@graphmemory/server 1.1.0

package/dist/api/rest/tasks.js

@@ -0,0 +1,273 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createTasksRouter = createTasksRouter;
+const fs_1 = __importDefault(require("fs"));
+const mime_1 = __importDefault(require("mime"));
+const express_1 = require("express");
+const multer_1 = __importDefault(require("multer"));
+const validation_1 = require("../../api/rest/validation");
+const index_1 = require("../../api/rest/index");
+const manager_types_1 = require("../../graphs/manager-types");
+const upload = (0, multer_1.default)({ storage: multer_1.default.memoryStorage(), limits: { fileSize: 50 * 1024 * 1024 } });
+function createTasksRouter() {
+    const router = (0, express_1.Router)({ mergeParams: true });
+    function getProject(req) {
+        return req.project;
+    }
+    // List tasks
+    router.get('/', (0, validation_1.validateQuery)(validation_1.taskListSchema), (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const q = req.validatedQuery;
+            const tasks = p.taskManager.listTasks(q);
+            res.json({ results: tasks });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Search tasks
+    router.get('/search', (0, validation_1.validateQuery)(validation_1.taskSearchSchema), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const q = req.validatedQuery;
+            const results = await p.taskManager.searchTasks(q.q, {
+                topK: q.topK,
+                minScore: q.minScore,
+                searchMode: q.searchMode,
+            });
+            res.json({ results });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Find tasks linked to an external entity
+    router.get('/linked', (0, validation_1.validateQuery)(validation_1.linkedQuerySchema), (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const { targetGraph, targetNodeId, kind, projectId } = req.validatedQuery;
+            const tasks = p.taskManager.findLinkedTasks(targetGraph, targetNodeId, kind, projectId ?? req.params.projectId);
+            res.json({ results: tasks });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Get task
+    router.get('/:taskId', (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const task = p.taskManager.getTask(req.params.taskId);
+            if (!task)
+                return res.status(404).json({ error: 'Task not found' });
+            const relations = p.taskManager.listRelations(req.params.taskId);
+            res.json({ ...task, relations });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Create task
+    router.post('/', index_1.requireWriteAccess, (0, validation_1.validateBody)(validation_1.createTaskSchema), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const { title, description, status, priority, tags, dueDate, estimate, assignee } = req.body;
+            const created = await p.mutationQueue.enqueue(async () => {
+                const taskId = await p.taskManager.createTask(title, description, status, priority, tags, dueDate, estimate, assignee ?? null);
+                return p.taskManager.getTask(taskId);
+            });
+            res.status(201).json(created);
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Update task
+    router.put('/:taskId', index_1.requireWriteAccess, (0, validation_1.validateBody)(validation_1.updateTaskSchema), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const taskId = req.params.taskId;
+            const { version, ...patch } = req.body;
+            const result = await p.mutationQueue.enqueue(async () => {
+                const ok = await p.taskManager.updateTask(taskId, patch, version);
+                if (!ok)
+                    return null;
+                return p.taskManager.getTask(taskId);
+            });
+            if (!result)
+                return res.status(404).json({ error: 'Task not found' });
+            res.json(result);
+        }
+        catch (err) {
+            if (err instanceof manager_types_1.VersionConflictError) {
+                return res.status(409).json({ error: 'version_conflict', current: err.current, expected: err.expected });
+            }
+            next(err);
+        }
+    });
+    // Move task (change status) — action, so POST
+    router.post('/:taskId/move', index_1.requireWriteAccess, (0, validation_1.validateBody)(validation_1.moveTaskSchema), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const taskId = req.params.taskId;
+            const { status, version } = req.body;
+            const result = await p.mutationQueue.enqueue(async () => {
+                const ok = p.taskManager.moveTask(taskId, status, version);
+                if (!ok)
+                    return null;
+                return p.taskManager.getTask(taskId);
+            });
+            if (!result)
+                return res.status(404).json({ error: 'Task not found' });
+            res.json(result);
+        }
+        catch (err) {
+            if (err instanceof manager_types_1.VersionConflictError) {
+                return res.status(409).json({ error: 'version_conflict', current: err.current, expected: err.expected });
+            }
+            next(err);
+        }
+    });
+    // Delete task
+    router.delete('/:taskId', index_1.requireWriteAccess, async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const taskId = req.params.taskId;
+            const ok = await p.mutationQueue.enqueue(async () => {
+                return p.taskManager.deleteTask(taskId);
+            });
+            if (!ok)
+                return res.status(404).json({ error: 'Task not found' });
+            res.status(204).end();
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Create task link (task-to-task or cross-graph)
+    router.post('/links', index_1.requireWriteAccess, (0, validation_1.validateBody)(validation_1.createTaskLinkSchema), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const { fromId, toId, kind, targetGraph, projectId } = req.body;
+            const ok = await p.mutationQueue.enqueue(async () => {
+                if (targetGraph) {
+                    return p.taskManager.createCrossLink(fromId, toId, targetGraph, kind, projectId);
+                }
+                else {
+                    return p.taskManager.linkTasks(fromId, toId, kind);
+                }
+            });
+            if (!ok)
+                return res.status(400).json({ error: 'Failed to create link' });
+            res.status(201).json({ fromId, toId, kind, targetGraph: targetGraph || undefined });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Delete task link
+    router.delete('/links', index_1.requireWriteAccess, (0, validation_1.validateBody)(validation_1.createTaskLinkSchema.pick({ fromId: true, toId: true, targetGraph: true, projectId: true })), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const { fromId, toId, targetGraph, projectId } = req.body;
+            const ok = await p.mutationQueue.enqueue(async () => {
+                if (targetGraph) {
+                    return p.taskManager.deleteCrossLink(fromId, toId, targetGraph, projectId);
+                }
+                else {
+                    return p.taskManager.deleteTaskLink(fromId, toId);
+                }
+            });
+            if (!ok)
+                return res.status(404).json({ error: 'Link not found' });
+            res.status(204).end();
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // List relations for a task
+    router.get('/:taskId/relations', (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const relations = p.taskManager.listRelations(req.params.taskId);
+            res.json({ results: relations });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // -- Attachments --
+    // Upload attachment
+    router.post('/:taskId/attachments', index_1.requireWriteAccess, upload.single('file'), async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const taskId = req.params.taskId;
+            const file = req.file;
+            if (!file)
+                return res.status(400).json({ error: 'No file uploaded' });
+            const meta = await p.mutationQueue.enqueue(async () => {
+                return p.taskManager.addAttachment(taskId, file.originalname, file.buffer);
+            });
+            if (!meta)
+                return res.status(404).json({ error: 'Task not found' });
+            res.status(201).json(meta);
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // List attachments
+    router.get('/:taskId/attachments', (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const attachments = p.taskManager.listAttachments(req.params.taskId);
+            res.json({ results: attachments });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Download attachment
+    router.get('/:taskId/attachments/:filename', (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const filename = validation_1.attachmentFilenameSchema.parse(req.params.filename);
+            const filePath = p.taskManager.getAttachmentPath(req.params.taskId, filename);
+            if (!filePath)
+                return res.status(404).json({ error: 'Attachment not found' });
+            const mimeType = mime_1.default.getType(filePath) ?? 'application/octet-stream';
+            res.setHeader('Content-Type', mimeType);
+            res.setHeader('Content-Disposition', `attachment; filename*=UTF-8''${encodeURIComponent(filename)}`);
+            res.setHeader('X-Content-Type-Options', 'nosniff');
+            const stream = fs_1.default.createReadStream(filePath);
+            stream.on('error', (err) => next(err));
+            stream.pipe(res);
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Delete attachment
+    router.delete('/:taskId/attachments/:filename', index_1.requireWriteAccess, async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const taskId = req.params.taskId;
+            const filename = validation_1.attachmentFilenameSchema.parse(req.params.filename);
+            const ok = await p.mutationQueue.enqueue(async () => {
+                return p.taskManager.removeAttachment(taskId, filename);
+            });
+            if (!ok)
+                return res.status(404).json({ error: 'Attachment not found' });
+            res.status(204).end();
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    return router;
+}

package/dist/api/rest/tools.js

@@ -0,0 +1,157 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createToolsRouter = createToolsRouter;
+const express_1 = require("express");
+const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
+const inMemory_js_1 = require("@modelcontextprotocol/sdk/inMemory.js");
+const index_1 = require("../../api/index");
+// Tool category detection based on tool name
+const TOOL_CATEGORIES = {
+    get_context: 'context',
+    list_topics: 'docs', get_toc: 'docs', search: 'docs', get_node: 'docs',
+    search_topic_files: 'docs', find_examples: 'docs', search_snippets: 'docs',
+    list_snippets: 'docs', explain_symbol: 'docs', cross_references: 'cross-graph',
+    list_files: 'code', get_file_symbols: 'code', search_code: 'code',
+    get_symbol: 'code', search_files: 'code',
+    list_all_files: 'files', search_all_files: 'files', get_file_info: 'files',
+    create_note: 'knowledge', update_note: 'knowledge', delete_note: 'knowledge',
+    get_note: 'knowledge', list_notes: 'knowledge', search_notes: 'knowledge',
+    create_relation: 'knowledge', delete_relation: 'knowledge',
+    list_relations: 'knowledge', find_linked_notes: 'knowledge',
+    add_note_attachment: 'knowledge', remove_note_attachment: 'knowledge',
+    create_task: 'tasks', update_task: 'tasks', delete_task: 'tasks',
+    get_task: 'tasks', list_tasks: 'tasks', search_tasks: 'tasks',
+    move_task: 'tasks', link_task: 'tasks', create_task_link: 'tasks',
+    delete_task_link: 'tasks', find_linked_tasks: 'tasks',
+    add_task_attachment: 'tasks', remove_task_attachment: 'tasks',
+    create_skill: 'skills', update_skill: 'skills', delete_skill: 'skills',
+    get_skill: 'skills', list_skills: 'skills', search_skills: 'skills',
+    recall_skills: 'skills', bump_skill_usage: 'skills',
+    link_skill: 'skills', create_skill_link: 'skills', delete_skill_link: 'skills',
+    find_linked_skills: 'skills',
+    add_skill_attachment: 'skills', remove_skill_attachment: 'skills',
+};
+const MUTATION_PREFIXES = ['create_', 'update_', 'delete_', 'move_', 'link_', 'add_', 'remove_', 'bump_'];
+function isMutationTool(toolName) {
+    return MUTATION_PREFIXES.some(p => toolName.startsWith(p));
+}
+/**
+ * Get or create a lazy MCP client for a project instance.
+ * The client is cached on the instance for reuse.
+ */
+async function getClient(p, pm) {
+    if (p.mcpClient)
+        return p.mcpClient;
+    // Build session context for get_context tool
+    const ws = p.workspaceId ? pm.getWorkspace(p.workspaceId) : undefined;
+    const sessionCtx = {
+        projectId: p.id,
+        workspaceId: ws?.id,
+        workspaceProjects: ws?.config.projects,
+    };
+    const [serverTransport, clientTransport] = inMemory_js_1.InMemoryTransport.createLinkedPair();
+    const server = (0, index_1.createMcpServer)(p.docGraph, p.codeGraph, p.knowledgeGraph, p.fileIndexGraph, p.taskGraph, p.embedFns, p.mutationQueue, p.config.projectDir, p.skillGraph, sessionCtx);
+    await server.connect(serverTransport);
+    const client = new index_js_1.Client({ name: 'tools-explorer', version: '1.0.0' });
+    await client.connect(clientTransport);
+    p.mcpClient = client;
+    p.mcpClientCleanup = async () => {
+        await client.close();
+        p.mcpClient = undefined;
+        p.mcpClientCleanup = undefined;
+    };
+    return client;
+}
+function createToolsRouter(projectManager, checkAccess) {
+    const router = (0, express_1.Router)({ mergeParams: true });
+    function getProject(req) {
+        return req.project;
+    }
+    // List all available tools (filtered by access)
+    router.get('/', async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const client = await getClient(p, projectManager);
+            const { tools } = await client.listTools();
+            const results = tools
+                .filter(t => {
+                if (!checkAccess)
+                    return true;
+                const cat = TOOL_CATEGORIES[t.name];
+                if (!cat || cat === 'context' || cat === 'cross-graph')
+                    return true;
+                return checkAccess(req, cat, 'r');
+            })
+                .map(t => ({
+                name: t.name,
+                description: t.description || '',
+                category: TOOL_CATEGORIES[t.name] || 'other',
+                inputSchema: t.inputSchema,
+            }));
+            res.json({ results });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Get single tool info
+    router.get('/:toolName', async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const client = await getClient(p, projectManager);
+            const { tools } = await client.listTools();
+            const tool = tools.find(t => t.name === req.params.toolName);
+            if (!tool)
+                return res.status(404).json({ error: `Tool "${req.params.toolName}" not found` });
+            // Check read access for the tool's graph
+            if (checkAccess) {
+                const cat = TOOL_CATEGORIES[tool.name];
+                if (cat && cat !== 'context' && cat !== 'cross-graph' && !checkAccess(req, cat, 'r')) {
+                    return res.status(403).json({ error: 'Access denied' });
+                }
+            }
+            res.json({
+                name: tool.name,
+                description: tool.description || '',
+                category: TOOL_CATEGORIES[tool.name] || 'other',
+                inputSchema: tool.inputSchema,
+            });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    // Call a tool
+    router.post('/:toolName/call', async (req, res, next) => {
+        try {
+            const p = getProject(req);
+            const toolName = req.params.toolName;
+            // Check access: read for queries, write for mutations
+            if (checkAccess) {
+                const cat = TOOL_CATEGORIES[toolName];
+                if (cat && cat !== 'context' && cat !== 'cross-graph') {
+                    const level = isMutationTool(toolName) ? 'rw' : 'r';
+                    if (!checkAccess(req, cat, level)) {
+                        return res.status(403).json({ error: level === 'rw' ? 'Read-only access' : 'Access denied' });
+                    }
+                }
+            }
+            const client = await getClient(p, projectManager);
+            const start = Date.now();
+            const result = await client.callTool({
+                name: toolName,
+                arguments: req.body.arguments || {},
+            });
+            const duration = Date.now() - start;
+            res.json({
+                result: result.content,
+                isError: result.isError || false,
+                duration,
+            });
+        }
+        catch (err) {
+            next(err);
+        }
+    });
+    return router;
+}

package/dist/api/rest/validation.js

@@ -0,0 +1,196 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attachmentFilenameSchema = exports.linkedQuerySchema = exports.graphExportSchema = exports.skillListSchema = exports.skillSearchSchema = exports.createSkillLinkSchema = exports.updateSkillSchema = exports.createSkillSchema = exports.fileListSchema = exports.listQuerySchema = exports.searchQuerySchema = exports.taskListSchema = exports.taskSearchSchema = exports.createTaskLinkSchema = exports.moveTaskSchema = exports.updateTaskSchema = exports.createTaskSchema = exports.noteListSchema = exports.noteSearchSchema = exports.createRelationSchema = exports.updateNoteSchema = exports.createNoteSchema = void 0;
+exports.validateBody = validateBody;
+exports.validateQuery = validateQuery;
+const zod_1 = require("zod");
+function validateBody(schema) {
+    return (req, _res, next) => {
+        req.body = schema.parse(req.body);
+        next();
+    };
+}
+function validateQuery(schema) {
+    return (req, _res, next) => {
+        req.validatedQuery = schema.parse(req.query);
+        next();
+    };
+}
+// ---------------------------------------------------------------------------
+// Knowledge schemas
+// ---------------------------------------------------------------------------
+exports.createNoteSchema = zod_1.z.object({
+    title: zod_1.z.string().min(1).max(500),
+    content: zod_1.z.string().max(1_000_000),
+    tags: zod_1.z.array(zod_1.z.string().max(100)).max(100).optional().default([]),
+});
+exports.updateNoteSchema = zod_1.z.object({
+    title: zod_1.z.string().min(1).max(500).optional(),
+    content: zod_1.z.string().max(1_000_000).optional(),
+    tags: zod_1.z.array(zod_1.z.string().max(100)).max(100).optional(),
+    version: zod_1.z.number().int().positive().optional(),
+});
+exports.createRelationSchema = zod_1.z.object({
+    fromId: zod_1.z.string().min(1),
+    toId: zod_1.z.string().min(1),
+    kind: zod_1.z.string().min(1),
+    targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'tasks', 'skills']).optional(),
+    projectId: zod_1.z.string().min(1).optional(),
+});
+exports.noteSearchSchema = zod_1.z.object({
+    q: zod_1.z.string().min(1).max(2000),
+    topK: zod_1.z.coerce.number().int().positive().max(500).optional(),
+    minScore: zod_1.z.coerce.number().min(0).max(1).optional(),
+    searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional(),
+});
+exports.noteListSchema = zod_1.z.object({
+    filter: zod_1.z.string().optional(),
+    tag: zod_1.z.string().optional(),
+    limit: zod_1.z.coerce.number().int().positive().optional(),
+});
+// ---------------------------------------------------------------------------
+// Task schemas
+// ---------------------------------------------------------------------------
+exports.createTaskSchema = zod_1.z.object({
+    title: zod_1.z.string().min(1).max(500),
+    description: zod_1.z.string().max(500_000).default(''),
+    status: zod_1.z.enum(['backlog', 'todo', 'in_progress', 'review', 'done', 'cancelled']).default('todo'),
+    priority: zod_1.z.enum(['critical', 'high', 'medium', 'low']).default('medium'),
+    tags: zod_1.z.array(zod_1.z.string().max(100)).max(100).optional().default([]),
+    dueDate: zod_1.z.number().nullable().optional(),
+    estimate: zod_1.z.number().nullable().optional(),
+    assignee: zod_1.z.string().max(100).nullable().optional(),
+});
+exports.updateTaskSchema = zod_1.z.object({
+    title: zod_1.z.string().min(1).max(500).optional(),
+    description: zod_1.z.string().max(500_000).optional(),
+    status: zod_1.z.enum(['backlog', 'todo', 'in_progress', 'review', 'done', 'cancelled']).optional(),
+    priority: zod_1.z.enum(['critical', 'high', 'medium', 'low']).optional(),
+    tags: zod_1.z.array(zod_1.z.string().max(100)).max(100).optional(),
+    dueDate: zod_1.z.number().nullable().optional(),
+    estimate: zod_1.z.number().nullable().optional(),
+    assignee: zod_1.z.string().max(100).nullable().optional(),
+    version: zod_1.z.number().int().positive().optional(),
+});
+exports.moveTaskSchema = zod_1.z.object({
+    status: zod_1.z.enum(['backlog', 'todo', 'in_progress', 'review', 'done', 'cancelled']),
+    version: zod_1.z.number().int().positive().optional(),
+});
+exports.createTaskLinkSchema = zod_1.z.object({
+    fromId: zod_1.z.string().min(1),
+    toId: zod_1.z.string().min(1),
+    kind: zod_1.z.string().min(1),
+    targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge', 'skills']).optional(),
+    projectId: zod_1.z.string().min(1).optional(),
+});
+exports.taskSearchSchema = zod_1.z.object({
+    q: zod_1.z.string().min(1).max(2000),
+    topK: zod_1.z.coerce.number().int().positive().max(500).optional(),
+    minScore: zod_1.z.coerce.number().min(0).max(1).optional(),
+    searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional(),
+});
+exports.taskListSchema = zod_1.z.object({
+    status: zod_1.z.enum(['backlog', 'todo', 'in_progress', 'review', 'done', 'cancelled']).optional(),
+    priority: zod_1.z.enum(['critical', 'high', 'medium', 'low']).optional(),
+    tag: zod_1.z.string().optional(),
+    filter: zod_1.z.string().optional(),
+    assignee: zod_1.z.string().optional(),
+    limit: zod_1.z.coerce.number().int().positive().optional(),
+});
+// ---------------------------------------------------------------------------
+// Search schemas (docs, code, files)
+// ---------------------------------------------------------------------------
+exports.searchQuerySchema = zod_1.z.object({
+    q: zod_1.z.string().min(1).max(2000),
+    topK: zod_1.z.coerce.number().int().positive().max(500).optional(),
+    minScore: zod_1.z.coerce.number().min(0).max(1).optional(),
+    searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional(),
+});
+exports.listQuerySchema = zod_1.z.object({
+    filter: zod_1.z.string().optional(),
+    limit: zod_1.z.coerce.number().int().positive().optional(),
+});
+// ---------------------------------------------------------------------------
+// File index schemas
+// ---------------------------------------------------------------------------
+exports.fileListSchema = zod_1.z.object({
+    directory: zod_1.z.string().optional(),
+    extension: zod_1.z.string().optional(),
+    language: zod_1.z.string().optional(),
+    filter: zod_1.z.string().optional(),
+    limit: zod_1.z.coerce.number().int().positive().optional(),
+});
+// ---------------------------------------------------------------------------
+// Graph export schema
+// ---------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Skill schemas
+// ---------------------------------------------------------------------------
+exports.createSkillSchema = zod_1.z.object({
+    title: zod_1.z.string().min(1).max(500),
+    description: zod_1.z.string().max(500_000).default(''),
+    steps: zod_1.z.array(zod_1.z.string().max(10_000)).max(100).optional().default([]),
+    triggers: zod_1.z.array(zod_1.z.string().max(500)).max(50).optional().default([]),
+    inputHints: zod_1.z.array(zod_1.z.string().max(500)).max(50).optional().default([]),
+    filePatterns: zod_1.z.array(zod_1.z.string().max(500)).max(50).optional().default([]),
+    tags: zod_1.z.array(zod_1.z.string().max(100)).max(100).optional().default([]),
+    source: zod_1.z.enum(['user', 'learned']).default('user'),
+    confidence: zod_1.z.number().min(0).max(1).default(1),
+});
+exports.updateSkillSchema = zod_1.z.object({
+    title: zod_1.z.string().min(1).max(500).optional(),
+    description: zod_1.z.string().max(500_000).optional(),
+    steps: zod_1.z.array(zod_1.z.string().max(10_000)).max(100).optional(),
+    triggers: zod_1.z.array(zod_1.z.string().max(500)).max(50).optional(),
+    inputHints: zod_1.z.array(zod_1.z.string().max(500)).max(50).optional(),
+    filePatterns: zod_1.z.array(zod_1.z.string().max(500)).max(50).optional(),
+    tags: zod_1.z.array(zod_1.z.string().max(100)).max(100).optional(),
+    source: zod_1.z.enum(['user', 'learned']).optional(),
+    confidence: zod_1.z.number().min(0).max(1).optional(),
+    version: zod_1.z.number().int().positive().optional(),
+});
+exports.createSkillLinkSchema = zod_1.z.object({
+    fromId: zod_1.z.string().min(1),
+    toId: zod_1.z.string().min(1),
+    kind: zod_1.z.string().min(1),
+    targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge', 'tasks']).optional(),
+    projectId: zod_1.z.string().min(1).optional(),
+});
+exports.skillSearchSchema = zod_1.z.object({
+    q: zod_1.z.string().min(1).max(2000),
+    topK: zod_1.z.coerce.number().int().positive().max(500).optional(),
+    minScore: zod_1.z.coerce.number().min(0).max(1).optional(),
+    searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional(),
+});
+exports.skillListSchema = zod_1.z.object({
+    source: zod_1.z.enum(['user', 'learned']).optional(),
+    tag: zod_1.z.string().optional(),
+    filter: zod_1.z.string().optional(),
+    limit: zod_1.z.coerce.number().int().positive().optional(),
+});
+exports.graphExportSchema = zod_1.z.object({
+    scope: zod_1.z.enum(['all', 'docs', 'code', 'knowledge', 'tasks', 'files', 'skills']).default('all'),
+});
+// ---------------------------------------------------------------------------
+// Attachment schemas
+// ---------------------------------------------------------------------------
+// ---------------------------------------------------------------------------
+// Linked query schema (cross-graph reverse lookup)
+// ---------------------------------------------------------------------------
+exports.linkedQuerySchema = zod_1.z.object({
+    targetGraph: zod_1.z.enum(['docs', 'code', 'files', 'knowledge', 'tasks', 'skills']),
+    targetNodeId: zod_1.z.string().min(1).max(500),
+    kind: zod_1.z.string().max(100).optional(),
+    projectId: zod_1.z.string().max(200).optional(),
+});
+// ---------------------------------------------------------------------------
+// Attachment schemas
+// ---------------------------------------------------------------------------
+/** Validates an attachment filename (path param). No path separators, no .., no dangerous chars. */
+exports.attachmentFilenameSchema = zod_1.z.string()
+    .min(1)
+    .max(255)
+    .refine(s => !/[/\\]/.test(s), 'Filename must not contain path separators')
+    .refine(s => !s.includes('..'), 'Filename must not contain ..')
+    .refine(s => !s.includes('\0'), 'Filename must not contain null bytes')
+    .refine(s => !/[\x00-\x1f\x7f"<>|?*]/.test(s), 'Filename contains invalid characters');