@crowley/rag-mcp 1.2.1 → 1.5.0

package/dist/context-enrichment.d.ts

@@ -19,7 +19,13 @@ export declare const DEFAULT_ENRICHABLE_TOOLS: Set<string>;
 export declare const DEFAULT_SKIP_TOOLS: Set<string>;
 export declare class ContextEnricher {
     private config;
+    private cache;
+    private static CACHE_TTL_MS;
     constructor(config?: Partial<EnrichmentConfig>);
+    /**
+     * Clear enrichment cache (call on session end).
+     */
+    clearCache(): void;
     /**
      * Before hook: auto-recall relevant memories/patterns/ADRs.
      * Returns a context prefix string or null if nothing relevant found.

package/dist/context-enrichment.js

@@ -45,6 +45,8 @@ export const DEFAULT_SKIP_TOOLS = new Set([
 ]);
 export class ContextEnricher {
     config;
+    cache = new Map();
+    static CACHE_TTL_MS = 5 * 60 * 1000; // 5 minutes
     constructor(config = {}) {
         this.config = {
             enrichableTools: config.enrichableTools ?? DEFAULT_ENRICHABLE_TOOLS,
@@ -54,6 +56,12 @@ export class ContextEnricher {
             timeoutMs: config.timeoutMs ?? 2000,
         };
     }
+    /**
+     * Clear enrichment cache (call on session end).
+     */
+    clearCache() {
+        this.cache.clear();
+    }
     /**
      * Before hook: auto-recall relevant memories/patterns/ADRs.
      * Returns a context prefix string or null if nothing relevant found.
@@ -68,11 +76,29 @@ export class ContextEnricher {
         const query = this.extractQuery(args);
         if (!query)
             return null;
+        // Check per-session cache
+        const cacheKey = `${ctx.activeSessionId || 'no-session'}:${query.slice(0, 100)}`;
+        const cached = this.cache.get(cacheKey);
+        if (cached && Date.now() < cached.expiresAt) {
+            return cached.result;
+        }
         try {
             const memories = await this.recallWithTimeout(query, ctx);
-            if (memories.length === 0)
-                return null;
-            return this.formatContext(memories);
+            const result = memories.length === 0 ? null : this.formatContext(memories);
+            // Store in cache
+            this.cache.set(cacheKey, {
+                result,
+                expiresAt: Date.now() + ContextEnricher.CACHE_TTL_MS,
+            });
+            // Evict expired entries lazily (every 50 calls)
+            if (this.cache.size > 100) {
+                const now = Date.now();
+                for (const [key, entry] of this.cache) {
+                    if (now > entry.expiresAt)
+                        this.cache.delete(key);
+                }
+            }
+            return result;
         }
         catch {
             // Enrichment should never break tool calls
@@ -150,8 +176,10 @@ export class ContextEnricher {
         const controller = new AbortController();
         const timeout = setTimeout(() => controller.abort(), this.config.timeoutMs);
         try {
-            // Parallel recall: general memories + decisions/ADRs
-            const [memoriesRes, decisionsRes] = await Promise.all([
+            // Parallel recall: general memories + decisions/ADRs + LTM (when enabled)
+            const graphRecallEnabled = process.env.GRAPH_RECALL_ENABLED === "true";
+            const consolidationEnabled = process.env.CONSOLIDATION_ENABLED === "true";
+            const recalls = [
                 ctx.api
                     .post("/api/memory/recall-durable", {
                     projectName: ctx.projectName,
@@ -168,7 +196,19 @@ export class ContextEnricher {
                     type: "decision",
                 }, { signal: controller.signal })
                     .catch(() => null),
-            ]);
+            ];
+            // Phase 2+4: also recall from LTM (episodic+semantic with Ebbinghaus decay)
+            if (consolidationEnabled) {
+                recalls.push(ctx.api
+                    .post("/api/memory/recall-ltm", {
+                    projectName: ctx.projectName,
+                    query,
+                    limit: this.config.maxAutoRecall,
+                    graphRecall: graphRecallEnabled,
+                }, { signal: controller.signal })
+                    .catch(() => null));
+            }
+            const [memoriesRes, decisionsRes, ltmRes] = await Promise.all(recalls);
             const memories = [];
             const seenIds = new Set();
             // Process general memories
@@ -197,6 +237,23 @@ export class ContextEnricher {
                     }
                 }
             }
+            // Process LTM results (episodic + semantic)
+            if (ltmRes?.data?.results) {
+                for (const r of ltmRes.data.results) {
+                    const mem = r.memory;
+                    const id = mem?.id;
+                    if (r.score >= this.config.minRelevance && id && !seenIds.has(id)) {
+                        seenIds.add(id);
+                        memories.push({
+                            type: mem?.subtype || mem?.type || "insight",
+                            content: mem?.content || "",
+                            score: r.score,
+                        });
+                    }
+                }
+            }
+            // Sort by score and limit
+            memories.sort((a, b) => b.score - a.score);
             return memories.slice(0, this.config.maxAutoRecall + 2);
         }
         finally {

package/dist/schemas.d.ts

@@ -11,40 +11,57 @@ import type { ToolInputSchema } from "./types.js";
  * Used during Phase 2 migration while ToolRegistry still expects raw JSON Schema.
  * Phase 3 passes Zod schemas directly to McpServer.registerTool().
  */
-export declare function zodToInputSchema(schema: z.ZodObject<z.ZodRawShape>): ToolInputSchema;
+export declare function zodToInputSchema(schema: z.ZodObject<Record<string, z.ZodType>>): ToolInputSchema;
 export declare const QueryStr: z.ZodString;
 export declare const Limit: z.ZodDefault<z.ZodNumber>;
 export declare const Offset: z.ZodDefault<z.ZodNumber>;
 export declare const FilePath: z.ZodString;
-export declare const FilePaths: z.ZodArray<z.ZodString, "many">;
+export declare const FilePaths: z.ZodArray<z.ZodString>;
 export declare const Content: z.ZodString;
 export declare const CollectionSuffix: z.ZodString;
-export declare const MemoryType: z.ZodEnum<["decision", "insight", "pattern", "adr", "tech_debt", "todo", "architecture", "convention", "bug_fix", "optimization"]>;
-export declare const ResponseFormat: z.ZodDefault<z.ZodEnum<["json", "markdown"]>>;
-export declare const Importance: z.ZodDefault<z.ZodEnum<["low", "medium", "high", "critical"]>>;
-export declare const Priority: z.ZodEnum<["low", "medium", "high", "critical"]>;
-export declare const Severity: z.ZodEnum<["low", "medium", "high", "critical"]>;
+export declare const MemoryType: z.ZodEnum<{
+    decision: "decision";
+    insight: "insight";
+    todo: "todo";
+    pattern: "pattern";
+    adr: "adr";
+    architecture: "architecture";
+    tech_debt: "tech_debt";
+    convention: "convention";
+    bug_fix: "bug_fix";
+    optimization: "optimization";
+}>;
+export declare const ResponseFormat: z.ZodDefault<z.ZodEnum<{
+    markdown: "markdown";
+    json: "json";
+}>>;
+export declare const Importance: z.ZodDefault<z.ZodEnum<{
+    low: "low";
+    medium: "medium";
+    high: "high";
+    critical: "critical";
+}>>;
+export declare const Priority: z.ZodEnum<{
+    low: "low";
+    medium: "medium";
+    high: "high";
+    critical: "critical";
+}>;
+export declare const Severity: z.ZodEnum<{
+    low: "low";
+    medium: "medium";
+    high: "high";
+    critical: "critical";
+}>;
 export declare const PaginationParams: z.ZodObject<{
     limit: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
     offset: z.ZodOptional<z.ZodDefault<z.ZodNumber>>;
-}, "strip", z.ZodTypeAny, {
-    limit?: number | undefined;
-    offset?: number | undefined;
-}, {
-    limit?: number | undefined;
-    offset?: number | undefined;
-}>;
+}, z.core.$strip>;
 export declare const SearchFilters: z.ZodOptional<z.ZodObject<{
     file_type: z.ZodOptional<z.ZodString>;
     directory: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    file_type?: string | undefined;
-    directory?: string | undefined;
-}, {
-    file_type?: string | undefined;
-    directory?: string | undefined;
-}>>;
-export declare const Tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.core.$strip>>;
+export declare const Tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
 export declare const Confidence: z.ZodOptional<z.ZodNumber>;
 /** Base shape for search tools: query + optional limit + optional filters */
 export declare const SearchInput: z.ZodObject<{
@@ -53,45 +70,29 @@ export declare const SearchInput: z.ZodObject<{
     filters: z.ZodOptional<z.ZodObject<{
         file_type: z.ZodOptional<z.ZodString>;
         directory: z.ZodOptional<z.ZodString>;
-    }, "strip", z.ZodTypeAny, {
-        file_type?: string | undefined;
-        directory?: string | undefined;
-    }, {
-        file_type?: string | undefined;
-        directory?: string | undefined;
-    }>>;
-}, "strip", z.ZodTypeAny, {
-    query: string;
-    limit?: number | undefined;
-    filters?: {
-        file_type?: string | undefined;
-        directory?: string | undefined;
-    } | undefined;
-}, {
-    query: string;
-    limit?: number | undefined;
-    filters?: {
-        file_type?: string | undefined;
-        directory?: string | undefined;
-    } | undefined;
-}>;
+    }, z.core.$strip>>;
+}, z.core.$strip>;
 /** Base shape for memory record tools */
 export declare const MemoryRecordInput: z.ZodObject<{
     content: z.ZodString;
-    type: z.ZodEnum<["decision", "insight", "pattern", "adr", "tech_debt", "todo", "architecture", "convention", "bug_fix", "optimization"]>;
-    tags: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    importance: z.ZodOptional<z.ZodDefault<z.ZodEnum<["low", "medium", "high", "critical"]>>>;
+    type: z.ZodEnum<{
+        decision: "decision";
+        insight: "insight";
+        todo: "todo";
+        pattern: "pattern";
+        adr: "adr";
+        architecture: "architecture";
+        tech_debt: "tech_debt";
+        convention: "convention";
+        bug_fix: "bug_fix";
+        optimization: "optimization";
+    }>;
+    tags: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    importance: z.ZodOptional<z.ZodDefault<z.ZodEnum<{
+        low: "low";
+        medium: "medium";
+        high: "high";
+        critical: "critical";
+    }>>>;
     context: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    type: "decision" | "insight" | "todo" | "adr" | "pattern" | "architecture" | "tech_debt" | "convention" | "bug_fix" | "optimization";
-    content: string;
-    context?: string | undefined;
-    tags?: string[] | undefined;
-    importance?: "low" | "medium" | "high" | "critical" | undefined;
-}, {
-    type: "decision" | "insight" | "todo" | "adr" | "pattern" | "architecture" | "tech_debt" | "convention" | "bug_fix" | "optimization";
-    content: string;
-    context?: string | undefined;
-    tags?: string[] | undefined;
-    importance?: "low" | "medium" | "high" | "critical" | undefined;
-}>;
+}, z.core.$strip>;

package/dist/schemas.js

@@ -5,7 +5,6 @@
  * from raw JSON Schema objects to Zod-based inputSchema definitions.
  */
 import { z } from "zod";
-import { zodToJsonSchema } from "zod-to-json-schema";
 // ── JSON Schema conversion ──────────────────────────────────
 /**
  * Convert a Zod object schema to the MCP ToolInputSchema format.
@@ -13,7 +12,7 @@ import { zodToJsonSchema } from "zod-to-json-schema";
  * Phase 3 passes Zod schemas directly to McpServer.registerTool().
  */
 export function zodToInputSchema(schema) {
-    const jsonSchema = zodToJsonSchema(schema, { target: "openApi3" });
+    const jsonSchema = z.toJSONSchema(schema);
     return {
         type: "object",
         properties: (jsonSchema.properties ?? {}),

package/dist/tool-middleware.js

@@ -8,6 +8,7 @@
  * During Phase 2 migration, ToolRegistry continues to use its own copy.
  * Phase 3 replaces ToolRegistry with wrapHandler() + McpServer.registerTool().
  */
+import { validationPipeline } from "./validation-hooks.js";
 // ── Timeouts ────────────────────────────────────────────────
 /** Default tool timeout in milliseconds */
 const DEFAULT_TIMEOUT_MS = 30_000;
@@ -154,6 +155,43 @@ export function trackUsage(name, args, startTime, success, result, errorMessage,
     })
         .catch(() => { });
 }
+// ── Sensory buffer ─────────────────────────────────────────
+/** Extract file paths from tool args */
+function extractFiles(args) {
+    const files = [];
+    for (const key of ['file', 'filePath', 'currentFile', 'path']) {
+        const v = args[key];
+        if (typeof v === 'string' && v.length > 0)
+            files.push(v);
+    }
+    const arr = args.affectedFiles || args.files;
+    if (Array.isArray(arr)) {
+        for (const f of arr) {
+            if (typeof f === 'string')
+                files.push(f);
+        }
+    }
+    return files.slice(0, 20);
+}
+/** Fire-and-forget: capture tool event in sensory buffer */
+function appendToSensoryBuffer(name, args, startTime, success, resultText, ctx) {
+    if (!ctx.activeSessionId)
+        return;
+    if (TRACKING_EXCLUDE.has(name))
+        return;
+    ctx.api
+        .post("/api/sensory/append", {
+        projectName: ctx.projectName,
+        sessionId: ctx.activeSessionId,
+        toolName: name,
+        inputSummary: summarizeInput(name, args).slice(0, 500),
+        outputSummary: (resultText || "").slice(0, 500),
+        filesTouched: extractFiles(args),
+        success,
+        durationMs: Date.now() - startTime,
+    })
+        .catch(() => { });
+}
 // ── Error formatting ────────────────────────────────────────
 /** Format an error caught during tool execution */
 export function formatToolError(error, ctx) {
@@ -182,13 +220,22 @@ export function wrapHandler(name, handler, deps) {
         }
         const startTime = Date.now();
         try {
+            // Validate: run PreToolUse hooks
+            const validation = await validationPipeline.validate(name, args, ctx);
+            if (!validation.allowed) {
+                return `Blocked: ${validation.reason || 'validation failed'}`;
+            }
+            const validatedArgs = validation.modifiedArgs || args;
+            const warningPrefix = validation.warnings?.length
+                ? `⚠️ ${validation.warnings.join(' | ')}\n\n`
+                : '';
             // Before: auto-enrich context
             const contextPrefix = ctx.enrichmentEnabled && deps.enricher
-                ? await deps.enricher.before(name, args, ctx)
+                ? await deps.enricher.before(name, validatedArgs, ctx)
                 : null;
             // Execute original handler (with timeout)
             const timeoutMs = TOOL_TIMEOUTS[name] ?? DEFAULT_TIMEOUT_MS;
-            const result = await withTimeout(handler(args, ctx), timeoutMs, name);
+            const result = await withTimeout(handler(validatedArgs, ctx), timeoutMs, name);
             // Extract text for tracking/enrichment
             const text = typeof result === "string" ? result : result.text;
             // After: track interaction (fire-and-forget)
@@ -197,12 +244,15 @@ export function wrapHandler(name, handler, deps) {
             }
             // Track usage (fire-and-forget)
             trackUsage(name, args, startTime, true, text, undefined, ctx);
-            // Prepend context if available
-            if (contextPrefix) {
+            // Capture in sensory buffer (fire-and-forget)
+            appendToSensoryBuffer(name, args, startTime, true, text, ctx);
+            // Prepend context/warnings if available
+            const prefix = [warningPrefix, contextPrefix].filter(Boolean).join('');
+            if (prefix) {
                 if (typeof result === "string") {
-                    return contextPrefix + "\n\n" + result;
+                    return prefix + result;
                 }
-                return { text: contextPrefix + "\n\n" + result.text, structured: result.structured };
+                return { text: prefix + result.text, structured: result.structured };
             }
             return result;
         }
@@ -210,6 +260,8 @@ export function wrapHandler(name, handler, deps) {
             const errorMessage = formatToolError(error, ctx);
             // Track failed usage (fire-and-forget)
             trackUsage(name, args, startTime, false, "", errorMessage, ctx);
+            // Capture failure in sensory buffer (fire-and-forget)
+            appendToSensoryBuffer(name, args, startTime, false, errorMessage, ctx);
             return errorMessage;
         }
     };

package/dist/tools/agents.js

@@ -59,6 +59,74 @@ export function createAgentTools(projectName) {
                 return result;
             },
         },
+        {
+            name: "tribunal_debate",
+            description: `Run an adversarial debate on a topic for ${projectName}. Multiple advocates argue positions, a judge renders a verdict. Use for architecture decisions, tech choices, or code approach trade-offs.`,
+            schema: z.object({
+                topic: z.string().describe("The debate topic (e.g., 'Should we use REST or gRPC for the new API?')"),
+                positions: z.array(z.string()).min(2).max(4).describe("Positions to debate (2-4 options, e.g., ['REST', 'gRPC'])"),
+                context: z.string().optional().describe("Additional context for the debate"),
+                maxRounds: z.coerce.number().optional().describe("Number of rebuttal rounds (default: 1, max: 3)"),
+                useCodeContext: z.boolean().optional().describe("Fetch relevant code, ADRs, and patterns as evidence (default: false)"),
+                autoRecord: z.boolean().optional().describe("Save verdict as a decision in project memory (default: false)"),
+            }),
+            annotations: TOOL_ANNOTATIONS["tribunal_debate"] || { priority: 0.4, readOnlyHint: true },
+            handler: async (args, ctx) => {
+                const { topic, positions, context, maxRounds, useCodeContext, autoRecord } = args;
+                const response = await ctx.api.post("/api/tribunal/debate", {
+                    projectName: ctx.projectName,
+                    topic,
+                    positions,
+                    context,
+                    maxRounds,
+                    useCodeContext,
+                    autoRecord,
+                });
+                const data = response.data;
+                // Format result as markdown
+                let result = `## Tribunal Debate: ${data.topic}\n`;
+                result += `**Status:** ${data.status}`;
+                result += ` | **Duration:** ${Math.round(data.durationMs / 1000)}s`;
+                result += ` | **Cost:** ~$${data.cost?.estimatedUsd?.toFixed(3) || '?'}\n\n`;
+                // Phases summary
+                if (data.phases) {
+                    result += `### Phases\n`;
+                    for (const phase of data.phases) {
+                        result += `- **${phase.name}**: ${Math.round(phase.durationMs / 1000)}s, ${phase.tokens} tokens\n`;
+                    }
+                    result += `\n`;
+                }
+                // Arguments
+                if (data.arguments && data.arguments.length > 0) {
+                    result += `### Arguments\n`;
+                    for (const arg of data.arguments) {
+                        const label = arg.round === 0 ? 'Initial' : `Rebuttal R${arg.round}`;
+                        result += `#### ${arg.position} (${label})\n${arg.content}\n\n`;
+                    }
+                }
+                // Verdict
+                if (data.verdict) {
+                    result += `### Verdict\n`;
+                    result += `**Recommendation:** ${data.verdict.recommendation}\n`;
+                    result += `**Confidence:** ${data.verdict.confidence}\n\n`;
+                    if (data.verdict.scores) {
+                        result += `**Scores:**\n`;
+                        for (const s of data.verdict.scores) {
+                            result += `- ${s.position}: ${s.score}/10\n`;
+                        }
+                        result += `\n`;
+                    }
+                    result += `**Reasoning:**\n${data.verdict.reasoning}\n\n`;
+                    result += `**Trade-offs:**\n${data.verdict.tradeoffs}\n\n`;
+                    result += `**Dissent:**\n${data.verdict.dissent}\n\n`;
+                    result += `**Conditions:**\n${data.verdict.conditions}\n`;
+                }
+                if (data.error) {
+                    result += `\n**Error:** ${data.error}\n`;
+                }
+                return result;
+            },
+        },
         {
             name: "get_agent_types",
             description: `List available agent types for ${projectName} with descriptions.`,

package/dist/tools/memory.js

@@ -61,19 +61,22 @@ export function createMemoryTools(projectName) {
             description: "Retrieve relevant memories based on context. Searches agent memory for past decisions, insights, and notes related to the query.",
             schema: z.object({
                 query: z.string().describe("What to recall (semantic search)"),
-                type: z.enum(["decision", "insight", "context", "todo", "conversation", "note", "all"]).optional().describe("Filter by memory type (default: all)"),
+                type: z.enum(["decision", "insight", "context", "todo", "conversation", "note", "procedure", "all"]).optional().describe("Filter by memory type (default: all)"),
                 limit: z.coerce.number().optional().describe("Max memories to retrieve (default: 5)"),
+                graphRecall: z.boolean().optional().describe("Enable graph-aware recall with spreading activation (default: false)"),
             }),
             annotations: TOOL_ANNOTATIONS["recall"],
             handler: async (args, ctx) => {
                 const query = args.query;
                 const type = args.type || "all";
                 const limit = args.limit || 5;
+                const graphRecall = args.graphRecall || false;
                 const response = await ctx.api.post("/api/memory/recall", {
                     projectName: ctx.projectName,
                     query,
                     type,
                     limit,
+                    graphRecall,
                 });
                 const results = response.data.results || [];
                 if (results.length === 0) {

package/dist/types.d.ts

@@ -2,7 +2,7 @@
  * Shared types for the MCP server tool modules.
  */
 import type { AxiosInstance } from "axios";
-import type { ZodObject, ZodRawShape } from "zod";
+import type { z } from "zod";
 import type { ToolAnnotations } from "./annotations.js";
 /** MCP tool input schema shape (raw JSON Schema) */
 export interface ToolInputSchema {
@@ -42,8 +42,8 @@ export interface ToolModule {
 export interface ToolSpec {
     name: string;
     description: string;
-    schema: ZodObject<ZodRawShape>;
-    outputSchema?: ZodObject<ZodRawShape>;
+    schema: z.ZodObject<Record<string, z.ZodType>>;
+    outputSchema?: z.ZodObject<Record<string, z.ZodType>>;
     annotations?: ToolAnnotations;
     handler: ToolHandler;
 }

package/dist/validation-hooks.d.ts

@@ -0,0 +1,40 @@
+/**
+ * PreToolUse Validation Hooks
+ *
+ * Validation pipeline that runs before tool execution.
+ * Hooks can block execution, modify args, or add warnings.
+ *
+ * Inspired by claude-quanta-plugin's PreToolUse hooks pattern.
+ */
+import type { ToolContext } from "./types.js";
+export interface ValidationResult {
+    allowed: boolean;
+    reason?: string;
+    warnings?: string[];
+    modifiedArgs?: Record<string, unknown>;
+}
+export type ValidationHook = (toolName: string, args: Record<string, unknown>, ctx: ToolContext) => Promise<ValidationResult> | ValidationResult;
+/**
+ * Prevent destructive operations without explicit confirmation.
+ * Blocks: index_codebase with force=true, forget (memory deletion).
+ */
+export declare const destructiveGuard: ValidationHook;
+/**
+ * Validate required fields for critical tools.
+ */
+export declare const requiredFieldsValidator: ValidationHook;
+/**
+ * Sanitize inputs — trim strings, enforce reasonable limits.
+ */
+export declare const inputSanitizer: ValidationHook;
+export declare class ValidationPipeline {
+    private hooks;
+    constructor(hooks?: ValidationHook[]);
+    addHook(hook: ValidationHook): void;
+    /**
+     * Run all hooks in sequence. First rejection stops the pipeline.
+     * Args can be modified by hooks (each hook sees the potentially modified args).
+     */
+    validate(toolName: string, args: Record<string, unknown>, ctx: ToolContext): Promise<ValidationResult>;
+}
+export declare const validationPipeline: ValidationPipeline;

package/dist/validation-hooks.js

@@ -0,0 +1,108 @@
+/**
+ * PreToolUse Validation Hooks
+ *
+ * Validation pipeline that runs before tool execution.
+ * Hooks can block execution, modify args, or add warnings.
+ *
+ * Inspired by claude-quanta-plugin's PreToolUse hooks pattern.
+ */
+// ── Built-in Hooks ──────────────────────────────────────────
+/**
+ * Prevent destructive operations without explicit confirmation.
+ * Blocks: index_codebase with force=true, forget (memory deletion).
+ */
+export const destructiveGuard = (toolName, args) => {
+    if (toolName === 'index_codebase' && args.force === true) {
+        return {
+            allowed: true,
+            warnings: ['Force reindex will delete and rebuild the entire index. This may take several minutes.'],
+        };
+    }
+    if (toolName === 'forget') {
+        return {
+            allowed: true,
+            warnings: ['This will permanently delete a memory entry.'],
+        };
+    }
+    return { allowed: true };
+};
+/**
+ * Validate required fields for critical tools.
+ */
+export const requiredFieldsValidator = (toolName, args) => {
+    // Search tools must have a query
+    const searchTools = ['search_codebase', 'hybrid_search', 'search_docs', 'find_feature', 'ask_codebase'];
+    if (searchTools.includes(toolName)) {
+        const query = args.query || args.question;
+        if (!query || (typeof query === 'string' && query.trim().length < 3)) {
+            return { allowed: false, reason: `${toolName} requires a query of at least 3 characters` };
+        }
+    }
+    // Memory tools must have content
+    if (toolName === 'remember' && (!args.content || (typeof args.content === 'string' && args.content.trim().length < 10))) {
+        return { allowed: false, reason: 'remember requires content of at least 10 characters' };
+    }
+    return { allowed: true };
+};
+/**
+ * Sanitize inputs — trim strings, enforce reasonable limits.
+ */
+export const inputSanitizer = (toolName, args) => {
+    const modified = { ...args };
+    let changed = false;
+    // Trim string values
+    for (const [key, value] of Object.entries(modified)) {
+        if (typeof value === 'string' && value !== value.trim()) {
+            modified[key] = value.trim();
+            changed = true;
+        }
+    }
+    // Cap limit params to prevent excessive results
+    if (typeof modified.limit === 'number' && modified.limit > 50) {
+        modified.limit = 50;
+        changed = true;
+    }
+    return changed
+        ? { allowed: true, modifiedArgs: modified }
+        : { allowed: true };
+};
+// ── Validation Pipeline ─────────────────────────────────────
+export class ValidationPipeline {
+    hooks = [];
+    constructor(hooks) {
+        this.hooks = hooks || [
+            destructiveGuard,
+            requiredFieldsValidator,
+            inputSanitizer,
+        ];
+    }
+    addHook(hook) {
+        this.hooks.push(hook);
+    }
+    /**
+     * Run all hooks in sequence. First rejection stops the pipeline.
+     * Args can be modified by hooks (each hook sees the potentially modified args).
+     */
+    async validate(toolName, args, ctx) {
+        let currentArgs = { ...args };
+        const allWarnings = [];
+        for (const hook of this.hooks) {
+            const result = await hook(toolName, currentArgs, ctx);
+            if (!result.allowed) {
+                return result;
+            }
+            if (result.warnings) {
+                allWarnings.push(...result.warnings);
+            }
+            if (result.modifiedArgs) {
+                currentArgs = result.modifiedArgs;
+            }
+        }
+        return {
+            allowed: true,
+            warnings: allWarnings.length > 0 ? allWarnings : undefined,
+            modifiedArgs: currentArgs !== args ? currentArgs : undefined,
+        };
+    }
+}
+export const validationPipeline = new ValidationPipeline();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@crowley/rag-mcp",
-  "version": "1.2.1",
+  "version": "1.5.0",
   "description": "Universal RAG MCP Server for any project",
   "type": "module",
   "main": "dist/index.js",
@@ -35,8 +35,7 @@
     "@modelcontextprotocol/sdk": "^1.0.0",
     "axios": "^1.6.0",
     "glob": "^11.0.0",
-    "zod": "^3.25.76",
-    "zod-to-json-schema": "^3.25.1"
+    "zod": "^4.0.0"
   },
   "devDependencies": {
     "@types/node": "^20.10.0",