@bridge_gpt/mcp-server 0.1.17 → 0.2.0

package/build/start-tickets-prereqs.js

@@ -13,6 +13,9 @@
  * the runtime graph stays acyclic — `start-tickets.ts` imports values FROM here,
  * never the reverse.
  */
+import { resolveBapiCredentials } from "./credential-store.js";
+import { readBridgeConfig } from "./bridge-config.js";
+import { probeWorktreeMcpRegistration } from "./mcp-registration-doctor.js";
 // ---------------------------------------------------------------------------
 // Constants (moved here from start-tickets.ts so both consumers share them)
 // ---------------------------------------------------------------------------
@@ -250,6 +253,87 @@ function agentDescriptor(agent) {
 function uvDescriptor() {
     return commandDescriptor("uv", "uv", UV_INSTALL_HINTS);
 }
+/** Secret-free remediation hint shared by the credential-resolution descriptor. */
+const CREDENTIAL_RESOLUTION_HINT = 'Set BAPI_API_KEY in the environment, or add it under "bapi:<repo_name>" in ' +
+    "~/.config/bridge/credentials.json.";
+const CREDENTIAL_RESOLUTION_INSTALL_HINTS = {
+    darwin: CREDENTIAL_RESOLUTION_HINT,
+    linux: CREDENTIAL_RESOLUTION_HINT,
+    win32: CREDENTIAL_RESOLUTION_HINT,
+};
+/**
+ * Doctor-only, strictly read-only probe: can the Bridge API credentials be
+ * resolved for the current repo? Resolves repo identity from `BAPI_REPO_NAME`
+ * first, then `.bridge/config`, then asks the credential resolver. Reports only
+ * the SOURCE CLASS (env vs. store) — NEVER the resolved key value.
+ */
+export function credentialResolutionDescriptor() {
+    return {
+        id: "bapi-credentials",
+        label: "Bridge API credential resolution",
+        installHint: CREDENTIAL_RESOLUTION_INSTALL_HINTS,
+        probe: async (deps) => {
+            const { readFile, stat, homedir } = deps;
+            if (!readFile || !stat || !homedir) {
+                return { found: false, detail: "credential probe unavailable (no read-only filesystem access)" };
+            }
+            let repoName = (deps.env.BAPI_REPO_NAME ?? "").trim();
+            if (repoName.length === 0) {
+                const read = await readBridgeConfig(deps.cwd, { readFile });
+                if (read.ok) {
+                    repoName = read.manifest.repoName;
+                }
+                else {
+                    return {
+                        found: false,
+                        detail: "cannot determine repo identity (set BAPI_REPO_NAME or add a valid .bridge/config). " +
+                            CREDENTIAL_RESOLUTION_HINT,
+                    };
+                }
+            }
+            const result = await resolveBapiCredentials(repoName, {
+                env: deps.env,
+                homedir,
+                platform: deps.platform,
+                readFile,
+                stat,
+            });
+            if (result.ok) {
+                const via = result.credentials.source === "env" ? "env" : "store";
+                return { found: true, detail: `credentials resolvable via ${via}` };
+            }
+            return { found: false, detail: CREDENTIAL_RESOLUTION_HINT };
+        },
+    };
+}
+/** Secret-free remediation hint shared by the worktree-MCP descriptor. */
+const WORKTREE_MCP_HINT = "Re-run start-tickets to provision the worktree MCP registration " +
+    "(.mcp.json / .cursor/mcp.json pointing at the mcp-invoke shim).";
+const WORKTREE_MCP_INSTALL_HINTS = {
+    darwin: WORKTREE_MCP_HINT,
+    linux: WORKTREE_MCP_HINT,
+    win32: WORKTREE_MCP_HINT,
+};
+/**
+ * Doctor-only, strictly read-only probe: does the current worktree's generated
+ * MCP registration point at the Bridge API `mcp-invoke` shim? Inspects
+ * `.mcp.json` / `.cursor/mcp.json` under `deps.cwd` without spawning anything.
+ */
+export function worktreeMcpReachabilityDescriptor() {
+    return {
+        id: "worktree-mcp-registration",
+        label: "Worktree MCP registration reachability",
+        installHint: WORKTREE_MCP_INSTALL_HINTS,
+        probe: async (deps) => {
+            const { readFile } = deps;
+            if (!readFile) {
+                return { found: false, detail: "registration probe unavailable (no read-only filesystem access)" };
+            }
+            const result = await probeWorktreeMcpRegistration(deps.cwd, { readFile });
+            return { found: result.found, detail: result.detail };
+        },
+    };
+}
 /**
  * The exact existing live-preflight requirement set per platform, plus the git
  * work-tree custom check appended after the command checks. This is the ONLY
@@ -286,7 +370,12 @@ export function getPreflightPrereqDescriptors(platform, env) {
  * additive (BAPI-302/303 regression-safe).
  */
 export function getDoctorOnlyPrereqDescriptors(_platform, _env, agent) {
-    return [uvDescriptor(), agentDescriptor(agent)];
+    return [
+        uvDescriptor(),
+        agentDescriptor(agent),
+        credentialResolutionDescriptor(),
+        worktreeMcpReachabilityDescriptor(),
+    ];
 }
 /**
  * The doctor's full descriptor set: the preflight descriptors (verbatim) plus

package/build/start-tickets.js

@@ -53,7 +53,10 @@
  * unit-testable on Linux CI without spawning real commands or terminals.
  */
 import { execFile } from "child_process";
+import { readFile, writeFile, mkdir } from "fs/promises";
 import path from "path";
+import { VERSION } from "./version.generated.js";
+import { provisionMcpRegistrationsForCreatedWorktrees, } from "./mcp-provisioning.js";
 // Per-OS prerequisite knowledge + low-level command probes live in the shared
 // prereqs module so `runPreflight` (enforce) and the read-only `doctor` (render)
 // can never drift. `start-tickets.ts` imports VALUES from there; the prereqs
@@ -75,6 +78,10 @@ export const DEFAULT_MAX_PARALLEL = 3;
 export const DEFAULT_TMUX_SESSION_PREFIX = "bridge-start-tickets";
 /** Environment variable overriding the tmux session-name prefix. */
 export const TMUX_SESSION_OVERRIDE_ENV = "BAPI_TMUX_SESSION";
+/** Return a copy of `row` with `warning` appended; never mutates the input. */
+export function appendSummaryRowWarning(row, warning) {
+    return { ...row, warnings: [...(row.warnings ?? []), warning] };
+}
 // ---------------------------------------------------------------------------
 // Usage / argument parsing
 // ---------------------------------------------------------------------------
@@ -227,7 +234,7 @@ export function parseStartTicketsArgs(argv) {
             dryRun = true;
             continue;
         }
-        if (arg === "--auto-approve") {
+        if (arg === "--auto") {
             autoApprove = true;
             continue;
         }
@@ -789,10 +796,10 @@ export async function createWorktrees(deps, options, worktrunkBinary) {
 /**
  * The starter prompt handed to the selected agent. Identical for every agent.
  * When `autoApprove` is set, the implementation agent runs hands-off
- * (`/implement-ticket <KEY> --auto-approve`) — used by full-automation chains.
+ * (`/implement-ticket <KEY> --auto`) — used by full-automation chains.
  */
 export function buildAgentPrompt(key, opts = {}) {
-    return `/implement-ticket ${key}${opts.autoApprove ? " --auto-approve" : ""}`;
+    return `/implement-ticket ${key}${opts.autoApprove ? " --auto" : ""}`;
 }
 /**
  * Build the agent invocation (`<command> <quotedPrompt>`) for the agent's prompt
@@ -1111,10 +1118,31 @@ export function getDryRunPlatformDetails(agent, platform = process.platform, env
         buildAgentShellCommand: (key, worktreePath) => buildAgentShellCommand(agent, key, worktreePath, platform, autoApprove),
     };
 }
+/**
+ * Build the dry-run preview of the secret-free MCP provisioning that
+ * `start-tickets` would perform for a worktree whose `.bridge/config` includes
+ * the `bapi` target. Lists both registration files and the version-pinned shim
+ * command. Pure formatting — implies no credentials and writes no files.
+ */
+export function buildDryRunMcpProvisioningLines(worktreePath, platform = process.platform) {
+    const api = platform === "win32" ? path.win32 : path.posix;
+    const mcpJson = api.join(worktreePath, ".mcp.json");
+    const cursorJson = api.join(worktreePath, ".cursor", "mcp.json");
+    const shim = `npx -y @bridge_gpt/mcp-server@${VERSION} mcp-invoke --target <target> --project-root ${worktreePath}`;
+    return [
+        "DRY-RUN:   MCP provisioning (target-driven from .bridge/config — bapi plus any",
+        "DRY-RUN:   supported Tier-2 target such as sfcc): would write a secret-free shim",
+        "DRY-RUN:   entry per target to",
+        `DRY-RUN:     ${mcpJson}`,
+        `DRY-RUN:     ${cursorJson}`,
+        `DRY-RUN:     ${shim}`,
+    ];
+}
 /**
  * Build the user-facing dry-run detail lines for one ticket, rendering the
- * platform-correct Worktrunk binary and the selected agent's shell command. Pure
- * platform formatting only — no preflight, no routing failures.
+ * platform-correct Worktrunk binary, the selected agent's shell command, and
+ * the secret-free MCP provisioning preview. Pure platform formatting only — no
+ * preflight, no routing failures.
  */
 export function buildDryRunDetailLines(agent, key, branch, platform = process.platform, env = process.env, baseBranch = "main", autoApprove = false) {
     const { worktrunkBinary, buildAgentShellCommand: build } = getDryRunPlatformDetails(agent, platform, env, autoApprove);
@@ -1124,6 +1152,7 @@ export function buildDryRunDetailLines(agent, key, branch, platform = process.pl
         `DRY-RUN: ${key} -> branch=${branch}`,
         `DRY-RUN:   ${worktrunkBinary} ${wtArgs.join(" ")}`,
         `DRY-RUN:   ${agentInvocation}`,
+        ...buildDryRunMcpProvisioningLines("<worktree-path>", platform),
     ];
 }
 /**
@@ -1140,13 +1169,30 @@ export function formatSummaryReport(rows) {
             line += `  path=${row.path}`;
         lines.push(line);
     }
-    const failures = rows.filter((r) => r.status === "create-failed" || r.status === "spawn-failed");
-    if (failures.length > 0) {
+    // Warnings section: create/spawn-failed row errors AND any non-fatal
+    // per-row provisioning warnings. Identical error/warning text for the same
+    // row is emitted only once.
+    const warningLines = [];
+    for (const row of rows) {
+        const messages = [];
+        if (row.status === "create-failed" || row.status === "spawn-failed") {
+            messages.push(row.error ?? row.status);
+        }
+        for (const warning of row.warnings ?? []) {
+            messages.push(warning);
+        }
+        const seen = new Set();
+        for (const message of messages) {
+            if (seen.has(message))
+                continue;
+            seen.add(message);
+            warningLines.push(`  ${row.key}: ${message}`);
+        }
+    }
+    if (warningLines.length > 0) {
         lines.push("");
         lines.push("Warnings:");
-        for (const row of failures) {
-            lines.push(`  ${row.key}: ${row.error ?? row.status}`);
-        }
+        lines.push(...warningLines);
     }
     return lines.join("\n");
 }
@@ -1158,7 +1204,38 @@ export function formatSummaryReport(rows) {
  * using the platform-correct shell builder. Global preflight/refresh failures
  * are returned as `{ ok: false }`; per-ticket failures stay in the rows.
  */
-export async function orchestrateStartTickets(deps, options) {
+/**
+ * Build the `mcp-provisioning` filesystem boundary from `StartTicketsDeps`.
+ * Provisioning needs real `fs/promises` ops (not part of the command-runner DI
+ * boundary), but inherits the platform and cwd from the orchestration deps.
+ */
+export function buildMcpProvisioningDeps(deps) {
+    return {
+        readFile: (filePath) => readFile(filePath, "utf-8"),
+        writeFile: (filePath, data) => writeFile(filePath, data, "utf-8"),
+        mkdir: (dirPath, options) => mkdir(dirPath, options),
+        platform: deps.platform,
+        cwd: deps.cwd,
+    };
+}
+/**
+ * Tier-3 file-credential materialization seam.
+ *
+ * The committed `.bridge/config` schema does not (yet) declare file-credential
+ * entries — Tier-3 file materialization is a gated seam (see
+ * `credential-materialization.ts`, whose Windows worktree-visible copy remains
+ * disabled pending the open context-vs-server-only design decision). With no
+ * file-credential configuration there is nothing to materialize, so the default
+ * is a safe pass-through. The seam exists so `orchestrateStartTickets` calls it
+ * in the correct order — AFTER MCP registration provisioning and BEFORE tab
+ * spawning — once the schema and the design decision are resolved. Per-row
+ * failures must mark only the affected row `spawn-failed`; normal symlinks are
+ * never torn down on completion.
+ */
+export async function materializeFileCredentialsForCreatedWorktrees(rows, _deps) {
+    return rows;
+}
+export async function orchestrateStartTickets(deps, options, overrides = {}) {
     if (options.dryRun) {
         return { ok: true, rows: buildDryRunResults(options.keys, options.branchOverrides) };
     }
@@ -1183,9 +1260,24 @@ export async function orchestrateStartTickets(deps, options) {
     });
     if (!refresh.ok)
         return { ok: false, error: refresh.error };
-    const created = await createWorktrees(deps, options, platformConfig.config.worktrunkBinary);
-    const terminal = detectTerminal(options.terminal, deps.env);
-    const rows = await spawnTabsForCreatedWorktrees(deps, created, terminal, platformConfig.config.buildAgentShellCommand);
+    const createWorktreesFn = overrides.createWorktrees ?? createWorktrees;
+    const provisionFn = overrides.provisionMcpRegistrations ??
+        ((rows, d) => provisionMcpRegistrationsForCreatedWorktrees(rows, buildMcpProvisioningDeps(d)));
+    const materializeFn = overrides.materializeFileCredentials ?? materializeFileCredentialsForCreatedWorktrees;
+    const detectTerminalFn = overrides.detectTerminal ?? detectTerminal;
+    const spawnTabsFn = overrides.spawnTabsForCreatedWorktrees ?? spawnTabsForCreatedWorktrees;
+    const created = await createWorktreesFn(deps, options, platformConfig.config.worktrunkBinary);
+    // Synchronously provision secret-free worktree MCP registrations after
+    // worktree creation and before launching the agent tab. Per-worktree
+    // provisioning failures mark only that row `spawn-failed` (skipped by the
+    // spawn step below) — they never abort the whole run.
+    const provisioned = await provisionFn(created, deps);
+    // Materialize any Tier-3 file credentials AFTER MCP registration provisioning
+    // and BEFORE tab spawning (currently a pass-through seam; see
+    // materializeFileCredentialsForCreatedWorktrees).
+    const materialized = await materializeFn(provisioned, deps);
+    const terminal = detectTerminalFn(options.terminal, deps.env);
+    const rows = await spawnTabsFn(deps, materialized, terminal, platformConfig.config.buildAgentShellCommand);
     return { ok: true, rows };
 }
 /** Platform-specific guidance printed when one or more tabs fail to spawn. */

package/build/third-party-mcp-targets.js

@@ -0,0 +1,75 @@
+/**
+ * Tier-2 third-party MCP target metadata + atomic env injection.
+ *
+ * Known third-party MCP targets (e.g. Salesforce `b2c-dx-mcp` via `sfcc`) are
+ * declared here as additive, data-only definitions: each names the secret env
+ * keys it needs. Provisioning and `mcp-invoke` consume these definitions without
+ * any target-specific branching, so adding a future Tier-2 target is a matter of
+ * adding one entry to the registry below.
+ *
+ * Credential resolution is delegated to the generic
+ * {@link resolveCredentialBundle}; the resulting env overlay is ATOMIC — either
+ * every required key resolves or the whole overlay fails. A half overlay (one of
+ * an `SFCC_CLIENT_ID`/`SFCC_CLIENT_SECRET` pair) is never returned. No secret
+ * value ever appears in an error message.
+ */
+import { resolveCredentialBundle, } from "./credential-store.js";
+// ---------------------------------------------------------------------------
+// Registry — additive; add a new entry to support a new Tier-2 target.
+// ---------------------------------------------------------------------------
+const THIRD_PARTY_TARGETS = {
+    sfcc: {
+        target: "sfcc",
+        requiredEnvKeys: ["SFCC_CLIENT_ID", "SFCC_CLIENT_SECRET"],
+    },
+};
+/** Return the definition for a supported Tier-2 target, or `undefined`. */
+export function getThirdPartyTargetDefinition(target) {
+    return THIRD_PARTY_TARGETS[target];
+}
+/** List all supported Tier-2 target identifiers. */
+export function getSupportedThirdPartyTargets() {
+    return Object.keys(THIRD_PARTY_TARGETS);
+}
+// ---------------------------------------------------------------------------
+// Manifest entry validation
+// ---------------------------------------------------------------------------
+/**
+ * Validate that a parsed manifest entry for a Tier-2 target declares everything
+ * needed to launch it: a non-empty `command`, an `args` array, and a non-empty
+ * `secret_bundle`. Errors name only the missing field, never any value.
+ */
+export function validateThirdPartyTargetManifestEntry(entry) {
+    if (entry.command === undefined || entry.command.trim().length === 0) {
+        return { ok: false, error: `target '${entry.target}' requires a non-empty command` };
+    }
+    if (entry.args === undefined) {
+        return { ok: false, error: `target '${entry.target}' requires an args array` };
+    }
+    if (entry.secretBundle === undefined || entry.secretBundle.trim().length === 0) {
+        return { ok: false, error: `target '${entry.target}' requires a non-empty secret_bundle` };
+    }
+    return { ok: true };
+}
+// ---------------------------------------------------------------------------
+// Atomic env resolution
+// ---------------------------------------------------------------------------
+/**
+ * Resolve the complete env overlay a Tier-2 target needs from its secret bundle.
+ * Delegates to {@link resolveCredentialBundle}; because that resolver fails
+ * unless every required key resolves, the returned overlay is atomic — there is
+ * no code path that returns a partial set of the target's secrets. Parent env
+ * values override store values key-by-key (handled by the generic resolver).
+ * Errors are secret-free and name the missing key(s).
+ */
+export async function resolveThirdPartyTargetEnv(definition, secretBundle, deps) {
+    const result = await resolveCredentialBundle(secretBundle, definition.requiredEnvKeys, deps);
+    if (!result.ok) {
+        return { ok: false, error: result.error };
+    }
+    const env = {};
+    for (const key of definition.requiredEnvKeys) {
+        env[key] = result.values[key];
+    }
+    return { ok: true, env };
+}

package/build/version.generated.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED — do not edit manually. Regenerate with: npm run build
-export const VERSION = "0.1.17";
+export const VERSION = "0.2.0";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bridge_gpt/mcp-server",
-  "version": "0.1.17",
+  "version": "0.2.0",
   "description": "Bridge API MCP server — exposes Jira endpoints as MCP tools for Claude Code agents",
   "license": "MIT",
   "type": "module",
@@ -20,8 +20,8 @@
     "build": "node scripts/bundle-version.js && node scripts/bundle-pipelines.js && node scripts/bundle-commands.js && node scripts/bundle-agents.js && tsc",
     "postbuild": "node scripts/prepend-shebang.cjs",
     "start": "node build/index.js",
-    "test": "node --test build/pipeline-utils.test.js build/update-check.test.js build/cli-upgrade.test.js build/decision-page-schema.test.js build/decision-page-template.test.js build/bundle-pipelines.test.js build/instructions-contract.test.js build/pipeline-orchestrator-persistence.test.js build/pipeline-orchestrator-execution.test.js build/pipeline-orchestrator-integration.test.js build/index-static.test.js build/start-tickets.test.js build/start-tickets-base-branch.test.js build/agent-registry.test.js build/start-tickets-prereqs.test.js build/doctor.test.js build/package-static.test.js build/chain-utils.test.js build/chain-orchestrator.test.js build/scheduler-backends/types.test.js build/scheduler-backends/escaping.test.js build/scheduler-backends/launchd.test.js build/scheduler-backends/task-scheduler.test.js build/scheduler-backends/systemd-user.test.js build/scheduler-backends/at-fallback.test.js build/scheduler-backends/index.test.js build/agent-launchers/claude.test.js build/agent-launchers/index.test.js build/schedule-store.test.js build/schedule-run.test.js",
-    "test:integration": "node --test build/integration/refresh-main.integration.test.js build/integration/start-tickets.integration.test.js build/integration/doctor.integration.test.js",
+    "test": "node --test build/pipeline-utils.test.js build/update-check.test.js build/cli-upgrade.test.js build/decision-page-schema.test.js build/decision-page-template.test.js build/bundle-pipelines.test.js build/instructions-contract.test.js build/pipeline-orchestrator-persistence.test.js build/pipeline-orchestrator-execution.test.js build/pipeline-orchestrator-integration.test.js build/index-static.test.js build/index-resolvers.test.js build/index-project-root.test.js build/index-pipelines.test.js build/index.test.js build/bridge-config.test.js build/credential-store.test.js build/mcp-invoke.test.js build/mcp-provisioning.test.js build/third-party-mcp-targets.test.js build/git-ignore-utils.test.js build/credential-materialization.test.js build/mcp-registration-doctor.test.js build/secret-safety.test.js build/start-tickets.test.js build/start-tickets-base-branch.test.js build/agent-registry.test.js build/start-tickets-prereqs.test.js build/doctor.test.js build/package-static.test.js build/chain-utils.test.js build/chain-orchestrator.test.js build/scheduler-backends/types.test.js build/scheduler-backends/escaping.test.js build/scheduler-backends/launchd.test.js build/scheduler-backends/task-scheduler.test.js build/scheduler-backends/systemd-user.test.js build/scheduler-backends/at-fallback.test.js build/scheduler-backends/index.test.js build/agent-launchers/claude.test.js build/agent-launchers/index.test.js build/schedule-store.test.js build/schedule-run.test.js build/agent-capabilities/cli.test.js build/agent-capabilities/runner.test.js build/agent-capabilities/probes.test.js build/agent-capabilities/reporter.test.js && node --experimental-test-module-mocks --test build/index-heavy-read-truncation.test.js build/index-artifacts.test.js build/index-brainstorm-filenames.test.js build/index-output-path.test.js build/index-generate-decision-page.test.js build/index-generate-decision-page.integration.test.js",
+    "test:integration": "node --test build/integration/refresh-main.integration.test.js build/integration/start-tickets.integration.test.js build/integration/doctor.integration.test.js build/integration/agent-capabilities.integration.test.js",
     "prepublishOnly": "npm run build && node scripts/verify-shebang.cjs"
   },
   "dependencies": {

package/pipelines/full-automation.json

@@ -20,13 +20,15 @@
         "auto_approve_external": "{auto_approve}"
       },
       "outputs": {
+        "child_ticket_keys": "child_ticket_keys",
+        "epic_parent_key": "epic_parent_key",
         "created_ticket_keys": "created_ticket_keys"
       }
     },
     {
       "pipeline_name": "review-ticket",
       "description": "Review each created ticket (one child pipeline run per ticket).",
-      "fan_out_input": "created_ticket_keys",
+      "fan_out_input": "child_ticket_keys",
       "fan_out_variable": "ticket_key",
       "variables": {
         "ticket_key": "{ticket_key}"

package/pipelines/implement-ticket.json

@@ -22,7 +22,7 @@
     },
     {
       "type": "agent_task",
-      "instruction_file": "execute-plan.md",
+      "instruction_file": "execute-plan-sectioned.md",
       "description": "Execute the implementation plan"
     },
     {
@@ -58,5 +58,31 @@
       "instruction_file": "monitor-ci-checks.md",
       "description": "Monitor CI checks and report results"
     }
-  ]
+  ],
+  "tiered_executor_policy": {
+    "supported_hosts": ["claude_code"],
+    "sequential_only": true,
+    "tier_model_mapping": {
+      "cheap": "haiku",
+      "basic": "sonnet",
+      "premium": "opus"
+    },
+    "final_review_policy": {
+      "default": "premium_whole_diff_when_below_coordinator_tier_touched_code",
+      "skip_when": "entire_run_inline_default_at_coordinator_tier"
+    },
+    "escalation_policy": {
+      "max_section_escalations": 1,
+      "allowed_hops": {
+        "cheap": "basic",
+        "basic": "premium"
+      },
+      "final_review_fix_reverify_passes": 1
+    },
+    "budget_policy": {
+      "cache_hit_rate_source": "measurement_spike_go_marker",
+      "default_cache_hit_rate": 0.0,
+      "abort_mode": "inline_default"
+    }
+  }
 }

package/smoke-test/SMOKE-TEST.md

@@ -445,12 +445,12 @@ and raw protocol noise.** Sensitive values are redacted.
 
 ---
 
-## Full 53-Tool Smoke Tier Matrix
+## Full 55-Tool Smoke Tier Matrix
 
 Every registered MCP tool appears **exactly once** below with its smoke tier.
 Tier 4 (mutating/hazardous) tools are **deferred in v1**.
 
-Coverage reconciliation: **8 + 18 + 1 + 9 + 17 = 53**.
+Coverage reconciliation: **8 + 18 + 1 + 10 + 18 = 55**.
 
 | Tier | Tool | Default action / expected-empty / special handling |
 |---|---|---|
@@ -482,6 +482,7 @@ Coverage reconciliation: **8 + 18 + 1 + 9 + 17 = 53**.
 | Tier 1 | `get_pipeline_recipe` | Read-only; needs a pipeline name. |
 | Tier 2 | `generate_decision_page` | Local-only file-write canary; always run with the verbatim payload above. |
 | Tier 3 | `second_opinion` | Synchronous, token-costing; opt-in. |
+| Tier 3 | `generate_image` | Synchronous, token/credit-costing; spends provider credits; opt-in. |
 | Tier 3 | `request_plan_generation` | Async (ticket-key based); retrieve with `get_plan`; opt-in. |
 | Tier 3 | `request_architecture` | Async (ticket-key based); retrieve with `get_architecture`; opt-in. |
 | Tier 3 | `request_clarifying_questions` | Async (ticket-key based); retrieve with `get_clarifying_questions`; opt-in. |
@@ -507,3 +508,4 @@ Coverage reconciliation: **8 + 18 + 1 + 9 + 17 = 53**.
 | Tier 4 | `regenerate_directory_map` | Hazardous; deferred in v1. |
 | Tier 4 | `run_full_automation` | Orchestration (dispatches mutating child pipelines / spawns worktrees); deferred in v1. |
 | Tier 4 | `resume_full_automation` | Orchestration; deferred in v1. |
+| Tier 4 | `record_tiered_section_metric` | Writes server-side telemetry state (tiered_section_metrics row); deferred in v1. |