@gethmy/mcp 2.8.5 → 2.9.0

package/dist/cli.js

@@ -1456,6 +1456,12 @@ class HarmonyApiClient {
   async getWorkspaceMembers(workspaceId) {
     return this.request("GET", `/workspaces/${workspaceId}/members`);
   }
+  async listWorkspaceAgents(workspaceId) {
+    return this.request("GET", `/workspaces/${workspaceId}/agents`);
+  }
+  async registerWorkspaceAgent(workspaceId, data) {
+    return this.request("POST", `/workspaces/${workspaceId}/agents`, data);
+  }
   async listProjects(workspaceId) {
     return this.request("GET", `/workspaces/${workspaceId}/projects`);
   }
@@ -1720,6 +1726,10 @@ class HarmonyApiClient {
       params.set("type", options.type);
     if (options?.limit !== undefined)
       params.set("limit", String(options.limit));
+    for (const tag of options?.tags ?? [])
+      params.append("tags", tag);
+    if (options?.include_superseded)
+      params.set("include_superseded", "true");
     return this.request("GET", `/memory/search?${params.toString()}`);
   }
   async getVaultIndex(options) {
@@ -2043,43 +2053,56 @@ var AUTO_START_TRIGGERS = new Set([
 ]);
 var INACTIVITY_TIMEOUT_MS = 10 * 60 * 1000;
 var CHECK_INTERVAL_MS = 60 * 1000;
-var activeSessions = new Map;
+var DEFAULT_SCOPE = "__default__";
+var scopes = new Map;
 var inactivityTimer = null;
-var endCallback = null;
-var clientGetter = null;
-var clientInfoGetter = null;
-function initAutoSession(callback, getClient2, getClientInfo) {
-  endCallback = callback;
-  clientGetter = getClient2;
-  clientInfoGetter = getClientInfo ?? null;
-  if (inactivityTimer)
-    clearInterval(inactivityTimer);
-  inactivityTimer = setInterval(checkInactivity, CHECK_INTERVAL_MS);
+function getOrCreateScope(scopeId) {
+  let scope = scopes.get(scopeId);
+  if (!scope) {
+    scope = {
+      sessions: new Map,
+      endCallback: null,
+      clientGetter: null,
+      clientInfoGetter: null
+    };
+    scopes.set(scopeId, scope);
+  }
+  return scope;
+}
+function initAutoSession(callback, getClient2, getClientInfo, scopeId = DEFAULT_SCOPE) {
+  const scope = getOrCreateScope(scopeId);
+  scope.endCallback = callback;
+  scope.clientGetter = getClient2;
+  scope.clientInfoGetter = getClientInfo ?? null;
+  if (!inactivityTimer) {
+    inactivityTimer = setInterval(checkInactivity, CHECK_INTERVAL_MS);
+  }
 }
 async function trackActivity(cardId, options) {
+  const scope = getOrCreateScope(options?.scopeId ?? DEFAULT_SCOPE);
   const now = Date.now();
-  const existing = activeSessions.get(cardId);
+  const existing = scope.sessions.get(cardId);
   if (existing) {
     existing.lastActivityAt = now;
     return;
   }
   if (!options?.autoStart)
     return;
-  const client3 = options?.client ?? clientGetter?.();
+  const client3 = options?.client ?? scope.clientGetter?.();
   if (!client3)
     return;
-  const info = clientInfoGetter?.() ?? null;
+  const info = options?.clientInfo ?? scope.clientInfoGetter?.() ?? null;
   if (!info?.name)
     return;
   const { agentIdentifier, agentName } = resolveAgentIdentity(info);
   const toEnd = [];
-  for (const [otherCardId, session] of activeSessions) {
+  for (const [otherCardId, session] of scope.sessions) {
     if (otherCardId !== cardId && !session.isExplicit) {
       toEnd.push(otherCardId);
     }
   }
   for (const otherCardId of toEnd) {
-    await autoEndSession(client3, otherCardId, "completed");
+    await autoEndSession(scope, client3, otherCardId, "completed");
   }
   try {
     await client3.startAgentSession(cardId, {
@@ -2088,7 +2111,7 @@ async function trackActivity(cardId, options) {
       status: "working"
     });
   } catch {}
-  activeSessions.set(cardId, {
+  scope.sessions.set(cardId, {
     cardId,
     startedAt: now,
     lastActivityAt: now,
@@ -2098,7 +2121,8 @@ async function trackActivity(cardId, options) {
   });
 }
 function markExplicit(cardId, options) {
-  const existing = activeSessions.get(cardId);
+  const scope = getOrCreateScope(options?.scopeId ?? DEFAULT_SCOPE);
+  const existing = scope.sessions.get(cardId);
   if (existing) {
     existing.isExplicit = true;
     if (options?.agentIdentifier)
@@ -2106,7 +2130,7 @@ function markExplicit(cardId, options) {
     if (options?.agentName)
       existing.agentName = options.agentName;
   } else {
-    activeSessions.set(cardId, {
+    scope.sessions.set(cardId, {
       cardId,
       startedAt: Date.now(),
       lastActivityAt: Date.now(),
@@ -2116,15 +2140,23 @@ function markExplicit(cardId, options) {
     });
   }
 }
-function untrack(cardId) {
-  activeSessions.delete(cardId);
+function untrack(cardId, scopeId = DEFAULT_SCOPE) {
+  scopes.get(scopeId)?.sessions.delete(cardId);
 }
-async function shutdownAllSessions() {
-  const client3 = clientGetter?.();
-  if (!client3)
-    return;
-  const cardIds = [...activeSessions.keys()];
-  const promises = cardIds.map((cardId) => autoEndSession(client3, cardId, "paused"));
+async function shutdownAllSessions(scopeId) {
+  const targets = scopeId !== undefined ? scopes.has(scopeId) ? [scopeId] : [] : [...scopes.keys()];
+  const promises = [];
+  for (const sid of targets) {
+    const scope = scopes.get(sid);
+    if (!scope)
+      continue;
+    const client3 = scope.clientGetter?.();
+    if (!client3)
+      continue;
+    for (const cardId of [...scope.sessions.keys()]) {
+      promises.push(autoEndSession(scope, client3, cardId, "paused"));
+    }
+  }
   await Promise.allSettled(promises);
 }
 function destroyAutoSession() {
@@ -2132,32 +2164,32 @@ function destroyAutoSession() {
     clearInterval(inactivityTimer);
     inactivityTimer = null;
   }
-  activeSessions.clear();
-  endCallback = null;
-  clientGetter = null;
-  clientInfoGetter = null;
+  scopes.clear();
 }
 function checkInactivity() {
   const now = Date.now();
-  const client3 = clientGetter?.();
-  if (!client3)
-    return;
-  const entries = [...activeSessions.entries()];
-  for (const [cardId, session] of entries) {
-    if (session.isExplicit)
+  for (const scope of scopes.values()) {
+    const client3 = scope.clientGetter?.();
+    if (!client3)
       continue;
-    if (now - session.lastActivityAt > INACTIVITY_TIMEOUT_MS) {
-      autoEndSession(client3, cardId, "completed").catch(() => {});
+    const entries = [...scope.sessions.entries()];
+    for (const [cardId, session] of entries) {
+      if (session.isExplicit)
+        continue;
+      if (now - session.lastActivityAt > INACTIVITY_TIMEOUT_MS) {
+        autoEndSession(scope, client3, cardId, "completed").catch(() => {});
+      }
     }
   }
 }
-async function autoEndSession(client3, cardId, status) {
-  activeSessions.delete(cardId);
+async function autoEndSession(scope, client3, cardId, status) {
+  if (!scope.sessions.delete(cardId))
+    return;
   try {
     await client3.endAgentSession(cardId, { status });
   } catch {}
   try {
-    await endCallback?.(client3, cardId, status);
+    await scope.endCallback?.(client3, cardId, status);
   } catch {}
 }
 
@@ -4561,9 +4593,12 @@ function registerHandlers(server, deps) {
     const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
     if (cardIdArg && UUID_RE.test(cardIdArg) && deps.isConfigured()) {
       const isAutoStartTrigger = AUTO_START_TRIGGERS.has(name);
+      const cv = server.getClientVersion?.();
       trackActivity(cardIdArg, {
         autoStart: isAutoStartTrigger,
-        client: deps.getClient()
+        client: deps.getClient(),
+        clientInfo: cv ? { name: cv.name, version: cv.version } : undefined,
+        scopeId: deps.getScopeId?.()
       }).catch(() => {});
     }
     try {
@@ -4573,9 +4608,12 @@ function registerHandlers(server, deps) {
           const parsed = typeof result === "object" && result !== null ? result : {};
           const resolvedCardId = parsed.cardId;
           if (resolvedCardId && UUID_RE.test(resolvedCardId)) {
+            const cv = server.getClientVersion?.();
             trackActivity(resolvedCardId, {
               autoStart: true,
-              client: deps.getClient()
+              client: deps.getClient(),
+              clientInfo: cv ? { name: cv.name, version: cv.version } : undefined,
+              scopeId: deps.getScopeId?.()
             }).catch(() => {});
           }
         } catch {}
@@ -4732,7 +4770,7 @@ async function handleToolCall(name, args, deps) {
             const { session } = await client3.getAgentSession(cardId);
             if (session) {
               await client3.endAgentSession(cardId, { status: "completed" });
-              untrack(cardId);
+              untrack(cardId, deps.getScopeId?.());
               sessionEnded = true;
             }
           }
@@ -5090,7 +5128,11 @@ async function handleToolCall(name, args, deps) {
         currentTask: args.currentTask,
         estimatedMinutesRemaining: args.estimatedMinutesRemaining
       });
-      markExplicit(cardId, { agentIdentifier, agentName });
+      markExplicit(cardId, {
+        agentIdentifier,
+        agentName,
+        scopeId: deps.getScopeId?.()
+      });
       const agentSessionId = result.session?.id;
       initMemorySession(cardId, agentIdentifier, agentName, agentSessionId);
       return {
@@ -5152,7 +5194,7 @@ async function handleToolCall(name, args, deps) {
       } catch (err) {
         sessionEndError = err instanceof Error ? err.message : "Failed to end session";
       }
-      untrack(cardId);
+      untrack(cardId, deps.getScopeId?.());
       let movedTo = null;
       try {
         const { card } = await client3.getCard(cardId);
@@ -5329,23 +5371,21 @@ async function handleToolCall(name, args, deps) {
       let entities;
       let relevanceMap;
       if (queryText) {
+        const requestedTags = args.tags;
         const searchResult = await client3.searchMemoryEntities(workspaceId, queryText, {
           project_id: projectId,
           type: args.type,
-          limit: fetchLimit
+          limit: fetchLimit,
+          tags: requestedTags && requestedTags.length > 0 ? requestedTags : undefined,
+          include_superseded: includeSuperseded
         });
         entities = searchResult.entities ?? [];
-        const requestedTags = args.tags;
         const minConfidence = args.minConfidence;
         if (userScopeFilter) {
           entities = entities.filter((e) => e?.scope === userScopeFilter);
         } else if (excludeSessionFromLongTerm) {
           entities = entities.filter((e) => !isSessionScope(e?.scope));
         }
-        if (requestedTags && requestedTags.length > 0) {
-          const wanted = new Set(requestedTags);
-          entities = entities.filter((e) => (e?.tags ?? []).some((t) => wanted.has(t)));
-        }
         entities = filterByMinConfidence(entities, minConfidence);
         if (!includeSuperseded) {
           entities = entities.filter((e) => !e?.superseded_at);

package/dist/index.js

@@ -1452,6 +1452,12 @@ class HarmonyApiClient {
   async getWorkspaceMembers(workspaceId) {
     return this.request("GET", `/workspaces/${workspaceId}/members`);
   }
+  async listWorkspaceAgents(workspaceId) {
+    return this.request("GET", `/workspaces/${workspaceId}/agents`);
+  }
+  async registerWorkspaceAgent(workspaceId, data) {
+    return this.request("POST", `/workspaces/${workspaceId}/agents`, data);
+  }
   async listProjects(workspaceId) {
     return this.request("GET", `/workspaces/${workspaceId}/projects`);
   }
@@ -1716,6 +1722,10 @@ class HarmonyApiClient {
       params.set("type", options.type);
     if (options?.limit !== undefined)
       params.set("limit", String(options.limit));
+    for (const tag of options?.tags ?? [])
+      params.append("tags", tag);
+    if (options?.include_superseded)
+      params.set("include_superseded", "true");
     return this.request("GET", `/memory/search?${params.toString()}`);
   }
   async getVaultIndex(options) {
@@ -2039,43 +2049,56 @@ var AUTO_START_TRIGGERS = new Set([
 ]);
 var INACTIVITY_TIMEOUT_MS = 10 * 60 * 1000;
 var CHECK_INTERVAL_MS = 60 * 1000;
-var activeSessions = new Map;
+var DEFAULT_SCOPE = "__default__";
+var scopes = new Map;
 var inactivityTimer = null;
-var endCallback = null;
-var clientGetter = null;
-var clientInfoGetter = null;
-function initAutoSession(callback, getClient2, getClientInfo) {
-  endCallback = callback;
-  clientGetter = getClient2;
-  clientInfoGetter = getClientInfo ?? null;
-  if (inactivityTimer)
-    clearInterval(inactivityTimer);
-  inactivityTimer = setInterval(checkInactivity, CHECK_INTERVAL_MS);
+function getOrCreateScope(scopeId) {
+  let scope = scopes.get(scopeId);
+  if (!scope) {
+    scope = {
+      sessions: new Map,
+      endCallback: null,
+      clientGetter: null,
+      clientInfoGetter: null
+    };
+    scopes.set(scopeId, scope);
+  }
+  return scope;
+}
+function initAutoSession(callback, getClient2, getClientInfo, scopeId = DEFAULT_SCOPE) {
+  const scope = getOrCreateScope(scopeId);
+  scope.endCallback = callback;
+  scope.clientGetter = getClient2;
+  scope.clientInfoGetter = getClientInfo ?? null;
+  if (!inactivityTimer) {
+    inactivityTimer = setInterval(checkInactivity, CHECK_INTERVAL_MS);
+  }
 }
 async function trackActivity(cardId, options) {
+  const scope = getOrCreateScope(options?.scopeId ?? DEFAULT_SCOPE);
   const now = Date.now();
-  const existing = activeSessions.get(cardId);
+  const existing = scope.sessions.get(cardId);
   if (existing) {
     existing.lastActivityAt = now;
     return;
   }
   if (!options?.autoStart)
     return;
-  const client3 = options?.client ?? clientGetter?.();
+  const client3 = options?.client ?? scope.clientGetter?.();
   if (!client3)
     return;
-  const info = clientInfoGetter?.() ?? null;
+  const info = options?.clientInfo ?? scope.clientInfoGetter?.() ?? null;
   if (!info?.name)
     return;
   const { agentIdentifier, agentName } = resolveAgentIdentity(info);
   const toEnd = [];
-  for (const [otherCardId, session] of activeSessions) {
+  for (const [otherCardId, session] of scope.sessions) {
     if (otherCardId !== cardId && !session.isExplicit) {
       toEnd.push(otherCardId);
     }
   }
   for (const otherCardId of toEnd) {
-    await autoEndSession(client3, otherCardId, "completed");
+    await autoEndSession(scope, client3, otherCardId, "completed");
   }
   try {
     await client3.startAgentSession(cardId, {
@@ -2084,7 +2107,7 @@ async function trackActivity(cardId, options) {
       status: "working"
     });
   } catch {}
-  activeSessions.set(cardId, {
+  scope.sessions.set(cardId, {
     cardId,
     startedAt: now,
     lastActivityAt: now,
@@ -2094,7 +2117,8 @@ async function trackActivity(cardId, options) {
   });
 }
 function markExplicit(cardId, options) {
-  const existing = activeSessions.get(cardId);
+  const scope = getOrCreateScope(options?.scopeId ?? DEFAULT_SCOPE);
+  const existing = scope.sessions.get(cardId);
   if (existing) {
     existing.isExplicit = true;
     if (options?.agentIdentifier)
@@ -2102,7 +2126,7 @@ function markExplicit(cardId, options) {
     if (options?.agentName)
       existing.agentName = options.agentName;
   } else {
-    activeSessions.set(cardId, {
+    scope.sessions.set(cardId, {
       cardId,
       startedAt: Date.now(),
       lastActivityAt: Date.now(),
@@ -2112,15 +2136,23 @@ function markExplicit(cardId, options) {
     });
   }
 }
-function untrack(cardId) {
-  activeSessions.delete(cardId);
+function untrack(cardId, scopeId = DEFAULT_SCOPE) {
+  scopes.get(scopeId)?.sessions.delete(cardId);
 }
-async function shutdownAllSessions() {
-  const client3 = clientGetter?.();
-  if (!client3)
-    return;
-  const cardIds = [...activeSessions.keys()];
-  const promises = cardIds.map((cardId) => autoEndSession(client3, cardId, "paused"));
+async function shutdownAllSessions(scopeId) {
+  const targets = scopeId !== undefined ? scopes.has(scopeId) ? [scopeId] : [] : [...scopes.keys()];
+  const promises = [];
+  for (const sid of targets) {
+    const scope = scopes.get(sid);
+    if (!scope)
+      continue;
+    const client3 = scope.clientGetter?.();
+    if (!client3)
+      continue;
+    for (const cardId of [...scope.sessions.keys()]) {
+      promises.push(autoEndSession(scope, client3, cardId, "paused"));
+    }
+  }
   await Promise.allSettled(promises);
 }
 function destroyAutoSession() {
@@ -2128,32 +2160,32 @@ function destroyAutoSession() {
     clearInterval(inactivityTimer);
     inactivityTimer = null;
   }
-  activeSessions.clear();
-  endCallback = null;
-  clientGetter = null;
-  clientInfoGetter = null;
+  scopes.clear();
 }
 function checkInactivity() {
   const now = Date.now();
-  const client3 = clientGetter?.();
-  if (!client3)
-    return;
-  const entries = [...activeSessions.entries()];
-  for (const [cardId, session] of entries) {
-    if (session.isExplicit)
+  for (const scope of scopes.values()) {
+    const client3 = scope.clientGetter?.();
+    if (!client3)
       continue;
-    if (now - session.lastActivityAt > INACTIVITY_TIMEOUT_MS) {
-      autoEndSession(client3, cardId, "completed").catch(() => {});
+    const entries = [...scope.sessions.entries()];
+    for (const [cardId, session] of entries) {
+      if (session.isExplicit)
+        continue;
+      if (now - session.lastActivityAt > INACTIVITY_TIMEOUT_MS) {
+        autoEndSession(scope, client3, cardId, "completed").catch(() => {});
+      }
     }
   }
 }
-async function autoEndSession(client3, cardId, status) {
-  activeSessions.delete(cardId);
+async function autoEndSession(scope, client3, cardId, status) {
+  if (!scope.sessions.delete(cardId))
+    return;
   try {
     await client3.endAgentSession(cardId, { status });
   } catch {}
   try {
-    await endCallback?.(client3, cardId, status);
+    await scope.endCallback?.(client3, cardId, status);
   } catch {}
 }
 
@@ -4557,9 +4589,12 @@ function registerHandlers(server, deps) {
     const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
     if (cardIdArg && UUID_RE.test(cardIdArg) && deps.isConfigured()) {
       const isAutoStartTrigger = AUTO_START_TRIGGERS.has(name);
+      const cv = server.getClientVersion?.();
       trackActivity(cardIdArg, {
         autoStart: isAutoStartTrigger,
-        client: deps.getClient()
+        client: deps.getClient(),
+        clientInfo: cv ? { name: cv.name, version: cv.version } : undefined,
+        scopeId: deps.getScopeId?.()
       }).catch(() => {});
     }
     try {
@@ -4569,9 +4604,12 @@ function registerHandlers(server, deps) {
           const parsed = typeof result === "object" && result !== null ? result : {};
           const resolvedCardId = parsed.cardId;
           if (resolvedCardId && UUID_RE.test(resolvedCardId)) {
+            const cv = server.getClientVersion?.();
             trackActivity(resolvedCardId, {
               autoStart: true,
-              client: deps.getClient()
+              client: deps.getClient(),
+              clientInfo: cv ? { name: cv.name, version: cv.version } : undefined,
+              scopeId: deps.getScopeId?.()
             }).catch(() => {});
           }
         } catch {}
@@ -4728,7 +4766,7 @@ async function handleToolCall(name, args, deps) {
             const { session } = await client3.getAgentSession(cardId);
             if (session) {
               await client3.endAgentSession(cardId, { status: "completed" });
-              untrack(cardId);
+              untrack(cardId, deps.getScopeId?.());
               sessionEnded = true;
             }
           }
@@ -5086,7 +5124,11 @@ async function handleToolCall(name, args, deps) {
         currentTask: args.currentTask,
         estimatedMinutesRemaining: args.estimatedMinutesRemaining
       });
-      markExplicit(cardId, { agentIdentifier, agentName });
+      markExplicit(cardId, {
+        agentIdentifier,
+        agentName,
+        scopeId: deps.getScopeId?.()
+      });
       const agentSessionId = result.session?.id;
       initMemorySession(cardId, agentIdentifier, agentName, agentSessionId);
       return {
@@ -5148,7 +5190,7 @@ async function handleToolCall(name, args, deps) {
       } catch (err) {
         sessionEndError = err instanceof Error ? err.message : "Failed to end session";
       }
-      untrack(cardId);
+      untrack(cardId, deps.getScopeId?.());
       let movedTo = null;
       try {
         const { card } = await client3.getCard(cardId);
@@ -5325,23 +5367,21 @@ async function handleToolCall(name, args, deps) {
       let entities;
       let relevanceMap;
       if (queryText) {
+        const requestedTags = args.tags;
         const searchResult = await client3.searchMemoryEntities(workspaceId, queryText, {
           project_id: projectId,
           type: args.type,
-          limit: fetchLimit
+          limit: fetchLimit,
+          tags: requestedTags && requestedTags.length > 0 ? requestedTags : undefined,
+          include_superseded: includeSuperseded
         });
         entities = searchResult.entities ?? [];
-        const requestedTags = args.tags;
         const minConfidence = args.minConfidence;
         if (userScopeFilter) {
           entities = entities.filter((e) => e?.scope === userScopeFilter);
         } else if (excludeSessionFromLongTerm) {
           entities = entities.filter((e) => !isSessionScope(e?.scope));
         }
-        if (requestedTags && requestedTags.length > 0) {
-          const wanted = new Set(requestedTags);
-          entities = entities.filter((e) => (e?.tags ?? []).some((t) => wanted.has(t)));
-        }
         entities = filterByMinConfidence(entities, minConfidence);
         if (!includeSuperseded) {
           entities = entities.filter((e) => !e?.superseded_at);

package/dist/lib/api-client.js

@@ -1059,6 +1059,12 @@ class HarmonyApiClient {
   async getWorkspaceMembers(workspaceId) {
     return this.request("GET", `/workspaces/${workspaceId}/members`);
   }
+  async listWorkspaceAgents(workspaceId) {
+    return this.request("GET", `/workspaces/${workspaceId}/agents`);
+  }
+  async registerWorkspaceAgent(workspaceId, data) {
+    return this.request("POST", `/workspaces/${workspaceId}/agents`, data);
+  }
   async listProjects(workspaceId) {
     return this.request("GET", `/workspaces/${workspaceId}/projects`);
   }
@@ -1323,6 +1329,10 @@ class HarmonyApiClient {
       params.set("type", options.type);
     if (options?.limit !== undefined)
       params.set("limit", String(options.limit));
+    for (const tag of options?.tags ?? [])
+      params.append("tags", tag);
+    if (options?.include_superseded)
+      params.set("include_superseded", "true");
     return this.request("GET", `/memory/search?${params.toString()}`);
   }
   async getVaultIndex(options) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gethmy/mcp",
-  "version": "2.8.5",
+  "version": "2.9.0",
   "description": "MCP server for Harmony Kanban board - enables AI coding agents to manage your boards",
   "publishConfig": {
     "access": "public"

package/src/api-client.ts

@@ -2,6 +2,7 @@ import {
   type Comment,
   getDisplayLinkType,
   serializeCommentThread,
+  type WorkspaceAgent,
 } from "@harmony/shared";
 import { getApiKey, getApiUrl } from "./config.js";
 
@@ -396,6 +397,20 @@ export class HarmonyApiClient {
     return this.request("GET", `/workspaces/${workspaceId}/members`);
   }
 
+  async listWorkspaceAgents(
+    workspaceId: string,
+  ): Promise<{ agents: WorkspaceAgent[] }> {
+    return this.request("GET", `/workspaces/${workspaceId}/agents`);
+  }
+
+  /** Register/upsert this daemon's virtual agent. Idempotent by (workspace, identifier). */
+  async registerWorkspaceAgent(
+    workspaceId: string,
+    data: { identifier: string; name: string; color?: string },
+  ): Promise<{ agent: WorkspaceAgent }> {
+    return this.request("POST", `/workspaces/${workspaceId}/agents`, data);
+  }
+
   // ============ PROJECT OPERATIONS ============
 
   async listProjects(workspaceId: string): Promise<{ projects: unknown[] }> {
@@ -676,6 +691,7 @@ export class HarmonyApiClient {
     data: {
       agentIdentifier: string;
       agentName: string;
+      agentId?: string | null;
       status?: "working" | "blocked" | "paused" | "completed";
       progressPercent?: number;
       currentTask?: string;
@@ -716,6 +732,8 @@ export class HarmonyApiClient {
         | "review"
         | "daemon_restart"
         | "budget"
+        | "timeout"
+        | "stale"
         | "other";
       failureSummary?: string;
       recoveryBranch?: string;
@@ -742,6 +760,8 @@ export class HarmonyApiClient {
         | "review"
         | "daemon_restart"
         | "budget"
+        | "timeout"
+        | "stale"
         | "other";
       failureSummary?: string;
       recoveryBranch?: string;
@@ -1003,6 +1023,8 @@ export class HarmonyApiClient {
       project_id?: string;
       type?: string;
       limit?: number;
+      tags?: string[];
+      include_superseded?: boolean;
     },
   ): Promise<{ entities: unknown[]; count: number }> {
     const params = new URLSearchParams();
@@ -1012,6 +1034,10 @@ export class HarmonyApiClient {
     if (options?.type) params.set("type", options.type);
     if (options?.limit !== undefined)
       params.set("limit", String(options.limit));
+    // Repeated `tags` params — the search endpoint reads them via getAll and
+    // matches against the canonical `tags_normalized` column (#299).
+    for (const tag of options?.tags ?? []) params.append("tags", tag);
+    if (options?.include_superseded) params.set("include_superseded", "true");
     return this.request("GET", `/memory/search?${params.toString()}`);
   }
 

package/src/auto-session.ts

@@ -8,6 +8,19 @@
  * Agent identity is resolved from the MCP client's `initialize` handshake
  * (clientInfo.name), so "Claude Code", "Cursor", "Codex", etc. are
  * detected automatically — no hardcoded fallback needed.
+ *
+ * ## Multi-tenant scoping
+ *
+ * Bookkeeping is partitioned into per-scope state (`ScopeState`), keyed by a
+ * caller-supplied `scopeId`. The hosted/remote transport is multi-tenant — two
+ * different users acting on the *same card* must NOT collide on one shared
+ * entry. Remote scopes by `userId`; stdio (single user) uses `DEFAULT_SCOPE`.
+ *
+ * Each scope owns its own session map, end-of-session callback, API client
+ * getter, and client-identity getter, so per-connection `initAutoSession` calls
+ * no longer fight over a single global getter (the enabler for wiring the
+ * inactivity sweep + end pipeline on remote). A single process-wide timer
+ * sweeps every scope, ending idle sessions with that scope's own client.
  */
 
 import type { HarmonyApiClient } from "./api-client.js";
@@ -88,29 +101,80 @@ export const AUTO_START_TRIGGERS = new Set([
 export const INACTIVITY_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
 const CHECK_INTERVAL_MS = 60 * 1000; // 60 seconds
 
-const activeSessions = new Map<string, TrackedSession>();
+/**
+ * Scope used when no `scopeId` is supplied. stdio is single-user, so it shares
+ * one scope; the unit tests also exercise this default scope exclusively.
+ */
+const DEFAULT_SCOPE = "__default__";
+
+/**
+ * Per-tenant auto-session state. One per `scopeId` (e.g. one per remote user,
+ * or the single shared `DEFAULT_SCOPE` on stdio). Keying `sessions` by cardId
+ * *within* a scope means two users on the same card no longer collide.
+ */
+interface ScopeState {
+  /** cardId → tracked session */
+  sessions: Map<string, TrackedSession>;
+  endCallback: EndSessionCallback | null;
+  clientGetter: (() => HarmonyApiClient) | null;
+  clientInfoGetter: (() => ClientInfo | null) | null;
+}
+
+/** scopeId → per-tenant state */
+const scopes = new Map<string, ScopeState>();
+/**
+ * Single process-wide inactivity sweep. Started once; on each tick it walks
+ * every scope and ends that scope's idle sessions with the scope's own client.
+ * Keeping it global (rather than one timer per scope) is what lets the remote
+ * transport register many per-connection scopes without spawning a timer each.
+ */
 let inactivityTimer: ReturnType<typeof setInterval> | null = null;
-let endCallback: EndSessionCallback | null = null;
-let clientGetter: (() => HarmonyApiClient) | null = null;
-let clientInfoGetter: (() => ClientInfo | null) | null = null;
+
+function getOrCreateScope(scopeId: string): ScopeState {
+  let scope = scopes.get(scopeId);
+  if (!scope) {
+    scope = {
+      sessions: new Map(),
+      endCallback: null,
+      clientGetter: null,
+      clientInfoGetter: null,
+    };
+    scopes.set(scopeId, scope);
+  }
+  return scope;
+}
 
 /**
- * Initialize auto-session tracking.
+ * Initialize auto-session tracking for a scope.
+ *
+ * Safe to call once per scope (stdio: once for `DEFAULT_SCOPE`; remote: once per
+ * connection, keyed by the connection's userId). Re-calling a scope just updates
+ * its callbacks/getters — the latest connection's client wins, which is fine
+ * because all of a user's connections share equivalent API access. The shared
+ * inactivity timer is started on first init and left running.
+ *
  * @param callback Called when an auto-session ends (runs the learning pipeline)
- * @param getClient Function to get the current API client
+ * @param getClient Function to get the current API client for this scope
  * @param getClientInfo Function to get MCP client identity from the initialize handshake
+ * @param scopeId Tenant scope (default: the shared single-user scope)
  */
 export function initAutoSession(
   callback: EndSessionCallback,
   getClient: () => HarmonyApiClient,
   getClientInfo?: () => ClientInfo | null,
+  scopeId: string = DEFAULT_SCOPE,
 ): void {
-  endCallback = callback;
-  clientGetter = getClient;
-  clientInfoGetter = getClientInfo ?? null;
+  const scope = getOrCreateScope(scopeId);
+  scope.endCallback = callback;
+  scope.clientGetter = getClient;
+  scope.clientInfoGetter = getClientInfo ?? null;
 
-  if (inactivityTimer) clearInterval(inactivityTimer);
-  inactivityTimer = setInterval(checkInactivity, CHECK_INTERVAL_MS);
+  // Start the shared sweep once. Don't clear/restart on every (re-)init — on
+  // the remote transport, connections arrive faster than the 60s interval and a
+  // restart-each-time would keep deferring the sweep indefinitely (starvation).
+  if (!inactivityTimer) {
+    inactivityTimer = setInterval(checkInactivity, CHECK_INTERVAL_MS);
+  }
 }
 
 /**
@@ -121,10 +185,23 @@ export async function trackActivity(
   options?: {
     autoStart?: boolean;
     client?: HarmonyApiClient;
+    /**
+     * Per-request MCP client identity. Takes precedence over the scope's
+     * clientInfoGetter. The remote/HTTP transport resolves identity from the
+     * in-scope Server.getClientVersion() and passes it here, so auto-sessions
+     * attribute correctly on every transport (card #297).
+     */
+    clientInfo?: ClientInfo;
+    /**
+     * Tenant scope. Remote passes the connection's userId so two users on the
+     * same card don't collide; stdio/tests omit it and share `DEFAULT_SCOPE`.
+     */
+    scopeId?: string;
   },
 ): Promise<void> {
+  const scope = getOrCreateScope(options?.scopeId ?? DEFAULT_SCOPE);
   const now = Date.now();
-  const existing = activeSessions.get(cardId);
+  const existing = scope.sessions.get(cardId);
 
   if (existing) {
     // Update last activity timestamp
@@ -135,7 +212,7 @@ export async function trackActivity(
   // Only auto-start if the tool is a trigger
   if (!options?.autoStart) return;
 
-  const client = options?.client ?? clientGetter?.();
+  const client = options?.client ?? scope.clientGetter?.();
   if (!client) return;
 
   // Resolve agent identity from the MCP `initialize` handshake. Never auto-start
@@ -143,19 +220,22 @@ export async function trackActivity(
   // phantom "Unknown Agent" session (card #295). Identified clients only — this
   // bail happens BEFORE ending other sessions so an unidentified call can't tear
   // down a legitimate tracked session.
-  const info = clientInfoGetter?.() ?? null;
+  const info = options?.clientInfo ?? scope.clientInfoGetter?.() ?? null;
   if (!info?.name) return;
   const { agentIdentifier, agentName } = resolveAgentIdentity(info);
 
-  // Collect auto-sessions on other cards to end (avoid mutating map during iteration)
+  // Collect this scope's auto-sessions on other cards to end (a card switch
+  // within one tenant ends the prior auto-session). Only this scope's sessions
+  // are swept — another user's work on a different card is untouched. Snapshot
+  // first to avoid mutating the map during iteration.
   const toEnd: string[] = [];
-  for (const [otherCardId, session] of activeSessions) {
+  for (const [otherCardId, session] of scope.sessions) {
     if (otherCardId !== cardId && !session.isExplicit) {
       toEnd.push(otherCardId);
     }
   }
   for (const otherCardId of toEnd) {
-    await autoEndSession(client, otherCardId, "completed");
+    await autoEndSession(scope, client, otherCardId, "completed");
   }
 
   // Start a new auto-session
@@ -169,7 +249,7 @@ export async function trackActivity(
     // Session start failed (might already have one), still track locally
   }
 
-  activeSessions.set(cardId, {
+  scope.sessions.set(cardId, {
     cardId,
     startedAt: now,
     lastActivityAt: now,
@@ -185,9 +265,10 @@ export async function trackActivity(
  */
 export function markExplicit(
   cardId: string,
-  options?: { agentIdentifier?: string; agentName?: string },
+  options?: { agentIdentifier?: string; agentName?: string; scopeId?: string },
 ): void {
-  const existing = activeSessions.get(cardId);
+  const scope = getOrCreateScope(options?.scopeId ?? DEFAULT_SCOPE);
+  const existing = scope.sessions.get(cardId);
   if (existing) {
     existing.isExplicit = true;
     if (options?.agentIdentifier)
@@ -195,7 +276,7 @@ export function markExplicit(
     if (options?.agentName) existing.agentName = options.agentName;
   } else {
     // Track the explicit session even if we didn't auto-start it
-    activeSessions.set(cardId, {
+    scope.sessions.set(cardId, {
       cardId,
       startedAt: Date.now(),
       lastActivityAt: Date.now(),
@@ -209,61 +290,88 @@ export function markExplicit(
 /**
  * Remove a session from tracking (called when session is explicitly ended).
  */
-export function untrack(cardId: string): void {
-  activeSessions.delete(cardId);
+export function untrack(cardId: string, scopeId: string = DEFAULT_SCOPE): void {
+  scopes.get(scopeId)?.sessions.delete(cardId);
 }
 
 /**
- * End all active auto-sessions (called on process shutdown).
+ * End active auto-sessions (called on process shutdown, or on a single tenant's
+ * disconnect). With a `scopeId`, only that scope's sessions are ended; without
+ * one, every scope is drained.
  */
-export async function shutdownAllSessions(): Promise<void> {
-  const client = clientGetter?.();
-  if (!client) return;
+export async function shutdownAllSessions(scopeId?: string): Promise<void> {
+  const targets =
+    scopeId !== undefined
+      ? scopes.has(scopeId)
+        ? [scopeId]
+        : []
+      : [...scopes.keys()];
 
-  // Snapshot keys to avoid mutating map during iteration
-  const cardIds = [...activeSessions.keys()];
-  const promises = cardIds.map((cardId) =>
-    autoEndSession(client, cardId, "paused"),
-  );
+  const promises: Promise<void>[] = [];
+  for (const sid of targets) {
+    const scope = scopes.get(sid);
+    if (!scope) continue;
+    const client = scope.clientGetter?.();
+    if (!client) continue;
+    // Snapshot keys to avoid mutating map during iteration
+    for (const cardId of [...scope.sessions.keys()]) {
+      promises.push(autoEndSession(scope, client, cardId, "paused"));
+    }
+  }
   await Promise.allSettled(promises);
 }
 
 /**
- * Clean up the interval timer (for tests).
+ * Drop a tenant scope entirely (remote: called when a user's last connection
+ * closes). Bounds the `scopes` map on a long-lived multi-tenant server so it
+ * doesn't retain one stale per-connection client/deps closure per distinct user
+ * forever. The shared sweep timer then only walks live scopes. End the scope's
+ * sessions FIRST (via shutdownAllSessions(scopeId)) so nothing dangles. Never
+ * drops DEFAULT_SCOPE — stdio's single scope lives for the whole process.
+ */
+export function dropScope(scopeId: string): void {
+  if (scopeId !== DEFAULT_SCOPE) scopes.delete(scopeId);
+}
+
+/**
+ * Clean up the interval timer and all scope state (for tests / full shutdown).
  */
 export function destroyAutoSession(): void {
   if (inactivityTimer) {
     clearInterval(inactivityTimer);
     inactivityTimer = null;
   }
-  activeSessions.clear();
-  endCallback = null;
-  clientGetter = null;
-  clientInfoGetter = null;
+  scopes.clear();
 }
 
 /**
- * Get a snapshot of active sessions (for testing/debugging).
+ * Get a snapshot of a scope's active sessions (for testing/debugging).
+ * Defaults to the shared single-user scope.
  */
-export function getActiveSessions(): Map<string, TrackedSession> {
-  return activeSessions;
+export function getActiveSessions(
+  scopeId: string = DEFAULT_SCOPE,
+): Map<string, TrackedSession> {
+  return getOrCreateScope(scopeId).sessions;
 }
 
 /**
  * Run inactivity check immediately (exported for testing).
- * In production, called by the setInterval timer every 60s.
+ * In production, called by the setInterval timer every 60s. Sweeps every scope
+ * so the remote transport's per-user sessions auto-end just like stdio's.
  */
 export function checkInactivity(): void {
   const now = Date.now();
-  const client = clientGetter?.();
-  if (!client) return;
+  for (const scope of scopes.values()) {
+    const client = scope.clientGetter?.();
+    if (!client) continue;
 
-  // Snapshot keys to avoid mutating map during iteration
-  const entries = [...activeSessions.entries()];
-  for (const [cardId, session] of entries) {
-    if (session.isExplicit) continue;
-    if (now - session.lastActivityAt > INACTIVITY_TIMEOUT_MS) {
-      autoEndSession(client, cardId, "completed").catch(() => {});
+    // Snapshot entries to avoid mutating map during iteration
+    const entries = [...scope.sessions.entries()];
+    for (const [cardId, session] of entries) {
+      if (session.isExplicit) continue;
+      if (now - session.lastActivityAt > INACTIVITY_TIMEOUT_MS) {
+        autoEndSession(scope, client, cardId, "completed").catch(() => {});
+      }
     }
   }
 }
@@ -271,18 +379,23 @@ export function checkInactivity(): void {
 // --- Internal ---
 
 async function autoEndSession(
+  scope: ScopeState,
   client: HarmonyApiClient,
   cardId: string,
   status: "completed" | "paused",
 ): Promise<void> {
-  activeSessions.delete(cardId);
+  // Delete-and-claim: Map.delete returns false if the entry is already gone.
+  // The card-switch sweep and the inactivity timer can both target the same
+  // cardId concurrently; whichever claims it first runs the end + pipeline,
+  // the loser bails so endAgentSession / runEndSessionPipeline fire exactly once.
+  if (!scope.sessions.delete(cardId)) return;
   try {
     await client.endAgentSession(cardId, { status });
   } catch {
     // Best-effort end
   }
   try {
-    await endCallback?.(client, cardId, status);
+    await scope.endCallback?.(client, cardId, status);
   } catch {
     // Best-effort pipeline
   }

package/src/graph-expansion.ts

@@ -264,13 +264,11 @@ export async function findSupersedeCandidates(
         if (options?.scope && (e as { scope?: string }).scope !== undefined) {
           if ((e as { scope?: string }).scope !== options.scope) return false;
         }
-        // Skip already-superseded rows when the field is present. NOTE: the
-        // hybrid-search RPC does not return `superseded_at`, so this only fires
-        // on the FTS-fallback path; on the embedding path an already-retired row
-        // can still surface as a *candidate*. That is non-destructive — the
-        // `similar` list is advisory and the caller decides explicitly whether
-        // to supersede. A complete fix needs the RPC to return/filter the column
-        // (migration + deploy); tracked in docs/memory.md.
+        // Skip already-superseded rows. The hybrid-search RPC now both returns
+        // `superseded_at` and excludes tombstoned rows by default (#298), so
+        // retired rows no longer surface as candidates on the embedding path.
+        // Kept as belt-and-suspenders for the FTS fallback and any caller that
+        // opts into include_superseded.
         if ((e as { superseded_at?: string | null }).superseded_at) {
           return false;
         }

package/src/remote.ts

@@ -21,7 +21,16 @@ import { serve } from "bun";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { HarmonyApiClient } from "./api-client.js";
-import { registerHandlers, type ToolDeps } from "./server.js";
+import {
+  dropScope,
+  initAutoSession,
+  shutdownAllSessions,
+} from "./auto-session.js";
+import {
+  registerHandlers,
+  runEndSessionPipeline,
+  type ToolDeps,
+} from "./server.js";
 
 // ---------------------------------------------------------------------------
 // Config from env
@@ -258,16 +267,52 @@ function createSession(apiKey: string, keyInfo: TokenInfo): McpSession {
     getUserEmail: () => null,
     saveConfig: () => {}, // No-op in remote mode
     resetClient: () => {}, // No-op in remote mode
+    // Partition auto-session bookkeeping by user. The hosted server is
+    // multi-tenant: keying by userId stops two users on the same card from
+    // colliding on one shared auto-session entry (card #301, Gap 2).
+    getScopeId: () => keyInfo.userId,
   };
 
   registerHandlers(server, deps);
 
+  // Wire the inactivity sweep + end-of-session pipeline for this user's scope.
+  // The remote transport historically skipped initAutoSession entirely, so
+  // hosted auto-sessions never auto-ended on inactivity and the end pipeline
+  // never fired — they dangled "working" indefinitely (card #301, Gap 1).
+  // Now each connection registers its userId scope; the shared process timer
+  // sweeps it like stdio. Identity is resolved per-request via options.clientInfo
+  // in the pre-hook (card #297), so no clientInfoGetter is supplied here. Re-init
+  // by a second connection of the same user just refreshes the scope's client —
+  // both are equivalent, and per-scope state means it can't clobber other users.
+  initAutoSession(
+    async (endClient, cardId, status) => {
+      await runEndSessionPipeline(endClient, deps, cardId, status);
+    },
+    () => client,
+    undefined,
+    keyInfo.userId,
+  );
+
   // Single cleanup path: fires on explicit DELETE, our evictSession,
   // and the stale-session GC. Keeping onsessioninitialized + this onclose
   // (instead of also wiring onsessionclosed) avoids double-logging on DELETE.
   transport.onclose = () => {
     if (transport.sessionId) {
       sessions.delete(transport.sessionId);
+      // Reap this user's auto-session scope once their LAST live connection is
+      // gone — otherwise `scopes` grows unbounded (one stale client/deps closure
+      // per distinct user) on a long-lived multi-tenant process. A user with
+      // another open connection keeps the scope (sessions.delete already ran, so
+      // the closing session isn't counted). Pause any in-flight auto-sessions so
+      // nothing dangles "working"; a reconnect + next tool call starts fresh.
+      const stillLive = [...sessions.values()].some(
+        (s) => s.userId === session.userId,
+      );
+      if (!stillLive) {
+        shutdownAllSessions(session.userId)
+          .catch(() => {})
+          .finally(() => dropScope(session.userId));
+      }
       console.log(`[mcp] session=${transport.sessionId} closed`);
     }
   };

package/src/server.ts

@@ -81,6 +81,12 @@ export interface ToolDeps {
   getUserEmail: () => string | null;
   saveConfig: (config: { apiKey: string }) => void;
   resetClient: () => void;
+  /**
+   * Tenant scope for auto-session bookkeeping. The remote/HTTP transport returns
+   * the connection's userId so two users on the same card don't collide on one
+   * shared auto-session entry. Omitted on stdio (single user → default scope).
+   */
+  getScopeId?: () => string;
 }
 
 // --- Memory Session Tracking ---
@@ -1852,9 +1858,18 @@ export function registerHandlers(server: Server, deps: ToolDeps): void {
       /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
     if (cardIdArg && UUID_RE.test(cardIdArg) && deps.isConfigured()) {
       const isAutoStartTrigger = AUTO_START_TRIGGERS.has(name);
+      // Resolve MCP client identity per request from the in-scope Server. The
+      // remote transport never calls initAutoSession (global getter is null),
+      // so passing it here is what makes auto-sessions attribute correctly on
+      // the hosted/OAuth path, not just stdio (card #297).
+      // Optional-chained: the pre-hook is best-effort and must never throw into
+      // tool dispatch if a transport/wrapper doesn't expose getClientVersion.
+      const cv = server.getClientVersion?.();
       trackActivity(cardIdArg, {
         autoStart: isAutoStartTrigger,
         client: deps.getClient(),
+        clientInfo: cv ? { name: cv.name, version: cv.version } : undefined,
+        scopeId: deps.getScopeId?.(),
       }).catch(() => {}); // fire-and-forget
     }
 
@@ -1874,9 +1889,16 @@ export function registerHandlers(server: Server, deps: ToolDeps): void {
             | string
             | undefined;
           if (resolvedCardId && UUID_RE.test(resolvedCardId)) {
+            // Optional-chained: the pre-hook is best-effort and must never throw into
+            // tool dispatch if a transport/wrapper doesn't expose getClientVersion.
+            const cv = server.getClientVersion?.();
             trackActivity(resolvedCardId, {
               autoStart: true,
               client: deps.getClient(),
+              clientInfo: cv
+                ? { name: cv.name, version: cv.version }
+                : undefined,
+              scopeId: deps.getScopeId?.(),
             }).catch(() => {});
           }
         } catch {
@@ -2113,7 +2135,7 @@ async function handleToolCall(
             const { session } = await client.getAgentSession(cardId);
             if (session) {
               await client.endAgentSession(cardId, { status: "completed" });
-              untrack(cardId);
+              untrack(cardId, deps.getScopeId?.());
               sessionEnded = true;
             }
           }
@@ -2618,7 +2640,11 @@ async function handleToolCall(
       });
 
       // Mark as explicit so auto-session won't interfere
-      markExplicit(cardId, { agentIdentifier, agentName });
+      markExplicit(cardId, {
+        agentIdentifier,
+        agentName,
+        scopeId: deps.getScopeId?.(),
+      });
 
       // Initialize memory session tracking for action visibility. Capture the
       // backend session id so working-memory writes (`scope: 'session'`) bind
@@ -2721,7 +2747,7 @@ async function handleToolCall(
       }
 
       // Remove from auto-session tracking regardless
-      untrack(cardId);
+      untrack(cardId, deps.getScopeId?.());
 
       let movedTo: string | null = null;
 
@@ -3080,6 +3106,12 @@ async function handleToolCall(
       let relevanceMap: Map<string, number>;
 
       if (queryText) {
+        const requestedTags = args.tags as string[] | undefined;
+        // Tag + superseded filtering is now authoritative in the hybrid_search
+        // RPC (#298/#299): tags match the canonical `tags_normalized` column at
+        // the DB level (no client-side fetch-then-filter completeness gap), and
+        // tombstoned rows are excluded unless include_superseded is set. Tags
+        // are normalized server-side; we pass them through verbatim.
         const searchResult = await client.searchMemoryEntities(
           workspaceId,
           queryText,
@@ -3087,14 +3119,18 @@ async function handleToolCall(
             project_id: projectId,
             type: args.type as string | undefined,
             limit: fetchLimit,
+            tags:
+              requestedTags && requestedTags.length > 0
+                ? requestedTags
+                : undefined,
+            include_superseded: includeSuperseded,
           },
         );
         entities = (searchResult.entities ?? []) as any[];
 
-        // Post-filter the rest of the params client-side. Hybrid search RPC
-        // exposes only project_id + type; tags / scope / minConfidence /
-        // include_superseded are applied here on the rank-ordered set.
-        const requestedTags = args.tags as string[] | undefined;
+        // Post-filter the params the RPC does not handle. Scope + minConfidence
+        // are applied here on the rank-ordered set. (Tags + include_superseded
+        // are handled server-side above.)
         const minConfidence = args.minConfidence as number | undefined;
         if (userScopeFilter) {
           entities = entities.filter((e) => e?.scope === userScopeFilter);
@@ -3103,13 +3139,9 @@ async function handleToolCall(
           // out of the long-term mix so the same row never shows twice.
           entities = entities.filter((e) => !isSessionScope(e?.scope));
         }
-        if (requestedTags && requestedTags.length > 0) {
-          const wanted = new Set(requestedTags);
-          entities = entities.filter((e) =>
-            (e?.tags ?? []).some((t: string) => wanted.has(t)),
-          );
-        }
         entities = filterByMinConfidence(entities, minConfidence);
+        // Belt-and-suspenders: the RPC already excludes tombstoned rows; this
+        // also drops any if a stale/FTS path slipped one through.
         if (!includeSuperseded) {
           entities = entities.filter((e) => !e?.superseded_at);
         }