npm - @hailer/mcp - Versions diffs - 1.2.0 → 1.3.9 - Mend

@hailer/mcp 1.2.0 → 1.3.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (774) hide show

package/.claude/agents/agent-hailer-helper.md +118 -0
package/.claude/commands/debug-squad.md +13 -290
package/.claude/commands/publish.md +2 -2
package/.claude/commands/review-squad.md +17 -139
package/.claude/skills/create-and-publish-app/SKILL.md +148 -81
package/.claude/skills/hailer-app-builder/SKILL.md +29 -2
package/.claude/skills/hailer-ui-guide/SKILL.md +265 -0
package/.env.example +50 -1
package/CLAUDE.md +141 -10
package/dist/app-prep.d.ts +27 -0
package/dist/app-prep.d.ts.map +1 -0
package/dist/app-prep.js +94 -0
package/dist/app-prep.js.map +1 -0
package/dist/app.d.ts.map +1 -1
package/dist/app.js +3 -0
package/dist/app.js.map +1 -1
package/dist/bot/bot-manager.d.ts +9 -6
package/dist/bot/bot-manager.d.ts.map +1 -1
package/dist/bot/bot-manager.js +142 -31
package/dist/bot/bot-manager.js.map +1 -1
package/dist/bot/bot.d.ts +61 -16
package/dist/bot/bot.d.ts.map +1 -1
package/dist/bot/bot.js +927 -151
package/dist/bot/bot.js.map +1 -1
package/dist/bot/operation-logger.d.ts.map +1 -1
package/dist/bot/operation-logger.js +24 -12
package/dist/bot/operation-logger.js.map +1 -1
package/dist/bot/services/bot-permissions.d.ts +37 -5
package/dist/bot/services/bot-permissions.d.ts.map +1 -1
package/dist/bot/services/bot-permissions.js +159 -35
package/dist/bot/services/bot-permissions.js.map +1 -1
package/dist/bot/services/conversation-manager.d.ts +23 -23
package/dist/bot/services/conversation-manager.d.ts.map +1 -1
package/dist/bot/services/conversation-manager.js +52 -49
package/dist/bot/services/conversation-manager.js.map +1 -1
package/dist/bot/services/helper-prompt.d.ts +8 -0
package/dist/bot/services/helper-prompt.d.ts.map +1 -0
package/dist/bot/services/helper-prompt.js +177 -0
package/dist/bot/services/helper-prompt.js.map +1 -0
package/dist/bot/services/message-classifier.d.ts +16 -16
package/dist/bot/services/message-classifier.d.ts.map +1 -1
package/dist/bot/services/message-classifier.js +55 -49
package/dist/bot/services/message-classifier.js.map +1 -1
package/dist/bot/services/message-formatter.d.ts +47 -38
package/dist/bot/services/message-formatter.d.ts.map +1 -1
package/dist/bot/services/message-formatter.js +99 -80
package/dist/bot/services/message-formatter.js.map +1 -1
package/dist/bot/services/permission-guard.d.ts.map +1 -1
package/dist/bot/services/permission-guard.js +20 -10
package/dist/bot/services/permission-guard.js.map +1 -1
package/dist/bot/services/signal-router.d.ts.map +1 -1
package/dist/bot/services/signal-router.js +11 -6
package/dist/bot/services/signal-router.js.map +1 -1
package/dist/bot/services/system-prompt.d.ts +14 -0
package/dist/bot/services/system-prompt.d.ts.map +1 -1
package/dist/bot/services/system-prompt.js +181 -4
package/dist/bot/services/system-prompt.js.map +1 -1
package/dist/bot/services/token-billing.d.ts +23 -23
package/dist/bot/services/token-billing.d.ts.map +1 -1
package/dist/bot/services/token-billing.js +51 -36
package/dist/bot/services/token-billing.js.map +1 -1
package/dist/bot/services/types.d.ts +3 -1
package/dist/bot/services/types.d.ts.map +1 -1
package/dist/bot/services/typing-indicator.d.ts +8 -8
package/dist/bot/services/typing-indicator.d.ts.map +1 -1
package/dist/bot/services/typing-indicator.js +12 -10
package/dist/bot/services/typing-indicator.js.map +1 -1
package/dist/bot/services/workspace-refresh.d.ts +3 -3
package/dist/bot/services/workspace-refresh.d.ts.map +1 -1
package/dist/bot/services/workspace-refresh.js +23 -13
package/dist/bot/services/workspace-refresh.js.map +1 -1
package/dist/bot/tool-executor.d.ts +10 -6
package/dist/bot/tool-executor.d.ts.map +1 -1
package/dist/bot/tool-executor.js +12 -6
package/dist/bot/tool-executor.js.map +1 -1
package/dist/bot/workspace-overview.d.ts.map +1 -1
package/dist/bot/workspace-overview.js +6 -3
package/dist/bot/workspace-overview.js.map +1 -1
package/dist/bot-config/activity-error.d.ts +47 -0
package/dist/bot-config/activity-error.d.ts.map +1 -0
package/dist/bot-config/activity-error.js +67 -0
package/dist/bot-config/activity-error.js.map +1 -0
package/dist/bot-config/context.d.ts +4 -4
package/dist/bot-config/context.d.ts.map +1 -1
package/dist/bot-config/context.js +18 -14
package/dist/bot-config/context.js.map +1 -1
package/dist/bot-config/events.d.ts +45 -0
package/dist/bot-config/events.d.ts.map +1 -0
package/dist/bot-config/events.js +51 -0
package/dist/bot-config/events.js.map +1 -0
package/dist/bot-config/index.d.ts +3 -0
package/dist/bot-config/index.d.ts.map +1 -1
package/dist/bot-config/index.js +8 -1
package/dist/bot-config/index.js.map +1 -1
package/dist/bot-config/loader.d.ts +3 -0
package/dist/bot-config/loader.d.ts.map +1 -1
package/dist/bot-config/loader.js +45 -20
package/dist/bot-config/loader.js.map +1 -1
package/dist/bot-config/persistence.js.map +1 -1
package/dist/bot-config/reconciler.d.ts +11 -0
package/dist/bot-config/reconciler.d.ts.map +1 -0
package/dist/bot-config/reconciler.js +121 -0
package/dist/bot-config/reconciler.js.map +1 -0
package/dist/bot-config/state.d.ts.map +1 -1
package/dist/bot-config/state.js.map +1 -1
package/dist/bot-config/types.d.ts +32 -0
package/dist/bot-config/types.d.ts.map +1 -1
package/dist/bot-config/webhooks.d.ts.map +1 -1
package/dist/bot-config/webhooks.js.map +1 -1
package/dist/bot-config/workflow-installer.d.ts +37 -0
package/dist/bot-config/workflow-installer.d.ts.map +1 -0
package/dist/bot-config/workflow-installer.js +346 -0
package/dist/bot-config/workflow-installer.js.map +1 -0
package/dist/cli.d.ts +4 -1
package/dist/cli.d.ts.map +1 -1
package/dist/cli.js +92 -11
package/dist/cli.js.map +1 -1
package/dist/config.d.ts +23 -19
package/dist/config.d.ts.map +1 -1
package/dist/config.js +65 -27
package/dist/config.js.map +1 -1
package/dist/core.d.ts +6 -4
package/dist/core.d.ts.map +1 -1
package/dist/core.js +11 -16
package/dist/core.js.map +1 -1
package/dist/lib/logger.d.ts.map +1 -1
package/dist/lib/logger.js +7 -4
package/dist/lib/logger.js.map +1 -1
package/dist/lib/request-logger.d.ts +19 -19
package/dist/lib/request-logger.d.ts.map +1 -1
package/dist/lib/request-logger.js +19 -19
package/dist/lib/request-logger.js.map +1 -1
package/dist/mcp/UserContextCache.d.ts +28 -22
package/dist/mcp/UserContextCache.d.ts.map +1 -1
package/dist/mcp/UserContextCache.js +23 -23
package/dist/mcp/UserContextCache.js.map +1 -1
package/dist/mcp/auth.js.map +1 -1
package/dist/mcp/hailer-clients.d.ts +5 -4
package/dist/mcp/hailer-clients.d.ts.map +1 -1
package/dist/mcp/hailer-clients.js +83 -34
package/dist/mcp/hailer-clients.js.map +1 -1
package/dist/mcp/hailer-rpc.d.ts +40 -0
package/dist/mcp/hailer-rpc.d.ts.map +1 -0
package/dist/mcp/hailer-rpc.js +43 -0
package/dist/mcp/hailer-rpc.js.map +1 -0
package/dist/mcp/publish-auth-injector.d.ts +22 -0
package/dist/mcp/publish-auth-injector.d.ts.map +1 -0
package/dist/mcp/publish-auth-injector.js +100 -0
package/dist/mcp/publish-auth-injector.js.map +1 -0
package/dist/mcp/session-store.d.ts +16 -16
package/dist/mcp/session-store.d.ts.map +1 -1
package/dist/mcp/session-store.js +16 -16
package/dist/mcp/session-store.js.map +1 -1
package/dist/mcp/tool-profiles.d.ts +69 -0
package/dist/mcp/tool-profiles.d.ts.map +1 -0
package/dist/mcp/tool-profiles.js +176 -0
package/dist/mcp/tool-profiles.js.map +1 -0
package/dist/mcp/tool-registry.d.ts +16 -0
package/dist/mcp/tool-registry.d.ts.map +1 -1
package/dist/mcp/tool-registry.js +91 -39
package/dist/mcp/tool-registry.js.map +1 -1
package/dist/mcp/tools/activity.d.ts +2 -0
package/dist/mcp/tools/activity.d.ts.map +1 -1
package/dist/mcp/tools/activity.js +575 -218
package/dist/mcp/tools/activity.js.map +1 -1
package/dist/mcp/tools/aliases.d.ts +11 -0
package/dist/mcp/tools/aliases.d.ts.map +1 -0
package/dist/mcp/tools/aliases.js +182 -0
package/dist/mcp/tools/aliases.js.map +1 -0
package/dist/mcp/tools/app-core.d.ts +6 -8
package/dist/mcp/tools/app-core.d.ts.map +1 -1
package/dist/mcp/tools/app-core.js +355 -254
package/dist/mcp/tools/app-core.js.map +1 -1
package/dist/mcp/tools/app-marketplace.d.ts +8 -16
package/dist/mcp/tools/app-marketplace.d.ts.map +1 -1
package/dist/mcp/tools/app-marketplace.js +604 -932
package/dist/mcp/tools/app-marketplace.js.map +1 -1
package/dist/mcp/tools/app.d.ts +4 -7
package/dist/mcp/tools/app.d.ts.map +1 -1
package/dist/mcp/tools/app.js +4 -7
package/dist/mcp/tools/app.js.map +1 -1
package/dist/mcp/tools/bot-self.d.ts +21 -0
package/dist/mcp/tools/bot-self.d.ts.map +1 -0
package/dist/mcp/tools/bot-self.js +174 -0
package/dist/mcp/tools/bot-self.js.map +1 -0
package/dist/mcp/tools/calendar.d.ts +21 -0
package/dist/mcp/tools/calendar.d.ts.map +1 -0
package/dist/mcp/tools/calendar.js +741 -0
package/dist/mcp/tools/calendar.js.map +1 -0
package/dist/mcp/tools/company.d.ts.map +1 -1
package/dist/mcp/tools/company.js +2 -1
package/dist/mcp/tools/company.js.map +1 -1
package/dist/mcp/tools/date.js.map +1 -1
package/dist/mcp/tools/discussion.d.ts +29 -3
package/dist/mcp/tools/discussion.d.ts.map +1 -1
package/dist/mcp/tools/discussion.js +419 -534
package/dist/mcp/tools/discussion.js.map +1 -1
package/dist/mcp/tools/file.d.ts.map +1 -1
package/dist/mcp/tools/file.js +18 -16
package/dist/mcp/tools/file.js.map +1 -1
package/dist/mcp/tools/index.js +4 -4
package/dist/mcp/tools/index.js.map +1 -1
package/dist/mcp/tools/insight.d.ts +24 -5
package/dist/mcp/tools/insight.d.ts.map +1 -1
package/dist/mcp/tools/insight.js +513 -480
package/dist/mcp/tools/insight.js.map +1 -1
package/dist/mcp/tools/user.d.ts.map +1 -1
package/dist/mcp/tools/user.js +15 -13
package/dist/mcp/tools/user.js.map +1 -1
package/dist/mcp/tools/workflow-permissions.d.ts +2 -4
package/dist/mcp/tools/workflow-permissions.d.ts.map +1 -1
package/dist/mcp/tools/workflow-permissions.js +88 -97
package/dist/mcp/tools/workflow-permissions.js.map +1 -1
package/dist/mcp/tools/workflow.d.ts +9 -7
package/dist/mcp/tools/workflow.d.ts.map +1 -1
package/dist/mcp/tools/workflow.js +852 -860
package/dist/mcp/tools/workflow.js.map +1 -1
package/dist/mcp/utils/api-errors.d.ts.map +1 -1
package/dist/mcp/utils/api-errors.js +2 -2
package/dist/mcp/utils/api-errors.js.map +1 -1
package/dist/mcp/utils/data-transformers.d.ts +0 -3
package/dist/mcp/utils/data-transformers.d.ts.map +1 -1
package/dist/mcp/utils/data-transformers.js +32 -5
package/dist/mcp/utils/data-transformers.js.map +1 -1
package/dist/mcp/utils/file-upload.d.ts.map +1 -1
package/dist/mcp/utils/file-upload.js +1 -1
package/dist/mcp/utils/file-upload.js.map +1 -1
package/dist/mcp/utils/hailer-api-client.d.ts +81 -81
package/dist/mcp/utils/hailer-api-client.d.ts.map +1 -1
package/dist/mcp/utils/hailer-api-client.js +113 -103
package/dist/mcp/utils/hailer-api-client.js.map +1 -1
package/dist/mcp/utils/index.d.ts.map +1 -1
package/dist/mcp/utils/index.js.map +1 -1
package/dist/mcp/utils/logger.d.ts.map +1 -1
package/dist/mcp/utils/logger.js.map +1 -1
package/dist/mcp/utils/response-builder.d.ts.map +1 -1
package/dist/mcp/utils/response-builder.js +8 -4
package/dist/mcp/utils/response-builder.js.map +1 -1
package/dist/mcp/utils/role-utils.d.ts.map +1 -1
package/dist/mcp/utils/role-utils.js +6 -3
package/dist/mcp/utils/role-utils.js.map +1 -1
package/dist/mcp/utils/tool-helpers.d.ts.map +1 -1
package/dist/mcp/utils/tool-helpers.js +2 -2
package/dist/mcp/utils/tool-helpers.js.map +1 -1
package/dist/mcp/utils/types.d.ts +2 -1
package/dist/mcp/utils/types.d.ts.map +1 -1
package/dist/mcp/utils/types.js.map +1 -1
package/dist/mcp/webhook-handler.d.ts +43 -8
package/dist/mcp/webhook-handler.d.ts.map +1 -1
package/dist/mcp/webhook-handler.js +861 -116
package/dist/mcp/webhook-handler.js.map +1 -1
package/dist/mcp/workspace-admin-store.d.ts +49 -0
package/dist/mcp/workspace-admin-store.d.ts.map +1 -0
package/dist/mcp/workspace-admin-store.js +168 -0
package/dist/mcp/workspace-admin-store.js.map +1 -0
package/dist/mcp/workspace-cache.d.ts +2 -2
package/dist/mcp/workspace-cache.d.ts.map +1 -1
package/dist/mcp/workspace-cache.js +9 -5
package/dist/mcp/workspace-cache.js.map +1 -1
package/dist/mcp-server.d.ts +26 -11
package/dist/mcp-server.d.ts.map +1 -1
package/dist/mcp-server.js +367 -48
package/dist/mcp-server.js.map +1 -1
package/dist/plugins/vipunen/client.d.ts +41 -41
package/dist/plugins/vipunen/client.d.ts.map +1 -1
package/dist/plugins/vipunen/client.js +53 -48
package/dist/plugins/vipunen/client.js.map +1 -1
package/dist/plugins/vipunen/index.js.map +1 -1
package/dist/plugins/vipunen/tools.d.ts.map +1 -1
package/dist/plugins/vipunen/tools.js +6 -3
package/dist/plugins/vipunen/tools.js.map +1 -1
package/dist/public-chat/graduate.d.ts +29 -0
package/dist/public-chat/graduate.d.ts.map +1 -0
package/dist/public-chat/graduate.js +593 -0
package/dist/public-chat/graduate.js.map +1 -0
package/dist/public-chat/handler.d.ts +12 -0
package/dist/public-chat/handler.d.ts.map +1 -0
package/dist/public-chat/handler.js +183 -0
package/dist/public-chat/handler.js.map +1 -0
package/dist/public-chat/index.d.ts +16 -0
package/dist/public-chat/index.d.ts.map +1 -0
package/dist/public-chat/index.js +74 -0
package/dist/public-chat/index.js.map +1 -0
package/dist/public-chat/knowledge.d.ts +3 -0
package/dist/public-chat/knowledge.d.ts.map +1 -0
package/dist/public-chat/knowledge.js +1340 -0
package/dist/public-chat/knowledge.js.map +1 -0
package/dist/public-chat/rate-limit.d.ts +16 -0
package/dist/public-chat/rate-limit.d.ts.map +1 -0
package/dist/public-chat/rate-limit.js +51 -0
package/dist/public-chat/rate-limit.js.map +1 -0
package/dist/public-chat/session-store.d.ts +41 -0
package/dist/public-chat/session-store.d.ts.map +1 -0
package/dist/public-chat/session-store.js +95 -0
package/dist/public-chat/session-store.js.map +1 -0
package/dist/public-chat/studio-prewarm.d.ts +61 -0
package/dist/public-chat/studio-prewarm.d.ts.map +1 -0
package/dist/public-chat/studio-prewarm.js +162 -0
package/dist/public-chat/studio-prewarm.js.map +1 -0
package/dist/public-chat/system-prompt.d.ts +22 -0
package/dist/public-chat/system-prompt.d.ts.map +1 -0
package/dist/public-chat/system-prompt.js +435 -0
package/dist/public-chat/system-prompt.js.map +1 -0
package/package.json +15 -7
package/scripts/build-public-chat-knowledge.py +101 -0
package/scripts/smoke-public-chat-live.ts +148 -0
package/scripts/smoke-public-chat.ts +110 -0
package/.claude/CLAUDE.md +0 -126
package/.claude/commands/app-squad.md +0 -131
package/.claude/commands/audit-squad.md +0 -158
package/.claude/commands/cleanup-squad.md +0 -98
package/.claude/commands/config-squad.md +0 -106
package/.claude/commands/crud-squad.md +0 -87
package/.claude/commands/data-squad.md +0 -97
package/.claude/commands/doc-squad.md +0 -65
package/.claude/commands/help.md +0 -29
package/.claude/commands/help:agents.md +0 -182
package/.claude/commands/help:commands.md +0 -78
package/.claude/commands/help:faq.md +0 -79
package/.claude/commands/help:plugins.md +0 -50
package/.claude/commands/help:skills.md +0 -87
package/.claude/commands/help:tools.md +0 -75
package/.claude/commands/hotfix-squad.md +0 -112
package/.claude/commands/integration-squad.md +0 -82
package/.claude/commands/janitor-squad.md +0 -167
package/.claude/commands/onboard-squad.md +0 -130
package/.claude/commands/swarm.md +0 -210
package/.claude/commands/tool-builder.md +0 -39
package/.claude/skills/publish-hailer-app/SKILL.md +0 -280
package/dist/CLAUDE.md +0 -370
package/dist/agents/bot-manager.d.ts +0 -48
package/dist/agents/bot-manager.d.ts.map +0 -1
package/dist/agents/bot-manager.js +0 -254
package/dist/agents/bot-manager.js.map +0 -1
package/dist/agents/bug-fixer/ai.d.ts +0 -80
package/dist/agents/bug-fixer/ai.d.ts.map +0 -1
package/dist/agents/bug-fixer/ai.js +0 -466
package/dist/agents/bug-fixer/ai.js.map +0 -1
package/dist/agents/bug-fixer/bot.d.ts +0 -92
package/dist/agents/bug-fixer/bot.d.ts.map +0 -1
package/dist/agents/bug-fixer/bot.js +0 -687
package/dist/agents/bug-fixer/bot.js.map +0 -1
package/dist/agents/bug-fixer/config.d.ts +0 -21
package/dist/agents/bug-fixer/config.d.ts.map +0 -1
package/dist/agents/bug-fixer/config.js +0 -218
package/dist/agents/bug-fixer/config.js.map +0 -1
package/dist/agents/bug-fixer/files.d.ts +0 -67
package/dist/agents/bug-fixer/files.d.ts.map +0 -1
package/dist/agents/bug-fixer/files.js +0 -386
package/dist/agents/bug-fixer/files.js.map +0 -1
package/dist/agents/bug-fixer/git.d.ts +0 -48
package/dist/agents/bug-fixer/git.d.ts.map +0 -1
package/dist/agents/bug-fixer/git.js +0 -298
package/dist/agents/bug-fixer/git.js.map +0 -1
package/dist/agents/bug-fixer/index.d.ts +0 -103
package/dist/agents/bug-fixer/index.d.ts.map +0 -1
package/dist/agents/bug-fixer/index.js +0 -262
package/dist/agents/bug-fixer/index.js.map +0 -1
package/dist/agents/bug-fixer/lsp.d.ts +0 -113
package/dist/agents/bug-fixer/lsp.d.ts.map +0 -1
package/dist/agents/bug-fixer/lsp.js +0 -485
package/dist/agents/bug-fixer/lsp.js.map +0 -1
package/dist/agents/bug-fixer/monitor.d.ts +0 -123
package/dist/agents/bug-fixer/monitor.d.ts.map +0 -1
package/dist/agents/bug-fixer/monitor.js +0 -629
package/dist/agents/bug-fixer/monitor.js.map +0 -1
package/dist/agents/bug-fixer/prompt.d.ts +0 -5
package/dist/agents/bug-fixer/prompt.d.ts.map +0 -1
package/dist/agents/bug-fixer/prompt.js +0 -94
package/dist/agents/bug-fixer/prompt.js.map +0 -1
package/dist/agents/bug-fixer/registries/pending-classification.d.ts +0 -28
package/dist/agents/bug-fixer/registries/pending-classification.d.ts.map +0 -1
package/dist/agents/bug-fixer/registries/pending-classification.js +0 -50
package/dist/agents/bug-fixer/registries/pending-classification.js.map +0 -1
package/dist/agents/bug-fixer/registries/pending-fix.d.ts +0 -33
package/dist/agents/bug-fixer/registries/pending-fix.d.ts.map +0 -1
package/dist/agents/bug-fixer/registries/pending-fix.js +0 -64
package/dist/agents/bug-fixer/registries/pending-fix.js.map +0 -1
package/dist/agents/bug-fixer/registries/pending.d.ts +0 -27
package/dist/agents/bug-fixer/registries/pending.d.ts.map +0 -1
package/dist/agents/bug-fixer/registries/pending.js +0 -49
package/dist/agents/bug-fixer/registries/pending.js.map +0 -1
package/dist/agents/bug-fixer/specialist-daemon.d.ts +0 -88
package/dist/agents/bug-fixer/specialist-daemon.d.ts.map +0 -1
package/dist/agents/bug-fixer/specialist-daemon.js +0 -431
package/dist/agents/bug-fixer/specialist-daemon.js.map +0 -1
package/dist/agents/bug-fixer/specialist.d.ts +0 -47
package/dist/agents/bug-fixer/specialist.d.ts.map +0 -1
package/dist/agents/bug-fixer/specialist.js +0 -327
package/dist/agents/bug-fixer/specialist.js.map +0 -1
package/dist/agents/bug-fixer/types.d.ts +0 -123
package/dist/agents/bug-fixer/types.d.ts.map +0 -1
package/dist/agents/bug-fixer/types.js +0 -9
package/dist/agents/bug-fixer/types.js.map +0 -1
package/dist/agents/factory.d.ts +0 -172
package/dist/agents/factory.d.ts.map +0 -1
package/dist/agents/factory.js +0 -706
package/dist/agents/factory.js.map +0 -1
package/dist/agents/hailer-expert/index.d.ts +0 -8
package/dist/agents/hailer-expert/index.d.ts.map +0 -1
package/dist/agents/hailer-expert/index.js +0 -14
package/dist/agents/hailer-expert/index.js.map +0 -1
package/dist/agents/hal/daemon.d.ts +0 -174
package/dist/agents/hal/daemon.d.ts.map +0 -1
package/dist/agents/hal/daemon.js +0 -1385
package/dist/agents/hal/daemon.js.map +0 -1
package/dist/agents/hal/definitions.d.ts +0 -42
package/dist/agents/hal/definitions.d.ts.map +0 -1
package/dist/agents/hal/definitions.js +0 -300
package/dist/agents/hal/definitions.js.map +0 -1
package/dist/agents/hal/index.d.ts +0 -3
package/dist/agents/hal/index.d.ts.map +0 -1
package/dist/agents/hal/index.js +0 -8
package/dist/agents/hal/index.js.map +0 -1
package/dist/agents/index.d.ts +0 -18
package/dist/agents/index.d.ts.map +0 -1
package/dist/agents/index.js +0 -48
package/dist/agents/index.js.map +0 -1
package/dist/agents/shared/base.d.ts +0 -253
package/dist/agents/shared/base.d.ts.map +0 -1
package/dist/agents/shared/base.js +0 -1122
package/dist/agents/shared/base.js.map +0 -1
package/dist/agents/shared/schemas/action-schema.d.ts +0 -62
package/dist/agents/shared/schemas/action-schema.d.ts.map +0 -1
package/dist/agents/shared/schemas/action-schema.js +0 -483
package/dist/agents/shared/schemas/action-schema.js.map +0 -1
package/dist/agents/shared/services/agent-registry.d.ts +0 -108
package/dist/agents/shared/services/agent-registry.d.ts.map +0 -1
package/dist/agents/shared/services/agent-registry.js +0 -469
package/dist/agents/shared/services/agent-registry.js.map +0 -1
package/dist/agents/shared/services/conversation-manager.d.ts +0 -57
package/dist/agents/shared/services/conversation-manager.d.ts.map +0 -1
package/dist/agents/shared/services/conversation-manager.js +0 -168
package/dist/agents/shared/services/conversation-manager.js.map +0 -1
package/dist/agents/shared/services/mcp-client.d.ts +0 -56
package/dist/agents/shared/services/mcp-client.d.ts.map +0 -1
package/dist/agents/shared/services/mcp-client.js +0 -124
package/dist/agents/shared/services/mcp-client.js.map +0 -1
package/dist/agents/shared/services/message-classifier.d.ts +0 -37
package/dist/agents/shared/services/message-classifier.d.ts.map +0 -1
package/dist/agents/shared/services/message-classifier.js +0 -203
package/dist/agents/shared/services/message-classifier.js.map +0 -1
package/dist/agents/shared/services/message-formatter.d.ts +0 -89
package/dist/agents/shared/services/message-formatter.d.ts.map +0 -1
package/dist/agents/shared/services/message-formatter.js +0 -390
package/dist/agents/shared/services/message-formatter.js.map +0 -1
package/dist/agents/shared/services/session-logger.d.ts +0 -162
package/dist/agents/shared/services/session-logger.d.ts.map +0 -1
package/dist/agents/shared/services/session-logger.js +0 -724
package/dist/agents/shared/services/session-logger.js.map +0 -1
package/dist/agents/shared/services/structured-output-executor.d.ts +0 -88
package/dist/agents/shared/services/structured-output-executor.d.ts.map +0 -1
package/dist/agents/shared/services/structured-output-executor.js +0 -296
package/dist/agents/shared/services/structured-output-executor.js.map +0 -1
package/dist/agents/shared/services/token-billing.d.ts +0 -72
package/dist/agents/shared/services/token-billing.d.ts.map +0 -1
package/dist/agents/shared/services/token-billing.js +0 -198
package/dist/agents/shared/services/token-billing.js.map +0 -1
package/dist/agents/shared/services/tool-executor.d.ts +0 -43
package/dist/agents/shared/services/tool-executor.d.ts.map +0 -1
package/dist/agents/shared/services/tool-executor.js +0 -175
package/dist/agents/shared/services/tool-executor.js.map +0 -1
package/dist/agents/shared/services/typing-indicator.d.ts +0 -24
package/dist/agents/shared/services/typing-indicator.d.ts.map +0 -1
package/dist/agents/shared/services/typing-indicator.js +0 -54
package/dist/agents/shared/services/typing-indicator.js.map +0 -1
package/dist/agents/shared/services/workspace-schema-cache.d.ts +0 -122
package/dist/agents/shared/services/workspace-schema-cache.d.ts.map +0 -1
package/dist/agents/shared/services/workspace-schema-cache.js +0 -507
package/dist/agents/shared/services/workspace-schema-cache.js.map +0 -1
package/dist/agents/shared/specialist.d.ts +0 -91
package/dist/agents/shared/specialist.d.ts.map +0 -1
package/dist/agents/shared/specialist.js +0 -399
package/dist/agents/shared/specialist.js.map +0 -1
package/dist/agents/shared/tool-schema-loader.d.ts +0 -65
package/dist/agents/shared/tool-schema-loader.d.ts.map +0 -1
package/dist/agents/shared/tool-schema-loader.js +0 -238
package/dist/agents/shared/tool-schema-loader.js.map +0 -1
package/dist/agents/shared/types.d.ts +0 -190
package/dist/agents/shared/types.d.ts.map +0 -1
package/dist/agents/shared/types.js +0 -13
package/dist/agents/shared/types.js.map +0 -1
package/dist/bot/bot-config.d.ts +0 -37
package/dist/bot/bot-config.d.ts.map +0 -1
package/dist/bot/bot-config.js +0 -219
package/dist/bot/bot-config.js.map +0 -1
package/dist/bot/services/__tests__/permission-guard.test.d.ts +0 -2
package/dist/bot/services/__tests__/permission-guard.test.d.ts.map +0 -1
package/dist/bot/services/__tests__/permission-guard.test.js +0 -357
package/dist/bot/services/__tests__/permission-guard.test.js.map +0 -1
package/dist/bot/services/session-logger.d.ts +0 -162
package/dist/bot/services/session-logger.d.ts.map +0 -1
package/dist/bot/services/session-logger.js +0 -724
package/dist/bot/services/session-logger.js.map +0 -1
package/dist/bot/services/workspace-schema-cache.d.ts +0 -122
package/dist/bot/services/workspace-schema-cache.d.ts.map +0 -1
package/dist/bot/services/workspace-schema-cache.js +0 -506
package/dist/bot/services/workspace-schema-cache.js.map +0 -1
package/dist/bot-config/tools.d.ts +0 -28
package/dist/bot-config/tools.d.ts.map +0 -1
package/dist/bot-config/tools.js +0 -279
package/dist/bot-config/tools.js.map +0 -1
package/dist/client/agents/base.d.ts +0 -207
package/dist/client/agents/base.d.ts.map +0 -1
package/dist/client/agents/base.js +0 -744
package/dist/client/agents/base.js.map +0 -1
package/dist/client/agents/definitions.d.ts +0 -53
package/dist/client/agents/definitions.d.ts.map +0 -1
package/dist/client/agents/definitions.js +0 -263
package/dist/client/agents/definitions.js.map +0 -1
package/dist/client/agents/orchestrator.d.ts +0 -141
package/dist/client/agents/orchestrator.d.ts.map +0 -1
package/dist/client/agents/orchestrator.js +0 -1062
package/dist/client/agents/orchestrator.js.map +0 -1
package/dist/client/agents/specialist.d.ts +0 -86
package/dist/client/agents/specialist.d.ts.map +0 -1
package/dist/client/agents/specialist.js +0 -340
package/dist/client/agents/specialist.js.map +0 -1
package/dist/client/bot-entrypoint.d.ts +0 -7
package/dist/client/bot-entrypoint.d.ts.map +0 -1
package/dist/client/bot-entrypoint.js +0 -103
package/dist/client/bot-entrypoint.js.map +0 -1
package/dist/client/bot-manager.d.ts +0 -44
package/dist/client/bot-manager.d.ts.map +0 -1
package/dist/client/bot-manager.js +0 -173
package/dist/client/bot-manager.js.map +0 -1
package/dist/client/bot-runner.d.ts +0 -35
package/dist/client/bot-runner.d.ts.map +0 -1
package/dist/client/bot-runner.js +0 -188
package/dist/client/bot-runner.js.map +0 -1
package/dist/client/chat-agent-daemon.d.ts +0 -464
package/dist/client/chat-agent-daemon.d.ts.map +0 -1
package/dist/client/chat-agent-daemon.js +0 -1774
package/dist/client/chat-agent-daemon.js.map +0 -1
package/dist/client/daemon-factory.d.ts +0 -106
package/dist/client/daemon-factory.d.ts.map +0 -1
package/dist/client/daemon-factory.js +0 -301
package/dist/client/daemon-factory.js.map +0 -1
package/dist/client/factory.d.ts +0 -111
package/dist/client/factory.d.ts.map +0 -1
package/dist/client/factory.js +0 -314
package/dist/client/factory.js.map +0 -1
package/dist/client/index.d.ts +0 -17
package/dist/client/index.d.ts.map +0 -1
package/dist/client/index.js +0 -38
package/dist/client/index.js.map +0 -1
package/dist/client/multi-bot-manager.d.ts +0 -42
package/dist/client/multi-bot-manager.d.ts.map +0 -1
package/dist/client/multi-bot-manager.js +0 -161
package/dist/client/multi-bot-manager.js.map +0 -1
package/dist/client/orchestrator-daemon.d.ts +0 -87
package/dist/client/orchestrator-daemon.d.ts.map +0 -1
package/dist/client/orchestrator-daemon.js +0 -444
package/dist/client/orchestrator-daemon.js.map +0 -1
package/dist/client/server.d.ts +0 -8
package/dist/client/server.d.ts.map +0 -1
package/dist/client/server.js +0 -251
package/dist/client/server.js.map +0 -1
package/dist/client/services/agent-registry.d.ts +0 -108
package/dist/client/services/agent-registry.d.ts.map +0 -1
package/dist/client/services/agent-registry.js +0 -630
package/dist/client/services/agent-registry.js.map +0 -1
package/dist/client/services/conversation-manager.d.ts +0 -50
package/dist/client/services/conversation-manager.d.ts.map +0 -1
package/dist/client/services/conversation-manager.js +0 -136
package/dist/client/services/conversation-manager.js.map +0 -1
package/dist/client/services/mcp-client.d.ts +0 -48
package/dist/client/services/mcp-client.d.ts.map +0 -1
package/dist/client/services/mcp-client.js +0 -105
package/dist/client/services/mcp-client.js.map +0 -1
package/dist/client/services/message-classifier.d.ts +0 -37
package/dist/client/services/message-classifier.d.ts.map +0 -1
package/dist/client/services/message-classifier.js +0 -187
package/dist/client/services/message-classifier.js.map +0 -1
package/dist/client/services/message-formatter.d.ts +0 -84
package/dist/client/services/message-formatter.d.ts.map +0 -1
package/dist/client/services/message-formatter.js +0 -353
package/dist/client/services/message-formatter.js.map +0 -1
package/dist/client/services/session-logger.d.ts +0 -106
package/dist/client/services/session-logger.d.ts.map +0 -1
package/dist/client/services/session-logger.js +0 -446
package/dist/client/services/session-logger.js.map +0 -1
package/dist/client/services/tool-executor.d.ts +0 -41
package/dist/client/services/tool-executor.d.ts.map +0 -1
package/dist/client/services/tool-executor.js +0 -169
package/dist/client/services/tool-executor.js.map +0 -1
package/dist/client/services/workspace-schema-cache.d.ts +0 -149
package/dist/client/services/workspace-schema-cache.d.ts.map +0 -1
package/dist/client/services/workspace-schema-cache.js +0 -732
package/dist/client/services/workspace-schema-cache.js.map +0 -1
package/dist/client/specialist-daemon.d.ts +0 -77
package/dist/client/specialist-daemon.d.ts.map +0 -1
package/dist/client/specialist-daemon.js +0 -197
package/dist/client/specialist-daemon.js.map +0 -1
package/dist/client/specialists.d.ts +0 -53
package/dist/client/specialists.d.ts.map +0 -1
package/dist/client/specialists.js +0 -178
package/dist/client/specialists.js.map +0 -1
package/dist/client/tool-schema-loader.d.ts +0 -62
package/dist/client/tool-schema-loader.d.ts.map +0 -1
package/dist/client/tool-schema-loader.js +0 -232
package/dist/client/tool-schema-loader.js.map +0 -1
package/dist/client/types.d.ts +0 -327
package/dist/client/types.d.ts.map +0 -1
package/dist/client/types.js +0 -121
package/dist/client/types.js.map +0 -1
package/dist/commands/seed-config.d.ts +0 -9
package/dist/commands/seed-config.d.ts.map +0 -1
package/dist/commands/seed-config.js +0 -377
package/dist/commands/seed-config.js.map +0 -1
package/dist/commands/setup.d.ts +0 -11
package/dist/commands/setup.d.ts.map +0 -1
package/dist/commands/setup.js +0 -320
package/dist/commands/setup.js.map +0 -1
package/dist/lib/discussion-lock.d.ts +0 -42
package/dist/lib/discussion-lock.d.ts.map +0 -1
package/dist/lib/discussion-lock.js +0 -110
package/dist/lib/discussion-lock.js.map +0 -1
package/dist/mcp/signal-handler.d.ts +0 -82
package/dist/mcp/signal-handler.d.ts.map +0 -1
package/dist/mcp/signal-handler.js +0 -406
package/dist/mcp/signal-handler.js.map +0 -1
package/dist/mcp/tools/__tests__/discussion-forward.test.d.ts +0 -2
package/dist/mcp/tools/__tests__/discussion-forward.test.d.ts.map +0 -1
package/dist/mcp/tools/__tests__/discussion-forward.test.js +0 -218
package/dist/mcp/tools/__tests__/discussion-forward.test.js.map +0 -1
package/dist/mcp/tools/app-member.d.ts +0 -14
package/dist/mcp/tools/app-member.d.ts.map +0 -1
package/dist/mcp/tools/app-member.js +0 -195
package/dist/mcp/tools/app-member.js.map +0 -1
package/dist/mcp/tools/app-scaffold.d.ts +0 -14
package/dist/mcp/tools/app-scaffold.d.ts.map +0 -1
package/dist/mcp/tools/app-scaffold.js +0 -581
package/dist/mcp/tools/app-scaffold.js.map +0 -1
package/dist/mcp/tools/bot-config/constants.d.ts +0 -23
package/dist/mcp/tools/bot-config/constants.d.ts.map +0 -1
package/dist/mcp/tools/bot-config/constants.js +0 -94
package/dist/mcp/tools/bot-config/constants.js.map +0 -1
package/dist/mcp/tools/bot-config/core.d.ts +0 -253
package/dist/mcp/tools/bot-config/core.d.ts.map +0 -1
package/dist/mcp/tools/bot-config/core.js +0 -2456
package/dist/mcp/tools/bot-config/core.js.map +0 -1
package/dist/mcp/tools/bot-config/index.d.ts +0 -10
package/dist/mcp/tools/bot-config/index.d.ts.map +0 -1
package/dist/mcp/tools/bot-config/index.js +0 -59
package/dist/mcp/tools/bot-config/index.js.map +0 -1
package/dist/mcp/tools/bot-config/tools.d.ts +0 -7
package/dist/mcp/tools/bot-config/tools.d.ts.map +0 -1
package/dist/mcp/tools/bot-config/tools.js +0 -15
package/dist/mcp/tools/bot-config/tools.js.map +0 -1
package/dist/mcp/tools/bot-config/types.d.ts +0 -50
package/dist/mcp/tools/bot-config/types.d.ts.map +0 -1
package/dist/mcp/tools/bot-config/types.js +0 -6
package/dist/mcp/tools/bot-config/types.js.map +0 -1
package/dist/mcp/tools/bug-fixer-tools.d.ts +0 -45
package/dist/mcp/tools/bug-fixer-tools.d.ts.map +0 -1
package/dist/mcp/tools/bug-fixer-tools.js +0 -1096
package/dist/mcp/tools/bug-fixer-tools.js.map +0 -1
package/dist/mcp/tools/document.d.ts +0 -11
package/dist/mcp/tools/document.d.ts.map +0 -1
package/dist/mcp/tools/document.js +0 -741
package/dist/mcp/tools/document.js.map +0 -1
package/dist/mcp/tools/investigate.d.ts +0 -9
package/dist/mcp/tools/investigate.d.ts.map +0 -1
package/dist/mcp/tools/investigate.js +0 -254
package/dist/mcp/tools/investigate.js.map +0 -1
package/dist/mcp/utils/pagination.d.ts +0 -40
package/dist/mcp/utils/pagination.d.ts.map +0 -1
package/dist/mcp/utils/pagination.js +0 -55
package/dist/mcp/utils/pagination.js.map +0 -1
package/dist/modules/bug-reports/bug-config.d.ts +0 -25
package/dist/modules/bug-reports/bug-config.d.ts.map +0 -1
package/dist/modules/bug-reports/bug-config.js +0 -187
package/dist/modules/bug-reports/bug-config.js.map +0 -1
package/dist/modules/bug-reports/bug-monitor.d.ts +0 -108
package/dist/modules/bug-reports/bug-monitor.d.ts.map +0 -1
package/dist/modules/bug-reports/bug-monitor.js +0 -510
package/dist/modules/bug-reports/bug-monitor.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-agent.d.ts +0 -58
package/dist/modules/bug-reports/giuseppe-agent.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-agent.js +0 -467
package/dist/modules/bug-reports/giuseppe-agent.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-ai.d.ts +0 -83
package/dist/modules/bug-reports/giuseppe-ai.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-ai.js +0 -466
package/dist/modules/bug-reports/giuseppe-ai.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-bot.d.ts +0 -110
package/dist/modules/bug-reports/giuseppe-bot.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-bot.js +0 -804
package/dist/modules/bug-reports/giuseppe-bot.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-daemon.d.ts +0 -80
package/dist/modules/bug-reports/giuseppe-daemon.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-daemon.js +0 -617
package/dist/modules/bug-reports/giuseppe-daemon.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-files.d.ts +0 -64
package/dist/modules/bug-reports/giuseppe-files.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-files.js +0 -375
package/dist/modules/bug-reports/giuseppe-files.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-git.d.ts +0 -48
package/dist/modules/bug-reports/giuseppe-git.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-git.js +0 -298
package/dist/modules/bug-reports/giuseppe-git.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-lsp.d.ts +0 -113
package/dist/modules/bug-reports/giuseppe-lsp.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-lsp.js +0 -485
package/dist/modules/bug-reports/giuseppe-lsp.js.map +0 -1
package/dist/modules/bug-reports/giuseppe-prompt.d.ts +0 -5
package/dist/modules/bug-reports/giuseppe-prompt.d.ts.map +0 -1
package/dist/modules/bug-reports/giuseppe-prompt.js +0 -94
package/dist/modules/bug-reports/giuseppe-prompt.js.map +0 -1
package/dist/modules/bug-reports/index.d.ts +0 -77
package/dist/modules/bug-reports/index.d.ts.map +0 -1
package/dist/modules/bug-reports/index.js +0 -215
package/dist/modules/bug-reports/index.js.map +0 -1
package/dist/modules/bug-reports/pending-classification-registry.d.ts +0 -28
package/dist/modules/bug-reports/pending-classification-registry.d.ts.map +0 -1
package/dist/modules/bug-reports/pending-classification-registry.js +0 -50
package/dist/modules/bug-reports/pending-classification-registry.js.map +0 -1
package/dist/modules/bug-reports/pending-fix-registry.d.ts +0 -30
package/dist/modules/bug-reports/pending-fix-registry.d.ts.map +0 -1
package/dist/modules/bug-reports/pending-fix-registry.js +0 -42
package/dist/modules/bug-reports/pending-fix-registry.js.map +0 -1
package/dist/modules/bug-reports/pending-registry.d.ts +0 -27
package/dist/modules/bug-reports/pending-registry.d.ts.map +0 -1
package/dist/modules/bug-reports/pending-registry.js +0 -49
package/dist/modules/bug-reports/pending-registry.js.map +0 -1
package/dist/modules/bug-reports/types.d.ts +0 -123
package/dist/modules/bug-reports/types.d.ts.map +0 -1
package/dist/modules/bug-reports/types.js +0 -9
package/dist/modules/bug-reports/types.js.map +0 -1
package/dist/plugins/bug-fixer/index.d.ts +0 -2
package/dist/plugins/bug-fixer/index.d.ts.map +0 -1
package/dist/plugins/bug-fixer/index.js +0 -18
package/dist/plugins/bug-fixer/index.js.map +0 -1
package/dist/plugins/bug-fixer/tools.d.ts +0 -45
package/dist/plugins/bug-fixer/tools.d.ts.map +0 -1
package/dist/plugins/bug-fixer/tools.js +0 -1096
package/dist/plugins/bug-fixer/tools.js.map +0 -1
package/dist/plugins/vipunen/__tests__/tools.test.d.ts +0 -10
package/dist/plugins/vipunen/__tests__/tools.test.d.ts.map +0 -1
package/dist/plugins/vipunen/__tests__/tools.test.js +0 -646
package/dist/plugins/vipunen/__tests__/tools.test.js.map +0 -1
package/dist/routes/agents.d.ts +0 -44
package/dist/routes/agents.d.ts.map +0 -1
package/dist/routes/agents.js +0 -311
package/dist/routes/agents.js.map +0 -1
package/dist/services/agent-credential-store.d.ts +0 -73
package/dist/services/agent-credential-store.d.ts.map +0 -1
package/dist/services/agent-credential-store.js +0 -212
package/dist/services/agent-credential-store.js.map +0 -1
package/dist/stdio-server.d.ts +0 -14
package/dist/stdio-server.d.ts.map +0 -1
package/dist/stdio-server.js +0 -101
package/dist/stdio-server.js.map +0 -1
package/dist/workspace/context.d.ts +0 -148
package/dist/workspace/context.d.ts.map +0 -1
package/dist/workspace/context.js +0 -339
package/dist/workspace/context.js.map +0 -1
package/dist/workspace/credentials.d.ts +0 -55
package/dist/workspace/credentials.d.ts.map +0 -1
package/dist/workspace/credentials.js +0 -239
package/dist/workspace/credentials.js.map +0 -1
package/dist/workspace/index.d.ts +0 -21
package/dist/workspace/index.d.ts.map +0 -1
package/dist/workspace/index.js +0 -45
package/dist/workspace/index.js.map +0 -1
package/dist/workspace/loader.d.ts +0 -27
package/dist/workspace/loader.d.ts.map +0 -1
package/dist/workspace/loader.js +0 -222
package/dist/workspace/loader.js.map +0 -1
package/dist/workspace/schema.d.ts +0 -37
package/dist/workspace/schema.d.ts.map +0 -1
package/dist/workspace/schema.js +0 -192
package/dist/workspace/schema.js.map +0 -1

package/dist/mcp-server.js CHANGED Viewed

@@ -51,9 +51,14 @@ const logger_1 = require("./lib/logger");
 const config_1 = require("./config");
 const UserContextCache_1 = require("./mcp/UserContextCache");
 const tool_registry_1 = require("./mcp/tool-registry");
+const tool_profiles_1 = require("./mcp/tool-profiles");
 const session_store_1 = require("./mcp/session-store");
 const webhook_handler_1 = require("./mcp/webhook-handler");
+const workspace_admin_store_1 = require("./mcp/workspace-admin-store");
+const rate_limit_1 = require("./public-chat/rate-limit");
+const hailer_clients_1 = require("./mcp/hailer-clients");
 const vipunen_1 = require("./plugins/vipunen");
+const public_chat_1 = require("./public-chat");
 // Load MCP instructions for Claude App
 // Try dist/mcp/ first (production), then src/mcp/ (development)
 let mcpInstructions;
@@ -83,6 +88,9 @@ class MCPServerService {
     config;
     toolRegistry;
     appConfig;
+    /** sessionId → profile + timestamp. Set at MCP initialize when clientInfo identifies an SDK-aware client. */
+    mcpClientProfiles = new Map();
+    static PROFILE_TTL_MS = 60 * 60 * 1000; // 1 hour
     constructor(config) {
         this.config = config;
         this.toolRegistry = config.toolRegistry;
@@ -100,6 +108,14 @@ class MCPServerService {
         });
     }
     setupMiddleware() {
+        // Trust all private-range hops (ingress, hailer-api /proxy/mcp) so req.ip
+        // resolves to the first PUBLIC address in X-Forwarded-For regardless of
+        // how many internal proxies the request traversed. The public ingress
+        // (ALB in prod, Traefik in dev) always appends the real client IP as the
+        // rightmost entry, and every internal hop is loopback/RFC1918, so this
+        // is hop-count-agnostic and spoof-safe for internet clients. Required
+        // for per-visitor rate-limit buckets.
+        this.app.set('trust proxy', ['loopback', 'linklocal', 'uniquelocal']);
         // Configure CORS - empty array means allow all origins (like original cors())
         if (this.config.corsOrigins.length === 0) {
             this.app.use((0, cors_1.default)());
@@ -109,7 +125,9 @@ class MCPServerService {
                 origin: this.config.corsOrigins
             }));
         }
-        this.app.use(express_1.default.json());
+        // Match the Hailer backend's 20mb body limit — the body-parser default of
+        // 100kb rejected large bulk create/update payloads with 413 before any handler ran.
+        this.app.use(express_1.default.json({ limit: '20mb' }));
         // Request logging middleware (skip noise: health checks, OAuth discovery probes)
         this.app.use((req, res, next) => {
             const isHealthCheck = req.path === '/health';
@@ -322,7 +340,8 @@ class MCPServerService {
         });
         // Legacy POST callback for backwards compatibility
         this.app.post(`${API_PREFIX}/oauth/callback`, express_1.default.urlencoded({ extended: true }), (req, res) => {
-            req.logger.debug('OAuth callback POST body', { body: req.body });
+            // Body contains access_token (a credential) — log only field names, not values.
+            req.logger.debug('OAuth callback POST received', { fields: Object.keys(req.body ?? {}) });
             const { access_token, error } = req.body;
             if (error) {
                 return res.status(400).send(`<html><body><h1>Authorization Failed</h1><p>Error: ${this.escapeHtml(String(error))}</p></body></html>`);
@@ -363,35 +382,84 @@ class MCPServerService {
         const webhookPath = (0, webhook_handler_1.getWebhookPath)();
         if (webhookPath) {
             // POST /webhook/{token} - Receives updates from Hailer workflow webhooks
-            this.app.post(webhookPath, (req, res) => {
+            this.app.post(webhookPath, async (req, res) => {
                 req.logger.debug('Bot config webhook received', {
                     activityId: req.body?._id,
                     activityName: req.body?.name,
                     workspaceId: req.body?.cid,
                 });
+                // Always return 200 so Hailer doesn't auto-suspend webhook delivery
+                // after consecutive non-2xx responses. Errors are logged; the body
+                // carries `success: false` + `error` for anyone polling the status
+                // endpoint.
                 try {
-                    const result = (0, webhook_handler_1.handleBotConfigWebhook)(req.body);
+                    const result = await (0, webhook_handler_1.handleBotConfigWebhook)(req.body);
                     if (result.success) {
                         req.logger.debug('Bot config updated via webhook', {
                             action: result.action,
                             workspaceId: result.workspaceId,
                             botType: result.botType,
                         });
-                        res.status(200).json(result);
                     }
                     else {
-                        req.logger.warn('Bot config webhook failed', { error: result.error });
-                        res.status(400).json(result);
+                        req.logger.warn('Bot config webhook handled with non-success', { error: result.error });
                     }
+                    res.status(200).json(result);
                 }
                 catch (error) {
                     req.logger.error('Bot config webhook error', { error });
-                    res.status(500).json({
+                    res.status(200).json({
                         success: false,
                         error: error instanceof Error ? error.message : 'Internal error',
                     });
                 }
             });
+            // DELETE /webhook/{token}/bot/:activityId?workspaceId=X&actorUid=Y&actorName=Z
+            // Called by AI Hub when the user deletes a bot, BEFORE the activity is
+            // removed in Hailer. Tears down the Hailer user account (via the bot's
+            // own session) and removes the local config entry, so deletion in AI Hub
+            // is propagated atomically rather than waiting for the reconciler tick.
+            // actorUid/actorName are optional and used purely for audit attribution
+            // — the actual operations run with the admin API key.
+            this.app.delete(`${webhookPath}/bot/:activityId`, async (req, res) => {
+                const activityId = req.params.activityId;
+                const workspaceId = typeof req.query.workspaceId === 'string' ? req.query.workspaceId : '';
+                if (!workspaceId) {
+                    res.status(400).json({ error: 'workspaceId query param required' });
+                    return;
+                }
+                const actor = {
+                    uid: typeof req.query.actorUid === 'string' ? req.query.actorUid : undefined,
+                    name: typeof req.query.actorName === 'string' ? req.query.actorName : undefined,
+                };
+                try {
+                    const outcome = await (0, webhook_handler_1.destroyBot)(workspaceId, activityId, actor);
+                    if (!outcome.teardownOk) {
+                        // 502: the config entry is gone and AI Hub will still delete
+                        // the activity, but the Hailer user account was not torn down
+                        // (no listener, or listener threw). Operator needs to know.
+                        res.status(502).json({
+                            success: false,
+                            removed: !!outcome.removed,
+                            email: outcome.removed?.email ?? null,
+                            error: outcome.teardownError ?? 'teardown skipped',
+                        });
+                        return;
+                    }
+                    res.status(200).json({
+                        success: true,
+                        removed: !!outcome.removed,
+                        email: outcome.removed?.email ?? null,
+                    });
+                }
+                catch (err) {
+                    req.logger.error('Bot destroy failed', { workspaceId, activityId, actor, err });
+                    res.status(500).json({
+                        success: false,
+                        error: err instanceof Error ? err.message : 'Internal error',
+                    });
+                }
+            });
             // GET /webhook/{token}/status - Status endpoint to see all workspace configs
             this.app.get(`${webhookPath}/status`, (_req, res) => {
                 const configs = (0, webhook_handler_1.listWorkspaceConfigs)();
@@ -411,6 +479,179 @@ class MCPServerService {
         else {
             this.logger.debug('Webhook endpoint disabled (no WEBHOOK_TOKEN)');
         }
+        const adminCheckCacheTtlMs = 3000;
+        const adminCheckCacheMax = 1000;
+        const adminCheckCache = new Map();
+        const sweepAdminCheckCache = (now) => {
+            for (const [staleKey, entry] of adminCheckCache) {
+                if (now - entry.time >= adminCheckCacheTtlMs) {
+                    adminCheckCache.delete(staleKey);
+                }
+            }
+        };
+        // Bounded insert: TTL is otherwise only checked on read, so attacker-
+        // supplied random workspaceIds would grow the map without bound. Sweep
+        // expired entries when full, then evict the oldest (Maps iterate in
+        // insertion order) as a last resort.
+        const setAdminCheckCache = (key, body) => {
+            const now = Date.now();
+            if (adminCheckCache.size >= adminCheckCacheMax) {
+                sweepAdminCheckCache(now);
+            }
+            const oldestKey = adminCheckCache.keys().next().value;
+            if (adminCheckCache.size >= adminCheckCacheMax && oldestKey) {
+                adminCheckCache.delete(oldestKey);
+            }
+            adminCheckCache.set(key, { body, time: now });
+        };
+        // Route-scoped CORS: AI Hub polls /check with `credentials: 'include'`
+        // through api.hailer.com /proxy/mcp, and the proxy copies upstream
+        // response headers verbatim — so the global allow-all
+        // `Access-Control-Allow-Origin: *` from setupMiddleware would reach the
+        // browser and make it reject every credentialed response. Reflect only
+        // the AI Hub app origins, with credentials enabled. The POST is a
+        // top-level form navigation (no CORS), so only the GET needs this.
+        const adminAuthorizeCors = (0, cors_1.default)({
+            origin: config_1.environment.ADMIN_CORS_ORIGINS,
+            credentials: true,
+        });
+        // /check returns the stored admin's uid (opaque ObjectId) so AI Hub can
+        // compare against the current user and distinguish "you are connected"
+        // from "another admin connected this workspace." Name/email are NOT
+        // returned — this endpoint is reachable over plaintext HTTP given only
+        // the workspaceId, and we don't want admin PII traveling on the wire.
+        this.app.get('/admin-authorize/check', adminAuthorizeCors, async (req, res) => {
+            const workspaceId = typeof req.query.workspaceId === 'string' ? req.query.workspaceId : '';
+            if (!workspaceId) {
+                res.status(400).json({ error: 'workspaceId required' });
+                return;
+            }
+            // Generous per-IP budget: the AI Hub popup polls every ~1.5s for up
+            // to 120s (~81 requests per full flow incl. the baseline probe);
+            // 250/hr fits three timed-out flows plus app-startup checks. Keyed
+            // by IP only — keying by IP+workspaceId would let one IP mint
+            // unlimited fresh buckets via random workspaceIds. AI Hub treats
+            // non-200 as { hasKey: false } and keeps polling, so 429 degrades
+            // gracefully. Reachable only via the session-gated /proxy/mcp in
+            // prod, so this is defense-in-depth, not the primary gate.
+            const rate = (0, rate_limit_1.checkRate)(`admin-check:${req.ip ?? 'unknown'}`, 250);
+            if (!rate.ok) {
+                res.status(429).json({ error: 'rate_limited', retryAfterSec: rate.retryAfterSec });
+                return;
+            }
+            const cached = adminCheckCache.get(workspaceId);
+            if (cached && Date.now() - cached.time < adminCheckCacheTtlMs) {
+                res.json(cached.body);
+                return;
+            }
+            const record = await (0, workspace_admin_store_1.getValidatedAdminRecord)(workspaceId);
+            let body = { hasKey: false };
+            if (record) {
+                body = {
+                    hasKey: true,
+                    installedAt: record.installedAt,
+                    expiresAt: record.expiresAt,
+                    admin: { uid: record.uid },
+                };
+            }
+            setAdminCheckCache(workspaceId, body);
+            res.json(body);
+        });
+        this.app.post('/admin-authorize', express_1.default.urlencoded({ extended: true }), async (req, res) => {
+            const completeUrl = (status, message) => {
+                const base = `${config_1.environment.HAILER_APP_URL}/#/authorize/complete?status=${status}`;
+                return message ? `${base}&message=${encodeURIComponent(message)}` : base;
+            };
+            try {
+                // Rate-limit the expensive write (each call runs live core.init
+                // validation). Namespaced key so it has its own per-IP budget,
+                // separate from the public-chat limiter sharing this module.
+                const rate = (0, rate_limit_1.checkRate)(`admin-authorize:${req.ip ?? 'unknown'}`);
+                if (!rate.ok) {
+                    req.logger.warn('Admin authorize: rate limited', { retryAfterSec: rate.retryAfterSec });
+                    res.redirect(303, completeUrl('error', 'Too many attempts — please wait a moment and try again.'));
+                    return;
+                }
+                const workspaceId = typeof req.query.workspaceId === 'string' ? req.query.workspaceId : '';
+                const apiKey = typeof req.body?.apiKey === 'string' ? req.body.apiKey : '';
+                req.logger.debug('Admin authorize POST received', {
+                    workspaceId,
+                    hasApiKey: !!apiKey,
+                    contentType: req.headers['content-type'],
+                    bodyKeys: req.body ? Object.keys(req.body) : [],
+                    queryKeys: Object.keys(req.query),
+                });
+                if (!workspaceId || !apiKey) {
+                    res.redirect(303, completeUrl('error', 'Missing workspaceId or apiKey'));
+                    return;
+                }
+                // Validate the key by resolving the admin's identity, and capture it for audit/display.
+                let identity;
+                let targetRole;
+                let adminClient;
+                try {
+                    adminClient = await (0, hailer_clients_1.createHailerClientByApiKey)(apiKey);
+                    identity = await (0, workspace_admin_store_1.resolveAdminIdentity)(adminClient);
+                    targetRole = identity.uid ? await (0, workspace_admin_store_1.resolveRoleInWorkspace)(adminClient, identity.uid, workspaceId) : undefined;
+                }
+                catch (validateErr) {
+                    req.logger.warn('Admin authorize: API key validation failed', {
+                        workspaceId,
+                        error: validateErr instanceof Error ? validateErr.message : validateErr,
+                    });
+                    res.redirect(303, completeUrl('error', 'API key validation failed'));
+                    return;
+                }
+                if (!identity.uid) {
+                    res.redirect(303, completeUrl('error', 'API key did not resolve to a user'));
+                    return;
+                }
+                if (!identity.emailVerified) {
+                    // Unverified admin email → Hailer blocks the bot invite (403
+                    // 'Validate your email.') → reinvite doom loop. Refuse the key
+                    // until the admin verifies (fail-closed on missing/false).
+                    req.logger.warn('Admin authorize: email not verified — refusing to persist', {
+                        workspaceId, adminUid: identity.uid,
+                    });
+                    res.redirect(303, completeUrl('error', 'Please verify your Hailer email before connecting this workspace.'));
+                    return;
+                }
+                // Authorize the key against the target workspace. This endpoint is
+                // reachable publicly via the api.hailer.com /proxy/mcp service, so we
+                // must not store a key for a workspace it is not entitled to. The
+                // user must be an admin/owner of the TARGET workspace — checked
+                // directly via v2.network.get, NOT via identity.workspaceId: that is
+                // the key's ambient current-workspace pointer (init.network._id),
+                // which follows last-viewed/switchEcosystem and falsely rejects
+                // admins whose pointer sits in another workspace.
+                if (targetRole !== 'admin' && targetRole !== 'owner') {
+                    req.logger.warn('Admin authorize: user is not an admin/owner of the target workspace', {
+                        workspaceId, adminUid: identity.uid, targetRole, ambientWorkspaceId: identity.workspaceId,
+                    });
+                    res.redirect(303, completeUrl('error', 'Only workspace admins or owners can connect bot credentials'));
+                    return;
+                }
+                // The popup path bypasses webhooks, so stale 'email-not-verified'
+                // markers written by earlier webhook rejections never get cleared
+                // — AI Hub's pill stays wedged red even with a verified key
+                // stored. Sweep BEFORE persisting so /check flips to hasKey only
+                // once markers are gone. clearAdminKeyErrors never throws.
+                if (adminClient) {
+                    await (0, webhook_handler_1.clearAdminKeyErrors)(adminClient, workspaceId);
+                }
+                (0, workspace_admin_store_1.persistAdminCredentials)(workspaceId, apiKey, identity);
+                adminCheckCache.delete(workspaceId);
+                req.logger.info('Admin credentials stored via authorize flow', {
+                    workspaceId,
+                    adminUid: identity.uid,
+                });
+                res.redirect(303, completeUrl('success'));
+            }
+            catch (error) {
+                req.logger.error('Admin authorize failed', { error });
+                res.redirect(303, completeUrl('error', 'Storage failed'));
+            }
+        });
         // ===== Daemon status endpoint =====
         this.app.get('/daemon/status', (_, res) => {
             if (!this.config.getDaemonStatus) {
@@ -426,9 +667,9 @@ class MCPServerService {
         });
         // ===== Hailer MCP endpoint — Direct API key auth (for Claude Code, mcp-remote, SDK) =====
         // Restored original mcpHandler from pre-Cowork era with BOT_INTERNAL filtering and strict access control
-        const mcpHandler = async (req, res, apiKeyOverride) => {
+        const mcpHandler = async (req, res, apiKeyOverride, profile) => {
             const apiKey = apiKeyOverride || req.query.apiKey;
-            req.logger.debug('MCP request received', { method: req.body?.method, apiKey: apiKey?.slice(0, 8) + '...' });
+            req.logger.debug('MCP request received', { method: req.body?.method, apiKey: apiKey?.slice(0, 8) + '...', profile });
             try {
                 const mcpRequest = req.body;
                 if (!mcpRequest.params) {
@@ -438,15 +679,18 @@ class MCPServerService {
                 if (mcpRequest.method === 'tools/list') {
                     req.logger.debug('Handling tools/list request');
                     let filterConfig;
-                    if (apiKey) {
+                    // Resolve effective profile: explicit route override OR session-tracked clientInfo
+                    const effectiveProfile = this.resolveSessionProfile(req, profile);
+                    if (effectiveProfile) {
+                        filterConfig = (0, tool_profiles_1.profileFilterConfig)(effectiveProfile);
+                        req.logger.debug('Using profile tool allowlist', { profile: effectiveProfile, source: profile ? 'route' : 'clientInfo' });
+                    }
+                    if (!effectiveProfile && apiKey) {
                         try {
                             const agentConfig = this.appConfig.getClientConfig(apiKey);
-                            if (agentConfig.allowedTools || agentConfig.allowedGroups) {
-                                filterConfig = {
-                                    allowedTools: agentConfig.allowedTools,
-                                    allowedGroups: agentConfig.allowedGroups
-                                };
-                            }
+                            filterConfig = (agentConfig.allowedTools || agentConfig.allowedGroups)
+                                ? { allowedTools: agentConfig.allowedTools, allowedGroups: agentConfig.allowedGroups }
+                                : undefined;
                         }
                         catch {
                             req.logger.debug('No config found for apiKey, returning all tools');
@@ -455,15 +699,11 @@ class MCPServerService {
                     // BOT_INTERNAL filtering: only include if explicitly requested (for daemons)
                     const includeBotInternal = mcpRequest.params?.includeBotInternal === true;
                     if (!filterConfig) {
-                        filterConfig = {
-                            allowedGroups: [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND]
-                        };
-                        req.logger.debug('Using default tool filter (excludes NUCLEAR and BOT_INTERNAL)');
-                    }
-                    else if (filterConfig.allowedGroups) {
-                        filterConfig.allowedGroups = filterConfig.allowedGroups.filter(g => (includeBotInternal || g !== tool_registry_1.ToolGroup.BOT_INTERNAL) &&
-                            (config_1.environment.ENABLE_NUCLEAR_TOOLS || g !== tool_registry_1.ToolGroup.NUCLEAR));
+                        filterConfig = (0, tool_profiles_1.profileFilterConfig)(config_1.environment.MCP_DEFAULT_PROFILE);
+                        req.logger.debug('Using default profile tool filter', { profile: config_1.environment.MCP_DEFAULT_PROFILE });
                     }
+                    filterConfig.allowedGroups = filterConfig.allowedGroups?.filter(grp => (includeBotInternal || grp !== tool_registry_1.ToolGroup.BOT_INTERNAL) &&
+                        (config_1.environment.ENABLE_NUCLEAR_TOOLS || grp !== tool_registry_1.ToolGroup.NUCLEAR));
                     result = {
                         tools: this.toolRegistry.getToolDefinitions(filterConfig)
                     };
@@ -493,13 +733,30 @@ class MCPServerService {
                     if (!this.canAccessToolStrict(name, apiKey)) {
                         return this.sendMcpError(res, mcpRequest.id, -32603, `Access denied to tool: ${name}`, 403);
                     }
+                    // Profile enforcement — explicit route/clientInfo profile, else the
+                    // default profile when no per-account config governs this key
+                    if (!this.canAccessToolForProfile(name, apiKey, this.resolveSessionProfile(req, profile))) {
+                        return this.sendMcpError(res, mcpRequest.id, -32603, `Tool not available in this connection's profile: ${name}`, 403);
+                    }
                     const userContext = await UserContextCache_1.UserContextCache.getContext(apiKey);
                     result = await this.toolRegistry.executeTool(name, args, userContext);
                 }
                 else if (mcpRequest.method === 'initialize') {
                     const sessionId = `session-${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
                     res.setHeader('Mcp-Session-Id', sessionId);
-                    req.logger.info('Client connected', { sessionId, clientInfo: mcpRequest.params?.clientInfo });
+                    const clientInfo = mcpRequest.params?.clientInfo;
+                    req.logger.info('Client connected', { sessionId, clientInfo });
+                    // Auto-detect SDK-aware clients (e.g. OpenCode in Hailer Studio sessions)
+                    if (clientInfo?.name === 'opencode') {
+                        this.mcpClientProfiles.set(sessionId, { profile: 'sdk', ts: Date.now() });
+                        // Lazy TTL cleanup — drop entries older than PROFILE_TTL_MS on each insert
+                        const cutoff = Date.now() - MCPServerService.PROFILE_TTL_MS;
+                        for (const [sid, entry] of this.mcpClientProfiles) {
+                            if (entry.ts < cutoff)
+                                this.mcpClientProfiles.delete(sid);
+                        }
+                        req.logger.debug('Assigned sdk profile to session', { sessionId, clientName: clientInfo.name });
+                    }
                     result = {
                         protocolVersion: '2024-11-05',
                         capabilities: { tools: {} },
@@ -532,18 +789,25 @@ class MCPServerService {
             }
             catch (error) {
                 const errorMessage = error instanceof Error ? error.message : String(error);
+                const apiKeyForLog = typeof req.query.apiKey === 'string'
+                    ? req.query.apiKey.slice(0, 8) + '...'
+                    : undefined;
                 if (errorMessage.includes('Multi-workspace credentials detected')) {
-                    req.logger.warn('Multi-workspace credentials blocked', { apiKey: req.query.apiKey });
+                    req.logger.warn('Multi-workspace credentials blocked', { apiKey: apiKeyForLog });
                     this.sendMcpError(res, req.body?.id || null, -32001, errorMessage, 200);
                 }
                 else {
-                    req.logger.error('MCP handler error', error, { apiKey: req.query.apiKey });
+                    req.logger.error('MCP handler error', error, { apiKey: apiKeyForLog });
                     this.sendMcpError(res, req.body?.id || null, -32000, `Server error: ${errorMessage}`, 500);
                 }
             }
         };
         // Route 1: /api/mcp?apiKey=xxx (standard format)
         this.app.post('/api/mcp', (req, res) => mcpHandler(req, res));
+        // Route 1b: /api/studio/mcp?apiKey=xxx — Studio sessions (SDK-aware tool surface)
+        this.app.post('/api/studio/mcp', (req, res) => mcpHandler(req, res, undefined, 'sdk'));
+        // Route 1c: /api/sdk/mcp?apiKey=xxx — canonical alias for SDK projects (same surface as Studio)
+        this.app.post('/api/sdk/mcp', (req, res) => mcpHandler(req, res, undefined, 'sdk'));
         // Route 2: /:apiKey (simplified format - API key as path)
         // Matches 16-64 char alphanumeric keys, but ONLY for MCP requests (has jsonrpc field)
         this.app.post('/:apiKey([a-zA-Z0-9_-]{16,64})', (req, res, next) => {
@@ -675,6 +939,10 @@ class MCPServerService {
                 label: 'Cowork'
             });
         });
+        // Public chat (anonymous) — login-page demo chatbot.
+        const publicChatRegistered = (0, public_chat_1.registerPublicChatRoutes)(this.app, {
+            anthropicApiKey: config_1.environment.ANTHROPIC_API_KEY,
+        });
         this.logger.debug('Routes configured', {
             routes: [
                 '/health',
@@ -683,6 +951,10 @@ class MCPServerService {
                 '/:apiKey (Hailer — API key as path)',
                 `${API_PREFIX}/mcp (Cowork — OAuth)`,
                 '/api/vipunen (Vipunen — Bearer key)',
+                ...(publicChatRegistered ? [
+                    `${public_chat_1.PUBLIC_CHAT_ROUTE} (public chat — anonymous)`,
+                    `${public_chat_1.PUBLIC_CHAT_AUTHORIZE_ROUTE} (public chat — graduation)`,
+                ] : []),
                 '/.well-known/oauth-authorization-server',
                 '/.well-known/oauth-protected-resource',
                 `${API_PREFIX}/oauth/register`,
@@ -718,14 +990,15 @@ class MCPServerService {
         return `${prefix}-${Date.now()}-${Math.random().toString(36).substring(2, 11)}`;
     }
     /**
-     * Strict access control for /api/mcp — returns false on catch (no config = no access)
-     */
+   * Strict access control for /api/mcp — returns false on catch (no config = no access)
+   */
     canAccessToolStrict(toolName, apiKey) {
         // User API Keys aren't in CLIENT_CONFIGS — apply permissive access (non-NUCLEAR)
         if (apiKey.startsWith('userapikey_')) {
             const tool = this.toolRegistry.getTool(toolName);
-            if (!tool)
+            if (!tool) {
                 return false;
+            }
             if (tool.group === tool_registry_1.ToolGroup.NUCLEAR && !config_1.environment.ENABLE_NUCLEAR_TOOLS) {
                 return false;
             }
@@ -747,8 +1020,8 @@ class MCPServerService {
         }
     }
     /**
-     * Permissive access control for Cowork — allows non-NUCLEAR tools on catch (OAuth sessions)
-     */
+   * Permissive access control for Cowork — allows non-NUCLEAR tools on catch (OAuth sessions)
+   */
     canAccessToolPermissive(toolName, apiKey) {
         try {
             const agentConfig = this.appConfig.getClientConfig(apiKey);
@@ -763,8 +1036,9 @@ class MCPServerService {
         }
         catch {
             const tool = this.toolRegistry.getTool(toolName);
-            if (!tool)
+            if (!tool) {
                 return false;
+            }
             if (tool.group === tool_registry_1.ToolGroup.NUCLEAR && !config_1.environment.ENABLE_NUCLEAR_TOOLS) {
                 return false;
             }
@@ -772,9 +1046,53 @@ class MCPServerService {
         }
     }
     /**
-     * Cowork MCP JSON-RPC handler for /api/cowork/mcp (OAuth multi-user).
-     * Permissive access control, contextType filter, OAuth 401 flow.
-     */
+   * Resolve the connection's tool profile: explicit route override first,
+   * else the session-tracked profile assigned at MCP initialize (clientInfo).
+   */
+    resolveSessionProfile(req, routeProfile) {
+        if (routeProfile) {
+            return routeProfile;
+        }
+        const sessionHeader = req.headers['mcp-session-id'];
+        const sessionId = Array.isArray(sessionHeader) ? sessionHeader[0] : sessionHeader;
+        if (!sessionId) {
+            return undefined;
+        }
+        const entry = this.mcpClientProfiles.get(sessionId);
+        if (entry && Date.now() - entry.ts < MCPServerService.PROFILE_TTL_MS) {
+            return entry.profile;
+        }
+        return undefined;
+    }
+    /**
+   * Profile enforcement for tools/call. An explicit route/clientInfo profile
+   * always governs. Otherwise per-account allowedTools/allowedGroups config
+   * takes precedence (already enforced by canAccessToolStrict/Permissive);
+   * keys without explicit config fall back to the server's default profile.
+   */
+    canAccessToolForProfile(toolName, apiKey, explicitProfile) {
+        const tool = this.toolRegistry.getTool(toolName);
+        if (!tool) {
+            return false;
+        }
+        if (explicitProfile) {
+            return (0, tool_profiles_1.isToolAllowedForProfile)(explicitProfile, tool);
+        }
+        try {
+            const agentConfig = this.appConfig.getClientConfig(apiKey);
+            if (agentConfig.allowedTools || agentConfig.allowedGroups) {
+                return true;
+            }
+        }
+        catch {
+            // No per-account config — default profile governs
+        }
+        return (0, tool_profiles_1.isToolAllowedForProfile)(config_1.environment.MCP_DEFAULT_PROFILE, tool);
+    }
+    /**
+   * Cowork MCP JSON-RPC handler for /api/cowork/mcp (OAuth multi-user).
+   * Permissive access control, contextType filter, OAuth 401 flow.
+   */
     async handleCoworkMcp(req, res, options) {
         req.logger.debug(`${options.label} MCP request received`, { method: req.body?.method });
         try {
@@ -805,14 +1123,10 @@ class MCPServerService {
                     }
                 }
                 if (!filterConfig) {
-                    filterConfig = {
-                        allowedGroups: [tool_registry_1.ToolGroup.READ, tool_registry_1.ToolGroup.WRITE, tool_registry_1.ToolGroup.PLAYGROUND]
-                    };
-                    req.logger.debug('Using default tool filter (excludes NUCLEAR)');
-                }
-                else if (filterConfig.allowedGroups) {
-                    filterConfig.allowedGroups = filterConfig.allowedGroups.filter(g => (config_1.environment.ENABLE_NUCLEAR_TOOLS || g !== tool_registry_1.ToolGroup.NUCLEAR));
+                    filterConfig = (0, tool_profiles_1.profileFilterConfig)(config_1.environment.MCP_DEFAULT_PROFILE);
+                    req.logger.debug('Using default profile tool filter', { profile: config_1.environment.MCP_DEFAULT_PROFILE });
                 }
+                filterConfig.allowedGroups = filterConfig.allowedGroups?.filter(grp => (config_1.environment.ENABLE_NUCLEAR_TOOLS || grp !== tool_registry_1.ToolGroup.NUCLEAR));
                 result = {
                     tools: this.toolRegistry.getToolDefinitions(filterConfig)
                         .filter((def) => {
@@ -847,6 +1161,11 @@ class MCPServerService {
                 if (!this.canAccessToolPermissive(name, apiKey)) {
                     return this.sendMcpError(res, mcpRequest.id, -32603, `Access denied to tool: ${name}`, 403);
                 }
+                // Profile enforcement — Cowork has no route/clientInfo profile, so
+                // per-account config governs, else the default profile
+                if (!this.canAccessToolForProfile(name, apiKey)) {
+                    return this.sendMcpError(res, mcpRequest.id, -32603, `Tool not available in this connection's profile: ${name}`, 403);
+                }
                 if (contextType === 'none') {
                     return this.sendMcpError(res, mcpRequest.id, -32602, `Tool not found: ${name}`, 404);
                 }
@@ -894,8 +1213,8 @@ class MCPServerService {
         }
     }
     /**
-     * Send MCP success response via SSE
-     */
+   * Send MCP success response via SSE
+   */
     sendMcpResult(res, id, result) {
         const response = { jsonrpc: '2.0', result, id };
         res.setHeader('Content-Type', 'text/event-stream');
@@ -905,8 +1224,8 @@ class MCPServerService {
         res.end();
     }
     /**
-     * Send MCP error response
-     */
+   * Send MCP error response
+   */
     sendMcpError(res, id, code, message, httpStatus) {
         const errorResponse = {
             jsonrpc: '2.0',