@kylewadegrove/cutline-mcp-cli 0.4.2 → 0.5.1

package/dist/servers/chunk-PD2HN2R5.js

@@ -0,0 +1,908 @@
+// ../mcp/dist/mcp/src/utils.js
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
+import { initializeApp, applicationDefault, getApps, getApp } from "firebase-admin/app";
+import { getAuth } from "firebase-admin/auth";
+import { getFirestore } from "firebase-admin/firestore";
+import fs from "fs";
+import path from "path";
+import os from "os";
+var isInitializing = false;
+var isInitialized = false;
+function initFirebase(environment) {
+  if (isInitialized) {
+    const apps2 = getApps();
+    if (apps2 && Array.isArray(apps2) && apps2.length > 0) {
+      return;
+    }
+    isInitialized = false;
+  }
+  if (isInitializing) {
+    return;
+  }
+  const apps = getApps();
+  if (apps && Array.isArray(apps) && apps.length > 0) {
+    isInitialized = true;
+    return;
+  }
+  isInitializing = true;
+  try {
+    let projectId = process.env.GOOGLE_CLOUD_PROJECT || process.env.GCLOUD_PROJECT;
+    if (!projectId && environment) {
+      projectId = environment === "staging" ? "cutline-staging" : "cutline-prod";
+    }
+    if (!projectId) {
+      try {
+        const configPath = path.join(os.homedir(), ".cutline-mcp", "config.json");
+        if (fs.existsSync(configPath)) {
+          const content = fs.readFileSync(configPath, "utf-8");
+          const config = JSON.parse(content);
+          if (config.environment === "staging") {
+            projectId = "cutline-staging";
+          } else if (config.environment === "production") {
+            projectId = "cutline-prod";
+          }
+        }
+      } catch (e) {
+      }
+    }
+    projectId = projectId || "cutline-prod";
+    try {
+      const app = initializeApp({
+        projectId,
+        credential: applicationDefault()
+      });
+      getFirestore(app).settings({ ignoreUndefinedProperties: true });
+      isInitialized = true;
+    } catch (error) {
+      if (error?.code === "app/already-exists" || error?.message?.includes("already exists")) {
+        isInitialized = true;
+      } else {
+        throw error;
+      }
+    }
+  } finally {
+    isInitializing = false;
+  }
+}
+var MAX_REQUEST_SIZE = 10 * 1024 * 1024;
+var MAX_JSON_STRING_LENGTH = 50 * 1024 * 1024;
+function validateRequestSize(args) {
+  if (!args || typeof args !== "object") {
+    return;
+  }
+  try {
+    const jsonString = JSON.stringify(args);
+    if (jsonString.length > MAX_JSON_STRING_LENGTH) {
+      throw new McpError(ErrorCode.InvalidParams, `Request payload too large. Maximum size is ${MAX_REQUEST_SIZE / (1024 * 1024)}MB`);
+    }
+  } catch (error) {
+    if (error instanceof McpError)
+      throw error;
+    console.error("[MCP] Failed to validate request size:", error);
+  }
+}
+function mapErrorToMcp(error, context) {
+  const errorId = `err-${Date.now()}-${Math.random().toString(36).slice(2, 9)}`;
+  const isClientError = error instanceof McpError || error?.code && typeof error.code === "string" && error.code.startsWith("4");
+  console.error("Operation failed:", {
+    errorId,
+    tool: context?.tool,
+    operation: context?.operation,
+    error: error instanceof Error ? {
+      name: error.name,
+      message: error.message,
+      stack: error.stack
+    } : String(error)
+  });
+  if (error instanceof McpError) {
+    return error;
+  }
+  const message = error instanceof Error ? error.message : String(error);
+  const sanitizedMessage = sanitizeErrorMessage(message);
+  if (message.includes("NOT_FOUND") || message.includes("404")) {
+    return new McpError(ErrorCode.InvalidRequest, `Resource not found`);
+  }
+  if (message.includes("PERMISSION_DENIED") || message.includes("403")) {
+    return new McpError(ErrorCode.InvalidRequest, `Permission denied`);
+  }
+  if (message.includes("UNAUTHENTICATED") || message.includes("401")) {
+    return new McpError(ErrorCode.InvalidRequest, `Unauthenticated`);
+  }
+  if (isClientError) {
+    return new McpError(ErrorCode.InvalidParams, sanitizedMessage);
+  }
+  return new McpError(ErrorCode.InternalError, `Internal error: ${sanitizedMessage}`);
+}
+function sanitizeErrorMessage(message) {
+  let sanitized = message.replace(/\/[^\s]+/g, "[path]").replace(/[^\s]+@[^\s]+/g, "[email]").replace(/[A-Za-z0-9_-]{40,}/g, "[token]").slice(0, 500);
+  return sanitized || "An error occurred";
+}
+async function validateAuth(authToken) {
+  if (!authToken)
+    return null;
+  try {
+    const apps = getApps();
+    const app = apps.length > 0 ? getApp() : void 0;
+    if (!app) {
+      throw new Error("Firebase Admin not initialized");
+    }
+    const auth = getAuth(app);
+    return await auth.verifyIdToken(authToken);
+  } catch (e) {
+    const errorMsg = e?.message || String(e);
+    console.error("[MCP Auth] Token verification failed:", errorMsg.slice(0, 200));
+    throw new McpError(ErrorCode.InvalidRequest, `Invalid auth token: ${errorMsg.slice(0, 100)}`);
+  }
+}
+async function validateSubscription(uid) {
+  try {
+    const apps = getApps();
+    const app = apps.length > 0 ? getApp() : void 0;
+    if (!app) {
+      console.error("[MCP Auth] Firebase Admin not initialized for subscription check");
+      return false;
+    }
+    const firestore = getFirestore(app);
+    const userDoc = await firestore.collection("users").doc(uid).get();
+    const subscription = userDoc.data()?.subscription;
+    if (!subscription) {
+      console.error(`[MCP Auth] No subscription found for user ${uid}`);
+      return false;
+    }
+    const validStatuses = ["active", "trialing"];
+    const isValid = validStatuses.includes(subscription.status);
+    if (!isValid) {
+      console.error(`[MCP Auth] Subscription status is ${subscription.status}, expected one of: ${validStatuses.join(", ")}`);
+    }
+    return isValid;
+  } catch (e) {
+    console.error("[MCP Auth] Error checking subscription:", e);
+    return false;
+  }
+}
+async function requirePremium(authToken) {
+  const decoded = await validateAuth(authToken);
+  if (!decoded) {
+    throw new McpError(ErrorCode.InvalidRequest, "Authentication required. Run 'cutline-mcp login' to authenticate.");
+  }
+  const hasSubscription = await validateSubscription(decoded.uid);
+  if (!hasSubscription) {
+    throw new McpError(ErrorCode.InvalidRequest, "Premium subscription required. Please upgrade at https://thecutline.ai/upgrade");
+  }
+  return decoded;
+}
+async function resolveAuthContext(authToken) {
+  const decoded = await requirePremiumWithAutoAuth(authToken);
+  const accountType = decoded.accountType;
+  const ownerUid = decoded.ownerUid;
+  if (accountType === "agent") {
+    if (!ownerUid) {
+      throw new McpError(ErrorCode.InvalidRequest, "Agent account is misconfigured: missing ownerUid claim.");
+    }
+    const ownerHasSubscription = await validateSubscription(ownerUid);
+    if (!ownerHasSubscription) {
+      throw new McpError(ErrorCode.InvalidRequest, "The owner account's premium subscription is inactive. Agent access requires an active owner subscription.");
+    }
+    return { decoded, isAgent: true, effectiveUid: ownerUid };
+  }
+  return { decoded, isAgent: false, effectiveUid: decoded.uid };
+}
+var MAX_CACHE_SIZE = 100;
+var CACHE_CLEANUP_INTERVAL = 5 * 60 * 1e3;
+var tokenCache = /* @__PURE__ */ new Map();
+var lastCleanup = Date.now();
+function cleanupTokenCache() {
+  const now = Date.now();
+  for (const [key, value] of tokenCache.entries()) {
+    if (now >= value.expiresAt) {
+      tokenCache.delete(key);
+    }
+  }
+  if (tokenCache.size > MAX_CACHE_SIZE) {
+    const entriesToRemove = tokenCache.size - MAX_CACHE_SIZE;
+    const keysToRemove = [];
+    for (const key of tokenCache.keys()) {
+      if (keysToRemove.length >= entriesToRemove)
+        break;
+      keysToRemove.push(key);
+    }
+    keysToRemove.forEach((key) => tokenCache.delete(key));
+  }
+  lastCleanup = now;
+}
+function getCachedToken(refreshToken) {
+  if (Date.now() - lastCleanup > CACHE_CLEANUP_INTERVAL) {
+    cleanupTokenCache();
+  }
+  const cached = tokenCache.get(refreshToken);
+  if (!cached) {
+    return null;
+  }
+  if (Date.now() >= cached.expiresAt) {
+    tokenCache.delete(refreshToken);
+    return null;
+  }
+  cached.lastUsed = Date.now();
+  tokenCache.delete(refreshToken);
+  tokenCache.set(refreshToken, cached);
+  return cached.idToken;
+}
+function setCachedToken(refreshToken, idToken, expiresAt) {
+  if (tokenCache.size >= MAX_CACHE_SIZE) {
+    cleanupTokenCache();
+  }
+  tokenCache.delete(refreshToken);
+  tokenCache.set(refreshToken, {
+    idToken,
+    expiresAt,
+    lastUsed: Date.now()
+  });
+}
+var cachedApiKey = null;
+var API_KEY_CACHE_TTL = 36e5;
+async function getFirebaseApiKey(environment) {
+  const env = environment || "production";
+  if (env === "staging") {
+    if (process.env.FIREBASE_API_KEY_STAGING) {
+      return process.env.FIREBASE_API_KEY_STAGING;
+    }
+  }
+  const apiKey = process.env.FIREBASE_API_KEY || process.env.NEXT_PUBLIC_FIREBASE_API_KEY;
+  if (apiKey) {
+    return apiKey;
+  }
+  if (cachedApiKey && cachedApiKey.environment === env && Date.now() - cachedApiKey.fetchedAt < API_KEY_CACHE_TTL) {
+    return cachedApiKey.key;
+  }
+  const baseUrl = env === "staging" ? "https://cutline-staging.web.app" : "https://thecutline.ai";
+  try {
+    const response = await fetch(`${baseUrl}/api/firebase-config`, {
+      headers: { "Accept": "application/json" },
+      signal: (() => {
+        const controller = new AbortController();
+        setTimeout(() => controller.abort(), 5e3);
+        return controller.signal;
+      })()
+    });
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+    const data = await response.json();
+    if (!data.apiKey) {
+      throw new Error("No apiKey in response");
+    }
+    cachedApiKey = { key: data.apiKey, environment: env, fetchedAt: Date.now() };
+    return data.apiKey;
+  } catch (error) {
+    throw new Error(`Firebase API key not found. Set FIREBASE_API_KEY environment variable or ensure ${baseUrl}/api/firebase-config is accessible.`);
+  }
+}
+async function exchangeRefreshToken(refreshToken, firebaseApiKey, maxRetries = 3) {
+  const FIREBASE_API_KEY = firebaseApiKey || await getFirebaseApiKey();
+  let lastError;
+  for (let attempt = 0; attempt < maxRetries; attempt++) {
+    try {
+      const response = await fetch(`https://securetoken.googleapis.com/v1/token?key=${FIREBASE_API_KEY}`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({
+          grant_type: "refresh_token",
+          refresh_token: refreshToken
+        }),
+        // Add timeout to prevent hanging requests
+        signal: (() => {
+          const controller = new AbortController();
+          setTimeout(() => controller.abort(), 1e4);
+          return controller.signal;
+        })()
+      });
+      if (!response.ok) {
+        const error = await response.json();
+        const errorMessage = error.error?.message || "Unknown error";
+        if (response.status >= 400 && response.status < 500) {
+          throw new Error(`Token exchange failed: ${errorMessage}`);
+        }
+        lastError = new Error(`Token exchange failed (attempt ${attempt + 1}/${maxRetries}): ${errorMessage}`);
+        if (attempt < maxRetries - 1) {
+          await new Promise((resolve) => setTimeout(resolve, 500 * Math.pow(2, attempt)));
+          continue;
+        }
+        throw lastError;
+      }
+      const data = await response.json();
+      const idToken = data.id_token;
+      try {
+        const parts = idToken.split(".");
+        if (parts.length === 3) {
+          const payload = JSON.parse(Buffer.from(parts[1], "base64").toString());
+          const tokenProjectId = payload.aud || payload.project_id;
+          console.error(`[MCP Auth] Token exchanged successfully for project: ${tokenProjectId}`);
+        }
+      } catch (e) {
+      }
+      return idToken;
+    } catch (error) {
+      if (error.name === "AbortError" || error.name === "TypeError" || error.message?.includes("fetch")) {
+        lastError = error;
+        if (attempt < maxRetries - 1) {
+          await new Promise((resolve) => setTimeout(resolve, 500 * Math.pow(2, attempt)));
+          continue;
+        }
+      } else {
+        throw error;
+      }
+    }
+  }
+  throw lastError || new Error("Token exchange failed after retries");
+}
+async function getStoredToken() {
+  if (process.env.CUTLINE_MCP_REFRESH_TOKEN) {
+    console.error("[MCP Auth] Using token from CUTLINE_MCP_REFRESH_TOKEN env var");
+    return {
+      refreshToken: process.env.CUTLINE_MCP_REFRESH_TOKEN,
+      environment: process.env.CUTLINE_ENV === "staging" ? "staging" : "production"
+    };
+  }
+  try {
+    const configPath = path.join(os.homedir(), ".cutline-mcp", "config.json");
+    if (fs.existsSync(configPath)) {
+      const content = fs.readFileSync(configPath, "utf-8");
+      const config = JSON.parse(content);
+      if (config.refreshToken) {
+        console.error("[MCP Auth] Using token from ~/.cutline-mcp/config.json", config.environment ? `(environment: ${config.environment})` : "");
+        return {
+          refreshToken: config.refreshToken,
+          environment: config.environment
+        };
+      }
+    }
+  } catch (e) {
+    console.error("[MCP Auth] Failed to read config file:", e);
+  }
+  try {
+    console.error("[MCP Auth Debug] Attempting to import keytar...");
+    const keytar = await import("keytar");
+    console.error("[MCP Auth Debug] Keytar imported successfully, getting password...");
+    const token = await keytar.getPassword("cutline-mcp", "refresh-token");
+    console.error("[MCP Auth Debug] Token retrieved:", token ? "YES (length: " + token.length + ")" : "NO TOKEN FOUND");
+    if (token) {
+      return { refreshToken: token };
+    }
+  } catch (error) {
+    console.error("[MCP Auth Error] Failed to access keychain:", error);
+  }
+  return null;
+}
+async function requirePremiumWithAutoAuth(authToken) {
+  let idToken = authToken;
+  if (!idToken) {
+    const storedTokenInfo = await getStoredToken();
+    if (storedTokenInfo?.environment) {
+      initFirebase(storedTokenInfo.environment);
+    } else {
+      initFirebase();
+    }
+    if (storedTokenInfo) {
+      const { refreshToken, environment } = storedTokenInfo;
+      const apiKeyToUse = await getFirebaseApiKey(environment || "production");
+      const cached = getCachedToken(refreshToken);
+      if (cached) {
+        idToken = cached;
+      } else {
+        try {
+          idToken = await exchangeRefreshToken(refreshToken, apiKeyToUse);
+          setCachedToken(refreshToken, idToken, Date.now() + 50 * 60 * 1e3);
+        } catch (e) {
+          console.error("Token exchange failed:", e);
+          tokenCache.delete(refreshToken);
+        }
+      }
+    }
+  }
+  return await requirePremium(idToken);
+}
+async function requireAuthOnly(authToken) {
+  let idToken = authToken;
+  if (!idToken) {
+    const storedTokenInfo = await getStoredToken();
+    if (storedTokenInfo?.environment) {
+      initFirebase(storedTokenInfo.environment);
+    } else {
+      initFirebase();
+    }
+    if (storedTokenInfo) {
+      const { refreshToken, environment } = storedTokenInfo;
+      const apiKeyToUse = await getFirebaseApiKey(environment || "production");
+      const cached = getCachedToken(refreshToken);
+      if (cached) {
+        idToken = cached;
+      } else {
+        try {
+          idToken = await exchangeRefreshToken(refreshToken, apiKeyToUse);
+          setCachedToken(refreshToken, idToken, Date.now() + 50 * 60 * 1e3);
+        } catch (e) {
+          console.error("Token exchange failed:", e);
+          tokenCache.delete(refreshToken);
+        }
+      }
+    }
+  }
+  const decoded = await validateAuth(idToken);
+  if (!decoded) {
+    throw new McpError(ErrorCode.InvalidRequest, "Authentication required. Run 'cutline-mcp login' to authenticate.");
+  }
+  return decoded;
+}
+async function resolveAuthContextFree(authToken) {
+  const decoded = await requireAuthOnly(authToken);
+  const accountType = decoded.accountType;
+  const ownerUid = decoded.ownerUid;
+  if (accountType === "agent" && ownerUid) {
+    return { decoded, isAgent: true, effectiveUid: ownerUid };
+  }
+  return { decoded, isAgent: false, effectiveUid: decoded.uid };
+}
+
+// ../mcp/dist/mcp/src/shared/sanitize.js
+var NULL_AND_CONTROL_RE = /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g;
+var HTML_TAG_RE = /<\/?[a-z][^>]*>/gi;
+var SCRIPT_RE = /<script[\s>][\s\S]*?<\/script>/gi;
+var EVENT_HANDLER_RE = /\s+on\w+\s*=\s*["'][^"']*["']/gi;
+function stripControlChars(input) {
+  return input.replace(NULL_AND_CONTROL_RE, "");
+}
+function stripHtmlTags(input) {
+  return input.replace(SCRIPT_RE, "").replace(EVENT_HANDLER_RE, "").replace(HTML_TAG_RE, "");
+}
+var DEFAULT_MAX_LENGTH = 5e4;
+function sanitizeText(input, options = {}) {
+  const { maxLength = DEFAULT_MAX_LENGTH, stripHtml = true } = options;
+  let result = stripControlChars(input);
+  if (stripHtml) {
+    result = stripHtmlTags(result);
+  }
+  result = result.trim();
+  if (result.length > maxLength) {
+    result = result.slice(0, maxLength);
+  }
+  return result;
+}
+function sanitizeArgs(value, options = {}) {
+  if (typeof value === "string") {
+    return sanitizeText(value, options);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => sanitizeArgs(item, options));
+  }
+  if (value !== null && typeof value === "object" && !(value instanceof Date)) {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = sanitizeArgs(val, options);
+    }
+    return result;
+  }
+  return value;
+}
+
+// ../mcp/dist/mcp/src/shared/pii-scanner.js
+var patterns = [
+  // ── Secrets ──────────────────────────────────────────────────────────────
+  {
+    type: "aws_key",
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: "critical",
+    description: "AWS Access Key ID",
+    validate: (m) => m.length === 20
+  },
+  {
+    type: "aws_secret",
+    pattern: /(?:aws_secret_access_key|secret_access_key|aws_secret)\s*[=:]\s*[A-Za-z0-9/+=]{40}/g,
+    severity: "critical",
+    description: "AWS Secret Access Key"
+  },
+  {
+    type: "stripe_key",
+    pattern: /[sr]k_(live|test)_[0-9a-zA-Z]{24,}/g,
+    severity: "critical",
+    description: "Stripe API key"
+  },
+  {
+    type: "stripe_key",
+    pattern: /pk_(live|test)_[0-9a-zA-Z]{24,}/g,
+    severity: "critical",
+    description: "Stripe publishable key"
+  },
+  {
+    type: "github_token",
+    pattern: /gh[ps]_[A-Za-z0-9]{36,}/g,
+    severity: "critical",
+    description: "GitHub personal access token"
+  },
+  {
+    type: "github_token",
+    pattern: /github_pat_[A-Za-z0-9_]{20,}/g,
+    severity: "critical",
+    description: "GitHub fine-grained personal access token"
+  },
+  {
+    type: "bearer_token",
+    pattern: /Bearer\s+[A-Za-z0-9\-._~+/]+=*/g,
+    severity: "critical",
+    description: "Bearer authorization token"
+  },
+  {
+    type: "generic_api_key",
+    pattern: /(?:api[_-]?key|apikey|api[_-]?secret|secret[_-]?key)\s*[=:"']\s*["']?([A-Za-z0-9\-._~+/]{20,})["']?/gi,
+    severity: "warning",
+    description: "Generic API key/secret assignment"
+  },
+  // ── PII ──────────────────────────────────────────────────────────────────
+  {
+    type: "credit_card",
+    pattern: /\b(?:4[0-9]{3}|5[1-5][0-9]{2}|3[47][0-9]{2}|6(?:011|5[0-9]{2}))[- ]?[0-9]{4}[- ]?[0-9]{4}[- ]?[0-9]{4}\b/g,
+    severity: "critical",
+    description: "Credit card number (Visa, MC, Amex, Discover)"
+  },
+  {
+    type: "ssn",
+    pattern: /(?:ssn|social\s*security(?:\s*number)?|ss#)\s*(?:number\s*)?[:\s]?\s*(\d{3})-?(\d{2})-?(\d{4})/gi,
+    severity: "critical",
+    description: "US Social Security Number (context-required)",
+    validate: (_m, _full, _idx) => true
+  },
+  {
+    type: "phone_number",
+    pattern: /(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}/g,
+    severity: "warning",
+    description: "US phone number"
+  },
+  {
+    type: "email",
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    severity: "info",
+    description: "Email address"
+  }
+];
+var DEFAULT_PATTERNS = Object.freeze(patterns.map((p) => ({ ...p })));
+var REDACT_LABELS = {
+  aws_key: "[AWS_KEY]",
+  aws_secret: "[AWS_SECRET]",
+  stripe_key: "[STRIPE_KEY]",
+  github_token: "[GITHUB_TOKEN]",
+  bearer_token: "[BEARER_TOKEN]",
+  generic_api_key: "[API_KEY]",
+  credit_card: "[CREDIT_CARD]",
+  ssn: "[SSN]",
+  phone_number: "[PHONE]",
+  email: "[EMAIL]"
+};
+function scanForPii(input) {
+  return runScan(input, patterns);
+}
+function runScan(input, defs) {
+  if (!input) {
+    return { matches: [], flags_by_type: {}, scanned_chars: 0, redacted: "" };
+  }
+  const allMatches = [];
+  for (const def of defs) {
+    const re = new RegExp(def.pattern.source, def.pattern.flags);
+    let m;
+    while ((m = re.exec(input)) !== null) {
+      const text = m[0];
+      const start = m.index;
+      const end = start + text.length;
+      if (def.validate && !def.validate(text, input, start)) {
+        continue;
+      }
+      allMatches.push({
+        type: def.type,
+        text,
+        start,
+        end,
+        severity: def.severity
+      });
+    }
+  }
+  allMatches.sort((a, b) => a.start - b.start);
+  const deduped = deduplicateOverlaps(allMatches);
+  const flags_by_type = {};
+  for (const match of deduped) {
+    flags_by_type[match.type] = (flags_by_type[match.type] || 0) + 1;
+  }
+  const redacted = buildRedacted(input, deduped);
+  return {
+    matches: deduped,
+    flags_by_type,
+    scanned_chars: input.length,
+    redacted
+  };
+}
+function deduplicateOverlaps(sorted) {
+  if (sorted.length <= 1)
+    return sorted;
+  const severityRank = {
+    critical: 3,
+    warning: 2,
+    info: 1
+  };
+  const result = [sorted[0]];
+  for (let i = 1; i < sorted.length; i++) {
+    const prev = result[result.length - 1];
+    const curr = sorted[i];
+    if (curr.start < prev.end) {
+      const prevRank = severityRank[prev.severity];
+      const currRank = severityRank[curr.severity];
+      if (currRank > prevRank || currRank === prevRank && curr.end - curr.start > prev.end - prev.start) {
+        result[result.length - 1] = curr;
+      }
+    } else {
+      result.push(curr);
+    }
+  }
+  return result;
+}
+function buildRedacted(input, matches) {
+  if (matches.length === 0)
+    return input;
+  const parts = [];
+  let cursor = 0;
+  for (const match of matches) {
+    if (match.start > cursor) {
+      parts.push(input.slice(cursor, match.start));
+    }
+    parts.push(REDACT_LABELS[match.type] || `[${match.type.toUpperCase()}]`);
+    cursor = match.end;
+  }
+  if (cursor < input.length) {
+    parts.push(input.slice(cursor));
+  }
+  return parts.join("");
+}
+
+// ../mcp/dist/mcp/src/shared/boundary-guard.js
+var DEFAULT_OPTS = { stripHtml: false, maxLength: 1e5 };
+function guardBoundary(toolName, rawArgs, opts = DEFAULT_OPTS) {
+  const args = sanitizeArgs(rawArgs, opts);
+  const piiResults = [];
+  for (const [key, val] of Object.entries(args)) {
+    if (typeof val === "string" && val.length > 0) {
+      const scan = scanForPii(val);
+      if (scan.matches.length > 0) {
+        piiResults.push({ field: key, result: scan });
+        auditLog("pii_detected", "tool_call", toolName, {
+          field: key,
+          flags_by_type: scan.flags_by_type,
+          match_count: scan.matches.length,
+          scanned_chars: scan.scanned_chars
+        });
+      }
+    }
+  }
+  return {
+    args,
+    piiDetected: piiResults.length > 0,
+    piiResults
+  };
+}
+function guardOutput(toolName, response) {
+  let totalRedactions = 0;
+  const content = response.content.map((block) => {
+    if (block.type !== "text" || !block.text)
+      return block;
+    const scan = scanForPii(block.text);
+    if (scan.matches.length === 0)
+      return block;
+    totalRedactions += scan.matches.length;
+    return { ...block, text: scan.redacted };
+  });
+  if (totalRedactions > 0) {
+    auditLog("secret_in_output", "tool_response", toolName, {
+      redaction_count: totalRedactions
+    });
+  }
+  return {
+    ...response,
+    content,
+    _secretsRedacted: totalRedactions > 0,
+    _redactionCount: totalRedactions
+  };
+}
+function auditLog(eventType, resourceType, resourceId, data) {
+  console.error(JSON.stringify({
+    audit: true,
+    severity: "INFO",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    eventType,
+    resourceType,
+    resourceId,
+    data
+  }));
+}
+
+// ../mcp/dist/mcp/src/shared/perf-tracker.js
+var PerfTracker = class {
+  entries = /* @__PURE__ */ new Map();
+  windowMs;
+  failureAlertThreshold;
+  onFailureAlert;
+  latencyThresholds;
+  maxEntriesPerTool;
+  startedAt = Date.now();
+  alertActive = false;
+  constructor(options = {}) {
+    this.windowMs = options.windowMs ?? 5 * 60 * 1e3;
+    this.failureAlertThreshold = options.failureAlertThreshold ?? 0.05;
+    this.onFailureAlert = options.onFailureAlert;
+    this.latencyThresholds = options.latencyThresholds ?? [];
+    this.maxEntriesPerTool = options.maxEntriesPerTool ?? 1e4;
+  }
+  record(tool, latencyMs, success) {
+    if (!this.entries.has(tool)) {
+      this.entries.set(tool, []);
+    }
+    const bucket = this.entries.get(tool);
+    bucket.push({ timestamp: Date.now(), latencyMs, success });
+    if (bucket.length > this.maxEntriesPerTool) {
+      bucket.splice(0, bucket.length - this.maxEntriesPerTool);
+    }
+    this.checkFailureAlert();
+  }
+  getToolMetrics(tool) {
+    const active = this.getActiveEntries(tool);
+    if (!active || active.length === 0)
+      return void 0;
+    return this.computeMetrics(active);
+  }
+  getSnapshot() {
+    const tools = {};
+    let totalCalls = 0;
+    let totalFailures = 0;
+    for (const tool of this.entries.keys()) {
+      const active = this.getActiveEntries(tool);
+      if (active.length === 0)
+        continue;
+      const metrics = this.computeMetrics(active);
+      tools[tool] = metrics;
+      totalCalls += metrics.totalCalls;
+      totalFailures += metrics.failureCount;
+    }
+    return {
+      tools,
+      totalCalls,
+      globalFailureRate: totalCalls > 0 ? totalFailures / totalCalls : 0,
+      uptimeMs: Date.now() - this.startedAt,
+      windowMs: this.windowMs
+    };
+  }
+  getThresholdBreaches() {
+    const breaches = [];
+    for (const threshold of this.latencyThresholds) {
+      const metrics = this.getToolMetrics(threshold.tool);
+      if (!metrics)
+        continue;
+      const actual = metrics[threshold.percentile];
+      if (actual > threshold.maxMs) {
+        breaches.push({ ...threshold, actual });
+      }
+    }
+    return breaches;
+  }
+  // ═════════════════════════════════════════════════════════════════════════════
+  // INTERNALS
+  // ═════════════════════════════════════════════════════════════════════════════
+  getActiveEntries(tool) {
+    const bucket = this.entries.get(tool);
+    if (!bucket)
+      return [];
+    const cutoff = Date.now() - this.windowMs;
+    const active = bucket.filter((e) => e.timestamp >= cutoff);
+    this.entries.set(tool, active);
+    return active;
+  }
+  computeMetrics(entries) {
+    const latencies = entries.map((e) => e.latencyMs).sort((a, b) => a - b);
+    const successCount = entries.filter((e) => e.success).length;
+    const failureCount = entries.length - successCount;
+    const sum = latencies.reduce((a, b) => a + b, 0);
+    return {
+      totalCalls: entries.length,
+      successCount,
+      failureCount,
+      failureRate: entries.length > 0 ? failureCount / entries.length : 0,
+      p50: percentile(latencies, 0.5),
+      p95: percentile(latencies, 0.95),
+      p99: percentile(latencies, 0.99),
+      avgMs: Math.round(sum / entries.length),
+      minMs: latencies[0],
+      maxMs: latencies[latencies.length - 1]
+    };
+  }
+  checkFailureAlert() {
+    const snap = this.getSnapshot();
+    if (snap.totalCalls === 0)
+      return;
+    if (snap.globalFailureRate > this.failureAlertThreshold) {
+      if (!this.alertActive) {
+        this.alertActive = true;
+        auditLog2("perf_failure_alert", snap);
+        this.onFailureAlert?.(snap);
+      }
+    } else {
+      this.alertActive = false;
+    }
+  }
+};
+function percentile(sorted, p) {
+  if (sorted.length === 0)
+    return 0;
+  if (sorted.length === 1)
+    return sorted[0];
+  const idx = (sorted.length - 1) * p;
+  const lo = Math.floor(idx);
+  const hi = Math.ceil(idx);
+  if (lo === hi)
+    return sorted[lo];
+  return sorted[lo] + (sorted[hi] - sorted[lo]) * (idx - lo);
+}
+function auditLog2(eventType, snapshot) {
+  const toolSummary = {};
+  for (const [tool, m] of Object.entries(snapshot.tools)) {
+    toolSummary[tool] = { calls: m.totalCalls, failRate: m.failureRate, p95: m.p95 };
+  }
+  console.error(JSON.stringify({
+    audit: true,
+    severity: "ERROR",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    eventType,
+    resourceType: "mcp_perf",
+    data: {
+      globalFailureRate: snapshot.globalFailureRate,
+      totalCalls: snapshot.totalCalls,
+      tools: toolSummary
+    }
+  }));
+}
+
+// ../mcp/dist/mcp/src/shared/perf-tracker-instance.js
+var LATENCY_THRESHOLDS = [
+  { tool: "exploration_start", percentile: "p99", maxMs: 500 },
+  { tool: "discovery_start", percentile: "p99", maxMs: 500 },
+  { tool: "constraints_query", percentile: "p95", maxMs: 800 },
+  { tool: "constraints_semantic_query", percentile: "p95", maxMs: 800 },
+  { tool: "template_discover", percentile: "p95", maxMs: 500 },
+  { tool: "template_list", percentile: "p95", maxMs: 500 }
+];
+var perfTracker = new PerfTracker({
+  windowMs: 5 * 60 * 1e3,
+  failureAlertThreshold: 0.05,
+  latencyThresholds: LATENCY_THRESHOLDS,
+  maxEntriesPerTool: 5e3
+});
+async function withPerfTracking(toolName, fn) {
+  const start = Date.now();
+  let success = true;
+  try {
+    return await fn();
+  } catch (err) {
+    success = false;
+    throw err;
+  } finally {
+    perfTracker.record(toolName, Date.now() - start, success);
+  }
+}
+
+export {
+  initFirebase,
+  validateRequestSize,
+  mapErrorToMcp,
+  validateAuth,
+  validateSubscription,
+  resolveAuthContext,
+  getStoredToken,
+  requirePremiumWithAutoAuth,
+  resolveAuthContextFree,
+  guardBoundary,
+  guardOutput,
+  perfTracker,
+  withPerfTracking
+};