npm - @mgsoftwarebv/mcp-server-bridge - Versions diffs - 3.3.0 → 3.3.2 - Mend

@mgsoftwarebv/mcp-server-bridge 3.3.0 → 3.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -6,7 +6,7 @@ import Stream, { Readable, Writable, Duplex } from 'stream';
 import { performance } from 'perf_hooks';
 import os, { platform, release, homedir } from 'os';
 import fs, { ReadStream, lstatSync, fstatSync, readFileSync, promises } from 'fs';
-import { join, dirname, sep as sep$1, normalize } from 'path';
+import { basename, join, dirname, sep as sep$1, normalize } from 'path';
 import fs2, { readFile } from 'fs/promises';
 import { Buffer as Buffer$1 } from 'buffer';
 import { request as request$2 } from 'http';
@@ -23574,7 +23574,14 @@ var init_quotations = __esm({
           withTimezone: true,
           mode: "string"
         }),
-        compiledHash: text("compiled_hash")
+        compiledHash: text("compiled_hash"),
+        // Manual, terminal lock: once set, signatures can no longer be cleared,
+        // edited, or added. Set when the provider clicks "Definitief maken".
+        finalizedAt: timestamp("finalized_at", {
+          withTimezone: true,
+          mode: "string"
+        }),
+        finalizedBy: uuid3("finalized_by")
       },
       (table) => [
         index("idx_documents_team_id").on(table.teamId),
@@ -23595,6 +23602,11 @@ var init_quotations = __esm({
           foreignColumns: [users.id],
           name: "documents_user_id_fkey"
         }).onDelete("set null"),
+        foreignKey({
+          columns: [table.finalizedBy],
+          foreignColumns: [users.id],
+          name: "documents_finalized_by_fkey"
+        }).onDelete("set null"),
         foreignKey({
           columns: [table.templateId],
           foreignColumns: [documentTemplates.id],
@@ -23707,7 +23719,15 @@ var init_quotations = __esm({
         recipientEmail: text("recipient_email"),
         message: text(),
         expiresAt: timestamp("expires_at", { withTimezone: true, mode: "string" }),
-        signedAt: timestamp("signed_at", { withTimezone: true, mode: "string" })
+        signedAt: timestamp("signed_at", { withTimezone: true, mode: "string" }),
+        // Which signer slot this signature belongs to (mirrors
+        // document_signatures.signature_data.signerId for direct querying).
+        signerSlotId: text("signer_slot_id"),
+        // Hash of the private edit token returned to the signer's browser so an
+        // anonymous signer can later replace their own signature.
+        editTokenHash: text("edit_token_hash"),
+        // Set when a logged-in (portal) user signs, enabling identity-based edits.
+        signerUserId: uuid3("signer_user_id")
       },
       (table) => [
         index("idx_document_signing_requests_document_id").on(table.documentId),
@@ -23732,6 +23752,11 @@ var init_quotations = __esm({
           columns: [table.createdBy],
           foreignColumns: [users.id],
           name: "document_signing_requests_created_by_fkey"
+        }).onDelete("set null"),
+        foreignKey({
+          columns: [table.signerUserId],
+          foreignColumns: [users.id],
+          name: "document_signing_requests_signer_user_id_fkey"
         }).onDelete("set null")
       ]
     );
@@ -106926,6 +106951,41 @@ var TOOLS = [
       required: ["attachmentId"]
     }
   },
+  {
+    name: "upload-ticket-attachment",
+    description: "Attach a file (image or document) to a ticket. Provide exactly ONE source: `filePath` (absolute local path), `imageUrl` (public URL to download), or `base64Data` (raw or data: URI). To push an image the user pasted into Cursor chat onto the ticket: when the message is sent, Cursor writes the pasted image into the workspace `assets/` folder as `image-<uuid>.png` \u2014 locate the newest `assets/image-*.png` and pass its absolute path as `filePath`. Allowed types: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV. Max 25 MB. Returns the attachment id and a 1-hour download URL.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        ticketId: {
+          type: "string",
+          description: "Ticket ID (UUID) to attach the file to."
+        },
+        filePath: {
+          type: "string",
+          description: "Absolute local path to the file. For a pasted image, use the newest workspace assets/image-*.png."
+        },
+        imageUrl: {
+          type: "string",
+          description: "Public URL to download and attach."
+        },
+        base64Data: {
+          type: "string",
+          description: "Base64 file contents (raw or a data: URI)."
+        },
+        fileName: {
+          type: "string",
+          description: "Optional file name override (defaults to the source's basename)."
+        },
+        mimeType: {
+          type: "string",
+          description: "Optional MIME override; needed for base64Data without a data: prefix."
+        }
+      },
+      required: ["ticketId"]
+    }
+  },
   {
     name: "get-customers",
     description: "Get customers with optional search",
@@ -106989,6 +107049,109 @@ var TOOLS = [
       required: ["name"]
     }
   },
+  {
+    name: "update-project",
+    description: "Update an existing project's fields (name, description, customer, rate, currency, billable, estimate, internal). Only provided fields change. Renaming a project renumbers its tickets. There is no project 'status' field. Find the project id via get-projects.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        id: { type: "string", description: "Project ID" },
+        name: { type: "string" },
+        description: { type: ["string", "null"] },
+        customerId: {
+          type: ["string", "null"],
+          description: "Customer ID to link, or null to unlink."
+        },
+        rate: { type: ["number", "null"], description: "Hourly rate" },
+        currency: { type: ["string", "null"] },
+        billable: { type: "boolean" },
+        estimate: {
+          type: ["number", "null"],
+          description: "Estimated hours/units"
+        },
+        internal: {
+          type: "boolean",
+          description: "Whether this is an internal (no-customer) project"
+        }
+      },
+      required: ["id"]
+    }
+  },
+  {
+    name: "get-project-members",
+    description: "List the members explicitly assigned to a project (member_project_access) plus the full team roster with each member's effective access. Use the returned userIds with set/add/remove-project-member. Access model: owners and members with no restrictions see ALL projects; once a member is explicitly assigned to ANY project they can ONLY see their explicitly-assigned projects.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        projectId: { type: "string", description: "Project ID" }
+      },
+      required: ["projectId"]
+    }
+  },
+  {
+    name: "set-project-members",
+    description: "Replace the COMPLETE set of members explicitly assigned to a project. Members not listed lose their explicit assignment; pass an empty list to clear all assignments (the project then reverts to being visible to every owner and unrestricted member). Identify members by userIds and/or emails (each must be a member of the team). Requires team OWNER privileges. Warning: assigning a member who previously had no restrictions limits them to ONLY their explicitly-assigned projects.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        projectId: { type: "string", description: "Project ID" },
+        userIds: {
+          type: "array",
+          items: { type: "string" },
+          description: "User IDs to assign to the project"
+        },
+        emails: {
+          type: "array",
+          items: { type: "string" },
+          description: "Member emails to assign (resolved to user IDs)"
+        }
+      },
+      required: ["projectId"]
+    }
+  },
+  {
+    name: "add-project-member",
+    description: "Grant a single member explicit access to a project, preserving existing assignments. Identify the member by userId or email. Requires team OWNER privileges. Warning: if the member previously had no restrictions (saw all projects), granting this first assignment restricts them to ONLY their explicitly-assigned projects.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        projectId: { type: "string", description: "Project ID" },
+        userId: {
+          type: "string",
+          description: "User ID of the member to add"
+        },
+        email: {
+          type: "string",
+          description: "Email of the member to add (alternative to userId)"
+        }
+      },
+      required: ["projectId"]
+    }
+  },
+  {
+    name: "remove-project-member",
+    description: "Remove a single member's explicit access to a project, preserving their other assignments. Identify the member by userId or email. Requires team OWNER privileges. If this was the member's only assignment, their restrictions are cleared and they can see all projects again.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        teamId: teamIdProp,
+        projectId: { type: "string", description: "Project ID" },
+        userId: {
+          type: "string",
+          description: "User ID of the member to remove"
+        },
+        email: {
+          type: "string",
+          description: "Email of the member to remove (alternative to userId)"
+        }
+      },
+      required: ["projectId"]
+    }
+  },
   {
     name: "list-documents",
     description: "List quote/proposal/deliverables documents with optional filtering by type, status, customer, linked invoice, or a title search. Returns document ids for use with get-document / update-document.",
@@ -108262,6 +108425,7 @@ var signatureBlockSchema = external_exports5.object({
         name: external_exports5.string().optional(),
         company: external_exports5.string().optional(),
         role: external_exports5.string().optional(),
+        optional: external_exports5.boolean().optional(),
         signedBy: external_exports5.string().optional(),
         signedAt: external_exports5.string().optional(),
         signatureType: external_exports5.enum(["drawn", "typed"]).optional(),
@@ -113123,6 +113287,479 @@ ${description ? `Description: ${description}
     ]
   };
 }
+function textResponse(text3) {
+  return { content: [{ type: "text", text: text3 }] };
+}
+function memberLabel(m4) {
+  return m4.fullName || m4.email || m4.userId;
+}
+var OWNER_REQUIRED = "Only team owners can manage project members. Ask a team owner to run this action (or use an owner's API key).";
+async function requireTeamOwner(teamId, userId) {
+  const [membership] = await db.select({ role: schema_exports.usersOnTeam.role }).from(schema_exports.usersOnTeam).where(
+    and(
+      eq(schema_exports.usersOnTeam.userId, userId),
+      eq(schema_exports.usersOnTeam.teamId, teamId)
+    )
+  ).limit(1);
+  return membership?.role === "owner" ? null : textResponse(OWNER_REQUIRED);
+}
+async function setProjectMemberAccess(params) {
+  const { projectId, teamId, memberIds, createdBy } = params;
+  const baseFilter = and(
+    eq(schema_exports.memberProjectAccess.projectId, projectId),
+    eq(schema_exports.memberProjectAccess.teamId, teamId)
+  );
+  if (memberIds.length > 0) {
+    await db.delete(schema_exports.memberProjectAccess).where(
+      and(baseFilter, notInArray(schema_exports.memberProjectAccess.userId, memberIds))
+    );
+    await db.insert(schema_exports.memberProjectAccess).values(
+      memberIds.map((userId) => ({
+        userId,
+        teamId,
+        projectId,
+        hasAccess: true,
+        createdBy,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }))
+    ).onConflictDoUpdate({
+      target: [
+        schema_exports.memberProjectAccess.userId,
+        schema_exports.memberProjectAccess.teamId,
+        schema_exports.memberProjectAccess.projectId
+      ],
+      set: {
+        hasAccess: true,
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+        createdBy
+      }
+    });
+  } else {
+    await db.delete(schema_exports.memberProjectAccess).where(baseFilter);
+  }
+}
+function generateProjectAbbreviation(projectName) {
+  if (!projectName || projectName.trim() === "") {
+    return "PROJ";
+  }
+  const cleanName = projectName.toUpperCase().replace(/[^A-Z0-9\s]/g, "");
+  const words = cleanName.split(" ").filter((word) => word.length > 0);
+  if (words.length === 0) {
+    const cleaned = projectName.toUpperCase().replace(/[^A-Z0-9]/g, "");
+    const abbr = cleaned.substring(0, 5);
+    return abbr.length < 2 ? "PROJ" : abbr;
+  }
+  let abbreviation = "";
+  if (words.length === 1) {
+    const word = words[0];
+    if (word && word.length <= 5) {
+      abbreviation = word;
+    } else if (word) {
+      abbreviation = word.substring(
+        0,
+        word.substring(3, 4).match(/[AEIOU]/) ? 3 : 5
+      );
+    }
+  } else if (words.length === 2) {
+    const firstWord = words[0];
+    const secondWord = words[1];
+    if (firstWord && secondWord) {
+      abbreviation = firstWord.substring(0, 3) + secondWord.substring(0, 2);
+    }
+  } else {
+    for (let i6 = 0; i6 < Math.min(words.length, 6); i6++) {
+      const word = words[i6];
+      if (word && (word.length > 2 || i6 === 0)) {
+        abbreviation += word.charAt(0);
+      }
+    }
+    if (abbreviation.length < 3 && words.length > 0) {
+      const firstWord = words[0];
+      if (firstWord) {
+        abbreviation = firstWord.substring(0, 3) + abbreviation.substring(1);
+      }
+    }
+  }
+  if (abbreviation.length === 0) {
+    abbreviation = "PROJ";
+  } else if (abbreviation.length > 8) {
+    abbreviation = abbreviation.substring(0, 8);
+  }
+  if (abbreviation.length < 2) {
+    abbreviation += "X";
+  }
+  return abbreviation;
+}
+async function getTeamRoster(teamId) {
+  return db.select({
+    userId: schema_exports.usersOnTeam.userId,
+    role: schema_exports.usersOnTeam.role,
+    fullName: schema_exports.users.fullName,
+    email: schema_exports.users.email
+  }).from(schema_exports.usersOnTeam).innerJoin(schema_exports.users, eq(schema_exports.usersOnTeam.userId, schema_exports.users.id)).where(eq(schema_exports.usersOnTeam.teamId, teamId));
+}
+async function resolveTeamMember(teamId, opts) {
+  const roster = await getTeamRoster(teamId);
+  if (opts.userId) {
+    const match = roster.find((m4) => m4.userId === opts.userId);
+    if (!match) {
+      return {
+        ok: false,
+        response: textResponse(
+          `User ${opts.userId} is not a member of this team. Call get-project-members to see the team roster.`
+        )
+      };
+    }
+    return { ok: true, member: match };
+  }
+  if (opts.email) {
+    const needle = opts.email.trim().toLowerCase();
+    const matches = roster.filter((m4) => (m4.email ?? "").toLowerCase() === needle);
+    if (matches.length === 0) {
+      return {
+        ok: false,
+        response: textResponse(
+          `No team member found with email "${opts.email}". Call get-project-members to see the team roster.`
+        )
+      };
+    }
+    if (matches.length > 1) {
+      return {
+        ok: false,
+        response: textResponse(
+          `Multiple team members match email "${opts.email}". Pass an explicit userId instead.`
+        )
+      };
+    }
+    return { ok: true, member: matches[0] };
+  }
+  return {
+    ok: false,
+    response: textResponse(
+      "Provide either a userId or an email to identify the member."
+    )
+  };
+}
+async function loadProjectInTeam(projectId, teamId) {
+  const accessibleTeamIds = await getAccessibleTeamIds(teamId);
+  const [row] = await db.select({
+    id: schema_exports.projects.id,
+    name: schema_exports.projects.name,
+    description: schema_exports.projects.description,
+    customerId: schema_exports.projects.customerId,
+    rate: schema_exports.projects.rate,
+    currency: schema_exports.projects.currency,
+    billable: schema_exports.projects.billable,
+    estimate: schema_exports.projects.estimate,
+    internal: schema_exports.projects.internal,
+    ownedByCustomer: schema_exports.projects.ownedByCustomer,
+    teamId: schema_exports.projects.teamId
+  }).from(schema_exports.projects).where(eq(schema_exports.projects.id, projectId)).limit(1);
+  if (!row || !row.teamId || !accessibleTeamIds.includes(row.teamId)) {
+    return null;
+  }
+  return row;
+}
+async function getProjectAccessState(teamId, projectId) {
+  const rows = await db.select({
+    userId: schema_exports.memberProjectAccess.userId,
+    projectId: schema_exports.memberProjectAccess.projectId,
+    hasAccess: schema_exports.memberProjectAccess.hasAccess
+  }).from(schema_exports.memberProjectAccess).where(eq(schema_exports.memberProjectAccess.teamId, teamId));
+  const restrictedUserIds = /* @__PURE__ */ new Set();
+  const projectMemberIds = /* @__PURE__ */ new Set();
+  const rowCountByUser = /* @__PURE__ */ new Map();
+  for (const r6 of rows) {
+    restrictedUserIds.add(r6.userId);
+    rowCountByUser.set(r6.userId, (rowCountByUser.get(r6.userId) ?? 0) + 1);
+    if (r6.projectId === projectId && r6.hasAccess) {
+      projectMemberIds.add(r6.userId);
+    }
+  }
+  return { restrictedUserIds, projectMemberIds, rowCountByUser };
+}
+async function handleUpdateProject(input) {
+  const { id } = input;
+  const resolved = await resolveTeamId(input.teamId);
+  if (!resolved.ok) return resolved.response;
+  const existing = await loadProjectInTeam(id, resolved.teamId);
+  if (!existing) {
+    return textResponse(
+      `Project ${id} not found, or it is not owned by this team.`
+    );
+  }
+  const owningTeamId = existing.teamId;
+  const willRename = input.name !== void 0 && input.name !== existing.name;
+  if (willRename) {
+    const [dupe] = await db.select({ id: schema_exports.projects.id }).from(schema_exports.projects).where(
+      and(
+        eq(schema_exports.projects.teamId, owningTeamId),
+        eq(schema_exports.projects.name, input.name),
+        sql`${schema_exports.projects.id} != ${id}`
+      )
+    ).limit(1);
+    if (dupe) {
+      return textResponse(
+        `A project named "${input.name}" already exists in this team. Choose a different name.`
+      );
+    }
+  }
+  const oldRate = existing.rate;
+  const oldInternal = existing.internal;
+  const newRate = input.rate !== void 0 ? input.rate : existing.rate;
+  const newInternal = input.internal !== void 0 ? input.internal : existing.internal;
+  await db.update(schema_exports.projects).set({
+    ...input.name !== void 0 ? { name: input.name } : {},
+    ...input.description !== void 0 ? { description: input.description } : {},
+    ...input.customerId !== void 0 ? { customerId: input.customerId } : {},
+    ...input.rate !== void 0 ? { rate: input.rate } : {},
+    ...input.currency !== void 0 ? { currency: input.currency } : {},
+    ...input.billable !== void 0 ? { billable: input.billable } : {},
+    ...input.estimate !== void 0 ? { estimate: input.estimate } : {},
+    ...input.internal !== void 0 ? { internal: input.internal } : {},
+    updatedAt: sql`now()`
+  }).where(eq(schema_exports.projects.id, id));
+  if (willRename) {
+    const abbreviation = generateProjectAbbreviation(input.name);
+    const currentYear = (/* @__PURE__ */ new Date()).getFullYear();
+    await db.execute(sql`
+      UPDATE tickets
+      SET
+        ticket_number = ${currentYear} || '-' || ${abbreviation} || '-' || LPAD(numbered.rn::text, 3, '0'),
+        updated_at = NOW()
+      FROM (
+        SELECT id, ROW_NUMBER() OVER (ORDER BY created_at ASC) AS rn
+        FROM tickets
+        WHERE project_id = ${id}
+      ) AS numbered
+      WHERE tickets.id = numbered.id
+    `);
+  }
+  const wasBillable = (oldRate ?? 0) > 0 && !(oldInternal ?? false);
+  const isBillable = (newRate ?? 0) > 0 && !(newInternal ?? false);
+  if (!wasBillable && isBillable) {
+    await db.update(schema_exports.timesheetEvents).set({ billingStatus: "to_bill", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(
+      and(
+        eq(schema_exports.timesheetEvents.projectId, id),
+        eq(schema_exports.timesheetEvents.billingStatus, "unbillable"),
+        eq(schema_exports.timesheetEvents.isDeleted, false)
+      )
+    );
+  } else if (wasBillable && !isBillable) {
+    await db.update(schema_exports.timesheetEvents).set({ billingStatus: "unbillable", updatedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(
+      and(
+        eq(schema_exports.timesheetEvents.projectId, id),
+        eq(schema_exports.timesheetEvents.billingStatus, "to_bill"),
+        eq(schema_exports.timesheetEvents.isDeleted, false)
+      )
+    );
+  }
+  const [updated] = await db.select({
+    id: schema_exports.projects.id,
+    name: schema_exports.projects.name,
+    description: schema_exports.projects.description,
+    rate: schema_exports.projects.rate,
+    currency: schema_exports.projects.currency,
+    internal: schema_exports.projects.internal,
+    customerName: schema_exports.customers.name
+  }).from(schema_exports.projects).leftJoin(schema_exports.customers, eq(schema_exports.projects.customerId, schema_exports.customers.id)).where(eq(schema_exports.projects.id, id)).limit(1);
+  if (!updated) {
+    return textResponse(`Failed to update project ${id}.`);
+  }
+  const lines = [
+    "\u2705 **Project Updated**",
+    "",
+    `Name: ${updated.name} (ID: ${updated.id})`
+  ];
+  if (updated.description) lines.push(`Description: ${updated.description}`);
+  if (updated.customerName) lines.push(`Customer: ${updated.customerName}`);
+  if (updated.rate != null) {
+    lines.push(
+      `Rate: ${updated.rate}${updated.currency ? ` ${updated.currency}` : ""}`
+    );
+  }
+  lines.push(`Internal: ${updated.internal ? "yes" : "no"}`);
+  if (willRename) {
+    lines.push("", "Note: tickets for this project were renumbered.");
+  }
+  return textResponse(lines.join("\n"));
+}
+async function handleGetProjectMembers(input) {
+  const { projectId } = input;
+  const resolved = await resolveTeamId(input.teamId);
+  if (!resolved.ok) return resolved.response;
+  const project = await loadProjectInTeam(projectId, resolved.teamId);
+  if (!project) {
+    return textResponse(
+      `Project ${projectId} not found, or it is not owned by this team.`
+    );
+  }
+  const [roster, state2] = await Promise.all([
+    getTeamRoster(resolved.teamId),
+    getProjectAccessState(resolved.teamId, projectId)
+  ]);
+  const rosterById = new Map(roster.map((m4) => [m4.userId, m4]));
+  const explicitList = [...state2.projectMemberIds].map((uid2) => {
+    const m4 = rosterById.get(uid2);
+    return `- ${m4 ? memberLabel(m4) : uid2} (userId: ${uid2})`;
+  }).join("\n") || "  (none)";
+  const rosterList = roster.map((m4) => {
+    const isOwner = m4.role === "owner";
+    const restricted = state2.restrictedUserIds.has(m4.userId);
+    let access;
+    if (isOwner) {
+      access = "all projects (owner)";
+    } else if (!restricted) {
+      access = "all projects (no restrictions)";
+    } else if (state2.projectMemberIds.has(m4.userId)) {
+      access = "HAS access to this project";
+    } else {
+      access = "NO access to this project";
+    }
+    return `- ${memberLabel(m4)} (userId: ${m4.userId}, role: ${m4.role ?? "member"}) \u2014 ${access}`;
+  }).join("\n");
+  const note = state2.projectMemberIds.size === 0 ? "No members are explicitly assigned to this project, so every owner and every unrestricted member can see it." : `${state2.projectMemberIds.size} member(s) are explicitly assigned to this project.`;
+  return textResponse(
+    `**Project members for "${project.name}"** (ID: ${project.id})
+${note}
+Explicitly assigned members:
+${explicitList}
+Team roster (use these userIds with set/add/remove-project-member):
+${rosterList}`
+  );
+}
+async function handleSetProjectMembers(input) {
+  const ctx = authContext;
+  const { projectId } = input;
+  const resolved = await resolveTeamId(input.teamId);
+  if (!resolved.ok) return resolved.response;
+  const ownerError = await requireTeamOwner(resolved.teamId, ctx.userId);
+  if (ownerError) return ownerError;
+  const project = await loadProjectInTeam(projectId, resolved.teamId);
+  if (!project) {
+    return textResponse(
+      `Project ${projectId} not found, or it is not owned by this team.`
+    );
+  }
+  const before = await getProjectAccessState(resolved.teamId, projectId);
+  const memberIds = /* @__PURE__ */ new Set();
+  for (const userId of input.userIds ?? []) {
+    const r6 = await resolveTeamMember(resolved.teamId, { userId });
+    if (!r6.ok) return r6.response;
+    memberIds.add(r6.member.userId);
+  }
+  for (const email5 of input.emails ?? []) {
+    const r6 = await resolveTeamMember(resolved.teamId, { email: email5 });
+    if (!r6.ok) return r6.response;
+    memberIds.add(r6.member.userId);
+  }
+  await setProjectMemberAccess({
+    projectId,
+    teamId: resolved.teamId,
+    memberIds: [...memberIds],
+    createdBy: ctx.userId
+  });
+  const roster = await getTeamRoster(resolved.teamId);
+  const rosterById = new Map(roster.map((m4) => [m4.userId, m4]));
+  const list = [...memberIds].map((uid2) => {
+    const m4 = rosterById.get(uid2);
+    return `- ${m4 ? memberLabel(m4) : uid2} (userId: ${uid2})`;
+  }).join("\n") || "  (none \u2014 all explicit assignments cleared; the project is visible to every owner and unrestricted member)";
+  const newlyRestricted = [...memberIds].filter(
+    (uid2) => !before.restrictedUserIds.has(uid2)
+  );
+  let warning2 = "";
+  if (newlyRestricted.length > 0) {
+    const names = newlyRestricted.map((uid2) => memberLabel(rosterById.get(uid2) ?? { fullName: null, email: null, userId: uid2 })).join(", ");
+    warning2 = `
+\u26A0\uFE0F ${names} previously had no restrictions (could see all projects). They are now restricted to only the projects explicitly assigned to them.`;
+  }
+  return textResponse(
+    `\u2705 **Project members updated**
+Members with explicit access to this project:
+${list}${warning2}`
+  );
+}
+async function handleAddProjectMember(input) {
+  const ctx = authContext;
+  const { projectId } = input;
+  const resolved = await resolveTeamId(input.teamId);
+  if (!resolved.ok) return resolved.response;
+  const ownerError = await requireTeamOwner(resolved.teamId, ctx.userId);
+  if (ownerError) return ownerError;
+  const project = await loadProjectInTeam(projectId, resolved.teamId);
+  if (!project) {
+    return textResponse(
+      `Project ${projectId} not found, or it is not owned by this team.`
+    );
+  }
+  const member2 = await resolveTeamMember(resolved.teamId, {
+    userId: input.userId,
+    email: input.email
+  });
+  if (!member2.ok) return member2.response;
+  const state2 = await getProjectAccessState(resolved.teamId, projectId);
+  if (state2.projectMemberIds.has(member2.member.userId)) {
+    return textResponse(
+      `${memberLabel(member2.member)} already has explicit access to this project.`
+    );
+  }
+  const wasUnrestricted = !state2.restrictedUserIds.has(member2.member.userId);
+  await setProjectMemberAccess({
+    projectId,
+    teamId: resolved.teamId,
+    memberIds: [...state2.projectMemberIds, member2.member.userId],
+    createdBy: ctx.userId
+  });
+  let text3 = `\u2705 Added ${memberLabel(member2.member)} (userId: ${member2.member.userId}) to the project.`;
+  if (wasUnrestricted) {
+    text3 += "\n\n\u26A0\uFE0F This member previously had no access restrictions (they could see all projects). They are now restricted to ONLY the projects explicitly assigned to them. Grant any other projects they still need with add-project-member, or remove all their assignments to restore full visibility.";
+  }
+  return textResponse(text3);
+}
+async function handleRemoveProjectMember(input) {
+  const ctx = authContext;
+  const { projectId } = input;
+  const resolved = await resolveTeamId(input.teamId);
+  if (!resolved.ok) return resolved.response;
+  const ownerError = await requireTeamOwner(resolved.teamId, ctx.userId);
+  if (ownerError) return ownerError;
+  const project = await loadProjectInTeam(projectId, resolved.teamId);
+  if (!project) {
+    return textResponse(
+      `Project ${projectId} not found, or it is not owned by this team.`
+    );
+  }
+  const member2 = await resolveTeamMember(resolved.teamId, {
+    userId: input.userId,
+    email: input.email
+  });
+  if (!member2.ok) return member2.response;
+  const state2 = await getProjectAccessState(resolved.teamId, projectId);
+  if (!state2.projectMemberIds.has(member2.member.userId)) {
+    return textResponse(
+      `${memberLabel(member2.member)} has no explicit assignment to this project; nothing to remove.`
+    );
+  }
+  await setProjectMemberAccess({
+    projectId,
+    teamId: resolved.teamId,
+    memberIds: [...state2.projectMemberIds].filter(
+      (uid2) => uid2 !== member2.member.userId
+    ),
+    createdBy: ctx.userId
+  });
+  let text3 = `\u2705 Removed ${memberLabel(member2.member)} (userId: ${member2.member.userId}) from the project.`;
+  if ((state2.rowCountByUser.get(member2.member.userId) ?? 0) <= 1) {
+    text3 += "\n\nThis was the member's last project assignment, so their access restrictions were cleared \u2014 they can see all projects in the team again (default behavior).";
+  }
+  return textResponse(text3);
+}
 // src/tools/session-completion.ts
 init_drizzle_orm();
@@ -114027,6 +114664,7 @@ ${JSON.stringify(teams2)}`
 // src/tools/ticket-attachments.ts
 init_drizzle_orm();
+init_auth();
 init_db2();
 // ../../node_modules/@aws-sdk/middleware-expect-continue/dist-es/index.js
@@ -119487,6 +120125,52 @@ async function loadAccessibleTicket(requestedTeamId, ticketId) {
 }
 // src/tools/ticket-attachments.ts
+var ALLOWED_IMAGE_TYPES = [
+  "image/jpeg",
+  "image/png",
+  "image/gif",
+  "image/webp"
+];
+var ALLOWED_DOCUMENT_TYPES = [
+  "application/pdf",
+  "application/msword",
+  "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  "application/vnd.ms-excel",
+  "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  "application/vnd.ms-powerpoint",
+  "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+  "text/plain",
+  "text/csv"
+];
+var ALLOWED_MIME_TYPES = /* @__PURE__ */ new Set([
+  ...ALLOWED_IMAGE_TYPES,
+  ...ALLOWED_DOCUMENT_TYPES
+]);
+var MAX_FILE_SIZE = 25 * 1024 * 1024;
+var EXT_MIME = {
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  png: "image/png",
+  gif: "image/gif",
+  webp: "image/webp",
+  pdf: "application/pdf",
+  doc: "application/msword",
+  txt: "text/plain",
+  csv: "text/csv",
+  docx: "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+  xls: "application/vnd.ms-excel",
+  xlsx: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+  ppt: "application/vnd.ms-powerpoint",
+  pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation"
+};
+function textResponse2(text3) {
+  return { content: [{ type: "text", text: text3 }] };
+}
+function mimeFromName(name21) {
+  if (!name21) return null;
+  const ext = name21.split(/[?#]/)[0]?.split(".").pop()?.toLowerCase();
+  return ext && EXT_MIME[ext] ? EXT_MIME[ext] : null;
+}
 async function findAttachment(attachmentId) {
   const [ticketAtt] = await db.select({
     ticketId: schema_exports.ticketAttachments.ticketId,
@@ -119554,6 +120238,127 @@ ${url3}`
     ]
   };
 }
+async function handleUploadTicketAttachment(input) {
+  const ctx = authContext;
+  const sources = [input.filePath, input.imageUrl, input.base64Data].filter(
+    (v2) => typeof v2 === "string" && v2.trim().length > 0
+  );
+  if (sources.length === 0) {
+    return textResponse2(
+      "Provide exactly one source: filePath (absolute local path), imageUrl, or base64Data."
+    );
+  }
+  if (sources.length > 1) {
+    return textResponse2(
+      "Provide only one source (filePath, imageUrl, or base64Data), not several."
+    );
+  }
+  const access = await loadAccessibleTicket(input.teamId, input.ticketId);
+  if (!access.ok) return access.response;
+  const ticket = access.ticket;
+  let buffer2;
+  let fileName = input.fileName?.trim() ?? "";
+  let mimeType = input.mimeType?.trim() ?? "";
+  try {
+    if (input.filePath) {
+      buffer2 = await readFile(input.filePath);
+      if (!fileName) fileName = basename(input.filePath) || "attachment";
+      if (!mimeType) {
+        mimeType = mimeFromName(fileName) ?? "application/octet-stream";
+      }
+    } else if (input.imageUrl) {
+      const res = await fetch(input.imageUrl);
+      if (!res.ok) {
+        return textResponse2(
+          `Could not download from URL: HTTP ${res.status}.`
+        );
+      }
+      const headerType = res.headers.get("content-type")?.split(";")[0]?.trim();
+      buffer2 = Buffer.from(await res.arrayBuffer());
+      if (!fileName) {
+        fileName = input.imageUrl.split("/").pop()?.split(/[?#]/)[0] || `attachment_${Date.now()}`;
+      }
+      if (!mimeType) {
+        mimeType = (headerType && headerType !== "application/octet-stream" ? headerType : null) ?? mimeFromName(input.imageUrl) ?? mimeFromName(fileName) ?? "application/octet-stream";
+      }
+    } else {
+      let b64 = input.base64Data;
+      const dataUri = b64.match(/^data:([^;]+);base64,(.*)$/s);
+      if (dataUri) {
+        if (!mimeType) mimeType = dataUri[1] ?? "";
+        b64 = dataUri[2] ?? "";
+      } else if (b64.includes(",")) {
+        b64 = b64.split(",")[1] || b64;
+      }
+      buffer2 = Buffer.from(b64, "base64");
+      if (!fileName) fileName = `attachment_${Date.now()}`;
+      if (!mimeType) {
+        mimeType = mimeFromName(fileName) ?? "application/octet-stream";
+      }
+    }
+  } catch (error49) {
+    return textResponse2(
+      `Failed to read the file: ${error49 instanceof Error ? error49.message : String(error49)}`
+    );
+  }
+  if (buffer2.byteLength === 0) {
+    return textResponse2("The file is empty (0 bytes); nothing to upload.");
+  }
+  if (buffer2.byteLength > MAX_FILE_SIZE) {
+    return textResponse2(
+      `File too large (${(buffer2.byteLength / 1024 / 1024).toFixed(
+        1
+      )} MB). Max: 25 MB.`
+    );
+  }
+  if (!ALLOWED_MIME_TYPES.has(mimeType)) {
+    return textResponse2(
+      `Unsupported file type: ${mimeType}. Allowed: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV.`
+    );
+  }
+  const storageKey = `${ticket.teamId}/tickets/${ticket.id}/${Date.now()}_${fileName}`;
+  try {
+    await storage.upload({
+      bucket: "vault",
+      path: storageKey,
+      body: buffer2,
+      options: { contentType: mimeType, upsert: true }
+    });
+  } catch (error49) {
+    return textResponse2(
+      `Upload failed: ${error49 instanceof Error ? error49.message : String(error49)}`
+    );
+  }
+  const [row] = await db.insert(schema_exports.ticketAttachments).values({
+    ticketId: ticket.id,
+    teamId: ticket.teamId,
+    userId: ctx.userId,
+    fileName,
+    fileSize: buffer2.byteLength,
+    mimeType,
+    storageKey
+  }).returning({ id: schema_exports.ticketAttachments.id });
+  let url3 = "";
+  try {
+    const signed = await storage.createSignedUrl({
+      bucket: "vault",
+      path: storageKey,
+      expiresIn: 3600
+    });
+    url3 = signed.url;
+  } catch {
+  }
+  return textResponse2(
+    `\u{1F4CE} **Attached to ${ticket.ticketNumber}**
+File: ${fileName}
+Type: ${mimeType}
+Size: ${Math.round(buffer2.byteLength / 1024)}KB
+Attachment id: ${row?.id}` + (url3 ? `
+Download URL (valid 1 hour):
+${url3}` : "")
+  );
+}
 // src/tools/ticket-comments.ts
 init_drizzle_orm();
@@ -120252,6 +121057,10 @@ server.setRequestHandler(CallToolRequestSchema, async (request3) => {
         return await handleGetTicketAttachment(
           asToolArgs(toolArgs)
         );
+      case "upload-ticket-attachment":
+        return await handleUploadTicketAttachment(
+          asToolArgs(toolArgs)
+        );
       case "get-customers":
         return await handleGetCustomers(asToolArgs(toolArgs));
       case "create-customer":
@@ -120260,6 +121069,24 @@ server.setRequestHandler(CallToolRequestSchema, async (request3) => {
         return await handleGetProjects(asToolArgs(toolArgs));
       case "create-project":
         return await handleCreateProject(asToolArgs(toolArgs));
+      case "update-project":
+        return await handleUpdateProject(asToolArgs(toolArgs));
+      case "get-project-members":
+        return await handleGetProjectMembers(
+          asToolArgs(toolArgs)
+        );
+      case "set-project-members":
+        return await handleSetProjectMembers(
+          asToolArgs(toolArgs)
+        );
+      case "add-project-member":
+        return await handleAddProjectMember(
+          asToolArgs(toolArgs)
+        );
+      case "remove-project-member":
+        return await handleRemoveProjectMember(
+          asToolArgs(toolArgs)
+        );
       case "list-documents":
         return await handleListDocuments(asToolArgs(toolArgs));
       case "get-document":