@elnora-ai/mcp-server 0.1.1 → 0.2.0

package/dist/middleware/cors.js

@@ -0,0 +1,42 @@
+/**
+ * CORS middleware restricting origins to the Elnora platform domain.
+ * CoSAI MCP-T7: Prevent cross-origin data leaks and CORS policy bypass.
+ *
+ * MCP clients communicate via direct HTTP (not browser), so CORS is primarily
+ * defense-in-depth against browser-based attacks targeting the MCP endpoint.
+ */
+export function corsMiddleware(config) {
+    const publicOrigin = new URL(config.publicUrl).origin;
+    const platformOrigin = config.loginUrl ? new URL(config.loginUrl).origin : null;
+    // Allowed origins: the MCP server itself and the platform
+    const allowedOrigins = new Set([publicOrigin]);
+    if (platformOrigin)
+        allowedOrigins.add(platformOrigin);
+    // Allow configuring additional origins via env var (comma-separated)
+    const extraOrigins = process.env.CORS_ALLOWED_ORIGINS;
+    if (extraOrigins) {
+        for (const origin of extraOrigins.split(",")) {
+            const trimmed = origin.trim();
+            if (trimmed)
+                allowedOrigins.add(trimmed);
+        }
+    }
+    return (req, res, next) => {
+        const origin = req.headers.origin;
+        if (origin && allowedOrigins.has(origin)) {
+            res.setHeader("Access-Control-Allow-Origin", origin);
+            res.setHeader("Vary", "Origin");
+        }
+        res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+        res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, MCP-Protocol-Version");
+        res.setHeader("Access-Control-Max-Age", "86400");
+        // Never expose tokens or auth headers to browsers
+        res.setHeader("Access-Control-Expose-Headers", "WWW-Authenticate");
+        if (req.method === "OPTIONS") {
+            res.status(204).end();
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=cors.js.map

package/dist/middleware/cors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cors.js","sourceRoot":"","sources":["../../src/middleware/cors.ts"],"names":[],"mappings":"AAGA;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,MAAoB;IACjD,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;IACtD,MAAM,cAAc,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC;IAEhF,0DAA0D;IAC1D,MAAM,cAAc,GAAG,IAAI,GAAG,CAAS,CAAC,YAAY,CAAC,CAAC,CAAC;IACvD,IAAI,cAAc;QAAE,cAAc,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IAEvD,qEAAqE;IACrE,MAAM,YAAY,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IACtD,IAAI,YAAY,EAAE,CAAC;QACjB,KAAK,MAAM,MAAM,IAAI,YAAY,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;YAC7C,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;YAC9B,IAAI,OAAO;gBAAE,cAAc,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;QAElC,IAAI,MAAM,IAAI,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACzC,GAAG,CAAC,SAAS,CAAC,6BAA6B,EAAE,MAAM,CAAC,CAAC;YACrD,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QAED,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,oBAAoB,CAAC,CAAC;QACpE,GAAG,CAAC,SAAS,CAAC,8BAA8B,EAAE,mDAAmD,CAAC,CAAC;QACnG,GAAG,CAAC,SAAS,CAAC,wBAAwB,EAAE,OAAO,CAAC,CAAC;QACjD,kDAAkD;QAClD,GAAG,CAAC,SAAS,CAAC,+BAA+B,EAAE,kBAAkB,CAAC,CAAC;QAEnE,IAAI,GAAG,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;YAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/middleware/rate-limiter.d.ts

@@ -0,0 +1,13 @@
+import { RequestHandler } from "express";
+/**
+ * Simple in-memory rate limiter for the /mcp endpoint.
+ * CoSAI MCP-T10: Prevent resource exhaustion and denial-of-wallet attacks.
+ *
+ * Limits by client IP (or Authorization header hash for authenticated requests).
+ * Default: 60 requests per minute per client.
+ */
+export declare function mcpRateLimiter(opts?: {
+    maxRequests?: number;
+    windowMs?: number;
+}): RequestHandler;
+//# sourceMappingURL=rate-limiter.d.ts.map

package/dist/middleware/rate-limiter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.d.ts","sourceRoot":"","sources":["../../src/middleware/rate-limiter.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,MAAM,SAAS,CAAC;AAEzC;;;;;;GAMG;AACH,wBAAgB,cAAc,CAAC,IAAI,CAAC,EAAE;IAAE,WAAW,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,cAAc,CAiDjG"}

package/dist/middleware/rate-limiter.js

@@ -0,0 +1,59 @@
+/**
+ * Simple in-memory rate limiter for the /mcp endpoint.
+ * CoSAI MCP-T10: Prevent resource exhaustion and denial-of-wallet attacks.
+ *
+ * Limits by client IP (or Authorization header hash for authenticated requests).
+ * Default: 60 requests per minute per client.
+ */
+export function mcpRateLimiter(opts) {
+    const maxRequests = opts?.maxRequests ?? 60;
+    const windowMs = opts?.windowMs ?? 60_000;
+    const hits = new Map();
+    // Periodic cleanup to prevent memory leak
+    setInterval(() => {
+        const now = Date.now();
+        for (const [key, record] of hits) {
+            if (record.resetAt <= now)
+                hits.delete(key);
+        }
+    }, windowMs).unref();
+    return (req, res, next) => {
+        // Key by bearer token (if present) or IP
+        const authHeader = req.headers.authorization;
+        const key = authHeader
+            ? `auth:${simpleHash(authHeader)}`
+            : `ip:${req.ip || req.socket.remoteAddress || "unknown"}`;
+        const now = Date.now();
+        let record = hits.get(key);
+        if (!record || record.resetAt <= now) {
+            record = { count: 0, resetAt: now + windowMs };
+            hits.set(key, record);
+        }
+        record.count++;
+        // Set standard rate limit headers
+        const remaining = Math.max(0, maxRequests - record.count);
+        res.setHeader("X-RateLimit-Limit", maxRequests);
+        res.setHeader("X-RateLimit-Remaining", remaining);
+        res.setHeader("X-RateLimit-Reset", Math.ceil(record.resetAt / 1000));
+        if (record.count > maxRequests) {
+            const retryAfter = Math.ceil((record.resetAt - now) / 1000);
+            res.setHeader("Retry-After", retryAfter);
+            console.error(`[rate-limit] blocked ${key} (${record.count}/${maxRequests} in window)`);
+            res.status(429).json({
+                error: "rate_limit_exceeded",
+                error_description: `Too many requests. Retry after ${retryAfter} seconds.`,
+            });
+            return;
+        }
+        next();
+    };
+}
+/** Fast non-crypto hash for rate limit keying — not for security */
+function simpleHash(str) {
+    let hash = 0;
+    for (let i = 0; i < str.length; i++) {
+        hash = ((hash << 5) - hash + str.charCodeAt(i)) | 0;
+    }
+    return hash.toString(36);
+}
+//# sourceMappingURL=rate-limiter.js.map

package/dist/middleware/rate-limiter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rate-limiter.js","sourceRoot":"","sources":["../../src/middleware/rate-limiter.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,UAAU,cAAc,CAAC,IAAkD;IAC/E,MAAM,WAAW,GAAG,IAAI,EAAE,WAAW,IAAI,EAAE,CAAC;IAC5C,MAAM,QAAQ,GAAG,IAAI,EAAE,QAAQ,IAAI,MAAM,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,GAAG,EAA8C,CAAC;IAEnE,0CAA0C;IAC1C,WAAW,CAAC,GAAG,EAAE;QACf,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;YACjC,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG;gBAAE,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC,EAAE,QAAQ,CAAC,CAAC,KAAK,EAAE,CAAC;IAErB,OAAO,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACxB,yCAAyC;QACzC,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,aAAa,CAAC;QAC7C,MAAM,GAAG,GAAG,UAAU;YACpB,CAAC,CAAC,QAAQ,UAAU,CAAC,UAAU,CAAC,EAAE;YAClC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,IAAI,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,SAAS,EAAE,CAAC;QAE5D,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,IAAI,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAE3B,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,IAAI,GAAG,EAAE,CAAC;YACrC,MAAM,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,GAAG,GAAG,QAAQ,EAAE,CAAC;YAC/C,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;QACxB,CAAC;QAED,MAAM,CAAC,KAAK,EAAE,CAAC;QAEf,kCAAkC;QAClC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QAC1D,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,WAAW,CAAC,CAAC;QAChD,GAAG,CAAC,SAAS,CAAC,uBAAuB,EAAE,SAAS,CAAC,CAAC;QAClD,GAAG,CAAC,SAAS,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;QAErE,IAAI,MAAM,CAAC,KAAK,GAAG,WAAW,EAAE,CAAC;YAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;YAC5D,GAAG,CAAC,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;YACzC,OAAO,CAAC,KAAK,CAAC,wBAAwB,GAAG,KAAK,MAAM,CAAC,KAAK,IAAI,WAAW,aAAa,CAAC,CAAC;YACxF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,qBAAqB;gBAC5B,iBAAiB,EAAE,kCAAkC,UAAU,WAAW;aAC3E,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC;AAED,oEAAoE;AACpE,SAAS,UAAU,CAAC,GAAW;IAC7B,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IACtD,CAAC;IACD,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAC3B,CAAC"}

package/dist/middleware/tool-logging.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Tool invocation audit logger.
+ * CoSAI MCP-T12: Log every tool call with tool name, parameters, user ID, timestamp.
+ *
+ * Logs are written to stderr (structured JSON) for collection by CloudWatch/Datadog/etc.
+ */
+export declare function logToolInvocation(toolName: string, params: Record<string, unknown>, clientId: string, result: {
+    success: boolean;
+    durationMs: number;
+}): void;
+//# sourceMappingURL=tool-logging.d.ts.map

package/dist/middleware/tool-logging.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-logging.d.ts","sourceRoot":"","sources":["../../src/middleware/tool-logging.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC/B,QAAQ,EAAE,MAAM,EAChB,MAAM,EAAE;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,MAAM,CAAA;CAAE,GAC/C,IAAI,CAYN"}

package/dist/middleware/tool-logging.js

@@ -0,0 +1,40 @@
+/**
+ * Tool invocation audit logger.
+ * CoSAI MCP-T12: Log every tool call with tool name, parameters, user ID, timestamp.
+ *
+ * Logs are written to stderr (structured JSON) for collection by CloudWatch/Datadog/etc.
+ */
+export function logToolInvocation(toolName, params, clientId, result) {
+    const entry = {
+        type: "tool_invocation",
+        timestamp: new Date().toISOString(),
+        tool: toolName,
+        clientId,
+        params: sanitizeParams(params),
+        success: result.success,
+        durationMs: result.durationMs,
+    };
+    console.error(JSON.stringify(entry));
+}
+/**
+ * Redact sensitive parameter values from logs.
+ * Keep keys and value types visible for debugging, but mask actual content
+ * for fields that might contain user data.
+ */
+function sanitizeParams(params) {
+    const sanitized = {};
+    for (const [key, value] of Object.entries(params)) {
+        if (key === "content" || key === "message") {
+            // Log length instead of content to avoid PII in logs
+            sanitized[key] = typeof value === "string" ? `[${value.length} chars]` : typeof value;
+        }
+        else if (key === "file_ids") {
+            sanitized[key] = Array.isArray(value) ? `[${value.length} ids]` : typeof value;
+        }
+        else {
+            sanitized[key] = value;
+        }
+    }
+    return sanitized;
+}
+//# sourceMappingURL=tool-logging.js.map

package/dist/middleware/tool-logging.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tool-logging.js","sourceRoot":"","sources":["../../src/middleware/tool-logging.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAgB,EAChB,MAA+B,EAC/B,QAAgB,EAChB,MAAgD;IAEhD,MAAM,KAAK,GAAG;QACZ,IAAI,EAAE,iBAAiB;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,IAAI,EAAE,QAAQ;QACd,QAAQ;QACR,MAAM,EAAE,cAAc,CAAC,MAAM,CAAC;QAC9B,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC;IAEF,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAS,cAAc,CAAC,MAA+B;IACrD,MAAM,SAAS,GAA4B,EAAE,CAAC;IAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3C,qDAAqD;YACrD,SAAS,CAAC,GAAG,CAAC,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,SAAS,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC;QACxF,CAAC;aAAM,IAAI,GAAG,KAAK,UAAU,EAAE,CAAC;YAC9B,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,OAAO,CAAC,CAAC,CAAC,OAAO,KAAK,CAAC;QACjF,CAAC;aAAM,CAAC;YACN,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QACzB,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/server.d.ts

@@ -1,5 +1,10 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { ElnoraApiClient } from "./services/elnora-api-client.js";
 import { ElnoraConfig } from "./types.js";
-export declare function createElnoraServer(config: ElnoraConfig, getClient: () => ElnoraApiClient): McpServer;
+export interface RequestContext {
+    client: ElnoraApiClient;
+    clientId: string;
+    scopes: string[];
+}
+export declare function createElnoraServer(config: ElnoraConfig, getContext: () => RequestContext): McpServer;
 //# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAM1C,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,GAAG,SAAS,CAYpG"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,iCAAiC,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAS1C,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,eAAe,CAAC;IACxB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,YAAY,EACpB,UAAU,EAAE,MAAM,cAAc,GAC/B,SAAS,CAcX"}

package/dist/server.js

@@ -1,17 +1,21 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { createRequire } from "node:module";
 import { registerTaskTools } from "./tools/tasks.js";
 import { registerMessageTools } from "./tools/messages.js";
 import { registerFileTools } from "./tools/files.js";
 import { registerProtocolTools } from "./tools/protocols.js";
-export function createElnoraServer(config, getClient) {
+const require = createRequire(import.meta.url);
+const { version } = require("../package.json");
+export function createElnoraServer(config, getContext) {
     const server = new McpServer({
         name: "elnora-mcp-server",
-        version: "0.1.0",
+        version,
     });
-    registerTaskTools(server, getClient);
-    registerMessageTools(server, getClient);
-    registerFileTools(server, getClient);
-    registerProtocolTools(server, getClient);
+    const getClient = () => getContext().client;
+    registerTaskTools(server, getClient, getContext);
+    registerMessageTools(server, getClient, getContext);
+    registerFileTools(server, getClient, getContext);
+    registerProtocolTools(server, getClient, getContext);
     return server;
 }
 //# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -1 +1 @@
-{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAGpE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,MAAM,UAAU,kBAAkB,CAAC,MAAoB,EAAE,SAAgC;IACvF,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,OAAO;KACjB,CAAC,CAAC;IAEH,iBAAiB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACrC,oBAAoB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACxC,iBAAiB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACrC,qBAAqB,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEzC,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"server.js","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAG5C,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;AAQtE,MAAM,UAAU,kBAAkB,CAChC,MAAoB,EACpB,UAAgC;IAEhC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,mBAAmB;QACzB,OAAO;KACR,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,GAAG,EAAE,CAAC,UAAU,EAAE,CAAC,MAAM,CAAC;IAE5C,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACjD,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACpD,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IACjD,qBAAqB,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;IAErD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/services/elnora-api-client.d.ts

@@ -1,8 +1,6 @@
 import { ElnoraConfig, ElnoraTask, ElnoraMessage, ElnoraFile, TokenValidationResult } from "../types.js";
 export declare class ElnoraApiClient {
-    private bearerToken;
     private client;
-    private tokenValidationUrl;
     constructor(config: ElnoraConfig, bearerToken: string);
     static validateToken(tokenValidationUrl: string, token: string): Promise<TokenValidationResult>;
     createTask(title?: string): Promise<ElnoraTask>;

package/dist/services/elnora-api-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"elnora-api-client.d.ts","sourceRoot":"","sources":["../../src/services/elnora-api-client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,UAAU,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGzG,qBAAa,eAAe;IAIQ,OAAO,CAAC,WAAW;IAHrD,OAAO,CAAC,MAAM,CAAgB;IAC9B,OAAO,CAAC,kBAAkB,CAAS;gBAEvB,MAAM,EAAE,YAAY,EAAU,WAAW,EAAE,MAAM;WAehD,aAAa,CAAC,kBAAkB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAW/F,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAO/C,SAAS,CACb,MAAM,CAAC,EAAE,MAAM,EACf,KAAK,SAAK,EACV,MAAM,SAAI,GACT,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAOjD,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,KAAK,SAAK,EACV,MAAM,SAAI,GACT,OAAO,CAAC;QAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IASpD,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC;IAWxF,SAAS,CACb,SAAS,CAAC,EAAE,MAAM,EAClB,KAAK,SAAK,EACV,MAAM,SAAI,GACT,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAOjD,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAK5F,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAQxF"}
+{"version":3,"file":"elnora-api-client.d.ts","sourceRoot":"","sources":["../../src/services/elnora-api-client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,aAAa,EAAE,UAAU,EAAE,qBAAqB,EAAE,MAAM,aAAa,CAAC;AAGzG,qBAAa,eAAe;IAC1B,OAAO,CAAC,MAAM,CAAgB;gBAElB,MAAM,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM;WAcxC,aAAa,CAAC,kBAAkB,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAW/F,UAAU,CAAC,KAAK,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;IAO/C,SAAS,CACb,MAAM,CAAC,EAAE,MAAM,EACf,KAAK,SAAK,EACV,MAAM,SAAI,GACT,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAOjD,eAAe,CACnB,MAAM,EAAE,MAAM,EACd,KAAK,SAAK,EACV,MAAM,SAAI,GACT,OAAO,CAAC;QAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IASpD,WAAW,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC;IAWxF,SAAS,CACb,SAAS,CAAC,EAAE,MAAM,EAClB,KAAK,SAAK,EACV,MAAM,SAAI,GACT,OAAO,CAAC;QAAE,KAAK,EAAE,UAAU,EAAE,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAOjD,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IAK5F,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;CAQxF"}

package/dist/services/elnora-api-client.js

@@ -1,11 +1,8 @@
 import axios from "axios";
 import { REQUEST_TIMEOUT_MS, LONG_REQUEST_TIMEOUT_MS } from "../constants.js";
 export class ElnoraApiClient {
-    bearerToken;
     client;
-    tokenValidationUrl;
     constructor(config, bearerToken) {
-        this.bearerToken = bearerToken;
         this.client = axios.create({
             baseURL: config.apiUrl,
             timeout: REQUEST_TIMEOUT_MS,
@@ -15,7 +12,6 @@ export class ElnoraApiClient {
                 Authorization: `Bearer ${bearerToken}`,
             },
         });
-        this.tokenValidationUrl = config.tokenValidationUrl;
     }
     // --- Token Validation ---
     static async validateToken(tokenValidationUrl, token) {

package/dist/services/elnora-api-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"elnora-api-client.js","sourceRoot":"","sources":["../../src/services/elnora-api-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAwB,MAAM,OAAO,CAAC;AAE7C,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE9E,MAAM,OAAO,eAAe;IAIgB;IAHlC,MAAM,CAAgB;IACtB,kBAAkB,CAAS;IAEnC,YAAY,MAAoB,EAAU,WAAmB;QAAnB,gBAAW,GAAX,WAAW,CAAQ;QAC3D,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;YACzB,OAAO,EAAE,MAAM,CAAC,MAAM;YACtB,OAAO,EAAE,kBAAkB;YAC3B,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,kBAAkB;gBAC1B,aAAa,EAAE,UAAU,WAAW,EAAE;aACvC;SACF,CAAC,CAAC;QACH,IAAI,CAAC,kBAAkB,GAAG,MAAM,CAAC,kBAAkB,CAAC;IACtD,CAAC;IAED,2BAA2B;IAE3B,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,kBAA0B,EAAE,KAAa;QAClE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAC/B,kBAAkB,EAClB,EAAE,KAAK,EAAE,EACT,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAChC,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,gBAAgB;IAEhB,KAAK,CAAC,UAAU,CAAC,KAAc;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAa,QAAQ,EAAE;YAC5D,KAAK,EAAE,KAAK,IAAI,UAAU;SAC3B,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,SAAS,CACb,MAAe,EACf,KAAK,GAAG,EAAE,EACV,MAAM,GAAG,CAAC;QAEV,MAAM,MAAM,GAAoC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClE,IAAI,MAAM;YAAE,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;QACnC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,KAAK,GAAG,EAAE,EACV,MAAM,GAAG,CAAC;QAEV,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,MAAM,WAAW,EAAE;YAClE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;SAC1B,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,mBAAmB;IAEnB,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,OAAe,EAAE,OAAkB;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACrC,UAAU,MAAM,WAAW,EAC3B,EAAE,OAAO,EAAE,OAAO,EAAE,EACpB,EAAE,OAAO,EAAE,uBAAuB,EAAE,CACrC,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,gBAAgB;IAEhB,KAAK,CAAC,SAAS,CACb,SAAkB,EAClB,KAAK,GAAG,EAAE,EACV,MAAM,GAAG,CAAC;QAEV,MAAM,MAAM,GAAoC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClE,IAAI,SAAS;YAAE,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;QAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,MAAM,UAAU,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAY,EAAE,OAAe,EAAE,QAAiB;QAC/D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAa,QAAQ,EAAE;YAC5D,IAAI;YACJ,OAAO;YACP,QAAQ,EAAE,QAAQ,IAAI,eAAe;SACtC,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;CACF"}
+{"version":3,"file":"elnora-api-client.js","sourceRoot":"","sources":["../../src/services/elnora-api-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAwB,MAAM,OAAO,CAAC;AAE7C,OAAO,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE9E,MAAM,OAAO,eAAe;IAClB,MAAM,CAAgB;IAE9B,YAAY,MAAoB,EAAE,WAAmB;QACnD,IAAI,CAAC,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC;YACzB,OAAO,EAAE,MAAM,CAAC,MAAM;YACtB,OAAO,EAAE,kBAAkB;YAC3B,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,kBAAkB;gBAC1B,aAAa,EAAE,UAAU,WAAW,EAAE;aACvC;SACF,CAAC,CAAC;IACL,CAAC;IAED,2BAA2B;IAE3B,MAAM,CAAC,KAAK,CAAC,aAAa,CAAC,kBAA0B,EAAE,KAAa;QAClE,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,IAAI,CAC/B,kBAAkB,EAClB,EAAE,KAAK,EAAE,EACT,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAChC,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,gBAAgB;IAEhB,KAAK,CAAC,UAAU,CAAC,KAAc;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAa,QAAQ,EAAE;YAC5D,KAAK,EAAE,KAAK,IAAI,UAAU;SAC3B,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,SAAS,CACb,MAAe,EACf,KAAK,GAAG,EAAE,EACV,MAAM,GAAG,CAAC;QAEV,MAAM,MAAM,GAAoC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClE,IAAI,MAAM;YAAE,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC;QACnC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,eAAe,CACnB,MAAc,EACd,KAAK,GAAG,EAAE,EACV,MAAM,GAAG,CAAC;QAEV,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,MAAM,WAAW,EAAE;YAClE,MAAM,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;SAC1B,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,mBAAmB;IAEnB,KAAK,CAAC,WAAW,CAAC,MAAc,EAAE,OAAe,EAAE,OAAkB;QACnE,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CACrC,UAAU,MAAM,WAAW,EAC3B,EAAE,OAAO,EAAE,OAAO,EAAE,EACpB,EAAE,OAAO,EAAE,uBAAuB,EAAE,CACrC,CAAC;QACF,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,gBAAgB;IAEhB,KAAK,CAAC,SAAS,CACb,SAAkB,EAClB,KAAK,GAAG,EAAE,EACV,MAAM,GAAG,CAAC;QAEV,MAAM,MAAM,GAAoC,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC;QAClE,IAAI,SAAS;YAAE,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;QAC5C,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;QAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,MAAM,UAAU,CAAC,CAAC;QACnE,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,IAAY,EAAE,OAAe,EAAE,QAAiB;QAC/D,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,IAAI,CAAa,QAAQ,EAAE;YAC5D,IAAI;YACJ,OAAO;YACP,QAAQ,EAAE,QAAQ,IAAI,eAAe;SACtC,CAAC,CAAC;QACH,OAAO,QAAQ,CAAC,IAAI,CAAC;IACvB,CAAC;CACF"}

package/dist/tools/files.d.ts

@@ -1,4 +1,5 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { ElnoraApiClient } from "../services/elnora-api-client.js";
-export declare function registerFileTools(server: McpServer, getClient: () => ElnoraApiClient): void;
+import { RequestContext } from "../server.js";
+export declare function registerFileTools(server: McpServer, getClient: () => ElnoraApiClient, getContext: () => RequestContext): void;
 //# sourceMappingURL=files.d.ts.map

package/dist/tools/files.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"files.d.ts","sourceRoot":"","sources":["../../src/tools/files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAInE,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,eAAe,GAAG,IAAI,CAwE3F"}
+{"version":3,"file":"files.d.ts","sourceRoot":"","sources":["../../src/tools/files.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAK9C,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,SAAS,EAAE,MAAM,eAAe,EAChC,UAAU,EAAE,MAAM,cAAc,GAC/B,IAAI,CAwEN"}

package/dist/tools/files.js

@@ -1,7 +1,8 @@
 import { z } from "zod";
 import { handleApiError } from "../services/error-handler.js";
+import { withGuard } from "./with-guard.js";
 import { CHARACTER_LIMIT } from "../constants.js";
-export function registerFileTools(server, getClient) {
+export function registerFileTools(server, getClient, getContext) {
     server.registerTool("elnora_list_files", {
         title: "List Files",
         description: "List files in your Elnora workspace. Returns file metadata including name, type, and visibility.",
@@ -11,7 +12,7 @@ export function registerFileTools(server, getClient) {
             offset: z.number().int().min(0).default(0).describe("Pagination offset"),
         },
         annotations: { readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },
-    }, async ({ project_id, limit, offset }) => {
+    }, withGuard("elnora_list_files", getContext, async ({ project_id, limit, offset }) => {
         try {
             const result = await getClient().listFiles(project_id, limit, offset);
             return {
@@ -21,7 +22,7 @@ export function registerFileTools(server, getClient) {
         catch (error) {
             return { content: [{ type: "text", text: handleApiError(error) }], isError: true };
         }
-    });
+    }));
     server.registerTool("elnora_get_file_content", {
         title: "Get File Content",
         description: "Retrieve the content of a specific file by its ID. Returns the file content as text along with metadata.",
@@ -29,7 +30,7 @@ export function registerFileTools(server, getClient) {
             file_id: z.string().uuid().describe("File UUID"),
         },
         annotations: { readOnlyHint: true, destructiveHint: false, idempotentHint: true, openWorldHint: true },
-    }, async ({ file_id }) => {
+    }, withGuard("elnora_get_file_content", getContext, async ({ file_id }) => {
         try {
             const result = await getClient().getFileContent(file_id);
             return {
@@ -39,7 +40,7 @@ export function registerFileTools(server, getClient) {
         catch (error) {
             return { content: [{ type: "text", text: handleApiError(error) }], isError: true };
         }
-    });
+    }));
     server.registerTool("elnora_upload_file", {
         title: "Upload File",
         description: "Upload a text file to Elnora. Files are stored in the user's workspace and can be attached to task messages.",
@@ -49,7 +50,7 @@ export function registerFileTools(server, getClient) {
             file_type: z.string().optional().describe("MIME type (default: text/markdown)"),
         },
         annotations: { readOnlyHint: false, destructiveHint: false, idempotentHint: false, openWorldHint: true },
-    }, async ({ name, content, file_type }) => {
+    }, withGuard("elnora_upload_file", getContext, async ({ name, content, file_type }) => {
         try {
             const result = await getClient().uploadFile(name, content, file_type);
             return {
@@ -59,6 +60,6 @@ export function registerFileTools(server, getClient) {
         catch (error) {
             return { content: [{ type: "text", text: handleApiError(error) }], isError: true };
         }
-    });
+    }));
 }
 //# sourceMappingURL=files.js.map

package/dist/tools/files.js.map

@@ -1 +1 @@
-{"version":3,"file":"files.js","sourceRoot":"","sources":["../../src/tools/files.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,UAAU,iBAAiB,CAAC,MAAiB,EAAE,SAAgC;IACnF,MAAM,CAAC,YAAY,CACjB,mBAAmB,EACnB;QACE,KAAK,EAAE,YAAY;QACnB,WAAW,EACT,kGAAkG;QACpG,WAAW,EAAE;YACX,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;YAC3E,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YAC3E,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC;SACzE;QACD,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KACvG,EACD,KAAK,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;QACtC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,yBAAyB,EACzB;QACE,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,0GAA0G;QACvH,WAAW,EAAE;YACX,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;SACjD;QACD,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KACvG,EACD,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;QACpB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YACzD,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CACF,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,oBAAoB,EACpB;QACE,KAAK,EAAE,aAAa;QACpB,WAAW,EACT,8GAA8G;QAChH,WAAW,EAAE;YACX,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;YACrD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,QAAQ,CAAC,iCAAiC,CAAC;YAC3F,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;SAChF;QACD,WAAW,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;KACzG,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE;QACrC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YACtE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"files.js","sourceRoot":"","sources":["../../src/tools/files.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAC5C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAElD,MAAM,UAAU,iBAAiB,CAC/B,MAAiB,EACjB,SAAgC,EAChC,UAAgC;IAEhC,MAAM,CAAC,YAAY,CACjB,mBAAmB,EACnB;QACE,KAAK,EAAE,YAAY;QACnB,WAAW,EACT,kGAAkG;QACpG,WAAW,EAAE;YACX,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,wBAAwB,CAAC;YAC3E,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC;YAC3E,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC;SACzE;QACD,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KACvG,EACD,SAAS,CAAC,mBAAmB,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;QACjF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACtE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,yBAAyB,EACzB;QACE,KAAK,EAAE,kBAAkB;QACzB,WAAW,EAAE,0GAA0G;QACvH,WAAW,EAAE;YACX,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;SACjD;QACD,WAAW,EAAE,EAAE,YAAY,EAAE,IAAI,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE;KACvG,EACD,SAAS,CAAC,yBAAyB,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;QACrE,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;YACzD,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CAAC,CACH,CAAC;IAEF,MAAM,CAAC,YAAY,CACjB,oBAAoB,EACpB;QACE,KAAK,EAAE,aAAa;QACpB,WAAW,EACT,8GAA8G;QAChH,WAAW,EAAE;YACX,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC;YACrD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,QAAQ,CAAC,iCAAiC,CAAC;YAC3F,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oCAAoC,CAAC;SAChF;QACD,WAAW,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,aAAa,EAAE,IAAI,EAAE;KACzG,EACD,SAAS,CAAC,oBAAoB,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,EAAE,EAAE;QACjF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,SAAS,EAAE,CAAC,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;YACtE,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CAAC,CACH,CAAC;AACJ,CAAC"}

package/dist/tools/messages.d.ts

@@ -1,4 +1,5 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { ElnoraApiClient } from "../services/elnora-api-client.js";
-export declare function registerMessageTools(server: McpServer, getClient: () => ElnoraApiClient): void;
+import { RequestContext } from "../server.js";
+export declare function registerMessageTools(server: McpServer, getClient: () => ElnoraApiClient, getContext: () => RequestContext): void;
 //# sourceMappingURL=messages.d.ts.map

package/dist/tools/messages.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"messages.d.ts","sourceRoot":"","sources":["../../src/tools/messages.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAGnE,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,eAAe,GAAG,IAAI,CA8B9F"}
+{"version":3,"file":"messages.d.ts","sourceRoot":"","sources":["../../src/tools/messages.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAI9C,wBAAgB,oBAAoB,CAClC,MAAM,EAAE,SAAS,EACjB,SAAS,EAAE,MAAM,eAAe,EAChC,UAAU,EAAE,MAAM,cAAc,GAC/B,IAAI,CA8BN"}

package/dist/tools/messages.js

@@ -1,12 +1,13 @@
 import { z } from "zod";
 import { handleApiError } from "../services/error-handler.js";
-export function registerMessageTools(server, getClient) {
+import { withGuard } from "./with-guard.js";
+export function registerMessageTools(server, getClient, getContext) {
     server.registerTool("elnora_send_message", {
         title: "Send Message",
         description: "Send a message to an Elnora task and receive the AI response. The message is processed by Elnora's AI system, which handles protocol generation, research, and data analysis. This operation may take 30-120 seconds for complex requests.",
         inputSchema: {
             task_id: z.string().uuid().describe("Task UUID"),
-            message: z.string().min(1).max(10000).describe("Message content (markdown supported)"),
+            message: z.string().min(1).max(50_000).describe("Message content (markdown supported)"),
             file_ids: z.array(z.string().uuid()).optional().describe("File IDs to attach"),
         },
         annotations: {
@@ -15,7 +16,7 @@ export function registerMessageTools(server, getClient) {
             idempotentHint: false,
             openWorldHint: true,
         },
-    }, async ({ task_id, message, file_ids }) => {
+    }, withGuard("elnora_send_message", getContext, async ({ task_id, message, file_ids }) => {
         try {
             const response = await getClient().sendMessage(task_id, message, file_ids);
             return {
@@ -25,6 +26,6 @@ export function registerMessageTools(server, getClient) {
         catch (error) {
             return { content: [{ type: "text", text: handleApiError(error) }], isError: true };
         }
-    });
+    }));
 }
 //# sourceMappingURL=messages.js.map

package/dist/tools/messages.js.map

@@ -1 +1 @@
-{"version":3,"file":"messages.js","sourceRoot":"","sources":["../../src/tools/messages.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,MAAM,UAAU,oBAAoB,CAAC,MAAiB,EAAE,SAAgC;IACtF,MAAM,CAAC,YAAY,CACjB,qBAAqB,EACrB;QACE,KAAK,EAAE,cAAc;QACrB,WAAW,EACT,4OAA4O;QAC9O,WAAW,EAAE;YACX,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;YAChD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;YACtF,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;SAC/E;QACD,WAAW,EAAE;YACX,YAAY,EAAE,KAAK;YACnB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,IAAI;SACpB;KACF,EACD,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;QACvC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,SAAS,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC3E,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC9E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"messages.js","sourceRoot":"","sources":["../../src/tools/messages.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,MAAM,UAAU,oBAAoB,CAClC,MAAiB,EACjB,SAAgC,EAChC,UAAgC;IAEhC,MAAM,CAAC,YAAY,CACjB,qBAAqB,EACrB;QACE,KAAK,EAAE,cAAc;QACrB,WAAW,EACT,4OAA4O;QAC9O,WAAW,EAAE;YACX,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC;YAChD,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,sCAAsC,CAAC;YACvF,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,oBAAoB,CAAC;SAC/E;QACD,WAAW,EAAE;YACX,YAAY,EAAE,KAAK;YACnB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,IAAI;SACpB;KACF,EACD,SAAS,CAAC,qBAAqB,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE;QACpF,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,SAAS,EAAE,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC3E,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC9E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CAAC,CACH,CAAC;AACJ,CAAC"}

package/dist/tools/protocols.d.ts

@@ -1,4 +1,5 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { ElnoraApiClient } from "../services/elnora-api-client.js";
-export declare function registerProtocolTools(server: McpServer, getClient: () => ElnoraApiClient): void;
+import { RequestContext } from "../server.js";
+export declare function registerProtocolTools(server: McpServer, getClient: () => ElnoraApiClient, getContext: () => RequestContext): void;
 //# sourceMappingURL=protocols.d.ts.map

package/dist/tools/protocols.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"protocols.d.ts","sourceRoot":"","sources":["../../src/tools/protocols.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAGnE,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,eAAe,GAAG,IAAI,CAgD/F"}
+{"version":3,"file":"protocols.d.ts","sourceRoot":"","sources":["../../src/tools/protocols.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAI9C,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,SAAS,EACjB,SAAS,EAAE,MAAM,eAAe,EAChC,UAAU,EAAE,MAAM,cAAc,GAC/B,IAAI,CAgDN"}

package/dist/tools/protocols.js

@@ -1,6 +1,7 @@
 import { z } from "zod";
 import { handleApiError } from "../services/error-handler.js";
-export function registerProtocolTools(server, getClient) {
+import { withGuard } from "./with-guard.js";
+export function registerProtocolTools(server, getClient, getContext) {
     server.registerTool("elnora_generate_protocol", {
         title: "Generate Protocol",
         description: `Generate a bioprotocol using Elnora's AI agents. This is a convenience tool that creates a task, sends the description as a message, and returns the generated protocol content. This is the primary tool for hackathon partners. The operation typically takes 30-120 seconds.
@@ -19,7 +20,7 @@ Examples:
             idempotentHint: false,
             openWorldHint: true,
         },
-    }, async ({ description, title }) => {
+    }, withGuard("elnora_generate_protocol", getContext, async ({ description, title }) => {
         try {
             const client = getClient();
             // 1. Create a task
@@ -40,6 +41,6 @@ Examples:
         catch (error) {
             return { content: [{ type: "text", text: handleApiError(error) }], isError: true };
         }
-    });
+    }));
 }
 //# sourceMappingURL=protocols.js.map

package/dist/tools/protocols.js.map

@@ -1 +1 @@
-{"version":3,"file":"protocols.js","sourceRoot":"","sources":["../../src/tools/protocols.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAE9D,MAAM,UAAU,qBAAqB,CAAC,MAAiB,EAAE,SAAgC;IACvF,MAAM,CAAC,YAAY,CACjB,0BAA0B,EAC1B;QACE,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE;;;;;oEAKiD;QAC9D,WAAW,EAAE;YACX,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YAC1E,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;SAC/F;QACD,WAAW,EAAE;YACX,YAAY,EAAE,KAAK;YACnB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,IAAI;SACpB;KACF,EACD,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,EAAE;QAC/B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAE3B,mBAAmB;YACnB,MAAM,SAAS,GAAG,KAAK,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YACrD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YAEhD,uCAAuC;YACvC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;YAEhE,uBAAuB;YACvB,MAAM,MAAM,GAAG;gBACb,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,gBAAgB,EAAE,QAAQ,CAAC,OAAO;gBAClC,UAAU,EAAE,QAAQ,CAAC,EAAE;aACxB,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"protocols.js","sourceRoot":"","sources":["../../src/tools/protocols.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,OAAO,EAAE,cAAc,EAAE,MAAM,8BAA8B,CAAC;AAC9D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAE5C,MAAM,UAAU,qBAAqB,CACnC,MAAiB,EACjB,SAAgC,EAChC,UAAgC;IAEhC,MAAM,CAAC,YAAY,CACjB,0BAA0B,EAC1B;QACE,KAAK,EAAE,mBAAmB;QAC1B,WAAW,EAAE;;;;;oEAKiD;QAC9D,WAAW,EAAE;YACX,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;YAC1E,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,8CAA8C,CAAC;SAC/F;QACD,WAAW,EAAE;YACX,YAAY,EAAE,KAAK;YACnB,eAAe,EAAE,KAAK;YACtB,cAAc,EAAE,KAAK;YACrB,aAAa,EAAE,IAAI;SACpB;KACF,EACD,SAAS,CAAC,0BAA0B,EAAE,UAAU,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE,EAAE;QACjF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,SAAS,EAAE,CAAC;YAE3B,mBAAmB;YACnB,MAAM,SAAS,GAAG,KAAK,IAAI,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;YACrD,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;YAEhD,uCAAuC;YACvC,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE,WAAW,CAAC,CAAC;YAEhE,uBAAuB;YACvB,MAAM,MAAM,GAAG;gBACb,OAAO,EAAE,IAAI,CAAC,EAAE;gBAChB,gBAAgB,EAAE,QAAQ,CAAC,OAAO;gBAClC,UAAU,EAAE,QAAQ,CAAC,EAAE;aACxB,CAAC;YAEF,OAAO;gBACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;aAC5E,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,cAAc,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;QAC9F,CAAC;IACH,CAAC,CAAC,CACH,CAAC;AACJ,CAAC"}

package/dist/tools/scope-guard.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Per-tool scope enforcement.
+ * CoSAI MCP-T2: Least privilege — each tool declares required scopes.
+ *
+ * Scope mapping:
+ * - elnora_list_tasks, elnora_get_task_messages → tasks:read
+ * - elnora_create_task → tasks:write
+ * - elnora_send_message → messages:write
+ * - elnora_list_files, elnora_get_file_content → files:read
+ * - elnora_upload_file → files:write
+ * - elnora_generate_protocol → tasks:write, messages:write
+ */
+export declare const TOOL_SCOPES: Record<string, string[]>;
+/**
+ * Check if the given scopes satisfy the required scopes for a tool.
+ * Returns the list of missing scopes, or empty array if all present.
+ */
+export declare function checkToolScopes(toolName: string, grantedScopes: string[]): string[];
+//# sourceMappingURL=scope-guard.d.ts.map

package/dist/tools/scope-guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-guard.d.ts","sourceRoot":"","sources":["../../src/tools/scope-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,EAAE,CAShD,CAAC;AAEF;;;GAGG;AACH,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,MAAM,EAAE,CAInF"}

package/dist/tools/scope-guard.js

@@ -0,0 +1,33 @@
+/**
+ * Per-tool scope enforcement.
+ * CoSAI MCP-T2: Least privilege — each tool declares required scopes.
+ *
+ * Scope mapping:
+ * - elnora_list_tasks, elnora_get_task_messages → tasks:read
+ * - elnora_create_task → tasks:write
+ * - elnora_send_message → messages:write
+ * - elnora_list_files, elnora_get_file_content → files:read
+ * - elnora_upload_file → files:write
+ * - elnora_generate_protocol → tasks:write, messages:write
+ */
+export const TOOL_SCOPES = {
+    elnora_list_tasks: ["tasks:read"],
+    elnora_get_task_messages: ["tasks:read"],
+    elnora_create_task: ["tasks:write"],
+    elnora_send_message: ["messages:write"],
+    elnora_list_files: ["files:read"],
+    elnora_get_file_content: ["files:read"],
+    elnora_upload_file: ["files:write"],
+    elnora_generate_protocol: ["tasks:write", "messages:write"],
+};
+/**
+ * Check if the given scopes satisfy the required scopes for a tool.
+ * Returns the list of missing scopes, or empty array if all present.
+ */
+export function checkToolScopes(toolName, grantedScopes) {
+    const required = TOOL_SCOPES[toolName];
+    if (!required)
+        return []; // Unknown tool — no scope check
+    return required.filter((s) => !grantedScopes.includes(s));
+}
+//# sourceMappingURL=scope-guard.js.map

package/dist/tools/scope-guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope-guard.js","sourceRoot":"","sources":["../../src/tools/scope-guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,WAAW,GAA6B;IACnD,iBAAiB,EAAE,CAAC,YAAY,CAAC;IACjC,wBAAwB,EAAE,CAAC,YAAY,CAAC;IACxC,kBAAkB,EAAE,CAAC,aAAa,CAAC;IACnC,mBAAmB,EAAE,CAAC,gBAAgB,CAAC;IACvC,iBAAiB,EAAE,CAAC,YAAY,CAAC;IACjC,uBAAuB,EAAE,CAAC,YAAY,CAAC;IACvC,kBAAkB,EAAE,CAAC,aAAa,CAAC;IACnC,wBAAwB,EAAE,CAAC,aAAa,EAAE,gBAAgB,CAAC;CAC5D,CAAC;AAEF;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,QAAgB,EAAE,aAAuB;IACvE,MAAM,QAAQ,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;IACvC,IAAI,CAAC,QAAQ;QAAE,OAAO,EAAE,CAAC,CAAC,gCAAgC;IAC1D,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC"}

package/dist/tools/tasks.d.ts

@@ -1,4 +1,5 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { ElnoraApiClient } from "../services/elnora-api-client.js";
-export declare function registerTaskTools(server: McpServer, getClient: () => ElnoraApiClient): void;
+import { RequestContext } from "../server.js";
+export declare function registerTaskTools(server: McpServer, getClient: () => ElnoraApiClient, getContext: () => RequestContext): void;
 //# sourceMappingURL=tasks.d.ts.map

package/dist/tools/tasks.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tasks.d.ts","sourceRoot":"","sources":["../../src/tools/tasks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AAGnE,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,eAAe,GAAG,IAAI,CA8E3F"}
+{"version":3,"file":"tasks.d.ts","sourceRoot":"","sources":["../../src/tools/tasks.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,OAAO,EAAE,eAAe,EAAE,MAAM,kCAAkC,CAAC;AACnE,OAAO,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAI9C,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,SAAS,EACjB,SAAS,EAAE,MAAM,eAAe,EAChC,UAAU,EAAE,MAAM,cAAc,GAC/B,IAAI,CA8EN"}