@gethmy/mcp 2.9.3 → 2.9.5

package/dist/index.js

@@ -17,6 +17,199 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
+// src/config.ts
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
+import { homedir } from "node:os";
+import { join as join2 } from "node:path";
+function getConfigDir() {
+  return join2(homedir(), ".harmony-mcp");
+}
+function getConfigPath() {
+  return join2(getConfigDir(), "config.json");
+}
+function getLocalConfigPath(cwd) {
+  return join2(cwd || process.cwd(), LOCAL_CONFIG_FILENAME);
+}
+function emptyConfig() {
+  return {
+    apiKey: null,
+    apiUrl: DEFAULT_API_URL,
+    activeWorkspaceId: null,
+    activeProjectId: null,
+    userEmail: null,
+    memoryDir: null,
+    oauthAccessToken: null,
+    oauthRefreshToken: null,
+    oauthExpiresAt: null,
+    oauthClientId: null
+  };
+}
+function loadConfig() {
+  const configPath = getConfigPath();
+  if (!existsSync2(configPath)) {
+    return emptyConfig();
+  }
+  try {
+    const data = readFileSync2(configPath, "utf-8");
+    const config = JSON.parse(data);
+    return {
+      apiKey: config.apiKey || null,
+      apiUrl: config.apiUrl || DEFAULT_API_URL,
+      activeWorkspaceId: config.activeWorkspaceId || null,
+      activeProjectId: config.activeProjectId || null,
+      userEmail: config.userEmail || null,
+      memoryDir: config.memoryDir || null,
+      oauthAccessToken: config.oauthAccessToken || null,
+      oauthRefreshToken: config.oauthRefreshToken || null,
+      oauthExpiresAt: typeof config.oauthExpiresAt === "number" ? config.oauthExpiresAt : null,
+      oauthClientId: config.oauthClientId || null
+    };
+  } catch {
+    return emptyConfig();
+  }
+}
+function saveConfig(config) {
+  const configDir = getConfigDir();
+  const configPath = getConfigPath();
+  if (!existsSync2(configDir)) {
+    mkdirSync2(configDir, { recursive: true, mode: 448 });
+  }
+  const existingConfig = loadConfig();
+  const newConfig = { ...existingConfig, ...config };
+  writeFileSync2(configPath, JSON.stringify(newConfig, null, 2), {
+    mode: 384
+  });
+}
+function loadLocalConfig(cwd) {
+  const localConfigPath = getLocalConfigPath(cwd);
+  if (!existsSync2(localConfigPath)) {
+    return null;
+  }
+  try {
+    const data = readFileSync2(localConfigPath, "utf-8");
+    const config = JSON.parse(data);
+    return {
+      workspaceId: config.workspaceId || null,
+      projectId: config.projectId || null
+    };
+  } catch {
+    return null;
+  }
+}
+function saveLocalConfig(config, cwd) {
+  const localConfigPath = getLocalConfigPath(cwd);
+  const existingConfig = loadLocalConfig(cwd) || {
+    workspaceId: null,
+    projectId: null
+  };
+  const newConfig = { ...existingConfig, ...config };
+  const cleanConfig = {};
+  if (newConfig.workspaceId)
+    cleanConfig.workspaceId = newConfig.workspaceId;
+  if (newConfig.projectId)
+    cleanConfig.projectId = newConfig.projectId;
+  writeFileSync2(localConfigPath, JSON.stringify(cleanConfig, null, 2));
+}
+function hasLocalConfig(cwd) {
+  return existsSync2(getLocalConfigPath(cwd));
+}
+function getActiveCredential() {
+  const config = loadConfig();
+  if (config.oauthAccessToken)
+    return config.oauthAccessToken;
+  if (config.apiKey)
+    return config.apiKey;
+  throw new Error(`Not configured. Run "npx @gethmy/mcp setup" to connect Harmony.
+` + "Setup authorizes in your browser — no API key handling required.");
+}
+function getApiKey() {
+  return getActiveCredential();
+}
+function getApiUrl() {
+  const config = loadConfig();
+  return config.apiUrl;
+}
+function getUserEmail() {
+  const config = loadConfig();
+  return config.userEmail;
+}
+function setActiveWorkspace(workspaceId, options) {
+  if (options?.local) {
+    saveLocalConfig({ workspaceId }, options.cwd);
+  } else {
+    saveConfig({ activeWorkspaceId: workspaceId });
+  }
+}
+function setActiveProject(projectId, options) {
+  if (options?.local) {
+    saveLocalConfig({ projectId }, options.cwd);
+  } else {
+    saveConfig({ activeProjectId: projectId });
+  }
+}
+function getActiveWorkspaceId(cwd) {
+  const localConfig = loadLocalConfig(cwd);
+  if (localConfig?.workspaceId) {
+    return localConfig.workspaceId;
+  }
+  return loadConfig().activeWorkspaceId;
+}
+function getActiveProjectId(cwd) {
+  const localConfig = loadLocalConfig(cwd);
+  if (localConfig?.projectId) {
+    return localConfig.projectId;
+  }
+  return loadConfig().activeProjectId;
+}
+function isConfigured() {
+  const config = loadConfig();
+  return !!(config.apiKey || config.oauthAccessToken);
+}
+function areSkillsInstalled(cwd) {
+  const home = homedir();
+  const workingDir = cwd || process.cwd();
+  const foundPaths = [];
+  const globalSkillsDir = join2(home, ".agents", "skills");
+  const globalSkillPath = join2(globalSkillsDir, "hmy", "SKILL.md");
+  if (existsSync2(globalSkillPath)) {
+    foundPaths.push(globalSkillPath);
+    return { installed: true, location: "global", paths: foundPaths };
+  }
+  const claudeGlobalSkill = join2(home, ".claude", "skills", "hmy.md");
+  if (existsSync2(claudeGlobalSkill)) {
+    foundPaths.push(claudeGlobalSkill);
+    return { installed: true, location: "global", paths: foundPaths };
+  }
+  const claudeGlobalSkillAlt = join2(home, ".claude", "skills", "hmy", "SKILL.md");
+  if (existsSync2(claudeGlobalSkillAlt)) {
+    foundPaths.push(claudeGlobalSkillAlt);
+    return { installed: true, location: "global", paths: foundPaths };
+  }
+  const localSkillPath = join2(workingDir, ".claude", "skills", "hmy.md");
+  if (existsSync2(localSkillPath)) {
+    foundPaths.push(localSkillPath);
+    return { installed: true, location: "local", paths: foundPaths };
+  }
+  const localSkillPathAlt = join2(workingDir, ".claude", "skills", "hmy", "SKILL.md");
+  if (existsSync2(localSkillPathAlt)) {
+    foundPaths.push(localSkillPathAlt);
+    return { installed: true, location: "local", paths: foundPaths };
+  }
+  return { installed: false, location: null, paths: [] };
+}
+function hasProjectContext(cwd) {
+  const localConfig = loadLocalConfig(cwd);
+  return !!(localConfig?.workspaceId || localConfig?.projectId);
+}
+function getMemoryDir() {
+  const config = loadConfig();
+  if (config.memoryDir)
+    return config.memoryDir;
+  return join2(homedir(), ".harmony", "memory");
+}
+var DEFAULT_API_URL = "https://app.gethmy.com/api", LOCAL_CONFIG_FILENAME = ".harmony-mcp.json";
+var init_config = () => {};
+
 // src/prompt-builder.ts
 var exports_prompt_builder = {};
 __export(exports_prompt_builder, {
@@ -507,6 +700,290 @@ var init_prompt_builder = __esm(() => {
   };
 });
 
+// src/oauth-login.ts
+import { spawn } from "node:child_process";
+import { createHash as createHash3, randomBytes } from "node:crypto";
+import { createServer } from "node:http";
+function base64Url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generatePkce() {
+  const verifier = base64Url(randomBytes(32));
+  const challenge = base64Url(createHash3("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function oauthBaseFromApiUrl(apiUrl) {
+  return `${new URL(apiUrl).origin}/oauth`;
+}
+function openBrowser(url) {
+  const platform = process.platform;
+  const cmd = platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+  const args = platform === "win32" ? ["/c", "start", "", url.replace(/&/g, "^&")] : [url];
+  try {
+    const child = spawn(cmd, args, { stdio: "ignore", detached: true });
+    child.on("error", () => {});
+    child.unref();
+  } catch {}
+}
+async function loginWithBrowser(opts) {
+  const base = oauthBaseFromApiUrl(opts.apiUrl);
+  const { verifier, challenge } = generatePkce();
+  const state = base64Url(randomBytes(16));
+  const { server, port, waitForCode } = await startLoopbackServer(state);
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  try {
+    const clientId = await registerClient(base, redirectUri);
+    const authorizeUrl = new URL(`${base}/authorize`);
+    authorizeUrl.searchParams.set("response_type", "code");
+    authorizeUrl.searchParams.set("client_id", clientId);
+    authorizeUrl.searchParams.set("redirect_uri", redirectUri);
+    authorizeUrl.searchParams.set("code_challenge", challenge);
+    authorizeUrl.searchParams.set("code_challenge_method", "S256");
+    authorizeUrl.searchParams.set("state", state);
+    authorizeUrl.searchParams.set("scope", "mcp");
+    authorizeUrl.searchParams.set("resource", MCP_RESOURCE_URL);
+    if (opts.workspaceId) {
+      authorizeUrl.searchParams.set("workspace_id", opts.workspaceId);
+    }
+    const authUrlStr = authorizeUrl.toString();
+    opts.onUrl?.(authUrlStr);
+    openBrowser(authUrlStr);
+    const code = await waitForCode;
+    return await exchangeCode(base, {
+      code,
+      redirectUri,
+      clientId,
+      verifier
+    });
+  } finally {
+    server.close();
+  }
+}
+async function registerClient(base, redirectUri) {
+  const res = await fetch(`${base}/register`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      client_name: "Harmony CLI (setup)",
+      redirect_uris: [redirectUri],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none"
+    })
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok || !body.client_id) {
+    throw new Error(body.error_description || `Could not register OAuth client (HTTP ${res.status})`);
+  }
+  return body.client_id;
+}
+async function exchangeCode(base, params) {
+  const res = await fetch(`${base}/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code: params.code,
+      redirect_uri: params.redirectUri,
+      client_id: params.clientId,
+      code_verifier: params.verifier
+    }).toString()
+  });
+  const body = await res.json().catch(() => ({}));
+  if (!res.ok || !body.access_token || !body.refresh_token) {
+    throw new Error(body.error_description || `Token exchange failed (HTTP ${res.status})`);
+  }
+  return {
+    accessToken: body.access_token,
+    refreshToken: body.refresh_token,
+    expiresAt: Date.now() + (body.expires_in ?? 0) * 1000,
+    clientId: params.clientId
+  };
+}
+function startLoopbackServer(expectedState) {
+  return new Promise((resolveOuter, rejectOuter) => {
+    let resolveCode;
+    let rejectCode;
+    const waitForCode = new Promise((res, rej) => {
+      resolveCode = res;
+      rejectCode = rej;
+    });
+    const timeout = setTimeout(() => {
+      rejectCode(new Error("Timed out waiting for browser authorization (5 min)."));
+    }, LOGIN_TIMEOUT_MS);
+    timeout.unref?.();
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", "http://127.0.0.1");
+      if (url.pathname !== "/callback") {
+        res.writeHead(404).end();
+        return;
+      }
+      clearTimeout(timeout);
+      const error = url.searchParams.get("error");
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const fail = (msg) => {
+        res.writeHead(400, { "Content-Type": "text/html" }).end(FAILURE_HTML);
+        rejectCode(new Error(msg));
+      };
+      if (error) {
+        return fail(`Authorization denied: ${url.searchParams.get("error_description") || error}`);
+      }
+      if (!state || state !== expectedState) {
+        return fail("State mismatch — possible CSRF, aborting.");
+      }
+      if (!code) {
+        return fail("No authorization code returned.");
+      }
+      res.writeHead(200, { "Content-Type": "text/html" }).end(SUCCESS_HTML);
+      resolveCode(code);
+    });
+    server.on("error", (err) => {
+      clearTimeout(timeout);
+      rejectOuter(err);
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      resolveOuter({ server, port: addr.port, waitForCode });
+    });
+  });
+}
+var MCP_RESOURCE_URL, LOGIN_TIMEOUT_MS, SUCCESS_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>Harmony connected</title></head>
+<body style="font-family:system-ui,sans-serif;background:#0f1729;color:#dce4ef;display:flex;align-items:center;justify-content:center;height:100vh;margin:0">
+<div style="text-align:center"><h1 style="color:#57b8a5">✓ Connected to Harmony</h1>
+<p>You can close this tab and return to your terminal.</p></div></body></html>`, FAILURE_HTML = `<!doctype html><html><head><meta charset="utf-8"><title>Harmony</title></head>
+<body style="font-family:system-ui,sans-serif;background:#0f1729;color:#dce4ef;display:flex;align-items:center;justify-content:center;height:100vh;margin:0">
+<div style="text-align:center"><h1 style="color:#ff6b6b">Authorization failed</h1>
+<p>Return to your terminal for details.</p></div></body></html>`;
+var init_oauth_login = __esm(() => {
+  MCP_RESOURCE_URL = process.env.HARMONY_MCP_RESOURCE || "https://mcp.gethmy.com";
+  LOGIN_TIMEOUT_MS = 5 * 60 * 1000;
+});
+
+// src/oauth-refresh.ts
+var exports_oauth_refresh = {};
+__export(exports_oauth_refresh, {
+  refreshOAuthToken: () => refreshOAuthToken
+});
+import {
+  closeSync,
+  openSync,
+  renameSync,
+  rmSync as rmSync2,
+  statSync,
+  writeSync
+} from "node:fs";
+import { join as join3 } from "node:path";
+function lockPath() {
+  return join3(getConfigDir(), LOCK_FILENAME);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function withRefreshLock(fn) {
+  const path = lockPath();
+  const deadline = Date.now() + LOCK_ACQUIRE_TIMEOUT_MS;
+  let held = false;
+  while (Date.now() < deadline) {
+    try {
+      const fd = openSync(path, "wx");
+      writeSync(fd, String(process.pid));
+      closeSync(fd);
+      held = true;
+      break;
+    } catch (err) {
+      if (err.code !== "EEXIST") {
+        break;
+      }
+      try {
+        const age = Date.now() - statSync(path).mtimeMs;
+        if (age > LOCK_STALE_MS) {
+          const claim = `${path}.stale.${process.pid}`;
+          try {
+            renameSync(path, claim);
+            rmSync2(claim, { force: true });
+          } catch {}
+          continue;
+        }
+      } catch {
+        continue;
+      }
+      await sleep(LOCK_RETRY_MS);
+    }
+  }
+  try {
+    return await fn();
+  } finally {
+    if (held) {
+      try {
+        rmSync2(path, { force: true });
+      } catch {}
+    }
+  }
+}
+function refreshOAuthToken() {
+  if (inFlight)
+    return inFlight;
+  inFlight = doRefresh().finally(() => {
+    inFlight = null;
+  });
+  return inFlight;
+}
+async function doRefresh() {
+  const before = loadConfig();
+  if (!before.oauthRefreshToken || !before.oauthClientId)
+    return null;
+  return withRefreshLock(async () => {
+    const config = loadConfig();
+    if (config.oauthRefreshToken !== before.oauthRefreshToken && config.oauthAccessToken) {
+      return config.oauthAccessToken;
+    }
+    if (!config.oauthRefreshToken || !config.oauthClientId)
+      return null;
+    const base = oauthBaseFromApiUrl(config.apiUrl);
+    let res;
+    try {
+      res = await fetch(`${base}/token`, {
+        method: "POST",
+        headers: { "Content-Type": "application/x-www-form-urlencoded" },
+        body: new URLSearchParams({
+          grant_type: "refresh_token",
+          refresh_token: config.oauthRefreshToken,
+          client_id: config.oauthClientId
+        }).toString()
+      });
+    } catch {
+      return null;
+    }
+    if (!res.ok) {
+      const errorCode = await res.json().then((b) => b?.error ?? null).catch(() => null);
+      if (errorCode === "invalid_grant") {
+        saveConfig({
+          oauthAccessToken: null,
+          oauthRefreshToken: null,
+          oauthExpiresAt: null,
+          oauthClientId: null
+        });
+      }
+      return null;
+    }
+    const body = await res.json().catch(() => null);
+    if (!body?.access_token || !body.refresh_token)
+      return null;
+    saveConfig({
+      oauthAccessToken: body.access_token,
+      oauthRefreshToken: body.refresh_token,
+      oauthExpiresAt: Date.now() + (body.expires_in ?? 0) * 1000
+    });
+    return body.access_token;
+  });
+}
+var inFlight = null, LOCK_FILENAME = "refresh.lock", LOCK_STALE_MS = 30000, LOCK_ACQUIRE_TIMEOUT_MS = 35000, LOCK_RETRY_MS = 100;
+var init_oauth_refresh = __esm(() => {
+  init_config();
+  init_oauth_login();
+});
+
 // src/server.ts
 import { readFile } from "node:fs/promises";
 import { basename } from "node:path";
@@ -1015,192 +1492,8 @@ var TIMINGS = {
   QUERY_STALE_TIME: 1000 * 60 * 5,
   QUERY_GC_TIME: 1000 * 60 * 60 * 24
 };
-// src/config.ts
-import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "node:fs";
-import { homedir } from "node:os";
-import { join as join2 } from "node:path";
-var DEFAULT_API_URL = "https://app.gethmy.com/api";
-var LOCAL_CONFIG_FILENAME = ".harmony-mcp.json";
-function getConfigDir() {
-  return join2(homedir(), ".harmony-mcp");
-}
-function getConfigPath() {
-  return join2(getConfigDir(), "config.json");
-}
-function getLocalConfigPath(cwd) {
-  return join2(cwd || process.cwd(), LOCAL_CONFIG_FILENAME);
-}
-function loadConfig() {
-  const configPath = getConfigPath();
-  if (!existsSync2(configPath)) {
-    return {
-      apiKey: null,
-      apiUrl: DEFAULT_API_URL,
-      activeWorkspaceId: null,
-      activeProjectId: null,
-      userEmail: null,
-      memoryDir: null
-    };
-  }
-  try {
-    const data = readFileSync2(configPath, "utf-8");
-    const config = JSON.parse(data);
-    return {
-      apiKey: config.apiKey || null,
-      apiUrl: config.apiUrl || DEFAULT_API_URL,
-      activeWorkspaceId: config.activeWorkspaceId || null,
-      activeProjectId: config.activeProjectId || null,
-      userEmail: config.userEmail || null,
-      memoryDir: config.memoryDir || null
-    };
-  } catch {
-    return {
-      apiKey: null,
-      apiUrl: DEFAULT_API_URL,
-      activeWorkspaceId: null,
-      activeProjectId: null,
-      userEmail: null,
-      memoryDir: null
-    };
-  }
-}
-function saveConfig(config) {
-  const configDir = getConfigDir();
-  const configPath = getConfigPath();
-  if (!existsSync2(configDir)) {
-    mkdirSync2(configDir, { recursive: true, mode: 448 });
-  }
-  const existingConfig = loadConfig();
-  const newConfig = { ...existingConfig, ...config };
-  writeFileSync2(configPath, JSON.stringify(newConfig, null, 2), {
-    mode: 384
-  });
-}
-function loadLocalConfig(cwd) {
-  const localConfigPath = getLocalConfigPath(cwd);
-  if (!existsSync2(localConfigPath)) {
-    return null;
-  }
-  try {
-    const data = readFileSync2(localConfigPath, "utf-8");
-    const config = JSON.parse(data);
-    return {
-      workspaceId: config.workspaceId || null,
-      projectId: config.projectId || null
-    };
-  } catch {
-    return null;
-  }
-}
-function saveLocalConfig(config, cwd) {
-  const localConfigPath = getLocalConfigPath(cwd);
-  const existingConfig = loadLocalConfig(cwd) || {
-    workspaceId: null,
-    projectId: null
-  };
-  const newConfig = { ...existingConfig, ...config };
-  const cleanConfig = {};
-  if (newConfig.workspaceId)
-    cleanConfig.workspaceId = newConfig.workspaceId;
-  if (newConfig.projectId)
-    cleanConfig.projectId = newConfig.projectId;
-  writeFileSync2(localConfigPath, JSON.stringify(cleanConfig, null, 2));
-}
-function hasLocalConfig(cwd) {
-  return existsSync2(getLocalConfigPath(cwd));
-}
-function getApiKey() {
-  const config = loadConfig();
-  if (!config.apiKey) {
-    throw new Error(`Not configured. Run "npx @gethmy/mcp setup" to set your API key.
-` + "You can generate an API key at https://gethmy.com → Settings → API Keys.");
-  }
-  return config.apiKey;
-}
-function getApiUrl() {
-  const config = loadConfig();
-  return config.apiUrl;
-}
-function getUserEmail() {
-  const config = loadConfig();
-  return config.userEmail;
-}
-function setActiveWorkspace(workspaceId, options) {
-  if (options?.local) {
-    saveLocalConfig({ workspaceId }, options.cwd);
-  } else {
-    saveConfig({ activeWorkspaceId: workspaceId });
-  }
-}
-function setActiveProject(projectId, options) {
-  if (options?.local) {
-    saveLocalConfig({ projectId }, options.cwd);
-  } else {
-    saveConfig({ activeProjectId: projectId });
-  }
-}
-function getActiveWorkspaceId(cwd) {
-  const localConfig = loadLocalConfig(cwd);
-  if (localConfig?.workspaceId) {
-    return localConfig.workspaceId;
-  }
-  return loadConfig().activeWorkspaceId;
-}
-function getActiveProjectId(cwd) {
-  const localConfig = loadLocalConfig(cwd);
-  if (localConfig?.projectId) {
-    return localConfig.projectId;
-  }
-  return loadConfig().activeProjectId;
-}
-function isConfigured() {
-  const config = loadConfig();
-  return !!config.apiKey;
-}
-function areSkillsInstalled(cwd) {
-  const home = homedir();
-  const workingDir = cwd || process.cwd();
-  const foundPaths = [];
-  const globalSkillsDir = join2(home, ".agents", "skills");
-  const globalSkillPath = join2(globalSkillsDir, "hmy", "SKILL.md");
-  if (existsSync2(globalSkillPath)) {
-    foundPaths.push(globalSkillPath);
-    return { installed: true, location: "global", paths: foundPaths };
-  }
-  const claudeGlobalSkill = join2(home, ".claude", "skills", "hmy.md");
-  if (existsSync2(claudeGlobalSkill)) {
-    foundPaths.push(claudeGlobalSkill);
-    return { installed: true, location: "global", paths: foundPaths };
-  }
-  const claudeGlobalSkillAlt = join2(home, ".claude", "skills", "hmy", "SKILL.md");
-  if (existsSync2(claudeGlobalSkillAlt)) {
-    foundPaths.push(claudeGlobalSkillAlt);
-    return { installed: true, location: "global", paths: foundPaths };
-  }
-  const localSkillPath = join2(workingDir, ".claude", "skills", "hmy.md");
-  if (existsSync2(localSkillPath)) {
-    foundPaths.push(localSkillPath);
-    return { installed: true, location: "local", paths: foundPaths };
-  }
-  const localSkillPathAlt = join2(workingDir, ".claude", "skills", "hmy", "SKILL.md");
-  if (existsSync2(localSkillPathAlt)) {
-    foundPaths.push(localSkillPathAlt);
-    return { installed: true, location: "local", paths: foundPaths };
-  }
-  return { installed: false, location: null, paths: [] };
-}
-function hasProjectContext(cwd) {
-  const localConfig = loadLocalConfig(cwd);
-  return !!(localConfig?.workspaceId || localConfig?.projectId);
-}
-function getMemoryDir() {
-  const config = loadConfig();
-  if (config.memoryDir)
-    return config.memoryDir;
-  return join2(homedir(), ".harmony", "memory");
-}
-
 // src/api-client.ts
+init_config();
 var RETRY_CONFIG = {
   maxRetries: 3,
   baseDelayMs: 1000,
@@ -1220,7 +1513,7 @@ function getRetryDelay(attempt) {
   const delay = Math.min(RETRY_CONFIG.baseDelayMs * 2 ** attempt, RETRY_CONFIG.maxDelayMs);
   return Math.round(delay + delay * 0.25 * (Math.random() * 2 - 1));
 }
-var sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+var sleep2 = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
 
 class Semaphore {
   permits;
@@ -1285,10 +1578,12 @@ class HarmonyApiClient {
   apiKey;
   apiUrl;
   onUnauthorized;
+  refreshCredential;
   constructor(options) {
     this.apiKey = options?.apiKey ?? getApiKey();
     this.apiUrl = options?.apiUrl ?? getApiUrl();
     this.onUnauthorized = options?.onUnauthorized;
+    this.refreshCredential = options?.refreshCredential;
   }
   getApiUrl() {
     return this.apiUrl;
@@ -1318,6 +1613,7 @@ class HarmonyApiClient {
   async requestWithRetry(method, path, body, options) {
     const url = `${this.apiUrl}/v1${path}`;
     let lastError = null;
+    let refreshed = false;
     const contentType = options?.contentType || "application/json";
     const accept = options?.accept || "application/json";
     for (let attempt = 0;attempt <= RETRY_CONFIG.maxRetries; attempt++) {
@@ -1346,6 +1642,15 @@ class HarmonyApiClient {
         if (!response.ok) {
           const errorMsg = data?.error || (looksLikeJson ? null : `API error: ${response.status} (non-JSON response)`) || `API error: ${response.status}`;
           if (response.status === 401) {
+            if (this.refreshCredential && !refreshed) {
+              refreshed = true;
+              const fresh = await this.refreshCredential();
+              if (fresh) {
+                this.apiKey = fresh;
+                attempt--;
+                continue;
+              }
+            }
             this.onUnauthorized?.();
             throw new HarmonyUnauthorizedError(errorMsg);
           }
@@ -1354,7 +1659,7 @@ class HarmonyApiClient {
           }
           lastError = new Error(errorMsg);
           if (attempt < RETRY_CONFIG.maxRetries) {
-            await sleep(getRetryDelay(attempt));
+            await sleep2(getRetryDelay(attempt));
             continue;
           }
           throw lastError;
@@ -1368,7 +1673,7 @@ class HarmonyApiClient {
         if (!isRetryableError(error))
           throw lastError;
         if (attempt < RETRY_CONFIG.maxRetries) {
-          await sleep(getRetryDelay(attempt));
+          await sleep2(getRetryDelay(attempt));
         }
       }
     }
@@ -1377,6 +1682,7 @@ class HarmonyApiClient {
   async requestRawWithRetry(method, path, body, options) {
     const url = `${this.apiUrl}/v1${path}`;
     let lastError = null;
+    let refreshed = false;
     const contentType = options?.contentType || "application/json";
     const accept = options?.accept || "text/markdown";
     for (let attempt = 0;attempt <= RETRY_CONFIG.maxRetries; attempt++) {
@@ -1399,6 +1705,15 @@ class HarmonyApiClient {
             errorMsg = text || `API error: ${response.status}`;
           }
           if (response.status === 401) {
+            if (this.refreshCredential && !refreshed) {
+              refreshed = true;
+              const fresh = await this.refreshCredential();
+              if (fresh) {
+                this.apiKey = fresh;
+                attempt--;
+                continue;
+              }
+            }
             this.onUnauthorized?.();
             throw new HarmonyUnauthorizedError(errorMsg);
           }
@@ -1407,7 +1722,7 @@ class HarmonyApiClient {
           }
           lastError = new Error(errorMsg);
           if (attempt < RETRY_CONFIG.maxRetries) {
-            await sleep(getRetryDelay(attempt));
+            await sleep2(getRetryDelay(attempt));
             continue;
           }
           throw lastError;
@@ -1418,7 +1733,7 @@ class HarmonyApiClient {
         if (!isRetryableError(error))
           throw lastError;
         if (attempt < RETRY_CONFIG.maxRetries) {
-          await sleep(getRetryDelay(attempt));
+          await sleep2(getRetryDelay(attempt));
         }
       }
     }
@@ -2000,7 +2315,12 @@ async function loadPromptModules() {
 var client2 = null;
 function getClient() {
   if (!client2) {
-    client2 = new HarmonyApiClient;
+    client2 = new HarmonyApiClient({
+      refreshCredential: async () => {
+        const { refreshOAuthToken: refreshOAuthToken2 } = await Promise.resolve().then(() => (init_oauth_refresh(), exports_oauth_refresh));
+        return refreshOAuthToken2();
+      }
+    });
   }
   return client2;
 }
@@ -2179,6 +2499,9 @@ async function autoEndSession(scope, client3, cardId, status) {
   } catch {}
 }
 
+// src/server.ts
+init_config();
+
 // src/graph-expansion.ts
 async function autoExpandGraph(client3, entityId, title, content, _tags, workspaceId, projectId, maxRelations = 5) {
   try {
@@ -2189,14 +2512,14 @@ async function autoExpandGraph(client3, entityId, title, content, _tags, workspa
       project_id: projectId,
       limit: 20
     });
-    candidates = entities.filter((e) => e.id !== entityId).slice(0, maxRelations);
+    candidates = entities.filter((e) => e.id !== entityId && (e.confidence ?? 1) >= 0.4).slice(0, maxRelations);
     if (candidates.length === 0) {
       await new Promise((resolve) => setTimeout(resolve, 2000));
       const retry = await client3.searchMemoryEntities(workspaceId, query, {
         project_id: projectId,
         limit: 20
       });
-      candidates = retry.entities.filter((e) => e.id !== entityId).slice(0, maxRelations);
+      candidates = retry.entities.filter((e) => e.id !== entityId && (e.confidence ?? 1) >= 0.4).slice(0, maxRelations);
     }
     let relationsCreated = 0;
     for (const candidate of candidates) {
@@ -2733,6 +3056,7 @@ function lintTags(tags) {
 }
 
 // src/onboard.ts
+init_config();
 async function onboardNewUser(params) {
   const {
     email,
@@ -2778,19 +3102,20 @@ import {
   existsSync as existsSync4,
   mkdirSync as mkdirSync3,
   readFileSync as readFileSync4,
-  renameSync,
+  renameSync as renameSync2,
   writeFileSync as writeFileSync3
 } from "node:fs";
 import { homedir as homedir3 } from "node:os";
-import { dirname, join as join4 } from "node:path";
+import { dirname, join as join5 } from "node:path";
+init_config();
 
 // src/hmy-config.ts
 import { existsSync as existsSync3, readFileSync as readFileSync3 } from "node:fs";
 import { homedir as homedir2 } from "node:os";
-import { join as join3 } from "node:path";
+import { join as join4 } from "node:path";
 var DEFAULTS = { updateCheck: true, pin: null };
 function getHmyConfigPath() {
-  return join3(homedir2(), ".hmy", "config.yaml");
+  return join4(homedir2(), ".hmy", "config.yaml");
 }
 function loadHmyConfig() {
   const path = getHmyConfigPath();
@@ -2933,7 +3258,7 @@ function atomicWrite(filePath, content) {
     mkdirSync3(dir, { recursive: true });
   const tmp = `${filePath}.tmp-${process.pid}-${Date.now()}`;
   writeFileSync3(tmp, content);
-  renameSync(tmp, filePath);
+  renameSync2(tmp, filePath);
 }
 function hasMetadataVersion(content) {
   return parseSkillVersion(content) !== null;
@@ -2973,9 +3298,9 @@ function findSkillFiles(paths, knownNames) {
   }
   return results;
 }
-var HMY_DIR = join4(homedir3(), ".hmy");
-var HMY_VERSION_FILE = join4(HMY_DIR, "VERSION");
-var LAST_CHECK_FILE = join4(HMY_DIR, "last-update-check");
+var HMY_DIR = join5(homedir3(), ".hmy");
+var HMY_VERSION_FILE = join5(HMY_DIR, "VERSION");
+var LAST_CHECK_FILE = join5(HMY_DIR, "last-update-check");
 var CHECK_TTL_MS = 24 * 60 * 60 * 1000;
 function checkedRecently(now = Date.now()) {
   try {
@@ -3008,7 +3333,7 @@ async function refreshSkills(opts = {}) {
     const status = areSkillsInstalled();
     if (!status.installed)
       return { updated: false };
-    const client3 = new HarmonyApiClient;
+    const client3 = getClient();
     const versionInfo = await client3.fetchSkillsVersion();
     recordCheck();
     const skillFiles = findSkillFiles(status.paths, versionInfo.skills);
@@ -4871,7 +5196,7 @@ async function handleToolCall(name, args, deps) {
     case "harmony_delete_label": {
       const labelId = z.string().uuid().parse(args.labelId);
       const result = await client3.deleteLabel(labelId);
-      return { success: true, ...result };
+      return { ...result };
     }
     case "harmony_add_label_to_card": {
       const cardId = z.string().uuid().parse(args.cardId);
@@ -5828,8 +6153,8 @@ async function handleToolCall(name, args, deps) {
             content: summary,
             type: "lesson",
             scope: "project",
-            workspaceId,
-            projectId: plan.project_id,
+            workspace_id: workspaceId,
+            project_id: plan.project_id,
             tags: ["plan", "archived"],
             confidence: 0.8
           });