@de-otio/epimethian-mcp 6.4.1 → 6.6.0

package/dist/cli/index.js

@@ -35481,7 +35481,7 @@ async function getPage(pageId, includeBody) {
 async function _rawCreatePage(spaceId, title, body, parentId, clientLabel) {
   const cfg = await getConfig();
   const pageBody = normalizeBodyForSubmit(body);
-  const epimethianTag = `Epimethian v${"6.4.1"}`;
+  const epimethianTag = `Epimethian v${"6.6.0"}`;
   const versionMsg = cfg.attribution && clientLabel ? `Created by ${clientLabel} (via ${epimethianTag})` : `Created by ${epimethianTag}`;
   const payload = {
     title,
@@ -35502,7 +35502,7 @@ async function _rawCreatePage(spaceId, title, body, parentId, clientLabel) {
 async function _rawUpdatePage(pageId, opts) {
   const cfg = await getConfig();
   const newVersion = opts.version + 1;
-  const epimethianTag = `Epimethian v${"6.4.1"}`;
+  const epimethianTag = `Epimethian v${"6.6.0"}`;
   const effectiveClient = cfg.attribution ? opts.clientLabel : void 0;
   let versionMessage;
   if (opts.versionMessage && effectiveClient)
@@ -36504,6 +36504,25 @@ var init_confluence_client = __esm({
   }
 });
 
+// src/server/converter/types.ts
+var ConverterError, SHRINKAGE_NOT_CONFIRMED, STRUCTURE_LOSS_NOT_CONFIRMED, EMPTY_BODY_REJECTED, CONTENT_FLOOR_BREACHED;
+var init_types2 = __esm({
+  "src/server/converter/types.ts"() {
+    "use strict";
+    ConverterError = class extends Error {
+      constructor(message, code2) {
+        super(message);
+        this.code = code2;
+        this.name = "ConverterError";
+      }
+    };
+    SHRINKAGE_NOT_CONFIRMED = "SHRINKAGE_NOT_CONFIRMED";
+    STRUCTURE_LOSS_NOT_CONFIRMED = "STRUCTURE_LOSS_NOT_CONFIRMED";
+    EMPTY_BODY_REJECTED = "EMPTY_BODY_REJECTED";
+    CONTENT_FLOOR_BREACHED = "CONTENT_FLOOR_BREACHED";
+  }
+});
+
 // src/server/converter/tokeniser.ts
 function formatTokenId(n) {
   return "T" + String(n).padStart(4, "0");
@@ -36645,6 +36664,221 @@ var init_mutation_log = __esm({
   }
 });
 
+// src/server/confirmation-tokens.ts
+function clampTtl(ttlMs) {
+  if (!Number.isFinite(ttlMs)) return DEFAULT_SOFT_CONFIRM_TTL_MS;
+  if (ttlMs < TTL_MIN_MS) return TTL_MIN_MS;
+  if (ttlMs > TTL_MAX_MS) return TTL_MAX_MS;
+  return ttlMs;
+}
+function getMintLimit() {
+  const raw = process.env.EPIMETHIAN_SOFT_CONFIRM_MINT_LIMIT;
+  if (raw === void 0) return MAX_MINTS_PER_15_MIN;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n) || n < 0) return MAX_MINTS_PER_15_MIN;
+  return n;
+}
+function getDefaultTtl() {
+  const raw = process.env.EPIMETHIAN_SOFT_CONFIRM_TTL_MS;
+  if (raw === void 0) return DEFAULT_SOFT_CONFIRM_TTL_MS;
+  const n = parseInt(raw, 10);
+  if (!Number.isFinite(n)) return DEFAULT_SOFT_CONFIRM_TTL_MS;
+  return clampTtl(n);
+}
+function emitMint(meta) {
+  for (const h of mintHandlers) {
+    try {
+      h(meta);
+    } catch {
+    }
+  }
+}
+function emitValidate(meta) {
+  for (const h of validateHandlers) {
+    try {
+      h(meta);
+    } catch {
+    }
+  }
+}
+function sleepUntil(targetWallClockMs) {
+  return new Promise((resolve2) => {
+    const remaining = targetWallClockMs - Date.now();
+    if (remaining <= 0) {
+      resolve2();
+      return;
+    }
+    setTimeout(resolve2, remaining);
+  });
+}
+function pruneMintTimestamps(now) {
+  const cutoff = now - MINT_WINDOW_MS;
+  if (mintTimestamps.length === 0) return;
+  if (mintTimestamps[0] >= cutoff) return;
+  mintTimestamps = mintTimestamps.filter((ts) => ts >= cutoff);
+}
+function evictOldest() {
+  let oldestKey;
+  let oldestSeq = Infinity;
+  for (const [k, v] of store.entries()) {
+    if (v.insertSeq < oldestSeq) {
+      oldestSeq = v.insertSeq;
+      oldestKey = k;
+    }
+  }
+  if (oldestKey === void 0) return;
+  const entry = store.get(oldestKey);
+  store.delete(oldestKey);
+  emitValidate({
+    auditId: entry.auditId,
+    tool: entry.ctx.tool,
+    cloudId: entry.ctx.cloudId,
+    pageId: entry.ctx.pageId,
+    outcome: "evicted"
+  });
+}
+function mintToken(ctx, ttlMs) {
+  const now = Date.now();
+  pruneMintTimestamps(now);
+  const limit = getMintLimit();
+  if (limit > 0 && mintTimestamps.length >= limit) {
+    const oldest = mintTimestamps[0];
+    const waitMs = Math.max(0, oldest + MINT_WINDOW_MS - now);
+    throw new SoftConfirmRateLimitedError(
+      mintTimestamps.length,
+      limit,
+      waitMs
+    );
+  }
+  while (store.size >= MAX_OUTSTANDING_TOKENS) {
+    evictOldest();
+  }
+  const resolvedTtl = clampTtl(ttlMs ?? getDefaultTtl());
+  const expiresAt = now + resolvedTtl;
+  const auditId = (0, import_node_crypto4.randomUUID)();
+  const tokenStr = (0, import_node_crypto4.randomBytes)(24).toString("base64url");
+  store.set(tokenStr, {
+    auditId,
+    ctx: { ...ctx },
+    expiresAt,
+    insertSeq: ++insertSeqCounter
+  });
+  mintTimestamps.push(now);
+  emitMint({
+    auditId,
+    tool: ctx.tool,
+    cloudId: ctx.cloudId,
+    pageId: ctx.pageId,
+    pageVersion: ctx.pageVersion,
+    expiresAt,
+    outstanding: store.size
+  });
+  return { token: tokenStr, auditId, expiresAt };
+}
+async function validateToken(token, ctx) {
+  const floorTarget = Date.now() + MIN_VALIDATE_FLOOR_MS;
+  let outcome;
+  let auditId;
+  const entry = store.get(token);
+  if (!entry) {
+    outcome = "unknown";
+  } else {
+    auditId = entry.auditId;
+    const now = Date.now();
+    if (now >= entry.expiresAt) {
+      store.delete(token);
+      outcome = "expired";
+    } else if (entry.ctx.tool !== ctx.tool || entry.ctx.cloudId !== ctx.cloudId || entry.ctx.pageId !== ctx.pageId || entry.ctx.pageVersion !== ctx.pageVersion || entry.ctx.diffHash !== ctx.diffHash) {
+      outcome = "mismatch";
+    } else {
+      store.delete(token);
+      const siblings = [];
+      for (const [k, v] of store.entries()) {
+        if (v.ctx.cloudId === entry.ctx.cloudId && v.ctx.pageId === entry.ctx.pageId) {
+          siblings.push([k, v]);
+        }
+      }
+      for (const [k, v] of siblings) {
+        store.delete(k);
+        emitValidate({
+          auditId: v.auditId,
+          tool: v.ctx.tool,
+          cloudId: v.ctx.cloudId,
+          pageId: v.ctx.pageId,
+          outcome: "stale"
+        });
+      }
+      outcome = "ok";
+    }
+  }
+  emitValidate({
+    auditId,
+    tool: ctx.tool,
+    cloudId: ctx.cloudId,
+    pageId: ctx.pageId,
+    outcome
+  });
+  await sleepUntil(floorTarget);
+  return outcome === "ok" ? "ok" : "invalid";
+}
+function invalidateForPage(cloudId, pageId) {
+  const victims = [];
+  for (const [k, v] of store.entries()) {
+    if (v.ctx.cloudId === cloudId && v.ctx.pageId === pageId) {
+      victims.push([k, v]);
+    }
+  }
+  for (const [k, v] of victims) {
+    store.delete(k);
+    emitValidate({
+      auditId: v.auditId,
+      tool: v.ctx.tool,
+      cloudId: v.ctx.cloudId,
+      pageId: v.ctx.pageId,
+      outcome: "stale"
+    });
+  }
+}
+function computeDiffHash(canonicalStorageXml, pageVersion) {
+  return (0, import_node_crypto4.createHash)("sha256").update(`${canonicalStorageXml}
+${pageVersion}`).digest("hex");
+}
+var import_node_crypto4, DEFAULT_SOFT_CONFIRM_TTL_MS, TTL_MIN_MS, TTL_MAX_MS, MAX_OUTSTANDING_TOKENS, MAX_MINTS_PER_15_MIN, MINT_WINDOW_MS, MIN_VALIDATE_FLOOR_MS, SOFT_CONFIRM_RATE_LIMITED, SoftConfirmRateLimitedError, store, mintTimestamps, insertSeqCounter, mintHandlers, validateHandlers;
+var init_confirmation_tokens = __esm({
+  "src/server/confirmation-tokens.ts"() {
+    "use strict";
+    import_node_crypto4 = require("node:crypto");
+    DEFAULT_SOFT_CONFIRM_TTL_MS = 5 * 60 * 1e3;
+    TTL_MIN_MS = 6e4;
+    TTL_MAX_MS = 9e5;
+    MAX_OUTSTANDING_TOKENS = 50;
+    MAX_MINTS_PER_15_MIN = 100;
+    MINT_WINDOW_MS = 15 * 60 * 1e3;
+    MIN_VALIDATE_FLOOR_MS = 5;
+    SOFT_CONFIRM_RATE_LIMITED = "SOFT_CONFIRM_RATE_LIMITED";
+    SoftConfirmRateLimitedError = class extends Error {
+      code = SOFT_CONFIRM_RATE_LIMITED;
+      current;
+      limit;
+      waitMs;
+      constructor(current, limit, waitMs) {
+        super(
+          `Soft-confirmation mint cap exhausted: ${current} mints in the last 15 min, limit ${limit}. Window opens again in ~${Math.ceil(waitMs / 6e4)} min. Override via EPIMETHIAN_SOFT_CONFIRM_MINT_LIMIT (set "0" to disable).`
+        );
+        this.name = "SoftConfirmRateLimitedError";
+        this.current = current;
+        this.limit = limit;
+        this.waitMs = waitMs;
+      }
+    };
+    store = /* @__PURE__ */ new Map();
+    mintTimestamps = [];
+    insertSeqCounter = 0;
+    mintHandlers = [];
+    validateHandlers = [];
+  }
+});
+
 // node_modules/mdurl/lib/decode.mjs
 function getDecodeCache(exclude) {
   let cache = decodeCache[exclude];
@@ -46232,25 +46466,6 @@ var init_account_id_validator = __esm({
   }
 });
 
-// src/server/converter/types.ts
-var ConverterError, SHRINKAGE_NOT_CONFIRMED, STRUCTURE_LOSS_NOT_CONFIRMED, EMPTY_BODY_REJECTED, CONTENT_FLOOR_BREACHED;
-var init_types2 = __esm({
-  "src/server/converter/types.ts"() {
-    "use strict";
-    ConverterError = class extends Error {
-      constructor(message, code2) {
-        super(message);
-        this.code = code2;
-        this.name = "ConverterError";
-      }
-    };
-    SHRINKAGE_NOT_CONFIRMED = "SHRINKAGE_NOT_CONFIRMED";
-    STRUCTURE_LOSS_NOT_CONFIRMED = "STRUCTURE_LOSS_NOT_CONFIRMED";
-    EMPTY_BODY_REJECTED = "EMPTY_BODY_REJECTED";
-    CONTENT_FLOOR_BREACHED = "CONTENT_FLOOR_BREACHED";
-  }
-});
-
 // src/server/converter/md-to-storage.ts
 function createHeadingSlugger() {
   const seen = /* @__PURE__ */ new Map();
@@ -47649,6 +47864,53 @@ function suppressEquivalentDeletionsEnabled() {
   const v = process.env.EPIMETHIAN_SUPPRESS_EQUIVALENT_DELETIONS;
   return v === "true" || v === "1";
 }
+async function maybeConsumeConfirmToken(args) {
+  const { confirm_token, tool, cloudId, pageId, pageVersion, diffHash } = args;
+  if (confirm_token === void 0 || cloudId === void 0 || pageVersion <= 0 || diffHash === void 0) {
+    return "no_token";
+  }
+  const outcome = await validateToken(confirm_token, {
+    tool,
+    cloudId,
+    pageId,
+    pageVersion,
+    diffHash
+  });
+  return outcome;
+}
+function formatSoftConfirmationResult(err, params) {
+  const last8 = err.token.slice(-8);
+  const isoExpires = new Date(err.expiresAt).toISOString();
+  const text2 = `\u26A0\uFE0F  Confirmation required (SOFT_CONFIRMATION_REQUIRED)
+
+${err.humanSummary}
+
+Your MCP client does not support in-protocol elicitation. This
+confirmation is being routed through you (the agent). Please ASK
+THE USER before retrying. If the user approves, re-call this tool
+with the same parameters plus the \`confirm_token\` from
+structuredContent.
+
+Token tail: ...${last8}    Expires: ${isoExpires}    Audit ID: ${err.auditId}
+
+The token is single-use, bound to this exact diff and page version,
+and invalidated by any competing write to this page. If validation
+fails, mint a new one by re-calling without \`confirm_token\`.`;
+  const structuredContent = {
+    confirm_token: err.token,
+    audit_id: err.auditId,
+    expires_at: isoExpires,
+    page_id: params.pageId
+  };
+  if (params.deletionSummary) {
+    structuredContent.deletion_summary = params.deletionSummary;
+  }
+  return {
+    content: [{ type: "text", text: text2 }],
+    isError: true,
+    structuredContent
+  };
+}
 function detectMixedInput(body) {
   let stripped = body.replace(
     /^(`{3,})[^\n]*\n[\s\S]*?^\1\s*$/gm,
@@ -47988,7 +48250,8 @@ async function safeSubmitPage(input) {
     confirmStructureLoss,
     confirmDeletions,
     source,
-    assertGrowth
+    assertGrowth,
+    cloudId
   } = input;
   const isCreate = pageId === void 0;
   const resolvedOperation = operation ?? (isCreate ? "create_page" : "update_page");
@@ -48125,6 +48388,9 @@ async function safeSubmitPage(input) {
       });
     } catch {
     }
+    if (cloudId !== void 0 && pageId !== void 0) {
+      invalidateForPage(cloudId, pageId);
+    }
     return {
       page,
       newVersion,
@@ -48355,6 +48621,7 @@ var init_safe_write = __esm({
   "src/server/safe-write.ts"() {
     "use strict";
     init_confluence_client();
+    init_confirmation_tokens();
     init_md_to_storage();
     init_update_orchestrator();
     init_content_safety_guards();
@@ -48482,7 +48749,7 @@ async function writeCheckState(state) {
   const data = JSON.stringify(state, null, 2) + "\n";
   const tmpFile = (0, import_node_path3.join)(
     CONFIG_DIR2,
-    `.update-check.${(0, import_node_crypto4.randomBytes)(4).toString("hex")}.tmp`
+    `.update-check.${(0, import_node_crypto5.randomBytes)(4).toString("hex")}.tmp`
   );
   await (0, import_promises3.writeFile)(tmpFile, data, { mode: 384 });
   await (0, import_promises3.rename)(tmpFile, UPDATE_CHECK_FILE);
@@ -48623,14 +48890,14 @@ async function checkForUpdates(currentVersion) {
     return null;
   }
 }
-var import_promises3, import_node_path3, import_node_os2, import_node_crypto4, import_node_child_process2, import_node_util, execFileAsync, CONFIG_DIR2, UPDATE_CHECK_FILE, ONE_DAY_MS, NPM_REGISTRY_URL, PACKAGE_NAME;
+var import_promises3, import_node_path3, import_node_os2, import_node_crypto5, import_node_child_process2, import_node_util, execFileAsync, CONFIG_DIR2, UPDATE_CHECK_FILE, ONE_DAY_MS, NPM_REGISTRY_URL, PACKAGE_NAME;
 var init_update_check = __esm({
   "src/shared/update-check.ts"() {
     "use strict";
     import_promises3 = require("node:fs/promises");
     import_node_path3 = require("node:path");
     import_node_os2 = require("node:os");
-    import_node_crypto4 = require("node:crypto");
+    import_node_crypto5 = require("node:crypto");
     import_node_child_process2 = require("node:child_process");
     import_node_util = require("node:util");
     init_safe_fs();
@@ -48643,11 +48910,182 @@ var init_update_check = __esm({
   }
 });
 
+// src/cli/client-configs.ts
+var client_configs_exports = {};
+__export(client_configs_exports, {
+  CLIENT_CONFIGS: () => CLIENT_CONFIGS,
+  knownClientIds: () => knownClientIds,
+  renderConfigSnippet: () => renderConfigSnippet
+});
+function renderConfigSnippet(clientId, profile, binPath) {
+  const entry = CLIENT_CONFIGS.find((c) => c.id === clientId);
+  if (!entry) {
+    const valid = knownClientIds().join(", ");
+    throw new Error(
+      `Unknown client ID "${clientId}". Valid IDs are: ${valid}`
+    );
+  }
+  const snippet = entry.template.replace(/\{\{PROFILE\}\}/g, profile).replace(/\{\{BIN\}\}/g, binPath);
+  return { snippet, ...entry.warning ? { warning: entry.warning } : {} };
+}
+function knownClientIds() {
+  return CLIENT_CONFIGS.map((c) => c.id);
+}
+var CLIENT_CONFIGS;
+var init_client_configs = __esm({
+  "src/cli/client-configs.ts"() {
+    "use strict";
+    CLIENT_CONFIGS = [
+      {
+        id: "claude-code",
+        displayName: "Claude Code",
+        configFileHint: ".mcp.json",
+        template: JSON.stringify(
+          {
+            mcpServers: {
+              "epimethian-mcp": {
+                command: "{{BIN}}",
+                args: ["--profile", "{{PROFILE}}"]
+              }
+            }
+          },
+          null,
+          2
+        )
+      },
+      {
+        id: "claude-desktop",
+        displayName: "Claude Desktop",
+        configFileHint: "~/Library/Application Support/Claude/claude_desktop_config.json (macOS) / %APPDATA%\\Claude\\claude_desktop_config.json (Windows) / ~/.config/Claude/claude_desktop_config.json (Linux)",
+        template: JSON.stringify(
+          {
+            mcpServers: {
+              "epimethian-mcp": {
+                command: "{{BIN}}",
+                args: ["--profile", "{{PROFILE}}"]
+              }
+            }
+          },
+          null,
+          2
+        )
+      },
+      {
+        id: "claude-code-vscode",
+        displayName: "Claude Code (VS Code extension)",
+        configFileHint: "VS Code settings.json (mcp.servers block)",
+        template: JSON.stringify(
+          {
+            "mcp.servers": {
+              "epimethian-mcp": {
+                command: "{{BIN}}",
+                args: ["--profile", "{{PROFILE}}"]
+              }
+            }
+          },
+          null,
+          2
+        ),
+        warning: "VS Code extension \u2264 2.1.123 does not honour elicitation requests; if write tools fail with NO_USER_RESPONSE, set `EPIMETHIAN_BYPASS_ELICITATION=true`."
+      },
+      {
+        id: "cursor",
+        displayName: "Cursor",
+        configFileHint: ".cursor/mcp.json",
+        template: JSON.stringify(
+          {
+            mcpServers: {
+              "epimethian-mcp": {
+                command: "{{BIN}}",
+                args: ["--profile", "{{PROFILE}}"]
+              }
+            }
+          },
+          null,
+          2
+        )
+      },
+      {
+        id: "windsurf",
+        displayName: "Windsurf",
+        configFileHint: "~/.codeium/windsurf/mcp_config.json",
+        template: JSON.stringify(
+          {
+            mcpServers: {
+              "epimethian-mcp": {
+                command: "{{BIN}}",
+                args: ["--profile", "{{PROFILE}}"]
+              }
+            }
+          },
+          null,
+          2
+        )
+      },
+      {
+        id: "zed",
+        displayName: "Zed",
+        configFileHint: "~/.config/zed/settings.json (context_servers block)",
+        template: JSON.stringify(
+          {
+            context_servers: {
+              "epimethian-mcp": {
+                command: {
+                  path: "{{BIN}}",
+                  args: ["--profile", "{{PROFILE}}"]
+                }
+              }
+            }
+          },
+          null,
+          2
+        )
+      },
+      {
+        id: "opencode",
+        displayName: "OpenCode",
+        configFileHint: "opencode.json or ~/.config/opencode/opencode.json",
+        template: JSON.stringify(
+          {
+            mcp: {
+              "epimethian-mcp": {
+                type: "local",
+                command: ["{{BIN}}", "--profile", "{{PROFILE}}"],
+                environment: {
+                  EPIMETHIAN_ALLOW_UNGATED_WRITES: "true"
+                }
+              }
+            }
+          },
+          null,
+          2
+        ),
+        warning: "OpenCode does not yet support MCP elicitation. The `EPIMETHIAN_ALLOW_UNGATED_WRITES=true` env var above removes the interactive confirmation prompt for destructive operations. Read tools and additive writes work without any flag. Upgrade to epimethian-mcp v6.6.0 to get soft elicitation (confirmations routed through the agent), and remove the env var when you do."
+      }
+    ];
+  }
+});
+
 // src/cli/setup.ts
 var setup_exports = {};
 __export(setup_exports, {
   runSetup: () => runSetup
 });
+function resolveBinPath() {
+  const argv1 = process.argv[1];
+  if (argv1 && argv1.startsWith("/")) {
+    return argv1;
+  }
+  try {
+    const result = (0, import_node_child_process3.execSync)("which epimethian-mcp", { encoding: "utf8" }).trim();
+    if (result) return result;
+  } catch {
+  }
+  process.stderr.write(
+    "Warning: could not determine absolute path to epimethian-mcp. Replace <absolute path to epimethian-mcp> in the snippet below with the correct path.\n"
+  );
+  return "<absolute path to epimethian-mcp>";
+}
 function readPassword(prompt) {
   import_node_process2.stdout.write(prompt);
   return new Promise((resolve2) => {
@@ -48678,13 +49116,22 @@ function readPassword(prompt) {
     import_node_process2.stdin.on("data", onData);
   });
 }
-async function runSetup(profile) {
+async function runSetup(profile, clientId) {
   if (!import_node_process2.stdin.isTTY) {
     console.error(
       "Error: setup requires an interactive terminal.\nFor non-interactive environments, set CONFLUENCE_URL, CONFLUENCE_EMAIL, and CONFLUENCE_API_TOKEN as environment variables."
     );
     process.exit(1);
   }
+  if (clientId !== void 0) {
+    const validIds = knownClientIds();
+    if (!validIds.includes(clientId)) {
+      console.error(
+        `Error: Unknown --client "${clientId}". Valid IDs are: ${validIds.join(", ")}`
+      );
+      process.exit(1);
+    }
+  }
   if (profile !== void 0 && !PROFILE_NAME_RE.test(profile)) {
     console.error(
       `Error: Invalid profile name "${profile}". Use lowercase alphanumeric and hyphens only (1-63 chars).`
@@ -48843,19 +49290,37 @@ Your choice [default: 1]: `
     console.log(
       "\nSetup complete. Restart your MCP client to use the new credentials."
     );
+    const binPath = resolveBinPath();
+    const effectiveProfile = profile ?? "default";
+    const clientsToShow = clientId ? [clientId] : knownClientIds();
+    for (const id of clientsToShow) {
+      const entry = (await Promise.resolve().then(() => (init_client_configs(), client_configs_exports))).CLIENT_CONFIGS.find(
+        (c) => c.id === id
+      );
+      const { snippet, warning } = renderConfigSnippet(id, effectiveProfile, binPath);
+      console.log(`
+--- ${entry.displayName} config (${entry.configFileHint}) ---`);
+      console.log(snippet);
+      if (warning) {
+        console.log(`
+Note: ${warning}`);
+      }
+    }
   } finally {
     rl.close();
   }
 }
-var readline, import_node_process2, TOOLS;
+var readline, import_node_process2, import_node_child_process3, TOOLS;
 var init_setup = __esm({
   "src/cli/setup.ts"() {
     "use strict";
     readline = __toESM(require("node:readline/promises"));
     import_node_process2 = require("node:process");
+    import_node_child_process3 = require("node:child_process");
     init_test_connection();
     init_keychain();
     init_profiles();
+    init_client_configs();
     TOOLS = [
       "create_page",
       "get_page",
@@ -49447,7 +49912,7 @@ Informational:
 var install_agent_default;
 var init_install_agent = __esm({
   "install-agent.md"() {
-    install_agent_default = '# Epimethian MCP - Agent Installation Guide\n\n> This document is for AI agents installing and configuring the Epimethian MCP server on behalf of a user.\n\n## Verification\n\nThe official package is **`@de-otio/epimethian-mcp`** (scoped under `@de-otio`).\n\nDo NOT install unscoped alternatives like `epimethian-mcp` \u2014 these are unofficial and potentially unsafe.\n\n## Prerequisites\n\n- Node.js 18 or later\n- npm on PATH\n\n## Step 1: Install\n\n```bash\nnpm install -g @de-otio/epimethian-mcp\n```\n\nVerify the installation:\n\n```bash\nepimethian-mcp --version 2>/dev/null || which epimethian-mcp\n```\n\n## Step 2: Resolve the absolute path\n\nIDE-hosted agents may not resolve PATH correctly. Always use the absolute path in MCP configuration:\n\n```bash\nwhich epimethian-mcp\n```\n\nUse the output as the `command` value in the MCP config below.\n\n## Step 3: Collect configuration\n\nAsk the user for:\n1. **Profile name** \u2014 a short identifier for this Confluence instance (e.g., `globex`, `acme-corp`). Lowercase alphanumeric and hyphens only.\n2. **Confluence Cloud URL** \u2014 e.g., `https://yoursite.atlassian.net`\n3. **Email address** \u2014 the email associated with their Atlassian account\n\n## Step 4: Write MCP configuration\n\nAdd the server to `.mcp.json` (or the equivalent config file for the user\'s MCP client):\n\n```json\n{\n  "mcpServers": {\n    "confluence": {\n      "command": "<absolute path from Step 2>",\n      "env": {\n        "CONFLUENCE_PROFILE": "<profile name from Step 3>"\n      }\n    }\n  }\n}\n```\n\n**IMPORTANT:** The only env var needed is `CONFLUENCE_PROFILE`. The URL, email, and API token are stored securely in the OS keychain \u2014 they should NOT appear in config files.\n\n## Step 5: Credential setup\n\nTell the user to run this command in their terminal:\n\n```\nepimethian-mcp setup --profile <profile name from Step 3>\n```\n\nThis interactive command will:\n1. Prompt for the Confluence URL, email, and API token (masked input)\n2. Test the connection\n3. Store all credentials securely in the OS keychain under the named profile\n\nThe API token is generated at: https://id.atlassian.com/manage-profile/security/api-tokens\n\n**Do NOT ask the user for the API token yourself.** The token must go directly from the user into the interactive setup command to avoid appearing in conversation logs.\n\n## Step 6: User must restart the MCP client\n\n**IMPORTANT:** The user must restart their MCP client (e.g., restart Claude Code, reload VS Code, restart Claude Desktop) for the new server configuration to take effect. The MCP client reads `.mcp.json` at startup and does not detect changes while running.\n\nTell the user:\n> Please restart your MCP client now to activate the Confluence tools.\n\n## Step 7: Validation\n\nAfter the user restarts, verify the server is working by listing available Confluence tools or running a simple operation like listing spaces.\n\n## Adding Additional Tenants\n\nTo add a second Confluence instance (e.g., for a different customer):\n\n1. Run `epimethian-mcp setup --profile <new-profile-name>` with the new credentials\n2. In the project that uses the new tenant, update `.mcp.json` to set `CONFLUENCE_PROFILE` to the new profile name\n3. Restart the MCP client\n\nEach VS Code window / Claude Code session uses the profile specified in its `.mcp.json`. Profiles are fully isolated \u2014 different OS keychain entries, different Confluence instances.\n\n## Managing Profiles\n\n- List all profiles: `epimethian-mcp profiles`\n- Show details: `epimethian-mcp profiles --verbose`\n- Check connection: `CONFLUENCE_PROFILE=<name> epimethian-mcp status`\n- Set read-only: `epimethian-mcp profiles --set-read-only <name>`\n- Set read-write: `epimethian-mcp profiles --set-read-write <name>`\n\n### Read-Only Mode\n\nNew profiles default to **read-only**. When read-only, all write tools are blocked and return an error. To enable writes for a profile:\n\n```bash\nepimethian-mcp profiles --set-read-write <name>\n```\n\nOr during setup: `epimethian-mcp setup --profile <name> --read-write`\n\n**Important:** Restart any running MCP servers after changing the read-only flag.\n\n### Removing a Profile\n\nTo delete a profile and its credentials, run:\n\n```bash\nepimethian-mcp profiles --remove <name> --force\n```\n\n**Agents must pass `--force`** because the command normally prompts for interactive confirmation (`Remove profile "<name>" and delete its credentials? [y/N]`), which will fail in non-TTY environments like agent shell sessions. The `--force` flag skips the confirmation prompt when stdin is not a TTY.\n\nThis command:\n1. Deletes the credential entry (URL, email, API token) from the OS keychain\n2. Removes the profile from the registry at `~/.config/epimethian-mcp/profiles.json`\n3. Writes an entry to the audit log at `~/.config/epimethian-mcp/audit.log`\n\nAfter removing a profile, also remove or update any `.mcp.json` files that reference it \u2014 otherwise the MCP server will fail to start with a missing-profile error.\n\n**Errors:**\n- If the profile name is invalid (not matching lowercase alphanumeric/hyphens, 1\u201363 chars), the command exits with code 1\n- If the profile does not exist in the keychain, the keychain deletion is silently skipped \u2014 the registry entry is still removed\n\n## Accessing This Guide Post-Install\n\nOnce installed, this guide is available locally via:\n\n```bash\nepimethian-mcp agent-guide\n```\n\nThis prints the full agent guide to stdout \u2014 no web fetch required.\n\n## Uninstallation\n\nWhen a user asks to uninstall Epimethian MCP, follow these steps:\n\n### Step 1: Check for existing profiles\n\n```bash\nepimethian-mcp profiles\n```\n\n### Step 2: Ask the user about credential cleanup\n\nIf profiles exist, ask the user:\n\n> You have Epimethian profiles configured: [list the profile names]. Would you like to delete all stored credentials before uninstalling? (This removes API tokens from your OS keychain.)\n\n### Step 3: Delete credentials (if the user agrees)\n\nFor each profile the user wants removed:\n\n```bash\nepimethian-mcp profiles --remove <name> --force\n```\n\nOr to remove all profiles:\n\n```bash\nfor name in $(epimethian-mcp profiles | grep \'^ \'); do epimethian-mcp profiles --remove "$name" --force; done\n```\n\n### Step 4: Remove MCP configuration\n\nDelete the `confluence` entry (or the tenant-specific entry like `confluence-globex`) from the project\'s `.mcp.json`.\n\n### Step 5: Uninstall the package\n\n```bash\nnpm uninstall -g @de-otio/epimethian-mcp\n```\n\n### Step 6: Restart the MCP client\n\nTell the user to restart their MCP client so it stops trying to launch the removed server.\n\n## CI/CD (No Keychain)\n\nFor environments where the OS keychain is unavailable (Docker, CI), set all three env vars directly:\n\n```json\n{\n  "mcpServers": {\n    "confluence": {\n      "command": "<absolute path>",\n      "env": {\n        "CONFLUENCE_URL": "<url>",\n        "CONFLUENCE_EMAIL": "<email>",\n        "CONFLUENCE_API_TOKEN": "<token>"\n      }\n    }\n  }\n}\n```\n\n**Warning:** This exposes the API token in the process environment. Use profile-based auth whenever possible.\n\n## Troubleshooting\n\nIf **npm install fails**:\n- Verify Node.js 18+ is installed: `node --version`\n- Verify npm is on PATH: `npm --version`\n- If permission errors occur, the user may need to fix their npm prefix or use a Node version manager (nvm, fnm)\n\nIf **`epimethian-mcp setup` fails**:\n- "Connection failed": Verify the Confluence URL is correct and accessible\n- "Token is invalid or expired": The user needs to generate a new API token at https://id.atlassian.com/manage-profile/security/api-tokens\n- Keychain errors on Linux: The user may need to install `libsecret` / `gnome-keyring` (`apt install libsecret-tools` or equivalent)\n\nIf **the server doesn\'t appear after restart**:\n- Verify the `.mcp.json` path is correct for the user\'s MCP client\n- Verify the `command` value is an absolute path (run `which epimethian-mcp` to confirm)\n- Check that `.mcp.json` contains valid JSON (no trailing commas, correct quoting)\n\n## Write budget (safety cap on writes)\n\nepimethian-mcp enforces two write-rate caps per server process:\n\n- **Session cap** (default 250): total writes since the server started.\n- **Rolling cap** (default 75 per 15-minute window): catches bursts.\n\nThese are local safety nets, not Confluence limits. They exist because an\nautonomous agent in a retry loop or with a bad plan can issue hundreds of writes\nvery quickly, and most users would rather have a brief pause to confirm than\ndiscover the result an hour later.\n\n### What to do when you (the agent) hit `WRITE_BUDGET_EXCEEDED`\n\n1. **Stop and check.** Was the in-progress work user-requested and going as\n   planned? If unsure, ask the user before continuing.\n2. **Explain to the user, in your own words:**\n   - The safety budget has been hit (which scope, current vs. limit).\n   - What the budget is for: a guard against runaway agents.\n   - Whether the work-in-progress is legitimate (your judgement).\n   - The two ways forward: wait for the rolling window to reopen, or raise the cap.\n3. **If the user wants to raise the cap**, give them this snippet to add to the\n   `env` block of the epimethian-mcp entry in their MCP config (`.mcp.json` or\n   equivalent \u2014 see Step 4 above for the layout):\n\n   ```json\n   "EPIMETHIAN_WRITE_BUDGET_ROLLING": "200",\n   "EPIMETHIAN_WRITE_BUDGET_SESSION": "1000"\n   ```\n\n   Set either value to `"0"` to disable that scope. **Confirm with the user\n   before recommending a raise** \u2014 the budget exists precisely to create a\n   pause-and-check moment. The user must restart the MCP server (re-open the\n   MCP client) for changes to take effect.\n4. **If the user gets a deprecation warning** about `EPIMETHIAN_WRITE_BUDGET_HOURLY`,\n   tell them to rename it to `EPIMETHIAN_WRITE_BUDGET_ROLLING` in the same\n   config file. The old name still works but will be removed in version 7.\n\n### Operator-side defaults\n\n- **`EPIMETHIAN_WRITE_BUDGET_SESSION`** \u2014 default 250; set to "0" to disable.\n- **`EPIMETHIAN_WRITE_BUDGET_ROLLING`** \u2014 default 75 per 15-minute window; set to "0" to disable.\n- **`EPIMETHIAN_WRITE_BUDGET_HOURLY`** \u2014 deprecated alias for `EPIMETHIAN_WRITE_BUDGET_ROLLING`; will be removed in version 7.\n\n## Available Tools (35)\n\n| Tool | Description |\n|------|-------------|\n| `check_permissions` | Report the current profile\'s MCP access mode and the token\'s capabilities |\n| `create_page` | Create a new Confluence page |\n| `get_page` | Read a page by ID (use `headings_only` to preview structure first) |\n| `get_page_by_title` | Look up a page by title (use `headings_only` to preview structure first) |\n| `update_page` | Update an existing page |\n| `update_page_section` | Update a single section by heading name (supports `body` replacement OR `find_replace` literal substitutions) |\n| `update_page_sections` | Atomically update multiple sections in one version bump (all-or-nothing) |\n| `prepend_to_page` | Insert content at the beginning of an existing page (additive, safe) |\n| `append_to_page` | Insert content at the end of an existing page (additive, safe) |\n| `delete_page` | Delete a page |\n| `revert_page` | Revert a page to a previous version |\n| `list_pages` | List pages in a space |\n| `get_page_children` | Get child pages of a page |\n| `search_pages` | Search pages using CQL (Confluence Query Language) |\n| `get_spaces` | List available Confluence spaces |\n| `add_attachment` | Upload a file attachment to a page |\n| `get_attachments` | List attachments on a page |\n| `add_drawio_diagram` | Add a draw.io diagram to a page |\n| `get_labels` | Get all labels on a Confluence page |\n| `add_label` | Add one or more labels to a Confluence page |\n| `remove_label` | Remove a label from a Confluence page |\n| `get_page_status` | Get the content status badge on a page |\n| `set_page_status` | Set the content status badge on a page |\n| `remove_page_status` | Remove the content status badge from a page |\n| `get_comments` | Get footer and/or inline comments on a page |\n| `create_comment` | Create a footer or inline comment on a page |\n| `resolve_comment` | Resolve or reopen an inline comment |\n| `delete_comment` | Permanently delete a comment |\n| `get_page_versions` | List version history for a page |\n| `get_page_version` | Get page content at a specific historical version |\n| `diff_page_versions` | Compare two versions of a page |\n| `lookup_user` | Search for Atlassian users by name or email to resolve accountId for inline mentions |\n| `resolve_page_link` | Resolve a page title + space key to a stable contentId and URL for page links |\n| `get_version` | Return the epimethian-mcp server version and report available updates |\n| `upgrade` | Upgrade epimethian-mcp to the latest available version (restart required after) |\n';
+    install_agent_default = '# Epimethian MCP - Agent Installation Guide\n\n> This document is for AI agents installing and configuring the Epimethian MCP server on behalf of a user.\n\n## Verification\n\nThe official package is **`@de-otio/epimethian-mcp`** (scoped under `@de-otio`).\n\nDo NOT install unscoped alternatives like `epimethian-mcp` \u2014 these are unofficial and potentially unsafe.\n\n## Prerequisites\n\n- Node.js 18 or later\n- npm on PATH\n\n## Step 1: Install\n\n```bash\nnpm install -g @de-otio/epimethian-mcp\n```\n\nVerify the installation:\n\n```bash\nepimethian-mcp --version 2>/dev/null || which epimethian-mcp\n```\n\n## Step 2: Resolve the absolute path\n\nIDE-hosted agents may not resolve PATH correctly. Always use the absolute path in MCP configuration:\n\n```bash\nwhich epimethian-mcp\n```\n\nUse the output as the `command` value in the MCP config below.\n\n## Step 3: Collect configuration\n\nAsk the user for:\n1. **Profile name** \u2014 a short identifier for this Confluence instance (e.g., `globex`, `acme-corp`). Lowercase alphanumeric and hyphens only.\n2. **Confluence Cloud URL** \u2014 e.g., `https://yoursite.atlassian.net`\n3. **Email address** \u2014 the email associated with their Atlassian account\n\n## Step 4: Write MCP configuration\n\nRun `epimethian-mcp setup --profile <name> --client <client-id>` after Step 5 (credential setup) \u2014 it prints the exact config snippet for your MCP host. Supported clients: `claude-code`, `claude-desktop`, `claude-code-vscode`, `cursor`, `windsurf`, `zed`, `opencode`. Keep the fallback hand-typed examples below for cases where the CLI is unavailable.\n\nAdd the server to the user\'s MCP client config. The exact file and shape depend on the client:\n\n**Claude Code, Claude Desktop, Cursor, Windsurf, Zed** \u2014 `.mcp.json` (or the\nequivalent client-specific config). The standard `mcpServers` shape:\n\n```json\n{\n  "mcpServers": {\n    "confluence": {\n      "command": "<absolute path from Step 2>",\n      "env": {\n        "CONFLUENCE_PROFILE": "<profile name from Step 3>"\n      }\n    }\n  }\n}\n```\n\n**OpenCode** \u2014 `opencode.json` at the project root or\n`~/.config/opencode/opencode.json`. Different shape (`mcp` block, `type:\n"local"`, `command` is an array, `environment` not `env`):\n\n```jsonc\n{\n  "$schema": "https://opencode.ai/config.json",\n  "mcp": {\n    "confluence": {\n      "type": "local",\n      "command": ["<absolute path from Step 2>"],\n      "enabled": true,\n      "environment": {\n        "CONFLUENCE_PROFILE": "<profile name from Step 3>",\n        "EPIMETHIAN_ALLOW_UNGATED_WRITES": "true"\n      }\n    }\n  }\n}\n```\n\nOpenCode does not support MCP elicitation (the in-protocol confirmation\nprompts), so write tools that fire the elicitation gate fail unless\n`EPIMETHIAN_ALLOW_UNGATED_WRITES=true` is set. See "MCP client\ncompatibility" below for the trade-off.\n\n**IMPORTANT:** The only required env var is `CONFLUENCE_PROFILE`. The URL,\nemail, and API token are stored securely in the OS keychain \u2014 they should\nNOT appear in config files.\n\n## Step 5: Credential setup\n\nTell the user to run this command in their terminal:\n\n```\nepimethian-mcp setup --profile <profile name from Step 3>\n```\n\nThis interactive command will:\n1. Prompt for the Confluence URL, email, and API token (masked input)\n2. Test the connection\n3. Store all credentials securely in the OS keychain under the named profile\n\nThe API token is generated at: https://id.atlassian.com/manage-profile/security/api-tokens\n\n**Do NOT ask the user for the API token yourself.** The token must go directly from the user into the interactive setup command to avoid appearing in conversation logs.\n\n## Step 6: User must restart the MCP client\n\n**IMPORTANT:** The user must restart their MCP client (e.g., restart Claude Code, reload VS Code, restart Claude Desktop) for the new server configuration to take effect. The MCP client reads `.mcp.json` at startup and does not detect changes while running.\n\nTell the user:\n> Please restart your MCP client now to activate the Confluence tools.\n\n## Step 7: Validation\n\nAfter the user restarts, verify the server is working by listing available Confluence tools or running a simple operation like listing spaces.\n\n## Adding Additional Tenants\n\nTo add a second Confluence instance (e.g., for a different customer):\n\n1. Run `epimethian-mcp setup --profile <new-profile-name>` with the new credentials\n2. In the project that uses the new tenant, update `.mcp.json` to set `CONFLUENCE_PROFILE` to the new profile name\n3. Restart the MCP client\n\nEach VS Code window / Claude Code session uses the profile specified in its `.mcp.json`. Profiles are fully isolated \u2014 different OS keychain entries, different Confluence instances.\n\n## Managing Profiles\n\n- List all profiles: `epimethian-mcp profiles`\n- Show details: `epimethian-mcp profiles --verbose`\n- Check connection: `CONFLUENCE_PROFILE=<name> epimethian-mcp status`\n- Set read-only: `epimethian-mcp profiles --set-read-only <name>`\n- Set read-write: `epimethian-mcp profiles --set-read-write <name>`\n\n### Read-Only Mode\n\nNew profiles default to **read-only**. When read-only, all write tools are blocked and return an error. To enable writes for a profile:\n\n```bash\nepimethian-mcp profiles --set-read-write <name>\n```\n\nOr during setup: `epimethian-mcp setup --profile <name> --read-write`\n\n**Important:** Restart any running MCP servers after changing the read-only flag.\n\n### Removing a Profile\n\nTo delete a profile and its credentials, run:\n\n```bash\nepimethian-mcp profiles --remove <name> --force\n```\n\n**Agents must pass `--force`** because the command normally prompts for interactive confirmation (`Remove profile "<name>" and delete its credentials? [y/N]`), which will fail in non-TTY environments like agent shell sessions. The `--force` flag skips the confirmation prompt when stdin is not a TTY.\n\nThis command:\n1. Deletes the credential entry (URL, email, API token) from the OS keychain\n2. Removes the profile from the registry at `~/.config/epimethian-mcp/profiles.json`\n3. Writes an entry to the audit log at `~/.config/epimethian-mcp/audit.log`\n\nAfter removing a profile, also remove or update any `.mcp.json` files that reference it \u2014 otherwise the MCP server will fail to start with a missing-profile error.\n\n**Errors:**\n- If the profile name is invalid (not matching lowercase alphanumeric/hyphens, 1\u201363 chars), the command exits with code 1\n- If the profile does not exist in the keychain, the keychain deletion is silently skipped \u2014 the registry entry is still removed\n\n## Accessing This Guide Post-Install\n\nOnce installed, this guide is available locally via:\n\n```bash\nepimethian-mcp agent-guide\n```\n\nThis prints the full agent guide to stdout \u2014 no web fetch required.\n\n## Uninstallation\n\nWhen a user asks to uninstall Epimethian MCP, follow these steps:\n\n### Step 1: Check for existing profiles\n\n```bash\nepimethian-mcp profiles\n```\n\n### Step 2: Ask the user about credential cleanup\n\nIf profiles exist, ask the user:\n\n> You have Epimethian profiles configured: [list the profile names]. Would you like to delete all stored credentials before uninstalling? (This removes API tokens from your OS keychain.)\n\n### Step 3: Delete credentials (if the user agrees)\n\nFor each profile the user wants removed:\n\n```bash\nepimethian-mcp profiles --remove <name> --force\n```\n\nOr to remove all profiles:\n\n```bash\nfor name in $(epimethian-mcp profiles | grep \'^ \'); do epimethian-mcp profiles --remove "$name" --force; done\n```\n\n### Step 4: Remove MCP configuration\n\nDelete the `confluence` entry (or the tenant-specific entry like `confluence-globex`) from the project\'s `.mcp.json`.\n\n### Step 5: Uninstall the package\n\n```bash\nnpm uninstall -g @de-otio/epimethian-mcp\n```\n\n### Step 6: Restart the MCP client\n\nTell the user to restart their MCP client so it stops trying to launch the removed server.\n\n## CI/CD (No Keychain)\n\nFor environments where the OS keychain is unavailable (Docker, CI), set all three env vars directly:\n\n```json\n{\n  "mcpServers": {\n    "confluence": {\n      "command": "<absolute path>",\n      "env": {\n        "CONFLUENCE_URL": "<url>",\n        "CONFLUENCE_EMAIL": "<email>",\n        "CONFLUENCE_API_TOKEN": "<token>"\n      }\n    }\n  }\n}\n```\n\n**Warning:** This exposes the API token in the process environment. Use profile-based auth whenever possible.\n\n## Troubleshooting\n\nIf **npm install fails**:\n- Verify Node.js 18+ is installed: `node --version`\n- Verify npm is on PATH: `npm --version`\n- If permission errors occur, the user may need to fix their npm prefix or use a Node version manager (nvm, fnm)\n\nIf **`epimethian-mcp setup` fails**:\n- "Connection failed": Verify the Confluence URL is correct and accessible\n- "Token is invalid or expired": The user needs to generate a new API token at https://id.atlassian.com/manage-profile/security/api-tokens\n- Keychain errors on Linux: The user may need to install `libsecret` / `gnome-keyring` (`apt install libsecret-tools` or equivalent)\n\nIf **the server doesn\'t appear after restart**:\n- Verify the `.mcp.json` path is correct for the user\'s MCP client\n- Verify the `command` value is an absolute path (run `which epimethian-mcp` to confirm)\n- Check that `.mcp.json` contains valid JSON (no trailing commas, correct quoting)\n\n## Write budget (safety cap on writes)\n\nepimethian-mcp enforces two write-rate caps per server process:\n\n- **Session cap** (default 250): total writes since the server started.\n- **Rolling cap** (default 75 per 15-minute window): catches bursts.\n\nThese are local safety nets, not Confluence limits. They exist because an\nautonomous agent in a retry loop or with a bad plan can issue hundreds of writes\nvery quickly, and most users would rather have a brief pause to confirm than\ndiscover the result an hour later.\n\n### What to do when you (the agent) hit `WRITE_BUDGET_EXCEEDED`\n\n1. **Stop and check.** Was the in-progress work user-requested and going as\n   planned? If unsure, ask the user before continuing.\n2. **Explain to the user, in your own words:**\n   - The safety budget has been hit (which scope, current vs. limit).\n   - What the budget is for: a guard against runaway agents.\n   - Whether the work-in-progress is legitimate (your judgement).\n   - The two ways forward: wait for the rolling window to reopen, or raise the cap.\n3. **If the user wants to raise the cap**, give them this snippet to add to the\n   `env` block of the epimethian-mcp entry in their MCP config (`.mcp.json` or\n   equivalent \u2014 see Step 4 above for the layout):\n\n   ```json\n   "EPIMETHIAN_WRITE_BUDGET_ROLLING": "200",\n   "EPIMETHIAN_WRITE_BUDGET_SESSION": "1000"\n   ```\n\n   Set either value to `"0"` to disable that scope. **Confirm with the user\n   before recommending a raise** \u2014 the budget exists precisely to create a\n   pause-and-check moment. The user must restart the MCP server (re-open the\n   MCP client) for changes to take effect.\n4. **If the user gets a deprecation warning** about `EPIMETHIAN_WRITE_BUDGET_HOURLY`,\n   tell them to rename it to `EPIMETHIAN_WRITE_BUDGET_ROLLING` in the same\n   config file. The old name still works but will be removed in version 7.\n\n### Operator-side defaults\n\n- **`EPIMETHIAN_WRITE_BUDGET_SESSION`** \u2014 default 250; set to "0" to disable.\n- **`EPIMETHIAN_WRITE_BUDGET_ROLLING`** \u2014 default 75 per 15-minute window; set to "0" to disable.\n- **`EPIMETHIAN_WRITE_BUDGET_HOURLY`** \u2014 deprecated alias for `EPIMETHIAN_WRITE_BUDGET_ROLLING`; will be removed in version 7.\n\n## Soft confirmation (clients without elicitation)\n\nSome MCP clients (currently OpenCode, plus others) don\'t implement the in-protocol\nconfirmation prompt. Starting in v6.6.0, epimethian-mcp routes those confirmations\nthrough your agent\'s normal chat surface instead.\n\n### What you (the agent) see\n\nWhen a destructive write is requested against a client without elicitation, the\ntool returns an error with a confirmation token:\n\n```\nisError: true\nstructuredContent:\n  {\n    "confirm_token": "<opaque token>",\n    "audit_id": "<UUID for correlation>",\n    "expires_at": "<ISO timestamp>",\n    "page_id": "<pageId>",\n    ...\n  }\ncontent[0].text:\n  \u26A0\uFE0F  Confirmation required (SOFT_CONFIRMATION_REQUIRED)\n\n  {humanSummary}\n\n  Please ask the user before retrying. If approved, re-call with:\n  "confirm_token": from structuredContent.\n\n  Expires at {timestamp}; invalidated by competing writes.\n```\n\n### What to do\n\n1. STOP. Don\'t retry blindly.\n2. Show the user, in their language, what\'s about to happen (use the\n   `humanSummary` field from the result).\n3. Ask the user explicitly. Wait for their answer.\n4. If approved: re-call the tool with the SAME parameters plus\n   `confirm_token` from the structuredContent.\n5. If denied: tell the user the operation has been cancelled.\n\n### Token semantics\n\n- Single-use: a successful retry consumes the token. Replays fail.\n- 5-minute TTL by default.\n- Invalidated by any competing write to the same page (stale).\n- Bound to the specific diff and tenant: changing the body, page version, or\n  tenant invalidates the token.\n\n### Operator opt-outs\n\nThese environment variables control soft confirmation behavior:\n\n- **`EPIMETHIAN_ALLOW_UNGATED_WRITES=true`** \u2014 bypasses soft confirmation\n  entirely (no prompt; useful for headless / CI).\n- **`EPIMETHIAN_DISABLE_SOFT_CONFIRM=true`** \u2014 keeps the legacy\n  `ELICITATION_REQUIRED_BUT_UNAVAILABLE` failure mode for clients without\n  elicitation support.\n- **`EPIMETHIAN_SOFT_CONFIRM_TTL_MS=300000`** \u2014 override the default 5-minute\n  TTL (clamped to 60 seconds minimum, 15 minutes maximum).\n- **`EPIMETHIAN_SOFT_CONFIRM_MINT_LIMIT=100`** \u2014 override the per-15-minute\n  mint cap (default 100; "0" disables the cap entirely).\n\n### Multi-process deployments\n\nTokens are process-local in-memory. If you\'re running multiple MCP server\nprocesses for one tenant (e.g. a load-balanced fleet or separate processes\nper IDE window), a soft confirmation minted by process P1 will fail validation\nin process P2 (the load balancer routes the retry to a different process).\nThis is not a bug \u2014 it\'s the safe failure mode \u2014 but it means the user needs\nto mint a new token if the retry lands on a different process.\n\n**Recommendation:** Pin a single MCP server process per agent or IDE window.\nPre-seal profiles upgraded from versions before v5.5.0 must run `epimethian-mcp\nsetup` once to acquire a sealed cloudId before soft confirmation is available.\n\n## MCP client compatibility\n\nepimethian-mcp uses MCP **elicitation** (the in-protocol confirmation\nprompt added to MCP in 2025) as the human-in-the-loop gate for destructive\noperations. Different MCP clients support elicitation differently \u2014 some\nfully, some not at all, and some advertise the capability without honouring\nit. The compatibility matrix below tells you which env-var workaround to\nrecommend, if any.\n\n| Client | Elicitation? | What to do |\n|---|---|---|\n| **Claude Code (CLI)** | Yes \u2014 full support | No special config needed. |\n| **Claude Desktop** | Yes \u2014 full support | No special config needed. |\n| **Claude Code VS Code extension \u2264 2.1.123** | Fakes it | Set `EPIMETHIAN_BYPASS_ELICITATION=true` (see below). |\n| **Claude Code VS Code extension \u2265 2.1.124** | Likely fixed (verify) | If write tools fail with `NO_USER_RESPONSE`, fall back to `EPIMETHIAN_BYPASS_ELICITATION=true`. |\n| **OpenCode** | No \u2014 capability not advertised | Set `EPIMETHIAN_ALLOW_UNGATED_WRITES=true` or use only read tools / additive writes that don\'t trigger the gate. No tracking issue at sst/opencode yet (as of v6.4.1); a feature request would be needed for real elicitation support. |\n| **Cursor / Windsurf / Zed / others** | Varies | If write tools fail with `ELICITATION_REQUIRED_BUT_UNAVAILABLE`, the client doesn\'t advertise the capability \u2014 use `EPIMETHIAN_ALLOW_UNGATED_WRITES=true`. If write tools fail with `NO_USER_RESPONSE` despite the client claiming support, the client fakes it \u2014 use `EPIMETHIAN_BYPASS_ELICITATION=true`. |\n\n### Difference between the two bypass env vars\n\nThese are **not** interchangeable. Pick the one that matches the failure mode:\n\n- **`EPIMETHIAN_ALLOW_UNGATED_WRITES=true`** \u2014 for clients that *don\'t\n  advertise* elicitation during the MCP handshake. The server detects the\n  absence and (with this flag) lets writes proceed. OpenCode falls in this\n  category.\n- **`EPIMETHIAN_BYPASS_ELICITATION=true`** \u2014 for clients that *advertise*\n  elicitation but never actually honour the request (the SDK transport\n  silently returns `{action: "decline"}`). The Claude Code VS Code\n  extension \u2264 2.1.123 falls in this category. This flag is unconditional \u2014\n  it bypasses elicitation even when the client claims to support it.\n\n### Trade-off: what you give up by setting either flag\n\nBoth flags **disable the in-protocol confirmation gate**. Writes still go\nthrough the harness\'s tool allow-list (so users can still block the tool\nin their permission settings) and through every server-side guard\n(provenance, source-policy, write-budget, byte-equivalence) \u2014 but the user\nno longer gets a UI prompt before each destructive operation. Recommend\nthis only when:\n\n1. The user is aware of and accepts the trade-off, AND\n2. The user\'s MCP client provides some other interaction model where they\n   can intervene (e.g. they review tool calls before approval), OR\n3. The work is read-mostly and only occasional, additive writes happen.\n\n**Do NOT set either flag silently.** If you (the agent) need to recommend\none, explain to the user what the gate is for, why their client can\'t\nhonour it, and what alternative protections remain.\n\n## Other operator-side environment variables\n\nThese are off by default and only relevant in specific scenarios:\n\n- **`EPIMETHIAN_SUPPRESS_EQUIVALENT_DELETIONS`** \u2014 opt-in (default OFF).\n  When set to `true`, suppresses the `confirm_deletions` gate for token\n  deletion+creation pairs that canonicalise to byte-equivalent XML\n  (e.g. re-rendering the same `<ac:link>` macros with different attribute\n  order, or regenerating an `<ac:structured-macro>` whose parameters and\n  CDATA body are identical after sort). Genuine semantic deletions still\n  fire the gate. Every suppressed pair is recorded in the mutation log\n  for postmortem. Useful for spaces with lots of cross-link rewrites\n  where the gate fires repeatedly on no-op churn.\n- **`EPIMETHIAN_REQUIRE_SOURCE`** \u2014 opt-in (default OFF). When `true`,\n  every write tool call must include a `source` parameter (one of\n  `user_request` / `file_or_cli_input` / `chained_tool_output` /\n  `elicitation_response`). Calls without an explicit source are rejected\n  with `SOURCE_POLICY_BLOCKED`. Useful in audit-heavy environments where\n  every write must declare provenance.\n- **`EPIMETHIAN_AUTO_UPGRADE`** \u2014 opt-in (default OFF). When `true`, the\n  server checks for and applies updates on startup. Useful for managed\n  fleets; usually you want explicit `epimethian-mcp upgrade` runs instead.\n- **`CONFLUENCE_READ_ONLY`** \u2014 opt-in (default OFF). When `true`, all\n  write tools are disabled regardless of MCP client config. Useful for\n  read-only profiles or sandbox environments.\n\n## Available Tools (35)\n\n| Tool | Description |\n|------|-------------|\n| `check_permissions` | Report the current profile\'s MCP access mode and the token\'s capabilities |\n| `create_page` | Create a new Confluence page |\n| `get_page` | Read a page by ID (use `headings_only` to preview structure first) |\n| `get_page_by_title` | Look up a page by title (use `headings_only` to preview structure first) |\n| `update_page` | Update an existing page |\n| `update_page_section` | Update a single section by heading name (supports `body` replacement OR `find_replace` literal substitutions) |\n| `update_page_sections` | Atomically update multiple sections in one version bump (all-or-nothing) |\n| `prepend_to_page` | Insert content at the beginning of an existing page (additive, safe) |\n| `append_to_page` | Insert content at the end of an existing page (additive, safe) |\n| `delete_page` | Delete a page |\n| `revert_page` | Revert a page to a previous version |\n| `list_pages` | List pages in a space |\n| `get_page_children` | Get child pages of a page |\n| `search_pages` | Search pages using CQL (Confluence Query Language) |\n| `get_spaces` | List available Confluence spaces |\n| `add_attachment` | Upload a file attachment to a page |\n| `get_attachments` | List attachments on a page |\n| `add_drawio_diagram` | Add a draw.io diagram to a page |\n| `get_labels` | Get all labels on a Confluence page |\n| `add_label` | Add one or more labels to a Confluence page |\n| `remove_label` | Remove a label from a Confluence page |\n| `get_page_status` | Get the content status badge on a page |\n| `set_page_status` | Set the content status badge on a page |\n| `remove_page_status` | Remove the content status badge from a page |\n| `get_comments` | Get footer and/or inline comments on a page |\n| `create_comment` | Create a footer or inline comment on a page |\n| `resolve_comment` | Resolve or reopen an inline comment |\n| `delete_comment` | Permanently delete a comment |\n| `get_page_versions` | List version history for a page |\n| `get_page_version` | Get page content at a specific historical version |\n| `diff_page_versions` | Compare two versions of a page |\n| `lookup_user` | Search for Atlassian users by name or email to resolve accountId for inline mentions |\n| `resolve_page_link` | Resolve a page title + space key to a stable contentId and URL for page links |\n| `get_version` | Return the epimethian-mcp server version and report available updates |\n| `upgrade` | Upgrade epimethian-mcp to the latest available version (restart required after) |\n';
   }
 });
 
@@ -49472,7 +49937,7 @@ __export(upgrade_exports, {
   runUpgrade: () => runUpgrade
 });
 async function runUpgrade() {
-  const currentVersion = "6.4.1";
+  const currentVersion = "6.6.0";
   console.log(`epimethian-mcp upgrade: current version v${currentVersion}`);
   let pending = await getPendingUpdate();
   if (!pending) {
@@ -60255,6 +60720,7 @@ function computeUnifiedDiff(textA, textB, maxLength) {
 }
 
 // src/server/index.ts
+init_types2();
 init_untrusted_fence();
 
 // src/server/converter/storage-to-md.ts
@@ -60407,10 +60873,12 @@ function listDestructiveFlagsSet(flags) {
 init_write_budget();
 
 // src/server/elicitation.ts
+init_confirmation_tokens();
 var USER_DECLINED = "USER_DECLINED";
 var USER_CANCELLED = "USER_CANCELLED";
 var NO_USER_RESPONSE = "NO_USER_RESPONSE";
 var ELICITATION_REQUIRED_BUT_UNAVAILABLE = "ELICITATION_REQUIRED_BUT_UNAVAILABLE";
+var SOFT_CONFIRMATION_REQUIRED = "SOFT_CONFIRMATION_REQUIRED";
 var GatedOperationError = class extends Error {
   code;
   constructor(code2, message) {
@@ -60419,21 +60887,103 @@ var GatedOperationError = class extends Error {
     this.code = code2;
   }
 };
+var SoftConfirmationRequiredError = class extends GatedOperationError {
+  token;
+  auditId;
+  expiresAt;
+  humanSummary;
+  retryHint;
+  pageId;
+  constructor(args) {
+    super(SOFT_CONFIRMATION_REQUIRED, args.message);
+    this.name = "SoftConfirmationRequiredError";
+    this.token = args.token;
+    this.auditId = args.auditId;
+    this.expiresAt = args.expiresAt;
+    this.humanSummary = args.humanSummary;
+    this.retryHint = args.retryHint;
+    this.pageId = args.pageId;
+  }
+};
+function renderDeletionSummary(s) {
+  const parts = [];
+  if (s.tocs > 0) parts.push(`${s.tocs} TOC macro${s.tocs === 1 ? "" : "s"}`);
+  if (s.links > 0) parts.push(`${s.links} link macro${s.links === 1 ? "" : "s"}`);
+  if (s.codeMacros > 0)
+    parts.push(`${s.codeMacros} code macro${s.codeMacros === 1 ? "" : "s"}`);
+  if (s.structuredMacros > 0)
+    parts.push(
+      `${s.structuredMacros} structured macro${s.structuredMacros === 1 ? "" : "s"}`
+    );
+  if (s.plainElements > 0)
+    parts.push(
+      `${s.plainElements} plain element${s.plainElements === 1 ? "" : "s"}`
+    );
+  if (s.other > 0)
+    parts.push(`${s.other} other element${s.other === 1 ? "" : "s"}`);
+  if (parts.length === 0) {
+    return "This update has no destructive changes.";
+  }
+  const list2 = parts.length === 1 ? parts[0] : parts.slice(0, -1).join(", ") + " and " + parts[parts.length - 1];
+  return `This update will remove ${list2}.`;
+}
+var bypassMisconfigWarningFired = false;
 async function gateOperation(server, context) {
+  const supported = clientSupportsElicitation(server);
   if (process.env.EPIMETHIAN_BYPASS_ELICITATION === "true") {
+    if (!supported && !bypassMisconfigWarningFired) {
+      bypassMisconfigWarningFired = true;
+      console.error(
+        `epimethian-mcp: BYPASS_ELICITATION is set, but the connected client does not advertise elicitation support. The intended use of BYPASS_ELICITATION is for clients that falsely advertise the capability and never honour requests. For clients that don't advertise it (e.g. OpenCode), set EPIMETHIAN_ALLOW_UNGATED_WRITES instead, or upgrade to v6.6.0 to benefit from soft elicitation.`
+      );
+    }
     console.error(
       `epimethian-mcp: [UNGATED] tool=${context.tool} \u2014 bypassing elicitation gate; proceeding because EPIMETHIAN_BYPASS_ELICITATION=true.`
     );
     return;
   }
-  const supported = clientSupportsElicitation(server);
+  if (!supported && process.env.EPIMETHIAN_ALLOW_UNGATED_WRITES === "true") {
+    console.error(
+      `epimethian-mcp: [UNGATED] tool=${context.tool} \u2014 client does not support elicitation; proceeding because EPIMETHIAN_ALLOW_UNGATED_WRITES=true.`
+    );
+    return;
+  }
+  if (!supported && process.env.EPIMETHIAN_DISABLE_SOFT_CONFIRM === "true") {
+    throw new GatedOperationError(
+      ELICITATION_REQUIRED_BUT_UNAVAILABLE,
+      `This tool requires interactive confirmation but your MCP client does not expose elicitation, and EPIMETHIAN_DISABLE_SOFT_CONFIRM is set. Use \`update_page_section\` instead, or switch to a client that supports MCP elicitation (Claude Code \u2265 2.x, Claude Desktop \u2265 0.10).`
+    );
+  }
+  if (!supported && context.cloudId !== void 0 && context.pageId !== void 0 && context.pageVersion !== void 0 && context.diffHash !== void 0) {
+    const deletionSummary = context.details?.deletionSummary;
+    let humanSummary;
+    if (deletionSummary !== void 0 && typeof deletionSummary === "object" && deletionSummary !== null && !Array.isArray(deletionSummary)) {
+      humanSummary = renderDeletionSummary(deletionSummary);
+    } else {
+      humanSummary = context.summary;
+    }
+    const minted = mintToken({
+      tool: context.tool,
+      cloudId: context.cloudId,
+      pageId: context.pageId,
+      pageVersion: context.pageVersion,
+      diffHash: context.diffHash
+    });
+    const retryHint = `Re-call \`${context.tool}\` with the same parameters plus \`confirm_token\` set to the value in structuredContent.confirm_token.`;
+    throw new SoftConfirmationRequiredError({
+      token: minted.token,
+      auditId: minted.auditId,
+      expiresAt: minted.expiresAt,
+      humanSummary,
+      retryHint,
+      pageId: context.pageId,
+      // The message is consumed by the index.ts catch in §5.5; the
+      // structured fields above are the load-bearing payload. Keep the
+      // text agent-directed (not user-facing) and free of tenant content.
+      message: `Soft confirmation required for ${context.tool}: surface the prompt to the user and retry with the confirm_token.`
+    });
+  }
   if (!supported) {
-    if (process.env.EPIMETHIAN_ALLOW_UNGATED_WRITES === "true") {
-      console.error(
-        `epimethian-mcp: [UNGATED] tool=${context.tool} \u2014 client does not support elicitation; proceeding because EPIMETHIAN_ALLOW_UNGATED_WRITES=true.`
-      );
-      return;
-    }
     throw new GatedOperationError(
       ELICITATION_REQUIRED_BUT_UNAVAILABLE,
       `This tool requires interactive confirmation but your MCP client does not expose elicitation. Use \`update_page_section\` instead, or switch to a client that supports MCP elicitation (Claude Code \u2265 2.x, Claude Desktop \u2265 0.10).`
@@ -60444,17 +60994,11 @@ async function gateOperation(server, context) {
     for (const [k, v] of Object.entries(context.details)) {
       if (v === void 0) continue;
       if (k === "deletionSummary" && typeof v === "object" && v !== null) {
-        const s = v;
-        const parts = [];
-        if (s.tocs > 0) parts.push(`${s.tocs} TOC macro${s.tocs === 1 ? "" : "s"}`);
-        if (s.links > 0) parts.push(`${s.links} link macro${s.links === 1 ? "" : "s"}`);
-        if (s.codeMacros > 0) parts.push(`${s.codeMacros} code macro${s.codeMacros === 1 ? "" : "s"}`);
-        if (s.structuredMacros > 0) parts.push(`${s.structuredMacros} structured macro${s.structuredMacros === 1 ? "" : "s"}`);
-        if (s.plainElements > 0) parts.push(`${s.plainElements} plain element${s.plainElements === 1 ? "" : "s"}`);
-        if (s.other > 0) parts.push(`${s.other} other element${s.other === 1 ? "" : "s"}`);
-        if (parts.length > 0) {
-          const list2 = parts.length === 1 ? parts[0] : parts.slice(0, -1).join(", ") + " and " + parts[parts.length - 1];
-          lines.push(`  This update will remove ${list2} that the new markdown does not regenerate. Proceed?`);
+        const rendered = renderDeletionSummary(v);
+        if (rendered !== "This update has no destructive changes.") {
+          lines.push(
+            `  ${rendered.replace(/\.$/, "")} that the new markdown does not regenerate. Proceed?`
+          );
         }
         continue;
       }
@@ -60506,6 +61050,7 @@ async function gateOperation(server, context) {
 }
 
 // src/server/index.ts
+init_confirmation_tokens();
 init_update_orchestrator();
 init_tokeniser();
 
@@ -61059,7 +61604,9 @@ async function registerTools(server, config3) {
       deletedTokens: prepared.deletedTokens,
       clientLabel: getClientLabel(server),
       operation: position === "prepend" ? "prepend_to_page" : "append_to_page",
-      assertGrowth: true
+      assertGrowth: true,
+      // 2.E: defense-in-depth invalidation.
+      cloudId: opts.cloudId
     });
     return { page: submitted.page, newVersion: submitted.newVersion, oldLen: currentStorage.length, newLen: newBody.length };
   }
@@ -61244,7 +61791,7 @@ ${truncated}${truncationNote(origLen)}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Update an existing Confluence page. Accepts GFM markdown or Confluence storage format \u2014 markdown is automatically converted via the token-aware write path, which preserves all existing macros and rich elements. Do NOT mix the two: a body that contains both <ac:.../> storage tags AND markdown structural patterns (## headings, lists, fenced code blocks) is rejected with MIXED_INPUT_DETECTED. To inject a TOC macro from markdown, use YAML frontmatter at the top of the body: `---\\ntoc:\\n  maxLevel: 3\\n  minLevel: 1\\n---`. For other macros from markdown, use directive syntax: `:info[content]`, `:mention[Name]{accountId=...}`, `:date[2026-04-23]`. You must provide the version number from your most recent get_page call. If the page was modified by someone else since then, this will return a conflict error \u2014 re-read the page and retry.\n\nFor narrow changes to a single section, prefer update_page_section \u2014 it leaves the rest of the page untouched and is safer for targeted edits.\n\nMarkdown update flags:\n- confirm_deletions: set to true to acknowledge removing preserved macros/elements (default false \u2014 any deletion errors until confirmed).\n- replace_body: set to true for a wholesale rewrite that skips preservation (default false).\n- confirm_shrinkage: set to true to acknowledge a >50% body size reduction (default false).\n- confirm_structure_loss: set to true to acknowledge a >50% heading count drop (default false).\n- allow_raw_html: allow raw HTML inside markdown bodies (default false).\n- confluence_base_url: override the URL used by the link rewriter.\n\nreplace_body skips all safety nets (token preservation, deletion confirmation). When delegating update_page to a subagent, ensure the agent includes the full existing body \u2014 replace_body replaces ALL content with only what you provide."
+          "Update an existing Confluence page. Accepts GFM markdown or Confluence storage format \u2014 markdown is automatically converted via the token-aware write path, which preserves all existing macros and rich elements. Do NOT mix the two: a body that contains both <ac:.../> storage tags AND markdown structural patterns (## headings, lists, fenced code blocks) is rejected with MIXED_INPUT_DETECTED. To inject a TOC macro from markdown, use YAML frontmatter at the top of the body: `---\\ntoc:\\n  maxLevel: 3\\n  minLevel: 1\\n---`. For other macros from markdown, use directive syntax: `:info[content]`, `:mention[Name]{accountId=...}`, `:date[2026-04-23]`. You must provide the version number from your most recent get_page call. If the page was modified by someone else since then, this will return a conflict error \u2014 re-read the page and retry.\n\nFor narrow changes to a single section, prefer update_page_section \u2014 it leaves the rest of the page untouched and is safer for targeted edits.\n\nMarkdown update flags:\n- confirm_deletions: set to true to acknowledge removing preserved macros/elements (default false \u2014 any deletion errors until confirmed).\n- replace_body: set to true for a wholesale rewrite that skips preservation (default false).\n- confirm_shrinkage: set to true to acknowledge a >50% body size reduction (default false).\n- confirm_structure_loss: set to true to acknowledge a >50% heading count drop (default false).\n- allow_raw_html: allow raw HTML inside markdown bodies (default false).\n- confluence_base_url: override the URL used by the link rewriter.\n\nreplace_body skips all safety nets (token preservation, deletion confirmation). When delegating update_page to a subagent, ensure the agent includes the full existing body \u2014 replace_body replaces ALL content with only what you provide.\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -61266,11 +61813,12 @@ ${truncated}${truncationNote(origLen)}`
         ),
         allow_raw_html: external_exports.boolean().default(false).describe("Allow raw HTML passthrough inside markdown bodies (disabled by default)."),
         confluence_base_url: external_exports.string().url().optional().describe("Override the Confluence base URL used by the link rewriter. Defaults to the configured Confluence URL."),
-        source: sourceSchema
+        source: sourceSchema,
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact diff and page version.")
       },
       annotations: { destructiveHint: false, idempotentHint: false }
     },
-    async ({ page_id, title, version: version2, body, version_message, confirm_deletions, replace_body, confirm_shrinkage, confirm_structure_loss, allow_raw_html, confluence_base_url, source }) => {
+    async ({ page_id, title, version: version2, body, version_message, confirm_deletions, replace_body, confirm_shrinkage, confirm_structure_loss, allow_raw_html, confluence_base_url, source, confirm_token }) => {
       const blocked = writeGuard("update_page", config3);
       if (blocked) return blocked;
       try {
@@ -61283,21 +61831,43 @@ ${truncated}${truncationNote(origLen)}`
         });
         const effectiveSource = validateSource(source, flagsSet);
         const cfg = await getConfig();
+        const cloudId = cfg.sealedCloudId;
         const currentPage = await getPage(page_id, true);
         const currentStorage = currentPage.body?.storage?.value ?? currentPage.body?.value ?? "";
+        const pageVersion = currentPage.version?.number ?? 0;
         if (flagsSet.length > 0) {
           const deletionSummary = confirm_deletions && body ? tryForecastDeletions(currentStorage, body, confluence_base_url ?? cfg.url) : null;
-          await gateOperation(server, {
+          const diffHash = cloudId && pageVersion > 0 ? computeDiffHash(body ?? currentStorage, pageVersion) : void 0;
+          const tokenResult = await maybeConsumeConfirmToken({
+            confirm_token,
             tool: "update_page",
-            summary: `Update page ${page_id} with destructive flags?`,
-            details: {
-              page_id,
-              flags: flagsSet.join(","),
-              source: effectiveSource,
-              version: version2,
-              ...deletionSummary ? { deletionSummary } : {}
-            }
+            cloudId,
+            pageId: page_id,
+            pageVersion,
+            diffHash
           });
+          if (tokenResult === "invalid") {
+            throw new ConverterError(
+              "The confirmation token is no longer valid. Mint a new one by re-calling this tool without confirm_token, ask the user again, then retry with the new token.",
+              "CONFIRMATION_TOKEN_INVALID"
+            );
+          } else if (tokenResult === "no_token") {
+            await gateOperation(server, {
+              tool: "update_page",
+              summary: `Update page ${page_id} with destructive flags?`,
+              details: {
+                page_id,
+                flags: flagsSet.join(","),
+                source: effectiveSource,
+                version: version2,
+                ...deletionSummary ? { deletionSummary } : {}
+              },
+              cloudId,
+              pageId: page_id,
+              pageVersion,
+              diffHash
+            });
+          }
         }
         const resolvedVersion = version2 === "current" ? currentPage.version?.number ?? 0 : version2;
         if (resolvedVersion <= 0) {
@@ -61331,7 +61901,9 @@ ${truncated}${truncationNote(origLen)}`
           confirmStructureLoss: confirm_structure_loss,
           confirmDeletions: confirm_deletions,
           // E2: thread the validated source into the mutation log.
-          source: effectiveSource
+          source: effectiveSource,
+          // 2.E: defense-in-depth invalidation.
+          cloudId
         });
         const isTitleOnly = prepared.finalStorage === void 0;
         const warnings = [];
@@ -61349,6 +61921,9 @@ ${truncated}${truncationNote(origLen)}`
           appendWarnings(`Updated: ${submitted.page.title} (ID: ${submitted.page.id}, version: ${submitted.newVersion}, body: ${submitted.oldLen}\u2192${submitted.newLen} chars${removalNote})`, warnings) + echo
         );
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         return toolErrorWithContext(err, { operation: "update_page", resource: `page ${page_id}`, profile: config3.profile });
       }
     }
@@ -61358,7 +61933,7 @@ ${truncated}${truncationNote(origLen)}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Delete a Confluence page by ID. Requires the current `version` from your most recent get_page call \u2014 delete is refused if the page has been modified since. Set EPIMETHIAN_LEGACY_DELETE_WITHOUT_VERSION=true to restore the previous version-less behaviour for one release while scripts are migrated."
+          "Delete a Confluence page by ID. Requires the current `version` from your most recent get_page call \u2014 delete is refused if the page has been modified since. Set EPIMETHIAN_LEGACY_DELETE_WITHOUT_VERSION=true to restore the previous version-less behaviour for one release while scripts are migrated.\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -61367,11 +61942,12 @@ ${truncated}${truncationNote(origLen)}`
         version: external_exports.number().int().positive().optional().describe(
           "The page version number from your most recent get_page call. Required unless EPIMETHIAN_LEGACY_DELETE_WITHOUT_VERSION=true is set; omitting it under the legacy flag emits a stderr warning."
         ),
-        source: sourceSchema
+        source: sourceSchema,
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact page version.")
       },
       annotations: { destructiveHint: true, idempotentHint: true }
     },
-    async ({ page_id, version: version2, source }) => {
+    async ({ page_id, version: version2, source, confirm_token }) => {
       const blocked = writeGuard("delete_page", config3);
       if (blocked) return blocked;
       try {
@@ -61390,17 +61966,43 @@ ${truncated}${truncationNote(origLen)}`
             `epimethian-mcp: WARNING: delete_page on page ${page_id} without a version (legacy opt-out active). This opt-out will be removed in a future release.`
           );
         }
-        await gateOperation(server, {
+        const cfg = await getConfig();
+        const cloudId = cfg.sealedCloudId;
+        const pageVersion = version2 ?? 0;
+        const diffHash = cloudId && pageVersion > 0 ? computeDiffHash("", pageVersion) : void 0;
+        const tokenResult = await maybeConsumeConfirmToken({
+          confirm_token,
           tool: "delete_page",
-          summary: `Delete page ${page_id}?`,
-          details: {
-            page_id,
-            version: version2 ?? "(legacy: unversioned)",
-            source: effectiveSource
-          }
+          cloudId,
+          pageId: page_id,
+          pageVersion,
+          diffHash
         });
+        if (tokenResult === "invalid") {
+          throw new ConverterError(
+            "The confirmation token is no longer valid. Mint a new one by re-calling this tool without confirm_token, ask the user again, then retry with the new token.",
+            "CONFIRMATION_TOKEN_INVALID"
+          );
+        } else if (tokenResult === "no_token") {
+          await gateOperation(server, {
+            tool: "delete_page",
+            summary: `Delete page ${page_id}?`,
+            details: {
+              page_id,
+              version: version2 ?? "(legacy: unversioned)",
+              source: effectiveSource
+            },
+            cloudId,
+            pageId: page_id,
+            pageVersion,
+            diffHash
+          });
+        }
         writeBudget.consume();
         await deletePage(page_id, version2);
+        if (cloudId !== void 0) {
+          invalidateForPage(cloudId, page_id);
+        }
         logMutation({
           timestamp: (/* @__PURE__ */ new Date()).toISOString(),
           operation: "delete_page",
@@ -61410,6 +62012,9 @@ ${truncated}${truncationNote(origLen)}`
         });
         return toolResult(`Deleted page ${page_id}` + echo);
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         logMutation(errorRecord("delete_page", page_id, err));
         return toolErrorWithContext(err, { operation: "delete_page", resource: `page ${page_id}`, profile: config3.profile });
       }
@@ -61420,7 +62025,7 @@ ${truncated}${truncationNote(origLen)}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Update a single section of a Confluence page by heading name. Only the content under the specified heading is replaced; the rest of the page is untouched. Use headings_only to find section names first. Note: in Confluence spaces with heading auto-numbering enabled, stored heading text contains the prefix (e.g. `1.2. Section`); the matcher accepts either the prefixed or plain form."
+          "Update a single section of a Confluence page by heading name. Only the content under the specified heading is replaced; the rest of the page is untouched. Use headings_only to find section names first. Note: in Confluence spaces with heading auto-numbering enabled, stored heading text contains the prefix (e.g. `1.2. Section`); the matcher accepts either the prefixed or plain form.\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -61446,11 +62051,12 @@ ${truncated}${truncationNote(origLen)}`
           `The page version number from your most recent get_page call. Pass the literal string "current" to skip the read and apply this update on top of whatever the latest version is right now. WARNING: "current" deliberately bypasses optimistic concurrency \u2014 it is NOT a conflict-resolution strategy. If a coworker (or another agent) writes between our read and submit, the API will still 409. Use a numeric version when you want the "don't overwrite my coworker's changes" guard.`
         ),
         version_message: external_exports.string().optional().describe("Optional version comment"),
-        confirm_deletions: external_exports.boolean().default(false).describe("Set to true to acknowledge that your markdown removes preserved macros, emoticons, or rich elements from this section. Required when any preserved element would be deleted.")
+        confirm_deletions: external_exports.boolean().default(false).describe("Set to true to acknowledge that your markdown removes preserved macros, emoticons, or rich elements from this section. Required when any preserved element would be deleted."),
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact diff and page version.")
       },
       annotations: { destructiveHint: false, idempotentHint: false }
     },
-    async ({ page_id, section, body, find_replace, version: version2, version_message, confirm_deletions }) => {
+    async ({ page_id, section, body, find_replace, version: version2, version_message, confirm_deletions, confirm_token }) => {
       const blocked = writeGuard("update_page_section", config3);
       if (blocked) return blocked;
       try {
@@ -61472,8 +62078,10 @@ ${truncated}${truncationNote(origLen)}`
         }
         await checkSpaceAllowed({ pageId: page_id });
         const cfg = await getConfig();
+        const cloudId = cfg.sealedCloudId;
         const page = await getPage(page_id, true);
         const fullBody = page.body?.storage?.value ?? page.body?.value ?? "";
+        const pageVersion = page.version?.number ?? 0;
         const resolvedVersion = version2 === "current" ? page.version?.number ?? 0 : version2;
         if (resolvedVersion <= 0) {
           throw new Error(
@@ -61510,7 +62118,8 @@ ${truncated}${truncationNote(origLen)}`
             versionMessage: version_message ?? "",
             deletedTokens: [],
             operation: "update_page_section",
-            clientLabel: getClientLabel(server)
+            clientLabel: getClientLabel(server),
+            cloudId
           });
           const warnings2 = [];
           const labelResult2 = await ensureAttributionLabel(submitted2.page.id);
@@ -61527,16 +62136,36 @@ ${truncated}${truncationNote(origLen)}`
         }
         if (confirm_deletions) {
           const deletionSummary = tryForecastDeletions(currentSectionBody, body, cfg.url);
-          await gateOperation(server, {
+          const diffHash = cloudId && pageVersion > 0 ? computeDiffHash(body ?? currentSectionBody, pageVersion) : void 0;
+          const tokenResult = await maybeConsumeConfirmToken({
+            confirm_token,
             tool: "update_page_section",
-            summary: `Update section "${section}" in page ${page_id} with confirm_deletions?`,
-            details: {
-              page_id,
-              section,
-              source: "confirm_deletions",
-              ...deletionSummary ? { deletionSummary } : {}
-            }
+            cloudId,
+            pageId: page_id,
+            pageVersion,
+            diffHash
           });
+          if (tokenResult === "invalid") {
+            throw new ConverterError(
+              "The confirmation token is no longer valid. Mint a new one by re-calling this tool without confirm_token, ask the user again, then retry with the new token.",
+              "CONFIRMATION_TOKEN_INVALID"
+            );
+          } else if (tokenResult === "no_token") {
+            await gateOperation(server, {
+              tool: "update_page_section",
+              summary: `Update section "${section}" in page ${page_id} with confirm_deletions?`,
+              details: {
+                page_id,
+                section,
+                source: "confirm_deletions",
+                ...deletionSummary ? { deletionSummary } : {}
+              },
+              cloudId,
+              pageId: page_id,
+              pageVersion,
+              diffHash
+            });
+          }
         }
         const prepared = await safePrepareBody({
           body,
@@ -61563,7 +62192,8 @@ ${truncated}${truncationNote(origLen)}`
           versionMessage: mergedVersionMessage,
           deletedTokens: prepared.deletedTokens,
           operation: "update_page_section",
-          clientLabel: getClientLabel(server)
+          clientLabel: getClientLabel(server),
+          cloudId
         });
         const warnings = [];
         const labelResult = await ensureAttributionLabel(submitted.page.id);
@@ -61575,6 +62205,9 @@ ${truncated}${truncationNote(origLen)}`
           appendWarnings(`Updated section "${section}" in: ${submitted.page.title} (ID: ${submitted.page.id}, version: ${submitted.newVersion}${removalNote})`, warnings) + echo
         );
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         return toolErrorWithContext(err, { operation: "update_page_section", resource: `page ${page_id}`, profile: config3.profile });
       }
     }
@@ -61584,7 +62217,7 @@ ${truncated}${truncationNote(origLen)}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Update multiple sections of a Confluence page atomically in a single version bump. Either every section applies or none do \u2014 if any section's heading is missing, ambiguous, or its body fails to convert, the whole call is rejected and the page is left unchanged. Use this when you need to update 4+ sections in one go without 4 separate version bumps.\n\nSections are matched against the ORIGINAL page contents (not the cumulative-edited state) and applied in input order; sections cannot reference content introduced by an earlier section in the same call.\n\nUse headings_only to find section names first. Note: in spaces with heading auto-numbering enabled, stored heading text contains the prefix (e.g. `1.2. Section`); the matcher accepts either the prefixed or plain form. Section names must be unique within the input list."
+          "Update multiple sections of a Confluence page atomically in a single version bump. Either every section applies or none do \u2014 if any section's heading is missing, ambiguous, or its body fails to convert, the whole call is rejected and the page is left unchanged. Use this when you need to update 4+ sections in one go without 4 separate version bumps.\n\nSections are matched against the ORIGINAL page contents (not the cumulative-edited state) and applied in input order; sections cannot reference content introduced by an earlier section in the same call.\n\nUse headings_only to find section names first. Note: in spaces with heading auto-numbering enabled, stored heading text contains the prefix (e.g. `1.2. Section`); the matcher accepts either the prefixed or plain form. Section names must be unique within the input list.\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -61597,6 +62230,7 @@ ${truncated}${truncationNote(origLen)}`
         confirm_deletions: external_exports.boolean().default(false).describe(
           "Set to true to acknowledge that the aggregated set of sections removes preserved macros, emoticons, or rich elements. Required when ANY section would delete a preserved element. The deletion-summary gate fires once on the AGGREGATE \u2014 a caller cannot bypass the gate by spreading deletions across sections."
         ),
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact diff and page version."),
         sections: external_exports.array(
           external_exports.object({
             section: external_exports.string().describe("Heading text identifying the section to replace"),
@@ -61610,14 +62244,16 @@ ${truncated}${truncationNote(origLen)}`
       },
       annotations: { destructiveHint: false, idempotentHint: false }
     },
-    async ({ page_id, version: version2, version_message, confirm_deletions, sections }) => {
+    async ({ page_id, version: version2, version_message, confirm_deletions, sections, confirm_token }) => {
       const blocked = writeGuard("update_page_sections", config3);
       if (blocked) return blocked;
       try {
         await checkSpaceAllowed({ pageId: page_id });
         const cfg = await getConfig();
+        const cloudId = cfg.sealedCloudId;
         const page = await getPage(page_id, true);
         const fullBody = page.body?.storage?.value ?? page.body?.value ?? "";
+        const pageVersion = page.version?.number ?? 0;
         const resolvedVersion = version2 === "current" ? page.version?.number ?? 0 : version2;
         if (resolvedVersion <= 0) {
           throw new Error(
@@ -61657,16 +62293,37 @@ ${truncated}${truncationNote(origLen)}`
               any = true;
             }
           }
-          await gateOperation(server, {
+          const aggregateBody = sections.map((s) => s.body).join("\n");
+          const diffHash = cloudId && pageVersion > 0 ? computeDiffHash(aggregateBody, pageVersion) : void 0;
+          const tokenResult = await maybeConsumeConfirmToken({
+            confirm_token,
             tool: "update_page_sections",
-            summary: `Update ${sections.length} section${sections.length === 1 ? "" : "s"} in page ${page_id} with confirm_deletions?`,
-            details: {
-              page_id,
-              section_count: sections.length,
-              source: "confirm_deletions",
-              ...any ? { deletionSummary: summed } : {}
-            }
+            cloudId,
+            pageId: page_id,
+            pageVersion,
+            diffHash
           });
+          if (tokenResult === "invalid") {
+            throw new ConverterError(
+              "The confirmation token is no longer valid. Mint a new one by re-calling this tool without confirm_token, ask the user again, then retry with the new token.",
+              "CONFIRMATION_TOKEN_INVALID"
+            );
+          } else if (tokenResult === "no_token") {
+            await gateOperation(server, {
+              tool: "update_page_sections",
+              summary: `Update ${sections.length} section${sections.length === 1 ? "" : "s"} in page ${page_id} with confirm_deletions?`,
+              details: {
+                page_id,
+                section_count: sections.length,
+                source: "confirm_deletions",
+                ...any ? { deletionSummary: summed } : {}
+              },
+              cloudId,
+              pageId: page_id,
+              pageVersion,
+              diffHash
+            });
+          }
         }
         const prepared = await safePrepareMultiSectionBody({
           currentStorage: fullBody,
@@ -61686,7 +62343,8 @@ ${truncated}${truncationNote(origLen)}`
           regeneratedTokens: prepared.aggregatedRegeneratedTokens,
           operation: "update_page_section",
           clientLabel: getClientLabel(server),
-          confirmDeletions: confirm_deletions
+          confirmDeletions: confirm_deletions,
+          cloudId
         });
         const warnings = [];
         const labelResult = await ensureAttributionLabel(submitted.page.id);
@@ -61702,6 +62360,9 @@ ${truncated}${truncationNote(origLen)}`
           ) + echo
         );
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         if (err instanceof MultiSectionError) {
           return toolError(err);
         }
@@ -61714,7 +62375,7 @@ ${truncated}${truncationNote(origLen)}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Insert content at the beginning of an existing Confluence page. The caller provides only the new content \u2014 the server fetches the existing body and handles concatenation. Safer than update_page with replace_body for additive operations.\n\nContent can be GFM markdown or Confluence storage format (auto-detected)."
+          "Insert content at the beginning of an existing Confluence page. The caller provides only the new content \u2014 the server fetches the existing body and handles concatenation. Safer than update_page with replace_body for additive operations.\n\nContent can be GFM markdown or Confluence storage format (auto-detected).\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -61727,7 +62388,8 @@ ${truncated}${truncationNote(origLen)}`
         separator: external_exports.string().optional().describe("Separator between new and existing content. Max 100 chars, no XML tags. Defaults to blank line (markdown) or empty (storage)."),
         version_message: external_exports.string().optional().describe("Optional version comment"),
         allow_raw_html: external_exports.boolean().default(false).describe("Allow raw HTML inside markdown content (default false)."),
-        confluence_base_url: external_exports.string().url().optional().describe("Override the Confluence base URL used by the link rewriter.")
+        confluence_base_url: external_exports.string().url().optional().describe("Override the Confluence base URL used by the link rewriter."),
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact diff and page version.")
       },
       annotations: { destructiveHint: false, idempotentHint: false }
     },
@@ -61742,7 +62404,7 @@ ${truncated}${truncationNote(origLen)}`
           version2,
           content,
           "prepend",
-          { separator, versionMessage: version_message ?? "Prepend content", allowRawHtml: allow_raw_html, confluenceBaseUrl: confluence_base_url ?? cfg.url }
+          { separator, versionMessage: version_message ?? "Prepend content", allowRawHtml: allow_raw_html, confluenceBaseUrl: confluence_base_url ?? cfg.url, cloudId: cfg.sealedCloudId }
         );
         const warnings = [];
         const labelResult = await ensureAttributionLabel(page.id);
@@ -61751,6 +62413,9 @@ ${truncated}${truncationNote(origLen)}`
         if (badgeResult.warning) warnings.push(badgeResult.warning);
         return toolResult(appendWarnings(`Prepended to: ${page.title} (ID: ${page.id}, version: ${newVersion}, body: ${oldLen}\u2192${newLen} chars)`, warnings) + echo);
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         return toolErrorWithContext(err, { operation: "prepend_to_page", resource: `page ${page_id}`, profile: config3.profile });
       }
     }
@@ -61760,7 +62425,7 @@ ${truncated}${truncationNote(origLen)}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Insert content at the end of an existing Confluence page. The caller provides only the new content \u2014 the server fetches the existing body and handles concatenation. Safer than update_page with replace_body for additive operations.\n\nContent can be GFM markdown or Confluence storage format (auto-detected)."
+          "Insert content at the end of an existing Confluence page. The caller provides only the new content \u2014 the server fetches the existing body and handles concatenation. Safer than update_page with replace_body for additive operations.\n\nContent can be GFM markdown or Confluence storage format (auto-detected).\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -61773,7 +62438,8 @@ ${truncated}${truncationNote(origLen)}`
         separator: external_exports.string().optional().describe("Separator between existing and new content. Max 100 chars, no XML tags. Defaults to blank line (markdown) or empty (storage)."),
         version_message: external_exports.string().optional().describe("Optional version comment"),
         allow_raw_html: external_exports.boolean().default(false).describe("Allow raw HTML inside markdown content (default false)."),
-        confluence_base_url: external_exports.string().url().optional().describe("Override the Confluence base URL used by the link rewriter.")
+        confluence_base_url: external_exports.string().url().optional().describe("Override the Confluence base URL used by the link rewriter."),
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact diff and page version.")
       },
       annotations: { destructiveHint: false, idempotentHint: false }
     },
@@ -61788,7 +62454,7 @@ ${truncated}${truncationNote(origLen)}`
           version2,
           content,
           "append",
-          { separator, versionMessage: version_message ?? "Append content", allowRawHtml: allow_raw_html, confluenceBaseUrl: confluence_base_url ?? cfg.url }
+          { separator, versionMessage: version_message ?? "Append content", allowRawHtml: allow_raw_html, confluenceBaseUrl: confluence_base_url ?? cfg.url, cloudId: cfg.sealedCloudId }
         );
         const warnings = [];
         const labelResult = await ensureAttributionLabel(page.id);
@@ -61797,6 +62463,9 @@ ${truncated}${truncationNote(origLen)}`
         if (badgeResult.warning) warnings.push(badgeResult.warning);
         return toolResult(appendWarnings(`Appended to: ${page.title} (ID: ${page.id}, version: ${newVersion}, body: ${oldLen}\u2192${newLen} chars)`, warnings) + echo);
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         return toolErrorWithContext(err, { operation: "append_to_page", resource: `page ${page_id}`, profile: config3.profile });
       }
     }
@@ -62728,7 +63397,7 @@ ${sectionFenced}`
     {
       description: describeWithLock(
         withDestructiveWarning(
-          "Revert a Confluence page to a previous version. Fetches the exact storage-format body from the historical version and pushes it as a new version. This is a lossless revert \u2014 unlike reading get_page_version (which returns sanitized markdown) and passing it to update_page, this preserves all macros, formatting, and rich elements exactly.\n\nThe shrinkage guard applies: if the reverted content is significantly smaller than the current content, you will be asked to confirm."
+          "Revert a Confluence page to a previous version. Fetches the exact storage-format body from the historical version and pushes it as a new version. This is a lossless revert \u2014 unlike reading get_page_version (which returns sanitized markdown) and passing it to update_page, this preserves all macros, formatting, and rich elements exactly.\n\nThe shrinkage guard applies: if the reverted content is significantly smaller than the current content, you will be asked to confirm.\n\nIf your MCP client does not support in-protocol confirmation, this tool returns `SOFT_CONFIRMATION_REQUIRED` on the first call when destructive flags are set. STOP and ask the user before retrying. If the user approves, re-call this tool with the same parameters plus `confirm_token` from the first response. The token expires after 5 minutes and is invalidated by competing writes. See the 'Soft confirmation' section of `install-agent.md` for the full protocol."
         ),
         config3
       ),
@@ -62749,7 +63418,8 @@ ${sectionFenced}`
         version_message: external_exports.string().optional().describe(
           "Optional version comment. Defaults to 'Revert to version N'."
         ),
-        source: sourceSchema
+        source: sourceSchema,
+        confirm_token: external_exports.string().optional().describe("Soft-confirmation token from a prior SOFT_CONFIRMATION_REQUIRED response. Single-use; bound to this exact page version.")
       },
       annotations: { destructiveHint: false, idempotentHint: false }
     },
@@ -62760,7 +63430,8 @@ ${sectionFenced}`
       confirm_shrinkage,
       confirm_structure_loss,
       version_message,
-      source
+      source,
+      confirm_token
     }) => {
       const blocked = writeGuard("revert_page", config3);
       if (blocked) return blocked;
@@ -62772,18 +63443,41 @@ ${sectionFenced}`
           targetVersion: target_version
         });
         const effectiveSource = validateSource(source, flagsSet);
-        await gateOperation(server, {
+        const cfg = await getConfig();
+        const cloudId = cfg.sealedCloudId;
+        const pageVersion = current_version;
+        const diffHash = cloudId && pageVersion > 0 ? computeDiffHash("", pageVersion) : void 0;
+        const tokenResult = await maybeConsumeConfirmToken({
+          confirm_token,
           tool: "revert_page",
-          summary: `Revert page ${page_id} to version ${target_version}?`,
-          details: {
-            page_id,
-            target_version,
-            current_version,
-            confirm_shrinkage,
-            confirm_structure_loss,
-            source: effectiveSource
-          }
+          cloudId,
+          pageId: page_id,
+          pageVersion,
+          diffHash
         });
+        if (tokenResult === "invalid") {
+          throw new ConverterError(
+            "The confirmation token is no longer valid. Mint a new one by re-calling this tool without confirm_token, ask the user again, then retry with the new token.",
+            "CONFIRMATION_TOKEN_INVALID"
+          );
+        } else if (tokenResult === "no_token") {
+          await gateOperation(server, {
+            tool: "revert_page",
+            summary: `Revert page ${page_id} to version ${target_version}?`,
+            details: {
+              page_id,
+              target_version,
+              current_version,
+              confirm_shrinkage,
+              confirm_structure_loss,
+              source: effectiveSource
+            },
+            cloudId,
+            pageId: page_id,
+            pageVersion,
+            diffHash
+          });
+        }
         const currentPage = await getPage(page_id, true);
         const currentStorage = currentPage.body?.storage?.value ?? currentPage.body?.value ?? "";
         const actualVersion = currentPage.version?.number;
@@ -62818,7 +63512,9 @@ ${sectionFenced}`
           confirmShrinkage: confirm_shrinkage,
           confirmStructureLoss: confirm_structure_loss,
           // E2: thread validated source for the mutation log.
-          source: effectiveSource
+          source: effectiveSource,
+          // 2.E: defense-in-depth token invalidation after successful write.
+          cloudId
         });
         const warnings = [];
         const labelResult = await ensureAttributionLabel(submitted.page.id);
@@ -62832,6 +63528,9 @@ ${sectionFenced}`
           ) + echo
         );
       } catch (err) {
+        if (err instanceof SoftConfirmationRequiredError) {
+          return formatSoftConfirmationResult(err, { pageId: page_id });
+        }
         return toolErrorWithContext(err, { operation: "revert_page", resource: `page ${page_id}`, profile: config3.profile });
       }
     }
@@ -62921,7 +63620,7 @@ ${titleFenced}${echo2}`
       inputSchema: {}
     },
     async () => {
-      let text2 = `epimethian-mcp v${"6.4.1"}`;
+      let text2 = `epimethian-mcp v${"6.6.0"}`;
       try {
         const pending = await getPendingUpdate();
         if (pending) {
@@ -62952,7 +63651,7 @@ ${label} update available: v${pending.current} \u2192 v${pending.latest}. Run \`
         const pending = await getPendingUpdate();
         if (!pending) {
           return toolResult(
-            `epimethian-mcp v${"6.4.1"} is already up to date.`
+            `epimethian-mcp v${"6.6.0"} is already up to date.`
           );
         }
         const output = await performUpgrade(pending.latest);
@@ -62974,7 +63673,7 @@ async function startRecoveryServer(profile) {
   const server = new McpServer(
     {
       name: `confluence-${profile}-setup-needed`,
-      version: "6.4.1"
+      version: "6.6.0"
     },
     {
       instructions: `The Confluence profile "${profile}" referenced by CONFLUENCE_PROFILE has no keychain entry, so no Confluence tools are available. Call the setup_profile tool for instructions to create it.`
@@ -63025,21 +63724,21 @@ async function main() {
   const serverName = config3.profile ? `confluence-${config3.profile}` : "confluence";
   const server = new McpServer({
     name: serverName,
-    version: "6.4.1"
+    version: "6.6.0"
   });
   await registerTools(server, config3);
   const transport = new StdioServerTransport();
   await server.connect(transport);
   try {
     const pending = await getPendingUpdate();
-    if (pending && pending.current === "6.4.1") {
+    if (pending && pending.current === "6.6.0") {
       console.error(
         `epimethian-mcp: update available: v${pending.current} \u2192 v${pending.latest} (${pending.type}). Run \`epimethian-mcp upgrade\` to install.`
       );
     }
   } catch {
   }
-  checkForUpdates("6.4.1").catch(() => {
+  checkForUpdates("6.6.0").catch(() => {
   });
 }
 
@@ -63049,8 +63748,10 @@ async function run() {
   if (command === "setup") {
     const idx = process.argv.indexOf("--profile");
     const profile = idx > -1 ? process.argv[idx + 1] : void 0;
+    const clientIdx = process.argv.indexOf("--client");
+    const clientId = clientIdx > -1 ? process.argv[clientIdx + 1] : void 0;
     const { runSetup: runSetup2 } = await Promise.resolve().then(() => (init_setup(), setup_exports));
-    await runSetup2(profile);
+    await runSetup2(profile, clientId);
   } else if (command === "profiles") {
     const { runProfiles: runProfiles2 } = await Promise.resolve().then(() => (init_profiles2(), profiles_exports));
     await runProfiles2();