@kinetica/admin-agent 0.1.0

package/dist/admin-agent.js

@@ -0,0 +1,4961 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/cli/index.ts
+var cli_exports = {};
+__export(cli_exports, {
+  getSession: () => getSession,
+  main: () => main,
+  verbose: () => verbose
+});
+module.exports = __toCommonJS(cli_exports);
+var import_picocolors14 = __toESM(require("picocolors"));
+
+// src/cli/banner.ts
+var import_picocolors = __toESM(require("picocolors"));
+
+// src/cli/version.ts
+var import_fs = require("fs");
+var import_path = require("path");
+function getVersion() {
+  try {
+    let dir = __dirname;
+    while (dir !== (0, import_path.dirname)(dir)) {
+      const candidate = (0, import_path.join)(dir, "package.json");
+      if ((0, import_fs.existsSync)(candidate)) {
+        const pkg = JSON.parse((0, import_fs.readFileSync)(candidate, "utf8"));
+        return pkg.version;
+      }
+      dir = (0, import_path.dirname)(dir);
+    }
+    return "0.0.0";
+  } catch {
+    return "0.0.0";
+  }
+}
+
+// src/cli/banner.ts
+var LOGO = `  \u2588\u2588\u2557  \u2588\u2588\u2557\u2588\u2588\u2557\u2588\u2588\u2588\u2557   \u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2557
+  \u2588\u2588\u2551 \u2588\u2588\u2554\u255D\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255D\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255D\u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2557
+  \u2588\u2588\u2588\u2588\u2588\u2554\u255D \u2588\u2588\u2551\u2588\u2588\u2554\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2557     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551
+  \u2588\u2588\u2554\u2550\u2588\u2588\u2557 \u2588\u2588\u2551\u2588\u2588\u2551\u255A\u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2554\u2550\u2550\u255D     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551     \u2588\u2588\u2554\u2550\u2550\u2588\u2588\u2551
+  \u2588\u2588\u2551  \u2588\u2588\u2557\u2588\u2588\u2551\u2588\u2588\u2551 \u255A\u2588\u2588\u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551   \u2588\u2588\u2551\u255A\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2551  \u2588\u2588\u2551
+  \u255A\u2550\u255D  \u255A\u2550\u255D\u255A\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u2550\u2550\u255D\u255A\u2550\u2550\u2550\u2550\u2550\u2550\u255D   \u255A\u2550\u255D   \u255A\u2550\u255D \u255A\u2550\u2550\u2550\u2550\u2550\u255D\u255A\u2550\u255D  \u255A\u2550\u255D`;
+function lerpRgb(from, to, t) {
+  return [
+    Math.round(from[0] + (to[0] - from[0]) * t),
+    Math.round(from[1] + (to[1] - from[1]) * t),
+    Math.round(from[2] + (to[2] - from[2]) * t)
+  ];
+}
+function dimRgb(color, factor) {
+  return [
+    Math.round(color[0] * factor),
+    Math.round(color[1] * factor),
+    Math.round(color[2] * factor)
+  ];
+}
+var SHADOW_CHARS = /* @__PURE__ */ new Set(["\u2557", "\u2554", "\u2551", "\u255D", "\u255A", "\u2550"]);
+var DIM_FACTOR = 0.4;
+function gradientize(text) {
+  const PURPLE = [147, 51, 234];
+  const HOT_PINK = [236, 72, 153];
+  const RESET = "\x1B[0m";
+  const lines = text.split("\n");
+  const maxIdx = Math.max(lines.length - 1, 1);
+  return lines.map((line, i) => {
+    const bright = lerpRgb(PURPLE, HOT_PINK, i / maxIdx);
+    const dim = dimRgb(bright, DIM_FACTOR);
+    let result = "";
+    let currentMode = null;
+    for (const ch of line) {
+      const mode = SHADOW_CHARS.has(ch) ? "dim" : "bright";
+      if (mode !== currentMode) {
+        const [r, g, b] = mode === "dim" ? dim : bright;
+        result += `\x1B[38;2;${r};${g};${b}m`;
+        currentMode = mode;
+      }
+      result += ch;
+    }
+    return result + RESET;
+  }).join("\n");
+}
+function printBanner(model) {
+  const version = getVersion();
+  const subtitle = `admin-agent ${import_picocolors.default.dim(`v${version}`)}`;
+  const header = model ? `${subtitle}
+${import_picocolors.default.dim(`model: ${model}`)}` : subtitle;
+  process.stderr.write("\n\n" + gradientize(LOGO) + "\n\n" + header + "\n");
+  return subtitle;
+}
+
+// src/auth/preflight.ts
+var import_claude_agent_sdk = require("@anthropic-ai/claude-agent-sdk");
+
+// src/auth/oauth-flow.ts
+var import_picocolors2 = __toESM(require("picocolors"));
+
+// src/auth/open-browser.ts
+var import_child_process = require("child_process");
+function openBrowser(url) {
+  try {
+    const platform = process.platform;
+    const { command, args } = platform === "darwin" ? { command: "open", args: [url] } : platform === "win32" ? { command: "cmd", args: ["/c", "start", "", url] } : { command: "xdg-open", args: [url] };
+    const child = (0, import_child_process.spawn)(command, args, { detached: true, stdio: "ignore" });
+    child.unref();
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/auth/oauth-flow.ts
+async function resolveAuthentication(agentQuery, options) {
+  if (options.hasApiKey && !options.forceLogin) {
+    return { method: "api_key" };
+  }
+  const query3 = agentQuery;
+  try {
+    const { manualUrl, automaticUrl } = await query3.claudeAuthenticate(options.loginWithClaudeAi);
+    const opened = openBrowser(automaticUrl);
+    if (opened) {
+      process.stderr.write(import_picocolors2.default.dim("Browser opened for login. Waiting for authentication...\n"));
+    } else {
+      process.stderr.write(`
+Open this URL in your browser to log in:
+${import_picocolors2.default.bold(manualUrl)}
+
+`);
+      process.stderr.write(import_picocolors2.default.dim("Waiting for browser login to complete...\n"));
+    }
+    await query3.claudeOAuthWaitForCompletion();
+    return { method: "oauth" };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    process.stderr.write(
+      import_picocolors2.default.yellow(`
+Warning: OAuth login failed (${message}). SDK may retry automatically.
+`)
+    );
+    return { method: "oauth" };
+  }
+}
+
+// src/auth/preflight.ts
+var PROBE_TIMEOUT_MS = 1e4;
+async function probeCachedCredentials(authQuery) {
+  try {
+    const info = await Promise.race([
+      authQuery.accountInfo(),
+      new Promise(
+        (_, reject) => setTimeout(() => reject(new Error("Probe timed out")), PROBE_TIMEOUT_MS)
+      )
+    ]);
+    if (info.email || info.apiKeySource) {
+      return info;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function authenticateAnthropic(options) {
+  const hasApiKey = Boolean(process.env.ANTHROPIC_API_KEY);
+  if (hasApiKey && !options.forceLogin) {
+    return { method: "api_key" };
+  }
+  if (!process.stdin.isTTY) {
+    throw new Error(
+      "No ANTHROPIC_API_KEY set and terminal is non-interactive. Set ANTHROPIC_API_KEY or run in an interactive terminal with --login."
+    );
+  }
+  const env = options.forceLogin ? (() => {
+    const { ANTHROPIC_API_KEY: _stripped, ...rest } = process.env;
+    return { ...rest, CLAUDE_AGENT_SDK_CLIENT_APP: "admin-agent" };
+  })() : { ...process.env, CLAUDE_AGENT_SDK_CLIENT_APP: "admin-agent" };
+  const abortController = new AbortController();
+  async function* hangingPrompt() {
+    await new Promise(() => {
+    });
+  }
+  const authQuery = (0, import_claude_agent_sdk.query)({
+    prompt: hangingPrompt(),
+    options: {
+      persistSession: false,
+      abortController,
+      env,
+      ...options.loginMethod ? { forceLoginMethod: options.loginMethod } : {},
+      ...options.loginOrgUUID ? { forceLoginOrgUUID: options.loginOrgUUID } : {}
+    }
+  });
+  try {
+    if (!options.forceLogin) {
+      const cached = await probeCachedCredentials(authQuery);
+      if (cached) {
+        return { method: "oauth", email: cached.email };
+      }
+    }
+    return await resolveAuthentication(authQuery, {
+      forceLogin: options.forceLogin,
+      loginWithClaudeAi: (options.loginMethod ?? "claudeai") === "claudeai",
+      hasApiKey
+    });
+  } finally {
+    abortController.abort();
+    await authQuery.return().catch(() => {
+    });
+  }
+}
+
+// src/auth/logout.ts
+var import_child_process2 = require("child_process");
+var import_node_module = require("module");
+var import_node_path = __toESM(require("path"));
+var import_util = require("util");
+var execFileAsync = (0, import_util.promisify)(import_child_process2.execFile);
+function resolveSdkCliPath() {
+  const require_ = (0, import_node_module.createRequire)(__filename);
+  return import_node_path.default.join(import_node_path.default.dirname(require_.resolve("@anthropic-ai/claude-agent-sdk")), "cli.js");
+}
+async function logout() {
+  try {
+    const sdkCliPath = resolveSdkCliPath();
+    const { stdout, stderr } = await execFileAsync(process.execPath, [
+      sdkCliPath,
+      "auth",
+      "logout"
+    ]);
+    const output = (stdout || stderr || "").trim();
+    return { success: true, message: output || "Logged out successfully." };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { success: false, message: `Logout failed: ${message}` };
+  }
+}
+
+// src/session/env-file.ts
+var import_fs2 = require("fs");
+var import_promises = require("fs/promises");
+var import_path2 = require("path");
+var import_prompts = require("@inquirer/prompts");
+var import_picocolors3 = __toESM(require("picocolors"));
+function parseEnvContent(content) {
+  const entries = [];
+  for (const line of content.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed === "" || trimmed.startsWith("#")) continue;
+    const match = /^([A-Za-z_]\w*)=(.*)/.exec(trimmed);
+    if (!match) continue;
+    const key = match[1];
+    let value = match[2];
+    if (value.startsWith('"') && value.endsWith('"') && value.length >= 2) {
+      value = value.slice(1, -1).replace(/\\(["\\])/g, "$1");
+    } else if (value.startsWith("'") && value.endsWith("'") && value.length >= 2) {
+      value = value.slice(1, -1);
+    }
+    entries.push([key, value]);
+  }
+  return new Map(entries);
+}
+var FORBIDDEN_VALUE_CHARS = /[\n\r\0]/;
+var REQUIRES_QUOTING = /[\s"'#]/;
+function escapeEnvValue(value) {
+  if (FORBIDDEN_VALUE_CHARS.test(value)) {
+    throw new Error(
+      "Env value contains a forbidden character (newline or null byte); refusing to write"
+    );
+  }
+  if (!REQUIRES_QUOTING.test(value)) {
+    return value;
+  }
+  const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
+  return `"${escaped}"`;
+}
+var ENV_TEMPLATE = `# Anthropic API key (optional \u2014 if not set, OAuth login via browser is used)
+ANTHROPIC_API_KEY=
+
+# Kinetica connection details (prompted interactively if not set)
+# If password is omitted, the agent will prompt for it at startup
+KINETICA_URL={url}
+KINETICA_USER={user}
+KINETICA_PASS=
+`;
+function buildEnvContent(url, user, existingContent) {
+  const safeUrl = escapeEnvValue(url);
+  const safeUser = escapeEnvValue(user);
+  if (!existingContent?.trim()) {
+    return ENV_TEMPLATE.replace("{url}", safeUrl).replace("{user}", safeUser);
+  }
+  const lines = existingContent.split("\n");
+  let urlReplaced = false;
+  let userReplaced = false;
+  const updated = lines.map((line) => {
+    if (/^KINETICA_URL=/.exec(line)) {
+      urlReplaced = true;
+      return `KINETICA_URL=${safeUrl}`;
+    }
+    if (/^KINETICA_USER=/.exec(line)) {
+      userReplaced = true;
+      return `KINETICA_USER=${safeUser}`;
+    }
+    return line;
+  });
+  if (!urlReplaced) updated.push(`KINETICA_URL=${safeUrl}`);
+  if (!userReplaced) updated.push(`KINETICA_USER=${safeUser}`);
+  return updated.join("\n");
+}
+function loadEnvFile(dir, env = process.env) {
+  try {
+    const filePath = (0, import_path2.join)(dir ?? process.cwd(), ".env");
+    const content = (0, import_fs2.readFileSync)(filePath, "utf8");
+    const parsed = parseEnvContent(content);
+    for (const [key, value] of parsed) {
+      if (env[key] === void 0 && value !== "") {
+        env[key] = value;
+      }
+    }
+  } catch {
+  }
+}
+async function offerSaveCredentials(url, user, dir) {
+  if (!process.stdin.isTTY) return;
+  try {
+    const shouldSave = await (0, import_prompts.confirm)({
+      message: "Save KINETICA_URL and KINETICA_USER to .env? (password is never saved)",
+      default: true
+    });
+    if (!shouldSave) return;
+    const filePath = (0, import_path2.join)(dir ?? process.cwd(), ".env");
+    let existing;
+    try {
+      existing = await (0, import_promises.readFile)(filePath, "utf8");
+    } catch {
+    }
+    const content = buildEnvContent(url, user, existing);
+    await (0, import_promises.writeFile)(filePath, content, "utf8");
+    console.error(import_picocolors3.default.dim("Saved to .env"));
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.error(import_picocolors3.default.yellow(`Could not save .env file: ${message}`));
+  }
+}
+
+// src/session/verify.ts
+var import_picocolors6 = __toESM(require("picocolors"));
+var import_prompts4 = require("@inquirer/prompts");
+
+// src/session/collect.ts
+var import_prompts2 = require("@inquirer/prompts");
+var import_picocolors4 = __toESM(require("picocolors"));
+async function collectCredentials() {
+  const prompted = /* @__PURE__ */ new Set();
+  const envUrl = process.env.KINETICA_URL;
+  const envUser = process.env.KINETICA_USER;
+  if (envUrl && envUser && process.stdin.isTTY) {
+    console.error(import_picocolors4.default.dim(`Saved connection: ${envUrl} (${envUser})`));
+    const useSaved = await (0, import_prompts2.confirm)({
+      message: "Use saved connection?",
+      default: true
+    });
+    if (!useSaved) {
+      prompted.add("url");
+      prompted.add("user");
+      const url2 = await (0, import_prompts2.input)({ message: "Kinetica endpoint URL:" });
+      const user2 = await (0, import_prompts2.input)({ message: "Admin username:" });
+      const pass2 = await (0, import_prompts2.password)({ message: "Admin password:", mask: "*" });
+      return { credentials: { url: url2, user: user2, pass: pass2 }, prompted };
+    }
+  }
+  const url = envUrl ?? (prompted.add("url"), await (0, import_prompts2.input)({ message: "Kinetica endpoint URL:" }));
+  const user = envUser ?? (prompted.add("user"), await (0, import_prompts2.input)({ message: "Admin username:" }));
+  const pass = process.env.KINETICA_PASS ?? await (0, import_prompts2.password)({ message: "Admin password:", mask: "*" });
+  return { credentials: { url, user, pass }, prompted };
+}
+async function repromptCredentials() {
+  const user = await (0, import_prompts2.input)({ message: "Admin username:" });
+  const pass = await (0, import_prompts2.password)({ message: "Admin password:", mask: "*" });
+  return { user, pass };
+}
+
+// src/session/KineticaSession.ts
+var REQUEST_TIMEOUT_MS = 3e4;
+function replacePort(baseUrl, port) {
+  const parsed = new URL(baseUrl);
+  parsed.port = String(port);
+  return parsed.origin;
+}
+function createSession(url, user, pass) {
+  const authHeader = "Basic " + Buffer.from(`${user}:${pass}`).toString("base64");
+  const doFetch = async (fullUrl, body) => {
+    if (process.env.DEBUG) {
+      console.error(`[DEBUG] POST ${fullUrl}`);
+    }
+    return fetch(fullUrl, {
+      method: "POST",
+      headers: {
+        Authorization: authHeader,
+        "Content-Type": "application/json"
+      },
+      body: body !== void 0 ? JSON.stringify(body) : void 0,
+      signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+    });
+  };
+  return {
+    baseUrl: url,
+    makeRequest: (endpoint, body) => doFetch(`${url}${endpoint}`, body),
+    makeRequestToPort: (port, endpoint, body) => doFetch(`${replacePort(url, port)}${endpoint}`, body)
+  };
+}
+
+// src/session/resolve-url.ts
+var import_picocolors5 = __toESM(require("picocolors"));
+var import_prompts3 = require("@inquirer/prompts");
+var PROBE_TIMEOUT_MS2 = 3e3;
+var HTTP_PROTOCOL_RE = /^https?:\/\//i;
+var ANY_PROTOCOL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
+function hasProtocol(input5) {
+  return HTTP_PROTOCOL_RE.test(input5);
+}
+function stripTrailingSlashes(url) {
+  return url.replace(/\/+$/, "");
+}
+async function probeProtocol(url) {
+  try {
+    await fetch(url, {
+      method: "HEAD",
+      signal: AbortSignal.timeout(PROBE_TIMEOUT_MS2)
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isHttpsOnly() {
+  return process.env.KINETICA_HTTPS_ONLY === "1";
+}
+function isInteractive() {
+  return Boolean(process.stdin.isTTY);
+}
+async function confirmHttpFallback(host) {
+  process.stderr.write(
+    "\n" + import_picocolors5.default.red(
+      import_picocolors5.default.bold(
+        `  WARNING: HTTPS unavailable at ${host}.
+  Falling back to plaintext HTTP will transmit your Kinetica credentials in the clear.
+`
+      )
+    ) + import_picocolors5.default.dim(
+      `  Set KINETICA_HTTPS_ONLY=1 to refuse this fallback automatically, or pass an explicit http:// prefix to silence this prompt.
+
+`
+    )
+  );
+  try {
+    return await (0, import_prompts3.confirm)({
+      message: "Continue over plaintext HTTP?",
+      default: false
+    });
+  } catch {
+    return false;
+  }
+}
+async function resolveUrl(input5) {
+  const trimmed = input5.trim();
+  if (trimmed === "") {
+    return { ok: false, error: "URL is empty" };
+  }
+  const normalized = stripTrailingSlashes(trimmed);
+  if (hasProtocol(normalized)) {
+    return { ok: true, url: normalized };
+  }
+  if (ANY_PROTOCOL_RE.test(normalized)) {
+    const scheme = normalized.split("://")[0];
+    return {
+      ok: false,
+      error: `Unsupported protocol: ${scheme}. Use http:// or https://`
+    };
+  }
+  const httpsUrl = `https://${normalized}`;
+  const httpUrl = `http://${normalized}`;
+  console.error(import_picocolors5.default.dim("Detecting protocol..."));
+  if (await probeProtocol(httpsUrl)) {
+    return { ok: true, url: httpsUrl };
+  }
+  if (isHttpsOnly()) {
+    return {
+      ok: false,
+      error: `HTTPS probe to ${httpsUrl} failed and KINETICA_HTTPS_ONLY=1; refusing to fall back to plaintext HTTP.`
+    };
+  }
+  if (!await probeProtocol(httpUrl)) {
+    return {
+      ok: false,
+      error: `Could not connect to ${normalized} via https:// or http://`
+    };
+  }
+  if (!isInteractive()) {
+    return {
+      ok: false,
+      error: `HTTPS unavailable at ${normalized} and terminal is non-interactive. Pass an explicit http:// prefix to allow plaintext HTTP, or point the URL at an HTTPS endpoint.`
+    };
+  }
+  const approved = await confirmHttpFallback(normalized);
+  if (!approved) {
+    return {
+      ok: false,
+      error: "User declined plaintext HTTP fallback"
+    };
+  }
+  return { ok: true, url: httpUrl };
+}
+
+// src/session/verify.ts
+var MAX_RETRIES = 3;
+var MAX_REPROMPTS = 2;
+var DEFAULT_HM_PORT = 9300;
+function extractVersion(responseBody) {
+  try {
+    const outer = JSON.parse(responseBody);
+    if (typeof outer.data_str !== "string") return void 0;
+    const inner = JSON.parse(outer.data_str);
+    const systemStr = inner.status_map?.system;
+    if (typeof systemStr !== "string") return void 0;
+    const system = JSON.parse(systemStr);
+    return typeof system.version === "string" ? system.version : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function extractVersionFromHostManager(responseBody) {
+  try {
+    const parsed = JSON.parse(responseBody);
+    return typeof parsed.version === "string" ? parsed.version : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function probeHostManager(session2) {
+  if (!session2.makeRequestToPort) {
+    return { ok: false };
+  }
+  try {
+    const response = await session2.makeRequestToPort(DEFAULT_HM_PORT, "/", void 0);
+    if (!response.ok) return { ok: false };
+    const body = await response.text();
+    return { ok: true, version: extractVersionFromHostManager(body) };
+  } catch {
+    return { ok: false };
+  }
+}
+async function verifyConnectivity(session2) {
+  const response = await session2.makeRequest("/show/system/status", {});
+  if (!response.ok) {
+    const body2 = await response.text();
+    throw new Error(`HTTP ${response.status}: ${body2}`);
+  }
+  const body = await response.text();
+  return extractVersion(body);
+}
+function isCredentialError(errorMessage) {
+  return errorMessage.startsWith("HTTP 401") || errorMessage.startsWith("HTTP 403");
+}
+async function connectWithRetry() {
+  const { credentials, prompted } = await collectCredentials();
+  const resolved = await resolveUrl(credentials.url);
+  if (!resolved.ok) {
+    console.error(import_picocolors6.default.red(resolved.error));
+    process.exit(1);
+  }
+  const resolvedUrl = resolved.url;
+  let currentUser = credentials.user;
+  let currentPass = credentials.pass;
+  let wasReprompted = false;
+  let repromptCount = 0;
+  let session2 = createSession(resolvedUrl, currentUser, currentPass);
+  for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
+    try {
+      const kineticaVersion = await verifyConnectivity(session2);
+      console.error(import_picocolors6.default.green("Connected to Kinetica successfully."));
+      if (prompted.size > 0 || wasReprompted) {
+        await offerSaveCredentials(resolvedUrl, currentUser);
+      }
+      return { session: session2, kineticaVersion, degraded: false };
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.error(import_picocolors6.default.red(`Connection failed (attempt ${attempt}/${MAX_RETRIES}): ${msg}`));
+      if (isCredentialError(msg)) {
+        if (process.stdin.isTTY && repromptCount < MAX_REPROMPTS) {
+          const shouldRetry = await (0, import_prompts4.confirm)({
+            message: "Credentials may be incorrect. Re-enter?",
+            default: true
+          });
+          if (shouldRetry) {
+            const fresh = await repromptCredentials();
+            currentUser = fresh.user;
+            currentPass = fresh.pass;
+            wasReprompted = true;
+            repromptCount++;
+            session2 = createSession(resolvedUrl, currentUser, currentPass);
+            attempt = 0;
+            continue;
+          }
+        }
+        console.error(import_picocolors6.default.red("Authentication failed. Exiting."));
+        process.exit(1);
+      }
+      if (attempt === MAX_RETRIES) {
+        console.error(import_picocolors6.default.yellow("DB engine unreachable. Probing host manager on port 9300..."));
+        const hmResult = await probeHostManager(session2);
+        if (hmResult.ok) {
+          console.error(
+            import_picocolors6.default.yellow(
+              "Connected in DEGRADED MODE (host manager only). Most diagnostic tools will be unavailable."
+            )
+          );
+          if (prompted.size > 0 || wasReprompted) {
+            await offerSaveCredentials(resolvedUrl, currentUser);
+          }
+          return { session: session2, kineticaVersion: hmResult.version, degraded: true };
+        }
+        console.error(import_picocolors6.default.red("Host manager also unreachable. Exiting."));
+        process.exit(1);
+      }
+    }
+  }
+  throw new Error("unreachable");
+}
+
+// src/agent/run-agent.ts
+var import_claude_agent_sdk5 = require("@anthropic-ai/claude-agent-sdk");
+var import_prompts8 = require("@inquirer/prompts");
+var import_picocolors13 = __toESM(require("picocolors"));
+
+// src/agent/diagnostic-sql.ts
+function has(columns, name) {
+  return columns.includes(name);
+}
+var FALLBACK_QUERY_HISTORY_SQL = `-- Slow queries in the last hour
+SELECT query_id, user_name, query_text, start_time, stop_time,
+       TIMESTAMPDIFF(SECOND, start_time, stop_time) AS elapsed_sec
+FROM ki_catalog.ki_query_history
+WHERE start_time > NOW() - INTERVAL '1' HOUR
+ORDER BY elapsed_sec DESC
+LIMIT 20;`;
+var FALLBACK_ACTIVE_QUERIES_SQL = `-- Currently active queries
+SELECT query_id, user_name, query_text, start_time, execution_status
+FROM ki_catalog.ki_query_active_all
+ORDER BY start_time ASC;`;
+var FALLBACK_TIERED_OBJECTS_SQL = `-- Objects in disk tier (potential memory pressure)
+-- NOTE: id is a string (e.g. @schema@oid[col][0]), NOT a numeric OID. Filter by table: WHERE id LIKE '%table_name%'
+-- For per-table tier placement, prefer kinetica_resource_objects with table_names filter.
+SELECT id, tier, size, source_rank, owner_resource_group
+FROM ki_catalog.ki_tiered_objects
+WHERE tier != 'VRAM'
+ORDER BY size DESC
+LIMIT 20;`;
+var FALLBACK_OBJ_STAT_SQL = `-- Table sizes and row counts
+SELECT object_name, total_bytes, row_count
+FROM ki_catalog.ki_obj_stat
+ORDER BY total_bytes DESC
+LIMIT 30;`;
+var FALLBACK_COLUMNS_SQL = `-- Structural column metadata (use kinetica_show_table for Kinetica-native types)
+SELECT c.table_name, c.column_name, c.column_position
+FROM ki_catalog.ki_columns c
+WHERE c.table_name = '<TABLE_NAME>'
+ORDER BY c.column_position;`;
+var FALLBACK_DATATYPES_SQL = `-- Resolve column_type_oid to human-readable type name
+SELECT oid, name, sql_typename
+FROM ki_catalog.ki_datatypes
+ORDER BY oid;`;
+var FALLBACK_QUERY_SPAN_METRICS_SQL = `-- Query span metrics for a specific query
+SELECT query_id, span_id, parent_span_id, operator, sql_step,
+       metric_data, start_time, stop_time, source_rank
+FROM ki_catalog.ki_query_span_metrics_all
+WHERE query_id = '<QUERY_ID>'
+ORDER BY start_time;`;
+var FALLBACK_QUERY_WORKERS_SQL = `-- Active query workers (non-idle)
+SELECT job_id, worker_id, type, status, elapsed_time_ms, source_rank
+FROM ki_catalog.ki_query_workers
+WHERE status != 'IDLE'
+ORDER BY elapsed_time_ms DESC;`;
+var FALLBACK_OBJECTS_SQL = `-- Object registry and metadata
+SELECT oid, object_name, schema_name, type_id, persistence, obj_kind,
+       creation_time, last_read_time, read_count, write_count
+FROM ki_catalog.ki_objects
+ORDER BY last_read_time DESC
+LIMIT 30;`;
+var FALLBACK_PARTITIONS_SQL = `-- Partition sizes and tier distribution
+SELECT oid, object_name, schema_name, rank_num, partition_type,
+       partition_id, num_rows, actual_bytes, tier
+FROM ki_catalog.ki_partitions
+ORDER BY actual_bytes DESC
+LIMIT 30;`;
+var FALLBACK_INDEXES_SQL = `-- Index definitions
+SELECT oid, object_name, schema_name, index_type, index_columns
+FROM ki_catalog.ki_indexes
+ORDER BY object_name;`;
+var FALLBACK_PERIODIC_OBJECTS_SQL = `-- Periodic refresh schedules
+SELECT oid, object_name, schema_name, last_refresh_time,
+       next_refresh_time, additional_info
+FROM ki_catalog.ki_periodic_objects
+ORDER BY next_refresh_time;`;
+var FALLBACK_USERS_AND_ROLES_SQL = `-- Users and roles
+SELECT oid, name, can_login, is_superuser, resource_group
+FROM ki_catalog.ki_users_and_roles
+ORDER BY name;`;
+var FALLBACK_OBJECT_PERMISSIONS_SQL = `-- Object permissions
+SELECT role_name, permission_type, object_type, object_name, with_grant_option
+FROM ki_catalog.ki_object_permissions
+ORDER BY object_name, role_name;`;
+var FALLBACK_DEPEND_SQL = `-- Object dependency graph
+SELECT src_obj_oid, src_obj_kind, dep_obj_oid, dep_obj_kind, mv_oid, dep_kind
+FROM ki_catalog.ki_depend;`;
+var FALLBACK_LOAD_HISTORY_SQL = `-- Recent data load history
+SELECT table_oid, datasource_oid, user_name, load_kind,
+       start_time, end_time, rows_inserted, event_message
+FROM ki_catalog.ki_load_history
+WHERE start_time > NOW() - INTERVAL '1' HOUR
+ORDER BY start_time DESC
+LIMIT 20;`;
+var FALLBACK_BACKUP_HISTORY_SQL = `-- Backup history
+SELECT backup_name, operation, status, start_time, end_time,
+       num_files, num_bytes, num_records
+FROM ki_catalog.ki_backup_history
+ORDER BY start_time DESC
+LIMIT 20;`;
+var FALLBACK_KAFKA_LAG_INFO_SQL = `-- Kafka consumer lag
+SELECT datasource_oid, table_oid, schema_name, table_name,
+       partition_id, highest_offset, last_committed_offset
+FROM ki_catalog.ki_kafka_lag_info
+ORDER BY datasource_oid, partition_id;`;
+function buildQueryHistorySql(columns) {
+  const select = columns.join(", ");
+  const elapsed = has(columns, "start_time") && has(columns, "stop_time") ? ",\n       TIMESTAMPDIFF(SECOND, start_time, stop_time) AS elapsed_sec" : "";
+  const where = has(columns, "start_time") ? "\nWHERE start_time > NOW() - INTERVAL '1' HOUR" : "";
+  const orderBy = has(columns, "start_time") && has(columns, "stop_time") ? (
+    // Kinetica does not support timestamp arithmetic in ORDER BY; use the elapsed_sec alias instead
+    "\nORDER BY elapsed_sec DESC"
+  ) : "";
+  return `-- Slow queries in the last hour
+SELECT ${select}${elapsed}
+FROM ki_catalog.ki_query_history${where}${orderBy}
+LIMIT 20;`;
+}
+function buildActiveQueriesSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "start_time") ? "\nORDER BY start_time ASC" : "";
+  return `-- Currently active queries
+SELECT ${select}
+FROM ki_catalog.ki_query_active_all${orderBy};`;
+}
+function buildTieredObjectsSql(columns) {
+  const select = columns.join(", ");
+  const where = has(columns, "tier") ? "\nWHERE tier != 'VRAM'" : "";
+  const orderBy = has(columns, "size") ? "\nORDER BY size DESC" : "";
+  const idNote = has(columns, "id") ? "\n-- NOTE: id is a string (e.g. @schema@oid[col][0]), NOT a numeric OID. Filter by table: WHERE id LIKE '%table_name%'" : "";
+  return `-- Objects in disk tier (potential memory pressure)${idNote}
+SELECT ${select}
+FROM ki_catalog.ki_tiered_objects${where}${orderBy}
+LIMIT 20;`;
+}
+function buildObjStatSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "total_bytes") ? "\nORDER BY total_bytes DESC" : "";
+  return `-- Table sizes and row counts
+SELECT ${select}
+FROM ki_catalog.ki_obj_stat${orderBy}
+LIMIT 30;`;
+}
+var STRUCTURAL_COLUMNS = /* @__PURE__ */ new Set([
+  "table_name",
+  "column_name",
+  "column_position",
+  "is_nullable",
+  "is_shard_key",
+  "is_primary_key",
+  "is_dict_encoded",
+  "default_value",
+  "bytes_on_disk_uncompressed",
+  "bytes_on_disk_compressed"
+]);
+function buildColumnsSql(columns) {
+  const filtered = columns.filter((c) => STRUCTURAL_COLUMNS.has(c));
+  const selectCols = filtered.length > 0 ? filtered : columns;
+  const select = selectCols.map((c) => `c.${c}`).join(", ");
+  const where = has(selectCols, "table_name") ? "\nWHERE c.table_name = '<TABLE_NAME>'" : "";
+  const orderBy = has(selectCols, "column_position") ? "\nORDER BY c.column_position" : has(selectCols, "column_name") ? "\nORDER BY c.column_name" : "";
+  return `-- Structural column metadata (use kinetica_show_table for Kinetica-native types)
+SELECT ${select}
+FROM ki_catalog.ki_columns c${where}${orderBy};`;
+}
+function buildDatatypesSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "oid") ? "\nORDER BY oid" : "";
+  return `-- Resolve column_type_oid to human-readable type name
+SELECT ${select}
+FROM ki_catalog.ki_datatypes${orderBy};`;
+}
+function buildQuerySpanMetricsSql(columns) {
+  const select = columns.join(", ");
+  const where = has(columns, "query_id") ? "\nWHERE query_id = '<QUERY_ID>'" : "";
+  const orderBy = has(columns, "start_time") ? "\nORDER BY start_time" : "";
+  return `-- Query span metrics for a specific query
+SELECT ${select}
+FROM ki_catalog.ki_query_span_metrics_all${where}${orderBy};`;
+}
+function buildQueryWorkersSql(columns) {
+  const select = columns.join(", ");
+  const where = has(columns, "status") ? "\nWHERE status != 'IDLE'" : "";
+  const orderBy = has(columns, "elapsed_time_ms") ? "\nORDER BY elapsed_time_ms DESC" : "";
+  return `-- Active query workers (non-idle)
+SELECT ${select}
+FROM ki_catalog.ki_query_workers${where}${orderBy};`;
+}
+function buildObjectsSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "last_read_time") ? "\nORDER BY last_read_time DESC" : has(columns, "creation_time") ? "\nORDER BY creation_time DESC" : "";
+  return `-- Object registry and metadata
+SELECT ${select}
+FROM ki_catalog.ki_objects${orderBy}
+LIMIT 30;`;
+}
+function buildPartitionsSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "actual_bytes") ? "\nORDER BY actual_bytes DESC" : "";
+  return `-- Partition sizes and tier distribution
+SELECT ${select}
+FROM ki_catalog.ki_partitions${orderBy}
+LIMIT 30;`;
+}
+function buildIndexesSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "object_name") ? "\nORDER BY object_name" : "";
+  return `-- Index definitions
+SELECT ${select}
+FROM ki_catalog.ki_indexes${orderBy};`;
+}
+function buildPeriodicObjectsSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "next_refresh_time") ? "\nORDER BY next_refresh_time" : "";
+  return `-- Periodic refresh schedules
+SELECT ${select}
+FROM ki_catalog.ki_periodic_objects${orderBy};`;
+}
+function buildUsersAndRolesSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "name") ? "\nORDER BY name" : "";
+  return `-- Users and roles
+SELECT ${select}
+FROM ki_catalog.ki_users_and_roles${orderBy};`;
+}
+function buildObjectPermissionsSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "object_name") && has(columns, "role_name") ? "\nORDER BY object_name, role_name" : has(columns, "object_name") ? "\nORDER BY object_name" : "";
+  return `-- Object permissions
+SELECT ${select}
+FROM ki_catalog.ki_object_permissions${orderBy};`;
+}
+function buildDependSql(columns) {
+  const select = columns.join(", ");
+  return `-- Object dependency graph
+SELECT ${select}
+FROM ki_catalog.ki_depend;`;
+}
+function buildLoadHistorySql(columns) {
+  const select = columns.join(", ");
+  const where = has(columns, "start_time") ? "\nWHERE start_time > NOW() - INTERVAL '1' HOUR" : "";
+  const orderBy = has(columns, "start_time") ? "\nORDER BY start_time DESC" : "";
+  return `-- Recent data load history
+SELECT ${select}
+FROM ki_catalog.ki_load_history${where}${orderBy}
+LIMIT 20;`;
+}
+function buildBackupHistorySql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "start_time") ? "\nORDER BY start_time DESC" : "";
+  return `-- Backup history
+SELECT ${select}
+FROM ki_catalog.ki_backup_history${orderBy}
+LIMIT 20;`;
+}
+function buildKafkaLagInfoSql(columns) {
+  const select = columns.join(", ");
+  const orderBy = has(columns, "datasource_oid") && has(columns, "partition_id") ? "\nORDER BY datasource_oid, partition_id" : has(columns, "datasource_oid") ? "\nORDER BY datasource_oid" : "";
+  return `-- Kafka consumer lag
+SELECT ${select}
+FROM ki_catalog.ki_kafka_lag_info${orderBy};`;
+}
+var BUILDER_REGISTRY = [
+  // Query History and Performance
+  {
+    table: "ki_query_history",
+    section: "Query History and Performance",
+    build: buildQueryHistorySql,
+    fallback: FALLBACK_QUERY_HISTORY_SQL
+  },
+  {
+    table: "ki_query_active_all",
+    section: "Query History and Performance",
+    build: buildActiveQueriesSql,
+    fallback: FALLBACK_ACTIVE_QUERIES_SQL
+  },
+  {
+    table: "ki_query_span_metrics_all",
+    section: "Query History and Performance",
+    build: buildQuerySpanMetricsSql,
+    fallback: FALLBACK_QUERY_SPAN_METRICS_SQL
+  },
+  {
+    table: "ki_query_workers",
+    section: "Query History and Performance",
+    build: buildQueryWorkersSql,
+    fallback: FALLBACK_QUERY_WORKERS_SQL
+  },
+  // Memory and Storage Tiers
+  {
+    table: "ki_tiered_objects",
+    section: "Memory and Storage Tiers",
+    build: buildTieredObjectsSql,
+    fallback: FALLBACK_TIERED_OBJECTS_SQL
+  },
+  {
+    table: "ki_obj_stat",
+    section: "Memory and Storage Tiers",
+    build: buildObjStatSql,
+    fallback: FALLBACK_OBJ_STAT_SQL
+  },
+  {
+    table: "ki_partitions",
+    section: "Memory and Storage Tiers",
+    build: buildPartitionsSql,
+    fallback: FALLBACK_PARTITIONS_SQL
+  },
+  // Object Registry and Metadata
+  {
+    table: "ki_objects",
+    section: "Object Registry and Metadata",
+    build: buildObjectsSql,
+    fallback: FALLBACK_OBJECTS_SQL
+  },
+  {
+    table: "ki_indexes",
+    section: "Object Registry and Metadata",
+    build: buildIndexesSql,
+    fallback: FALLBACK_INDEXES_SQL
+  },
+  {
+    table: "ki_periodic_objects",
+    section: "Object Registry and Metadata",
+    build: buildPeriodicObjectsSql,
+    fallback: FALLBACK_PERIODIC_OBJECTS_SQL
+  },
+  {
+    table: "ki_depend",
+    section: "Object Registry and Metadata",
+    build: buildDependSql,
+    fallback: FALLBACK_DEPEND_SQL
+  },
+  // Security and Access Control
+  {
+    table: "ki_users_and_roles",
+    section: "Security and Access Control",
+    build: buildUsersAndRolesSql,
+    fallback: FALLBACK_USERS_AND_ROLES_SQL
+  },
+  {
+    table: "ki_object_permissions",
+    section: "Security and Access Control",
+    build: buildObjectPermissionsSql,
+    fallback: FALLBACK_OBJECT_PERMISSIONS_SQL
+  },
+  // Data Ingestion and Operations
+  {
+    table: "ki_load_history",
+    section: "Data Ingestion and Operations",
+    build: buildLoadHistorySql,
+    fallback: FALLBACK_LOAD_HISTORY_SQL
+  },
+  {
+    table: "ki_backup_history",
+    section: "Data Ingestion and Operations",
+    build: buildBackupHistorySql,
+    fallback: FALLBACK_BACKUP_HISTORY_SQL
+  },
+  {
+    table: "ki_kafka_lag_info",
+    section: "Data Ingestion and Operations",
+    build: buildKafkaLagInfoSql,
+    fallback: FALLBACK_KAFKA_LAG_INFO_SQL
+  },
+  // Schema Inspection
+  {
+    table: "ki_columns",
+    section: "Schema Inspection",
+    build: buildColumnsSql,
+    fallback: FALLBACK_COLUMNS_SQL
+  },
+  {
+    table: "ki_datatypes",
+    section: "Schema Inspection",
+    build: buildDatatypesSql,
+    fallback: FALLBACK_DATATYPES_SQL
+  }
+];
+
+// src/tools/index.ts
+var import_claude_agent_sdk3 = require("@anthropic-ai/claude-agent-sdk");
+var import_zod16 = require("zod");
+var import_picocolors9 = __toESM(require("picocolors"));
+
+// src/approval/registry.ts
+var DEFAULT_READ_ONLY_TOOLS = /* @__PURE__ */ new Set();
+function createRegistry(tools = DEFAULT_READ_ONLY_TOOLS) {
+  return {
+    isReadOnlyTool: (toolName) => tools.has(toolName),
+    // Returns a NEW registry — never mutates the current one
+    registerReadOnlyTool: (toolName) => createRegistry(/* @__PURE__ */ new Set([...tools, toolName])),
+    tools
+  };
+}
+var defaultRegistry = createRegistry();
+var isReadOnlyTool = defaultRegistry.isReadOnlyTool;
+var READ_ONLY_TOOLS = defaultRegistry.tools;
+
+// src/output/stringify.ts
+function stringifyValue(v) {
+  if (v === void 0 || v === null) return "";
+  if (typeof v === "string") return v;
+  if (typeof v === "number" || typeof v === "boolean" || typeof v === "bigint") {
+    return v.toString();
+  }
+  if (typeof v === "object") return JSON.stringify(v);
+  if (typeof v === "symbol") return v.toString();
+  return "";
+}
+
+// src/output/format.ts
+function formatOutput(json) {
+  if (json === null || json === void 0) {
+    return "(empty)";
+  }
+  if (Array.isArray(json)) {
+    return formatArray(json);
+  }
+  if (typeof json === "object") {
+    return formatObject(json);
+  }
+  return stringifyValue(json);
+}
+function formatArray(arr) {
+  if (arr.length === 0) {
+    return "(no results)";
+  }
+  const first = arr[0];
+  if (typeof first === "object" && first !== null && !Array.isArray(first)) {
+    return formatTableArray(arr);
+  }
+  return arr.map(stringifyValue).join("\n");
+}
+function formatTableArray(rows) {
+  const headers = Object.keys(rows[0]);
+  const cells = rows.map((row) => headers.map((h) => stringifyValue(row[h])));
+  const colWidths = headers.map(
+    (h, i) => Math.max(h.length, ...cells.map((row) => row[i].length), 3)
+  );
+  const pad = (text, col) => text.padEnd(colWidths[col]);
+  const headerRow = `| ${headers.map((h, i) => pad(h, i)).join(" | ")} |`;
+  const separatorRow = `| ${colWidths.map((w) => "-".repeat(w)).join(" | ")} |`;
+  const dataRows = cells.map((row) => `| ${row.map((cell, i) => pad(cell, i)).join(" | ")} |`);
+  return [headerRow, separatorRow, ...dataRows].join("\n");
+}
+function formatObject(obj) {
+  return Object.entries(obj).map(([key, value]) => {
+    if (typeof value === "object" && value !== null) {
+      return `**${key}:**
+${formatOutput(value)}`;
+    }
+    return `**${key}:** ${stringifyValue(value)}`;
+  }).join("\n");
+}
+
+// src/output/format-tool-name.ts
+function formatToolName(toolName) {
+  const stripped = toolName.replace(/^mcp__[^_]+__/, "").replace(/^kinetica_/, "");
+  return stripped.replace(/_/g, " ");
+}
+
+// src/types/index.ts
+var DEFAULT_TRUNCATION = {
+  headLines: 150,
+  tailLines: 50
+};
+
+// src/output/truncate.ts
+function truncateOutput(text, options = DEFAULT_TRUNCATION) {
+  if (text === "") return "";
+  const lines = text.split("\n");
+  const { headLines, tailLines } = options;
+  const threshold = headLines + tailLines;
+  if (lines.length <= threshold) {
+    return text;
+  }
+  const truncatedCount = lines.length - headLines - tailLines;
+  const head = lines.slice(0, headLines);
+  const tail = lines.slice(lines.length - tailLines);
+  return [...head, "", `[... ${truncatedCount} lines truncated ...]`, "", ...tail].join("\n");
+}
+
+// src/output/reshape.ts
+function safeString(v) {
+  if (typeof v === "object" && v !== null) {
+    return JSON.stringify(v);
+  }
+  return String(v);
+}
+function flatObjectToRows(obj, keyLabel = "key", valueLabel = "value") {
+  return Object.entries(obj).map(([k, v]) => ({
+    [keyLabel]: k,
+    [valueLabel]: safeString(v)
+  }));
+}
+
+// src/tools/rest/parse-data-str.ts
+function parseDataStr(outerDataStr, raw) {
+  if (typeof outerDataStr !== "string") {
+    return { ok: true, data: void 0 };
+  }
+  try {
+    return { ok: true, data: JSON.parse(outerDataStr) };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 200, error: `data_str parse error: ${message}`, raw };
+  }
+}
+
+// src/tools/rest/health.ts
+async function healthCheck(session2) {
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest("/show/system/status", {});
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const inner = parseDataStr(parsed.data_str, rawText);
+  if (!inner.ok) return inner;
+  const statusMap = inner.data?.status_map ?? {};
+  return {
+    ok: true,
+    data: flatObjectToRows(statusMap, "component", "status")
+  };
+}
+
+// src/tools/rest/decode-nested-json.ts
+function decodeNestedJsonStrings(obj) {
+  return Object.fromEntries(
+    Object.entries(obj).map(([k, v]) => {
+      if (typeof v !== "string") return [k, v];
+      try {
+        const parsed = JSON.parse(v);
+        if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+          return [k, decodeNestedJsonStrings(parsed)];
+        }
+        return [k, parsed];
+      } catch {
+        return [k, v];
+      }
+    })
+  );
+}
+
+// src/tools/rest/flatten-rank-stats.ts
+function findTier(tiers, prefix) {
+  for (const [name, data] of Object.entries(tiers)) {
+    if (name === prefix || name.startsWith(`${prefix}.`) || name.startsWith(`${prefix}_`) || name.startsWith(prefix) && /^\d/.test(name.slice(prefix.length))) {
+      if (typeof data === "object" && data !== null && !Array.isArray(data)) {
+        return data;
+      }
+    }
+  }
+  return void 0;
+}
+function overallField(tier, field) {
+  if (!tier) return "";
+  const overall = tier.overall;
+  if (typeof overall !== "object" || overall === null) return "";
+  const value = overall[field];
+  return stringifyValue(value);
+}
+function computePercent(used, limit) {
+  if (!used || !limit) return "";
+  const usedN = Number(used);
+  const limitN = Number(limit);
+  if (!Number.isFinite(usedN) || !Number.isFinite(limitN) || limitN === 0) return "";
+  return `${(usedN / limitN * 100).toFixed(1)}%`;
+}
+function flattenRanksSummary(decoded) {
+  const ranksRaw = typeof decoded.ranks === "object" && decoded.ranks !== null ? decoded.ranks : decoded;
+  return Object.entries(ranksRaw).filter(([, v]) => typeof v === "object" && v !== null && !Array.isArray(v)).map(([rankId, rankData]) => {
+    const rank = rankData;
+    const tiers = typeof rank.tiers === "object" && rank.tiers !== null ? rank.tiers : {};
+    const ramUsed = overallField(findTier(tiers, "RAM"), "used");
+    const ramLimit = overallField(findTier(tiers, "RAM"), "limit");
+    return {
+      rank: rankId,
+      ram_used: ramUsed,
+      ram_limit: ramLimit,
+      ram_percent: computePercent(ramUsed, ramLimit),
+      persist_used: overallField(findTier(tiers, "PERSIST"), "used"),
+      disk_used: overallField(findTier(tiers, "DISK"), "used"),
+      vram_used: overallField(findTier(tiers, "VRAM"), "used")
+    };
+  });
+}
+function flattenRankDetail(rankData) {
+  const tiersRaw = typeof rankData.tiers === "object" && rankData.tiers !== null ? rankData.tiers : {};
+  const tiers = Object.entries(tiersRaw).filter(([, v]) => typeof v === "object" && v !== null && !Array.isArray(v)).map(([tierName, tierData]) => {
+    const tier = tierData;
+    const overall = typeof tier.overall === "object" && tier.overall !== null ? tier.overall : {};
+    const stats = typeof tier.stats === "object" && tier.stats !== null ? tier.stats : {};
+    const row = { tier: tierName };
+    for (const [k, v] of Object.entries(overall)) {
+      row[k] = stringifyValue(v);
+    }
+    for (const [k, v] of Object.entries(stats)) {
+      row[k] = stringifyValue(v);
+    }
+    return row;
+  });
+  const rgRaw = typeof rankData.resource_groups === "object" && rankData.resource_groups !== null ? rankData.resource_groups : {};
+  const resource_groups = Object.entries(rgRaw).filter(([, v]) => typeof v === "object" && v !== null && !Array.isArray(v)).map(([rgName, rgData]) => {
+    const rg = rgData;
+    const row = { name: rgName };
+    for (const [k, v] of Object.entries(rg)) {
+      row[k] = stringifyValue(v);
+    }
+    return row;
+  });
+  return { tiers, resource_groups };
+}
+
+// src/tools/rest/metrics.ts
+async function getMetrics(session2, nodeId) {
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest("/show/resource/statistics", {
+      options: {}
+    });
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const inner = parseDataStr(parsed.data_str, rawText);
+  if (!inner.ok) return inner;
+  const statisticsMap = inner.data?.statistics_map ?? {};
+  const decoded = decodeNestedJsonStrings(statisticsMap);
+  const rows = flattenRanksSummary(decoded);
+  if (nodeId !== void 0) {
+    return { ok: true, data: rows, note: `Filtered for node: ${nodeId}` };
+  }
+  return { ok: true, data: rows };
+}
+
+// src/tools/rest/summarize-shards.ts
+var EMPTY_SUMMARY = {
+  shard_array_version: void 0,
+  total_shards: 0,
+  rank_count: 0,
+  distribution: [],
+  balanced: true
+};
+function summarizeShards(raw) {
+  if (raw === null || raw === void 0 || typeof raw !== "object") {
+    return EMPTY_SUMMARY;
+  }
+  const obj = raw;
+  const version = typeof obj.shard_array_version === "number" ? obj.shard_array_version : void 0;
+  const shardMap = obj.shard_map;
+  if (shardMap === null || shardMap === void 0 || typeof shardMap !== "object" || Array.isArray(shardMap)) {
+    return { ...EMPTY_SUMMARY, shard_array_version: version };
+  }
+  const entries = Object.values(shardMap);
+  if (entries.length === 0) {
+    return { ...EMPTY_SUMMARY, shard_array_version: version };
+  }
+  const counts = entries.reduce((acc, rank) => {
+    const map = new Map(acc);
+    map.set(rank, (acc.get(rank) ?? 0) + 1);
+    return map;
+  }, /* @__PURE__ */ new Map());
+  const totalShards = entries.length;
+  const distribution = [...counts.entries()].sort(([a], [b]) => a.localeCompare(b)).map(([rank, count]) => ({
+    rank,
+    shard_count: count,
+    percent: `${(count / totalShards * 100).toFixed(1)}%`
+  }));
+  const shardCounts = distribution.map((d) => d.shard_count);
+  const balanced = Math.max(...shardCounts) - Math.min(...shardCounts) <= 1;
+  return {
+    shard_array_version: version,
+    total_shards: totalShards,
+    rank_count: counts.size,
+    distribution,
+    balanced
+  };
+}
+
+// src/tools/rest/system-properties.ts
+var import_zod = require("zod");
+var GetSystemPropertiesSchema = import_zod.z.object({
+  category: import_zod.z.string().optional(),
+  key_pattern: import_zod.z.string().optional()
+});
+async function getSystemProperties(session2, input5) {
+  try {
+    const response = await session2.makeRequest("/show/system/properties", {
+      options: {}
+    });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return inner;
+    const propertyMap = inner.data?.property_map ?? {};
+    const filteredMap = applyFilters(propertyMap, input5);
+    return {
+      ok: true,
+      data: flatObjectToRows(filteredMap, "property", "value"),
+      rowCount: Object.keys(filteredMap).length
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+function applyFilters(propertyMap, input5) {
+  const { category, key_pattern } = input5;
+  if (category === void 0 && key_pattern === void 0) {
+    return propertyMap;
+  }
+  const patternLower = key_pattern?.toLowerCase();
+  return Object.fromEntries(
+    Object.entries(propertyMap).filter(([key]) => {
+      const matchesCategory = category === void 0 || key.startsWith(category);
+      const matchesPattern = patternLower === void 0 || key.toLowerCase().includes(patternLower);
+      return matchesCategory && matchesPattern;
+    })
+  );
+}
+
+// src/tools/rest/discover-hm-port.ts
+var DEFAULT_HM_PORT2 = 9300;
+async function discoverHmPort(session2) {
+  const result = await getSystemProperties(session2, { key_pattern: "hm_http_port" });
+  if (!result.ok) return DEFAULT_HM_PORT2;
+  const rows = result.data;
+  const entry = rows.find((r) => r.property?.includes("hm_http_port"));
+  if (!entry?.value) return DEFAULT_HM_PORT2;
+  const port = parseInt(entry.value, 10);
+  return Number.isFinite(port) ? port : DEFAULT_HM_PORT2;
+}
+
+// src/tools/rest/cluster.ts
+async function fetchJson(session2, endpoint, body) {
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest(endpoint, body);
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  try {
+    const parsed = JSON.parse(rawText);
+    return { ok: true, data: parsed };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+}
+async function fetchJsonOnPort(session2, port, endpoint, body) {
+  if (!session2.makeRequestToPort) {
+    return {
+      ok: false,
+      status: 0,
+      error: "makeRequestToPort not available on this session",
+      raw: ""
+    };
+  }
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequestToPort(port, endpoint, body);
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  try {
+    const parsed = JSON.parse(rawText);
+    return { ok: true, data: parsed };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+}
+async function clusterStatus(session2) {
+  const opsResult = await fetchJson(session2, "/admin/show/cluster/operations", { options: {} });
+  if (!opsResult.ok) return opsResult;
+  const shardsResult = await fetchJson(session2, "/admin/show/shards", {
+    options: {}
+  });
+  if (!shardsResult.ok) return shardsResult;
+  const hmPort = await discoverHmPort(session2);
+  const alertsResult = await fetchJsonOnPort(session2, hmPort, "/admin/show/alerts", {
+    num_alerts: 50,
+    options: {}
+  });
+  const alertsAvailable = alertsResult.ok;
+  const jobsResult = await fetchJson(session2, "/admin/show/jobs", {
+    options: { show_async_jobs: "true", show_worker_info: "true" }
+  });
+  if (!jobsResult.ok) return jobsResult;
+  let alerts = [];
+  if (alertsAvailable) {
+    const alertsOuter = alertsResult.data;
+    const alertsInner = parseDataStr(
+      alertsOuter.data_str,
+      JSON.stringify(alertsResult.data)
+    );
+    if (!alertsInner.ok) return alertsInner;
+    const timestamps = alertsInner.data?.timestamps ?? [];
+    const alertTypes = alertsInner.data?.types ?? [];
+    const alertParams = alertsInner.data?.params ?? [];
+    alerts = timestamps.map((ts, i) => ({
+      timestamp: ts,
+      type: alertTypes[i] ?? "",
+      params: alertParams[i] ?? ""
+    }));
+  }
+  const jobsOuter = jobsResult.data;
+  const jobsInner = parseDataStr(jobsOuter.data_str, JSON.stringify(jobsResult.data));
+  if (!jobsInner.ok) return jobsInner;
+  const jobIds = jobsInner.data?.job_id ?? [];
+  const jobStatuses = jobsInner.data?.status ?? [];
+  const jobEndpoints = jobsInner.data?.endpoint_name ?? [];
+  const jobs = jobIds.map((id, i) => ({
+    job_id: id,
+    status: jobStatuses[i] ?? "",
+    endpoint: jobEndpoints[i] ?? ""
+  }));
+  return {
+    ok: true,
+    data: {
+      operations: opsResult.data,
+      shards: summarizeShards(shardsResult.data),
+      alerts,
+      jobs
+    },
+    ...alertsAvailable ? {} : { note: "/admin/show/alerts not available on this version \u2014 alerts array is empty" }
+  };
+}
+
+// src/tools/rest/node.ts
+async function nodeDetails(session2, nodeId) {
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest("/show/resource/statistics", {
+      options: {}
+    });
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const inner = parseDataStr(
+    parsed.data_str,
+    rawText
+  );
+  if (!inner.ok) return inner;
+  const rawMap = inner.data?.statistics_map ?? {};
+  const decoded = decodeNestedJsonStrings(rawMap);
+  const ranks = typeof decoded.ranks === "object" && decoded.ranks !== null ? decoded.ranks : decoded;
+  if (nodeId !== void 0) {
+    if (Object.prototype.hasOwnProperty.call(ranks, nodeId)) {
+      return {
+        ok: true,
+        data: flattenRankDetail(ranks[nodeId])
+      };
+    }
+    return {
+      ok: true,
+      data: flattenRanksSummary(decoded),
+      note: `node_id '${nodeId}' not found in statistics_map \u2014 returning all nodes`
+    };
+  }
+  return { ok: true, data: flattenRanksSummary(decoded) };
+}
+
+// src/tools/rest/logs.ts
+var import_zod2 = require("zod");
+var LOG_SOURCES = ["kinetica", "rank", "syslog", "gadmin", "reveal", "workbench"];
+var LOG_SEVERITIES = ["DEBUG", "INFO", "WARN", "ERROR", "FATAL"];
+var GetLogsSchema = import_zod2.z.object({
+  source: import_zod2.z.enum(LOG_SOURCES),
+  min_severity: import_zod2.z.enum(LOG_SEVERITIES).default("INFO"),
+  duration: import_zod2.z.string().regex(
+    /^\d+[mhd]$/,
+    "Duration must match pattern: digits followed by m, h, or d (e.g. '1h', '30m', '7d')"
+  ).optional(),
+  start_time: import_zod2.z.string().datetime().optional(),
+  end_time: import_zod2.z.string().datetime().optional(),
+  node_id: import_zod2.z.string().optional(),
+  limit: import_zod2.z.number().int().min(1).max(5e3).default(500)
+}).refine(
+  (data) => {
+    const hasDuration = data.duration !== void 0;
+    const hasAbsoluteTime = data.start_time !== void 0 || data.end_time !== void 0;
+    return !(hasDuration && hasAbsoluteTime);
+  },
+  {
+    message: "duration and start_time/end_time are mutually exclusive -- use one or the other, not both"
+  }
+);
+function buildStubResponse(input5) {
+  return {
+    ok: true,
+    data: {
+      note: "The /admin/show/logs endpoint is not yet implemented on this Kinetica server. Use kinetica_execute_sql to query ki_catalog system tables for log-like diagnostic data.",
+      endpoint: "/admin/show/logs",
+      status: "stub",
+      requested_params: {
+        source: input5.source,
+        min_severity: input5.min_severity,
+        duration: input5.duration,
+        start_time: input5.start_time,
+        end_time: input5.end_time,
+        node_id: input5.node_id,
+        limit: input5.limit
+      }
+    }
+  };
+}
+async function getLogs(session2, input5) {
+  const params = {
+    source: input5.source,
+    severity: input5.min_severity,
+    limit: input5.limit
+  };
+  if (input5.duration !== void 0) {
+    params.duration = input5.duration;
+  }
+  if (input5.start_time !== void 0) {
+    params.start_time = input5.start_time;
+  }
+  if (input5.end_time !== void 0) {
+    params.end_time = input5.end_time;
+  }
+  if (input5.node_id !== void 0) {
+    params.node_id = input5.node_id;
+  }
+  try {
+    const response = await session2.makeRequest("/admin/show/logs", params);
+    if (!response.ok) {
+      return buildStubResponse(input5);
+    }
+    const raw = await response.text();
+    try {
+      const data = JSON.parse(raw);
+      return {
+        ok: true,
+        data
+      };
+    } catch {
+      return buildStubResponse(input5);
+    }
+  } catch {
+    return buildStubResponse(input5);
+  }
+}
+
+// src/tools/rest/show-configuration.ts
+var import_zod3 = require("zod");
+
+// src/report/scrub.ts
+var CONFIG_SECRET_PATTERN = /([^\r\n=:]*(?:password|passwd|passphrase|license[_-]?key|private[_-]?key|secret)[^\r\n=:]*[:=][ \t]*)[^\r\n]+/gi;
+function redactConfigSecrets(content) {
+  return content.replace(CONFIG_SECRET_PATTERN, "$1[REDACTED]");
+}
+var DEFAULT_SCRUB_PATTERNS = [
+  /https?:\/\/[^\s"'`)\]]+/gi,
+  // HTTP/HTTPS URLs
+  /Basic\s+[A-Za-z0-9+/=]+/gi,
+  // Basic auth headers
+  /Bearer\s+[A-Za-z0-9._-]+/gi,
+  // Bearer tokens
+  /password[:\s]+[^\s"'`)\]]+/gi,
+  // Password values (bare form: password: value)
+  /"password"\s*:\s*"[^"]*"/gi,
+  // JSON form: "password":"..."
+  /(api[_-]?key|access[_-]?token|secret)["']?\s*[:=]\s*['"]?[^\s"'`)\]&,;]+/gi,
+  // api_key / access_token / secret
+  /(set-)?cookie\s*:\s*[^\r\n]+/gi,
+  // Cookie / Set-Cookie headers
+  /Authorization[:\s]+[^\s"'`)\]]+/gi
+  // Authorization header values
+];
+function scrubCredentials(content, patterns = DEFAULT_SCRUB_PATTERNS) {
+  const configRedacted = redactConfigSecrets(content);
+  return patterns.reduce((text, pattern) => text.replace(pattern, "[REDACTED]"), configRedacted);
+}
+
+// src/tools/rest/show-configuration.ts
+var ShowConfigurationSchema = import_zod3.z.object({});
+async function showConfiguration(session2, _input) {
+  if (!session2.makeRequestToPort) {
+    return {
+      ok: false,
+      status: 0,
+      error: "makeRequestToPort not available on this session",
+      raw: ""
+    };
+  }
+  const hmPort = await discoverHmPort(session2);
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequestToPort(hmPort, "/admin/show/configuration", {});
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let outer;
+  try {
+    outer = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const inner = parseDataStr(outer.data_str, rawText);
+  if (!inner.ok) return inner;
+  return {
+    ok: true,
+    data: {
+      config_string: redactConfigSecrets(inner.data?.config_string ?? ""),
+      info: inner.data?.info ?? {}
+    }
+  };
+}
+
+// src/tools/rest/system-timing.ts
+async function systemTiming(session2) {
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest("/show/system/timing", { options: {} });
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const inner = parseDataStr(parsed.data_str, rawText);
+  if (!inner.ok) return inner;
+  const endpoints = inner.data?.endpoints ?? [];
+  const timings = inner.data?.time_in_ms ?? [];
+  const jobIds = inner.data?.jobIds ?? [];
+  const data = endpoints.map((endpoint, i) => ({
+    endpoint,
+    time_in_ms: timings[i] ?? 0,
+    job_id: jobIds[i] ?? ""
+  }));
+  return {
+    ok: true,
+    data
+  };
+}
+
+// src/tools/rest/resource-groups.ts
+var import_zod4 = require("zod");
+var ResourceGroupsSchema = import_zod4.z.object({
+  names: import_zod4.z.array(import_zod4.z.string()).optional().default([""]),
+  show_tier_usage: import_zod4.z.boolean().optional()
+});
+async function getResourceGroups(session2, input5) {
+  try {
+    const response = await session2.makeRequest("/show/resourcegroups", {
+      names: input5.names,
+      options: {
+        show_tier_usage: String(input5.show_tier_usage ?? false),
+        show_default_values: "true",
+        show_default_group: "true"
+      }
+    });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return inner;
+    return {
+      ok: true,
+      data: inner.data ?? {}
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+
+// src/tools/rest/verify-db.ts
+var import_zod5 = require("zod");
+var VerifyDbSchema = import_zod5.z.object({
+  verify_nulls: import_zod5.z.boolean().optional(),
+  verify_persist: import_zod5.z.boolean().optional(),
+  verify_rank0: import_zod5.z.boolean().optional()
+});
+async function verifyDb(session2, input5) {
+  const options = {
+    concurrent_safe: "true"
+  };
+  if (input5.verify_nulls !== void 0) {
+    options.verify_nulls = String(input5.verify_nulls);
+  }
+  if (input5.verify_persist !== void 0) {
+    options.verify_persist = String(input5.verify_persist);
+  }
+  if (input5.verify_rank0 !== void 0) {
+    options.verify_rank0 = String(input5.verify_rank0);
+  }
+  try {
+    const response = await session2.makeRequest("/admin/verifydb", { options });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return inner;
+    const data = {
+      verified_ok: inner.data?.verified_ok ?? false,
+      error_list: inner.data?.error_list ?? [],
+      orphaned_tables_total_size: inner.data?.orphaned_tables_total_size ?? 0
+    };
+    return {
+      ok: true,
+      data
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+
+// src/tools/rest/security.ts
+var import_zod6 = require("zod");
+var ShowSecuritySchema = import_zod6.z.object({
+  names: import_zod6.z.array(import_zod6.z.string()).optional().default([""])
+});
+async function showSecurity(session2, input5) {
+  try {
+    const response = await session2.makeRequest("/show/security", {
+      names: input5.names,
+      options: {}
+    });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return inner;
+    return {
+      ok: true,
+      data: inner.data ?? {}
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+
+// src/tools/rest/show-table.ts
+var import_zod7 = require("zod");
+
+// src/tools/rest/parse-type-schema.ts
+function resolveUnionType(union) {
+  for (const entry of union) {
+    if (typeof entry === "string" && entry !== "null") {
+      return entry;
+    }
+  }
+  return "null";
+}
+function resolveFieldType(fieldType) {
+  if (typeof fieldType === "string") {
+    return fieldType;
+  }
+  if (Array.isArray(fieldType)) {
+    return resolveUnionType(fieldType);
+  }
+  return void 0;
+}
+function parseTypeSchema(schemaJson) {
+  let parsed;
+  try {
+    parsed = JSON.parse(schemaJson);
+  } catch {
+    return [];
+  }
+  if (typeof parsed !== "object" || parsed === null || !("type" in parsed) || !("fields" in parsed)) {
+    return [];
+  }
+  const record = parsed;
+  if (record.type !== "record" || !Array.isArray(record.fields)) {
+    return [];
+  }
+  const columns = [];
+  for (const field of record.fields) {
+    if (typeof field !== "object" || field === null) continue;
+    const f = field;
+    if (typeof f.name !== "string" || f.type === void 0) continue;
+    const resolvedType = resolveFieldType(f.type);
+    if (resolvedType === void 0) continue;
+    columns.push({ name: f.name, type: resolvedType });
+  }
+  return columns;
+}
+
+// src/tools/rest/show-table.ts
+var ShowTableSchema = import_zod7.z.object({
+  table_name: import_zod7.z.string().optional().default(""),
+  get_sizes: import_zod7.z.boolean().optional(),
+  get_access_data: import_zod7.z.boolean().optional(),
+  get_column_info: import_zod7.z.boolean().optional()
+});
+function resolveColumnInfoOption(input5) {
+  if (input5.get_column_info === true) return "true";
+  if (input5.get_column_info === false) return "false";
+  return input5.table_name !== "" ? "true" : "false";
+}
+function parseColumnProperties(propertiesJson) {
+  try {
+    const parsed = JSON.parse(propertiesJson);
+    const result = /* @__PURE__ */ new Map();
+    for (const [colName, props] of Object.entries(parsed)) {
+      if (Array.isArray(props)) {
+        result.set(colName, props.join(", "));
+      }
+    }
+    return result;
+  } catch {
+    return /* @__PURE__ */ new Map();
+  }
+}
+function buildColumnEntries(typeSchemaJson, propertiesStr) {
+  if (!typeSchemaJson) return [];
+  const columnInfos = parseTypeSchema(typeSchemaJson);
+  if (columnInfos.length === 0) return [];
+  const propsMap = propertiesStr !== void 0 ? parseColumnProperties(propertiesStr) : /* @__PURE__ */ new Map();
+  return columnInfos.map((col) => ({
+    name: col.name,
+    type: col.type,
+    properties: propsMap.get(col.name) ?? ""
+  }));
+}
+function escapeSqlString(value) {
+  return value.replace(/'/g, "''");
+}
+function splitSchemaTable(tableName) {
+  const dot = tableName.indexOf(".");
+  if (dot === -1) return null;
+  return { schema: tableName.slice(0, dot), table: tableName.slice(dot + 1) };
+}
+async function fetchIndexes(session2, tableName) {
+  const parts = splitSchemaTable(tableName);
+  if (!parts) return [];
+  const schema = escapeSqlString(parts.schema);
+  const table = escapeSqlString(parts.table);
+  const statement = `SELECT index_type, index_columns FROM ki_catalog.ki_indexes WHERE schema_name = '${schema}' AND object_name = '${table}'`;
+  try {
+    const response = await session2.makeRequest("/execute/sql", {
+      statement,
+      offset: 0,
+      limit: 100,
+      encoding: "json",
+      options: {}
+    });
+    if (!response.ok) return [];
+    const rawText = await response.text();
+    const outer = JSON.parse(rawText);
+    if (outer.status === "ERROR") return [];
+    const dataStr = JSON.parse(outer.data_str);
+    if (dataStr.total_number_of_records === 0) return [];
+    const cols = JSON.parse(dataStr.json_encoded_response);
+    const types = cols.column_1 ?? [];
+    const indexCols = cols.column_2 ?? [];
+    return types.map((t, i) => ({
+      index_type: t,
+      index_columns: indexCols[i] ?? ""
+    }));
+  } catch {
+    return [];
+  }
+}
+async function showTable(session2, input5) {
+  const options = {
+    get_sizes: String(input5.get_sizes ?? true),
+    show_children: "false",
+    no_error_if_not_exists: "true",
+    get_column_info: resolveColumnInfoOption(input5)
+  };
+  if (input5.get_access_data !== void 0) {
+    options.get_access_data = String(input5.get_access_data);
+  }
+  try {
+    const response = await session2.makeRequest("/show/table", {
+      table_name: input5.table_name,
+      options
+    });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let outer;
+    try {
+      outer = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    let inner = {};
+    if (typeof outer.data_str === "string") {
+      try {
+        inner = JSON.parse(outer.data_str);
+      } catch (parseError) {
+        const message = parseError instanceof Error ? parseError.message : String(parseError);
+        return {
+          ok: false,
+          status: 200,
+          error: `data_str parse error: ${message}`,
+          raw
+        };
+      }
+    }
+    const tableNames = inner.table_names ?? [];
+    const descriptions = inner.table_descriptions ?? [];
+    const sizes = inner.sizes ?? [];
+    const properties = inner.properties ?? [];
+    const typeSchemas = inner.type_schemas;
+    if (options.get_column_info === "true" && tableNames.length > 0) {
+      const table = {
+        table_name: tableNames[0],
+        description: descriptions[0] ?? "",
+        size: sizes[0] ?? "",
+        properties: properties[0] ?? ""
+      };
+      const columns = buildColumnEntries(typeSchemas?.[0], typeSchemas ? properties[0] : void 0);
+      const indexes = await fetchIndexes(session2, input5.table_name);
+      return {
+        ok: true,
+        data: { table, columns, indexes }
+      };
+    }
+    const data = tableNames.map((name, i) => ({
+      table_name: name,
+      description: descriptions[i] ?? "",
+      size: sizes[i] ?? "",
+      properties: properties[i] ?? ""
+    }));
+    return {
+      ok: true,
+      data
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+
+// src/tools/rest/resource-objects.ts
+var import_zod8 = require("zod");
+var ResourceObjectsSchema = import_zod8.z.object({
+  table_names: import_zod8.z.string().optional().default("*"),
+  tiers: import_zod8.z.string().optional(),
+  order_by: import_zod8.z.string().optional(),
+  limit: import_zod8.z.number().int().min(1).max(1e4).optional().default(100)
+});
+async function getResourceObjects(session2, input5) {
+  const options = {
+    table_names: input5.table_names ?? "*",
+    limit: String(input5.limit ?? 100)
+  };
+  if (input5.tiers !== void 0) {
+    options.tiers = input5.tiers;
+  }
+  if (input5.order_by !== void 0) {
+    options.order_by = input5.order_by;
+  }
+  try {
+    const response = await session2.makeRequest("/show/resource/objects", {
+      options
+    });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return inner;
+    return {
+      ok: true,
+      data: inner.data ?? {}
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+
+// src/tools/rest/host-manager.ts
+async function hostManagerStatus(session2) {
+  if (!session2.makeRequestToPort) {
+    return {
+      ok: false,
+      status: 0,
+      error: "makeRequestToPort not available on this session",
+      raw: ""
+    };
+  }
+  const hmPort = await discoverHmPort(session2);
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequestToPort(hmPort, "/", void 0);
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  return {
+    ok: true,
+    data: flatObjectToRows(parsed, "key", "value")
+  };
+}
+async function hostManagerAlerts(session2) {
+  if (!session2.makeRequestToPort) {
+    return {
+      ok: false,
+      status: 0,
+      error: "makeRequestToPort not available on this session",
+      raw: ""
+    };
+  }
+  const hmPort = await discoverHmPort(session2);
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequestToPort(hmPort, "/admin/show/alerts", {
+      num_alerts: 50,
+      options: {}
+    });
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let outer;
+  try {
+    outer = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const inner = parseDataStr(outer.data_str, rawText);
+  if (!inner.ok) return inner;
+  const timestamps = inner.data?.timestamps ?? [];
+  const alertTypes = inner.data?.types ?? [];
+  const alertParams = inner.data?.params ?? [];
+  const alerts = timestamps.map((ts, i) => ({
+    timestamp: ts,
+    type: alertTypes[i] ?? "",
+    params: alertParams[i] ?? ""
+  }));
+  return { ok: true, data: alerts };
+}
+
+// src/tools/sql/execute.ts
+var import_zod9 = require("zod");
+var ExecuteSqlSchema = import_zod9.z.object({
+  statement: import_zod9.z.string().min(1),
+  limit: import_zod9.z.number().int().min(1).max(1e4).default(100)
+});
+var READ_ONLY_PREFIXES = /^\s*(SELECT|EXPLAIN|DESCRIBE|DESC)\b/i;
+var SQL_COMMENTS = /\/\*[\s\S]*?\*\/|--[^\n]*/g;
+function isCteReadOnly(stripped) {
+  let depth = 0;
+  let pastFirstParen = false;
+  let finalStart = -1;
+  for (let i = 0; i < stripped.length; i++) {
+    const ch = stripped[i];
+    if (ch === "(") {
+      depth++;
+      pastFirstParen = true;
+    } else if (ch === ")") {
+      depth--;
+      if (depth === 0 && pastFirstParen) {
+        finalStart = i + 1;
+      }
+    }
+  }
+  if (finalStart === -1) {
+    return false;
+  }
+  const tail = stripped.slice(finalStart).trim();
+  return READ_ONLY_PREFIXES.test(tail);
+}
+function isReadOnlySql(statement) {
+  const stripped = statement.replace(SQL_COMMENTS, " ").trim();
+  if (READ_ONLY_PREFIXES.test(stripped)) {
+    return true;
+  }
+  if (/^\s*WITH\b/i.test(stripped)) {
+    return isCteReadOnly(stripped);
+  }
+  return false;
+}
+async function executeSql(session2, statement, limit = 100) {
+  if (!isReadOnlySql(statement)) {
+    return {
+      ok: false,
+      status: 400,
+      error: "SQL rejected: only SELECT, WITH, and EXPLAIN statements are permitted",
+      raw: statement
+    };
+  }
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest("/execute/sql", {
+      statement,
+      offset: 0,
+      limit,
+      encoding: "json",
+      options: {}
+    });
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let outer;
+  try {
+    outer = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  if (outer.status === "ERROR") {
+    return {
+      ok: false,
+      status: 400,
+      error: outer.message,
+      raw: rawText
+    };
+  }
+  let dataStr;
+  try {
+    dataStr = JSON.parse(outer.data_str);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `data_str parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  let rows;
+  try {
+    rows = JSON.parse(dataStr.json_encoded_response);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const totalRecords = dataStr.total_number_of_records;
+  if (totalRecords === 0) {
+    return {
+      ok: true,
+      data: [],
+      rowCount: 0,
+      note: "Query returned 0 rows"
+    };
+  }
+  return {
+    ok: true,
+    data: rows,
+    rowCount: totalRecords
+  };
+}
+
+// src/tools/sql/explain.ts
+var import_zod10 = require("zod");
+var ExplainQuerySchema = import_zod10.z.object({
+  statement: import_zod10.z.string().min(1),
+  limit: import_zod10.z.number().int().min(1).max(1e4).default(100)
+});
+async function explainQuery(session2, statement, limit = 100) {
+  return executeSql(session2, "EXPLAIN " + statement.trimStart(), limit);
+}
+
+// src/tools/sql/enrich-error.ts
+var KI_CATALOG_TABLE_RE = /(?:FROM|JOIN)\s+ki_catalog\.(\w+)/i;
+function enrichSqlError(error, statement, schemas) {
+  if (!schemas) return error;
+  const match = KI_CATALOG_TABLE_RE.exec(statement);
+  if (!match) return error;
+  const tableName = match[1];
+  const columns = schemas.tables.get(tableName);
+  if (!columns) return error;
+  return `${error}
+
+Verified columns for ${tableName}: ${columns.join(", ")}`;
+}
+
+// src/tools/mutation/alter-system-properties.ts
+var import_zod11 = require("zod");
+var AlterSystemPropertiesSchema = import_zod11.z.object({
+  /**
+   * Map of property key -> new value to apply at runtime.
+   * At least one entry is required.
+   */
+  property_updates_map: import_zod11.z.record(import_zod11.z.string(), import_zod11.z.string()).refine((map) => Object.keys(map).length >= 1, {
+    message: "property_updates_map must have at least one entry"
+  })
+});
+var ALTERABLE_PROPERTIES = /* @__PURE__ */ new Set([
+  "concurrent_kernel_execution",
+  "subtask_concurrency_limit",
+  "chunk_size",
+  "chunk_column_max_memory",
+  "chunk_max_memory",
+  "execution_mode",
+  "external_files_directory",
+  "request_timeout",
+  "max_get_records_size",
+  "enable_audit",
+  "audit_headers",
+  "audit_body",
+  "audit_data",
+  "audit_response",
+  "shadow_agg_size",
+  "shadow_filter_size",
+  "enable_overlapped_equi_join",
+  "enable_one_step_compound_equi_join",
+  "kafka_batch_size",
+  "kafka_poll_timeout",
+  "kafka_wait_time",
+  "egress_parquet_compression",
+  "egress_single_file_max_size",
+  "max_concurrent_kernels",
+  "system_metadata_retention_period",
+  "tcs_per_tom",
+  "tps_per_tom",
+  "background_worker_threads",
+  "log_debug_job_info",
+  "enable_thread_hang_logging",
+  "ai_enable_rag",
+  "ai_api_provider",
+  "ai_api_url",
+  "ai_api_key",
+  "ai_api_connection_timeout",
+  "ai_api_embeddings_model",
+  "telm_persist_query_metrics",
+  "postgres_proxy_idle_connection_timeout",
+  "postgres_proxy_keep_alive",
+  "kifs_directory_data_limit",
+  "compression_codec",
+  "disk_auto_optimize_timeout",
+  "ha_consumer_replay_offset"
+]);
+var BLOCKED_PROPERTIES = /* @__PURE__ */ new Set([
+  "ai_api_key",
+  // credential — would appear in audit logs
+  "external_files_directory"
+  // filesystem path — potential path traversal
+]);
+function findDisallowedProperties(requestedKeys) {
+  return requestedKeys.filter(
+    (key) => !ALTERABLE_PROPERTIES.has(key) || BLOCKED_PROPERTIES.has(key)
+  );
+}
+async function readRequestedProperties(session2, requestedKeys) {
+  try {
+    const response = await session2.makeRequest("/show/system/properties", {
+      options: {}
+    });
+    if (!response.ok) return {};
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return {};
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return {};
+    const propertyMap = inner.data?.property_map ?? {};
+    return Object.fromEntries(
+      requestedKeys.filter((key) => Object.prototype.hasOwnProperty.call(propertyMap, key)).map((key) => [key, propertyMap[key]])
+    );
+  } catch {
+    return {};
+  }
+}
+function computeVerification(requestedMap, afterState) {
+  for (const [key, expectedValue] of Object.entries(requestedMap)) {
+    if (afterState[key] !== expectedValue) {
+      return "failed";
+    }
+  }
+  return "confirmed";
+}
+async function alterSystemProperties(session2, input5) {
+  const requestedKeys = Object.keys(input5.property_updates_map);
+  const disallowed = findDisallowedProperties(requestedKeys);
+  if (disallowed.length > 0) {
+    return {
+      ok: false,
+      status: 400,
+      error: `Property rejected: ${disallowed.map((k) => `'${k}'`).join(", ")} not supported by /alter/system/properties`,
+      raw: ""
+    };
+  }
+  const beforeState = await readRequestedProperties(session2, requestedKeys);
+  let mutationResponse;
+  let rawText;
+  try {
+    mutationResponse = await session2.makeRequest("/alter/system/properties", {
+      property_updates_map: input5.property_updates_map
+    });
+    rawText = await mutationResponse.text();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!mutationResponse.ok) {
+    return {
+      ok: false,
+      status: mutationResponse.status,
+      error: `HTTP ${mutationResponse.status}`,
+      raw: rawText
+    };
+  }
+  let parsedMutation;
+  try {
+    parsedMutation = JSON.parse(rawText);
+  } catch (parseError) {
+    const message = parseError instanceof Error ? parseError.message : String(parseError);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const innerMutation = parseDataStr(parsedMutation.data_str, rawText);
+  if (!innerMutation.ok) return innerMutation;
+  const updatedPropertiesMap = innerMutation.data?.updated_properties_map ?? {};
+  let afterState;
+  let verification;
+  try {
+    const verifyResponse = await session2.makeRequest("/show/system/properties", { options: {} });
+    if (!verifyResponse.ok) {
+      afterState = {};
+      verification = "unavailable";
+    } else {
+      const verifyRaw = await verifyResponse.text();
+      let parsedVerify;
+      try {
+        parsedVerify = JSON.parse(verifyRaw);
+      } catch {
+        afterState = {};
+        verification = "unavailable";
+        const data2 = {
+          updated_properties_map: updatedPropertiesMap,
+          before_state: beforeState,
+          after_state: afterState,
+          verification
+        };
+        return { ok: true, data: data2 };
+      }
+      const innerVerify = parseDataStr(parsedVerify.data_str, verifyRaw);
+      if (!innerVerify.ok) {
+        afterState = {};
+        verification = "unavailable";
+      } else {
+        const verifyPropertyMap = innerVerify.data?.property_map ?? {};
+        afterState = Object.fromEntries(
+          requestedKeys.filter((key) => Object.prototype.hasOwnProperty.call(verifyPropertyMap, key)).map((key) => [key, verifyPropertyMap[key]])
+        );
+        verification = computeVerification(input5.property_updates_map, afterState);
+      }
+    }
+  } catch {
+    afterState = {};
+    verification = "unavailable";
+  }
+  const data = {
+    updated_properties_map: updatedPropertiesMap,
+    before_state: beforeState,
+    after_state: afterState,
+    verification
+  };
+  return { ok: true, data };
+}
+
+// src/tools/mutation/execute-mutation-sql.ts
+var import_zod12 = require("zod");
+var ExecuteMutationSqlSchema = import_zod12.z.object({
+  statement: import_zod12.z.string().min(1),
+  limit: import_zod12.z.number().int().min(1).max(1e4).default(100)
+});
+var SQL_COMMENTS2 = /\/\*[\s\S]*?\*\/|--[^\n]*/g;
+var DENY_LIST_PATTERN = /\b(DROP\s+(TABLE|SCHEMA|DATABASE|INDEX|VIEW|MATERIALIZED\s+VIEW|PROCEDURE|FUNCTION|SEQUENCE|TYPE)\b|TRUNCATE(\s+TABLE)?\b|DELETE\s+FROM\b|DELETE\b(?!\s+INDEX)|(?<!FOR\s)UPDATE\s+\w)/i;
+function isDeniedMutationSql(statement) {
+  const stripped = statement.replace(SQL_COMMENTS2, " ").trim();
+  return DENY_LIST_PATTERN.test(stripped);
+}
+async function executeMutationSql(session2, statement, limit = 100) {
+  if (isDeniedMutationSql(statement)) {
+    return {
+      ok: false,
+      status: 400,
+      error: "SQL rejected: destructive statements (DROP, TRUNCATE, DELETE, UPDATE) are not permitted, even inside a CTE",
+      raw: statement
+    };
+  }
+  let response;
+  let rawText;
+  try {
+    response = await session2.makeRequest("/execute/sql", {
+      statement,
+      offset: 0,
+      limit,
+      encoding: "json",
+      options: {}
+    });
+    rawText = await response.text();
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!response.ok) {
+    return {
+      ok: false,
+      status: response.status,
+      error: `HTTP ${response.status}`,
+      raw: rawText
+    };
+  }
+  let outer;
+  try {
+    outer = JSON.parse(rawText);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  if (outer.status === "ERROR") {
+    return {
+      ok: false,
+      status: 400,
+      error: outer.message,
+      raw: rawText
+    };
+  }
+  let dataStr;
+  try {
+    dataStr = JSON.parse(outer.data_str);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `data_str parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  let rows;
+  try {
+    rows = JSON.parse(dataStr.json_encoded_response);
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const data = {
+    rows,
+    total_records: dataStr.total_number_of_records
+  };
+  return { ok: true, data };
+}
+
+// src/tools/mutation/admin-rebalance.ts
+var import_zod13 = require("zod");
+var AdminRebalanceSchema = import_zod13.z.object({
+  rebalance_sharded_data: import_zod13.z.boolean().optional(),
+  rebalance_unsharded_data: import_zod13.z.boolean().optional(),
+  table_includes: import_zod13.z.string().optional(),
+  table_excludes: import_zod13.z.string().optional(),
+  aggressiveness: import_zod13.z.number().int().min(1).max(5).optional(),
+  compact_after_rebalance: import_zod13.z.boolean().optional(),
+  compact_only: import_zod13.z.boolean().optional()
+});
+async function readShardState(session2) {
+  try {
+    const response = await session2.makeRequest("/show/system/status", {});
+    if (!response.ok) return {};
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return {};
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok || !inner.data) return {};
+    const data = inner.data;
+    return {
+      shard_map: data.shard_map ?? {},
+      db_status: data.db_status ?? "unknown"
+    };
+  } catch {
+    return {};
+  }
+}
+async function adminRebalance(session2, input5) {
+  const beforeState = await readShardState(session2);
+  const options = {};
+  if (input5.rebalance_sharded_data !== void 0) {
+    options.rebalance_sharded_data = String(input5.rebalance_sharded_data);
+  }
+  if (input5.rebalance_unsharded_data !== void 0) {
+    options.rebalance_unsharded_data = String(input5.rebalance_unsharded_data);
+  }
+  if (input5.table_includes !== void 0) {
+    options.table_includes = input5.table_includes;
+  }
+  if (input5.table_excludes !== void 0) {
+    options.table_excludes = input5.table_excludes;
+  }
+  if (input5.aggressiveness !== void 0) {
+    options.aggressiveness = String(input5.aggressiveness);
+  }
+  if (input5.compact_after_rebalance !== void 0) {
+    options.compact_after_rebalance = String(input5.compact_after_rebalance);
+  }
+  if (input5.compact_only !== void 0) {
+    options.compact_only = String(input5.compact_only);
+  }
+  try {
+    const response = await session2.makeRequest("/admin/rebalance", { options });
+    if (!response.ok) {
+      const raw2 = await response.text();
+      return {
+        ok: false,
+        status: response.status,
+        error: `HTTP ${response.status}`,
+        raw: raw2
+      };
+    }
+    const raw = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch (parseError) {
+      const message = parseError instanceof Error ? parseError.message : String(parseError);
+      return {
+        ok: false,
+        status: 200,
+        error: `JSON parse error: ${message}`,
+        raw
+      };
+    }
+    const inner = parseDataStr(parsed.data_str, raw);
+    if (!inner.ok) return inner;
+    const info = inner.data?.info ?? {};
+    const afterState = await readShardState(session2);
+    const verification = Object.keys(afterState).length > 0 ? "confirmed" : "unavailable";
+    const data = {
+      info,
+      before_state: beforeState,
+      after_state: afterState,
+      verification
+    };
+    return { ok: true, data };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return {
+      ok: false,
+      status: 0,
+      error: message,
+      raw: ""
+    };
+  }
+}
+
+// src/tools/mutation/alter-configuration.ts
+var import_zod14 = require("zod");
+var AlterConfigurationSchema = import_zod14.z.object({
+  /**
+   * The full replacement content for the gpudb.conf configuration file.
+   * Must be non-empty.
+   */
+  config_string: import_zod14.z.string().min(1, { message: "config_string must not be empty" })
+});
+var PREVIEW_LINES = 20;
+var EMPTY_SUMMARY2 = { line_count: 0, preview: "" };
+function summarizeConfig(configString) {
+  const lines = configString.split("\n");
+  const preview = lines.slice(0, PREVIEW_LINES).join("\n");
+  return { line_count: lines.length, preview };
+}
+async function readCurrentConfig(session2) {
+  try {
+    const result = await showConfiguration(session2, {});
+    return result.ok ? result.data.config_string : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function alterConfiguration(session2, input5) {
+  if (!session2.makeRequestToPort) {
+    return {
+      ok: false,
+      status: 0,
+      error: "makeRequestToPort not available on this session",
+      raw: ""
+    };
+  }
+  const beforeConfig = await readCurrentConfig(session2);
+  const beforeSummary = beforeConfig !== void 0 ? summarizeConfig(beforeConfig) : EMPTY_SUMMARY2;
+  const hmPort = await discoverHmPort(session2);
+  let mutationResponse;
+  let rawText;
+  try {
+    mutationResponse = await session2.makeRequestToPort(hmPort, "/admin/alter/configuration", {
+      config_string: input5.config_string
+    });
+    rawText = await mutationResponse.text();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { ok: false, status: 0, error: message, raw: "" };
+  }
+  if (!mutationResponse.ok) {
+    return {
+      ok: false,
+      status: mutationResponse.status,
+      error: `HTTP ${mutationResponse.status}`,
+      raw: rawText
+    };
+  }
+  let parsedMutation;
+  try {
+    parsedMutation = JSON.parse(rawText);
+  } catch (parseError) {
+    const message = parseError instanceof Error ? parseError.message : String(parseError);
+    return {
+      ok: false,
+      status: 200,
+      error: `JSON parse error: ${message}`,
+      raw: rawText
+    };
+  }
+  const innerMutation = parseDataStr(parsedMutation.data_str, rawText);
+  if (!innerMutation.ok) return innerMutation;
+  const responseInfo = innerMutation.data?.info ?? {};
+  const afterConfig = await readCurrentConfig(session2);
+  let afterSummary;
+  let verification;
+  if (afterConfig === void 0) {
+    afterSummary = EMPTY_SUMMARY2;
+    verification = "unavailable";
+  } else {
+    afterSummary = summarizeConfig(afterConfig);
+    if (beforeConfig === void 0) {
+      verification = "unavailable";
+    } else {
+      verification = afterConfig !== beforeConfig ? "confirmed" : "failed";
+    }
+  }
+  const data = {
+    before_summary: beforeSummary,
+    after_summary: afterSummary,
+    verification,
+    info: responseInfo
+  };
+  return { ok: true, data };
+}
+
+// src/tools/mutation/alter-table-columns.ts
+var import_zod15 = require("zod");
+var import_prompts6 = require("@inquirer/prompts");
+var import_picocolors8 = __toESM(require("picocolors"));
+var import_claude_agent_sdk2 = require("@anthropic-ai/claude-agent-sdk");
+
+// src/approval/checklist.ts
+var import_prompts5 = require("@inquirer/prompts");
+var import_picocolors7 = __toESM(require("picocolors"));
+var DIVIDER = import_picocolors7.default.dim("\u2500".repeat(60));
+function renderChecklist(header, summary, items) {
+  const lines = [
+    "",
+    DIVIDER,
+    `  ${import_picocolors7.default.bold(import_picocolors7.default.yellow(header))}`,
+    "",
+    `  ${import_picocolors7.default.dim("Summary:")} ${summary}`,
+    "",
+    `  ${import_picocolors7.default.bold(`${items.length} proposed column change(s):`)}`,
+    ""
+  ];
+  for (let i = 0; i < items.length; i++) {
+    const item = items[i];
+    lines.push(`  ${import_picocolors7.default.bold(`${i + 1}.`)} ${item.label}`, `     ${import_picocolors7.default.dim(item.description)}`);
+  }
+  lines.push("", DIVIDER, "");
+  return lines.join("\n");
+}
+async function showChecklist(header, summary, items) {
+  const panel = renderChecklist(header, summary, items);
+  process.stderr.write(panel);
+  try {
+    const selected = await (0, import_prompts5.checkbox)({
+      message: "Select columns to alter (space to toggle, enter to confirm):",
+      choices: items.map((item, i) => ({
+        value: i,
+        name: item.label,
+        description: item.description,
+        checked: true
+      })),
+      loop: false
+    });
+    if (selected.length === 0) {
+      return { action: "cancelled" };
+    }
+    return { action: "confirmed", selectedIndices: selected };
+  } catch {
+    return { action: "cancelled" };
+  }
+}
+
+// src/tools/mutation/alter-table-columns.ts
+var ColumnChangeSchema = import_zod15.z.object({
+  column_name: import_zod15.z.string().min(1),
+  new_definition: import_zod15.z.string().min(1),
+  description: import_zod15.z.string().min(1)
+});
+var AlterTableColumnsSchema = import_zod15.z.object({
+  table_name: import_zod15.z.string().min(1),
+  rationale: import_zod15.z.string().min(1),
+  columns: import_zod15.z.array(ColumnChangeSchema).min(2).max(50)
+});
+function buildAlterTableSql(tableName, columns) {
+  const clauses = columns.map((c) => `  ALTER COLUMN ${c.column_name} ${c.new_definition}`);
+  return `ALTER TABLE ${tableName}
+${clauses.join(",\n")}`;
+}
+var SQL_DIVIDER = import_picocolors8.default.dim("\u2500".repeat(60));
+async function confirmSqlExecution(sql) {
+  const panel = [
+    "",
+    SQL_DIVIDER,
+    `  ${import_picocolors8.default.bold(import_picocolors8.default.yellow("Generated SQL:"))}`,
+    "",
+    sql.split("\n").map((line) => `  ${line}`).join("\n"),
+    "",
+    SQL_DIVIDER,
+    ""
+  ].join("\n");
+  process.stderr.write(panel);
+  try {
+    const response = await (0, import_prompts6.input)({ message: "Execute? (y/n):" });
+    return response.trim().toLowerCase() === "y";
+  } catch {
+    return false;
+  }
+}
+function buildChecklistItems(columns) {
+  return columns.map((col) => ({
+    label: `${col.column_name}: ${col.new_definition}`,
+    description: col.description
+  }));
+}
+async function alterTableColumns(session2, toolInput) {
+  const { table_name, rationale, columns } = toolInput;
+  const items = buildChecklistItems(columns);
+  const selection = await showChecklist(
+    "ALTER TABLE Column Changes",
+    `Table: ${table_name}
+  ${rationale}`,
+    items
+  );
+  if (selection.action === "cancelled") {
+    return {
+      ok: true,
+      data: {
+        status: "cancelled",
+        total_count: columns.length
+      }
+    };
+  }
+  const selectedColumns = selection.selectedIndices.map((i) => {
+    const col = columns[i];
+    return {
+      column_name: col.column_name,
+      new_definition: col.new_definition
+    };
+  });
+  const sql = buildAlterTableSql(table_name, selectedColumns);
+  const confirmed = await confirmSqlExecution(sql);
+  if (!confirmed) {
+    return {
+      ok: true,
+      data: {
+        status: "declined",
+        sql,
+        selected_count: selectedColumns.length,
+        total_count: columns.length
+      }
+    };
+  }
+  const result = await executeMutationSql(session2, sql);
+  if (!result.ok) {
+    return result;
+  }
+  return {
+    ok: true,
+    data: {
+      status: "executed",
+      sql,
+      selected_count: selectedColumns.length,
+      total_count: columns.length,
+      execution_result: result.data
+    }
+  };
+}
+function makeAlterTableColumnsTool(session2, deps) {
+  return (0, import_claude_agent_sdk2.tool)(
+    "kinetica_alter_table_columns",
+    "Batch multiple column type/property changes on a SINGLE table into one efficient ALTER TABLE statement. Use when recommending 2+ column changes on the same table (e.g., adding DICT encoding to multiple columns, adding TEXT_SEARCH, changing column types). Each column change requires: column_name, new_definition (full type definition with properties and nullability), and description (human-readable reason). The operator selects which columns to alter via interactive checklist, then confirms the generated SQL. For a single column change, use kinetica_execute_mutation_sql directly. Kinetica ALTER TABLE syntax requires repeating the FULL column definition \u2014 properties go INSIDE parentheses: VARCHAR(50, DICT), not VARCHAR(50) DICT.",
+    AlterTableColumnsSchema.shape,
+    async (args) => {
+      const parsed = AlterTableColumnsSchema.parse(args);
+      const result = await alterTableColumns(session2, parsed);
+      deps.logMutationAudit("kinetica_alter_table_columns", result, {
+        table_name: parsed.table_name,
+        columns_proposed: parsed.columns.length
+      });
+      return {
+        content: [{ type: "text", text: deps.applyOutputPipeline(result) }]
+      };
+    },
+    { annotations: { destructive: true, readOnly: false } }
+  );
+}
+
+// src/tools/audit-redact.ts
+var import_node_crypto = require("crypto");
+var FINGERPRINT_THRESHOLD = 300;
+var FINGERPRINT_HEX_LEN = 12;
+var ALWAYS_FINGERPRINT_KEYS = /* @__PURE__ */ new Set(["config_string"]);
+var CREDENTIAL_PATTERNS = [
+  // password = '...' or password='...'
+  {
+    regex: /(password\s*=\s*)['"][^'"]*['"]/gi,
+    replacement: "$1'[REDACTED]'"
+  },
+  // IDENTIFIED BY '...'  (Kinetica CREATE/ALTER USER)
+  {
+    regex: /(identified\s+by\s+)['"][^'"]*['"]/gi,
+    replacement: "$1'[REDACTED]'"
+  },
+  // apiKey=... / api_key: ... / access_token=... / secret = '...' / "access_token": "..."
+  {
+    regex: /(api[_-]?key|access[_-]?token|secret)['"]?(\s*[:=]\s*)['"]?([^\s'"`,;)]+)['"]?/gi,
+    replacement: "$1$2'[REDACTED]'"
+  }
+];
+function fingerprint(value) {
+  const sha = (0, import_node_crypto.createHash)("sha256").update(value).digest("hex").slice(0, FINGERPRINT_HEX_LEN);
+  return `<${value.length} bytes, sha256:${sha}\u2026>`;
+}
+function scrubCredentialPatterns(value) {
+  return CREDENTIAL_PATTERNS.reduce(
+    (text, { regex, replacement }) => text.replace(regex, replacement),
+    value
+  );
+}
+function redactValue(value) {
+  if (typeof value === "string") {
+    const scrubbed = scrubCredentialPatterns(value);
+    return scrubbed.length > FINGERPRINT_THRESHOLD ? fingerprint(scrubbed) : scrubbed;
+  }
+  if (Array.isArray(value)) {
+    return value.map(redactValue);
+  }
+  if (value && typeof value === "object") {
+    return Object.fromEntries(
+      Object.entries(value).map(([k, v]) => [k, redactNamedField(k, v)])
+    );
+  }
+  return value;
+}
+function redactNamedField(key, value) {
+  if (ALWAYS_FINGERPRINT_KEYS.has(key) && typeof value === "string") {
+    return fingerprint(value);
+  }
+  return redactValue(value);
+}
+function redactAuditInput(input5) {
+  return Object.fromEntries(Object.entries(input5).map(([k, v]) => [k, redactNamedField(k, v)]));
+}
+
+// src/tools/index.ts
+var MUTATION_TOOL_NAMES = [
+  "kinetica_alter_system_properties",
+  "kinetica_execute_mutation_sql",
+  "kinetica_admin_rebalance",
+  "kinetica_alter_configuration"
+];
+var ALTER_TABLE_COLUMNS_TOOL_NAME = "kinetica_alter_table_columns";
+var DIAGNOSTIC_TOOL_NAMES = [
+  "kinetica_health_check",
+  "kinetica_get_metrics",
+  "kinetica_cluster_status",
+  "kinetica_node_details",
+  "kinetica_get_logs",
+  "kinetica_show_configuration",
+  "kinetica_get_system_properties",
+  "kinetica_execute_sql",
+  "kinetica_explain_query",
+  "kinetica_system_timing",
+  "kinetica_resource_groups",
+  "kinetica_verify_db",
+  "kinetica_show_security",
+  "kinetica_show_table",
+  "kinetica_resource_objects",
+  "kinetica_host_manager_status"
+];
+function createDiagnosticRegistry() {
+  return DIAGNOSTIC_TOOL_NAMES.reduce(
+    (registry, name) => registry.registerReadOnlyTool(name),
+    createRegistry()
+  );
+}
+function applyOutputPipeline(result) {
+  const payload = result.ok ? result.data : result;
+  return truncateOutput(formatOutput(payload));
+}
+function logMutationAudit(toolName, result, input5) {
+  const statusLabel = result.ok ? import_picocolors9.default.bold(import_picocolors9.default.green("EXECUTED")) : import_picocolors9.default.bold(import_picocolors9.default.red("FAILED"));
+  const redacted = redactAuditInput(input5);
+  const inputSummary = Object.entries(redacted).map(([k, v]) => `${k}=${typeof v === "string" ? v : JSON.stringify(v)}`).join(", ");
+  const displayName = formatToolName(toolName);
+  process.stderr.write(
+    `  ${import_picocolors9.default.dim("MUTATION")} ${statusLabel}  ${displayName}
+  ${import_picocolors9.default.dim(inputSummary)}
+
+`
+  );
+}
+function makeAlterSystemPropertiesTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_alter_system_properties",
+    "Apply runtime configuration changes to Kinetica via /alter/system/properties. Accepts a map of property name to new value. Captures current values before applying and verifies changes after. Only the 43 documented properties are accepted \u2014 requests with unsupported property names are rejected before any API call. Blocked for safety: ai_api_key, external_files_directory. Common properties (7.2.x): subtask_concurrency_limit, request_timeout, max_get_records_size, concurrent_kernel_execution, max_concurrent_kernels, tcs_per_tom, tps_per_tom, chunk_size, enable_audit, egress_parquet_compression, background_worker_threads. All property names require 'conf.' prefix in /show/system/properties but NOT in /alter/system/properties.",
+    AlterSystemPropertiesSchema.shape,
+    async (args) => {
+      const parsed = AlterSystemPropertiesSchema.parse(args);
+      const result = await alterSystemProperties(session2, parsed);
+      logMutationAudit("kinetica_alter_system_properties", result, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { destructive: true, readOnly: false } }
+  );
+}
+function makeExecuteMutationSqlTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_execute_mutation_sql",
+    "Execute a SQL mutation statement on Kinetica (CREATE INDEX, ALTER TABLE, ALTER SYSTEM SET, REFRESH MATERIALIZED VIEW, etc.). ANALYZE TABLE is NOT supported by Kinetica \u2014 do not call it. DROP, TRUNCATE, DELETE, and UPDATE are always rejected \u2014 even when wrapped in a CTE (WITH ... DELETE/UPDATE). Requires user approval before execution.",
+    ExecuteMutationSqlSchema.shape,
+    async (args) => {
+      const parsed = ExecuteMutationSqlSchema.parse(args);
+      const result = await executeMutationSql(session2, parsed.statement, parsed.limit);
+      logMutationAudit("kinetica_execute_mutation_sql", result, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { destructive: true, readOnly: false } }
+  );
+}
+function makeAdminRebalanceTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_admin_rebalance",
+    "Trigger shard data rebalancing across Kinetica cluster ranks via /admin/rebalance. Options: rebalance_sharded_data, rebalance_unsharded_data, table_includes, table_excludes, aggressiveness (1-5, capped for safety), compact_after_rebalance, compact_only. Captures before/after shard distribution for verification. WARNING: rebalance causes delayed query responses while running \u2014 use low aggressiveness (1-3) during production hours. NOTE: On single-worker-rank clusters, /admin/rebalance returns 'Database must be offline' because there is only one data rank \u2014 rebalance is only meaningful with 2+ worker ranks.",
+    AdminRebalanceSchema.shape,
+    async (args) => {
+      const parsed = AdminRebalanceSchema.parse(args);
+      const result = await adminRebalance(session2, parsed);
+      logMutationAudit("kinetica_admin_rebalance", result, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { destructive: true, readOnly: false } }
+  );
+}
+function makeAlterConfigurationTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_alter_configuration",
+    "Replace the full gpudb.conf configuration on the Kinetica host manager via /admin/alter/configuration (port 9300). Requires the complete config_string content \u2014 the entire file is replaced. Captures before/after config summaries for verification. WARNING: This replaces the ENTIRE configuration file. Always read the current config via kinetica_show_configuration first, make targeted changes to specific lines, and submit the full modified content. Never compose a config from scratch. Requires host manager connectivity and user approval.",
+    AlterConfigurationSchema.shape,
+    async (args) => {
+      const parsed = AlterConfigurationSchema.parse(args);
+      const result = await alterConfiguration(session2, parsed);
+      logMutationAudit("kinetica_alter_configuration", result, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { destructive: true, readOnly: false } }
+  );
+}
+function makeHealthCheckTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_health_check",
+    "Query Kinetica system health status via /show/system/status. Returns 11 components as rows (component, status): system (cluster status, leader, offline), ranks (per-rank status/mode/accepting_jobs/read_only), hosts (hostname, memory, GPU IDs, sub-service statuses), http_server (connections current/refused, thread capacity), ha_cluster_info/ha_status, graph, text, migrations, triggers, symbols. NOTE: Each status value is a JSON-encoded string \u2014 parse mentally to extract nested fields. Healthy baseline: system.status='running', all ranks rank_status='running' + rank_mode='run', hosts.status='running', http_server.connections.refused=0.",
+    {},
+    async (_args) => {
+      const result = await healthCheck(session2);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeGetMetricsTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_get_metrics",
+    "Retrieve per-rank storage tier metrics from /show/resource/statistics. Returns rows with: rank, ram_used, ram_limit, ram_percent (computed as 'X.Y%' e.g. '9.6%'), persist_used, disk_used, vram_used (all string values). Rank 0 is the head/coordinator node with minimal RAM (~794MB limit) and empty persist/disk/vram fields. Worker ranks (1+) hold the actual data with ~5.6GB RAM limit. Empty string means tier not configured; '0' means configured but unused. Healthy baseline: ram_percent under 80%. Optional node_id to annotate which node was requested.",
+    { node_id: import_zod16.z.string().optional() },
+    async (args) => {
+      const result = await getMetrics(session2, args.node_id);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeClusterStatusTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_cluster_status",
+    "Get full cluster overview via 4 sub-calls: (1) /admin/show/cluster/operations \u2014 in_progress flag, percent_complete, rebalance/add/remove status; (2) /admin/show/shards \u2014 summarized as shard distribution per rank (total_shards, rank_count, per-rank shard_count/percent, balanced flag, shard_array_version); (3) /admin/show/alerts on host manager port \u2014 recent alerts (gracefully degrades if unavailable); (4) /admin/show/jobs \u2014 active async jobs as {job_id, status, endpoint} objects. Healthy baseline: operations.in_progress=false, shards.balanced=true, empty alerts/jobs arrays.",
+    {},
+    async (_args) => {
+      const result = await clusterStatus(session2);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeNodeDetailsTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_node_details",
+    "Get per-rank resource statistics from /show/resource/statistics (same endpoint as kinetica_get_metrics). Without node_id: returns summary rows for all ranks. With node_id: returns detailed tier + resource-group breakdown for that rank. Per-tier fields: limit, used, free, percent_used, num_evictable_objs, num_unevictable_objs, plus stats: evictions, pins, unpins, watermark_cycles, allocs, reallocs, deallocs (RAM/VRAM tiers) or reads, writes, deletes (PERSIST/DISK tiers). Per-resource-group fields: name, thread_running_count, data (bytes). Rank 0 is the head node \u2014 only RAM tier (no PERSIST/DISK/VRAM), no resource groups.",
+    { node_id: import_zod16.z.string().optional() },
+    async (args) => {
+      const result = await nodeDetails(session2, args.node_id);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeGetLogsTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_get_logs",
+    "Retrieve application logs via /admin/show/logs. Sources: kinetica, rank, syslog, gadmin, reveal, workbench. Severity: DEBUG|INFO|WARN|ERROR|FATAL. Time: duration (1h, 30m) or start_time+end_time. WARNING: This endpoint is NOT available on Kinetica 7.2.x \u2014 it always returns a stub response. Use kinetica_execute_sql to query ki_catalog.ki_query_history (for query errors) or ki_catalog.ki_query_span_metrics_all (for operation-level events) instead.",
+    GetLogsSchema.shape,
+    async (args) => {
+      const parsed = GetLogsSchema.parse(args);
+      const result = await getLogs(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeShowConfigurationTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_show_configuration",
+    "Retrieve the full gpudb.conf configuration file from the Kinetica host manager via /admin/show/configuration (port 9300). Returns the raw config_string in INI format with all sections and comments. Use this to inspect the complete server configuration for drift detection, misconfiguration diagnosis, or before proposing config changes via kinetica_alter_configuration. Requires host manager connectivity.",
+    ShowConfigurationSchema.shape,
+    async (args) => {
+      const parsed = ShowConfigurationSchema.parse(args);
+      const result = await showConfiguration(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeGetSystemPropertiesTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_get_system_properties",
+    "Read Kinetica system configuration properties from /show/system/properties. Returns 260+ property rows as {property, value} pairs (all values are strings). Filter by category prefix (e.g., 'conf.tier', 'conf.sql', 'version') or key_pattern substring. Key property groups: conf.tier.* (RAM limits, watermarks, tier strategy), conf.sql.* (parallel_execution, planner timeout), conf.enable_* (authorization, HA, ML, text_search), version.* (gpudb_core_version, compute_engine). Omit both filters to get the full property_map.",
+    GetSystemPropertiesSchema.shape,
+    async (args) => {
+      const parsed = GetSystemPropertiesSchema.parse(args);
+      const result = await getSystemProperties(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeExecuteSqlTool(session2, catalogSchemas) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_execute_sql",
+    "Execute a read-only SQL query (SELECT, WITH, or EXPLAIN) against Kinetica. Key system tables: ki_catalog.ki_query_history (slow queries \u2014 columns: job_id, query_id, user_name, endpoint, execution_status, error_message, query_text, start_time, stop_time, sql_step_count, refresh_id, resource_group, source_ip), ki_catalog.ki_query_active_all (running queries \u2014 columns: job_id, query_id, user_name, resource_group, source_ip, endpoint, execution_status, error_message, start_time, query_text, sql_step_count, refresh_id, is_mh, is_perpetual, is_cancellable, is_using_timeout, source_rank), ki_catalog.ki_tiered_objects (per-object tier placement \u2014 size, id (string like @schema@oid[col][0] \u2014 NOT a numeric OID, do not join with ki_objects.oid), priority, tier, evictable, locked, pin_count, ram_evictions, persist_evictions, owner_resource_group, source_rank, outer_object; for per-table tier data prefer kinetica_resource_objects with table_names filter), ki_catalog.ki_obj_stat (table sizes \u2014 oid, schema_name, object_name, row_count, bytes_per_row, total_bytes), ki_catalog.ki_columns (column metadata), ki_catalog.ki_objects (object registry with obj_kind R=table/V=view). WARNING: ki_catalog.ki_tables and ki_catalog.ki_version do NOT exist in Kinetica 7.2.x \u2014 use ki_objects and /show/system/status instead.",
+    ExecuteSqlSchema.shape,
+    async (args) => {
+      const result = await executeSql(session2, args.statement, args.limit);
+      if (!result.ok) {
+        const enrichedError = enrichSqlError(result.error, args.statement, catalogSchemas);
+        const enrichedResult = enrichedError !== result.error ? { ok: false, status: result.status, error: enrichedError, raw: result.raw } : result;
+        return { content: [{ type: "text", text: applyOutputPipeline(enrichedResult) }] };
+      }
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeExplainQueryTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_explain_query",
+    "Get the execution plan for a SQL statement. Pass the SELECT statement without the EXPLAIN keyword \u2014 it will be added automatically. Returns rows with columns: ID (step number), ENDPOINT (internal REST endpoint used, e.g., /get/records/bycolumn), INPUT_TABLES, OUTPUT_TABLE, DEPENDENCIES (step IDs this depends on; -1 means none). Use to understand which internal operations a query triggers and verify index usage.",
+    ExplainQuerySchema.shape,
+    async (args) => {
+      const result = await explainQuery(session2, args.statement, args.limit);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeSystemTimingTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_system_timing",
+    "Show endpoint response timing statistics from /show/system/timing. Returns the last ~100 API calls as {endpoint, time_in_ms, job_id} rows with sub-millisecond precision. job_id='0' means synchronous execution at head node; non-zero means async. Typical baselines: /show/system/properties <4ms, /show/security <1ms, /execute/sql 14-1300ms, /admin/verifydb 500-4500ms. Use to identify slow API endpoints or confirm whether a specific call was abnormally slow.",
+    {},
+    async (_args) => {
+      const result = await systemTiming(session2);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeResourceGroupsTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_resource_groups",
+    "List resource groups and their configuration from /show/resourcegroups. Returns {groups, rank_usage, info}. Groups include: name, RAM.max_memory, VRAM.GPU0.max_memory, max_cpu_concurrency, max_data, max_scheduling_priority (100=system, 50=default), max_tier_priority. Value '9223372036854775807' (Long.MAX_VALUE) means unlimited. Default groups are kinetica_system_resource_group (priority 100) and kinetica_default_resource_group (priority 50). rank_usage maps rank IDs to JSON-encoded per-group usage (thread_running_count, data bytes, RAM.used, VRAM.GPU0.used). Only worker ranks appear in rank_usage \u2014 rank 0 (head) has no entry. Set show_tier_usage=true for rank-level breakdown.",
+    ResourceGroupsSchema.shape,
+    async (args) => {
+      const parsed = ResourceGroupsSchema.parse(args);
+      const result = await getResourceGroups(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeVerifyDbTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_verify_db",
+    "Run a read-only database integrity verification via /admin/verifydb. Checks for null values, persistence issues, and rank0 consistency. Always runs in concurrent_safe mode. Returns {verified_ok: boolean, error_list: [], orphaned_tables_total_size: number}. Healthy: verified_ok=true, empty error_list, orphaned_tables_total_size of -1 (not checked) or 0. WARNING: This is the slowest diagnostic tool \u2014 typically takes 500ms-4500ms. Use sparingly and only when data integrity issues are suspected.",
+    VerifyDbSchema.shape,
+    async (args) => {
+      const parsed = VerifyDbSchema.parse(args);
+      const result = await verifyDb(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeShowSecurityTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_show_security",
+    "Show security configuration from /show/security. Returns {types, roles, permissions, resource_groups, info}. When enable_authorization=false (check permissions[''].enable_authorization), types/roles/resource_groups are empty objects \u2014 the tool provides minimal data. When authorization is enabled: types maps usernames to 'internal_user'/'external_user', roles maps role names to member arrays, permissions maps users to permission arrays, resource_groups maps users to group names. Use to audit access control or diagnose authorization failures.",
+    ShowSecuritySchema.shape,
+    async (args) => {
+      const parsed = ShowSecuritySchema.parse(args);
+      const result = await showSecurity(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeShowTableTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_show_table",
+    "Show table metadata from /show/table. When a specific table_name is provided: returns table metadata with Kinetica-native column types, per-column properties (DICT, TEXT_SEARCH, COMPRESS, etc.), and index definitions from ki_catalog.ki_indexes (index_type, index_columns) \u2014 this is the preferred method for full table inspection. When table_name is omitted or empty: returns schema-level (collection) entries with sizes, but the processed output may be empty \u2014 use kinetica_execute_sql with 'SELECT * FROM ki_catalog.ki_objects WHERE obj_kind = ''R'' ORDER BY schema_name' for reliable table listing instead.",
+    ShowTableSchema.shape,
+    async (args) => {
+      const parsed = ShowTableSchema.parse(args);
+      const result = await showTable(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeResourceObjectsTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_resource_objects",
+    `Show per-rank resource tier usage from /show/resource/objects. Returns {rank_objects: {rank_id: JSON_string_with_objects_array}, info}. Each object has: id (naming convention: @table@oid[column][chunk] for data, AttrIndex[...] for indexes, PKIndex_... for PK hashes), size (bytes), priority (1=system, 5=user, 9=temp), tier ('RAM' or 'PERSIST'), evictable (boolean), locked (boolean), pin_count, ram_evictions, persist_evictions, owner_resource_group. The rank_objects JSON is {"objects": [...]} \u2014 an array nested under an 'objects' key. Only worker ranks have data \u2014 rank 0 (head) has no resource objects. Healthy: zero evictions, zero pin_count at rest.`,
+    ResourceObjectsSchema.shape,
+    async (args) => {
+      const parsed = ResourceObjectsSchema.parse(args);
+      const result = await getResourceObjects(session2, parsed);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeHostManagerStatusTool(session2) {
+  return (0, import_claude_agent_sdk3.tool)(
+    "kinetica_host_manager_status",
+    "Query the Kinetica host manager root endpoint (port 9300) for cluster-wide status. Returns a flat key-value map including: version, hostname, system_mode ('run'/'stop'), system_status ('running'/'stopped'), system_idle_time (seconds), cluster_leader (IP), cluster_operation ('none'/'rebalance'/etc.), license_type/status/expiration, per-host and per-rank mode/status/pid, and service statuses (ml, httpd, query_planner, reveal, stats, graph, text). Healthy baseline: system_mode='run', system_status='running', all rankN_status='running', license_status='ok'. Does NOT require Kinetica DB authentication \u2014 queries the host manager service directly.",
+    {},
+    async (_args) => {
+      const result = await hostManagerStatus(session2);
+      return { content: [{ type: "text", text: applyOutputPipeline(result) }] };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+function makeDiagnosticTools(session2, catalogSchemas) {
+  return [
+    makeHealthCheckTool(session2),
+    makeGetMetricsTool(session2),
+    makeClusterStatusTool(session2),
+    makeNodeDetailsTool(session2),
+    makeGetLogsTool(session2),
+    makeShowConfigurationTool(session2),
+    makeGetSystemPropertiesTool(session2),
+    makeExecuteSqlTool(session2, catalogSchemas),
+    makeExplainQueryTool(session2),
+    makeSystemTimingTool(session2),
+    makeResourceGroupsTool(session2),
+    makeVerifyDbTool(session2),
+    makeShowSecurityTool(session2),
+    makeShowTableTool(session2),
+    makeResourceObjectsTool(session2),
+    makeHostManagerStatusTool(session2)
+  ];
+}
+function makeMutationTools(session2) {
+  return [
+    makeAlterSystemPropertiesTool(session2),
+    makeExecuteMutationSqlTool(session2),
+    makeAdminRebalanceTool(session2),
+    makeAlterConfigurationTool(session2)
+  ];
+}
+function makeAlterTableColumnsToolWithDeps(session2) {
+  return makeAlterTableColumnsTool(session2, {
+    applyOutputPipeline,
+    logMutationAudit
+  });
+}
+
+// src/tools/catalog.ts
+var TOOL_CATALOG = {
+  kinetica_health_check: {
+    reveals: "System health status, version info",
+    whenToUse: "Every investigation (Round 1)"
+  },
+  kinetica_host_manager_status: {
+    reveals: "Host manager overview: version, license, system mode, per-rank process status/PIDs, service statuses (ML, query planner, reveal, graph, text). No auth required.",
+    whenToUse: "Every investigation (Round 1)"
+  },
+  kinetica_get_metrics: {
+    reveals: "CPU, GPU, memory usage per rank",
+    whenToUse: "Performance issues, OOM, high load"
+  },
+  kinetica_cluster_status: {
+    reveals: "Rebalance/add/remove ops, shard mapping, alerts, jobs",
+    whenToUse: "Cluster instability, replication issues"
+  },
+  kinetica_node_details: {
+    reveals: "Per-node resource statistics",
+    whenToUse: "Identifying which node is under pressure"
+  },
+  kinetica_get_logs: {
+    reveals: "Application errors, warnings, system events",
+    whenToUse: "Any error investigation (Round 1)"
+  },
+  kinetica_show_configuration: {
+    reveals: "Full gpudb.conf from host manager (port 9300)",
+    whenToUse: "Config drift, misconfiguration, complete config inspection"
+  },
+  kinetica_get_system_properties: {
+    reveals: "Runtime config properties (260+ rows); filter by category or key pattern",
+    whenToUse: "Read current property values before ALTER, version lookup, feature-flag audit"
+  },
+  kinetica_execute_sql: {
+    reveals: "Query history, active queries, table stats, schema",
+    whenToUse: "Slow queries, contention, data issues"
+  },
+  kinetica_explain_query: {
+    reveals: "Query execution plan with operator tree",
+    whenToUse: "Query performance optimization"
+  },
+  kinetica_system_timing: {
+    reveals: "Per-endpoint response times, slow API detection",
+    whenToUse: "Performance issues, slow endpoint response"
+  },
+  kinetica_resource_groups: {
+    reveals: "Resource group config, tier usage per rank",
+    whenToUse: "Resource allocation, tier capacity issues"
+  },
+  kinetica_verify_db: {
+    reveals: "Database integrity: nulls, persistence, rank0 (healthy: verified_ok=true, orphaned_size=-1)",
+    whenToUse: "Data corruption, integrity verification"
+  },
+  kinetica_show_security: {
+    reveals: "User types, roles, permissions, resource groups",
+    whenToUse: "Access control audit, authorization failures"
+  },
+  kinetica_show_table: {
+    reveals: "Table names, sizes, properties, column types",
+    whenToUse: "Schema inspection, column type inspection, table size analysis"
+  },
+  kinetica_resource_objects: {
+    reveals: "Per-rank object placement across storage tiers",
+    whenToUse: "Tier capacity, eviction, data placement"
+  },
+  kinetica_alter_system_properties: {
+    reveals: "Apply runtime config changes (before/after/verify)",
+    whenToUse: "Config drift remediation, thread pool tuning"
+  },
+  kinetica_execute_mutation_sql: {
+    reveals: "Execute approved DDL/DML (CREATE INDEX, ALTER TABLE, etc.) \u2014 ANALYZE TABLE is NOT supported by Kinetica",
+    whenToUse: "Query optimization, index creation"
+  },
+  kinetica_admin_rebalance: {
+    reveals: "Trigger shard rebalancing (requires 2+ worker ranks)",
+    whenToUse: "Shard imbalance, uneven data distribution"
+  },
+  kinetica_alter_configuration: {
+    reveals: "Replace gpudb.conf on host manager (before/after/verify)",
+    whenToUse: "Config remediation, targeted config file changes"
+  },
+  kinetica_alter_table_columns: {
+    reveals: "Batch column type/property changes (DICT, TEXT_SEARCH, etc.) via checklist",
+    whenToUse: "When recommending 2+ column changes on one table"
+  }
+};
+function buildEvidenceChecklist() {
+  const ordered = [
+    ...DIAGNOSTIC_TOOL_NAMES,
+    ...MUTATION_TOOL_NAMES,
+    ALTER_TABLE_COLUMNS_TOOL_NAME
+  ];
+  const rows = ordered.map((name) => {
+    const entry = TOOL_CATALOG[name];
+    return `| ${name} | ${entry.reveals} | ${entry.whenToUse} |`;
+  });
+  return [
+    "| Tool | What it reveals | When to use |",
+    "|------|----------------|-------------|",
+    ...rows
+  ].join("\n");
+}
+
+// src/agent/report-template.ts
+var import_node_fs2 = require("fs");
+var import_node_path3 = require("path");
+
+// src/agent/load-playbooks.ts
+var import_promises2 = require("fs/promises");
+var import_node_path2 = require("path");
+var import_node_fs = require("fs");
+function findPackageRoot(startDir) {
+  let dir = startDir;
+  while (dir !== (0, import_node_path2.dirname)(dir)) {
+    if ((0, import_node_fs.existsSync)((0, import_node_path2.join)(dir, "package.json"))) return dir;
+    dir = (0, import_node_path2.dirname)(dir);
+  }
+  return startDir;
+}
+function parseFrontmatter(raw) {
+  const match = /^---\r?\n([\s\S]*?)\r?\n---/.exec(raw);
+  if (!match) return null;
+  const yamlBlock = match[1];
+  const fields = {};
+  for (const line of yamlBlock.split(/\r?\n/)) {
+    const colonIdx = line.indexOf(":");
+    if (colonIdx === -1) continue;
+    const key = line.slice(0, colonIdx).trim();
+    const value = line.slice(colonIdx + 1).trim();
+    if (key) fields[key] = value;
+  }
+  const title = fields.title;
+  if (!title) return null;
+  const keywordsRaw = fields.keywords ?? "";
+  const keywords = keywordsRaw.startsWith("[") && keywordsRaw.endsWith("]") ? keywordsRaw.slice(1, -1).split(",").map((s) => s.trim()).filter(Boolean) : [];
+  return {
+    title,
+    category: fields.category ?? "general",
+    severity: fields.severity ?? "info",
+    keywords
+  };
+}
+function extractBody(raw) {
+  const match = /^---\r?\n[\s\S]*?\r?\n---\r?\n([\s\S]*)$/.exec(raw);
+  return match ? match[1].trim() : raw.trim();
+}
+async function loadPlaybooks(playbooksDir) {
+  try {
+    const dir = playbooksDir ?? (0, import_node_path2.join)(findPackageRoot(__dirname), "knowledge", "playbooks");
+    if (!(0, import_node_fs.existsSync)(dir)) return [];
+    const files = await (0, import_promises2.readdir)(dir);
+    const mdFiles = files.filter((f) => f.endsWith(".md")).sort();
+    const playbooks = [];
+    for (const file of mdFiles) {
+      const raw = await (0, import_promises2.readFile)((0, import_node_path2.join)(dir, file), "utf-8");
+      const frontmatter = parseFrontmatter(raw);
+      if (!frontmatter) continue;
+      playbooks.push({
+        ...frontmatter,
+        body: extractBody(raw),
+        filename: file
+      });
+    }
+    return playbooks;
+  } catch {
+    return [];
+  }
+}
+
+// src/agent/report-template.ts
+function loadReportTemplateSync() {
+  try {
+    const root = findPackageRoot(__dirname);
+    const path2 = (0, import_node_path3.join)(root, "knowledge", "templates", "report.md");
+    return (0, import_node_fs2.readFileSync)(path2, "utf-8");
+  } catch (err) {
+    console.warn(`[report-template] failed to load knowledge/templates/report.md: ${String(err)}`);
+    return "";
+  }
+}
+var REPORT_TEMPLATE = loadReportTemplateSync();
+
+// src/agent/system-prompt.ts
+function buildColumnDirective(schemas) {
+  const lines = [
+    "> **Verified Column Names** \u2014 always use these exact columns in SQL queries:"
+  ];
+  for (const [table, columns] of schemas.tables) {
+    lines.push(`> - **${table}**: ${columns.join(", ")}`);
+  }
+  return lines.join("\n") + "\n\n";
+}
+function buildDiagnosticSqlSection(schemas) {
+  const getColumns = (table) => schemas?.tables.get(table);
+  const directive = schemas ? buildColumnDirective(schemas) : "";
+  const sectionSqls = /* @__PURE__ */ new Map();
+  for (const entry of BUILDER_REGISTRY) {
+    const cols = getColumns(entry.table);
+    const sql = cols ? entry.build(cols) : entry.fallback;
+    const existing = sectionSqls.get(entry.section) ?? [];
+    sectionSqls.set(entry.section, [...existing, sql]);
+  }
+  let result = directive;
+  for (const [heading, sqls] of sectionSqls) {
+    result += `**${heading}:**
+\`\`\`sql
+${sqls.join("\n\n")}
+\`\`\`
+
+`;
+  }
+  return result.trimEnd();
+}
+function buildFailurePatternsSection(playbooks) {
+  if (!playbooks || playbooks.length === 0) return "";
+  const entries = playbooks.map((p) => `**${p.title}:**
+
+${p.body}`).join("\n\n");
+  return `### Common Failure Patterns
+
+${entries}`;
+}
+function buildReferenceSection(references) {
+  if (!references || references.length === 0) return "";
+  const entries = references.map((r) => `**${r.title}:**
+
+${r.body}`).join("\n\n");
+  return `### Reference Knowledge
+
+${entries}`;
+}
+function buildSystemPrompt(kineticaVersion, catalogSchemas, playbooks, references, degraded) {
+  const versionSection = kineticaVersion ? `**Kinetica Version:** ${kineticaVersion} (provided at session start)` : "**Kinetica Version:** Unknown \u2014 detect via kinetica_health_check as the first action of every investigation.";
+  const t = "`";
+  const degradedSection = degraded ? `
+---
+
+## DEGRADED MODE \u2014 DB Engine Unreachable
+
+**CRITICAL:** The Kinetica DB engine on port 9191 is DOWN. You are connected to the host manager (port 9300) only.
+
+### What works:
+- ${t}kinetica_host_manager_status${t} \u2014 **USE THIS FIRST** for every investigation. Returns version, license info, system mode, per-rank process status/PIDs, and service statuses (ML, query planner, reveal, graph, text).
+
+### What will fail:
+- ALL other diagnostic tools (${t}kinetica_health_check${t}, ${t}kinetica_get_metrics${t}, ${t}kinetica_cluster_status${t}, ${t}kinetica_execute_sql${t}, etc.) \u2014 they target port 9191 and will return errors.
+- SQL queries against ki_catalog system tables \u2014 the DB engine is required.
+- Mutation tools \u2014 cannot modify a downed system.
+
+### Investigation strategy in degraded mode:
+1. Call ${t}kinetica_host_manager_status${t} to gather all available data
+2. Analyze rank process statuses \u2014 look for stopped/crashed ranks and their PIDs
+3. Check ${t}system_mode${t} and ${t}system_status${t} for cluster state
+4. Check ${t}license_status${t} and ${t}license_expiration${t} for license issues
+5. Check service statuses: ${t}ml_status${t}, ${t}query_planner_status${t}, ${t}reveal_status${t}, ${t}graph0_status${t}, ${t}text0_status${t}
+6. Report findings and clearly note that full diagnostics require the DB engine to be running
+7. Recommend the operator check: process logs (${t}/opt/gpudb/core/logs/${t}), ${t}gadmin status${t}, disk space, and network connectivity
+
+### Report adjustments for degraded mode:
+- Evidence Gaps MUST include: "DB engine unreachable (port 9191) \u2014 all DB-dependent diagnostic tools unavailable"
+- Remediation should prioritize bringing the DB engine back online
+- Do NOT attempt Round 4 (mutations) or Round 5 (verification) \u2014 the DB engine must be running first
+
+` : "";
+  return `You are an expert Kinetica GPU database administrator and diagnostician with deep knowledge of Kinetica's internals, system tables, REST API, and common failure patterns. Your job is to autonomously investigate database issues reported by operators, gather diagnostic evidence, reason over that evidence to identify root causes, and produce a structured diagnostic report with actionable remediation steps.
+
+${versionSection}
+${degradedSection}
+---
+
+## Role and Mandate
+
+You are the operator's expert assistant. When an operator describes a problem, you take ownership of the investigation. You use diagnostic tools to gather evidence, reason over that evidence to identify the most likely root cause, and deliver a clear, specific, actionable report. You never give vague or generic advice.
+
+---
+
+## Investigation Protocol
+
+### Pre-Investigation: Announce Your Plan
+
+Before gathering any evidence, announce a brief 2-3 line investigation plan:
+1. Restate the issue in your own words
+2. List the primary tools you will check first
+3. Begin immediately \u2014 do not wait for user confirmation
+
+### 5-Round Investigation Protocol
+
+You have up to 5 rounds of tool calls:
+
+**Round 1 \u2014 Initial Sweep:**
+Run a broad baseline sweep. Use parallel tool calls where possible \u2014 issue health + metrics + logs simultaneously to maximize efficiency. Goal: establish baseline and surface obvious anomalies.
+
+Recommended Round 1 tools (in parallel):
+- ${t}kinetica_health_check${t} \u2014 system health status
+- ${t}kinetica_host_manager_status${t} \u2014 host manager cluster overview (version, license, per-rank/service status)
+- ${t}kinetica_get_metrics${t} \u2014 CPU/GPU/memory resource usage
+- ${t}kinetica_get_logs${t} (severity: ERROR, duration: 1h) \u2014 recent errors
+
+**Round 2 \u2014 Targeted Drill-Down:**
+Based on Round 1 findings, perform targeted drill-down on specific hypotheses. Use additional tools as needed:
+- ${t}kinetica_cluster_status${t} \u2014 cluster operations, shard mapping, alerts
+- ${t}kinetica_node_details${t} \u2014 per-node resource breakdown
+- ${t}kinetica_execute_sql${t} \u2014 query history, active queries, table stats
+- ${t}kinetica_show_configuration${t} \u2014 full gpudb.conf from host manager
+- ${t}kinetica_system_timing${t} \u2014 endpoint timing, slow API detection
+- ${t}kinetica_show_table${t} \u2014 table sizes, properties, column types
+
+**Round 3 \u2014 Confirmation Pass:**
+Confirm your primary hypothesis with additional evidence. Use ${t}kinetica_explain_query${t} for query plan issues. Run targeted SQL queries to validate root cause. Use ${t}kinetica_verify_db${t} when suspecting data integrity issues. Collect any final missing evidence.
+
+After Round 3, you MUST write the report \u2014 even if uncertainty remains.
+
+### Round 4 -- Mutation Proposal
+
+When diagnostic evidence supports a specific remediation:
+1. Explain your reasoning in the tool call (the approval panel will display it)
+2. Call the appropriate mutation tool:
+   - ${t}kinetica_alter_table_columns${t} -- for batching 2+ column type/property changes on a SINGLE table
+     into one efficient ALTER TABLE statement. Provide column_name, new_definition (full type def), and
+     description for each column. The operator selects which columns via interactive checklist.
+   - ${t}kinetica_alter_system_properties${t} -- for runtime property changes
+   - ${t}kinetica_execute_mutation_sql${t} -- for index creation, single column change, or other DDL (note: Kinetica does NOT support ANALYZE TABLE)
+   - ${t}kinetica_admin_rebalance${t} -- for shard distribution issues
+   - ${t}kinetica_alter_configuration${t} -- for gpudb.conf file changes (via host manager)
+3. If the user denies: acknowledge, note in report as denied, move to next recommendation
+4. If the tool fails after approval: note the failure in report, explain the error, suggest alternatives
+
+**When to use ${t}kinetica_alter_table_columns${t} vs ${t}kinetica_execute_mutation_sql${t}:**
+- 2+ column changes on the same table \u2192 use ${t}kinetica_alter_table_columns${t} (single efficient statement)
+- 1 column change, or non-column DDL (e.g., CREATE INDEX) \u2192 use ${t}kinetica_execute_mutation_sql${t}. Do NOT call ANALYZE TABLE \u2014 it is not supported by Kinetica and there is no equivalent "refresh stats" command.
+
+### Round 5 -- Post-Mutation Verification
+
+After all approved mutations:
+1. Re-run relevant diagnostic tools (${t}kinetica_get_system_properties${t}, ${t}kinetica_cluster_status${t}, ${t}kinetica_get_metrics${t}, ${t}kinetica_host_manager_status${t})
+2. Confirm changes took effect (compare before/after values from tool results)
+3. Check for any new issues introduced by the mutations
+4. Proceed to report generation
+
+### Parallel Tool Calls
+
+Issue independent tool calls simultaneously when possible. For example:
+- In Round 1: issue ${t}kinetica_health_check${t}, ${t}kinetica_host_manager_status${t}, ${t}kinetica_get_metrics${t}, and ${t}kinetica_get_logs${t} together
+- In Round 2: issue ${t}kinetica_cluster_status${t} and ${t}kinetica_node_details${t} together
+
+---
+
+## Evidence Checklist \u2014 Diagnostic Tools
+
+Each tool provides specific diagnostic value. Use them strategically:
+
+${buildEvidenceChecklist()}
+
+---
+
+## Kinetica Domain Knowledge
+
+### System Tables for Diagnostics
+
+Use kinetica_execute_sql to query these system tables:
+
+` + buildDiagnosticSqlSection(catalogSchemas) + `
+
+### Tables That May Be Empty (Not an Error)
+
+These tables return 0 rows when the feature is not configured \u2014 this is normal:
+- ${t}ki_catalog.ki_periodic_objects${t} \u2014 no scheduled/periodic refresh objects
+- ${t}ki_catalog.ki_backup_history${t} \u2014 no backups have been performed
+- ${t}ki_catalog.ki_kafka_lag_info${t} \u2014 no Kafka streaming ingestion configured
+
+### Response Data Interpretation
+
+Tool responses have these consistent patterns:
+- **All values are strings** \u2014 numeric fields like ram_used, sizes, counts are returned as strings, not numbers
+- **Empty string vs "0":** Empty string ${t}""${t} means a tier/feature is not configured; ${t}"0"${t} means configured but currently unused
+- **JSON-encoded strings:** Health check status values, resource group rank_usage, and resource object rank_objects contain JSON as strings \u2014 parse mentally to extract nested fields
+- **Timestamps:** SQL queries return epoch milliseconds (e.g., 1774153326000); compute duration as ${t}(stop_time - start_time)${t} in milliseconds
+- **Long.MAX_VALUE:** ${t}9223372036854775807${t} in resource group limits means unlimited
+
+### Column Type Inspection
+
+**Preferred method:** Use ${t}kinetica_show_table${t} with a specific ${t}table_name${t} to get
+Kinetica-native column types and per-column properties (DICT, TEXT_SEARCH, COMPRESS, etc.).
+
+**Avoid for types:** ${t}ki_catalog.ki_columns${t} returns SQL-standard types (e.g., ${t}character(64)${t})
+not Kinetica-native types. Use ${t}ki_columns${t} only for structural metadata not available from
+${t}kinetica_show_table${t} (e.g., ${t}is_shard_key${t}, ${t}is_primary_key${t}, disk compression stats).
+
+${buildFailurePatternsSection(playbooks)}
+
+${buildReferenceSection(references)}
+
+---
+
+## Analysis Instructions
+
+### Commit to the Best Hypothesis
+
+After gathering evidence, you MUST name specific root causes. No generic hedging.
+
+**DO:**
+- "Root cause: GPU OOM due to query materializing 45GB result set in VRAM on rank 3"
+- "Root cause: Stale rank \u2014 rank 2 failed to rejoin cluster after network event at 14:23 UTC"
+- "If uncertain, rank top 2-3 hypotheses by likelihood: Primary (70%): X; Secondary (25%): Y; ranked by likelihood"
+
+**DO NOT:**
+- "There could be various reasons for this issue..."
+- "It might be a performance problem or possibly a configuration issue..."
+- "Further investigation may be needed..."
+
+This is not about hedging on uncertainty \u2014 you can say "I don't have enough evidence for the exact version" \u2014 it is about not avoiding a conclusion. Always commit to the most likely root cause with supporting evidence.
+
+### Tie Evidence to Conclusions
+
+Every conclusion must reference specific evidence:
+- Wrong: "The cluster appears to have memory issues"
+- Right: "GPU memory on rank 3 is at 98% (kinetica_get_metrics) with 3 queries materializing >10GB each in ki_catalog.ki_query_history"
+
+### Evidence Gap Handling
+
+**SQL column errors (recoverable):**
+1. Check the **Verified Column Names** list in this prompt for the correct columns
+2. Rewrite the query using only verified columns and retry once
+3. If no verified columns exist for that table, fall back to \`SELECT * FROM ki_catalog.<table> LIMIT 10\`
+4. If the retry also fails, log the gap and continue
+
+**Other tool failures (non-recoverable):**
+- Note the gap and continue. Use this format:
+  - "Cluster status: unavailable (HTTP status 503 \u2014 WMS unreachable)"
+  - "Log retrieval: failed (HTTP status 401 \u2014 authentication issue)"
+
+Never halt the investigation on a single tool failure.
+
+---
+
+## Fix Instructions
+
+Include specific, actionable remediation steps tied to your findings. Structure your actionable remediation as a numbered list:
+
+1. Immediate manual actions the operator can take now
+2. Configuration changes to prevent recurrence
+3. Monitoring/alerting improvements to add
+4. Agent-assisted mutations (propose via mutation tools with user approval)
+
+---
+
+## Post-Report Behavior
+
+1. Call the ${t}save_report${t} tool with the complete report markdown content to save it to disk.
+2. After the report is saved, ask: "Would you like to investigate another issue, or end the session?"
+3. If the operator wants another investigation, start fresh with the same 5-round protocol.
+4. On session end: summarize all issues investigated and list the saved report file paths, then exit.
+
+---
+
+## Context Window Awareness
+
+Monitor your context window usage during long investigations:
+- After many tool calls with verbose results, the context window may be getting full.
+- If you detect that context is getting full (many rounds, many large tool responses), warn the operator: "The session context is getting long. Consider starting a fresh session after this report to maintain investigation quality. Your reports are saved to disk."
+- Do NOT continue investigating when context is too full \u2014 write the report with evidence gathered so far.
+
+---
+
+## Output Formatting
+
+When presenting data in your response, use clean, well-structured markdown tables:
+
+- Use standard markdown table syntax: header row, separator row (with dashes), then data rows
+- Keep column count low (3\u20136 columns max). If data has more dimensions, split into multiple focused tables
+- **Bold** key identifiers in the first column for scannability
+- Use consistent status indicators: \`OK\`, \`WARN\`, \`ERROR\`, \`N/A\`
+- Do NOT dump raw tool output \u2014 synthesize findings into clean, readable tables
+- Align numeric columns for easy comparison
+
+Example:
+
+| **Node**   | CPU | Memory | Status |
+| ---------- | --- | ------ | ------ |
+| **node_0** | 45% | 12 GB  | OK     |
+| **node_1** | 92% | 15 GB  | WARN   |
+
+---
+
+## REPORT TEMPLATE
+
+At the end of each investigation, generate a structured markdown report using this EXACT template and section order:
+
+\`\`\`markdown
+` + REPORT_TEMPLATE + `\`\`\`
+
+**CRITICAL:** Use this exact section order. The metadata table comes first. Summary before Remediation. Evidence Collected before Evidence Gaps. Mutations Applied before Post-Remediation Verification. Do NOT reorder sections.
+
+**Section order:** Metadata -> Summary -> Remediation -> Root Cause Analysis -> Evidence Collected -> Evidence Gaps -> Mutations Applied -> Post-Remediation Verification
+
+**Evidence Collected guidance:** Include only the key data points that led to your conclusion. No raw JSON dumps. No full log output. Extract the 3-10 most relevant findings.
+`;
+}
+
+// src/agent/discover-schemas.ts
+var TARGET_TABLES = [
+  "ki_query_history",
+  "ki_query_active_all",
+  "ki_query_span_metrics_all",
+  "ki_query_workers",
+  "ki_tiered_objects",
+  "ki_obj_stat",
+  "ki_partitions",
+  "ki_objects",
+  "ki_indexes",
+  "ki_periodic_objects",
+  "ki_depend",
+  "ki_users_and_roles",
+  "ki_object_permissions",
+  "ki_load_history",
+  "ki_backup_history",
+  "ki_kafka_lag_info",
+  "ki_columns",
+  "ki_datatypes"
+];
+async function discoverCatalogSchemas(session2) {
+  try {
+    const tableList = TARGET_TABLES.map((t) => `'${t}'`).join(", ");
+    const statement = `SELECT table_name, column_name FROM ki_catalog.ki_columns WHERE table_name IN (${tableList}) ORDER BY table_name, column_name`;
+    const result = await executeSql(session2, statement, 1e3);
+    if (!result.ok) {
+      return void 0;
+    }
+    const rows = result.data;
+    if (rows.length === 0) {
+      return void 0;
+    }
+    const grouped = /* @__PURE__ */ new Map();
+    for (const row of rows) {
+      const existing = grouped.get(row.table_name) ?? [];
+      grouped.set(row.table_name, [...existing, row.column_name]);
+    }
+    return { tables: grouped };
+  } catch {
+    return void 0;
+  }
+}
+
+// src/agent/load-references.ts
+var import_promises3 = require("fs/promises");
+var import_node_path4 = require("path");
+var import_node_fs3 = require("fs");
+async function loadReferences(refsDir) {
+  try {
+    const dir = refsDir ?? (0, import_node_path4.join)(findPackageRoot(__dirname), "knowledge", "references");
+    if (!(0, import_node_fs3.existsSync)(dir)) return [];
+    const files = await (0, import_promises3.readdir)(dir);
+    const mdFiles = files.filter((f) => f.endsWith(".md")).sort();
+    const references = [];
+    for (const file of mdFiles) {
+      const raw = await (0, import_promises3.readFile)((0, import_node_path4.join)(dir, file), "utf-8");
+      const frontmatter = parseFrontmatter(raw);
+      if (!frontmatter) continue;
+      references.push({
+        title: frontmatter.title,
+        category: frontmatter.category,
+        keywords: frontmatter.keywords,
+        body: extractBody(raw),
+        filename: file
+      });
+    }
+    return references;
+  } catch {
+    return [];
+  }
+}
+
+// src/agent/prompt-budget.ts
+var CHARS_PER_TOKEN = 4;
+var DEFAULT_PROMPT_BUDGET_TOKENS = 15e3;
+function estimateTokens(text) {
+  if (!text) return 0;
+  return Math.ceil(text.length / CHARS_PER_TOKEN);
+}
+function checkPromptBudget(prompt, opts) {
+  const threshold = opts?.warnAtTokens ?? DEFAULT_PROMPT_BUDGET_TOKENS;
+  const tokens = estimateTokens(prompt);
+  return {
+    tokens,
+    chars: prompt ? prompt.length : 0,
+    threshold,
+    overBudget: tokens > threshold
+  };
+}
+
+// src/report/save-report.ts
+var import_promises4 = require("fs/promises");
+var import_node_path5 = require("path");
+var import_claude_agent_sdk4 = require("@anthropic-ai/claude-agent-sdk");
+var import_zod17 = require("zod");
+var PARTIAL_MARKER = "(PARTIAL -- investigation interrupted)\n\n";
+function formatTimestamp(date) {
+  const year = date.getUTCFullYear();
+  const month = String(date.getUTCMonth() + 1).padStart(2, "0");
+  const day = String(date.getUTCDate()).padStart(2, "0");
+  const hours = String(date.getUTCHours()).padStart(2, "0");
+  const minutes = String(date.getUTCMinutes()).padStart(2, "0");
+  const seconds = String(date.getUTCSeconds()).padStart(2, "0");
+  return `${year}-${month}-${day}-${hours}${minutes}${seconds}`;
+}
+function makeSaveReportTool() {
+  return (0, import_claude_agent_sdk4.tool)(
+    "save_report",
+    "Save a diagnostic report to disk. Automatically scrubs credentials, creates a timestamped filename in reports/, and auto-creates the directory. Use at the end of each investigation or when interrupted.",
+    {
+      content: import_zod17.z.string().describe("The full markdown diagnostic report content"),
+      partial: import_zod17.z.boolean().optional().describe(
+        "Set to true if the investigation was interrupted (e.g., Ctrl+C). Prepends a PARTIAL marker to the report."
+      )
+    },
+    async (args) => {
+      const rawContent = args.partial ? `${PARTIAL_MARKER}${args.content}` : args.content;
+      const scrubbed = scrubCredentials(rawContent);
+      const timestamp = formatTimestamp(/* @__PURE__ */ new Date());
+      const filename = `kinetica-diag-${timestamp}.md`;
+      const dir = (0, import_node_path5.resolve)(process.cwd(), "reports");
+      await (0, import_promises4.mkdir)(dir, { recursive: true });
+      const filepath = (0, import_node_path5.join)(dir, filename);
+      await (0, import_promises4.writeFile)(filepath, scrubbed, "utf-8");
+      return {
+        content: [{ type: "text", text: `Report saved: ${filepath}` }]
+      };
+    },
+    { annotations: { readOnly: true } }
+  );
+}
+
+// src/approval/gate.ts
+var import_prompts7 = require("@inquirer/prompts");
+
+// src/approval/display.ts
+var import_picocolors10 = __toESM(require("picocolors"));
+var IMPACT_FALLBACK = "Impact unknown \u2014 review parameters carefully";
+var DIVIDER2 = import_picocolors10.default.dim("\u2500".repeat(50));
+var LABEL_WIDTH = 8;
+function formatLabel(label) {
+  return `  ${label.padEnd(LABEL_WIDTH)}: `;
+}
+function renderApprovalPanel(toolName, toolInput, impact, beforeAfter, reasoningSummary) {
+  const header = import_picocolors10.default.bold(import_picocolors10.default.yellow("  Mutation Approval Required"));
+  const action = `${formatLabel("Action")}${import_picocolors10.default.bold(formatToolName(toolName))}`;
+  const paramEntries = Object.entries(toolInput);
+  const paramSection = paramEntries.length === 0 ? "  (no parameters)" : paramEntries.map(([key, value]) => {
+    const formatted = typeof value === "string" ? value : JSON.stringify(value, null, 2);
+    return `  ${import_picocolors10.default.dim(key)}: ${formatted}`;
+  }).join("\n");
+  const impactLine = `${formatLabel("Impact")}${impact ?? IMPACT_FALLBACK}`;
+  const prompt = import_picocolors10.default.dim(
+    `${formatLabel("Respond")}y (proceed) | n (abort) | explain (show reasoning)`
+  );
+  const hasBeforeAfter = beforeAfter !== void 0 && beforeAfter.length > 0;
+  const beforeAfterSection = hasBeforeAfter ? beforeAfter.map(
+    (entry) => `  ${import_picocolors10.default.dim(entry.key)}: ${entry.current} ${import_picocolors10.default.yellow("->")} ${entry.proposed}`
+  ).join("\n") : null;
+  const hasReasoning = reasoningSummary !== void 0 && reasoningSummary.length > 0;
+  const reasoningSection = hasReasoning ? `${formatLabel("Reason")}${reasoningSummary}` : null;
+  const sections = ["", DIVIDER2, header, "", action, paramSection, ""];
+  if (beforeAfterSection !== null) {
+    sections.push(beforeAfterSection, "");
+  }
+  if (reasoningSection !== null) {
+    sections.push(reasoningSection, "");
+  }
+  sections.push(impactLine, "", prompt, DIVIDER2, "");
+  return sections.join("\n");
+}
+
+// src/approval/gate.ts
+var DENY_MESSAGE = "User denied this mutation. Skip and continue with the investigation.";
+var REASONING_FALLBACK = "Reasoning not available. Review the action details above before proceeding.";
+function createApprovalGate(isReadOnly) {
+  return async (toolName, toolInput, options) => {
+    if (isReadOnly(toolName)) {
+      return {
+        behavior: "allow",
+        updatedInput: toolInput,
+        toolUseID: options.toolUseID
+      };
+    }
+    const impact = options.decisionReason;
+    const panel = renderApprovalPanel(toolName, toolInput, impact);
+    console.error(panel);
+    while (true) {
+      try {
+        const raw = await (0, import_prompts7.input)({ message: "Proceed? (y/n/explain):" }, { signal: options.signal });
+        const normalized = raw.trim().toLowerCase();
+        if (normalized === "y") {
+          process.stderr.write("\n");
+          return {
+            behavior: "allow",
+            updatedInput: toolInput,
+            toolUseID: options.toolUseID
+          };
+        }
+        if (normalized === "n") {
+          process.stderr.write("\n");
+          return {
+            behavior: "deny",
+            message: DENY_MESSAGE,
+            toolUseID: options.toolUseID
+          };
+        }
+        if (normalized === "explain") {
+          const reasoning = options.decisionReason;
+          if (reasoning) {
+            console.error(`
+Agent reasoning: ${reasoning}
+`);
+          } else {
+            console.error(`
+${REASONING_FALLBACK}
+`);
+          }
+        }
+      } catch {
+        return {
+          behavior: "deny",
+          message: DENY_MESSAGE,
+          toolUseID: options.toolUseID
+        };
+      }
+    }
+  };
+}
+
+// src/agent/turn-gate.ts
+function createTurnGate() {
+  let resolve2 = () => {
+  };
+  let promise = new Promise((r) => {
+    resolve2 = r;
+  });
+  return Object.freeze({
+    wait: () => promise,
+    open: () => {
+      resolve2();
+    },
+    close: () => {
+      promise = new Promise((r) => {
+        resolve2 = r;
+      });
+    }
+  });
+}
+
+// src/output/render-markdown.ts
+var import_picocolors11 = __toESM(require("picocolors"));
+var BOLD_RE = /\*\*(.+?)\*\*/g;
+var HEADING_RE = /^(#{1,6})\s+(.+)$/;
+function renderMarkdownLine(line) {
+  const headingMatch = HEADING_RE.exec(line);
+  if (headingMatch) {
+    return import_picocolors11.default.bold(headingMatch[2]);
+  }
+  if (line.includes("**")) {
+    return line.replace(BOLD_RE, (_, text) => import_picocolors11.default.bold(text));
+  }
+  return line;
+}
+
+// src/output/reformat-tables.ts
+var SEPARATOR_CELL_RE = /^:?-+:?$/;
+var BOLD_MARKERS_RE = /\*\*(.+?)\*\*/g;
+function visualWidth(text) {
+  return text.replace(BOLD_MARKERS_RE, "$1").length;
+}
+function isSeparatorCell(cell) {
+  return SEPARATOR_CELL_RE.test(cell);
+}
+function isSeparatorRow(cells) {
+  return cells.length > 0 && cells.every(isSeparatorCell);
+}
+function parseCells(line) {
+  return line.split("|").slice(1, -1).map((c) => c.trim());
+}
+function reformatTableBlock(lines) {
+  const parsed = lines.map(parseCells);
+  const colCount = Math.max(...parsed.map((row) => row.length));
+  const normalised = parsed.map((row) => {
+    const padded = [...row];
+    while (padded.length < colCount) {
+      padded.push("");
+    }
+    return padded;
+  });
+  const colWidths = Array.from(
+    { length: colCount },
+    (_, col) => Math.max(
+      3,
+      ...normalised.filter((row) => !isSeparatorRow(row)).map((row) => visualWidth(row[col]))
+    )
+  );
+  const borderRow = `+${colWidths.map((w) => "-".repeat(w + 2)).join("+")}+`;
+  const bodyRows = normalised.map((row) => {
+    if (isSeparatorRow(row)) {
+      return borderRow;
+    }
+    const cells = row.map((cell, col) => {
+      const rendered = renderMarkdownLine(cell);
+      const pad = colWidths[col] - visualWidth(cell);
+      return rendered + " ".repeat(Math.max(0, pad));
+    });
+    return `| ${cells.join(" | ")} |`;
+  });
+  return [borderRow, ...bodyRows, borderRow];
+}
+
+// src/output/streaming-table-aligner.ts
+var TABLE_LINE_RE = /^\|.*\|$/;
+function createStreamingTableAligner() {
+  let lineBuffer = "";
+  let tableLines = [];
+  function flushTable() {
+    if (tableLines.length === 0) return "";
+    const aligned = reformatTableBlock(tableLines);
+    tableLines = [];
+    return aligned.join("\n") + "\n";
+  }
+  function push(text) {
+    if (!text) return "";
+    const combined = lineBuffer + text;
+    const segments = combined.split("\n");
+    lineBuffer = segments[segments.length - 1];
+    const completeLines = segments.slice(0, -1);
+    let output = "";
+    for (const line of completeLines) {
+      const trimmed = line.trim();
+      if (TABLE_LINE_RE.test(trimmed)) {
+        tableLines.push(trimmed);
+      } else {
+        output += flushTable();
+        output += renderMarkdownLine(line) + "\n";
+      }
+    }
+    return output;
+  }
+  function flush() {
+    let output = flushTable();
+    if (lineBuffer) {
+      output += renderMarkdownLine(lineBuffer);
+      lineBuffer = "";
+    }
+    return output;
+  }
+  return Object.freeze({ push, flush });
+}
+
+// src/output/spinner.ts
+var import_picocolors12 = __toESM(require("picocolors"));
+var FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
+var FRAME_INTERVAL_MS = 80;
+var DEFAULT_LABEL = "Thinking";
+function createSpinner() {
+  let timer = null;
+  let frameIndex = 0;
+  const start = (label = DEFAULT_LABEL) => {
+    if (timer !== null) return;
+    frameIndex = 0;
+    timer = setInterval(() => {
+      const frame = FRAMES[frameIndex % FRAMES.length];
+      process.stderr.write(`\r${import_picocolors12.default.dim(`${frame} ${label}...`)}`);
+      frameIndex += 1;
+    }, FRAME_INTERVAL_MS);
+    timer.unref();
+  };
+  const stop = () => {
+    if (timer === null) return;
+    clearInterval(timer);
+    timer = null;
+    process.stderr.write("\r\x1B[K");
+  };
+  const isRunning = () => timer !== null;
+  return Object.freeze({ start, stop, isRunning });
+}
+
+// src/agent/run-agent.ts
+var MCP_SERVER_NAME = "kinetica-diagnostics";
+var EXIT_COMMANDS = /* @__PURE__ */ new Set(["exit", "quit", "end", "q"]);
+var SUPPORTED_MODELS = ["sonnet", "haiku", "opus"];
+var DEFAULT_AGENT_MODEL = "sonnet";
+var DEFAULT_MAX_BUDGET_USD = 5;
+var ALLOWED_TOOL_NAMES = [
+  ...DIAGNOSTIC_TOOL_NAMES.map((name) => `mcp__${MCP_SERVER_NAME}__${name}`),
+  `mcp__${MCP_SERVER_NAME}__save_report`,
+  `mcp__${MCP_SERVER_NAME}__${ALTER_TABLE_COLUMNS_TOOL_NAME}`
+];
+var DISALLOWED_TOOLS = ["Bash", "Edit", "Write", "MultiEdit"];
+var ERROR_LABELS = {
+  authentication_failed: "Authentication failed \u2014 check your API key or re-run with --login",
+  billing_error: "Billing error \u2014 check your Anthropic account",
+  rate_limit: "Rate limit exceeded",
+  server_error: "Anthropic API server error",
+  invalid_request: "Invalid API request",
+  max_output_tokens: "Response exceeded maximum output length",
+  unknown: "Unknown API error"
+};
+function isExitCommand(text) {
+  return EXIT_COMMANDS.has(text.trim().toLowerCase());
+}
+function makeUserMessage(content) {
+  return {
+    type: "user",
+    message: { role: "user", content },
+    parent_tool_use_id: null,
+    session_id: ""
+  };
+}
+async function* makeInteractivePrompt(abortController, turnGate, spinner) {
+  while (!abortController.signal.aborted) {
+    try {
+      process.stderr.write("\n");
+      const issue = await (0, import_prompts8.input)({ message: "Describe the issue to investigate:" });
+      process.stderr.write("\n");
+      const trimmed = issue.trim();
+      if (!trimmed) continue;
+      if (isExitCommand(trimmed)) return;
+      spinner.start();
+      yield makeUserMessage(trimmed);
+      break;
+    } catch {
+      return;
+    }
+  }
+  while (!abortController.signal.aborted) {
+    try {
+      await turnGate.wait();
+      if (abortController.signal.aborted) break;
+      process.stderr.write("\n");
+      const response = await (0, import_prompts8.input)({ message: "You:" });
+      process.stderr.write("\n");
+      const trimmed = response.trim();
+      if (!trimmed) continue;
+      if (isExitCommand(trimmed)) return;
+      turnGate.close();
+      spinner.start();
+      yield makeUserMessage(trimmed);
+    } catch {
+      return;
+    }
+  }
+}
+async function displayDegradedStatus(session2) {
+  const [statusResult, alertsResult] = await Promise.all([
+    hostManagerStatus(session2),
+    hostManagerAlerts(session2)
+  ]);
+  process.stderr.write(import_picocolors13.default.bold("\u2500\u2500 Host Manager Status \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
+  if (statusResult.ok) {
+    const rows = statusResult.data;
+    const maxKeyLen = rows.reduce((max, r) => Math.max(max, r.key.length), 0);
+    for (const row of rows) {
+      process.stderr.write(`  ${import_picocolors13.default.dim(row.key.padEnd(maxKeyLen))}  ${row.value}
+`);
+    }
+  } else {
+    process.stderr.write(`  ${import_picocolors13.default.red(`Error: ${statusResult.error}`)}
+`);
+  }
+  process.stderr.write("\n");
+  process.stderr.write(import_picocolors13.default.bold("\u2500\u2500 Recent Alerts \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n"));
+  if (alertsResult.ok) {
+    const alerts = alertsResult.data;
+    if (alerts.length === 0) {
+      process.stderr.write(`  ${import_picocolors13.default.dim("No recent alerts.")}
+`);
+    } else {
+      for (const alert of alerts) {
+        process.stderr.write(`  ${import_picocolors13.default.dim(alert.timestamp)}  ${alert.type}  ${alert.params}
+`);
+      }
+    }
+  } else {
+    process.stderr.write(`  ${import_picocolors13.default.dim(`Unavailable: ${alertsResult.error}`)}
+`);
+  }
+  process.stderr.write("\n");
+}
+async function runAgent(session2, kineticaVersion, degraded, model) {
+  const [catalogSchemas, playbooks, references] = await Promise.all([
+    degraded ? Promise.resolve(void 0) : discoverCatalogSchemas(session2),
+    loadPlaybooks(),
+    loadReferences()
+  ]);
+  const systemPrompt = buildSystemPrompt(
+    kineticaVersion,
+    catalogSchemas,
+    playbooks,
+    references,
+    degraded
+  );
+  const budget = checkPromptBudget(systemPrompt);
+  if (process.env.DEBUG) {
+    process.stderr.write(
+      import_picocolors13.default.dim(`system prompt: ~${budget.tokens} tokens (${budget.chars} chars)
+`)
+    );
+  }
+  if (budget.overBudget) {
+    process.stderr.write(
+      import_picocolors13.default.yellow(
+        `\u26A0 system prompt is ~${budget.tokens} tokens (threshold ${budget.threshold}) \u2014 knowledge corpus is getting expensive; consider keyword-based playbook selection.
+`
+      )
+    );
+  }
+  const diagnosticTools = makeDiagnosticTools(session2, catalogSchemas);
+  const mutationTools = makeMutationTools(session2);
+  const saveReportTool = makeSaveReportTool();
+  const alterTableColumnsTool = makeAlterTableColumnsToolWithDeps(session2);
+  const server = (0, import_claude_agent_sdk5.createSdkMcpServer)({
+    name: MCP_SERVER_NAME,
+    version: "1.0.0",
+    tools: [...diagnosticTools, ...mutationTools, saveReportTool, alterTableColumnsTool]
+  });
+  const spinner = createSpinner();
+  const registry = createDiagnosticRegistry();
+  const approvalGate = createApprovalGate(registry.isReadOnlyTool);
+  const canUseTool = async (toolName, toolInput, options2) => {
+    spinner.stop();
+    return approvalGate(toolName, toolInput, options2);
+  };
+  const abortController = new AbortController();
+  const effectiveModel = model ?? DEFAULT_AGENT_MODEL;
+  const options = {
+    mcpServers: { [MCP_SERVER_NAME]: server },
+    allowedTools: ALLOWED_TOOL_NAMES,
+    disallowedTools: [...DISALLOWED_TOOLS],
+    canUseTool,
+    systemPrompt,
+    model: effectiveModel,
+    fallbackModel: "haiku",
+    thinking: { type: "adaptive" },
+    maxTurns: 100,
+    maxBudgetUsd: DEFAULT_MAX_BUDGET_USD,
+    persistSession: false,
+    includePartialMessages: true,
+    abortController,
+    env: { ...process.env, CLAUDE_AGENT_SDK_CLIENT_APP: "admin-agent" }
+  };
+  if (degraded) {
+    process.stderr.write("\nKinetica Diagnostic Session Ready (DEGRADED MODE)\n");
+    process.stderr.write(
+      "DB engine (port 9191) is unreachable. Only host manager tools are available.\n\n"
+    );
+    await displayDegradedStatus(session2);
+    process.stderr.write("Type 'exit' to end the session.\n\n");
+  } else {
+    process.stderr.write("\nKinetica Diagnostic Session Ready\n");
+    process.stderr.write("Type 'exit' to end the session.\n\n");
+  }
+  const turnGate = createTurnGate();
+  const agentQuery = (0, import_claude_agent_sdk5.query)({
+    prompt: makeInteractivePrompt(abortController, turnGate, spinner),
+    options
+  });
+  process.once("SIGINT", () => {
+    spinner.stop();
+    process.stderr.write("\nInterrupted \u2014 aborting investigation...\n");
+    abortController.abort();
+    agentQuery.close();
+  });
+  let numTurns = 0;
+  let totalCostUsd = 0;
+  let durationMs = 0;
+  let durationApiMs = 0;
+  let lastStreamCharWasNewline = true;
+  const tableAligner = createStreamingTableAligner();
+  let hadNonAbortError = false;
+  try {
+    for await (const message of agentQuery) {
+      if (message.type === "stream_event") {
+        const { event: evt } = message;
+        if (evt.type === "content_block_delta" && evt.delta.type === "text_delta") {
+          const text = evt.delta.text ?? "";
+          if (text) {
+            spinner.stop();
+            const output = tableAligner.push(text);
+            if (output) {
+              process.stderr.write(output);
+              lastStreamCharWasNewline = output.endsWith("\n");
+            }
+          }
+        }
+      } else if (message.type === "assistant") {
+        const assistantMsg = message;
+        const remaining = tableAligner.flush();
+        if (remaining) {
+          process.stderr.write(remaining);
+          lastStreamCharWasNewline = remaining.endsWith("\n");
+        }
+        if (!lastStreamCharWasNewline) {
+          process.stderr.write("\n");
+          lastStreamCharWasNewline = true;
+        }
+        if (assistantMsg.message.stop_reason === "end_turn") {
+          spinner.stop();
+          turnGate.open();
+        } else if (assistantMsg.message.stop_reason === "tool_use") {
+          spinner.start("Investigating");
+        } else {
+          spinner.stop();
+        }
+        if (assistantMsg.error) {
+          spinner.stop();
+          const label = ERROR_LABELS[assistantMsg.error] ?? assistantMsg.error;
+          process.stderr.write(import_picocolors13.default.yellow(`
+API error: ${label}
+`));
+          turnGate.open();
+        }
+      } else if (message.type === "result") {
+        spinner.stop();
+        const resultMsg = message;
+        numTurns = resultMsg.num_turns;
+        totalCostUsd = resultMsg.total_cost_usd;
+        durationMs = resultMsg.duration_ms;
+        durationApiMs = resultMsg.duration_api_ms;
+        if (resultMsg.subtype === "error_max_turns") {
+          process.stderr.write(
+            "\nInvestigation hit turn limit. Partial report may be available.\n"
+          );
+        } else if (resultMsg.subtype === "error_max_budget_usd") {
+          process.stderr.write("\nBudget limit reached.\n");
+        } else if (resultMsg.subtype === "error_during_execution") {
+          process.stderr.write(
+            "\nExecution error \u2014 the agent encountered an unrecoverable failure.\n"
+          );
+        } else if (resultMsg.subtype !== "success") {
+          process.stderr.write(`
+Agent session ended with error: ${resultMsg.subtype}
+`);
+        }
+        if (resultMsg.permission_denials.length > 0) {
+          const denied = resultMsg.permission_denials.map((d) => d.tool_name).join(", ");
+          process.stderr.write(`
+Permission denials: ${denied}
+`);
+        }
+        turnGate.open();
+      } else if (message.type === "system") {
+        const sysMsg = message;
+        if (sysMsg.subtype === "init") {
+          const initMsg = message;
+          const failed = (initMsg.mcp_servers ?? []).filter(
+            (s) => s.name === MCP_SERVER_NAME && s.status !== "connected"
+          );
+          for (const s of failed) {
+            process.stderr.write(
+              `
+Warning: MCP server "${s.name}" failed to connect (${s.status})
+`
+            );
+          }
+        } else if (sysMsg.subtype === "api_retry") {
+          const retryMsg = message;
+          const statusStr = retryMsg.error_status !== null ? ` (HTTP ${retryMsg.error_status})` : "";
+          const delaySec = Math.round(retryMsg.retry_delay_ms / 1e3);
+          process.stderr.write(
+            import_picocolors13.default.yellow(
+              `
+API error${statusStr}. Retrying (attempt ${retryMsg.attempt}/${retryMsg.max_retries}) in ${delaySec}s...
+`
+            )
+          );
+        } else if (sysMsg.subtype === "compact_boundary") {
+          const compactMsg = message;
+          const preTokens = compactMsg.compact_metadata.pre_tokens;
+          process.stderr.write(
+            `
+[Context compressed (${preTokens} tokens before compaction) \u2014 investigation continues]
+`
+          );
+        }
+      } else if (message.type === "rate_limit_event") {
+        const rateMsg = message;
+        const { status, resetsAt } = rateMsg.rate_limit_info;
+        if (status === "rejected") {
+          const resetStr = resetsAt ? ` Resets at ${new Date(resetsAt * 1e3).toISOString()}.` : "";
+          process.stderr.write(`
+Rate limited \u2014 requests rejected.${resetStr}
+`);
+        } else if (status === "allowed_warning") {
+          process.stderr.write("\nApproaching rate limit \u2014 investigation may slow.\n");
+        }
+      } else if (message.type === "control_request") {
+        const controlMsg = message;
+        if (controlMsg.request.subtype === "claude_authenticate") {
+          process.stderr.write(import_picocolors13.default.yellow("\nRe-authentication requested by SDK...\n"));
+        }
+      }
+    }
+  } catch (error) {
+    spinner.stop();
+    if (error instanceof import_claude_agent_sdk5.AbortError) {
+      hadNonAbortError = false;
+    } else {
+      hadNonAbortError = true;
+      const message = error instanceof Error ? error.message : String(error);
+      process.stderr.write(import_picocolors13.default.red(`
+Agent error: ${message}
+`));
+    }
+  } finally {
+    spinner.stop();
+    const remaining = tableAligner.flush();
+    if (remaining) {
+      process.stderr.write(remaining);
+    }
+    turnGate.open();
+    const durationSec = Math.round(durationMs / 1e3);
+    const apiPct = durationMs > 0 ? Math.round(durationApiMs / durationMs * 100) : 0;
+    const costStr = totalCostUsd > 0 ? ` Cost: $${totalCostUsd.toFixed(4)}.` : "";
+    if (hadNonAbortError) {
+      process.stderr.write(`
+Session ended due to error. Turns: ${numTurns}.${costStr}
+`);
+    } else {
+      process.stderr.write(
+        `
+Session ended. Turns: ${numTurns}. Duration: ${durationSec}s (${apiPct}% API).${costStr}
+`
+      );
+    }
+  }
+}
+
+// src/cli/index.ts
+var verbose = false;
+var session;
+function printHelp() {
+  const lines = [
+    "",
+    "  admin-agent",
+    "",
+    "  Autonomous diagnostic agent for Kinetica databases",
+    "",
+    "  Usage:",
+    "    admin-agent [flags]",
+    "",
+    "  Flags:",
+    "    --help                Show this help message",
+    "    --version             Print version and exit",
+    "    --verbose             Enable verbose output (stack traces on error)",
+    "    --login               Force OAuth login (even if ANTHROPIC_API_KEY is set)",
+    "    --login-method=TYPE   Login method: claudeai (Pro/Max) or console",
+    "    --login-org=UUID      Target organization UUID for OAuth",
+    "    --logout              Log out from Anthropic account and exit",
+    `    --model=NAME          Override agent model (${SUPPORTED_MODELS.join(" | ")}); default: sonnet`,
+    "",
+    "  Environment variables:",
+    "    ANTHROPIC_API_KEY  Anthropic API key (if not set, OAuth login via browser is used)",
+    "    KINETICA_URL       Kinetica endpoint URL",
+    "    KINETICA_USER      Admin username",
+    "    KINETICA_PASS      Admin password",
+    ""
+  ];
+  process.stdout.write(lines.join("\n") + "\n");
+}
+async function main() {
+  const args = process.argv.slice(2);
+  if (args.includes("--verbose")) {
+    verbose = true;
+  }
+  if (args.includes("--version")) {
+    process.stdout.write(getVersion() + "\n");
+    return;
+  }
+  if (args.includes("--help")) {
+    printHelp();
+    return;
+  }
+  if (args.includes("--logout")) {
+    const result = await logout();
+    process.stderr.write(result.message + "\n");
+    process.exitCode = result.success ? 0 : 1;
+    return;
+  }
+  const forceLogin = args.includes("--login");
+  const loginMethodArg = args.find((a) => a.startsWith("--login-method="));
+  const loginMethod = loginMethodArg?.split("=")[1];
+  const loginOrgArg = args.find((a) => a.startsWith("--login-org="));
+  const loginOrgUUID = loginOrgArg?.split("=")[1];
+  const modelArg = args.find((a) => a.startsWith("--model="));
+  const modelValue = modelArg?.split("=")[1];
+  let model;
+  if (modelValue !== void 0) {
+    if (SUPPORTED_MODELS.includes(modelValue)) {
+      model = modelValue;
+    } else {
+      const valid = SUPPORTED_MODELS.join(", ");
+      process.stderr.write(
+        import_picocolors14.default.red(`Error: unknown --model value "${modelValue}". Valid models: ${valid}
+`)
+      );
+      process.exitCode = 1;
+      return;
+    }
+  }
+  loadEnvFile();
+  const effectiveModel = model ?? DEFAULT_AGENT_MODEL;
+  printBanner(effectiveModel);
+  const authResult = await authenticateAnthropic({ forceLogin, loginMethod, loginOrgUUID });
+  if (authResult.method === "oauth") {
+    const acctInfo = authResult.email ? ` (${authResult.email})` : "";
+    process.stderr.write(import_picocolors14.default.dim(`Authenticated via OAuth${acctInfo}
+`));
+  } else {
+    process.stderr.write(import_picocolors14.default.dim("Authenticated via API key\n"));
+  }
+  const { session: connectedSession, kineticaVersion, degraded } = await connectWithRetry();
+  session = connectedSession;
+  await runAgent(session, kineticaVersion, degraded, model);
+}
+function getSession() {
+  return session;
+}
+if (process.env.NODE_ENV !== "test") {
+  main().catch((err) => {
+    const message = err instanceof Error ? err.message : String(err);
+    process.stderr.write(import_picocolors14.default.red(`Error: ${message}
+`));
+    if (verbose && err instanceof Error && err.stack) {
+      process.stderr.write(err.stack + "\n");
+    }
+    process.exit(1);
+  });
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  getSession,
+  main,
+  verbose
+});