@cyanheads/git-mcp-server 2.14.0 → 2.15.0

package/dist/index.js

@@ -15284,7 +15284,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@cyanheads/git-mcp-server",
-    version: "2.13.0",
+    version: "2.15.0",
     mcpName: "io.github.cyanheads/git-mcp-server",
     description: "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
     main: "dist/index.js",
@@ -15343,7 +15343,7 @@ var init_package = __esm(() => {
       "publish-mcp": "bun scripts/validate-mcp-publish-schema.ts"
     },
     devDependencies: {
-      "@cloudflare/workers-types": "^4.20260423.1",
+      "@cloudflare/workers-types": "^4.20260426.1",
       "@eslint/js": "^10.0.1",
       "@hono/mcp": "^0.2.5",
       "@hono/node-server": "^2.0.0",
@@ -15358,7 +15358,7 @@ var init_package = __esm(() => {
       "@opentelemetry/sdk-node": "^0.215.0",
       "@opentelemetry/sdk-trace-node": "^2.7.0",
       "@opentelemetry/semantic-conventions": "^1.40.0",
-      "@supabase/supabase-js": "^2.104.1",
+      "@supabase/supabase-js": "^2.105.1",
       "@types/bun": "^1.3.13",
       "@types/cross-spawn": "^6.0.6",
       "@types/node": "^25.6.0",
@@ -15370,19 +15370,19 @@ var init_package = __esm(() => {
       eslint: "^10.2.1",
       execa: "^9.6.1",
       globals: "^17.5.0",
-      hono: "^4.12.14",
+      hono: "^4.12.15",
       husky: "^9.1.7",
       ignore: "^7.0.5",
-      jose: "^6.2.2",
-      msw: "^2.13.5",
+      jose: "^6.2.3",
+      msw: "^2.13.6",
       prettier: "^3.8.3",
       "reflect-metadata": "^0.2.2",
-      repomix: "^1.13.1",
+      repomix: "^1.14.0",
       tslib: "^2.8.1",
       tsyringe: "^4.10.0",
       typedoc: "^0.28.19",
       typescript: "^6.0.3",
-      "typescript-eslint": "^8.59.0",
+      "typescript-eslint": "^8.59.1",
       validator: "^13.15.35",
       vite: "^8.0.10",
       "vite-tsconfig-paths": "^6.1.1",
@@ -114286,7 +114286,7 @@ Suggested solution: ${env.workaround}`;
 var require_version48 = __commonJS((exports) => {
   Object.defineProperty(exports, "__esModule", { value: true });
   exports.version = undefined;
-  exports.version = "2.104.1";
+  exports.version = "2.105.1";
 });
 
 // node_modules/@supabase/realtime-js/dist/main/lib/constants.js
@@ -115806,7 +115806,7 @@ var require_phoenix_cjs = __commonJS((exports, module) => {
         } catch (e2) {
           this.log("error", "error in heartbeat callback", e2);
         }
-        this.triggerChanError();
+        this.triggerChanError(new Error("heartbeat timeout"));
         this.closeWasClean = false;
         this.teardown(() => this.reconnectTimer.scheduleTimeout(), WS_CLOSE_NORMAL, "heartbeat timeout");
       }
@@ -115865,7 +115865,7 @@ var require_phoenix_cjs = __commonJS((exports, module) => {
         this.conn.onclose = () => {};
       if (this.hasLogger())
         this.log("transport", "close", event);
-      this.triggerChanError();
+      this.triggerChanError(event);
       this.clearHeartbeats();
       if (!this.closeWasClean) {
         this.reconnectTimer.scheduleTimeout();
@@ -115874,18 +115874,18 @@ var require_phoenix_cjs = __commonJS((exports, module) => {
     }
     onConnError(error48) {
       if (this.hasLogger())
-        this.log("transport", error48);
+        this.log("transport", "error", error48);
       let transportBefore = this.transport;
       let establishedBefore = this.establishedConnections;
       this.triggerStateCallbacks("error", error48, transportBefore, establishedBefore);
       if (transportBefore === this.transport || establishedBefore > 0) {
-        this.triggerChanError();
+        this.triggerChanError(error48);
       }
     }
-    triggerChanError() {
+    triggerChanError(reason) {
       this.channels.forEach((channel) => {
         if (!(channel.isErrored() || channel.isLeaving() || channel.isClosed())) {
-          channel.trigger(CHANNEL_EVENTS.error);
+          channel.trigger(CHANNEL_EVENTS.error, reason);
         }
       });
     }
@@ -116120,6 +116120,29 @@ var require_RealtimePresence = __commonJS((exports) => {
   exports.default = RealtimePresence;
 });
 
+// node_modules/@supabase/realtime-js/dist/main/lib/normalizeChannelError.js
+var require_normalizeChannelError = __commonJS((exports) => {
+  Object.defineProperty(exports, "__esModule", { value: true });
+  exports.normalizeChannelError = normalizeChannelError;
+  function normalizeChannelError(reason) {
+    if (reason instanceof Error) {
+      return reason;
+    }
+    if (typeof reason === "string") {
+      return new Error(reason);
+    }
+    if (reason && typeof reason === "object") {
+      const obj = reason;
+      if (typeof obj.code === "number") {
+        const detail = typeof obj.reason === "string" && obj.reason ? ` (${obj.reason})` : "";
+        return new Error(`socket closed: ${obj.code}${detail}`, { cause: reason });
+      }
+      return new Error("channel error: transport failure", { cause: reason });
+    }
+    return new Error("channel error: connection lost");
+  }
+});
+
 // node_modules/@supabase/realtime-js/dist/main/phoenix/channelAdapter.js
 var require_channelAdapter = __commonJS((exports) => {
   Object.defineProperty(exports, "__esModule", { value: true });
@@ -116231,6 +116254,7 @@ var require_RealtimeChannel = __commonJS((exports) => {
   var RealtimePresence_1 = tslib_1.__importDefault(require_RealtimePresence());
   var Transformers = tslib_1.__importStar(require_transformers());
   var transformers_1 = require_transformers();
+  var normalizeChannelError_1 = require_normalizeChannelError();
   var channelAdapter_1 = tslib_1.__importDefault(require_channelAdapter());
   var REALTIME_POSTGRES_CHANGES_LISTEN_EVENT;
   (function(REALTIME_POSTGRES_CHANGES_LISTEN_EVENT2) {
@@ -116318,7 +116342,7 @@ var require_RealtimeChannel = __commonJS((exports) => {
           accessTokenPayload.access_token = this.socket.accessTokenValue;
         }
         this._onError((reason) => {
-          callback === null || callback === undefined || callback(REALTIME_SUBSCRIBE_STATES.CHANNEL_ERROR, reason);
+          callback === null || callback === undefined || callback(REALTIME_SUBSCRIBE_STATES.CHANNEL_ERROR, (0, normalizeChannelError_1.normalizeChannelError)(reason));
         });
         this._onClose(() => callback === null || callback === undefined ? undefined : callback(REALTIME_SUBSCRIBE_STATES.CLOSED));
         this.updateJoinPayload(Object.assign({ config: config3 }, accessTokenPayload));
@@ -116334,7 +116358,8 @@ var require_RealtimeChannel = __commonJS((exports) => {
           this._updatePostgresBindings(postgres_changes2, callback);
         }).receive("error", (error48) => {
           this.state = constants_1.CHANNEL_STATES.errored;
-          callback === null || callback === undefined || callback(REALTIME_SUBSCRIBE_STATES.CHANNEL_ERROR, new Error(JSON.stringify(Object.values(error48).join(", ") || "error")));
+          const message = Object.values(error48).join(", ") || "error";
+          callback === null || callback === undefined || callback(REALTIME_SUBSCRIBE_STATES.CHANNEL_ERROR, new Error(message, { cause: error48 }));
         }).receive("timeout", () => {
           callback === null || callback === undefined || callback(REALTIME_SUBSCRIBE_STATES.TIMED_OUT);
         });
@@ -116799,6 +116824,8 @@ var require_RealtimeClient = __commonJS((exports) => {
       this._authPromise = null;
       this._workerHeartbeatTimer = undefined;
       this._pendingWorkerHeartbeatRef = null;
+      this._pendingDisconnectTimer = null;
+      this._disconnectOnEmptyChannelsAfterMs = 0;
       this._resolveFetch = (customFetch) => {
         if (customFetch) {
           return (...args) => customFetch(...args);
@@ -116850,6 +116877,7 @@ var require_RealtimeClient = __commonJS((exports) => {
       return this.socketAdapter.endPointURL();
     }
     async disconnect(code, reason) {
+      this._cancelPendingDisconnect();
       if (this.isDisconnecting()) {
         return "ok";
       }
@@ -116866,9 +116894,6 @@ var require_RealtimeClient = __commonJS((exports) => {
       if (status === "ok") {
         channel.teardown();
       }
-      if (this.channels.length === 0) {
-        this.disconnect();
-      }
       return status;
     }
     async removeAllChannels() {
@@ -116878,7 +116903,7 @@ var require_RealtimeClient = __commonJS((exports) => {
         return result2;
       });
       const result = await Promise.all(promises);
-      this.disconnect();
+      await this.disconnect();
       return result;
     }
     log(kind, msg, data) {
@@ -116901,6 +116926,7 @@ var require_RealtimeClient = __commonJS((exports) => {
       const exists = this.getChannels().find((c) => c.topic === realtimeTopic);
       if (!exists) {
         const chan = new RealtimeChannel_1.default(`realtime:${topic}`, params, this);
+        this._cancelPendingDisconnect();
         this.channels.push(chan);
         return chan;
       } else {
@@ -116932,6 +116958,33 @@ var require_RealtimeClient = __commonJS((exports) => {
     }
     _remove(channel) {
       this.channels = this.channels.filter((c) => c.topic !== channel.topic);
+      if (this.channels.length === 0) {
+        this.log("transport", "no channels remaining, scheduling disconnect");
+        this._schedulePendingDisconnect();
+      }
+    }
+    _schedulePendingDisconnect() {
+      this._cancelPendingDisconnect();
+      if (this._disconnectOnEmptyChannelsAfterMs === 0) {
+        this.log("transport", "disconnecting immediately - no channels");
+        this.disconnect();
+        return;
+      }
+      this._pendingDisconnectTimer = setTimeout(() => {
+        this._pendingDisconnectTimer = null;
+        if (this.channels.length === 0) {
+          this.log("transport", "deferred disconnect fired - no channels, disconnecting");
+          this.disconnect();
+        }
+      }, this._disconnectOnEmptyChannelsAfterMs);
+      this.log("transport", `deferred disconnect scheduled in ${this._disconnectOnEmptyChannelsAfterMs}ms`);
+    }
+    _cancelPendingDisconnect() {
+      if (this._pendingDisconnectTimer !== null) {
+        this.log("transport", "pending disconnect cancelled - channel activity detected");
+        clearTimeout(this._pendingDisconnectTimer);
+        this._pendingDisconnectTimer = null;
+      }
     }
     async _performAuth(token = null) {
       let tokenToSend;
@@ -117057,22 +117110,23 @@ var require_RealtimeClient = __commonJS((exports) => {
       return result_url;
     }
     _initializeOptions(options) {
-      var _a2, _b, _c, _d, _e, _f, _g, _h, _j;
+      var _a2, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
       this.worker = (_a2 = options === null || options === undefined ? undefined : options.worker) !== null && _a2 !== undefined ? _a2 : false;
       this.accessToken = (_b = options === null || options === undefined ? undefined : options.accessToken) !== null && _b !== undefined ? _b : null;
       const result = {};
       result.timeout = (_c = options === null || options === undefined ? undefined : options.timeout) !== null && _c !== undefined ? _c : constants_1.DEFAULT_TIMEOUT;
       result.heartbeatIntervalMs = (_d = options === null || options === undefined ? undefined : options.heartbeatIntervalMs) !== null && _d !== undefined ? _d : CONNECTION_TIMEOUTS.HEARTBEAT_INTERVAL;
-      result.transport = (_e = options === null || options === undefined ? undefined : options.transport) !== null && _e !== undefined ? _e : websocket_factory_1.default.getWebSocketConstructor();
+      this._disconnectOnEmptyChannelsAfterMs = (_e = options === null || options === undefined ? undefined : options.disconnectOnEmptyChannelsAfterMs) !== null && _e !== undefined ? _e : 2 * ((_f = options === null || options === undefined ? undefined : options.heartbeatIntervalMs) !== null && _f !== undefined ? _f : CONNECTION_TIMEOUTS.HEARTBEAT_INTERVAL);
+      result.transport = (_g = options === null || options === undefined ? undefined : options.transport) !== null && _g !== undefined ? _g : websocket_factory_1.default.getWebSocketConstructor();
       result.params = options === null || options === undefined ? undefined : options.params;
       result.logger = options === null || options === undefined ? undefined : options.logger;
       result.heartbeatCallback = this._wrapHeartbeatCallback(options === null || options === undefined ? undefined : options.heartbeatCallback);
-      result.reconnectAfterMs = (_f = options === null || options === undefined ? undefined : options.reconnectAfterMs) !== null && _f !== undefined ? _f : (tries) => {
+      result.reconnectAfterMs = (_h = options === null || options === undefined ? undefined : options.reconnectAfterMs) !== null && _h !== undefined ? _h : (tries) => {
         return RECONNECT_INTERVALS[tries - 1] || DEFAULT_RECONNECT_FALLBACK;
       };
       let defaultEncode;
       let defaultDecode;
-      const vsn = (_g = options === null || options === undefined ? undefined : options.vsn) !== null && _g !== undefined ? _g : constants_1.DEFAULT_VSN;
+      const vsn = (_j = options === null || options === undefined ? undefined : options.vsn) !== null && _j !== undefined ? _j : constants_1.DEFAULT_VSN;
       switch (vsn) {
         case constants_1.VSN_1_0_0:
           defaultEncode = (payload, callback) => {
@@ -117090,8 +117144,8 @@ var require_RealtimeClient = __commonJS((exports) => {
           throw new Error(`Unsupported serializer version: ${result.vsn}`);
       }
       result.vsn = vsn;
-      result.encode = (_h = options === null || options === undefined ? undefined : options.encode) !== null && _h !== undefined ? _h : defaultEncode;
-      result.decode = (_j = options === null || options === undefined ? undefined : options.decode) !== null && _j !== undefined ? _j : defaultDecode;
+      result.encode = (_k = options === null || options === undefined ? undefined : options.encode) !== null && _k !== undefined ? _k : defaultEncode;
+      result.decode = (_l = options === null || options === undefined ? undefined : options.decode) !== null && _l !== undefined ? _l : defaultDecode;
       result.beforeReconnect = this._reconnectAuth.bind(this);
       if ((options === null || options === undefined ? undefined : options.logLevel) || (options === null || options === undefined ? undefined : options.log_level)) {
         this.logLevel = options.logLevel || options.log_level;
@@ -117150,7 +117204,7 @@ var require_main3 = __commonJS((exports) => {
 var require_version49 = __commonJS((exports) => {
   Object.defineProperty(exports, "__esModule", { value: true });
   exports.version = undefined;
-  exports.version = "2.104.1";
+  exports.version = "2.105.1";
 });
 
 // node_modules/@supabase/auth-js/dist/main/lib/constants.js
@@ -117543,6 +117597,7 @@ var require_helpers2 = __commonJS((exports) => {
   exports.validateExp = validateExp;
   exports.getAlgorithm = getAlgorithm;
   exports.validateUUID = validateUUID;
+  exports.assertPasskeyExperimentalEnabled = assertPasskeyExperimentalEnabled;
   exports.userNotAvailableProxy = userNotAvailableProxy;
   exports.insecureUserWarningProxy = insecureUserWarningProxy;
   exports.deepClone = deepClone;
@@ -117787,6 +117842,11 @@ var require_helpers2 = __commonJS((exports) => {
       throw new Error("@supabase/auth-js: Expected parameter to be UUID but is not");
     }
   }
+  function assertPasskeyExperimentalEnabled(experimental) {
+    if (!experimental.passkey) {
+      throw new Error("@supabase/auth-js: the passkey API is experimental and disabled by default. Enable it by passing `auth: { experimental: { passkey: true } }` to createClient (or to the GoTrueClient constructor).");
+    }
+  }
   function userNotAvailableProxy() {
     const proxyTarget = {};
     return new Proxy(proxyTarget, {
@@ -118004,10 +118064,11 @@ var require_GoTrueAdminApi = __commonJS((exports) => {
   var errors_1 = require_errors2();
 
   class GoTrueAdminApi {
-    constructor({ url: url2 = "", headers = {}, fetch: fetch3 }) {
+    constructor({ url: url2 = "", headers = {}, fetch: fetch3, experimental }) {
       this.url = url2;
       this.headers = headers;
       this.fetch = (0, helpers_1.resolveFetch)(fetch3);
+      this.experimental = experimental !== null && experimental !== undefined ? experimental : {};
       this.mfa = {
         listFactors: this._listFactors.bind(this),
         deleteFactor: this._deleteFactor.bind(this)
@@ -118027,6 +118088,10 @@ var require_GoTrueAdminApi = __commonJS((exports) => {
         updateProvider: this._updateCustomProvider.bind(this),
         deleteProvider: this._deleteCustomProvider.bind(this)
       };
+      this.passkey = {
+        listPasskeys: this._adminListPasskeys.bind(this),
+        deletePasskey: this._adminDeletePasskey.bind(this)
+      };
     }
     async signOut(jwt2, scope = types_1.SIGN_OUT_SCOPES[0]) {
       if (types_1.SIGN_OUT_SCOPES.indexOf(scope) < 0) {
@@ -118406,6 +118471,32 @@ var require_GoTrueAdminApi = __commonJS((exports) => {
         throw error48;
       }
     }
+    async _adminListPasskeys(params) {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      (0, helpers_1.validateUUID)(params.userId);
+      try {
+        return await (0, fetch_1._request)(this.fetch, "GET", `${this.url}/admin/users/${params.userId}/passkeys`, { headers: this.headers, xform: (data) => ({ data, error: null }) });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return { data: null, error: error48 };
+        }
+        throw error48;
+      }
+    }
+    async _adminDeletePasskey(params) {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      (0, helpers_1.validateUUID)(params.userId);
+      (0, helpers_1.validateUUID)(params.passkeyId);
+      try {
+        await (0, fetch_1._request)(this.fetch, "DELETE", `${this.url}/admin/users/${params.userId}/passkeys/${params.passkeyId}`, { headers: this.headers, noResolveJson: true });
+        return { data: null, error: null };
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return { data: null, error: error48 };
+        }
+        throw error48;
+      }
+    }
   }
   exports.default = GoTrueAdminApi;
 });
@@ -118893,6 +118984,7 @@ var require_webauthn = __commonJS((exports) => {
   exports.serializeCredentialCreationResponse = serializeCredentialCreationResponse;
   exports.serializeCredentialRequestResponse = serializeCredentialRequestResponse;
   exports.isValidDomain = isValidDomain;
+  exports.browserSupportsWebAuthn = browserSupportsWebAuthn;
   exports.createCredential = createCredential;
   exports.getCredential = getCredential;
   exports.mergeCredentialCreationOptions = mergeCredentialCreationOptions;
@@ -119366,7 +119458,8 @@ var require_GoTrueClient = __commonJS((exports) => {
     hasCustomAuthorizationHeader: false,
     throwOnError: false,
     lockAcquireTimeout: 5000,
-    skipAutoInitialize: false
+    skipAutoInitialize: false,
+    experimental: {}
   };
   async function lockNoOp(name, acquireTimeout, fn) {
     return await fn();
@@ -119389,7 +119482,7 @@ var require_GoTrueClient = __commonJS((exports) => {
       GLOBAL_JWKS[this.storageKey] = Object.assign(Object.assign({}, GLOBAL_JWKS[this.storageKey]), { cachedAt: value });
     }
     constructor(options) {
-      var _a2, _b, _c;
+      var _a2, _b, _c, _d;
       this.userStorage = null;
       this.memoryStorage = null;
       this.stateChangeEmitters = new Map;
@@ -119422,10 +119515,12 @@ var require_GoTrueClient = __commonJS((exports) => {
       }
       this.persistSession = settings.persistSession;
       this.autoRefreshToken = settings.autoRefreshToken;
+      this.experimental = (_b = settings.experimental) !== null && _b !== undefined ? _b : {};
       this.admin = new GoTrueAdminApi_1.default({
         url: settings.url,
         headers: settings.headers,
-        fetch: settings.fetch
+        fetch: settings.fetch,
+        experimental: this.experimental
       });
       this.url = settings.url;
       this.headers = settings.headers;
@@ -119438,7 +119533,7 @@ var require_GoTrueClient = __commonJS((exports) => {
       this.lockAcquireTimeout = settings.lockAcquireTimeout;
       if (settings.lock) {
         this.lock = settings.lock;
-      } else if (this.persistSession && (0, helpers_1.isBrowser)() && ((_b = globalThis === null || globalThis === undefined ? undefined : globalThis.navigator) === null || _b === undefined ? undefined : _b.locks)) {
+      } else if (this.persistSession && (0, helpers_1.isBrowser)() && ((_c = globalThis === null || globalThis === undefined ? undefined : globalThis.navigator) === null || _c === undefined ? undefined : _c.locks)) {
         this.lock = locks_1.navigatorLock;
       } else {
         this.lock = lockNoOp;
@@ -119464,6 +119559,15 @@ var require_GoTrueClient = __commonJS((exports) => {
         listGrants: this._listOAuthGrants.bind(this),
         revokeGrant: this._revokeOAuthGrant.bind(this)
       };
+      this.passkey = {
+        startRegistration: this._startPasskeyRegistration.bind(this),
+        verifyRegistration: this._verifyPasskeyRegistration.bind(this),
+        startAuthentication: this._startPasskeyAuthentication.bind(this),
+        verifyAuthentication: this._verifyPasskeyAuthentication.bind(this),
+        list: this._listPasskeys.bind(this),
+        update: this._updatePasskey.bind(this),
+        delete: this._deletePasskey.bind(this)
+      };
       if (this.persistSession) {
         if (settings.storage) {
           this.storage = settings.storage;
@@ -119488,7 +119592,7 @@ var require_GoTrueClient = __commonJS((exports) => {
         } catch (e2) {
           console.error("Failed to create a new BroadcastChannel, multi-tab state changes will not be available", e2);
         }
-        (_c = this.broadcastChannel) === null || _c === undefined || _c.addEventListener("message", async (event) => {
+        (_d = this.broadcastChannel) === null || _d === undefined || _d.addEventListener("message", async (event) => {
           this._debug("received broadcast notification from other tab or client", event);
           try {
             await this._notifyAllSubscribers(event.data.event, event.data.session, false);
@@ -121576,6 +121680,274 @@ var require_GoTrueClient = __commonJS((exports) => {
         throw error48;
       }
     }
+    async signInWithPasskey(credentials) {
+      var _a2, _b, _c;
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        if (!(0, webauthn_1.browserSupportsWebAuthn)()) {
+          return this._returnResult({
+            data: null,
+            error: new errors_1.AuthUnknownError("Browser does not support WebAuthn", null)
+          });
+        }
+        const { data: options, error: optionsError } = await this._startPasskeyAuthentication({
+          options: { captchaToken: (_a2 = credentials === null || credentials === undefined ? undefined : credentials.options) === null || _a2 === undefined ? undefined : _a2.captchaToken }
+        });
+        if (optionsError || !options) {
+          return this._returnResult({ data: null, error: optionsError });
+        }
+        const publicKeyOptions = (0, webauthn_1.deserializeCredentialRequestOptions)(options.options);
+        const signal = (_c = (_b = credentials === null || credentials === undefined ? undefined : credentials.options) === null || _b === undefined ? undefined : _b.signal) !== null && _c !== undefined ? _c : webauthn_1.webAuthnAbortService.createNewAbortSignal();
+        const { data: credential, error: credentialError } = await (0, webauthn_1.getCredential)({
+          publicKey: publicKeyOptions,
+          signal
+        });
+        if (credentialError || !credential) {
+          return this._returnResult({
+            data: null,
+            error: credentialError !== null && credentialError !== undefined ? credentialError : new errors_1.AuthUnknownError("WebAuthn ceremony failed", null)
+          });
+        }
+        const serialized = (0, webauthn_1.serializeCredentialRequestResponse)(credential);
+        return this._verifyPasskeyAuthentication({
+          challengeId: options.challenge_id,
+          credential: serialized
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async registerPasskey(credentials) {
+      var _a2, _b;
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        if (!(0, webauthn_1.browserSupportsWebAuthn)()) {
+          return this._returnResult({
+            data: null,
+            error: new errors_1.AuthUnknownError("Browser does not support WebAuthn", null)
+          });
+        }
+        const { data: options, error: optionsError } = await this._startPasskeyRegistration();
+        if (optionsError || !options) {
+          return this._returnResult({ data: null, error: optionsError });
+        }
+        const publicKeyOptions = (0, webauthn_1.deserializeCredentialCreationOptions)(options.options);
+        const signal = (_b = (_a2 = credentials === null || credentials === undefined ? undefined : credentials.options) === null || _a2 === undefined ? undefined : _a2.signal) !== null && _b !== undefined ? _b : webauthn_1.webAuthnAbortService.createNewAbortSignal();
+        const { data: credential, error: credentialError } = await (0, webauthn_1.createCredential)({
+          publicKey: publicKeyOptions,
+          signal
+        });
+        if (credentialError || !credential) {
+          return this._returnResult({
+            data: null,
+            error: credentialError !== null && credentialError !== undefined ? credentialError : new errors_1.AuthUnknownError("WebAuthn ceremony failed", null)
+          });
+        }
+        const serialized = (0, webauthn_1.serializeCredentialCreationResponse)(credential);
+        return this._verifyPasskeyRegistration({
+          challengeId: options.challenge_id,
+          credential: serialized
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _startPasskeyRegistration() {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        return await this._useSession(async (result) => {
+          const { data: { session }, error: sessionError } = result;
+          if (sessionError) {
+            return this._returnResult({ data: null, error: sessionError });
+          }
+          if (!session) {
+            return this._returnResult({ data: null, error: new errors_1.AuthSessionMissingError });
+          }
+          const { data, error: error48 } = await (0, fetch_1._request)(this.fetch, "POST", `${this.url}/passkeys/registration/options`, {
+            headers: this.headers,
+            jwt: session.access_token,
+            body: {}
+          });
+          if (error48) {
+            return this._returnResult({ data: null, error: error48 });
+          }
+          return this._returnResult({ data, error: null });
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _verifyPasskeyRegistration(params) {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        return await this._useSession(async (result) => {
+          const { data: { session }, error: sessionError } = result;
+          if (sessionError) {
+            return this._returnResult({ data: null, error: sessionError });
+          }
+          if (!session) {
+            return this._returnResult({ data: null, error: new errors_1.AuthSessionMissingError });
+          }
+          const { data, error: error48 } = await (0, fetch_1._request)(this.fetch, "POST", `${this.url}/passkeys/registration/verify`, {
+            headers: this.headers,
+            jwt: session.access_token,
+            body: {
+              challenge_id: params.challengeId,
+              credential: params.credential
+            }
+          });
+          if (error48) {
+            return this._returnResult({ data: null, error: error48 });
+          }
+          return this._returnResult({ data, error: null });
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _startPasskeyAuthentication(params) {
+      var _a2;
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        const { data, error: error48 } = await (0, fetch_1._request)(this.fetch, "POST", `${this.url}/passkeys/authentication/options`, {
+          headers: this.headers,
+          body: {
+            gotrue_meta_security: { captcha_token: (_a2 = params === null || params === undefined ? undefined : params.options) === null || _a2 === undefined ? undefined : _a2.captchaToken }
+          }
+        });
+        if (error48) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        return this._returnResult({ data, error: null });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _verifyPasskeyAuthentication(params) {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        const { data, error: error48 } = await (0, fetch_1._request)(this.fetch, "POST", `${this.url}/passkeys/authentication/verify`, {
+          headers: this.headers,
+          body: {
+            challenge_id: params.challengeId,
+            credential: params.credential
+          },
+          xform: fetch_1._sessionResponse
+        });
+        if (error48) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        if (data.session) {
+          await this._saveSession(data.session);
+          await this._notifyAllSubscribers("SIGNED_IN", data.session);
+        }
+        return this._returnResult({ data, error: null });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _listPasskeys() {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        return await this._useSession(async (result) => {
+          const { data: { session }, error: sessionError } = result;
+          if (sessionError) {
+            return this._returnResult({ data: null, error: sessionError });
+          }
+          if (!session) {
+            return this._returnResult({ data: null, error: new errors_1.AuthSessionMissingError });
+          }
+          const { data, error: error48 } = await (0, fetch_1._request)(this.fetch, "GET", `${this.url}/passkeys`, {
+            headers: this.headers,
+            jwt: session.access_token,
+            xform: (data2) => ({ data: data2, error: null })
+          });
+          if (error48) {
+            return this._returnResult({ data: null, error: error48 });
+          }
+          return this._returnResult({ data, error: null });
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _updatePasskey(params) {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        return await this._useSession(async (result) => {
+          const { data: { session }, error: sessionError } = result;
+          if (sessionError) {
+            return this._returnResult({ data: null, error: sessionError });
+          }
+          if (!session) {
+            return this._returnResult({ data: null, error: new errors_1.AuthSessionMissingError });
+          }
+          const { data, error: error48 } = await (0, fetch_1._request)(this.fetch, "PATCH", `${this.url}/passkeys/${params.passkeyId}`, {
+            headers: this.headers,
+            jwt: session.access_token,
+            body: { friendly_name: params.friendlyName }
+          });
+          if (error48) {
+            return this._returnResult({ data: null, error: error48 });
+          }
+          return this._returnResult({ data, error: null });
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
+    async _deletePasskey(params) {
+      (0, helpers_1.assertPasskeyExperimentalEnabled)(this.experimental);
+      try {
+        return await this._useSession(async (result) => {
+          const { data: { session }, error: sessionError } = result;
+          if (sessionError) {
+            return this._returnResult({ data: null, error: sessionError });
+          }
+          if (!session) {
+            return this._returnResult({ data: null, error: new errors_1.AuthSessionMissingError });
+          }
+          const { error: error48 } = await (0, fetch_1._request)(this.fetch, "DELETE", `${this.url}/passkeys/${params.passkeyId}`, {
+            headers: this.headers,
+            jwt: session.access_token,
+            noResolveJson: true
+          });
+          if (error48) {
+            return this._returnResult({ data: null, error: error48 });
+          }
+          return this._returnResult({ data: null, error: null });
+        });
+      } catch (error48) {
+        if ((0, errors_1.isAuthError)(error48)) {
+          return this._returnResult({ data: null, error: error48 });
+        }
+        throw error48;
+      }
+    }
   }
   GoTrueClient.nextInstanceID = {};
   exports.default = GoTrueClient;
@@ -131599,22 +131971,35 @@ var StorageFileApi = class extends BaseApiClient {
     return _this3.handleOperation(async () => {
       let body;
       const options = _objectSpread22(_objectSpread22({}, DEFAULT_FILE_OPTIONS), fileOptions);
-      const headers = _objectSpread22(_objectSpread22({}, _this3.headers), { "x-upsert": String(options.upsert) });
+      let headers = _objectSpread22(_objectSpread22({}, _this3.headers), { "x-upsert": String(options.upsert) });
+      const metadata = options.metadata;
       if (typeof Blob !== "undefined" && fileBody instanceof Blob) {
         body = new FormData;
         body.append("cacheControl", options.cacheControl);
+        if (metadata)
+          body.append("metadata", _this3.encodeMetadata(metadata));
         body.append("", fileBody);
       } else if (typeof FormData !== "undefined" && fileBody instanceof FormData) {
         body = fileBody;
-        body.append("cacheControl", options.cacheControl);
+        if (!body.has("cacheControl"))
+          body.append("cacheControl", options.cacheControl);
+        if (metadata && !body.has("metadata"))
+          body.append("metadata", _this3.encodeMetadata(metadata));
       } else {
         body = fileBody;
         headers["cache-control"] = `max-age=${options.cacheControl}`;
         headers["content-type"] = options.contentType;
+        if (metadata)
+          headers["x-metadata"] = _this3.toBase64(_this3.encodeMetadata(metadata));
+        if ((typeof ReadableStream !== "undefined" && body instanceof ReadableStream || body && typeof body === "object" && ("pipe" in body) && typeof body.pipe === "function") && !options.duplex)
+          options.duplex = "half";
       }
+      if (fileOptions === null || fileOptions === undefined ? undefined : fileOptions.headers)
+        for (const [key, value] of Object.entries(fileOptions.headers))
+          headers = setHeader(headers, key, value);
       return {
         path: cleanPath,
-        fullPath: (await put(_this3.fetch, url2.toString(), body, { headers })).Key
+        fullPath: (await put(_this3.fetch, url2.toString(), body, _objectSpread22({ headers }, (options === null || options === undefined ? undefined : options.duplex) ? { duplex: options.duplex } : {}))).Key
       };
     });
   }
@@ -131800,7 +132185,7 @@ var StorageFileApi = class extends BaseApiClient {
     return query;
   }
 };
-var version2 = "2.104.1";
+var version2 = "2.105.1";
 var DEFAULT_HEADERS = { "X-Client-Info": `storage-js/${version2}` };
 var StorageBucketApi = class extends BaseApiClient {
   constructor(url2, headers = {}, fetch$1, opts) {
@@ -132183,7 +132568,7 @@ var StorageClient = class extends StorageBucketApi {
 var import_auth_js = __toESM(require_main4(), 1);
 __reExport(exports_dist3, __toESM(require_main3(), 1));
 __reExport(exports_dist3, __toESM(require_main4(), 1));
-var version3 = "2.104.1";
+var version3 = "2.105.1";
 var JS_ENV = "";
 if (typeof Deno !== "undefined")
   JS_ENV = "deno";
@@ -132406,7 +132791,7 @@ var SupabaseClient = class {
     const { data } = await _this.auth.getSession();
     return (_data$session$access_ = (_data$session = data.session) === null || _data$session === undefined ? undefined : _data$session.access_token) !== null && _data$session$access_ !== undefined ? _data$session$access_ : _this.supabaseKey;
   }
-  _initSupabaseAuthClient({ autoRefreshToken, persistSession, detectSessionInUrl, storage, userStorage, storageKey, flowType, lock, debug, throwOnError }, headers, fetch$1) {
+  _initSupabaseAuthClient({ autoRefreshToken, persistSession, detectSessionInUrl, storage, userStorage, storageKey, flowType, lock, debug, throwOnError, experimental }, headers, fetch$1) {
     const authHeaders = {
       Authorization: `Bearer ${this.supabaseKey}`,
       apikey: `${this.supabaseKey}`
@@ -132424,6 +132809,7 @@ var SupabaseClient = class {
       lock,
       debug,
       throwOnError,
+      experimental,
       fetch: fetch$1,
       hasCustomAuthorizationHeader: Object.keys(this.headers).some((key) => key.toLowerCase() === "authorization")
     });
@@ -133558,6 +133944,51 @@ diff --git`);
   }
 }
 // src/services/git/providers/cli/operations/commits/show.ts
+var NUL = "\x00";
+var COMMIT_META_FORMAT = [
+  "%H",
+  "%h",
+  "%an",
+  "%ae",
+  "%aI",
+  "%cn",
+  "%ce",
+  "%cI",
+  "%P",
+  "%s",
+  "%b"
+].join(NUL);
+function parseCommitMetadata(stdout) {
+  const fields = stdout.split(NUL);
+  if (fields.length < 11)
+    return null;
+  const [
+    hash2,
+    shortHash,
+    authorName,
+    authorEmail,
+    authorDate,
+    committerName,
+    committerEmail,
+    committerDate,
+    parents,
+    subject,
+    body
+  ] = fields;
+  return {
+    hash: hash2,
+    shortHash,
+    author: { name: authorName, email: authorEmail, date: authorDate },
+    committer: {
+      name: committerName,
+      email: committerEmail,
+      date: committerDate
+    },
+    parents: parents.trim().split(" ").filter(Boolean),
+    subject,
+    body: body.replace(/\n+$/, "")
+  };
+}
 async function executeShow(options, context, execGit) {
   try {
     const args = [];
@@ -133577,19 +134008,33 @@ async function executeShow(options, context, execGit) {
       args: ["-t", options.object]
     });
     const cmd = buildGitCommand({ command: "show", args });
-    const [typeResult, result] = await Promise.all([
+    const metaCmd = buildGitCommand({
+      command: "log",
+      args: ["-1", `--format=${COMMIT_META_FORMAT}`, options.object]
+    });
+    const [typeSettled, contentSettled, metaSettled] = await Promise.allSettled([
       execGit(typeCmd, context.workingDirectory, context.requestContext),
-      execGit(cmd, context.workingDirectory, context.requestContext)
+      execGit(cmd, context.workingDirectory, context.requestContext),
+      execGit(metaCmd, context.workingDirectory, context.requestContext)
     ]);
-    const detectedType = typeResult.stdout.trim();
+    if (typeSettled.status === "rejected")
+      throw typeSettled.reason;
+    if (contentSettled.status === "rejected")
+      throw contentSettled.reason;
+    const detectedType = typeSettled.value.stdout.trim();
     const objectType = ["commit", "tree", "blob", "tag"].includes(detectedType) ? detectedType : "commit";
-    const showResult = {
+    let metadata = {};
+    if (objectType === "commit" && metaSettled.status === "fulfilled" && metaSettled.value?.stdout) {
+      const parsed = parseCommitMetadata(metaSettled.value.stdout);
+      if (parsed)
+        metadata = parsed;
+    }
+    return {
       object: options.object,
       type: objectType,
-      content: result.stdout,
-      metadata: {}
+      content: contentSettled.value.stdout,
+      metadata
     };
-    return showResult;
   } catch (error48) {
     throw mapGitError(error48, "show");
   }
@@ -134454,6 +134899,7 @@ function parseFilesChanged(stdout) {
   return files;
 }
 // src/services/git/providers/cli/operations/tags/tag.ts
+init_errors3();
 async function executeTag(options, context, execGit) {
   try {
     const args = [];
@@ -134572,6 +135018,17 @@ async function executeTag(options, context, execGit) {
         };
         return deleteResult;
       }
+      case "verify": {
+        if (!options.tagName) {
+          throw new Error("Tag name is required for verify operation");
+        }
+        const cmd = buildGitCommand({
+          command: "tag",
+          args: ["-v", options.tagName]
+        });
+        const result = await execGit(cmd, context.workingDirectory, context.requestContext, { allowNonZeroExit: true });
+        return parseVerifyOutput(options.tagName, result.stderr, result.exitCode ?? 0);
+      }
       default:
         throw new Error("Unknown tag operation mode");
     }
@@ -134579,6 +135036,93 @@ async function executeTag(options, context, execGit) {
     throw mapGitError(error48, "tag");
   }
 }
+function parseVerifyOutput(tagName, stderr, exitCode) {
+  if (/^error: tag '.+' not found/m.test(stderr)) {
+    throw new McpError(-32600 /* InvalidRequest */, `Tag not found: ${tagName}`, { tagName });
+  }
+  const base = {
+    mode: "verify",
+    verifiedTag: tagName,
+    rawOutput: stderr
+  };
+  if (/^error: no signature found$/m.test(stderr)) {
+    return {
+      ...base,
+      verified: false,
+      warning: "Tag has no signature. Create with a signing key and `GIT_SIGN_COMMITS=true` to produce a signed tag."
+    };
+  }
+  if (/gpg\.ssh\.allowedSignersFile needs to be configured/.test(stderr) || /No principal matched/.test(stderr)) {
+    return {
+      ...base,
+      verified: false,
+      signatureType: "ssh",
+      warning: "SSH signature verification requires `gpg.ssh.allowedSignersFile` to be configured. The tag may be validly signed; this environment cannot verify it."
+    };
+  }
+  const gpgBadMatch = /(?:gpg|gpgsm): BAD signature from "([^"]+)"/.exec(stderr);
+  if (gpgBadMatch) {
+    return {
+      ...base,
+      verified: false,
+      signatureType: stderr.includes("gpgsm:") ? "x509" : "gpg",
+      signerIdentity: gpgBadMatch[1],
+      warning: "Signature does not validate (BAD signature)."
+    };
+  }
+  const sshBadMatch = /Signature verification failed.*? for "([^"]+)"|Could not verify signature/i.exec(stderr);
+  if (sshBadMatch && exitCode !== 0) {
+    const result = {
+      ...base,
+      verified: false,
+      signatureType: "ssh",
+      warning: "SSH signature does not validate."
+    };
+    if (sshBadMatch[1])
+      result.signerIdentity = sshBadMatch[1];
+    return result;
+  }
+  const gpgGoodMatch = /gpg: Good signature from "([^"]+)"/.exec(stderr);
+  if (gpgGoodMatch) {
+    const result = {
+      ...base,
+      verified: true,
+      signatureType: "gpg",
+      signerIdentity: gpgGoodMatch[1]
+    };
+    const keyMatch = /using \S+ key ([0-9A-Fa-f]{8,})/.exec(stderr);
+    if (keyMatch)
+      result.signerKey = keyMatch[1];
+    return result;
+  }
+  const x509GoodMatch = /gpgsm: Good signature from "([^"]+)"/.exec(stderr);
+  if (x509GoodMatch) {
+    return {
+      ...base,
+      verified: true,
+      signatureType: "x509",
+      signerIdentity: x509GoodMatch[1]
+    };
+  }
+  const sshGoodMatch = /Good "git" signature for (.+?) with \S+ key (SHA256:\S+)/.exec(stderr);
+  if (sshGoodMatch) {
+    return {
+      ...base,
+      verified: true,
+      signatureType: "ssh",
+      signerIdentity: sshGoodMatch[1].trim(),
+      signerKey: sshGoodMatch[2]
+    };
+  }
+  if (exitCode === 0) {
+    return { ...base, verified: true };
+  }
+  return {
+    ...base,
+    verified: false,
+    warning: "Verification failed but the output format was not recognized. See `rawOutput` for details."
+  };
+}
 // src/services/git/providers/cli/operations/stash/stash.ts
 async function executeStash(options, context, execGit) {
   try {
@@ -145112,19 +145656,9 @@ init_zod();
 var PathSchema = exports_external.string().default(".").describe("Path to the Git repository. Defaults to session working directory set via git_set_working_dir.");
 var ForceSchema = exports_external.boolean().default(false).describe("Force the operation, bypassing safety checks.");
 var DryRunSchema = exports_external.boolean().default(false).describe("Preview the operation without executing it.");
-var ConfirmSchema = exports_external.enum(["Y", "y", "Yes", "yes"]).optional().describe("Explicit confirmation required for protected operations (Y/y/Yes/yes).");
 var BranchNameSchema = exports_external.string().min(1).max(255).regex(/^[^~^:?*\[\\]+$/, "Invalid branch name format").describe("Branch name (must follow git naming conventions).");
 var CommitRefSchema = exports_external.string().min(1).describe("Commit reference: full/short hash, branch name, tag name, or relative ref (HEAD~1).");
-var AuthorSchema = exports_external.object({
-  name: exports_external.string().min(1).describe("Author's name"),
-  email: exports_external.string().email().describe("Author's email address")
-});
 var RemoteNameSchema = exports_external.string().min(1).max(255).regex(/^[a-zA-Z0-9._-]+$/, "Invalid remote name format").describe("Remote name (alphanumeric, dots, dashes, underscores only).");
-var SuccessResponseSchema = exports_external.object({
-  success: exports_external.boolean().describe("Indicates if the operation was successful."),
-  message: exports_external.string().describe("Human-readable summary of the result.")
-});
-var FilePathSchema = exports_external.string().min(1).regex(/^[^/].*$/, "File path must be relative to repository root").regex(/^(?!.*\.\.).*$/, "File path cannot contain directory traversal").describe("File path relative to repository root.");
 var TagNameSchema = exports_external.string().min(1).max(255).regex(/^[^~^:?*\[\\]+$/, "Invalid tag name format").describe("Tag name (must follow git naming conventions).");
 function normalizeMessage(message) {
   return message.replace(/\\r\\n/g, `
@@ -145134,9 +145668,6 @@ function normalizeMessage(message) {
 var CommitMessageSchema = exports_external.string().min(1, "Commit message cannot be empty").max(1e4, "Commit message too long").transform(normalizeMessage).describe("Commit message.");
 var LimitSchema = exports_external.number().int().min(1).max(1000).optional().describe("Maximum number of items to return (1-1000).");
 var SkipSchema = exports_external.number().int().nonnegative().optional().describe("Number of items to skip for pagination.");
-var VerboseSchema = exports_external.boolean().default(false).describe("Include verbose/detailed information in output.");
-var QuietSchema = exports_external.boolean().default(false).describe("Suppress informational output (errors only).");
-var RecursiveSchema = exports_external.boolean().default(false).describe("Operate recursively on subdirectories.");
 var AllSchema = exports_external.boolean().default(false).describe("Include all items (varies by operation).");
 var MergeStrategySchema = exports_external.enum(["ort", "recursive", "octopus", "ours", "subtree"]).optional().describe("Merge strategy to use (ort, recursive, octopus, ours, subtree).");
 var PruneSchema = exports_external.boolean().default(false).describe("Prune remote-tracking references that no longer exist on remote.");
@@ -145543,7 +146074,7 @@ var InputSchema = exports_external.object({
   maxTags: exports_external.number().int().min(1).max(1000).default(100).describe("Maximum recent tags to fetch for release context (1-1000). Applied at the git command so large tag catalogs do not bloat the response."),
   sinceTag: exports_external.string().optional().describe('Only include git history since this tag (e.g., "v1.2.0"). Narrows the analysis window.'),
   branch: CommitRefSchema.optional().describe("Branch to analyze (defaults to current branch).")
-});
+}).strict();
 var CommitSummarySchema = exports_external.object({
   hash: exports_external.string().describe("Short commit hash."),
   subject: exports_external.string().describe("Commit subject line."),
@@ -145657,11 +146188,11 @@ var TOOL_TITLE2 = "Git Blame";
 var TOOL_DESCRIPTION2 = "Show line-by-line authorship information for a file, displaying who last modified each line and when. For large files, use startLine/endLine to limit output.";
 var InputSchema2 = exports_external.object({
   path: PathSchema,
-  file: exports_external.string().min(1).describe("Path to the file to blame (relative to repository root)."),
+  filePath: exports_external.string().min(1).describe("Path to the file to blame (relative to repository root)."),
   startLine: exports_external.number().int().min(1).optional().describe("Start line number (1-indexed)."),
   endLine: exports_external.number().int().min(1).optional().describe("End line number (1-indexed)."),
   ignoreWhitespace: exports_external.boolean().default(false).describe("Ignore whitespace changes.")
-});
+}).strict();
 var BlameLineSchema = exports_external.object({
   lineNumber: exports_external.number().int().min(1).describe("Line number in the file (1-indexed)."),
   commitHash: exports_external.string().describe("Full commit hash of the last change to this line."),
@@ -145671,13 +146202,13 @@ var BlameLineSchema = exports_external.object({
 });
 var OutputSchema3 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
-  file: exports_external.string().describe("The file that was blamed."),
+  filePath: exports_external.string().describe("The file that was blamed."),
   lines: exports_external.array(BlameLineSchema).describe("Array of blame information for each line."),
   totalLines: exports_external.number().int().describe("Total number of lines in the output.")
 });
 async function gitBlameLogic(input, { provider, targetPath, appContext }) {
   const blameOptions = {
-    file: input.file,
+    file: input.filePath,
     ignoreWhitespace: input.ignoreWhitespace
   };
   if (input.startLine !== undefined) {
@@ -145693,7 +146224,7 @@ async function gitBlameLogic(input, { provider, targetPath, appContext }) {
   });
   return {
     success: result.success,
-    file: result.file,
+    filePath: result.file,
     lines: result.lines,
     totalLines: result.totalLines
   };
@@ -145702,7 +146233,7 @@ function filterGitBlameOutput(result, level) {
   if (level === "minimal") {
     return {
       success: result.success,
-      file: result.file,
+      filePath: result.filePath,
       totalLines: result.totalLines
     };
   }
@@ -145733,7 +146264,7 @@ var InputSchema3 = exports_external.object({
   dryRun: DryRunSchema,
   directories: exports_external.boolean().default(false).describe("Remove untracked directories in addition to files."),
   ignored: exports_external.boolean().default(false).describe("Remove ignored files as well.")
-}).refine((data) => data.force === true || data.dryRun === true, {
+}).strict().refine((data) => data.force === true || data.dryRun === true, {
   message: "force flag must be set to true to clean untracked files (or use dryRun to preview)",
   path: ["force"]
 });
@@ -145790,7 +146321,7 @@ var TOOL_TITLE4 = "Git Clear Working Directory";
 var TOOL_DESCRIPTION4 = "Clear the session working directory setting. This resets the context without restarting the server. Subsequent git operations will require an explicit path parameter unless git_set_working_dir is called again.";
 var InputSchema4 = exports_external.object({
   confirm: exports_external.enum(["Y", "y", "Yes", "yes"]).describe("Explicit confirmation required to clear working directory. Accepted values: 'Y', 'y', 'Yes', or 'yes'.")
-});
+}).strict();
 var OutputSchema5 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   message: exports_external.string().describe("Confirmation message."),
@@ -145834,26 +146365,26 @@ var gitClearWorkingDirTool = {
 init_zod();
 var TOOL_NAME5 = "git_clone";
 var TOOL_TITLE5 = "Git Clone";
-var TOOL_DESCRIPTION5 = "Clone a repository from a remote URL to a local path. Supports HTTP/HTTPS and SSH URLs, with optional shallow cloning.";
+var TOOL_DESCRIPTION5 = "Clone a repository from a remote URL or local path. Accepts HTTP(S), SSH, git://, file://, and bare filesystem paths, with optional shallow cloning.";
 var InputSchema5 = exports_external.object({
-  url: exports_external.string().url().describe("Remote repository URL to clone from."),
-  localPath: exports_external.string().min(1).describe("Local path where the repository should be cloned."),
+  url: exports_external.string().min(1).describe("Source to clone from: HTTP(S) URL, SSH URL (ssh://… or git@host:path), git:// URL, file:// URL, or a bare filesystem path (e.g. /tmp/repo.git)."),
+  path: exports_external.string().min(1).describe("Destination path where the repository should be cloned."),
   branch: exports_external.string().optional().describe("Specific branch to clone (defaults to remote HEAD)."),
   depth: DepthSchema,
   bare: exports_external.boolean().default(false).describe("Create a bare repository (no working directory)."),
   mirror: exports_external.boolean().default(false).describe("Create a mirror clone (implies bare).")
-});
+}).strict();
 var OutputSchema6 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
-  remoteUrl: exports_external.string().describe("The remote URL that was cloned."),
-  localPath: exports_external.string().describe("Local path where repository was cloned."),
+  remoteUrl: exports_external.string().describe("The remote URL or path that was cloned."),
+  path: exports_external.string().describe("Local path where repository was cloned."),
   branch: exports_external.string().describe("The branch that was checked out."),
   commitHash: exports_external.string().optional().describe("Current HEAD commit hash.")
 });
 async function gitCloneLogic(input, { provider, appContext }) {
   const cloneOptions = {
     remoteUrl: input.url,
-    localPath: input.localPath,
+    localPath: input.path,
     bare: input.bare,
     mirror: input.mirror
   };
@@ -145871,7 +146402,7 @@ async function gitCloneLogic(input, { provider, appContext }) {
   return {
     success: result.success,
     remoteUrl: result.remoteUrl,
-    localPath: result.localPath,
+    path: result.localPath,
     branch: result.branch,
     commitHash: result.commitHash
   };
@@ -145881,7 +146412,7 @@ function filterGitCloneOutput(result, level) {
     return {
       success: result.success,
       remoteUrl: result.remoteUrl,
-      localPath: result.localPath
+      path: result.path
     };
   }
   return result;
@@ -145909,7 +146440,7 @@ var InputSchema6 = exports_external.object({
   path: PathSchema,
   initialBranch: exports_external.string().optional().describe("Name of the initial branch (default: main)."),
   bare: exports_external.boolean().default(false).describe("Create a bare repository (no working directory).")
-});
+}).strict();
 var OutputSchema7 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   path: exports_external.string().describe("Path where repository was initialized."),
@@ -145974,9 +146505,9 @@ var TOOL_TITLE7 = "Git Reflog";
 var TOOL_DESCRIPTION7 = "View the reference logs (reflog) to track when branch tips and other references were updated. Useful for recovering lost commits.";
 var InputSchema7 = exports_external.object({
   path: PathSchema,
-  ref: exports_external.string().optional().describe("Show reflog for specific reference (default: HEAD)."),
+  ref: exports_external.string().default("HEAD").describe("Reference whose reflog to show. Defaults to HEAD."),
   maxCount: LimitSchema.default(25)
-});
+}).strict();
 var ReflogEntrySchema = exports_external.object({
   hash: exports_external.string().describe("Commit hash for this reflog entry."),
   refName: exports_external.string().describe("Reference name (e.g., HEAD@{0}, main@{1})."),
@@ -145991,10 +146522,9 @@ var OutputSchema8 = exports_external.object({
   totalEntries: exports_external.number().int().describe("Total number of reflog entries.")
 });
 async function gitReflogLogic(input, { provider, targetPath, appContext }) {
-  const reflogOptions = {};
-  if (input.ref !== undefined) {
-    reflogOptions.ref = input.ref;
-  }
+  const reflogOptions = {
+    ref: input.ref
+  };
   if (input.maxCount !== undefined) {
     reflogOptions.maxCount = input.maxCount;
   }
@@ -146217,7 +146747,7 @@ var InputSchema8 = exports_external.object({
   path: exports_external.string().min(1).describe("Absolute path to the git repository to use as the working directory."),
   validateGitRepo: exports_external.boolean().default(true).describe("Validate that the path is a Git repository."),
   initializeIfNotPresent: exports_external.boolean().default(false).describe("If not a Git repository, initialize it with 'git init'.")
-});
+}).strict();
 var OutputSchema9 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   path: exports_external.string().describe("The working directory that was set."),
@@ -146301,7 +146831,7 @@ var TOOL_DESCRIPTION9 = "Show the working tree status including staged, unstaged
 var InputSchema9 = exports_external.object({
   path: PathSchema,
   includeUntracked: exports_external.boolean().default(true).describe("Include untracked files in the output.")
-});
+}).strict();
 var OutputSchema10 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   currentBranch: exports_external.string().nullable().describe("Current branch name."),
@@ -146380,7 +146910,7 @@ var TOOL_DESCRIPTION10 = "Returns a Git wrap-up protocol: an acceptance-criteria
 var InputSchema10 = exports_external.object({
   acknowledgement: exports_external.enum(["Y", "y", "Yes", "yes"]).describe("Acknowledgement to initiate the wrap-up workflow."),
   createTag: exports_external.boolean().optional().describe("Controls whether the tag criterion appears in the emitted protocol. Omit or set `true` to include the tag step. Set `false` to omit it entirely — e.g., when tagging is deferred to a separate release step.")
-});
+}).strict();
 var OutputSchema11 = exports_external.object({
   instructions: exports_external.string().describe("The wrap-up protocol to satisfy before the session ships."),
   repository: exports_external.object({
@@ -146530,13 +147060,13 @@ var TOOL_TITLE11 = "Git Add";
 var TOOL_DESCRIPTION11 = "Stage files for commit. Add file contents to the staging area (index) to prepare for the next commit.";
 var InputSchema11 = exports_external.object({
   path: PathSchema,
-  files: exports_external.array(exports_external.string()).default([]).describe('Array of file paths to stage (relative to repository root). Use ["."] to stage all changes. Can be omitted when all or update is true.'),
+  paths: exports_external.array(exports_external.string()).default([]).describe('Array of file or directory paths to stage (relative to repository root). Use ["."] to stage all changes. Can be omitted when all or update is true.'),
   update: exports_external.boolean().default(false).describe("Stage only modified and deleted files (skip untracked files)."),
   all: AllSchema,
   force: exports_external.boolean().default(false).describe("Allow adding otherwise ignored files.")
-}).refine((data) => data.all || data.update || data.files.length > 0, {
-  message: "Either files must be provided, or all/update must be true.",
-  path: ["files"]
+}).strict().refine((data) => data.all || data.update || data.paths.length > 0, {
+  message: "Either paths must be provided, or all/update must be true.",
+  path: ["paths"]
 });
 var OutputSchema12 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
@@ -146552,9 +147082,9 @@ var OutputSchema12 = exports_external.object({
   }).describe("Repository status after staging files.")
 });
 async function gitAddLogic(input, { provider, targetPath, appContext }) {
-  const { path: _path, files, ...rest } = input;
+  const { path: _path, paths, ...rest } = input;
   const addOptions = {
-    paths: files,
+    paths,
     ...rest
   };
   const result = await provider.add(addOptions, {
@@ -146650,7 +147180,7 @@ var InputSchema12 = exports_external.object({
   allowEmpty: exports_external.boolean().default(false).describe("Allow creating a commit with no changes."),
   noVerify: NoVerifySchema,
   filesToStage: exports_external.array(exports_external.string()).optional().describe("File paths to stage before committing (atomic stage+commit operation).")
-});
+}).strict();
 var OutputSchema13 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   commitHash: exports_external.string().describe("SHA-1 hash of the created commit."),
@@ -146814,7 +147344,7 @@ var InputSchema13 = exports_external.object({
   stat: exports_external.boolean().default(false).describe("Show diffstat (summary of changes) instead of full diff content."),
   contextLines: exports_external.number().int().min(0).max(100).default(3).describe("Number of context lines to show around changes."),
   autoExclude: exports_external.boolean().default(true).describe("Automatically exclude lock files and other generated files (e.g., package-lock.json, yarn.lock, bun.lock, poetry.lock, go.sum) from diff output to reduce context bloat. Set to false if you need to inspect these files.")
-});
+}).strict();
 var OutputSchema14 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   diff: exports_external.string().describe("The diff output in unified diff format."),
@@ -146897,7 +147427,7 @@ var InputSchema14 = exports_external.object({
   stat: exports_external.boolean().default(false).describe("Include file change statistics for each commit."),
   patch: exports_external.boolean().default(false).describe("Include the full diff patch for each commit."),
   showSignature: exports_external.boolean().default(false).describe("Show GPG signature verification information for each commit.")
-});
+}).strict();
 var CommitSchema = exports_external.object({
   hash: exports_external.string().describe("Full commit SHA-1 hash."),
   shortHash: exports_external.string().describe("Abbreviated commit hash (7 characters)."),
@@ -146991,7 +147521,7 @@ var InputSchema15 = exports_external.object({
   format: exports_external.enum(["raw"]).optional().describe('Output format for the git object. Use "raw" for unprocessed git output.'),
   stat: exports_external.boolean().default(false).describe("Show diffstat instead of full diff."),
   filePath: exports_external.string().optional().describe("View specific file at a given commit reference. When provided, shows the file content from the specified object.")
-});
+}).strict();
 var OutputSchema16 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   object: exports_external.string().describe("Object identifier."),
@@ -147065,17 +147595,17 @@ var TOOL_TITLE16 = "Git Branch";
 var TOOL_DESCRIPTION16 = "Manage branches: list all branches, show current branch, create a new branch, delete a branch, or rename a branch.";
 var InputSchema16 = exports_external.object({
   path: PathSchema,
-  operation: exports_external.enum(["list", "create", "delete", "rename", "show-current"]).default("list").describe("The branch operation to perform."),
-  name: BranchNameSchema.optional().describe("Branch name for create/delete/rename operations."),
-  newName: BranchNameSchema.optional().describe("New branch name for rename operation."),
+  mode: exports_external.enum(["list", "create", "delete", "rename", "show-current"]).default("list").describe("The branch operation to perform."),
+  branchName: BranchNameSchema.optional().describe("Branch name for create/delete/rename operations."),
+  newBranchName: BranchNameSchema.optional().describe("New branch name for rename operation."),
   startPoint: CommitRefSchema.optional().describe("Starting point (commit/branch) for new branch creation."),
   force: ForceSchema,
-  all: AllSchema.describe("For list operation: show both local and remote branches."),
-  remote: exports_external.boolean().default(false).describe("For list operation: show only remote branches."),
-  merged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches merged into HEAD (true) or specified commit (string)."),
-  noMerged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list operation: show only branches not merged into HEAD (true) or specified commit (string)."),
-  limit: LimitSchema.describe("For list operation: cap the number of branches returned (applied at the git command). Use on repos with many branches.")
-});
+  all: AllSchema.describe("For list mode: show both local and remote branches."),
+  remote: exports_external.boolean().default(false).describe("For list mode: show only remote branches."),
+  merged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list mode: show only branches merged into HEAD (true) or specified commit (string)."),
+  noMerged: exports_external.preprocess((val) => val === "true" ? true : val === "false" ? false : val, exports_external.union([exports_external.boolean(), CommitRefSchema])).optional().describe("For list mode: show only branches not merged into HEAD (true) or specified commit (string)."),
+  limit: LimitSchema.describe("For list mode: cap the number of branches returned (applied at the git command). Use on repos with many branches.")
+}).strict();
 var BranchInfoSchema = exports_external.object({
   name: exports_external.string().describe("Branch name."),
   current: exports_external.boolean().describe("True if this is the current branch."),
@@ -147086,13 +147616,13 @@ var BranchInfoSchema = exports_external.object({
 });
 var OutputSchema17 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
-  operation: exports_external.enum(["list", "create", "delete", "rename", "show-current"]),
-  branches: exports_external.array(BranchInfoSchema).optional().describe("List of branches (for list operation)."),
+  mode: exports_external.enum(["list", "create", "delete", "rename", "show-current"]),
+  branches: exports_external.array(BranchInfoSchema).optional().describe("List of branches (for list mode)."),
   currentBranch: exports_external.string().optional().describe("Name of current branch."),
-  message: exports_external.string().optional().describe("Success message for create/delete/rename operations.")
+  message: exports_external.string().optional().describe("Success message for create/delete/rename modes.")
 });
 async function gitBranchLogic(input, { provider, targetPath, appContext }) {
-  if (input.operation === "show-current") {
+  if (input.mode === "show-current") {
     const result2 = await provider.branch({ mode: "show-current" }, {
       workingDirectory: targetPath,
       requestContext: appContext,
@@ -147101,21 +147631,21 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
     const current = result2.mode === "show-current" ? result2.current : null;
     return {
       success: true,
-      operation: "show-current",
+      mode: "show-current",
       branches: undefined,
       currentBranch: current ?? undefined,
       message: current ? `Current branch: ${current}` : "Not on any branch (detached HEAD)"
     };
   }
-  const { path: _path, operation, name, newName, ...rest } = input;
+  const { path: _path, mode, branchName, newBranchName, ...rest } = input;
   const branchOptions = {
-    mode: operation
+    mode
   };
-  if (name !== undefined) {
-    branchOptions.branchName = name;
+  if (branchName !== undefined) {
+    branchOptions.branchName = branchName;
   }
-  if (newName !== undefined) {
-    branchOptions.newBranchName = newName;
+  if (newBranchName !== undefined) {
+    branchOptions.newBranchName = newBranchName;
   }
   if (rest.startPoint !== undefined) {
     branchOptions.startPoint = rest.startPoint;
@@ -147145,7 +147675,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   if (result.mode === "list") {
     return {
       success: true,
-      operation: "list",
+      mode: "list",
       branches: result.branches,
       currentBranch: result.branches.find((b) => b.current)?.name,
       message: undefined
@@ -147153,7 +147683,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   } else if (result.mode === "create") {
     return {
       success: true,
-      operation: "create",
+      mode: "create",
       branches: undefined,
       currentBranch: undefined,
       message: `Branch '${result.created}' created successfully.`
@@ -147161,7 +147691,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   } else if (result.mode === "delete") {
     return {
       success: true,
-      operation: "delete",
+      mode: "delete",
       branches: undefined,
       currentBranch: undefined,
       message: `Branch '${result.deleted}' deleted successfully.`
@@ -147169,7 +147699,7 @@ async function gitBranchLogic(input, { provider, targetPath, appContext }) {
   } else if (result.mode === "rename") {
     return {
       success: true,
-      operation: "rename",
+      mode: "rename",
       branches: undefined,
       currentBranch: undefined,
       message: `Branch '${result.renamed.from}' renamed to '${result.renamed.to}'.`
@@ -147181,7 +147711,7 @@ function filterGitBranchOutput(result, level) {
   if (level === "minimal") {
     return {
       success: result.success,
-      operation: result.operation,
+      mode: result.mode,
       currentBranch: result.currentBranch
     };
   }
@@ -147213,7 +147743,7 @@ var InputSchema17 = exports_external.object({
   force: ForceSchema,
   paths: exports_external.array(exports_external.string()).optional().describe("Specific file paths to checkout/restore (relative to repository root)."),
   track: exports_external.boolean().optional().describe("Set up tracking relationship with remote branch when creating new branch.")
-});
+}).strict();
 var OutputSchema18 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   target: exports_external.string().describe("Checked out branch or commit."),
@@ -147281,12 +147811,13 @@ var InputSchema18 = exports_external.object({
   mainline: exports_external.number().int().min(1).optional().describe("For merge commits, specify which parent to follow (1 for first parent, 2 for second, etc.)."),
   strategy: MergeStrategySchema.describe("Merge strategy to use for cherry-pick."),
   signoff: exports_external.boolean().default(false).describe("Add Signed-off-by line to the commit message.")
-});
+}).strict();
 var OutputSchema19 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   pickedCommits: exports_external.array(exports_external.string()).describe("Commits that were successfully cherry-picked."),
   conflicts: exports_external.boolean().describe("Whether operation had conflicts."),
-  conflictedFiles: exports_external.array(exports_external.string()).describe("Files with conflicts that need resolution.")
+  conflictedFiles: exports_external.array(exports_external.string()).describe("Files with conflicts that need resolution."),
+  message: exports_external.string().optional().describe("Human-readable next-step guidance, especially for conflicts.")
 });
 async function gitCherryPickLogic(input, { provider, targetPath, appContext }) {
   const cherryPickOptions = {
@@ -147307,11 +147838,13 @@ async function gitCherryPickLogic(input, { provider, targetPath, appContext }) {
     requestContext: appContext,
     tenantId: appContext.tenantId || "default-tenant"
   });
+  const message = result.conflicts ? `Cherry-pick paused with conflicts in ${result.conflictedFiles.length} file(s). Resolve them and run git_cherry_pick with continueOperation=true, or pass abort=true to cancel.` : undefined;
   return {
     success: result.success,
     pickedCommits: result.pickedCommits,
     conflicts: result.conflicts,
-    conflictedFiles: result.conflictedFiles
+    conflictedFiles: result.conflictedFiles,
+    message
   };
 }
 function filterGitCherryPickOutput(result, level) {
@@ -147350,7 +147883,7 @@ var InputSchema19 = exports_external.object({
   squash: exports_external.boolean().default(false).describe("Squash all commits from the branch into a single commit."),
   message: CommitMessageSchema.optional().describe("Custom merge commit message."),
   abort: exports_external.boolean().default(false).describe("Abort an in-progress merge that has conflicts.")
-});
+}).strict();
 var OutputSchema20 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   strategy: exports_external.string().describe("Merge strategy used."),
@@ -147432,13 +147965,14 @@ var InputSchema20 = exports_external.object({
   interactive: exports_external.boolean().default(false).describe("Interactive rebase (not supported in all providers)."),
   onto: CommitRefSchema.optional().describe("Rebase onto different commit than upstream."),
   preserve: exports_external.boolean().default(false).describe("Preserve merge commits during rebase.")
-});
+}).strict();
 var OutputSchema21 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   conflicts: exports_external.boolean().describe("Whether rebase had conflicts."),
   conflictedFiles: exports_external.array(exports_external.string()).describe("Files with conflicts that need resolution."),
   rebasedCommits: exports_external.number().int().describe("Number of commits that were rebased."),
-  currentCommit: exports_external.string().optional().describe("Current commit hash if rebase stopped due to conflict.")
+  currentCommit: exports_external.string().optional().describe("Current commit hash if rebase stopped due to conflict."),
+  message: exports_external.string().optional().describe("Human-readable next-step guidance, especially for conflicts.")
 });
 async function gitRebaseLogic(input, { provider, targetPath, appContext }) {
   const rebaseOptions = {};
@@ -147465,12 +147999,14 @@ async function gitRebaseLogic(input, { provider, targetPath, appContext }) {
     requestContext: appContext,
     tenantId: appContext.tenantId || "default-tenant"
   });
+  const message = result.conflicts ? `Rebase paused with conflicts in ${result.conflictedFiles.length} file(s). Resolve them, then run git_rebase with mode='continue' (or mode='abort' to cancel, mode='skip' to drop the current commit).` : undefined;
   return {
     success: result.success,
     conflicts: result.conflicts,
     conflictedFiles: result.conflictedFiles,
     rebasedCommits: result.rebasedCommits,
-    currentCommit: result.currentCommit
+    currentCommit: result.currentCommit,
+    message
   };
 }
 function filterGitRebaseOutput(result, level) {
@@ -147508,7 +148044,7 @@ var InputSchema21 = exports_external.object({
   prune: PruneSchema,
   tags: exports_external.boolean().default(false).describe("Fetch all tags from the remote."),
   depth: DepthSchema
-});
+}).strict();
 var OutputSchema22 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   remote: exports_external.string().describe("Remote name that was fetched from."),
@@ -147575,7 +148111,7 @@ var InputSchema22 = exports_external.object({
   branch: BranchNameSchema.optional().describe("Branch name (default: current branch)."),
   rebase: exports_external.boolean().default(false).describe("Use rebase instead of merge when integrating changes."),
   fastForwardOnly: exports_external.boolean().default(false).describe("Fail if can't fast-forward (no merge commit).")
-});
+}).strict();
 var OutputSchema23 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   remote: exports_external.string().describe("Remote name that was pulled from."),
@@ -147661,7 +148197,7 @@ var InputSchema23 = exports_external.object({
   delete: exports_external.boolean().default(false).describe("Delete the specified remote branch."),
   remoteBranch: BranchNameSchema.optional().describe("Remote branch name to push to (if different from local branch name)."),
   confirmed: exports_external.boolean().default(false).describe("Explicit confirmation required for force push or branch deletion on protected branches (main, master, production, etc.).")
-});
+}).strict();
 var OutputSchema24 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   remote: exports_external.string().describe("Remote name that was pushed to."),
@@ -147764,7 +148300,7 @@ var InputSchema24 = exports_external.object({
   url: exports_external.string().url().optional().describe("Remote URL for add/set-url operations."),
   newName: RemoteNameSchema.optional().describe("New remote name for rename operation."),
   push: exports_external.boolean().default(false).describe("Set push URL separately (for set-url operation).")
-});
+}).strict();
 var RemoteInfoSchema = exports_external.object({
   name: exports_external.string().describe("Remote name."),
   fetchUrl: exports_external.string().describe("Fetch URL."),
@@ -147847,10 +148383,10 @@ var TOOL_DESCRIPTION25 = "Reset current HEAD to specified state. Can be used to
 var InputSchema25 = exports_external.object({
   path: PathSchema,
   mode: exports_external.enum(["soft", "mixed", "hard", "merge", "keep"]).default("mixed").describe("Reset mode: soft (keep changes staged), mixed (unstage changes), hard (discard all changes), merge (reset and merge), keep (reset but keep local changes)."),
-  target: CommitRefSchema.optional().describe("Target commit to reset to (default: HEAD)."),
+  target: CommitRefSchema.default("HEAD").describe("Target commit to reset to. Defaults to HEAD."),
   paths: exports_external.array(exports_external.string()).optional().describe("Specific file paths to reset (leaves HEAD unchanged)."),
   confirmed: exports_external.boolean().default(false).describe("Explicit confirmation required for hard, merge, and keep reset modes on protected branches (main, master, production, etc.).")
-});
+}).strict();
 var OutputSchema26 = exports_external.object({
   success: exports_external.boolean().describe("Indicates if the operation was successful."),
   mode: exports_external.string().describe("Reset mode that was used."),
@@ -147870,11 +148406,9 @@ async function gitResetLogic(input, { provider, targetPath, appContext }) {
     }
   }
   const resetOptions = {
-    mode: input.mode
+    mode: input.mode,
+    commit: input.target
   };
-  if (input.target !== undefined) {
-    resetOptions.commit = input.target;
-  }
   if (input.paths !== undefined) {
     resetOptions.paths = input.paths;
   }
@@ -147935,7 +148469,7 @@ var InputSchema26 = exports_external.object({
   includeUntracked: exports_external.boolean().default(false).describe("Include untracked files in the stash (for push operation)."),
   keepIndex: exports_external.boolean().default(false).describe("Don't revert staged changes (for push operation)."),
   limit: LimitSchema.describe("For list mode: cap the number of stash entries returned (applied at the git command).")
-});
+}).strict();
 var StashInfoSchema = exports_external.object({
   ref: exports_external.string().describe("Stash reference (e.g., stash@{0})."),
   index: exports_external.number().int().describe("Stash index number."),
@@ -148014,20 +148548,22 @@ init_zod();
 init_errors3();
 var TOOL_NAME27 = "git_tag";
 var TOOL_TITLE27 = "Git Tag";
-var TOOL_DESCRIPTION27 = "Manage tags: list all tags, create a new tag, or delete a tag. Tags are used to mark specific points in history (releases, milestones).";
+var TOOL_DESCRIPTION27 = "Manage tags: list all tags, create a new tag, delete a tag, or verify a signed tag. Tags are used to mark specific points in history (releases, milestones). Verify runs `git tag -v` and returns a structured result distinguishing unsigned tags, missing trust configuration, bad signatures, and valid signatures.";
 var InputSchema27 = exports_external.object({
   path: PathSchema,
-  mode: exports_external.enum(["list", "create", "delete"]).default("list").describe("The tag operation to perform."),
-  tagName: TagNameSchema.optional().describe("Tag name for create/delete operations."),
+  mode: exports_external.enum(["list", "create", "delete", "verify"]).default("list").describe("The tag operation to perform."),
+  tagName: TagNameSchema.optional().describe("Tag name for create/delete/verify operations."),
   commit: CommitRefSchema.optional().describe("Commit to tag (default: HEAD for create operation)."),
   message: exports_external.string().optional().describe("Tag message. Providing a message always produces an annotated tag (git does not support messages on lightweight tags). For release tags, summarize notable changes."),
   annotated: exports_external.boolean().default(false).describe('Create an annotated tag with a default "Tag <name>" message. Only effective when no message is provided and signing is disabled — otherwise the tag is always annotated.'),
-  force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete).")
-});
+  force: ForceSchema.describe("Overwrite an existing tag (create mode only; has no effect on list or delete)."),
+  limit: LimitSchema.describe("For list mode: cap the number of tags returned (applied at the git command via `--count=N`). Use on repos with many tags.")
+}).strict();
 var TagInfoSchema = exports_external.object({
   name: exports_external.string().describe("Tag name."),
   commit: exports_external.string().describe("Commit hash the tag points to."),
-  message: exports_external.string().optional().describe("Tag message (for annotated tags)."),
+  message: exports_external.string().optional().describe("First line of the tag annotation (annotated tags only). See `annotationBody` for the remainder."),
+  annotationBody: exports_external.string().optional().describe("Remaining annotation body after the subject line (annotated tags only)."),
   tagger: exports_external.string().optional().describe("Tagger name and email."),
   timestamp: exports_external.number().int().optional().describe("Tag creation timestamp.")
 });
@@ -148038,10 +148574,17 @@ var OutputSchema28 = exports_external.object({
   created: exports_external.string().optional().describe("Created tag name (for create mode)."),
   deleted: exports_external.string().optional().describe("Deleted tag name (for delete mode)."),
   signed: exports_external.boolean().optional().describe("Whether the created tag was signed. Only populated for create mode. False when GIT_SIGN_COMMITS=false or when signing failed and fell back to unsigned."),
-  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback.")
+  signingWarning: exports_external.string().optional().describe("Populated only when signing was requested but failed, and the tag was created unsigned as a fallback."),
+  verifiedTag: exports_external.string().optional().describe("Verified tag name (for verify mode). Echoes the input so callers can correlate results in batched flows."),
+  verified: exports_external.boolean().optional().describe("Whether the signature validated (for verify mode). `false` for unsigned tags, missing trust config, bad signatures, or unparseable output — inspect `warning` to distinguish."),
+  signatureType: exports_external.enum(["gpg", "ssh", "x509"]).optional().describe("Signature algorithm family when detectable from `git tag -v` output (verify mode). Absent for unsigned tags or unparseable output."),
+  signerIdentity: exports_external.string().optional().describe("Signer identity as emitted by git — e.g., `Name <email>` for GPG or the SSH principal. Verify mode only."),
+  signerKey: exports_external.string().optional().describe("Key material emitted by git — GPG fingerprint/key ID or SSH key fingerprint (`SHA256:…`). Verify mode only; absent when git did not surface it."),
+  warning: exports_external.string().optional().describe("Populated on verify failure with a human-readable reason distinguishing unsigned tags, missing trust configuration, bad signatures, and unparseable output."),
+  rawOutput: exports_external.string().optional().describe("Raw stderr from `git tag -v` for callers that need the full verification output (verify mode only).")
 });
 async function gitTagLogic(input, { provider, targetPath, appContext }) {
-  if ((input.mode === "create" || input.mode === "delete") && !input.tagName) {
+  if ((input.mode === "create" || input.mode === "delete" || input.mode === "verify") && !input.tagName) {
     throw new McpError(-32602 /* InvalidParams */, `Tag name is required for ${input.mode} operation.`);
   }
   const tagOptions = {
@@ -148058,6 +148601,9 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (input.message !== undefined) {
     tagOptions.message = normalizeMessage(input.message);
   }
+  if (input.limit !== undefined) {
+    tagOptions.limit = input.limit;
+  }
   const result = await provider.tag(tagOptions, {
     workingDirectory: targetPath,
     requestContext: appContext,
@@ -148076,6 +148622,27 @@ async function gitTagLogic(input, { provider, targetPath, appContext }) {
   if (result.signingWarning) {
     output.signingWarning = result.signingWarning;
   }
+  if (result.verifiedTag !== undefined) {
+    output.verifiedTag = result.verifiedTag;
+  }
+  if (result.verified !== undefined) {
+    output.verified = result.verified;
+  }
+  if (result.signatureType !== undefined) {
+    output.signatureType = result.signatureType;
+  }
+  if (result.signerIdentity !== undefined) {
+    output.signerIdentity = result.signerIdentity;
+  }
+  if (result.signerKey !== undefined) {
+    output.signerKey = result.signerKey;
+  }
+  if (result.warning !== undefined) {
+    output.warning = result.warning;
+  }
+  if (result.rawOutput !== undefined) {
+    output.rawOutput = result.rawOutput;
+  }
   return output;
 }
 function filterGitTagOutput(result, level) {
@@ -148084,10 +148651,16 @@ function filterGitTagOutput(result, level) {
       success: result.success,
       mode: result.mode,
       ...result.signed !== undefined && { signed: result.signed },
-      ...result.signingWarning && { signingWarning: result.signingWarning }
+      ...result.signingWarning && { signingWarning: result.signingWarning },
+      ...result.verified !== undefined && { verified: result.verified },
+      ...result.warning && { warning: result.warning }
     };
   }
-  return result;
+  if (level === "full") {
+    return result;
+  }
+  const { rawOutput: _raw, ...rest } = result;
+  return rest;
 }
 var responseFormatter27 = createJsonFormatter({
   filter: filterGitTagOutput
@@ -148112,14 +148685,14 @@ var InputSchema28 = exports_external.object({
   path: PathSchema,
   mode: exports_external.enum(["list", "add", "remove", "move", "prune"]).default("list").describe("The worktree operation to perform."),
   worktreePath: exports_external.string().optional().describe("Path for the new worktree (for add/move operations)."),
-  branch: BranchNameSchema.optional().describe("Branch to checkout in the new worktree (for add operation)."),
-  commitish: CommitRefSchema.optional().describe("Commit/branch to base the worktree on (for add operation)."),
+  branch: BranchNameSchema.optional().describe("For add operation: create a NEW branch with this name in the new worktree. Fails if the branch already exists — use `commitish` to check out an existing branch instead."),
+  commitish: CommitRefSchema.optional().describe("For add operation: check out this existing branch/commit/tag in the new worktree (no new branch is created)."),
   force: exports_external.boolean().default(false).describe("Force operation (for remove operation with uncommitted changes)."),
   newPath: exports_external.string().optional().describe("New path for the worktree (for move operation)."),
   detach: exports_external.boolean().default(false).describe("Create worktree with detached HEAD (for add operation)."),
   verbose: exports_external.boolean().default(false).describe("Provide detailed output for worktree operations."),
   dryRun: exports_external.boolean().default(false).describe("Preview the operation without executing it (for prune operation).")
-});
+}).strict();
 var WorktreeInfoSchema = exports_external.object({
   path: exports_external.string().describe("Absolute path to the worktree."),
   head: exports_external.string().describe("HEAD commit hash in this worktree."),
@@ -153431,7 +154004,7 @@ function isCloudflareWorkers() {
 var USER_AGENT;
 if (typeof navigator === "undefined" || !navigator.userAgent?.startsWith?.("Mozilla/5.0 ")) {
   const NAME2 = "jose";
-  const VERSION = "v6.2.2";
+  const VERSION = "v6.2.3";
   USER_AGENT = `${NAME2}/${VERSION}`;
 }
 var customFetch = Symbol();