npm - @hasna/knowledge - Versions diffs - 0.2.22 → 0.2.24 - Mend

@hasna/knowledge 0.2.22 → 0.2.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/README.md +48 -13
package/bin/open-knowledge-mcp.js +1080 -430
package/bin/open-knowledge.js +1 -1
package/docs/architecture/ai-native-knowledge-base.md +14 -0
package/docs/architecture/hybrid-semantic-search.md +11 -10
package/package.json +1 -1
package/src/mcp.js +789 -1

package/bin/open-knowledge-mcp.js CHANGED Viewed

@@ -120,7 +120,7 @@ var MCP_HTTP_SERVICE_NAME = "knowledge", DEFAULT_MCP_HTTP_PORT = 8819;
 var init_mcp_http = () => {};
 // src/mcp.js
-import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { McpServer, ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 // node_modules/zod/v4/classic/external.js
@@ -13660,7 +13660,7 @@ import { existsSync as existsSync8, readFileSync as readFileSync8, writeFileSync
 // package.json
 var package_default = {
   name: "@hasna/knowledge",
-  version: "0.2.22",
+  version: "0.2.24",
   description: "Agent-friendly local knowledge CLI with JSON output, pagination, and safe destructive actions",
   type: "module",
   bin: {
@@ -13723,9 +13723,8 @@ var package_default = {
   }
 };
-// src/store.ts
-import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, renameSync, unlinkSync } from "fs";
-import { randomUUID } from "crypto";
+// src/knowledge-db.ts
+import { Database } from "bun:sqlite";
 // src/workspace.ts
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
@@ -13855,414 +13854,37 @@ function writeKnowledgeConfig(path, config2) {
 `);
 }
-// src/store.ts
-function defaultStorePath() {
-  return workspaceForHome(globalKnowledgeHome()).jsonStorePath;
-}
-function ensureStore(path) {
-  if (!existsSync2(path)) {
-    ensureParentDir(path);
-    if (path === defaultStorePath() && existsSync2(legacyGlobalStorePath())) {
-      writeFileSync2(path, readFileSync2(legacyGlobalStorePath(), "utf8"));
-    } else {
-      writeFileSync2(path, JSON.stringify({ items: [] }, null, 2));
-    }
-  }
-}
-function lockPath(path) {
-  return `${path}.lock`;
-}
-function acquireLock(lockPath2, ownerId) {
-  const maxWait = 5000;
-  const interval = 50;
-  const start = Date.now();
-  while (Date.now() - start < maxWait) {
-    try {
-      if (!existsSync2(lockPath2)) {
-        writeFileSync2(lockPath2, JSON.stringify({ owner: ownerId, ts: Date.now() }));
-        return;
-      }
-      const lock = JSON.parse(readFileSync2(lockPath2, "utf8"));
-      if (Date.now() - lock.ts > 1e4) {
-        unlinkSync(lockPath2);
-      }
-    } catch {}
-    const start2 = Date.now();
-    while (Date.now() - start2 < interval) {}
-  }
-  throw new Error(`Could not acquire lock on ${lockPath2} after ${maxWait}ms`);
-}
-function releaseLock(lockPath2, ownerId) {
-  try {
-    if (existsSync2(lockPath2)) {
-      const lock = JSON.parse(readFileSync2(lockPath2, "utf8"));
-      if (lock.owner === ownerId) {
-        unlinkSync(lockPath2);
-      }
-    }
-  } catch {}
-}
-function loadStore(path) {
-  ensureStore(path);
-  const raw = readFileSync2(path, "utf8");
-  const parsed = JSON.parse(raw);
-  if (!parsed || !Array.isArray(parsed.items)) {
-    return { items: [] };
-  }
-  return parsed;
-}
-function saveStore(path, store) {
-  const tmp = `${path}.tmp.${randomUUID()}`;
-  writeFileSync2(tmp, JSON.stringify(store, null, 2));
-  renameSync(tmp, path);
-}
-function withLock(path, fn) {
-  const owner = randomUUID();
-  const lpath = lockPath(path);
-  acquireLock(lpath, owner);
-  try {
-    return fn();
-  } finally {
-    releaseLock(lpath, owner);
-  }
-}
-function makeId() {
-  return `k_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
-}
+// src/knowledge-db.ts
+var MIGRATION_1 = `
+PRAGMA journal_mode = WAL;
+PRAGMA foreign_keys = ON;
-// src/source-ref.ts
-function assertNonEmpty(value, message) {
-  if (!value)
-    throw new Error(message);
-  return value;
-}
-function parseOpenFilesRef(uri) {
-  const withoutScheme = uri.slice("open-files://".length);
-  const parts = withoutScheme.split("/").filter(Boolean);
-  const entity = parts[0];
-  if (entity !== "file" && entity !== "source") {
-    throw new Error("Invalid open-files ref. Expected open-files://file/<id>, open-files://file/<id>/revision/<revision_id>, or open-files://source/<id>/path/<path>.");
-  }
-  const id = assertNonEmpty(parts[1], "Invalid open-files ref. Missing id.");
-  if (entity === "file") {
-    if (parts.length === 2)
-      return { kind: "open-files", uri, entity, id };
-    if (parts[2] === "revision" && parts[3] && parts.length === 4) {
-      return { kind: "open-files", uri, entity, id, revision_id: decodeURIComponent(parts[3]) };
-    }
-    throw new Error("Invalid open-files file ref. Expected open-files://file/<id>/revision/<revision_id>.");
-  }
-  const pathIndex = parts.indexOf("path");
-  const path = pathIndex >= 0 ? decodeURIComponent(parts.slice(pathIndex + 1).join("/")) : undefined;
-  return { kind: "open-files", uri, entity, id, path };
-}
-function parseS3Ref(uri) {
-  const parsed = new URL(uri);
-  const bucket = assertNonEmpty(parsed.hostname, "Invalid s3 ref. Missing bucket.");
-  const key = decodeURIComponent(parsed.pathname.replace(/^\/+/, ""));
-  if (!key)
-    throw new Error("Invalid s3 ref. Missing object key.");
-  return { kind: "s3", uri, bucket, key };
-}
-function parseFileRef(uri) {
-  const parsed = new URL(uri);
-  return { kind: "file", uri, path: decodeURIComponent(parsed.pathname) };
-}
-function parseWebRef(uri) {
-  const parsed = new URL(uri);
-  return { kind: "web", uri, url: parsed.toString() };
-}
-function parseSourceRef(uri) {
-  if (uri.startsWith("open-files://"))
-    return parseOpenFilesRef(uri);
-  if (uri.startsWith("s3://"))
-    return parseS3Ref(uri);
-  if (uri.startsWith("file://"))
-    return parseFileRef(uri);
-  if (uri.startsWith("https://") || uri.startsWith("http://"))
-    return parseWebRef(uri);
-  throw new Error(`Unsupported source ref scheme: ${uri}`);
-}
-function catalogSourceUriForRef(uri, parsed = parseSourceRef(uri)) {
-  if (parsed.kind === "open-files" && parsed.entity === "file" && parsed.revision_id) {
-    return uri.replace(/\/revision\/[^/]+$/, "");
-  }
-  return uri;
-}
-function revisionIdForSourceRef(uri) {
-  const parsed = parseSourceRef(uri);
-  return parsed.kind === "open-files" && parsed.entity === "file" ? parsed.revision_id ?? null : null;
-}
+CREATE TABLE IF NOT EXISTS schema_versions (
+  version INTEGER PRIMARY KEY,
+  applied_at TEXT NOT NULL
+);
-// src/artifact-store.ts
-import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
-import { dirname as dirname2, join as join2, relative, sep } from "path";
-function normalizeArtifactKey(key) {
-  const raw = key.replace(/\\/g, "/").trim();
-  if (!raw || raw.startsWith("/")) {
-    throw new Error(`Invalid artifact key: ${key}`);
-  }
-  const segments = raw.split("/").filter(Boolean);
-  if (segments.length === 0 || segments.some((segment) => segment === "." || segment === "..")) {
-    throw new Error(`Invalid artifact key: ${key}`);
-  }
-  return segments.join("/");
-}
-function assertInside(root, target) {
-  const rel = relative(root, target);
-  if (rel.startsWith("..") || rel === ".." || rel.startsWith(`..${sep}`)) {
-    throw new Error(`Artifact path escapes root: ${target}`);
-  }
-}
+CREATE TABLE IF NOT EXISTS sources (
+  id TEXT PRIMARY KEY,
+  uri TEXT NOT NULL UNIQUE,
+  kind TEXT NOT NULL,
+  title TEXT,
+  metadata_json TEXT NOT NULL DEFAULT '{}',
+  acl_json TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
-class LocalArtifactStore {
-  root;
-  type = "local";
-  canRead = true;
-  canWrite = true;
-  constructor(root) {
-    this.root = root;
-    mkdirSync2(root, { recursive: true });
-  }
-  async put(entry) {
-    const key = normalizeArtifactKey(entry.key);
-    const path = join2(this.root, key);
-    assertInside(this.root, path);
-    mkdirSync2(dirname2(path), { recursive: true });
-    writeFileSync3(path, entry.body);
-    return { key, uri: `file://${path}` };
-  }
-  async getText(key) {
-    const normalizedKey = normalizeArtifactKey(key);
-    const path = join2(this.root, normalizedKey);
-    assertInside(this.root, path);
-    return readFileSync3(path, "utf8");
-  }
-  async exists(key) {
-    const normalizedKey = normalizeArtifactKey(key);
-    const path = join2(this.root, normalizedKey);
-    assertInside(this.root, path);
-    return existsSync3(path);
-  }
-}
-class S3ArtifactStore {
-  options;
-  type = "s3";
-  canRead = true;
-  canWrite = true;
-  client;
-  constructor(options) {
-    this.options = options;
-    this.client = options.client;
-  }
-  async getClient() {
-    if (this.client)
-      return this.client;
-    const [{ S3Client }, { fromIni }] = await Promise.all([
-      import("@aws-sdk/client-s3"),
-      import("@aws-sdk/credential-providers")
-    ]);
-    this.client = new S3Client({
-      region: this.options.region,
-      credentials: this.options.profile ? fromIni({ profile: this.options.profile }) : undefined,
-      maxAttempts: this.options.max_attempts
-    });
-    return this.client;
-  }
-  objectKey(key) {
-    const normalizedKey = normalizeArtifactKey(key);
-    const prefix = this.options.prefix ? normalizeArtifactKey(this.options.prefix) : "";
-    return prefix ? `${prefix}/${normalizedKey}` : normalizedKey;
-  }
-  async put(entry) {
-    const [{ PutObjectCommand }, client] = await Promise.all([
-      import("@aws-sdk/client-s3"),
-      this.getClient()
-    ]);
-    const key = this.objectKey(entry.key);
-    await client.send(new PutObjectCommand({
-      Bucket: this.options.bucket,
-      Key: key,
-      Body: entry.body,
-      ContentType: entry.content_type,
-      Metadata: entry.metadata,
-      ServerSideEncryption: this.options.server_side_encryption,
-      SSEKMSKeyId: this.options.kms_key_id
-    }));
-    return { key, uri: `s3://${this.options.bucket}/${key}` };
-  }
-  async getText(key) {
-    const [{ GetObjectCommand }, client] = await Promise.all([
-      import("@aws-sdk/client-s3"),
-      this.getClient()
-    ]);
-    const objectKey = this.objectKey(key);
-    const response = await client.send(new GetObjectCommand({
-      Bucket: this.options.bucket,
-      Key: objectKey
-    }));
-    if (!response.Body)
-      return "";
-    return await response.Body.transformToString();
-  }
-  async exists(key) {
-    const [{ HeadObjectCommand }, client] = await Promise.all([
-      import("@aws-sdk/client-s3"),
-      this.getClient()
-    ]);
-    const objectKey = this.objectKey(key);
-    try {
-      await client.send(new HeadObjectCommand({
-        Bucket: this.options.bucket,
-        Key: objectKey
-      }));
-      return true;
-    } catch (error48) {
-      const name = error48 instanceof Error ? error48.name : "";
-      if (name === "NotFound" || name === "NoSuchKey" || name === "NotFoundError")
-        return false;
-      throw error48;
-    }
-  }
-}
-function createArtifactStore(config2, workspace) {
-  if (config2.storage.type === "s3") {
-    if (!config2.storage.s3?.bucket)
-      throw new Error("S3 artifact storage requires storage.s3.bucket");
-    return new S3ArtifactStore({
-      bucket: config2.storage.s3.bucket,
-      prefix: config2.storage.s3.prefix,
-      region: config2.storage.s3.region,
-      profile: config2.storage.s3.profile,
-      max_attempts: config2.storage.s3.max_attempts,
-      server_side_encryption: config2.storage.s3.server_side_encryption,
-      kms_key_id: config2.storage.s3.kms_key_id
-    });
-  }
-  return new LocalArtifactStore(workspace.artifactsDir);
-}
-// src/auth.ts
-import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync4, unlinkSync as unlinkSync2, writeFileSync as writeFileSync4 } from "fs";
-import { homedir as homedir2 } from "os";
-import { dirname as dirname3, join as join3 } from "path";
-var DEFAULT_KNOWLEDGE_API_URL = "https://knowledge.hasna.xyz";
-function normalizeKnowledgeApiOrigin(apiUrl) {
-  const url2 = new URL(apiUrl);
-  if (url2.protocol !== "http:" && url2.protocol !== "https:") {
-    throw new Error("Knowledge API URL must use http or https.");
-  }
-  const pathname = url2.pathname.replace(/\/+$/, "");
-  if (pathname === "/api" || pathname === "/api/v1") {
-    url2.pathname = "/";
-  } else if (pathname.endsWith("/api/v1")) {
-    url2.pathname = pathname.slice(0, -"/api/v1".length) || "/";
-  } else if (pathname.endsWith("/api")) {
-    url2.pathname = pathname.slice(0, -"/api".length) || "/";
-  }
-  return url2.toString().replace(/\/+$/, "");
-}
-function knowledgeAuthPath(env = process.env) {
-  if (env.HASNA_KNOWLEDGE_AUTH_PATH)
-    return env.HASNA_KNOWLEDGE_AUTH_PATH;
-  const root = env.HASNA_KNOWLEDGE_AUTH_DIR ?? join3(homedir2(), ".hasna", "knowledge");
-  return join3(root, "auth.json");
-}
-function resolveKnowledgeApiUrl(config2, env = process.env) {
-  return normalizeKnowledgeApiOrigin(env.KNOWLEDGE_API_URL ?? config2?.hosted?.api_url ?? DEFAULT_KNOWLEDGE_API_URL);
-}
-function getKnowledgeAuth(env = process.env) {
-  try {
-    const path = knowledgeAuthPath(env);
-    if (!existsSync4(path))
-      return null;
-    const parsed = JSON.parse(readFileSync4(path, "utf8"));
-    return typeof parsed.api_key === "string" && parsed.api_key.length > 0 ? parsed : null;
-  } catch {
-    return null;
-  }
-}
-function saveKnowledgeAuth(auth, env = process.env) {
-  const path = knowledgeAuthPath(env);
-  const stored = {
-    ...auth,
-    api_url: auth.api_url ? normalizeKnowledgeApiOrigin(auth.api_url) : undefined,
-    created_at: auth.created_at ?? new Date().toISOString()
-  };
-  mkdirSync3(dirname3(path), { recursive: true, mode: 448 });
-  writeFileSync4(path, `${JSON.stringify(stored, null, 2)}
-`, { mode: 384 });
-  return stored;
-}
-function clearKnowledgeAuth(env = process.env) {
-  try {
-    unlinkSync2(knowledgeAuthPath(env));
-    return true;
-  } catch {
-    return false;
-  }
-}
-function getKnowledgeApiKey(env = process.env) {
-  if (env.KNOWLEDGE_API_KEY)
-    return { apiKey: env.KNOWLEDGE_API_KEY, source: "env" };
-  if (env.HASNA_KNOWLEDGE_API_KEY)
-    return { apiKey: env.HASNA_KNOWLEDGE_API_KEY, source: "env" };
-  const auth = getKnowledgeAuth(env);
-  return auth?.api_key ? { apiKey: auth.api_key, source: "file" } : { apiKey: null, source: "none" };
-}
-function knowledgeAuthStatus(config2, env = process.env) {
-  const auth = getKnowledgeAuth(env);
-  const key = getKnowledgeApiKey(env);
-  const apiUrl = env.KNOWLEDGE_API_URL ? resolveKnowledgeApiUrl(config2, env) : auth?.api_url ? normalizeKnowledgeApiOrigin(auth.api_url) : resolveKnowledgeApiUrl(config2, env);
-  return {
-    authenticated: Boolean(key.apiKey),
-    source: key.source,
-    api_url: apiUrl,
-    auth_path: knowledgeAuthPath(env),
-    email: key.source === "file" ? auth?.email ?? null : null,
-    org_id: key.source === "file" ? auth?.org_id ?? null : null,
-    org_slug: key.source === "file" ? auth?.org_slug ?? null : null,
-    user_id: key.source === "file" ? auth?.user_id ?? null : null,
-    api_key_present: Boolean(key.apiKey)
-  };
-}
-// src/agent.ts
-import { randomUUID as randomUUID3 } from "crypto";
-// src/knowledge-db.ts
-import { Database } from "bun:sqlite";
-var MIGRATION_1 = `
-PRAGMA journal_mode = WAL;
-PRAGMA foreign_keys = ON;
-CREATE TABLE IF NOT EXISTS schema_versions (
-  version INTEGER PRIMARY KEY,
-  applied_at TEXT NOT NULL
-);
-CREATE TABLE IF NOT EXISTS sources (
-  id TEXT PRIMARY KEY,
-  uri TEXT NOT NULL UNIQUE,
-  kind TEXT NOT NULL,
-  title TEXT,
-  metadata_json TEXT NOT NULL DEFAULT '{}',
-  acl_json TEXT NOT NULL DEFAULT '{}',
-  created_at TEXT NOT NULL,
-  updated_at TEXT NOT NULL
-);
-CREATE TABLE IF NOT EXISTS source_revisions (
-  id TEXT PRIMARY KEY,
-  source_id TEXT NOT NULL REFERENCES sources(id) ON DELETE CASCADE,
-  revision TEXT NOT NULL,
-  hash TEXT,
-  extracted_text_uri TEXT,
-  metadata_json TEXT NOT NULL DEFAULT '{}',
-  created_at TEXT NOT NULL,
-  UNIQUE(source_id, revision)
-);
+CREATE TABLE IF NOT EXISTS source_revisions (
+  id TEXT PRIMARY KEY,
+  source_id TEXT NOT NULL REFERENCES sources(id) ON DELETE CASCADE,
+  revision TEXT NOT NULL,
+  hash TEXT,
+  extracted_text_uri TEXT,
+  metadata_json TEXT NOT NULL DEFAULT '{}',
+  created_at TEXT NOT NULL,
+  UNIQUE(source_id, revision)
+);
 CREATE TABLE IF NOT EXISTS chunks (
   id TEXT PRIMARY KEY,
@@ -14536,28 +14158,406 @@ function count(db, table) {
 function getKnowledgeDbStats(path) {
   const db = openKnowledgeDb(path);
   try {
-    return {
-      schema_version: getSchemaVersion(db),
-      sources: count(db, "sources"),
-      source_revisions: count(db, "source_revisions"),
-      chunks: count(db, "chunks"),
-      wiki_pages: count(db, "wiki_pages"),
-      citations: count(db, "citations"),
-      indexes: count(db, "knowledge_indexes"),
-      runs: count(db, "runs"),
-      run_events: count(db, "run_events"),
-      redaction_findings: count(db, "redaction_findings"),
-      audit_events: count(db, "audit_events"),
-      approval_gates: count(db, "approval_gates"),
-      storage_objects: count(db, "storage_objects"),
-      embeddings: count(db, "chunk_embeddings"),
-      vector_entries: count(db, "vector_index_entries"),
-      reindex_queue: count(db, "reindex_queue")
-    };
-  } finally {
-    db.close();
+    return {
+      schema_version: getSchemaVersion(db),
+      sources: count(db, "sources"),
+      source_revisions: count(db, "source_revisions"),
+      chunks: count(db, "chunks"),
+      wiki_pages: count(db, "wiki_pages"),
+      citations: count(db, "citations"),
+      indexes: count(db, "knowledge_indexes"),
+      runs: count(db, "runs"),
+      run_events: count(db, "run_events"),
+      redaction_findings: count(db, "redaction_findings"),
+      audit_events: count(db, "audit_events"),
+      approval_gates: count(db, "approval_gates"),
+      storage_objects: count(db, "storage_objects"),
+      embeddings: count(db, "chunk_embeddings"),
+      vector_entries: count(db, "vector_index_entries"),
+      reindex_queue: count(db, "reindex_queue")
+    };
+  } finally {
+    db.close();
+  }
+}
+// src/store.ts
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, renameSync, unlinkSync } from "fs";
+import { randomUUID } from "crypto";
+function defaultStorePath() {
+  return workspaceForHome(globalKnowledgeHome()).jsonStorePath;
+}
+function ensureStore(path) {
+  if (!existsSync2(path)) {
+    ensureParentDir(path);
+    if (path === defaultStorePath() && existsSync2(legacyGlobalStorePath())) {
+      writeFileSync2(path, readFileSync2(legacyGlobalStorePath(), "utf8"));
+    } else {
+      writeFileSync2(path, JSON.stringify({ items: [] }, null, 2));
+    }
+  }
+}
+function lockPath(path) {
+  return `${path}.lock`;
+}
+function acquireLock(lockPath2, ownerId) {
+  const maxWait = 5000;
+  const interval = 50;
+  const start = Date.now();
+  while (Date.now() - start < maxWait) {
+    try {
+      if (!existsSync2(lockPath2)) {
+        writeFileSync2(lockPath2, JSON.stringify({ owner: ownerId, ts: Date.now() }));
+        return;
+      }
+      const lock = JSON.parse(readFileSync2(lockPath2, "utf8"));
+      if (Date.now() - lock.ts > 1e4) {
+        unlinkSync(lockPath2);
+      }
+    } catch {}
+    const start2 = Date.now();
+    while (Date.now() - start2 < interval) {}
+  }
+  throw new Error(`Could not acquire lock on ${lockPath2} after ${maxWait}ms`);
+}
+function releaseLock(lockPath2, ownerId) {
+  try {
+    if (existsSync2(lockPath2)) {
+      const lock = JSON.parse(readFileSync2(lockPath2, "utf8"));
+      if (lock.owner === ownerId) {
+        unlinkSync(lockPath2);
+      }
+    }
+  } catch {}
+}
+function loadStore(path) {
+  ensureStore(path);
+  const raw = readFileSync2(path, "utf8");
+  const parsed = JSON.parse(raw);
+  if (!parsed || !Array.isArray(parsed.items)) {
+    return { items: [] };
+  }
+  return parsed;
+}
+function saveStore(path, store) {
+  const tmp = `${path}.tmp.${randomUUID()}`;
+  writeFileSync2(tmp, JSON.stringify(store, null, 2));
+  renameSync(tmp, path);
+}
+function withLock(path, fn) {
+  const owner = randomUUID();
+  const lpath = lockPath(path);
+  acquireLock(lpath, owner);
+  try {
+    return fn();
+  } finally {
+    releaseLock(lpath, owner);
+  }
+}
+function makeId() {
+  return `k_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+}
+// src/source-ref.ts
+function assertNonEmpty(value, message) {
+  if (!value)
+    throw new Error(message);
+  return value;
+}
+function parseOpenFilesRef(uri) {
+  const withoutScheme = uri.slice("open-files://".length);
+  const parts = withoutScheme.split("/").filter(Boolean);
+  const entity = parts[0];
+  if (entity !== "file" && entity !== "source") {
+    throw new Error("Invalid open-files ref. Expected open-files://file/<id>, open-files://file/<id>/revision/<revision_id>, or open-files://source/<id>/path/<path>.");
+  }
+  const id = assertNonEmpty(parts[1], "Invalid open-files ref. Missing id.");
+  if (entity === "file") {
+    if (parts.length === 2)
+      return { kind: "open-files", uri, entity, id };
+    if (parts[2] === "revision" && parts[3] && parts.length === 4) {
+      return { kind: "open-files", uri, entity, id, revision_id: decodeURIComponent(parts[3]) };
+    }
+    throw new Error("Invalid open-files file ref. Expected open-files://file/<id>/revision/<revision_id>.");
+  }
+  const pathIndex = parts.indexOf("path");
+  const path = pathIndex >= 0 ? decodeURIComponent(parts.slice(pathIndex + 1).join("/")) : undefined;
+  return { kind: "open-files", uri, entity, id, path };
+}
+function parseS3Ref(uri) {
+  const parsed = new URL(uri);
+  const bucket = assertNonEmpty(parsed.hostname, "Invalid s3 ref. Missing bucket.");
+  const key = decodeURIComponent(parsed.pathname.replace(/^\/+/, ""));
+  if (!key)
+    throw new Error("Invalid s3 ref. Missing object key.");
+  return { kind: "s3", uri, bucket, key };
+}
+function parseFileRef(uri) {
+  const parsed = new URL(uri);
+  return { kind: "file", uri, path: decodeURIComponent(parsed.pathname) };
+}
+function parseWebRef(uri) {
+  const parsed = new URL(uri);
+  return { kind: "web", uri, url: parsed.toString() };
+}
+function parseSourceRef(uri) {
+  if (uri.startsWith("open-files://"))
+    return parseOpenFilesRef(uri);
+  if (uri.startsWith("s3://"))
+    return parseS3Ref(uri);
+  if (uri.startsWith("file://"))
+    return parseFileRef(uri);
+  if (uri.startsWith("https://") || uri.startsWith("http://"))
+    return parseWebRef(uri);
+  throw new Error(`Unsupported source ref scheme: ${uri}`);
+}
+function catalogSourceUriForRef(uri, parsed = parseSourceRef(uri)) {
+  if (parsed.kind === "open-files" && parsed.entity === "file" && parsed.revision_id) {
+    return uri.replace(/\/revision\/[^/]+$/, "");
+  }
+  return uri;
+}
+function revisionIdForSourceRef(uri) {
+  const parsed = parseSourceRef(uri);
+  return parsed.kind === "open-files" && parsed.entity === "file" ? parsed.revision_id ?? null : null;
+}
+// src/artifact-store.ts
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync as readFileSync3, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname2, join as join2, relative, sep } from "path";
+function normalizeArtifactKey(key) {
+  const raw = key.replace(/\\/g, "/").trim();
+  if (!raw || raw.startsWith("/")) {
+    throw new Error(`Invalid artifact key: ${key}`);
+  }
+  const segments = raw.split("/").filter(Boolean);
+  if (segments.length === 0 || segments.some((segment) => segment === "." || segment === "..")) {
+    throw new Error(`Invalid artifact key: ${key}`);
+  }
+  return segments.join("/");
+}
+function assertInside(root, target) {
+  const rel = relative(root, target);
+  if (rel.startsWith("..") || rel === ".." || rel.startsWith(`..${sep}`)) {
+    throw new Error(`Artifact path escapes root: ${target}`);
+  }
+}
+class LocalArtifactStore {
+  root;
+  type = "local";
+  canRead = true;
+  canWrite = true;
+  constructor(root) {
+    this.root = root;
+    mkdirSync2(root, { recursive: true });
+  }
+  async put(entry) {
+    const key = normalizeArtifactKey(entry.key);
+    const path = join2(this.root, key);
+    assertInside(this.root, path);
+    mkdirSync2(dirname2(path), { recursive: true });
+    writeFileSync3(path, entry.body);
+    return { key, uri: `file://${path}` };
+  }
+  async getText(key) {
+    const normalizedKey = normalizeArtifactKey(key);
+    const path = join2(this.root, normalizedKey);
+    assertInside(this.root, path);
+    return readFileSync3(path, "utf8");
+  }
+  async exists(key) {
+    const normalizedKey = normalizeArtifactKey(key);
+    const path = join2(this.root, normalizedKey);
+    assertInside(this.root, path);
+    return existsSync3(path);
+  }
+}
+class S3ArtifactStore {
+  options;
+  type = "s3";
+  canRead = true;
+  canWrite = true;
+  client;
+  constructor(options) {
+    this.options = options;
+    this.client = options.client;
+  }
+  async getClient() {
+    if (this.client)
+      return this.client;
+    const [{ S3Client }, { fromIni }] = await Promise.all([
+      import("@aws-sdk/client-s3"),
+      import("@aws-sdk/credential-providers")
+    ]);
+    this.client = new S3Client({
+      region: this.options.region,
+      credentials: this.options.profile ? fromIni({ profile: this.options.profile }) : undefined,
+      maxAttempts: this.options.max_attempts
+    });
+    return this.client;
+  }
+  objectKey(key) {
+    const normalizedKey = normalizeArtifactKey(key);
+    const prefix = this.options.prefix ? normalizeArtifactKey(this.options.prefix) : "";
+    return prefix ? `${prefix}/${normalizedKey}` : normalizedKey;
+  }
+  async put(entry) {
+    const [{ PutObjectCommand }, client] = await Promise.all([
+      import("@aws-sdk/client-s3"),
+      this.getClient()
+    ]);
+    const key = this.objectKey(entry.key);
+    await client.send(new PutObjectCommand({
+      Bucket: this.options.bucket,
+      Key: key,
+      Body: entry.body,
+      ContentType: entry.content_type,
+      Metadata: entry.metadata,
+      ServerSideEncryption: this.options.server_side_encryption,
+      SSEKMSKeyId: this.options.kms_key_id
+    }));
+    return { key, uri: `s3://${this.options.bucket}/${key}` };
+  }
+  async getText(key) {
+    const [{ GetObjectCommand }, client] = await Promise.all([
+      import("@aws-sdk/client-s3"),
+      this.getClient()
+    ]);
+    const objectKey = this.objectKey(key);
+    const response = await client.send(new GetObjectCommand({
+      Bucket: this.options.bucket,
+      Key: objectKey
+    }));
+    if (!response.Body)
+      return "";
+    return await response.Body.transformToString();
+  }
+  async exists(key) {
+    const [{ HeadObjectCommand }, client] = await Promise.all([
+      import("@aws-sdk/client-s3"),
+      this.getClient()
+    ]);
+    const objectKey = this.objectKey(key);
+    try {
+      await client.send(new HeadObjectCommand({
+        Bucket: this.options.bucket,
+        Key: objectKey
+      }));
+      return true;
+    } catch (error48) {
+      const name = error48 instanceof Error ? error48.name : "";
+      if (name === "NotFound" || name === "NoSuchKey" || name === "NotFoundError")
+        return false;
+      throw error48;
+    }
+  }
+}
+function createArtifactStore(config2, workspace) {
+  if (config2.storage.type === "s3") {
+    if (!config2.storage.s3?.bucket)
+      throw new Error("S3 artifact storage requires storage.s3.bucket");
+    return new S3ArtifactStore({
+      bucket: config2.storage.s3.bucket,
+      prefix: config2.storage.s3.prefix,
+      region: config2.storage.s3.region,
+      profile: config2.storage.s3.profile,
+      max_attempts: config2.storage.s3.max_attempts,
+      server_side_encryption: config2.storage.s3.server_side_encryption,
+      kms_key_id: config2.storage.s3.kms_key_id
+    });
+  }
+  return new LocalArtifactStore(workspace.artifactsDir);
+}
+// src/auth.ts
+import { existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync4, unlinkSync as unlinkSync2, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname3, join as join3 } from "path";
+var DEFAULT_KNOWLEDGE_API_URL = "https://knowledge.hasna.xyz";
+function normalizeKnowledgeApiOrigin(apiUrl) {
+  const url2 = new URL(apiUrl);
+  if (url2.protocol !== "http:" && url2.protocol !== "https:") {
+    throw new Error("Knowledge API URL must use http or https.");
+  }
+  const pathname = url2.pathname.replace(/\/+$/, "");
+  if (pathname === "/api" || pathname === "/api/v1") {
+    url2.pathname = "/";
+  } else if (pathname.endsWith("/api/v1")) {
+    url2.pathname = pathname.slice(0, -"/api/v1".length) || "/";
+  } else if (pathname.endsWith("/api")) {
+    url2.pathname = pathname.slice(0, -"/api".length) || "/";
+  }
+  return url2.toString().replace(/\/+$/, "");
+}
+function knowledgeAuthPath(env = process.env) {
+  if (env.HASNA_KNOWLEDGE_AUTH_PATH)
+    return env.HASNA_KNOWLEDGE_AUTH_PATH;
+  const root = env.HASNA_KNOWLEDGE_AUTH_DIR ?? join3(homedir2(), ".hasna", "knowledge");
+  return join3(root, "auth.json");
+}
+function resolveKnowledgeApiUrl(config2, env = process.env) {
+  return normalizeKnowledgeApiOrigin(env.KNOWLEDGE_API_URL ?? config2?.hosted?.api_url ?? DEFAULT_KNOWLEDGE_API_URL);
+}
+function getKnowledgeAuth(env = process.env) {
+  try {
+    const path = knowledgeAuthPath(env);
+    if (!existsSync4(path))
+      return null;
+    const parsed = JSON.parse(readFileSync4(path, "utf8"));
+    return typeof parsed.api_key === "string" && parsed.api_key.length > 0 ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function saveKnowledgeAuth(auth, env = process.env) {
+  const path = knowledgeAuthPath(env);
+  const stored = {
+    ...auth,
+    api_url: auth.api_url ? normalizeKnowledgeApiOrigin(auth.api_url) : undefined,
+    created_at: auth.created_at ?? new Date().toISOString()
+  };
+  mkdirSync3(dirname3(path), { recursive: true, mode: 448 });
+  writeFileSync4(path, `${JSON.stringify(stored, null, 2)}
+`, { mode: 384 });
+  return stored;
+}
+function clearKnowledgeAuth(env = process.env) {
+  try {
+    unlinkSync2(knowledgeAuthPath(env));
+    return true;
+  } catch {
+    return false;
   }
 }
+function getKnowledgeApiKey(env = process.env) {
+  if (env.KNOWLEDGE_API_KEY)
+    return { apiKey: env.KNOWLEDGE_API_KEY, source: "env" };
+  if (env.HASNA_KNOWLEDGE_API_KEY)
+    return { apiKey: env.HASNA_KNOWLEDGE_API_KEY, source: "env" };
+  const auth = getKnowledgeAuth(env);
+  return auth?.api_key ? { apiKey: auth.api_key, source: "file" } : { apiKey: null, source: "none" };
+}
+function knowledgeAuthStatus(config2, env = process.env) {
+  const auth = getKnowledgeAuth(env);
+  const key = getKnowledgeApiKey(env);
+  const apiUrl = env.KNOWLEDGE_API_URL ? resolveKnowledgeApiUrl(config2, env) : auth?.api_url ? normalizeKnowledgeApiOrigin(auth.api_url) : resolveKnowledgeApiUrl(config2, env);
+  return {
+    authenticated: Boolean(key.apiKey),
+    source: key.source,
+    api_url: apiUrl,
+    auth_path: knowledgeAuthPath(env),
+    email: key.source === "file" ? auth?.email ?? null : null,
+    org_id: key.source === "file" ? auth?.org_id ?? null : null,
+    org_slug: key.source === "file" ? auth?.org_slug ?? null : null,
+    user_id: key.source === "file" ? auth?.user_id ?? null : null,
+    api_key_present: Boolean(key.apiKey)
+  };
+}
+// src/agent.ts
+import { randomUUID as randomUUID3 } from "crypto";
 // src/providers.ts
 import { randomUUID as randomUUID2 } from "crypto";
@@ -19344,14 +19344,520 @@ function sortItems(items, sort = "created", desc = false) {
 function activeItems(items, includeArchived) {
   return includeArchived ? items : items.filter((item) => !item.archived);
 }
+function limitNumber(value, fallback = 20, max = 100) {
+  if (!Number.isFinite(value) || value <= 0)
+    return fallback;
+  return Math.min(Math.floor(value), max);
+}
+function parseJsonObject5(value) {
+  if (!value)
+    return {};
+  try {
+    const parsed = JSON.parse(value);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : {};
+  } catch {
+    return {};
+  }
+}
+function jsonResource(uri, data) {
+  return {
+    contents: [{
+      uri: uri.toString(),
+      mimeType: "application/json",
+      text: JSON.stringify(data, null, 2)
+    }]
+  };
+}
 function registerTool(server, name, title, description, inputSchema, handler) {
   server.registerTool(name, { title, description, inputSchema }, handler);
 }
+function registerJsonResource(server, name, uri, title, description, read) {
+  server.registerResource(name, uri, {
+    title,
+    description,
+    mimeType: "application/json"
+  }, async (resourceUri) => jsonResource(resourceUri, await read(resourceUri)));
+}
+function registerJsonTemplate(server, name, template, title, description, list, read) {
+  server.registerResource(name, new ResourceTemplate(template, { list }), {
+    title,
+    description,
+    mimeType: "application/json"
+  }, async (resourceUri, variables) => jsonResource(resourceUri, await read(resourceUri, variables)));
+}
+function projectService() {
+  return createKnowledgeService({ scope: "project" });
+}
+function openProjectDb(service = projectService()) {
+  const workspace = service.ensureWorkspace();
+  migrateKnowledgeDb(workspace.knowledgeDbPath);
+  return openKnowledgeDb(workspace.knowledgeDbPath);
+}
+function itemResources(storePath = createKnowledgeService({ scope: "project" }).jsonStorePath()) {
+  return readStoreLocked(storePath, (db) => activeItems(db.items, false).slice(0, 100).map((item) => ({
+    uri: `knowledge://project/items/${encodeURIComponent(item.id)}`,
+    name: item.title,
+    description: `Knowledge item ${item.id}`,
+    mimeType: "application/json"
+  })));
+}
+function listRows(db, sql, params = []) {
+  return db.query(sql).all(...params);
+}
+function rowWithJson(row, fields = ["metadata_json", "acl_json"]) {
+  if (!row)
+    return null;
+  const next = { ...row };
+  for (const field of fields) {
+    if (field in next) {
+      const name = field.endsWith("_json") ? field.slice(0, -5) : field;
+      next[name] = parseJsonObject5(next[field]);
+      delete next[field];
+    }
+  }
+  return next;
+}
+function dbStatsSnapshot(service = projectService()) {
+  const stats = service.dbStats();
+  const db = openProjectDb(service);
+  try {
+    return {
+      ok: true,
+      scope: "project",
+      path: service.workspace.knowledgeDbPath,
+      stats,
+      schema_versions: listRows(db, "SELECT version, applied_at FROM schema_versions ORDER BY version ASC")
+    };
+  } finally {
+    db.close();
+  }
+}
+function storageSnapshot(service = projectService()) {
+  const validation = service.validateStorage();
+  return {
+    ok: validation.ok,
+    scope: "project",
+    paths: service.paths(),
+    storage: service.storageContract(),
+    validation
+  };
+}
+function configSnapshot(service = projectService()) {
+  return {
+    ok: true,
+    scope: "project",
+    package: {
+      name: package_default.name,
+      version: package_default.version
+    },
+    paths: service.paths(),
+    storage: service.storageContract(),
+    provider_status: service.providerStatus(),
+    model_registry: service.modelRegistry()
+  };
+}
+function sourceRows(limit = 50, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    return listRows(db, `
+      SELECT
+        s.id,
+        s.uri,
+        s.kind,
+        s.title,
+        s.metadata_json,
+        s.acl_json,
+        s.created_at,
+        s.updated_at,
+        COUNT(DISTINCT sr.id) AS revisions,
+        COUNT(DISTINCT c.id) AS chunks
+      FROM sources s
+      LEFT JOIN source_revisions sr ON sr.source_id = s.id
+      LEFT JOIN chunks c ON c.source_revision_id = sr.id
+      GROUP BY s.id
+      ORDER BY s.updated_at DESC
+      LIMIT ?
+    `, [limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row));
+  } finally {
+    db.close();
+  }
+}
+function sourceSnapshot(id, { limit = 10, service = projectService() } = {}) {
+  const db = openProjectDb(service);
+  try {
+    const source = rowWithJson(db.query(`
+      SELECT id, uri, kind, title, metadata_json, acl_json, created_at, updated_at
+      FROM sources
+      WHERE id = ? OR uri = ?
+    `).get(id, id));
+    if (!source)
+      return null;
+    const revisions = listRows(db, `
+      SELECT id, revision, hash, extracted_text_uri, metadata_json, created_at
+      FROM source_revisions
+      WHERE source_id = ?
+      ORDER BY created_at DESC
+      LIMIT ?
+    `, [source.id, limitNumber(limit, 10, 100)]).map((row) => rowWithJson(row, ["metadata_json"]));
+    const chunks = listRows(db, `
+      SELECT c.id, c.kind, c.ordinal, c.text, c.token_count, c.start_offset, c.end_offset, c.metadata_json, c.created_at,
+             sr.revision, sr.hash
+      FROM chunks c
+      JOIN source_revisions sr ON sr.id = c.source_revision_id
+      WHERE sr.source_id = ?
+      ORDER BY sr.created_at DESC, c.ordinal ASC
+      LIMIT ?
+    `, [source.id, limitNumber(limit, 10, 50)]).map((row) => rowWithJson(row, ["metadata_json"]));
+    return { source, revisions, chunks };
+  } finally {
+    db.close();
+  }
+}
+function openFilesSnapshot(service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    const rows = listRows(db, `
+      SELECT
+        s.id,
+        s.uri,
+        s.title,
+        sr.revision,
+        sr.hash,
+        c.metadata_json,
+        COUNT(c.id) AS chunks
+      FROM sources s
+      JOIN source_revisions sr ON sr.source_id = s.id
+      LEFT JOIN chunks c ON c.source_revision_id = sr.id
+      WHERE s.uri LIKE 'open-files://%'
+      GROUP BY s.id, sr.id
+      ORDER BY s.updated_at DESC
+      LIMIT 100
+    `);
+    return {
+      ok: true,
+      scope: "project",
+      source_ownership: "open-files",
+      raw_source_bytes_exposed: false,
+      refs: rows.map((row) => {
+        const metadata = parseJsonObject5(row.metadata_json);
+        return {
+          id: row.id,
+          uri: row.uri,
+          source_ref: typeof metadata.source_ref === "string" ? metadata.source_ref : row.uri,
+          title: row.title,
+          revision: row.revision,
+          hash: row.hash,
+          chunks: row.chunks
+        };
+      })
+    };
+  } finally {
+    db.close();
+  }
+}
+function wikiRows(limit = 50, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    return listRows(db, `
+      SELECT id, path, title, artifact_uri, content_hash, status, metadata_json, created_at, updated_at
+      FROM wiki_pages
+      ORDER BY updated_at DESC
+      LIMIT ?
+    `, [limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row, ["metadata_json"]));
+  } finally {
+    db.close();
+  }
+}
+async function wikiSnapshot(id, { includeContent = true, service = projectService() } = {}) {
+  const db = openProjectDb(service);
+  try {
+    const page = rowWithJson(db.query(`
+      SELECT id, path, title, artifact_uri, content_hash, status, metadata_json, created_at, updated_at
+      FROM wiki_pages
+      WHERE id = ? OR path = ?
+    `).get(id, id), ["metadata_json"]);
+    if (!page)
+      return null;
+    const citations = listRows(db, `
+      SELECT id, chunk_id, source_uri, quote, start_offset, end_offset, metadata_json, created_at
+      FROM citations
+      WHERE wiki_page_id = ?
+      ORDER BY created_at ASC
+      LIMIT 100
+    `, [page.id]).map((row) => rowWithJson(row, ["metadata_json"]));
+    let content = null;
+    if (includeContent) {
+      const artifactKey = page.metadata?.artifact_key ?? page.path;
+      if (typeof artifactKey === "string") {
+        try {
+          content = await service.artifactStore().getText(artifactKey);
+        } catch {
+          content = null;
+        }
+      }
+    }
+    return { page, citations, content };
+  } finally {
+    db.close();
+  }
+}
+function indexRows(limit = 50, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    return listRows(db, `
+      SELECT id, kind, name, artifact_uri, shard_key, metadata_json, created_at, updated_at
+      FROM knowledge_indexes
+      ORDER BY updated_at DESC
+      LIMIT ?
+    `, [limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row, ["metadata_json"]));
+  } finally {
+    db.close();
+  }
+}
+function indexSnapshot(id, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    const index = rowWithJson(db.query(`
+      SELECT id, kind, name, artifact_uri, shard_key, metadata_json, created_at, updated_at
+      FROM knowledge_indexes
+      WHERE id = ? OR name = ? OR shard_key = ?
+    `).get(id, id, id), ["metadata_json"]);
+    if (!index)
+      return null;
+    const vector_counts = listRows(db, `
+      SELECT provider, model, dimensions, status, COUNT(*) AS entries
+      FROM vector_index_entries
+      GROUP BY provider, model, dimensions, status
+      ORDER BY entries DESC
+      LIMIT 50
+    `);
+    return { index, vector_counts };
+  } finally {
+    db.close();
+  }
+}
+function runRows(limit = 50, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    return listRows(db, `
+      SELECT id, type, prompt, status, provider, model, cost_tokens, cost_usd, metadata_json, created_at, updated_at
+      FROM runs
+      ORDER BY updated_at DESC
+      LIMIT ?
+    `, [limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row, ["metadata_json"]));
+  } finally {
+    db.close();
+  }
+}
+function runSnapshot(id, { limit = 50, service = projectService() } = {}) {
+  const db = openProjectDb(service);
+  try {
+    const run = rowWithJson(db.query(`
+      SELECT id, type, prompt, status, provider, model, cost_tokens, cost_usd, metadata_json, created_at, updated_at
+      FROM runs
+      WHERE id = ?
+    `).get(id), ["metadata_json"]);
+    if (!run)
+      return null;
+    const events = listRows(db, `
+      SELECT id, level, event, metadata_json, created_at
+      FROM run_events
+      WHERE run_id = ?
+      ORDER BY created_at ASC
+      LIMIT ?
+    `, [id, limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row, ["metadata_json"]));
+    const usage = listRows(db, `
+      SELECT id, provider, model, input_tokens, output_tokens, cost_usd, metadata_json, created_at
+      FROM provider_usage
+      WHERE run_id = ?
+      ORDER BY created_at ASC
+      LIMIT 100
+    `, [id]).map((row) => rowWithJson(row, ["metadata_json"]));
+    return { run, events, usage };
+  } finally {
+    db.close();
+  }
+}
+function decisionsSnapshot(limit = 50, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    return {
+      ok: true,
+      scope: "project",
+      approval_gates: listRows(db, `
+        SELECT id, action, target_uri, status, reason, approved_by, metadata_json, created_at, updated_at
+        FROM approval_gates
+        ORDER BY updated_at DESC
+        LIMIT ?
+      `, [limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row, ["metadata_json"])),
+      audit_events: listRows(db, `
+        SELECT id, event_type, action, target_uri, decision, metadata_json, created_at
+        FROM audit_events
+        ORDER BY created_at DESC
+        LIMIT ?
+      `, [limitNumber(limit, 50, 200)]).map((row) => rowWithJson(row, ["metadata_json"]))
+    };
+  } finally {
+    db.close();
+  }
+}
+function decisionSnapshot(id, service = projectService()) {
+  const db = openProjectDb(service);
+  try {
+    const approval = rowWithJson(db.query(`
+      SELECT id, action, target_uri, status, reason, approved_by, metadata_json, created_at, updated_at
+      FROM approval_gates
+      WHERE id = ? OR target_uri = ?
+    `).get(id, id), ["metadata_json"]);
+    if (approval)
+      return { kind: "approval_gate", decision: approval };
+    const audit = rowWithJson(db.query(`
+      SELECT id, event_type, action, target_uri, decision, metadata_json, created_at
+      FROM audit_events
+      WHERE id = ? OR target_uri = ?
+    `).get(id, id), ["metadata_json"]);
+    return audit ? { kind: "audit_event", decision: audit } : null;
+  } finally {
+    db.close();
+  }
+}
+async function getKnowledgeRecord(kind, id, options = {}) {
+  const normalized = kind ?? "auto";
+  const service = createKnowledgeService({ scope: options.scope });
+  const attempts = normalized === "auto" ? ["item", "source", "wiki_page", "run", "index", "decision"] : [normalized];
+  for (const entry of attempts) {
+    if (entry === "item") {
+      const storePath = resolveStorePath(options.store_path, options.scope);
+      const item = readStoreLocked(storePath, (db) => findItem(db, id));
+      if (item)
+        return { kind: "item", item, store_path: storePath };
+    }
+    if (entry === "source") {
+      const source = sourceSnapshot(id, { limit: options.limit, service });
+      if (source)
+        return { kind: "source", ...source };
+    }
+    if (entry === "wiki_page") {
+      const page = await wikiSnapshot(id, { includeContent: options.include_content !== false, service });
+      if (page)
+        return { kind: "wiki_page", ...page };
+    }
+    if (entry === "run") {
+      const run = runSnapshot(id, { limit: options.limit, service });
+      if (run)
+        return { kind: "run", ...run };
+    }
+    if (entry === "index") {
+      const index = indexSnapshot(id, service);
+      if (index)
+        return { kind: "index", ...index };
+    }
+    if (entry === "decision") {
+      const decision = decisionSnapshot(id, service);
+      if (decision)
+        return { kind: "decision", ...decision };
+    }
+  }
+  return null;
+}
+function registerKnowledgeResources(server) {
+  registerJsonResource(server, "knowledge-project-config", "knowledge://project/config", "Project knowledge config", "Resolved project workspace config, provider registry, and storage contract", async () => configSnapshot());
+  registerJsonResource(server, "knowledge-project-storage", "knowledge://project/storage", "Project knowledge storage", "Artifact storage contract and validation for project knowledge", async () => storageSnapshot());
+  registerJsonResource(server, "knowledge-project-schema", "knowledge://project/schema", "Project knowledge schema", "SQLite schema version and table counts for project knowledge", async () => dbStatsSnapshot());
+  registerJsonResource(server, "knowledge-project-sources", "knowledge://project/sources", "Project knowledge sources", "Indexed source refs and revision/chunk counts without raw source bytes", async () => ({ ok: true, scope: "project", sources: sourceRows() }));
+  registerJsonResource(server, "knowledge-project-open-files", "knowledge://project/open-files", "Project open-files refs", "Open-files source refs known to the project knowledge catalog", async () => openFilesSnapshot());
+  registerJsonResource(server, "knowledge-project-wiki-pages", "knowledge://project/wiki/pages", "Project wiki pages", "Generated wiki pages and citation artifact metadata", async () => ({ ok: true, scope: "project", pages: wikiRows() }));
+  registerJsonResource(server, "knowledge-project-indexes", "knowledge://project/indexes", "Project knowledge indexes", "Sharded knowledge indexes and vector-index status", async () => ({
+    ok: true,
+    scope: "project",
+    indexes: indexRows(),
+    embeddings: projectService().embeddingStatus()
+  }));
+  registerJsonResource(server, "knowledge-project-runs", "knowledge://project/runs", "Project knowledge runs", "Recent prompt, ingestion, web search, and reindex run ledger entries", async () => ({ ok: true, scope: "project", runs: runRows() }));
+  registerJsonResource(server, "knowledge-project-decisions", "knowledge://project/decisions", "Project knowledge decisions", "Approval gates and audit decisions for generated knowledge operations", async () => decisionsSnapshot());
+  registerJsonTemplate(server, "knowledge-project-items", "knowledge://project/items/{id}", "Project knowledge item", "Read a compatibility JSON-store item by id", async () => ({ resources: itemResources() }), async (_uri, variables) => {
+    const id = decodeURIComponent(String(variables.id));
+    const record2 = await getKnowledgeRecord("item", id, { scope: "project" });
+    return record2 ? { ok: true, ...record2 } : { ok: false, error: `Item not found: ${id}` };
+  });
+  registerJsonTemplate(server, "knowledge-project-source", "knowledge://project/sources/{id}", "Project source", "Read indexed source metadata, revisions, and derived chunks", async () => ({
+    resources: sourceRows().map((source) => ({
+      uri: `knowledge://project/sources/${encodeURIComponent(source.id)}`,
+      name: source.title ?? source.uri,
+      description: `${source.kind} source with ${source.chunks} chunk(s)`,
+      mimeType: "application/json"
+    }))
+  }), async (_uri, variables) => {
+    const id = decodeURIComponent(String(variables.id));
+    const record2 = sourceSnapshot(id);
+    return record2 ? { ok: true, kind: "source", ...record2 } : { ok: false, error: `Source not found: ${id}` };
+  });
+  registerJsonTemplate(server, "knowledge-project-wiki-page", "knowledge://project/wiki/pages/{id}", "Project wiki page", "Read generated wiki page metadata, citations, and artifact text", async () => ({
+    resources: wikiRows().map((page) => ({
+      uri: `knowledge://project/wiki/pages/${encodeURIComponent(page.id)}`,
+      name: page.title,
+      description: page.path,
+      mimeType: "application/json"
+    }))
+  }), async (_uri, variables) => {
+    const id = decodeURIComponent(String(variables.id));
+    const record2 = await wikiSnapshot(id);
+    return record2 ? { ok: true, kind: "wiki_page", ...record2 } : { ok: false, error: `Wiki page not found: ${id}` };
+  });
+  registerJsonTemplate(server, "knowledge-project-index", "knowledge://project/indexes/{id}", "Project knowledge index", "Read a knowledge index row and vector-count snapshot", async () => ({
+    resources: indexRows().map((index) => ({
+      uri: `knowledge://project/indexes/${encodeURIComponent(index.id)}`,
+      name: index.name,
+      description: `${index.kind} index${index.shard_key ? ` shard ${index.shard_key}` : ""}`,
+      mimeType: "application/json"
+    }))
+  }), async (_uri, variables) => {
+    const id = decodeURIComponent(String(variables.id));
+    const record2 = indexSnapshot(id);
+    return record2 ? { ok: true, kind: "index", ...record2 } : { ok: false, error: `Index not found: ${id}` };
+  });
+  registerJsonTemplate(server, "knowledge-project-run", "knowledge://project/runs/{id}", "Project run", "Read a knowledge run ledger entry with events and usage", async () => ({
+    resources: runRows().map((run) => ({
+      uri: `knowledge://project/runs/${encodeURIComponent(run.id)}`,
+      name: `${run.type}: ${run.status}`,
+      description: run.prompt ?? run.id,
+      mimeType: "application/json"
+    }))
+  }), async (_uri, variables) => {
+    const id = decodeURIComponent(String(variables.id));
+    const record2 = runSnapshot(id);
+    return record2 ? { ok: true, kind: "run", ...record2 } : { ok: false, error: `Run not found: ${id}` };
+  });
+  registerJsonTemplate(server, "knowledge-project-decision", "knowledge://project/decisions/{id}", "Project decision", "Read an approval gate or audit decision", async () => {
+    const decisions = decisionsSnapshot();
+    return {
+      resources: [
+        ...decisions.approval_gates.map((entry) => ({
+          uri: `knowledge://project/decisions/${encodeURIComponent(entry.id)}`,
+          name: `${entry.action}: ${entry.status}`,
+          description: entry.target_uri ?? entry.id,
+          mimeType: "application/json"
+        })),
+        ...decisions.audit_events.map((entry) => ({
+          uri: `knowledge://project/decisions/${encodeURIComponent(entry.id)}`,
+          name: `${entry.action}: ${entry.decision}`,
+          description: entry.target_uri ?? entry.id,
+          mimeType: "application/json"
+        }))
+      ]
+    };
+  }, async (_uri, variables) => {
+    const id = decodeURIComponent(String(variables.id));
+    const record2 = decisionSnapshot(id);
+    return record2 ? { ok: true, ...record2 } : { ok: false, error: `Decision not found: ${id}` };
+  });
+}
 function buildServer() {
   const server = new McpServer({
     name: "open-knowledge",
     version: package_default.version
   });
+  registerKnowledgeResources(server);
   registerTool(server, "ok_paths", "Knowledge workspace paths", "Show resolved workspace and store paths", {
     scope: scopeField
   }, async ({ scope }) => {
@@ -19532,6 +20038,150 @@ function buildServer() {
       return errorText(error48 instanceof Error ? error48.message : String(error48));
     }
   });
+  registerTool(server, "knowledge_get", "Get knowledge record", "Read a knowledge item, indexed source, wiki page, run, index, or decision by id without raw source-byte access", {
+    scope: scopeField,
+    kind: exports_external.enum(["auto", "item", "source", "wiki_page", "run", "index", "decision"]).optional().describe("Record kind; auto tries all supported kinds"),
+    id: exports_external.string().describe("Record id, short id, source URI, wiki path, index shard/name, or decision target URI"),
+    include_content: exports_external.boolean().optional().describe("Include generated wiki artifact text when reading wiki pages"),
+    limit: exports_external.number().optional().describe("Maximum related chunks/events to return"),
+    store_path: storePathField
+  }, async ({ scope, kind, id, include_content, limit, store_path }) => {
+    try {
+      const record2 = await getKnowledgeRecord(kind ?? "auto", id, {
+        scope,
+        include_content,
+        limit,
+        store_path
+      });
+      return record2 ? jsonText({ ok: true, ...record2 }) : errorText(`Knowledge record not found: ${id}`);
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_ingest", "Ingest knowledge source", "Ingest an open-files/S3/file/web source ref or open-files manifest into the derived knowledge catalog", {
+    scope: scopeField,
+    source_ref: exports_external.string().optional().describe("Source reference URI to ingest, e.g. open-files://file/<id>/revision/<rev>"),
+    manifest: exports_external.string().optional().describe("Manifest file path or s3:// URI to ingest"),
+    purpose: exports_external.string().optional().describe("Read-only purpose label, default knowledge_answer")
+  }, async ({ scope, source_ref, manifest, purpose }) => {
+    if (!source_ref && !manifest)
+      return errorText("Missing input. Provide source_ref or manifest.");
+    if (source_ref && manifest)
+      return errorText("Use either source_ref or manifest, not both.");
+    const service = createKnowledgeService({ scope });
+    try {
+      const result = source_ref ? await service.ingestSource(source_ref, purpose) : await service.ingestManifest(manifest);
+      return jsonText({ ok: true, mode: source_ref ? "source" : "manifest", ...result });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_build", "Build knowledge answer", "Run the knowledge prompt flow and optionally file the cited answer into generated wiki artifacts after approval", {
+    scope: scopeField,
+    prompt: exports_external.string().describe("Prompt to answer and build durable knowledge from"),
+    limit: exports_external.number().optional().describe("Maximum context results"),
+    semantic: exports_external.boolean().optional().describe("Include vector semantic results"),
+    generate: exports_external.boolean().optional().describe("Call AI SDK text generation; omitted returns a local citation draft"),
+    approve_write: exports_external.boolean().optional().describe("Approve durable wiki filing for this call"),
+    file_answer: exports_external.boolean().optional().describe("Attempt wiki answer filing; writes only with approve_write=true"),
+    model: exports_external.string().optional().describe("Model alias/ref, default configured provider default"),
+    dimensions: exports_external.number().optional().describe("Embedding dimensions for deterministic fake mode"),
+    fake: exports_external.boolean().optional().describe("Use deterministic fake embeddings/generation for local tests")
+  }, async ({ scope, prompt, limit, semantic, generate, approve_write, file_answer, model, dimensions, fake }) => {
+    const service = createKnowledgeService({ scope });
+    try {
+      const result = await service.runPrompt({ prompt, limit, semantic, generate, approveWrite: approve_write, modelRef: model, dimensions, fake });
+      let wiki_file = null;
+      if (file_answer === true || approve_write === true) {
+        wiki_file = await service.fileAnswer({
+          prompt,
+          answer: result.answer,
+          approveWrite: approve_write,
+          limit,
+          semantic,
+          modelRef: model,
+          dimensions,
+          fake
+        });
+      }
+      return jsonText({ ok: true, ...result, wiki_file });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_web_search", "Knowledge web search", "Run safety-gated provider-native web search and optionally file snippets as web source refs", {
+    scope: scopeField,
+    query: exports_external.string().describe("Web search query"),
+    limit: exports_external.number().optional().describe("Maximum sources"),
+    provider: exports_external.enum(["openai", "anthropic", "deepseek"]).optional().describe("Provider override"),
+    model: exports_external.string().optional().describe("Model alias/ref"),
+    domains: exports_external.array(exports_external.string()).optional().describe("Allowed domains"),
+    fake: exports_external.boolean().optional().describe("Use deterministic fake web results"),
+    file_results: exports_external.boolean().optional().describe("File web snippets as web source refs")
+  }, async ({ scope, query, limit, provider, model, domains, fake, file_results }) => {
+    const service = createKnowledgeService({ scope });
+    try {
+      return jsonText({ ok: true, ...await service.webSearch({ query, limit, provider, modelRef: model, domains, fake, fileResults: file_results }) });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_lint", "Lint knowledge wiki", "Check generated wiki pages for missing citations, stale citations, duplicates, or source issues", {
+    scope: scopeField
+  }, async ({ scope }) => {
+    const service = createKnowledgeService({ scope });
+    try {
+      return jsonText({ ok: true, ...service.lintWiki() });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_run_status", "Knowledge run status", "List recent runs or inspect one run ledger with events and provider usage", {
+    scope: scopeField,
+    run_id: exports_external.string().optional().describe("Run id to inspect; omitted lists recent runs"),
+    limit: exports_external.number().optional().describe("Maximum runs or events to return")
+  }, async ({ scope, run_id, limit }) => {
+    const service = createKnowledgeService({ scope });
+    try {
+      if (run_id) {
+        const run = runSnapshot(run_id, { limit, service });
+        return run ? jsonText({ ok: true, kind: "run", ...run }) : errorText(`Run not found: ${run_id}`);
+      }
+      return jsonText({ ok: true, runs: runRows(limit, service) });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_storage", "Knowledge storage contract", "Inspect local/S3 artifact storage, source ownership, and hosted/SaaS boundary metadata", {
+    scope: scopeField
+  }, async ({ scope }) => {
+    const service = createKnowledgeService({ scope });
+    try {
+      const validation = service.validateStorage();
+      return jsonText({
+        ok: validation.ok,
+        ...service.storageContract(),
+        validation,
+        remote_contract: service.remoteContract()
+      });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
+  registerTool(server, "knowledge_resolve_source", "Resolve knowledge source", "Resolve indexed source chunks through the read-only open-files/source boundary with citation evidence", {
+    source_ref: exports_external.string().describe("Source reference URI, preferably open-files://..."),
+    purpose: exports_external.string().optional().describe("Read-only purpose label, default knowledge_answer"),
+    limit: exports_external.number().optional().describe("Maximum chunks to return, default 10"),
+    scope: scopeField
+  }, async ({ source_ref, purpose, limit, scope }) => {
+    const service = createKnowledgeService({ scope });
+    try {
+      const result = await service.resolveSource(source_ref, { purpose, limit });
+      return jsonText({ ok: true, ...result });
+    } catch (error48) {
+      return errorText(error48 instanceof Error ? error48.message : String(error48));
+    }
+  });
   registerTool(server, "ok_web_search", "Provider web search", "Run safety-gated provider-native web search and return citations/sources", {
     scope: scopeField,
     query: exports_external.string().describe("Web search query"),