@dereekb/dbx-cli 13.11.18 → 13.12.1

package/generate-mcp-manifest/main.js

@@ -0,0 +1,1314 @@
+#!/usr/bin/env node
+import { createRequire as __createRequire } from 'node:module';
+const require = __createRequire(import.meta.url);
+
+// packages/dbx-cli/generate-mcp-manifest/src/generate-mcp-manifest/main.ts
+import { existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import { dirname, isAbsolute, relative as relative2, resolve } from "node:path";
+import { createJiti } from "jiti";
+
+// packages/util/src/lib/auth/auth.role.ts
+var AUTH_TOS_SIGNED_ROLE = "tos";
+var AUTH_ONBOARDED_ROLE = "onboarded";
+var AUTH_ADMIN_ROLE = "admin";
+var AUTH_USER_ROLE = "user";
+
+// packages/model/src/lib/type/type.ts
+import { type } from "arktype";
+var EMPTY_ARKTYPE_TYPE = type({});
+function arktypeToJsonSchemaForExport(t) {
+  const raw = t.toJsonSchema({
+    fallback: {
+      predicate: (ctx) => ctx.base,
+      morph: (ctx) => ctx.base,
+      // `false` is a valid JSON Schema value ("matches nothing"), but arktype's TS types
+      // reject `false` as the fallback return — cast through `unknown` to keep runtime behavior.
+      default: (() => false)
+    }
+  });
+  return pruneFalseUnionBranches(JSON.parse(JSON.stringify(raw)));
+}
+function pruneFalseUnionBranches(value) {
+  let result = value;
+  if (Array.isArray(value)) {
+    result = value.map(pruneFalseUnionBranches);
+  } else if (value && typeof value === "object") {
+    const out = {};
+    for (const [key, raw] of Object.entries(value)) {
+      if ((key === "anyOf" || key === "oneOf") && Array.isArray(raw)) {
+        const filtered = raw.filter((v) => v !== false).map(pruneFalseUnionBranches);
+        if (filtered.length > 0) {
+          out[key] = filtered;
+        }
+      } else {
+        out[key] = pruneFalseUnionBranches(raw);
+      }
+    }
+    result = out;
+  }
+  return result;
+}
+
+// packages/firebase/src/lib/common/auth/oidc/oidc.error.ts
+var CALL_MODEL_MISSING_OIDC_SCOPE_ERROR_CODE = "CALL_MODEL_MISSING_OIDC_SCOPE";
+
+// packages/firebase/src/lib/common/auth/oidc/oidc.ts
+var CALL_MODEL_OIDC_SCOPE_PREFIX = "model.";
+var CREATE_MODEL_OIDC_SCOPE = `${CALL_MODEL_OIDC_SCOPE_PREFIX}create`;
+var READ_MODEL_OIDC_SCOPE = `${CALL_MODEL_OIDC_SCOPE_PREFIX}read`;
+var UPDATE_MODEL_OIDC_SCOPE = `${CALL_MODEL_OIDC_SCOPE_PREFIX}update`;
+var DELETE_MODEL_OIDC_SCOPE = `${CALL_MODEL_OIDC_SCOPE_PREFIX}delete`;
+var QUERY_MODEL_OIDC_SCOPE = `${CALL_MODEL_OIDC_SCOPE_PREFIX}query`;
+var INVOKE_MODEL_OIDC_SCOPE = `${CALL_MODEL_OIDC_SCOPE_PREFIX}invoke`;
+var CALL_MODEL_OIDC_SCOPES = [CREATE_MODEL_OIDC_SCOPE, READ_MODEL_OIDC_SCOPE, UPDATE_MODEL_OIDC_SCOPE, DELETE_MODEL_OIDC_SCOPE, QUERY_MODEL_OIDC_SCOPE, INVOKE_MODEL_OIDC_SCOPE];
+var CALL_MODEL_OIDC_SCOPE_FOR_CALL_TYPE = {
+  create: "model.create",
+  read: "model.read",
+  update: "model.update",
+  delete: "model.delete",
+  query: "model.query",
+  invoke: "model.invoke"
+};
+
+// packages/firebase/src/lib/model/storagefile/storagefile.upload.claims.ts
+var STORAGE_FILE_UPLOAD_USER_ROLE = "uploads";
+
+// packages/dbx-cli/src/lib/manifest/types.ts
+var MCP_MANIFEST_VERSION = 1;
+function mcpManifestKey(modelType, call, specifier) {
+  const isDefault = specifier == null || specifier === "_";
+  return isDefault ? `${modelType}.${call}._` : `${modelType}.${call}.${specifier}`;
+}
+
+// packages/dbx-cli/src/lib/mcp-scan/registry/auth-runtime.ts
+// @__NO_SIDE_EFFECTS__
+function createAuthRegistryFromEntries(input = {}) {
+  const roles = input.roles ?? [];
+  const claims = input.claims ?? [];
+  const scopes = input.scopes ?? [];
+  const apps = input.apps ?? [];
+  const loadedSources = input.loadedSources ?? [];
+  const { rolesByKey, rolesByTag } = indexRoles(roles);
+  const { claimsByApp, claimsByInterface, claimsByRole } = indexClaims(claims);
+  const scopesByName = indexScopes(scopes);
+  const { appsBySlug, appsByInterface } = indexApps(apps);
+  const registry = {
+    roles,
+    claims,
+    scopes,
+    apps,
+    loadedSources: [...loadedSources],
+    findRole(key) {
+      return rolesByKey.get(key.toLowerCase());
+    },
+    findRolesByTag(tag) {
+      return rolesByTag.get(tag.toLowerCase()) ?? [];
+    },
+    findClaim(key, app) {
+      let result;
+      if (app === void 0) {
+        result = claims.find((c) => c.key === key);
+      } else {
+        const inApp = claimsByApp.get(app.toLowerCase()) ?? [];
+        result = inApp.find((c) => c.key === key);
+        result ??= claims.find((c) => c.key === key && c.app === void 0);
+      }
+      return result;
+    },
+    findClaimsByApp(app) {
+      return claimsByApp.get(app.toLowerCase()) ?? [];
+    },
+    findClaimsByInterface(interfaceName) {
+      return claimsByInterface.get(interfaceName.toLowerCase()) ?? [];
+    },
+    findScope(scope) {
+      return scopesByName.get(scope);
+    },
+    findApp(app) {
+      return appsBySlug.get(app.toLowerCase());
+    },
+    findAppByInterface(interfaceName) {
+      return appsByInterface.get(interfaceName.toLowerCase());
+    },
+    findClaimsForRole(role) {
+      return claimsByRole.get(role.toLowerCase()) ?? [];
+    }
+  };
+  return registry;
+}
+function pushInto(map, key, value) {
+  const existing = map.get(key);
+  if (existing === void 0) {
+    map.set(key, [value]);
+  } else {
+    existing.push(value);
+  }
+}
+function indexRoles(roles) {
+  const rolesByKey = /* @__PURE__ */ new Map();
+  const rolesByTag = /* @__PURE__ */ new Map();
+  for (const role of roles) {
+    const lowered = role.role.toLowerCase();
+    if (!rolesByKey.has(lowered)) rolesByKey.set(lowered, role);
+    if (role.constName !== void 0) {
+      const constLowered = role.constName.toLowerCase();
+      if (!rolesByKey.has(constLowered)) rolesByKey.set(constLowered, role);
+    }
+    for (const tag of role.tags) {
+      pushInto(rolesByTag, tag.toLowerCase(), role);
+    }
+  }
+  return { rolesByKey, rolesByTag };
+}
+function indexClaims(claims) {
+  const claimsByApp = /* @__PURE__ */ new Map();
+  const claimsByInterface = /* @__PURE__ */ new Map();
+  const claimsByRole = /* @__PURE__ */ new Map();
+  for (const claim of claims) {
+    if (claim.app !== void 0) pushInto(claimsByApp, claim.app.toLowerCase(), claim);
+    if (claim.interfaceName !== void 0) pushInto(claimsByInterface, claim.interfaceName.toLowerCase(), claim);
+    for (const role of claim.mapping.roles) {
+      pushInto(claimsByRole, role.toLowerCase(), claim);
+    }
+  }
+  return { claimsByApp, claimsByInterface, claimsByRole };
+}
+function indexScopes(scopes) {
+  const scopesByName = /* @__PURE__ */ new Map();
+  for (const scope of scopes) {
+    if (!scopesByName.has(scope.scope)) scopesByName.set(scope.scope, scope);
+  }
+  return scopesByName;
+}
+function indexApps(apps) {
+  const appsBySlug = /* @__PURE__ */ new Map();
+  const appsByInterface = /* @__PURE__ */ new Map();
+  for (const app of apps) {
+    appsBySlug.set(app.app.toLowerCase(), app);
+    appsByInterface.set(app.claimsInterfaceName.toLowerCase(), app);
+  }
+  return { appsBySlug, appsByInterface };
+}
+
+// packages/dbx-cli/src/lib/mcp-scan/registry/auth-builtin.ts
+var UTIL_ROLE_PATH = "packages/util/src/lib/auth/auth.role.ts";
+var STORAGE_CLAIM_PATH = "packages/firebase/src/lib/model/storagefile/storagefile.upload.claims.ts";
+var OIDC_SCOPE_PATH = "packages/firebase/src/lib/common/auth/oidc/oidc.ts";
+var OIDC_SCOPE_PRE_ASSERT_PATH = "packages/firebase-server/oidc/src/lib/scope.ts";
+var DEMO_CLAIMS_PATH = "components/demo-firebase/src/lib/auth/claims.ts";
+var BUILTIN_AUTH_ROLES = [
+  {
+    role: AUTH_TOS_SIGNED_ROLE,
+    constName: "AUTH_TOS_SIGNED_ROLE",
+    source: "system",
+    sourcePath: UTIL_ROLE_PATH,
+    sourceLine: 26,
+    description: "Auth role for an account that has signed the terms of service.",
+    tags: ["system", "auth", "verified-user"]
+  },
+  {
+    role: AUTH_ONBOARDED_ROLE,
+    constName: "AUTH_ONBOARDED_ROLE",
+    source: "system",
+    sourcePath: UTIL_ROLE_PATH,
+    sourceLine: 31,
+    description: "Auth role for an account that has been onboarded.",
+    tags: ["system", "auth", "verified-user"]
+  },
+  {
+    role: AUTH_ADMIN_ROLE,
+    constName: "AUTH_ADMIN_ROLE",
+    source: "system",
+    sourcePath: UTIL_ROLE_PATH,
+    sourceLine: 36,
+    description: "Auth role for a full admin. Allowed into all sections of the app.",
+    tags: ["system", "auth", "privileged", "staff"]
+  },
+  {
+    role: AUTH_USER_ROLE,
+    constName: "AUTH_USER_ROLE",
+    source: "system",
+    sourcePath: UTIL_ROLE_PATH,
+    sourceLine: 41,
+    description: "Auth role for a general logged-in user.",
+    tags: ["system", "auth"]
+  },
+  {
+    role: STORAGE_FILE_UPLOAD_USER_ROLE,
+    constName: "STORAGE_FILE_UPLOAD_USER_ROLE",
+    source: "system",
+    sourcePath: STORAGE_CLAIM_PATH,
+    sourceLine: 32,
+    description: "Role granting storage-file uploads. Revoked when the inverse `fr` claim is set.",
+    tags: ["system", "storage", "uploads"]
+  }
+];
+var BUILTIN_AUTH_CLAIMS = [
+  {
+    key: "fr",
+    type: "StorageFileUploadUserRestriction",
+    description: "Inverse claim \u2014 when set, revokes the `uploads` role from the user.",
+    interfaceName: "StorageFileUploadUserClaims",
+    sourcePath: STORAGE_CLAIM_PATH,
+    sourceLine: 26,
+    source: "system",
+    mapping: {
+      roles: [STORAGE_FILE_UPLOAD_USER_ROLE],
+      inverse: true,
+      inverseMode: "any",
+      customEncodeDecode: false
+    },
+    tags: ["system", "storage", "uploads", "inverse"]
+  }
+];
+var BUILTIN_AUTH_SCOPES = CALL_MODEL_OIDC_SCOPES.map((scope) => {
+  const callType = (Object.entries(CALL_MODEL_OIDC_SCOPE_FOR_CALL_TYPE).find(([, s]) => s === scope) ?? [])[0];
+  const result = {
+    scope,
+    prefix: CALL_MODEL_OIDC_SCOPE_PREFIX,
+    callType,
+    description: `Required OIDC scope for the \`callModel\` ${callType ?? "CRUD"} verb.`,
+    enforcedAt: [
+      {
+        path: OIDC_SCOPE_PRE_ASSERT_PATH,
+        line: 21,
+        description: "`oidcCallModelScopePreAssert` rejects requests that lack this scope."
+      }
+    ],
+    errorCode: CALL_MODEL_MISSING_OIDC_SCOPE_ERROR_CODE,
+    source: "system",
+    sourcePath: OIDC_SCOPE_PATH,
+    sourceLine: 30,
+    apps: []
+  };
+  return result;
+});
+var DEMO_CLAIMS = [
+  {
+    key: "o",
+    type: "1",
+    description: "Onboarded flag \u2014 set when the user has signed TOS and completed onboarding.",
+    app: "demo-api",
+    interfaceName: "DemoApiAuthClaims",
+    sourcePath: DEMO_CLAIMS_PATH,
+    sourceLine: 18,
+    source: "app",
+    mapping: {
+      roles: [AUTH_TOS_SIGNED_ROLE, AUTH_ONBOARDED_ROLE],
+      inverse: false,
+      claimValue: 1,
+      customEncodeDecode: false
+    },
+    tags: ["onboarded", "verified-user"]
+  },
+  {
+    key: "a",
+    type: "1",
+    description: "Admin role \u2014 grants full access to admin-only sections of the app.",
+    app: "demo-api",
+    interfaceName: "DemoApiAuthClaims",
+    sourcePath: DEMO_CLAIMS_PATH,
+    sourceLine: 25,
+    source: "app",
+    mapping: {
+      roles: [AUTH_ADMIN_ROLE],
+      inverse: false,
+      claimValue: 1,
+      customEncodeDecode: false
+    },
+    tags: ["privileged", "staff"]
+  }
+];
+var DEMO_APP = {
+  app: "demo-api",
+  claimsInterfaceName: "DemoApiAuthClaims",
+  serviceConstName: "DEMO_AUTH_CLAIMS_SERVICE",
+  sourcePath: DEMO_CLAIMS_PATH,
+  claimKeys: ["o", "a", "fr"],
+  scopes: [...CALL_MODEL_OIDC_SCOPES],
+  description: "Demo Firebase API. Inherits the `fr` storage-upload claim and adds the onboarded (`o`) and admin (`a`) flags."
+};
+var WORKSPACE_AUTH_CLAIMS = [...DEMO_CLAIMS];
+
+// packages/dbx-cli/src/lib/scan-helpers/scan-io.ts
+import { glob as fsGlob, readFile as nodeReadFile } from "node:fs/promises";
+import { Project } from "ts-morph";
+var defaultReadFile = (path) => nodeReadFile(path, "utf-8");
+
+// packages/dbx-cli/src/lib/mcp-scan/scan/auth-extract.ts
+import { Node } from "ts-morph";
+var AUTH_CLAIMS_APP_TAG = "dbxAuthClaimsApp";
+var AUTH_CLAIMS_SERVICE_TAG = "dbxAuthClaimsService";
+var AUTH_CLAIM_MARKER = "dbxAuthClaim";
+var AUTH_ROLE_TAG_TAG = "dbxAuthRoleTag";
+var AUTH_ROLE_TAG = "dbxAuthRole";
+var AUTH_ROLE_CLAIMS_SERVICE_FN = "authRoleClaimsService";
+function extractAuthEntries(input) {
+  const { project, knownRoles } = input;
+  const warnings = [];
+  const localRoleConsts = collectLocalRoleConsts(project);
+  const mergedKnownRoles = mergeKnownRoles(knownRoles, localRoleConsts.scalars);
+  const taggedAppDecls = collectTaggedAppDecls(project, warnings);
+  const serviceMappings = collectServiceMappings(project, warnings, taggedAppDecls);
+  const apps = [];
+  const claims = [];
+  for (const tagged of taggedAppDecls) {
+    const serviceForApp = serviceMappings.get(tagged.slug.toLowerCase());
+    const inheritedInterfaceNames = collectInheritedInterfaceNames(tagged.decl);
+    const ownClaims = collectClaimsFromDecl({
+      decl: tagged.decl,
+      app: tagged.slug,
+      interfaceName: tagged.interfaceName,
+      filePath: tagged.filePath,
+      service: serviceForApp,
+      knownRoles: mergedKnownRoles,
+      localArrayRoles: localRoleConsts.arrays,
+      warnings
+    });
+    for (const claim of ownClaims) claims.push(claim);
+    apps.push({
+      app: tagged.slug,
+      claimsInterfaceName: tagged.interfaceName,
+      serviceConstName: serviceForApp?.constName,
+      inheritedInterfaceNames,
+      ownClaimKeys: ownClaims.map((c) => c.key),
+      filePath: tagged.filePath,
+      line: tagged.line
+    });
+  }
+  return { apps, claims, warnings };
+}
+function collectTaggedAppDecls(project, warnings) {
+  const out = [];
+  for (const sourceFile of project.getSourceFiles()) {
+    const filePath = sourceFile.getFilePath();
+    for (const decl of sourceFile.getInterfaces()) {
+      const tagged = readAppTag({ decl, filePath, warnings, interfaceName: decl.getName() });
+      if (tagged !== void 0) out.push(tagged);
+    }
+    for (const decl of sourceFile.getTypeAliases()) {
+      const tagged = readAppTag({ decl, filePath, warnings, interfaceName: decl.getName() });
+      if (tagged !== void 0) out.push(tagged);
+    }
+  }
+  return out;
+}
+function readAppTag(input) {
+  const { decl, interfaceName, filePath, warnings } = input;
+  const slug = readJsDocFirstTagValue(decl.getJsDocs(), AUTH_CLAIMS_APP_TAG);
+  let result;
+  if (slug.kind === "empty") {
+    warnings.push({ kind: "app-missing-slug", interfaceName, filePath, line: decl.getStartLineNumber() });
+  } else if (slug.kind === "value") {
+    result = {
+      slug: slug.text,
+      interfaceName,
+      decl,
+      filePath,
+      line: decl.getStartLineNumber()
+    };
+  }
+  return result;
+}
+function collectServiceMappings(project, warnings, appDecls) {
+  const knownAppSlugs = new Set(appDecls.map((a) => a.slug.toLowerCase()));
+  const out = /* @__PURE__ */ new Map();
+  for (const sourceFile of project.getSourceFiles()) {
+    const filePath = sourceFile.getFilePath();
+    for (const stmt of sourceFile.getVariableStatements()) {
+      if (!stmt.isExported()) continue;
+      processServiceStatement({ stmt, filePath, knownAppSlugs, warnings, out });
+    }
+  }
+  return out;
+}
+function processServiceStatement(input) {
+  const { stmt, filePath, knownAppSlugs, warnings, out } = input;
+  const slug = readJsDocFirstTagValue(stmt.getJsDocs(), AUTH_CLAIMS_SERVICE_TAG);
+  if (slug.kind === "absent") return;
+  const decls = stmt.getDeclarations();
+  if (slug.kind === "empty") {
+    for (const decl of decls) {
+      warnings.push({ kind: "service-missing-slug", constName: decl.getName(), filePath, line: decl.getStartLineNumber() });
+    }
+    return;
+  }
+  const slugText = slug.text;
+  const slugLower = slugText.toLowerCase();
+  if (!knownAppSlugs.has(slugLower)) {
+    for (const decl of decls) {
+      warnings.push({ kind: "service-without-app", constName: decl.getName(), slug: slugText, filePath, line: decl.getStartLineNumber() });
+    }
+    return;
+  }
+  for (const decl of decls) {
+    out.set(slugLower, {
+      constName: decl.getName(),
+      perKey: parseServiceInitializer(decl.getInitializer()),
+      filePath,
+      line: decl.getStartLineNumber()
+    });
+  }
+}
+function parseServiceInitializer(initializer) {
+  const out = /* @__PURE__ */ new Map();
+  const configArg = initializer === void 0 ? void 0 : resolveServiceConfigArg(initializer);
+  if (configArg !== void 0) {
+    for (const property of configArg.getProperties()) {
+      if (!Node.isPropertyAssignment(property)) continue;
+      const key = readPropertyAssignmentKey(property);
+      if (key === void 0) continue;
+      const parsed = parseRoleMappingValue(property);
+      out.set(key, parsed);
+    }
+  }
+  return out;
+}
+function resolveServiceConfigArg(initializer) {
+  let configArg;
+  if (Node.isCallExpression(initializer)) {
+    const callee = initializer.getExpression();
+    const calleeText = callee.getText();
+    if (calleeText.endsWith(AUTH_ROLE_CLAIMS_SERVICE_FN)) {
+      const args = initializer.getArguments();
+      if (args.length > 0 && Node.isObjectLiteralExpression(args[0])) {
+        configArg = args[0];
+      }
+    }
+  } else if (Node.isObjectLiteralExpression(initializer)) {
+    configArg = initializer;
+  }
+  return configArg;
+}
+function readPropertyAssignmentKey(property) {
+  const nameNode = property.getNameNode();
+  let result;
+  if (Node.isIdentifier(nameNode) || Node.isStringLiteral(nameNode) || Node.isNoSubstitutionTemplateLiteral(nameNode)) {
+    result = Node.isIdentifier(nameNode) ? nameNode.getText() : nameNode.getLiteralText();
+  }
+  return result;
+}
+function parseRoleMappingValue(property) {
+  const initializer = property.getInitializer();
+  let result;
+  if (initializer === void 0) {
+    result = { mapping: { roles: [], inverse: false, customEncodeDecode: false }, unresolvedRoleConsts: [] };
+  } else if (Node.isObjectLiteralExpression(initializer)) {
+    result = parseRoleMappingObject(initializer);
+  } else {
+    result = { mapping: { roles: [], inverse: false, customEncodeDecode: true }, unresolvedRoleConsts: [] };
+  }
+  return result;
+}
+function parseRoleMappingObject(obj) {
+  const rolesProperty = obj.getProperty("roles");
+  const inverseRolesProperty = obj.getProperty("inverseRoles");
+  const claimValueProperty = obj.getProperty("claimValue");
+  const inverseModeProperty = obj.getProperty("inverseMode");
+  let inverse = false;
+  let rawRoles = [];
+  if (rolesProperty !== void 0 && Node.isPropertyAssignment(rolesProperty)) {
+    rawRoles = readRoleListInitializer(rolesProperty.getInitializer());
+  } else if (inverseRolesProperty !== void 0 && Node.isPropertyAssignment(inverseRolesProperty)) {
+    inverse = true;
+    rawRoles = readRoleListInitializer(inverseRolesProperty.getInitializer());
+  }
+  const claimValue = claimValueProperty !== void 0 && Node.isPropertyAssignment(claimValueProperty) ? readClaimValueInitializer(claimValueProperty.getInitializer()) : void 0;
+  const inverseMode = inverseModeProperty !== void 0 && Node.isPropertyAssignment(inverseModeProperty) ? readInverseModeInitializer(inverseModeProperty.getInitializer()) : void 0;
+  const unresolvedRoleConsts = [];
+  const roleTexts = [];
+  for (const raw of rawRoles) {
+    if (!raw.resolvable) {
+      unresolvedRoleConsts.push(raw.text);
+    }
+    roleTexts.push(raw.text);
+  }
+  const mapping = {
+    roles: roleTexts,
+    inverse,
+    ...inverseMode === void 0 ? {} : { inverseMode },
+    ...claimValue === void 0 ? {} : { claimValue },
+    customEncodeDecode: false
+  };
+  return { mapping, unresolvedRoleConsts };
+}
+function readRoleListInitializer(initializer) {
+  const out = [];
+  if (initializer !== void 0) {
+    if (Node.isArrayLiteralExpression(initializer)) {
+      for (const element of initializer.getElements()) {
+        const parsed = readRoleAtom(element);
+        if (parsed !== void 0) out.push(parsed);
+      }
+    } else {
+      const parsed = readRoleAtom(initializer);
+      if (parsed !== void 0) out.push(parsed);
+    }
+  }
+  return out;
+}
+function readRoleAtom(node) {
+  let result;
+  if (Node.isStringLiteral(node) || Node.isNoSubstitutionTemplateLiteral(node)) {
+    result = { text: node.getLiteralText(), resolvable: true };
+  } else if (Node.isIdentifier(node)) {
+    result = { text: node.getText(), resolvable: false };
+  } else if (Node.isSpreadElement(node)) {
+    const inner = node.getExpression();
+    if (Node.isIdentifier(inner)) {
+      result = { text: inner.getText(), resolvable: false };
+    }
+  }
+  return result;
+}
+function readClaimValueInitializer(initializer) {
+  let result;
+  if (initializer === void 0) {
+    result = void 0;
+  } else if (Node.isStringLiteral(initializer) || Node.isNoSubstitutionTemplateLiteral(initializer)) {
+    result = initializer.getLiteralText();
+  } else if (Node.isNumericLiteral(initializer)) {
+    result = Number(initializer.getText());
+  } else if (Node.isTrueLiteral(initializer)) {
+    result = true;
+  } else if (Node.isFalseLiteral(initializer)) {
+    result = false;
+  }
+  return result;
+}
+function readInverseModeInitializer(initializer) {
+  let result;
+  if (initializer !== void 0 && (Node.isStringLiteral(initializer) || Node.isNoSubstitutionTemplateLiteral(initializer))) {
+    const text = initializer.getLiteralText();
+    if (text === "any" || text === "all") {
+      result = text;
+    }
+  }
+  return result;
+}
+function collectClaimsFromDecl(input) {
+  const { decl } = input;
+  const properties = [];
+  if (Node.isInterfaceDeclaration(decl)) {
+    for (const prop of decl.getProperties()) properties.push(prop);
+  } else {
+    const typeNode = decl.getTypeNode();
+    if (typeNode !== void 0) collectPropertySignaturesFromTypeNode(typeNode, properties);
+  }
+  const out = [];
+  for (const property of properties) {
+    const claim = buildClaimFromProperty({ ...input, property });
+    if (claim !== void 0) out.push(claim);
+  }
+  return out;
+}
+function collectPropertySignaturesFromTypeNode(typeNode, sink) {
+  if (Node.isTypeLiteral(typeNode)) {
+    for (const prop of typeNode.getProperties()) sink.push(prop);
+  } else if (Node.isIntersectionTypeNode(typeNode)) {
+    for (const member of typeNode.getTypeNodes()) collectPropertySignaturesFromTypeNode(member, sink);
+  } else if (Node.isParenthesizedTypeNode(typeNode)) {
+    const inner = typeNode.getTypeNode();
+    if (inner !== void 0) collectPropertySignaturesFromTypeNode(inner, sink);
+  }
+}
+function buildClaimFromProperty(input) {
+  const { property, app, interfaceName, filePath, service, knownRoles, localArrayRoles, warnings } = input;
+  const tagState = readPropertyTagState(property.getJsDocs());
+  let result;
+  if (tagState.hasMarker) {
+    const key = property.getName();
+    const typeText = property.getTypeNode()?.getText() ?? "unknown";
+    const description = tagState.summaries.join("\n\n");
+    const line = property.getStartLineNumber();
+    const parsed = service?.perKey.get(key);
+    if (parsed === void 0) {
+      warnings.push({ kind: "claim-missing-mapping", app, key, filePath, line });
+    }
+    const mapping = parsed === void 0 ? { roles: [], inverse: false, customEncodeDecode: false } : resolveMappingRoles({ mapping: parsed.mapping, unresolvedRoleConsts: parsed.unresolvedRoleConsts, knownRoles, localArrayRoles, app, key, filePath, line, warnings });
+    result = {
+      key,
+      type: typeText,
+      description,
+      app,
+      interfaceName,
+      tags: tagState.tags,
+      mapping,
+      filePath,
+      line
+    };
+  }
+  return result;
+}
+function resolveMappingRoles(input) {
+  const { mapping, knownRoles, localArrayRoles, app, key, filePath, line, warnings } = input;
+  const resolved = [];
+  for (const role of mapping.roles) {
+    if (knownRoles.has(role)) {
+      resolved.push(knownRoles.get(role));
+    } else if (input.unresolvedRoleConsts.includes(role)) {
+      const aggregate = resolveRoleConstByName(role, { knownRoles, localArrayRoles, seen: /* @__PURE__ */ new Set() });
+      if (aggregate.unresolved.length === 0) {
+        for (const aggregateRole of aggregate.roles) resolved.push(aggregateRole);
+      } else {
+        warnings.push({ kind: "unresolved-role-const", app, key, constName: role, filePath, line });
+        resolved.push(role);
+      }
+    } else {
+      resolved.push(role);
+    }
+  }
+  return { ...mapping, roles: resolved };
+}
+function collectLocalRoleConsts(project) {
+  const scalars = /* @__PURE__ */ new Map();
+  const arrays = /* @__PURE__ */ new Map();
+  for (const sourceFile of project.getSourceFiles()) {
+    for (const stmt of sourceFile.getVariableStatements()) {
+      if (!stmt.isExported()) continue;
+      for (const decl of stmt.getDeclarations()) {
+        const initializer = decl.getInitializer();
+        const name = decl.getName();
+        if (initializer === void 0) continue;
+        if (Node.isStringLiteral(initializer) || Node.isNoSubstitutionTemplateLiteral(initializer)) {
+          if (!scalars.has(name)) scalars.set(name, initializer.getLiteralText());
+        } else if (Node.isArrayLiteralExpression(initializer) && !arrays.has(name)) arrays.set(name, initializer);
+      }
+    }
+  }
+  return { scalars, arrays };
+}
+function mergeKnownRoles(builtins, localScalars) {
+  const out = /* @__PURE__ */ new Map();
+  for (const [name, role] of localScalars) out.set(name, role);
+  for (const [name, role] of builtins) out.set(name, role);
+  return out;
+}
+var EMPTY_ROLE_CONST_RESOLUTION = { roles: [], unresolved: [] };
+function resolveRoleConstByName(name, ctx) {
+  let result;
+  const scalar = ctx.knownRoles.get(name);
+  if (scalar !== void 0) {
+    result = { roles: [scalar], unresolved: [] };
+  } else {
+    const arrayExpr = ctx.localArrayRoles.get(name);
+    if (arrayExpr === void 0) {
+      result = { roles: [], unresolved: [name] };
+    } else if (ctx.seen.has(name)) {
+      result = EMPTY_ROLE_CONST_RESOLUTION;
+    } else {
+      const nextSeen = new Set(ctx.seen);
+      nextSeen.add(name);
+      result = resolveRoleArrayLiteral(arrayExpr, { ...ctx, seen: nextSeen });
+    }
+  }
+  return result;
+}
+function resolveRoleArrayLiteral(arrayExpr, ctx) {
+  const roles = [];
+  const unresolved = [];
+  for (const element of arrayExpr.getElements()) {
+    const elementResult = resolveRoleArrayElement(element, ctx);
+    for (const role of elementResult.roles) roles.push(role);
+    for (const name of elementResult.unresolved) unresolved.push(name);
+  }
+  return { roles, unresolved };
+}
+function resolveRoleArrayElement(element, ctx) {
+  let result = EMPTY_ROLE_CONST_RESOLUTION;
+  if (Node.isStringLiteral(element) || Node.isNoSubstitutionTemplateLiteral(element)) {
+    result = { roles: [element.getLiteralText()], unresolved: [] };
+  } else if (Node.isIdentifier(element)) {
+    result = resolveRoleConstByName(element.getText(), ctx);
+  } else if (Node.isSpreadElement(element)) {
+    const inner = element.getExpression();
+    if (Node.isIdentifier(inner)) {
+      result = resolveRoleConstByName(inner.getText(), ctx);
+    } else if (Node.isArrayLiteralExpression(inner)) {
+      result = resolveRoleArrayLiteral(inner, ctx);
+    } else {
+      result = { roles: [], unresolved: [inner.getText()] };
+    }
+  }
+  return result;
+}
+function readPropertyTagState(jsDocs) {
+  const summaries = [];
+  const tags = [];
+  let hasMarker = false;
+  for (const jsDoc of jsDocs) {
+    const description = jsDoc.getDescription().trim();
+    if (description.length > 0) summaries.push(description);
+    if (consumeMarkerAndRoles(jsDoc.getTags(), tags)) hasMarker = true;
+  }
+  return { hasMarker, summaries, tags };
+}
+function consumeMarkerAndRoles(jsDocTags, roleSink) {
+  let hasMarker = false;
+  for (const tag of jsDocTags) {
+    const name = tag.getTagName();
+    if (name === AUTH_CLAIM_MARKER) {
+      hasMarker = true;
+    } else {
+      collectRoleTagPieces(name, tag, roleSink);
+    }
+  }
+  return hasMarker;
+}
+function collectRoleTagPieces(name, tag, sink) {
+  if (name !== AUTH_ROLE_TAG_TAG && name !== AUTH_ROLE_TAG) return;
+  const text = tag.getCommentText()?.trim() ?? "";
+  if (text.length === 0) return;
+  for (const piece of splitListTagText(text)) {
+    if (!sink.includes(piece)) sink.push(piece);
+  }
+}
+function splitListTagText(text) {
+  const out = [];
+  for (const piece of text.split(/[\s,]+/)) {
+    const trimmed = piece.trim();
+    if (trimmed.length > 0) out.push(trimmed);
+  }
+  return out;
+}
+function collectInheritedInterfaceNames(decl) {
+  const out = [];
+  if (Node.isInterfaceDeclaration(decl)) {
+    for (const ext of decl.getExtends()) {
+      const name = ext.getExpression().getText();
+      if (name.length > 0 && !out.includes(name)) out.push(name);
+    }
+  } else {
+    const typeNode = decl.getTypeNode();
+    if (typeNode !== void 0) collectInheritedInterfaceNamesFromTypeNode(typeNode, out);
+  }
+  return out;
+}
+function collectInheritedInterfaceNamesFromTypeNode(typeNode, sink) {
+  if (Node.isIntersectionTypeNode(typeNode)) {
+    for (const member of typeNode.getTypeNodes()) collectInheritedInterfaceNamesFromTypeNode(member, sink);
+  } else if (Node.isTypeReference(typeNode)) {
+    const text = typeNode.getTypeName().getText();
+    if (text.length > 0 && !sink.includes(text)) sink.push(text);
+  } else if (Node.isParenthesizedTypeNode(typeNode)) {
+    const inner = typeNode.getTypeNode();
+    if (inner !== void 0) collectInheritedInterfaceNamesFromTypeNode(inner, sink);
+  }
+}
+var JSDOC_TAG_ABSENT = { kind: "absent" };
+var JSDOC_TAG_EMPTY = { kind: "empty" };
+function readJsDocFirstTagValue(jsDocs, tagName) {
+  let result = JSDOC_TAG_ABSENT;
+  for (const jsDoc of jsDocs) {
+    for (const tag of jsDoc.getTags()) {
+      if (tag.getTagName() === tagName) {
+        const text = tag.getCommentText()?.trim() ?? "";
+        result = text.length > 0 ? { kind: "value", text } : JSDOC_TAG_EMPTY;
+        break;
+      }
+    }
+    if (result.kind !== "absent") break;
+  }
+  return result;
+}
+
+// packages/dbx-cli/src/lib/mcp-scan/manifest/load-auth-registry.ts
+import { glob as fsGlob2 } from "node:fs/promises";
+import { join, relative, resolve as resolvePath, sep } from "node:path";
+import { Project as Project2 } from "ts-morph";
+var DEFAULT_GLOB_PATTERNS = ["components/*-firebase/src/**/auth/**/*claims*.ts", "components/*-shared/src/**/auth/**/*claims*.ts", "components/*-web/src/**/auth/**/*claims*.ts", "components/*-core/src/**/auth/**/*claims*.ts", "apps/*/src/**/auth/**/*claims*.ts"];
+var APP_TAG_MARKER = "@dbxAuthClaimsApp";
+var SERVICE_TAG_MARKER = "@dbxAuthClaimsService";
+async function loadAuthRegistry(input) {
+  const { cwd, readFile = defaultReadFile, extraFiles = [], skipDiscovery = false } = input;
+  const discovered = skipDiscovery ? [] : await discoverClaimsFiles(cwd);
+  const candidatePaths = mergeAndNormalisePaths(discovered, extraFiles);
+  const fileWarnings = [];
+  const project = new Project2({ useInMemoryFileSystem: true, skipAddingFilesFromTsConfig: true });
+  const scannedFiles = [];
+  for (const relPath of candidatePaths) {
+    const absolute = resolvePath(cwd, relPath);
+    let text;
+    try {
+      text = await readFile(absolute);
+    } catch (error) {
+      fileWarnings.push({ kind: "read-failed", relPath, error: error instanceof Error ? error.message : String(error) });
+      continue;
+    }
+    if (!hasAuthMarker(text)) continue;
+    try {
+      project.createSourceFile(absolute, text, { overwrite: true });
+      scannedFiles.push(relPath);
+    } catch (error) {
+      fileWarnings.push({ kind: "parse-failed", relPath, error: error instanceof Error ? error.message : String(error) });
+    }
+  }
+  const knownRoles = buildKnownRolesMap(BUILTIN_AUTH_ROLES);
+  const extractResult = scannedFiles.length === 0 ? { apps: [], claims: [], warnings: [] } : extractAuthEntries({ project, knownRoles });
+  const registry = composeRegistry({
+    cwd,
+    extractResult,
+    scannedRelFiles: scannedFiles,
+    builtinRoles: BUILTIN_AUTH_ROLES,
+    builtinClaims: BUILTIN_AUTH_CLAIMS,
+    builtinScopes: BUILTIN_AUTH_SCOPES
+  });
+  return {
+    registry,
+    extractWarnings: extractResult.warnings,
+    fileWarnings,
+    scannedFiles,
+    extractedAppCount: extractResult.apps.length,
+    extractedClaimCount: extractResult.claims.length
+  };
+}
+async function discoverClaimsFiles(cwd) {
+  const found = /* @__PURE__ */ new Set();
+  for (const pattern of DEFAULT_GLOB_PATTERNS) {
+    try {
+      for await (const match of fsGlob2(pattern, { cwd })) {
+        found.add(toPosix(match));
+      }
+    } catch {
+    }
+  }
+  return [...found].sort((a, b) => a.localeCompare(b));
+}
+function mergeAndNormalisePaths(discovered, extra) {
+  const out = /* @__PURE__ */ new Set();
+  for (const p of discovered) out.add(p);
+  for (const p of extra) out.add(toPosix(p));
+  return [...out].sort((a, b) => a.localeCompare(b));
+}
+function toPosix(value) {
+  return value.split(sep).join("/");
+}
+function hasAuthMarker(text) {
+  return text.includes(APP_TAG_MARKER) || text.includes(SERVICE_TAG_MARKER);
+}
+function buildKnownRolesMap(roles) {
+  const out = /* @__PURE__ */ new Map();
+  for (const role of roles) {
+    if (role.constName !== void 0) {
+      out.set(role.constName, role.role);
+    }
+  }
+  return out;
+}
+function composeRegistry(input) {
+  const { cwd, extractResult, scannedRelFiles, builtinRoles, builtinClaims, builtinScopes } = input;
+  const inheritedClaimsByInterface = indexBuiltinClaimsByInterface(builtinClaims);
+  const claims = [...builtinClaims];
+  const apps = [];
+  for (const claim of extractResult.claims) {
+    claims.push(toAuthClaimInfo({ extracted: claim, cwd }));
+  }
+  for (const app of extractResult.apps) {
+    apps.push(toAuthAppInfo({ extracted: app, cwd, inheritedClaimsByInterface, allBuiltinScopes: builtinScopes }));
+  }
+  const loadedSources = ["builtin:@dereekb/util", "builtin:@dereekb/firebase", ...scannedRelFiles.map((rel) => `workspace:${rel}`)];
+  return createAuthRegistryFromEntries({
+    roles: builtinRoles,
+    claims,
+    scopes: builtinScopes,
+    apps,
+    loadedSources
+  });
+}
+function indexBuiltinClaimsByInterface(builtinClaims) {
+  const out = /* @__PURE__ */ new Map();
+  for (const claim of builtinClaims) {
+    if (claim.interfaceName === void 0) continue;
+    const list = out.get(claim.interfaceName);
+    if (list === void 0) out.set(claim.interfaceName, [claim]);
+    else list.push(claim);
+  }
+  return out;
+}
+function toAuthClaimInfo(input) {
+  const { extracted, cwd } = input;
+  return {
+    key: extracted.key,
+    type: extracted.type,
+    description: extracted.description,
+    app: extracted.app,
+    interfaceName: extracted.interfaceName,
+    sourcePath: toRelative(extracted.filePath, cwd),
+    sourceLine: extracted.line,
+    source: "app",
+    mapping: extracted.mapping,
+    tags: extracted.tags
+  };
+}
+function toAuthAppInfo(input) {
+  const { extracted, cwd, inheritedClaimsByInterface, allBuiltinScopes } = input;
+  const inheritedKeys = [];
+  for (const interfaceName of extracted.inheritedInterfaceNames) {
+    const inherited = inheritedClaimsByInterface.get(interfaceName) ?? [];
+    for (const claim of inherited) {
+      if (!inheritedKeys.includes(claim.key)) inheritedKeys.push(claim.key);
+    }
+  }
+  const claimKeys = [];
+  for (const key of extracted.ownClaimKeys) {
+    if (!claimKeys.includes(key)) claimKeys.push(key);
+  }
+  for (const key of inheritedKeys) {
+    if (!claimKeys.includes(key)) claimKeys.push(key);
+  }
+  return {
+    app: extracted.app,
+    claimsInterfaceName: extracted.claimsInterfaceName,
+    serviceConstName: extracted.serviceConstName,
+    sourcePath: toRelative(extracted.filePath, cwd),
+    claimKeys,
+    scopes: allBuiltinScopes.map((s) => s.scope)
+  };
+}
+function toRelative(absolutePath, cwd) {
+  const isAbsolute2 = absolutePath.startsWith("/") || /^[A-Za-z]:[\\/]/.test(absolutePath);
+  const target = isAbsolute2 ? absolutePath : resolvePath(cwd, absolutePath);
+  const rel = relative(cwd, target);
+  return toPosix(rel.length > 0 ? rel : absolutePath);
+}
+
+// packages/dbx-cli/generate-mcp-manifest/src/generate-mcp-manifest/render.ts
+function renderMcpManifest(input, now = /* @__PURE__ */ new Date()) {
+  const tools = {};
+  for (const entry of input.apiManifest) {
+    if (entry.verb === "standalone") {
+      continue;
+    }
+    const key = mcpManifestKey(entry.model, entry.verb, entry.specifier);
+    tools[key] = buildToolEntry(entry);
+  }
+  const models = input.modelManifest != null && input.modelManifest.length > 0 ? input.modelManifest.map(projectModelEntry) : void 0;
+  const auth = input.auth == null ? void 0 : projectAuthSection(input.auth.registry, input.auth.app);
+  const base = { version: MCP_MANIFEST_VERSION, generatedAt: now.toISOString(), tools };
+  const result = {
+    ...base,
+    ...models == null ? {} : { models },
+    ...auth == null ? {} : { auth }
+  };
+  return result;
+}
+function projectAuthSection(registry, appSlug) {
+  const primary = registry.findApp(appSlug);
+  if (primary == null) {
+    return void 0;
+  }
+  const apps = [projectAuthApp(primary)];
+  const ownedKeys = new Set(primary.claimKeys);
+  const claims = registry.claims.filter((claim) => ownedKeys.has(claim.key)).map(projectAuthClaim);
+  return {
+    app: apps[0],
+    apps,
+    claims
+  };
+}
+function projectAuthApp(info) {
+  return {
+    app: info.app,
+    claimsInterfaceName: info.claimsInterfaceName,
+    serviceConstName: info.serviceConstName ?? "",
+    claimKeys: info.claimKeys,
+    scopes: info.scopes,
+    ...info.description == null ? {} : { description: info.description }
+  };
+}
+function projectAuthClaim(info) {
+  const mapping = {
+    roles: info.mapping.roles,
+    inverse: info.mapping.inverse,
+    customEncodeDecode: info.mapping.customEncodeDecode,
+    ...info.mapping.inverseMode == null ? {} : { inverseMode: info.mapping.inverseMode },
+    ...info.mapping.claimValue == null ? {} : { claimValue: info.mapping.claimValue }
+  };
+  return {
+    key: info.key,
+    description: info.description,
+    type: info.type,
+    source: info.source,
+    mapping,
+    tags: info.tags,
+    ...info.app == null ? {} : { app: info.app },
+    ...info.interfaceName == null ? {} : { interfaceName: info.interfaceName }
+  };
+}
+function projectModelEntry(entry) {
+  const projected = {
+    modelType: entry.modelType,
+    modelName: entry.modelName,
+    identityConst: entry.identityConst,
+    collectionPrefix: entry.collectionPrefix,
+    sourcePackage: entry.sourcePackage,
+    sourceFile: entry.sourceFile,
+    fields: entry.fields.map(projectModelField),
+    ...entry.modelGroup == null ? {} : { modelGroup: entry.modelGroup },
+    ...entry.parentIdentityConst == null ? {} : { parentIdentityConst: entry.parentIdentityConst },
+    ...entry.description == null ? {} : { description: entry.description },
+    ...entry.read == null ? {} : { read: entry.read },
+    ...entry.serviceFactory == null ? {} : { serviceFactory: entry.serviceFactory }
+  };
+  return projected;
+}
+function projectModelField(field) {
+  const projected = {
+    name: field.name,
+    longName: field.longName,
+    optional: field.optional,
+    ...field.tsType == null ? {} : { tsType: field.tsType },
+    ...field.description == null ? {} : { description: field.description },
+    ...field.enumRef == null ? {} : { enumRef: field.enumRef },
+    ...field.syncFlag == null ? {} : { syncFlag: field.syncFlag },
+    ...field.nestedFields == null ? {} : { nestedFields: field.nestedFields.map(projectModelField) },
+    ...field.nestedIsArray == null ? {} : { nestedIsArray: field.nestedIsArray }
+  };
+  return projected;
+}
+function buildToolEntry(entry) {
+  const description = buildDescription(entry);
+  const inputSchema = buildInputSchema(entry);
+  const outputSchema = buildOutputSchema(entry);
+  const result = {};
+  if (description != null) result.description = description;
+  if (inputSchema != null) result.inputSchema = inputSchema;
+  if (outputSchema != null) result.outputSchema = outputSchema;
+  return result;
+}
+function buildDescription(entry) {
+  const parts = [entry.description, entry.paramsTypeDescription].filter((value) => typeof value === "string" && value.length > 0);
+  return parts.length === 0 ? void 0 : parts.join("\n\n");
+}
+function buildInputSchema(entry) {
+  const validator = entry.paramsValidator;
+  const baseSchema = validator == null ? void 0 : safeToJsonSchema(validator);
+  const hasFields = entry.paramsFields != null && entry.paramsFields.length > 0;
+  if (baseSchema == null && !hasFields) {
+    return void 0;
+  }
+  const schema = baseSchema == null ? { type: "object" } : cloneJsonObject(baseSchema);
+  const properties = ensureProperties(schema);
+  if (entry.paramsFields != null) {
+    for (const field of entry.paramsFields) {
+      mergeFieldIntoProperties(properties, field);
+    }
+  }
+  return schema;
+}
+function buildOutputSchema(entry) {
+  const hasFields = entry.resultFields != null && entry.resultFields.length > 0;
+  const hasDescription = typeof entry.resultTypeDescription === "string" && entry.resultTypeDescription.length > 0;
+  if (!hasFields && !hasDescription) {
+    return void 0;
+  }
+  const schema = { type: "object" };
+  if (hasDescription) {
+    schema["description"] = entry.resultTypeDescription;
+  }
+  if (hasFields) {
+    const properties = {};
+    for (const field of entry.resultFields) {
+      properties[field.name] = buildPropertyFromField(field);
+    }
+    schema["properties"] = properties;
+  }
+  return schema;
+}
+function ensureProperties(schema) {
+  const existing = schema["properties"];
+  let properties;
+  if (existing != null && typeof existing === "object") {
+    properties = existing;
+  } else {
+    properties = {};
+    schema["properties"] = properties;
+  }
+  return properties;
+}
+function mergeFieldIntoProperties(properties, field) {
+  const existing = properties[field.name];
+  const target = existing != null && typeof existing === "object" ? existing : {};
+  if (target["description"] == null && field.description != null && field.description.length > 0) {
+    target["description"] = field.description;
+  }
+  if (target["type"] == null) {
+    const inferred = inferJsonSchemaType(field.typeText);
+    if (inferred != null) {
+      target["type"] = inferred;
+    }
+  }
+  properties[field.name] = target;
+}
+function buildPropertyFromField(field) {
+  const property = {};
+  if (field.description != null && field.description.length > 0) {
+    property["description"] = field.description;
+  }
+  const inferred = inferJsonSchemaType(field.typeText);
+  if (inferred != null) {
+    property["type"] = inferred;
+  }
+  return property;
+}
+function inferJsonSchemaType(typeText) {
+  if (typeText == null) {
+    return void 0;
+  }
+  const trimmed = typeText.trim();
+  let result;
+  if (trimmed === "string") {
+    result = "string";
+  } else if (trimmed === "number") {
+    result = "number";
+  } else if (trimmed === "boolean") {
+    result = "boolean";
+  } else if (trimmed.endsWith("[]")) {
+    result = "array";
+  } else if (trimmed.startsWith("Maybe<") && trimmed.endsWith(">")) {
+    result = inferJsonSchemaType(trimmed.slice("Maybe<".length, -1));
+  } else {
+    result = void 0;
+  }
+  return result;
+}
+function safeToJsonSchema(validator) {
+  let result;
+  try {
+    const schema = arktypeToJsonSchemaForExport(validator);
+    if (schema != null && typeof schema === "object") {
+      result = schema;
+    }
+  } catch {
+    result = void 0;
+  }
+  return result;
+}
+function cloneJsonObject(value) {
+  return structuredClone(value);
+}
+
+// packages/dbx-cli/generate-mcp-manifest/src/generate-mcp-manifest/main.ts
+var WORKSPACE_ROOT = process.cwd();
+async function main() {
+  const flags = parseFlags(process.argv.slice(2));
+  if (flags.input == null || flags.output == null) {
+    printUsageAndExit();
+    return;
+  }
+  const inputPath = resolveWorkspacePath(flags.input);
+  const outputPath = resolveWorkspacePath(flags.output);
+  if (!existsSync(inputPath)) {
+    const hint = flags.regenerateInput ? "The --regenerate-input flag is reserved for a future revision; for now run the upstream generator manually." : "Pass --regenerate-input is reserved; for now run the upstream generator manually.";
+    console.error(`generate-mcp-manifest: input not found: ${relative2(WORKSPACE_ROOT, inputPath)}
+${hint}
+Expected output of \`nx run <cli>:generate-api-manifest\`.`);
+    process.exit(1);
+  }
+  const loaded = await loadManifest(inputPath);
+  const auth = await maybeLoadAuth(flags);
+  const rendered = renderMcpManifest({ ...loaded, ...auth == null ? {} : { auth } });
+  const serialized = `${JSON.stringify(rendered, null, 2)}
+`;
+  ensureOutputDir(dirname(outputPath));
+  const tmpPath = `${outputPath}.tmp`;
+  writeFileSync(tmpPath, serialized);
+  renameSync(tmpPath, outputPath);
+  const modelCount = rendered.models?.length ?? 0;
+  const authCount = rendered.auth?.claims.length ?? 0;
+  console.log(`[wrote] ${relative2(WORKSPACE_ROOT, outputPath)} \u2014 ${Object.keys(rendered.tools).length} tools, ${modelCount} models, ${authCount} auth claims`);
+}
+async function maybeLoadAuth(flags) {
+  if (flags.app == null || flags.claimsInputs.length === 0) {
+    return void 0;
+  }
+  const extraFiles = flags.claimsInputs.map((p) => relative2(WORKSPACE_ROOT, resolveWorkspacePath(p)));
+  const result = await loadAuthRegistry({ cwd: WORKSPACE_ROOT, extraFiles, skipDiscovery: true });
+  for (const warning of result.fileWarnings) {
+    console.error(`[generate-mcp-manifest] auth file warning (${warning.kind}): ${warning.relPath} \u2014 ${warning.error}`);
+  }
+  for (const warning of result.extractWarnings) {
+    console.error(`[generate-mcp-manifest] auth extract warning: ${JSON.stringify(warning)}`);
+  }
+  return { registry: result.registry, app: flags.app };
+}
+async function loadManifest(path) {
+  const alias = loadTsconfigPathAliases();
+  const jiti = createJiti(import.meta.url, { interopDefault: true, alias });
+  const loaded = await jiti.import(path);
+  const namedApi = Object.entries(loaded).find(([key]) => key.endsWith("_API_MANIFEST"));
+  const fallback = loaded["default"];
+  const apiManifest = namedApi?.[1] ?? fallback;
+  if (apiManifest == null || !Array.isArray(apiManifest)) {
+    throw new Error(`generate-mcp-manifest: ${path} does not export an *_API_MANIFEST array or a default export of CliApiManifest.`);
+  }
+  const namedModel = Object.entries(loaded).find(([key]) => key.endsWith("_MODEL_MANIFEST"));
+  const modelManifestValue = namedModel?.[1];
+  const modelManifest = Array.isArray(modelManifestValue) ? modelManifestValue : void 0;
+  return { apiManifest, modelManifest };
+}
+function loadTsconfigPathAliases() {
+  const tsconfigPath = resolve(WORKSPACE_ROOT, "tsconfig.base.json");
+  let result = {};
+  if (existsSync(tsconfigPath)) {
+    const raw = readFileSync(tsconfigPath, "utf8");
+    const stripped = raw.replaceAll(/\/\*[\s\S]*?\*\//g, "").replaceAll(/(^|[^:])\/\/[^\n]*/g, "$1");
+    const parsed = JSON.parse(stripped);
+    const paths = parsed.compilerOptions?.paths ?? {};
+    result = Object.fromEntries(Object.entries(paths).flatMap(([key, values]) => values.length > 0 ? [[key, resolve(WORKSPACE_ROOT, values[0])]] : []));
+  }
+  return result;
+}
+function ensureOutputDir(outputDir) {
+  if (!existsSync(outputDir)) mkdirSync(outputDir, { recursive: true });
+}
+function resolveWorkspacePath(value) {
+  return isAbsolute(value) ? value : resolve(WORKSPACE_ROOT, value);
+}
+function parseFlags(argv) {
+  let input;
+  let output;
+  let app;
+  const claimsInputs = [];
+  let regenerateInput = false;
+  for (const arg of argv) {
+    if (arg === "--regenerate-input") {
+      regenerateInput = true;
+    } else if (arg.startsWith("--input=")) {
+      input = arg.slice("--input=".length);
+    } else if (arg.startsWith("--output=")) {
+      output = arg.slice("--output=".length);
+    } else if (arg.startsWith("--app=")) {
+      app = arg.slice("--app=".length);
+    } else if (arg.startsWith("--claims-input=")) {
+      claimsInputs.push(arg.slice("--claims-input=".length));
+    }
+  }
+  return { input, output, app, claimsInputs, regenerateInput };
+}
+function printUsageAndExit() {
+  console.error(String.raw`generate-mcp-manifest
+
+Usage:
+  node dist/packages/dbx-cli/generate-mcp-manifest/main.js \
+    --input=<path-to-api.manifest.generated.ts> \
+    --output=<path-to-mcp.manifest.json>
+
+Required flags:
+  --input=<path>             Path to the API manifest TS file (workspace-relative ok).
+  --output=<path>            Path to the MCP manifest JSON to write (workspace-relative ok).
+
+Optional:
+  --regenerate-input         Reserved for a future revision.
+  --app=<slug>               Host app slug whose auth catalog to project (e.g. demo-api).
+                              When set alongside --claims-input, emits an \`auth\` section.
+  --claims-input=<path>      Path to a claims.ts module. Repeatable. Skips workspace
+                              discovery — only the explicit paths are scanned.`);
+  process.exit(1);
+}
+try {
+  await main();
+} catch (e) {
+  console.error(e);
+  process.exit(1);
+}