@cyanheads/git-mcp-server 2.13.0 → 2.14.2

package/dist/index.js

@@ -15284,7 +15284,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@cyanheads/git-mcp-server",
-    version: "2.13.0",
+    version: "2.14.2",
     mcpName: "io.github.cyanheads/git-mcp-server",
     description: "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
     main: "dist/index.js",
@@ -105579,75 +105579,6 @@ var require_index_incubating = __commonJS((exports) => {
   __exportStar(require_experimental_events(), exports);
 });
 
-// src/mcp-server/transports/auth/lib/authContext.ts
-import { AsyncLocalStorage } from "async_hooks";
-var authContext;
-var init_authContext = __esm(() => {
-  authContext = new AsyncLocalStorage;
-});
-
-// src/utils/internal/requestContext.ts
-var import_api2, requestContextServiceInstance, requestContextService;
-var init_requestContext = __esm(() => {
-  init_authContext();
-  init_utils();
-  init_logger();
-  import_api2 = __toESM(require_src(), 1);
-  requestContextServiceInstance = {
-    config: {},
-    configure(config3) {
-      this.config = {
-        ...this.config,
-        ...config3
-      };
-      const logContext = this.createRequestContext({
-        operation: "RequestContextService.configure",
-        additionalContext: { newConfigState: { ...this.config } }
-      });
-      logger.debug("RequestContextService configuration updated", logContext);
-      return { ...this.config };
-    },
-    getConfig() {
-      return { ...this.config };
-    },
-    createRequestContext(params = {}) {
-      const { parentContext, additionalContext, operation, ...rest } = params;
-      const inheritedContext = parentContext && typeof parentContext === "object" ? { ...parentContext } : {};
-      let inheritedTenantId;
-      if (inheritedContext && typeof inheritedContext === "object" && "tenantId" in inheritedContext && typeof inheritedContext.tenantId === "string") {
-        inheritedTenantId = inheritedContext.tenantId;
-      }
-      const authStore = authContext.getStore();
-      const tenantIdFromAuth = authStore?.authInfo?.tenantId;
-      const inheritedRequestId = inheritedContext.requestId;
-      const requestId = typeof inheritedRequestId === "string" && inheritedRequestId ? inheritedRequestId : generateRequestContextId();
-      const timestamp = new Date().toISOString();
-      const restTenantId = typeof rest.tenantId === "string" ? rest.tenantId : undefined;
-      const additionalTenantId = additionalContext && typeof additionalContext === "object" && typeof additionalContext.tenantId === "string" ? additionalContext.tenantId : undefined;
-      const resolvedTenantId = additionalTenantId ?? restTenantId ?? inheritedTenantId ?? tenantIdFromAuth;
-      const context = {
-        ...inheritedContext,
-        ...rest,
-        requestId,
-        timestamp,
-        ...resolvedTenantId ? { tenantId: resolvedTenantId } : {},
-        ...additionalContext && typeof additionalContext === "object" ? additionalContext : {},
-        ...operation && typeof operation === "string" ? { operation } : {}
-      };
-      const activeSpan = import_api2.trace.getActiveSpan();
-      if (activeSpan && typeof activeSpan.spanContext === "function") {
-        const spanContext = activeSpan.spanContext();
-        if (spanContext) {
-          context.traceId = spanContext.traceId;
-          context.spanId = spanContext.spanId;
-        }
-      }
-      return context;
-    }
-  };
-  requestContextService = requestContextServiceInstance;
-});
-
 // node_modules/validator/lib/util/assertString.js
 var require_assertString = __commonJS((exports, module) => {
   Object.defineProperty(exports, "__esModule", {
@@ -112046,1408 +111977,6 @@ var require_validator = __commonJS((exports, module) => {
   module.exports.default = exports.default;
 });
 
-// src/utils/security/sanitization.ts
-class Sanitization {
-  static instance;
-  sensitiveFields = [
-    "password",
-    "token",
-    "secret",
-    "apiKey",
-    "credential",
-    "jwt",
-    "ssn",
-    "cvv",
-    "authorization",
-    "cookie",
-    "clientsecret",
-    "client_secret",
-    "private_key",
-    "privatekey"
-  ];
-  constructor() {}
-  static getInstance() {
-    if (!Sanitization.instance) {
-      Sanitization.instance = new Sanitization;
-    }
-    return Sanitization.instance;
-  }
-  setSensitiveFields(fields) {
-    this.sensitiveFields = [
-      ...new Set([
-        ...this.sensitiveFields,
-        ...fields.map((f3) => f3.toLowerCase())
-      ])
-    ];
-    const logContext = requestContextService.createRequestContext({
-      operation: "Sanitization.setSensitiveFields",
-      additionalContext: {
-        newSensitiveFieldCount: this.sensitiveFields.length
-      }
-    });
-    logger.debug("Updated sensitive fields list for log sanitization", logContext);
-  }
-  getSensitiveFields() {
-    return [...this.sensitiveFields];
-  }
-  getSensitivePinoFields() {
-    return this.sensitiveFields.map((field) => field.replace(/[-_]/g, ""));
-  }
-  sanitizeUrl(input, allowedProtocols = ["http", "https"]) {
-    try {
-      const trimmedInput = input.trim();
-      if (!import_validator.default.isURL(trimmedInput, {
-        protocols: allowedProtocols,
-        require_protocol: true,
-        require_host: true
-      })) {
-        throw new Error("Invalid URL format or protocol not in allowed list.");
-      }
-      const lowercasedInput = trimmedInput.toLowerCase();
-      if (lowercasedInput.startsWith("javascript:") || lowercasedInput.startsWith("data:") || lowercasedInput.startsWith("vbscript:")) {
-        throw new Error("Disallowed pseudo-protocol (javascript:, data:, or vbscript:) in URL.");
-      }
-      return trimmedInput;
-    } catch (error48) {
-      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe URL provided.", { input });
-    }
-  }
-  sanitizePath(input, options = {}) {
-    if (isServerless || !pathModule) {
-      throw new McpError(-32603 /* InternalError */, "File-based path sanitization is not supported in this environment.");
-    }
-    const path2 = pathModule;
-    const originalInput = input;
-    const resolvedRootDir = options.rootDir ? path2.resolve(options.rootDir) : undefined;
-    const effectiveOptions = {
-      toPosix: options.toPosix ?? false,
-      allowAbsolute: options.allowAbsolute ?? false,
-      ...resolvedRootDir && { rootDir: resolvedRootDir }
-    };
-    let wasAbsoluteInitially = false;
-    try {
-      if (!input || typeof input !== "string")
-        throw new Error("Invalid path input: must be a non-empty string.");
-      if (input.includes("\x00"))
-        throw new Error("Path contains null byte, which is disallowed.");
-      let normalized = path2.normalize(input);
-      wasAbsoluteInitially = path2.isAbsolute(normalized);
-      if (effectiveOptions.toPosix) {
-        normalized = normalized.replace(/\\/g, "/");
-      }
-      let finalSanitizedPath;
-      if (resolvedRootDir) {
-        let fullPath;
-        if (path2.isAbsolute(normalized)) {
-          fullPath = path2.normalize(normalized);
-        } else {
-          fullPath = path2.resolve(resolvedRootDir, normalized);
-        }
-        const normalizedRoot = path2.normalize(resolvedRootDir);
-        const normalizedFull = path2.normalize(fullPath);
-        if (!normalizedFull.startsWith(normalizedRoot + path2.sep) && normalizedFull !== normalizedRoot) {
-          throw new Error("Path traversal detected: attempts to escape the defined root directory.");
-        }
-        finalSanitizedPath = path2.relative(normalizedRoot, normalizedFull);
-        finalSanitizedPath = finalSanitizedPath === "" ? "." : finalSanitizedPath;
-        if (path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute) {
-          throw new Error("Path resolved to absolute outside root when absolute paths are disallowed.");
-        }
-      } else {
-        if (path2.isAbsolute(normalized)) {
-          if (!effectiveOptions.allowAbsolute) {
-            throw new Error("Absolute paths are disallowed by current options.");
-          } else {
-            finalSanitizedPath = normalized;
-          }
-        } else {
-          const resolvedAgainstCwd = path2.resolve(normalized);
-          const currentWorkingDir = path2.resolve(".");
-          if (!resolvedAgainstCwd.startsWith(currentWorkingDir + path2.sep) && resolvedAgainstCwd !== currentWorkingDir) {
-            throw new Error("Relative path traversal detected (escapes current working directory context).");
-          }
-          finalSanitizedPath = normalized;
-        }
-      }
-      return {
-        sanitizedPath: finalSanitizedPath,
-        originalInput,
-        wasAbsolute: wasAbsoluteInitially,
-        convertedToRelative: wasAbsoluteInitially && !path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute,
-        optionsUsed: effectiveOptions
-      };
-    } catch (error48) {
-      logger.warning("Path sanitization error", requestContextService.createRequestContext({
-        operation: "Sanitization.sanitizePath.error",
-        additionalContext: {
-          originalPathInput: originalInput,
-          pathOptionsUsed: effectiveOptions,
-          errorMessage: error48 instanceof Error ? error48.message : String(error48)
-        }
-      }));
-      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe path provided.", { input: originalInput });
-    }
-  }
-  sanitizeJson(input, maxSize) {
-    try {
-      if (typeof input !== "string")
-        throw new Error("Invalid input: expected a JSON string.");
-      const computeBytes = (s2) => {
-        if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
-          return Buffer.byteLength(s2, "utf8");
-        }
-        if (typeof TextEncoder !== "undefined") {
-          return new TextEncoder().encode(s2).length;
-        }
-        return s2.length;
-      };
-      if (maxSize !== undefined && computeBytes(input) > maxSize) {
-        throw new McpError(-32007 /* ValidationError */, `JSON string exceeds maximum allowed size of ${maxSize} bytes.`, { actualSize: computeBytes(input), maxSize });
-      }
-      return JSON.parse(input);
-    } catch (error48) {
-      if (error48 instanceof McpError)
-        throw error48;
-      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid JSON format.", {
-        inputPreview: input.length > 100 ? `${input.substring(0, 100)}...` : input
-      });
-    }
-  }
-  sanitizeNumber(input, min, max) {
-    let value;
-    if (typeof input === "string") {
-      const trimmedInput = input.trim();
-      if (trimmedInput === "" || !import_validator.default.isNumeric(trimmedInput)) {
-        throw new McpError(-32007 /* ValidationError */, "Invalid number format: input is empty or not numeric.", { input });
-      }
-      value = parseFloat(trimmedInput);
-    } else if (typeof input === "number") {
-      value = input;
-    } else {
-      throw new McpError(-32007 /* ValidationError */, "Invalid input type: expected number or string.", { input: String(input) });
-    }
-    if (isNaN(value) || !isFinite(value)) {
-      throw new McpError(-32007 /* ValidationError */, "Invalid number value (NaN or Infinity).", { input });
-    }
-    let clamped = false;
-    const originalValueForLog = value;
-    if (min !== undefined && value < min) {
-      value = min;
-      clamped = true;
-    }
-    if (max !== undefined && value > max) {
-      value = max;
-      clamped = true;
-    }
-    if (clamped) {
-      logger.debug("Number clamped to range.", requestContextService.createRequestContext({
-        operation: "Sanitization.sanitizeNumber.clamped",
-        additionalContext: {
-          originalInput: String(input),
-          parsedValue: originalValueForLog,
-          minValue: min,
-          maxValue: max,
-          clampedValue: value
-        }
-      }));
-    }
-    return value;
-  }
-  sanitizeForLogging(input) {
-    try {
-      if (!input || typeof input !== "object")
-        return input;
-      const clonedInput = typeof globalThis.structuredClone === "function" ? globalThis.structuredClone(input) : JSON.parse(JSON.stringify(input));
-      this.redactSensitiveFields(clonedInput);
-      return clonedInput;
-    } catch (error48) {
-      logger.error("Error during log sanitization, returning placeholder.", requestContextService.createRequestContext({
-        operation: "Sanitization.sanitizeForLogging.error",
-        additionalContext: {
-          errorMessage: error48 instanceof Error ? error48.message : String(error48)
-        }
-      }));
-      return "[Log Sanitization Failed]";
-    }
-  }
-  redactSensitiveFields(obj) {
-    if (!obj || typeof obj !== "object")
-      return;
-    if (Array.isArray(obj)) {
-      obj.forEach((item) => this.redactSensitiveFields(item));
-      return;
-    }
-    const normalize = (str) => str.toLowerCase().replace(/[^a-z0-9]/g, "");
-    const normalizedSensitiveSet = new Set(this.sensitiveFields.map((f3) => normalize(f3)).filter(Boolean));
-    const wordSensitiveSet = new Set(this.sensitiveFields.map((f3) => f3.toLowerCase()).filter(Boolean));
-    for (const key in obj) {
-      if (Object.prototype.hasOwnProperty.call(obj, key)) {
-        const value = obj[key];
-        const normalizedKey = normalize(key);
-        const keyWords = key.replace(/([A-Z])/g, " $1").toLowerCase().split(/[\s_-]+/).filter(Boolean);
-        const isExactSensitive = normalizedSensitiveSet.has(normalizedKey);
-        const isWordSensitive = keyWords.some((w) => wordSensitiveSet.has(w));
-        const isSensitive = isExactSensitive || isWordSensitive;
-        if (isSensitive) {
-          obj[key] = "[REDACTED]";
-        } else if (value && typeof value === "object") {
-          this.redactSensitiveFields(value);
-        }
-      }
-    }
-  }
-}
-var import_validator, isServerless, pathModule, sanitization, sanitizeInputForLogging = (input) => sanitization.sanitizeForLogging(input);
-var init_sanitization = __esm(() => {
-  init_errors3();
-  init_utils();
-  import_validator = __toESM(require_validator(), 1);
-  isServerless = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
-  if (!isServerless) {
-    import("path").then((mod2) => {
-      pathModule = mod2.default;
-    }).catch(() => {});
-  }
-  sanitization = Sanitization.getInstance();
-});
-
-// src/utils/internal/logger.ts
-import pino from "pino";
-var mcpToPinoLevel, pinoToMcpLevelSeverity, isServerless2, Logger, logger;
-var init_logger = __esm(() => {
-  init_config();
-  init_requestContext();
-  init_sanitization();
-  mcpToPinoLevel = {
-    emerg: "fatal",
-    alert: "fatal",
-    crit: "error",
-    error: "error",
-    warning: "warn",
-    notice: "info",
-    info: "info",
-    debug: "debug"
-  };
-  pinoToMcpLevelSeverity = {
-    fatal: 0,
-    error: 2,
-    warn: 4,
-    info: 6,
-    debug: 7
-  };
-  isServerless2 = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
-  Logger = class Logger {
-    static instance = new Logger;
-    pinoLogger;
-    interactionLogger;
-    initialized = false;
-    currentMcpLevel = "info";
-    transportType;
-    rateLimitThreshold = 10;
-    rateLimitWindow = 60000;
-    messageCounts = new Map;
-    suppressedMessages = new Map;
-    cleanupTimer;
-    constructor() {}
-    static getInstance() {
-      return Logger.instance;
-    }
-    async createPinoLogger(level, transportType) {
-      const pinoLevel = mcpToPinoLevel[level] || "info";
-      const pinoOptions = {
-        level: pinoLevel,
-        base: {
-          env: config2.environment,
-          version: config2.mcpServerVersion,
-          pid: !isServerless2 ? process.pid : undefined
-        },
-        redact: {
-          paths: sanitization.getSensitivePinoFields(),
-          censor: "[REDACTED]"
-        }
-      };
-      if (isServerless2) {
-        return pino(pinoOptions);
-      }
-      const { default: fs2 } = await import("fs");
-      const { default: path2 } = await import("path");
-      const transports = [];
-      const isDevelopment = config2.environment === "development";
-      const isTest = config2.environment === "testing";
-      const noColorEnv = process.env.NO_COLOR === "1" || process.env.FORCE_COLOR === "0";
-      const useColoredOutput = isDevelopment && transportType !== "stdio" && !noColorEnv;
-      if (useColoredOutput && !isServerless2) {
-        try {
-          const { createRequire: createRequire2 } = await import("node:module");
-          const require2 = createRequire2(import.meta.url);
-          const prettyTarget = require2.resolve("pino-pretty");
-          transports.push({
-            target: prettyTarget,
-            options: { colorize: true, translateTime: "yyyy-mm-dd HH:MM:ss" }
-          });
-        } catch (err) {
-          if (process.stderr?.isTTY) {
-            console.warn(`[Logger Init] Pretty transport unavailable (${err instanceof Error ? err.message : String(err)}); falling back to stdout JSON.`);
-          }
-          transports.push({ target: "pino/file", options: { destination: 1 } });
-        }
-      } else if (!isTest) {
-        transports.push({ target: "pino/file", options: { destination: 2 } });
-      }
-      if (config2.logsPath) {
-        try {
-          if (!fs2.existsSync(config2.logsPath)) {
-            fs2.mkdirSync(config2.logsPath, { recursive: true });
-          }
-          transports.push({
-            level: pinoLevel,
-            target: "pino/file",
-            options: {
-              destination: path2.join(config2.logsPath, "combined.log"),
-              mkdir: true
-            }
-          });
-          transports.push({
-            level: "error",
-            target: "pino/file",
-            options: {
-              destination: path2.join(config2.logsPath, "error.log"),
-              mkdir: true
-            }
-          });
-        } catch (err) {
-          if (process.stderr?.isTTY) {
-            console.error(`[Logger Init] Failed to configure file logging: ${err instanceof Error ? err.message : String(err)}`);
-          }
-        }
-      }
-      return pino({ ...pinoOptions, transport: { targets: transports } });
-    }
-    async createInteractionLogger() {
-      if (isServerless2 || !config2.logsPath)
-        return;
-      const { default: path2 } = await import("path");
-      return pino({
-        transport: {
-          target: "pino/file",
-          options: {
-            destination: path2.join(config2.logsPath, "interactions.log"),
-            mkdir: true
-          }
-        }
-      });
-    }
-    async initialize(level = "info", transportType) {
-      if (this.initialized) {
-        this.warning("Logger already initialized.", requestContextService.createRequestContext({
-          operation: "loggerReinit"
-        }));
-        return;
-      }
-      this.currentMcpLevel = level;
-      this.transportType = transportType;
-      this.pinoLogger = await this.createPinoLogger(level, transportType);
-      this.interactionLogger = await this.createInteractionLogger();
-      if (!isServerless2 && !this.cleanupTimer) {
-        this.cleanupTimer = setInterval(() => this.flushSuppressedMessages(), this.rateLimitWindow);
-        this.cleanupTimer.unref?.();
-      }
-      this.initialized = true;
-      this.info(`Logger initialized. MCP level: ${level}.`, requestContextService.createRequestContext({ operation: "loggerInit" }));
-    }
-    setLevel(newLevel) {
-      if (!this.pinoLogger || !this.initialized) {
-        if (process.stderr?.isTTY) {
-          console.error("Cannot set level: Logger not initialized.");
-        }
-        return;
-      }
-      this.currentMcpLevel = newLevel;
-      this.pinoLogger.level = mcpToPinoLevel[newLevel] || "info";
-      this.info(`Log level changed to ${newLevel}.`, requestContextService.createRequestContext({
-        operation: "loggerSetLevel"
-      }));
-    }
-    async close() {
-      if (!this.initialized)
-        return Promise.resolve();
-      this.info("Logger shutting down.", requestContextService.createRequestContext({ operation: "loggerClose" }));
-      if (this.cleanupTimer)
-        clearInterval(this.cleanupTimer);
-      this.flushSuppressedMessages();
-      await Promise.all([
-        new Promise((resolve) => {
-          if (this.pinoLogger) {
-            this.pinoLogger.flush((err) => {
-              if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
-                console.error("Error flushing main logger:", err);
-              }
-              resolve();
-            });
-          } else {
-            resolve();
-          }
-        }),
-        new Promise((resolve) => {
-          if (this.interactionLogger) {
-            this.interactionLogger.flush((err) => {
-              if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
-                console.error("Error flushing interaction logger:", err);
-              }
-              resolve();
-            });
-          } else {
-            resolve();
-          }
-        })
-      ]);
-      this.initialized = false;
-    }
-    isInitialized() {
-      return this.initialized;
-    }
-    isRateLimited(message) {
-      const now = Date.now();
-      const entry = this.messageCounts.get(message);
-      if (!entry) {
-        this.messageCounts.set(message, { count: 1, firstSeen: now });
-        return false;
-      }
-      if (now - entry.firstSeen > this.rateLimitWindow) {
-        this.messageCounts.set(message, { count: 1, firstSeen: now });
-        return false;
-      }
-      entry.count++;
-      if (entry.count > this.rateLimitThreshold) {
-        this.suppressedMessages.set(message, (this.suppressedMessages.get(message) || 0) + 1);
-        return true;
-      }
-      return false;
-    }
-    flushSuppressedMessages() {
-      if (this.suppressedMessages.size === 0)
-        return;
-      for (const [message, count] of this.suppressedMessages.entries()) {
-        this.warning(`Log message suppressed ${count} times due to rate limiting.`, requestContextService.createRequestContext({
-          operation: "loggerRateLimitFlush",
-          additionalContext: { originalMessage: message }
-        }));
-      }
-      this.suppressedMessages.clear();
-      this.messageCounts.clear();
-    }
-    log(level, msg, context, error48) {
-      if (!this.pinoLogger || !this.initialized)
-        return;
-      const pinoLevel = mcpToPinoLevel[level] || "info";
-      const currentPinoLevel = mcpToPinoLevel[this.currentMcpLevel] || "info";
-      const levelSeverity = pinoToMcpLevelSeverity[pinoLevel];
-      const currentLevelSeverity = pinoToMcpLevelSeverity[currentPinoLevel];
-      if (typeof levelSeverity === "number" && typeof currentLevelSeverity === "number" && levelSeverity > currentLevelSeverity) {
-        return;
-      }
-      if (this.isRateLimited(msg))
-        return;
-      const logObject = { ...context };
-      if (error48)
-        logObject.err = pino.stdSerializers.err(error48);
-      this.pinoLogger[pinoLevel](logObject, msg);
-    }
-    debug(msg, context) {
-      this.log("debug", msg, context);
-    }
-    info(msg, context) {
-      this.log("info", msg, context);
-    }
-    notice(msg, context) {
-      this.log("notice", msg, context);
-    }
-    warning(msg, context) {
-      this.log("warning", msg, context);
-    }
-    error(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("error", msg, actualContext, errorObj);
-    }
-    crit(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("crit", msg, actualContext, errorObj);
-    }
-    alert(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("alert", msg, actualContext, errorObj);
-    }
-    emerg(msg, errorOrContext, context) {
-      const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
-      const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
-      this.log("emerg", msg, actualContext, errorObj);
-    }
-    fatal(msg, errorOrContext, context) {
-      this.emerg(msg, errorOrContext, context);
-    }
-    logInteraction(interactionName, data) {
-      if (!this.interactionLogger) {
-        if (!isServerless2)
-          this.warning("Interaction logger not available.", data.context || {});
-        return;
-      }
-      this.interactionLogger.info({ interactionName, ...data });
-    }
-  };
-  logger = Logger.getInstance();
-});
-
-// src/utils/internal/error-handler/mappings.ts
-var ERROR_TYPE_MAPPINGS, COMMON_ERROR_PATTERNS;
-var init_mappings = __esm(() => {
-  ERROR_TYPE_MAPPINGS = {
-    SyntaxError: -32007 /* ValidationError */,
-    TypeError: -32007 /* ValidationError */,
-    ReferenceError: -32603 /* InternalError */,
-    RangeError: -32007 /* ValidationError */,
-    URIError: -32007 /* ValidationError */,
-    EvalError: -32603 /* InternalError */,
-    AggregateError: -32603 /* InternalError */
-  };
-  COMMON_ERROR_PATTERNS = [
-    {
-      pattern: /auth|unauthorized|unauthenticated|not.*logged.*in|invalid.*token|expired.*token/i,
-      errorCode: -32006 /* Unauthorized */
-    },
-    {
-      pattern: /permission|forbidden|access.*denied|not.*allowed/i,
-      errorCode: -32005 /* Forbidden */
-    },
-    {
-      pattern: /not found|missing|no such|doesn't exist|couldn't find/i,
-      errorCode: -32001 /* NotFound */
-    },
-    {
-      pattern: /invalid|validation|malformed|bad request|wrong format|missing required/i,
-      errorCode: -32007 /* ValidationError */
-    },
-    {
-      pattern: /conflict|already exists|duplicate|unique constraint/i,
-      errorCode: -32002 /* Conflict */
-    },
-    {
-      pattern: /rate limit|too many requests|throttled/i,
-      errorCode: -32003 /* RateLimited */
-    },
-    {
-      pattern: /timeout|timed out|deadline exceeded/i,
-      errorCode: -32004 /* Timeout */
-    },
-    {
-      pattern: /abort(ed)?|cancell?ed/i,
-      errorCode: -32004 /* Timeout */
-    },
-    {
-      pattern: /service unavailable|bad gateway|gateway timeout|upstream error/i,
-      errorCode: -32000 /* ServiceUnavailable */
-    },
-    {
-      pattern: /zod|zoderror|schema validation/i,
-      errorCode: -32007 /* ValidationError */
-    }
-  ];
-});
-
-// src/utils/internal/error-handler/helpers.ts
-function createSafeRegex(pattern) {
-  if (pattern instanceof RegExp) {
-    let flags = pattern.flags.replace("g", "");
-    if (!flags.includes("i")) {
-      flags += "i";
-    }
-    return new RegExp(pattern.source, flags);
-  }
-  return new RegExp(pattern, "i");
-}
-function getErrorName(error48) {
-  if (error48 instanceof Error) {
-    return error48.name || "Error";
-  }
-  if (error48 === null) {
-    return "NullValueEncountered";
-  }
-  if (error48 === undefined) {
-    return "UndefinedValueEncountered";
-  }
-  if (typeof error48 === "object" && error48 !== null && error48.constructor && typeof error48.constructor.name === "string" && error48.constructor.name !== "Object") {
-    return `${error48.constructor.name}Encountered`;
-  }
-  return `${typeof error48}Encountered`;
-}
-function getErrorMessage(error48) {
-  try {
-    if (error48 instanceof Error) {
-      if ("errors" in error48 && Array.isArray(error48.errors)) {
-        const inner = error48.errors.map((e2) => e2 instanceof Error ? e2.message : String(e2)).filter(Boolean).slice(0, 3).join("; ");
-        return inner ? `${error48.message}: ${inner}` : error48.message;
-      }
-      return error48.message;
-    }
-    if (error48 === null) {
-      return "Null value encountered as error";
-    }
-    if (error48 === undefined) {
-      return "Undefined value encountered as error";
-    }
-    if (typeof error48 === "string") {
-      return error48;
-    }
-    if (typeof error48 === "number" || typeof error48 === "boolean") {
-      return String(error48);
-    }
-    if (typeof error48 === "bigint") {
-      return error48.toString();
-    }
-    if (typeof error48 === "function") {
-      return `[function ${error48.name || "anonymous"}]`;
-    }
-    if (typeof error48 === "object") {
-      try {
-        const json2 = JSON.stringify(error48);
-        if (json2 && json2 !== "{}")
-          return json2;
-      } catch {}
-      const ctor = error48.constructor?.name;
-      return `Non-Error object encountered (constructor: ${ctor || "Object"})`;
-    }
-    if (typeof error48 === "symbol") {
-      return error48.toString();
-    }
-    return "[unrepresentable error]";
-  } catch (conversionError) {
-    return `Error converting error to string: ${conversionError instanceof Error ? conversionError.message : "Unknown conversion error"}`;
-  }
-}
-
-// src/utils/internal/error-handler/errorHandler.ts
-class ErrorHandler {
-  static determineErrorCode(error48) {
-    if (error48 instanceof McpError) {
-      return error48.code;
-    }
-    const errorName = getErrorName(error48);
-    const errorMessage = getErrorMessage(error48);
-    const mappedFromType = ERROR_TYPE_MAPPINGS[errorName];
-    if (mappedFromType) {
-      return mappedFromType;
-    }
-    for (const mapping of COMMON_ERROR_PATTERNS) {
-      const regex = createSafeRegex(mapping.pattern);
-      if (regex.test(errorMessage) || regex.test(errorName)) {
-        return mapping.errorCode;
-      }
-    }
-    if (typeof error48 === "object" && error48 !== null && "name" in error48 && error48.name === "AbortError") {
-      return -32004 /* Timeout */;
-    }
-    return -32603 /* InternalError */;
-  }
-  static handleError(error48, options) {
-    const activeSpan = import_api3.trace.getActiveSpan();
-    if (activeSpan) {
-      if (error48 instanceof Error) {
-        activeSpan.recordException(error48);
-      }
-      activeSpan.setStatus({
-        code: import_api3.SpanStatusCode.ERROR,
-        message: error48 instanceof Error ? error48.message : String(error48)
-      });
-    }
-    const {
-      context = {},
-      operation,
-      input,
-      rethrow = false,
-      errorCode: explicitErrorCode,
-      includeStack = true,
-      critical = false,
-      errorMapper
-    } = options;
-    const sanitizedInput = input !== undefined ? sanitizeInputForLogging(input) : undefined;
-    const originalErrorName = getErrorName(error48);
-    const originalErrorMessage = getErrorMessage(error48);
-    const originalStack = error48 instanceof Error ? error48.stack : undefined;
-    let finalError;
-    let loggedErrorCode;
-    const errorDataSeed = error48 instanceof McpError && typeof error48.data === "object" && error48.data !== null ? { ...error48.data } : {};
-    const consolidatedData = {
-      ...errorDataSeed,
-      ...context,
-      originalErrorName,
-      originalMessage: originalErrorMessage
-    };
-    if (originalStack && !(error48 instanceof McpError && error48.data?.originalStack)) {
-      consolidatedData.originalStack = originalStack;
-    }
-    const cause = error48 instanceof Error ? error48 : undefined;
-    const rootCause = (() => {
-      let current = cause;
-      let depth = 0;
-      while (current && current instanceof Error && current.cause && depth < 5) {
-        current = current.cause;
-        depth += 1;
-      }
-      return current instanceof Error ? { name: current.name, message: current.message } : undefined;
-    })();
-    if (rootCause) {
-      consolidatedData["rootCause"] = rootCause;
-    }
-    if (error48 instanceof McpError) {
-      loggedErrorCode = error48.code;
-      finalError = errorMapper ? errorMapper(error48) : new McpError(error48.code, error48.message, consolidatedData, {
-        cause
-      });
-    } else {
-      loggedErrorCode = explicitErrorCode || ErrorHandler.determineErrorCode(error48);
-      const message = `Error in ${operation}: ${originalErrorMessage}`;
-      finalError = errorMapper ? errorMapper(error48) : new McpError(loggedErrorCode, message, consolidatedData, {
-        cause
-      });
-    }
-    if (finalError !== error48 && error48 instanceof Error && finalError instanceof Error && !finalError.stack && error48.stack) {
-      finalError.stack = error48.stack;
-    }
-    const logRequestId = typeof context.requestId === "string" && context.requestId ? context.requestId : generateUUID();
-    const logTimestamp = typeof context.timestamp === "string" && context.timestamp ? context.timestamp : new Date().toISOString();
-    const stack = finalError instanceof Error ? finalError.stack : originalStack;
-    const logContext = {
-      requestId: logRequestId,
-      timestamp: logTimestamp,
-      operation,
-      input: sanitizedInput,
-      critical,
-      errorCode: loggedErrorCode,
-      originalErrorType: originalErrorName,
-      finalErrorType: getErrorName(finalError),
-      ...Object.fromEntries(Object.entries(context).filter(([key]) => key !== "requestId" && key !== "timestamp")),
-      errorData: finalError instanceof McpError && finalError.data ? finalError.data : consolidatedData,
-      ...includeStack && stack ? { stack } : {}
-    };
-    logger.error(`Error in ${operation}: ${finalError.message || originalErrorMessage}`, logContext);
-    if (rethrow) {
-      throw finalError;
-    }
-    return finalError;
-  }
-  static mapError(error48, mappings, defaultFactory) {
-    const errorMessage = getErrorMessage(error48);
-    const errorName = getErrorName(error48);
-    for (const mapping of mappings) {
-      const regex = createSafeRegex(mapping.pattern);
-      if (regex.test(errorMessage) || regex.test(errorName)) {
-        return mapping.factory(error48, mapping.additionalContext);
-      }
-    }
-    if (defaultFactory) {
-      return defaultFactory(error48);
-    }
-    return error48 instanceof Error ? error48 : new Error(String(error48));
-  }
-  static formatError(error48) {
-    if (error48 instanceof McpError) {
-      return {
-        code: error48.code,
-        message: error48.message,
-        data: typeof error48.data === "object" && error48.data !== null ? error48.data : {}
-      };
-    }
-    if (error48 instanceof Error) {
-      return {
-        code: ErrorHandler.determineErrorCode(error48),
-        message: error48.message,
-        data: { errorType: error48.name || "Error" }
-      };
-    }
-    return {
-      code: -32099 /* UnknownError */,
-      message: getErrorMessage(error48),
-      data: { errorType: getErrorName(error48) }
-    };
-  }
-  static async tryCatch(fn, options) {
-    try {
-      return await Promise.resolve(fn());
-    } catch (caughtError) {
-      throw ErrorHandler.handleError(caughtError, {
-        ...options,
-        rethrow: true
-      });
-    }
-  }
-}
-var import_api3;
-var init_errorHandler = __esm(() => {
-  init_errors3();
-  init_utils();
-  init_logger();
-  init_mappings();
-  import_api3 = __toESM(require_src(), 1);
-});
-
-// src/utils/internal/error-handler/index.ts
-var init_error_handler = __esm(() => {
-  init_errorHandler();
-});
-
-// src/utils/internal/runtime.ts
-function detectRuntime() {
-  if (runtimeCaps.isBun) {
-    return "bun";
-  }
-  if (runtimeCaps.isNode) {
-    return "node";
-  }
-  if (runtimeCaps.isWorkerLike) {
-    return "worker";
-  }
-  if (runtimeCaps.isBrowserLike) {
-    return "browser";
-  }
-  return "unknown";
-}
-function getRuntimeDescription() {
-  const runtime = detectRuntime();
-  switch (runtime) {
-    case "bun":
-      return `Bun ${process.versions?.bun || "unknown"}`;
-    case "node":
-      return `Node.js ${process.versions?.node || "unknown"}`;
-    case "worker":
-      return "Cloudflare Workers / Web Worker";
-    case "browser":
-      return "Browser";
-    default:
-      return "Unknown runtime";
-  }
-}
-var safeHas = (key) => {
-  try {
-    return typeof globalThis[key] !== "undefined";
-  } catch {
-    return false;
-  }
-}, isBun, isNode, hasProcess, hasBuffer, hasTextEncoder, hasPerformanceNow, isWorkerLike, isBrowserLike, runtimeCaps;
-var init_runtime = __esm(() => {
-  isBun = typeof globalThis.Bun !== "undefined" || typeof process.versions?.bun === "string";
-  isNode = !isBun && typeof process !== "undefined" && typeof process.versions?.node === "string";
-  hasProcess = typeof process !== "undefined";
-  hasBuffer = typeof Buffer !== "undefined";
-  hasTextEncoder = safeHas("TextEncoder");
-  hasPerformanceNow = typeof globalThis.performance?.now === "function";
-  isWorkerLike = !isNode && !isBun && typeof globalThis.WorkerGlobalScope !== "undefined";
-  isBrowserLike = !isNode && !isBun && !isWorkerLike && safeHas("window");
-  runtimeCaps = {
-    isNode,
-    isBun,
-    isWorkerLike,
-    isBrowserLike,
-    hasProcess,
-    hasBuffer,
-    hasTextEncoder,
-    hasPerformanceNow
-  };
-});
-
-// src/utils/internal/health.ts
-function getHealthSnapshot() {
-  return {
-    app: {
-      name: config2.mcpServerName,
-      version: config2.mcpServerVersion,
-      environment: config2.environment
-    },
-    runtime: {
-      isNode: runtimeCaps.isNode,
-      isWorkerLike: runtimeCaps.isWorkerLike,
-      isBrowserLike: runtimeCaps.isBrowserLike
-    },
-    telemetry: {
-      enabled: Boolean(config2.openTelemetry.enabled),
-      diagLevel: config2.openTelemetry.logLevel
-    },
-    logging: {
-      initialized: logger.isInitialized()
-    }
-  };
-}
-var init_health = __esm(() => {
-  init_config();
-  init_logger();
-  init_runtime();
-});
-
-// src/utils/telemetry/semconv.ts
-var ATTR_CODE_FUNCTION = "code.function", ATTR_CODE_NAMESPACE = "code.namespace", ATTR_MCP_TOOL_INPUT_BYTES = "mcp.tool.input_bytes", ATTR_MCP_TOOL_OUTPUT_BYTES = "mcp.tool.output_bytes", ATTR_MCP_TOOL_DURATION_MS = "mcp.tool.duration_ms", ATTR_MCP_TOOL_SUCCESS = "mcp.tool.success", ATTR_MCP_TOOL_ERROR_CODE = "mcp.tool.error_code", ATTR_MCP_TOOL_MEMORY_RSS_BEFORE = "mcp.tool.memory_rss_bytes.before", ATTR_MCP_TOOL_MEMORY_RSS_AFTER = "mcp.tool.memory_rss_bytes.after", ATTR_MCP_TOOL_MEMORY_RSS_DELTA = "mcp.tool.memory_rss_bytes.delta", ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE = "mcp.tool.memory_heap_used_bytes.before", ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER = "mcp.tool.memory_heap_used_bytes.after", ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA = "mcp.tool.memory_heap_used_bytes.delta";
-
-// src/utils/internal/performance.ts
-async function loadPerfHooks() {
-  return import("perf_hooks");
-}
-async function initializePerformance_Hrt() {
-  const globalWithPerf = globalThis;
-  if (typeof globalWithPerf.performance?.now === "function") {
-    const perf = globalWithPerf.performance;
-    performanceNow = () => perf?.now() ?? Date.now();
-  } else {
-    try {
-      const { performance: nodePerformance } = await loadPerfHooks();
-      performanceNow = () => nodePerformance.now();
-    } catch (_e) {
-      performanceNow = () => Date.now();
-      logger.warning("Could not import perf_hooks, falling back to Date.now() for performance timing.");
-    }
-  }
-}
-async function measureToolExecution(toolLogicFn, context, inputPayload) {
-  const tracer = import_api4.trace.getTracer(config2.openTelemetry.serviceName, config2.openTelemetry.serviceVersion);
-  const { toolName } = context;
-  return tracer.startActiveSpan(`tool_execution:${toolName}`, async (span) => {
-    const memBefore = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
-    const t0 = nowMs();
-    span.setAttributes({
-      [ATTR_CODE_FUNCTION]: toolName,
-      [ATTR_CODE_NAMESPACE]: "mcp-tools",
-      [ATTR_MCP_TOOL_INPUT_BYTES]: toBytes(inputPayload),
-      [ATTR_MCP_TOOL_MEMORY_RSS_BEFORE]: memBefore.rss,
-      [ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE]: memBefore.heapUsed
-    });
-    let ok = false;
-    let errorCode;
-    let output;
-    try {
-      const result = await toolLogicFn();
-      ok = true;
-      output = result;
-      span.setStatus({ code: import_api4.SpanStatusCode.OK });
-      span.setAttribute(ATTR_MCP_TOOL_OUTPUT_BYTES, toBytes(output));
-      return result;
-    } catch (err) {
-      if (err instanceof McpError)
-        errorCode = String(err.code);
-      else if (err instanceof Error)
-        errorCode = "UNHANDLED_ERROR";
-      else
-        errorCode = "UNKNOWN_ERROR";
-      if (err instanceof Error)
-        span.recordException(err);
-      span.setStatus({
-        code: import_api4.SpanStatusCode.ERROR,
-        message: err instanceof Error ? err.message : String(err)
-      });
-      throw err;
-    } finally {
-      const t1 = nowMs();
-      const durationMs = Number((t1 - t0).toFixed(2));
-      const memAfter = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
-      const rssDelta = memAfter.rss - memBefore.rss;
-      const heapUsedDelta = memAfter.heapUsed - memBefore.heapUsed;
-      span.setAttributes({
-        [ATTR_MCP_TOOL_DURATION_MS]: durationMs,
-        [ATTR_MCP_TOOL_SUCCESS]: ok,
-        [ATTR_MCP_TOOL_MEMORY_RSS_AFTER]: memAfter.rss,
-        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER]: memAfter.heapUsed,
-        [ATTR_MCP_TOOL_MEMORY_RSS_DELTA]: rssDelta,
-        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA]: heapUsedDelta
-      });
-      if (errorCode)
-        span.setAttribute(ATTR_MCP_TOOL_ERROR_CODE, errorCode);
-      span.end();
-      logger.info("Tool execution finished.", {
-        ...context,
-        metrics: {
-          durationMs,
-          isSuccess: ok,
-          errorCode,
-          inputBytes: toBytes(inputPayload),
-          outputBytes: toBytes(output),
-          memory: {
-            rss: {
-              before: memBefore.rss,
-              after: memAfter.rss,
-              delta: rssDelta
-            },
-            heapUsed: {
-              before: memBefore.heapUsed,
-              after: memAfter.heapUsed,
-              delta: heapUsedDelta
-            }
-          }
-        }
-      });
-    }
-  });
-}
-var import_api4, performanceNow = () => Date.now(), nowMs = () => performanceNow(), toBytes = (payload) => {
-  if (payload == null)
-    return 0;
-  try {
-    const json2 = JSON.stringify(payload);
-    if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
-      const bytes = Buffer.byteLength(json2, "utf8");
-      return bytes;
-    }
-    if (typeof TextEncoder !== "undefined") {
-      return new TextEncoder().encode(json2).length;
-    }
-    return json2.length;
-  } catch {
-    return 0;
-  }
-};
-var init_performance = __esm(() => {
-  init_config();
-  init_errors3();
-  init_logger();
-  import_api4 = __toESM(require_src(), 1);
-});
-
-// src/utils/internal/startupBanner.ts
-function logStartupBanner(message, transportType) {
-  if (process.stdout.isTTY) {
-    if (transportType === "stdio") {
-      console.error(message);
-    } else {
-      console.log(message);
-    }
-  }
-}
-
-// src/utils/internal/index.ts
-var init_internal = __esm(() => {
-  init_error_handler();
-  init_health();
-  init_logger();
-  init_performance();
-  init_requestContext();
-  init_runtime();
-});
-
-// src/utils/metrics/tokenCounter.ts
-function getModelHeuristics(model) {
-  const key = (model ?? DEFAULT_MODEL).toLowerCase();
-  const found = HEURISTICS[key];
-  return found ?? HEURISTICS.default;
-}
-function nonEmptyString(s2) {
-  return typeof s2 === "string" && s2.length > 0;
-}
-function approxTokenCount(text, charsPerToken) {
-  if (!text)
-    return 0;
-  const normalized = text.replace(/\s+/g, " ").trim();
-  if (!normalized)
-    return 0;
-  return Math.ceil(normalized.length / Math.max(1, charsPerToken));
-}
-async function countTokens(text, context, model) {
-  return ErrorHandler.tryCatch(() => {
-    const h2 = getModelHeuristics(model);
-    return approxTokenCount(text ?? "", h2.charsPerToken);
-  }, {
-    operation: "countTokens",
-    ...context && { context },
-    input: {
-      textSample: nonEmptyString(text) ? text.length > 53 ? `${text.slice(0, 50)}...` : text : ""
-    },
-    errorCode: -32603 /* InternalError */
-  });
-}
-async function countChatTokens(messages, context, model) {
-  return ErrorHandler.tryCatch(() => {
-    const h2 = getModelHeuristics(model);
-    let tokens = 0;
-    for (const message of messages) {
-      tokens += h2.tokensPerMessage;
-      tokens += 1;
-      if (typeof message.content === "string") {
-        tokens += approxTokenCount(message.content, h2.charsPerToken);
-      } else if (Array.isArray(message.content)) {
-        for (const part of message.content) {
-          if (part && part.type === "text" && nonEmptyString(part.text)) {
-            tokens += approxTokenCount(part.text, h2.charsPerToken);
-          } else if (part) {
-            logger.warning(`Non-text content part found (type: ${String(part.type)}), token count contribution ignored.`, context);
-          }
-        }
-      }
-      if (message.name) {
-        tokens += h2.tokensPerName;
-        tokens += approxTokenCount(message.name, h2.charsPerToken);
-      }
-      if (message.role === "assistant" && Array.isArray(message.tool_calls)) {
-        for (const toolCall of message.tool_calls) {
-          if (toolCall?.type === "function") {
-            if (toolCall.function?.name) {
-              tokens += approxTokenCount(toolCall.function.name, h2.charsPerToken);
-            }
-            if (toolCall.function?.arguments) {
-              tokens += approxTokenCount(toolCall.function.arguments, h2.charsPerToken);
-            }
-          }
-        }
-      }
-      if (message.role === "tool" && message.tool_call_id) {
-        tokens += approxTokenCount(message.tool_call_id, h2.charsPerToken);
-      }
-    }
-    tokens += h2.replyPrimer;
-    return tokens;
-  }, {
-    operation: "countChatTokens",
-    ...context && { context },
-    input: { messageCount: messages.length },
-    errorCode: -32603 /* InternalError */
-  });
-}
-var DEFAULT_MODEL = "gpt-4o", HEURISTICS;
-var init_tokenCounter = __esm(() => {
-  init_utils();
-  HEURISTICS = {
-    "gpt-4o": {
-      charsPerToken: 4,
-      tokensPerMessage: 3,
-      tokensPerName: 1,
-      replyPrimer: 3
-    },
-    "gpt-4o-mini": {
-      charsPerToken: 4,
-      tokensPerMessage: 3,
-      tokensPerName: 1,
-      replyPrimer: 3
-    },
-    default: {
-      charsPerToken: 4,
-      tokensPerMessage: 3,
-      tokensPerName: 1,
-      replyPrimer: 3
-    }
-  };
-});
-
-// src/utils/metrics/registry.ts
-function getMeter() {
-  return import_api5.metrics.getMeter(config2.openTelemetry.serviceName, config2.openTelemetry.serviceVersion);
-}
-function isEnabled() {
-  return Boolean(config2.openTelemetry.enabled);
-}
-function getCounter(name, description, unit) {
-  if (!isEnabled()) {
-    return {
-      add: () => {
-        return;
-      },
-      bind: () => ({ add: () => {
-        return;
-      } }),
-      unbind: () => {
-        return;
-      }
-    };
-  }
-  const key = `${name}|${description ?? ""}|${unit ?? ""}`;
-  const existing = counters.get(key);
-  if (existing)
-    return existing;
-  const opts = {};
-  if (description !== undefined)
-    opts.description = description;
-  if (unit !== undefined)
-    opts.unit = unit;
-  const counter = Object.keys(opts).length ? getMeter().createCounter(name, opts) : getMeter().createCounter(name);
-  counters.set(key, counter);
-  return counter;
-}
-function getHistogram(name, description, unit) {
-  if (!isEnabled()) {
-    return {
-      record: () => {
-        return;
-      },
-      bind: () => ({ record: () => {
-        return;
-      } }),
-      unbind: () => {
-        return;
-      }
-    };
-  }
-  const key = `${name}|${description ?? ""}|${unit ?? ""}`;
-  const existing = histograms.get(key);
-  if (existing)
-    return existing;
-  const opts = {};
-  if (description !== undefined)
-    opts.description = description;
-  if (unit !== undefined)
-    opts.unit = unit;
-  const histogram = Object.keys(opts).length ? getMeter().createHistogram(name, opts) : getMeter().createHistogram(name);
-  histograms.set(key, histogram);
-  return histogram;
-}
-function add(name, value, attributes, description, unit) {
-  const c = getCounter(name, description, unit);
-  c.add(value, attributes);
-}
-function record2(name, value, attributes, description, unit) {
-  const h2 = getHistogram(name, description, unit);
-  h2.record(value, attributes);
-}
-var import_api5, counters, histograms, metricsRegistry;
-var init_registry = __esm(() => {
-  init_config();
-  import_api5 = __toESM(require_src(), 1);
-  counters = new Map;
-  histograms = new Map;
-  metricsRegistry = {
-    getCounter,
-    getHistogram,
-    add,
-    record: record2,
-    enabled: isEnabled
-  };
-});
-
-// src/utils/metrics/index.ts
-var init_metrics = __esm(() => {
-  init_tokenCounter();
-  init_registry();
-});
-
-// src/utils/security/idGenerator.ts
-import { randomUUID as cryptoRandomUUID, randomBytes } from "crypto";
-
-class IdGenerator {
-  static DEFAULT_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  static DEFAULT_SEPARATOR = "_";
-  static DEFAULT_LENGTH = 6;
-  entityPrefixes = {};
-  prefixToEntityType = {};
-  constructor(entityPrefixes = {}) {
-    this.setEntityPrefixes(entityPrefixes);
-  }
-  setEntityPrefixes(entityPrefixes) {
-    this.entityPrefixes = { ...entityPrefixes };
-    this.prefixToEntityType = Object.entries(this.entityPrefixes).reduce((acc, [type, prefix]) => {
-      acc[prefix.toLowerCase()] = type;
-      return acc;
-    }, {});
-  }
-  getEntityPrefixes() {
-    return { ...this.entityPrefixes };
-  }
-  generateRandomString(length = IdGenerator.DEFAULT_LENGTH, charset = IdGenerator.DEFAULT_CHARSET) {
-    let result = "";
-    const maxValidByteValue = Math.floor(256 / charset.length) * charset.length;
-    while (result.length < length) {
-      const byteBuffer = randomBytes(1);
-      const byte = byteBuffer[0];
-      if (byte !== undefined && byte < maxValidByteValue) {
-        const charIndex = byte % charset.length;
-        const char = charset[charIndex];
-        if (char) {
-          result += char;
-        }
-      }
-    }
-    return result;
-  }
-  generate(prefix, options = {}) {
-    const {
-      length = IdGenerator.DEFAULT_LENGTH,
-      separator = IdGenerator.DEFAULT_SEPARATOR,
-      charset = IdGenerator.DEFAULT_CHARSET
-    } = options;
-    const randomPart = this.generateRandomString(length, charset);
-    const generatedId = prefix ? `${prefix}${separator}${randomPart}` : randomPart;
-    return generatedId;
-  }
-  generateForEntity(entityType, options = {}) {
-    const prefix = this.entityPrefixes[entityType];
-    if (!prefix) {
-      throw new McpError(-32007 /* ValidationError */, `Unknown entity type: ${entityType}. No prefix registered.`);
-    }
-    return this.generate(prefix, options);
-  }
-  isValid(id, entityType, options = {}) {
-    const prefix = this.entityPrefixes[entityType];
-    const {
-      length = IdGenerator.DEFAULT_LENGTH,
-      separator = IdGenerator.DEFAULT_SEPARATOR,
-      charset = IdGenerator.DEFAULT_CHARSET
-    } = options;
-    if (!prefix) {
-      return false;
-    }
-    const escapedCharsetForClass = charset.replace(/[[\]\\^-]/g, "\\$&");
-    const charsetRegexPart = `[${escapedCharsetForClass}]`;
-    const pattern = new RegExp(`^${this.escapeRegex(prefix)}${this.escapeRegex(separator)}${charsetRegexPart}{${length}}$`);
-    return pattern.test(id);
-  }
-  escapeRegex(str) {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-  }
-  stripPrefix(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
-    const parts = id.split(separator);
-    return parts.length > 1 ? parts.slice(1).join(separator) : id;
-  }
-  getEntityType(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
-    const parts = id.split(separator);
-    if (parts.length < 2 || !parts[0]) {
-      throw new McpError(-32007 /* ValidationError */, `Invalid ID format: ${id}. Expected format like: PREFIX${separator}RANDOMLPART`);
-    }
-    const prefix = parts[0];
-    const entityType = this.prefixToEntityType[prefix.toLowerCase()];
-    if (!entityType) {
-      throw new McpError(-32007 /* ValidationError */, `Unknown entity type for prefix: ${prefix}`);
-    }
-    return entityType;
-  }
-  normalize(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
-    const entityType = this.getEntityType(id, separator);
-    const registeredPrefix = this.entityPrefixes[entityType];
-    const idParts = id.split(separator);
-    const randomPart = idParts.slice(1).join(separator);
-    return `${registeredPrefix}${separator}${randomPart.toUpperCase()}`;
-  }
-}
-var idGenerator, generateUUID = () => {
-  return cryptoRandomUUID();
-}, generateRequestContextId = () => {
-  const generateSecureRandomString = (length, charset2) => {
-    let result = "";
-    const maxValidByteValue = Math.floor(256 / charset2.length) * charset2.length;
-    while (result.length < length) {
-      const byteBuffer = randomBytes(1);
-      const byte = byteBuffer[0];
-      if (byte !== undefined && byte < maxValidByteValue) {
-        const charIndex = byte % charset2.length;
-        const char = charset2[charIndex];
-        if (char) {
-          result += char;
-        }
-      }
-    }
-    return result;
-  };
-  const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-  const part1 = generateSecureRandomString(5, charset);
-  const part2 = generateSecureRandomString(5, charset);
-  return `${part1}-${part2}`;
-};
-var init_idGenerator = __esm(() => {
-  init_errors3();
-  idGenerator = new IdGenerator;
-});
-
 // node_modules/tsyringe/node_modules/tslib/tslib.js
 var require_tslib = __commonJS((exports, module) => {
   /*! *****************************************************************************
@@ -114593,7 +113122,7 @@ var require_registry2 = __commonJS((exports) => {
   Object.defineProperty(exports, "__esModule", { value: true });
   var tslib_1 = require_tslib();
   var dependency_container_1 = require_dependency_container();
-  function registry3(registrations = []) {
+  function registry2(registrations = []) {
     return function(target) {
       registrations.forEach((_a2) => {
         var { token, options } = _a2, provider = tslib_1.__rest(_a2, ["token", "options"]);
@@ -114602,7 +113131,7 @@ var require_registry2 = __commonJS((exports) => {
       return target;
     };
   }
-  exports.default = registry3;
+  exports.default = registry2;
 });
 
 // node_modules/tsyringe/dist/cjs/decorators/singleton.js
@@ -114846,195 +113375,6 @@ var init_tokens = __esm(() => {
   GitProviderFactory = Symbol("GitProviderFactory");
 });
 
-// src/utils/security/rateLimiter.ts
-var import_api6, import_tsyringe, RateLimiter;
-var init_rateLimiter = __esm(() => {
-  init_tokens();
-  init_errors3();
-  init_utils();
-  import_api6 = __toESM(require_src(), 1);
-  import_tsyringe = __toESM(require_cjs2(), 1);
-  RateLimiter = class RateLimiter {
-    config;
-    logger;
-    limits;
-    cleanupTimer = null;
-    effectiveConfig;
-    constructor(config3, logger3) {
-      this.config = config3;
-      this.logger = logger3;
-      const defaultConfig = {
-        windowMs: 15 * 60 * 1000,
-        maxRequests: 100,
-        errorMessage: "Rate limit exceeded. Please try again in {waitTime} seconds.",
-        skipInDevelopment: false,
-        cleanupInterval: 5 * 60 * 1000
-      };
-      this.effectiveConfig = { ...defaultConfig };
-      this.limits = new Map;
-      this.startCleanupTimer();
-    }
-    startCleanupTimer() {
-      if (this.cleanupTimer) {
-        clearInterval(this.cleanupTimer);
-      }
-      const interval = this.effectiveConfig.cleanupInterval;
-      if (interval && interval > 0) {
-        this.cleanupTimer = setInterval(() => {
-          this.cleanupExpiredEntries();
-        }, interval);
-        if (this.cleanupTimer.unref) {
-          this.cleanupTimer.unref();
-        }
-      }
-    }
-    cleanupExpiredEntries() {
-      const now = Date.now();
-      let expiredCount = 0;
-      for (const [key, entry] of this.limits.entries()) {
-        if (now >= entry.resetTime) {
-          this.limits.delete(key);
-          expiredCount++;
-        }
-      }
-      if (expiredCount > 0) {
-        const logContext = requestContextService.createRequestContext({
-          operation: "RateLimiter.cleanupExpiredEntries",
-          additionalContext: {
-            cleanedCount: expiredCount,
-            totalRemainingAfterClean: this.limits.size
-          }
-        });
-        this.logger.debug(`Cleaned up ${expiredCount} expired rate limit entries`, logContext);
-      }
-    }
-    configure(config3) {
-      Object.assign(this.effectiveConfig, config3);
-      if (config3.cleanupInterval !== undefined) {
-        this.startCleanupTimer();
-      }
-    }
-    getConfig() {
-      return { ...this.effectiveConfig };
-    }
-    reset() {
-      this.limits.clear();
-      const logContext = requestContextService.createRequestContext({
-        operation: "RateLimiter.reset"
-      });
-      this.logger.debug("Rate limiter reset, all limits cleared", logContext);
-    }
-    check(key, context) {
-      const activeSpan = import_api6.trace.getActiveSpan();
-      activeSpan?.setAttribute("mcp.rate_limit.checked", true);
-      if (this.effectiveConfig.skipInDevelopment && this.config.environment === "development") {
-        activeSpan?.setAttribute("mcp.rate_limit.skipped", "development");
-        return;
-      }
-      const limitKey = this.effectiveConfig.keyGenerator ? this.effectiveConfig.keyGenerator(key, context) : key;
-      activeSpan?.setAttribute("mcp.rate_limit.key", limitKey);
-      const now = Date.now();
-      let entry = this.limits.get(limitKey);
-      if (!entry || now >= entry.resetTime) {
-        entry = {
-          count: 1,
-          resetTime: now + this.effectiveConfig.windowMs
-        };
-        this.limits.set(limitKey, entry);
-      } else {
-        entry.count++;
-      }
-      const remaining = Math.max(0, this.effectiveConfig.maxRequests - entry.count);
-      activeSpan?.setAttributes({
-        "mcp.rate_limit.limit": this.effectiveConfig.maxRequests,
-        "mcp.rate_limit.count": entry.count,
-        "mcp.rate_limit.remaining": remaining
-      });
-      if (entry.count > this.effectiveConfig.maxRequests) {
-        const waitTime = Math.ceil((entry.resetTime - now) / 1000);
-        const errorMessage = (this.effectiveConfig.errorMessage || "Rate limit exceeded. Please try again in {waitTime} seconds.").replace("{waitTime}", waitTime.toString());
-        activeSpan?.addEvent("rate_limit_exceeded", {
-          "mcp.rate_limit.wait_time_seconds": waitTime
-        });
-        throw new McpError(-32003 /* RateLimited */, errorMessage, {
-          waitTimeSeconds: waitTime,
-          key: limitKey,
-          limit: this.effectiveConfig.maxRequests,
-          windowMs: this.effectiveConfig.windowMs
-        });
-      }
-    }
-    getStatus(key) {
-      const entry = this.limits.get(key);
-      if (!entry)
-        return null;
-      return {
-        current: entry.count,
-        limit: this.effectiveConfig.maxRequests,
-        remaining: Math.max(0, this.effectiveConfig.maxRequests - entry.count),
-        resetTime: entry.resetTime
-      };
-    }
-    dispose() {
-      if (this.cleanupTimer) {
-        clearInterval(this.cleanupTimer);
-        this.cleanupTimer = null;
-      }
-      this.limits.clear();
-    }
-  };
-  RateLimiter = __legacyDecorateClassTS([
-    import_tsyringe.injectable(),
-    __legacyDecorateParamTS(0, import_tsyringe.inject(AppConfig)),
-    __legacyDecorateParamTS(1, import_tsyringe.inject(Logger2)),
-    __legacyMetadataTS("design:paramtypes", [
-      Object,
-      Object
-    ])
-  ], RateLimiter);
-});
-
-// src/utils/security/index.ts
-var init_security = __esm(() => {
-  init_idGenerator();
-  init_rateLimiter();
-  init_sanitization();
-});
-
-// src/utils/index.ts
-var exports_utils = {};
-__export(exports_utils, {
-  sanitizeInputForLogging: () => sanitizeInputForLogging,
-  sanitization: () => sanitization,
-  runtimeCaps: () => runtimeCaps,
-  requestContextService: () => requestContextService,
-  nowMs: () => nowMs,
-  metricsRegistry: () => metricsRegistry,
-  measureToolExecution: () => measureToolExecution,
-  logger: () => logger,
-  logStartupBanner: () => logStartupBanner,
-  loadPerfHooks: () => loadPerfHooks,
-  initializePerformance_Hrt: () => initializePerformance_Hrt,
-  idGenerator: () => idGenerator,
-  getRuntimeDescription: () => getRuntimeDescription,
-  getHealthSnapshot: () => getHealthSnapshot,
-  generateUUID: () => generateUUID,
-  generateRequestContextId: () => generateRequestContextId,
-  detectRuntime: () => detectRuntime,
-  countTokens: () => countTokens,
-  countChatTokens: () => countChatTokens,
-  Sanitization: () => Sanitization,
-  RateLimiter: () => RateLimiter,
-  Logger: () => Logger,
-  IdGenerator: () => IdGenerator,
-  ErrorHandler: () => ErrorHandler
-});
-var init_utils = __esm(() => {
-  init_internal();
-  init_metrics();
-  init_security();
-});
-
 // node_modules/tslib/tslib.js
 var require_tslib2 = __commonJS((exports, module) => {
   var __extends;
@@ -116170,22 +114510,22 @@ var require_transformers = __commonJS((exports) => {
     PostgresTypes2["tsrange"] = "tsrange";
     PostgresTypes2["tstzrange"] = "tstzrange";
   })(PostgresTypes || (exports.PostgresTypes = PostgresTypes = {}));
-  var convertChangeData = (columns, record3, options = {}) => {
+  var convertChangeData = (columns, record2, options = {}) => {
     var _a2;
     const skipTypes = (_a2 = options.skipTypes) !== null && _a2 !== undefined ? _a2 : [];
-    if (!record3) {
+    if (!record2) {
       return {};
     }
-    return Object.keys(record3).reduce((acc, rec_key) => {
-      acc[rec_key] = (0, exports.convertColumn)(rec_key, columns, record3, skipTypes);
+    return Object.keys(record2).reduce((acc, rec_key) => {
+      acc[rec_key] = (0, exports.convertColumn)(rec_key, columns, record2, skipTypes);
       return acc;
     }, {});
   };
   exports.convertChangeData = convertChangeData;
-  var convertColumn = (columnName, columns, record3, skipTypes) => {
+  var convertColumn = (columnName, columns, record2, skipTypes) => {
     const column = columns.find((x2) => x2.name === columnName);
     const colType = column === null || column === undefined ? undefined : column.type;
-    const value = record3[columnName];
+    const value = record2[columnName];
     if (colType && !skipTypes.includes(colType)) {
       return (0, exports.convertCell)(colType, value);
     }
@@ -127950,13 +126290,13 @@ var require_core = __commonJS((exports) => {
     return metaOpts;
   }
   var noLogs = { log() {}, warn() {}, error() {} };
-  function getLogger(logger3) {
-    if (logger3 === false)
+  function getLogger(logger2) {
+    if (logger2 === false)
       return noLogs;
-    if (logger3 === undefined)
+    if (logger2 === undefined)
       return console;
-    if (logger3.log && logger3.warn && logger3.error)
-      return logger3;
+    if (logger2.log && logger2.warn && logger2.error)
+      return logger2;
     throw new Error("logger must implement log, warn and error methods");
   }
   var KEYWORD_NAME = /^[a-z_$][a-z0-9_$:-]*$/i;
@@ -130301,10 +128641,1377 @@ async function shutdownOpenTelemetry() {
   }
 }
 
-// src/index.ts
-init_utils();
-init_logger();
-init_runtime();
+// src/utils/internal/error-handler/errorHandler.ts
+init_errors3();
+var import_api3 = __toESM(require_src(), 1);
+
+// src/utils/internal/logger.ts
+init_config();
+import pino from "pino";
+
+// src/utils/internal/requestContext.ts
+var import_api2 = __toESM(require_src(), 1);
+
+// src/mcp-server/transports/auth/lib/authContext.ts
+import { AsyncLocalStorage } from "async_hooks";
+var authContext = new AsyncLocalStorage;
+
+// src/utils/internal/requestContext.ts
+var requestContextServiceInstance = {
+  config: {},
+  configure(config3) {
+    this.config = {
+      ...this.config,
+      ...config3
+    };
+    const logContext = this.createRequestContext({
+      operation: "RequestContextService.configure",
+      additionalContext: { newConfigState: { ...this.config } }
+    });
+    logger.debug("RequestContextService configuration updated", logContext);
+    return { ...this.config };
+  },
+  getConfig() {
+    return { ...this.config };
+  },
+  createRequestContext(params = {}) {
+    const { parentContext, additionalContext, operation, ...rest } = params;
+    const inheritedContext = parentContext && typeof parentContext === "object" ? { ...parentContext } : {};
+    let inheritedTenantId;
+    if (inheritedContext && typeof inheritedContext === "object" && "tenantId" in inheritedContext && typeof inheritedContext.tenantId === "string") {
+      inheritedTenantId = inheritedContext.tenantId;
+    }
+    const authStore = authContext.getStore();
+    const tenantIdFromAuth = authStore?.authInfo?.tenantId;
+    const inheritedRequestId = inheritedContext.requestId;
+    const requestId = typeof inheritedRequestId === "string" && inheritedRequestId ? inheritedRequestId : generateRequestContextId();
+    const timestamp = new Date().toISOString();
+    const restTenantId = typeof rest.tenantId === "string" ? rest.tenantId : undefined;
+    const additionalTenantId = additionalContext && typeof additionalContext === "object" && typeof additionalContext.tenantId === "string" ? additionalContext.tenantId : undefined;
+    const resolvedTenantId = additionalTenantId ?? restTenantId ?? inheritedTenantId ?? tenantIdFromAuth;
+    const context = {
+      ...inheritedContext,
+      ...rest,
+      requestId,
+      timestamp,
+      ...resolvedTenantId ? { tenantId: resolvedTenantId } : {},
+      ...additionalContext && typeof additionalContext === "object" ? additionalContext : {},
+      ...operation && typeof operation === "string" ? { operation } : {}
+    };
+    const activeSpan = import_api2.trace.getActiveSpan();
+    if (activeSpan && typeof activeSpan.spanContext === "function") {
+      const spanContext = activeSpan.spanContext();
+      if (spanContext) {
+        context.traceId = spanContext.traceId;
+        context.spanId = spanContext.spanId;
+      }
+    }
+    return context;
+  }
+};
+var requestContextService = requestContextServiceInstance;
+
+// src/utils/security/sanitization.ts
+init_errors3();
+var import_validator = __toESM(require_validator(), 1);
+var isServerless = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
+var pathModule;
+if (!isServerless) {
+  import("path").then((mod2) => {
+    pathModule = mod2.default;
+  }).catch(() => {});
+}
+
+class Sanitization {
+  static instance;
+  sensitiveFields = [
+    "password",
+    "token",
+    "secret",
+    "apiKey",
+    "credential",
+    "jwt",
+    "ssn",
+    "cvv",
+    "authorization",
+    "cookie",
+    "clientsecret",
+    "client_secret",
+    "private_key",
+    "privatekey"
+  ];
+  constructor() {}
+  static getInstance() {
+    if (!Sanitization.instance) {
+      Sanitization.instance = new Sanitization;
+    }
+    return Sanitization.instance;
+  }
+  setSensitiveFields(fields) {
+    this.sensitiveFields = [
+      ...new Set([
+        ...this.sensitiveFields,
+        ...fields.map((f3) => f3.toLowerCase())
+      ])
+    ];
+    const logContext = requestContextService.createRequestContext({
+      operation: "Sanitization.setSensitiveFields",
+      additionalContext: {
+        newSensitiveFieldCount: this.sensitiveFields.length
+      }
+    });
+    logger.debug("Updated sensitive fields list for log sanitization", logContext);
+  }
+  getSensitiveFields() {
+    return [...this.sensitiveFields];
+  }
+  getSensitivePinoFields() {
+    return this.sensitiveFields.map((field) => field.replace(/[-_]/g, ""));
+  }
+  sanitizeUrl(input, allowedProtocols = ["http", "https"]) {
+    try {
+      const trimmedInput = input.trim();
+      if (!import_validator.default.isURL(trimmedInput, {
+        protocols: allowedProtocols,
+        require_protocol: true,
+        require_host: true
+      })) {
+        throw new Error("Invalid URL format or protocol not in allowed list.");
+      }
+      const lowercasedInput = trimmedInput.toLowerCase();
+      if (lowercasedInput.startsWith("javascript:") || lowercasedInput.startsWith("data:") || lowercasedInput.startsWith("vbscript:")) {
+        throw new Error("Disallowed pseudo-protocol (javascript:, data:, or vbscript:) in URL.");
+      }
+      return trimmedInput;
+    } catch (error48) {
+      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe URL provided.", { input });
+    }
+  }
+  sanitizePath(input, options = {}) {
+    if (isServerless || !pathModule) {
+      throw new McpError(-32603 /* InternalError */, "File-based path sanitization is not supported in this environment.");
+    }
+    const path2 = pathModule;
+    const originalInput = input;
+    const resolvedRootDir = options.rootDir ? path2.resolve(options.rootDir) : undefined;
+    const effectiveOptions = {
+      toPosix: options.toPosix ?? false,
+      allowAbsolute: options.allowAbsolute ?? false,
+      ...resolvedRootDir && { rootDir: resolvedRootDir }
+    };
+    let wasAbsoluteInitially = false;
+    try {
+      if (!input || typeof input !== "string")
+        throw new Error("Invalid path input: must be a non-empty string.");
+      if (input.includes("\x00"))
+        throw new Error("Path contains null byte, which is disallowed.");
+      let normalized = path2.normalize(input);
+      wasAbsoluteInitially = path2.isAbsolute(normalized);
+      if (effectiveOptions.toPosix) {
+        normalized = normalized.replace(/\\/g, "/");
+      }
+      let finalSanitizedPath;
+      if (resolvedRootDir) {
+        let fullPath;
+        if (path2.isAbsolute(normalized)) {
+          fullPath = path2.normalize(normalized);
+        } else {
+          fullPath = path2.resolve(resolvedRootDir, normalized);
+        }
+        const normalizedRoot = path2.normalize(resolvedRootDir);
+        const normalizedFull = path2.normalize(fullPath);
+        if (!normalizedFull.startsWith(normalizedRoot + path2.sep) && normalizedFull !== normalizedRoot) {
+          throw new Error("Path traversal detected: attempts to escape the defined root directory.");
+        }
+        finalSanitizedPath = path2.relative(normalizedRoot, normalizedFull);
+        finalSanitizedPath = finalSanitizedPath === "" ? "." : finalSanitizedPath;
+        if (path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute) {
+          throw new Error("Path resolved to absolute outside root when absolute paths are disallowed.");
+        }
+      } else {
+        if (path2.isAbsolute(normalized)) {
+          if (!effectiveOptions.allowAbsolute) {
+            throw new Error("Absolute paths are disallowed by current options.");
+          } else {
+            finalSanitizedPath = normalized;
+          }
+        } else {
+          const resolvedAgainstCwd = path2.resolve(normalized);
+          const currentWorkingDir = path2.resolve(".");
+          if (!resolvedAgainstCwd.startsWith(currentWorkingDir + path2.sep) && resolvedAgainstCwd !== currentWorkingDir) {
+            throw new Error("Relative path traversal detected (escapes current working directory context).");
+          }
+          finalSanitizedPath = normalized;
+        }
+      }
+      return {
+        sanitizedPath: finalSanitizedPath,
+        originalInput,
+        wasAbsolute: wasAbsoluteInitially,
+        convertedToRelative: wasAbsoluteInitially && !path2.isAbsolute(finalSanitizedPath) && !effectiveOptions.allowAbsolute,
+        optionsUsed: effectiveOptions
+      };
+    } catch (error48) {
+      logger.warning("Path sanitization error", requestContextService.createRequestContext({
+        operation: "Sanitization.sanitizePath.error",
+        additionalContext: {
+          originalPathInput: originalInput,
+          pathOptionsUsed: effectiveOptions,
+          errorMessage: error48 instanceof Error ? error48.message : String(error48)
+        }
+      }));
+      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid or unsafe path provided.", { input: originalInput });
+    }
+  }
+  sanitizeJson(input, maxSize) {
+    try {
+      if (typeof input !== "string")
+        throw new Error("Invalid input: expected a JSON string.");
+      const computeBytes = (s2) => {
+        if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
+          return Buffer.byteLength(s2, "utf8");
+        }
+        if (typeof TextEncoder !== "undefined") {
+          return new TextEncoder().encode(s2).length;
+        }
+        return s2.length;
+      };
+      if (maxSize !== undefined && computeBytes(input) > maxSize) {
+        throw new McpError(-32007 /* ValidationError */, `JSON string exceeds maximum allowed size of ${maxSize} bytes.`, { actualSize: computeBytes(input), maxSize });
+      }
+      return JSON.parse(input);
+    } catch (error48) {
+      if (error48 instanceof McpError)
+        throw error48;
+      throw new McpError(-32007 /* ValidationError */, error48 instanceof Error ? error48.message : "Invalid JSON format.", {
+        inputPreview: input.length > 100 ? `${input.substring(0, 100)}...` : input
+      });
+    }
+  }
+  sanitizeNumber(input, min, max) {
+    let value;
+    if (typeof input === "string") {
+      const trimmedInput = input.trim();
+      if (trimmedInput === "" || !import_validator.default.isNumeric(trimmedInput)) {
+        throw new McpError(-32007 /* ValidationError */, "Invalid number format: input is empty or not numeric.", { input });
+      }
+      value = parseFloat(trimmedInput);
+    } else if (typeof input === "number") {
+      value = input;
+    } else {
+      throw new McpError(-32007 /* ValidationError */, "Invalid input type: expected number or string.", { input: String(input) });
+    }
+    if (isNaN(value) || !isFinite(value)) {
+      throw new McpError(-32007 /* ValidationError */, "Invalid number value (NaN or Infinity).", { input });
+    }
+    let clamped = false;
+    const originalValueForLog = value;
+    if (min !== undefined && value < min) {
+      value = min;
+      clamped = true;
+    }
+    if (max !== undefined && value > max) {
+      value = max;
+      clamped = true;
+    }
+    if (clamped) {
+      logger.debug("Number clamped to range.", requestContextService.createRequestContext({
+        operation: "Sanitization.sanitizeNumber.clamped",
+        additionalContext: {
+          originalInput: String(input),
+          parsedValue: originalValueForLog,
+          minValue: min,
+          maxValue: max,
+          clampedValue: value
+        }
+      }));
+    }
+    return value;
+  }
+  sanitizeForLogging(input) {
+    try {
+      if (!input || typeof input !== "object")
+        return input;
+      const clonedInput = typeof globalThis.structuredClone === "function" ? globalThis.structuredClone(input) : JSON.parse(JSON.stringify(input));
+      this.redactSensitiveFields(clonedInput);
+      return clonedInput;
+    } catch (error48) {
+      logger.error("Error during log sanitization, returning placeholder.", requestContextService.createRequestContext({
+        operation: "Sanitization.sanitizeForLogging.error",
+        additionalContext: {
+          errorMessage: error48 instanceof Error ? error48.message : String(error48)
+        }
+      }));
+      return "[Log Sanitization Failed]";
+    }
+  }
+  redactSensitiveFields(obj) {
+    if (!obj || typeof obj !== "object")
+      return;
+    if (Array.isArray(obj)) {
+      obj.forEach((item) => this.redactSensitiveFields(item));
+      return;
+    }
+    const normalize = (str) => str.toLowerCase().replace(/[^a-z0-9]/g, "");
+    const normalizedSensitiveSet = new Set(this.sensitiveFields.map((f3) => normalize(f3)).filter(Boolean));
+    const wordSensitiveSet = new Set(this.sensitiveFields.map((f3) => f3.toLowerCase()).filter(Boolean));
+    for (const key in obj) {
+      if (Object.prototype.hasOwnProperty.call(obj, key)) {
+        const value = obj[key];
+        const normalizedKey = normalize(key);
+        const keyWords = key.replace(/([A-Z])/g, " $1").toLowerCase().split(/[\s_-]+/).filter(Boolean);
+        const isExactSensitive = normalizedSensitiveSet.has(normalizedKey);
+        const isWordSensitive = keyWords.some((w) => wordSensitiveSet.has(w));
+        const isSensitive = isExactSensitive || isWordSensitive;
+        if (isSensitive) {
+          obj[key] = "[REDACTED]";
+        } else if (value && typeof value === "object") {
+          this.redactSensitiveFields(value);
+        }
+      }
+    }
+  }
+}
+var sanitization = Sanitization.getInstance();
+var sanitizeInputForLogging = (input) => sanitization.sanitizeForLogging(input);
+
+// src/utils/internal/logger.ts
+var mcpToPinoLevel = {
+  emerg: "fatal",
+  alert: "fatal",
+  crit: "error",
+  error: "error",
+  warning: "warn",
+  notice: "info",
+  info: "info",
+  debug: "debug"
+};
+var pinoToMcpLevelSeverity = {
+  fatal: 0,
+  error: 2,
+  warn: 4,
+  info: 6,
+  debug: 7
+};
+var isServerless2 = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
+
+class Logger {
+  static instance = new Logger;
+  pinoLogger;
+  interactionLogger;
+  initialized = false;
+  currentMcpLevel = "info";
+  transportType;
+  rateLimitThreshold = 10;
+  rateLimitWindow = 60000;
+  messageCounts = new Map;
+  suppressedMessages = new Map;
+  cleanupTimer;
+  constructor() {}
+  static getInstance() {
+    return Logger.instance;
+  }
+  async createPinoLogger(level, transportType) {
+    const pinoLevel = mcpToPinoLevel[level] || "info";
+    const pinoOptions = {
+      level: pinoLevel,
+      base: {
+        env: config2.environment,
+        version: config2.mcpServerVersion,
+        pid: !isServerless2 ? process.pid : undefined
+      },
+      redact: {
+        paths: sanitization.getSensitivePinoFields(),
+        censor: "[REDACTED]"
+      }
+    };
+    if (isServerless2) {
+      return pino(pinoOptions);
+    }
+    const { default: fs2 } = await import("fs");
+    const { default: path2 } = await import("path");
+    const transports = [];
+    const isDevelopment = config2.environment === "development";
+    const isTest = config2.environment === "testing";
+    const noColorEnv = process.env.NO_COLOR === "1" || process.env.FORCE_COLOR === "0";
+    const useColoredOutput = isDevelopment && transportType !== "stdio" && !noColorEnv;
+    if (useColoredOutput && !isServerless2) {
+      try {
+        const { createRequire: createRequire2 } = await import("node:module");
+        const require2 = createRequire2(import.meta.url);
+        const prettyTarget = require2.resolve("pino-pretty");
+        transports.push({
+          target: prettyTarget,
+          options: { colorize: true, translateTime: "yyyy-mm-dd HH:MM:ss" }
+        });
+      } catch (err) {
+        if (process.stderr?.isTTY) {
+          console.warn(`[Logger Init] Pretty transport unavailable (${err instanceof Error ? err.message : String(err)}); falling back to stdout JSON.`);
+        }
+        transports.push({ target: "pino/file", options: { destination: 1 } });
+      }
+    } else if (!isTest) {
+      transports.push({ target: "pino/file", options: { destination: 2 } });
+    }
+    if (config2.logsPath) {
+      try {
+        if (!fs2.existsSync(config2.logsPath)) {
+          fs2.mkdirSync(config2.logsPath, { recursive: true });
+        }
+        transports.push({
+          level: pinoLevel,
+          target: "pino/file",
+          options: {
+            destination: path2.join(config2.logsPath, "combined.log"),
+            mkdir: true
+          }
+        });
+        transports.push({
+          level: "error",
+          target: "pino/file",
+          options: {
+            destination: path2.join(config2.logsPath, "error.log"),
+            mkdir: true
+          }
+        });
+      } catch (err) {
+        if (process.stderr?.isTTY) {
+          console.error(`[Logger Init] Failed to configure file logging: ${err instanceof Error ? err.message : String(err)}`);
+        }
+      }
+    }
+    return pino({ ...pinoOptions, transport: { targets: transports } });
+  }
+  async createInteractionLogger() {
+    if (isServerless2 || !config2.logsPath)
+      return;
+    const { default: path2 } = await import("path");
+    return pino({
+      transport: {
+        target: "pino/file",
+        options: {
+          destination: path2.join(config2.logsPath, "interactions.log"),
+          mkdir: true
+        }
+      }
+    });
+  }
+  async initialize(level = "info", transportType) {
+    if (this.initialized) {
+      this.warning("Logger already initialized.", requestContextService.createRequestContext({
+        operation: "loggerReinit"
+      }));
+      return;
+    }
+    this.currentMcpLevel = level;
+    this.transportType = transportType;
+    this.pinoLogger = await this.createPinoLogger(level, transportType);
+    this.interactionLogger = await this.createInteractionLogger();
+    if (!isServerless2 && !this.cleanupTimer) {
+      this.cleanupTimer = setInterval(() => this.flushSuppressedMessages(), this.rateLimitWindow);
+      this.cleanupTimer.unref?.();
+    }
+    this.initialized = true;
+    this.info(`Logger initialized. MCP level: ${level}.`, requestContextService.createRequestContext({ operation: "loggerInit" }));
+  }
+  setLevel(newLevel) {
+    if (!this.pinoLogger || !this.initialized) {
+      if (process.stderr?.isTTY) {
+        console.error("Cannot set level: Logger not initialized.");
+      }
+      return;
+    }
+    this.currentMcpLevel = newLevel;
+    this.pinoLogger.level = mcpToPinoLevel[newLevel] || "info";
+    this.info(`Log level changed to ${newLevel}.`, requestContextService.createRequestContext({
+      operation: "loggerSetLevel"
+    }));
+  }
+  async close() {
+    if (!this.initialized)
+      return Promise.resolve();
+    this.info("Logger shutting down.", requestContextService.createRequestContext({ operation: "loggerClose" }));
+    if (this.cleanupTimer)
+      clearInterval(this.cleanupTimer);
+    this.flushSuppressedMessages();
+    await Promise.all([
+      new Promise((resolve) => {
+        if (this.pinoLogger) {
+          this.pinoLogger.flush((err) => {
+            if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
+              console.error("Error flushing main logger:", err);
+            }
+            resolve();
+          });
+        } else {
+          resolve();
+        }
+      }),
+      new Promise((resolve) => {
+        if (this.interactionLogger) {
+          this.interactionLogger.flush((err) => {
+            if (err && process.stderr?.isTTY && this.transportType !== "stdio") {
+              console.error("Error flushing interaction logger:", err);
+            }
+            resolve();
+          });
+        } else {
+          resolve();
+        }
+      })
+    ]);
+    this.initialized = false;
+  }
+  isInitialized() {
+    return this.initialized;
+  }
+  isRateLimited(message) {
+    const now = Date.now();
+    const entry = this.messageCounts.get(message);
+    if (!entry) {
+      this.messageCounts.set(message, { count: 1, firstSeen: now });
+      return false;
+    }
+    if (now - entry.firstSeen > this.rateLimitWindow) {
+      this.messageCounts.set(message, { count: 1, firstSeen: now });
+      return false;
+    }
+    entry.count++;
+    if (entry.count > this.rateLimitThreshold) {
+      this.suppressedMessages.set(message, (this.suppressedMessages.get(message) || 0) + 1);
+      return true;
+    }
+    return false;
+  }
+  flushSuppressedMessages() {
+    if (this.suppressedMessages.size === 0)
+      return;
+    for (const [message, count] of this.suppressedMessages.entries()) {
+      this.warning(`Log message suppressed ${count} times due to rate limiting.`, requestContextService.createRequestContext({
+        operation: "loggerRateLimitFlush",
+        additionalContext: { originalMessage: message }
+      }));
+    }
+    this.suppressedMessages.clear();
+    this.messageCounts.clear();
+  }
+  log(level, msg, context, error48) {
+    if (!this.pinoLogger || !this.initialized)
+      return;
+    const pinoLevel = mcpToPinoLevel[level] || "info";
+    const currentPinoLevel = mcpToPinoLevel[this.currentMcpLevel] || "info";
+    const levelSeverity = pinoToMcpLevelSeverity[pinoLevel];
+    const currentLevelSeverity = pinoToMcpLevelSeverity[currentPinoLevel];
+    if (typeof levelSeverity === "number" && typeof currentLevelSeverity === "number" && levelSeverity > currentLevelSeverity) {
+      return;
+    }
+    if (this.isRateLimited(msg))
+      return;
+    const logObject = { ...context };
+    if (error48)
+      logObject.err = pino.stdSerializers.err(error48);
+    this.pinoLogger[pinoLevel](logObject, msg);
+  }
+  debug(msg, context) {
+    this.log("debug", msg, context);
+  }
+  info(msg, context) {
+    this.log("info", msg, context);
+  }
+  notice(msg, context) {
+    this.log("notice", msg, context);
+  }
+  warning(msg, context) {
+    this.log("warning", msg, context);
+  }
+  error(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("error", msg, actualContext, errorObj);
+  }
+  crit(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("crit", msg, actualContext, errorObj);
+  }
+  alert(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("alert", msg, actualContext, errorObj);
+  }
+  emerg(msg, errorOrContext, context) {
+    const errorObj = errorOrContext instanceof Error ? errorOrContext : undefined;
+    const actualContext = errorOrContext instanceof Error ? context : errorOrContext;
+    this.log("emerg", msg, actualContext, errorObj);
+  }
+  fatal(msg, errorOrContext, context) {
+    this.emerg(msg, errorOrContext, context);
+  }
+  logInteraction(interactionName, data) {
+    if (!this.interactionLogger) {
+      if (!isServerless2)
+        this.warning("Interaction logger not available.", data.context || {});
+      return;
+    }
+    this.interactionLogger.info({ interactionName, ...data });
+  }
+}
+var logger = Logger.getInstance();
+
+// src/utils/internal/error-handler/mappings.ts
+var ERROR_TYPE_MAPPINGS = {
+  SyntaxError: -32007 /* ValidationError */,
+  TypeError: -32007 /* ValidationError */,
+  ReferenceError: -32603 /* InternalError */,
+  RangeError: -32007 /* ValidationError */,
+  URIError: -32007 /* ValidationError */,
+  EvalError: -32603 /* InternalError */,
+  AggregateError: -32603 /* InternalError */
+};
+var COMMON_ERROR_PATTERNS = [
+  {
+    pattern: /auth|unauthorized|unauthenticated|not.*logged.*in|invalid.*token|expired.*token/i,
+    errorCode: -32006 /* Unauthorized */
+  },
+  {
+    pattern: /permission|forbidden|access.*denied|not.*allowed/i,
+    errorCode: -32005 /* Forbidden */
+  },
+  {
+    pattern: /not found|missing|no such|doesn't exist|couldn't find/i,
+    errorCode: -32001 /* NotFound */
+  },
+  {
+    pattern: /invalid|validation|malformed|bad request|wrong format|missing required/i,
+    errorCode: -32007 /* ValidationError */
+  },
+  {
+    pattern: /conflict|already exists|duplicate|unique constraint/i,
+    errorCode: -32002 /* Conflict */
+  },
+  {
+    pattern: /rate limit|too many requests|throttled/i,
+    errorCode: -32003 /* RateLimited */
+  },
+  {
+    pattern: /timeout|timed out|deadline exceeded/i,
+    errorCode: -32004 /* Timeout */
+  },
+  {
+    pattern: /abort(ed)?|cancell?ed/i,
+    errorCode: -32004 /* Timeout */
+  },
+  {
+    pattern: /service unavailable|bad gateway|gateway timeout|upstream error/i,
+    errorCode: -32000 /* ServiceUnavailable */
+  },
+  {
+    pattern: /zod|zoderror|schema validation/i,
+    errorCode: -32007 /* ValidationError */
+  }
+];
+
+// src/utils/internal/error-handler/helpers.ts
+function createSafeRegex(pattern) {
+  if (pattern instanceof RegExp) {
+    let flags = pattern.flags.replace("g", "");
+    if (!flags.includes("i")) {
+      flags += "i";
+    }
+    return new RegExp(pattern.source, flags);
+  }
+  return new RegExp(pattern, "i");
+}
+function getErrorName(error48) {
+  if (error48 instanceof Error) {
+    return error48.name || "Error";
+  }
+  if (error48 === null) {
+    return "NullValueEncountered";
+  }
+  if (error48 === undefined) {
+    return "UndefinedValueEncountered";
+  }
+  if (typeof error48 === "object" && error48 !== null && error48.constructor && typeof error48.constructor.name === "string" && error48.constructor.name !== "Object") {
+    return `${error48.constructor.name}Encountered`;
+  }
+  return `${typeof error48}Encountered`;
+}
+function getErrorMessage(error48) {
+  try {
+    if (error48 instanceof Error) {
+      if ("errors" in error48 && Array.isArray(error48.errors)) {
+        const inner = error48.errors.map((e2) => e2 instanceof Error ? e2.message : String(e2)).filter(Boolean).slice(0, 3).join("; ");
+        return inner ? `${error48.message}: ${inner}` : error48.message;
+      }
+      return error48.message;
+    }
+    if (error48 === null) {
+      return "Null value encountered as error";
+    }
+    if (error48 === undefined) {
+      return "Undefined value encountered as error";
+    }
+    if (typeof error48 === "string") {
+      return error48;
+    }
+    if (typeof error48 === "number" || typeof error48 === "boolean") {
+      return String(error48);
+    }
+    if (typeof error48 === "bigint") {
+      return error48.toString();
+    }
+    if (typeof error48 === "function") {
+      return `[function ${error48.name || "anonymous"}]`;
+    }
+    if (typeof error48 === "object") {
+      try {
+        const json2 = JSON.stringify(error48);
+        if (json2 && json2 !== "{}")
+          return json2;
+      } catch {}
+      const ctor = error48.constructor?.name;
+      return `Non-Error object encountered (constructor: ${ctor || "Object"})`;
+    }
+    if (typeof error48 === "symbol") {
+      return error48.toString();
+    }
+    return "[unrepresentable error]";
+  } catch (conversionError) {
+    return `Error converting error to string: ${conversionError instanceof Error ? conversionError.message : "Unknown conversion error"}`;
+  }
+}
+
+// src/utils/internal/error-handler/errorHandler.ts
+class ErrorHandler {
+  static determineErrorCode(error48) {
+    if (error48 instanceof McpError) {
+      return error48.code;
+    }
+    const errorName = getErrorName(error48);
+    const errorMessage = getErrorMessage(error48);
+    const mappedFromType = ERROR_TYPE_MAPPINGS[errorName];
+    if (mappedFromType) {
+      return mappedFromType;
+    }
+    for (const mapping of COMMON_ERROR_PATTERNS) {
+      const regex = createSafeRegex(mapping.pattern);
+      if (regex.test(errorMessage) || regex.test(errorName)) {
+        return mapping.errorCode;
+      }
+    }
+    if (typeof error48 === "object" && error48 !== null && "name" in error48 && error48.name === "AbortError") {
+      return -32004 /* Timeout */;
+    }
+    return -32603 /* InternalError */;
+  }
+  static handleError(error48, options) {
+    const activeSpan = import_api3.trace.getActiveSpan();
+    if (activeSpan) {
+      if (error48 instanceof Error) {
+        activeSpan.recordException(error48);
+      }
+      activeSpan.setStatus({
+        code: import_api3.SpanStatusCode.ERROR,
+        message: error48 instanceof Error ? error48.message : String(error48)
+      });
+    }
+    const {
+      context = {},
+      operation,
+      input,
+      rethrow = false,
+      errorCode: explicitErrorCode,
+      includeStack = true,
+      critical = false,
+      errorMapper
+    } = options;
+    const sanitizedInput = input !== undefined ? sanitizeInputForLogging(input) : undefined;
+    const originalErrorName = getErrorName(error48);
+    const originalErrorMessage = getErrorMessage(error48);
+    const originalStack = error48 instanceof Error ? error48.stack : undefined;
+    let finalError;
+    let loggedErrorCode;
+    const errorDataSeed = error48 instanceof McpError && typeof error48.data === "object" && error48.data !== null ? { ...error48.data } : {};
+    const consolidatedData = {
+      ...errorDataSeed,
+      ...context,
+      originalErrorName,
+      originalMessage: originalErrorMessage
+    };
+    if (originalStack && !(error48 instanceof McpError && error48.data?.originalStack)) {
+      consolidatedData.originalStack = originalStack;
+    }
+    const cause = error48 instanceof Error ? error48 : undefined;
+    const rootCause = (() => {
+      let current = cause;
+      let depth = 0;
+      while (current && current instanceof Error && current.cause && depth < 5) {
+        current = current.cause;
+        depth += 1;
+      }
+      return current instanceof Error ? { name: current.name, message: current.message } : undefined;
+    })();
+    if (rootCause) {
+      consolidatedData["rootCause"] = rootCause;
+    }
+    if (error48 instanceof McpError) {
+      loggedErrorCode = error48.code;
+      finalError = errorMapper ? errorMapper(error48) : new McpError(error48.code, error48.message, consolidatedData, {
+        cause
+      });
+    } else {
+      loggedErrorCode = explicitErrorCode || ErrorHandler.determineErrorCode(error48);
+      const message = `Error in ${operation}: ${originalErrorMessage}`;
+      finalError = errorMapper ? errorMapper(error48) : new McpError(loggedErrorCode, message, consolidatedData, {
+        cause
+      });
+    }
+    if (finalError !== error48 && error48 instanceof Error && finalError instanceof Error && !finalError.stack && error48.stack) {
+      finalError.stack = error48.stack;
+    }
+    const logRequestId = typeof context.requestId === "string" && context.requestId ? context.requestId : generateUUID();
+    const logTimestamp = typeof context.timestamp === "string" && context.timestamp ? context.timestamp : new Date().toISOString();
+    const stack = finalError instanceof Error ? finalError.stack : originalStack;
+    const logContext = {
+      requestId: logRequestId,
+      timestamp: logTimestamp,
+      operation,
+      input: sanitizedInput,
+      critical,
+      errorCode: loggedErrorCode,
+      originalErrorType: originalErrorName,
+      finalErrorType: getErrorName(finalError),
+      ...Object.fromEntries(Object.entries(context).filter(([key]) => key !== "requestId" && key !== "timestamp")),
+      errorData: finalError instanceof McpError && finalError.data ? finalError.data : consolidatedData,
+      ...includeStack && stack ? { stack } : {}
+    };
+    logger.error(`Error in ${operation}: ${finalError.message || originalErrorMessage}`, logContext);
+    if (rethrow) {
+      throw finalError;
+    }
+    return finalError;
+  }
+  static mapError(error48, mappings, defaultFactory) {
+    const errorMessage = getErrorMessage(error48);
+    const errorName = getErrorName(error48);
+    for (const mapping of mappings) {
+      const regex = createSafeRegex(mapping.pattern);
+      if (regex.test(errorMessage) || regex.test(errorName)) {
+        return mapping.factory(error48, mapping.additionalContext);
+      }
+    }
+    if (defaultFactory) {
+      return defaultFactory(error48);
+    }
+    return error48 instanceof Error ? error48 : new Error(String(error48));
+  }
+  static formatError(error48) {
+    if (error48 instanceof McpError) {
+      return {
+        code: error48.code,
+        message: error48.message,
+        data: typeof error48.data === "object" && error48.data !== null ? error48.data : {}
+      };
+    }
+    if (error48 instanceof Error) {
+      return {
+        code: ErrorHandler.determineErrorCode(error48),
+        message: error48.message,
+        data: { errorType: error48.name || "Error" }
+      };
+    }
+    return {
+      code: -32099 /* UnknownError */,
+      message: getErrorMessage(error48),
+      data: { errorType: getErrorName(error48) }
+    };
+  }
+  static async tryCatch(fn, options) {
+    try {
+      return await Promise.resolve(fn());
+    } catch (caughtError) {
+      throw ErrorHandler.handleError(caughtError, {
+        ...options,
+        rethrow: true
+      });
+    }
+  }
+}
+// src/utils/internal/runtime.ts
+var safeHas = (key) => {
+  try {
+    return typeof globalThis[key] !== "undefined";
+  } catch {
+    return false;
+  }
+};
+var isBun = typeof globalThis.Bun !== "undefined" || typeof process.versions?.bun === "string";
+var isNode = !isBun && typeof process !== "undefined" && typeof process.versions?.node === "string";
+var hasProcess = typeof process !== "undefined";
+var hasBuffer = typeof Buffer !== "undefined";
+var hasTextEncoder = safeHas("TextEncoder");
+var hasPerformanceNow = typeof globalThis.performance?.now === "function";
+var isWorkerLike = !isNode && !isBun && typeof globalThis.WorkerGlobalScope !== "undefined";
+var isBrowserLike = !isNode && !isBun && !isWorkerLike && safeHas("window");
+var runtimeCaps = {
+  isNode,
+  isBun,
+  isWorkerLike,
+  isBrowserLike,
+  hasProcess,
+  hasBuffer,
+  hasTextEncoder,
+  hasPerformanceNow
+};
+function detectRuntime() {
+  if (runtimeCaps.isBun) {
+    return "bun";
+  }
+  if (runtimeCaps.isNode) {
+    return "node";
+  }
+  if (runtimeCaps.isWorkerLike) {
+    return "worker";
+  }
+  if (runtimeCaps.isBrowserLike) {
+    return "browser";
+  }
+  return "unknown";
+}
+function getRuntimeDescription() {
+  const runtime = detectRuntime();
+  switch (runtime) {
+    case "bun":
+      return `Bun ${process.versions?.bun || "unknown"}`;
+    case "node":
+      return `Node.js ${process.versions?.node || "unknown"}`;
+    case "worker":
+      return "Cloudflare Workers / Web Worker";
+    case "browser":
+      return "Browser";
+    default:
+      return "Unknown runtime";
+  }
+}
+
+// src/utils/internal/performance.ts
+init_config();
+init_errors3();
+var import_api4 = __toESM(require_src(), 1);
+
+// src/utils/telemetry/semconv.ts
+var ATTR_CODE_FUNCTION = "code.function";
+var ATTR_CODE_NAMESPACE = "code.namespace";
+var ATTR_MCP_TOOL_INPUT_BYTES = "mcp.tool.input_bytes";
+var ATTR_MCP_TOOL_OUTPUT_BYTES = "mcp.tool.output_bytes";
+var ATTR_MCP_TOOL_DURATION_MS = "mcp.tool.duration_ms";
+var ATTR_MCP_TOOL_SUCCESS = "mcp.tool.success";
+var ATTR_MCP_TOOL_ERROR_CODE = "mcp.tool.error_code";
+var ATTR_MCP_TOOL_MEMORY_RSS_BEFORE = "mcp.tool.memory_rss_bytes.before";
+var ATTR_MCP_TOOL_MEMORY_RSS_AFTER = "mcp.tool.memory_rss_bytes.after";
+var ATTR_MCP_TOOL_MEMORY_RSS_DELTA = "mcp.tool.memory_rss_bytes.delta";
+var ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE = "mcp.tool.memory_heap_used_bytes.before";
+var ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER = "mcp.tool.memory_heap_used_bytes.after";
+var ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA = "mcp.tool.memory_heap_used_bytes.delta";
+
+// src/utils/internal/performance.ts
+var performanceNow = () => Date.now();
+async function loadPerfHooks() {
+  return import("perf_hooks");
+}
+async function initializePerformance_Hrt() {
+  const globalWithPerf = globalThis;
+  if (typeof globalWithPerf.performance?.now === "function") {
+    const perf = globalWithPerf.performance;
+    performanceNow = () => perf?.now() ?? Date.now();
+  } else {
+    try {
+      const { performance: nodePerformance } = await loadPerfHooks();
+      performanceNow = () => nodePerformance.now();
+    } catch (_e) {
+      performanceNow = () => Date.now();
+      logger.warning("Could not import perf_hooks, falling back to Date.now() for performance timing.");
+    }
+  }
+}
+var nowMs = () => performanceNow();
+var toBytes = (payload) => {
+  if (payload == null)
+    return 0;
+  try {
+    const json2 = JSON.stringify(payload);
+    if (typeof Buffer !== "undefined" && typeof Buffer.byteLength === "function") {
+      const bytes = Buffer.byteLength(json2, "utf8");
+      return bytes;
+    }
+    if (typeof TextEncoder !== "undefined") {
+      return new TextEncoder().encode(json2).length;
+    }
+    return json2.length;
+  } catch {
+    return 0;
+  }
+};
+async function measureToolExecution(toolLogicFn, context, inputPayload) {
+  const tracer = import_api4.trace.getTracer(config2.openTelemetry.serviceName, config2.openTelemetry.serviceVersion);
+  const { toolName } = context;
+  return tracer.startActiveSpan(`tool_execution:${toolName}`, async (span) => {
+    const memBefore = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
+    const t0 = nowMs();
+    span.setAttributes({
+      [ATTR_CODE_FUNCTION]: toolName,
+      [ATTR_CODE_NAMESPACE]: "mcp-tools",
+      [ATTR_MCP_TOOL_INPUT_BYTES]: toBytes(inputPayload),
+      [ATTR_MCP_TOOL_MEMORY_RSS_BEFORE]: memBefore.rss,
+      [ATTR_MCP_TOOL_MEMORY_HEAP_USED_BEFORE]: memBefore.heapUsed
+    });
+    let ok = false;
+    let errorCode;
+    let output;
+    try {
+      const result = await toolLogicFn();
+      ok = true;
+      output = result;
+      span.setStatus({ code: import_api4.SpanStatusCode.OK });
+      span.setAttribute(ATTR_MCP_TOOL_OUTPUT_BYTES, toBytes(output));
+      return result;
+    } catch (err) {
+      if (err instanceof McpError)
+        errorCode = String(err.code);
+      else if (err instanceof Error)
+        errorCode = "UNHANDLED_ERROR";
+      else
+        errorCode = "UNKNOWN_ERROR";
+      if (err instanceof Error)
+        span.recordException(err);
+      span.setStatus({
+        code: import_api4.SpanStatusCode.ERROR,
+        message: err instanceof Error ? err.message : String(err)
+      });
+      throw err;
+    } finally {
+      const t1 = nowMs();
+      const durationMs = Number((t1 - t0).toFixed(2));
+      const memAfter = typeof process !== "undefined" && typeof process.memoryUsage === "function" ? process.memoryUsage() : { rss: 0, heapUsed: 0 };
+      const rssDelta = memAfter.rss - memBefore.rss;
+      const heapUsedDelta = memAfter.heapUsed - memBefore.heapUsed;
+      span.setAttributes({
+        [ATTR_MCP_TOOL_DURATION_MS]: durationMs,
+        [ATTR_MCP_TOOL_SUCCESS]: ok,
+        [ATTR_MCP_TOOL_MEMORY_RSS_AFTER]: memAfter.rss,
+        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_AFTER]: memAfter.heapUsed,
+        [ATTR_MCP_TOOL_MEMORY_RSS_DELTA]: rssDelta,
+        [ATTR_MCP_TOOL_MEMORY_HEAP_USED_DELTA]: heapUsedDelta
+      });
+      if (errorCode)
+        span.setAttribute(ATTR_MCP_TOOL_ERROR_CODE, errorCode);
+      span.end();
+      logger.info("Tool execution finished.", {
+        ...context,
+        metrics: {
+          durationMs,
+          isSuccess: ok,
+          errorCode,
+          inputBytes: toBytes(inputPayload),
+          outputBytes: toBytes(output),
+          memory: {
+            rss: {
+              before: memBefore.rss,
+              after: memAfter.rss,
+              delta: rssDelta
+            },
+            heapUsed: {
+              before: memBefore.heapUsed,
+              after: memAfter.heapUsed,
+              delta: heapUsedDelta
+            }
+          }
+        }
+      });
+    }
+  });
+}
+
+// src/utils/internal/startupBanner.ts
+function logStartupBanner(message, transportType) {
+  if (process.stdout.isTTY) {
+    if (transportType === "stdio") {
+      console.error(message);
+    } else {
+      console.log(message);
+    }
+  }
+}
+
+// src/utils/security/idGenerator.ts
+init_errors3();
+import { randomUUID as cryptoRandomUUID, randomBytes } from "crypto";
+
+class IdGenerator {
+  static DEFAULT_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  static DEFAULT_SEPARATOR = "_";
+  static DEFAULT_LENGTH = 6;
+  entityPrefixes = {};
+  prefixToEntityType = {};
+  constructor(entityPrefixes = {}) {
+    this.setEntityPrefixes(entityPrefixes);
+  }
+  setEntityPrefixes(entityPrefixes) {
+    this.entityPrefixes = { ...entityPrefixes };
+    this.prefixToEntityType = Object.entries(this.entityPrefixes).reduce((acc, [type, prefix]) => {
+      acc[prefix.toLowerCase()] = type;
+      return acc;
+    }, {});
+  }
+  getEntityPrefixes() {
+    return { ...this.entityPrefixes };
+  }
+  generateRandomString(length = IdGenerator.DEFAULT_LENGTH, charset = IdGenerator.DEFAULT_CHARSET) {
+    let result = "";
+    const maxValidByteValue = Math.floor(256 / charset.length) * charset.length;
+    while (result.length < length) {
+      const byteBuffer = randomBytes(1);
+      const byte = byteBuffer[0];
+      if (byte !== undefined && byte < maxValidByteValue) {
+        const charIndex = byte % charset.length;
+        const char = charset[charIndex];
+        if (char) {
+          result += char;
+        }
+      }
+    }
+    return result;
+  }
+  generate(prefix, options = {}) {
+    const {
+      length = IdGenerator.DEFAULT_LENGTH,
+      separator = IdGenerator.DEFAULT_SEPARATOR,
+      charset = IdGenerator.DEFAULT_CHARSET
+    } = options;
+    const randomPart = this.generateRandomString(length, charset);
+    const generatedId = prefix ? `${prefix}${separator}${randomPart}` : randomPart;
+    return generatedId;
+  }
+  generateForEntity(entityType, options = {}) {
+    const prefix = this.entityPrefixes[entityType];
+    if (!prefix) {
+      throw new McpError(-32007 /* ValidationError */, `Unknown entity type: ${entityType}. No prefix registered.`);
+    }
+    return this.generate(prefix, options);
+  }
+  isValid(id, entityType, options = {}) {
+    const prefix = this.entityPrefixes[entityType];
+    const {
+      length = IdGenerator.DEFAULT_LENGTH,
+      separator = IdGenerator.DEFAULT_SEPARATOR,
+      charset = IdGenerator.DEFAULT_CHARSET
+    } = options;
+    if (!prefix) {
+      return false;
+    }
+    const escapedCharsetForClass = charset.replace(/[[\]\\^-]/g, "\\$&");
+    const charsetRegexPart = `[${escapedCharsetForClass}]`;
+    const pattern = new RegExp(`^${this.escapeRegex(prefix)}${this.escapeRegex(separator)}${charsetRegexPart}{${length}}$`);
+    return pattern.test(id);
+  }
+  escapeRegex(str) {
+    return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  }
+  stripPrefix(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
+    const parts = id.split(separator);
+    return parts.length > 1 ? parts.slice(1).join(separator) : id;
+  }
+  getEntityType(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
+    const parts = id.split(separator);
+    if (parts.length < 2 || !parts[0]) {
+      throw new McpError(-32007 /* ValidationError */, `Invalid ID format: ${id}. Expected format like: PREFIX${separator}RANDOMLPART`);
+    }
+    const prefix = parts[0];
+    const entityType = this.prefixToEntityType[prefix.toLowerCase()];
+    if (!entityType) {
+      throw new McpError(-32007 /* ValidationError */, `Unknown entity type for prefix: ${prefix}`);
+    }
+    return entityType;
+  }
+  normalize(id, separator = IdGenerator.DEFAULT_SEPARATOR) {
+    const entityType = this.getEntityType(id, separator);
+    const registeredPrefix = this.entityPrefixes[entityType];
+    const idParts = id.split(separator);
+    const randomPart = idParts.slice(1).join(separator);
+    return `${registeredPrefix}${separator}${randomPart.toUpperCase()}`;
+  }
+}
+var idGenerator = new IdGenerator;
+var generateUUID = () => {
+  return cryptoRandomUUID();
+};
+var generateRequestContextId = () => {
+  const generateSecureRandomString = (length, charset2) => {
+    let result = "";
+    const maxValidByteValue = Math.floor(256 / charset2.length) * charset2.length;
+    while (result.length < length) {
+      const byteBuffer = randomBytes(1);
+      const byte = byteBuffer[0];
+      if (byte !== undefined && byte < maxValidByteValue) {
+        const charIndex = byte % charset2.length;
+        const char = charset2[charIndex];
+        if (char) {
+          result += char;
+        }
+      }
+    }
+    return result;
+  };
+  const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  const part1 = generateSecureRandomString(5, charset);
+  const part2 = generateSecureRandomString(5, charset);
+  return `${part1}-${part2}`;
+};
+
+// src/utils/security/rateLimiter.ts
+init_tokens();
+init_errors3();
+var import_api5 = __toESM(require_src(), 1);
+var import_tsyringe = __toESM(require_cjs2(), 1);
+class RateLimiter {
+  config;
+  logger;
+  limits;
+  cleanupTimer = null;
+  effectiveConfig;
+  constructor(config3, logger2) {
+    this.config = config3;
+    this.logger = logger2;
+    const defaultConfig = {
+      windowMs: 15 * 60 * 1000,
+      maxRequests: 100,
+      errorMessage: "Rate limit exceeded. Please try again in {waitTime} seconds.",
+      skipInDevelopment: false,
+      cleanupInterval: 5 * 60 * 1000
+    };
+    this.effectiveConfig = { ...defaultConfig };
+    this.limits = new Map;
+    this.startCleanupTimer();
+  }
+  startCleanupTimer() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+    }
+    const interval = this.effectiveConfig.cleanupInterval;
+    if (interval && interval > 0) {
+      this.cleanupTimer = setInterval(() => {
+        this.cleanupExpiredEntries();
+      }, interval);
+      if (this.cleanupTimer.unref) {
+        this.cleanupTimer.unref();
+      }
+    }
+  }
+  cleanupExpiredEntries() {
+    const now = Date.now();
+    let expiredCount = 0;
+    for (const [key, entry] of this.limits.entries()) {
+      if (now >= entry.resetTime) {
+        this.limits.delete(key);
+        expiredCount++;
+      }
+    }
+    if (expiredCount > 0) {
+      const logContext = requestContextService.createRequestContext({
+        operation: "RateLimiter.cleanupExpiredEntries",
+        additionalContext: {
+          cleanedCount: expiredCount,
+          totalRemainingAfterClean: this.limits.size
+        }
+      });
+      this.logger.debug(`Cleaned up ${expiredCount} expired rate limit entries`, logContext);
+    }
+  }
+  configure(config3) {
+    Object.assign(this.effectiveConfig, config3);
+    if (config3.cleanupInterval !== undefined) {
+      this.startCleanupTimer();
+    }
+  }
+  getConfig() {
+    return { ...this.effectiveConfig };
+  }
+  reset() {
+    this.limits.clear();
+    const logContext = requestContextService.createRequestContext({
+      operation: "RateLimiter.reset"
+    });
+    this.logger.debug("Rate limiter reset, all limits cleared", logContext);
+  }
+  check(key, context) {
+    const activeSpan = import_api5.trace.getActiveSpan();
+    activeSpan?.setAttribute("mcp.rate_limit.checked", true);
+    if (this.effectiveConfig.skipInDevelopment && this.config.environment === "development") {
+      activeSpan?.setAttribute("mcp.rate_limit.skipped", "development");
+      return;
+    }
+    const limitKey = this.effectiveConfig.keyGenerator ? this.effectiveConfig.keyGenerator(key, context) : key;
+    activeSpan?.setAttribute("mcp.rate_limit.key", limitKey);
+    const now = Date.now();
+    let entry = this.limits.get(limitKey);
+    if (!entry || now >= entry.resetTime) {
+      entry = {
+        count: 1,
+        resetTime: now + this.effectiveConfig.windowMs
+      };
+      this.limits.set(limitKey, entry);
+    } else {
+      entry.count++;
+    }
+    const remaining = Math.max(0, this.effectiveConfig.maxRequests - entry.count);
+    activeSpan?.setAttributes({
+      "mcp.rate_limit.limit": this.effectiveConfig.maxRequests,
+      "mcp.rate_limit.count": entry.count,
+      "mcp.rate_limit.remaining": remaining
+    });
+    if (entry.count > this.effectiveConfig.maxRequests) {
+      const waitTime = Math.ceil((entry.resetTime - now) / 1000);
+      const errorMessage = (this.effectiveConfig.errorMessage || "Rate limit exceeded. Please try again in {waitTime} seconds.").replace("{waitTime}", waitTime.toString());
+      activeSpan?.addEvent("rate_limit_exceeded", {
+        "mcp.rate_limit.wait_time_seconds": waitTime
+      });
+      throw new McpError(-32003 /* RateLimited */, errorMessage, {
+        waitTimeSeconds: waitTime,
+        key: limitKey,
+        limit: this.effectiveConfig.maxRequests,
+        windowMs: this.effectiveConfig.windowMs
+      });
+    }
+  }
+  getStatus(key) {
+    const entry = this.limits.get(key);
+    if (!entry)
+      return null;
+    return {
+      current: entry.count,
+      limit: this.effectiveConfig.maxRequests,
+      remaining: Math.max(0, this.effectiveConfig.maxRequests - entry.count),
+      resetTime: entry.resetTime
+    };
+  }
+  dispose() {
+    if (this.cleanupTimer) {
+      clearInterval(this.cleanupTimer);
+      this.cleanupTimer = null;
+    }
+    this.limits.clear();
+  }
+}
+RateLimiter = __legacyDecorateClassTS([
+  import_tsyringe.injectable(),
+  __legacyDecorateParamTS(0, import_tsyringe.inject(AppConfig)),
+  __legacyDecorateParamTS(1, import_tsyringe.inject(Logger2)),
+  __legacyMetadataTS("design:paramtypes", [
+    Object,
+    Object
+  ])
+], RateLimiter);
 
 // src/container/index.ts
 var import_reflect_metadata = __toESM(require_Reflect(), 1);
@@ -132765,13 +132472,8 @@ if (shouldShowDeprecationWarning())
 init_config();
 init_tokens();
 
-// src/services/git/core/GitProviderFactory.ts
-init_utils();
-
 // src/services/git/core/BaseGitProvider.ts
 init_errors3();
-init_utils();
-
 class BaseGitProvider {
   checkCapability(capability) {
     if (!this.capabilities[capability]) {
@@ -132805,12 +132507,12 @@ class BaseGitProvider {
       workingDirectory
     });
   }
-  createOperationContext(requestContext2, workingDirectory, tenantId) {
+  createOperationContext(requestContext, workingDirectory, tenantId) {
     const context = {
-      requestContext: requestContext2,
+      requestContext,
       workingDirectory
     };
-    const finalTenantId = tenantId || requestContext2.tenantId;
+    const finalTenantId = tenantId || requestContext.tenantId;
     if (finalTenantId) {
       context.tenantId = finalTenantId;
     }
@@ -133196,8 +132898,8 @@ Stdout: ${stdout}`;
   });
 }
 async function spawnGitCommand(args, cwd, env, timeout = 60000, signal, allowNonZeroExit = false) {
-  const runtime2 = detectRuntime2();
-  if (runtime2 === "bun") {
+  const runtime = detectRuntime2();
+  if (runtime === "bun") {
     return spawnWithBun(args, cwd, env, timeout, signal, allowNonZeroExit);
   } else {
     return spawnWithNode(args, cwd, env, timeout, signal, allowNonZeroExit);
@@ -133269,6 +132971,15 @@ function parseGitStatus(output) {
       const parts2 = line.split(" ");
       if (parts2[1] === "branch.head" && parts2[2]) {
         result.currentBranch = parts2[2] === "(detached)" ? null : parts2[2];
+      } else if (parts2[1] === "branch.upstream" && parts2[2]) {
+        result.upstream = parts2[2];
+      } else if (parts2[1] === "branch.ab" && parts2[2] && parts2[3]) {
+        const ahead = parseInt(parts2[2].replace(/^\+/, ""), 10);
+        const behind = parseInt(parts2[3].replace(/^-/, ""), 10);
+        if (Number.isFinite(ahead))
+          result.ahead = ahead;
+        if (Number.isFinite(behind))
+          result.behind = behind;
       }
       continue;
     }
@@ -133669,7 +133380,6 @@ async function listDirtyFiles(execGit, cwd, ctx) {
   return files;
 }
 // src/services/git/providers/cli/operations/commits/commit.ts
-init_utils();
 async function executeCommit(options, context, execGit) {
   try {
     if (options.filesToStage?.length) {
@@ -133760,7 +133470,9 @@ var COMMIT_START_MARKER = "<<<COMMIT_START>>>";
 var COMMIT_END_MARKER = "<<<COMMIT_END>>>";
 async function executeLog(options, context, execGit) {
   try {
-    const formatStr = `${COMMIT_START_MARKER}%H${GIT_FIELD_DELIMITER}%h${GIT_FIELD_DELIMITER}%an${GIT_FIELD_DELIMITER}%ae${GIT_FIELD_DELIMITER}%at${GIT_FIELD_DELIMITER}%s${GIT_FIELD_DELIMITER}%b${GIT_FIELD_DELIMITER}%P${COMMIT_END_MARKER}`;
+    const fullFormat = `${COMMIT_START_MARKER}%H${GIT_FIELD_DELIMITER}%h${GIT_FIELD_DELIMITER}%an${GIT_FIELD_DELIMITER}%ae${GIT_FIELD_DELIMITER}%at${GIT_FIELD_DELIMITER}%s${GIT_FIELD_DELIMITER}%b${GIT_FIELD_DELIMITER}%P${COMMIT_END_MARKER}`;
+    const onelineFormat = `${COMMIT_START_MARKER}%H${GIT_FIELD_DELIMITER}%h${GIT_FIELD_DELIMITER}%s${COMMIT_END_MARKER}`;
+    const formatStr = options.oneline ? onelineFormat : fullFormat;
     const args = [`--format=${formatStr}`];
     if (options.maxCount) {
       args.push(`-n${options.maxCount}`);
@@ -133803,7 +133515,11 @@ async function executeLog(options, context, execGit) {
       const formatPart = section.substring(0, endIdx);
       const extraPart = section.substring(endIdx + COMMIT_END_MARKER.length).trim();
       const fields = formatPart.split(GIT_FIELD_DELIMITER);
-      const commit = {
+      const commit = options.oneline ? {
+        hash: fields[0] || "",
+        shortHash: fields[1] || "",
+        subject: fields[2] || ""
+      } : {
         hash: fields[0] || "",
         shortHash: fields[1] || "",
         author: fields[2] || "",
@@ -133812,7 +133528,7 @@ async function executeLog(options, context, execGit) {
         subject: fields[5] || "",
         parents: (fields[7] || "").split(" ").filter((p) => p)
       };
-      if (fields[6]) {
+      if (!options.oneline && fields[6]) {
         commit.body = fields[6];
       }
       if (extraPart) {
@@ -133860,11 +133576,13 @@ async function executeShow(options, context, execGit) {
       command: "cat-file",
       args: ["-t", options.object]
     });
-    const typeResult = await execGit(typeCmd, context.workingDirectory, context.requestContext);
+    const cmd = buildGitCommand({ command: "show", args });
+    const [typeResult, result] = await Promise.all([
+      execGit(typeCmd, context.workingDirectory, context.requestContext),
+      execGit(cmd, context.workingDirectory, context.requestContext)
+    ]);
     const detectedType = typeResult.stdout.trim();
     const objectType = ["commit", "tree", "blob", "tag"].includes(detectedType) ? detectedType : "commit";
-    const cmd = buildGitCommand({ command: "show", args });
-    const result = await execGit(cmd, context.workingDirectory, context.requestContext);
     const showResult = {
       object: options.object,
       type: objectType,
@@ -134060,6 +133778,21 @@ async function executeBranch(options, context, execGit) {
   try {
     const args = [];
     switch (options.mode) {
+      case "show-current": {
+        const cmd = buildGitCommand({
+          command: "symbolic-ref",
+          args: ["--quiet", "--short", "HEAD"]
+        });
+        try {
+          const res = await execGit(cmd, context.workingDirectory, context.requestContext);
+          return {
+            mode: "show-current",
+            current: res.stdout.trim() || null
+          };
+        } catch {
+          return { mode: "show-current", current: null };
+        }
+      }
       case "list": {
         const format = [
           "%(refname)",
@@ -134078,6 +133811,9 @@ async function executeBranch(options, context, execGit) {
           const noMergedRef = typeof options.noMerged === "string" ? options.noMerged : "HEAD";
           args.push(`--no-merged=${noMergedRef}`);
         }
+        if (typeof options.limit === "number" && options.limit > 0) {
+          args.push(`--count=${options.limit}`);
+        }
         const cmd = buildGitCommand({ command: "for-each-ref", args });
         const result = await execGit(cmd, context.workingDirectory, context.requestContext);
         const branches = parseBranchRef(result.stdout);
@@ -134718,7 +134454,7 @@ function parseFilesChanged(stdout) {
   return files;
 }
 // src/services/git/providers/cli/operations/tags/tag.ts
-init_utils();
+init_errors3();
 async function executeTag(options, context, execGit) {
   try {
     const args = [];
@@ -134729,17 +134465,26 @@ async function executeTag(options, context, execGit) {
           "%(if)%(*objectname:short)%(then)%(*objectname:short)%(else)%(objectname:short)%(end)",
           "%(if)%(contents:subject)%(then)%(contents:subject)%(end)",
           "%(if)%(taggername)%(then)%(taggername) %(taggeremail)%(end)",
-          "%(if)%(creatordate:unix)%(then)%(creatordate:unix)%(end)"
-        ].join(GIT_FIELD_DELIMITER);
+          "%(if)%(creatordate:unix)%(then)%(creatordate:unix)%(end)",
+          "%(if)%(contents:body)%(then)%(contents:body)%(end)"
+        ].join(GIT_FIELD_DELIMITER) + GIT_RECORD_DELIMITER;
+        const forEachRefArgs = [
+          `--format=${format}`,
+          "--sort=-version:refname",
+          "--sort=-creatordate"
+        ];
+        if (typeof options.limit === "number" && options.limit > 0) {
+          forEachRefArgs.push(`--count=${options.limit}`);
+        }
+        forEachRefArgs.push("refs/tags");
         const refCmd = buildGitCommand({
           command: "for-each-ref",
-          args: [`--format=${format}`, "--sort=-creatordate", "refs/tags"]
+          args: forEachRefArgs
         });
         const result = await execGit(refCmd, context.workingDirectory, context.requestContext);
         const tags = [];
-        for (const line of result.stdout.split(`
-`).filter((l) => l.trim())) {
-          const [name, commit, message, tagger, timestamp] = line.split(GIT_FIELD_DELIMITER);
+        for (const record2 of result.stdout.split(GIT_RECORD_DELIMITER).map((r2) => r2.replace(/^\n/, "")).filter((r2) => r2.length > 0)) {
+          const [name, commit, message, tagger, timestamp, annotationBody] = record2.split(GIT_FIELD_DELIMITER);
           if (!name)
             continue;
           const tag = {
@@ -134752,6 +134497,8 @@ async function executeTag(options, context, execGit) {
             tag.tagger = tagger;
           if (timestamp)
             tag.timestamp = parseInt(timestamp, 10);
+          if (annotationBody)
+            tag.annotationBody = annotationBody.trimEnd();
           tags.push(tag);
         }
         return { mode: "list", tags };
@@ -134826,6 +134573,17 @@ async function executeTag(options, context, execGit) {
         };
         return deleteResult;
       }
+      case "verify": {
+        if (!options.tagName) {
+          throw new Error("Tag name is required for verify operation");
+        }
+        const cmd = buildGitCommand({
+          command: "tag",
+          args: ["-v", options.tagName]
+        });
+        const result = await execGit(cmd, context.workingDirectory, context.requestContext, { allowNonZeroExit: true });
+        return parseVerifyOutput(options.tagName, result.stderr, result.exitCode ?? 0);
+      }
       default:
         throw new Error("Unknown tag operation mode");
     }
@@ -134833,6 +134591,93 @@ async function executeTag(options, context, execGit) {
     throw mapGitError(error48, "tag");
   }
 }
+function parseVerifyOutput(tagName, stderr, exitCode) {
+  if (/^error: tag '.+' not found/m.test(stderr)) {
+    throw new McpError(-32600 /* InvalidRequest */, `Tag not found: ${tagName}`, { tagName });
+  }
+  const base = {
+    mode: "verify",
+    verifiedTag: tagName,
+    rawOutput: stderr
+  };
+  if (/^error: no signature found$/m.test(stderr)) {
+    return {
+      ...base,
+      verified: false,
+      warning: "Tag has no signature. Create with a signing key and `GIT_SIGN_COMMITS=true` to produce a signed tag."
+    };
+  }
+  if (/gpg\.ssh\.allowedSignersFile needs to be configured/.test(stderr) || /No principal matched/.test(stderr)) {
+    return {
+      ...base,
+      verified: false,
+      signatureType: "ssh",
+      warning: "SSH signature verification requires `gpg.ssh.allowedSignersFile` to be configured. The tag may be validly signed; this environment cannot verify it."
+    };
+  }
+  const gpgBadMatch = /(?:gpg|gpgsm): BAD signature from "([^"]+)"/.exec(stderr);
+  if (gpgBadMatch) {
+    return {
+      ...base,
+      verified: false,
+      signatureType: stderr.includes("gpgsm:") ? "x509" : "gpg",
+      signerIdentity: gpgBadMatch[1],
+      warning: "Signature does not validate (BAD signature)."
+    };
+  }
+  const sshBadMatch = /Signature verification failed.*? for "([^"]+)"|Could not verify signature/i.exec(stderr);
+  if (sshBadMatch && exitCode !== 0) {
+    const result = {
+      ...base,
+      verified: false,
+      signatureType: "ssh",
+      warning: "SSH signature does not validate."
+    };
+    if (sshBadMatch[1])
+      result.signerIdentity = sshBadMatch[1];
+    return result;
+  }
+  const gpgGoodMatch = /gpg: Good signature from "([^"]+)"/.exec(stderr);
+  if (gpgGoodMatch) {
+    const result = {
+      ...base,
+      verified: true,
+      signatureType: "gpg",
+      signerIdentity: gpgGoodMatch[1]
+    };
+    const keyMatch = /using \S+ key ([0-9A-Fa-f]{8,})/.exec(stderr);
+    if (keyMatch)
+      result.signerKey = keyMatch[1];
+    return result;
+  }
+  const x509GoodMatch = /gpgsm: Good signature from "([^"]+)"/.exec(stderr);
+  if (x509GoodMatch) {
+    return {
+      ...base,
+      verified: true,
+      signatureType: "x509",
+      signerIdentity: x509GoodMatch[1]
+    };
+  }
+  const sshGoodMatch = /Good "git" signature for (.+?) with \S+ key (SHA256:\S+)/.exec(stderr);
+  if (sshGoodMatch) {
+    return {
+      ...base,
+      verified: true,
+      signatureType: "ssh",
+      signerIdentity: sshGoodMatch[1].trim(),
+      signerKey: sshGoodMatch[2]
+    };
+  }
+  if (exitCode === 0) {
+    return { ...base, verified: true };
+  }
+  return {
+    ...base,
+    verified: false,
+    warning: "Verification failed but the output format was not recognized. See `rawOutput` for details."
+  };
+}
 // src/services/git/providers/cli/operations/stash/stash.ts
 async function executeStash(options, context, execGit) {
   try {
@@ -134840,6 +134685,9 @@ async function executeStash(options, context, execGit) {
     switch (options.mode) {
       case "list": {
         args.push("--format=%gd\t%ct\t%gs");
+        if (typeof options.limit === "number" && options.limit > 0) {
+          args.push(`-n${options.limit}`);
+        }
         const cmd = buildGitCommand({ command: "stash", args });
         const result = await execGit(cmd, context.workingDirectory, context.requestContext);
         const stashes = result.stdout.split(`
@@ -135556,7 +135404,6 @@ var import_tsyringe4 = __toESM(require_cjs2(), 1);
 
 // src/storage/providers/fileSystem/fileSystemProvider.ts
 init_errors3();
-init_utils();
 import { existsSync as existsSync2, mkdirSync } from "fs";
 import { readFile, readdir, rm, writeFile } from "fs/promises";
 import path2 from "path";
@@ -135791,7 +135638,6 @@ class FileSystemProvider {
 }
 
 // src/storage/providers/inMemory/inMemoryProvider.ts
-init_utils();
 var DEFAULT_LIST_LIMIT2 = 1000;
 
 class InMemoryProvider {
@@ -135904,7 +135750,6 @@ class InMemoryProvider {
 // src/storage/providers/supabase/supabaseProvider.ts
 var import_tsyringe3 = __toESM(require_cjs2(), 1);
 init_tokens();
-init_utils();
 var TABLE_NAME = "kv_store";
 var DEFAULT_LIST_LIMIT3 = 1000;
 
@@ -136074,7 +135919,6 @@ SupabaseProvider = __legacyDecorateClassTS([
 
 // src/storage/providers/cloudflare/r2Provider.ts
 init_errors3();
-init_utils();
 var R2_ENVELOPE_VERSION = 1;
 var DEFAULT_LIST_LIMIT4 = 1000;
 
@@ -136270,7 +136114,6 @@ class R2Provider {
 
 // src/storage/providers/cloudflare/kvProvider.ts
 init_errors3();
-init_utils();
 var DEFAULT_LIST_LIMIT5 = 1000;
 
 class KvProvider {
@@ -136437,7 +136280,6 @@ class KvProvider {
 }
 
 // src/storage/core/storageFactory.ts
-init_utils();
 var isServerless3 = typeof process === "undefined" || process.env.IS_SERVERLESS === "true";
 function createStorageProvider(config3, deps = {}) {
   const context = requestContextService.createRequestContext({
@@ -136486,8 +136328,6 @@ function createStorageProvider(config3, deps = {}) {
 
 // src/container/registrations/core.ts
 init_errors3();
-init_utils();
-init_rateLimiter();
 var registerCoreServices = () => {
   const config3 = parseConfig();
   import_tsyringe5.container.register(AppConfig, { useValue: config3 });
@@ -136529,12 +136369,9 @@ var import_tsyringe6 = __toESM(require_cjs2(), 1);
 
 // src/mcp-server/resources/definitions/git-working-directory.resource.ts
 init_zod();
-init_utils();
 
 // src/mcp-server/transports/auth/lib/authUtils.ts
 init_errors3();
-init_utils();
-init_authContext();
 function withRequiredScopes(requiredScopes) {
   const operationName = "withRequiredScopesCheck";
   const initialContext = requestContextService.createRequestContext({
@@ -145154,7 +144991,6 @@ var EMPTY_COMPLETION_RESULT = {
 
 // src/mcp-server/resources/utils/resourceHandlerFactory.ts
 init_errors3();
-init_utils();
 function defaultResponseFormatter(result, meta3) {
   return [
     {
@@ -145240,7 +145076,6 @@ async function registerResource(server, def) {
 }
 
 // src/mcp-server/resources/resource-registration.ts
-init_utils();
 class ResourceRegistry {
   resourceDefs;
   constructor(resourceDefs) {
@@ -145331,11 +145166,10 @@ Begin by calling \`git_wrapup_instructions\` and creating your task list.`
 var allPromptDefinitions = [gitWrapupPrompt];
 
 // src/mcp-server/prompts/prompt-registration.ts
-init_utils();
 class PromptRegistry {
   logger;
-  constructor(logger3) {
-    this.logger = logger3;
+  constructor(logger2) {
+    this.logger = logger2;
   }
   registerAll(server) {
     const context = requestContextService.createRequestContext({
@@ -145368,7 +145202,6 @@ PromptRegistry = __legacyDecorateClassTS([
 
 // src/mcp-server/tools/tool-registration.ts
 var import_tsyringe9 = __toESM(require_cjs2(), 1);
-init_utils();
 
 // src/mcp-server/tools/definitions/git-changelog-analyze.tool.ts
 init_zod();
@@ -145530,12 +145363,10 @@ var defaultJsonFormatter = createJsonFormatter();
 
 // src/mcp-server/tools/utils/toolHandlerFactory.ts
 init_tokens();
-init_utils();
 var import_tsyringe8 = __toESM(require_cjs2(), 1);
 
 // src/mcp-server/tools/utils/git-validators.ts
 init_errors3();
-init_utils();
 import path3 from "node:path";
 async function resolveWorkingDirectory(pathInput, appContext, storage) {
   let workingDir;
@@ -145808,6 +145639,7 @@ var InputSchema = exports_external.object({
   path: PathSchema,
   reviewTypes: exports_external.array(ReviewTypeSchema).min(1).describe("Types of changelog review to perform. At least one required. Options: security, features, storyline, gaps, breaking_changes, quality."),
   maxCommits: exports_external.number().int().min(1).max(1000).default(200).describe("Maximum recent commits to fetch for cross-referencing (1-1000)."),
+  maxTags: exports_external.number().int().min(1).max(1000).default(100).describe("Maximum recent tags to fetch for release context (1-1000). Applied at the git command so large tag catalogs do not bloat the response."),
   sinceTag: exports_external.string().optional().describe('Only include git history since this tag (e.g., "v1.2.0"). Narrows the analysis window.'),
   branch: CommitRefSchema.optional().describe("Branch to analyze (defaults to current branch).")
 });
@@ -145860,7 +145692,7 @@ async function gitChangelogAnalyzeLogic(input, { provider, targetPath, appContex
   }
   const [logResult, tagResult, statusResult] = await Promise.all([
     provider.log(logOptions, operationContext),
-    provider.tag({ mode: "list" }, operationContext),
+    provider.tag({ mode: "list", limit: input.maxTags }, operationContext),
     provider.status({ includeUntracked: false }, operationContext)
   ]);
   const reviewInstructions = buildReviewInstructions(input.reviewTypes);
@@ -145873,8 +145705,8 @@ async function gitChangelogAnalyzeLogic(input, { provider, targetPath, appContex
       commits: logResult.commits.map((c) => ({
         hash: c.shortHash,
         subject: c.subject,
-        author: c.author,
-        timestamp: c.timestamp,
+        author: c.author ?? "",
+        timestamp: c.timestamp ?? 0,
         ...c.refs && c.refs.length > 0 && { refs: c.refs }
       })),
       tags: (tagResult.tags ?? []).map((t2) => ({
@@ -146303,162 +146135,246 @@ var gitReflogTool = {
 
 // src/mcp-server/tools/definitions/git-set-working-dir.tool.ts
 init_zod();
+init_errors3();
+
+// src/mcp-server/tools/utils/repo-snapshot.ts
+init_zod();
+var RepoSnapshotStatusSchema = exports_external.object({
+  branch: exports_external.string().nullable().describe("Current branch (null on detached HEAD)."),
+  isClean: exports_external.boolean().describe("True when the working tree has no changes."),
+  staged: exports_external.array(exports_external.string()).describe("Paths staged for the next commit."),
+  unstaged: exports_external.array(exports_external.string()).describe("Paths with unstaged modifications."),
+  untracked: exports_external.array(exports_external.string()).describe("Untracked paths."),
+  conflicts: exports_external.array(exports_external.string()).describe("Paths with merge conflicts."),
+  upstream: exports_external.string().optional().describe("Upstream ref being tracked by the current branch."),
+  ahead: exports_external.number().int().optional().describe("Commits ahead of upstream (if tracking)."),
+  behind: exports_external.number().int().optional().describe("Commits behind upstream (if tracking).")
+});
+var RepoSnapshotCommitSchema = exports_external.object({
+  hash: exports_external.string().describe("Short commit hash."),
+  author: exports_external.string().describe("Author name."),
+  date: exports_external.string().describe("Author date (ISO 8601)."),
+  subject: exports_external.string().describe("First line of the commit message.")
+});
+var RepoSnapshotTagSchema = exports_external.object({
+  name: exports_external.string().describe("Tag name."),
+  date: exports_external.string().optional().describe("Creator date (ISO 8601); absent for lightweight tags with no metadata."),
+  tagger: exports_external.string().optional().describe("Tagger identity (annotated tags only)."),
+  annotationSubject: exports_external.string().optional().describe("First line of the tag annotation (annotated tags only)."),
+  annotationBody: exports_external.string().optional().describe("Remaining annotation body after the subject (annotated tags only).")
+});
+var RepoSnapshotRemoteSchema = exports_external.object({
+  name: exports_external.string().describe("Remote name."),
+  fetchUrl: exports_external.string().describe("Fetch URL."),
+  pushUrl: exports_external.string().describe("Push URL (may differ from fetch URL).")
+});
+var NOT_A_REPO_HINT = "Repository snapshot unavailable — the path may not be a git repository. Initialize it via git_init or point at an existing repo.";
+function reasonMessage(reason) {
+  if (reason instanceof Error)
+    return reason.message;
+  if (typeof reason === "string")
+    return reason;
+  if (reason === null || reason === undefined)
+    return "unknown error";
+  try {
+    return JSON.stringify(reason);
+  } catch {
+    return "unknown error";
+  }
+}
+function isNotARepoError(reason) {
+  if (!reason)
+    return false;
+  return /not a git repository/i.test(reasonMessage(reason));
+}
+function isEmptyRepoError(reason) {
+  if (!reason)
+    return false;
+  return /does not have any commits yet/i.test(reasonMessage(reason));
+}
+function toIsoDate(unixSeconds) {
+  if (typeof unixSeconds !== "number" || !Number.isFinite(unixSeconds)) {
+    return;
+  }
+  return new Date(unixSeconds * 1000).toISOString();
+}
+async function gatherRepoSnapshot(deps, options = {}) {
+  const { provider, appContext, workingDirectory } = deps;
+  const commitLimit = options.commitLimit ?? 2;
+  const tagLimit = options.tagLimit ?? 2;
+  const tenantId = appContext.tenantId || "default-tenant";
+  const context = {
+    workingDirectory,
+    requestContext: appContext,
+    tenantId
+  };
+  const fetchStatus = provider.status({ includeUntracked: true }, context);
+  const fetchLog = provider.log({ maxCount: commitLimit }, context);
+  const fetchTags = provider.tag({ mode: "list", limit: tagLimit }, context);
+  const fetchRemotes = options.includeRemotes ? provider.remote({ mode: "list" }, context) : Promise.resolve(undefined);
+  const [statusRes, logRes, tagsRes, remotesRes] = await Promise.allSettled([
+    fetchStatus,
+    fetchLog,
+    fetchTags,
+    fetchRemotes
+  ]);
+  const settled = [statusRes, logRes, tagsRes, remotesRes];
+  const rejections = settled.filter((s2) => s2.status === "rejected");
+  if (rejections.length > 0 && rejections.every((r2) => isNotARepoError(r2.reason))) {
+    logger.debug("Repository snapshot skipped: path is not a git repository", {
+      ...appContext,
+      workingDirectory
+    });
+    return { warnings: [NOT_A_REPO_HINT] };
+  }
+  const warnings = [];
+  const status = statusRes.status === "fulfilled" ? {
+    branch: statusRes.value.currentBranch,
+    isClean: statusRes.value.isClean,
+    staged: [
+      ...statusRes.value.stagedChanges.added ?? [],
+      ...statusRes.value.stagedChanges.modified ?? [],
+      ...statusRes.value.stagedChanges.deleted ?? [],
+      ...statusRes.value.stagedChanges.renamed ?? [],
+      ...statusRes.value.stagedChanges.copied ?? []
+    ],
+    unstaged: [
+      ...statusRes.value.unstagedChanges.added ?? [],
+      ...statusRes.value.unstagedChanges.modified ?? [],
+      ...statusRes.value.unstagedChanges.deleted ?? []
+    ],
+    untracked: statusRes.value.untrackedFiles,
+    conflicts: statusRes.value.conflictedFiles,
+    ...statusRes.value.upstream ? { upstream: statusRes.value.upstream } : {},
+    ...typeof statusRes.value.ahead === "number" ? { ahead: statusRes.value.ahead } : {},
+    ...typeof statusRes.value.behind === "number" ? { behind: statusRes.value.behind } : {}
+  } : {
+    branch: null,
+    isClean: false,
+    staged: [],
+    unstaged: [],
+    untracked: [],
+    conflicts: []
+  };
+  if (statusRes.status === "rejected") {
+    warnings.push(`status unavailable: ${reasonMessage(statusRes.reason)}`);
+  }
+  const recentCommits = logRes.status === "fulfilled" ? logRes.value.commits.map((commit) => ({
+    hash: commit.shortHash,
+    author: commit.author ?? "",
+    date: typeof commit.timestamp === "number" ? new Date(commit.timestamp * 1000).toISOString() : "",
+    subject: commit.subject
+  })) : [];
+  if (logRes.status === "rejected" && !isEmptyRepoError(logRes.reason)) {
+    warnings.push(`recent commits unavailable: ${reasonMessage(logRes.reason)}`);
+  }
+  const recentTags = tagsRes.status === "fulfilled" && tagsRes.value.mode === "list" ? (tagsRes.value.tags ?? []).map((tag) => {
+    const entry = { name: tag.name };
+    const date6 = toIsoDate(tag.timestamp);
+    if (date6)
+      entry.date = date6;
+    if (tag.tagger)
+      entry.tagger = tag.tagger;
+    if (tag.message)
+      entry.annotationSubject = tag.message;
+    if (tag.annotationBody)
+      entry.annotationBody = tag.annotationBody;
+    return entry;
+  }) : [];
+  if (tagsRes.status === "rejected") {
+    warnings.push(`recent tags unavailable: ${reasonMessage(tagsRes.reason)}`);
+  }
+  let remotes;
+  if (options.includeRemotes) {
+    if (remotesRes.status === "fulfilled" && remotesRes.value && remotesRes.value.mode === "list") {
+      remotes = (remotesRes.value.remotes ?? []).map((r2) => ({
+        name: r2.name,
+        fetchUrl: r2.fetchUrl,
+        pushUrl: r2.pushUrl
+      }));
+    } else if (remotesRes.status === "rejected") {
+      warnings.push(`remotes unavailable: ${reasonMessage(remotesRes.reason)}`);
+      remotes = [];
+    } else {
+      remotes = [];
+    }
+  }
+  const snapshot = {
+    status,
+    recentCommits,
+    recentTags,
+    ...remotes !== undefined ? { remotes } : {}
+  };
+  return { snapshot, warnings };
+}
+
+// src/mcp-server/tools/definitions/git-set-working-dir.tool.ts
 var TOOL_NAME8 = "git_set_working_dir";
 var TOOL_TITLE8 = "Git Set Working Directory";
-var TOOL_DESCRIPTION8 = "Set the session working directory for all git operations. This allows subsequent git commands to omit the path parameter and use this directory as the default.";
+var TOOL_DESCRIPTION8 = "Set the session working directory for all git operations so subsequent calls can omit the path parameter. Always returns a repository snapshot (status, recent commits, recent tags, remotes) to orient the caller.";
 var InputSchema8 = exports_external.object({
   path: exports_external.string().min(1).describe("Absolute path to the git repository to use as the working directory."),
   validateGitRepo: exports_external.boolean().default(true).describe("Validate that the path is a Git repository."),
-  initializeIfNotPresent: exports_external.boolean().default(false).describe("If not a Git repository, initialize it with 'git init'."),
-  includeMetadata: exports_external.boolean().default(false).describe("Include repository metadata (status, branches, remotes, recent commits) in the response. Set to true for immediate repository context understanding. Defaults to false to minimize response size.")
+  initializeIfNotPresent: exports_external.boolean().default(false).describe("If not a Git repository, initialize it with 'git init'.")
 });
 var OutputSchema9 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   path: exports_external.string().describe("The working directory that was set."),
   message: exports_external.string().describe("Confirmation message."),
-  repositoryContext: exports_external.object({
-    status: exports_external.object({
-      branch: exports_external.string().nullable().describe("Current branch name (null if detached HEAD)."),
-      isClean: exports_external.boolean().describe("True if working directory is clean."),
-      stagedCount: exports_external.number().int().describe("Number of staged files ready for commit."),
-      unstagedCount: exports_external.number().int().describe("Number of files with unstaged changes."),
-      untrackedCount: exports_external.number().int().describe("Number of untracked files."),
-      conflictsCount: exports_external.number().int().describe("Number of files with merge conflicts.")
-    }).describe("Current repository working tree status."),
-    branches: exports_external.object({
-      current: exports_external.string().nullable().describe("Current branch name (null if detached HEAD)."),
-      totalLocal: exports_external.number().int().describe("Total number of local branches."),
-      totalRemote: exports_external.number().int().describe("Total number of remote-tracking branches."),
-      upstream: exports_external.string().optional().describe("Upstream branch name if current branch is tracking one."),
-      ahead: exports_external.number().int().optional().describe("Commits ahead of upstream (if tracking)."),
-      behind: exports_external.number().int().optional().describe("Commits behind upstream (if tracking).")
-    }).describe("Branch information and tracking status."),
-    remotes: exports_external.array(exports_external.object({
-      name: exports_external.string().describe("Remote name."),
-      fetchUrl: exports_external.string().describe("Fetch URL."),
-      pushUrl: exports_external.string().describe("Push URL (may differ from fetch).")
-    })).describe("Configured remote repositories."),
-    recentCommits: exports_external.array(exports_external.object({
-      hash: exports_external.string().describe("Commit hash (short form)."),
-      author: exports_external.string().describe("Commit author name."),
-      date: exports_external.string().describe("Commit date (ISO 8601 format)."),
-      message: exports_external.string().describe("Commit message (first line).")
-    })).describe("Recent commits (up to 5 most recent).")
-  }).optional().describe("Rich repository metadata including status, branches, remotes, and recent history. Only included when includeMetadata parameter is true.")
-});
-async function gatherRepositoryContext(targetPath, dependencies) {
+  repository: exports_external.object({
+    status: RepoSnapshotStatusSchema,
+    recentCommits: exports_external.array(RepoSnapshotCommitSchema).describe("Up to 2 most recent commits on the current branch."),
+    recentTags: exports_external.array(RepoSnapshotTagSchema).describe("Up to 2 most recent tags by creator date."),
+    remotes: exports_external.array(RepoSnapshotRemoteSchema).describe("Configured remote repositories.")
+  }).optional().describe("Best-effort repository snapshot. Omitted when the path is not a git repository (see enrichmentWarnings)."),
+  enrichmentWarnings: exports_external.array(exports_external.string()).optional().describe("Actionable notes when snapshot gathering was skipped or partially failed.")
+});
+async function ensureRepositoryReady(input, dependencies, tenantId) {
+  if (!input.validateGitRepo)
+    return;
   const { provider, appContext } = dependencies;
-  const tenantId = appContext.tenantId || "default-tenant";
-  const context = {
-    workingDirectory: targetPath,
+  const opContext = {
+    workingDirectory: input.path,
     requestContext: appContext,
     tenantId
   };
   try {
-    const [
-      statusResult,
-      localBranchesResult,
-      remoteBranchesResult,
-      remotesResult,
-      logResult
-    ] = await Promise.allSettled([
-      provider.status({ includeUntracked: true }, context),
-      provider.branch({ mode: "list" }, context),
-      provider.branch({ mode: "list", remote: true }, context),
-      provider.remote({ mode: "list" }, context),
-      provider.log({ maxCount: 5 }, context)
-    ]);
-    const status = statusResult.status === "fulfilled" ? {
-      branch: statusResult.value.currentBranch,
-      isClean: statusResult.value.isClean,
-      stagedCount: (statusResult.value.stagedChanges.added?.length || 0) + (statusResult.value.stagedChanges.modified?.length || 0) + (statusResult.value.stagedChanges.deleted?.length || 0) + (statusResult.value.stagedChanges.renamed?.length || 0) + (statusResult.value.stagedChanges.copied?.length || 0),
-      unstagedCount: (statusResult.value.unstagedChanges.added?.length || 0) + (statusResult.value.unstagedChanges.modified?.length || 0) + (statusResult.value.unstagedChanges.deleted?.length || 0),
-      untrackedCount: statusResult.value.untrackedFiles.length,
-      conflictsCount: statusResult.value.conflictedFiles.length
-    } : {
-      branch: null,
-      isClean: false,
-      stagedCount: 0,
-      unstagedCount: 0,
-      untrackedCount: 0,
-      conflictsCount: 0
-    };
-    const localBranches = localBranchesResult.status === "fulfilled" && localBranchesResult.value.mode === "list" ? localBranchesResult.value.branches : [];
-    const remoteBranchCount = remoteBranchesResult.status === "fulfilled" && remoteBranchesResult.value.mode === "list" ? remoteBranchesResult.value.branches.length : 0;
-    const currentBranch = localBranches.find((b) => b.current);
-    const branches = {
-      current: currentBranch?.name || null,
-      totalLocal: localBranches.length,
-      totalRemote: remoteBranchCount,
-      upstream: currentBranch?.upstream,
-      ahead: currentBranch?.ahead,
-      behind: currentBranch?.behind
-    };
-    const remotes = remotesResult.status === "fulfilled" && remotesResult.value.mode === "list" ? remotesResult.value.remotes || [] : [];
-    const recentCommits = logResult.status === "fulfilled" ? logResult.value.commits.map((commit) => ({
-      hash: commit.shortHash,
-      author: commit.author,
-      date: new Date(commit.timestamp * 1000).toISOString(),
-      message: commit.subject
-    })) : [];
-    return {
-      status,
-      branches,
-      remotes,
-      recentCommits
-    };
-  } catch (error48) {
-    const { logger: logger3 } = await Promise.resolve().then(() => (init_utils(), exports_utils));
-    logger3.debug("Failed to gather repository context", {
-      ...appContext,
-      error: error48 instanceof Error ? error48.message : String(error48),
-      targetPath
-    });
+    await provider.validateRepository(input.path, opContext);
     return;
+  } catch (error48) {
+    if (input.initializeIfNotPresent) {
+      await provider.init({ path: input.path, initialBranch: "main", bare: false }, opContext);
+      return;
+    }
+    const original = error48 instanceof Error ? error48.message : String(error48);
+    throw new McpError(-32007 /* ValidationError */, `Path is not a git repository: ${input.path}. Pass initializeIfNotPresent: true to run 'git init' here, or point at an existing repository. Underlying error: ${original}`, { path: input.path });
   }
 }
 async function gitSetWorkingDirLogic(input, dependencies) {
   const { provider, storage, appContext } = dependencies;
   const tenantId = appContext.tenantId || "default-tenant";
-  if (input.validateGitRepo) {
-    try {
-      await provider.validateRepository(input.path, {
-        workingDirectory: input.path,
-        requestContext: appContext,
-        tenantId
-      });
-    } catch (error48) {
-      if (input.initializeIfNotPresent) {
-        await provider.init({
-          path: input.path,
-          initialBranch: "main",
-          bare: false
-        }, {
-          workingDirectory: input.path,
-          requestContext: appContext,
-          tenantId
-        });
-      } else {
-        throw error48;
-      }
-    }
-  }
+  await ensureRepositoryReady(input, dependencies, tenantId);
   const storageKey = `session:workingDir:${tenantId}`;
   await storage.set(storageKey, input.path, appContext);
-  const repositoryContext = input.includeMetadata ? await gatherRepositoryContext(input.path, dependencies) : undefined;
+  const { snapshot, warnings } = await gatherRepoSnapshot({ provider, appContext, workingDirectory: input.path }, { commitLimit: 2, tagLimit: 2, includeRemotes: true });
   return {
     success: true,
     path: input.path,
     message: `Working directory set to: ${input.path}`,
-    repositoryContext
+    ...snapshot ? {
+      repository: {
+        status: snapshot.status,
+        recentCommits: snapshot.recentCommits,
+        recentTags: snapshot.recentTags,
+        remotes: snapshot.remotes ?? []
+      }
+    } : {},
+    ...warnings.length > 0 ? { enrichmentWarnings: warnings } : {}
   };
 }
 function filterGitSetWorkingDirOutput(result, level) {
   if (level === "minimal") {
-    return {
-      success: result.success,
-      path: result.path
-    };
+    return { success: result.success, path: result.path };
   }
   return result;
 }
@@ -146488,6 +146404,9 @@ var InputSchema9 = exports_external.object({
 var OutputSchema10 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   currentBranch: exports_external.string().nullable().describe("Current branch name."),
+  upstream: exports_external.string().optional().describe("Upstream ref the current branch is tracking (if any)."),
+  ahead: exports_external.number().int().optional().describe("Commits ahead of upstream (if tracking)."),
+  behind: exports_external.number().int().optional().describe("Commits behind upstream (if tracking)."),
   isClean: exports_external.boolean().describe("True if working directory is clean (no staged, unstaged, or untracked changes). When includeUntracked is false, untracked files are excluded from this check."),
   stagedChanges: exports_external.object({
     added: exports_external.array(exports_external.string()).optional().describe("Files added to the index (staged)."),
@@ -146515,6 +146434,9 @@ async function gitStatusLogic(input, { provider, targetPath, appContext }) {
   return {
     success: true,
     currentBranch: result.currentBranch,
+    ...result.upstream !== undefined && { upstream: result.upstream },
+    ...result.ahead !== undefined && { ahead: result.ahead },
+    ...result.behind !== undefined && { behind: result.behind },
     isClean: result.isClean,
     stagedChanges: result.stagedChanges,
     unstagedChanges: result.unstagedChanges,
@@ -146548,26 +146470,24 @@ var gitStatusTool = {
 
 // src/mcp-server/tools/definitions/git-wrapup-instructions.tool.ts
 init_zod();
-init_utils();
 import { readFileSync } from "fs";
 import path4 from "path";
 init_config();
 var TOOL_NAME10 = "git_wrapup_instructions";
 var TOOL_TITLE10 = "Git Wrap-up Instructions";
-var TOOL_DESCRIPTION10 = "Returns a Git wrap-up protocol: an acceptance-criteria checklist the agent must satisfy before the session is considered shipped. Uses the operator's custom instructions if configured, otherwise emits a generic goals-strict/mechanism-generic default. Includes current repository status to guide next actions.";
+var TOOL_DESCRIPTION10 = "Returns a Git wrap-up protocol: an acceptance-criteria checklist the agent must satisfy before the session is considered shipped. Uses the operator's custom instructions if configured, otherwise emits a generic goals-strict/mechanism-generic default. Enriches the response with a repository snapshot (status, recent commits, recent tags) so the agent has immediate orientation for the commit and release steps.";
 var InputSchema10 = exports_external.object({
   acknowledgement: exports_external.enum(["Y", "y", "Yes", "yes"]).describe("Acknowledgement to initiate the wrap-up workflow."),
   createTag: exports_external.boolean().optional().describe("Controls whether the tag criterion appears in the emitted protocol. Omit or set `true` to include the tag step. Set `false` to omit it entirely — e.g., when tagging is deferred to a separate release step.")
 });
 var OutputSchema11 = exports_external.object({
-  instructions: exports_external.string().describe("The set of instructions for the wrap-up workflow."),
-  gitStatus: exports_external.object({
-    branch: exports_external.string().describe("Current branch name."),
-    staged: exports_external.array(exports_external.string()).describe("Files staged for commit."),
-    unstaged: exports_external.array(exports_external.string()).describe("Files with unstaged changes."),
-    untracked: exports_external.array(exports_external.string()).describe("Untracked files.")
-  }).optional().describe("The current structured git status."),
-  gitStatusError: exports_external.string().optional().describe("Any error message if getting git status failed.")
+  instructions: exports_external.string().describe("The wrap-up protocol to satisfy before the session ships."),
+  repository: exports_external.object({
+    status: RepoSnapshotStatusSchema,
+    recentCommits: exports_external.array(RepoSnapshotCommitSchema).describe("Up to 2 most recent commits on the current branch."),
+    recentTags: exports_external.array(RepoSnapshotTagSchema).describe("Up to 2 most recent tags by creator date.")
+  }).optional().describe("Best-effort repository snapshot. Omitted when no working directory is set or when the path is not a git repository."),
+  enrichmentWarnings: exports_external.array(exports_external.string()).optional().describe("Actionable notes when snapshot gathering was skipped or partially failed.")
 });
 function buildDefaultInstructions(input) {
   const tagCriterion = input.createTag === false ? "" : "\n- [ ] Annotated tag at the project's convention (typically `v<version>`) with a concise message summarizing the real changes — no filler. Flag if a tag already exists at this commit.";
@@ -146636,49 +146556,32 @@ var customInstructions = loadCustomInstructions(config2?.git?.wrapupInstructions
 async function gitWrapupInstructionsLogic(input, { provider, storage, appContext }) {
   const tenantId = appContext.tenantId || "default-tenant";
   const finalInstructions = customInstructions ?? buildDefaultInstructions(input);
-  let gitStatus;
-  let gitStatusError;
-  try {
-    const storageKey = `session:workingDir:${tenantId}`;
-    const workingDir = await storage.get(storageKey, appContext);
-    if (workingDir) {
-      const result = await provider.status({ includeUntracked: true }, {
-        workingDirectory: workingDir,
-        requestContext: appContext,
-        tenantId
-      });
-      gitStatus = {
-        branch: result.currentBranch || "detached HEAD",
-        staged: [
-          ...result.stagedChanges.added || [],
-          ...result.stagedChanges.modified || [],
-          ...result.stagedChanges.deleted || []
-        ],
-        unstaged: [
-          ...result.unstagedChanges.modified || [],
-          ...result.unstagedChanges.deleted || []
-        ],
-        untracked: result.untrackedFiles
-      };
-    } else {
-      gitStatusError = "No working directory set for session, git status skipped.";
-    }
-  } catch (error48) {
-    const errorMessage = error48 instanceof Error ? error48.message : "Unknown error";
-    gitStatusError = `Failed to get git status: ${errorMessage}`;
-    logger.warning(gitStatusError, { ...appContext, error: error48 });
+  const storageKey = `session:workingDir:${tenantId}`;
+  const workingDir = await storage.get(storageKey, appContext);
+  if (!workingDir) {
+    return {
+      instructions: finalInstructions,
+      enrichmentWarnings: [
+        "No session working directory set. Call git_set_working_dir first to include a repository snapshot (status, recent commits, recent tags) in this response."
+      ]
+    };
   }
+  const { snapshot, warnings } = await gatherRepoSnapshot({ provider, appContext, workingDirectory: workingDir }, { commitLimit: 2, tagLimit: 2 });
   return {
     instructions: finalInstructions,
-    gitStatus,
-    gitStatusError
+    ...snapshot ? {
+      repository: {
+        status: snapshot.status,
+        recentCommits: snapshot.recentCommits,
+        recentTags: snapshot.recentTags
+      }
+    } : {},
+    ...warnings.length > 0 ? { enrichmentWarnings: warnings } : {}
   };
 }
 function filterGitWrapupInstructionsOutput(result, level) {
   if (level === "minimal") {
-    return {
-      instructions: result.instructions
-    };
+    return { instructions: result.instructions };
   }
   return result;
 }
@@ -147110,7 +147013,8 @@ var CommitSchema = exports_external.object({
 var OutputSchema15 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   commits: exports_external.array(CommitSchema).describe("Array of commit objects."),
-  totalCount: exports_external.number().int().describe("Total number of commits returned (may be limited by maxCount).")
+  totalCount: exports_external.number().int().describe("Total number of commits returned (may be limited by maxCount)."),
+  note: exports_external.string().optional().describe("Set when filters returned zero commits. Echoes the criteria and suggests broadening so callers can self-correct without inspecting the request.")
 });
 async function gitLogLogic(input, { provider, targetPath, appContext }) {
   const result = await provider.log({
@@ -147131,15 +147035,25 @@ async function gitLogLogic(input, { provider, targetPath, appContext }) {
     requestContext: appContext,
     tenantId: appContext.tenantId || "default-tenant"
   });
-  const commits = input.oneline ? result.commits.map(({ hash: hash2, shortHash, subject }) => ({
-    hash: hash2,
-    shortHash,
-    subject
-  })) : result.commits;
+  const appliedFilters = [];
+  if (input.author)
+    appliedFilters.push(`author=${input.author}`);
+  if (input.grep)
+    appliedFilters.push(`grep=${input.grep}`);
+  if (input.since)
+    appliedFilters.push(`since=${input.since}`);
+  if (input.until)
+    appliedFilters.push(`until=${input.until}`);
+  if (input.filePath)
+    appliedFilters.push(`filePath=${input.filePath}`);
+  if (input.branch)
+    appliedFilters.push(`branch=${input.branch}`);
+  const note = result.commits.length === 0 && appliedFilters.length > 0 ? `No commits matched the applied filters (${appliedFilters.join(", ")}). Try removing filters or broadening the date/author/path criteria.` : undefined;
   return {
     success: true,
-    commits,
-    totalCount: result.totalCount
+    commits: result.commits,
+    totalCount: result.totalCount,
+    ...note && { note }
   };
 }
 function filterGitLogOutput(result, level) {
@@ -147258,7 +147172,8 @@ var InputSchema16 = exports_external.object({
   all: AllSchema.describe("For list operation: show both local and remote branches."),
   remote: exports_external.boolean().default(false).describe("For list operation: show only remote branches."),
   merged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches merged into HEAD (true) or specified commit (string)."),
-  noMerged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches not merged into HEAD (true) or specified commit (string).")
+  noMerged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches not merged into HEAD (true) or specified commit (string)."),
+  limit: LimitSchema.describe("For list operation: cap the number of branches returned (applied at the git command). Use on repos with many branches.")
 });
 var BranchInfoSchema = exports_external.object({
   name: exports_external.string().describe("Branch name."),
@@ -147277,18 +147192,18 @@ var OutputSchema17 = exports_external.object({
 });
 async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   if (input.operation === "show-current") {
-    const result2 = await provider.branch({ mode: "list" }, {
+    const result2 = await provider.branch({ mode: "show-current" }, {
       workingDirectory: targetPath,
       requestContext: appContext,
       tenantId: appContext.tenantId || "default-tenant"
     });
-    const current = result2.mode === "list" ? result2.branches.find((b) => b.current) : undefined;
+    const current = result2.mode === "show-current" ? result2.current : null;
     return {
       success: true,
       operation: "show-current",
       branches: undefined,
-      currentBranch: current?.name,
-      message: current ? `Current branch: ${current.name}` : "Not on any branch (detached HEAD)"
+      currentBranch: current ?? undefined,
+      message: current ? `Current branch: ${current}` : "Not on any branch (detached HEAD)"
     };
   }
   const { path: _path, operation, name, newName, ...rest } = input;
@@ -147318,6 +147233,9 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   if (rest.noMerged !== undefined) {
     branchOptions.noMerged = rest.noMerged;
   }
+  if (rest.limit !== undefined) {
+    branchOptions.limit = rest.limit;
+  }
   const result = await provider.branch(branchOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -147347,7 +147265,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
       currentBranch: undefined,
       message: `Branch '${result.deleted}' deleted successfully.`
     };
-  } else {
+  } else if (result.mode === "rename") {
     return {
       success: true,
       operation: "rename",
@@ -147356,6 +147274,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
       message: `Branch '${result.renamed.from}' renamed to '${result.renamed.to}'.`
     };
   }
+  throw new Error(`Unexpected branch result mode: ${result.mode}`);
 }
 function filterGitBranchOutput(result, level) {
   if (level === "minimal") {
@@ -148113,7 +148032,8 @@ var InputSchema26 = exports_external.object({
   message: exports_external.string().optional().describe("Stash message description (for push operation)."),
   stashRef: exports_external.string().optional().describe("Stash reference like stash@{0} (for pop/apply/drop operations)."),
   includeUntracked: exports_external.boolean().default(false).describe("Include untracked files in the stash (for push operation)."),
-  keepIndex: exports_external.boolean().default(false).describe("Don't revert staged changes (for push operation).")
+  keepIndex: exports_external.boolean().default(false).describe("Don't revert staged changes (for push operation)."),
+  limit: LimitSchema.describe("For list mode: cap the number of stash entries returned (applied at the git command).")
 });
 var StashInfoSchema = exports_external.object({
   ref: exports_external.string().describe("Stash reference (e.g., stash@{0})."),
@@ -148147,6 +148067,9 @@ async function gitStashLogic(input, { provider, targetPath, appContext }) {
   if (input.keepIndex !== undefined) {
     stashOptions.keepIndex = input.keepIndex;
   }
+  if (input.limit !== undefined) {
+    stashOptions.limit = input.limit;
+  }
   const result = await provider.stash(stashOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -148190,20 +148113,22 @@ init_zod();
 init_errors3();
 var TOOL_NAME27 = "git_tag";
 var TOOL_TITLE27 = "Git Tag";
-var TOOL_DESCRIPTION27 = "Manage tags: list all tags, create a new tag, or delete a tag. Tags are used to mark specific points in history (releases, milestones).";
+var TOOL_DESCRIPTION27 = "Manage tags: list all tags, create a new tag, delete a tag, or verify a signed tag. Tags are used to mark specific points in history (releases, milestones). Verify runs `git tag -v` and returns a structured result distinguishing unsigned tags, missing trust configuration, bad signatures, and valid signatures.";
 var InputSchema27 = exports_external.object({
   path: PathSchema,
-  mode: exports_external.enum(["list", "create", "delete"]).default("list").describe("The tag operation to perform."),
-  tagName: TagNameSchema.optional().describe("Tag name for create/delete operations."),
+  mode: exports_external.enum(["list", "create", "delete", "verify"]).default("list").describe("The tag operation to perform."),
+  tagName: TagNameSchema.optional().describe("Tag name for create/delete/verify operations."),
   commit: CommitRefSchema.optional().describe("Commit to tag (default: HEAD for create operation)."),
   message: exports_external.string().optional().describe("Tag message. Providing a message always produces an annotated tag (git does not support messages on lightweight tags). For release tags, summarize notable changes."),
   annotated: exports_external.boolean().default(false).describe('Create an annotated tag with a default "Tag <name>" message. Only effective when no message is provided and signing is disabled — otherwise the tag is always annotated.'),
-  force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete).")
+  force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete)."),
+  limit: LimitSchema.describe("For list mode: cap the number of tags returned (applied at the git command via `--count=N`). Use on repos with many tags.")
 });
 var TagInfoSchema = exports_external.object({
   name: exports_external.string().describe("Tag name."),
   commit: exports_external.string().describe("Commit hash the tag points to."),
-  message: exports_external.string().optional().describe("Tag message (for annotated tags)."),
+  message: exports_external.string().optional().describe("First line of the tag annotation (annotated tags only). See `annotationBody` for the remainder."),
+  annotationBody: exports_external.string().optional().describe("Remaining annotation body after the subject line (annotated tags only)."),
   tagger: exports_external.string().optional().describe("Tagger name and email."),
   timestamp: exports_external.number().int().optional().describe("Tag creation timestamp.")
 });
@@ -148214,10 +148139,17 @@ var OutputSchema28 = exports_external.object({
   created: exports_external.string().optional().describe("Created tag name (for create mode)."),
   deleted: exports_external.string().optional().describe("Deleted tag name (for delete mode)."),
   signed: exports_external.boolean().optional().describe("Whether the created tag was signed. Only populated for create mode. False when GIT_SIGN_COMMITS=false or when signing failed and fell back to unsigned."),
-  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback.")
+  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback."),
+  verifiedTag: exports_external.string().optional().describe("Verified tag name (for verify mode). Echoes the input so callers can correlate results in batched flows."),
+  verified: exports_external.boolean().optional().describe("Whether the signature validated (for verify mode). `false` for unsigned tags, missing trust config, bad signatures, or unparseable output — inspect `warning` to distinguish."),
+  signatureType: exports_external.enum(["gpg", "ssh", "x509"]).optional().describe("Signature algorithm family when detectable from `git tag -v` output (verify mode). Absent for unsigned tags or unparseable output."),
+  signerIdentity: exports_external.string().optional().describe("Signer identity as emitted by git — e.g., `Name <email>` for GPG or the SSH principal. Verify mode only."),
+  signerKey: exports_external.string().optional().describe("Key material emitted by git — GPG fingerprint/key ID or SSH key fingerprint (`SHA256:…`). Verify mode only; absent when git did not surface it."),
+  warning: exports_external.string().optional().describe("Populated on verify failure with a human-readable reason distinguishing unsigned tags, missing trust configuration, bad signatures, and unparseable output."),
+  rawOutput: exports_external.string().optional().describe("Raw stderr from `git tag -v` for callers that need the full verification output (verify mode only).")
 });
 async function gitTagLogic(input, { provider, targetPath, appContext }) {
-  if ((input.mode === "create" || input.mode === "delete") && !input.tagName) {
+  if ((input.mode === "create" || input.mode === "delete" || input.mode === "verify") && !input.tagName) {
     throw new McpError(-32602 /* InvalidParams */, `Tag name is required for ${input.mode} operation.`);
   }
   const tagOptions = {
@@ -148234,6 +148166,9 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (input.message !== undefined) {
     tagOptions.message = normalizeMessage(input.message);
   }
+  if (input.limit !== undefined) {
+    tagOptions.limit = input.limit;
+  }
   const result = await provider.tag(tagOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -148252,6 +148187,27 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (result.signingWarning) {
     output.signingWarning = result.signingWarning;
   }
+  if (result.verifiedTag !== undefined) {
+    output.verifiedTag = result.verifiedTag;
+  }
+  if (result.verified !== undefined) {
+    output.verified = result.verified;
+  }
+  if (result.signatureType !== undefined) {
+    output.signatureType = result.signatureType;
+  }
+  if (result.signerIdentity !== undefined) {
+    output.signerIdentity = result.signerIdentity;
+  }
+  if (result.signerKey !== undefined) {
+    output.signerKey = result.signerKey;
+  }
+  if (result.warning !== undefined) {
+    output.warning = result.warning;
+  }
+  if (result.rawOutput !== undefined) {
+    output.rawOutput = result.rawOutput;
+  }
   return output;
 }
 function filterGitTagOutput(result, level) {
@@ -148260,10 +148216,16 @@ function filterGitTagOutput(result, level) {
       success: result.success,
       mode: result.mode,
       ...result.signed !== undefined && { signed: result.signed },
-      ...result.signingWarning && { signingWarning: result.signingWarning }
+      ...result.signingWarning && { signingWarning: result.signingWarning },
+      ...result.verified !== undefined && { verified: result.verified },
+      ...result.warning && { warning: result.warning }
     };
   }
-  return result;
+  if (level === "full") {
+    return result;
+  }
+  const { rawOutput: _raw, ...rest } = result;
+  return rest;
 }
 var responseFormatter27 = createJsonFormatter({
   filter: filterGitTagOutput
@@ -148479,7 +148441,6 @@ var registerTools = (container4) => {
 };
 
 // src/mcp-server/server.ts
-init_utils();
 async function createMcpServerInstance() {
   const context = requestContextService.createRequestContext({
     operation: "createMcpServerInstance"
@@ -148523,7 +148484,6 @@ async function createMcpServerInstance() {
 
 // src/mcp-server/transports/manager.ts
 init_tokens();
-init_utils();
 var import_tsyringe14 = __toESM(require_cjs2(), 1);
 
 // node_modules/@modelcontextprotocol/sdk/dist/esm/server/auth/errors.js
@@ -151031,11 +150991,11 @@ var MemoryEventStore = class {
   #eventIdToStreamIdMap;
   #idGenerator;
   constructor(options = {}) {
-    const { streamBufferSize = 100, eventsPerStreamBufferSize = 100, idGenerator: idGenerator3 = () => crypto.randomUUID() } = options;
+    const { streamBufferSize = 100, eventsPerStreamBufferSize = 100, idGenerator: idGenerator2 = () => crypto.randomUUID() } = options;
     this.#idToIndexMap = /* @__PURE__ */ new Map;
     this.#eventIdToStreamIdMap = /* @__PURE__ */ new Map;
     this.#eventsPerStreamBufferSize = eventsPerStreamBufferSize;
-    this.#idGenerator = idGenerator3;
+    this.#idGenerator = idGenerator2;
     this.#items = new RingBuffer(streamBufferSize, ({ streamId, events }) => {
       this.#idToIndexMap.delete(streamId);
       events.reset();
@@ -152279,13 +152239,8 @@ var serve = (options, listeningListener) => {
 init_config();
 import http3 from "http";
 import { randomUUID } from "node:crypto";
-
-// src/mcp-server/transports/auth/index.ts
-init_authContext();
-
 // src/mcp-server/transports/auth/authFactory.ts
 init_config();
-init_utils();
 var import_tsyringe13 = __toESM(require_cjs2(), 1);
 
 // node_modules/jose/dist/webapi/lib/buffer_utils.js
@@ -153773,7 +153728,6 @@ function createRemoteJWKSet(url2, options) {
 // src/mcp-server/transports/auth/strategies/jwtStrategy.ts
 init_tokens();
 init_errors3();
-init_utils();
 var import_tsyringe11 = __toESM(require_cjs2(), 1);
 class JwtStrategy {
   config;
@@ -153782,9 +153736,9 @@ class JwtStrategy {
   env;
   devMcpClientId;
   devMcpScopes;
-  constructor(config3, logger3) {
+  constructor(config3, logger2) {
     this.config = config3;
-    this.logger = logger3;
+    this.logger = logger2;
     const context = requestContextService.createRequestContext({
       operation: "JwtStrategy.constructor"
     });
@@ -153889,15 +153843,14 @@ JwtStrategy = __legacyDecorateClassTS([
 // src/mcp-server/transports/auth/strategies/oauthStrategy.ts
 init_tokens();
 init_errors3();
-init_utils();
 var import_tsyringe12 = __toESM(require_cjs2(), 1);
 class OauthStrategy {
   config;
   logger;
   jwks;
-  constructor(config3, logger3) {
+  constructor(config3, logger2) {
     this.config = config3;
-    this.logger = logger3;
+    this.logger = logger2;
     const context = requestContextService.createRequestContext({
       operation: "OauthStrategy.constructor"
     });
@@ -154042,8 +153995,6 @@ function createAuthStrategy() {
 }
 // src/mcp-server/transports/auth/authMiddleware.ts
 init_errors3();
-init_utils();
-init_authContext();
 function createAuthMiddleware(strategy) {
   return async function authMiddleware(c, next) {
     const context = requestContextService.createRequestContext({
@@ -154092,7 +154043,6 @@ function createAuthMiddleware(strategy) {
 }
 // src/mcp-server/transports/http/httpErrorHandler.ts
 init_errors3();
-init_utils();
 var httpErrorHandler = async (err, c) => {
   const context = requestContextService.createRequestContext({
     operation: "httpErrorHandler",
@@ -154177,8 +154127,6 @@ var httpErrorHandler = async (err, c) => {
 };
 
 // src/mcp-server/transports/http/sessionManager.ts
-init_utils();
-
 class SessionManager {
   static instance = null;
   sessions = new Map;
@@ -154337,7 +154285,6 @@ class SessionManager {
 }
 
 // src/mcp-server/transports/http/httpTransport.ts
-init_utils();
 function createHttpApp(createMcpServer, parentContext) {
   const app = new Hono2;
   const transportContext = {
@@ -154713,7 +154660,6 @@ class StdioServerTransport {
 }
 
 // src/mcp-server/transports/stdio/stdioTransport.ts
-init_utils();
 async function startStdioTransport(server, parentContext) {
   const operationContext = {
     ...parentContext,
@@ -154760,9 +154706,9 @@ class TransportManager {
   logger;
   createMcpServer;
   serverInstance = null;
-  constructor(config3, logger3, createMcpServer) {
+  constructor(config3, logger2, createMcpServer) {
     this.config = config3;
-    this.logger = logger3;
+    this.logger = logger2;
     this.createMcpServer = createMcpServer;
   }
   async start() {
@@ -154815,7 +154761,6 @@ TransportManager = __legacyDecorateClassTS([
 ], TransportManager);
 
 // src/container/registrations/mcp.ts
-init_utils();
 var registerMcpServices = () => {
   import_tsyringe15.container.registerSingleton(ToolRegistry);
   import_tsyringe15.container.registerSingleton(ResourceRegistry);
@@ -154911,11 +154856,11 @@ var start = async () => {
   }
   await logger.initialize(validatedMcpLogLevel, config3.mcpTransportType);
   logger.info(`Logger initialized. Effective MCP logging level: ${validatedMcpLogLevel}.`, requestContextService.createRequestContext({ operation: "LoggerInit" }));
-  const runtime2 = detectRuntime();
+  const runtime = detectRuntime();
   const runtimeDesc = getRuntimeDescription();
   logger.info(`Runtime detected: ${runtimeDesc}`, requestContextService.createRequestContext({
     operation: "RuntimeDetection",
-    runtime: runtime2,
+    runtime,
     runtimeVersion: runtimeDesc
   }));
   logger.info(`Storage service initialized with provider: ${config3.storage.providerType}`, requestContextService.createRequestContext({ operation: "StorageInit" }));