.1 → 0.2.0-beta.4 - Mend

@algosuite/vo-mcp 0.2.0-beta.1 → 0.2.0-beta.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/dist/cli.js CHANGED Viewed

@@ -15,500 +15,222 @@ var __export = (target, all) => {
     __defProp(target, name, { get: all[name], enumerable: true });
 };
-// src/cloud/auth-token-source.ts
-var auth_token_source_exports = {};
-__export(auth_token_source_exports, {
-  FIREBASE_SECURETOKEN_URL: () => FIREBASE_SECURETOKEN_URL,
-  FIREBASE_TOKEN_REFERER: () => FIREBASE_TOKEN_REFERER,
-  createAuthTokenSourceFromEnv: () => createAuthTokenSourceFromEnv,
-  createFirebaseRefreshTokenSource: () => createFirebaseRefreshTokenSource,
-  createStaticTokenSource: () => createStaticTokenSource
+// ../vo-arch-defaults/src/schema/rule-v1.ts
+import { z } from "zod";
+function parseRule(input) {
+  return ArchitecturalDefaultRuleSchema.parse(input);
+}
+var EvidenceMatcherKind, EvidenceMatcher, ChangeType, AppliesWhen, Reference, IsoDate, RuleId, ArchitecturalDefaultRuleSchema;
+var init_rule_v1 = __esm({
+  "../vo-arch-defaults/src/schema/rule-v1.ts"() {
+    "use strict";
+    EvidenceMatcherKind = z.enum([
+      "regex",
+      "import-detector",
+      "package-json-field",
+      "file-size",
+      "ast-pattern",
+      "custom"
+    ]);
+    EvidenceMatcher = z.object({
+      kind: EvidenceMatcherKind,
+      pattern: z.string().optional(),
+      config: z.record(z.string(), z.unknown()).optional(),
+      description: z.string().min(1)
+    }).strict().refine(
+      (m) => m.kind !== "regex" || typeof m.pattern === "string" && m.pattern.length > 0,
+      { message: "regex matcher requires non-empty pattern" }
+    );
+    ChangeType = z.enum(["new-file", "edit", "delete", "rename", "any"]);
+    AppliesWhen = z.object({
+      stack: z.array(z.string().min(1)).optional(),
+      change_types: z.array(ChangeType).optional(),
+      file_globs: z.array(z.string().min(1)).optional(),
+      not_file_globs: z.array(z.string().min(1)).optional()
+    }).strict();
+    Reference = z.object({
+      type: z.enum(["framework-doc", "internal-doc", "pr", "incident", "external"]),
+      url: z.string().min(1),
+      description: z.string().min(1)
+    }).strict();
+    IsoDate = z.string().regex(/^\d{4}-\d{2}-\d{2}$/, "last_verified must be ISO date YYYY-MM-DD").refine((s) => {
+      const d = /* @__PURE__ */ new Date(s + "T00:00:00Z");
+      return !Number.isNaN(d.getTime()) && d.toISOString().startsWith(s);
+    }, "last_verified must be a real calendar date");
+    RuleId = z.string().regex(/^[a-z][a-z0-9-]*\/[a-z][a-z0-9-]*$/, {
+      message: "rule_id must be `<category>/<kebab-name>`"
+    });
+    ArchitecturalDefaultRuleSchema = z.object({
+      schema_version: z.literal(1),
+      rule_id: RuleId,
+      rule_version: z.number().int().positive(),
+      category: z.string().min(1),
+      severity: z.enum(["blocker", "warning", "info"]),
+      title: z.string().min(1),
+      rationale: z.string().min(1),
+      applies_when: AppliesWhen,
+      evidence_of_violation: z.array(EvidenceMatcher).min(1, {
+        message: "rule must declare at least one evidence matcher"
+      }),
+      remediation: z.string().min(1),
+      references: z.array(Reference),
+      last_verified: IsoDate,
+      tags: z.array(z.string().min(1))
+    }).strict();
+  }
 });
-function createStaticTokenSource(token, kind = "admin-token") {
-  const value = token.trim();
-  return { kind, getToken: async () => value.length > 0 ? value : null };
+// ../vo-arch-defaults/src/schema/override-v1.ts
+import { z as z2 } from "zod";
+function parseOverride(input) {
+  return TenantOverrideSchema.parse(input);
 }
-function createFirebaseRefreshTokenSource(opts) {
-  const refreshToken = opts.refreshToken.trim();
-  const apiKey = opts.apiKey.trim();
-  const now = opts.now ?? (() => Date.now());
-  const fetchFn = opts.fetchFn ?? globalThis.fetch;
-  let cachedToken = null;
-  let expiresAtMs = 0;
-  let inFlight = null;
-  async function refresh() {
-    try {
-      const res = await fetchFn(`${FIREBASE_SECURETOKEN_URL}?key=${encodeURIComponent(apiKey)}`, {
-        method: "POST",
-        headers: {
-          "content-type": "application/x-www-form-urlencoded",
-          referer: FIREBASE_TOKEN_REFERER
-        },
-        body: `grant_type=refresh_token&refresh_token=${encodeURIComponent(refreshToken)}`
-      });
-      const text = await res.text();
-      if (res.status < 200 || res.status >= 300) {
-        cachedToken = null;
-        return null;
-      }
-      const parsed = JSON.parse(text);
-      const idToken = typeof parsed.id_token === "string" ? parsed.id_token : "";
-      if (!idToken) {
-        cachedToken = null;
-        return null;
-      }
-      const expiresInSec = Number(parsed.expires_in);
-      const ttlMs = Number.isFinite(expiresInSec) && expiresInSec > 0 ? expiresInSec * 1e3 : 36e5;
-      cachedToken = idToken;
-      expiresAtMs = now() + ttlMs;
-      return idToken;
-    } catch {
-      cachedToken = null;
-      return null;
-    }
+var PartialRuleSchema, TenantOverrideSchema;
+var init_override_v1 = __esm({
+  "../vo-arch-defaults/src/schema/override-v1.ts"() {
+    "use strict";
+    init_rule_v1();
+    PartialRuleSchema = ArchitecturalDefaultRuleSchema.partial();
+    TenantOverrideSchema = z2.object({
+      schema_version: z2.literal(1),
+      suppressed_rule_ids: z2.array(z2.string().min(1)),
+      modified_rules: z2.record(z2.string().min(1), PartialRuleSchema),
+      added_rules: z2.array(ArchitecturalDefaultRuleSchema),
+      /**
+       * Per-tenant stack override (added 2026-05-24 — audit HIGH
+       * "DEFAULT_STACK hardcoded for Nexus repo"). When set, downstream
+       * consumers (vo-mcp KB pre-filter, vo-arch-check CLI) use this list
+       * instead of their built-in default. Lets external tenants whose
+       * repo isn't `firebase+react+pnpm` get useful KB rule matches by
+       * dropping a `~/.claude/vo-arch-defaults.local.json` with their own
+       * stack identifiers — no code change required.
+       *
+       * Open string union — values are not constrained beyond non-empty
+       * strings so out-of-tree tenants can declare their own
+       * (e.g. `vercel-edge`, `next-15`, `drizzle-postgres`).
+       *
+       * Optional. Undefined / omitted preserves pre-2026-05-24 behavior
+       * (consumer falls back to its hardcoded default stack).
+       */
+      tenant_stack: z2.array(z2.string().min(1)).optional()
+    }).strict();
   }
-  return {
-    kind: "firebase-refresh",
-    async getToken() {
-      if (cachedToken && now() < expiresAtMs - REFRESH_SKEW_MS) return cachedToken;
-      if (!inFlight) {
-        inFlight = refresh().finally(() => {
-          inFlight = null;
-        });
-      }
-      return inFlight;
-    }
-  };
+});
+// ../vo-arch-defaults/src/schema/index.ts
+var init_schema = __esm({
+  "../vo-arch-defaults/src/schema/index.ts"() {
+    "use strict";
+    init_rule_v1();
+    init_override_v1();
+  }
+});
+// ../vo-arch-defaults/src/storage/load-bundled.ts
+import { readdirSync, readFileSync, statSync, existsSync } from "node:fs";
+import { dirname, join } from "node:path";
+import { fileURLToPath } from "node:url";
+function resolveBundledCorpusDir() {
+  const here = dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    join(here, "..", "corpus"),
+    // dist/corpus next to dist/storage
+    join(here, "..", "..", "corpus")
+    // src/corpus next to src/storage (under vitest)
+  ];
+  for (const c of candidates) {
+    if (existsSync(c) && statSync(c).isDirectory()) return c;
+  }
+  throw new Error(
+    `vo-arch-defaults: could not locate bundled corpus directory. Tried: ${candidates.join(", ")}`
+  );
 }
-function createAuthTokenSourceFromEnv(env = process.env, fetchFn, readStoredCred = () => null) {
-  const refreshToken = env["VO_USER_REFRESH_TOKEN"]?.trim();
-  const apiKey = env["VO_FIREBASE_API_KEY"]?.trim();
-  const idToken = env["VO_USER_ID_TOKEN"]?.trim();
-  const adminToken = env["VO_CONTROL_PLANE_ADMIN_TOKEN"]?.trim();
-  if (refreshToken || apiKey) {
-    if (!refreshToken || !apiKey) {
-      throw new Error(
-        "Per-user refresh auth requires BOTH VO_USER_REFRESH_TOKEN and VO_FIREBASE_API_KEY"
-      );
+function walkJson(dir, out) {
+  for (const entry of readdirSync(dir)) {
+    const full = join(dir, entry);
+    const st = statSync(full);
+    if (st.isDirectory()) {
+      walkJson(full, out);
+    } else if (entry.endsWith(".json")) {
+      out.push(full);
     }
-    return createFirebaseRefreshTokenSource({
-      refreshToken,
-      apiKey,
-      ...fetchFn ? { fetchFn } : {}
-    });
-  }
-  if (idToken) return createStaticTokenSource(idToken, "firebase-id-token");
-  const stored = readStoredCred();
-  if (stored?.vo_credential && stored.vo_credential.trim()) {
-    return createStaticTokenSource(stored.vo_credential.trim(), "vo-credential");
   }
-  if (stored && stored.refresh_token?.trim() && stored.api_key?.trim()) {
-    return createFirebaseRefreshTokenSource({
-      refreshToken: stored.refresh_token.trim(),
-      apiKey: stored.api_key.trim(),
-      ...fetchFn ? { fetchFn } : {}
-    });
+}
+function loadBundledCorpus(opts = {}) {
+  const dir = opts.corpusDir ?? resolveBundledCorpusDir();
+  const files = [];
+  walkJson(dir, files);
+  files.sort();
+  const rules = [];
+  const seenIds = /* @__PURE__ */ new Set();
+  for (const file of files) {
+    const raw = readFileSync(file, "utf8");
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (err) {
+      const m = err instanceof Error ? err.message : String(err);
+      throw new Error(`vo-arch-defaults: invalid JSON in ${file}: ${m}`, { cause: err });
+    }
+    try {
+      const rule = parseRule(parsed);
+      if (seenIds.has(rule.rule_id)) {
+        throw new Error(
+          `vo-arch-defaults: duplicate rule_id '${rule.rule_id}' (second occurrence in ${file})`
+        );
+      }
+      seenIds.add(rule.rule_id);
+      rules.push(rule);
+    } catch (err) {
+      const m = err instanceof Error ? err.message : String(err);
+      throw new Error(`vo-arch-defaults: schema validation failed for ${file}: ${m}`, { cause: err });
+    }
   }
-  if (adminToken) return createStaticTokenSource(adminToken, "admin-token");
-  return null;
+  return { rules, source_paths: files };
 }
-var FIREBASE_SECURETOKEN_URL, FIREBASE_TOKEN_REFERER, REFRESH_SKEW_MS;
-var init_auth_token_source = __esm({
-  "src/cloud/auth-token-source.ts"() {
+var init_load_bundled = __esm({
+  "../vo-arch-defaults/src/storage/load-bundled.ts"() {
     "use strict";
-    FIREBASE_SECURETOKEN_URL = "https://securetoken.googleapis.com/v1/token";
-    FIREBASE_TOKEN_REFERER = "https://algosuite.ai/";
-    REFRESH_SKEW_MS = 6e4;
+    init_schema();
   }
 });
-// src/cloud/keychain.ts
-import { createRequire } from "node:module";
-function loadKeyring() {
-  if (cached !== void 0) return cached;
-  try {
-    const req = createRequire(import.meta.url);
-    const mod = req("@napi-rs/keyring");
-    cached = mod && typeof mod.Entry === "function" ? mod : null;
-  } catch {
-    cached = null;
-  }
-  return cached;
-}
-function keychainAvailable() {
-  return loadKeyring() !== null;
+// ../vo-arch-defaults/src/storage/load-override.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "node:fs";
+import { homedir } from "node:os";
+import { join as join2 } from "node:path";
+function defaultOverridePath() {
+  return join2(homedir(), ".claude", "vo-arch-defaults.local.json");
 }
-function keychainGet() {
-  const k = loadKeyring();
-  if (!k) return null;
-  try {
-    return new k.Entry(SERVICE, ACCOUNT).getPassword();
-  } catch {
-    return null;
+function loadTenantOverride(opts = {}) {
+  const path3 = opts.path ?? defaultOverridePath();
+  if (!existsSync2(path3)) {
+    return { override: null, source_path: null };
   }
-}
-function keychainSet(secret) {
-  const k = loadKeyring();
-  if (!k) return false;
+  const raw = readFileSync2(path3, "utf8");
+  let parsed;
   try {
-    new k.Entry(SERVICE, ACCOUNT).setPassword(secret);
-    return true;
-  } catch {
-    return false;
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    const m = err instanceof Error ? err.message : String(err);
+    throw new Error(`vo-arch-defaults: invalid JSON in override ${path3}: ${m}`, { cause: err });
   }
-}
-function keychainDelete() {
-  const k = loadKeyring();
-  if (!k) return false;
   try {
-    return new k.Entry(SERVICE, ACCOUNT).deletePassword();
-  } catch {
-    return false;
+    const override = parseOverride(parsed);
+    return { override, source_path: path3 };
+  } catch (err) {
+    const m = err instanceof Error ? err.message : String(err);
+    throw new Error(`vo-arch-defaults: override schema validation failed for ${path3}: ${m}`, { cause: err });
   }
 }
-var SERVICE, ACCOUNT, cached;
-var init_keychain = __esm({
-  "src/cloud/keychain.ts"() {
+var init_load_override = __esm({
+  "../vo-arch-defaults/src/storage/load-override.ts"() {
     "use strict";
-    SERVICE = "vo-mcp";
-    ACCOUNT = "refresh-credential";
+    init_schema();
   }
 });
-// src/cloud/credential-store.ts
-var credential_store_exports = {};
-__export(credential_store_exports, {
-  KEYCHAIN_LOCATION: () => KEYCHAIN_LOCATION,
-  credentialPath: () => credentialPath,
-  readStoredCredential: () => readStoredCredential,
-  writeStoredCredential: () => writeStoredCredential
-});
-import { homedir as homedir3 } from "node:os";
-import { join as join5, dirname as dirname4 } from "node:path";
-import {
-  existsSync as existsSync3,
-  mkdirSync as mkdirSync2,
-  readFileSync as readFileSync5,
-  writeFileSync as writeFileSync2,
-  chmodSync as chmodSync2,
-  rmSync
-} from "node:fs";
-function credentialPath(env = process.env) {
-  const override = env["VO_MCP_CREDENTIALS_PATH"]?.trim();
-  if (override) return override;
-  return join5(homedir3(), ".config", "vo-mcp", "credentials.json");
-}
-function keychainEnabled(env, keychain) {
-  const disabled = (env["VO_MCP_DISABLE_KEYCHAIN"] ?? "").trim().toLowerCase();
-  if (disabled === "1" || disabled === "true" || disabled === "yes") return false;
-  return keychain.available();
-}
-function deserialize(raw) {
-  try {
-    const parsed = JSON.parse(raw);
-    const refresh = typeof parsed.refresh_token === "string" ? parsed.refresh_token.trim() : "";
-    const apiKey = typeof parsed.api_key === "string" ? parsed.api_key.trim() : "";
-    const voCred = typeof parsed.vo_credential === "string" ? parsed.vo_credential.trim() : "";
-    if (!voCred && (!refresh || !apiKey)) return null;
-    return {
-      ...refresh ? { refresh_token: refresh } : {},
-      ...apiKey ? { api_key: apiKey } : {},
-      ...voCred ? { vo_credential: voCred } : {},
-      ...typeof parsed.vo_credential_expires_at === "string" ? { vo_credential_expires_at: parsed.vo_credential_expires_at } : {},
-      ...typeof parsed.email === "string" ? { email: parsed.email } : {},
-      ...typeof parsed.stored_at === "string" ? { stored_at: parsed.stored_at } : {}
-    };
-  } catch {
-    return null;
-  }
-}
-function readFromFile(env) {
-  try {
-    const p = credentialPath(env);
-    if (!existsSync3(p)) return null;
-    return deserialize(readFileSync5(p, "utf8"));
-  } catch {
-    return null;
-  }
-}
-function readStoredCredential(env = process.env, keychain = realKeychain) {
-  if (keychainEnabled(env, keychain)) {
-    const raw = keychain.get();
-    const fromKeychain = raw ? deserialize(raw) : null;
-    if (fromKeychain) return fromKeychain;
-  }
-  return readFromFile(env);
-}
-function deleteFile(env) {
-  try {
-    rmSync(credentialPath(env), { force: true });
-  } catch {
-  }
-}
-function writeToFile(payload, env) {
-  const p = credentialPath(env);
-  mkdirSync2(dirname4(p), { recursive: true });
-  writeFileSync2(p, `${JSON.stringify(payload, null, 2)}
-`, { mode: 384 });
-  try {
-    chmodSync2(p, 384);
-  } catch {
-  }
-  return p;
-}
-function writeStoredCredential(cred, storedAt, env = process.env, keychain = realKeychain) {
-  const payload = {
-    ...cred.refresh_token ? { refresh_token: cred.refresh_token } : {},
-    ...cred.api_key ? { api_key: cred.api_key } : {},
-    ...cred.vo_credential ? { vo_credential: cred.vo_credential } : {},
-    ...cred.vo_credential_expires_at ? { vo_credential_expires_at: cred.vo_credential_expires_at } : {},
-    ...cred.email ? { email: cred.email } : {},
-    stored_at: cred.stored_at ?? storedAt
-  };
-  if (keychainEnabled(env, keychain) && keychain.set(JSON.stringify(payload))) {
-    deleteFile(env);
-    return KEYCHAIN_LOCATION;
-  }
-  const p = writeToFile(payload, env);
-  if (keychainEnabled(env, keychain)) keychain.delete();
-  return p;
-}
-var realKeychain, KEYCHAIN_LOCATION;
-var init_credential_store = __esm({
-  "src/cloud/credential-store.ts"() {
-    "use strict";
-    init_keychain();
-    realKeychain = {
-      available: keychainAvailable,
-      get: keychainGet,
-      set: keychainSet,
-      delete: keychainDelete
-    };
-    KEYCHAIN_LOCATION = 'OS keychain (service "vo-mcp")';
-  }
-});
-// src/cli.ts
-import { homedir as homedir6, hostname } from "node:os";
-import { join as join8 } from "node:path";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-// src/server.ts
-import { randomUUID as randomUUID2 } from "node:crypto";
-import { Server } from "@modelcontextprotocol/sdk/server/index.js";
-import {
-  CallToolRequestSchema,
-  ListToolsRequestSchema
-} from "@modelcontextprotocol/sdk/types.js";
-// src/tools/common.ts
-import { createHash as createHash2, randomUUID } from "node:crypto";
-import { readFileSync as readFileSync4 } from "node:fs";
-import { dirname as dirname3, join as join4 } from "node:path";
-import { fileURLToPath as fileURLToPath2 } from "node:url";
-import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
-// src/logging/events-writer.ts
-import {
-  appendFileSync,
-  chmodSync,
-  mkdirSync,
-  readdirSync as readdirSync2,
-  readFileSync as readFileSync3,
-  statSync as statSync2,
-  unlinkSync,
-  writeFileSync
-} from "node:fs";
-import { homedir as homedir2 } from "node:os";
-import { basename, dirname as dirname2, join as join3 } from "node:path";
-import { gzipSync } from "node:zlib";
-// ../vo-arch-defaults/src/schema/rule-v1.ts
-import { z } from "zod";
-var EvidenceMatcherKind = z.enum([
-  "regex",
-  "import-detector",
-  "package-json-field",
-  "file-size",
-  "ast-pattern",
-  "custom"
-]);
-var EvidenceMatcher = z.object({
-  kind: EvidenceMatcherKind,
-  pattern: z.string().optional(),
-  config: z.record(z.string(), z.unknown()).optional(),
-  description: z.string().min(1)
-}).strict().refine(
-  (m) => m.kind !== "regex" || typeof m.pattern === "string" && m.pattern.length > 0,
-  { message: "regex matcher requires non-empty pattern" }
-);
-var ChangeType = z.enum(["new-file", "edit", "delete", "rename", "any"]);
-var AppliesWhen = z.object({
-  stack: z.array(z.string().min(1)).optional(),
-  change_types: z.array(ChangeType).optional(),
-  file_globs: z.array(z.string().min(1)).optional(),
-  not_file_globs: z.array(z.string().min(1)).optional()
-}).strict();
-var Reference = z.object({
-  type: z.enum(["framework-doc", "internal-doc", "pr", "incident", "external"]),
-  url: z.string().min(1),
-  description: z.string().min(1)
-}).strict();
-var IsoDate = z.string().regex(/^\d{4}-\d{2}-\d{2}$/, "last_verified must be ISO date YYYY-MM-DD").refine((s) => {
-  const d = /* @__PURE__ */ new Date(s + "T00:00:00Z");
-  return !Number.isNaN(d.getTime()) && d.toISOString().startsWith(s);
-}, "last_verified must be a real calendar date");
-var RuleId = z.string().regex(/^[a-z][a-z0-9-]*\/[a-z][a-z0-9-]*$/, {
-  message: "rule_id must be `<category>/<kebab-name>`"
-});
-var ArchitecturalDefaultRuleSchema = z.object({
-  schema_version: z.literal(1),
-  rule_id: RuleId,
-  rule_version: z.number().int().positive(),
-  category: z.string().min(1),
-  severity: z.enum(["blocker", "warning", "info"]),
-  title: z.string().min(1),
-  rationale: z.string().min(1),
-  applies_when: AppliesWhen,
-  evidence_of_violation: z.array(EvidenceMatcher).min(1, {
-    message: "rule must declare at least one evidence matcher"
-  }),
-  remediation: z.string().min(1),
-  references: z.array(Reference),
-  last_verified: IsoDate,
-  tags: z.array(z.string().min(1))
-}).strict();
-function parseRule(input) {
-  return ArchitecturalDefaultRuleSchema.parse(input);
-}
-// ../vo-arch-defaults/src/schema/override-v1.ts
-import { z as z2 } from "zod";
-var PartialRuleSchema = ArchitecturalDefaultRuleSchema.partial();
-var TenantOverrideSchema = z2.object({
-  schema_version: z2.literal(1),
-  suppressed_rule_ids: z2.array(z2.string().min(1)),
-  modified_rules: z2.record(z2.string().min(1), PartialRuleSchema),
-  added_rules: z2.array(ArchitecturalDefaultRuleSchema),
-  /**
-   * Per-tenant stack override (added 2026-05-24 — audit HIGH
-   * "DEFAULT_STACK hardcoded for Nexus repo"). When set, downstream
-   * consumers (vo-mcp KB pre-filter, vo-arch-check CLI) use this list
-   * instead of their built-in default. Lets external tenants whose
-   * repo isn't `firebase+react+pnpm` get useful KB rule matches by
-   * dropping a `~/.claude/vo-arch-defaults.local.json` with their own
-   * stack identifiers — no code change required.
-   *
-   * Open string union — values are not constrained beyond non-empty
-   * strings so out-of-tree tenants can declare their own
-   * (e.g. `vercel-edge`, `next-15`, `drizzle-postgres`).
-   *
-   * Optional. Undefined / omitted preserves pre-2026-05-24 behavior
-   * (consumer falls back to its hardcoded default stack).
-   */
-  tenant_stack: z2.array(z2.string().min(1)).optional()
-}).strict();
-function parseOverride(input) {
-  return TenantOverrideSchema.parse(input);
-}
-// ../vo-arch-defaults/src/storage/load-bundled.ts
-import { readdirSync, readFileSync, statSync, existsSync } from "node:fs";
-import { dirname, join } from "node:path";
-import { fileURLToPath } from "node:url";
-function resolveBundledCorpusDir() {
-  const here = dirname(fileURLToPath(import.meta.url));
-  const candidates = [
-    join(here, "..", "corpus"),
-    // dist/corpus next to dist/storage
-    join(here, "..", "..", "corpus")
-    // src/corpus next to src/storage (under vitest)
-  ];
-  for (const c of candidates) {
-    if (existsSync(c) && statSync(c).isDirectory()) return c;
-  }
-  throw new Error(
-    `vo-arch-defaults: could not locate bundled corpus directory. Tried: ${candidates.join(", ")}`
-  );
-}
-function walkJson(dir, out) {
-  for (const entry of readdirSync(dir)) {
-    const full = join(dir, entry);
-    const st = statSync(full);
-    if (st.isDirectory()) {
-      walkJson(full, out);
-    } else if (entry.endsWith(".json")) {
-      out.push(full);
-    }
-  }
-}
-function loadBundledCorpus(opts = {}) {
-  const dir = opts.corpusDir ?? resolveBundledCorpusDir();
-  const files = [];
-  walkJson(dir, files);
-  files.sort();
-  const rules = [];
-  const seenIds = /* @__PURE__ */ new Set();
-  for (const file of files) {
-    const raw = readFileSync(file, "utf8");
-    let parsed;
-    try {
-      parsed = JSON.parse(raw);
-    } catch (err) {
-      const m = err instanceof Error ? err.message : String(err);
-      throw new Error(`vo-arch-defaults: invalid JSON in ${file}: ${m}`, { cause: err });
-    }
-    try {
-      const rule = parseRule(parsed);
-      if (seenIds.has(rule.rule_id)) {
-        throw new Error(
-          `vo-arch-defaults: duplicate rule_id '${rule.rule_id}' (second occurrence in ${file})`
-        );
-      }
-      seenIds.add(rule.rule_id);
-      rules.push(rule);
-    } catch (err) {
-      const m = err instanceof Error ? err.message : String(err);
-      throw new Error(`vo-arch-defaults: schema validation failed for ${file}: ${m}`, { cause: err });
-    }
-  }
-  return { rules, source_paths: files };
-}
-// ../vo-arch-defaults/src/storage/load-override.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "node:fs";
-import { homedir } from "node:os";
-import { join as join2 } from "node:path";
-function defaultOverridePath() {
-  return join2(homedir(), ".claude", "vo-arch-defaults.local.json");
-}
-function loadTenantOverride(opts = {}) {
-  const path3 = opts.path ?? defaultOverridePath();
-  if (!existsSync2(path3)) {
-    return { override: null, source_path: null };
-  }
-  const raw = readFileSync2(path3, "utf8");
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch (err) {
-    const m = err instanceof Error ? err.message : String(err);
-    throw new Error(`vo-arch-defaults: invalid JSON in override ${path3}: ${m}`, { cause: err });
-  }
-  try {
-    const override = parseOverride(parsed);
-    return { override, source_path: path3 };
-  } catch (err) {
-    const m = err instanceof Error ? err.message : String(err);
-    throw new Error(`vo-arch-defaults: override schema validation failed for ${path3}: ${m}`, { cause: err });
-  }
-}
 // ../vo-arch-defaults/src/storage/merge.ts
-var IMMUTABLE_FIELDS = [
-  "schema_version",
-  "rule_id"
-];
 function applyModification(base, patch) {
   const cleanPatch = { ...patch };
   for (const k of IMMUTABLE_FIELDS) {
@@ -560,6 +282,16 @@ function mergeCorpusWithOverride(bundled, override) {
     added_count: addedCount
   };
 }
+var IMMUTABLE_FIELDS;
+var init_merge = __esm({
+  "../vo-arch-defaults/src/storage/merge.ts"() {
+    "use strict";
+    IMMUTABLE_FIELDS = [
+      "schema_version",
+      "rule_id"
+    ];
+  }
+});
 // ../vo-arch-defaults/src/query/applies-to-stack.ts
 function appliesToStack(rule, stacks) {
@@ -572,6 +304,11 @@ function appliesToStack(rule, stacks) {
   }
   return false;
 }
+var init_applies_to_stack = __esm({
+  "../vo-arch-defaults/src/query/applies-to-stack.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/query/applies-to-change.ts
 function appliesToChangeType(rule, changeType) {
@@ -581,9 +318,13 @@ function appliesToChangeType(rule, changeType) {
   if (changeType === "any") return true;
   return required.includes(changeType);
 }
+var init_applies_to_change = __esm({
+  "../vo-arch-defaults/src/query/applies-to-change.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/query/glob.ts
-var REGEX_META = /[.+^${}()|[\]\\]/g;
 function globToRegExp(glob) {
   let out = "";
   let i = 0;
@@ -636,6 +377,13 @@ function matchesAnyGlob(path3, globs) {
   }
   return false;
 }
+var REGEX_META;
+var init_glob = __esm({
+  "../vo-arch-defaults/src/query/glob.ts"() {
+    "use strict";
+    REGEX_META = /[.+^${}()|[\]\\]/g;
+  }
+});
 // ../vo-arch-defaults/src/query/applies-to-files.ts
 function appliesToFiles(rule, filePaths) {
@@ -656,8 +404,14 @@ function appliesToFiles(rule, filePaths) {
   }
   return false;
 }
-// ../vo-arch-defaults/src/analyze/diff-parser.ts
+var init_applies_to_files = __esm({
+  "../vo-arch-defaults/src/query/applies-to-files.ts"() {
+    "use strict";
+    init_glob();
+  }
+});
+// ../vo-arch-defaults/src/analyze/diff-parser.ts
 function stripPathPrefix(p) {
   if (p.startsWith("a/") || p.startsWith("b/")) return p.slice(2);
   return p;
@@ -727,9 +481,13 @@ function parseUnifiedDiff(text) {
   }
   return { files };
 }
+var init_diff_parser = __esm({
+  "../vo-arch-defaults/src/analyze/diff-parser.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/analyze/evidence-matchers/regex-matcher.ts
-var MAX_EXCERPT = 200;
 function sanitizeLine(s) {
   let out = s.replace(/^\s+/, "");
   if (out.length > MAX_EXCERPT) out = out.slice(0, MAX_EXCERPT) + "\u2026";
@@ -757,12 +515,15 @@ function runRegexMatcher(matcher, file) {
   }
   return hits;
 }
+var MAX_EXCERPT;
+var init_regex_matcher = __esm({
+  "../vo-arch-defaults/src/analyze/evidence-matchers/regex-matcher.ts"() {
+    "use strict";
+    MAX_EXCERPT = 200;
+  }
+});
 // ../vo-arch-defaults/src/analyze/evidence-matchers/import-detector.ts
-var STATIC_IMPORT = /import\s+(?:[^'"\n]{0,200}?from\s+)?(['"])([^'"]+)\1/;
-var DYNAMIC_IMPORT = /import\(\s*(['"])([^'"]+)\1\s*\)/;
-var REQUIRE_CALL = /require\(\s*(['"])([^'"]+)\1\s*\)/;
-var MAX_EXCERPT2 = 200;
 function sanitize(s) {
   let out = s.replace(/^\s+/, "");
   if (out.length > MAX_EXCERPT2) out = out.slice(0, MAX_EXCERPT2) + "\u2026";
@@ -807,6 +568,16 @@ function runImportDetector(matcher, file) {
   }
   return hits;
 }
+var STATIC_IMPORT, DYNAMIC_IMPORT, REQUIRE_CALL, MAX_EXCERPT2;
+var init_import_detector = __esm({
+  "../vo-arch-defaults/src/analyze/evidence-matchers/import-detector.ts"() {
+    "use strict";
+    STATIC_IMPORT = /import\s+(?:[^'"\n]{0,200}?from\s+)?(['"])([^'"]+)\1/;
+    DYNAMIC_IMPORT = /import\(\s*(['"])([^'"]+)\1\s*\)/;
+    REQUIRE_CALL = /require\(\s*(['"])([^'"]+)\1\s*\)/;
+    MAX_EXCERPT2 = 200;
+  }
+});
 // ../vo-arch-defaults/src/analyze/evidence-matchers/file-size.ts
 function runFileSizeMatcher(matcher, file) {
@@ -827,6 +598,11 @@ function runFileSizeMatcher(matcher, file) {
     }
   ];
 }
+var init_file_size = __esm({
+  "../vo-arch-defaults/src/analyze/evidence-matchers/file-size.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/analyze/evidence-matchers/package-json.ts
 function valueMatches(value, cfg) {
@@ -867,6 +643,11 @@ function runPackageJsonMatcher(matcher, file) {
   }
   return hits;
 }
+var init_package_json = __esm({
+  "../vo-arch-defaults/src/analyze/evidence-matchers/package-json.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/analyze/evidence-matchers/index.ts
 function runEvidenceMatcher(matcher, file) {
@@ -886,9 +667,17 @@ function runEvidenceMatcher(matcher, file) {
       return [];
   }
 }
+var init_evidence_matchers = __esm({
+  "../vo-arch-defaults/src/analyze/evidence-matchers/index.ts"() {
+    "use strict";
+    init_regex_matcher();
+    init_import_detector();
+    init_file_size();
+    init_package_json();
+  }
+});
 // ../vo-arch-defaults/src/query/staleness.ts
-var DEFAULT_STALENESS_THRESHOLD_DAYS = 365;
 function computeStaleRules(rules, opts = {}) {
   const threshold = opts.thresholdDays ?? DEFAULT_STALENESS_THRESHOLD_DAYS;
   if (!Number.isFinite(threshold)) return [];
@@ -912,6 +701,13 @@ function computeStaleRules(rules, opts = {}) {
   out.sort((a, b) => b.days_stale - a.days_stale);
   return out;
 }
+var DEFAULT_STALENESS_THRESHOLD_DAYS;
+var init_staleness = __esm({
+  "../vo-arch-defaults/src/query/staleness.ts"() {
+    "use strict";
+    DEFAULT_STALENESS_THRESHOLD_DAYS = 365;
+  }
+});
 // ../vo-arch-defaults/src/query/run-query.ts
 function findApplicableRules(input, opts = {}) {
@@ -970,9 +766,28 @@ function findApplicableRules(input, opts = {}) {
     stale_rules
   };
 }
+var init_run_query = __esm({
+  "../vo-arch-defaults/src/query/run-query.ts"() {
+    "use strict";
+    init_load_bundled();
+    init_load_override();
+    init_merge();
+    init_applies_to_stack();
+    init_applies_to_change();
+    init_applies_to_files();
+    init_diff_parser();
+    init_evidence_matchers();
+    init_staleness();
+  }
+});
 // ../vo-arch-defaults/src/query/corpus-version.ts
 import { createHash } from "node:crypto";
+var init_corpus_version = __esm({
+  "../vo-arch-defaults/src/query/corpus-version.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/query/resolve-stack.ts
 function resolveStack(override, fallback) {
@@ -981,9 +796,13 @@ function resolveStack(override, fallback) {
   }
   return fallback;
 }
+var init_resolve_stack = __esm({
+  "../vo-arch-defaults/src/query/resolve-stack.ts"() {
+    "use strict";
+  }
+});
 // ../vo-arch-defaults/src/pii-sanitize.ts
-var SANITIZE_DEFAULT_MAX_LEN = 200;
 function sanitizeExcerpt(raw, maxLen = SANITIZE_DEFAULT_MAX_LEN) {
   let s = raw;
   s = s.replace(/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{5,}/g, "[REDACTED_JWT]");
@@ -999,10 +818,49 @@ function sanitizeExcerpt(raw, maxLen = SANITIZE_DEFAULT_MAX_LEN) {
   if (s.length > maxLen) s = s.slice(0, maxLen) + "\u2026";
   return s;
 }
+var SANITIZE_DEFAULT_MAX_LEN;
+var init_pii_sanitize = __esm({
+  "../vo-arch-defaults/src/pii-sanitize.ts"() {
+    "use strict";
+    SANITIZE_DEFAULT_MAX_LEN = 200;
+  }
+});
+// ../vo-arch-defaults/src/index.ts
+var init_src = __esm({
+  "../vo-arch-defaults/src/index.ts"() {
+    init_schema();
+    init_load_bundled();
+    init_load_override();
+    init_merge();
+    init_applies_to_stack();
+    init_applies_to_change();
+    init_applies_to_files();
+    init_run_query();
+    init_glob();
+    init_corpus_version();
+    init_resolve_stack();
+    init_staleness();
+    init_diff_parser();
+    init_evidence_matchers();
+    init_pii_sanitize();
+  }
+});
 // src/logging/events-writer.ts
-var DEFAULT_EVENTS_MAX_BYTES = 50 * 1024 * 1024;
-var DEFAULT_EVENTS_KEEP_ROTATED = 10;
+import {
+  appendFileSync,
+  chmodSync,
+  mkdirSync,
+  readdirSync as readdirSync2,
+  readFileSync as readFileSync3,
+  statSync as statSync2,
+  unlinkSync,
+  writeFileSync
+} from "node:fs";
+import { homedir as homedir2 } from "node:os";
+import { basename, dirname as dirname2, join as join3 } from "node:path";
+import { gzipSync } from "node:zlib";
 function defaultEventsPath() {
   const envPath = process.env["VO_MCP_EVENTS_PATH"];
   if (envPath && envPath.length > 0) return envPath;
@@ -1109,19 +967,38 @@ function createFileEventsWriter(opts = {}) {
     }
   };
 }
+var DEFAULT_EVENTS_MAX_BYTES, DEFAULT_EVENTS_KEEP_ROTATED;
+var init_events_writer = __esm({
+  "src/logging/events-writer.ts"() {
+    "use strict";
+    init_src();
+    DEFAULT_EVENTS_MAX_BYTES = 50 * 1024 * 1024;
+    DEFAULT_EVENTS_KEEP_ROTATED = 10;
+  }
+});
 // src/tools/common.ts
+import { createHash as createHash2, randomUUID } from "node:crypto";
+import { readFileSync as readFileSync4 } from "node:fs";
+import { dirname as dirname3, join as join4 } from "node:path";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
 function readVoMcpVersion() {
   try {
     const here = dirname3(fileURLToPath2(import.meta.url));
-    const pkgPath = join4(here, "..", "..", "package.json");
-    const pkg = JSON.parse(readFileSync4(pkgPath, "utf8"));
-    return typeof pkg.version === "string" ? pkg.version : "0.0.0-unknown";
+    for (const rel of ["..", ["..", ".."], ["..", "..", ".."]]) {
+      try {
+        const segs = Array.isArray(rel) ? rel : [rel];
+        const pkg = JSON.parse(readFileSync4(join4(here, ...segs, "package.json"), "utf8"));
+        if (pkg.name === "@algosuite/vo-mcp" && typeof pkg.version === "string") return pkg.version;
+      } catch {
+      }
+    }
+    return "0.0.0-unknown";
   } catch {
     return "0.0.0-unknown";
   }
 }
-var VO_MCP_VERSION = readVoMcpVersion();
 function bytesOf(s) {
   return Buffer.byteLength(s, "utf8");
 }
@@ -1209,6 +1086,521 @@ function toEventSynthesizedVerdict(src) {
     reasoning_excerpt: sanitizeExcerpt(src.reasoning_excerpt)
   };
 }
+var VO_MCP_VERSION;
+var init_common = __esm({
+  "src/tools/common.ts"() {
+    "use strict";
+    init_events_writer();
+    VO_MCP_VERSION = readVoMcpVersion();
+  }
+});
+// src/cloud/auth-token-source.ts
+var auth_token_source_exports = {};
+__export(auth_token_source_exports, {
+  FIREBASE_SECURETOKEN_URL: () => FIREBASE_SECURETOKEN_URL,
+  FIREBASE_TOKEN_REFERER: () => FIREBASE_TOKEN_REFERER,
+  createAuthTokenSourceFromEnv: () => createAuthTokenSourceFromEnv,
+  createFirebaseRefreshTokenSource: () => createFirebaseRefreshTokenSource,
+  createStaticTokenSource: () => createStaticTokenSource
+});
+function createStaticTokenSource(token, kind = "admin-token") {
+  const value = token.trim();
+  return { kind, getToken: async () => value.length > 0 ? value : null };
+}
+function createFirebaseRefreshTokenSource(opts) {
+  const refreshToken = opts.refreshToken.trim();
+  const apiKey = opts.apiKey.trim();
+  const now = opts.now ?? (() => Date.now());
+  const fetchFn = opts.fetchFn ?? globalThis.fetch;
+  let cachedToken = null;
+  let expiresAtMs = 0;
+  let inFlight = null;
+  async function refresh() {
+    try {
+      const res = await fetchFn(`${FIREBASE_SECURETOKEN_URL}?key=${encodeURIComponent(apiKey)}`, {
+        method: "POST",
+        headers: {
+          "content-type": "application/x-www-form-urlencoded",
+          referer: FIREBASE_TOKEN_REFERER
+        },
+        body: `grant_type=refresh_token&refresh_token=${encodeURIComponent(refreshToken)}`
+      });
+      const text = await res.text();
+      if (res.status < 200 || res.status >= 300) {
+        cachedToken = null;
+        return null;
+      }
+      const parsed = JSON.parse(text);
+      const idToken = typeof parsed.id_token === "string" ? parsed.id_token : "";
+      if (!idToken) {
+        cachedToken = null;
+        return null;
+      }
+      const expiresInSec = Number(parsed.expires_in);
+      const ttlMs = Number.isFinite(expiresInSec) && expiresInSec > 0 ? expiresInSec * 1e3 : 36e5;
+      cachedToken = idToken;
+      expiresAtMs = now() + ttlMs;
+      return idToken;
+    } catch {
+      cachedToken = null;
+      return null;
+    }
+  }
+  return {
+    kind: "firebase-refresh",
+    async getToken() {
+      if (cachedToken && now() < expiresAtMs - REFRESH_SKEW_MS) return cachedToken;
+      if (!inFlight) {
+        inFlight = refresh().finally(() => {
+          inFlight = null;
+        });
+      }
+      return inFlight;
+    }
+  };
+}
+function createAuthTokenSourceFromEnv(env = process.env, fetchFn, readStoredCred = () => null) {
+  const refreshToken = env["VO_USER_REFRESH_TOKEN"]?.trim();
+  const apiKey = env["VO_FIREBASE_API_KEY"]?.trim();
+  const idToken = env["VO_USER_ID_TOKEN"]?.trim();
+  const adminToken = env["VO_CONTROL_PLANE_ADMIN_TOKEN"]?.trim();
+  if (refreshToken || apiKey) {
+    if (!refreshToken || !apiKey) {
+      throw new Error(
+        "Per-user refresh auth requires BOTH VO_USER_REFRESH_TOKEN and VO_FIREBASE_API_KEY"
+      );
+    }
+    return createFirebaseRefreshTokenSource({
+      refreshToken,
+      apiKey,
+      ...fetchFn ? { fetchFn } : {}
+    });
+  }
+  if (idToken) return createStaticTokenSource(idToken, "firebase-id-token");
+  const stored = readStoredCred();
+  if (stored?.vo_credential && stored.vo_credential.trim()) {
+    return createStaticTokenSource(stored.vo_credential.trim(), "vo-credential");
+  }
+  if (stored && stored.refresh_token?.trim() && stored.api_key?.trim()) {
+    return createFirebaseRefreshTokenSource({
+      refreshToken: stored.refresh_token.trim(),
+      apiKey: stored.api_key.trim(),
+      ...fetchFn ? { fetchFn } : {}
+    });
+  }
+  if (adminToken) return createStaticTokenSource(adminToken, "admin-token");
+  return null;
+}
+var FIREBASE_SECURETOKEN_URL, FIREBASE_TOKEN_REFERER, REFRESH_SKEW_MS;
+var init_auth_token_source = __esm({
+  "src/cloud/auth-token-source.ts"() {
+    "use strict";
+    FIREBASE_SECURETOKEN_URL = "https://securetoken.googleapis.com/v1/token";
+    FIREBASE_TOKEN_REFERER = "https://algosuite.ai/";
+    REFRESH_SKEW_MS = 6e4;
+  }
+});
+// src/cloud/keychain.ts
+import { createRequire } from "node:module";
+function loadKeyring() {
+  if (cached !== void 0) return cached;
+  try {
+    const req = createRequire(import.meta.url);
+    const mod = req("@napi-rs/keyring");
+    cached = mod && typeof mod.Entry === "function" ? mod : null;
+  } catch {
+    cached = null;
+  }
+  return cached;
+}
+function keychainAvailable() {
+  return loadKeyring() !== null;
+}
+function keychainGet() {
+  const k = loadKeyring();
+  if (!k) return null;
+  try {
+    return new k.Entry(SERVICE, ACCOUNT).getPassword();
+  } catch {
+    return null;
+  }
+}
+function keychainSet(secret) {
+  const k = loadKeyring();
+  if (!k) return false;
+  try {
+    new k.Entry(SERVICE, ACCOUNT).setPassword(secret);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function keychainDelete() {
+  const k = loadKeyring();
+  if (!k) return false;
+  try {
+    return new k.Entry(SERVICE, ACCOUNT).deletePassword();
+  } catch {
+    return false;
+  }
+}
+var SERVICE, ACCOUNT, cached;
+var init_keychain = __esm({
+  "src/cloud/keychain.ts"() {
+    "use strict";
+    SERVICE = "vo-mcp";
+    ACCOUNT = "refresh-credential";
+  }
+});
+// src/cloud/credential-store.ts
+var credential_store_exports = {};
+__export(credential_store_exports, {
+  KEYCHAIN_LOCATION: () => KEYCHAIN_LOCATION,
+  credentialPath: () => credentialPath,
+  readStoredCredential: () => readStoredCredential,
+  writeStoredCredential: () => writeStoredCredential
+});
+import { homedir as homedir3 } from "node:os";
+import { join as join5, dirname as dirname4 } from "node:path";
+import {
+  existsSync as existsSync3,
+  mkdirSync as mkdirSync2,
+  readFileSync as readFileSync5,
+  writeFileSync as writeFileSync2,
+  chmodSync as chmodSync2,
+  rmSync
+} from "node:fs";
+function credentialPath(env = process.env) {
+  const override = env["VO_MCP_CREDENTIALS_PATH"]?.trim();
+  if (override) return override;
+  return join5(homedir3(), ".config", "vo-mcp", "credentials.json");
+}
+function keychainEnabled(env, keychain) {
+  const disabled = (env["VO_MCP_DISABLE_KEYCHAIN"] ?? "").trim().toLowerCase();
+  if (disabled === "1" || disabled === "true" || disabled === "yes") return false;
+  return keychain.available();
+}
+function deserialize(raw) {
+  try {
+    const parsed = JSON.parse(raw);
+    const refresh = typeof parsed.refresh_token === "string" ? parsed.refresh_token.trim() : "";
+    const apiKey = typeof parsed.api_key === "string" ? parsed.api_key.trim() : "";
+    const voCred = typeof parsed.vo_credential === "string" ? parsed.vo_credential.trim() : "";
+    if (!voCred && (!refresh || !apiKey)) return null;
+    return {
+      ...refresh ? { refresh_token: refresh } : {},
+      ...apiKey ? { api_key: apiKey } : {},
+      ...voCred ? { vo_credential: voCred } : {},
+      ...typeof parsed.vo_credential_expires_at === "string" ? { vo_credential_expires_at: parsed.vo_credential_expires_at } : {},
+      ...typeof parsed.email === "string" ? { email: parsed.email } : {},
+      ...typeof parsed.stored_at === "string" ? { stored_at: parsed.stored_at } : {}
+    };
+  } catch {
+    return null;
+  }
+}
+function readFromFile(env) {
+  try {
+    const p = credentialPath(env);
+    if (!existsSync3(p)) return null;
+    return deserialize(readFileSync5(p, "utf8"));
+  } catch {
+    return null;
+  }
+}
+function readStoredCredential(env = process.env, keychain = realKeychain) {
+  if (keychainEnabled(env, keychain)) {
+    const raw = keychain.get();
+    const fromKeychain = raw ? deserialize(raw) : null;
+    if (fromKeychain) return fromKeychain;
+  }
+  return readFromFile(env);
+}
+function deleteFile(env) {
+  try {
+    rmSync(credentialPath(env), { force: true });
+  } catch {
+  }
+}
+function writeToFile(payload, env) {
+  const p = credentialPath(env);
+  mkdirSync2(dirname4(p), { recursive: true });
+  writeFileSync2(p, `${JSON.stringify(payload, null, 2)}
+`, { mode: 384 });
+  try {
+    chmodSync2(p, 384);
+  } catch {
+  }
+  return p;
+}
+function writeStoredCredential(cred, storedAt, env = process.env, keychain = realKeychain) {
+  const payload = {
+    ...cred.refresh_token ? { refresh_token: cred.refresh_token } : {},
+    ...cred.api_key ? { api_key: cred.api_key } : {},
+    ...cred.vo_credential ? { vo_credential: cred.vo_credential } : {},
+    ...cred.vo_credential_expires_at ? { vo_credential_expires_at: cred.vo_credential_expires_at } : {},
+    ...cred.email ? { email: cred.email } : {},
+    stored_at: cred.stored_at ?? storedAt
+  };
+  if (keychainEnabled(env, keychain) && keychain.set(JSON.stringify(payload))) {
+    deleteFile(env);
+    return KEYCHAIN_LOCATION;
+  }
+  const p = writeToFile(payload, env);
+  if (keychainEnabled(env, keychain)) keychain.delete();
+  return p;
+}
+var realKeychain, KEYCHAIN_LOCATION;
+var init_credential_store = __esm({
+  "src/cloud/credential-store.ts"() {
+    "use strict";
+    init_keychain();
+    realKeychain = {
+      available: keychainAvailable,
+      get: keychainGet,
+      set: keychainSet,
+      delete: keychainDelete
+    };
+    KEYCHAIN_LOCATION = 'OS keychain (service "vo-mcp")';
+  }
+});
+// src/tools/memory/sync-config.ts
+var sync_config_exports = {};
+__export(sync_config_exports, {
+  TOOL_NAME: () => TOOL_NAME22,
+  deriveProjectSlug: () => deriveProjectSlug,
+  description: () => description22,
+  getMemoryDir: () => getMemoryDir,
+  handleSyncConfig: () => handleSyncConfig,
+  inputSchema: () => inputSchema22,
+  isNoopSyncReason: () => isNoopSyncReason,
+  runMemorySync: () => runMemorySync
+});
+import { homedir as homedir5 } from "node:os";
+import { join as join7 } from "node:path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync7, writeFileSync as writeFileSync3, readdirSync as readdirSync4 } from "node:fs";
+function isToolInput22(v) {
+  if (typeof v !== "object" || v === null) return false;
+  const o = v;
+  if (o["action"] !== "pull" && o["action"] !== "push") return false;
+  if (o["cwd"] !== void 0 && typeof o["cwd"] !== "string") return false;
+  return true;
+}
+function deriveProjectSlug(cwd) {
+  return cwd.replace(/\\/g, "/").replace(/\/+$/g, "").replace(/^([a-zA-Z]):/, (_m, drive) => `${drive.toUpperCase()}:`).replace(/[^a-zA-Z0-9]/g, "-");
+}
+function getMemoryDir(cwd) {
+  const slug = deriveProjectSlug(cwd);
+  return join7(homedir5(), ".claude", "projects", slug, "memory");
+}
+async function pullMemory(controlPlaneUrl, token, memoryDir, fetchFn) {
+  const url = `${controlPlaneUrl}/api/v1/agent-config/memory/me`;
+  const response = await fetchFn(url, {
+    method: "GET",
+    headers: {
+      authorization: `Bearer ${token}`
+    }
+  });
+  if (response.status !== 200) {
+    const text = await response.text();
+    throw new Error(`GET /api/v1/agent-config/memory/me returned HTTP ${response.status}: ${text.slice(0, 200)}`);
+  }
+  const data = JSON.parse(await response.text());
+  if (!data.ok || !Array.isArray(data.entries)) {
+    throw new Error("GET /api/v1/agent-config/memory/me response missing ok=true or entries array");
+  }
+  mkdirSync4(memoryDir, { recursive: true });
+  const files = [];
+  for (const entry of data.entries) {
+    const filePath = join7(memoryDir, entry.file_name);
+    writeFileSync3(filePath, entry.content, "utf8");
+    files.push(entry.file_name);
+  }
+  return { pulled: data.entries.length, files };
+}
+async function pushMemory(controlPlaneUrl, token, memoryDir, sessionId, fetchFn) {
+  if (!existsSync5(memoryDir)) {
+    return { pushed: 0, created: 0, updated: 0 };
+  }
+  const localFiles = readdirSync4(memoryDir).filter((f) => f.endsWith(".md")).map((f) => ({
+    file_name: f,
+    content: readFileSync7(join7(memoryDir, f), "utf8"),
+    entry_type: f === "MEMORY.md" ? "index" : "topic"
+  }));
+  if (localFiles.length === 0) {
+    return { pushed: 0, created: 0, updated: 0 };
+  }
+  const getUrl = `${controlPlaneUrl}/api/v1/agent-config/memory/me`;
+  const getResponse = await fetchFn(getUrl, {
+    method: "GET",
+    headers: {
+      authorization: `Bearer ${token}`
+    }
+  });
+  const existingMap = /* @__PURE__ */ new Map();
+  if (getResponse.status === 200) {
+    const getData = JSON.parse(await getResponse.text());
+    if (getData.ok && Array.isArray(getData.entries)) {
+      for (const entry of getData.entries) {
+        existingMap.set(entry.file_name, entry.memory_id);
+      }
+    }
+  }
+  let created = 0;
+  let updated = 0;
+  for (const localFile of localFiles) {
+    const memoryId = existingMap.get(localFile.file_name);
+    if (memoryId) {
+      const updateUrl = `${controlPlaneUrl}/api/v1/agent-config/memory/${memoryId}`;
+      const updateBody = {
+        content: localFile.content,
+        session_id: sessionId
+      };
+      const updateResponse = await fetchFn(updateUrl, {
+        method: "PUT",
+        headers: {
+          authorization: `Bearer ${token}`,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify(updateBody)
+      });
+      if (updateResponse.status !== 200) {
+        const text = await updateResponse.text();
+        throw new Error(
+          `PUT /api/v1/agent-config/memory/${memoryId} returned HTTP ${updateResponse.status}: ${text.slice(0, 200)}`
+        );
+      }
+      const updateData = JSON.parse(await updateResponse.text());
+      if (!updateData.ok) {
+        throw new Error(`PUT /api/v1/agent-config/memory/${memoryId} returned ok=false`);
+      }
+      updated++;
+    } else {
+      const createUrl = `${controlPlaneUrl}/api/v1/agent-config/memory/me`;
+      const createBody = {
+        entry_type: localFile.entry_type,
+        file_name: localFile.file_name,
+        content: localFile.content,
+        session_id: sessionId
+      };
+      const createResponse = await fetchFn(createUrl, {
+        method: "POST",
+        headers: {
+          authorization: `Bearer ${token}`,
+          "content-type": "application/json"
+        },
+        body: JSON.stringify(createBody)
+      });
+      if (createResponse.status !== 200 && createResponse.status !== 201) {
+        const text = await createResponse.text();
+        throw new Error(
+          `POST /api/v1/agent-config/memory/me returned HTTP ${createResponse.status}: ${text.slice(0, 200)}`
+        );
+      }
+      const createData = JSON.parse(await createResponse.text());
+      if (!createData.ok) {
+        throw new Error("POST /api/v1/agent-config/memory/me returned ok=false");
+      }
+      created++;
+    }
+  }
+  return { pushed: localFiles.length, created, updated };
+}
+function isNoopSyncReason(reason) {
+  if (!reason) return false;
+  return /not set|No auth configured|Failed to obtain auth token/.test(reason);
+}
+async function runMemorySync(action, cwd, sessionId, fetchFn = globalThis.fetch) {
+  const controlPlaneUrl = process.env["VO_CONTROL_PLANE_URL"];
+  if (!controlPlaneUrl) {
+    return { synced: false, reason: "VO_CONTROL_PLANE_URL not set \u2014 cloud mode disabled" };
+  }
+  const { createAuthTokenSourceFromEnv: createAuthTokenSourceFromEnv2 } = await Promise.resolve().then(() => (init_auth_token_source(), auth_token_source_exports));
+  const { readStoredCredential: readStoredCredential2 } = await Promise.resolve().then(() => (init_credential_store(), credential_store_exports));
+  const tokenSource = createAuthTokenSourceFromEnv2(process.env, fetchFn, () => readStoredCredential2(process.env));
+  if (!tokenSource) {
+    return { synced: false, reason: "No auth configured. Run `vo-mcp login` to authenticate as an operator." };
+  }
+  const token = await tokenSource.getToken();
+  if (!token) {
+    return { synced: false, reason: "Failed to obtain auth token. Run `vo-mcp login` to re-authenticate." };
+  }
+  const memoryDir = getMemoryDir(cwd);
+  const baseUrl = controlPlaneUrl.replace(/\/+$/, "");
+  try {
+    if (action === "pull") {
+      const result2 = await pullMemory(baseUrl, token, memoryDir, fetchFn);
+      return { synced: true, action: "pull", pulled: result2.pulled, files: result2.files, memory_dir: memoryDir };
+    }
+    const result = await pushMemory(baseUrl, token, memoryDir, sessionId, fetchFn);
+    return {
+      synced: true,
+      action: "push",
+      pushed: result.pushed,
+      created: result.created,
+      updated: result.updated,
+      memory_dir: memoryDir
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { synced: false, reason: `Sync failed: ${message}` };
+  }
+}
+async function handleSyncConfig(deps, rawInput, _signal, fetchFn = globalThis.fetch) {
+  if (!isToolInput22(rawInput)) {
+    throw invalidParams(
+      TOOL_NAME22,
+      'invalid input. Required: { action: "pull" | "push" }. Optional: { cwd: "<path>" }.'
+    );
+  }
+  const cwd = rawInput.cwd?.trim() || process.cwd();
+  const result = await runMemorySync(rawInput.action, cwd, deps.session.sessionId, fetchFn);
+  return jsonContent({ tool: TOOL_NAME22, schema_version: 1, payload: result });
+}
+var TOOL_NAME22, inputSchema22, description22;
+var init_sync_config = __esm({
+  "src/tools/memory/sync-config.ts"() {
+    "use strict";
+    init_common();
+    TOOL_NAME22 = "vo_sync_config";
+    inputSchema22 = {
+      type: "object",
+      properties: {
+        action: {
+          type: "string",
+          enum: ["pull", "push"],
+          description: "pull: download cloud memory to local files. push: upload local files to cloud."
+        },
+        cwd: {
+          type: "string",
+          description: "Working directory to derive project slug from (default: process.cwd())."
+        }
+      },
+      required: ["action"],
+      additionalProperties: false
+    };
+    description22 = "Syncs memory entries between local ~/.claude/projects/<slug>/memory/ and cloud control-plane /api/v1/agent-config/memory/me. Requires operator auth (vo-mcp login). Actions: pull (cloud\u2192local), push (local\u2192cloud). Idempotent; push creates/updates as needed.";
+  }
+});
+// src/cli.ts
+import { homedir as homedir6, hostname } from "node:os";
+import { randomUUID as randomUUID5 } from "node:crypto";
+import { join as join8 } from "node:path";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+// src/server.ts
+init_common();
+import { randomUUID as randomUUID2 } from "node:crypto";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import {
+  CallToolRequestSchema,
+  ListToolsRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
 // src/modes/local.ts
 function createLocalMode() {
@@ -1223,6 +1615,7 @@ function createLocalMode() {
 }
 // src/tools/check-assertion-strength.ts
+init_common();
 var TOOL_NAME = "vo_check_assertion_strength";
 var GATE_TYPE = "ratchet";
 var MAX_SOURCE_BYTES = 512 * 1024;
@@ -1319,7 +1712,11 @@ async function handleCheckAssertionStrength(deps, rawInput, _signal) {
   return jsonContent(envelope);
 }
+// src/tools/check-hollow-test.ts
+init_common();
 // src/tools/architecture-review-kb-prefilter.ts
+init_src();
 var DEFAULT_STACK = [
   "node",
   "node-pnpm-monorepo",
@@ -1405,6 +1802,7 @@ function formatRulesForPrompt(hits, truncated, domainLabel = "ARCHITECTURAL") {
 }
 // src/tools/kb-metadata-prefilter.ts
+init_src();
 function findRulesByMetadata(opts) {
   if (opts.category === void 0 && opts.tagsAny === void 0) {
     return {
@@ -1598,6 +1996,7 @@ async function handleCheckHollowTest(deps, rawInput, signal) {
 }
 // src/tools/verify-answer.ts
+init_common();
 var TOOL_NAME3 = "vo_verify_answer";
 var SHALLOW_GATE = "mid-exec-verify";
 var DEEP_GATE = "final-deep-verify";
@@ -1779,6 +2178,9 @@ async function handleVerifyAnswer(deps, rawInput, signal) {
   return jsonContent(envelope);
 }
+// src/tools/consensus-judgment.ts
+init_common();
 // src/consensus/gate-types.ts
 var LEGACY_GATE_TYPES = [
   "test_assertion",
@@ -2036,6 +2438,8 @@ async function handleConsensusJudgment(deps, rawInput, signal) {
     ...engineResult.synthesized_verdict.confidence_badge !== void 0 ? { confidence_badge: engineResult.synthesized_verdict.confidence_badge } : {},
     // Feature 1 (agreement-gate) — fan-out diagnostics (present iff the gate ran).
     ...engineResult.fan_out_diagnostics !== void 0 ? { fan_out_diagnostics: engineResult.fan_out_diagnostics } : {},
+    // Stage A7-shadow — adaptive-vs-incumbent comparison (PII-free; present iff shadow on).
+    ...engineResult.shadow_synthesis !== void 0 ? { shadow_synthesis: engineResult.shadow_synthesis } : {},
     // Source-grounded Tier-4 outputs (present iff the call was source-grounded).
     ...engineResult.source_grounded === true ? { source_grounded: true } : {},
     ...engineResult.citation_grade !== void 0 ? { citation_grade: engineResult.citation_grade } : {},
@@ -2056,6 +2460,8 @@ async function handleConsensusJudgment(deps, rawInput, signal) {
 }
 // src/tools/architecture-review.ts
+init_common();
+init_events_writer();
 var TOOL_NAME5 = "vo_architecture_review";
 var GATE_TYPE3 = "architecture-review";
 var MAX_DIFF_BYTES = 1024 * 1024;
@@ -3300,6 +3706,7 @@ function partitionByAllowlist(findings, allowlist) {
 }
 // src/tools/check-ratchets.ts
+init_common();
 var TOOL_NAME6 = "vo_check_ratchets";
 var GATE_TYPE4 = "ratchet";
 var ALL_RATCHET_IDS = [
@@ -3432,6 +3839,7 @@ function buildSummary(report) {
 }
 // src/tools/decompose-dispatch.ts
+init_common();
 var TOOL_NAME7 = "vo_decompose_dispatch";
 var GATE_TYPE5 = "plan-review";
 var MAX_GOAL_BYTES = 32 * 1024;
@@ -3709,6 +4117,9 @@ Produce the JSON dispatch plan now.`;
   return jsonContent(envelope);
 }
+// src/tools/heal/trigger-heal.ts
+init_common();
 // src/cloud/admin-callable-client.ts
 init_auth_token_source();
 init_credential_store();
@@ -3838,6 +4249,7 @@ function buildAdminCallableClientFromEnv(env = process.env) {
 }
 // src/tools/cloud-call.ts
+init_common();
 var ADMIN_READONLY_GATE_REASON = "admin callables are in read-only mode (VO_ADMIN_CALLABLES_READONLY) \u2014 this write tool is gated to its stub. Unset VO_ADMIN_CALLABLES_READONLY to enable write tools.";
 async function buildCloudOrStubResponse(args) {
   const inputJson = JSON.stringify(args.normalizedInput);
@@ -3911,6 +4323,7 @@ async function buildCloudOrStubResponse(args) {
 }
 // src/tools/heal/common-heal.ts
+init_common();
 var HEAL_STUB_REASON = 'cloud-mode not yet wired; tool surface is live, admin-callable wiring pending vo-cloud-tenant-model dispatch (see packages/vo-mcp/src/modes/cloud.ts + EXTRACTION_AUDIT.md "Stub remaining")';
 var HEAL_GATE_TYPE = "admin-action";
@@ -3970,6 +4383,7 @@ async function handleTriggerHeal(deps, rawInput, _signal) {
 }
 // src/tools/heal/fix-retry.ts
+init_common();
 var TOOL_NAME9 = "vo_fix_retry";
 var MAX_BATCH = 50;
 var ADMIN_PATH_SINGLE = "/api/v1/admin/heal/retry-attempt";
@@ -4062,6 +4476,7 @@ async function handleFixRetry(deps, rawInput, _signal) {
 }
 // src/tools/heal/fix-clear.ts
+init_common();
 var TOOL_NAME10 = "vo_fix_clear";
 var CALLABLE_NAME2 = "voClearFixAttempt";
 var ADMIN_PATH2 = "/api/v1/admin/heal/clear-attempt";
@@ -4105,6 +4520,7 @@ async function handleFixClear(deps, rawInput, _signal) {
 }
 // src/tools/heal/stop-workflow.ts
+init_common();
 var TOOL_NAME11 = "vo_stop_workflow";
 var CALLABLE_NAME3 = "voStopWorkflow";
 var ADMIN_PATH3 = "/api/v1/admin/workflow/stop";
@@ -4160,6 +4576,7 @@ async function handleStopWorkflow(deps, rawInput, _signal) {
 }
 // src/tools/heal/get-workflow-runs.ts
+init_common();
 var TOOL_NAME12 = "vo_get_workflow_runs";
 var CALLABLE_NAME4 = "voGetWorkflowRuns";
 var ADMIN_PATH4 = "/api/v1/admin/workflow/runs";
@@ -4190,7 +4607,11 @@ async function handleGetWorkflowRuns(deps, rawInput, _signal) {
   });
 }
+// src/tools/pr/list-pending-prs.ts
+init_common();
 // src/tools/pr/common-pr.ts
+init_common();
 var PR_STUB_REASON = 'cloud-mode not yet wired; tool surface is live, admin-callable wiring pending vo-cloud-tenant-model dispatch (see packages/vo-mcp/src/modes/cloud.ts + EXTRACTION_AUDIT.md "Stub remaining")';
 var PR_GATE_TYPE = "admin-action";
@@ -4225,6 +4646,7 @@ async function handleListPendingPRs(deps, rawInput, _signal) {
 }
 // src/tools/pr/merge-pr.ts
+init_common();
 var TOOL_NAME14 = "vo_merge_pr";
 var CALLABLE_NAME6 = "voMergePR";
 var ADMIN_PATH6 = "/api/v1/admin/pr/merge";
@@ -4269,6 +4691,7 @@ async function handleMergePR(deps, rawInput, _signal) {
 }
 // src/tools/pr/reject-pr.ts
+init_common();
 var TOOL_NAME15 = "vo_reject_pr";
 var CALLABLE_NAME7 = "voRejectPR";
 var ADMIN_PATH7 = "/api/v1/admin/pr/reject";
@@ -4313,6 +4736,7 @@ async function handleRejectPR(deps, rawInput, _signal) {
 }
 // src/tools/pr/approve-all-fixes.ts
+init_common();
 var TOOL_NAME16 = "vo_approve_all_fixes";
 var CALLABLE_NAME8 = "voApproveAllFixes";
 var ADMIN_PATH8 = "/api/v1/admin/pr/approve-all";
@@ -4341,6 +4765,7 @@ async function handleApproveAllFixes(deps, rawInput, _signal) {
 }
 // src/tools/pr/reject-and-retry.ts
+init_common();
 var TOOL_NAME17 = "vo_reject_and_retry";
 var CALLABLE_NAME9 = "voRejectAndRetry";
 var ADMIN_PATH9 = "/api/v1/admin/pr/reject-retry";
@@ -4385,6 +4810,7 @@ async function handleRejectAndRetry(deps, rawInput, _signal) {
 }
 // src/tools/pr/review-merge.ts
+init_common();
 var TOOL_NAME18 = "vo_review_merge";
 var LIST_PATH = "/api/v1/admin/pr/list";
 var ENGINE_GATE = "final-deep-verify";
@@ -4563,6 +4989,9 @@ async function handleReviewMerge(deps, rawInput, signal) {
   });
 }
+// src/tools/session/report-session-state.ts
+init_common();
 // src/tools/session/directive.ts
 var SESSION_DIRECTIVE_THRESHOLDS = {
   prepare_handoff_pct: 70,
@@ -4644,7 +5073,7 @@ var inputSchema19 = {
   required: ["operator_id", "session_id", "agent_type", "context_used_pct"],
   additionalProperties: false
 };
-var description19 = "Reports per-session context-window utilization to VO and returns a directive: 'continue' (under 70%), 'prepare_handoff' (70-84%), or 'execute_handoff_now' (\u226585%). Implements V1 launch gate #9 (fleet context lifecycle management) per the official VO roadmap. V1 backend is stub-local \u2014 computes the directive purely from `context_used_pct` against the documented thresholds without a network call. Phase 3 wires this to the deployed vo-control-plane HTTP API; the response shape stays stable across the cutover (`backend_mode` field in the payload tells the caller which mode produced the verdict).";
+var description19 = "Reports per-session context-window utilization to VO and returns a directive: 'continue' (under 70%), 'prepare_handoff' (70-84%), or 'execute_handoff_now' (\u226585%). Implements V1 launch gate #9 (fleet context lifecycle management) per the official VO roadmap. Cloud-control-plane mode when VO_CONTROL_PLANE_URL + VO_CONTROL_PLANE_ADMIN_TOKEN + VO_TENANT_ID are set; auto-allocates the session on first report so interactive agents (Claude Code, Cursor, Codex, Continue) appear on the live fleet whiteboard. Stub-local fallback when cloud config is absent or fails. The response shape stays stable across modes (`backend_mode` field in the payload tells the caller which mode produced the verdict).";
 function isStringArray2(v, maxItems) {
   if (!Array.isArray(v)) return false;
   if (v.length > maxItems) return false;
@@ -4672,30 +5101,62 @@ function isToolInput19(v) {
 function getCloudConfig() {
   const url = process.env["VO_CONTROL_PLANE_URL"];
   const token = process.env["VO_CONTROL_PLANE_ADMIN_TOKEN"];
-  if (!url || !token) return null;
-  return { url, token };
+  const tenant_id = process.env["VO_TENANT_ID"];
+  if (!url || !token || !tenant_id) return null;
+  return { url, token, tenant_id };
 }
 async function tryCloudReportState(cloud, input) {
   try {
-    const body = {
+    const reportBody = {
       context_used_pct: input.context_used_pct
     };
-    if (input.current_goal !== void 0) body["current_goal"] = input.current_goal;
+    if (input.current_goal !== void 0) reportBody["current_goal"] = input.current_goal;
     if (input.recent_files_touched !== void 0) {
-      body["recent_files_touched"] = input.recent_files_touched;
+      reportBody["recent_files_touched"] = input.recent_files_touched;
     }
     if (input.recent_tool_uses !== void 0) {
-      body["recent_tool_uses"] = input.recent_tool_uses;
+      reportBody["recent_tool_uses"] = input.recent_tool_uses;
     }
-    const url = `${cloud.url}/api/v1/session/${input.session_id}/report-state`;
-    const response = await fetch(url, {
+    const reportUrl = `${cloud.url}/api/v1/session/${input.session_id}/report-state`;
+    let response = await fetch(reportUrl, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
         "Authorization": `Bearer ${cloud.token}`
       },
-      body: JSON.stringify(body)
+      body: JSON.stringify(reportBody)
     });
+    if (response.status === 404) {
+      const allocateBody = {
+        operator_id: input.operator_id,
+        tenant_id: cloud.tenant_id,
+        agent_type: input.agent_type,
+        current_goal: input.current_goal ?? "Interactive session"
+      };
+      if (input.context_used_pct > 0) {
+        allocateBody["initial_context_used_pct"] = input.context_used_pct;
+      }
+      const allocateUrl = `${cloud.url}/api/v1/session`;
+      const allocateResponse = await fetch(allocateUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${cloud.token}`
+        },
+        body: JSON.stringify(allocateBody)
+      });
+      if (!allocateResponse.ok) {
+        return null;
+      }
+      response = await fetch(reportUrl, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${cloud.token}`
+        },
+        body: JSON.stringify(reportBody)
+      });
+    }
     if (!response.ok) {
       return null;
     }
@@ -4751,6 +5212,7 @@ async function handleReportSessionState(deps, rawInput, _signal) {
 }
 // src/tools/session/spawn-successor.ts
+init_common();
 import { spawn } from "node:child_process";
 import { homedir as homedir4 } from "node:os";
 import { join as join6 } from "node:path";
@@ -4885,6 +5347,9 @@ async function handleSpawnSuccessor(_deps, rawInput, _signal, spawnImpl = spawn)
   });
 }
+// src/tools/concierge/dispatch.ts
+init_common();
 // src/tools/concierge/common-concierge.ts
 var CONCIERGE_STUB_REASON = "cloud mode not active in this MCP runtime \u2014 set VO_CONTROL_PLANE_URL + VO_CONTROL_PLANE_ADMIN_TOKEN to enable. The server-side /api/v1/admin/concierge/dispatch endpoint IS built + deployed (vo-control-plane #5724/#5734); in cloud mode this tool returns the routed pack README + file index.";
 var CONCIERGE_GATE_TYPE = "concierge-dispatch";
@@ -4966,255 +5431,8 @@ async function handleConciergeDispatch(deps, rawInput, _signal) {
   });
 }
-// src/tools/memory/sync-config.ts
-import { homedir as homedir5 } from "node:os";
-import { join as join7 } from "node:path";
-import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync7, writeFileSync as writeFileSync3, readdirSync as readdirSync4 } from "node:fs";
-var TOOL_NAME22 = "vo_sync_config";
-var inputSchema22 = {
-  type: "object",
-  properties: {
-    action: {
-      type: "string",
-      enum: ["pull", "push"],
-      description: "pull: download cloud memory to local files. push: upload local files to cloud."
-    },
-    cwd: {
-      type: "string",
-      description: "Working directory to derive project slug from (default: process.cwd())."
-    }
-  },
-  required: ["action"],
-  additionalProperties: false
-};
-var description22 = "Syncs memory entries between local ~/.claude/projects/<slug>/memory/ and cloud control-plane /api/v1/agent-config/memory/me. Requires operator auth (vo-mcp login). Actions: pull (cloud\u2192local), push (local\u2192cloud). Idempotent; push creates/updates as needed.";
-function isToolInput22(v) {
-  if (typeof v !== "object" || v === null) return false;
-  const o = v;
-  if (o["action"] !== "pull" && o["action"] !== "push") return false;
-  if (o["cwd"] !== void 0 && typeof o["cwd"] !== "string") return false;
-  return true;
-}
-function deriveProjectSlug(cwd) {
-  const normalized = cwd.replace(/\\/g, "/");
-  return normalized.replace(/^([A-Z]):/i, (_, drive) => `${drive.toUpperCase()}-`).replace(/\/$/g, "").split("/").join("--").replace(/\s+/g, "-");
-}
-function getMemoryDir(cwd) {
-  const slug = deriveProjectSlug(cwd);
-  return join7(homedir5(), ".claude", "projects", slug, "memory");
-}
-async function pullMemory(controlPlaneUrl, token, memoryDir, sessionId, fetchFn) {
-  const url = `${controlPlaneUrl}/api/v1/agent-config/memory/me`;
-  const response = await fetchFn(url, {
-    method: "GET",
-    headers: {
-      authorization: `Bearer ${token}`
-    }
-  });
-  if (response.status !== 200) {
-    const text = await response.text();
-    throw new Error(`GET /api/v1/agent-config/memory/me returned HTTP ${response.status}: ${text.slice(0, 200)}`);
-  }
-  const data = JSON.parse(await response.text());
-  if (!data.ok || !Array.isArray(data.entries)) {
-    throw new Error("GET /api/v1/agent-config/memory/me response missing ok=true or entries array");
-  }
-  mkdirSync4(memoryDir, { recursive: true });
-  const files = [];
-  for (const entry of data.entries) {
-    const filePath = join7(memoryDir, entry.file_name);
-    writeFileSync3(filePath, entry.content, "utf8");
-    files.push(entry.file_name);
-  }
-  return { pulled: data.entries.length, files };
-}
-async function pushMemory(controlPlaneUrl, token, memoryDir, sessionId, fetchFn) {
-  if (!existsSync5(memoryDir)) {
-    return { pushed: 0, created: 0, updated: 0 };
-  }
-  const localFiles = readdirSync4(memoryDir).filter((f) => f.endsWith(".md")).map((f) => ({
-    file_name: f,
-    content: readFileSync7(join7(memoryDir, f), "utf8"),
-    entry_type: f === "MEMORY.md" ? "index" : "topic"
-  }));
-  if (localFiles.length === 0) {
-    return { pushed: 0, created: 0, updated: 0 };
-  }
-  const getUrl = `${controlPlaneUrl}/api/v1/agent-config/memory/me`;
-  const getResponse = await fetchFn(getUrl, {
-    method: "GET",
-    headers: {
-      authorization: `Bearer ${token}`
-    }
-  });
-  const existingMap = /* @__PURE__ */ new Map();
-  if (getResponse.status === 200) {
-    const getData = JSON.parse(await getResponse.text());
-    if (getData.ok && Array.isArray(getData.entries)) {
-      for (const entry of getData.entries) {
-        existingMap.set(entry.file_name, entry.memory_id);
-      }
-    }
-  }
-  let created = 0;
-  let updated = 0;
-  for (const localFile of localFiles) {
-    const memoryId = existingMap.get(localFile.file_name);
-    if (memoryId) {
-      const updateUrl = `${controlPlaneUrl}/api/v1/agent-config/memory/${memoryId}`;
-      const updateBody = {
-        content: localFile.content,
-        session_id: sessionId
-      };
-      const updateResponse = await fetchFn(updateUrl, {
-        method: "PUT",
-        headers: {
-          authorization: `Bearer ${token}`,
-          "content-type": "application/json"
-        },
-        body: JSON.stringify(updateBody)
-      });
-      if (updateResponse.status !== 200) {
-        const text = await updateResponse.text();
-        throw new Error(
-          `PUT /api/v1/agent-config/memory/${memoryId} returned HTTP ${updateResponse.status}: ${text.slice(0, 200)}`
-        );
-      }
-      const updateData = JSON.parse(await updateResponse.text());
-      if (!updateData.ok) {
-        throw new Error(`PUT /api/v1/agent-config/memory/${memoryId} returned ok=false`);
-      }
-      updated++;
-    } else {
-      const createUrl = `${controlPlaneUrl}/api/v1/agent-config/memory/me`;
-      const createBody = {
-        entry_type: localFile.entry_type,
-        file_name: localFile.file_name,
-        content: localFile.content,
-        session_id: sessionId
-      };
-      const createResponse = await fetchFn(createUrl, {
-        method: "POST",
-        headers: {
-          authorization: `Bearer ${token}`,
-          "content-type": "application/json"
-        },
-        body: JSON.stringify(createBody)
-      });
-      if (createResponse.status !== 200 && createResponse.status !== 201) {
-        const text = await createResponse.text();
-        throw new Error(
-          `POST /api/v1/agent-config/memory/me returned HTTP ${createResponse.status}: ${text.slice(0, 200)}`
-        );
-      }
-      const createData = JSON.parse(await createResponse.text());
-      if (!createData.ok) {
-        throw new Error("POST /api/v1/agent-config/memory/me returned ok=false");
-      }
-      created++;
-    }
-  }
-  return { pushed: localFiles.length, created, updated };
-}
-async function handleSyncConfig(deps, rawInput, _signal, fetchFn = globalThis.fetch) {
-  if (!isToolInput22(rawInput)) {
-    throw invalidParams(
-      TOOL_NAME22,
-      'invalid input. Required: { action: "pull" | "push" }. Optional: { cwd: "<path>" }.'
-    );
-  }
-  const controlPlaneUrl = process.env["VO_CONTROL_PLANE_URL"];
-  if (!controlPlaneUrl) {
-    return jsonContent({
-      tool: TOOL_NAME22,
-      schema_version: 1,
-      payload: {
-        synced: false,
-        reason: "VO_CONTROL_PLANE_URL not set \u2014 cloud mode disabled"
-      }
-    });
-  }
-  const { createAuthTokenSourceFromEnv: createAuthTokenSourceFromEnv2 } = await Promise.resolve().then(() => (init_auth_token_source(), auth_token_source_exports));
-  const { readStoredCredential: readStoredCredential2 } = await Promise.resolve().then(() => (init_credential_store(), credential_store_exports));
-  const tokenSource = createAuthTokenSourceFromEnv2(process.env, fetchFn, () => readStoredCredential2(process.env));
-  if (!tokenSource) {
-    return jsonContent({
-      tool: TOOL_NAME22,
-      schema_version: 1,
-      payload: {
-        synced: false,
-        reason: "No auth configured. Run `vo-mcp login` to authenticate as an operator."
-      }
-    });
-  }
-  const token = await tokenSource.getToken();
-  if (!token) {
-    return jsonContent({
-      tool: TOOL_NAME22,
-      schema_version: 1,
-      payload: {
-        synced: false,
-        reason: "Failed to obtain auth token. Run `vo-mcp login` to re-authenticate."
-      }
-    });
-  }
-  const cwd = rawInput.cwd?.trim() || process.cwd();
-  const memoryDir = getMemoryDir(cwd);
-  try {
-    if (rawInput.action === "pull") {
-      const result = await pullMemory(
-        controlPlaneUrl.replace(/\/+$/, ""),
-        token,
-        memoryDir,
-        deps.sessionId,
-        fetchFn
-      );
-      return jsonContent({
-        tool: TOOL_NAME22,
-        schema_version: 1,
-        payload: {
-          synced: true,
-          action: "pull",
-          pulled: result.pulled,
-          files: result.files,
-          memory_dir: memoryDir
-        }
-      });
-    } else {
-      const result = await pushMemory(
-        controlPlaneUrl.replace(/\/+$/, ""),
-        token,
-        memoryDir,
-        deps.sessionId,
-        fetchFn
-      );
-      return jsonContent({
-        tool: TOOL_NAME22,
-        schema_version: 1,
-        payload: {
-          synced: true,
-          action: "push",
-          pushed: result.pushed,
-          created: result.created,
-          updated: result.updated,
-          memory_dir: memoryDir
-        }
-      });
-    }
-  } catch (err) {
-    const message = err instanceof Error ? err.message : String(err);
-    return jsonContent({
-      tool: TOOL_NAME22,
-      schema_version: 1,
-      payload: {
-        synced: false,
-        reason: `Sync failed: ${message}`
-      }
-    });
-  }
-}
 // src/server.ts
+init_sync_config();
 function buildToolRegistry() {
   return {
     [TOOL_NAME]: {
@@ -5569,6 +5787,9 @@ function createSqliteCache(options) {
   };
 }
+// src/cli.ts
+init_events_writer();
 // src/ratchets/stub-client.ts
 var HOLLOW_PATTERNS = [
   {
@@ -5656,6 +5877,8 @@ function buildSummary2(args) {
 }
 // src/consensus/engine-client.ts
+init_events_writer();
+init_common();
 import { randomUUID as randomUUID3 } from "node:crypto";
 // src/consensus/null-client.ts
@@ -5724,6 +5947,25 @@ function mapFanOutDiagnostics(fd) {
     refused: fd.refused
   };
 }
+var SHADOW_SYNTHESIS_ENV_VAR = "VO_CONSENSUS_SHADOW";
+function shadowEnabled(env) {
+  const raw = (env ?? {})[SHADOW_SYNTHESIS_ENV_VAR];
+  if (raw === void 0) return true;
+  const norm = raw.trim().toLowerCase();
+  return !(norm === "0" || norm === "false" || norm === "no" || norm === "off" || norm === "");
+}
+function mapShadowSynthesis(s) {
+  if (s === void 0) return void 0;
+  return {
+    incumbent: { verdict: s.incumbent.verdict, confidence: s.incumbent.confidence, synthesizer: s.incumbent.synthesizer },
+    adaptive: {
+      verdict: s.adaptive.verdict,
+      confidence: s.adaptive.confidence,
+      ...s.adaptive.calibrated_confidence !== void 0 ? { calibrated_confidence: s.adaptive.calibrated_confidence } : {}
+    },
+    agree: s.agree
+  };
+}
 function mapCitationGrade(cg) {
   if (cg === void 0) return void 0;
   return {
@@ -5864,7 +6106,12 @@ function createEngineConsensusClient(options) {
         const engineOptions = {
           panel,
           ...options.per_model_timeout_ms !== void 0 ? { per_model_timeout_ms: options.per_model_timeout_ms } : {},
-          ...agreementGate !== void 0 ? { agreement_gate: agreementGate } : {}
+          ...agreementGate !== void 0 ? { agreement_gate: agreementGate } : {},
+          // Stage A7-shadow: run the adaptive verdict alongside the live one for grading.
+          // Cheap (pure log-odds over already-fetched verdicts; no extra model calls),
+          // PII-free, and never alters the live verdict. ON by default; kill with
+          // VO_CONSENSUS_SHADOW=0. Cold-start has no skill registry → neutral priors.
+          shadow_synthesis: { enabled: shadowEnabled(options.env) }
         };
         const sources = request.source_urls;
         const useSourceGrounded = sources !== void 0 && sources.length > 0 && typeof engine.runSourceGroundedConsensus === "function";
@@ -5920,6 +6167,8 @@ function createEngineConsensusClient(options) {
           ...sourceExtras?.escalation_reason !== void 0 ? { escalation_reason: sourceExtras.escalation_reason } : response.escalation_reason !== void 0 ? { escalation_reason: response.escalation_reason } : {},
           // Feature 1 (agreement-gate) — fan-out diagnostics (additive telemetry).
           ...mapFanOutDiagnostics(response.fan_out_diagnostics) !== void 0 ? { fan_out_diagnostics: mapFanOutDiagnostics(response.fan_out_diagnostics) } : {},
+          // Stage A7-shadow — adaptive-vs-incumbent comparison (PII-free; present iff shadow on).
+          ...mapShadowSynthesis(response.shadow_synthesis) !== void 0 ? { shadow_synthesis: mapShadowSynthesis(response.shadow_synthesis) } : {},
           // Source-grounded additive outputs (Tier-4 features).
           ...useSourceGrounded ? { source_grounded: true } : {},
           ...sourceExtras?.citation_grade !== void 0 ? { citation_grade: sourceExtras.citation_grade } : {},
@@ -6354,6 +6603,7 @@ async function exchangeForVoCredential(opts) {
 }
 // src/cli.ts
+init_common();
 function defaultCacheDbPath() {
   const env = process.env["VO_MCP_DB_PATH"];
   if (env && env.length > 0) return env;
@@ -6486,6 +6736,31 @@ if (process.argv[2] === "login") {
     console.error("[vo-mcp] login failed:", err instanceof Error ? err.message : String(err));
     process.exit(1);
   });
+} else if (process.argv[2] === "sync") {
+  const action = process.argv[3];
+  if (action !== "push" && action !== "pull") {
+    console.error("[vo-mcp] usage: vo-mcp sync <push|pull> [--cwd <path>]");
+    process.exit(2);
+  }
+  const cwdFlag = process.argv.indexOf("--cwd");
+  const cwd = cwdFlag >= 0 && typeof process.argv[cwdFlag + 1] === "string" ? process.argv[cwdFlag + 1] : process.cwd();
+  const sessionId = randomUUID5();
+  Promise.resolve().then(() => (init_sync_config(), sync_config_exports)).then(async ({ runMemorySync: runMemorySync2, isNoopSyncReason: isNoopSyncReason2 }) => {
+    const r = await runMemorySync2(action, cwd, sessionId);
+    if (r.synced) {
+      console.error(`[vo-mcp] sync ${action} ok: ${JSON.stringify(r)}`);
+      process.exit(0);
+    }
+    if (isNoopSyncReason2(r.reason)) {
+      console.error(`[vo-mcp] sync ${action} skipped: ${r.reason}`);
+      process.exit(0);
+    }
+    console.error(`[vo-mcp] sync ${action} failed: ${r.reason}`);
+    process.exit(1);
+  }).catch((err) => {
+    console.error("[vo-mcp] sync fatal:", err instanceof Error ? err.message : String(err));
+    process.exit(1);
+  });
 } else {
   main().catch((err) => {
     console.error("[vo-mcp] fatal:", err);