@decantr/mcp-server 1.0.4 → 1.0.5

package/dist/bin.js

@@ -1,2 +1,2 @@
 #!/usr/bin/env node
-import "./chunk-UNVKE2YC.js";
+import "./chunk-A4ZCCVQR.js";

package/dist/{chunk-UNVKE2YC.js → chunk-A4ZCCVQR.js}

@@ -1,23 +1,21 @@
 // src/index.ts
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import {
-  ListToolsRequestSchema,
-  CallToolRequestSchema
-} from "@modelcontextprotocol/sdk/types.js";
+import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
 
 // src/tools.ts
 import { existsSync, readdirSync, readFileSync } from "fs";
 import { readFile as readFile2 } from "fs/promises";
-import { basename, join as join2, dirname as dirname2, isAbsolute, resolve } from "path";
-import { validateEssence, evaluateGuard, isV3 as isV32 } from "@decantr/essence-spec";
+import { basename as basename2, dirname as dirname2, join as join2, relative as relative2 } from "path";
+import { evaluateGuard, isV3 as isV32, validateEssence } from "@decantr/essence-spec";
 import { isContentIntelligenceSource, resolvePatternPreset } from "@decantr/registry";
 
 // src/helpers.ts
-import { readFile, writeFile, mkdir } from "fs/promises";
-import { join, dirname } from "path";
-import { RegistryAPIClient } from "@decantr/registry";
+import { realpathSync } from "fs";
+import { mkdir, readFile, writeFile } from "fs/promises";
+import { basename, dirname, isAbsolute, join, relative, resolve } from "path";
 import { isV3, migrateV2ToV3 } from "@decantr/essence-spec";
+import { RegistryAPIClient } from "@decantr/registry";
 var MAX_INPUT_LENGTH = 1e3;
 function validateStringArg(args, field) {
   const val = args[field];
@@ -60,8 +58,32 @@ function getPublicAPIClient() {
   }
   return _publicApiClient;
 }
+function resolveWorkspacePath(inputPath, workspaceRoot = process.cwd()) {
+  const rawRoot = resolve(workspaceRoot);
+  const resolvedPath = isAbsolute(inputPath) ? resolve(inputPath) : resolve(rawRoot, inputPath);
+  const root = canonicalizeForContainment(rawRoot);
+  const candidate = canonicalizeForContainment(resolvedPath);
+  const relativePath = relative(root, candidate);
+  if (relativePath.startsWith("..") || isAbsolute(relativePath)) {
+    throw new Error(`Path escapes the active workspace root: ${inputPath}`);
+  }
+  return candidate;
+}
+function canonicalizeForContainment(path) {
+  const resolvedPath = resolve(path);
+  try {
+    return realpathSync.native(resolvedPath);
+  } catch {
+    const parent = dirname(resolvedPath);
+    try {
+      return join(realpathSync.native(parent), basename(resolvedPath));
+    } catch {
+      return resolvedPath;
+    }
+  }
+}
 async function readEssenceFile(essencePath) {
-  const resolvedPath = essencePath || join(process.cwd(), "decantr.essence.json");
+  const resolvedPath = essencePath ? resolveWorkspacePath(essencePath) : join(process.cwd(), "decantr.essence.json");
   const raw = await readFile(resolvedPath, "utf-8");
   const essence = JSON.parse(raw);
   return { essence, raw, path: resolvedPath };
@@ -79,7 +101,7 @@ async function mutateEssenceFile(essencePath, mutate) {
   return { essence: updated, path };
 }
 async function readDriftLog(projectRoot) {
-  const root = projectRoot || process.cwd();
+  const root = projectRoot ? resolveWorkspacePath(projectRoot) : process.cwd();
   const logPath = join(root, ".decantr", "drift-log.json");
   try {
     const raw = await readFile(logPath, "utf-8");
@@ -89,7 +111,7 @@ async function readDriftLog(projectRoot) {
   }
 }
 async function writeDriftLog(entries, projectRoot) {
-  const root = projectRoot || process.cwd();
+  const root = projectRoot ? resolveWorkspacePath(projectRoot) : process.cwd();
   const logPath = join(root, ".decantr", "drift-log.json");
   await mkdir(dirname(logPath), { recursive: true });
   await writeFile(logPath, JSON.stringify(entries, null, 2) + "\n", "utf-8");
@@ -155,17 +177,18 @@ async function getHostedExecutionPackManifestPayload(args) {
   );
 }
 async function getHostedFileCritiquePayload(args) {
-  const client = getPublicAPIClient();
+  const client = getAPIClient();
   const filePath = args.file_path;
-  const resolvedFilePath = isAbsolute(filePath) ? filePath : resolve(process.cwd(), filePath);
+  const resolvedFilePath = resolveWorkspacePath(filePath);
+  const snapshotFilePath = relative2(process.cwd(), resolvedFilePath).replace(/\\/g, "/") || basename2(resolvedFilePath);
   const code = await readFile2(resolvedFilePath, "utf-8");
   const { essence } = await readEssenceFile(args.path);
-  const treatmentsPath = typeof args.treatments_path === "string" ? isAbsolute(args.treatments_path) ? args.treatments_path : resolve(process.cwd(), args.treatments_path) : join2(process.cwd(), "src", "styles", "treatments.css");
+  const treatmentsPath = typeof args.treatments_path === "string" ? resolveWorkspacePath(args.treatments_path) : join2(process.cwd(), "src", "styles", "treatments.css");
   const treatmentsCss = existsSync(treatmentsPath) ? readFileSync(treatmentsPath, "utf-8") : void 0;
   return client.critiqueFile(
     {
       essence,
-      filePath,
+      filePath: snapshotFilePath,
       code,
       treatmentsCss
     },
@@ -183,7 +206,7 @@ function extractHostedAssetPaths(indexHtml) {
   return [...assetPaths];
 }
 async function captureHostedDistSnapshot(projectRoot, distPathArg) {
-  const distRoot = distPathArg ? isAbsolute(distPathArg) ? distPathArg : resolve(projectRoot, distPathArg) : join2(projectRoot, "dist");
+  const distRoot = distPathArg ? resolveWorkspacePath(distPathArg, projectRoot) : join2(projectRoot, "dist");
   const indexPath = join2(distRoot, "index.html");
   if (!existsSync(indexPath)) {
     return void 0;
@@ -191,9 +214,10 @@ async function captureHostedDistSnapshot(projectRoot, distPathArg) {
   const indexHtml = readFileSync(indexPath, "utf-8");
   const assets = {};
   for (const assetPath of extractHostedAssetPaths(indexHtml)) {
-    const assetFilePath = join2(distRoot, assetPath.replace(/^[/\\]+/, ""));
+    const snapshotAssetPath = assetPath.replace(/^[/\\]+/, "");
+    const assetFilePath = resolveWorkspacePath(snapshotAssetPath, distRoot);
     if (existsSync(assetFilePath)) {
-      assets[assetPath] = readFileSync(assetFilePath, "utf-8");
+      assets[snapshotAssetPath] = readFileSync(assetFilePath, "utf-8");
     }
   }
   return {
@@ -209,13 +233,20 @@ async function captureHostedSourceSnapshot(projectRoot, sourcesPathArg) {
   if (!sourcesPathArg) {
     return void 0;
   }
-  const sourcesRoot = isAbsolute(sourcesPathArg) ? sourcesPathArg : resolve(projectRoot, sourcesPathArg);
+  const sourcesRoot = resolveWorkspacePath(sourcesPathArg, projectRoot);
   if (!existsSync(sourcesRoot)) {
     return void 0;
   }
   const files = {};
-  const ignoredDirNames = /* @__PURE__ */ new Set(["node_modules", ".git", ".decantr", "dist", "build", "coverage"]);
-  const rootPrefix = basename(sourcesRoot);
+  const ignoredDirNames = /* @__PURE__ */ new Set([
+    "node_modules",
+    ".git",
+    ".decantr",
+    "dist",
+    "build",
+    "coverage"
+  ]);
+  const rootPrefix = basename2(sourcesRoot);
   const walk = (absoluteDir, relativeDir) => {
     for (const entry of readdirSync(absoluteDir, { withFileTypes: true })) {
       if (ignoredDirNames.has(entry.name)) continue;
@@ -234,10 +265,13 @@ async function captureHostedSourceSnapshot(projectRoot, sourcesPathArg) {
   return Object.keys(files).length > 0 ? { files } : void 0;
 }
 async function getHostedProjectAuditPayload(args) {
-  const client = getPublicAPIClient();
+  const client = getAPIClient();
   const { essence } = await readEssenceFile(args.path);
   const dist = await captureHostedDistSnapshot(process.cwd(), args.dist_path);
-  const sources = await captureHostedSourceSnapshot(process.cwd(), args.sources_path);
+  const sources = await captureHostedSourceSnapshot(
+    process.cwd(),
+    args.sources_path
+  );
   return client.auditProject(
     {
       essence,
@@ -315,6 +349,9 @@ async function loadHostedProjectAuditFallback(args) {
 function hasExecutionPackPayload(payload) {
   return payload.markdown !== null || payload.json !== null;
 }
+function allowsHostedUpload(args) {
+  return args.allow_hosted_upload === true;
+}
 function toHostedExecutionPackPayload(pack) {
   return {
     markdown: pack && typeof pack.renderedMarkdown === "string" ? pack.renderedMarkdown : null,
@@ -390,7 +427,12 @@ function deriveTransitions(zones) {
   const hasGateway = roles.has("gateway");
   const hasPublic = roles.has("public");
   if (hasPublic && hasGateway) {
-    transitions.push({ from: "public", to: "gateway", type: "conversion", trigger: gatewayTrigger });
+    transitions.push({
+      from: "public",
+      to: "gateway",
+      type: "conversion",
+      trigger: gatewayTrigger
+    });
   }
   if (hasPublic && hasApp && !hasGateway) {
     transitions.push({ from: "public", to: "app", type: "conversion", trigger: "navigation" });
@@ -431,8 +473,15 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        path: { type: "string", description: "Optional path to essence file. Defaults to ./decantr.essence.json." },
-        layer: { type: "string", enum: ["dna", "blueprint", "full"], description: "For v3 essences: return only the specified layer. Defaults to full." }
+        path: {
+          type: "string",
+          description: "Optional path to essence file. Defaults to ./decantr.essence.json."
+        },
+        layer: {
+          type: "string",
+          enum: ["dna", "blueprint", "full"],
+          description: "For v3 essences: return only the specified layer. Defaults to full."
+        }
       }
     },
     annotations: READ_ONLY
@@ -445,7 +494,10 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        path: { type: "string", description: "Path to essence file. Defaults to ./decantr.essence.json." }
+        path: {
+          type: "string",
+          description: "Path to essence file. Defaults to ./decantr.essence.json."
+        }
       }
     },
     annotations: READ_ONLY
@@ -462,7 +514,10 @@ var TOOLS = [
         type: { type: "string", description: "Filter by type: pattern, archetype, theme, shell" },
         sort: { type: "string", description: "Optional sort: recommended, recent, or name." },
         recommended: { type: "boolean", description: "When true, only return recommended items." },
-        source: { type: "string", description: "Optional intelligence source filter: authored, benchmark, or hybrid." }
+        source: {
+          type: "string",
+          description: "Optional intelligence source filter: authored, benchmark, or hybrid."
+        }
       },
       required: ["query"]
     },
@@ -507,7 +562,10 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        id: { type: "string", description: 'Blueprint ID (e.g. "saas-dashboard", "ecommerce", "portfolio")' },
+        id: {
+          type: "string",
+          description: 'Blueprint ID (e.g. "saas-dashboard", "ecommerce", "portfolio")'
+        },
         namespace: { type: "string", description: 'Namespace (default: "@official")' }
       },
       required: ["id"]
@@ -522,7 +580,10 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        description: { type: "string", description: 'Description of the page or section (e.g. "dashboard with metrics and charts", "settings form with toggles")' }
+        description: {
+          type: "string",
+          description: 'Description of the page or section (e.g. "dashboard with metrics and charts", "settings form with toggles")'
+        }
       },
       required: ["description"]
     },
@@ -536,8 +597,14 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        path: { type: "string", description: "Path to essence file. Defaults to ./decantr.essence.json." },
-        page_id: { type: "string", description: 'Page ID being modified (e.g. "overview", "settings")' },
+        path: {
+          type: "string",
+          description: "Path to essence file. Defaults to ./decantr.essence.json."
+        },
+        page_id: {
+          type: "string",
+          description: 'Page ID being modified (e.g. "overview", "settings")'
+        },
         components_used: {
           type: "array",
           items: { type: "string" },
@@ -556,8 +623,14 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        description: { type: "string", description: 'Natural language project description (e.g. "SaaS dashboard with analytics, user management, and billing")' },
-        framework: { type: "string", description: 'Target framework (e.g. "react", "vue", "svelte"). Defaults to "react".' }
+        description: {
+          type: "string",
+          description: 'Natural language project description (e.g. "SaaS dashboard with analytics, user management, and billing")'
+        },
+        framework: {
+          type: "string",
+          description: 'Target framework (e.g. "react", "vue", "svelte"). Defaults to "react".'
+        }
       },
       required: ["description"]
     },
@@ -590,8 +663,14 @@ var TOOLS = [
           description: "How to resolve: accept updates the essence, accept_scoped limits to a page, reject is a no-op, defer logs for later."
         },
         scope: { type: "string", description: "For accept_scoped: the page or section scope." },
-        path: { type: "string", description: "Path to essence file. Defaults to ./decantr.essence.json." },
-        confirm_dna: { type: "boolean", description: "Required to be true when accepting DNA-layer violations." }
+        path: {
+          type: "string",
+          description: "Path to essence file. Defaults to ./decantr.essence.json."
+        },
+        confirm_dna: {
+          type: "boolean",
+          description: "Required to be true when accepting DNA-layer violations."
+        }
       },
       required: ["violations", "resolution"]
     },
@@ -607,14 +686,25 @@ var TOOLS = [
       properties: {
         operation: {
           type: "string",
-          enum: ["add_page", "remove_page", "update_page_layout", "update_dna", "update_blueprint", "add_feature", "remove_feature"],
+          enum: [
+            "add_page",
+            "remove_page",
+            "update_page_layout",
+            "update_dna",
+            "update_blueprint",
+            "add_feature",
+            "remove_feature"
+          ],
           description: "The mutation operation to perform."
         },
         payload: {
           type: "object",
           description: "Operation-specific payload. See tool docs for each operation."
         },
-        path: { type: "string", description: "Path to essence file. Defaults to ./decantr.essence.json." }
+        path: {
+          type: "string",
+          description: "Path to essence file. Defaults to ./decantr.essence.json."
+        }
       },
       required: ["operation", "payload"]
     },
@@ -648,7 +738,10 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        section_id: { type: "string", description: 'Section ID (archetype ID, e.g., "ai-chatbot", "auth-full", "settings-full")' },
+        section_id: {
+          type: "string",
+          description: 'Section ID (archetype ID, e.g., "ai-chatbot", "auth-full", "settings-full")'
+        },
         path: {
           type: "string",
           description: "Optional path to an essence file when using hosted fallback compilation. Defaults to ./decantr.essence.json."
@@ -670,7 +763,10 @@ var TOOLS = [
     inputSchema: {
       type: "object",
       properties: {
-        page_id: { type: "string", description: 'Page ID (for example "overview", "settings", or "home").' },
+        page_id: {
+          type: "string",
+          description: 'Page ID (for example "overview", "settings", or "home").'
+        },
         path: {
           type: "string",
           description: "Optional path to an essence file when using hosted fallback compilation. Defaults to ./decantr.essence.json."
@@ -779,14 +875,30 @@ var TOOLS = [
   {
     name: "decantr_audit_project",
     title: "Audit Project",
-    description: "Audit the current project against the essence contract, guard rules, and compiled execution packs. Falls back to the hosted verifier when local compiled pack artifacts are missing. Returns a schema-backed project audit report.",
+    description: "Audit the current project against the essence contract, guard rules, and compiled execution packs. Can fall back to the hosted verifier when local compiled pack artifacts are missing only when allow_hosted_upload is true. Returns a schema-backed project audit report.",
     inputSchema: {
       type: "object",
       properties: {
-        path: { type: "string", description: "Optional path to the essence file for hosted fallback. Defaults to ./decantr.essence.json." },
-        namespace: { type: "string", description: 'Optional preferred public namespace for hosted fallback. Defaults to "@official".' },
-        dist_path: { type: "string", description: "Optional path to a local dist directory to snapshot for hosted runtime verification. Defaults to ./dist." },
-        sources_path: { type: "string", description: "Optional path to a local source directory to snapshot for hosted source-level verification. For example `src` or `app`." }
+        path: {
+          type: "string",
+          description: "Optional path to the essence file for hosted fallback. Defaults to ./decantr.essence.json."
+        },
+        namespace: {
+          type: "string",
+          description: 'Optional preferred public namespace for hosted fallback. Defaults to "@official".'
+        },
+        dist_path: {
+          type: "string",
+          description: "Optional path to a local dist directory to snapshot for hosted runtime verification. Defaults to ./dist."
+        },
+        sources_path: {
+          type: "string",
+          description: "Optional path to a local source directory to snapshot for hosted source-level verification. For example `src` or `app`."
+        },
+        allow_hosted_upload: {
+          type: "boolean",
+          description: "Explicitly opt in to uploading local dist/source snapshots to the hosted verifier when local packs are missing. Defaults to false."
+        }
       }
     },
     annotations: READ_ONLY_NETWORK
@@ -795,14 +907,30 @@ var TOOLS = [
   {
     name: "decantr_critique",
     title: "Design Critique",
-    description: "Critique a file against the compiled review contract and Decantr verification heuristics. Falls back to the hosted verifier when local review packs are missing. Returns a schema-backed file critique report with scores, findings, and focus areas.",
+    description: "Critique a file against the compiled review contract and Decantr verification heuristics. Can fall back to the hosted verifier when local review packs are missing only when allow_hosted_upload is true. Returns a schema-backed file critique report with scores, findings, and focus areas.",
     inputSchema: {
       type: "object",
       properties: {
-        file_path: { type: "string", description: "Path to the component file to critique" },
-        path: { type: "string", description: "Optional path to the essence file when using hosted fallback. Defaults to ./decantr.essence.json." },
-        namespace: { type: "string", description: 'Optional preferred public namespace for hosted fallback. Defaults to "@official".' },
-        treatments_path: { type: "string", description: "Optional path to treatments.css when using hosted fallback. Defaults to ./src/styles/treatments.css." }
+        file_path: {
+          type: "string",
+          description: "Path to the component file to critique"
+        },
+        path: {
+          type: "string",
+          description: "Optional path to the essence file when using hosted fallback. Defaults to ./decantr.essence.json."
+        },
+        namespace: {
+          type: "string",
+          description: 'Optional preferred public namespace for hosted fallback. Defaults to "@official".'
+        },
+        treatments_path: {
+          type: "string",
+          description: "Optional path to treatments.css when using hosted fallback. Defaults to ./src/styles/treatments.css."
+        },
+        allow_hosted_upload: {
+          type: "boolean",
+          description: "Explicitly opt in to uploading the target source file to the hosted verifier when local review packs are missing. Defaults to false."
+        }
       },
       required: ["file_path"]
     },
@@ -833,7 +961,11 @@ async function handleTool(name, args) {
       try {
         essence = JSON.parse(await readFile2(essencePath, "utf-8"));
       } catch (e) {
-        return { valid: false, errors: [`Could not read: ${e.message}`], guardViolations: [] };
+        return {
+          valid: false,
+          errors: [`Could not read: ${e.message}`],
+          guardViolations: []
+        };
       }
       const result = validateEssence(essence);
       let guardViolations = [];
@@ -986,15 +1118,18 @@ async function handleTool(name, args) {
             if (word.length < 3) continue;
             if (searchable.includes(word)) score += 10;
           }
-          if (desc.includes("dashboard") && ["kpi-grid", "chart-grid", "data-table", "filter-bar"].includes(slug)) score += 20;
+          if (desc.includes("dashboard") && ["kpi-grid", "chart-grid", "data-table", "filter-bar"].includes(slug))
+            score += 20;
           if (desc.includes("metric") && slug === "kpi-grid") score += 15;
           if (desc.includes("chart") && slug === "chart-grid") score += 15;
           if (desc.includes("table") && slug === "data-table") score += 15;
           if (desc.includes("form") && slug === "form-sections") score += 15;
           if (desc.includes("setting") && slug === "form-sections") score += 15;
-          if (desc.includes("landing") && ["hero", "cta-section", "card-grid"].includes(slug)) score += 20;
+          if (desc.includes("landing") && ["hero", "cta-section", "card-grid"].includes(slug))
+            score += 20;
           if (desc.includes("hero") && slug === "hero") score += 20;
-          if (desc.includes("ecommerce") && ["card-grid", "filter-bar", "detail-header"].includes(slug)) score += 15;
+          if (desc.includes("ecommerce") && ["card-grid", "filter-bar", "detail-header"].includes(slug))
+            score += 15;
           if (desc.includes("product") && slug === "card-grid") score += 15;
           if (desc.includes("feed") && slug === "activity-feed") score += 15;
           if (desc.includes("filter") && slug === "filter-bar") score += 15;
@@ -1015,10 +1150,7 @@ async function handleTool(name, args) {
           }
           let score = candidate.score;
           if (fullPattern) {
-            const fullSearchable = [
-              ...fullPattern.components || [],
-              ...fullPattern.tags || []
-            ].join(" ").toLowerCase();
+            const fullSearchable = [...fullPattern.components || [], ...fullPattern.tags || []].join(" ").toLowerCase();
             const words = desc.split(/\s+/);
             for (const word of words) {
               if (word.length < 3) continue;
@@ -1296,18 +1428,24 @@ async function handleTool(name, args) {
         return { error: 'Required parameter "violations" must be a non-empty array.' };
       }
       if (!resolution || !["accept", "accept_scoped", "reject", "defer"].includes(resolution)) {
-        return { error: 'Required parameter "resolution" must be one of: accept, accept_scoped, reject, defer.' };
+        return {
+          error: 'Required parameter "resolution" must be one of: accept, accept_scoped, reject, defer.'
+        };
       }
       const hasDnaViolation = violations.some((v) => {
         const rule = v.rule;
-        return ["theme", "style", "density", "theme-mode", "accessibility", "theme-match"].includes(rule);
+        return ["theme", "style", "density", "theme-mode", "accessibility", "theme-match"].includes(
+          rule
+        );
       });
       if (hasDnaViolation && resolution !== "reject" && resolution !== "defer" && !args.confirm_dna) {
         return {
           error: "DNA-layer violations detected. Set confirm_dna: true to accept changes to design axioms (theme, density, accessibility, etc.).",
           requires_confirmation: true,
           dna_rules_affected: violations.filter(
-            (v) => ["theme", "style", "density", "theme-mode", "accessibility", "theme-match"].includes(v.rule)
+            (v) => ["theme", "style", "density", "theme-mode", "accessibility", "theme-match"].includes(
+              v.rule
+            )
           ).map((v) => v.rule)
         };
       }
@@ -1364,9 +1502,19 @@ async function handleTool(name, args) {
       if (!payload || typeof payload !== "object") {
         return { error: 'Required parameter "payload" must be an object.' };
       }
-      const validOps = ["add_page", "remove_page", "update_page_layout", "update_dna", "update_blueprint", "add_feature", "remove_feature"];
+      const validOps = [
+        "add_page",
+        "remove_page",
+        "update_page_layout",
+        "update_dna",
+        "update_blueprint",
+        "add_feature",
+        "remove_feature"
+      ];
       if (!validOps.includes(operation)) {
-        return { error: `Invalid operation "${operation}". Must be one of: ${validOps.join(", ")}` };
+        return {
+          error: `Invalid operation "${operation}". Must be one of: ${validOps.join(", ")}`
+        };
       }
       try {
         const { essence, path } = await mutateEssenceFile(args.path, (v3) => {
@@ -1413,9 +1561,18 @@ async function handleTool(name, args) {
             execution_pack: scaffoldPayload2,
             review_pack: reviewPayload2,
             pack_manifest: scaffoldSelected.manifest,
-            available_sections: scaffoldSelected.manifest.sections.map((section) => ({ id: section.id, page_ids: section.pageIds })),
-            available_pages: scaffoldSelected.manifest.pages.map((page) => ({ id: page.id, section_id: page.sectionId })),
-            available_mutations: (scaffoldSelected.manifest.mutations ?? []).map((mutation) => ({ id: mutation.id, mutation_type: mutation.mutationType })),
+            available_sections: scaffoldSelected.manifest.sections.map((section) => ({
+              id: section.id,
+              page_ids: section.pageIds
+            })),
+            available_pages: scaffoldSelected.manifest.pages.map((page) => ({
+              id: page.id,
+              section_id: page.sectionId
+            })),
+            available_mutations: (scaffoldSelected.manifest.mutations ?? []).map((mutation) => ({
+              id: mutation.id,
+              mutation_type: mutation.mutationType
+            })),
             note: "Using hosted selected execution packs because local scaffold context artifacts were not found; scaffold pack markdown is being reused as readable scaffold context."
           };
         }
@@ -1435,9 +1592,18 @@ async function handleTool(name, args) {
           execution_pack: scaffoldPayload,
           review_pack: reviewPayload,
           pack_manifest: hosted.bundle.manifest,
-          available_sections: hosted.bundle.manifest.sections.map((section) => ({ id: section.id, page_ids: section.pageIds })),
-          available_pages: hosted.bundle.manifest.pages.map((page) => ({ id: page.id, section_id: page.sectionId })),
-          available_mutations: (hosted.bundle.manifest.mutations ?? []).map((mutation) => ({ id: mutation.id, mutation_type: mutation.mutationType })),
+          available_sections: hosted.bundle.manifest.sections.map((section) => ({
+            id: section.id,
+            page_ids: section.pageIds
+          })),
+          available_pages: hosted.bundle.manifest.pages.map((page) => ({
+            id: page.id,
+            section_id: page.sectionId
+          })),
+          available_mutations: (hosted.bundle.manifest.mutations ?? []).map((mutation) => ({
+            id: mutation.id,
+            mutation_type: mutation.mutationType
+          })),
           note: "Using hosted compiled execution packs because local scaffold context artifacts were not found; scaffold pack markdown is being reused as readable scaffold context."
         };
       }
@@ -1464,7 +1630,10 @@ async function handleTool(name, args) {
         pack_manifest: manifest,
         available_sections: manifest?.sections.map((section) => ({ id: section.id, page_ids: section.pageIds })) ?? [],
         available_pages: manifest?.pages.map((page) => ({ id: page.id, section_id: page.sectionId })) ?? [],
-        available_mutations: manifest?.mutations?.map((mutation) => ({ id: mutation.id, mutation_type: mutation.mutationType })) ?? []
+        available_mutations: manifest?.mutations?.map((mutation) => ({
+          id: mutation.id,
+          mutation_type: mutation.mutationType
+        })) ?? []
       };
     }
     case "decantr_get_section_context": {
@@ -1486,7 +1655,11 @@ async function handleTool(name, args) {
       if (!section) {
         return {
           error: `Section "${sectionId}" not found.`,
-          available_sections: sections.map((s) => ({ id: s.id, role: s.role, pages: s.pages.length }))
+          available_sections: sections.map((s) => ({
+            id: s.id,
+            role: s.role,
+            pages: s.pages.length
+          }))
         };
       }
       const packBasePath = join2(process.cwd(), ".decantr", "context", `section-${sectionId}-pack`);
@@ -1608,7 +1781,10 @@ async function handleTool(name, args) {
         if (!pageEntry) {
           return {
             error: `Page "${pageId}" not found in execution pack manifest.`,
-            available_pages: manifest.pages.map((page) => ({ id: page.id, section_id: page.sectionId })),
+            available_pages: manifest.pages.map((page) => ({
+              id: page.id,
+              section_id: page.sectionId
+            })),
             hosted_fallback_error: manifestSource === "hosted_fallback" ? void 0 : hostedFallbackError
           };
         }
@@ -1865,14 +2041,19 @@ async function handleTool(name, args) {
       if (args.treatments_path != null && typeof args.treatments_path !== "string") {
         return { error: "Invalid treatments_path. Must be a string when provided." };
       }
+      if (args.allow_hosted_upload != null && typeof args.allow_hosted_upload !== "boolean") {
+        return { error: "Invalid allow_hosted_upload. Must be a boolean when provided." };
+      }
       const { critiqueFile } = await import("./critique-VEROHUF4.js");
       const localReviewPackPath = join2(process.cwd(), ".decantr", "context", "review-pack.json");
       if (existsSync(localReviewPackPath)) {
         return critiqueFile(args.file_path, process.cwd());
       }
-      const hosted = await loadHostedFileCritiqueFallback(args);
-      if (hosted.report) {
-        return hosted.report;
+      if (allowsHostedUpload(args)) {
+        const hosted = await loadHostedFileCritiqueFallback(args);
+        if (hosted.report) {
+          return hosted.report;
+        }
       }
       return critiqueFile(args.file_path, process.cwd());
     }
@@ -1889,16 +2070,25 @@ async function handleTool(name, args) {
       if (args.sources_path != null && typeof args.sources_path !== "string") {
         return { error: "Invalid sources_path. Must be a string when provided." };
       }
+      if (args.allow_hosted_upload != null && typeof args.allow_hosted_upload !== "boolean") {
+        return { error: "Invalid allow_hosted_upload. Must be a boolean when provided." };
+      }
       const { auditProject } = await import("@decantr/verifier");
       const projectRoot = process.cwd();
-      const hasReviewPack = existsSync(join2(projectRoot, ".decantr", "context", "review-pack.json"));
-      const hasPackManifest = existsSync(join2(projectRoot, ".decantr", "context", "pack-manifest.json"));
+      const hasReviewPack = existsSync(
+        join2(projectRoot, ".decantr", "context", "review-pack.json")
+      );
+      const hasPackManifest = existsSync(
+        join2(projectRoot, ".decantr", "context", "pack-manifest.json")
+      );
       if (hasReviewPack && hasPackManifest) {
         return auditProject(projectRoot);
       }
-      const hosted = await loadHostedProjectAuditFallback(args);
-      if (hosted.report) {
-        return hosted.report;
+      if (allowsHostedUpload(args)) {
+        const hosted = await loadHostedProjectAuditFallback(args);
+        if (hosted.report) {
+          return hosted.report;
+        }
       }
       return auditProject(projectRoot);
     }
@@ -1966,7 +2156,8 @@ function applyEssenceUpdate(essence, operation, payload) {
       const id = payload.id;
       const layout = payload.layout;
       if (!id) throw new Error('Payload must include "id" for update_page_layout.');
-      if (!layout || !Array.isArray(layout)) throw new Error('Payload must include "layout" array for update_page_layout.');
+      if (!layout || !Array.isArray(layout))
+        throw new Error('Payload must include "layout" array for update_page_layout.');
       const page = essence.blueprint.pages.find((p) => p.id === id);
       if (!page) throw new Error(`Page "${id}" not found.`);
       page.layout = layout;
@@ -2034,10 +2225,7 @@ function describeUpdate(operation, payload) {
 
 // src/index.ts
 var VERSION = "0.2.0";
-var server = new Server(
-  { name: "decantr", version: VERSION },
-  { capabilities: { tools: {} } }
-);
+var server = new Server({ name: "decantr", version: VERSION }, { capabilities: { tools: {} } });
 server.setRequestHandler(ListToolsRequestSchema, async () => {
   return { tools: TOOLS };
 });

package/dist/index.js

@@ -1 +1 @@
-import "./chunk-UNVKE2YC.js";
+import "./chunk-A4ZCCVQR.js";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@decantr/mcp-server",
-  "version": "1.0.4",
+  "version": "1.0.5",
   "mcpName": "io.github.decantr-ai/mcp-server",
   "description": "MCP server for Decantr — exposes design intelligence, packs, and verification to AI coding assistants",
   "keywords": [
@@ -38,18 +38,23 @@
   "files": [
     "dist"
   ],
+  "engines": {
+    "node": ">=20"
+  },
   "publishConfig": {
     "access": "public"
   },
-  "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.29.0",
-    "@decantr/essence-spec": "1.0.3",
-    "@decantr/registry": "1.0.2",
-    "@decantr/verifier": "1.0.2"
-  },
   "scripts": {
     "build": "tsup",
     "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "prepublishOnly": "pnpm build",
+    "preversion": "pnpm build && pnpm test"
+  },
+  "dependencies": {
+    "@decantr/essence-spec": "workspace:*",
+    "@decantr/registry": "workspace:*",
+    "@decantr/verifier": "workspace:*",
+    "@modelcontextprotocol/sdk": "^1.29.0"
   }
-}
+}

package/LICENSE

@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) 2026 Decantr AI
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.