@askthew/mcp-plugin 0.2.8 → 0.4.0

package/dist/index.js

@@ -1,8 +1,11 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { z } from "zod";
-import * as fs from "node:fs";
-import * as path from "node:path";
-import { resolveFunctionalAreaFromToml, resolvePluginScope } from "./scope.js";
+import { resolvePluginScope } from "./scope.js";
+import { resolveMcpMode } from "./lib/free-tier-policy.js";
+import { LocalStore } from "./lib/local-store.js";
+import { analyzeLocalPatterns } from "./lib/tip-engine.js";
+import { buildTelemetryPayload, flushTelemetryOutbox } from "./lib/telemetry.js";
+import { paidDescription, paidFeatureNudge, toolJson } from "./lib/upgrade-nudge.js";
 const evidenceRoleSchema = z.enum(["user", "assistant", "system"]);
 const sessionSignalKindSchema = z.enum([
     "setup_complete",
@@ -41,85 +44,228 @@ export const provenanceSignalSchema = z.object({
     metadata: z.record(z.string(), z.unknown()).default({}),
 });
 const REDACTION_PATTERNS = [
-    /\bAKIA[0-9A-Z]{16}\b/g,
-    /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}\b/g,
-    /\beyJ[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\.[A-Za-z0-9_-]{20,}\b/g,
-    /\b[A-Za-z0-9_-]{32,}\b/g,
+    { name: "aws_access_key", pattern: /\bAKIA[0-9A-Z]{16}\b/g },
+    { name: "aws_secret_key", pattern: /\b[A-Za-z0-9+/]{40}\b/g },
+    { name: "gcp_api_key", pattern: /\bAIza[0-9A-Za-z\-_]{35}\b/g },
+    { name: "azure_storage_key", pattern: /[A-Za-z0-9+/]{86}==/g },
+    { name: "stripe_key", pattern: /\b(?:sk|rk|pk)_(?:live|test)_[A-Za-z0-9]{16,}\b/g },
+    { name: "sendgrid_key", pattern: /\bSG\.[A-Za-z0-9_-]{22,}\.[A-Za-z0-9_-]{22,}\b/g },
+    { name: "twilio_key", pattern: /\bSK[0-9a-fA-F]{32}\b/g },
+    { name: "slack_token", pattern: /\bxox[baprs]-[0-9A-Za-z\-]{10,}\b/g },
+    { name: "slack_webhook", pattern: /https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+/g },
+    { name: "openai_key", pattern: /\bsk-[A-Za-z0-9]{20,}\b/g },
+    { name: "anthropic_key", pattern: /\bsk-ant-[A-Za-z0-9\-_]{32,}\b/g },
+    { name: "github_pat_classic", pattern: /\bghp_[A-Za-z0-9]{36}\b/g },
+    { name: "github_pat_fine", pattern: /\bgithub_pat_[A-Za-z0-9_]{82}\b/g },
+    { name: "github_oauth", pattern: /\bgho_[A-Za-z0-9]{36}\b/g },
+    { name: "github_app_token", pattern: /\bghs_[A-Za-z0-9]{36}\b/g },
+    { name: "gitlab_pat", pattern: /\bglpat-[A-Za-z0-9\-_]{20,}\b/g },
+    { name: "jwt", pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
+    { name: "pem_private_key", pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+    { name: "db_dsn_with_creds", pattern: /(?:postgres|postgresql|mysql|mongodb(?:\+srv)?|redis):\/\/[^:]+:[^@\s]+@[^\s"'`]+/gi },
+    { name: "atw_token", pattern: /\b(?:atw|askthew)_[a-z]+_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}_[0-9a-f]{16,}\b/gi },
+    { name: "uuid_token", pattern: /\b\w{2,20}_[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}(?:_[A-Za-z0-9]{8,})?\b/g },
+    { name: "env_var_assignment", pattern: /(?:^|[\s;|&])(?:export\s+)?[A-Z][A-Z0-9_]{4,}(?:_KEY|_TOKEN|_SECRET|_PASSWORD|_PASS|_CREDENTIAL|_API_KEY|_PRIVATE|_AUTH)\s*[=:]\s*["']?[A-Za-z0-9+/=._~-]{8,}["']?/gm },
+    { name: "email", pattern: /\b[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}\b/g },
+    { name: "us_phone", pattern: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g },
+    { name: "ssn", pattern: /\b(?!000|666|9\d{2})\d{3}[-\s](?!00)\d{2}[-\s](?!0{4})\d{4}\b/g },
+    { name: "credit_card", pattern: /\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12})\b/g },
 ];
-function redactSecrets(text) {
-    return REDACTION_PATTERNS.reduce((accumulator, pattern) => accumulator.replace(pattern, "[REDACTED]"), text);
-}
-function redactMetadata(value) {
-    if (typeof value === "string") {
-        return redactSecrets(value);
-    }
-    if (Array.isArray(value)) {
-        return value.map((entry) => redactMetadata(entry));
+const SENSITIVE_QUERY_PARAMS = new Set([
+    "token",
+    "key",
+    "api_key",
+    "apikey",
+    "secret",
+    "password",
+    "passwd",
+    "pass",
+    "auth",
+    "access_token",
+    "refresh_token",
+    "id_token",
+    "client_secret",
+    "authorization",
+    "credential",
+    "sig",
+    "signature",
+]);
+const SENSITIVE_FLAG_NAMES = new Set([
+    "token",
+    "password",
+    "passwd",
+    "pass",
+    "secret",
+    "key",
+    "api-key",
+    "apikey",
+    "api_key",
+    "auth",
+    "access-token",
+    "private-key",
+    "credential",
+    "credentials",
+    "authorization",
+    "client-secret",
+    "client_secret",
+]);
+const SENSITIVE_PATH_SEGMENTS = new Set([
+    ".env",
+    ".ssh",
+    ".aws",
+    ".gcp",
+    ".azure",
+    ".gnupg",
+    ".pgp",
+    "secrets",
+    "secret",
+    "credentials",
+    "credential",
+    "private",
+    "keys",
+    "certs",
+    "certificates",
+    "vault",
+    ".netrc",
+    ".npmrc",
+    ".pypirc",
+    ".docker",
+    "kubeconfig",
+    ".kube",
+]);
+const ENTROPY_THRESHOLD = 4.5;
+const ENTROPY_TOKEN_PATTERN = /[A-Za-z0-9+/=_\-]{20,}/g;
+function sanitizeUrl(raw) {
+    try {
+        const url = new URL(raw);
+        if (url.username || url.password) {
+            url.username = "[REDACTED]";
+            url.password = "[REDACTED]";
+        }
+        for (const key of Array.from(url.searchParams.keys())) {
+            if (SENSITIVE_QUERY_PARAMS.has(key.toLowerCase())) {
+                url.searchParams.set(key, "[REDACTED]");
+            }
+        }
+        return url.toString().replace(/%5BREDACTED%5D/gi, "[REDACTED]");
     }
-    if (typeof value === "object" && value !== null) {
-        return Object.fromEntries(Object.entries(value).map(([key, entry]) => [key, redactMetadata(entry)]));
+    catch {
+        return raw;
     }
-    return value;
 }
-export function inferFunctionalArea(signal) {
-    const explicit = process.env.ASKTHEW_FUNCTIONAL_AREA?.trim();
-    if (explicit) {
-        return explicit;
-    }
-    const configuredArea = resolveFunctionalAreaFromToml(process.cwd());
-    if (configuredArea) {
-        return configuredArea;
-    }
-    const files = (signal.filesAffected ?? []).map((file) => file.toLowerCase());
-    if (files.length > 0 && files.every((file) => file.includes("test"))) {
-        return "QA";
+function sanitizeUrls(text) {
+    return text.replace(/https?:\/\/[^\s"'`<>)\\]*/g, (match) => sanitizeUrl(match));
+}
+function scrubCommandFlags(command) {
+    let result = command.replace(/(-{1,2})([\w-]+)([ =])(["'])([^"']+)\4/g, (match, dashes, flagName, separator, quote) => SENSITIVE_FLAG_NAMES.has(String(flagName).toLowerCase())
+        ? `${dashes}${flagName}${separator}${quote}[REDACTED]${quote}`
+        : match);
+    result = result.replace(/(-{1,2})([\w-]+)([ =])([^\s"'`]+)/g, (match, dashes, flagName, separator) => SENSITIVE_FLAG_NAMES.has(String(flagName).toLowerCase())
+        ? `${dashes}${flagName}${separator}[REDACTED]`
+        : match);
+    return result;
+}
+function shannonEntropy(value) {
+    const freq = new Map();
+    for (const char of value) {
+        freq.set(char, (freq.get(char) ?? 0) + 1);
     }
-    if (files.length > 0 && files.every((file) => file.includes("marketing") || file.includes("content"))) {
-        return "Marketing";
+    let entropy = 0;
+    for (const count of freq.values()) {
+        const probability = count / value.length;
+        entropy -= probability * Math.log2(probability);
     }
-    if (files.length > 0 && files.every((file) => file.includes("design"))) {
-        return "Design";
+    return entropy;
+}
+function looksLikeSecret(token) {
+    const hasDigit = /\d/.test(token);
+    const hasUpper = /[A-Z]/.test(token);
+    const hasLower = /[a-z]/.test(token);
+    const hasSpecial = /[+/=_\-]/.test(token);
+    return hasDigit && hasLower && (hasUpper || hasSpecial);
+}
+function redactHighEntropyTokens(text) {
+    return text.replace(ENTROPY_TOKEN_PATTERN, (match) => {
+        if (match.includes("/") && match.length < 60) {
+            return match;
+        }
+        if (!looksLikeSecret(match)) {
+            return match;
+        }
+        return shannonEntropy(match) >= ENTROPY_THRESHOLD ? "[REDACTED]" : match;
+    });
+}
+function redactTargetedPatterns(text) {
+    return REDACTION_PATTERNS.reduce((accumulator, entry) => {
+        entry.pattern.lastIndex = 0;
+        return accumulator.replace(entry.pattern, "[REDACTED]");
+    }, text);
+}
+function redactRawSignalText(text) {
+    return redactTargetedPatterns(sanitizeUrls(text));
+}
+function redactOperationalContext(text) {
+    return redactHighEntropyTokens(scrubCommandFlags(redactRawSignalText(text)));
+}
+function sanitizeFilePath(filePath) {
+    let result = filePath.replace(/^(?:[A-Za-z]:\\|\/(?:Users|home|root|var|etc)\/[^/]+\/)/, "~/");
+    result = redactRawSignalText(result);
+    const segments = result.split(/[/\\]/);
+    if (segments.some((segment) => SENSITIVE_PATH_SEGMENTS.has(segment.toLowerCase()))) {
+        const basename = segments[segments.length - 1] ?? result;
+        return `[SENSITIVE_PATH]/${basename}`;
     }
-    if (fs.existsSync(path.resolve(process.cwd(), "figma.config")) || fs.existsSync(path.resolve(process.cwd(), ".sketch"))) {
-        return "Design";
+    return result;
+}
+function redactMetadata(value, key) {
+    if (typeof value === "string") {
+        const redacted = redactOperationalContext(value);
+        if (key && /(?:^|_)(?:path|root|file|dir|directory)(?:$|_)/i.test(key)) {
+            return sanitizeFilePath(redacted);
+        }
+        return redacted;
     }
-    if (fs.existsSync(path.resolve(process.cwd(), "campaign.yml"))) {
-        return "Marketing";
+    if (Array.isArray(value)) {
+        return value.map((entry) => redactMetadata(entry));
     }
-    const repoMarkers = ["package.json", "pyproject.toml", "go.mod", "Cargo.toml"];
-    if (repoMarkers.some((marker) => fs.existsSync(path.resolve(process.cwd(), marker)))) {
-        return "Engineering";
+    if (typeof value === "object" && value !== null) {
+        return Object.fromEntries(Object.entries(value).map(([entryKey, entry]) => [entryKey, redactMetadata(entry, entryKey)]));
     }
-    return "Engineering";
+    return value;
 }
 export function redactProvenanceSignal(input) {
     const parsed = provenanceSignalSchema.parse(input);
     return {
         ...parsed,
+        decision: redactRawSignalText(parsed.decision),
+        rationale: redactRawSignalText(parsed.rationale),
+        framework: typeof parsed.framework === "string" ? redactRawSignalText(parsed.framework) : undefined,
+        filesAffected: parsed.filesAffected.map((filePath) => sanitizeFilePath(filePath)),
         originatingPrompt: typeof parsed.originatingPrompt === "string"
-            ? redactSecrets(parsed.originatingPrompt)
+            ? redactOperationalContext(parsed.originatingPrompt)
             : undefined,
-        metadata: {
-            ...parsed.metadata,
-            functional_area: inferFunctionalArea(parsed),
-        },
+        installToken: typeof parsed.installToken === "string"
+            ? redactOperationalContext(parsed.installToken)
+            : undefined,
+        metadata: redactMetadata(parsed.metadata),
     };
 }
 export function redactCodingSessionSignal(input) {
     const parsed = codingSessionSignalSchema.parse(input);
     return {
         ...parsed,
-        summary: redactSecrets(parsed.summary),
+        summary: redactRawSignalText(parsed.summary),
         evidence: parsed.evidence.map((entry) => ({
             ...entry,
-            excerpt: redactSecrets(entry.excerpt),
+            excerpt: redactOperationalContext(entry.excerpt),
         })),
-        commandsRun: parsed.commandsRun.map((command) => redactSecrets(command)),
+        filesTouched: parsed.filesTouched.map((filePath) => sanitizeFilePath(filePath)),
+        commandsRun: parsed.commandsRun.map((command) => redactOperationalContext(command)),
         metadata: redactMetadata(parsed.metadata),
     };
 }
-function apiBaseUrl() {
-    return process.env.ASKTHEW_API_URL?.trim() || "https://app.askthew.com";
+function apiBaseUrl(override) {
+    return override?.trim() || process.env.ASKTHEW_API_URL?.trim() || "https://app.askthew.com";
 }
 function normalizeClientId(value) {
     return String(value ?? "")
@@ -132,75 +278,126 @@ function normalizeClientId(value) {
 export function normalizeInstallTokenInput(token) {
     return String(token ?? "").trim().replace(/^['"]/, "").replace(/['"]$/, "");
 }
-function credentials() {
+function routeWithQuery(route, params) {
+    const searchParams = new URLSearchParams();
+    for (const [key, value] of Object.entries(params)) {
+        if (value === undefined || value === null || value === "") {
+            continue;
+        }
+        searchParams.set(key, String(value));
+    }
+    const query = searchParams.toString();
+    return query ? `${route}?${query}` : route;
+}
+function credentials(overrides) {
     const legacyHostType = process.env.ASKTHEW_HOST_TYPE?.trim();
     const hostType = legacyHostType === "claude_code" || legacyHostType === "codex" || legacyHostType === "cursor"
         ? legacyHostType
         : undefined;
-    const clientId = normalizeClientId(process.env.ASKTHEW_CLIENT_ID?.trim()) || hostType || "mcp_client";
+    const overrideHostType = overrides?.hostType;
+    const clientId = normalizeClientId(overrides?.clientId) ||
+        normalizeClientId(process.env.ASKTHEW_CLIENT_ID?.trim()) ||
+        overrideHostType ||
+        hostType ||
+        "mcp_client";
     return {
-        installToken: normalizeInstallTokenInput(process.env.ASKTHEW_INSTALL_TOKEN),
-        userId: process.env.ASKTHEW_USER_ID?.trim(),
-        apiKey: process.env.ASKTHEW_API_KEY?.trim(),
-        serverName: process.env.ASKTHEW_SERVER_NAME?.trim(),
+        installToken: normalizeInstallTokenInput(overrides?.installToken) ||
+            normalizeInstallTokenInput(process.env.ASKTHEW_INSTALL_TOKEN),
+        userId: overrides?.userId?.trim() || process.env.ASKTHEW_USER_ID?.trim(),
+        apiKey: overrides?.apiKey?.trim() || process.env.ASKTHEW_API_KEY?.trim(),
+        serverName: overrides?.serverName?.trim() || process.env.ASKTHEW_SERVER_NAME?.trim(),
         clientId,
-        clientLabel: process.env.ASKTHEW_CLIENT_LABEL?.trim(),
-        hostType,
+        clientLabel: overrides?.clientLabel?.trim() || process.env.ASKTHEW_CLIENT_LABEL?.trim(),
+        hostType: overrideHostType || hostType,
     };
 }
-function hasServerIdentity() {
-    const { installToken, userId } = credentials();
+function hasServerIdentity(overrides) {
+    const { installToken, userId } = credentials(overrides);
     return Boolean(installToken || userId);
 }
-async function postToServer(route, payload) {
-    if (!hasServerIdentity()) {
+async function postToServer(route, payload, options, request) {
+    if (!hasServerIdentity(options?.credentials)) {
         return null;
     }
-    const { installToken, userId, apiKey, clientId, clientLabel, hostType } = credentials();
-    const response = await fetch(`${apiBaseUrl()}${route}`, {
-        method: "POST",
+    const { installToken, userId, apiKey, clientId, clientLabel, hostType } = credentials(options?.credentials);
+    const fetcher = options?.fetchImpl ?? fetch;
+    const method = request?.method ?? "POST";
+    const bodyPayload = {
+        ...payload,
+        installToken: installToken || undefined,
+        userId: userId || undefined,
+        clientId,
+        clientLabel: clientLabel || undefined,
+        hostType: hostType || undefined,
+    };
+    const response = await fetcher(`${apiBaseUrl(options?.apiBaseUrl)}${route}`, {
+        method,
         headers: {
-            "Content-Type": "application/json",
-            ...(apiKey ? { Authorization: `Bearer ${apiKey}` } : {}),
+            ...(method === "GET" ? {} : { "Content-Type": "application/json" }),
+            ...(installToken
+                ? { Authorization: `Bearer ${installToken}` }
+                : apiKey
+                    ? { Authorization: `Bearer ${apiKey}` }
+                    : {}),
         },
-        body: JSON.stringify({
-            ...payload,
-            installToken: installToken || undefined,
-            userId: userId || undefined,
-            clientId,
-            clientLabel: clientLabel || undefined,
-            hostType: hostType || undefined,
-        }),
+        ...(method === "GET" ? {} : { body: JSON.stringify(bodyPayload) }),
     }).catch(() => null);
-    if (!response || !response.ok) {
-        return null;
+    if (!response) {
+        return {
+            ok: false,
+            error: "Ask The W server could not be reached.",
+        };
     }
-    return response.json().catch(() => null);
+    const body = await response.json().catch(() => null);
+    if (!response.ok) {
+        return {
+            ok: false,
+            status: response.status,
+            ...(body && typeof body === "object" ? body : { error: "Ask The W request failed." }),
+        };
+    }
+    return body;
 }
-function runtimeMetadata() {
+function runtimeMetadata(options) {
     const scope = resolvePluginScope(process.cwd());
-    const { serverName, clientId, clientLabel } = credentials();
+    const { serverName, clientId, clientLabel } = credentials(options?.credentials);
+    const extraMetadata = typeof options?.runtimeMetadata === "function"
+        ? options.runtimeMetadata()
+        : (options?.runtimeMetadata ?? {});
     return {
         repository: scope.repoName,
         repo_name: scope.repoName,
-        ...(scope.repoRoot ? { repo_root: scope.repoRoot } : {}),
-        ...(scope.appPath ? { app_path: scope.appPath } : {}),
+        ...(scope.repoRoot ? { repo_root: sanitizeFilePath(scope.repoRoot) } : {}),
+        ...(scope.appPath ? { app_path: sanitizeFilePath(scope.appPath) } : {}),
         ...(scope.serviceName ? { service_name: scope.serviceName } : {}),
         ...(serverName ? { server_name: serverName } : {}),
         ...(clientId ? { client_id: clientId } : {}),
         ...(clientLabel ? { client_label: clientLabel } : {}),
+        ...extraMetadata,
     };
 }
-async function sendStartupHeartbeat() {
-    if (!hasServerIdentity()) {
+function startupSessionId(options) {
+    const scope = resolvePluginScope(process.cwd());
+    const { clientId } = credentials(options?.credentials);
+    const scopeKey = [scope.repoName, scope.appPath, scope.serviceName]
+        .filter((part) => Boolean(part))
+        .join(":") || "workspace";
+    return ["mcp-startup", clientId || "mcp_client", scopeKey]
+        .join(":")
+        .replace(/[^a-zA-Z0-9:_-]+/g, "_")
+        .slice(0, 240);
+}
+async function sendStartupHeartbeat(options) {
+    if (!hasServerIdentity(options?.credentials)) {
         return;
     }
-    const { installToken, apiKey, clientId, clientLabel, hostType, serverName } = credentials();
+    const { installToken, apiKey, clientId, clientLabel, hostType, serverName } = credentials(options?.credentials);
     if (!installToken) {
         return;
     }
     const scope = resolvePluginScope(process.cwd());
-    await fetch(`${apiBaseUrl()}/api/connectors/mcp/heartbeat`, {
+    const fetcher = options?.fetchImpl ?? fetch;
+    await fetcher(`${apiBaseUrl(options?.apiBaseUrl)}/api/connectors/mcp/heartbeat`, {
         method: "POST",
         headers: {
             "Content-Type": "application/json",
@@ -219,12 +416,79 @@ async function sendStartupHeartbeat() {
         }),
     }).catch(() => null);
 }
-export function createAskTheWMcpServer() {
+async function sendStartupSetupSignal(options) {
+    const sessionSignal = {
+        sessionId: startupSessionId(options),
+        sequence: 0,
+        kind: "setup_complete",
+        summary: "Ask The W MCP server started for this coding-agent session.",
+        evidence: [],
+        filesTouched: [],
+        commandsRun: [],
+        metadata: {
+            ...runtimeMetadata(options),
+            automated: true,
+            operational: true,
+            origin: "mcp_server_startup",
+        },
+    };
+    await postToServer("/api/ingest/mcp", {
+        sessionSignal: redactCodingSessionSignal(sessionSignal),
+    }, options);
+}
+async function sendStartupSignals(options) {
+    await sendStartupHeartbeat(options).catch(() => null);
+    await sendStartupSetupSignal(options).catch(() => null);
+}
+export function createAskTheWMcpServer(options = {}) {
+    const resolvedMode = resolveMcpMode();
+    const optionInstallToken = normalizeInstallTokenInput(options.credentials?.installToken);
+    const mode = optionInstallToken
+        ? { mode: "paid", installToken: optionInstallToken, reason: "options_install_token" }
+        : resolvedMode;
+    const localStore = mode.mode === "paid" ? null : LocalStore.open();
+    if (localStore) {
+        void flushTelemetryOutbox({
+            store: localStore,
+            credentials: mode.cliCredentials ?? {
+                userId: "unauthenticated",
+                cliToken: "",
+                cliTokenId: "none",
+            },
+            apiUrl: options.apiBaseUrl,
+            fetchImpl: options.fetchImpl,
+        }).catch(() => null);
+    }
     const server = new McpServer({
-        name: "AskTheW Coding Agent Connector",
-        version: "1.0.0",
+        name: "Ask The W Coding Agent Connector",
+        version: "0.4.0",
     });
-    void sendStartupHeartbeat();
+    if (options.sendStartupHeartbeat !== false) {
+        void sendStartupSignals(options);
+    }
+    const apiToolResponse = async (route, payload = {}, method = "GET") => {
+        const upstream = await postToServer(route, payload, options, { method });
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: JSON.stringify(upstream, null, 2),
+                },
+            ],
+        };
+    };
+    const localResponse = (value) => toolJson(value);
+    const requireFreeIdentity = () => {
+        if (mode.mode === "unauthenticated") {
+            return localResponse({
+                ok: false,
+                code: "free_tier_login_required",
+                message: "Run `npx @askthew/mcp-plugin auth login --email you@example.com` to unlock local capture.",
+                supportEmail: "support@askthew.com",
+            });
+        }
+        return null;
+    };
     server.tool("capture_session_signal", {
         sessionId: z.string().min(1),
         sequence: z.number().int().nonnegative(),
@@ -243,13 +507,50 @@ export function createAskTheWMcpServer() {
         const sessionSignal = redactCodingSessionSignal({
             ...payload,
             metadata: {
-                ...runtimeMetadata(),
+                ...runtimeMetadata(options),
                 ...(payload.metadata ?? {}),
             },
         });
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired) {
+                return loginRequired;
+            }
+            const signal = localStore.insertSignal({
+                sessionId: sessionSignal.sessionId,
+                sequence: sessionSignal.sequence,
+                kind: sessionSignal.kind,
+                summary: sessionSignal.summary,
+                evidence: sessionSignal.evidence,
+                filesTouched: sessionSignal.filesTouched,
+                commandsRun: sessionSignal.commandsRun,
+                metadata: sessionSignal.metadata,
+            });
+            if (sessionSignal.kind === "final_summary" && mode.cliCredentials) {
+                localStore.enqueueTelemetry(buildTelemetryPayload({
+                    store: localStore,
+                    credentials: mode.cliCredentials,
+                    sessionId: sessionSignal.sessionId,
+                }));
+                void flushTelemetryOutbox({
+                    store: localStore,
+                    credentials: mode.cliCredentials,
+                    apiUrl: options.apiBaseUrl,
+                    fetchImpl: options.fetchImpl,
+                }).catch(() => null);
+            }
+            return localResponse({
+                ok: true,
+                tier: "free",
+                signal,
+                note: localStore.usingJsonFallback
+                    ? "Captured locally in JSON fallback mode because SQLite was unavailable."
+                    : "Captured locally in SQLite. Aggregate telemetry only may flush on final_summary unless opted out.",
+            });
+        }
         const upstream = await postToServer("/api/ingest/mcp", {
             sessionSignal,
-        });
+        }, options);
         return {
             content: [
                 {
@@ -264,5 +565,340 @@ export function createAskTheWMcpServer() {
             ],
         };
     });
+    server.tool("list_decisions", {
+        limit: z.number().int().positive().max(300).optional(),
+        cursor: z.string().optional(),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            return localResponse({
+                ok: true,
+                tier: "free",
+                decisions: localStore.listDecisions({ limit: payload.limit ?? 50 }),
+            });
+        }
+        return apiToolResponse(routeWithQuery("/api/decisions", {
+            limit: payload.limit,
+            cursor: payload.cursor,
+        }));
+    });
+    server.tool("get_decision", {
+        id: z.string().min(1),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            const decision = localStore.getDecision(payload.id);
+            return localResponse(decision ? { ok: true, tier: "free", decision } : { ok: false, code: "not_found" });
+        }
+        return apiToolResponse(`/api/decisions/${encodeURIComponent(payload.id)}`);
+    });
+    server.tool("create_decision", {
+        content: z.string().min(1),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            return localResponse({
+                ok: true,
+                tier: "free",
+                decision: localStore.createDecision({
+                    rawContent: payload.content,
+                    sessionId: localStore.mostRecentSessionId(),
+                }),
+            });
+        }
+        return apiToolResponse("/api/decisions", {
+            content: payload.content,
+        }, "POST");
+    });
+    server.tool("update_decision", {
+        id: z.string().min(1),
+        headline: z.string().min(1).optional(),
+        why: z.string().optional(),
+        status: z.enum(["proposed", "committed", "shipped", "abandoned"]).optional(),
+        alignment: z.enum(["aligned", "orthogonal", "conflicts", "ambiguous"]).optional(),
+        outcomeId: z.string().min(1).optional(),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            const decision = localStore.updateDecision(payload.id, {
+                ...(payload.headline ? { headline: payload.headline } : {}),
+                ...(payload.why !== undefined ? { why: payload.why } : {}),
+                ...(payload.status ? { status: payload.status } : {}),
+                ...(payload.alignment !== undefined ? { alignment: payload.alignment } : {}),
+            });
+            return localResponse(decision ? { ok: true, tier: "free", decision } : { ok: false, code: "not_found" });
+        }
+        return apiToolResponse(`/api/decisions/${encodeURIComponent(payload.id)}`, {
+            headline: payload.headline,
+            why: payload.why,
+            status: payload.status,
+            alignment: payload.alignment,
+            outcomeId: payload.outcomeId,
+        }, "PATCH");
+    });
+    server.tool("delete_decision", {
+        id: z.string().min(1),
+        confirmText: z.string().min(1),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            if (payload.confirmText !== payload.id) {
+                return localResponse({ ok: false, code: "confirmation_required", message: "confirmText must match the decision id." });
+            }
+            return localResponse({ ok: localStore.deleteDecision(payload.id), tier: "free" });
+        }
+        return apiToolResponse(`/api/decisions/${encodeURIComponent(payload.id)}`, {
+            confirmText: payload.confirmText,
+        }, "DELETE");
+    });
+    server.tool("list_outcomes", paidDescription("List outcomes from your workspace.", mode.mode), {
+        limit: z.number().int().positive().max(300).optional(),
+    }, async (payload) => {
+        if (mode.mode === "free")
+            return localResponse(paidFeatureNudge("list_outcomes"));
+        return apiToolResponse(routeWithQuery("/api/outcomes", {
+            limit: payload.limit,
+        }));
+    });
+    server.tool("get_outcome", paidDescription("Get outcome detail from your workspace.", mode.mode), {
+        id: z.string().min(1),
+    }, async (payload) => mode.mode === "free"
+        ? localResponse(paidFeatureNudge("get_outcome"))
+        : apiToolResponse(`/api/outcomes/${encodeURIComponent(payload.id)}`));
+    server.tool("list_outcome_signals", paidDescription("List signals linked to an outcome.", mode.mode), {
+        id: z.string().min(1),
+    }, async (payload) => mode.mode === "free"
+        ? localResponse(paidFeatureNudge("list_outcome_signals"))
+        : apiToolResponse(`/api/outcomes/${encodeURIComponent(payload.id)}/signals`));
+    server.tool("create_outcome", paidDescription("Create a new outcome.", mode.mode), {
+        name: z.string().min(1),
+        summary: z.string().optional(),
+        causalHypothesis: z.string().optional(),
+        suggestedAction: z.string().optional(),
+    }, async (payload) => {
+        if (mode.mode === "free")
+            return localResponse(paidFeatureNudge("create_outcome"));
+        return apiToolResponse("/api/outcomes", {
+            name: payload.name,
+            summary: payload.summary,
+            causalHypothesis: payload.causalHypothesis,
+            suggestedAction: payload.suggestedAction,
+        }, "POST");
+    });
+    server.tool("update_outcome", paidDescription("Update an outcome.", mode.mode), {
+        id: z.string().min(1),
+        name: z.string().min(1).optional(),
+        summary: z.string().optional(),
+        causalHypothesis: z.string().optional(),
+        suggestedAction: z.string().optional(),
+        status: z.enum(["active", "achieved", "abandoned", "archived"]).optional(),
+    }, async (payload) => {
+        if (mode.mode === "free")
+            return localResponse(paidFeatureNudge("update_outcome"));
+        return apiToolResponse(`/api/outcomes/${encodeURIComponent(payload.id)}`, {
+            name: payload.name,
+            summary: payload.summary,
+            causalHypothesis: payload.causalHypothesis,
+            suggestedAction: payload.suggestedAction,
+            status: payload.status,
+        }, "PATCH");
+    });
+    server.tool("delete_outcome", paidDescription("Delete an outcome.", mode.mode), {
+        id: z.string().min(1),
+        confirmText: z.string().min(1),
+    }, async (payload) => {
+        if (mode.mode === "free")
+            return localResponse(paidFeatureNudge("delete_outcome"));
+        return apiToolResponse(`/api/outcomes/${encodeURIComponent(payload.id)}`, {
+            confirmText: payload.confirmText,
+        }, "DELETE");
+    });
+    server.tool("get_north_star", paidDescription("Read the workspace north-star metric.", mode.mode), {}, async () => mode.mode === "free"
+        ? localResponse(paidFeatureNudge("get_north_star"))
+        : apiToolResponse("/api/north-star"));
+    server.tool("update_north_star", paidDescription("Update the workspace north-star metric.", mode.mode), {
+        metric: z.string().min(1),
+        current: z.string().min(1),
+        target: z.string().min(1),
+        reason: z.string().min(1),
+    }, async (payload) => {
+        if (mode.mode === "free")
+            return localResponse(paidFeatureNudge("update_north_star"));
+        return apiToolResponse("/api/north-star", {
+            metric: payload.metric,
+            current: payload.current,
+            target: payload.target,
+            reason: payload.reason,
+        }, "POST");
+    });
+    server.tool("list_signals", {
+        limit: z.number().int().positive().max(300).optional(),
+        cursor: z.string().optional(),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            return localResponse({
+                ok: true,
+                tier: "free",
+                signals: localStore.listSignals({ limit: payload.limit ?? 300 }),
+            });
+        }
+        return apiToolResponse(routeWithQuery("/api/signals", {
+            limit: payload.limit,
+            cursor: payload.cursor,
+        }));
+    });
+    server.tool("get_signal", {
+        id: z.string().min(1),
+    }, async (payload) => {
+        if (mode.mode !== "paid" && localStore) {
+            const loginRequired = requireFreeIdentity();
+            if (loginRequired)
+                return loginRequired;
+            const signal = localStore.getSignal(Number(payload.id));
+            return localResponse(signal ? { ok: true, tier: "free", signal } : { ok: false, code: "not_found" });
+        }
+        return apiToolResponse(`/api/signals/${encodeURIComponent(payload.id)}`);
+    });
+    server.tool("review_decisions", {
+        since: z.string().optional(),
+        status: z.enum(["proposed", "committed", "shipped", "abandoned"]).optional(),
+        format: z.enum(["markdown", "json"]).default("markdown"),
+        limit: z.number().int().positive().max(300).default(50),
+    }, async (payload) => {
+        if (mode.mode === "paid") {
+            return apiToolResponse(routeWithQuery("/api/decisions", {
+                since: payload.since,
+                status: payload.status,
+                limit: payload.limit,
+            }));
+        }
+        if (!localStore)
+            return localResponse({ ok: false, code: "local_store_unavailable" });
+        const loginRequired = requireFreeIdentity();
+        if (loginRequired)
+            return loginRequired;
+        const decisions = localStore.listDecisions({
+            since: payload.since,
+            status: payload.status,
+            limit: payload.limit,
+        });
+        return localResponse({
+            ok: true,
+            tier: "free",
+            format: payload.format,
+            rendered: renderDecisionDigest(decisions),
+            decisions,
+            count: decisions.length,
+            copyHint: "Copy this output to back up your decisions - `export_decisions` is a paid feature.",
+        });
+    });
+    server.tool("review_session", {
+        sessionId: z.string().optional(),
+        format: z.enum(["markdown", "json"]).default("markdown"),
+    }, async (payload) => {
+        if (!localStore || mode.mode === "paid") {
+            return apiToolResponse(routeWithQuery("/api/signals", { sessionId: payload.sessionId }));
+        }
+        const loginRequired = requireFreeIdentity();
+        if (loginRequired)
+            return loginRequired;
+        const sessionId = payload.sessionId ?? localStore.mostRecentSessionId();
+        const signals = sessionId ? localStore.listSignals({ sessionId, limit: 100000 }) : [];
+        const counts = signals.reduce((accumulator, signal) => {
+            accumulator[signal.kind] = (accumulator[signal.kind] ?? 0) + 1;
+            return accumulator;
+        }, {});
+        return localResponse({
+            ok: true,
+            tier: "free",
+            sessionId,
+            format: payload.format,
+            rendered: renderSessionFeed(signals),
+            signals,
+            counts: {
+                totalSignals: signals.length,
+                byKind: counts,
+            },
+        });
+    });
+    server.tool("analyze_session", {
+        sessionId: z.string().optional(),
+        window: z.enum(["session", "day", "week"]).default("session"),
+    }, async (payload) => {
+        if (!localStore || mode.mode === "paid") {
+            return localResponse(paidFeatureNudge("analyze_session"));
+        }
+        const loginRequired = requireFreeIdentity();
+        if (loginRequired)
+            return loginRequired;
+        const sessionId = payload.sessionId ?? localStore.mostRecentSessionId();
+        const signals = sessionId ? localStore.listSignals({ sessionId, limit: 100000 }) : [];
+        const decisions = localStore.listDecisions({ limit: 100000 });
+        const tips = signals.length < 5 ? [] : analyzeLocalPatterns({ signals, decisions });
+        const verification = signals.filter((signal) => signal.kind === "verification_result");
+        const verificationPass = verification.filter((signal) => /pass|green|ok|success/i.test(signal.summary)).length;
+        return localResponse({
+            ok: true,
+            tier: "free",
+            window: payload.window,
+            guidance: tips.length === 0
+                ? "Capture a few signals first - `analyze_session` needs at least 5 signals to surface patterns."
+                : undefined,
+            windowSummary: {
+                signalCount: signals.length,
+                decisionsCreated: decisions.length,
+                verificationPassRate: verification.length ? verificationPass / verification.length : 0,
+                directionChanges: signals.filter((signal) => signal.kind === "direction_change").length,
+                filesTouched: new Set(signals.flatMap((signal) => signal.filesTouched)).size,
+            },
+            tips,
+            paidUpsell: "Zones, health-state, velocity trends, and LLM-synthesized cross-session insights are part of the paid tier. https://askthew.com/pricing",
+            supportEmail: "support@askthew.com",
+        });
+    });
+    server.tool("export_decisions", paidDescription("Export decisions from your workspace.", mode.mode), {
+        format: z.enum(["json", "markdown", "jsonl"]).default("json"),
+    }, async () => mode.mode === "free"
+        ? localResponse(paidFeatureNudge("export_decisions"))
+        : apiToolResponse("/api/export/timeline"));
     return server;
 }
+function renderDecisionDigest(decisions) {
+    if (decisions.length === 0) {
+        return "# Decisions\n\nNo local decisions captured yet.";
+    }
+    return [
+        "# Decisions",
+        "",
+        ...decisions.map((decision) => [`## ${decision.headline}`, `- id: ${decision.id}`, `- status: ${decision.status}`, `- created: ${decision.createdAt}`, decision.why ? `- why: ${decision.why}` : "- why: not captured"].join("\n")),
+    ].join("\n\n");
+}
+function renderSessionFeed(signals) {
+    if (signals.length === 0) {
+        return "# Session\n\nNo local signals captured yet.";
+    }
+    return [
+        "# Session",
+        "",
+        ...signals.map((signal) => [
+            `## ${signal.sequence ?? signal.id}. ${signal.kind}`,
+            signal.summary,
+            `- captured: ${signal.capturedAt}`,
+            signal.filesTouched.length ? `- files: ${signal.filesTouched.join(", ")}` : "- files: none",
+            signal.commandsRun.length ? `- commands: ${signal.commandsRun.join(" | ")}` : "- commands: none",
+        ].join("\n")),
+    ].join("\n\n");
+}