@lightcone-ai/daemon 0.12.0 → 0.14.0

package/mcp-servers/mysql/core.js

@@ -0,0 +1,270 @@
+import { createHash } from 'crypto';
+
+export const DEFAULT_LIMIT = 200;
+export const MAX_LIMIT = 1000;
+
+const READ_QUERY_PREFIX = /^(SELECT|SHOW|DESCRIBE|DESC|EXPLAIN|WITH)\b/i;
+const REQUIRED_DB_KEYS = ['DB_HOST', 'DB_PORT', 'DB_USER', 'DB_PASSWORD', 'DB_NAME'];
+
+function trimTrailingSemicolons(sql) {
+  return sql.replace(/;+\s*$/u, '');
+}
+
+export function normalizeSql(rawSql) {
+  if (typeof rawSql !== 'string') return '';
+  const trimmed = rawSql.trim();
+  if (!trimmed) return '';
+  return trimTrailingSemicolons(trimmed);
+}
+
+export function normalizeLimit(limit) {
+  const numeric = Number(limit);
+  if (!Number.isFinite(numeric) || numeric <= 0) return DEFAULT_LIMIT;
+  return Math.min(Math.trunc(numeric), MAX_LIMIT);
+}
+
+export function isReadQuery(sql) {
+  return READ_QUERY_PREFIX.test(sql);
+}
+
+export function hasLimitClause(sql) {
+  return /\bLIMIT\b/i.test(sql);
+}
+
+export function prepareSql(sql, limit) {
+  const normalizedSql = normalizeSql(sql);
+  if (!normalizedSql) throw new Error('sql must be a non-empty string');
+
+  const effectiveLimit = normalizeLimit(limit);
+  if (!isReadQuery(normalizedSql) || hasLimitClause(normalizedSql)) {
+    return {
+      sql: normalizedSql,
+      limit: effectiveLimit,
+      limitParams: [],
+      limitInjected: false,
+    };
+  }
+
+  return {
+    sql: `${normalizedSql} LIMIT ?`,
+    limit: effectiveLimit,
+    limitParams: [effectiveLimit],
+    limitInjected: true,
+  };
+}
+
+function readRequiredKey(envVars, key) {
+  const raw = envVars?.[key];
+  if (raw == null || String(raw).trim() === '') return null;
+  return String(raw).trim();
+}
+
+export function parseDbConfig(envVars) {
+  const missing = [];
+  const values = {};
+  for (const key of REQUIRED_DB_KEYS) {
+    const value = readRequiredKey(envVars, key);
+    if (value == null) {
+      missing.push(key);
+      continue;
+    }
+    values[key] = value;
+  }
+  if (missing.length > 0) {
+    throw new Error(`credential payload missing required DB fields: ${missing.join(', ')}`);
+  }
+
+  const port = Number(values.DB_PORT);
+  if (!Number.isFinite(port) || port <= 0) {
+    throw new Error('credential payload has invalid DB_PORT');
+  }
+
+  return {
+    host: values.DB_HOST,
+    port,
+    user: values.DB_USER,
+    password: values.DB_PASSWORD,
+    database: values.DB_NAME,
+    waitForConnections: true,
+    connectionLimit: 3,
+    queueLimit: 0,
+  };
+}
+
+function fingerprintDbConfig(dbConfig) {
+  return createHash('sha256')
+    .update(JSON.stringify([
+      dbConfig.host,
+      dbConfig.port,
+      dbConfig.user,
+      dbConfig.password,
+      dbConfig.database,
+    ]))
+    .digest('hex');
+}
+
+export function createDataSourcePoolRegistry({ createPool, logger = () => {} } = {}) {
+  if (typeof createPool !== 'function') {
+    throw new Error('createPool function is required');
+  }
+
+  const pools = new Map();
+
+  return {
+    getOrCreate(dataSourceId, dbConfig) {
+      const id = String(dataSourceId ?? '').trim();
+      if (!id) throw new Error('data_source_id must be a non-empty string');
+      const nextFingerprint = fingerprintDbConfig(dbConfig);
+      const existing = pools.get(id);
+
+      if (existing && existing.fingerprint === nextFingerprint) {
+        return existing.pool;
+      }
+
+      if (existing) {
+        Promise.resolve(existing.pool.end())
+          .catch((error) => logger(`[mysql-mcp] failed to close previous pool for data_source_id=${id}: ${error.message}`));
+      }
+
+      const pool = createPool(dbConfig);
+      pools.set(id, { fingerprint: nextFingerprint, pool });
+      return pool;
+    },
+
+    async closeAll() {
+      const closing = [];
+      for (const { pool } of pools.values()) {
+        closing.push(
+          Promise.resolve(pool.end()).catch((error) => {
+            logger(`[mysql-mcp] failed to close pool: ${error.message}`);
+          })
+        );
+      }
+      pools.clear();
+      await Promise.all(closing);
+    },
+
+    size() {
+      return pools.size;
+    },
+  };
+}
+
+function normalizeServerUrl(serverUrl) {
+  return String(serverUrl ?? '').trim().replace(/\/+$/u, '');
+}
+
+export function createCredentialBrokerClient({
+  fetchFn = globalThis.fetch,
+  serverUrl = '',
+  machineApiKey = '',
+  agentId = '',
+  workspaceId = '',
+  bundleId = '',
+} = {}) {
+  if (typeof fetchFn !== 'function') {
+    throw new Error('fetch function is required');
+  }
+
+  const normalizedServerUrl = normalizeServerUrl(serverUrl);
+  const normalizedMachineApiKey = String(machineApiKey ?? '').trim();
+  const normalizedAgentId = String(agentId ?? '').trim();
+  const normalizedWorkspaceId = String(workspaceId ?? '').trim();
+  const normalizedBundleId = String(bundleId ?? '').trim();
+
+  return async function fetchCredentialEnvVars(dataSourceId) {
+    const normalizedDataSourceId = String(dataSourceId ?? '').trim();
+    if (!normalizedDataSourceId) {
+      throw new Error('data_source_id is required');
+    }
+    if (!normalizedServerUrl || !normalizedMachineApiKey || !normalizedAgentId) {
+      throw new Error('mysql MCP missing SERVER_URL/MACHINE_API_KEY/AGENT_ID runtime context');
+    }
+
+    const response = await fetchFn(`${normalizedServerUrl}/governance/credential-broker`, {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${normalizedMachineApiKey}`,
+      },
+      body: JSON.stringify({
+        agent_id: normalizedAgentId,
+        workspace_id: normalizedWorkspaceId || null,
+        required_credentials: [normalizedDataSourceId],
+        bundle_id: normalizedBundleId || null,
+      }),
+    });
+
+    let payload = null;
+    try {
+      payload = await response.json();
+    } catch {
+      payload = null;
+    }
+
+    if (!response.ok) {
+      const reason = typeof payload?.error === 'string'
+        ? payload.error
+        : `status_${response.status}`;
+      throw new Error(`credential_broker_failed:${reason}`);
+    }
+
+    const envVars = payload?.env_vars;
+    if (!envVars || typeof envVars !== 'object' || Array.isArray(envVars)) {
+      throw new Error('credential_broker_invalid_response');
+    }
+    return envVars;
+  };
+}
+
+export async function executeSql({
+  dataSourceId,
+  sql,
+  params = [],
+  limit,
+  fetchCredentialEnvVars,
+  poolRegistry,
+} = {}) {
+  const normalizedDataSourceId = String(dataSourceId ?? '').trim();
+  if (!normalizedDataSourceId) {
+    throw new Error('data_source_id is required');
+  }
+  if (!Array.isArray(params)) {
+    throw new Error('params must be an array');
+  }
+  if (typeof fetchCredentialEnvVars !== 'function') {
+    throw new Error('fetchCredentialEnvVars function is required');
+  }
+  if (!poolRegistry || typeof poolRegistry.getOrCreate !== 'function') {
+    throw new Error('poolRegistry.getOrCreate is required');
+  }
+
+  const prepared = prepareSql(sql, limit);
+  const credentialEnv = await fetchCredentialEnvVars(normalizedDataSourceId);
+  const dbConfig = parseDbConfig(credentialEnv);
+  const pool = poolRegistry.getOrCreate(normalizedDataSourceId, dbConfig);
+
+  const queryParams = [...params, ...prepared.limitParams];
+  const [result] = await pool.query(prepared.sql, queryParams);
+
+  if (Array.isArray(result)) {
+    const rows = result.length > prepared.limit
+      ? result.slice(0, prepared.limit)
+      : result;
+    return {
+      data_source_id: normalizedDataSourceId,
+      row_count: rows.length,
+      limit: prepared.limit,
+      limit_applied: prepared.limitInjected || rows.length < result.length,
+      rows,
+    };
+  }
+
+  return {
+    data_source_id: normalizedDataSourceId,
+    affected_rows: Number(result?.affectedRows ?? 0),
+    changed_rows: Number(result?.changedRows ?? 0),
+    insert_id: result?.insertId ?? null,
+    warning_status: Number(result?.warningStatus ?? 0),
+  };
+}

package/mcp-servers/mysql/index.js

@@ -3,161 +3,89 @@ import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { z } from 'zod';
 import mysql from 'mysql2/promise';
-
-function requiredEnv(name) {
-  const value = process.env[name];
-  if (!value) {
-    throw new Error(`${name} is required; configure the remote Tencent MySQL connection in .env`);
+import { pathToFileURL } from 'url';
+import {
+  createCredentialBrokerClient,
+  createDataSourcePoolRegistry,
+  executeSql,
+} from './core.js';
+
+const TOOL_SCHEMA = {
+  data_source_id: z.string().describe('数据源 ID（当前实现映射为 credential_id）'),
+  sql: z.string().describe('要执行的 SQL。支持参数占位符 ?'),
+  params: z.array(z.any()).optional().describe('SQL 参数数组（按顺序对应 ? 占位符）'),
+  limit: z.number().int().positive().optional().describe('结果行数上限。默认 200，最大 1000'),
+};
+
+function isExecutedDirectly(metaUrl) {
+  const entry = process.argv[1];
+  if (!entry) return false;
+  try {
+    return pathToFileURL(entry).href === metaUrl;
+  } catch {
+    return false;
   }
-  return value;
 }
 
-const pool = mysql.createPool({
-  host:     requiredEnv('DB_HOST'),
-  port:     Number(requiredEnv('DB_PORT')),
-  user:     requiredEnv('DB_USER'),
-  password: requiredEnv('DB_PASSWORD'),
-  database: requiredEnv('DB_NAME'),
-  waitForConnections: true,
-  connectionLimit: 3,
-});
-
-const server = new McpServer({ name: 'mysql-jobs', version: '0.1.0' });
-
-// ── search_jobs ───────────────────────────────────────────────────────────────
-server.tool('search_jobs',
-  '搜索职位。支持按关键词、公司名、职位类型、工作地点过滤。返回匹配的职位列表（不含完整描述）。',
-  {
-    keyword:  z.string().optional().describe('搜索关键词，匹配职位名称或描述'),
-    company:  z.string().optional().describe('公司名（模糊匹配）'),
-    job_type: z.string().optional().describe('职位类型，如 实习、校招、社招'),
-    location: z.string().optional().describe('工作地点，如 北京、上海'),
-    limit:    z.number().optional().describe('返回数量，默认 10，最大 50'),
-  },
-  async ({ keyword, company, job_type, location, limit = 10 }) => {
-    const max = Math.min(limit, 50);
-    const conditions = ['is_valid != "false"'];
-    const params = [];
-
-    if (keyword) {
-      conditions.push('(job_title LIKE ? OR job_description LIKE ?)');
-      params.push(`%${keyword}%`, `%${keyword}%`);
-    }
-    if (company) {
-      conditions.push('company_name LIKE ?');
-      params.push(`%${company}%`);
-    }
-    if (job_type) {
-      conditions.push('job_type LIKE ?');
-      params.push(`%${job_type}%`);
-    }
-    if (location) {
-      conditions.push('work_location LIKE ?');
-      params.push(`%${location}%`);
-    }
-
-    params.push(max);
-    const sql = `
-      SELECT job_id, job_title, company_name, salary, work_location, job_type, degree, tags, publish_date
-      FROM job_details
-      WHERE ${conditions.join(' AND ')}
-      ORDER BY created_at DESC
-      LIMIT ?
-    `;
-
-    console.error(`[mysql-mcp] search_jobs: ${sql.replace(/\s+/g, ' ').trim()} | params: ${JSON.stringify(params)}`);
-    const [rows] = await pool.query(sql, params);
-    if (rows.length === 0) {
-      return { content: [{ type: 'text', text: '未找到匹配的职位。' }] };
-    }
-
-    const text = rows.map(r => [
-      `job_id: ${r.job_id}`,
-      `职位: ${r.job_title} @ ${r.company_name}`,
-      `类型: ${r.job_type ?? '-'}  地点: ${r.work_location ?? '-'}  学历: ${r.degree ?? '-'}`,
-      `薪资: ${r.salary || '未披露'}`,
-      `标签: ${(() => { try { return r.tags ? JSON.parse(r.tags).join(', ') : '-'; } catch { return r.tags ?? '-'; } })()}`,
-      `发布日期: ${r.publish_date ?? '-'}`,
-    ].join('\n')).join('\n\n---\n\n');
-
-    return { content: [{ type: 'text', text: `共 ${rows.length} 条结果：\n\n${text}` }] };
-  }
-);
-
-// ── get_job_detail ────────────────────────────────────────────────────────────
-server.tool('get_job_detail',
-  '根据 job_id 获取职位完整详情，包括职位描述全文。用于写手生成文案前获取完整信息。',
-  {
-    job_id: z.string().describe('职位 ID（从 search_jobs 结果中获取）'),
-  },
-  async ({ job_id }) => {
-    const detailSql = `SELECT jd.*, c.industry, c.scale, c.type as company_type, c.logo_url FROM job_details jd LEFT JOIN companies c ON jd.company_id = c.company_id WHERE jd.job_id = ?`;
-    console.error(`[mysql-mcp] get_job_detail: ${detailSql} | params: ${JSON.stringify([job_id])}`);
-    const [rows] = await pool.query(detailSql, [job_id]);
-
-    if (rows.length === 0) {
-      return { content: [{ type: 'text', text: `未找到 job_id=${job_id} 的职位。` }] };
-    }
-
-    const r = rows[0];
-    const tags = (() => { try { return r.tags ? JSON.parse(r.tags) : []; } catch { return []; } })();
-    const text = [
-      `【职位详情】`,
-      `职位名称: ${r.job_title}`,
-      `公司: ${r.company_name}${r.industry ? `（${r.industry}）` : ''}`,
-      `公司规模: ${r.scale ?? '-'}  公司类型: ${r.company_type ?? '-'}`,
-      `薪资: ${r.salary || '未披露'}`,
-      `工作地点: ${r.work_location ?? '-'}`,
-      `职位类型: ${r.job_type ?? '-'}`,
-      `学历要求: ${r.degree ?? '-'}`,
-      `技能标签: ${tags.join(', ') || '-'}`,
-      `发布日期: ${r.publish_date ?? '-'}`,
-      `截止日期: ${r.close_date ?? '-'}`,
-      `原始链接: ${r.job_detail_url}`,
-      ``,
-      `【职位描述】`,
-      r.job_description ?? '（无描述）',
-    ].join('\n');
-
-    return { content: [{ type: 'text', text }] };
-  }
-);
-
-// ── list_jobs ─────────────────────────────────────────────────────────────────
-server.tool('list_jobs',
-  '列出最新职位，支持按类型、地点过滤。用于浏览近期职位。',
-  {
-    job_type: z.string().optional().describe('职位类型过滤，如 实习、校招、社招'),
-    location: z.string().optional().describe('工作地点过滤'),
-    limit:    z.number().optional().describe('返回数量，默认 20，最大 50'),
-    offset:   z.number().optional().describe('跳过前 N 条，用于分页'),
-  },
-  async ({ job_type, location, limit = 20, offset = 0 }) => {
-    const max = Math.min(limit, 50);
-    const conditions = ['is_valid != "false"'];
-    const params = [];
-
-    if (job_type) { conditions.push('job_type LIKE ?'); params.push(`%${job_type}%`); }
-    if (location) { conditions.push('work_location LIKE ?'); params.push(`%${location}%`); }
-
-    params.push(max, offset);
-    const listSql = `SELECT job_id, job_title, company_name, salary, work_location, job_type, degree, tags FROM job_details WHERE ${conditions.join(' AND ')} ORDER BY created_at DESC LIMIT ? OFFSET ?`;
-    console.error(`[mysql-mcp] list_jobs: ${listSql} | params: ${JSON.stringify(params)}`);
-    const [rows] = await pool.query(listSql, params);
-
-    if (rows.length === 0) {
-      return { content: [{ type: 'text', text: '暂无职位数据。' }] };
+export function createMysqlMcpServer({
+  env = process.env,
+  fetchFn = globalThis.fetch,
+  mysqlModule = mysql,
+  logger = console.error,
+} = {}) {
+  const brokerClient = createCredentialBrokerClient({
+    fetchFn,
+    serverUrl: env.SERVER_URL,
+    machineApiKey: env.MACHINE_API_KEY,
+    agentId: env.AGENT_ID,
+    workspaceId: env.WORKSPACE_ID,
+    bundleId: env.GOVERNANCE_SPAWN_BUNDLE_ID,
+  });
+  const poolRegistry = createDataSourcePoolRegistry({
+    createPool: mysqlModule.createPool.bind(mysqlModule),
+    logger,
+  });
+
+  const server = new McpServer({ name: 'mysql-universal-sql', version: '0.2.0' });
+
+  server.tool(
+    'query',
+    '执行通用 SQL。调用时通过 data_source_id 走 credential broker 动态获取 DB 凭证并路由连接。',
+    TOOL_SCHEMA,
+    async ({ data_source_id, sql, params = [], limit }) => {
+      try {
+        const payload = await executeSql({
+          dataSourceId: data_source_id,
+          sql,
+          params,
+          limit,
+          fetchCredentialEnvVars: brokerClient,
+          poolRegistry,
+        });
+        return { content: [{ type: 'text', text: JSON.stringify(payload, null, 2) }] };
+      } catch (error) {
+        logger(`[mysql-mcp] query failed for data_source_id=${data_source_id}: ${error.message}`);
+        return {
+          isError: true,
+          content: [{ type: 'text', text: `query failed: ${error.message}` }],
+        };
+      }
     }
+  );
 
-    const text = rows.map(r =>
-      `${r.job_id} | ${r.job_title} @ ${r.company_name} | ${r.job_type ?? '-'} | ${r.work_location ?? '-'} | ${r.salary || '薪资未披露'}`
-    ).join('\n');
+  return { server, poolRegistry };
+}
 
-    return { content: [{ type: 'text', text }] };
-  }
-);
+export async function startMysqlMcpServer(options = {}) {
+  const { server } = createMysqlMcpServer(options);
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  console.error('[mysql-mcp] Server started (universal SQL mode)');
+}
 
-// ── start ─────────────────────────────────────────────────────────────────────
-const transport = new StdioServerTransport();
-await server.connect(transport);
-console.error('[mysql-mcp] Server started');
+if (isExecutedDirectly(import.meta.url)) {
+  startMysqlMcpServer().catch((error) => {
+    console.error(`[mysql-mcp] failed to start: ${error.message}`);
+    process.exitCode = 1;
+  });
+}

package/mcp-servers/mysql/manifest.json

@@ -1,16 +1,18 @@
 {
   "id": "mysql",
   "name": "MySQL MCP Server",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "runtime": "node",
   "entrypoint": "index.js",
   "tool_declarations": [
-    { "name": "search_jobs", "classification": "cacheable" },
-    { "name": "get_job_detail", "classification": "cacheable" },
-    { "name": "list_jobs", "classification": "cacheable" }
+    { "name": "query", "classification": "mandatory" }
   ],
   "smoke_test": {
-    "tool": "list_jobs",
-    "arguments": { "limit": 1 }
+    "tool": "query",
+    "arguments": {
+      "data_source_id": "smoke-test-data-source",
+      "sql": "SELECT 1",
+      "limit": 1
+    }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lightcone-ai/daemon",
-  "version": "0.12.0",
+  "version": "0.14.0",
   "type": "module",
   "main": "src/index.js",
   "bin": {

package/src/chat-bridge.js

@@ -14,9 +14,19 @@ function getArg(name) {
   return idx !== -1 && cliArgs[idx + 1] ? cliArgs[idx + 1] : '';
 }
 
+function parseBooleanFlag(value, fallback = false) {
+  if (value == null) return fallback;
+  if (typeof value === 'boolean') return value;
+  const normalized = String(value).trim().toLowerCase();
+  if (['1', 'true', 'yes', 'y', 'on'].includes(normalized)) return true;
+  if (['0', 'false', 'no', 'n', 'off'].includes(normalized)) return false;
+  return fallback;
+}
+
 const SERVER_URL      = process.env.SERVER_URL || getArg('--server-url') || 'http://localhost:9779';
 const MACHINE_API_KEY = process.env.MACHINE_API_KEY || getArg('--auth-token') || '';
 const AGENT_ID        = process.env.AGENT_ID || getArg('--agent-id') || '';
+const HOST_AGENT_HINT = process.env.IS_HOST_AGENT || getArg('--is-host-agent') || '';
 const WORKSPACE_ID      = process.env.WORKSPACE_ID || getArg('--workspace-id') || '';  // injected per-workspace at spawn time
 const WORKSPACE_DIR = path.resolve(process.env.WORKSPACE_DIR || getArg('--workspace-dir') || process.cwd());
 const WORKSPACE_ROOT_DIR = path.dirname(WORKSPACE_DIR);
@@ -102,6 +112,19 @@ const DEFAULT_TOOL_CLASSIFICATION = {
   request_approval: 'mandatory',
   execute_approved_action: 'mandatory',
   promote_context: 'mandatory',
+  update_goal_field: 'mandatory',
+  supersede_goal_field: 'mandatory',
+  request_credential_auth: 'mandatory',
+  register_data_source: 'mandatory',
+  bind_workspace_scenario: 'mandatory',
+  create_workspace: 'mandatory',
+  rename_workspace: 'mandatory',
+  delete_workspace: 'mandatory',
+  revoke_credential: 'mandatory',
+  submit_feedback: 'mandatory',
+  escalate_to_human: 'mandatory',
+  navigate_to_workspace: 'mandatory',
+  navigate_to_settings: 'mandatory',
 
   search_messages: 'cacheable',
   list_server: 'cacheable',
@@ -111,6 +134,19 @@ const DEFAULT_TOOL_CLASSIFICATION = {
   skill_list: 'cacheable',
   skill_read: 'cacheable',
   skill_search: 'cacheable',
+  search_scenarios: 'cacheable',
+  get_scenario: 'cacheable',
+  list_scenarios: 'cacheable',
+  recommend_scenario: 'cacheable',
+  list_workspaces: 'cacheable',
+  get_workspace_summary: 'cacheable',
+  query_user_history: 'cacheable',
+  list_accounts: 'cacheable',
+  list_credentials: 'cacheable',
+  get_data_locations: 'cacheable',
+  explain_concept: 'cacheable',
+  get_release_notes: 'cacheable',
+  get_known_issues: 'cacheable',
 };
 
 const TOOL_CLASSIFICATION = Object.freeze({
@@ -132,6 +168,19 @@ const CACHE_INVALIDATION_TOOLS = new Set([
   'request_approval',
   'execute_approved_action',
   'promote_context',
+  'update_goal_field',
+  'supersede_goal_field',
+  'request_credential_auth',
+  'register_data_source',
+  'bind_workspace_scenario',
+  'create_workspace',
+  'rename_workspace',
+  'delete_workspace',
+  'revoke_credential',
+  'submit_feedback',
+  'escalate_to_human',
+  'navigate_to_workspace',
+  'navigate_to_settings',
 ]);
 
 const governanceContext = {
@@ -196,11 +245,38 @@ function inferToolForApi(method, apiPath, body) {
   if (method === 'PATCH' && cleanPath.startsWith('/skills/')) return 'skill_update';
   if (method === 'POST' && cleanPath === '/actions/request') return 'request_approval';
   if (method === 'POST' && /^\/actions\/[^/]+\/execute$/.test(cleanPath)) return 'execute_approved_action';
+  if (method === 'POST' && cleanPath === '/goal-fields/update') return 'update_goal_field';
+  if (method === 'POST' && cleanPath === '/goal-fields/supersede') return 'supersede_goal_field';
+  if (method === 'POST' && cleanPath === '/credential-auth/request') return 'request_credential_auth';
+  if (method === 'POST' && cleanPath === '/api/data-sources') return 'register_data_source';
   if (method === 'POST' && cleanPath === '/orchestrate/decision') return 'write_governance_decision';
   if (method === 'POST' && cleanPath === '/orchestrate/correction') return 'write_governance_correction';
   if (method === 'GET'  && cleanPath === '/orchestrate/context') return 'get_orchestrate_context';
   if (method === 'POST' && cleanPath === '/orchestrate/complete') return 'complete_orchestrate_trigger';
   if (method === 'POST' && cleanPath === '/context-proposals') return 'promote_context';
+
+  if (method === 'GET' && cleanPath === '/host/scenarios/search') return 'search_scenarios';
+  if (method === 'POST' && cleanPath === '/host/scenarios/recommend') return 'recommend_scenario';
+  if (method === 'GET' && /^\/host\/scenarios\/[^/]+$/.test(cleanPath)) return 'get_scenario';
+  if (method === 'GET' && cleanPath === '/host/scenarios') return 'list_scenarios';
+  if (method === 'POST' && cleanPath === '/host/workspaces/bind-scenario') return 'bind_workspace_scenario';
+  if (method === 'GET' && cleanPath === '/host/workspaces') return 'list_workspaces';
+  if (method === 'POST' && cleanPath === '/host/workspaces') return 'create_workspace';
+  if (method === 'PATCH' && /^\/host\/workspaces\/[^/]+$/.test(cleanPath)) return 'rename_workspace';
+  if (method === 'DELETE' && /^\/host\/workspaces\/[^/]+$/.test(cleanPath)) return 'delete_workspace';
+  if (method === 'GET' && /^\/host\/workspaces\/[^/]+\/summary$/.test(cleanPath)) return 'get_workspace_summary';
+  if (method === 'GET' && cleanPath === '/host/history') return 'query_user_history';
+  if (method === 'GET' && cleanPath === '/host/accounts') return 'list_accounts';
+  if (method === 'GET' && cleanPath === '/host/credentials') return 'list_credentials';
+  if (method === 'POST' && /^\/host\/credentials\/[^/]+\/revoke$/.test(cleanPath)) return 'revoke_credential';
+  if (method === 'GET' && cleanPath === '/host/data-locations') return 'get_data_locations';
+  if (method === 'GET' && cleanPath === '/host/docs/explain') return 'explain_concept';
+  if (method === 'GET' && cleanPath === '/host/docs/release-notes') return 'get_release_notes';
+  if (method === 'GET' && cleanPath === '/host/docs/known-issues') return 'get_known_issues';
+  if (method === 'POST' && cleanPath === '/host/feedback') return 'submit_feedback';
+  if (method === 'POST' && cleanPath === '/host/escalate') return 'escalate_to_human';
+  if (method === 'POST' && cleanPath === '/host/navigation/workspace') return 'navigate_to_workspace';
+  if (method === 'POST' && cleanPath === '/host/navigation/settings') return 'navigate_to_settings';
   return null;
 }
 
@@ -584,6 +660,29 @@ async function api(method, apiPath, body) {
   }
 }
 
+async function resolveHostAgentFlag() {
+  const hinted = parseBooleanFlag(HOST_AGENT_HINT, false);
+  if (!AGENT_ID || !SERVER_URL || !MACHINE_API_KEY) return hinted;
+
+  try {
+    const res = await fetch(`${SERVER_URL}/internal/agent/${AGENT_ID}/profile`, {
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+        'Authorization': `Bearer ${MACHINE_API_KEY}`,
+      },
+    });
+    if (!res.ok) return hinted;
+    const data = await res.json();
+    if (typeof data?.isHostAgent === 'boolean') return data.isHostAgent;
+    return hinted;
+  } catch {
+    return hinted;
+  }
+}
+
+const IS_HOST_AGENT = await resolveHostAgentFlag();
+
 const server = new McpServer({ name: 'chat', version: '0.1.0' });
 
 // ── check_messages ────────────────────────────────────────────────────────────
@@ -921,6 +1020,145 @@ server.tool('upload_image',
   }
 );
 
+// ── update_goal_field ─────────────────────────────────────────────────────────
+server.tool('update_goal_field',
+  'Incrementally update one goal field in workspace context. Use this during IM dialogue to capture user intent continuously, instead of waiting for a full goal form.',
+  {
+    field_path: z.string().describe('Dot path under goal context, e.g. "brand_positioning.voice" or "audience.primary".'),
+    value: z.any().describe('Field value (string/number/object/array).'),
+    confidence: z.number().min(0).max(1).optional().describe('Confidence in [0,1].'),
+    status: z.enum(['candidate', 'user_confirmed']).optional().describe('candidate=tentative, user_confirmed=explicitly confirmed by user.'),
+    source_turn_id: z.string().optional().describe('Optional conversation turn id for traceability.'),
+  },
+  async ({ field_path, value, confidence, status, source_turn_id }) => {
+    if (!currentWorkspaceId) {
+      return { isError: true, content: [{ type: 'text', text: 'No workspace context. Call check_messages first or specify workspace context in the current conversation.' }] };
+    }
+    const data = await api('POST', '/goal-fields/update', {
+      workspace_id: currentWorkspaceId,
+      field_path,
+      value,
+      confidence,
+      status,
+      source_turn_id,
+    });
+    return {
+      content: [{
+        type: 'text',
+        text:
+          `Goal field updated.\n` +
+          `workspace=${data.workspaceId ?? currentWorkspaceId}\n` +
+          `field_path=${data.fieldPath ?? field_path}\n` +
+          `status=${data.status ?? status ?? 'candidate'}\n` +
+          `context_item_id=${data.contextItemId ?? 'unknown'} version=${data.contextItemVersion ?? 'unknown'}`,
+      }],
+    };
+  }
+);
+
+// ── supersede_goal_field ──────────────────────────────────────────────────────
+server.tool('supersede_goal_field',
+  'Mark an existing goal field value as superseded when the user explicitly changes their mind.',
+  {
+    field_path: z.string().describe('Dot path to supersede, e.g. "audience.primary".'),
+    reason: z.string().optional().describe('Why this field is superseded (optional).'),
+    source_turn_id: z.string().optional().describe('Optional conversation turn id for traceability.'),
+  },
+  async ({ field_path, reason, source_turn_id }) => {
+    if (!currentWorkspaceId) {
+      return { isError: true, content: [{ type: 'text', text: 'No workspace context. Call check_messages first or specify workspace context in the current conversation.' }] };
+    }
+    const data = await api('POST', '/goal-fields/supersede', {
+      workspace_id: currentWorkspaceId,
+      field_path,
+      reason,
+      source_turn_id,
+    });
+    return {
+      content: [{
+        type: 'text',
+        text:
+          `Goal field superseded.\n` +
+          `workspace=${data.workspaceId ?? currentWorkspaceId}\n` +
+          `field_path=${data.fieldPath ?? field_path}\n` +
+          `context_item_id=${data.contextItemId ?? 'unknown'} version=${data.contextItemVersion ?? 'unknown'}`,
+      }],
+    };
+  }
+);
+
+// ── request_credential_auth ───────────────────────────────────────────────────
+server.tool('request_credential_auth',
+  'Request just-in-time credential authorization for a platform. Returns a one-time OAuth URL that should be sent to the user as a clickable IM message.',
+  {
+    platform: z.string().describe('Target platform, e.g. "x".'),
+    reason: z.string().describe('Human-readable reason why this credential is needed right now.'),
+    source_turn_id: z.string().optional().describe('Optional conversation turn id for traceability.'),
+  },
+  async ({ platform, reason, source_turn_id }) => {
+    if (!currentWorkspaceId) {
+      return { isError: true, content: [{ type: 'text', text: 'No workspace context. Call check_messages first or specify workspace context in the current conversation.' }] };
+    }
+    const data = await api('POST', '/credential-auth/request', {
+      workspace_id: currentWorkspaceId,
+      platform,
+      reason,
+      source_turn_id,
+    });
+    return {
+      content: [{
+        type: 'text',
+        text:
+          `Credential auth requested.\n` +
+          `platform=${data.platform ?? platform}\n` +
+          `expires_at=${data.expiresAt ?? 'unknown'}\n` +
+          `auth_url=${data.authUrl}\n` +
+          `im_message_id=${data.messageId ?? 'unknown'}\n\n` +
+          `A structured credential auth message has been posted to IM. Ask the user to click the authorization button there.`,
+      }],
+    };
+  }
+);
+
+// ── register_data_source ───────────────────────────────────────────────────────
+server.tool('register_data_source',
+  'Register a workspace data source without binding credential yet. Returns a one-time secure auth URL (10-minute expiry) that should be sent to the user via IM.',
+  {
+    workspace_id: z.string().optional().describe('Target workspace id. Defaults to current workspace context if omitted.'),
+    display_name: z.string().describe('Human-readable data source name.'),
+    source_type: z.string().describe('Data source type, e.g. "mysql", "postgresql", "api", "csv", "rss", "google_sheets".'),
+    schema_hint: z.any().optional().describe('Optional schema hint JSON for downstream query planning.'),
+  },
+  async ({ workspace_id, display_name, source_type, schema_hint }) => {
+    const targetWorkspaceId = (workspace_id ?? currentWorkspaceId ?? WORKSPACE_ID ?? '').trim();
+    if (!targetWorkspaceId) {
+      return { isError: true, content: [{ type: 'text', text: 'workspace_id is required (no current workspace context).' }] };
+    }
+
+    const body = {
+      workspace_id: targetWorkspaceId,
+      display_name,
+      source_type,
+    };
+    if (schema_hint !== undefined) body.schema_hint = schema_hint;
+
+    const data = await api('POST', '/api/data-sources', body);
+    return {
+      content: [{
+        type: 'text',
+        text:
+          `Data source registered.\n` +
+          `workspace_id=${data.workspace_id ?? targetWorkspaceId}\n` +
+          `data_source_id=${data.data_source_id}\n` +
+          `source_type=${data.source_type ?? source_type}\n` +
+          `expires_at=${data.expires_at ?? 'unknown'}\n` +
+          `secure_auth_url=${data.secure_auth_url}\n\n` +
+          `Send secure_auth_url to the user in IM so they can complete credential binding securely.`,
+      }],
+    };
+  }
+);
+
 // ── request_approval ──────────────────────────────────────────────────────────
 server.tool('request_approval',
   'Request human approval before executing a sensitive platform action (posting, sending, publishing). Returns an action_id. After the human approves, call execute_approved_action with that ID.',
@@ -1122,7 +1360,424 @@ server.tool('complete_orchestrate_trigger',
   }
 );
 
+function hostJsonResult(data) {
+  return { content: [{ type: 'text', text: JSON.stringify(data, null, 2) }] };
+}
+
+function hostErrorResult(err) {
+  return { isError: true, content: [{ type: 'text', text: `Error: ${err.message}` }] };
+}
+
+function buildQuery(params = {}) {
+  const query = new URLSearchParams();
+  for (const [key, value] of Object.entries(params)) {
+    if (value == null) continue;
+    if (typeof value === 'string' && !value.trim()) continue;
+    query.set(key, String(value));
+  }
+  const text = query.toString();
+  return text ? `?${text}` : '';
+}
+
+if (IS_HOST_AGENT) {
+  server.tool('search_scenarios',
+    'Search scenario candidates by user intent for host routing decisions.',
+    {
+      intent_text: z.string().describe('User intent text to match against scenario catalog.'),
+      category: z.string().optional().describe('Optional category filter.'),
+      visibility: z.string().optional().describe('Optional visibility filter (public/system/user_private/org_shared).'),
+      status: z.string().optional().describe('Optional status filter (draft/published/active/deprecated/archived).'),
+      limit: z.number().int().min(1).max(20).optional().describe('Maximum number of returned scenarios.'),
+    },
+    async ({ intent_text, category, visibility, status, limit }) => {
+      try {
+        const query = buildQuery({ intent_text, category, visibility, status, limit });
+        const data = await api('GET', `/host/scenarios/search${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('get_scenario',
+    'Get full scenario details (manifest + roles) for host explanation.',
+    {
+      scenario_id: z.string().describe('Scenario ID to inspect.'),
+    },
+    async ({ scenario_id }) => {
+      try {
+        const data = await api('GET', `/host/scenarios/${encodeURIComponent(scenario_id)}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('list_scenarios',
+    'List scenarios visible to host agent (public/system + owner-accessible).',
+    {
+      visibility: z.string().optional().describe('Optional visibility filter.'),
+      category: z.string().optional().describe('Optional category filter.'),
+      status: z.string().optional().describe('Optional status filter.'),
+      include_archived: z.boolean().optional().describe('Include archived scenarios when true.'),
+      limit: z.number().int().min(1).max(200).optional().describe('Maximum rows to return.'),
+    },
+    async ({ visibility, category, status, include_archived, limit }) => {
+      try {
+        const query = buildQuery({
+          visibility,
+          category,
+          status,
+          includeArchived: include_archived,
+          limit,
+        });
+        const data = await api('GET', `/host/scenarios${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('bind_workspace_scenario',
+    'Bind a scenario to an existing workspace and ensure a primary agent.',
+    {
+      workspace_id: z.string().describe('Workspace ID to bind.'),
+      scenario_id: z.string().describe('Scenario ID to bind.'),
+      role_id: z.string().optional().describe('Optional preferred role id/name for primary agent binding.'),
+      repair_role_binding: z.boolean().optional().describe('When true, ignore existing workspace role binding once and re-resolve primary agent for cleanup.'),
+    },
+    async ({ workspace_id, scenario_id, role_id, repair_role_binding }) => {
+      try {
+        const data = await api('POST', '/host/workspaces/bind-scenario', {
+          workspace_id,
+          scenario_id,
+          role_id,
+          repair_role_binding,
+        });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('recommend_scenario',
+    'Recommend best-fit scenarios for a given user intent.',
+    {
+      user_intent: z.string().describe('Natural-language user intent.'),
+    },
+    async ({ user_intent }) => {
+      try {
+        const data = await api('POST', '/host/scenarios/recommend', { user_intent });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('list_workspaces',
+    'List all owner workspaces with scenario/mode/last activity for host overview.',
+    {
+      owner_id: z.string().optional().describe('Optional owner id (must match current host owner).'),
+      limit: z.number().int().min(1).max(300).optional().describe('Maximum rows to return.'),
+    },
+    async ({ owner_id, limit }) => {
+      try {
+        const query = buildQuery({ owner_id, limit });
+        const data = await api('GET', `/host/workspaces${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('create_workspace',
+    'Create a workspace and optionally bind scenario + primary role.',
+    {
+      name: z.string().optional().describe('Optional workspace name.'),
+      description: z.string().optional().describe('Optional workspace description.'),
+      scenario_id: z.string().optional().describe('Optional scenario id to bind immediately.'),
+      role_id: z.string().optional().describe('Optional preferred role id/name when scenario is bound.'),
+    },
+    async ({ name, description, scenario_id, role_id }) => {
+      try {
+        const data = await api('POST', '/host/workspaces', {
+          name,
+          description,
+          scenario_id,
+          role_id,
+        });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('rename_workspace',
+    'Rename an existing workspace.',
+    {
+      workspace_id: z.string().describe('Workspace ID to rename.'),
+      new_name: z.string().describe('New workspace name.'),
+    },
+    async ({ workspace_id, new_name }) => {
+      try {
+        const data = await api('PATCH', `/host/workspaces/${encodeURIComponent(workspace_id)}`, {
+          new_name,
+        });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('delete_workspace',
+    'Delete (soft-delete) a workspace owned by the current user.',
+    {
+      workspace_id: z.string().describe('Workspace ID to delete.'),
+      confirm: z.boolean().describe('Must be true to confirm deletion.'),
+    },
+    async ({ workspace_id, confirm }) => {
+      try {
+        const query = buildQuery({ confirm });
+        const data = await api('DELETE', `/host/workspaces/${encodeURIComponent(workspace_id)}${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('get_workspace_summary',
+    'Get summary of workspace scenario, active agents, recent messages and publish stats.',
+    {
+      workspace_id: z.string().describe('Workspace ID to summarize.'),
+    },
+    async ({ workspace_id }) => {
+      try {
+        const data = await api('GET', `/host/workspaces/${encodeURIComponent(workspace_id)}/summary`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('query_user_history',
+    'Search user history across owner workspaces for prior activities/messages.',
+    {
+      topic: z.string().describe('Topic keyword to search across workspaces.'),
+      limit: z.number().int().min(1).max(50).optional().describe('Maximum number of results.'),
+    },
+    async ({ topic, limit }) => {
+      try {
+        const query = buildQuery({ topic, limit });
+        const data = await api('GET', `/host/history${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('list_accounts',
+    'List platform accounts owned by the current user.',
+    {
+      owner_id: z.string().optional().describe('Optional owner id (must match current owner).'),
+      workspace_id: z.string().optional().describe('Optional workspace filter; pass "null" for unbound accounts.'),
+      platform: z.string().optional().describe('Optional platform filter.'),
+      status: z.string().optional().describe('Optional status filter.'),
+      include_archived: z.boolean().optional().describe('Include archived accounts.'),
+    },
+    async ({ owner_id, workspace_id, platform, status, include_archived }) => {
+      try {
+        const query = buildQuery({
+          owner_id,
+          workspace_id,
+          platform,
+          status,
+          include_archived,
+        });
+        const data = await api('GET', `/host/accounts${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('list_credentials',
+    'List credentials as masked metadata (no plaintext).',
+    {
+      owner_id: z.string().optional().describe('Optional owner id (must match current owner).'),
+    },
+    async ({ owner_id }) => {
+      try {
+        const query = buildQuery({ owner_id });
+        const data = await api('GET', `/host/credentials${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('revoke_credential',
+    'Revoke a credential with explicit confirmation.',
+    {
+      credential_id: z.string().describe('Credential ID to revoke.'),
+      confirm: z.boolean().describe('Must be true to confirm revocation.'),
+    },
+    async ({ credential_id, confirm }) => {
+      try {
+        const data = await api('POST', `/host/credentials/${encodeURIComponent(credential_id)}/revoke`, {
+          confirm,
+        });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('get_data_locations',
+    'Describe where user/platform data is stored.',
+    {},
+    async () => {
+      try {
+        const data = await api('GET', '/host/data-locations');
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('explain_concept',
+    'Explain a product concept from docs corpus.',
+    {
+      topic: z.string().describe('Concept/topic text to explain.'),
+    },
+    async ({ topic }) => {
+      try {
+        const query = buildQuery({ topic });
+        const data = await api('GET', `/host/docs/explain${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('get_release_notes',
+    'Get release notes/events since a specified timestamp.',
+    {
+      since: z.string().optional().describe('Optional ISO timestamp (default: last 30 days).'),
+    },
+    async ({ since }) => {
+      try {
+        const query = buildQuery({ since });
+        const data = await api('GET', `/host/docs/release-notes${query}`);
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('get_known_issues',
+    'Get current known issues and limitations.',
+    {},
+    async () => {
+      try {
+        const data = await api('GET', '/host/docs/known-issues');
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('submit_feedback',
+    'Submit user feedback into internal backlog workflow.',
+    {
+      category: z.enum(['bug', 'feature', 'ux', 'performance', 'security', 'other']).describe('Feedback category.'),
+      content: z.string().describe('Feedback content.'),
+      workspace_id: z.string().optional().describe('Optional workspace context for this feedback.'),
+    },
+    async ({ category, content, workspace_id }) => {
+      try {
+        const data = await api('POST', '/host/feedback', {
+          category,
+          content,
+          workspace_id,
+        });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('escalate_to_human',
+    'Escalate severe issue to human operators.',
+    {
+      issue: z.string().describe('Issue details to escalate.'),
+      priority: z.enum(['low', 'medium', 'high', 'critical']).optional().describe('Escalation priority.'),
+      workspace_id: z.string().optional().describe('Optional workspace context for escalation.'),
+    },
+    async ({ issue, priority, workspace_id }) => {
+      try {
+        const data = await api('POST', '/host/escalate', {
+          issue,
+          priority,
+          workspace_id,
+        });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('navigate_to_workspace',
+    'Emit navigation intent for UI to open a target workspace.',
+    {
+      workspace_id: z.string().describe('Target workspace ID.'),
+    },
+    async ({ workspace_id }) => {
+      try {
+        const data = await api('POST', '/host/navigation/workspace', { workspace_id });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+
+  server.tool('navigate_to_settings',
+    'Emit navigation intent for UI to open a settings section.',
+    {
+      section: z.string().describe('Settings section key, e.g. "credentials", "profile", "workspace".'),
+    },
+    async ({ section }) => {
+      try {
+        const data = await api('POST', '/host/navigation/settings', { section });
+        return hostJsonResult(data);
+      } catch (err) {
+        return hostErrorResult(err);
+      }
+    }
+  );
+}
+
 // ── start ─────────────────────────────────────────────────────────────────────
 const transport = new StdioServerTransport();
 await server.connect(transport);
-console.error(`[chat-bridge] MCP Server started (agentId=${AGENT_ID})`);
+console.error(`[chat-bridge] MCP Server started (agentId=${AGENT_ID}, host=${IS_HOST_AGENT ? 'true' : 'false'})`);

package/src/mcp-config.js

@@ -58,7 +58,8 @@ function baseEnvForServer(serverKey, { serverUrl, authToken, agentId, workspaceI
     return { SERVER_URL: serverUrl, MACHINE_API_KEY: authToken, AGENT_ID: agentId };
   }
   if (
-    serverKey === 'publisher'
+    serverKey === 'mysql'
+    || serverKey === 'publisher'
     || serverKey === 'platform'
     || serverKey === 'research-fetch'
     || serverKey === 'market-data-query'