@cyanheads/git-mcp-server 2.12.0 → 2.14.0

package/dist/index.js

@@ -15284,7 +15284,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@cyanheads/git-mcp-server",
-    version: "2.12.0",
+    version: "2.13.0",
     mcpName: "io.github.cyanheads/git-mcp-server",
     description: "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
     main: "dist/index.js",
@@ -15517,6 +15517,17 @@ var import_dotenv, packageManifest, emptyStringAsUndefined = (val) => {
     return;
   }
   return val;
+}, parseBoolEnv = (defaultValue) => (val) => {
+  if (typeof val === "boolean")
+    return val;
+  if (typeof val === "string") {
+    const lower = val.trim().toLowerCase();
+    if (["true", "1", "yes", "on"].includes(lower))
+      return true;
+    if (["false", "0", "no", "off", ""].includes(lower))
+      return false;
+  }
+  return defaultValue;
 }, expandTildePath = (path2) => {
   if (typeof path2 !== "string" || path2.trim() === "") {
     return;
@@ -15737,7 +15748,7 @@ var init_config = __esm(() => {
     }),
     git: exports_external.object({
       provider: exports_external.preprocess(emptyStringAsUndefined, exports_external.enum(["auto", "cli", "isomorphic"]).default("auto")),
-      signCommits: exports_external.coerce.boolean().default(false),
+      signCommits: exports_external.preprocess(parseBoolEnv(true), exports_external.boolean()),
       authorName: exports_external.string().regex(/^[^\n\r\0]*$/, "Git author name must not contain newlines or null bytes").optional(),
       authorEmail: exports_external.string().email().optional(),
       committerName: exports_external.string().regex(/^[^\n\r\0]*$/, "Git committer name must not contain newlines or null bytes").optional(),
@@ -105568,75 +105579,6 @@ var require_index_incubating = __commonJS((exports) => {
   __exportStar(require_experimental_events(), exports);
 });
 
-// src/mcp-server/transports/auth/lib/authContext.ts
-import { AsyncLocalStorage } from "async_hooks";
-var authContext;
-var init_authContext = __esm(() => {
-  authContext = new AsyncLocalStorage;
-});
-
-// src/utils/internal/requestContext.ts
-var import_api2, requestContextServiceInstance, requestContextService;
-var init_requestContext = __esm(() => {
-  init_authContext();
-  init_utils();
-  init_logger();
-  import_api2 = __toESM(require_src(), 1);
-  requestContextServiceInstance = {
-    config: {},
-    configure(config3) {
-      this.config = {
-        ...this.config,
-        ...config3
-      };
-      const logContext = this.createRequestContext({
-        operation: "RequestContextService.configure",
-        additionalContext: { newConfigState: { ...this.config } }
-      });
-      logger.debug("RequestContextService configuration updated", logContext);
-      return { ...this.config };
-    },
-    getConfig() {
-      return { ...this.config };
-    },
-    createRequestContext(params = {}) {
-      const { parentContext, additionalContext, operation, ...rest } = params;
-      const inheritedContext = parentContext && typeof parentContext === "object" ? { ...parentContext } : {};
-      let inheritedTenantId;
-      if (inheritedContext && typeof inheritedContext === "object" && "tenantId" in inheritedContext && typeof inheritedContext.tenantId === "string") {
-        inheritedTenantId = inheritedContext.tenantId;
-      }
-      const authStore = authContext.getStore();
-      const tenantIdFromAuth = authStore?.authInfo?.tenantId;
-      const inheritedRequestId = inheritedContext.requestId;
-      const requestId = typeof inheritedRequestId === "string" && inheritedRequestId ? inheritedRequestId : generateRequestContextId();
-      const timestamp = new Date().toISOString();
-      const restTenantId = typeof rest.tenantId === "string" ? rest.tenantId : undefined;
-      const additionalTenantId = additionalContext && typeof additionalContext === "object" && typeof additionalContext.tenantId === "string" ? additionalContext.tenantId : undefined;
-      const resolvedTenantId = additionalTenantId ?? restTenantId ?? inheritedTenantId ?? tenantIdFromAuth;
-      const context = {
-        ...inheritedContext,
-        ...rest,
-        requestId,
-        timestamp,
-        ...resolvedTenantId ? { tenantId: resolvedTenantId } : {},
-        ...additionalContext && typeof additionalContext === "object" ? additionalContext : {},
-        ...operation && typeof operation === "string" ? { operation } : {}
-      };
-      const activeSpan = import_api2.trace.getActiveSpan();
-      if (activeSpan && typeof activeSpan.spanContext === "function") {
-        const spanContext = activeSpan.spanContext();
-        if (spanContext) {
-          context.traceId = spanContext.traceId;
-          context.spanId = spanContext.spanId;
-        }
-      }
-      return context;
-    }
-  };
-  requestContextService = requestContextServiceInstance;
-});
-
 // node_modules/validator/lib/util/assertString.js
 var require_assertString = __commonJS((exports, module) => {
   Object.defineProperty(exports, "__esModule", {
@@ -112035,1408 +111977,6 @@ var require_validator = __commonJS((exports, module) => {
   module.exports.default = exports.default;
 });
 
-// src/utils/security/sanitization.ts
-class Sanitization {
-  static instance;
-  sensitiveFields = [
-    "password",
-    "token",
-    "secret",
-    "apiKey",
-    "credential",
-    "jwt",
-    "ssn",
-    "cvv",
-    "authorization",
-    "cookie",
-    "clientsecret",
-    "client_secret",
-    "private_key",
-    "privatekey"
-  ];
-  constructor() {}
-  static getInstance() {
-    if (!Sanitization.instance) {
-      Sanitization.instance = new Sanitization;
-    }
-    return Sanitization.instance;
-  }
-  setSensitiveFields(fields) {
-    this.sensitiveFields = [
-      ...new Set([
-        ...this.sensitiveFields,
-        ...fields.map((f3) => f3.toLowerCase())
-      ])
-    ];
-    const logContext = requestContextService.createRequestContext({
-      operation: "Sanitization.setSensitiveFields",
-      additionalContext: {
-        newSensitiveFieldCount: this.sensitiveFields.length
-      }
-    });
-    logger.debug("Updated sensitive fields list for log sanitization", logContext);
-  }
-  getSensitiveFields() {
-    return [...this.sensitiveFields];
-  }
-  getSensitivePinoFields() {
-    return this.sensitiveFields.map((field) => field.replace(/[-_]/g, ""));
-  }
-  sanitizeUrl(input, allowedProtocols = ["http", "https"]) {
-    try {
-      const trimmedInput = input.trim();
-      if (!import_validator.default.isURL(trimmedInput, {
-        protocols: allowedProtocols,
-        require_protocol: true,
-        require_host: true
-      })) {
-        throw new Error("Invalid URL format or protocol not in allowed list.");
-      }
-      const lowercasedInput = trimmedInput.toLowerCase();
-      if (lowercasedInput.startsWith("javascript:") || lowercasedInput.startsWith("data:") || lowercasedInput.startsWith("vbscript:")) {
-        throw new Error("Disallowed pseudo-protocol (javascript:, data:, or vbscript:) in URL.");
-      }
-      return trimmedInput;
-    } catch (error48) {
-      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe URL provided.", { input });
-    }
-  }
-  sanitizePath(input, options = {}) {
-    if (isServerless || !pathModule) {
-      throw new McpError(-32603 /* InternalError */, "File-based path sanitization is not supported in this environment.");
-    }
-    const path2 = pathModule;
-    const originalInput = input;
-    const resolvedRootDir = options.rootDir ? path2.resolve(options.rootDir) : undefined;
-    const effectiveOptions = {
-      toPosix: options.toPosix ?? false,
-      allowAbsolute: options.allowAbsolute ?? false,
-      ...resolvedRootDir && { rootDir: resolvedRootDir }
-    };
-    let wasAbsoluteInitially = false;
-    try {
-      if (!input || typeof input !== "string")
-        throw new Error("Invalid path input: must be a non-empty string.");
-      if (input.includes("\x00"))
-        throw new Error("Path contains null byte, which is disallowed.");
-      let normalized = path2.normalize(input);
-      wasAbsoluteInitially = path2.isAbsolute(normalized);
-      if (effectiveOptions.toPosix) {
-        normalized = normalized.replace(/\\/g, "/");
-      }
-      let finalSanitizedPath;
-      if (resolvedRootDir) {
-        let fullPath;
-        if (path2.isAbsolute(normalized)) {
-          fullPath = path2.normalize(normalized);
-        } else {
-          fullPath = path2.resolve(resolvedRootDir, normalized);
-        }
-        const normalizedRoot = path2.normalize(resolvedRootDir);
-        const normalizedFull = path2.normalize(fullPath);
-        if (!normalizedFull.startsWith(normalizedRoot + path2.sep) && normalizedFull !== normalizedRoot) {
-          throw new Error("Path traversal detected: attempts to escape the defined root directory.");
-        }
-        finalSanitizedPath = path2.relative(normalizedRoot, normalizedFull);
-        finalSanitizedPath = finalSanitizedPath === "" ? "." : finalSanitizedPath;
-        if (path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute) {
-          throw new Error("Path resolved to absolute outside root when absolute paths are disallowed.");
-        }
-      } else {
-        if (path2.isAbsolute(normalized)) {
-          if (!effectiveOptions.allowAbsolute) {
-            throw new Error("Absolute paths are disallowed by current options.");
-          } else {
-            finalSanitizedPath = normalized;
-          }
-        } else {
-          const resolvedAgainstCwd = path2.resolve(normalized);
-          const currentWorkingDir = path2.resolve(".");
-          if (!resolvedAgainstCwd.startsWith(currentWorkingDir + path2.sep) && resolvedAgainstCwd !== currentWorkingDir) {
-            throw new Error("Relative path traversal detected (escapes current working directory context).");
-          }
-          finalSanitizedPath = normalized;
-        }
-      }
-      return {
-        sanitizedPath: finalSanitizedPath,
-        originalInput,
-        wasAbsolute: wasAbsoluteInitially,
-        convertedToRelative: wasAbsoluteInitially && !path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute,
-        optionsUsed: effectiveOptions
-      };
-    } catch (error48) {
-      logger.warning("Path sanitization error", requestContextService.createRequestContext({
-        operation: "Sanitization.sanitizePath.error",
-        additionalContext: {
-          originalPathInput: originalInput,
-          pathOptionsUsed: effectiveOptions,
-          errorMessage: error48 instanceof Error ? error48.message : String(error48)
-        }
-      }));
-      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe path provided.", { input: originalInput });
-    }
-  }
-  sanitizeJson(input, maxSize) {
-    try {
-      if (typeof input !== "string")
-        throw new Error("Invalid input: expected a JSON string.");
-      const computeBytes = (s2) => {
-        if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
-          return Buffer.byteLength(s2, "utf8");
-        }
-        if (typeof TextEncoder !== "undefined") {
-          return new TextEncoder().encode(s2).length;
-        }
-        return s2.length;
-      };
-      if (maxSize !== undefined && computeBytes(input) > maxSize) {
-        throw new McpError(-32007 /* ValidationError */, `JSON string exceeds maximum allowed size of ${maxSize} bytes.`, { actualSize: computeBytes(input), maxSize });
-      }
-      return JSON.parse(input);
-    } catch (error48) {
-      if (error48 instanceof McpError)
-        throw error48;
-      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid JSON format.", {
-        inputPreview: input.length > 100 ? `${input.substring(0, 100)}...` : input
-      });
-    }
-  }
-  sanitizeNumber(input, min, max) {
-    let value;
-    if (typeof input === "string") {
-      const trimmedInput = input.trim();
-      if (trimmedInput === "" || !import_validator.default.isNumeric(trimmedInput)) {
-        throw new McpError(-32007 /* ValidationError */, "Invalid number format: input is empty or not numeric.", { input });
-      }
-      value = parseFloat(trimmedInput);
-    } else if (typeof input === "number") {
-      value = input;
-    } else {
-      throw new McpError(-32007 /* ValidationError */, "Invalid input type: expected number or string.", { input: String(input) });
-    }
-    if (isNaN(value) || !isFinite(value)) {
-      throw new McpError(-32007 /* ValidationError */, "Invalid number value (NaN or Infinity).", { input });
-    }
-    let clamped = false;
-    const originalValueForLog = value;
-    if (min !== undefined && value < min) {
-      value = min;
-      clamped = true;
-    }
-    if (max !== undefined && value > max) {
-      value = max;
-      clamped = true;
-    }
-    if (clamped) {
-      logger.debug("Number clamped to range.", requestContextService.createRequestContext({
-        operation: "Sanitization.sanitizeNumber.clamped",
-        additionalContext: {
-          originalInput: String(input),
-          parsedValue: originalValueForLog,
-          minValue: min,
-          maxValue: max,
-          clampedValue: value
-        }
-      }));
-    }
-    return value;
-  }
-  sanitizeForLogging(input) {
-    try {
-      if (!input || typeof input !== "object")
-        return input;
-      const clonedInput = typeof globalThis.structuredClone === "function" ? globalThis.structuredClone(input) : JSON.parse(JSON.stringify(input));
-      this.redactSensitiveFields(clonedInput);
-      return clonedInput;
-    } catch (error48) {
-      logger.error("Error during log sanitization, returning placeholder.", requestContextService.createRequestContext({
-        operation: "Sanitization.sanitizeForLogging.error",
-        additionalContext: {
-          errorMessage: error48 instanceof Error ? error48.message : String(error48)
-        }
-      }));
-      return "[Log Sanitization Failed]";
-    }
-  }
-  redactSensitiveFields(obj) {
-    if (!obj || typeof obj !== "object")
-      return;
-    if (Array.isArray(obj)) {
-      obj.forEach((item) => this.redactSensitiveFields(item));
-      return;
-    }
-    const normalize = (str) => str.toLowerCase().replace(/[^a-z0-9]/g, "");
-    const normalizedSensitiveSet = new Set(this.sensitiveFields.map((f3) => normalize(f3)).filter(Boolean));
-    const wordSensitiveSet = new Set(this.sensitiveFields.map((f3) => f3.toLowerCase()).filter(Boolean));
-    for (const key in obj) {
-      if (Object.prototype.hasOwnProperty.call(obj, key)) {
-        const value = obj[key];
-        const normalizedKey = normalize(key);
-        const keyWords = key.replace(/([A-Z])/g, " $1").toLowerCase().split(/[\s_-]+/).filter(Boolean);
-        const isExactSensitive = normalizedSensitiveSet.has(normalizedKey);
-        const isWordSensitive = keyWords.some((w) => wordSensitiveSet.has(w));
-        const isSensitive = isExactSensitive || isWordSensitive;
-        if (isSensitive) {
-          obj[key] = "[REDACTED]";
-        } else if (value && typeof value === "object") {
-          this.redactSensitiveFields(value);
-        }
-      }
-    }
-  }
-}
-var import_validator, isServerless, pathModule, sanitization, sanitizeInputForLogging = (input) => sanitization.sanitizeForLogging(input);
-var init_sanitization = __esm(() => {
-  init_errors3();
-  init_utils();
-  import_validator = __toESM(require_validator(), 1);
-  isServerless = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
-  if (!isServerless) {
-    import("path").then((mod2) => {
-      pathModule = mod2.default;
-    }).catch(() => {});
-  }
-  sanitization = Sanitization.getInstance();
-});
-
-// src/utils/internal/logger.ts
-import pino from "pino";
-var mcpToPinoLevel, pinoToMcpLevelSeverity, isServerless2, Logger, logger;
-var init_logger = __esm(() => {
-  init_config();
-  init_requestContext();
-  init_sanitization();
-  mcpToPinoLevel = {
-    emerg: "fatal",
-    alert: "fatal",
-    crit: "error",
-    error: "error",
-    warning: "warn",
-    notice: "info",
-    info: "info",
-    debug: "debug"
-  };
-  pinoToMcpLevelSeverity = {
-    fatal: 0,
-    error: 2,
-    warn: 4,
-    info: 6,
-    debug: 7
-  };
-  isServerless2 = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
-  Logger = class Logger {
-    static instance = new Logger;
-    pinoLogger;
-    interactionLogger;
-    initialized = false;
-    currentMcpLevel = "info";
-    transportType;
-    rateLimitThreshold = 10;
-    rateLimitWindow = 60000;
-    messageCounts = new Map;
-    suppressedMessages = new Map;
-    cleanupTimer;
-    constructor() {}
-    static getInstance() {
-      return Logger.instance;
-    }
-    async createPinoLogger(level, transportType) {
-      const pinoLevel = mcpToPinoLevel[level] || "info";
-      const pinoOptions = {
-        level: pinoLevel,
-        base: {
-          env: config2.environment,
-          version: config2.mcpServerVersion,
-          pid: !isServerless2 ? process.pid : undefined
-        },
-        redact: {
-          paths: sanitization.getSensitivePinoFields(),
-          censor: "[REDACTED]"
-        }
-      };
-      if (isServerless2) {
-        return pino(pinoOptions);
-      }
-      const { default: fs2 } = await import("fs");
-      const { default: path2 } = await import("path");
-      const transports = [];
-      const isDevelopment = config2.environment === "development";
-      const isTest = config2.environment === "testing";
-      const noColorEnv = process.env.NO_COLOR === "1" || process.env.FORCE_COLOR === "0";
-      const useColoredOutput = isDevelopment && transportType !== "stdio" && !noColorEnv;
-      if (useColoredOutput && !isServerless2) {
-        try {
-          const { createRequire: createRequire2 } = await import("node:module");
-          const require2 = createRequire2(import.meta.url);
-          const prettyTarget = require2.resolve("pino-pretty");
-          transports.push({
-            target: prettyTarget,
-            options: { colorize: true, translateTime: "yyyy-mm-dd HH:MM:ss" }
-          });
-        } catch (err) {
-          if (process.stderr?.isTTY) {
-            console.warn(`[Logger Init] Pretty transport unavailable (${err instanceof Error ? err.message : String(err)}); falling back to stdout JSON.`);
-          }
-          transports.push({ target: "pino/file", options: { destination: 1 } });
-        }
-      } else if (!isTest) {
-        transports.push({ target: "pino/file", options: { destination: 2 } });
-      }
-      if (config2.logsPath) {
-        try {
-          if (!fs2.existsSync(config2.logsPath)) {
-            fs2.mkdirSync(config2.logsPath, { recursive: true });
-          }
-          transports.push({
-            level: pinoLevel,
-            target: "pino/file",
-            options: {
-              destination: path2.join(config2.logsPath, "combined.log"),
-              mkdir: true
-            }
-          });
-          transports.push({
-            level: "error",
-            target: "pino/file",
-            options: {
-              destination: path2.join(config2.logsPath, "error.log"),
-              mkdir: true
-            }
-          });
-        } catch (err) {
-          if (process.stderr?.isTTY) {
-            console.error(`[Logger Init] Failed to configure file logging: ${err instanceof Error ? err.message : String(err)}`);
-          }
-        }
-      }
-      return pino({ ...pinoOptions, transport: { targets: transports } });
-    }
-    async createInteractionLogger() {
-      if (isServerless2 || !config2.logsPath)
-        return;
-      const { default: path2 } = await import("path");
-      return pino({
-        transport: {
-          target: "pino/file",
-          options: {
-            destination: path2.join(config2.logsPath, "interactions.log"),
-            mkdir: true
-          }
-        }
-      });
-    }
-    async initialize(level = "info", transportType) {
-      if (this.initialized) {
-        this.warning("Logger already initialized.", requestContextService.createRequestContext({
-          operation: "loggerReinit"
-        }));
-        return;
-      }
-      this.currentMcpLevel = level;
-      this.transportType = transportType;
-      this.pinoLogger = await this.createPinoLogger(level, transportType);
-      this.interactionLogger = await this.createInteractionLogger();
-      if (!isServerless2 && !this.cleanupTimer) {
-        this.cleanupTimer = setInterval(() => this.flushSuppressedMessages(), this.rateLimitWindow);
-        this.cleanupTimer.unref?.();
-      }
-      this.initialized = true;
-      this.info(`Logger initialized. MCP level: ${level}.`, requestContextService.createRequestContext({ operation: "loggerInit" }));
-    }
-    setLevel(newLevel) {
-      if (!this.pinoLogger || !this.initialized) {
-        if (process.stderr?.isTTY) {
-          console.error("Cannot set level: Logger not initialized.");
-        }
-        return;
-      }
-      this.currentMcpLevel = newLevel;
-      this.pinoLogger.level = mcpToPinoLevel[newLevel] || "info";
-      this.info(`Log level changed to ${newLevel}.`, requestContextService.createRequestContext({
-        operation: "loggerSetLevel"
-      }));
-    }
-    async close() {
-      if (!this.initialized)
-        return Promise.resolve();
-      this.info("Logger shutting down.", requestContextService.createRequestContext({ operation: "loggerClose" }));
-      if (this.cleanupTimer)
-        clearInterval(this.cleanupTimer);
-      this.flushSuppressedMessages();
-      await Promise.all([
-        new Promise((resolve) => {
-          if (this.pinoLogger) {
-            this.pinoLogger.flush((err) => {
-              if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
-                console.error("Error flushing main logger:", err);
-              }
-              resolve();
-            });
-          } else {
-            resolve();
-          }
-        }),
-        new Promise((resolve) => {
-          if (this.interactionLogger) {
-            this.interactionLogger.flush((err) => {
-              if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
-                console.error("Error flushing interaction logger:", err);
-              }
-              resolve();
-            });
-          } else {
-            resolve();
-          }
-        })
-      ]);
-      this.initialized = false;
-    }
-    isInitialized() {
-      return this.initialized;
-    }
-    isRateLimited(message) {
-      const now = Date.now();
-      const entry = this.messageCounts.get(message);
-      if (!entry) {
-        this.messageCounts.set(message, { count: 1, firstSeen: now });
-        return false;
-      }
-      if (now - entry.firstSeen > this.rateLimitWindow) {
-        this.messageCounts.set(message, { count: 1, firstSeen: now });
-        return false;
-      }
-      entry.count++;
-      if (entry.count > this.rateLimitThreshold) {
-        this.suppressedMessages.set(message, (this.suppressedMessages.get(message) || 0) + 1);
-        return true;
-      }
-      return false;
-    }
-    flushSuppressedMessages() {
-      if (this.suppressedMessages.size === 0)
-        return;
-      for (const [message, count] of this.suppressedMessages.entries()) {
-        this.warning(`Log message suppressed ${count} times due to rate limiting.`, requestContextService.createRequestContext({
-          operation: "loggerRateLimitFlush",
-          additionalContext: { originalMessage: message }
-        }));
-      }
-      this.suppressedMessages.clear();
-      this.messageCounts.clear();
-    }
-    log(level, msg, context, error48) {
-      if (!this.pinoLogger || !this.initialized)
-        return;
-      const pinoLevel = mcpToPinoLevel[level] || "info";
-      const currentPinoLevel = mcpToPinoLevel[this.currentMcpLevel] || "info";
-      const levelSeverity = pinoToMcpLevelSeverity[pinoLevel];
-      const currentLevelSeverity = pinoToMcpLevelSeverity[currentPinoLevel];
-      if (typeof levelSeverity === "number" && typeof currentLevelSeverity === "number" && levelSeverity > currentLevelSeverity) {
-        return;
-      }
-      if (this.isRateLimited(msg))
-        return;
-      const logObject = { ...context };
-      if (error48)
-        logObject.err = pino.stdSerializers.err(error48);
-      this.pinoLogger[pinoLevel](logObject, msg);
-    }
-    debug(msg, context) {
-      this.log("debug", msg, context);
-    }
-    info(msg, context) {
-      this.log("info", msg, context);
-    }
-    notice(msg, context) {
-      this.log("notice", msg, context);
-    }
-    warning(msg, context) {
-      this.log("warning", msg, context);
-    }
-    error(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("error", msg, actualContext, errorObj);
-    }
-    crit(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("crit", msg, actualContext, errorObj);
-    }
-    alert(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("alert", msg, actualContext, errorObj);
-    }
-    emerg(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("emerg", msg, actualContext, errorObj);
-    }
-    fatal(msg, errorOrContext, context) {
-      this.emerg(msg, errorOrContext, context);
-    }
-    logInteraction(interactionName, data) {
-      if (!this.interactionLogger) {
-        if (!isServerless2)
-          this.warning("Interaction logger not available.", data.context || {});
-        return;
-      }
-      this.interactionLogger.info({ interactionName, ...data });
-    }
-  };
-  logger = Logger.getInstance();
-});
-
-// src/utils/internal/error-handler/mappings.ts
-var ERROR_TYPE_MAPPINGS, COMMON_ERROR_PATTERNS;
-var init_mappings = __esm(() => {
-  ERROR_TYPE_MAPPINGS = {
-    SyntaxError: -32007 /* ValidationError */,
-    TypeError: -32007 /* ValidationError */,
-    ReferenceError: -32603 /* InternalError */,
-    RangeError: -32007 /* ValidationError */,
-    URIError: -32007 /* ValidationError */,
-    EvalError: -32603 /* InternalError */,
-    AggregateError: -32603 /* InternalError */
-  };
-  COMMON_ERROR_PATTERNS = [
-    {
-      pattern: /auth|unauthorized|unauthenticated|not.*logged.*in|invalid.*token|expired.*token/i,
-      errorCode: -32006 /* Unauthorized */
-    },
-    {
-      pattern: /permission|forbidden|access.*denied|not.*allowed/i,
-      errorCode: -32005 /* Forbidden */
-    },
-    {
-      pattern: /not found|missing|no such|doesn't exist|couldn't find/i,
-      errorCode: -32001 /* NotFound */
-    },
-    {
-      pattern: /invalid|validation|malformed|bad request|wrong format|missing required/i,
-      errorCode: -32007 /* ValidationError */
-    },
-    {
-      pattern: /conflict|already exists|duplicate|unique constraint/i,
-      errorCode: -32002 /* Conflict */
-    },
-    {
-      pattern: /rate limit|too many requests|throttled/i,
-      errorCode: -32003 /* RateLimited */
-    },
-    {
-      pattern: /timeout|timed out|deadline exceeded/i,
-      errorCode: -32004 /* Timeout */
-    },
-    {
-      pattern: /abort(ed)?|cancell?ed/i,
-      errorCode: -32004 /* Timeout */
-    },
-    {
-      pattern: /service unavailable|bad gateway|gateway timeout|upstream error/i,
-      errorCode: -32000 /* ServiceUnavailable */
-    },
-    {
-      pattern: /zod|zoderror|schema validation/i,
-      errorCode: -32007 /* ValidationError */
-    }
-  ];
-});
-
-// src/utils/internal/error-handler/helpers.ts
-function createSafeRegex(pattern) {
-  if (pattern instanceof RegExp) {
-    let flags = pattern.flags.replace("g", "");
-    if (!flags.includes("i")) {
-      flags += "i";
-    }
-    return new RegExp(pattern.source, flags);
-  }
-  return new RegExp(pattern, "i");
-}
-function getErrorName(error48) {
-  if (error48 instanceof Error) {
-    return error48.name || "Error";
-  }
-  if (error48 === null) {
-    return "NullValueEncountered";
-  }
-  if (error48 === undefined) {
-    return "UndefinedValueEncountered";
-  }
-  if (typeof error48 === "object" && error48 !== null && error48.constructor && typeof error48.constructor.name === "string" && error48.constructor.name !== "Object") {
-    return `${error48.constructor.name}Encountered`;
-  }
-  return `${typeof error48}Encountered`;
-}
-function getErrorMessage(error48) {
-  try {
-    if (error48 instanceof Error) {
-      if ("errors" in error48 && Array.isArray(error48.errors)) {
-        const inner = error48.errors.map((e2) => e2 instanceof Error ? e2.message : String(e2)).filter(Boolean).slice(0, 3).join("; ");
-        return inner ? `${error48.message}: ${inner}` : error48.message;
-      }
-      return error48.message;
-    }
-    if (error48 === null) {
-      return "Null value encountered as error";
-    }
-    if (error48 === undefined) {
-      return "Undefined value encountered as error";
-    }
-    if (typeof error48 === "string") {
-      return error48;
-    }
-    if (typeof error48 === "number" || typeof error48 === "boolean") {
-      return String(error48);
-    }
-    if (typeof error48 === "bigint") {
-      return error48.toString();
-    }
-    if (typeof error48 === "function") {
-      return `[function ${error48.name || "anonymous"}]`;
-    }
-    if (typeof error48 === "object") {
-      try {
-        const json2 = JSON.stringify(error48);
-        if (json2 && json2 !== "{}")
-          return json2;
-      } catch {}
-      const ctor = error48.constructor?.name;
-      return `Non-Error object encountered (constructor: ${ctor || "Object"})`;
-    }
-    if (typeof error48 === "symbol") {
-      return error48.toString();
-    }
-    return "[unrepresentable error]";
-  } catch (conversionError) {
-    return `Error converting error to string: ${conversionError instanceof Error ? conversionError.message : "Unknown conversion error"}`;
-  }
-}
-
-// src/utils/internal/error-handler/errorHandler.ts
-class ErrorHandler {
-  static determineErrorCode(error48) {
-    if (error48 instanceof McpError) {
-      return error48.code;
-    }
-    const errorName = getErrorName(error48);
-    const errorMessage = getErrorMessage(error48);
-    const mappedFromType = ERROR_TYPE_MAPPINGS[errorName];
-    if (mappedFromType) {
-      return mappedFromType;
-    }
-    for (const mapping of COMMON_ERROR_PATTERNS) {
-      const regex = createSafeRegex(mapping.pattern);
-      if (regex.test(errorMessage) || regex.test(errorName)) {
-        return mapping.errorCode;
-      }
-    }
-    if (typeof error48 === "object" && error48 !== null && "name" in error48 && error48.name === "AbortError") {
-      return -32004 /* Timeout */;
-    }
-    return -32603 /* InternalError */;
-  }
-  static handleError(error48, options) {
-    const activeSpan = import_api3.trace.getActiveSpan();
-    if (activeSpan) {
-      if (error48 instanceof Error) {
-        activeSpan.recordException(error48);
-      }
-      activeSpan.setStatus({
-        code: import_api3.SpanStatusCode.ERROR,
-        message: error48 instanceof Error ? error48.message : String(error48)
-      });
-    }
-    const {
-      context = {},
-      operation,
-      input,
-      rethrow = false,
-      errorCode: explicitErrorCode,
-      includeStack = true,
-      critical = false,
-      errorMapper
-    } = options;
-    const sanitizedInput = input !== undefined ? sanitizeInputForLogging(input) : undefined;
-    const originalErrorName = getErrorName(error48);
-    const originalErrorMessage = getErrorMessage(error48);
-    const originalStack = error48 instanceof Error ? error48.stack : undefined;
-    let finalError;
-    let loggedErrorCode;
-    const errorDataSeed = error48 instanceof McpError && typeof error48.data === "object" && error48.data !== null ? { ...error48.data } : {};
-    const consolidatedData = {
-      ...errorDataSeed,
-      ...context,
-      originalErrorName,
-      originalMessage: originalErrorMessage
-    };
-    if (originalStack && !(error48 instanceof McpError && error48.data?.originalStack)) {
-      consolidatedData.originalStack = originalStack;
-    }
-    const cause = error48 instanceof Error ? error48 : undefined;
-    const rootCause = (() => {
-      let current = cause;
-      let depth = 0;
-      while (current && current instanceof Error && current.cause && depth < 5) {
-        current = current.cause;
-        depth += 1;
-      }
-      return current instanceof Error ? { name: current.name, message: current.message } : undefined;
-    })();
-    if (rootCause) {
-      consolidatedData["rootCause"] = rootCause;
-    }
-    if (error48 instanceof McpError) {
-      loggedErrorCode = error48.code;
-      finalError = errorMapper ? errorMapper(error48) : new McpError(error48.code, error48.message, consolidatedData, {
-        cause
-      });
-    } else {
-      loggedErrorCode = explicitErrorCode || ErrorHandler.determineErrorCode(error48);
-      const message = `Error in ${operation}: ${originalErrorMessage}`;
-      finalError = errorMapper ? errorMapper(error48) : new McpError(loggedErrorCode, message, consolidatedData, {
-        cause
-      });
-    }
-    if (finalError !== error48 && error48 instanceof Error && finalError instanceof Error && !finalError.stack && error48.stack) {
-      finalError.stack = error48.stack;
-    }
-    const logRequestId = typeof context.requestId === "string" && context.requestId ? context.requestId : generateUUID();
-    const logTimestamp = typeof context.timestamp === "string" && context.timestamp ? context.timestamp : new Date().toISOString();
-    const stack = finalError instanceof Error ? finalError.stack : originalStack;
-    const logContext = {
-      requestId: logRequestId,
-      timestamp: logTimestamp,
-      operation,
-      input: sanitizedInput,
-      critical,
-      errorCode: loggedErrorCode,
-      originalErrorType: originalErrorName,
-      finalErrorType: getErrorName(finalError),
-      ...Object.fromEntries(Object.entries(context).filter(([key]) => key !== "requestId" && key !== "timestamp")),
-      errorData: finalError instanceof McpError && finalError.data ? finalError.data : consolidatedData,
-      ...includeStack && stack ? { stack } : {}
-    };
-    logger.error(`Error in ${operation}: ${finalError.message || originalErrorMessage}`, logContext);
-    if (rethrow) {
-      throw finalError;
-    }
-    return finalError;
-  }
-  static mapError(error48, mappings, defaultFactory) {
-    const errorMessage = getErrorMessage(error48);
-    const errorName = getErrorName(error48);
-    for (const mapping of mappings) {
-      const regex = createSafeRegex(mapping.pattern);
-      if (regex.test(errorMessage) || regex.test(errorName)) {
-        return mapping.factory(error48, mapping.additionalContext);
-      }
-    }
-    if (defaultFactory) {
-      return defaultFactory(error48);
-    }
-    return error48 instanceof Error ? error48 : new Error(String(error48));
-  }
-  static formatError(error48) {
-    if (error48 instanceof McpError) {
-      return {
-        code: error48.code,
-        message: error48.message,
-        data: typeof error48.data === "object" && error48.data !== null ? error48.data : {}
-      };
-    }
-    if (error48 instanceof Error) {
-      return {
-        code: ErrorHandler.determineErrorCode(error48),
-        message: error48.message,
-        data: { errorType: error48.name || "Error" }
-      };
-    }
-    return {
-      code: -32099 /* UnknownError */,
-      message: getErrorMessage(error48),
-      data: { errorType: getErrorName(error48) }
-    };
-  }
-  static async tryCatch(fn, options) {
-    try {
-      return await Promise.resolve(fn());
-    } catch (caughtError) {
-      throw ErrorHandler.handleError(caughtError, {
-        ...options,
-        rethrow: true
-      });
-    }
-  }
-}
-var import_api3;
-var init_errorHandler = __esm(() => {
-  init_errors3();
-  init_utils();
-  init_logger();
-  init_mappings();
-  import_api3 = __toESM(require_src(), 1);
-});
-
-// src/utils/internal/error-handler/index.ts
-var init_error_handler = __esm(() => {
-  init_errorHandler();
-});
-
-// src/utils/internal/runtime.ts
-function detectRuntime() {
-  if (runtimeCaps.isBun) {
-    return "bun";
-  }
-  if (runtimeCaps.isNode) {
-    return "node";
-  }
-  if (runtimeCaps.isWorkerLike) {
-    return "worker";
-  }
-  if (runtimeCaps.isBrowserLike) {
-    return "browser";
-  }
-  return "unknown";
-}
-function getRuntimeDescription() {
-  const runtime = detectRuntime();
-  switch (runtime) {
-    case "bun":
-      return `Bun ${process.versions?.bun || "unknown"}`;
-    case "node":
-      return `Node.js ${process.versions?.node || "unknown"}`;
-    case "worker":
-      return "Cloudflare Workers / Web Worker";
-    case "browser":
-      return "Browser";
-    default:
-      return "Unknown runtime";
-  }
-}
-var safeHas = (key) => {
-  try {
-    return typeof globalThis[key] !== "undefined";
-  } catch {
-    return false;
-  }
-}, isBun, isNode, hasProcess, hasBuffer, hasTextEncoder, hasPerformanceNow, isWorkerLike, isBrowserLike, runtimeCaps;
-var init_runtime = __esm(() => {
-  isBun = typeof globalThis.Bun !== "undefined" || typeof process.versions?.bun === "string";
-  isNode = !isBun && typeof process !== "undefined" && typeof process.versions?.node === "string";
-  hasProcess = typeof process !== "undefined";
-  hasBuffer = typeof Buffer !== "undefined";
-  hasTextEncoder = safeHas("TextEncoder");
-  hasPerformanceNow = typeof globalThis.performance?.now === "function";
-  isWorkerLike = !isNode && !isBun && typeof globalThis.WorkerGlobalScope !== "undefined";
-  isBrowserLike = !isNode && !isBun && !isWorkerLike && safeHas("window");
-  runtimeCaps = {
-    isNode,
-    isBun,
-    isWorkerLike,
-    isBrowserLike,
-    hasProcess,
-    hasBuffer,
-    hasTextEncoder,
-    hasPerformanceNow
-  };
-});
-
-// src/utils/internal/health.ts
-function getHealthSnapshot() {
-  return {
-    app: {
-      name: config2.mcpServerName,
-      version: config2.mcpServerVersion,
-      environment: config2.environment
-    },
-    runtime: {
-      isNode: runtimeCaps.isNode,
-      isWorkerLike: runtimeCaps.isWorkerLike,
-      isBrowserLike: runtimeCaps.isBrowserLike
-    },
-    telemetry: {
-      enabled: Boolean(config2.openTelemetry.enabled),
-      diagLevel: config2.openTelemetry.logLevel
-    },
-    logging: {
-      initialized: logger.isInitialized()
-    }
-  };
-}
-var init_health = __esm(() => {
-  init_config();
-  init_logger();
-  init_runtime();
-});
-
-// src/utils/telemetry/semconv.ts
-var ATTR_CODE_FUNCTION = "code.function", ATTR_CODE_NAMESPACE = "code.namespace", ATTR_MCP_TOOL_INPUT_BYTES = "mcp.tool.input_bytes", ATTR_MCP_TOOL_OUTPUT_BYTES = "mcp.tool.output_bytes", ATTR_MCP_TOOL_DURATION_MS = "mcp.tool.duration_ms", ATTR_MCP_TOOL_SUCCESS = "mcp.tool.success", ATTR_MCP_TOOL_ERROR_CODE = "mcp.tool.error_code", ATTR_MCP_TOOL_MEMORY_RSS_BEFORE = "mcp.tool.memory_rss_bytes.before", ATTR_MCP_TOOL_MEMORY_RSS_AFTER = "mcp.tool.memory_rss_bytes.after", ATTR_MCP_TOOL_MEMORY_RSS_DELTA = "mcp.tool.memory_rss_bytes.delta", ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE = "mcp.tool.memory_heap_used_bytes.before", ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER = "mcp.tool.memory_heap_used_bytes.after", ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA = "mcp.tool.memory_heap_used_bytes.delta";
-
-// src/utils/internal/performance.ts
-async function loadPerfHooks() {
-  return import("perf_hooks");
-}
-async function initializePerformance_Hrt() {
-  const globalWithPerf = globalThis;
-  if (typeof globalWithPerf.performance?.now === "function") {
-    const perf = globalWithPerf.performance;
-    performanceNow = () => perf?.now() ?? Date.now();
-  } else {
-    try {
-      const { performance: nodePerformance } = await loadPerfHooks();
-      performanceNow = () => nodePerformance.now();
-    } catch (_e) {
-      performanceNow = () => Date.now();
-      logger.warning("Could not import perf_hooks, falling back to Date.now() for performance timing.");
-    }
-  }
-}
-async function measureToolExecution(toolLogicFn, context, inputPayload) {
-  const tracer = import_api4.trace.getTracer(config2.openTelemetry.serviceName, config2.openTelemetry.serviceVersion);
-  const { toolName } = context;
-  return tracer.startActiveSpan(`tool_execution:${toolName}`, async (span) => {
-    const memBefore = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
-    const t0 = nowMs();
-    span.setAttributes({
-      [ATTR_CODE_FUNCTION]: toolName,
-      [ATTR_CODE_NAMESPACE]: "mcp-tools",
-      [ATTR_MCP_TOOL_INPUT_BYTES]: toBytes(inputPayload),
-      [ATTR_MCP_TOOL_MEMORY_RSS_BEFORE]: memBefore.rss,
-      [ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE]: memBefore.heapUsed
-    });
-    let ok = false;
-    let errorCode;
-    let output;
-    try {
-      const result = await toolLogicFn();
-      ok = true;
-      output = result;
-      span.setStatus({ code: import_api4.SpanStatusCode.OK });
-      span.setAttribute(ATTR_MCP_TOOL_OUTPUT_BYTES, toBytes(output));
-      return result;
-    } catch (err) {
-      if (err instanceof McpError)
-        errorCode = String(err.code);
-      else if (err instanceof Error)
-        errorCode = "UNHANDLED_ERROR";
-      else
-        errorCode = "UNKNOWN_ERROR";
-      if (err instanceof Error)
-        span.recordException(err);
-      span.setStatus({
-        code: import_api4.SpanStatusCode.ERROR,
-        message: err instanceof Error ? err.message : String(err)
-      });
-      throw err;
-    } finally {
-      const t1 = nowMs();
-      const durationMs = Number((t1 - t0).toFixed(2));
-      const memAfter = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
-      const rssDelta = memAfter.rss - memBefore.rss;
-      const heapUsedDelta = memAfter.heapUsed - memBefore.heapUsed;
-      span.setAttributes({
-        [ATTR_MCP_TOOL_DURATION_MS]: durationMs,
-        [ATTR_MCP_TOOL_SUCCESS]: ok,
-        [ATTR_MCP_TOOL_MEMORY_RSS_AFTER]: memAfter.rss,
-        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER]: memAfter.heapUsed,
-        [ATTR_MCP_TOOL_MEMORY_RSS_DELTA]: rssDelta,
-        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA]: heapUsedDelta
-      });
-      if (errorCode)
-        span.setAttribute(ATTR_MCP_TOOL_ERROR_CODE, errorCode);
-      span.end();
-      logger.info("Tool execution finished.", {
-        ...context,
-        metrics: {
-          durationMs,
-          isSuccess: ok,
-          errorCode,
-          inputBytes: toBytes(inputPayload),
-          outputBytes: toBytes(output),
-          memory: {
-            rss: {
-              before: memBefore.rss,
-              after: memAfter.rss,
-              delta: rssDelta
-            },
-            heapUsed: {
-              before: memBefore.heapUsed,
-              after: memAfter.heapUsed,
-              delta: heapUsedDelta
-            }
-          }
-        }
-      });
-    }
-  });
-}
-var import_api4, performanceNow = () => Date.now(), nowMs = () => performanceNow(), toBytes = (payload) => {
-  if (payload == null)
-    return 0;
-  try {
-    const json2 = JSON.stringify(payload);
-    if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
-      const bytes = Buffer.byteLength(json2, "utf8");
-      return bytes;
-    }
-    if (typeof TextEncoder !== "undefined") {
-      return new TextEncoder().encode(json2).length;
-    }
-    return json2.length;
-  } catch {
-    return 0;
-  }
-};
-var init_performance = __esm(() => {
-  init_config();
-  init_errors3();
-  init_logger();
-  import_api4 = __toESM(require_src(), 1);
-});
-
-// src/utils/internal/startupBanner.ts
-function logStartupBanner(message, transportType) {
-  if (process.stdout.isTTY) {
-    if (transportType === "stdio") {
-      console.error(message);
-    } else {
-      console.log(message);
-    }
-  }
-}
-
-// src/utils/internal/index.ts
-var init_internal = __esm(() => {
-  init_error_handler();
-  init_health();
-  init_logger();
-  init_performance();
-  init_requestContext();
-  init_runtime();
-});
-
-// src/utils/metrics/tokenCounter.ts
-function getModelHeuristics(model) {
-  const key = (model ?? DEFAULT_MODEL).toLowerCase();
-  const found = HEURISTICS[key];
-  return found ?? HEURISTICS.default;
-}
-function nonEmptyString(s2) {
-  return typeof s2 === "string" && s2.length > 0;
-}
-function approxTokenCount(text, charsPerToken) {
-  if (!text)
-    return 0;
-  const normalized = text.replace(/\s+/g, " ").trim();
-  if (!normalized)
-    return 0;
-  return Math.ceil(normalized.length / Math.max(1, charsPerToken));
-}
-async function countTokens(text, context, model) {
-  return ErrorHandler.tryCatch(() => {
-    const h2 = getModelHeuristics(model);
-    return approxTokenCount(text ?? "", h2.charsPerToken);
-  }, {
-    operation: "countTokens",
-    ...context && { context },
-    input: {
-      textSample: nonEmptyString(text) ? text.length > 53 ? `${text.slice(0, 50)}...` : text : ""
-    },
-    errorCode: -32603 /* InternalError */
-  });
-}
-async function countChatTokens(messages, context, model) {
-  return ErrorHandler.tryCatch(() => {
-    const h2 = getModelHeuristics(model);
-    let tokens = 0;
-    for (const message of messages) {
-      tokens += h2.tokensPerMessage;
-      tokens += 1;
-      if (typeof message.content === "string") {
-        tokens += approxTokenCount(message.content, h2.charsPerToken);
-      } else if (Array.isArray(message.content)) {
-        for (const part of message.content) {
-          if (part && part.type === "text" && nonEmptyString(part.text)) {
-            tokens += approxTokenCount(part.text, h2.charsPerToken);
-          } else if (part) {
-            logger.warning(`Non-text content part found (type: ${String(part.type)}), token count contribution ignored.`, context);
-          }
-        }
-      }
-      if (message.name) {
-        tokens += h2.tokensPerName;
-        tokens += approxTokenCount(message.name, h2.charsPerToken);
-      }
-      if (message.role === "assistant" && Array.isArray(message.tool_calls)) {
-        for (const toolCall of message.tool_calls) {
-          if (toolCall?.type === "function") {
-            if (toolCall.function?.name) {
-              tokens += approxTokenCount(toolCall.function.name, h2.charsPerToken);
-            }
-            if (toolCall.function?.arguments) {
-              tokens += approxTokenCount(toolCall.function.arguments, h2.charsPerToken);
-            }
-          }
-        }
-      }
-      if (message.role === "tool" && message.tool_call_id) {
-        tokens += approxTokenCount(message.tool_call_id, h2.charsPerToken);
-      }
-    }
-    tokens += h2.replyPrimer;
-    return tokens;
-  }, {
-    operation: "countChatTokens",
-    ...context && { context },
-    input: { messageCount: messages.length },
-    errorCode: -32603 /* InternalError */
-  });
-}
-var DEFAULT_MODEL = "gpt-4o", HEURISTICS;
-var init_tokenCounter = __esm(() => {
-  init_utils();
-  HEURISTICS = {
-    "gpt-4o": {
-      charsPerToken: 4,
-      tokensPerMessage: 3,
-      tokensPerName: 1,
-      replyPrimer: 3
-    },
-    "gpt-4o-mini": {
-      charsPerToken: 4,
-      tokensPerMessage: 3,
-      tokensPerName: 1,
-      replyPrimer: 3
-    },
-    default: {
-      charsPerToken: 4,
-      tokensPerMessage: 3,
-      tokensPerName: 1,
-      replyPrimer: 3
-    }
-  };
-});
-
-// src/utils/metrics/registry.ts
-function getMeter() {
-  return import_api5.metrics.getMeter(config2.openTelemetry.serviceName, config2.openTelemetry.serviceVersion);
-}
-function isEnabled() {
-  return Boolean(config2.openTelemetry.enabled);
-}
-function getCounter(name, description, unit) {
-  if (!isEnabled()) {
-    return {
-      add: () => {
-        return;
-      },
-      bind: () => ({ add: () => {
-        return;
-      } }),
-      unbind: () => {
-        return;
-      }
-    };
-  }
-  const key = `${name}|${description ?? ""}|${unit ?? ""}`;
-  const existing = counters.get(key);
-  if (existing)
-    return existing;
-  const opts = {};
-  if (description !== undefined)
-    opts.description = description;
-  if (unit !== undefined)
-    opts.unit = unit;
-  const counter = Object.keys(opts).length ? getMeter().createCounter(name, opts) : getMeter().createCounter(name);
-  counters.set(key, counter);
-  return counter;
-}
-function getHistogram(name, description, unit) {
-  if (!isEnabled()) {
-    return {
-      record: () => {
-        return;
-      },
-      bind: () => ({ record: () => {
-        return;
-      } }),
-      unbind: () => {
-        return;
-      }
-    };
-  }
-  const key = `${name}|${description ?? ""}|${unit ?? ""}`;
-  const existing = histograms.get(key);
-  if (existing)
-    return existing;
-  const opts = {};
-  if (description !== undefined)
-    opts.description = description;
-  if (unit !== undefined)
-    opts.unit = unit;
-  const histogram = Object.keys(opts).length ? getMeter().createHistogram(name, opts) : getMeter().createHistogram(name);
-  histograms.set(key, histogram);
-  return histogram;
-}
-function add(name, value, attributes, description, unit) {
-  const c = getCounter(name, description, unit);
-  c.add(value, attributes);
-}
-function record2(name, value, attributes, description, unit) {
-  const h2 = getHistogram(name, description, unit);
-  h2.record(value, attributes);
-}
-var import_api5, counters, histograms, metricsRegistry;
-var init_registry = __esm(() => {
-  init_config();
-  import_api5 = __toESM(require_src(), 1);
-  counters = new Map;
-  histograms = new Map;
-  metricsRegistry = {
-    getCounter,
-    getHistogram,
-    add,
-    record: record2,
-    enabled: isEnabled
-  };
-});
-
-// src/utils/metrics/index.ts
-var init_metrics = __esm(() => {
-  init_tokenCounter();
-  init_registry();
-});
-
-// src/utils/security/idGenerator.ts
-import { randomUUID as cryptoRandomUUID, randomBytes } from "crypto";
-
-class IdGenerator {
-  static DEFAULT_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  static DEFAULT_SEPARATOR = "_";
-  static DEFAULT_LENGTH = 6;
-  entityPrefixes = {};
-  prefixToEntityType = {};
-  constructor(entityPrefixes = {}) {
-    this.setEntityPrefixes(entityPrefixes);
-  }
-  setEntityPrefixes(entityPrefixes) {
-    this.entityPrefixes = { ...entityPrefixes };
-    this.prefixToEntityType = Object.entries(this.entityPrefixes).reduce((acc, [type, prefix]) => {
-      acc[prefix.toLowerCase()] = type;
-      return acc;
-    }, {});
-  }
-  getEntityPrefixes() {
-    return { ...this.entityPrefixes };
-  }
-  generateRandomString(length = IdGenerator.DEFAULT_LENGTH, charset = IdGenerator.DEFAULT_CHARSET) {
-    let result = "";
-    const maxValidByteValue = Math.floor(256 / charset.length) * charset.length;
-    while (result.length < length) {
-      const byteBuffer = randomBytes(1);
-      const byte = byteBuffer[0];
-      if (byte !== undefined && byte < maxValidByteValue) {
-        const charIndex = byte % charset.length;
-        const char = charset[charIndex];
-        if (char) {
-          result += char;
-        }
-      }
-    }
-    return result;
-  }
-  generate(prefix, options = {}) {
-    const {
-      length = IdGenerator.DEFAULT_LENGTH,
-      separator = IdGenerator.DEFAULT_SEPARATOR,
-      charset = IdGenerator.DEFAULT_CHARSET
-    } = options;
-    const randomPart = this.generateRandomString(length, charset);
-    const generatedId = prefix ? `${prefix}${separator}${randomPart}` : randomPart;
-    return generatedId;
-  }
-  generateForEntity(entityType, options = {}) {
-    const prefix = this.entityPrefixes[entityType];
-    if (!prefix) {
-      throw new McpError(-32007 /* ValidationError */, `Unknown entity type: ${entityType}. No prefix registered.`);
-    }
-    return this.generate(prefix, options);
-  }
-  isValid(id, entityType, options = {}) {
-    const prefix = this.entityPrefixes[entityType];
-    const {
-      length = IdGenerator.DEFAULT_LENGTH,
-      separator = IdGenerator.DEFAULT_SEPARATOR,
-      charset = IdGenerator.DEFAULT_CHARSET
-    } = options;
-    if (!prefix) {
-      return false;
-    }
-    const escapedCharsetForClass = charset.replace(/[[\]\\^-]/g, "\\$&");
-    const charsetRegexPart = `[${escapedCharsetForClass}]`;
-    const pattern = new RegExp(`^${this.escapeRegex(prefix)}${this.escapeRegex(separator)}${charsetRegexPart}{${length}}$`);
-    return pattern.test(id);
-  }
-  escapeRegex(str) {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  }
-  stripPrefix(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
-    const parts = id.split(separator);
-    return parts.length > 1 ? parts.slice(1).join(separator) : id;
-  }
-  getEntityType(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
-    const parts = id.split(separator);
-    if (parts.length < 2 || !parts[0]) {
-      throw new McpError(-32007 /* ValidationError */, `Invalid ID format: ${id}. Expected format like: PREFIX${separator}RANDOMLPART`);
-    }
-    const prefix = parts[0];
-    const entityType = this.prefixToEntityType[prefix.toLowerCase()];
-    if (!entityType) {
-      throw new McpError(-32007 /* ValidationError */, `Unknown entity type for prefix: ${prefix}`);
-    }
-    return entityType;
-  }
-  normalize(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
-    const entityType = this.getEntityType(id, separator);
-    const registeredPrefix = this.entityPrefixes[entityType];
-    const idParts = id.split(separator);
-    const randomPart = idParts.slice(1).join(separator);
-    return `${registeredPrefix}${separator}${randomPart.toUpperCase()}`;
-  }
-}
-var idGenerator, generateUUID = () => {
-  return cryptoRandomUUID();
-}, generateRequestContextId = () => {
-  const generateSecureRandomString = (length, charset2) => {
-    let result = "";
-    const maxValidByteValue = Math.floor(256 / charset2.length) * charset2.length;
-    while (result.length < length) {
-      const byteBuffer = randomBytes(1);
-      const byte = byteBuffer[0];
-      if (byte !== undefined && byte < maxValidByteValue) {
-        const charIndex = byte % charset2.length;
-        const char = charset2[charIndex];
-        if (char) {
-          result += char;
-        }
-      }
-    }
-    return result;
-  };
-  const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  const part1 = generateSecureRandomString(5, charset);
-  const part2 = generateSecureRandomString(5, charset);
-  return `${part1}-${part2}`;
-};
-var init_idGenerator = __esm(() => {
-  init_errors3();
-  idGenerator = new IdGenerator;
-});
-
 // node_modules/tsyringe/node_modules/tslib/tslib.js
 var require_tslib = __commonJS((exports, module) => {
   /*! *****************************************************************************
@@ -114582,7 +113122,7 @@ var require_registry2 = __commonJS((exports) => {
   Object.defineProperty(exports, "__esModule", { value: true });
   var tslib_1 = require_tslib();
   var dependency_container_1 = require_dependency_container();
-  function registry3(registrations = []) {
+  function registry2(registrations = []) {
     return function(target) {
       registrations.forEach((_a2) => {
         var { token, options } = _a2, provider = tslib_1.__rest(_a2, ["token", "options"]);
@@ -114591,7 +113131,7 @@ var require_registry2 = __commonJS((exports) => {
       return target;
     };
   }
-  exports.default = registry3;
+  exports.default = registry2;
 });
 
 // node_modules/tsyringe/dist/cjs/decorators/singleton.js
@@ -114835,195 +113375,6 @@ var init_tokens = __esm(() => {
   GitProviderFactory = Symbol("GitProviderFactory");
 });
 
-// src/utils/security/rateLimiter.ts
-var import_api6, import_tsyringe, RateLimiter;
-var init_rateLimiter = __esm(() => {
-  init_tokens();
-  init_errors3();
-  init_utils();
-  import_api6 = __toESM(require_src(), 1);
-  import_tsyringe = __toESM(require_cjs2(), 1);
-  RateLimiter = class RateLimiter {
-    config;
-    logger;
-    limits;
-    cleanupTimer = null;
-    effectiveConfig;
-    constructor(config3, logger3) {
-      this.config = config3;
-      this.logger = logger3;
-      const defaultConfig = {
-        windowMs: 15 * 60 * 1000,
-        maxRequests: 100,
-        errorMessage: "Rate limit exceeded. Please try again in {waitTime} seconds.",
-        skipInDevelopment: false,
-        cleanupInterval: 5 * 60 * 1000
-      };
-      this.effectiveConfig = { ...defaultConfig };
-      this.limits = new Map;
-      this.startCleanupTimer();
-    }
-    startCleanupTimer() {
-      if (this.cleanupTimer) {
-        clearInterval(this.cleanupTimer);
-      }
-      const interval = this.effectiveConfig.cleanupInterval;
-      if (interval && interval > 0) {
-        this.cleanupTimer = setInterval(() => {
-          this.cleanupExpiredEntries();
-        }, interval);
-        if (this.cleanupTimer.unref) {
-          this.cleanupTimer.unref();
-        }
-      }
-    }
-    cleanupExpiredEntries() {
-      const now = Date.now();
-      let expiredCount = 0;
-      for (const [key, entry] of this.limits.entries()) {
-        if (now >= entry.resetTime) {
-          this.limits.delete(key);
-          expiredCount++;
-        }
-      }
-      if (expiredCount > 0) {
-        const logContext = requestContextService.createRequestContext({
-          operation: "RateLimiter.cleanupExpiredEntries",
-          additionalContext: {
-            cleanedCount: expiredCount,
-            totalRemainingAfterClean: this.limits.size
-          }
-        });
-        this.logger.debug(`Cleaned up ${expiredCount} expired rate limit entries`, logContext);
-      }
-    }
-    configure(config3) {
-      Object.assign(this.effectiveConfig, config3);
-      if (config3.cleanupInterval !== undefined) {
-        this.startCleanupTimer();
-      }
-    }
-    getConfig() {
-      return { ...this.effectiveConfig };
-    }
-    reset() {
-      this.limits.clear();
-      const logContext = requestContextService.createRequestContext({
-        operation: "RateLimiter.reset"
-      });
-      this.logger.debug("Rate limiter reset, all limits cleared", logContext);
-    }
-    check(key, context) {
-      const activeSpan = import_api6.trace.getActiveSpan();
-      activeSpan?.setAttribute("mcp.rate_limit.checked", true);
-      if (this.effectiveConfig.skipInDevelopment && this.config.environment === "development") {
-        activeSpan?.setAttribute("mcp.rate_limit.skipped", "development");
-        return;
-      }
-      const limitKey = this.effectiveConfig.keyGenerator ? this.effectiveConfig.keyGenerator(key, context) : key;
-      activeSpan?.setAttribute("mcp.rate_limit.key", limitKey);
-      const now = Date.now();
-      let entry = this.limits.get(limitKey);
-      if (!entry || now >= entry.resetTime) {
-        entry = {
-          count: 1,
-          resetTime: now + this.effectiveConfig.windowMs
-        };
-        this.limits.set(limitKey, entry);
-      } else {
-        entry.count++;
-      }
-      const remaining = Math.max(0, this.effectiveConfig.maxRequests - entry.count);
-      activeSpan?.setAttributes({
-        "mcp.rate_limit.limit": this.effectiveConfig.maxRequests,
-        "mcp.rate_limit.count": entry.count,
-        "mcp.rate_limit.remaining": remaining
-      });
-      if (entry.count > this.effectiveConfig.maxRequests) {
-        const waitTime = Math.ceil((entry.resetTime - now) / 1000);
-        const errorMessage = (this.effectiveConfig.errorMessage || "Rate limit exceeded. Please try again in {waitTime} seconds.").replace("{waitTime}", waitTime.toString());
-        activeSpan?.addEvent("rate_limit_exceeded", {
-          "mcp.rate_limit.wait_time_seconds": waitTime
-        });
-        throw new McpError(-32003 /* RateLimited */, errorMessage, {
-          waitTimeSeconds: waitTime,
-          key: limitKey,
-          limit: this.effectiveConfig.maxRequests,
-          windowMs: this.effectiveConfig.windowMs
-        });
-      }
-    }
-    getStatus(key) {
-      const entry = this.limits.get(key);
-      if (!entry)
-        return null;
-      return {
-        current: entry.count,
-        limit: this.effectiveConfig.maxRequests,
-        remaining: Math.max(0, this.effectiveConfig.maxRequests - entry.count),
-        resetTime: entry.resetTime
-      };
-    }
-    dispose() {
-      if (this.cleanupTimer) {
-        clearInterval(this.cleanupTimer);
-        this.cleanupTimer = null;
-      }
-      this.limits.clear();
-    }
-  };
-  RateLimiter = __legacyDecorateClassTS([
-    import_tsyringe.injectable(),
-    __legacyDecorateParamTS(0, import_tsyringe.inject(AppConfig)),
-    __legacyDecorateParamTS(1, import_tsyringe.inject(Logger2)),
-    __legacyMetadataTS("design:paramtypes", [
-      Object,
-      Object
-    ])
-  ], RateLimiter);
-});
-
-// src/utils/security/index.ts
-var init_security = __esm(() => {
-  init_idGenerator();
-  init_rateLimiter();
-  init_sanitization();
-});
-
-// src/utils/index.ts
-var exports_utils = {};
-__export(exports_utils, {
-  sanitizeInputForLogging: () => sanitizeInputForLogging,
-  sanitization: () => sanitization,
-  runtimeCaps: () => runtimeCaps,
-  requestContextService: () => requestContextService,
-  nowMs: () => nowMs,
-  metricsRegistry: () => metricsRegistry,
-  measureToolExecution: () => measureToolExecution,
-  logger: () => logger,
-  logStartupBanner: () => logStartupBanner,
-  loadPerfHooks: () => loadPerfHooks,
-  initializePerformance_Hrt: () => initializePerformance_Hrt,
-  idGenerator: () => idGenerator,
-  getRuntimeDescription: () => getRuntimeDescription,
-  getHealthSnapshot: () => getHealthSnapshot,
-  generateUUID: () => generateUUID,
-  generateRequestContextId: () => generateRequestContextId,
-  detectRuntime: () => detectRuntime,
-  countTokens: () => countTokens,
-  countChatTokens: () => countChatTokens,
-  Sanitization: () => Sanitization,
-  RateLimiter: () => RateLimiter,
-  Logger: () => Logger,
-  IdGenerator: () => IdGenerator,
-  ErrorHandler: () => ErrorHandler
-});
-var init_utils = __esm(() => {
-  init_internal();
-  init_metrics();
-  init_security();
-});
-
 // node_modules/tslib/tslib.js
 var require_tslib2 = __commonJS((exports, module) => {
   var __extends;
@@ -116159,22 +114510,22 @@ var require_transformers = __commonJS((exports) => {
     PostgresTypes2["tsrange"] = "tsrange";
     PostgresTypes2["tstzrange"] = "tstzrange";
   })(PostgresTypes || (exports.PostgresTypes = PostgresTypes = {}));
-  var convertChangeData = (columns, record3, options = {}) => {
+  var convertChangeData = (columns, record2, options = {}) => {
     var _a2;
     const skipTypes = (_a2 = options.skipTypes) !== null && _a2 !== undefined ? _a2 : [];
-    if (!record3) {
+    if (!record2) {
       return {};
     }
-    return Object.keys(record3).reduce((acc, rec_key) => {
-      acc[rec_key] = (0, exports.convertColumn)(rec_key, columns, record3, skipTypes);
+    return Object.keys(record2).reduce((acc, rec_key) => {
+      acc[rec_key] = (0, exports.convertColumn)(rec_key, columns, record2, skipTypes);
       return acc;
     }, {});
   };
   exports.convertChangeData = convertChangeData;
-  var convertColumn = (columnName, columns, record3, skipTypes) => {
+  var convertColumn = (columnName, columns, record2, skipTypes) => {
     const column = columns.find((x2) => x2.name === columnName);
     const colType = column === null || column === undefined ? undefined : column.type;
-    const value = record3[columnName];
+    const value = record2[columnName];
     if (colType && !skipTypes.includes(colType)) {
       return (0, exports.convertCell)(colType, value);
     }
@@ -127939,13 +126290,13 @@ var require_core = __commonJS((exports) => {
     return metaOpts;
   }
   var noLogs = { log() {}, warn() {}, error() {} };
-  function getLogger(logger3) {
-    if (logger3 === false)
+  function getLogger(logger2) {
+    if (logger2 === false)
       return noLogs;
-    if (logger3 === undefined)
+    if (logger2 === undefined)
       return console;
-    if (logger3.log && logger3.warn && logger3.error)
-      return logger3;
+    if (logger2.log && logger2.warn && logger2.error)
+      return logger2;
     throw new Error("logger must implement log, warn and error methods");
   }
   var KEYWORD_NAME = /^[a-z_$][a-z0-9_$:-]*$/i;
@@ -130290,10 +128641,1377 @@ async function shutdownOpenTelemetry() {
   }
 }
 
-// src/index.ts
-init_utils();
-init_logger();
-init_runtime();
+// src/utils/internal/error-handler/errorHandler.ts
+init_errors3();
+var import_api3 = __toESM(require_src(), 1);
+
+// src/utils/internal/logger.ts
+init_config();
+import pino from "pino";
+
+// src/utils/internal/requestContext.ts
+var import_api2 = __toESM(require_src(), 1);
+
+// src/mcp-server/transports/auth/lib/authContext.ts
+import { AsyncLocalStorage } from "async_hooks";
+var authContext = new AsyncLocalStorage;
+
+// src/utils/internal/requestContext.ts
+var requestContextServiceInstance = {
+  config: {},
+  configure(config3) {
+    this.config = {
+      ...this.config,
+      ...config3
+    };
+    const logContext = this.createRequestContext({
+      operation: "RequestContextService.configure",
+      additionalContext: { newConfigState: { ...this.config } }
+    });
+    logger.debug("RequestContextService configuration updated", logContext);
+    return { ...this.config };
+  },
+  getConfig() {
+    return { ...this.config };
+  },
+  createRequestContext(params = {}) {
+    const { parentContext, additionalContext, operation, ...rest } = params;
+    const inheritedContext = parentContext && typeof parentContext === "object" ? { ...parentContext } : {};
+    let inheritedTenantId;
+    if (inheritedContext && typeof inheritedContext === "object" && "tenantId" in inheritedContext && typeof inheritedContext.tenantId === "string") {
+      inheritedTenantId = inheritedContext.tenantId;
+    }
+    const authStore = authContext.getStore();
+    const tenantIdFromAuth = authStore?.authInfo?.tenantId;
+    const inheritedRequestId = inheritedContext.requestId;
+    const requestId = typeof inheritedRequestId === "string" && inheritedRequestId ? inheritedRequestId : generateRequestContextId();
+    const timestamp = new Date().toISOString();
+    const restTenantId = typeof rest.tenantId === "string" ? rest.tenantId : undefined;
+    const additionalTenantId = additionalContext && typeof additionalContext === "object" && typeof additionalContext.tenantId === "string" ? additionalContext.tenantId : undefined;
+    const resolvedTenantId = additionalTenantId ?? restTenantId ?? inheritedTenantId ?? tenantIdFromAuth;
+    const context = {
+      ...inheritedContext,
+      ...rest,
+      requestId,
+      timestamp,
+      ...resolvedTenantId ? { tenantId: resolvedTenantId } : {},
+      ...additionalContext && typeof additionalContext === "object" ? additionalContext : {},
+      ...operation && typeof operation === "string" ? { operation } : {}
+    };
+    const activeSpan = import_api2.trace.getActiveSpan();
+    if (activeSpan && typeof activeSpan.spanContext === "function") {
+      const spanContext = activeSpan.spanContext();
+      if (spanContext) {
+        context.traceId = spanContext.traceId;
+        context.spanId = spanContext.spanId;
+      }
+    }
+    return context;
+  }
+};
+var requestContextService = requestContextServiceInstance;
+
+// src/utils/security/sanitization.ts
+init_errors3();
+var import_validator = __toESM(require_validator(), 1);
+var isServerless = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
+var pathModule;
+if (!isServerless) {
+  import("path").then((mod2) => {
+    pathModule = mod2.default;
+  }).catch(() => {});
+}
+
+class Sanitization {
+  static instance;
+  sensitiveFields = [
+    "password",
+    "token",
+    "secret",
+    "apiKey",
+    "credential",
+    "jwt",
+    "ssn",
+    "cvv",
+    "authorization",
+    "cookie",
+    "clientsecret",
+    "client_secret",
+    "private_key",
+    "privatekey"
+  ];
+  constructor() {}
+  static getInstance() {
+    if (!Sanitization.instance) {
+      Sanitization.instance = new Sanitization;
+    }
+    return Sanitization.instance;
+  }
+  setSensitiveFields(fields) {
+    this.sensitiveFields = [
+      ...new Set([
+        ...this.sensitiveFields,
+        ...fields.map((f3) => f3.toLowerCase())
+      ])
+    ];
+    const logContext = requestContextService.createRequestContext({
+      operation: "Sanitization.setSensitiveFields",
+      additionalContext: {
+        newSensitiveFieldCount: this.sensitiveFields.length
+      }
+    });
+    logger.debug("Updated sensitive fields list for log sanitization", logContext);
+  }
+  getSensitiveFields() {
+    return [...this.sensitiveFields];
+  }
+  getSensitivePinoFields() {
+    return this.sensitiveFields.map((field) => field.replace(/[-_]/g, ""));
+  }
+  sanitizeUrl(input, allowedProtocols = ["http", "https"]) {
+    try {
+      const trimmedInput = input.trim();
+      if (!import_validator.default.isURL(trimmedInput, {
+        protocols: allowedProtocols,
+        require_protocol: true,
+        require_host: true
+      })) {
+        throw new Error("Invalid URL format or protocol not in allowed list.");
+      }
+      const lowercasedInput = trimmedInput.toLowerCase();
+      if (lowercasedInput.startsWith("javascript:") || lowercasedInput.startsWith("data:") || lowercasedInput.startsWith("vbscript:")) {
+        throw new Error("Disallowed pseudo-protocol (javascript:, data:, or vbscript:) in URL.");
+      }
+      return trimmedInput;
+    } catch (error48) {
+      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe URL provided.", { input });
+    }
+  }
+  sanitizePath(input, options = {}) {
+    if (isServerless || !pathModule) {
+      throw new McpError(-32603 /* InternalError */, "File-based path sanitization is not supported in this environment.");
+    }
+    const path2 = pathModule;
+    const originalInput = input;
+    const resolvedRootDir = options.rootDir ? path2.resolve(options.rootDir) : undefined;
+    const effectiveOptions = {
+      toPosix: options.toPosix ?? false,
+      allowAbsolute: options.allowAbsolute ?? false,
+      ...resolvedRootDir && { rootDir: resolvedRootDir }
+    };
+    let wasAbsoluteInitially = false;
+    try {
+      if (!input || typeof input !== "string")
+        throw new Error("Invalid path input: must be a non-empty string.");
+      if (input.includes("\x00"))
+        throw new Error("Path contains null byte, which is disallowed.");
+      let normalized = path2.normalize(input);
+      wasAbsoluteInitially = path2.isAbsolute(normalized);
+      if (effectiveOptions.toPosix) {
+        normalized = normalized.replace(/\\/g, "/");
+      }
+      let finalSanitizedPath;
+      if (resolvedRootDir) {
+        let fullPath;
+        if (path2.isAbsolute(normalized)) {
+          fullPath = path2.normalize(normalized);
+        } else {
+          fullPath = path2.resolve(resolvedRootDir, normalized);
+        }
+        const normalizedRoot = path2.normalize(resolvedRootDir);
+        const normalizedFull = path2.normalize(fullPath);
+        if (!normalizedFull.startsWith(normalizedRoot + path2.sep) && normalizedFull !== normalizedRoot) {
+          throw new Error("Path traversal detected: attempts to escape the defined root directory.");
+        }
+        finalSanitizedPath = path2.relative(normalizedRoot, normalizedFull);
+        finalSanitizedPath = finalSanitizedPath === "" ? "." : finalSanitizedPath;
+        if (path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute) {
+          throw new Error("Path resolved to absolute outside root when absolute paths are disallowed.");
+        }
+      } else {
+        if (path2.isAbsolute(normalized)) {
+          if (!effectiveOptions.allowAbsolute) {
+            throw new Error("Absolute paths are disallowed by current options.");
+          } else {
+            finalSanitizedPath = normalized;
+          }
+        } else {
+          const resolvedAgainstCwd = path2.resolve(normalized);
+          const currentWorkingDir = path2.resolve(".");
+          if (!resolvedAgainstCwd.startsWith(currentWorkingDir + path2.sep) && resolvedAgainstCwd !== currentWorkingDir) {
+            throw new Error("Relative path traversal detected (escapes current working directory context).");
+          }
+          finalSanitizedPath = normalized;
+        }
+      }
+      return {
+        sanitizedPath: finalSanitizedPath,
+        originalInput,
+        wasAbsolute: wasAbsoluteInitially,
+        convertedToRelative: wasAbsoluteInitially && !path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute,
+        optionsUsed: effectiveOptions
+      };
+    } catch (error48) {
+      logger.warning("Path sanitization error", requestContextService.createRequestContext({
+        operation: "Sanitization.sanitizePath.error",
+        additionalContext: {
+          originalPathInput: originalInput,
+          pathOptionsUsed: effectiveOptions,
+          errorMessage: error48 instanceof Error ? error48.message : String(error48)
+        }
+      }));
+      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe path provided.", { input: originalInput });
+    }
+  }
+  sanitizeJson(input, maxSize) {
+    try {
+      if (typeof input !== "string")
+        throw new Error("Invalid input: expected a JSON string.");
+      const computeBytes = (s2) => {
+        if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
+          return Buffer.byteLength(s2, "utf8");
+        }
+        if (typeof TextEncoder !== "undefined") {
+          return new TextEncoder().encode(s2).length;
+        }
+        return s2.length;
+      };
+      if (maxSize !== undefined && computeBytes(input) > maxSize) {
+        throw new McpError(-32007 /* ValidationError */, `JSON string exceeds maximum allowed size of ${maxSize} bytes.`, { actualSize: computeBytes(input), maxSize });
+      }
+      return JSON.parse(input);
+    } catch (error48) {
+      if (error48 instanceof McpError)
+        throw error48;
+      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid JSON format.", {
+        inputPreview: input.length > 100 ? `${input.substring(0, 100)}...` : input
+      });
+    }
+  }
+  sanitizeNumber(input, min, max) {
+    let value;
+    if (typeof input === "string") {
+      const trimmedInput = input.trim();
+      if (trimmedInput === "" || !import_validator.default.isNumeric(trimmedInput)) {
+        throw new McpError(-32007 /* ValidationError */, "Invalid number format: input is empty or not numeric.", { input });
+      }
+      value = parseFloat(trimmedInput);
+    } else if (typeof input === "number") {
+      value = input;
+    } else {
+      throw new McpError(-32007 /* ValidationError */, "Invalid input type: expected number or string.", { input: String(input) });
+    }
+    if (isNaN(value) || !isFinite(value)) {
+      throw new McpError(-32007 /* ValidationError */, "Invalid number value (NaN or Infinity).", { input });
+    }
+    let clamped = false;
+    const originalValueForLog = value;
+    if (min !== undefined && value < min) {
+      value = min;
+      clamped = true;
+    }
+    if (max !== undefined && value > max) {
+      value = max;
+      clamped = true;
+    }
+    if (clamped) {
+      logger.debug("Number clamped to range.", requestContextService.createRequestContext({
+        operation: "Sanitization.sanitizeNumber.clamped",
+        additionalContext: {
+          originalInput: String(input),
+          parsedValue: originalValueForLog,
+          minValue: min,
+          maxValue: max,
+          clampedValue: value
+        }
+      }));
+    }
+    return value;
+  }
+  sanitizeForLogging(input) {
+    try {
+      if (!input || typeof input !== "object")
+        return input;
+      const clonedInput = typeof globalThis.structuredClone === "function" ? globalThis.structuredClone(input) : JSON.parse(JSON.stringify(input));
+      this.redactSensitiveFields(clonedInput);
+      return clonedInput;
+    } catch (error48) {
+      logger.error("Error during log sanitization, returning placeholder.", requestContextService.createRequestContext({
+        operation: "Sanitization.sanitizeForLogging.error",
+        additionalContext: {
+          errorMessage: error48 instanceof Error ? error48.message : String(error48)
+        }
+      }));
+      return "[Log Sanitization Failed]";
+    }
+  }
+  redactSensitiveFields(obj) {
+    if (!obj || typeof obj !== "object")
+      return;
+    if (Array.isArray(obj)) {
+      obj.forEach((item) => this.redactSensitiveFields(item));
+      return;
+    }
+    const normalize = (str) => str.toLowerCase().replace(/[^a-z0-9]/g, "");
+    const normalizedSensitiveSet = new Set(this.sensitiveFields.map((f3) => normalize(f3)).filter(Boolean));
+    const wordSensitiveSet = new Set(this.sensitiveFields.map((f3) => f3.toLowerCase()).filter(Boolean));
+    for (const key in obj) {
+      if (Object.prototype.hasOwnProperty.call(obj, key)) {
+        const value = obj[key];
+        const normalizedKey = normalize(key);
+        const keyWords = key.replace(/([A-Z])/g, " $1").toLowerCase().split(/[\s_-]+/).filter(Boolean);
+        const isExactSensitive = normalizedSensitiveSet.has(normalizedKey);
+        const isWordSensitive = keyWords.some((w) => wordSensitiveSet.has(w));
+        const isSensitive = isExactSensitive || isWordSensitive;
+        if (isSensitive) {
+          obj[key] = "[REDACTED]";
+        } else if (value && typeof value === "object") {
+          this.redactSensitiveFields(value);
+        }
+      }
+    }
+  }
+}
+var sanitization = Sanitization.getInstance();
+var sanitizeInputForLogging = (input) => sanitization.sanitizeForLogging(input);
+
+// src/utils/internal/logger.ts
+var mcpToPinoLevel = {
+  emerg: "fatal",
+  alert: "fatal",
+  crit: "error",
+  error: "error",
+  warning: "warn",
+  notice: "info",
+  info: "info",
+  debug: "debug"
+};
+var pinoToMcpLevelSeverity = {
+  fatal: 0,
+  error: 2,
+  warn: 4,
+  info: 6,
+  debug: 7
+};
+var isServerless2 = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
+
+class Logger {
+  static instance = new Logger;
+  pinoLogger;
+  interactionLogger;
+  initialized = false;
+  currentMcpLevel = "info";
+  transportType;
+  rateLimitThreshold = 10;
+  rateLimitWindow = 60000;
+  messageCounts = new Map;
+  suppressedMessages = new Map;
+  cleanupTimer;
+  constructor() {}
+  static getInstance() {
+    return Logger.instance;
+  }
+  async createPinoLogger(level, transportType) {
+    const pinoLevel = mcpToPinoLevel[level] || "info";
+    const pinoOptions = {
+      level: pinoLevel,
+      base: {
+        env: config2.environment,
+        version: config2.mcpServerVersion,
+        pid: !isServerless2 ? process.pid : undefined
+      },
+      redact: {
+        paths: sanitization.getSensitivePinoFields(),
+        censor: "[REDACTED]"
+      }
+    };
+    if (isServerless2) {
+      return pino(pinoOptions);
+    }
+    const { default: fs2 } = await import("fs");
+    const { default: path2 } = await import("path");
+    const transports = [];
+    const isDevelopment = config2.environment === "development";
+    const isTest = config2.environment === "testing";
+    const noColorEnv = process.env.NO_COLOR === "1" || process.env.FORCE_COLOR === "0";
+    const useColoredOutput = isDevelopment && transportType !== "stdio" && !noColorEnv;
+    if (useColoredOutput && !isServerless2) {
+      try {
+        const { createRequire: createRequire2 } = await import("node:module");
+        const require2 = createRequire2(import.meta.url);
+        const prettyTarget = require2.resolve("pino-pretty");
+        transports.push({
+          target: prettyTarget,
+          options: { colorize: true, translateTime: "yyyy-mm-dd HH:MM:ss" }
+        });
+      } catch (err) {
+        if (process.stderr?.isTTY) {
+          console.warn(`[Logger Init] Pretty transport unavailable (${err instanceof Error ? err.message : String(err)}); falling back to stdout JSON.`);
+        }
+        transports.push({ target: "pino/file", options: { destination: 1 } });
+      }
+    } else if (!isTest) {
+      transports.push({ target: "pino/file", options: { destination: 2 } });
+    }
+    if (config2.logsPath) {
+      try {
+        if (!fs2.existsSync(config2.logsPath)) {
+          fs2.mkdirSync(config2.logsPath, { recursive: true });
+        }
+        transports.push({
+          level: pinoLevel,
+          target: "pino/file",
+          options: {
+            destination: path2.join(config2.logsPath, "combined.log"),
+            mkdir: true
+          }
+        });
+        transports.push({
+          level: "error",
+          target: "pino/file",
+          options: {
+            destination: path2.join(config2.logsPath, "error.log"),
+            mkdir: true
+          }
+        });
+      } catch (err) {
+        if (process.stderr?.isTTY) {
+          console.error(`[Logger Init] Failed to configure file logging: ${err instanceof Error ? err.message : String(err)}`);
+        }
+      }
+    }
+    return pino({ ...pinoOptions, transport: { targets: transports } });
+  }
+  async createInteractionLogger() {
+    if (isServerless2 || !config2.logsPath)
+      return;
+    const { default: path2 } = await import("path");
+    return pino({
+      transport: {
+        target: "pino/file",
+        options: {
+          destination: path2.join(config2.logsPath, "interactions.log"),
+          mkdir: true
+        }
+      }
+    });
+  }
+  async initialize(level = "info", transportType) {
+    if (this.initialized) {
+      this.warning("Logger already initialized.", requestContextService.createRequestContext({
+        operation: "loggerReinit"
+      }));
+      return;
+    }
+    this.currentMcpLevel = level;
+    this.transportType = transportType;
+    this.pinoLogger = await this.createPinoLogger(level, transportType);
+    this.interactionLogger = await this.createInteractionLogger();
+    if (!isServerless2 && !this.cleanupTimer) {
+      this.cleanupTimer = setInterval(() => this.flushSuppressedMessages(), this.rateLimitWindow);
+      this.cleanupTimer.unref?.();
+    }
+    this.initialized = true;
+    this.info(`Logger initialized. MCP level: ${level}.`, requestContextService.createRequestContext({ operation: "loggerInit" }));
+  }
+  setLevel(newLevel) {
+    if (!this.pinoLogger || !this.initialized) {
+      if (process.stderr?.isTTY) {
+        console.error("Cannot set level: Logger not initialized.");
+      }
+      return;
+    }
+    this.currentMcpLevel = newLevel;
+    this.pinoLogger.level = mcpToPinoLevel[newLevel] || "info";
+    this.info(`Log level changed to ${newLevel}.`, requestContextService.createRequestContext({
+      operation: "loggerSetLevel"
+    }));
+  }
+  async close() {
+    if (!this.initialized)
+      return Promise.resolve();
+    this.info("Logger shutting down.", requestContextService.createRequestContext({ operation: "loggerClose" }));
+    if (this.cleanupTimer)
+      clearInterval(this.cleanupTimer);
+    this.flushSuppressedMessages();
+    await Promise.all([
+      new Promise((resolve) => {
+        if (this.pinoLogger) {
+          this.pinoLogger.flush((err) => {
+            if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
+              console.error("Error flushing main logger:", err);
+            }
+            resolve();
+          });
+        } else {
+          resolve();
+        }
+      }),
+      new Promise((resolve) => {
+        if (this.interactionLogger) {
+          this.interactionLogger.flush((err) => {
+            if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
+              console.error("Error flushing interaction logger:", err);
+            }
+            resolve();
+          });
+        } else {
+          resolve();
+        }
+      })
+    ]);
+    this.initialized = false;
+  }
+  isInitialized() {
+    return this.initialized;
+  }
+  isRateLimited(message) {
+    const now = Date.now();
+    const entry = this.messageCounts.get(message);
+    if (!entry) {
+      this.messageCounts.set(message, { count: 1, firstSeen: now });
+      return false;
+    }
+    if (now - entry.firstSeen > this.rateLimitWindow) {
+      this.messageCounts.set(message, { count: 1, firstSeen: now });
+      return false;
+    }
+    entry.count++;
+    if (entry.count > this.rateLimitThreshold) {
+      this.suppressedMessages.set(message, (this.suppressedMessages.get(message) || 0) + 1);
+      return true;
+    }
+    return false;
+  }
+  flushSuppressedMessages() {
+    if (this.suppressedMessages.size === 0)
+      return;
+    for (const [message, count] of this.suppressedMessages.entries()) {
+      this.warning(`Log message suppressed ${count} times due to rate limiting.`, requestContextService.createRequestContext({
+        operation: "loggerRateLimitFlush",
+        additionalContext: { originalMessage: message }
+      }));
+    }
+    this.suppressedMessages.clear();
+    this.messageCounts.clear();
+  }
+  log(level, msg, context, error48) {
+    if (!this.pinoLogger || !this.initialized)
+      return;
+    const pinoLevel = mcpToPinoLevel[level] || "info";
+    const currentPinoLevel = mcpToPinoLevel[this.currentMcpLevel] || "info";
+    const levelSeverity = pinoToMcpLevelSeverity[pinoLevel];
+    const currentLevelSeverity = pinoToMcpLevelSeverity[currentPinoLevel];
+    if (typeof levelSeverity === "number" && typeof currentLevelSeverity === "number" && levelSeverity > currentLevelSeverity) {
+      return;
+    }
+    if (this.isRateLimited(msg))
+      return;
+    const logObject = { ...context };
+    if (error48)
+      logObject.err = pino.stdSerializers.err(error48);
+    this.pinoLogger[pinoLevel](logObject, msg);
+  }
+  debug(msg, context) {
+    this.log("debug", msg, context);
+  }
+  info(msg, context) {
+    this.log("info", msg, context);
+  }
+  notice(msg, context) {
+    this.log("notice", msg, context);
+  }
+  warning(msg, context) {
+    this.log("warning", msg, context);
+  }
+  error(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("error", msg, actualContext, errorObj);
+  }
+  crit(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("crit", msg, actualContext, errorObj);
+  }
+  alert(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("alert", msg, actualContext, errorObj);
+  }
+  emerg(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("emerg", msg, actualContext, errorObj);
+  }
+  fatal(msg, errorOrContext, context) {
+    this.emerg(msg, errorOrContext, context);
+  }
+  logInteraction(interactionName, data) {
+    if (!this.interactionLogger) {
+      if (!isServerless2)
+        this.warning("Interaction logger not available.", data.context || {});
+      return;
+    }
+    this.interactionLogger.info({ interactionName, ...data });
+  }
+}
+var logger = Logger.getInstance();
+
+// src/utils/internal/error-handler/mappings.ts
+var ERROR_TYPE_MAPPINGS = {
+  SyntaxError: -32007 /* ValidationError */,
+  TypeError: -32007 /* ValidationError */,
+  ReferenceError: -32603 /* InternalError */,
+  RangeError: -32007 /* ValidationError */,
+  URIError: -32007 /* ValidationError */,
+  EvalError: -32603 /* InternalError */,
+  AggregateError: -32603 /* InternalError */
+};
+var COMMON_ERROR_PATTERNS = [
+  {
+    pattern: /auth|unauthorized|unauthenticated|not.*logged.*in|invalid.*token|expired.*token/i,
+    errorCode: -32006 /* Unauthorized */
+  },
+  {
+    pattern: /permission|forbidden|access.*denied|not.*allowed/i,
+    errorCode: -32005 /* Forbidden */
+  },
+  {
+    pattern: /not found|missing|no such|doesn't exist|couldn't find/i,
+    errorCode: -32001 /* NotFound */
+  },
+  {
+    pattern: /invalid|validation|malformed|bad request|wrong format|missing required/i,
+    errorCode: -32007 /* ValidationError */
+  },
+  {
+    pattern: /conflict|already exists|duplicate|unique constraint/i,
+    errorCode: -32002 /* Conflict */
+  },
+  {
+    pattern: /rate limit|too many requests|throttled/i,
+    errorCode: -32003 /* RateLimited */
+  },
+  {
+    pattern: /timeout|timed out|deadline exceeded/i,
+    errorCode: -32004 /* Timeout */
+  },
+  {
+    pattern: /abort(ed)?|cancell?ed/i,
+    errorCode: -32004 /* Timeout */
+  },
+  {
+    pattern: /service unavailable|bad gateway|gateway timeout|upstream error/i,
+    errorCode: -32000 /* ServiceUnavailable */
+  },
+  {
+    pattern: /zod|zoderror|schema validation/i,
+    errorCode: -32007 /* ValidationError */
+  }
+];
+
+// src/utils/internal/error-handler/helpers.ts
+function createSafeRegex(pattern) {
+  if (pattern instanceof RegExp) {
+    let flags = pattern.flags.replace("g", "");
+    if (!flags.includes("i")) {
+      flags += "i";
+    }
+    return new RegExp(pattern.source, flags);
+  }
+  return new RegExp(pattern, "i");
+}
+function getErrorName(error48) {
+  if (error48 instanceof Error) {
+    return error48.name || "Error";
+  }
+  if (error48 === null) {
+    return "NullValueEncountered";
+  }
+  if (error48 === undefined) {
+    return "UndefinedValueEncountered";
+  }
+  if (typeof error48 === "object" && error48 !== null && error48.constructor && typeof error48.constructor.name === "string" && error48.constructor.name !== "Object") {
+    return `${error48.constructor.name}Encountered`;
+  }
+  return `${typeof error48}Encountered`;
+}
+function getErrorMessage(error48) {
+  try {
+    if (error48 instanceof Error) {
+      if ("errors" in error48 && Array.isArray(error48.errors)) {
+        const inner = error48.errors.map((e2) => e2 instanceof Error ? e2.message : String(e2)).filter(Boolean).slice(0, 3).join("; ");
+        return inner ? `${error48.message}: ${inner}` : error48.message;
+      }
+      return error48.message;
+    }
+    if (error48 === null) {
+      return "Null value encountered as error";
+    }
+    if (error48 === undefined) {
+      return "Undefined value encountered as error";
+    }
+    if (typeof error48 === "string") {
+      return error48;
+    }
+    if (typeof error48 === "number" || typeof error48 === "boolean") {
+      return String(error48);
+    }
+    if (typeof error48 === "bigint") {
+      return error48.toString();
+    }
+    if (typeof error48 === "function") {
+      return `[function ${error48.name || "anonymous"}]`;
+    }
+    if (typeof error48 === "object") {
+      try {
+        const json2 = JSON.stringify(error48);
+        if (json2 && json2 !== "{}")
+          return json2;
+      } catch {}
+      const ctor = error48.constructor?.name;
+      return `Non-Error object encountered (constructor: ${ctor || "Object"})`;
+    }
+    if (typeof error48 === "symbol") {
+      return error48.toString();
+    }
+    return "[unrepresentable error]";
+  } catch (conversionError) {
+    return `Error converting error to string: ${conversionError instanceof Error ? conversionError.message : "Unknown conversion error"}`;
+  }
+}
+
+// src/utils/internal/error-handler/errorHandler.ts
+class ErrorHandler {
+  static determineErrorCode(error48) {
+    if (error48 instanceof McpError) {
+      return error48.code;
+    }
+    const errorName = getErrorName(error48);
+    const errorMessage = getErrorMessage(error48);
+    const mappedFromType = ERROR_TYPE_MAPPINGS[errorName];
+    if (mappedFromType) {
+      return mappedFromType;
+    }
+    for (const mapping of COMMON_ERROR_PATTERNS) {
+      const regex = createSafeRegex(mapping.pattern);
+      if (regex.test(errorMessage) || regex.test(errorName)) {
+        return mapping.errorCode;
+      }
+    }
+    if (typeof error48 === "object" && error48 !== null && "name" in error48 && error48.name === "AbortError") {
+      return -32004 /* Timeout */;
+    }
+    return -32603 /* InternalError */;
+  }
+  static handleError(error48, options) {
+    const activeSpan = import_api3.trace.getActiveSpan();
+    if (activeSpan) {
+      if (error48 instanceof Error) {
+        activeSpan.recordException(error48);
+      }
+      activeSpan.setStatus({
+        code: import_api3.SpanStatusCode.ERROR,
+        message: error48 instanceof Error ? error48.message : String(error48)
+      });
+    }
+    const {
+      context = {},
+      operation,
+      input,
+      rethrow = false,
+      errorCode: explicitErrorCode,
+      includeStack = true,
+      critical = false,
+      errorMapper
+    } = options;
+    const sanitizedInput = input !== undefined ? sanitizeInputForLogging(input) : undefined;
+    const originalErrorName = getErrorName(error48);
+    const originalErrorMessage = getErrorMessage(error48);
+    const originalStack = error48 instanceof Error ? error48.stack : undefined;
+    let finalError;
+    let loggedErrorCode;
+    const errorDataSeed = error48 instanceof McpError && typeof error48.data === "object" && error48.data !== null ? { ...error48.data } : {};
+    const consolidatedData = {
+      ...errorDataSeed,
+      ...context,
+      originalErrorName,
+      originalMessage: originalErrorMessage
+    };
+    if (originalStack && !(error48 instanceof McpError && error48.data?.originalStack)) {
+      consolidatedData.originalStack = originalStack;
+    }
+    const cause = error48 instanceof Error ? error48 : undefined;
+    const rootCause = (() => {
+      let current = cause;
+      let depth = 0;
+      while (current && current instanceof Error && current.cause && depth < 5) {
+        current = current.cause;
+        depth += 1;
+      }
+      return current instanceof Error ? { name: current.name, message: current.message } : undefined;
+    })();
+    if (rootCause) {
+      consolidatedData["rootCause"] = rootCause;
+    }
+    if (error48 instanceof McpError) {
+      loggedErrorCode = error48.code;
+      finalError = errorMapper ? errorMapper(error48) : new McpError(error48.code, error48.message, consolidatedData, {
+        cause
+      });
+    } else {
+      loggedErrorCode = explicitErrorCode || ErrorHandler.determineErrorCode(error48);
+      const message = `Error in ${operation}: ${originalErrorMessage}`;
+      finalError = errorMapper ? errorMapper(error48) : new McpError(loggedErrorCode, message, consolidatedData, {
+        cause
+      });
+    }
+    if (finalError !== error48 && error48 instanceof Error && finalError instanceof Error && !finalError.stack && error48.stack) {
+      finalError.stack = error48.stack;
+    }
+    const logRequestId = typeof context.requestId === "string" && context.requestId ? context.requestId : generateUUID();
+    const logTimestamp = typeof context.timestamp === "string" && context.timestamp ? context.timestamp : new Date().toISOString();
+    const stack = finalError instanceof Error ? finalError.stack : originalStack;
+    const logContext = {
+      requestId: logRequestId,
+      timestamp: logTimestamp,
+      operation,
+      input: sanitizedInput,
+      critical,
+      errorCode: loggedErrorCode,
+      originalErrorType: originalErrorName,
+      finalErrorType: getErrorName(finalError),
+      ...Object.fromEntries(Object.entries(context).filter(([key]) => key !== "requestId" && key !== "timestamp")),
+      errorData: finalError instanceof McpError && finalError.data ? finalError.data : consolidatedData,
+      ...includeStack && stack ? { stack } : {}
+    };
+    logger.error(`Error in ${operation}: ${finalError.message || originalErrorMessage}`, logContext);
+    if (rethrow) {
+      throw finalError;
+    }
+    return finalError;
+  }
+  static mapError(error48, mappings, defaultFactory) {
+    const errorMessage = getErrorMessage(error48);
+    const errorName = getErrorName(error48);
+    for (const mapping of mappings) {
+      const regex = createSafeRegex(mapping.pattern);
+      if (regex.test(errorMessage) || regex.test(errorName)) {
+        return mapping.factory(error48, mapping.additionalContext);
+      }
+    }
+    if (defaultFactory) {
+      return defaultFactory(error48);
+    }
+    return error48 instanceof Error ? error48 : new Error(String(error48));
+  }
+  static formatError(error48) {
+    if (error48 instanceof McpError) {
+      return {
+        code: error48.code,
+        message: error48.message,
+        data: typeof error48.data === "object" && error48.data !== null ? error48.data : {}
+      };
+    }
+    if (error48 instanceof Error) {
+      return {
+        code: ErrorHandler.determineErrorCode(error48),
+        message: error48.message,
+        data: { errorType: error48.name || "Error" }
+      };
+    }
+    return {
+      code: -32099 /* UnknownError */,
+      message: getErrorMessage(error48),
+      data: { errorType: getErrorName(error48) }
+    };
+  }
+  static async tryCatch(fn, options) {
+    try {
+      return await Promise.resolve(fn());
+    } catch (caughtError) {
+      throw ErrorHandler.handleError(caughtError, {
+        ...options,
+        rethrow: true
+      });
+    }
+  }
+}
+// src/utils/internal/runtime.ts
+var safeHas = (key) => {
+  try {
+    return typeof globalThis[key] !== "undefined";
+  } catch {
+    return false;
+  }
+};
+var isBun = typeof globalThis.Bun !== "undefined" || typeof process.versions?.bun === "string";
+var isNode = !isBun && typeof process !== "undefined" && typeof process.versions?.node === "string";
+var hasProcess = typeof process !== "undefined";
+var hasBuffer = typeof Buffer !== "undefined";
+var hasTextEncoder = safeHas("TextEncoder");
+var hasPerformanceNow = typeof globalThis.performance?.now === "function";
+var isWorkerLike = !isNode && !isBun && typeof globalThis.WorkerGlobalScope !== "undefined";
+var isBrowserLike = !isNode && !isBun && !isWorkerLike && safeHas("window");
+var runtimeCaps = {
+  isNode,
+  isBun,
+  isWorkerLike,
+  isBrowserLike,
+  hasProcess,
+  hasBuffer,
+  hasTextEncoder,
+  hasPerformanceNow
+};
+function detectRuntime() {
+  if (runtimeCaps.isBun) {
+    return "bun";
+  }
+  if (runtimeCaps.isNode) {
+    return "node";
+  }
+  if (runtimeCaps.isWorkerLike) {
+    return "worker";
+  }
+  if (runtimeCaps.isBrowserLike) {
+    return "browser";
+  }
+  return "unknown";
+}
+function getRuntimeDescription() {
+  const runtime = detectRuntime();
+  switch (runtime) {
+    case "bun":
+      return `Bun ${process.versions?.bun || "unknown"}`;
+    case "node":
+      return `Node.js ${process.versions?.node || "unknown"}`;
+    case "worker":
+      return "Cloudflare Workers / Web Worker";
+    case "browser":
+      return "Browser";
+    default:
+      return "Unknown runtime";
+  }
+}
+
+// src/utils/internal/performance.ts
+init_config();
+init_errors3();
+var import_api4 = __toESM(require_src(), 1);
+
+// src/utils/telemetry/semconv.ts
+var ATTR_CODE_FUNCTION = "code.function";
+var ATTR_CODE_NAMESPACE = "code.namespace";
+var ATTR_MCP_TOOL_INPUT_BYTES = "mcp.tool.input_bytes";
+var ATTR_MCP_TOOL_OUTPUT_BYTES = "mcp.tool.output_bytes";
+var ATTR_MCP_TOOL_DURATION_MS = "mcp.tool.duration_ms";
+var ATTR_MCP_TOOL_SUCCESS = "mcp.tool.success";
+var ATTR_MCP_TOOL_ERROR_CODE = "mcp.tool.error_code";
+var ATTR_MCP_TOOL_MEMORY_RSS_BEFORE = "mcp.tool.memory_rss_bytes.before";
+var ATTR_MCP_TOOL_MEMORY_RSS_AFTER = "mcp.tool.memory_rss_bytes.after";
+var ATTR_MCP_TOOL_MEMORY_RSS_DELTA = "mcp.tool.memory_rss_bytes.delta";
+var ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE = "mcp.tool.memory_heap_used_bytes.before";
+var ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER = "mcp.tool.memory_heap_used_bytes.after";
+var ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA = "mcp.tool.memory_heap_used_bytes.delta";
+
+// src/utils/internal/performance.ts
+var performanceNow = () => Date.now();
+async function loadPerfHooks() {
+  return import("perf_hooks");
+}
+async function initializePerformance_Hrt() {
+  const globalWithPerf = globalThis;
+  if (typeof globalWithPerf.performance?.now === "function") {
+    const perf = globalWithPerf.performance;
+    performanceNow = () => perf?.now() ?? Date.now();
+  } else {
+    try {
+      const { performance: nodePerformance } = await loadPerfHooks();
+      performanceNow = () => nodePerformance.now();
+    } catch (_e) {
+      performanceNow = () => Date.now();
+      logger.warning("Could not import perf_hooks, falling back to Date.now() for performance timing.");
+    }
+  }
+}
+var nowMs = () => performanceNow();
+var toBytes = (payload) => {
+  if (payload == null)
+    return 0;
+  try {
+    const json2 = JSON.stringify(payload);
+    if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
+      const bytes = Buffer.byteLength(json2, "utf8");
+      return bytes;
+    }
+    if (typeof TextEncoder !== "undefined") {
+      return new TextEncoder().encode(json2).length;
+    }
+    return json2.length;
+  } catch {
+    return 0;
+  }
+};
+async function measureToolExecution(toolLogicFn, context, inputPayload) {
+  const tracer = import_api4.trace.getTracer(config2.openTelemetry.serviceName, config2.openTelemetry.serviceVersion);
+  const { toolName } = context;
+  return tracer.startActiveSpan(`tool_execution:${toolName}`, async (span) => {
+    const memBefore = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
+    const t0 = nowMs();
+    span.setAttributes({
+      [ATTR_CODE_FUNCTION]: toolName,
+      [ATTR_CODE_NAMESPACE]: "mcp-tools",
+      [ATTR_MCP_TOOL_INPUT_BYTES]: toBytes(inputPayload),
+      [ATTR_MCP_TOOL_MEMORY_RSS_BEFORE]: memBefore.rss,
+      [ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE]: memBefore.heapUsed
+    });
+    let ok = false;
+    let errorCode;
+    let output;
+    try {
+      const result = await toolLogicFn();
+      ok = true;
+      output = result;
+      span.setStatus({ code: import_api4.SpanStatusCode.OK });
+      span.setAttribute(ATTR_MCP_TOOL_OUTPUT_BYTES, toBytes(output));
+      return result;
+    } catch (err) {
+      if (err instanceof McpError)
+        errorCode = String(err.code);
+      else if (err instanceof Error)
+        errorCode = "UNHANDLED_ERROR";
+      else
+        errorCode = "UNKNOWN_ERROR";
+      if (err instanceof Error)
+        span.recordException(err);
+      span.setStatus({
+        code: import_api4.SpanStatusCode.ERROR,
+        message: err instanceof Error ? err.message : String(err)
+      });
+      throw err;
+    } finally {
+      const t1 = nowMs();
+      const durationMs = Number((t1 - t0).toFixed(2));
+      const memAfter = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
+      const rssDelta = memAfter.rss - memBefore.rss;
+      const heapUsedDelta = memAfter.heapUsed - memBefore.heapUsed;
+      span.setAttributes({
+        [ATTR_MCP_TOOL_DURATION_MS]: durationMs,
+        [ATTR_MCP_TOOL_SUCCESS]: ok,
+        [ATTR_MCP_TOOL_MEMORY_RSS_AFTER]: memAfter.rss,
+        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER]: memAfter.heapUsed,
+        [ATTR_MCP_TOOL_MEMORY_RSS_DELTA]: rssDelta,
+        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA]: heapUsedDelta
+      });
+      if (errorCode)
+        span.setAttribute(ATTR_MCP_TOOL_ERROR_CODE, errorCode);
+      span.end();
+      logger.info("Tool execution finished.", {
+        ...context,
+        metrics: {
+          durationMs,
+          isSuccess: ok,
+          errorCode,
+          inputBytes: toBytes(inputPayload),
+          outputBytes: toBytes(output),
+          memory: {
+            rss: {
+              before: memBefore.rss,
+              after: memAfter.rss,
+              delta: rssDelta
+            },
+            heapUsed: {
+              before: memBefore.heapUsed,
+              after: memAfter.heapUsed,
+              delta: heapUsedDelta
+            }
+          }
+        }
+      });
+    }
+  });
+}
+
+// src/utils/internal/startupBanner.ts
+function logStartupBanner(message, transportType) {
+  if (process.stdout.isTTY) {
+    if (transportType === "stdio") {
+      console.error(message);
+    } else {
+      console.log(message);
+    }
+  }
+}
+
+// src/utils/security/idGenerator.ts
+init_errors3();
+import { randomUUID as cryptoRandomUUID, randomBytes } from "crypto";
+
+class IdGenerator {
+  static DEFAULT_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  static DEFAULT_SEPARATOR = "_";
+  static DEFAULT_LENGTH = 6;
+  entityPrefixes = {};
+  prefixToEntityType = {};
+  constructor(entityPrefixes = {}) {
+    this.setEntityPrefixes(entityPrefixes);
+  }
+  setEntityPrefixes(entityPrefixes) {
+    this.entityPrefixes = { ...entityPrefixes };
+    this.prefixToEntityType = Object.entries(this.entityPrefixes).reduce((acc, [type, prefix]) => {
+      acc[prefix.toLowerCase()] = type;
+      return acc;
+    }, {});
+  }
+  getEntityPrefixes() {
+    return { ...this.entityPrefixes };
+  }
+  generateRandomString(length = IdGenerator.DEFAULT_LENGTH, charset = IdGenerator.DEFAULT_CHARSET) {
+    let result = "";
+    const maxValidByteValue = Math.floor(256 / charset.length) * charset.length;
+    while (result.length < length) {
+      const byteBuffer = randomBytes(1);
+      const byte = byteBuffer[0];
+      if (byte !== undefined && byte < maxValidByteValue) {
+        const charIndex = byte % charset.length;
+        const char = charset[charIndex];
+        if (char) {
+          result += char;
+        }
+      }
+    }
+    return result;
+  }
+  generate(prefix, options = {}) {
+    const {
+      length = IdGenerator.DEFAULT_LENGTH,
+      separator = IdGenerator.DEFAULT_SEPARATOR,
+      charset = IdGenerator.DEFAULT_CHARSET
+    } = options;
+    const randomPart = this.generateRandomString(length, charset);
+    const generatedId = prefix ? `${prefix}${separator}${randomPart}` : randomPart;
+    return generatedId;
+  }
+  generateForEntity(entityType, options = {}) {
+    const prefix = this.entityPrefixes[entityType];
+    if (!prefix) {
+      throw new McpError(-32007 /* ValidationError */, `Unknown entity type: ${entityType}. No prefix registered.`);
+    }
+    return this.generate(prefix, options);
+  }
+  isValid(id, entityType, options = {}) {
+    const prefix = this.entityPrefixes[entityType];
+    const {
+      length = IdGenerator.DEFAULT_LENGTH,
+      separator = IdGenerator.DEFAULT_SEPARATOR,
+      charset = IdGenerator.DEFAULT_CHARSET
+    } = options;
+    if (!prefix) {
+      return false;
+    }
+    const escapedCharsetForClass = charset.replace(/[[\]\\^-]/g, "\\$&");
+    const charsetRegexPart = `[${escapedCharsetForClass}]`;
+    const pattern = new RegExp(`^${this.escapeRegex(prefix)}${this.escapeRegex(separator)}${charsetRegexPart}{${length}}$`);
+    return pattern.test(id);
+  }
+  escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  stripPrefix(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
+    const parts = id.split(separator);
+    return parts.length > 1 ? parts.slice(1).join(separator) : id;
+  }
+  getEntityType(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
+    const parts = id.split(separator);
+    if (parts.length < 2 || !parts[0]) {
+      throw new McpError(-32007 /* ValidationError */, `Invalid ID format: ${id}. Expected format like: PREFIX${separator}RANDOMLPART`);
+    }
+    const prefix = parts[0];
+    const entityType = this.prefixToEntityType[prefix.toLowerCase()];
+    if (!entityType) {
+      throw new McpError(-32007 /* ValidationError */, `Unknown entity type for prefix: ${prefix}`);
+    }
+    return entityType;
+  }
+  normalize(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
+    const entityType = this.getEntityType(id, separator);
+    const registeredPrefix = this.entityPrefixes[entityType];
+    const idParts = id.split(separator);
+    const randomPart = idParts.slice(1).join(separator);
+    return `${registeredPrefix}${separator}${randomPart.toUpperCase()}`;
+  }
+}
+var idGenerator = new IdGenerator;
+var generateUUID = () => {
+  return cryptoRandomUUID();
+};
+var generateRequestContextId = () => {
+  const generateSecureRandomString = (length, charset2) => {
+    let result = "";
+    const maxValidByteValue = Math.floor(256 / charset2.length) * charset2.length;
+    while (result.length < length) {
+      const byteBuffer = randomBytes(1);
+      const byte = byteBuffer[0];
+      if (byte !== undefined && byte < maxValidByteValue) {
+        const charIndex = byte % charset2.length;
+        const char = charset2[charIndex];
+        if (char) {
+          result += char;
+        }
+      }
+    }
+    return result;
+  };
+  const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  const part1 = generateSecureRandomString(5, charset);
+  const part2 = generateSecureRandomString(5, charset);
+  return `${part1}-${part2}`;
+};
+
+// src/utils/security/rateLimiter.ts
+init_tokens();
+init_errors3();
+var import_api5 = __toESM(require_src(), 1);
+var import_tsyringe = __toESM(require_cjs2(), 1);
+class RateLimiter {
+  config;
+  logger;
+  limits;
+  cleanupTimer = null;
+  effectiveConfig;
+  constructor(config3, logger2) {
+    this.config = config3;
+    this.logger = logger2;
+    const defaultConfig = {
+      windowMs: 15 * 60 * 1000,
+      maxRequests: 100,
+      errorMessage: "Rate limit exceeded. Please try again in {waitTime} seconds.",
+      skipInDevelopment: false,
+      cleanupInterval: 5 * 60 * 1000
+    };
+    this.effectiveConfig = { ...defaultConfig };
+    this.limits = new Map;
+    this.startCleanupTimer();
+  }
+  startCleanupTimer() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+    }
+    const interval = this.effectiveConfig.cleanupInterval;
+    if (interval && interval > 0) {
+      this.cleanupTimer = setInterval(() => {
+        this.cleanupExpiredEntries();
+      }, interval);
+      if (this.cleanupTimer.unref) {
+        this.cleanupTimer.unref();
+      }
+    }
+  }
+  cleanupExpiredEntries() {
+    const now = Date.now();
+    let expiredCount = 0;
+    for (const [key, entry] of this.limits.entries()) {
+      if (now >= entry.resetTime) {
+        this.limits.delete(key);
+        expiredCount++;
+      }
+    }
+    if (expiredCount > 0) {
+      const logContext = requestContextService.createRequestContext({
+        operation: "RateLimiter.cleanupExpiredEntries",
+        additionalContext: {
+          cleanedCount: expiredCount,
+          totalRemainingAfterClean: this.limits.size
+        }
+      });
+      this.logger.debug(`Cleaned up ${expiredCount} expired rate limit entries`, logContext);
+    }
+  }
+  configure(config3) {
+    Object.assign(this.effectiveConfig, config3);
+    if (config3.cleanupInterval !== undefined) {
+      this.startCleanupTimer();
+    }
+  }
+  getConfig() {
+    return { ...this.effectiveConfig };
+  }
+  reset() {
+    this.limits.clear();
+    const logContext = requestContextService.createRequestContext({
+      operation: "RateLimiter.reset"
+    });
+    this.logger.debug("Rate limiter reset, all limits cleared", logContext);
+  }
+  check(key, context) {
+    const activeSpan = import_api5.trace.getActiveSpan();
+    activeSpan?.setAttribute("mcp.rate_limit.checked", true);
+    if (this.effectiveConfig.skipInDevelopment && this.config.environment === "development") {
+      activeSpan?.setAttribute("mcp.rate_limit.skipped", "development");
+      return;
+    }
+    const limitKey = this.effectiveConfig.keyGenerator ? this.effectiveConfig.keyGenerator(key, context) : key;
+    activeSpan?.setAttribute("mcp.rate_limit.key", limitKey);
+    const now = Date.now();
+    let entry = this.limits.get(limitKey);
+    if (!entry || now >= entry.resetTime) {
+      entry = {
+        count: 1,
+        resetTime: now + this.effectiveConfig.windowMs
+      };
+      this.limits.set(limitKey, entry);
+    } else {
+      entry.count++;
+    }
+    const remaining = Math.max(0, this.effectiveConfig.maxRequests - entry.count);
+    activeSpan?.setAttributes({
+      "mcp.rate_limit.limit": this.effectiveConfig.maxRequests,
+      "mcp.rate_limit.count": entry.count,
+      "mcp.rate_limit.remaining": remaining
+    });
+    if (entry.count > this.effectiveConfig.maxRequests) {
+      const waitTime = Math.ceil((entry.resetTime - now) / 1000);
+      const errorMessage = (this.effectiveConfig.errorMessage || "Rate limit exceeded. Please try again in {waitTime} seconds.").replace("{waitTime}", waitTime.toString());
+      activeSpan?.addEvent("rate_limit_exceeded", {
+        "mcp.rate_limit.wait_time_seconds": waitTime
+      });
+      throw new McpError(-32003 /* RateLimited */, errorMessage, {
+        waitTimeSeconds: waitTime,
+        key: limitKey,
+        limit: this.effectiveConfig.maxRequests,
+        windowMs: this.effectiveConfig.windowMs
+      });
+    }
+  }
+  getStatus(key) {
+    const entry = this.limits.get(key);
+    if (!entry)
+      return null;
+    return {
+      current: entry.count,
+      limit: this.effectiveConfig.maxRequests,
+      remaining: Math.max(0, this.effectiveConfig.maxRequests - entry.count),
+      resetTime: entry.resetTime
+    };
+  }
+  dispose() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+    this.limits.clear();
+  }
+}
+RateLimiter = __legacyDecorateClassTS([
+  import_tsyringe.injectable(),
+  __legacyDecorateParamTS(0, import_tsyringe.inject(AppConfig)),
+  __legacyDecorateParamTS(1, import_tsyringe.inject(Logger2)),
+  __legacyMetadataTS("design:paramtypes", [
+    Object,
+    Object
+  ])
+], RateLimiter);
 
 // src/container/index.ts
 var import_reflect_metadata = __toESM(require_Reflect(), 1);
@@ -132754,13 +132472,8 @@ if (shouldShowDeprecationWarning())
 init_config();
 init_tokens();
 
-// src/services/git/core/GitProviderFactory.ts
-init_utils();
-
 // src/services/git/core/BaseGitProvider.ts
 init_errors3();
-init_utils();
-
 class BaseGitProvider {
   checkCapability(capability) {
     if (!this.capabilities[capability]) {
@@ -132794,12 +132507,12 @@ class BaseGitProvider {
       workingDirectory
     });
   }
-  createOperationContext(requestContext2, workingDirectory, tenantId) {
+  createOperationContext(requestContext, workingDirectory, tenantId) {
     const context = {
-      requestContext: requestContext2,
+      requestContext,
       workingDirectory
     };
-    const finalTenantId = tenantId || requestContext2.tenantId;
+    const finalTenantId = tenantId || requestContext.tenantId;
     if (finalTenantId) {
       context.tenantId = finalTenantId;
     }
@@ -133185,8 +132898,8 @@ Stdout: ${stdout}`;
   });
 }
 async function spawnGitCommand(args, cwd, env, timeout = 60000, signal, allowNonZeroExit = false) {
-  const runtime2 = detectRuntime2();
-  if (runtime2 === "bun") {
+  const runtime = detectRuntime2();
+  if (runtime === "bun") {
     return spawnWithBun(args, cwd, env, timeout, signal, allowNonZeroExit);
   } else {
     return spawnWithNode(args, cwd, env, timeout, signal, allowNonZeroExit);
@@ -133258,6 +132971,15 @@ function parseGitStatus(output) {
       const parts2 = line.split(" ");
       if (parts2[1] === "branch.head" && parts2[2]) {
         result.currentBranch = parts2[2] === "(detached)" ? null : parts2[2];
+      } else if (parts2[1] === "branch.upstream" && parts2[2]) {
+        result.upstream = parts2[2];
+      } else if (parts2[1] === "branch.ab" && parts2[2] && parts2[3]) {
+        const ahead = parseInt(parts2[2].replace(/^\+/, ""), 10);
+        const behind = parseInt(parts2[3].replace(/^-/, ""), 10);
+        if (Number.isFinite(ahead))
+          result.ahead = ahead;
+        if (Number.isFinite(behind))
+          result.behind = behind;
       }
       continue;
     }
@@ -133677,8 +133399,10 @@ async function executeCommit(options, context, execGit) {
     if (options.noVerify) {
       args.push("--no-verify");
     }
-    const shouldSign = options.sign ?? shouldSignCommits();
-    if (shouldSign) {
+    const signRequested = shouldSignCommits();
+    let signed = false;
+    let signingWarning;
+    if (signRequested) {
       args.push("--gpg-sign");
     }
     if (options.author) {
@@ -133688,17 +133412,20 @@ async function executeCommit(options, context, execGit) {
     const cmd = buildGitCommand({ command: "commit", args });
     try {
       await execGit(cmd, context.workingDirectory, context.requestContext);
+      signed = signRequested;
     } catch (error48) {
-      if (shouldSign && options.forceUnsignedOnFailure) {
-        const unsignedArgs = args.filter((a) => a !== "--gpg-sign");
-        const unsignedCmd = buildGitCommand({
-          command: "commit",
-          args: unsignedArgs
-        });
-        await execGit(unsignedCmd, context.workingDirectory, context.requestContext);
-      } else {
+      if (!signRequested) {
         throw error48;
       }
+      const errorMessage = error48 instanceof Error ? error48.message : String(error48);
+      logger.warning("Commit signing failed; retrying unsigned. Set GIT_SIGN_COMMITS=false to suppress this attempt.", { ...context.requestContext, error: error48 });
+      signingWarning = `GIT_SIGN_COMMITS is enabled but signing failed; commit created unsigned. Check signing key availability (gpg-agent running, SSH key accessible). Underlying error: ${errorMessage}`;
+      const unsignedArgs = args.filter((a) => a !== "--gpg-sign");
+      const unsignedCmd = buildGitCommand({
+        command: "commit",
+        args: unsignedArgs
+      });
+      await execGit(unsignedCmd, context.workingDirectory, context.requestContext);
     }
     const hashCmd = buildGitCommand({
       command: "rev-parse",
@@ -133727,8 +133454,12 @@ async function executeCommit(options, context, execGit) {
       message: options.message,
       author: authorName,
       timestamp,
-      filesChanged
+      filesChanged,
+      signed
     };
+    if (signingWarning) {
+      result.signingWarning = signingWarning;
+    }
     return result;
   } catch (error48) {
     throw mapGitError(error48, "commit");
@@ -133739,7 +133470,9 @@ var COMMIT_START_MARKER = "<<<COMMIT_START>>>";
 var COMMIT_END_MARKER = "<<<COMMIT_END>>>";
 async function executeLog(options, context, execGit) {
   try {
-    const formatStr = `${COMMIT_START_MARKER}%H${GIT_FIELD_DELIMITER}%h${GIT_FIELD_DELIMITER}%an${GIT_FIELD_DELIMITER}%ae${GIT_FIELD_DELIMITER}%at${GIT_FIELD_DELIMITER}%s${GIT_FIELD_DELIMITER}%b${GIT_FIELD_DELIMITER}%P${COMMIT_END_MARKER}`;
+    const fullFormat = `${COMMIT_START_MARKER}%H${GIT_FIELD_DELIMITER}%h${GIT_FIELD_DELIMITER}%an${GIT_FIELD_DELIMITER}%ae${GIT_FIELD_DELIMITER}%at${GIT_FIELD_DELIMITER}%s${GIT_FIELD_DELIMITER}%b${GIT_FIELD_DELIMITER}%P${COMMIT_END_MARKER}`;
+    const onelineFormat = `${COMMIT_START_MARKER}%H${GIT_FIELD_DELIMITER}%h${GIT_FIELD_DELIMITER}%s${COMMIT_END_MARKER}`;
+    const formatStr = options.oneline ? onelineFormat : fullFormat;
     const args = [`--format=${formatStr}`];
     if (options.maxCount) {
       args.push(`-n${options.maxCount}`);
@@ -133782,7 +133515,11 @@ async function executeLog(options, context, execGit) {
       const formatPart = section.substring(0, endIdx);
       const extraPart = section.substring(endIdx + COMMIT_END_MARKER.length).trim();
       const fields = formatPart.split(GIT_FIELD_DELIMITER);
-      const commit = {
+      const commit = options.oneline ? {
+        hash: fields[0] || "",
+        shortHash: fields[1] || "",
+        subject: fields[2] || ""
+      } : {
         hash: fields[0] || "",
         shortHash: fields[1] || "",
         author: fields[2] || "",
@@ -133791,7 +133528,7 @@ async function executeLog(options, context, execGit) {
         subject: fields[5] || "",
         parents: (fields[7] || "").split(" ").filter((p) => p)
       };
-      if (fields[6]) {
+      if (!options.oneline && fields[6]) {
         commit.body = fields[6];
       }
       if (extraPart) {
@@ -133839,11 +133576,13 @@ async function executeShow(options, context, execGit) {
       command: "cat-file",
       args: ["-t", options.object]
     });
-    const typeResult = await execGit(typeCmd, context.workingDirectory, context.requestContext);
+    const cmd = buildGitCommand({ command: "show", args });
+    const [typeResult, result] = await Promise.all([
+      execGit(typeCmd, context.workingDirectory, context.requestContext),
+      execGit(cmd, context.workingDirectory, context.requestContext)
+    ]);
     const detectedType = typeResult.stdout.trim();
     const objectType = ["commit", "tree", "blob", "tag"].includes(detectedType) ? detectedType : "commit";
-    const cmd = buildGitCommand({ command: "show", args });
-    const result = await execGit(cmd, context.workingDirectory, context.requestContext);
     const showResult = {
       object: options.object,
       type: objectType,
@@ -134039,6 +133778,21 @@ async function executeBranch(options, context, execGit) {
   try {
     const args = [];
     switch (options.mode) {
+      case "show-current": {
+        const cmd = buildGitCommand({
+          command: "symbolic-ref",
+          args: ["--quiet", "--short", "HEAD"]
+        });
+        try {
+          const res = await execGit(cmd, context.workingDirectory, context.requestContext);
+          return {
+            mode: "show-current",
+            current: res.stdout.trim() || null
+          };
+        } catch {
+          return { mode: "show-current", current: null };
+        }
+      }
       case "list": {
         const format = [
           "%(refname)",
@@ -134057,6 +133811,9 @@ async function executeBranch(options, context, execGit) {
           const noMergedRef = typeof options.noMerged === "string" ? options.noMerged : "HEAD";
           args.push(`--no-merged=${noMergedRef}`);
         }
+        if (typeof options.limit === "number" && options.limit > 0) {
+          args.push(`--count=${options.limit}`);
+        }
         const cmd = buildGitCommand({ command: "for-each-ref", args });
         const result = await execGit(cmd, context.workingDirectory, context.requestContext);
         const branches = parseBranchRef(result.stdout);
@@ -134185,8 +133942,7 @@ async function executeMerge(options, context, execGit) {
       if (options.message) {
         args.push("-m", options.message);
       }
-      const shouldSign = options.sign ?? shouldSignCommits();
-      if (shouldSign) {
+      if (shouldSignCommits()) {
         args.push("-S");
       }
       args.push(options.branch);
@@ -134283,8 +134039,7 @@ ${continueResult.stderr}`),
       if (options.preserve) {
         args.push("--preserve-merges");
       }
-      const shouldSign = options.sign ?? shouldSignCommits();
-      if (shouldSign) {
+      if (shouldSignCommits()) {
         args.push("--gpg-sign");
       }
       if (options.onto) {
@@ -134366,8 +134121,7 @@ async function executeCherryPick(options, context, execGit) {
       if (options.signoff) {
         args.push("--signoff");
       }
-      const shouldSign = options.sign ?? shouldSignCommits();
-      if (shouldSign) {
+      if (shouldSignCommits()) {
         args.push("--gpg-sign");
       }
       args.push(...options.commits);
@@ -134643,6 +134397,9 @@ async function executePull(options, context, execGit) {
     if (options.fastForwardOnly) {
       args.push("--ff-only");
     }
+    if (shouldSignCommits()) {
+      args.push("-S");
+    }
     const cmd = buildGitCommand({ command: "pull", args });
     const result = await execGit(cmd, context.workingDirectory, context.requestContext, { allowNonZeroExit: true });
     const hasConflicts = result.stdout.includes("CONFLICT") || result.stderr.includes("CONFLICT");
@@ -134707,17 +134464,26 @@ async function executeTag(options, context, execGit) {
           "%(if)%(*objectname:short)%(then)%(*objectname:short)%(else)%(objectname:short)%(end)",
           "%(if)%(contents:subject)%(then)%(contents:subject)%(end)",
           "%(if)%(taggername)%(then)%(taggername) %(taggeremail)%(end)",
-          "%(if)%(creatordate:unix)%(then)%(creatordate:unix)%(end)"
-        ].join(GIT_FIELD_DELIMITER);
+          "%(if)%(creatordate:unix)%(then)%(creatordate:unix)%(end)",
+          "%(if)%(contents:body)%(then)%(contents:body)%(end)"
+        ].join(GIT_FIELD_DELIMITER) + GIT_RECORD_DELIMITER;
+        const forEachRefArgs = [
+          `--format=${format}`,
+          "--sort=-version:refname",
+          "--sort=-creatordate"
+        ];
+        if (typeof options.limit === "number" && options.limit > 0) {
+          forEachRefArgs.push(`--count=${options.limit}`);
+        }
+        forEachRefArgs.push("refs/tags");
         const refCmd = buildGitCommand({
           command: "for-each-ref",
-          args: [`--format=${format}`, "--sort=-creatordate", "refs/tags"]
+          args: forEachRefArgs
         });
         const result = await execGit(refCmd, context.workingDirectory, context.requestContext);
         const tags = [];
-        for (const line of result.stdout.split(`
-`).filter((l) => l.trim())) {
-          const [name, commit, message, tagger, timestamp] = line.split(GIT_FIELD_DELIMITER);
+        for (const record2 of result.stdout.split(GIT_RECORD_DELIMITER).map((r2) => r2.replace(/^\n/, "")).filter((r2) => r2.length > 0)) {
+          const [name, commit, message, tagger, timestamp, annotationBody] = record2.split(GIT_FIELD_DELIMITER);
           if (!name)
             continue;
           const tag = {
@@ -134730,6 +134496,8 @@ async function executeTag(options, context, execGit) {
             tag.tagger = tagger;
           if (timestamp)
             tag.timestamp = parseInt(timestamp, 10);
+          if (annotationBody)
+            tag.annotationBody = annotationBody.trimEnd();
           tags.push(tag);
         }
         return { mode: "list", tags };
@@ -134738,7 +134506,9 @@ async function executeTag(options, context, execGit) {
         if (!options.tagName) {
           throw new Error("Tag name is required for create operation");
         }
-        const shouldSign = options.sign ?? shouldSignCommits();
+        const signRequested = shouldSignCommits();
+        let signed = false;
+        let signingWarning;
         const buildCreateArgs = (sign) => {
           const createArgs = [options.tagName];
           if (sign) {
@@ -134757,31 +134527,36 @@ async function executeTag(options, context, execGit) {
           }
           return createArgs;
         };
-        const configOverride = shouldSign ? [] : ["-c", "tag.gpgSign=false"];
-        const createCmd = [
-          ...configOverride,
-          ...buildGitCommand({
-            command: "tag",
-            args: buildCreateArgs(shouldSign)
-          })
-        ];
+        const buildCmd = (sign) => {
+          const configOverride = sign ? [] : ["-c", "tag.gpgSign=false"];
+          return [
+            ...configOverride,
+            ...buildGitCommand({
+              command: "tag",
+              args: buildCreateArgs(sign)
+            })
+          ];
+        };
         try {
-          await execGit(createCmd, context.workingDirectory, context.requestContext);
+          await execGit(buildCmd(signRequested), context.workingDirectory, context.requestContext);
+          signed = signRequested;
         } catch (error48) {
-          if (shouldSign && options.forceUnsignedOnFailure) {
-            const unsignedCmd = buildGitCommand({
-              command: "tag",
-              args: buildCreateArgs(false)
-            });
-            await execGit(unsignedCmd, context.workingDirectory, context.requestContext);
-          } else {
+          if (!signRequested) {
             throw error48;
           }
+          const errorMessage = error48 instanceof Error ? error48.message : String(error48);
+          logger.warning("Tag signing failed; retrying unsigned. Set GIT_SIGN_COMMITS=false to suppress this attempt.", { ...context.requestContext, error: error48 });
+          signingWarning = `GIT_SIGN_COMMITS is enabled but signing failed; tag created unsigned. Check signing key availability (gpg-agent running, SSH key accessible). Underlying error: ${errorMessage}`;
+          await execGit(buildCmd(false), context.workingDirectory, context.requestContext);
         }
         const createResult = {
           mode: "create",
-          created: options.tagName
+          created: options.tagName,
+          signed
         };
+        if (signingWarning) {
+          createResult.signingWarning = signingWarning;
+        }
         return createResult;
       }
       case "delete": {
@@ -134811,6 +134586,9 @@ async function executeStash(options, context, execGit) {
     switch (options.mode) {
       case "list": {
         args.push("--format=%gd\t%ct\t%gs");
+        if (typeof options.limit === "number" && options.limit > 0) {
+          args.push(`-n${options.limit}`);
+        }
         const cmd = buildGitCommand({ command: "stash", args });
         const result = await execGit(cmd, context.workingDirectory, context.requestContext);
         const stashes = result.stdout.split(`
@@ -135527,7 +135305,6 @@ var import_tsyringe4 = __toESM(require_cjs2(), 1);
 
 // src/storage/providers/fileSystem/fileSystemProvider.ts
 init_errors3();
-init_utils();
 import { existsSync as existsSync2, mkdirSync } from "fs";
 import { readFile, readdir, rm, writeFile } from "fs/promises";
 import path2 from "path";
@@ -135762,7 +135539,6 @@ class FileSystemProvider {
 }
 
 // src/storage/providers/inMemory/inMemoryProvider.ts
-init_utils();
 var DEFAULT_LIST_LIMIT2 = 1000;
 
 class InMemoryProvider {
@@ -135875,7 +135651,6 @@ class InMemoryProvider {
 // src/storage/providers/supabase/supabaseProvider.ts
 var import_tsyringe3 = __toESM(require_cjs2(), 1);
 init_tokens();
-init_utils();
 var TABLE_NAME = "kv_store";
 var DEFAULT_LIST_LIMIT3 = 1000;
 
@@ -136045,7 +135820,6 @@ SupabaseProvider = __legacyDecorateClassTS([
 
 // src/storage/providers/cloudflare/r2Provider.ts
 init_errors3();
-init_utils();
 var R2_ENVELOPE_VERSION = 1;
 var DEFAULT_LIST_LIMIT4 = 1000;
 
@@ -136241,7 +136015,6 @@ class R2Provider {
 
 // src/storage/providers/cloudflare/kvProvider.ts
 init_errors3();
-init_utils();
 var DEFAULT_LIST_LIMIT5 = 1000;
 
 class KvProvider {
@@ -136408,7 +136181,6 @@ class KvProvider {
 }
 
 // src/storage/core/storageFactory.ts
-init_utils();
 var isServerless3 = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
 function createStorageProvider(config3, deps = {}) {
   const context = requestContextService.createRequestContext({
@@ -136457,8 +136229,6 @@ function createStorageProvider(config3, deps = {}) {
 
 // src/container/registrations/core.ts
 init_errors3();
-init_utils();
-init_rateLimiter();
 var registerCoreServices = () => {
   const config3 = parseConfig();
   import_tsyringe5.container.register(AppConfig, { useValue: config3 });
@@ -136500,12 +136270,9 @@ var import_tsyringe6 = __toESM(require_cjs2(), 1);
 
 // src/mcp-server/resources/definitions/git-working-directory.resource.ts
 init_zod();
-init_utils();
 
 // src/mcp-server/transports/auth/lib/authUtils.ts
 init_errors3();
-init_utils();
-init_authContext();
 function withRequiredScopes(requiredScopes) {
   const operationName = "withRequiredScopesCheck";
   const initialContext = requestContextService.createRequestContext({
@@ -145125,7 +144892,6 @@ var EMPTY_COMPLETION_RESULT = {
 
 // src/mcp-server/resources/utils/resourceHandlerFactory.ts
 init_errors3();
-init_utils();
 function defaultResponseFormatter(result, meta3) {
   return [
     {
@@ -145211,7 +144977,6 @@ async function registerResource(server, def) {
 }
 
 // src/mcp-server/resources/resource-registration.ts
-init_utils();
 class ResourceRegistry {
   resourceDefs;
   constructor(resourceDefs) {
@@ -145251,12 +145016,10 @@ var import_tsyringe7 = __toESM(require_cjs2(), 1);
 // src/mcp-server/prompts/definitions/git-wrapup.prompt.ts
 init_zod();
 var PROMPT_NAME = "git_wrapup";
-var PROMPT_DESCRIPTION = "Generates a structured workflow prompt for wrapping up git sessions, including reviewing changes, updating documentation, and committing modifications.";
+var PROMPT_DESCRIPTION = "Orchestrates a full git wrap-up: loads the project-aware acceptance-criteria protocol from git_wrapup_instructions, analyzes changes, satisfies each criterion per project convention, commits atomically, and (optionally) tags the release.";
 var ArgumentsSchema = exports_external.object({
-  changelogPath: exports_external.string().optional().describe("Path to the changelog file to update (defaults to CHANGELOG.md)."),
-  skipDocumentation: exports_external.string().optional().describe("Whether to skip documentation review ('true' | 'false'). Defaults to 'false'."),
-  createTag: exports_external.string().optional().describe("Whether to create a git tag after committing ('true' | 'false'). Defaults to 'false'."),
-  updateAgentFiles: exports_external.string().optional().describe("Whether to update agent meta files like CLAUDE.md, AGENTS.md ('true' | 'false'). Defaults to 'false'.")
+  changelogPath: exports_external.string().optional().describe("Path to the changelog file when the project uses a flat one (defaults to CHANGELOG.md). The protocol itself defers to project convention."),
+  createTag: exports_external.string().optional().describe("Whether to include the tag criterion in the protocol ('true' | 'false'). Defaults to 'true' — set to 'false' when tagging is deferred to a separate release step.")
 });
 var gitWrapupPrompt = {
   name: PROMPT_NAME,
@@ -145264,57 +145027,34 @@ var gitWrapupPrompt = {
   argumentsSchema: ArgumentsSchema,
   generate: (args) => {
     const changelogPath = args.changelogPath || "CHANGELOG.md";
-    const skipDocumentation = args.skipDocumentation === "true";
-    const createTag = args.createTag === "true";
-    const updateAgentFiles = args.updateAgentFiles === "true";
-    const documentationSection = skipDocumentation ? "" : `
-4. **Review Documentation**: Read the README.md file and verify it accurately reflects the current codebase state. Update as necessary to maintain currency and accuracy.
-`;
-    const agentFilesSection = updateAgentFiles ? `
-5. **Update Agent Files**: If present, review and update agent-specific meta files (CLAUDE.md, AGENTS.md, .clinerules/) to reflect any architectural or protocol changes.
-` : "";
-    const tagSection = createTag ? `
-After all commits are complete and verified via git_status, create an annotated git tag using the git_tag tool. Use semantic versioning (e.g., v1.2.3) and include a summary of key changes in the annotation message.
-` : "";
+    const includeTag = args.createTag !== "false";
     return [
       {
         role: "user",
         content: {
           type: "text",
-          text: `You are an expert git workflow manager. Execute a systematic wrap-up protocol for the current git session.
+          text: `You are an expert git workflow manager. Run a complete wrap-up for the current git session.
 
-## Workflow Protocol
+## Session Flow
 
-Follow these steps in order. Do not proceed until the prior step is confirmed complete.
+1. **Load Protocol**: Call \`git_wrapup_instructions\` with \`acknowledgement: "yes"\`${includeTag ? "" : " and `createTag: false`"}. It returns an acceptance-criteria checklist — every box must be satisfied before the wrap-up is complete — plus the current repository status.
 
-1. **Initialize Context**: First, call the \`git_wrapup_instructions\` tool with \`acknowledgement: "yes"\`${updateAgentFiles ? ' and `updateAgentMetaFiles: "yes"`' : ""}${createTag ? " and `createTag: true`" : ""}. This will provide the detailed workflow instructions and current repository status.
+2. **Set Working Directory**: If not already set, call \`git_set_working_dir\` to establish the session context. Required before any git operations.
 
-2. **Set Working Directory**: If not already set, use \`git_set_working_dir\` to establish the session context. This is mandatory before any git operations.
+3. **Analyze Changes**: Run \`git_diff\` with \`includeUntracked: true\`. Understand the "why" behind every modification end-to-end before grouping anything — the diff drives your commit plan and messages.
 
-3. **Analyze Changes**: Execute \`git_diff\` with \`includeUntracked: true\` to comprehensively understand all modifications. Analyze the diff output thoroughly to inform your commit strategy and messages.
+4. **Satisfy the Acceptance Criteria**: Work each checkbox from step 1. The protocol is strict on outcomes, generic on mechanism — follow this project's own conventions for where versions live, how the changelog is formatted (default path when flat: \`${changelogPath}\`), and what the verification suite looks like. If the root agent-instruction file (\`AGENTS.md\`, \`CLAUDE.md\`, or equivalent) documents a project-specific wrap-up procedure, that takes precedence over the generic checklist.
 
-4. **Update Changelog**: Read the existing \`${changelogPath}\` file. Append a new version entry at the top that:
-   - Uses past tense and concise language
-   - Categorizes changes (Added, Changed, Fixed, Deprecated, Removed, Security)
-   - Follows the existing changelog format
-   - Provides enough detail for users to understand the impact
-${documentationSection}${agentFilesSection}
-5. **Commit Changes**: Use \`git_commit\` to create atomic, logical commits. For each commit:
-   - Group related changes together using the \`filesToStage\` parameter
-   - Write commit messages following Conventional Commits format (e.g., \`feat(auth): add password reset\`, \`fix(parser): handle edge case\`)
-   - Ensure commits are self-contained and buildable
-   - Do not mix unrelated changes in a single commit
+5. **Commit Atomically**: Use \`git_commit\` to create logical, self-contained commits in Conventional Commits form. Group related changes with the \`filesToStage\` parameter. No mixing unrelated changes in one commit.
 
-6. **Verify Completion**: After all commits, run \`git_status\` to confirm the working directory is clean and all changes are committed.
-${tagSection}
-## Important Guidelines
+6. **Verify Clean**: Run \`git_status\` to confirm the working tree is clean and every change is committed.${includeTag ? "\n\n7. **Tag the Release**: Create an annotated git tag with `git_tag` using semantic versioning (e.g., `v1.2.3`). The annotation message should summarize the real changes — no filler." : ""}
 
-- **Do NOT push** to the remote repository unless explicitly instructed
-- Create a task list before starting to track your progress
-- Be thorough in your diff analysis - understand the "why" behind changes
-- If you encounter merge conflicts or errors, stop and ask for guidance
-- All commit messages must be clear, descriptive, and follow conventions
-- Preserve existing code style and documentation formatting
+## Constraints
+
+- **Do not push** to the remote unless explicitly instructed.
+- Create a task list before starting so progress is trackable.
+- Do not bypass verification failures to land a green commit.
+- On merge conflicts or unexpected errors: stop and surface the blocker.
 
 Begin by calling \`git_wrapup_instructions\` and creating your task list.`
         }
@@ -145327,11 +145067,10 @@ Begin by calling \`git_wrapup_instructions\` and creating your task list.`
 var allPromptDefinitions = [gitWrapupPrompt];
 
 // src/mcp-server/prompts/prompt-registration.ts
-init_utils();
 class PromptRegistry {
   logger;
-  constructor(logger3) {
-    this.logger = logger3;
+  constructor(logger2) {
+    this.logger = logger2;
   }
   registerAll(server) {
     const context = requestContextService.createRequestContext({
@@ -145364,7 +145103,6 @@ PromptRegistry = __legacyDecorateClassTS([
 
 // src/mcp-server/tools/tool-registration.ts
 var import_tsyringe9 = __toESM(require_cjs2(), 1);
-init_utils();
 
 // src/mcp-server/tools/definitions/git-changelog-analyze.tool.ts
 init_zod();
@@ -145403,7 +145141,6 @@ var AllSchema = exports_external.boolean().default(false).describe("Include all
 var MergeStrategySchema = exports_external.enum(["ort", "recursive", "octopus", "ours", "subtree"]).optional().describe("Merge strategy to use (ort, recursive, octopus, ours, subtree).");
 var PruneSchema = exports_external.boolean().default(false).describe("Prune remote-tracking references that no longer exist on remote.");
 var DepthSchema = exports_external.number().int().min(1).optional().describe("Create a shallow clone with history truncated to N commits.");
-var SignSchema = exports_external.boolean().optional().describe("Sign the commit/tag with GPG/SSH. Omit to use the server's GIT_SIGN_COMMITS default (recommended). Set true to force signing, or false to skip signing even when the default enables it.");
 var NoVerifySchema = exports_external.boolean().default(false).describe("Bypass pre-commit and commit-msg hooks.");
 
 // src/mcp-server/tools/utils/json-response-formatter.ts
@@ -145527,12 +145264,10 @@ var defaultJsonFormatter = createJsonFormatter();
 
 // src/mcp-server/tools/utils/toolHandlerFactory.ts
 init_tokens();
-init_utils();
 var import_tsyringe8 = __toESM(require_cjs2(), 1);
 
 // src/mcp-server/tools/utils/git-validators.ts
 init_errors3();
-init_utils();
 import path3 from "node:path";
 async function resolveWorkingDirectory(pathInput, appContext, storage) {
   let workingDir;
@@ -145805,6 +145540,7 @@ var InputSchema = exports_external.object({
   path: PathSchema,
   reviewTypes: exports_external.array(ReviewTypeSchema).min(1).describe("Types of changelog review to perform. At least one required. Options: security, features, storyline, gaps, breaking_changes, quality."),
   maxCommits: exports_external.number().int().min(1).max(1000).default(200).describe("Maximum recent commits to fetch for cross-referencing (1-1000)."),
+  maxTags: exports_external.number().int().min(1).max(1000).default(100).describe("Maximum recent tags to fetch for release context (1-1000). Applied at the git command so large tag catalogs do not bloat the response."),
   sinceTag: exports_external.string().optional().describe('Only include git history since this tag (e.g., "v1.2.0"). Narrows the analysis window.'),
   branch: CommitRefSchema.optional().describe("Branch to analyze (defaults to current branch).")
 });
@@ -145857,7 +145593,7 @@ async function gitChangelogAnalyzeLogic(input, { provider, targetPath, appContex
   }
   const [logResult, tagResult, statusResult] = await Promise.all([
     provider.log(logOptions, operationContext),
-    provider.tag({ mode: "list" }, operationContext),
+    provider.tag({ mode: "list", limit: input.maxTags }, operationContext),
     provider.status({ includeUntracked: false }, operationContext)
   ]);
   const reviewInstructions = buildReviewInstructions(input.reviewTypes);
@@ -145870,8 +145606,8 @@ async function gitChangelogAnalyzeLogic(input, { provider, targetPath, appContex
       commits: logResult.commits.map((c) => ({
         hash: c.shortHash,
         subject: c.subject,
-        author: c.author,
-        timestamp: c.timestamp,
+        author: c.author ?? "",
+        timestamp: c.timestamp ?? 0,
         ...c.refs && c.refs.length > 0 && { refs: c.refs }
       })),
       tags: (tagResult.tags ?? []).map((t2) => ({
@@ -146300,162 +146036,246 @@ var gitReflogTool = {
 
 // src/mcp-server/tools/definitions/git-set-working-dir.tool.ts
 init_zod();
+init_errors3();
+
+// src/mcp-server/tools/utils/repo-snapshot.ts
+init_zod();
+var RepoSnapshotStatusSchema = exports_external.object({
+  branch: exports_external.string().nullable().describe("Current branch (null on detached HEAD)."),
+  isClean: exports_external.boolean().describe("True when the working tree has no changes."),
+  staged: exports_external.array(exports_external.string()).describe("Paths staged for the next commit."),
+  unstaged: exports_external.array(exports_external.string()).describe("Paths with unstaged modifications."),
+  untracked: exports_external.array(exports_external.string()).describe("Untracked paths."),
+  conflicts: exports_external.array(exports_external.string()).describe("Paths with merge conflicts."),
+  upstream: exports_external.string().optional().describe("Upstream ref being tracked by the current branch."),
+  ahead: exports_external.number().int().optional().describe("Commits ahead of upstream (if tracking)."),
+  behind: exports_external.number().int().optional().describe("Commits behind upstream (if tracking).")
+});
+var RepoSnapshotCommitSchema = exports_external.object({
+  hash: exports_external.string().describe("Short commit hash."),
+  author: exports_external.string().describe("Author name."),
+  date: exports_external.string().describe("Author date (ISO 8601)."),
+  subject: exports_external.string().describe("First line of the commit message.")
+});
+var RepoSnapshotTagSchema = exports_external.object({
+  name: exports_external.string().describe("Tag name."),
+  date: exports_external.string().optional().describe("Creator date (ISO 8601); absent for lightweight tags with no metadata."),
+  tagger: exports_external.string().optional().describe("Tagger identity (annotated tags only)."),
+  annotationSubject: exports_external.string().optional().describe("First line of the tag annotation (annotated tags only)."),
+  annotationBody: exports_external.string().optional().describe("Remaining annotation body after the subject (annotated tags only).")
+});
+var RepoSnapshotRemoteSchema = exports_external.object({
+  name: exports_external.string().describe("Remote name."),
+  fetchUrl: exports_external.string().describe("Fetch URL."),
+  pushUrl: exports_external.string().describe("Push URL (may differ from fetch URL).")
+});
+var NOT_A_REPO_HINT = "Repository snapshot unavailable — the path may not be a git repository. Initialize it via git_init or point at an existing repo.";
+function reasonMessage(reason) {
+  if (reason instanceof Error)
+    return reason.message;
+  if (typeof reason === "string")
+    return reason;
+  if (reason === null || reason === undefined)
+    return "unknown error";
+  try {
+    return JSON.stringify(reason);
+  } catch {
+    return "unknown error";
+  }
+}
+function isNotARepoError(reason) {
+  if (!reason)
+    return false;
+  return /not a git repository/i.test(reasonMessage(reason));
+}
+function isEmptyRepoError(reason) {
+  if (!reason)
+    return false;
+  return /does not have any commits yet/i.test(reasonMessage(reason));
+}
+function toIsoDate(unixSeconds) {
+  if (typeof unixSeconds !== "number" || !Number.isFinite(unixSeconds)) {
+    return;
+  }
+  return new Date(unixSeconds * 1000).toISOString();
+}
+async function gatherRepoSnapshot(deps, options = {}) {
+  const { provider, appContext, workingDirectory } = deps;
+  const commitLimit = options.commitLimit ?? 2;
+  const tagLimit = options.tagLimit ?? 2;
+  const tenantId = appContext.tenantId || "default-tenant";
+  const context = {
+    workingDirectory,
+    requestContext: appContext,
+    tenantId
+  };
+  const fetchStatus = provider.status({ includeUntracked: true }, context);
+  const fetchLog = provider.log({ maxCount: commitLimit }, context);
+  const fetchTags = provider.tag({ mode: "list", limit: tagLimit }, context);
+  const fetchRemotes = options.includeRemotes ? provider.remote({ mode: "list" }, context) : Promise.resolve(undefined);
+  const [statusRes, logRes, tagsRes, remotesRes] = await Promise.allSettled([
+    fetchStatus,
+    fetchLog,
+    fetchTags,
+    fetchRemotes
+  ]);
+  const settled = [statusRes, logRes, tagsRes, remotesRes];
+  const rejections = settled.filter((s2) => s2.status === "rejected");
+  if (rejections.length > 0 && rejections.every((r2) => isNotARepoError(r2.reason))) {
+    logger.debug("Repository snapshot skipped: path is not a git repository", {
+      ...appContext,
+      workingDirectory
+    });
+    return { warnings: [NOT_A_REPO_HINT] };
+  }
+  const warnings = [];
+  const status = statusRes.status === "fulfilled" ? {
+    branch: statusRes.value.currentBranch,
+    isClean: statusRes.value.isClean,
+    staged: [
+      ...statusRes.value.stagedChanges.added ?? [],
+      ...statusRes.value.stagedChanges.modified ?? [],
+      ...statusRes.value.stagedChanges.deleted ?? [],
+      ...statusRes.value.stagedChanges.renamed ?? [],
+      ...statusRes.value.stagedChanges.copied ?? []
+    ],
+    unstaged: [
+      ...statusRes.value.unstagedChanges.added ?? [],
+      ...statusRes.value.unstagedChanges.modified ?? [],
+      ...statusRes.value.unstagedChanges.deleted ?? []
+    ],
+    untracked: statusRes.value.untrackedFiles,
+    conflicts: statusRes.value.conflictedFiles,
+    ...statusRes.value.upstream ? { upstream: statusRes.value.upstream } : {},
+    ...typeof statusRes.value.ahead === "number" ? { ahead: statusRes.value.ahead } : {},
+    ...typeof statusRes.value.behind === "number" ? { behind: statusRes.value.behind } : {}
+  } : {
+    branch: null,
+    isClean: false,
+    staged: [],
+    unstaged: [],
+    untracked: [],
+    conflicts: []
+  };
+  if (statusRes.status === "rejected") {
+    warnings.push(`status unavailable: ${reasonMessage(statusRes.reason)}`);
+  }
+  const recentCommits = logRes.status === "fulfilled" ? logRes.value.commits.map((commit) => ({
+    hash: commit.shortHash,
+    author: commit.author ?? "",
+    date: typeof commit.timestamp === "number" ? new Date(commit.timestamp * 1000).toISOString() : "",
+    subject: commit.subject
+  })) : [];
+  if (logRes.status === "rejected" && !isEmptyRepoError(logRes.reason)) {
+    warnings.push(`recent commits unavailable: ${reasonMessage(logRes.reason)}`);
+  }
+  const recentTags = tagsRes.status === "fulfilled" && tagsRes.value.mode === "list" ? (tagsRes.value.tags ?? []).map((tag) => {
+    const entry = { name: tag.name };
+    const date6 = toIsoDate(tag.timestamp);
+    if (date6)
+      entry.date = date6;
+    if (tag.tagger)
+      entry.tagger = tag.tagger;
+    if (tag.message)
+      entry.annotationSubject = tag.message;
+    if (tag.annotationBody)
+      entry.annotationBody = tag.annotationBody;
+    return entry;
+  }) : [];
+  if (tagsRes.status === "rejected") {
+    warnings.push(`recent tags unavailable: ${reasonMessage(tagsRes.reason)}`);
+  }
+  let remotes;
+  if (options.includeRemotes) {
+    if (remotesRes.status === "fulfilled" && remotesRes.value && remotesRes.value.mode === "list") {
+      remotes = (remotesRes.value.remotes ?? []).map((r2) => ({
+        name: r2.name,
+        fetchUrl: r2.fetchUrl,
+        pushUrl: r2.pushUrl
+      }));
+    } else if (remotesRes.status === "rejected") {
+      warnings.push(`remotes unavailable: ${reasonMessage(remotesRes.reason)}`);
+      remotes = [];
+    } else {
+      remotes = [];
+    }
+  }
+  const snapshot = {
+    status,
+    recentCommits,
+    recentTags,
+    ...remotes !== undefined ? { remotes } : {}
+  };
+  return { snapshot, warnings };
+}
+
+// src/mcp-server/tools/definitions/git-set-working-dir.tool.ts
 var TOOL_NAME8 = "git_set_working_dir";
 var TOOL_TITLE8 = "Git Set Working Directory";
-var TOOL_DESCRIPTION8 = "Set the session working directory for all git operations. This allows subsequent git commands to omit the path parameter and use this directory as the default.";
+var TOOL_DESCRIPTION8 = "Set the session working directory for all git operations so subsequent calls can omit the path parameter. Always returns a repository snapshot (status, recent commits, recent tags, remotes) to orient the caller.";
 var InputSchema8 = exports_external.object({
   path: exports_external.string().min(1).describe("Absolute path to the git repository to use as the working directory."),
   validateGitRepo: exports_external.boolean().default(true).describe("Validate that the path is a Git repository."),
-  initializeIfNotPresent: exports_external.boolean().default(false).describe("If not a Git repository, initialize it with 'git init'."),
-  includeMetadata: exports_external.boolean().default(false).describe("Include repository metadata (status, branches, remotes, recent commits) in the response. Set to true for immediate repository context understanding. Defaults to false to minimize response size.")
+  initializeIfNotPresent: exports_external.boolean().default(false).describe("If not a Git repository, initialize it with 'git init'.")
 });
 var OutputSchema9 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   path: exports_external.string().describe("The working directory that was set."),
   message: exports_external.string().describe("Confirmation message."),
-  repositoryContext: exports_external.object({
-    status: exports_external.object({
-      branch: exports_external.string().nullable().describe("Current branch name (null if detached HEAD)."),
-      isClean: exports_external.boolean().describe("True if working directory is clean."),
-      stagedCount: exports_external.number().int().describe("Number of staged files ready for commit."),
-      unstagedCount: exports_external.number().int().describe("Number of files with unstaged changes."),
-      untrackedCount: exports_external.number().int().describe("Number of untracked files."),
-      conflictsCount: exports_external.number().int().describe("Number of files with merge conflicts.")
-    }).describe("Current repository working tree status."),
-    branches: exports_external.object({
-      current: exports_external.string().nullable().describe("Current branch name (null if detached HEAD)."),
-      totalLocal: exports_external.number().int().describe("Total number of local branches."),
-      totalRemote: exports_external.number().int().describe("Total number of remote-tracking branches."),
-      upstream: exports_external.string().optional().describe("Upstream branch name if current branch is tracking one."),
-      ahead: exports_external.number().int().optional().describe("Commits ahead of upstream (if tracking)."),
-      behind: exports_external.number().int().optional().describe("Commits behind upstream (if tracking).")
-    }).describe("Branch information and tracking status."),
-    remotes: exports_external.array(exports_external.object({
-      name: exports_external.string().describe("Remote name."),
-      fetchUrl: exports_external.string().describe("Fetch URL."),
-      pushUrl: exports_external.string().describe("Push URL (may differ from fetch).")
-    })).describe("Configured remote repositories."),
-    recentCommits: exports_external.array(exports_external.object({
-      hash: exports_external.string().describe("Commit hash (short form)."),
-      author: exports_external.string().describe("Commit author name."),
-      date: exports_external.string().describe("Commit date (ISO 8601 format)."),
-      message: exports_external.string().describe("Commit message (first line).")
-    })).describe("Recent commits (up to 5 most recent).")
-  }).optional().describe("Rich repository metadata including status, branches, remotes, and recent history. Only included when includeMetadata parameter is true.")
-});
-async function gatherRepositoryContext(targetPath, dependencies) {
+  repository: exports_external.object({
+    status: RepoSnapshotStatusSchema,
+    recentCommits: exports_external.array(RepoSnapshotCommitSchema).describe("Up to 2 most recent commits on the current branch."),
+    recentTags: exports_external.array(RepoSnapshotTagSchema).describe("Up to 2 most recent tags by creator date."),
+    remotes: exports_external.array(RepoSnapshotRemoteSchema).describe("Configured remote repositories.")
+  }).optional().describe("Best-effort repository snapshot. Omitted when the path is not a git repository (see enrichmentWarnings)."),
+  enrichmentWarnings: exports_external.array(exports_external.string()).optional().describe("Actionable notes when snapshot gathering was skipped or partially failed.")
+});
+async function ensureRepositoryReady(input, dependencies, tenantId) {
+  if (!input.validateGitRepo)
+    return;
   const { provider, appContext } = dependencies;
-  const tenantId = appContext.tenantId || "default-tenant";
-  const context = {
-    workingDirectory: targetPath,
+  const opContext = {
+    workingDirectory: input.path,
     requestContext: appContext,
     tenantId
   };
   try {
-    const [
-      statusResult,
-      localBranchesResult,
-      remoteBranchesResult,
-      remotesResult,
-      logResult
-    ] = await Promise.allSettled([
-      provider.status({ includeUntracked: true }, context),
-      provider.branch({ mode: "list" }, context),
-      provider.branch({ mode: "list", remote: true }, context),
-      provider.remote({ mode: "list" }, context),
-      provider.log({ maxCount: 5 }, context)
-    ]);
-    const status = statusResult.status === "fulfilled" ? {
-      branch: statusResult.value.currentBranch,
-      isClean: statusResult.value.isClean,
-      stagedCount: (statusResult.value.stagedChanges.added?.length || 0) + (statusResult.value.stagedChanges.modified?.length || 0) + (statusResult.value.stagedChanges.deleted?.length || 0) + (statusResult.value.stagedChanges.renamed?.length || 0) + (statusResult.value.stagedChanges.copied?.length || 0),
-      unstagedCount: (statusResult.value.unstagedChanges.added?.length || 0) + (statusResult.value.unstagedChanges.modified?.length || 0) + (statusResult.value.unstagedChanges.deleted?.length || 0),
-      untrackedCount: statusResult.value.untrackedFiles.length,
-      conflictsCount: statusResult.value.conflictedFiles.length
-    } : {
-      branch: null,
-      isClean: false,
-      stagedCount: 0,
-      unstagedCount: 0,
-      untrackedCount: 0,
-      conflictsCount: 0
-    };
-    const localBranches = localBranchesResult.status === "fulfilled" && localBranchesResult.value.mode === "list" ? localBranchesResult.value.branches : [];
-    const remoteBranchCount = remoteBranchesResult.status === "fulfilled" && remoteBranchesResult.value.mode === "list" ? remoteBranchesResult.value.branches.length : 0;
-    const currentBranch = localBranches.find((b) => b.current);
-    const branches = {
-      current: currentBranch?.name || null,
-      totalLocal: localBranches.length,
-      totalRemote: remoteBranchCount,
-      upstream: currentBranch?.upstream,
-      ahead: currentBranch?.ahead,
-      behind: currentBranch?.behind
-    };
-    const remotes = remotesResult.status === "fulfilled" && remotesResult.value.mode === "list" ? remotesResult.value.remotes || [] : [];
-    const recentCommits = logResult.status === "fulfilled" ? logResult.value.commits.map((commit) => ({
-      hash: commit.shortHash,
-      author: commit.author,
-      date: new Date(commit.timestamp * 1000).toISOString(),
-      message: commit.subject
-    })) : [];
-    return {
-      status,
-      branches,
-      remotes,
-      recentCommits
-    };
-  } catch (error48) {
-    const { logger: logger3 } = await Promise.resolve().then(() => (init_utils(), exports_utils));
-    logger3.debug("Failed to gather repository context", {
-      ...appContext,
-      error: error48 instanceof Error ? error48.message : String(error48),
-      targetPath
-    });
+    await provider.validateRepository(input.path, opContext);
     return;
+  } catch (error48) {
+    if (input.initializeIfNotPresent) {
+      await provider.init({ path: input.path, initialBranch: "main", bare: false }, opContext);
+      return;
+    }
+    const original = error48 instanceof Error ? error48.message : String(error48);
+    throw new McpError(-32007 /* ValidationError */, `Path is not a git repository: ${input.path}. Pass initializeIfNotPresent: true to run 'git init' here, or point at an existing repository. Underlying error: ${original}`, { path: input.path });
   }
 }
 async function gitSetWorkingDirLogic(input, dependencies) {
   const { provider, storage, appContext } = dependencies;
   const tenantId = appContext.tenantId || "default-tenant";
-  if (input.validateGitRepo) {
-    try {
-      await provider.validateRepository(input.path, {
-        workingDirectory: input.path,
-        requestContext: appContext,
-        tenantId
-      });
-    } catch (error48) {
-      if (input.initializeIfNotPresent) {
-        await provider.init({
-          path: input.path,
-          initialBranch: "main",
-          bare: false
-        }, {
-          workingDirectory: input.path,
-          requestContext: appContext,
-          tenantId
-        });
-      } else {
-        throw error48;
-      }
-    }
-  }
+  await ensureRepositoryReady(input, dependencies, tenantId);
   const storageKey = `session:workingDir:${tenantId}`;
   await storage.set(storageKey, input.path, appContext);
-  const repositoryContext = input.includeMetadata ? await gatherRepositoryContext(input.path, dependencies) : undefined;
+  const { snapshot, warnings } = await gatherRepoSnapshot({ provider, appContext, workingDirectory: input.path }, { commitLimit: 2, tagLimit: 2, includeRemotes: true });
   return {
     success: true,
     path: input.path,
     message: `Working directory set to: ${input.path}`,
-    repositoryContext
+    ...snapshot ? {
+      repository: {
+        status: snapshot.status,
+        recentCommits: snapshot.recentCommits,
+        recentTags: snapshot.recentTags,
+        remotes: snapshot.remotes ?? []
+      }
+    } : {},
+    ...warnings.length > 0 ? { enrichmentWarnings: warnings } : {}
   };
 }
 function filterGitSetWorkingDirOutput(result, level) {
   if (level === "minimal") {
-    return {
-      success: result.success,
-      path: result.path
-    };
+    return { success: result.success, path: result.path };
   }
   return result;
 }
@@ -146485,6 +146305,9 @@ var InputSchema9 = exports_external.object({
 var OutputSchema10 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   currentBranch: exports_external.string().nullable().describe("Current branch name."),
+  upstream: exports_external.string().optional().describe("Upstream ref the current branch is tracking (if any)."),
+  ahead: exports_external.number().int().optional().describe("Commits ahead of upstream (if tracking)."),
+  behind: exports_external.number().int().optional().describe("Commits behind upstream (if tracking)."),
   isClean: exports_external.boolean().describe("True if working directory is clean (no staged, unstaged, or untracked changes). When includeUntracked is false, untracked files are excluded from this check."),
   stagedChanges: exports_external.object({
     added: exports_external.array(exports_external.string()).optional().describe("Files added to the index (staged)."),
@@ -146512,6 +146335,9 @@ async function gitStatusLogic(input, { provider, targetPath, appContext }) {
   return {
     success: true,
     currentBranch: result.currentBranch,
+    ...result.upstream !== undefined && { upstream: result.upstream },
+    ...result.ahead !== undefined && { ahead: result.ahead },
+    ...result.behind !== undefined && { behind: result.behind },
     isClean: result.isClean,
     stagedChanges: result.stagedChanges,
     unstagedChanges: result.unstagedChanges,
@@ -146545,26 +146371,24 @@ var gitStatusTool = {
 
 // src/mcp-server/tools/definitions/git-wrapup-instructions.tool.ts
 init_zod();
-init_utils();
 import { readFileSync } from "fs";
 import path4 from "path";
 init_config();
 var TOOL_NAME10 = "git_wrapup_instructions";
 var TOOL_TITLE10 = "Git Wrap-up Instructions";
-var TOOL_DESCRIPTION10 = "Returns a Git wrap-up protocol: an acceptance-criteria checklist the agent must satisfy before the session is considered shipped. Uses the operator's custom instructions if configured, otherwise emits a generic goals-strict/mechanism-generic default. Includes current repository status to guide next actions.";
+var TOOL_DESCRIPTION10 = "Returns a Git wrap-up protocol: an acceptance-criteria checklist the agent must satisfy before the session is considered shipped. Uses the operator's custom instructions if configured, otherwise emits a generic goals-strict/mechanism-generic default. Enriches the response with a repository snapshot (status, recent commits, recent tags) so the agent has immediate orientation for the commit and release steps.";
 var InputSchema10 = exports_external.object({
   acknowledgement: exports_external.enum(["Y", "y", "Yes", "yes"]).describe("Acknowledgement to initiate the wrap-up workflow."),
   createTag: exports_external.boolean().optional().describe("Controls whether the tag criterion appears in the emitted protocol. Omit or set `true` to include the tag step. Set `false` to omit it entirely — e.g., when tagging is deferred to a separate release step.")
 });
 var OutputSchema11 = exports_external.object({
-  instructions: exports_external.string().describe("The set of instructions for the wrap-up workflow."),
-  gitStatus: exports_external.object({
-    branch: exports_external.string().describe("Current branch name."),
-    staged: exports_external.array(exports_external.string()).describe("Files staged for commit."),
-    unstaged: exports_external.array(exports_external.string()).describe("Files with unstaged changes."),
-    untracked: exports_external.array(exports_external.string()).describe("Untracked files.")
-  }).optional().describe("The current structured git status."),
-  gitStatusError: exports_external.string().optional().describe("Any error message if getting git status failed.")
+  instructions: exports_external.string().describe("The wrap-up protocol to satisfy before the session ships."),
+  repository: exports_external.object({
+    status: RepoSnapshotStatusSchema,
+    recentCommits: exports_external.array(RepoSnapshotCommitSchema).describe("Up to 2 most recent commits on the current branch."),
+    recentTags: exports_external.array(RepoSnapshotTagSchema).describe("Up to 2 most recent tags by creator date.")
+  }).optional().describe("Best-effort repository snapshot. Omitted when no working directory is set or when the path is not a git repository."),
+  enrichmentWarnings: exports_external.array(exports_external.string()).optional().describe("Actionable notes when snapshot gathering was skipped or partially failed.")
 });
 function buildDefaultInstructions(input) {
   const tagCriterion = input.createTag === false ? "" : "\n- [ ] Annotated tag at the project's convention (typically `v<version>`) with a concise message summarizing the real changes — no filler. Flag if a tag already exists at this commit.";
@@ -146633,49 +146457,32 @@ var customInstructions = loadCustomInstructions(config2?.git?.wrapupInstructions
 async function gitWrapupInstructionsLogic(input, { provider, storage, appContext }) {
   const tenantId = appContext.tenantId || "default-tenant";
   const finalInstructions = customInstructions ?? buildDefaultInstructions(input);
-  let gitStatus;
-  let gitStatusError;
-  try {
-    const storageKey = `session:workingDir:${tenantId}`;
-    const workingDir = await storage.get(storageKey, appContext);
-    if (workingDir) {
-      const result = await provider.status({ includeUntracked: true }, {
-        workingDirectory: workingDir,
-        requestContext: appContext,
-        tenantId
-      });
-      gitStatus = {
-        branch: result.currentBranch || "detached HEAD",
-        staged: [
-          ...result.stagedChanges.added || [],
-          ...result.stagedChanges.modified || [],
-          ...result.stagedChanges.deleted || []
-        ],
-        unstaged: [
-          ...result.unstagedChanges.modified || [],
-          ...result.unstagedChanges.deleted || []
-        ],
-        untracked: result.untrackedFiles
-      };
-    } else {
-      gitStatusError = "No working directory set for session, git status skipped.";
-    }
-  } catch (error48) {
-    const errorMessage = error48 instanceof Error ? error48.message : "Unknown error";
-    gitStatusError = `Failed to get git status: ${errorMessage}`;
-    logger.warning(gitStatusError, { ...appContext, error: error48 });
+  const storageKey = `session:workingDir:${tenantId}`;
+  const workingDir = await storage.get(storageKey, appContext);
+  if (!workingDir) {
+    return {
+      instructions: finalInstructions,
+      enrichmentWarnings: [
+        "No session working directory set. Call git_set_working_dir first to include a repository snapshot (status, recent commits, recent tags) in this response."
+      ]
+    };
   }
+  const { snapshot, warnings } = await gatherRepoSnapshot({ provider, appContext, workingDirectory: workingDir }, { commitLimit: 2, tagLimit: 2 });
   return {
     instructions: finalInstructions,
-    gitStatus,
-    gitStatusError
+    ...snapshot ? {
+      repository: {
+        status: snapshot.status,
+        recentCommits: snapshot.recentCommits,
+        recentTags: snapshot.recentTags
+      }
+    } : {},
+    ...warnings.length > 0 ? { enrichmentWarnings: warnings } : {}
   };
 }
 function filterGitWrapupInstructionsOutput(result, level) {
   if (level === "minimal") {
-    return {
-      instructions: result.instructions
-    };
+    return { instructions: result.instructions };
   }
   return result;
 }
@@ -146841,10 +146648,8 @@ var InputSchema12 = exports_external.object({
   }).optional().describe("Override commit author (defaults to git config)."),
   amend: exports_external.boolean().default(false).describe("Amend the previous commit instead of creating a new one. Use with caution."),
   allowEmpty: exports_external.boolean().default(false).describe("Allow creating a commit with no changes."),
-  sign: SignSchema,
   noVerify: NoVerifySchema,
-  filesToStage: exports_external.array(exports_external.string()).optional().describe("File paths to stage before committing (atomic stage+commit operation)."),
-  forceUnsignedOnFailure: exports_external.boolean().default(false).describe("If GPG/SSH signing fails, retry the commit without signing instead of failing.")
+  filesToStage: exports_external.array(exports_external.string()).optional().describe("File paths to stage before committing (atomic stage+commit operation).")
 });
 var OutputSchema13 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
@@ -146856,6 +146661,8 @@ var OutputSchema13 = exports_external.object({
   committedFiles: exports_external.array(exports_external.string()).describe("List of files that were committed."),
   insertions: exports_external.number().int().optional().describe("Number of line insertions."),
   deletions: exports_external.number().int().optional().describe("Number of line deletions."),
+  signed: exports_external.boolean().describe("Whether the commit was signed. False when GIT_SIGN_COMMITS=false or when signing was attempted and fell back to unsigned on failure."),
+  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the commit was created unsigned as a fallback."),
   status: exports_external.object({
     current_branch: exports_external.string().nullable().describe("Current branch name after commit."),
     staged_changes: exports_external.record(exports_external.string(), exports_external.any()).describe("Remaining staged changes after commit."),
@@ -146877,15 +146684,11 @@ async function gitCommitLogic(input, { provider, targetPath, appContext }) {
     message: input.message,
     amend: input.amend,
     allowEmpty: input.allowEmpty,
-    noVerify: input.noVerify,
-    forceUnsignedOnFailure: input.forceUnsignedOnFailure
+    noVerify: input.noVerify
   };
   if (input.author !== undefined) {
     commitOptions.author = input.author;
   }
-  if (input.sign !== undefined) {
-    commitOptions.sign = input.sign;
-  }
   const result = await provider.commit(commitOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -146896,7 +146699,7 @@ async function gitCommitLogic(input, { provider, targetPath, appContext }) {
     requestContext: appContext,
     tenantId: appContext.tenantId || "default-tenant"
   });
-  return {
+  const output = {
     success: result.success,
     commitHash: result.commitHash,
     message: result.message,
@@ -146904,6 +146707,7 @@ async function gitCommitLogic(input, { provider, targetPath, appContext }) {
     timestamp: result.timestamp,
     filesChanged: result.filesChanged.length,
     committedFiles: result.filesChanged,
+    signed: result.signed,
     status: {
       current_branch: statusResult.currentBranch,
       staged_changes: flattenChanges(statusResult.stagedChanges),
@@ -146913,6 +146717,10 @@ async function gitCommitLogic(input, { provider, targetPath, appContext }) {
       is_clean: statusResult.isClean
     }
   };
+  if (result.signingWarning) {
+    output.signingWarning = result.signingWarning;
+  }
+  return output;
 }
 function filterGitCommitOutput(result, level) {
   if (level === "minimal") {
@@ -146920,6 +146728,8 @@ function filterGitCommitOutput(result, level) {
       success: result.success,
       commitHash: result.commitHash,
       message: result.message,
+      signed: result.signed,
+      ...result.signingWarning && { signingWarning: result.signingWarning },
       status: {
         current_branch: result.status.current_branch,
         is_clean: result.status.is_clean,
@@ -146941,6 +146751,8 @@ function filterGitCommitOutput(result, level) {
       insertions: result.insertions,
       deletions: result.deletions,
       committedFiles: result.committedFiles,
+      signed: result.signed,
+      ...result.signingWarning && { signingWarning: result.signingWarning },
       status: {
         current_branch: result.status.current_branch,
         is_clean: result.status.is_clean,
@@ -147102,7 +146914,8 @@ var CommitSchema = exports_external.object({
 var OutputSchema15 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   commits: exports_external.array(CommitSchema).describe("Array of commit objects."),
-  totalCount: exports_external.number().int().describe("Total number of commits returned (may be limited by maxCount).")
+  totalCount: exports_external.number().int().describe("Total number of commits returned (may be limited by maxCount)."),
+  note: exports_external.string().optional().describe("Set when filters returned zero commits. Echoes the criteria and suggests broadening so callers can self-correct without inspecting the request.")
 });
 async function gitLogLogic(input, { provider, targetPath, appContext }) {
   const result = await provider.log({
@@ -147123,15 +146936,25 @@ async function gitLogLogic(input, { provider, targetPath, appContext }) {
     requestContext: appContext,
     tenantId: appContext.tenantId || "default-tenant"
   });
-  const commits = input.oneline ? result.commits.map(({ hash: hash2, shortHash, subject }) => ({
-    hash: hash2,
-    shortHash,
-    subject
-  })) : result.commits;
+  const appliedFilters = [];
+  if (input.author)
+    appliedFilters.push(`author=${input.author}`);
+  if (input.grep)
+    appliedFilters.push(`grep=${input.grep}`);
+  if (input.since)
+    appliedFilters.push(`since=${input.since}`);
+  if (input.until)
+    appliedFilters.push(`until=${input.until}`);
+  if (input.filePath)
+    appliedFilters.push(`filePath=${input.filePath}`);
+  if (input.branch)
+    appliedFilters.push(`branch=${input.branch}`);
+  const note = result.commits.length === 0 && appliedFilters.length > 0 ? `No commits matched the applied filters (${appliedFilters.join(", ")}). Try removing filters or broadening the date/author/path criteria.` : undefined;
   return {
     success: true,
-    commits,
-    totalCount: result.totalCount
+    commits: result.commits,
+    totalCount: result.totalCount,
+    ...note && { note }
   };
 }
 function filterGitLogOutput(result, level) {
@@ -147250,7 +147073,8 @@ var InputSchema16 = exports_external.object({
   all: AllSchema.describe("For list operation: show both local and remote branches."),
   remote: exports_external.boolean().default(false).describe("For list operation: show only remote branches."),
   merged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches merged into HEAD (true) or specified commit (string)."),
-  noMerged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches not merged into HEAD (true) or specified commit (string).")
+  noMerged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches not merged into HEAD (true) or specified commit (string)."),
+  limit: LimitSchema.describe("For list operation: cap the number of branches returned (applied at the git command). Use on repos with many branches.")
 });
 var BranchInfoSchema = exports_external.object({
   name: exports_external.string().describe("Branch name."),
@@ -147269,18 +147093,18 @@ var OutputSchema17 = exports_external.object({
 });
 async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   if (input.operation === "show-current") {
-    const result2 = await provider.branch({ mode: "list" }, {
+    const result2 = await provider.branch({ mode: "show-current" }, {
       workingDirectory: targetPath,
       requestContext: appContext,
       tenantId: appContext.tenantId || "default-tenant"
     });
-    const current = result2.mode === "list" ? result2.branches.find((b) => b.current) : undefined;
+    const current = result2.mode === "show-current" ? result2.current : null;
     return {
       success: true,
       operation: "show-current",
       branches: undefined,
-      currentBranch: current?.name,
-      message: current ? `Current branch: ${current.name}` : "Not on any branch (detached HEAD)"
+      currentBranch: current ?? undefined,
+      message: current ? `Current branch: ${current}` : "Not on any branch (detached HEAD)"
     };
   }
   const { path: _path, operation, name, newName, ...rest } = input;
@@ -147310,6 +147134,9 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   if (rest.noMerged !== undefined) {
     branchOptions.noMerged = rest.noMerged;
   }
+  if (rest.limit !== undefined) {
+    branchOptions.limit = rest.limit;
+  }
   const result = await provider.branch(branchOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -147339,7 +147166,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
       currentBranch: undefined,
       message: `Branch '${result.deleted}' deleted successfully.`
     };
-  } else {
+  } else if (result.mode === "rename") {
     return {
       success: true,
       operation: "rename",
@@ -147348,6 +147175,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
       message: `Branch '${result.renamed.from}' renamed to '${result.renamed.to}'.`
     };
   }
+  throw new Error(`Unexpected branch result mode: ${result.mode}`);
 }
 function filterGitBranchOutput(result, level) {
   if (level === "minimal") {
@@ -148105,7 +147933,8 @@ var InputSchema26 = exports_external.object({
   message: exports_external.string().optional().describe("Stash message description (for push operation)."),
   stashRef: exports_external.string().optional().describe("Stash reference like stash@{0} (for pop/apply/drop operations)."),
   includeUntracked: exports_external.boolean().default(false).describe("Include untracked files in the stash (for push operation)."),
-  keepIndex: exports_external.boolean().default(false).describe("Don't revert staged changes (for push operation).")
+  keepIndex: exports_external.boolean().default(false).describe("Don't revert staged changes (for push operation)."),
+  limit: LimitSchema.describe("For list mode: cap the number of stash entries returned (applied at the git command).")
 });
 var StashInfoSchema = exports_external.object({
   ref: exports_external.string().describe("Stash reference (e.g., stash@{0})."),
@@ -148139,6 +147968,9 @@ async function gitStashLogic(input, { provider, targetPath, appContext }) {
   if (input.keepIndex !== undefined) {
     stashOptions.keepIndex = input.keepIndex;
   }
+  if (input.limit !== undefined) {
+    stashOptions.limit = input.limit;
+  }
   const result = await provider.stash(stashOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -148189,9 +148021,7 @@ var InputSchema27 = exports_external.object({
   tagName: TagNameSchema.optional().describe("Tag name for create/delete operations."),
   commit: CommitRefSchema.optional().describe("Commit to tag (default: HEAD for create operation)."),
   message: exports_external.string().optional().describe("Tag message. Providing a message always produces an annotated tag (git does not support messages on lightweight tags). For release tags, summarize notable changes."),
-  annotated: exports_external.boolean().default(false).describe('Create an annotated tag with a default "Tag <name>" message. Only effective when both message and sign are absent — otherwise the tag is always annotated.'),
-  sign: SignSchema,
-  forceUnsignedOnFailure: exports_external.boolean().default(false).describe("If GPG/SSH signing fails, retry the tag creation without signing instead of failing."),
+  annotated: exports_external.boolean().default(false).describe('Create an annotated tag with a default "Tag <name>" message. Only effective when no message is provided and signing is disabled — otherwise the tag is always annotated.'),
   force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete).")
 });
 var TagInfoSchema = exports_external.object({
@@ -148206,7 +148036,9 @@ var OutputSchema28 = exports_external.object({
   mode: exports_external.string().describe("Operation mode that was performed."),
   tags: exports_external.array(TagInfoSchema).optional().describe("List of tags (for list mode)."),
   created: exports_external.string().optional().describe("Created tag name (for create mode)."),
-  deleted: exports_external.string().optional().describe("Deleted tag name (for delete mode).")
+  deleted: exports_external.string().optional().describe("Deleted tag name (for delete mode)."),
+  signed: exports_external.boolean().optional().describe("Whether the created tag was signed. Only populated for create mode. False when GIT_SIGN_COMMITS=false or when signing failed and fell back to unsigned."),
+  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback.")
 });
 async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if ((input.mode === "create" || input.mode === "delete") && !input.tagName) {
@@ -148215,8 +148047,7 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   const tagOptions = {
     mode: input.mode,
     annotated: input.annotated,
-    force: input.force,
-    forceUnsignedOnFailure: input.forceUnsignedOnFailure
+    force: input.force
   };
   if (input.tagName !== undefined) {
     tagOptions.tagName = input.tagName;
@@ -148227,27 +148058,33 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (input.message !== undefined) {
     tagOptions.message = normalizeMessage(input.message);
   }
-  if (input.sign !== undefined) {
-    tagOptions.sign = input.sign;
-  }
   const result = await provider.tag(tagOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
     tenantId: appContext.tenantId || "default-tenant"
   });
-  return {
+  const output = {
     success: true,
     mode: result.mode,
     tags: result.tags,
     created: result.created,
     deleted: result.deleted
   };
+  if (result.signed !== undefined) {
+    output.signed = result.signed;
+  }
+  if (result.signingWarning) {
+    output.signingWarning = result.signingWarning;
+  }
+  return output;
 }
 function filterGitTagOutput(result, level) {
   if (level === "minimal") {
     return {
       success: result.success,
-      mode: result.mode
+      mode: result.mode,
+      ...result.signed !== undefined && { signed: result.signed },
+      ...result.signingWarning && { signingWarning: result.signingWarning }
     };
   }
   return result;
@@ -148466,7 +148303,6 @@ var registerTools = (container4) => {
 };
 
 // src/mcp-server/server.ts
-init_utils();
 async function createMcpServerInstance() {
   const context = requestContextService.createRequestContext({
     operation: "createMcpServerInstance"
@@ -148510,7 +148346,6 @@ async function createMcpServerInstance() {
 
 // src/mcp-server/transports/manager.ts
 init_tokens();
-init_utils();
 var import_tsyringe14 = __toESM(require_cjs2(), 1);
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
@@ -151018,11 +150853,11 @@ var MemoryEventStore = class {
   #eventIdToStreamIdMap;
   #idGenerator;
   constructor(options = {}) {
-    const { streamBufferSize = 100, eventsPerStreamBufferSize = 100, idGenerator: idGenerator3 = () => crypto.randomUUID() } = options;
+    const { streamBufferSize = 100, eventsPerStreamBufferSize = 100, idGenerator: idGenerator2 = () => crypto.randomUUID() } = options;
     this.#idToIndexMap = /* @__PURE__ */ new Map;
     this.#eventIdToStreamIdMap = /* @__PURE__ */ new Map;
     this.#eventsPerStreamBufferSize = eventsPerStreamBufferSize;
-    this.#idGenerator = idGenerator3;
+    this.#idGenerator = idGenerator2;
     this.#items = new RingBuffer(streamBufferSize, ({ streamId, events }) => {
       this.#idToIndexMap.delete(streamId);
       events.reset();
@@ -152266,13 +152101,8 @@ var serve = (options, listeningListener) => {
 init_config();
 import http3 from "http";
 import { randomUUID } from "node:crypto";
-
-// src/mcp-server/transports/auth/index.ts
-init_authContext();
-
 // src/mcp-server/transports/auth/authFactory.ts
 init_config();
-init_utils();
 var import_tsyringe13 = __toESM(require_cjs2(), 1);
 
 // node_modules/jose/dist/webapi/lib/buffer_utils.js
@@ -153760,7 +153590,6 @@ function createRemoteJWKSet(url2, options) {
 // src/mcp-server/transports/auth/strategies/jwtStrategy.ts
 init_tokens();
 init_errors3();
-init_utils();
 var import_tsyringe11 = __toESM(require_cjs2(), 1);
 class JwtStrategy {
   config;
@@ -153769,9 +153598,9 @@ class JwtStrategy {
   env;
   devMcpClientId;
   devMcpScopes;
-  constructor(config3, logger3) {
+  constructor(config3, logger2) {
     this.config = config3;
-    this.logger = logger3;
+    this.logger = logger2;
     const context = requestContextService.createRequestContext({
       operation: "JwtStrategy.constructor"
     });
@@ -153876,15 +153705,14 @@ JwtStrategy = __legacyDecorateClassTS([
 // src/mcp-server/transports/auth/strategies/oauthStrategy.ts
 init_tokens();
 init_errors3();
-init_utils();
 var import_tsyringe12 = __toESM(require_cjs2(), 1);
 class OauthStrategy {
   config;
   logger;
   jwks;
-  constructor(config3, logger3) {
+  constructor(config3, logger2) {
     this.config = config3;
-    this.logger = logger3;
+    this.logger = logger2;
     const context = requestContextService.createRequestContext({
       operation: "OauthStrategy.constructor"
     });
@@ -154029,8 +153857,6 @@ function createAuthStrategy() {
 }
 // src/mcp-server/transports/auth/authMiddleware.ts
 init_errors3();
-init_utils();
-init_authContext();
 function createAuthMiddleware(strategy) {
   return async function authMiddleware(c, next) {
     const context = requestContextService.createRequestContext({
@@ -154079,7 +153905,6 @@ function createAuthMiddleware(strategy) {
 }
 // src/mcp-server/transports/http/httpErrorHandler.ts
 init_errors3();
-init_utils();
 var httpErrorHandler = async (err, c) => {
   const context = requestContextService.createRequestContext({
     operation: "httpErrorHandler",
@@ -154164,8 +153989,6 @@ var httpErrorHandler = async (err, c) => {
 };
 
 // src/mcp-server/transports/http/sessionManager.ts
-init_utils();
-
 class SessionManager {
   static instance = null;
   sessions = new Map;
@@ -154324,7 +154147,6 @@ class SessionManager {
 }
 
 // src/mcp-server/transports/http/httpTransport.ts
-init_utils();
 function createHttpApp(createMcpServer, parentContext) {
   const app = new Hono2;
   const transportContext = {
@@ -154700,7 +154522,6 @@ class StdioServerTransport {
 }
 
 // src/mcp-server/transports/stdio/stdioTransport.ts
-init_utils();
 async function startStdioTransport(server, parentContext) {
   const operationContext = {
     ...parentContext,
@@ -154747,9 +154568,9 @@ class TransportManager {
   logger;
   createMcpServer;
   serverInstance = null;
-  constructor(config3, logger3, createMcpServer) {
+  constructor(config3, logger2, createMcpServer) {
     this.config = config3;
-    this.logger = logger3;
+    this.logger = logger2;
     this.createMcpServer = createMcpServer;
   }
   async start() {
@@ -154802,7 +154623,6 @@ TransportManager = __legacyDecorateClassTS([
 ], TransportManager);
 
 // src/container/registrations/mcp.ts
-init_utils();
 var registerMcpServices = () => {
   import_tsyringe15.container.registerSingleton(ToolRegistry);
   import_tsyringe15.container.registerSingleton(ResourceRegistry);
@@ -154898,11 +154718,11 @@ var start = async () => {
   }
   await logger.initialize(validatedMcpLogLevel, config3.mcpTransportType);
   logger.info(`Logger initialized. Effective MCP logging level: ${validatedMcpLogLevel}.`, requestContextService.createRequestContext({ operation: "LoggerInit" }));
-  const runtime2 = detectRuntime();
+  const runtime = detectRuntime();
   const runtimeDesc = getRuntimeDescription();
   logger.info(`Runtime detected: ${runtimeDesc}`, requestContextService.createRequestContext({
     operation: "RuntimeDetection",
-    runtime: runtime2,
+    runtime,
     runtimeVersion: runtimeDesc
   }));
   logger.info(`Storage service initialized with provider: ${config3.storage.providerType}`, requestContextService.createRequestContext({ operation: "StorageInit" }));