@graphmemory/server 1.2.0 → 1.3.0

package/LICENSE

@@ -1,15 +1,87 @@
-ISC License
+Copyright (c) 2025-2026 Graph Memory Team
 
-Copyright (c) 2026 prih
+Elastic License 2.0 (ELv2)
 
-Permission to use, copy, modify, and/or distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
+URL: https://www.elastic.co/licensing/elastic-license
 
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH
-REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT,
-INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
-LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
-OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
-PERFORMANCE OF THIS SOFTWARE.
+## Acceptance
+
+By using the software, you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide,
+non-sublicensable, non-transferable license to use, copy, distribute, make
+available, and prepare derivative works of the software, in each case subject
+to the limitations and conditions below.
+
+## Limitations
+
+You may not provide the software to third parties as a hosted or managed
+service, where the service provides users with access to any substantial set
+of the features or functionality of the software.
+
+You may not move, change, disable, or circumvent the license key functionality
+in the software, and you may not remove or obscure any functionality in the
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other
+notices of the licensor in the software. Any use of the licensor's trademarks
+is subject to applicable law.
+
+## Patents
+
+The licensor grants you a license, under any patent claims the licensor can
+license, or becomes able to license, to make, have made, use, sell, offer for
+sale, import and have imported the software, in each case subject to the
+limitations and conditions in this license. This license does not cover any
+patent claims that you cause to be infringed by modifications or additions to
+the software. If you or your company make any written claim that the software
+infringes or contributes to infringement of any patent, your patent license
+for the software granted under these terms ends immediately. If your company
+makes such a claim, your patent license ends immediately for work on behalf
+of your company.
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of the software from
+you also gets a copy of these terms.
+
+If you modify the software, you must include in any modified copies of the
+software prominent notices stating that you have modified the software.
+
+## No Other Rights
+
+These terms do not imply any licenses other than those expressly granted in
+these terms.
+
+## Termination
+
+If you use the software in violation of these terms, such use is not licensed,
+and your licenses will automatically terminate. If the licensor provides you
+with a notice of your violation, and you cease all violation of this license
+no later than 30 days after you receive that notice, your licenses will be
+reinstated retroactively. However, if you violate these terms after such
+reinstatement, any additional violation of these terms will cause your
+licenses to terminate automatically and permanently.
+
+## No Liability
+
+*As far as the law allows, the software comes as is, without any warranty or
+condition, and the licensor will not be liable to you for any damages arising
+out of these terms or the use or nature of the software, under any kind of
+legal claim.*
+
+## Definitions
+
+The **licensor** is the entity offering these terms, and the **software** is
+the software the licensor makes available under these terms, including any
+portion of it.
+
+**you** refers to the individual or entity agreeing to these terms.
+
+**your company** is any legal entity, sole proprietorship, or other kind of
+organization that you work for, plus all organizations that have control over,
+are under the control of, or are under common control with that organization.
+**control** means ownership of substantially all the assets of an entity, or
+the power to direct the management and policies of an entity.

package/README.md

@@ -170,6 +170,12 @@ Full documentation is in [docs/](docs/README.md):
 - **UI**: [architecture](docs/ui-architecture.md), [features](docs/ui-features.md), [patterns](docs/ui-patterns.md)
 - **Development**: [testing](docs/testing.md), [API patterns](docs/api-patterns.md)
 
+## Contributing
+
+Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+For security vulnerabilities, see [SECURITY.md](SECURITY.md).
+
 ## License
 
-ISC
+[Elastic License 2.0 (ELv2)](LICENSE) — free to use, modify, and self-host. Not permitted to offer as a managed/hosted service.

package/dist/api/index.js

@@ -46,6 +46,8 @@ const streamableHttp_js_1 = require("@modelcontextprotocol/sdk/server/streamable
 const embedder_1 = require("../lib/embedder");
 const index_1 = require("../api/rest/index");
 const websocket_1 = require("../api/rest/websocket");
+const access_1 = require("../lib/access");
+const multi_config_1 = require("../lib/multi-config");
 const docs_1 = require("../graphs/docs");
 const code_1 = require("../graphs/code");
 const knowledge_1 = require("../graphs/knowledge");
@@ -146,7 +148,7 @@ function buildInstructions(ctx) {
 }
 /**
  * Creates the McpServer with all tools wired to the given graphs.
- * Pass docGraph to enable the 10 doc tools (5 base + 5 code-block tools);
+ * Pass docGraph to enable the 9 doc tools (5 base + 4 code-block) + 1 cross_references (needs codeGraph too);
  * pass codeGraph to enable the 5 code tools;
  * pass fileIndexGraph to enable the 3 file index tools.
  * cross_references requires both docGraph and codeGraph.
@@ -156,7 +158,7 @@ function buildInstructions(ctx) {
  *                 Tests typically pass a single function; CLI passes a map for per-graph models.
  * @param mutationQueue  Optional PromiseQueue to serialize mutation tool handlers.
  */
-function createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, embedFn, mutationQueue, projectDir, skillGraph, sessionContext) {
+function createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, embedFn, mutationQueue, projectDir, skillGraph, sessionContext, readonlyGraphs, userAccess) {
     // Backward-compat: single EmbedFn → use for both document and query
     const defaultPair = { document: (q) => (0, embedder_1.embed)(q, ''), query: (q) => (0, embedder_1.embed)(q, '') };
     const fns = typeof embedFn === 'function'
@@ -181,11 +183,34 @@ function createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, ta
     const server = new mcp_js_1.McpServer({ name: 'graphmemory', version: '1.2.0' }, instructions ? { instructions } : undefined);
     // Mutation tools are registered through mutServer to serialize concurrent writes
     const mutServer = mutationQueue ? createMutationServer(server, mutationQueue) : server;
+    // Check if mutation tools should be registered for a graph:
+    // - graph must not be readonly (global setting — tools hidden for all)
+    // - user must have write access (per-user — tools hidden for this user)
+    // - if no userAccess map, all mutations are allowed (no auth configured)
+    const canMutate = (graphName) => {
+        if (readonlyGraphs?.has(graphName))
+            return false;
+        if (userAccess) {
+            const level = userAccess.get(graphName);
+            if (level && !(0, access_1.canWrite)(level))
+                return false;
+        }
+        return true;
+    };
+    // Check if a graph's tools should be registered at all (deny = no tools)
+    const canAccess = (graphName) => {
+        if (!userAccess)
+            return true;
+        const level = userAccess.get(graphName);
+        if (level && !(0, access_1.canRead)(level))
+            return false;
+        return true;
+    };
     // Context tool (always registered)
     getContext.register(server, sessionContext);
     const ext = { docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, skillGraph };
-    // Docs tools (only when docGraph is provided)
-    if (docGraph) {
+    // Docs tools (only when docGraph is provided and user has access)
+    if (docGraph && canAccess('docs')) {
         const docMgr = new docs_1.DocGraphManager(docGraph, fns.docs, ext);
         listTopics.register(server, docMgr);
         getToc.register(server, docMgr);
@@ -197,13 +222,13 @@ function createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, ta
         listSnippets.register(server, docMgr);
         explainSymbol.register(server, docMgr);
         // Cross-graph tools (require both docGraph and codeGraph)
-        if (codeGraph) {
+        if (codeGraph && canAccess('code')) {
             const codeMgrForCross = new code_1.CodeGraphManager(codeGraph, fns.code, ext);
             crossReferences.register(server, docMgr, codeMgrForCross);
         }
     }
-    // Code tools (only when codeGraph is provided)
-    if (codeGraph) {
+    // Code tools (only when codeGraph is provided and user has access)
+    if (codeGraph && canAccess('code')) {
         const codeMgr = new code_1.CodeGraphManager(codeGraph, fns.code, ext);
         listFiles.register(server, codeMgr);
         getFileSymbols.register(server, codeMgr);
@@ -211,74 +236,78 @@ function createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, ta
         getSymbol.register(server, codeMgr);
         searchCodeFiles.register(server, codeMgr);
     }
-    // File index tools (always registered when fileIndexGraph is provided)
-    if (fileIndexGraph) {
+    // File index tools (when fileIndexGraph is provided and user has access)
+    if (fileIndexGraph && canAccess('files')) {
         const fileIndexMgr = new file_index_1.FileIndexGraphManager(fileIndexGraph, fns.files, ext);
         listAllFiles.register(server, fileIndexMgr);
         searchAllFiles.register(server, fileIndexMgr);
         getFileInfo.register(server, fileIndexMgr);
     }
-    // Knowledge tools (always registered)
-    // Mutations (create/update/delete) go through mutServer for queue serialization
-    if (knowledgeGraph) {
+    // Knowledge tools — read tools gated by canAccess, mutation tools gated by canMutate
+    if (knowledgeGraph && canAccess('knowledge')) {
         const ctx = projectDir ? { ...(0, manager_types_1.noopContext)(), projectDir } : (0, manager_types_1.noopContext)();
         const knowledgeMgr = new knowledge_1.KnowledgeGraphManager(knowledgeGraph, fns.knowledge, ctx, {
             docGraph, codeGraph, fileIndexGraph, taskGraph, skillGraph,
         });
-        createNote.register(mutServer, knowledgeMgr);
-        updateNote.register(mutServer, knowledgeMgr);
-        deleteNote.register(mutServer, knowledgeMgr);
         getNote.register(server, knowledgeMgr);
         listNotes.register(server, knowledgeMgr);
         searchNotes.register(server, knowledgeMgr);
-        createRelation.register(mutServer, knowledgeMgr);
-        deleteRelation.register(mutServer, knowledgeMgr);
         listRelations.register(server, knowledgeMgr);
         findLinkedNotes.register(server, knowledgeMgr);
-        addNoteAttachment.register(mutServer, knowledgeMgr);
-        removeNoteAttachment.register(mutServer, knowledgeMgr);
+        if (canMutate('knowledge')) {
+            createNote.register(mutServer, knowledgeMgr);
+            updateNote.register(mutServer, knowledgeMgr);
+            deleteNote.register(mutServer, knowledgeMgr);
+            createRelation.register(mutServer, knowledgeMgr);
+            deleteRelation.register(mutServer, knowledgeMgr);
+            addNoteAttachment.register(mutServer, knowledgeMgr);
+            removeNoteAttachment.register(mutServer, knowledgeMgr);
+        }
     }
-    // Task tools (always registered when taskGraph is provided)
-    // Mutations go through mutServer for queue serialization
-    if (taskGraph) {
+    // Task tools — read tools gated by canAccess, mutation tools gated by canMutate
+    if (taskGraph && canAccess('tasks')) {
         const taskCtx = projectDir ? { ...(0, manager_types_1.noopContext)(), projectDir } : (0, manager_types_1.noopContext)();
         const taskMgr = new task_1.TaskGraphManager(taskGraph, fns.tasks, taskCtx, {
             docGraph, codeGraph, knowledgeGraph, fileIndexGraph, skillGraph,
         });
-        createTask.register(mutServer, taskMgr);
-        updateTask.register(mutServer, taskMgr);
-        deleteTask.register(mutServer, taskMgr);
         getTask.register(server, taskMgr);
         listTasksTool.register(server, taskMgr);
         searchTasksTool.register(server, taskMgr);
-        moveTask.register(mutServer, taskMgr);
-        linkTask.register(mutServer, taskMgr);
-        createTaskLink.register(mutServer, taskMgr);
-        deleteTaskLink.register(mutServer, taskMgr);
         findLinkedTasks.register(server, taskMgr);
-        addTaskAttachment.register(mutServer, taskMgr);
-        removeTaskAttachment.register(mutServer, taskMgr);
+        if (canMutate('tasks')) {
+            createTask.register(mutServer, taskMgr);
+            updateTask.register(mutServer, taskMgr);
+            deleteTask.register(mutServer, taskMgr);
+            moveTask.register(mutServer, taskMgr);
+            linkTask.register(mutServer, taskMgr);
+            createTaskLink.register(mutServer, taskMgr);
+            deleteTaskLink.register(mutServer, taskMgr);
+            addTaskAttachment.register(mutServer, taskMgr);
+            removeTaskAttachment.register(mutServer, taskMgr);
+        }
     }
-    // Skill tools (always registered when skillGraph is provided)
-    if (skillGraph) {
+    // Skill tools — read tools gated by canAccess, mutation tools gated by canMutate
+    if (skillGraph && canAccess('skills')) {
         const skillCtx = projectDir ? { ...(0, manager_types_1.noopContext)(), projectDir } : (0, manager_types_1.noopContext)();
         const skillMgr = new skill_1.SkillGraphManager(skillGraph, fns.skills, skillCtx, {
             docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph,
         });
-        createSkillTool.register(mutServer, skillMgr);
-        updateSkillTool.register(mutServer, skillMgr);
-        deleteSkillTool.register(mutServer, skillMgr);
         getSkillTool.register(server, skillMgr);
         listSkillsTool.register(server, skillMgr);
         searchSkillsTool.register(server, skillMgr);
-        linkSkill.register(mutServer, skillMgr);
-        createSkillLink.register(mutServer, skillMgr);
-        deleteSkillLink.register(mutServer, skillMgr);
         findLinkedSkills.register(server, skillMgr);
-        addSkillAttachment.register(mutServer, skillMgr);
-        removeSkillAttachment.register(mutServer, skillMgr);
         recallSkills.register(server, skillMgr);
-        bumpSkillUsage.register(mutServer, skillMgr);
+        if (canMutate('skills')) {
+            createSkillTool.register(mutServer, skillMgr);
+            updateSkillTool.register(mutServer, skillMgr);
+            deleteSkillTool.register(mutServer, skillMgr);
+            linkSkill.register(mutServer, skillMgr);
+            createSkillLink.register(mutServer, skillMgr);
+            deleteSkillLink.register(mutServer, skillMgr);
+            addSkillAttachment.register(mutServer, skillMgr);
+            removeSkillAttachment.register(mutServer, skillMgr);
+            bumpSkillUsage.register(mutServer, skillMgr);
+        }
     }
     return server;
 }
@@ -297,7 +326,7 @@ async function collectBody(req) {
     }
     return JSON.parse(Buffer.concat(chunks).toString());
 }
-async function startHttpServer(host, port, sessionTimeoutMs, docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, embedFn, projectDir, skillGraph, sessionContext) {
+async function startHttpServer(host, port, sessionTimeoutMs, docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, embedFn, projectDir, skillGraph, sessionContext, readonlyGraphs) {
     const sessions = new Map();
     // Sweep stale sessions every 60s
     const sweepInterval = setInterval(() => {
@@ -344,7 +373,7 @@ async function startHttpServer(host, port, sessionTimeoutMs, docGraph, codeGraph
                 if (sid)
                     sessions.delete(sid);
             };
-            const mcpServer = createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, embedFn, undefined, projectDir, skillGraph, sessionContext);
+            const mcpServer = createMcpServer(docGraph, codeGraph, knowledgeGraph, fileIndexGraph, taskGraph, embedFn, undefined, projectDir, skillGraph, sessionContext, readonlyGraphs);
             await mcpServer.connect(transport);
             await transport.handleRequest(req, res, body);
         }
@@ -439,6 +468,23 @@ async function startMultiProjectHttpServer(host, port, sessionTimeoutMs, project
                 res.writeHead(404).end(JSON.stringify({ error: `Project "${projectId}" not found` }));
                 return;
             }
+            // Auth: if users configured, require valid API key
+            const users = restOptions?.users ?? {};
+            const hasUsers = Object.keys(users).length > 0;
+            let userId;
+            if (hasUsers) {
+                const auth = req.headers.authorization;
+                if (!auth?.startsWith('Bearer ') || auth.length <= 7) {
+                    res.writeHead(401).end(JSON.stringify({ error: 'API key required' }));
+                    return;
+                }
+                const result = (0, access_1.resolveUserFromApiKey)(auth.slice(7), users);
+                if (!result) {
+                    res.writeHead(401).end(JSON.stringify({ error: 'Invalid API key' }));
+                    return;
+                }
+                userId = result.userId;
+            }
             // Build session context (auto-detect workspace if not in URL)
             const ws = workspaceId
                 ? projectManager.getWorkspace(workspaceId)
@@ -447,13 +493,38 @@ async function startMultiProjectHttpServer(host, port, sessionTimeoutMs, project
                 projectId,
                 workspaceId: ws?.id,
                 workspaceProjects: ws?.config.projects,
+                userId,
             };
+            // Build readonly set from config + workspace overrides
+            const mcpReadonlyGraphs = new Set();
+            for (const gn of multi_config_1.GRAPH_NAMES) {
+                if (project.config.graphConfigs[gn].readonly)
+                    mcpReadonlyGraphs.add(gn);
+            }
+            if (project.workspaceId) {
+                const wsInst = projectManager.getWorkspace(project.workspaceId);
+                if (wsInst) {
+                    for (const gn of ['knowledge', 'tasks', 'skills']) {
+                        if (wsInst.config.graphConfigs[gn].readonly)
+                            mcpReadonlyGraphs.add(gn);
+                    }
+                }
+            }
+            // Build per-user access map
+            let mcpUserAccess;
+            if (userId && restOptions?.serverConfig) {
+                mcpUserAccess = new Map();
+                for (const gn of multi_config_1.GRAPH_NAMES) {
+                    const level = (0, access_1.resolveAccess)(userId, gn, project.config, restOptions.serverConfig, ws?.config);
+                    mcpUserAccess.set(gn, level);
+                }
+            }
             const body = await collectBody(req);
             const transport = new streamableHttp_js_1.StreamableHTTPServerTransport({
                 sessionIdGenerator: () => (0, crypto_1.randomUUID)(),
                 onsessioninitialized: (sid) => {
-                    sessions.set(sid, { projectId, workspaceId: ws?.id, server: mcpServer, transport, lastActivity: Date.now() });
-                    process.stderr.write(`[http] Session ${sid} started (project: ${projectId}${ws ? `, workspace: ${ws.id}` : ''})\n`);
+                    sessions.set(sid, { projectId, workspaceId: ws?.id, userId, server: mcpServer, transport, lastActivity: Date.now() });
+                    process.stderr.write(`[http] Session ${sid} started (project: ${projectId}${ws ? `, workspace: ${ws.id}` : ''}${userId ? `, user: ${userId}` : ''})\n`);
                 },
             });
             transport.onclose = () => {
@@ -461,7 +532,7 @@ async function startMultiProjectHttpServer(host, port, sessionTimeoutMs, project
                 if (sid)
                     sessions.delete(sid);
             };
-            const mcpServer = createMcpServer(project.docGraph, project.codeGraph, project.knowledgeGraph, project.fileIndexGraph, project.taskGraph, project.embedFns, project.mutationQueue, project.config.projectDir, project.skillGraph, sessionCtx);
+            const mcpServer = createMcpServer(project.docGraph, project.codeGraph, project.knowledgeGraph, project.fileIndexGraph, project.taskGraph, project.embedFns, project.mutationQueue, project.config.projectDir, project.skillGraph, sessionCtx, mcpReadonlyGraphs, mcpUserAccess);
             await mcpServer.connect(transport);
             await transport.handleRequest(req, res, body);
         }
@@ -477,9 +548,35 @@ async function startMultiProjectHttpServer(host, port, sessionTimeoutMs, project
     });
     return new Promise((resolve) => {
         httpServer.listen(port, host, () => {
-            process.stderr.write(`[server] MCP endpoints: http://${host}:${port}/mcp/{projectId} and /mcp/{workspaceId}/{projectId}\n`);
-            process.stderr.write(`[server] REST API at http://${host}:${port}/api/\n`);
-            process.stderr.write(`[server] WebSocket at ws://${host}:${port}/api/ws\n`);
+            const base = `http://${host}:${port}`;
+            const projects = projectManager.listProjects();
+            const workspaces = projectManager.listWorkspaces();
+            const lines = [
+                '',
+                '  ╔══════════════════════════════════════════════╗',
+                '  ║         Graph Memory Server Ready            ║',
+                '  ╚══════════════════════════════════════════════╝',
+                '',
+                `  UI        ${base}/ui/`,
+                `  REST API  ${base}/api/`,
+                `  WebSocket ws://${host}:${port}/api/ws`,
+                '',
+                '  MCP endpoints:',
+            ];
+            for (const id of projects) {
+                const ws = projectManager.getProjectWorkspace(id);
+                const wsLabel = ws ? ` (${ws.id})` : '';
+                lines.push(`    ${id}${wsLabel}  ${base}/mcp/${id}`);
+            }
+            if (projects.length === 0) {
+                lines.push('    (no projects configured)');
+            }
+            if (workspaces.length > 0) {
+                lines.push('');
+                lines.push(`  Workspaces: ${workspaces.join(', ')}`);
+            }
+            lines.push('');
+            process.stderr.write(lines.join('\n') + '\n');
             resolve(httpServer);
         });
     });

package/dist/api/rest/index.js

@@ -46,7 +46,7 @@ function createRestApp(projectManager, options) {
     const users = options?.users ?? {};
     const hasUsers = Object.keys(users).length > 0;
     const corsOrigins = serverConfig?.corsOrigins;
-    app.use((0, cors_1.default)(corsOrigins?.length ? { origin: corsOrigins, credentials: true } : { credentials: true }));
+    app.use((0, cors_1.default)(corsOrigins?.length ? { origin: corsOrigins, credentials: true } : {}));
     app.use(express_1.default.json({ limit: '10mb' }));
     app.use((0, cookie_parser_1.default)());
     // Security headers
@@ -89,7 +89,7 @@ function createRestApp(projectManager, options) {
                 const payload = (0, jwt_1.verifyToken)(accessToken, jwtSecret);
                 if (payload?.type === 'access' && users[payload.userId]) {
                     const user = users[payload.userId];
-                    return res.json({ required: true, authenticated: true, userId: payload.userId, name: user.name });
+                    return res.json({ required: true, authenticated: true, userId: payload.userId, name: user.name, apiKey: user.apiKey });
                 }
             }
         }
@@ -170,7 +170,7 @@ function createRestApp(projectManager, options) {
             }
             // 2. Bearer apiKey (from MCP/API clients)
             const auth = req.headers.authorization;
-            if (auth?.startsWith('Bearer ')) {
+            if (auth?.startsWith('Bearer ') && auth.length > 7) {
                 const apiKey = auth.slice(7);
                 const result = (0, access_1.resolveUserFromApiKey)(apiKey, users);
                 if (result) {
@@ -178,6 +178,7 @@ function createRestApp(projectManager, options) {
                     req.user = result.user;
                     return next();
                 }
+                // Invalid Bearer token — reject (explicit auth attempt should not fall through)
                 return _res.status(401).json({ error: 'Invalid API key' });
             }
             // 3. No auth = anonymous (uses defaultAccess)
@@ -200,13 +201,16 @@ function createRestApp(projectManager, options) {
             const p = projectManager.getProject(id);
             const gc = p.config.graphConfigs;
             const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
-            // Per-graph info: enabled + access level for current user
+            // Per-graph info: enabled, readonly, access level for current user
             const graphs = {};
             for (const gn of multi_config_1.GRAPH_NAMES) {
-                const access = serverConfig
+                let access = serverConfig
                     ? (0, access_1.resolveAccess)(userId, gn, p.config, serverConfig, ws?.config)
                     : 'rw';
-                graphs[gn] = { enabled: gc[gn].enabled, access: gc[gn].enabled ? access : null };
+                // Cap access for readonly graphs
+                if (access === 'rw' && gc[gn].readonly)
+                    access = 'r';
+                graphs[gn] = { enabled: gc[gn].enabled, readonly: gc[gn].readonly, access: gc[gn].enabled ? access : null };
             }
             return {
                 id,
@@ -280,14 +284,23 @@ function createRestApp(projectManager, options) {
     // Middleware: check access level for a graph (read or read-write)
     function requireGraphAccess(graphName, level) {
         return (req, _res, next) => {
+            const p = req.project;
+            // Graph-level readonly: enforce even without auth config
+            const isReadonly = p?.config.graphConfigs[graphName]?.readonly;
+            if (isReadonly) {
+                req.accessLevel = 'r';
+            }
             if (!serverConfig)
                 return next(); // no config = no auth enforcement
-            const p = req.project;
             if (!p)
                 return next();
             const userId = req.userId;
             const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
-            const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+            let access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+            // Graph-level readonly: cap to 'r' regardless of user permissions
+            if (access === 'rw' && p.config.graphConfigs[graphName]?.readonly) {
+                access = 'r';
+            }
             if (!(0, access_1.canRead)(access)) {
                 return _res.status(403).json({ error: 'Access denied' });
             }
@@ -329,7 +342,9 @@ function createRestApp(projectManager, options) {
             return true;
         const userId = req.userId;
         const ws = p.workspaceId ? projectManager.getWorkspace(p.workspaceId) : undefined;
-        const access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+        let access = (0, access_1.resolveAccess)(userId, graphName, p.config, serverConfig, ws?.config);
+        if (access === 'rw' && p.config.graphConfigs[graphName]?.readonly)
+            access = 'r';
         if (level === 'rw')
             return (0, access_1.canWrite)(access);
         return (0, access_1.canRead)(access);
@@ -338,16 +353,21 @@ function createRestApp(projectManager, options) {
     if (serverConfig?.embeddingApi?.enabled && options?.embeddingApiModelName) {
         app.use('/api/embed', (0, embed_1.createEmbedRouter)(serverConfig.embeddingApi, options.embeddingApiModelName));
     }
-    // Serve UI static files — check dist/ui/ (npm package) then ui/dist/ (dev)
+    // Serve UI at /ui/ path — check dist/ui/ (npm package) then ui/dist/ (dev)
     const uiDistPkg = path_1.default.resolve(__dirname, '../../ui');
     const uiDistDev = path_1.default.resolve(__dirname, '../../../ui/dist');
     const uiDist = fs_1.default.existsSync(uiDistPkg) ? uiDistPkg : uiDistDev;
-    app.use(express_1.default.static(uiDist));
-    // SPA fallback: serve index.html for non-API routes
-    app.get('/{*splat}', (_req, res, next) => {
-        if (_req.path.startsWith('/api/'))
+    // Redirect root to /ui/
+    app.get('/', (_req, res) => { res.redirect('/ui/'); });
+    // Static files under /ui/
+    app.use('/ui', express_1.default.static(uiDist, { redirect: false, index: false }));
+    // SPA fallback: serve index.html for all /ui/* routes
+    const indexHtml = path_1.default.join(uiDist, 'index.html');
+    app.use('/ui', (_req, res, next) => {
+        // Skip requests for actual files (assets with extensions like .js, .css, .png)
+        if (_req.path.includes('.') && !_req.path.endsWith('.html'))
             return next();
-        res.sendFile(path_1.default.join(uiDist, 'index.html'), (err) => {
+        res.sendFile(indexHtml, (err) => {
             if (err)
                 next();
         });

package/dist/api/rest/tools.js

@@ -5,6 +5,7 @@ const express_1 = require("express");
 const index_js_1 = require("@modelcontextprotocol/sdk/client/index.js");
 const inMemory_js_1 = require("@modelcontextprotocol/sdk/inMemory.js");
 const index_1 = require("../../api/index");
+const multi_config_1 = require("../../lib/multi-config");
 // Tool category detection based on tool name
 const TOOL_CATEGORIES = {
     get_context: 'context',
@@ -49,8 +50,14 @@ async function getClient(p, pm) {
         workspaceId: ws?.id,
         workspaceProjects: ws?.config.projects,
     };
+    // Build readonly set from config for defense-in-depth
+    const readonlyGraphs = new Set();
+    for (const gn of multi_config_1.GRAPH_NAMES) {
+        if (p.config.graphConfigs[gn].readonly)
+            readonlyGraphs.add(gn);
+    }
     const [serverTransport, clientTransport] = inMemory_js_1.InMemoryTransport.createLinkedPair();
-    const server = (0, index_1.createMcpServer)(p.docGraph, p.codeGraph, p.knowledgeGraph, p.fileIndexGraph, p.taskGraph, p.embedFns, p.mutationQueue, p.config.projectDir, p.skillGraph, sessionCtx);
+    const server = (0, index_1.createMcpServer)(p.docGraph, p.codeGraph, p.knowledgeGraph, p.fileIndexGraph, p.taskGraph, p.embedFns, p.mutationQueue, p.config.projectDir, p.skillGraph, sessionCtx, readonlyGraphs.size > 0 ? readonlyGraphs : undefined);
     await server.connect(serverTransport);
     const client = new index_js_1.Client({ name: 'tools-explorer', version: '1.0.0' });
     await client.connect(clientTransport);

package/dist/api/tools/code/search-code.js

@@ -5,23 +5,26 @@ const zod_1 = require("zod");
 function register(server, mgr) {
     server.registerTool('search_code', {
         description: 'Semantic search over the indexed source code. ' +
-            'Finds the most relevant symbols (functions, classes, types) by matching ' +
-            'against their signatures and doc comments using vector similarity, ' +
+            'Supports three modes: hybrid (default, combines BM25 keyword + vector similarity), ' +
+            'vector (embedding only), keyword (BM25 text matching only). ' +
+            'Finds the most relevant symbols (functions, classes, constructors, types) by matching ' +
+            'against name, signature, doc comments, and body text, ' +
             'then expands results by following graph edges (imports, contains, extends). ' +
             'Returns an array sorted by relevance score (0–1), each with: ' +
             'id, fileId, kind, name, signature, docComment, startLine, endLine, score. ' +
-            'Pass an id to get_symbol to read the full implementation.',
+            'Set includeBody=true to include full source code in results (avoids extra get_symbol calls).',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language or code search query, e.g. "function that loads the graph from disk"'),
-            topK: zod_1.z.number().optional().describe('How many top similar symbols to use as seeds (default 5)'),
-            bfsDepth: zod_1.z.number().optional().describe('How many hops to follow graph edges from each seed (default 1; 0 = no expansion)'),
-            maxResults: zod_1.z.number().optional().describe('Maximum number of results to return (default 20)'),
-            minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1; lower values return more results (default 0.5)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('How many top similar symbols to use as seeds (default 5)'),
+            bfsDepth: zod_1.z.number().min(0).max(10).optional().describe('How many hops to follow graph edges from each seed (default 1; 0 = no expansion)'),
+            maxResults: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 20)'),
+            minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1; lower values return more results (default 0.3)'),
             bfsDecay: zod_1.z.number().min(0).max(1).optional().describe('Score multiplier per graph hop (default 0.8)'),
             searchMode: zod_1.z.enum(['hybrid', 'vector', 'keyword']).optional().describe('Search mode: hybrid (default, BM25 + vector), vector (embedding only), keyword (BM25 only)'),
+            includeBody: zod_1.z.boolean().optional().describe('Include full source code body in results (default false)'),
         },
-    }, async ({ query, topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode }) => {
-        const results = await mgr.search(query, { topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode });
+    }, async ({ query, topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode, includeBody }) => {
+        const results = await mgr.search(query, { topK, bfsDepth, maxResults, minScore, bfsDecay, searchMode, includeBody });
         return { content: [{ type: 'text', text: JSON.stringify(results, null, 2) }] };
     });
 }

package/dist/api/tools/code/search-files.js

@@ -12,7 +12,7 @@ function register(server, mgr) {
             'Use this to discover which source files are relevant before diving into symbols with get_file_symbols or search_code.',
         inputSchema: {
             query: zod_1.z.string().describe('Natural language or path search query, e.g. "graph persistence" or "search module"'),
-            topK: zod_1.z.number().optional().describe('Maximum number of results to return (default 10)'),
+            topK: zod_1.z.number().min(1).max(500).optional().describe('Maximum number of results to return (default 10)'),
             minScore: zod_1.z.number().min(0).max(1).optional().describe('Minimum relevance score 0–1 (default 0.3)'),
         },
     }, async ({ query, topK, minScore }) => {