@atoms-tech/atoms-mcp 0.1.0

package/dist/db/client.js

@@ -0,0 +1,110 @@
+/**
+ * Supabase client factory for the MCP server.
+ *
+ * Creates a user-scoped client with JWT — RLS enforced automatically.
+ * Never uses service role key (all queries respect user permissions).
+ */
+import { createClient } from "@supabase/supabase-js";
+import { getValidToken } from "../auth/refresh.js";
+import { ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY } from "../config.js";
+let cachedClient = null;
+let cachedUserId = null;
+let cachedEmail = null;
+let tokenExpiresAt = 0;
+/**
+ * Get or create an authenticated Supabase client.
+ * Auto-refreshes JWT when expired. All queries run with user's RLS permissions.
+ */
+export async function getClient() {
+    // If token is within 60s of expiry, force refresh
+    if (cachedClient && tokenExpiresAt > Date.now() + 60_000) {
+        return cachedClient;
+    }
+    // Token expired or no client — get a fresh token
+    if (cachedClient) {
+        process.stderr.write("[atoms-mcp] Token expiring, refreshing client...\n");
+    }
+    const { access_token, user_id, email } = await getValidToken();
+    // Decode expiry from JWT
+    const parts = access_token.split(".");
+    if (parts.length === 3) {
+        try {
+            const payload = JSON.parse(Buffer.from(parts[1].replace(/-/g, "+").replace(/_/g, "/"), "base64").toString());
+            tokenExpiresAt = (payload.exp ?? 0) * 1000; // convert to ms
+        }
+        catch {
+            // Fallback: assume 1hr from now
+            tokenExpiresAt = Date.now() + 3600_000;
+        }
+    }
+    // Use global Authorization header — works with all Supabase key formats
+    const client = createClient(ATOMS_SUPABASE_URL, ATOMS_SUPABASE_ANON_KEY, {
+        global: {
+            headers: { Authorization: `Bearer ${access_token}` },
+        },
+    });
+    cachedClient = client;
+    cachedUserId = user_id;
+    cachedEmail = email;
+    return cachedClient;
+}
+/**
+ * Get the authenticated user's ID. Must call getClient() first.
+ */
+export function getUserId() {
+    if (!cachedUserId) {
+        throw new Error("Not authenticated. Call getClient() first.");
+    }
+    return cachedUserId;
+}
+/**
+ * Get the authenticated user's email.
+ */
+export function getUserEmail() {
+    return cachedEmail ?? "";
+}
+/**
+ * Reset the cached client (for token refresh).
+ */
+export function resetClient() {
+    cachedClient = null;
+    cachedUserId = null;
+    cachedEmail = null;
+    tokenExpiresAt = 0;
+}
+/**
+ * Check if the user has write access to a project.
+ * Returns the user's org role, or throws a descriptive error.
+ */
+export async function requireWriteAccess(client, projectId) {
+    const userId = getUserId();
+    // Get the project's org
+    const { data: project, error: projErr } = await client
+        .from("projects")
+        .select("org_id")
+        .eq("id", projectId)
+        .maybeSingle();
+    if (projErr || !project) {
+        throw new Error(`Project '${projectId}' not found`);
+    }
+    // Get user's role in that org
+    const { data: membership, error: memErr } = await client
+        .from("org_members")
+        .select("role")
+        .eq("user_id", userId)
+        .eq("org_id", project.org_id)
+        .maybeSingle();
+    if (memErr || !membership) {
+        // Check if user is a platform admin (can access all orgs)
+        const { data: adminCheck } = await client.rpc("is_platform_admin");
+        if (adminCheck === true) {
+            return "admin";
+        }
+        throw new Error("Not a member of this project's organization");
+    }
+    if (membership.role === "viewer") {
+        throw new Error("VIEWER_ROLE");
+    }
+    return membership.role;
+}
+//# sourceMappingURL=client.js.map

package/dist/db/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/db/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAuB,MAAM,uBAAuB,CAAC;AAC1E,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE3E,IAAI,YAAY,GAA0B,IAAI,CAAC;AAC/C,IAAI,YAAY,GAAkB,IAAI,CAAC;AACvC,IAAI,WAAW,GAAkB,IAAI,CAAC;AACtC,IAAI,cAAc,GAAW,CAAC,CAAC;AAE/B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS;IAC7B,kDAAkD;IAClD,IAAI,YAAY,IAAI,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,EAAE,CAAC;QACzD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,iDAAiD;IACjD,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;IAC7E,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,MAAM,aAAa,EAAE,CAAC;IAE/D,yBAAyB;IACzB,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACtC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CACxB,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC,QAAQ,EAAE,CAClF,CAAC;YACF,cAAc,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,gBAAgB;QAC9D,CAAC;QAAC,MAAM,CAAC;YACP,gCAAgC;YAChC,cAAc,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,QAAQ,CAAC;QACzC,CAAC;IACH,CAAC;IAED,wEAAwE;IACxE,MAAM,MAAM,GAAG,YAAY,CAAC,kBAAkB,EAAE,uBAAuB,EAAE;QACvE,MAAM,EAAE;YACN,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,YAAY,EAAE,EAAE;SACrD;KACF,CAAC,CAAC;IAEH,YAAY,GAAG,MAAM,CAAC;IACtB,YAAY,GAAG,OAAO,CAAC;IACvB,WAAW,GAAG,KAAK,CAAC;IAEpB,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,SAAS;IACvB,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;IAChE,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY;IAC1B,OAAO,WAAW,IAAI,EAAE,CAAC;AAC3B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW;IACzB,YAAY,GAAG,IAAI,CAAC;IACpB,YAAY,GAAG,IAAI,CAAC;IACpB,WAAW,GAAG,IAAI,CAAC;IACnB,cAAc,GAAG,CAAC,CAAC;AACrB,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,MAAsB,EACtB,SAAiB;IAEjB,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;IAE3B,wBAAwB;IACxB,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,MAAM;SACnD,IAAI,CAAC,UAAU,CAAC;SAChB,MAAM,CAAC,QAAQ,CAAC;SAChB,EAAE,CAAC,IAAI,EAAE,SAAS,CAAC;SACnB,WAAW,EAAE,CAAC;IAEjB,IAAI,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,YAAY,SAAS,aAAa,CAAC,CAAC;IACtD,CAAC;IAED,8BAA8B;IAC9B,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM;SACrD,IAAI,CAAC,aAAa,CAAC;SACnB,MAAM,CAAC,MAAM,CAAC;SACd,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC;SAC5B,WAAW,EAAE,CAAC;IAEjB,IAAI,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,0DAA0D;QAC1D,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC;QACnE,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;YACxB,OAAO,OAAO,CAAC;QACjB,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,UAAU,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,aAAa,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,UAAU,CAAC,IAAI,CAAC;AACzB,CAAC"}

package/dist/db/graph.d.ts

@@ -0,0 +1,8 @@
+export {};
+/**
+ * Graph traversal helpers for traceability links.
+ * Used by get-coverage and export-mermaid tools.
+ *
+ * TODO: Implement graph traversal in Phase 2.
+ */
+//# sourceMappingURL=graph.d.ts.map

package/dist/db/graph.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../src/db/graph.ts"],"names":[],"mappings":";AAAA;;;;;GAKG"}

package/dist/db/graph.js

@@ -0,0 +1,8 @@
+export {};
+/**
+ * Graph traversal helpers for traceability links.
+ * Used by get-coverage and export-mermaid tools.
+ *
+ * TODO: Implement graph traversal in Phase 2.
+ */
+//# sourceMappingURL=graph.js.map

package/dist/db/graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"graph.js","sourceRoot":"","sources":["../../src/db/graph.ts"],"names":[],"mappings":";AAAA;;;;;GAKG"}

package/dist/db/queries.d.ts

@@ -0,0 +1,77 @@
+/**
+ * Shared Supabase query helpers for MCP tools.
+ *
+ * All queries use the user's JWT via RLS — no service role key.
+ * Query patterns adapted from supabase/functions/.../db.ts.
+ */
+import type { SupabaseClient } from "@supabase/supabase-js";
+import type { ItemRow } from "../types/work-item.js";
+/**
+ * List projects the authenticated user has access to (via org membership).
+ */
+export declare function listProjects(client: SupabaseClient): Promise<Array<{
+    id: string;
+    name: string;
+    description: string | null;
+    org_id: string;
+    org_name: string;
+    created_at: string;
+}>>;
+/**
+ * List items in a project with optional filters.
+ * Returns rows ordered by created_at, respects soft deletes.
+ */
+export declare function listItems(client: SupabaseClient, projectId: string, opts: {
+    type?: string;
+    domain?: string;
+    level?: string;
+    limit: number;
+    offset: number;
+}): Promise<{
+    items: ItemRow[];
+    totalCount: number;
+}>;
+/**
+ * Get a single item by ID (excludes soft-deleted).
+ */
+export declare function getItemById(client: SupabaseClient, projectId: string, itemId: string): Promise<ItemRow | null>;
+/**
+ * Full-text search across items in a project.
+ * Uses ilike on title, body, and summary for broad matching.
+ */
+export declare function searchItems(client: SupabaseClient, projectId: string, query: string, opts: {
+    type?: string;
+    limit: number;
+}): Promise<{
+    items: ItemRow[];
+    totalCount: number;
+}>;
+/**
+ * Get all relationships for an item (both directions).
+ */
+export declare function getItemRelationships(client: SupabaseClient, projectId: string, itemId: string): Promise<Array<{
+    from_id: string;
+    to_id: string;
+    type: string;
+}>>;
+/**
+ * Get test coverage report: requirements with/without linked test cases.
+ */
+export declare function getCoverageReport(client: SupabaseClient, projectId: string, opts: {
+    domain?: string;
+    level?: string;
+}): Promise<{
+    covered: ItemRow[];
+    uncovered: ItemRow[];
+    total: number;
+}>;
+/**
+ * Get change history for an item, newest first.
+ */
+export declare function getChangeHistory(client: SupabaseClient, projectId: string, itemId: string, limit: number): Promise<Array<Record<string, unknown>>>;
+/**
+ * Generate the next item ID for a given type in a project.
+ * Format: PREFIX-NNNNN (e.g., REQ-00058)
+ */
+export declare function generateItemId(client: SupabaseClient, projectId: string, type: string): Promise<string>;
+//# sourceMappingURL=queries.d.ts.map

package/dist/db/queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../../src/db/queries.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAC5D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,uBAAuB,CAAC;AAMrD;;GAEG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,cAAc,GACrB,OAAO,CAAC,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CAiBhI;AAMD;;;GAGG;AACH,wBAAsB,SAAS,CAC7B,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE;IACJ,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB,GACA,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CAkCnD;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,GAAG,IAAI,CAAC,CAWzB;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAC/B,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,KAAK,EAAE,MAAM,EACb,IAAI,EAAE;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACrC,OAAO,CAAC;IAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,CAAC,CA2BnD;AAMD;;GAEG;AACH,wBAAsB,oBAAoB,CACxC,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,KAAK,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC,CAAC,CASlE;AAMD;;GAEG;AACH,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,GACxC,OAAO,CAAC;IACT,OAAO,EAAE,OAAO,EAAE,CAAC;IACnB,SAAS,EAAE,OAAO,EAAE,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACf,CAAC,CAwCD;AAMD;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,CAWzC;AAMD;;;GAGG;AACH,wBAAsB,cAAc,CAClC,MAAM,EAAE,cAAc,EACtB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GACX,OAAO,CAAC,MAAM,CAAC,CAejB"}

package/dist/db/queries.js

@@ -0,0 +1,210 @@
+/**
+ * Shared Supabase query helpers for MCP tools.
+ *
+ * All queries use the user's JWT via RLS — no service role key.
+ * Query patterns adapted from supabase/functions/.../db.ts.
+ */
+// ---------------------------------------------------------------------------
+// Project queries
+// ---------------------------------------------------------------------------
+/**
+ * List projects the authenticated user has access to (via org membership).
+ */
+export async function listProjects(client) {
+    const { data, error } = await client
+        .from("projects")
+        .select("id, name, description, org_id, created_at, organizations(name)")
+        .is("deleted_at", null)
+        .order("created_at", { ascending: false });
+    if (error)
+        throw new Error(error.message);
+    return (data ?? []).map((p) => ({
+        id: p.id,
+        name: p.name,
+        description: p.description,
+        org_id: p.org_id,
+        org_name: p.organizations?.name ?? "Unknown",
+        created_at: p.created_at,
+    }));
+}
+// ---------------------------------------------------------------------------
+// Item queries
+// ---------------------------------------------------------------------------
+/**
+ * List items in a project with optional filters.
+ * Returns rows ordered by created_at, respects soft deletes.
+ */
+export async function listItems(client, projectId, opts) {
+    let query = client
+        .from("items")
+        .select("*", { count: "exact" })
+        .eq("project_id", projectId)
+        .is("deleted_at", null)
+        .order("created_at", { ascending: true })
+        .range(opts.offset, opts.offset + opts.limit - 1);
+    if (opts.type) {
+        query = query.eq("type", opts.type);
+    }
+    const { data, error, count } = await query;
+    if (error)
+        throw new Error(error.message);
+    // Apply domain/level filters in JS (JSONB nested field filtering)
+    let filtered = (data ?? []);
+    if (opts.domain) {
+        filtered = filtered.filter((item) => {
+            const domains = item.data?.tags?.domains ?? [];
+            return domains.includes(opts.domain);
+        });
+    }
+    if (opts.level) {
+        filtered = filtered.filter((item) => {
+            return item.data?.tags?.level === opts.level;
+        });
+    }
+    return {
+        items: filtered,
+        totalCount: opts.domain || opts.level ? filtered.length : (count ?? 0),
+    };
+}
+/**
+ * Get a single item by ID (excludes soft-deleted).
+ */
+export async function getItemById(client, projectId, itemId) {
+    const { data, error } = await client
+        .from("items")
+        .select("*")
+        .eq("id", itemId)
+        .eq("project_id", projectId)
+        .is("deleted_at", null)
+        .maybeSingle();
+    if (error)
+        throw new Error(error.message);
+    return data;
+}
+/**
+ * Full-text search across items in a project.
+ * Uses ilike on title, body, and summary for broad matching.
+ */
+export async function searchItems(client, projectId, query, opts) {
+    const searchTerm = query.trim();
+    if (!searchTerm) {
+        return { items: [], totalCount: 0 };
+    }
+    // Use ilike for broad matching across title and JSONB fields
+    let queryBuilder = client
+        .from("items")
+        .select("*", { count: "exact" })
+        .eq("project_id", projectId)
+        .is("deleted_at", null)
+        .or(`title.ilike.%${searchTerm}%,` +
+        `data->>body.ilike.%${searchTerm}%,` +
+        `data->>summary.ilike.%${searchTerm}%`)
+        .limit(opts.limit);
+    if (opts.type) {
+        queryBuilder = queryBuilder.eq("type", opts.type);
+    }
+    const { data, error, count } = await queryBuilder;
+    if (error)
+        throw new Error(error.message);
+    return { items: (data ?? []), totalCount: count ?? 0 };
+}
+// ---------------------------------------------------------------------------
+// Relationship queries
+// ---------------------------------------------------------------------------
+/**
+ * Get all relationships for an item (both directions).
+ */
+export async function getItemRelationships(client, projectId, itemId) {
+    const { data, error } = await client
+        .from("item_relationships")
+        .select("from_id, to_id, type")
+        .eq("project_id", projectId)
+        .or(`from_id.eq.${itemId},to_id.eq.${itemId}`);
+    if (error)
+        throw new Error(error.message);
+    return data ?? [];
+}
+// ---------------------------------------------------------------------------
+// Coverage queries
+// ---------------------------------------------------------------------------
+/**
+ * Get test coverage report: requirements with/without linked test cases.
+ */
+export async function getCoverageReport(client, projectId, opts) {
+    // Get all requirements in the project
+    const { data: requirements, error: reqErr } = await client
+        .from("items")
+        .select("*")
+        .eq("project_id", projectId)
+        .eq("type", "requirement")
+        .is("deleted_at", null);
+    if (reqErr)
+        throw new Error(reqErr.message);
+    const allReqs = (requirements ?? []);
+    // Filter by domain/level on the JSONB data
+    const filteredReqs = allReqs.filter((req) => {
+        if (opts.domain) {
+            const domains = req.data?.tags?.domains ?? [];
+            if (!domains.includes(opts.domain))
+                return false;
+        }
+        if (opts.level) {
+            if (req.data?.tags?.level !== opts.level)
+                return false;
+        }
+        return true;
+    });
+    // Get all verified_by relationships for this project
+    const { data: verifiedRels, error: relErr } = await client
+        .from("item_relationships")
+        .select("from_id")
+        .eq("project_id", projectId)
+        .eq("type", "verified_by");
+    if (relErr)
+        throw new Error(relErr.message);
+    const coveredIds = new Set((verifiedRels ?? []).map((r) => r.from_id));
+    const covered = filteredReqs.filter((r) => coveredIds.has(r.id));
+    const uncovered = filteredReqs.filter((r) => !coveredIds.has(r.id));
+    return { covered, uncovered, total: filteredReqs.length };
+}
+// ---------------------------------------------------------------------------
+// History queries
+// ---------------------------------------------------------------------------
+/**
+ * Get change history for an item, newest first.
+ */
+export async function getChangeHistory(client, projectId, itemId, limit) {
+    const { data, error } = await client
+        .from("change_history")
+        .select("*")
+        .eq("item_id", itemId)
+        .eq("project_id", projectId)
+        .order("changed_at", { ascending: false })
+        .limit(limit);
+    if (error)
+        throw new Error(error.message);
+    return data ?? [];
+}
+// ---------------------------------------------------------------------------
+// Item mutations (for write tools — Phase 3)
+// ---------------------------------------------------------------------------
+/**
+ * Generate the next item ID for a given type in a project.
+ * Format: PREFIX-NNNNN (e.g., REQ-00058)
+ */
+export async function generateItemId(client, projectId, type) {
+    const prefix = type === "requirement" ? "REQ"
+        : type === "test-case" ? "TC"
+            : type === "note" ? "NOTE"
+                : "TABLE";
+    // Use Postgres SECURITY DEFINER function that sees ALL items (including soft-deleted)
+    // to avoid ID collisions. Only returns the next ID string, never exposes item data.
+    const { data, error } = await client.rpc("next_item_id", {
+        p_project_id: projectId,
+        p_prefix: prefix,
+    });
+    if (error)
+        throw new Error(`ID generation failed: ${error.message}`);
+    return data;
+}
+//# sourceMappingURL=queries.js.map

package/dist/db/queries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"queries.js","sourceRoot":"","sources":["../../src/db/queries.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAAsB;IAEtB,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM;SACjC,IAAI,CAAC,UAAU,CAAC;SAChB,MAAM,CAAC,gEAAgE,CAAC;SACxE,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC;SACtB,KAAK,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IAE7C,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE1C,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAA0B,EAAE,EAAE,CAAC,CAAC;QACvD,EAAE,EAAE,CAAC,CAAC,EAAY;QAClB,IAAI,EAAE,CAAC,CAAC,IAAc;QACtB,WAAW,EAAE,CAAC,CAAC,WAA4B;QAC3C,MAAM,EAAE,CAAC,CAAC,MAAgB;QAC1B,QAAQ,EAAI,CAAC,CAAC,aAAyC,EAAE,IAAe,IAAI,SAAS;QACrF,UAAU,EAAE,CAAC,CAAC,UAAoB;KACnC,CAAC,CAAC,CAAC;AACN,CAAC;AAED,8EAA8E;AAC9E,eAAe;AACf,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,MAAsB,EACtB,SAAiB,EACjB,IAMC;IAED,IAAI,KAAK,GAAG,MAAM;SACf,IAAI,CAAC,OAAO,CAAC;SACb,MAAM,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SAC/B,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC;SACtB,KAAK,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;SACxC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;IAEpD,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,KAAK,GAAG,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,MAAM,KAAK,CAAC;IAC3C,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE1C,kEAAkE;IAClE,IAAI,QAAQ,GAAG,CAAC,IAAI,IAAI,EAAE,CAAc,CAAC;IACzC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YAClC,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;YAC/C,OAAO,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAO,CAAC,CAAC;QACxC,CAAC,CAAC,CAAC;IACL,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE;YAClC,OAAO,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC;QAC/C,CAAC,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,KAAK,EAAE,QAAQ;QACf,UAAU,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC;KACvE,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAsB,EACtB,SAAiB,EACjB,MAAc;IAEd,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM;SACjC,IAAI,CAAC,OAAO,CAAC;SACb,MAAM,CAAC,GAAG,CAAC;SACX,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC;SAChB,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC;SACtB,WAAW,EAAE,CAAC;IAEjB,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC1C,OAAO,IAAsB,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,MAAsB,EACtB,SAAiB,EACjB,KAAa,EACb,IAAsC;IAEtC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IAChC,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,KAAK,EAAE,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;IACtC,CAAC;IAED,6DAA6D;IAC7D,IAAI,YAAY,GAAG,MAAM;SACtB,IAAI,CAAC,OAAO,CAAC;SACb,MAAM,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;SAC/B,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC;SACtB,EAAE,CACD,gBAAgB,UAAU,IAAI;QAC9B,sBAAsB,UAAU,IAAI;QACpC,yBAAyB,UAAU,GAAG,CACvC;SACA,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAErB,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,YAAY,GAAG,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,GAAG,MAAM,YAAY,CAAC;IAClD,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAE1C,OAAO,EAAE,KAAK,EAAE,CAAC,IAAI,IAAI,EAAE,CAAc,EAAE,UAAU,EAAE,KAAK,IAAI,CAAC,EAAE,CAAC;AACtE,CAAC;AAED,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,MAAsB,EACtB,SAAiB,EACjB,MAAc;IAEd,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM;SACjC,IAAI,CAAC,oBAAoB,CAAC;SAC1B,MAAM,CAAC,sBAAsB,CAAC;SAC9B,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,EAAE,CAAC,cAAc,MAAM,aAAa,MAAM,EAAE,CAAC,CAAC;IAEjD,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC1C,OAAO,IAAI,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,MAAsB,EACtB,SAAiB,EACjB,IAAyC;IAMzC,sCAAsC;IACtC,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM;SACvD,IAAI,CAAC,OAAO,CAAC;SACb,MAAM,CAAC,GAAG,CAAC;SACX,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC;SACzB,EAAE,CAAC,YAAY,EAAE,IAAI,CAAC,CAAC;IAE1B,IAAI,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE5C,MAAM,OAAO,GAAG,CAAC,YAAY,IAAI,EAAE,CAAc,CAAC;IAElD,2CAA2C;IAC3C,MAAM,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE;QAC1C,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,IAAI,EAAE,CAAC;YAC9C,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC;gBAAE,OAAO,KAAK,CAAC;QACnD,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACf,IAAI,GAAG,CAAC,IAAI,EAAE,IAAI,EAAE,KAAK,KAAK,IAAI,CAAC,KAAK;gBAAE,OAAO,KAAK,CAAC;QACzD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,qDAAqD;IACrD,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,MAAM;SACvD,IAAI,CAAC,oBAAoB,CAAC;SAC1B,MAAM,CAAC,SAAS,CAAC;SACjB,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,EAAE,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;IAE7B,IAAI,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAE5C,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,CAAC,YAAY,IAAI,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAEvE,MAAM,OAAO,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAEpE,OAAO,EAAE,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,YAAY,CAAC,MAAM,EAAE,CAAC;AAC5D,CAAC;AAED,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAE9E;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,MAAsB,EACtB,SAAiB,EACjB,MAAc,EACd,KAAa;IAEb,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM;SACjC,IAAI,CAAC,gBAAgB,CAAC;SACtB,MAAM,CAAC,GAAG,CAAC;SACX,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC;SACrB,EAAE,CAAC,YAAY,EAAE,SAAS,CAAC;SAC3B,KAAK,CAAC,YAAY,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;SACzC,KAAK,CAAC,KAAK,CAAC,CAAC;IAEhB,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC1C,OAAO,IAAI,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,8EAA8E;AAC9E,6CAA6C;AAC7C,8EAA8E;AAE9E;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,MAAsB,EACtB,SAAiB,EACjB,IAAY;IAEZ,MAAM,MAAM,GAAG,IAAI,KAAK,aAAa,CAAC,CAAC,CAAC,KAAK;QAC3C,CAAC,CAAC,IAAI,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI;YAC7B,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM;gBAC1B,CAAC,CAAC,OAAO,CAAC;IAEZ,sFAAsF;IACtF,oFAAoF;IACpF,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE;QACvD,YAAY,EAAE,SAAS;QACvB,QAAQ,EAAE,MAAM;KACjB,CAAC,CAAC;IAEH,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,yBAAyB,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IACrE,OAAO,IAAc,CAAC;AACxB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+/**
+ * ATOMS MCP Server — CLI Entry Point
+ *
+ * Commands:
+ *   npx @atoms-tech/atoms-mcp           → Start MCP server (stdio transport)
+ *   npx @atoms-tech/atoms-mcp login     → Authenticate with ATOMS.tech
+ *   npx @atoms-tech/atoms-mcp whoami    → Show current user
+ *   npx @atoms-tech/atoms-mcp --version → Show version
+ */
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;GAQG"}

package/dist/index.js

@@ -0,0 +1,92 @@
+#!/usr/bin/env node
+/**
+ * ATOMS MCP Server — CLI Entry Point
+ *
+ * Commands:
+ *   npx @atoms-tech/atoms-mcp           → Start MCP server (stdio transport)
+ *   npx @atoms-tech/atoms-mcp login     → Authenticate with ATOMS.tech
+ *   npx @atoms-tech/atoms-mcp whoami    → Show current user
+ *   npx @atoms-tech/atoms-mcp --version → Show version
+ */
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { server } from "./server.js";
+const args = process.argv.slice(2);
+const command = args[0];
+async function main() {
+    switch (command) {
+        case "login": {
+            const { login } = await import("./auth/login.js");
+            try {
+                const { email } = await login();
+                process.stderr.write(`\nLogged in as ${email}\n`);
+                process.stderr.write(`\nAdd this to your Claude Desktop config:\n` +
+                    `{\n  "mcpServers": {\n    "atoms": {\n` +
+                    `      "command": "npx",\n` +
+                    `      "args": ["@atoms-tech/atoms-mcp@latest"]\n` +
+                    `    }\n  }\n}\n`);
+            }
+            catch (err) {
+                process.stderr.write(`Login failed: ${err instanceof Error ? err.message : String(err)}\n`);
+                process.exit(1);
+            }
+            break;
+        }
+        case "whoami": {
+            const { getValidToken } = await import("./auth/refresh.js");
+            try {
+                const { email, user_id } = await getValidToken();
+                process.stderr.write(`User: ${email}\nID: ${user_id}\n`);
+            }
+            catch (err) {
+                process.stderr.write(`Not authenticated: ${err instanceof Error ? err.message : String(err)}\n`);
+                process.exit(1);
+            }
+            break;
+        }
+        case "logout": {
+            const { clearCredentials } = await import("./auth/token-store.js");
+            await clearCredentials();
+            process.stderr.write("Logged out. Credentials removed.\n");
+            process.stderr.write("Run 'npx @atoms-tech/atoms-mcp login' to authenticate again.\n");
+            break;
+        }
+        case "--version":
+        case "-v": {
+            process.stderr.write("@atoms-tech/atoms-mcp v0.1.0\n");
+            break;
+        }
+        case "--help":
+        case "-h": {
+            process.stderr.write(`ATOMS MCP Server — AI agent integration for requirements management\n\n` +
+                `Usage:\n` +
+                `  npx @atoms-tech/atoms-mcp           Start MCP server (stdio)\n` +
+                `  npx @atoms-tech/atoms-mcp login     Authenticate with ATOMS.tech\n` +
+                `  npx @atoms-tech/atoms-mcp logout    Switch account / clear credentials\n` +
+                `  npx @atoms-tech/atoms-mcp whoami    Show current user\n` +
+                `  npx @atoms-tech/atoms-mcp --version Show version\n`);
+            break;
+        }
+        default: {
+            // Default: start MCP server via stdio
+            process.stderr.write("[atoms-mcp] Starting MCP server via stdio...\n");
+            try {
+                // Validate auth on startup
+                const { getValidToken } = await import("./auth/refresh.js");
+                const { email } = await getValidToken();
+                process.stderr.write(`[atoms-mcp] Authenticated as ${email}\n`);
+            }
+            catch (err) {
+                process.stderr.write(`[atoms-mcp] Warning: ${err instanceof Error ? err.message : String(err)}\n` +
+                    `[atoms-mcp] Some tools may fail without authentication.\n`);
+            }
+            const transport = new StdioServerTransport();
+            await server.connect(transport);
+            process.stderr.write("[atoms-mcp] MCP server running. Waiting for tool calls...\n");
+        }
+    }
+}
+main().catch((err) => {
+    process.stderr.write(`[atoms-mcp] Fatal: ${err instanceof Error ? err.message : String(err)}\n`);
+    process.exit(1);
+});
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA;;;;;;;;GAQG;AAEH,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAErC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AACnC,MAAM,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;AAExB,KAAK,UAAU,IAAI;IACjB,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,OAAO,CAAC,CAAC,CAAC;YACb,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,KAAK,EAAE,CAAC;gBAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,KAAK,IAAI,CAAC,CAAC;gBAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,6CAA6C;oBAC7C,wCAAwC;oBACxC,2BAA2B;oBAC3B,kDAAkD;oBAClD,iBAAiB,CAClB,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CACtE,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;YAC5D,IAAI,CAAC;gBACH,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,MAAM,aAAa,EAAE,CAAC;gBACjD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,SAAS,KAAK,SAAS,OAAO,IAAI,CAAC,CAAC;YAC3D,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAC3E,CAAC;gBACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC,CAAC,CAAC;YACd,MAAM,EAAE,gBAAgB,EAAE,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,CAAC;YACnE,MAAM,gBAAgB,EAAE,CAAC;YACzB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;YAC3D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;YACvF,MAAM;QACR,CAAC;QAED,KAAK,WAAW,CAAC;QACjB,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,CAAC,CAAC;YACvD,MAAM;QACR,CAAC;QAED,KAAK,QAAQ,CAAC;QACd,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,yEAAyE;gBACzE,UAAU;gBACV,kEAAkE;gBAClE,sEAAsE;gBACtE,4EAA4E;gBAC5E,2DAA2D;gBAC3D,sDAAsD,CACvD,CAAC;YACF,MAAM;QACR,CAAC;QAED,OAAO,CAAC,CAAC,CAAC;YACR,sCAAsC;YACtC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;YAEvE,IAAI,CAAC;gBACH,2BAA2B;gBAC3B,MAAM,EAAE,aAAa,EAAE,GAAG,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;gBAC5D,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,aAAa,EAAE,CAAC;gBACxC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,KAAK,IAAI,CAAC,CAAC;YAClE,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,wBAAwB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI;oBAC5E,2DAA2D,CAC5D,CAAC;YACJ,CAAC;YAED,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;YAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAChC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6DAA6D,CAAC,CAAC;QACtF,CAAC;IACH,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACjG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/middleware/audit.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Fire-and-forget MCP audit logging.
+ *
+ * Every tool call is logged to mcp_audit_log for enterprise compliance.
+ * Logging NEVER blocks or delays the tool response.
+ */
+import type { SupabaseClient } from "@supabase/supabase-js";
+export interface AuditEntry {
+    tool_name: string;
+    params: Record<string, unknown>;
+    status: "success" | "error";
+    duration_ms: number;
+    error_msg?: string;
+    project_id?: string;
+    session_id?: string;
+    client_name?: string;
+}
+/**
+ * Log a tool call to mcp_audit_log. Fire-and-forget — errors are swallowed.
+ */
+export declare function logAudit(client: SupabaseClient, userId: string, entry: AuditEntry): void;
+/**
+ * Timer utility for measuring tool duration.
+ */
+export declare function startTimer(): () => number;
+//# sourceMappingURL=audit.d.ts.map

package/dist/middleware/audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.d.ts","sourceRoot":"","sources":["../../src/middleware/audit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE5D,MAAM,WAAW,UAAU;IACzB,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,MAAM,EAAE,SAAS,GAAG,OAAO,CAAC;IAC5B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,wBAAgB,QAAQ,CACtB,MAAM,EAAE,cAAc,EACtB,MAAM,EAAE,MAAM,EACd,KAAK,EAAE,UAAU,GAChB,IAAI,CA6BN;AAED;;GAEG;AACH,wBAAgB,UAAU,IAAI,MAAM,MAAM,CAGzC"}

package/dist/middleware/audit.js

@@ -0,0 +1,44 @@
+/**
+ * Fire-and-forget MCP audit logging.
+ *
+ * Every tool call is logged to mcp_audit_log for enterprise compliance.
+ * Logging NEVER blocks or delays the tool response.
+ */
+/**
+ * Log a tool call to mcp_audit_log. Fire-and-forget — errors are swallowed.
+ */
+export function logAudit(client, userId, entry) {
+    // Sanitize params — strip any secrets
+    const sanitizedParams = { ...entry.params };
+    delete sanitizedParams.access_token;
+    delete sanitizedParams.refresh_token;
+    delete sanitizedParams.password;
+    // Fire and forget — don't await
+    client
+        .from("mcp_audit_log")
+        .insert({
+        user_id: userId,
+        tool_name: entry.tool_name,
+        params: sanitizedParams,
+        status: entry.status,
+        duration_ms: entry.duration_ms,
+        error_msg: entry.error_msg ?? null,
+        project_id: entry.project_id ?? null,
+        session_id: entry.session_id ?? null,
+        client_name: entry.client_name ?? null,
+    })
+        .then(({ error }) => {
+        if (error) {
+            // Log to stderr, never throw
+            process.stderr.write(`[audit] Failed to log: ${error.message}\n`);
+        }
+    });
+}
+/**
+ * Timer utility for measuring tool duration.
+ */
+export function startTimer() {
+    const start = performance.now();
+    return () => Math.round(performance.now() - start);
+}
+//# sourceMappingURL=audit.js.map

package/dist/middleware/audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.js","sourceRoot":"","sources":["../../src/middleware/audit.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH;;GAEG;AACH,MAAM,UAAU,QAAQ,CACtB,MAAsB,EACtB,MAAc,EACd,KAAiB;IAEjB,sCAAsC;IACtC,MAAM,eAAe,GAAG,EAAE,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC;IAC5C,OAAO,eAAe,CAAC,YAAY,CAAC;IACpC,OAAO,eAAe,CAAC,aAAa,CAAC;IACrC,OAAO,eAAe,CAAC,QAAQ,CAAC;IAEhC,gCAAgC;IAChC,MAAM;SACH,IAAI,CAAC,eAAe,CAAC;SACrB,MAAM,CAAC;QACN,OAAO,EAAE,MAAM;QACf,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,MAAM,EAAE,eAAe;QACvB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,IAAI;QAClC,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;QACpC,UAAU,EAAE,KAAK,CAAC,UAAU,IAAI,IAAI;QACpC,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,IAAI;KACvC,CAAC;SACD,IAAI,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE;QAClB,IAAI,KAAK,EAAE,CAAC;YACV,6BAA6B;YAC7B,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,0BAA0B,KAAK,CAAC,OAAO,IAAI,CAC5C,CAAC;QACJ,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,UAAU;IACxB,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAChC,OAAO,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,KAAK,CAAC,CAAC;AACrD,CAAC"}