@ansvar/ch-livestock-mcp 0.1.0

package/.github/workflows/check-freshness.yml

@@ -0,0 +1,52 @@
+name: Check Data Freshness
+
+on:
+  schedule:
+    - cron: '0 8 * * *'  # Daily at 08:00 UTC
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  freshness:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+      - run: npm ci
+
+      - name: Check freshness
+        id: freshness
+        run: |
+          npm run freshness:check 2>&1 | tee freshness-output.txt
+          if grep -q '"status":"stale"' freshness-output.txt 2>/dev/null || grep -q '"status": "stale"' freshness-output.txt 2>/dev/null; then
+            echo "stale=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "stale=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create staleness issue
+        if: steps.freshness.outputs.stale == 'true'
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const existing = await github.rest.issues.listForRepo({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              labels: 'data-stale',
+              state: 'open',
+            });
+            if (existing.data.length === 0) {
+              await github.rest.issues.create({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                title: 'Data staleness detected -- ch-livestock-mcp',
+                body: 'The data freshness check detected stale data (>90 days since last ingest).\n\nRun `gh workflow run ingest.yml` to refresh.',
+                labels: ['data-stale'],
+              });
+            }

package/.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+name: CI
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: npm
+      - run: npm ci
+      - run: npm run typecheck
+      - run: npm run lint
+      - run: npm test

package/.github/workflows/codeql.yml

@@ -0,0 +1,31 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+      - uses: github/codeql-action/autobuild@v3
+      - uses: github/codeql-action/analyze@v3
+        with:
+          category: /language:${{ matrix.language }}

package/.github/workflows/ghcr-build.yml

@@ -0,0 +1,45 @@
+name: Build and Push to GHCR
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+concurrency:
+  group: build-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ch-livestock-mcp
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-buildx-action@v3
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - uses: docker/metadata-action@v5
+        id: meta
+        with:
+          images: ${{ env.REGISTRY }}/ansvar-systems/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
+            type=sha,prefix=sha-,format=short
+      - uses: docker/build-push-action@v5
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          platforms: linux/amd64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

package/.github/workflows/gitleaks.yml

@@ -0,0 +1,23 @@
+name: Gitleaks
+
+on:
+  push:
+    branches: [main, dev]
+  pull_request:
+    branches: [main]
+
+permissions:
+  contents: read
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        with:
+          args: detect --source . --verbose
+        env:
+          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

package/.github/workflows/ingest.yml

@@ -0,0 +1,58 @@
+name: Ingest Data
+
+on:
+  schedule:
+    - cron: '0 3 1 */3 *'  # Quarterly: 1st day, every 3 months, 03:00 UTC
+  workflow_dispatch:
+    inputs:
+      mode:
+        description: 'Ingestion mode'
+        required: false
+        default: 'incremental'
+        type: choice
+        options:
+          - incremental
+          - full
+          - fetch-only
+          - diff-only
+
+permissions:
+  contents: write
+
+jobs:
+  ingest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: npm
+      - run: npm ci
+
+      - name: Run ingestion
+        run: |
+          MODE="${{ inputs.mode || 'incremental' }}"
+          case "$MODE" in
+            full)       npm run ingest:full ;;
+            fetch-only) npm run ingest:fetch ;;
+            diff-only)  npm run ingest:diff ;;
+            *)          npm run ingest ;;
+          esac
+
+      - name: Update coverage.json
+        run: npm run coverage:update
+
+      - name: Check for changes
+        id: changes
+        run: |
+          git diff --quiet data/ && echo "changed=false" >> "$GITHUB_OUTPUT" || echo "changed=true" >> "$GITHUB_OUTPUT"
+
+      - name: Commit updated data
+        if: steps.changes.outputs.changed == 'true'
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add data/
+          git commit -m "chore: ingest data update $(date -u +%Y-%m-%d)"
+          git push

package/.github/workflows/publish.yml

@@ -0,0 +1,24 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          registry-url: "https://registry.npmjs.org"
+      - run: npm ci
+      - run: npm run build
+      - run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/CHANGELOG.md

@@ -0,0 +1,24 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-04-05
+
+### Added
+- Initial release with 11 tools (3 meta + 8 domain)
+- Welfare standards from TSchV (minimum) and DZV (RAUS/BTS programmes)
+- Stocking density data from TSchV Anhang 1
+- Housing requirement specifications (space, ventilation, flooring, temperature)
+- TVD movement rules (registration, transport, standstill, Soemmerung)
+- Feed requirements with GMF programme data
+- Animal health records (diseases, symptoms, prevention, regulatory status)
+- Swiss breed data from breed associations
+- Tiered FTS5 search with automatic fallback
+- Streamable HTTP transport (Docker) and stdio transport (npx)
+- Bilingual disclaimer (DE/EN)
+- Golden standard documentation (README, TOOLS.md, COVERAGE.md, DISCLAIMER.md)
+- CI/CD: CodeQL, Gitleaks, GHCR build, npm publish, ingestion, freshness checks
+- Test suite with seed database

package/CODEOWNERS

@@ -0,0 +1 @@
+* @Ansvar-Systems/mcp-team

package/COVERAGE.md

@@ -0,0 +1,62 @@
+# Data Coverage -- Switzerland Livestock MCP
+
+**Jurisdiction:** Switzerland (CH)
+**Last ingest:** 2026-04-05
+**Schema version:** 1.0
+
+## Summary
+
+| Table | Records | Description |
+|-------|---------|-------------|
+| welfare_standards | 45 | TSchV minimum + RAUS/BTS programme standards per species |
+| stocking_densities | 25 | Animals per m2 by species, age class, housing type (TSchV Anhang 1) |
+| housing_requirements | 14 | Space, ventilation, flooring, temperature specs |
+| movement_rules | 21 | TVD registration, transport, standstill, Soemmerung, Schlachtung |
+| breeds | 25 | Swiss breed records across 5 species |
+| feed_requirements | 14 | Nutritional requirements per species and production stage |
+| animal_health | 13 | Diseases, symptoms, prevention, regulatory reporting |
+| search_index (FTS) | 157 | Full-text search entries across all categories |
+
+**Total:** 157 indexed records, 11 tools
+
+## Species Coverage
+
+| Species (DE) | Species (EN) | Welfare | Stocking | Housing | Movement | Breeds | Feed | Health |
+|-------------|-------------|---------|----------|---------|----------|--------|------|--------|
+| Rinder | Cattle | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| Schweine | Pigs | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| Gefluegel | Poultry | Yes | Yes | Yes | Yes | No | Yes | Yes |
+| Schafe | Sheep | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| Ziegen | Goats | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+| Pferde | Horses | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
+
+## Production Systems
+
+- **TSchV-Minimum** -- Legal minimum welfare standards per Tierschutzverordnung
+- **RAUS** -- Regelmaessiger Auslauf ins Freie (regular outdoor access), DZV direct payment programme
+- **BTS** -- Besonders tierfreundliche Stallhaltungssysteme (particularly animal-friendly housing systems), DZV direct payment programme
+- **GMF** -- Graslandbasierte Milch- und Fleischproduktion (grassland-based milk and meat production)
+
+## Data Sources
+
+| Source | Authority | Retrieval | Update Frequency |
+|--------|-----------|-----------|-----------------|
+| Tierschutzverordnung (TSchV, SR 455.1) | BLV | PDF extract | Periodic (amended as needed) |
+| Direktzahlungsverordnung (DZV) -- RAUS/BTS | BLW | PDF extract | Annual |
+| Tierverkehrsdatenbank (TVD) | Identitas / BLV | Public docs | Continuous |
+| Zuchtorganisationen | Braunvieh Schweiz, swissherdbook, Mutterkuh Schweiz, Suisseporcs | Public docs | Annual |
+
+## Known Gaps
+
+- **Cantonal extensions:** TSchV sets federal minimums. Some cantons impose stricter rules (e.g. BE, ZH). Not covered.
+- **Bio Suisse / IP-Suisse:** Organic and IP label standards are not included. Only TSchV + RAUS/BTS.
+- **Aquaculture:** Fish farming (Fischzucht) is not covered.
+- **Bees:** Apiculture (Bienenhaltung) is not covered.
+- **Camelids:** Lamas, alpacas, and other Neuweltkameliden are not covered.
+- **Wild animals in captivity:** Zoo and circus animal regulations are not covered.
+- **Historical amendments:** Only the current consolidated version of TSchV is indexed. Amendment history is not tracked.
+- **Enforcement data:** Cantonal inspection statistics and enforcement actions are not included.
+
+## Freshness
+
+Data staleness threshold: 90 days. Automated freshness check runs daily via `check-freshness.yml`. Ingestion is triggered via `ingest.yml` workflow (manual or scheduled).

package/DISCLAIMER.md

@@ -0,0 +1,41 @@
+# Haftungsausschluss / Disclaimer
+
+## Deutsch
+
+Diese Daten dienen ausschliesslich der Information und stellen keine Rechtsberatung, veterinaermedizinische Beratung oder behördliche Auskunft dar.
+
+**Massgebende Rechtsquellen:**
+- Tierschutzverordnung (TSchV, SR 455.1)
+- Tierschutzgesetz (TSchG, SR 455)
+- Direktzahlungsverordnung (DZV, SR 910.13) -- RAUS/BTS-Programme
+- Tierseuchenverordnung (TSV, SR 916.401)
+
+**Zustaendige Behoerden:**
+- Bundesamt fuer Lebensmittelsicherheit und Veterinaerwesen (BLV)
+- Bundesamt fuer Landwirtschaft (BLW)
+- Kantonale Veterinaerbehoerden
+
+Vor Entscheidungen zur Tierhaltung, Stallbau, Transport oder Zucht ist stets die zustaendige kantonale Veterinaerbehoerde oder eine anerkannte Fachberatung zu konsultieren. Die Daten koennen unvollstaendig, veraltet oder fehlerhaft sein. Kantonale Abweichungen von der Bundesgesetzgebung sind nicht abgedeckt.
+
+Die Nutzung erfolgt auf eigenes Risiko. Ansvar Systems uebernimmt keine Haftung fuer Schäden, die aus der Nutzung dieser Daten entstehen.
+
+---
+
+## English
+
+This data is provided for informational purposes only and does not constitute legal advice, veterinary advice, or official regulatory guidance.
+
+**Authoritative legal sources:**
+- Swiss Animal Welfare Ordinance (TSchV, SR 455.1)
+- Swiss Animal Welfare Act (TSchG, SR 455)
+- Direct Payments Ordinance (DZV, SR 910.13) -- RAUS/BTS programmes
+- Animal Diseases Ordinance (TSV, SR 916.401)
+
+**Responsible authorities:**
+- Federal Food Safety and Veterinary Office (BLV)
+- Federal Office for Agriculture (BLW)
+- Cantonal veterinary authorities
+
+Always consult the competent cantonal veterinary authority or a qualified professional before making decisions about animal husbandry, housing construction, transport, or breeding. Data may be incomplete, outdated, or contain errors. Cantonal deviations from federal legislation are not covered.
+
+Use at your own risk. Ansvar Systems accepts no liability for damages arising from the use of this data.

package/Dockerfile

@@ -0,0 +1,26 @@
+FROM node:20-slim AS builder
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY tsconfig.json ./
+COPY src/ src/
+RUN npm run build
+
+FROM node:20-slim
+RUN apt-get update && apt-get install -y python3 make g++ && rm -rf /var/lib/apt/lists/*
+RUN addgroup --system --gid 1001 nodejs && \
+    adduser --system --uid 1001 nodejs
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci --omit=dev && npm cache clean --force && apt-get purge -y python3 make g++ && apt-get autoremove -y
+COPY --from=builder /app/dist dist/
+COPY data/ data/
+RUN chown -R nodejs:nodejs /app/data
+USER nodejs
+ENV NODE_ENV=production
+ENV PORT=3000
+EXPOSE 3000
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD node -e "require('http').get('http://localhost:' + process.env.PORT + '/health', (r) => { process.exit(r.statusCode === 200 ? 0 : 1) })"
+CMD ["node", "dist/http-server.js"]

package/LICENSE

@@ -0,0 +1,17 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+   Copyright 2026 Ansvar Systems

package/PRIVACY.md

@@ -0,0 +1,28 @@
+# Privacy Policy
+
+## Data Processing
+
+The Switzerland Livestock MCP **does not collect, store, or process any personal data**. It is a read-only data server that serves Swiss livestock regulatory information.
+
+## What This Server Does
+
+- Serves pre-ingested Swiss livestock regulations (TSchV, DZV, TVD, breed data)
+- Responds to MCP tool calls with structured data from a local SQLite database
+- Does not log queries, IP addresses, or user identifiers
+- Does not make outbound network requests
+- Does not use cookies, tracking, or analytics
+
+## What This Server Does Not Do
+
+- Does not store any user data
+- Does not process personal data as defined by the Swiss Federal Act on Data Protection (nDSG)
+- Does not profile users
+- Does not share data with third parties
+
+## Data Sources
+
+All data originates from public Swiss federal sources (BLV, BLW, Identitas, breed associations). Source attribution is available via the `list_sources` tool.
+
+## Contact
+
+For privacy questions: privacy@ansvar.eu

package/README.md

@@ -0,0 +1,145 @@
+# Switzerland Livestock MCP
+
+Swiss livestock regulations via the Model Context Protocol. Covers welfare standards (TSchV), RAUS/BTS direct payment programmes, TVD animal movement rules, housing specifications, stocking densities, feed requirements, animal health, and breed data for cattle, pigs, poultry, sheep, goats, and horses.
+
+**Jurisdiction:** Switzerland (CH)
+**Sources:** BLV (Tierschutzverordnung), BLW (Direktzahlungsverordnung), Identitas (TVD), Swiss breed associations
+**Tools:** 11 (3 meta + 8 domain)
+**License:** Apache-2.0
+
+## Quick Start
+
+### npx (stdio)
+
+```bash
+npx -y @ansvar/ch-livestock-mcp
+```
+
+### Docker
+
+```bash
+docker run -p 3000:3000 ghcr.io/ansvar-systems/ch-livestock-mcp:latest
+```
+
+### Streamable HTTP (remote)
+
+```
+https://mcp.ansvar.eu/ch-livestock/mcp
+```
+
+No authentication required.
+
+## MCP Client Configuration
+
+### Claude Desktop / Cursor / Windsurf
+
+Add to your MCP client config:
+
+```json
+{
+  "mcpServers": {
+    "ch-livestock": {
+      "command": "npx",
+      "args": ["-y", "@ansvar/ch-livestock-mcp"]
+    }
+  }
+}
+```
+
+Or use the remote endpoint:
+
+```json
+{
+  "mcpServers": {
+    "ch-livestock": {
+      "url": "https://mcp.ansvar.eu/ch-livestock/mcp"
+    }
+  }
+}
+```
+
+## Tools
+
+11 tools covering Swiss livestock regulation and guidance:
+
+| Tool | Description |
+|------|-------------|
+| `about` | Server metadata: name, version, coverage, data sources |
+| `list_sources` | All data sources with authority, URL, license, freshness |
+| `check_data_freshness` | Staleness status and refresh command |
+| `search_livestock_guidance` | FTS across all livestock topics (welfare, housing, feeding, health, transport, breeds) |
+| `get_welfare_standards` | TSchV minimum and RAUS/BTS programme standards per species |
+| `get_stocking_density` | Animals per m2, space requirements by species, age class, housing type (TSchV Anhang 1) |
+| `get_feed_requirements` | Nutritional requirements per species and production stage, including GMF programme |
+| `search_animal_health` | Disease, symptom, prevention, and regulatory reporting search |
+| `get_housing_requirements` | Housing specs: space, ventilation, flooring, temperature (TSchV vs. BTS) |
+| `get_movement_rules` | TVD registration, transport, standstill, and Soemmerung rules |
+| `get_breeding_guidance` | Swiss breed data, breeding calendars, AI (kuenstliche Besamung), genetics |
+
+Full parameter documentation: [TOOLS.md](TOOLS.md)
+
+## Data Sources
+
+| Source | Authority | Coverage |
+|--------|-----------|----------|
+| Tierschutzverordnung (TSchV, SR 455.1) | BLV | Minimum welfare per species, space, housing, transport, slaughter |
+| Direktzahlungsverordnung (DZV) -- RAUS/BTS | BLW | Outdoor access (RAUS), housing standards (BTS), payment rates per GVE |
+| Tierverkehrsdatenbank (TVD) | Identitas / BLV | Animal registration, ear tags, movement reporting |
+| Zuchtorganisationen | Braunvieh Schweiz, swissherdbook, Mutterkuh Schweiz, Suisseporcs | Swiss cattle, pig, sheep, goat, horse breeds |
+
+## Data Coverage
+
+- 45 welfare standards across 6 species and 3 production systems (TSchV-Minimum, RAUS, BTS)
+- 25 stocking density records (TSchV Anhang 1)
+- 14 housing requirement specifications
+- 21 movement/transport rules (TVD, Transport, Soemmerung, Schlachtung)
+- 25 breed records across 5 species
+- 14 feed requirement specifications including GMF programme
+- 13 animal health records (diseases, prevention, regulatory status)
+- 157 FTS search index entries
+
+Full coverage breakdown: [COVERAGE.md](COVERAGE.md)
+
+## Development
+
+```bash
+npm install
+npm run build
+npm test
+npm run lint
+```
+
+### Ingestion
+
+```bash
+npm run ingest          # Standard incremental ingest
+npm run ingest:full     # Full re-ingest (--force)
+npm run ingest:fetch    # Fetch sources only (--fetch-only)
+npm run ingest:diff     # Show what changed (--diff-only)
+```
+
+### Running locally
+
+```bash
+npm run dev             # stdio mode (watch)
+npm run start:http      # HTTP mode on port 3000
+```
+
+## Disclaimer
+
+This data is provided for informational purposes only and does not constitute legal or veterinary advice. The authoritative sources are the Swiss Animal Welfare Ordinance (TSchV, SR 455.1), the Animal Welfare Act (TSchG, SR 455), and guidance from BLV and BLW. Always consult the cantonal veterinary authority before making livestock management decisions.
+
+Full bilingual disclaimer: [DISCLAIMER.md](DISCLAIMER.md)
+
+## Links
+
+- [Ansvar Open Agriculture](https://ansvar.eu/open-agriculture)
+- [MCP Network](https://ansvar.ai/mcp)
+- [TOOLS.md](TOOLS.md) -- Full tool documentation
+- [COVERAGE.md](COVERAGE.md) -- Data coverage details
+- [SECURITY.md](SECURITY.md) -- Security policy
+- [PRIVACY.md](PRIVACY.md) -- Privacy policy
+
+## License
+
+Apache-2.0 -- see [LICENSE](LICENSE)

package/SECURITY.md

@@ -0,0 +1,33 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported |
+|---------|-----------|
+| 0.1.x   | Yes       |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please report it responsibly:
+
+**Email:** security@ansvar.eu
+**Subject:** `[ch-livestock-mcp] Vulnerability Report`
+
+Please include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+
+We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
+
+Do **not** open a public GitHub issue for security vulnerabilities.
+
+## Security Measures
+
+- **CodeQL** -- Static analysis on every push and PR
+- **Gitleaks** -- Secret detection in commits
+- **Dependency scanning** -- npm audit in CI
+- **Read-only data** -- SQLite database is read-only at runtime in Docker (data volume)
+- **Non-root container** -- Runs as UID 1001 (nodejs user)
+- **No network egress** -- Server does not make outbound requests at runtime
+- **No authentication data** -- Server stores no credentials, tokens, or user data