@mgsoftwarebv/mcp-server-bridge 3.5.2 → 3.5.4

package/dist/index.js

@@ -97301,6 +97301,21 @@ var invoiceProducts = pgTable(
     // Array of ProductOptionGroup (see @refront/invoice/types). Null/empty for
     // plain catalog products.
     options: jsonb().$type(),
+    // Structured catalog metadata for richer package/quote composition. All
+    // nullable/defaulted so existing products keep working. Validated at the
+    // app/MCP layer (see @refront/invoice/types constants).
+    // "one_time" | "monthly" | "yearly"
+    billingType: text("billing_type"),
+    // "website" | "addon" | "hosting" | "support" | "other"
+    category: text(),
+    // List of included parts shown to the customer (e.g. "Basis SEO").
+    includedItems: jsonb("included_items").$type(),
+    // Whether this product is an optional add-on rather than a base package.
+    optional: boolean3().default(false).notNull(),
+    // Optional preset/tier label, e.g. start/growth/pro or bronze/silver/gold.
+    tier: text(),
+    // Manual ordering hint for catalog presentation (lower shows first).
+    sortOrder: integer2("sort_order").default(0).notNull(),
     isActive: boolean3().default(true).notNull(),
     usageCount: integer2("usage_count").default(0).notNull(),
     lastUsedAt: timestamp("last_used_at", {
@@ -105939,7 +105954,7 @@ var TOOLS = [
   },
   {
     name: "upload-ticket-attachment",
-    description: "Attach a file (image or document) to a ticket. Provide exactly ONE source: `filePath` (absolute local path), `imageUrl` (public URL to download), or `base64Data` (raw or data: URI). To push an image the user pasted into Cursor chat onto the ticket: when the message is sent, Cursor writes the pasted image into the workspace `assets/` folder as `image-<uuid>.png` \u2014 locate the newest `assets/image-*.png` and pass its absolute path as `filePath`. Allowed types: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV. Max 25 MB. Returns the attachment id and a 1-hour download URL.",
+    description: "Attach a file (image or document) to a ticket. Provide exactly ONE source: `filePath` (absolute local path on the MCP runtime), `imageUrl` (URL to download), `uploadId` (from POST /mcp/attachment-upload \u2014 use for Hermes/Telegram gateway cache files over HTTP MCP), or `base64Data` (raw or data: URI, small files only). For Cursor pasted images: locate the newest workspace `assets/image-*.png` and pass its absolute path as `filePath` (stdio MCP). For Hermes cache paths like `/root/.hermes/image_cache/...` over HTTP MCP: POST bytes to `/mcp/attachment-upload` with the same API key, then pass the returned `uploadId`. Optionally set `HERMES_MEDIA_BASE_URL` so Hermes cache `filePath` values are fetched remotely. Allowed types: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV. Max 25 MB. Returns the attachment id and a 1-hour download URL.",
     inputSchema: {
       type: "object",
       properties: {
@@ -105950,11 +105965,15 @@ var TOOLS = [
         },
         filePath: {
           type: "string",
-          description: "Absolute local path to the file. For a pasted image, use the newest workspace assets/image-*.png."
+          description: "Absolute local path on the MCP server. Works for Cursor workspace files with stdio MCP; Hermes gateway paths require uploadId or HERMES_MEDIA_BASE_URL."
         },
         imageUrl: {
           type: "string",
-          description: "Public URL to download and attach."
+          description: "Public or gateway URL to download and attach."
+        },
+        uploadId: {
+          type: "string",
+          description: "Staged upload id from POST /mcp/attachment-upload. Preferred for original Telegram/Hermes media over HTTP MCP."
         },
         base64Data: {
           type: "string",
@@ -106480,7 +106499,7 @@ var TOOLS = [
   },
   {
     name: "get-products",
-    description: "List catalog products used on invoices AND quotes (the shared `invoice_products` catalog). Each entry includes its ID (UUID), name, unit price, currency, unit, active/archived flag, configurable flag, and usage stats. Editing or archiving a catalog product never changes existing invoices/quotes \u2014 those keep an immutable line-item snapshot; catalog changes only affect documents created afterwards.",
+    description: "List catalog products used on invoices AND quotes (the shared `invoice_products` catalog). Each entry includes its ID (UUID), name, unit price, currency, unit, active/archived flag, configurable flag, usage stats, and structured package metadata (category, billingType, tier, optional add-on flag and includedItems). Editing or archiving a catalog product never changes existing invoices/quotes \u2014 those keep an immutable line-item snapshot; catalog changes only affect documents created afterwards.",
     inputSchema: {
       type: "object",
       properties: {
@@ -106506,7 +106525,7 @@ var TOOLS = [
   },
   {
     name: "get-product-by-id",
-    description: "Get a single catalog product by its ID (UUID), including name, unit price, currency, unit, active/archived flag, configurable flag, and usage stats.",
+    description: "Get a single catalog product by its ID (UUID), including name, unit price, currency, unit, active/archived flag, configurable flag, usage stats, and structured package metadata (category, billingType, tier, optional add-on flag and includedItems).",
     inputSchema: {
       type: "object",
       properties: {
@@ -106518,7 +106537,7 @@ var TOOLS = [
   },
   {
     name: "create-product",
-    description: "Create a catalog product for use on invoices and quotes. Stored in the shared `invoice_products` catalog. This only adds a reusable catalog entry; it does not place the product on any document. Returns the created product with its ID and normalized fields.",
+    description: "Create a catalog product for use on invoices and quotes. Stored in the shared `invoice_products` catalog. This only adds a reusable catalog entry; it does not place the product on any document. Supports structured package metadata (billingType, category, includedItems, optional add-on flag, tier, sortOrder) so website packages, add-ons, hosting and support subscriptions can be modelled richly. Returns the created product with its ID and normalized fields.",
     inputSchema: {
       type: "object",
       properties: {
@@ -106533,6 +106552,34 @@ var TOOLS = [
         unit: {
           type: "string",
           description: "Unit label (e.g. hour, piece, month)"
+        },
+        billingType: {
+          type: "string",
+          enum: ["one_time", "monthly", "yearly"],
+          description: "Billing cadence for this product"
+        },
+        category: {
+          type: "string",
+          enum: ["website", "addon", "hosting", "support", "other"],
+          description: "Product category for catalog filtering"
+        },
+        includedItems: {
+          type: "array",
+          items: { type: "string" },
+          description: "Parts included in the package (e.g. ['Basis SEO', 'Contactformulier'])"
+        },
+        optional: {
+          type: "boolean",
+          description: "Optional add-on (true) vs base package (false)"
+        },
+        tier: {
+          type: "string",
+          enum: ["start", "growth", "pro", "bronze", "silver", "gold"],
+          description: "Optional preset/tier label"
+        },
+        sortOrder: {
+          type: "number",
+          description: "Manual ordering hint (lower shows first)"
         }
       },
       required: ["name"]
@@ -106540,7 +106587,7 @@ var TOOLS = [
   },
   {
     name: "update-product",
-    description: "Update a catalog product's editable fields (name, description, price, currency, unit) or reactivate it (isActive: true). Only provided fields change. IMPORTANT: updates apply only to FUTURE invoices/quotes. Existing/sent/accepted/paid documents keep their immutable line-item snapshot and are never mutated. Find the product id via get-products.",
+    description: "Update a catalog product's editable fields (name, description, price, currency, unit), its package metadata (billingType, category, includedItems, optional, tier, sortOrder), or reactivate it (isActive: true). Only provided fields change. IMPORTANT: updates apply only to FUTURE invoices/quotes. Existing/sent/accepted/paid documents keep their immutable line-item snapshot and are never mutated. Find the product id via get-products.",
     inputSchema: {
       type: "object",
       properties: {
@@ -106557,6 +106604,34 @@ var TOOLS = [
         isActive: {
           type: "boolean",
           description: "Set true to reactivate an archived product"
+        },
+        billingType: {
+          type: ["string", "null"],
+          enum: ["one_time", "monthly", "yearly", null],
+          description: "Billing cadence; null clears it"
+        },
+        category: {
+          type: ["string", "null"],
+          enum: ["website", "addon", "hosting", "support", "other", null],
+          description: "Product category; null clears it"
+        },
+        includedItems: {
+          type: ["array", "null"],
+          items: { type: "string" },
+          description: "Parts included in the package; null/[] clears it"
+        },
+        optional: {
+          type: "boolean",
+          description: "Optional add-on (true) vs base package (false)"
+        },
+        tier: {
+          type: ["string", "null"],
+          enum: ["start", "growth", "pro", "bronze", "silver", "gold", null],
+          description: "Preset/tier label; null clears it"
+        },
+        sortOrder: {
+          type: "number",
+          description: "Manual ordering hint (lower shows first)"
         }
       },
       required: ["productId"]
@@ -114088,6 +114163,22 @@ The project had no tickets, hours, trips, or templates. Any project-scoped confi
 
 // src/tools/products.ts
 var PRODUCT_STATUSES = ["active", "archived", "all"];
+var BILLING_TYPES = ["one_time", "monthly", "yearly"];
+var CATEGORIES = [
+  "website",
+  "addon",
+  "hosting",
+  "support",
+  "other"
+];
+var TIERS = [
+  "start",
+  "growth",
+  "pro",
+  "bronze",
+  "silver",
+  "gold"
+];
 var PRODUCT_COLUMNS = {
   id: schema_exports.invoiceProducts.id,
   teamId: schema_exports.invoiceProducts.teamId,
@@ -114097,6 +114188,12 @@ var PRODUCT_COLUMNS = {
   currency: schema_exports.invoiceProducts.currency,
   unit: schema_exports.invoiceProducts.unit,
   isConfigurable: schema_exports.invoiceProducts.isConfigurable,
+  billingType: schema_exports.invoiceProducts.billingType,
+  category: schema_exports.invoiceProducts.category,
+  includedItems: schema_exports.invoiceProducts.includedItems,
+  optional: schema_exports.invoiceProducts.optional,
+  tier: schema_exports.invoiceProducts.tier,
+  sortOrder: schema_exports.invoiceProducts.sortOrder,
   isActive: schema_exports.invoiceProducts.isActive,
   usageCount: schema_exports.invoiceProducts.usageCount,
   lastUsedAt: schema_exports.invoiceProducts.lastUsedAt,
@@ -114113,13 +114210,34 @@ function formatPrice(p3) {
 function formatProduct(p3) {
   const flags = [p3.isActive ? "active" : "archived"];
   if (p3.isConfigurable) flags.push("configurable");
+  if (p3.optional) flags.push("add-on");
+  const meta5 = [];
+  if (p3.category) meta5.push(`category=${p3.category}`);
+  if (p3.billingType) meta5.push(`billing=${p3.billingType}`);
+  if (p3.tier) meta5.push(`tier=${p3.tier}`);
+  const included = p3.includedItems && p3.includedItems.length > 0 ? `Included: ${p3.includedItems.join(", ")}
+` : "";
   return `**${p3.name}** (${flags.join(", ")})
 ID: ${p3.id}
 Price: ${formatPrice(p3)}
-${p3.description ? `Description: ${p3.description}
+${meta5.length > 0 ? `${meta5.join(", ")}
+` : ""}` + included + `${p3.description ? `Description: ${p3.description}
 ` : ""}Used: ${p3.usageCount}x${p3.lastUsedAt ? ` (last ${new Date(p3.lastUsedAt).toLocaleDateString()})` : ""}
 `;
 }
+function validateEnum(label, value, allowed) {
+  if (value === void 0 || value === null) return null;
+  if (typeof value !== "string" || !allowed.includes(value)) {
+    return `Error: invalid ${label} "${String(value)}". Allowed: ${allowed.join(", ")}.`;
+  }
+  return null;
+}
+function normalizeIncludedItems(value) {
+  if (value === void 0) return void 0;
+  if (value === null) return null;
+  const cleaned = value.map((item) => typeof item === "string" ? item.trim() : "").filter((item) => item.length > 0);
+  return cleaned.length > 0 ? cleaned : null;
+}
 async function handleGetProducts(input) {
   const { q: q3, currency, pageSize = 20 } = input;
   const status = input.status ?? "active";
@@ -114200,6 +114318,8 @@ async function handleCreateProduct(input) {
   if (!name21 || name21.trim().length === 0) {
     return textResponse3("Error: `name` is required.");
   }
+  const enumError = validateEnum("billingType", input.billingType, BILLING_TYPES) ?? validateEnum("category", input.category, CATEGORIES) ?? validateEnum("tier", input.tier, TIERS);
+  if (enumError) return textResponse3(enumError);
   const resolved = await resolveTeamId(input.teamId);
   if (!resolved.ok) return resolved.response;
   const [created] = await db.insert(schema_exports.invoiceProducts).values({
@@ -114209,6 +114329,12 @@ async function handleCreateProduct(input) {
     price: price ?? null,
     currency: currency ?? null,
     unit: unit ?? null,
+    billingType: input.billingType ?? null,
+    category: input.category ?? null,
+    includedItems: normalizeIncludedItems(input.includedItems) ?? null,
+    optional: input.optional ?? false,
+    tier: input.tier ?? null,
+    sortOrder: input.sortOrder ?? 0,
     isActive: true,
     lastUsedAt: (/* @__PURE__ */ new Date()).toISOString()
   }).returning(PRODUCT_COLUMNS);
@@ -114230,6 +114356,8 @@ async function handleUpdateProduct(input) {
       `Product ${productId} not found, or it is not owned by this team.`
     );
   }
+  const enumError = validateEnum("billingType", input.billingType, BILLING_TYPES) ?? validateEnum("category", input.category, CATEGORIES) ?? validateEnum("tier", input.tier, TIERS);
+  if (enumError) return textResponse3(enumError);
   const updates = {};
   if (input.name !== void 0) {
     if (!input.name || input.name.trim().length === 0) {
@@ -114242,9 +114370,17 @@ async function handleUpdateProduct(input) {
   if (input.currency !== void 0) updates.currency = input.currency;
   if (input.unit !== void 0) updates.unit = input.unit;
   if (input.isActive !== void 0) updates.isActive = input.isActive;
+  if (input.billingType !== void 0) updates.billingType = input.billingType;
+  if (input.category !== void 0) updates.category = input.category;
+  if (input.includedItems !== void 0) {
+    updates.includedItems = normalizeIncludedItems(input.includedItems);
+  }
+  if (input.optional !== void 0) updates.optional = input.optional;
+  if (input.tier !== void 0) updates.tier = input.tier;
+  if (input.sortOrder !== void 0) updates.sortOrder = input.sortOrder;
   if (Object.keys(updates).length === 0) {
     return textResponse3(
-      "No fields to update. Provide at least one of: name, description, price, currency, unit, isActive."
+      "No fields to update. Provide at least one of: name, description, price, currency, unit, isActive, billingType, category, includedItems, optional, tier, sortOrder."
     );
   }
   updates.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
@@ -114320,7 +114456,12 @@ function snapshotFromProduct(product, defaults, now2 = () => (/* @__PURE__ */ ne
     capturedAt: now2(),
     metadata: {
       isConfigurable: product.isConfigurable,
-      options: product.options ?? null
+      options: product.options ?? null,
+      billingType: product.billingType ?? null,
+      category: product.category ?? null,
+      includedItems: product.includedItems ?? null,
+      optional: product.optional ?? false,
+      tier: product.tier ?? null
     }
   };
 }
@@ -114444,7 +114585,12 @@ async function loadProductsInTeam(productIds, teamId) {
     currency: schema_exports.invoiceProducts.currency,
     unit: schema_exports.invoiceProducts.unit,
     isConfigurable: schema_exports.invoiceProducts.isConfigurable,
-    options: schema_exports.invoiceProducts.options
+    options: schema_exports.invoiceProducts.options,
+    billingType: schema_exports.invoiceProducts.billingType,
+    category: schema_exports.invoiceProducts.category,
+    includedItems: schema_exports.invoiceProducts.includedItems,
+    optional: schema_exports.invoiceProducts.optional,
+    tier: schema_exports.invoiceProducts.tier
   }).from(schema_exports.invoiceProducts).where(
     and(
       inArray(schema_exports.invoiceProducts.id, productIds),
@@ -114780,12 +114926,22 @@ async function handleAddProductToQuote(input) {
     lastUsedAt: (/* @__PURE__ */ new Date()).toISOString()
   }).where(eq(schema_exports.invoiceProducts.id, product.id));
   const snap = newItem.productSnapshot;
+  const meta5 = snap.metadata;
+  const metaParts = [];
+  if (meta5.category) metaParts.push(`category=${meta5.category}`);
+  if (meta5.billingType) metaParts.push(`billing=${meta5.billingType}`);
+  if (meta5.tier) metaParts.push(`tier=${meta5.tier}`);
+  if (meta5.optional) metaParts.push("optional add-on");
+  if (meta5.includedItems && meta5.includedItems.length > 0) {
+    metaParts.push(`included=[${meta5.includedItems.join(", ")}]`);
+  }
   return textResponse4(
     `\u2705 **Product added to draft quote ${updated.quotationNumber ?? updated.id}**
 
 Line item: ${newItem.name} \xD7 ${newItem.quantity}${newItem.unit ? ` ${newItem.unit}` : ""} @ ${newItem.price} ${snap.currency}
 Snapshot: name="${snap.name}", unitPrice=${snap.unitPrice}, currency=${snap.currency}, vatRate=${snap.vatRate}%, unit=${snap.unit ?? "-"}
-
+${metaParts.length > 0 ? `Metadata: ${metaParts.join(", ")}
+` : ""}
 New quote total: ${updated.amount} ${updated.currency} (subtotal ${updated.subtotal}, VAT ${updated.vat})
 The snapshot is immutable: later catalog edits won't change this quote.`
   );
@@ -120242,8 +120398,6 @@ var storage = new Proxy({}, {
     return Reflect.get(_storage, prop, _storage);
   }
 });
-
-// src/tools/ticket-attachments.ts
 var ALLOWED_IMAGE_TYPES = [
   "image/jpeg",
   "image/png",
@@ -120282,14 +120436,213 @@ var EXT_MIME = {
   ppt: "application/vnd.ms-powerpoint",
   pptx: "application/vnd.openxmlformats-officedocument.presentationml.presentation"
 };
-function textResponse5(text3) {
-  return { content: [{ type: "text", text: text3 }] };
-}
+var HERMES_CACHE_PATH = /(?:^|[\\/])\.hermes[\\/](.+)$/i;
 function mimeFromName(name21) {
   if (!name21) return null;
   const ext = name21.split(/[?#]/)[0]?.split(".").pop()?.toLowerCase();
   return ext && EXT_MIME[ext] ? EXT_MIME[ext] : null;
 }
+function isHermesCachePath(filePath) {
+  return HERMES_CACHE_PATH.test(filePath.replace(/\\/g, "/"));
+}
+function hermesCacheRelativePath(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  const match = HERMES_CACHE_PATH.exec(normalized);
+  return match?.[1] ?? null;
+}
+function getHermesMediaBaseUrl() {
+  const base = process.env.HERMES_MEDIA_BASE_URL?.trim() || process.env.HERMES_GATEWAY_MEDIA_URL?.trim();
+  return base ? base.replace(/\/+$/, "") : null;
+}
+function resolveHermesCacheMediaUrl(filePath) {
+  const base = getHermesMediaBaseUrl();
+  const relative = hermesCacheRelativePath(filePath);
+  if (!base || !relative) return null;
+  return `${base}/${relative.replace(/^\/+/, "")}`;
+}
+function parseMcpStagingStorageKey(uploadId, teamId, userId) {
+  const normalized = uploadId.replace(/\\/g, "/").replace(/^\/+/, "");
+  const prefix = `${teamId}/mcp-staging/${userId}/`;
+  if (!normalized.startsWith(prefix)) return null;
+  const remainder = normalized.slice(prefix.length);
+  if (!remainder || remainder.includes("..")) return null;
+  return normalized;
+}
+function formatFilePathEnoentError(filePath) {
+  const hermesHint = isHermesCachePath(filePath) ? getHermesMediaBaseUrl() ? " Hermes cache paths are fetched via HERMES_MEDIA_BASE_URL when local read fails." : " For Hermes/Telegram cache files over HTTP MCP, POST the bytes to /mcp/attachment-upload and pass the returned uploadId, or set HERMES_MEDIA_BASE_URL so cache paths can be fetched remotely." : " filePath must exist on the MCP server filesystem (works for Cursor workspace paths with stdio MCP, not for gateway-local paths over HTTP MCP).";
+  return `Failed to read the file at "${filePath}": path not found in the MCP runtime (ENOENT).${hermesHint} Alternatives: imageUrl (download URL), uploadId (from POST /mcp/attachment-upload), or base64Data for small files.`;
+}
+function hermesMediaFetchHeaders() {
+  const token = process.env.HERMES_MEDIA_AUTH_TOKEN?.trim() || process.env.HERMES_MEDIA_BEARER_TOKEN?.trim();
+  if (!token) return void 0;
+  return { Authorization: `Bearer ${token}` };
+}
+async function fetchAttachmentUrl(url3, fallbackName, mimeOverride) {
+  const res = await fetch(url3, { headers: hermesMediaFetchHeaders() });
+  if (!res.ok) {
+    return {
+      ok: false,
+      message: `Could not download from URL: HTTP ${res.status}.`
+    };
+  }
+  const headerType = res.headers.get("content-type")?.split(";")[0]?.trim();
+  const buffer2 = Buffer.from(await res.arrayBuffer());
+  const fileName = fallbackName || url3.split("/").pop()?.split(/[?#]/)[0] || `attachment_${Date.now()}`;
+  const mimeType = mimeOverride?.trim() || (headerType && headerType !== "application/octet-stream" ? headerType : null) || mimeFromName(url3) || mimeFromName(fileName) || "application/octet-stream";
+  return { ok: true, buffer: buffer2, fileName, mimeType };
+}
+async function resolveFromFilePath(filePath, fileNameOverride, mimeOverride) {
+  try {
+    const buffer2 = await readFile(filePath);
+    const fileName = fileNameOverride?.trim() || basename(filePath) || "attachment";
+    const mimeType = mimeOverride?.trim() || mimeFromName(fileName) || "application/octet-stream";
+    return { ok: true, buffer: buffer2, fileName, mimeType };
+  } catch (error49) {
+    const code = error49 && typeof error49 === "object" && "code" in error49 ? String(error49.code) : "";
+    if (code !== "ENOENT") {
+      return {
+        ok: false,
+        message: `Failed to read the file: ${error49 instanceof Error ? error49.message : String(error49)}`
+      };
+    }
+    const hermesUrl = resolveHermesCacheMediaUrl(filePath);
+    if (hermesUrl) {
+      const fetched = await fetchAttachmentUrl(
+        hermesUrl,
+        fileNameOverride?.trim() || basename(filePath) || void 0,
+        mimeOverride
+      );
+      if (fetched.ok) {
+        return {
+          ok: true,
+          buffer: fetched.buffer,
+          fileName: fetched.fileName,
+          mimeType: fetched.mimeType
+        };
+      }
+      return {
+        ok: false,
+        message: `${formatFilePathEnoentError(filePath)} Hermes media fetch also failed: ${fetched.message}`
+      };
+    }
+    return { ok: false, message: formatFilePathEnoentError(filePath) };
+  }
+}
+async function resolveFromUploadId(uploadId, teamId, userId, fileNameOverride, mimeOverride) {
+  const storageKey = parseMcpStagingStorageKey(uploadId, teamId, userId);
+  if (!storageKey) {
+    return {
+      ok: false,
+      message: "Invalid uploadId. Use the uploadId returned by POST /mcp/attachment-upload for your API key user."
+    };
+  }
+  let downloaded;
+  try {
+    downloaded = await storage.download({ bucket: "vault", path: storageKey });
+  } catch (error49) {
+    return {
+      ok: false,
+      message: `Staged upload not found or expired (${uploadId}): ${error49 instanceof Error ? error49.message : String(error49)}`
+    };
+  }
+  const buffer2 = Buffer.from(await downloaded.blob.arrayBuffer());
+  const defaultName = storageKey.split("/").pop() || "attachment";
+  const fileName = fileNameOverride?.trim() || defaultName;
+  const mimeType = mimeOverride?.trim() || downloaded.contentType || mimeFromName(fileName) || "application/octet-stream";
+  return {
+    ok: true,
+    buffer: buffer2,
+    fileName,
+    mimeType,
+    stagingStorageKey: storageKey
+  };
+}
+async function resolveAttachmentSource(input) {
+  const sources = [
+    input.filePath,
+    input.imageUrl,
+    input.base64Data,
+    input.uploadId
+  ].filter((v2) => typeof v2 === "string" && v2.trim().length > 0);
+  if (sources.length === 0) {
+    return {
+      ok: false,
+      message: "Provide exactly one source: filePath, imageUrl, uploadId (from POST /mcp/attachment-upload), or base64Data."
+    };
+  }
+  if (sources.length > 1) {
+    return {
+      ok: false,
+      message: "Provide only one source (filePath, imageUrl, uploadId, or base64Data), not several."
+    };
+  }
+  if (input.uploadId) {
+    return resolveFromUploadId(
+      input.uploadId.trim(),
+      input.teamId,
+      input.userId,
+      input.fileName,
+      input.mimeType
+    );
+  }
+  if (input.filePath) {
+    return resolveFromFilePath(input.filePath, input.fileName, input.mimeType);
+  }
+  if (input.imageUrl) {
+    const fetched = await fetchAttachmentUrl(
+      input.imageUrl,
+      input.fileName,
+      input.mimeType
+    );
+    if (!fetched.ok) return fetched;
+    return {
+      ok: true,
+      buffer: fetched.buffer,
+      fileName: fetched.fileName,
+      mimeType: fetched.mimeType
+    };
+  }
+  let b64 = input.base64Data;
+  let mimeType = input.mimeType?.trim() ?? "";
+  const dataUri = b64.match(/^data:([^;]+);base64,(.*)$/s);
+  if (dataUri) {
+    if (!mimeType) mimeType = dataUri[1] ?? "";
+    b64 = dataUri[2] ?? "";
+  } else if (b64.includes(",")) {
+    b64 = b64.split(",")[1] || b64;
+  }
+  const buffer2 = Buffer.from(b64, "base64");
+  const fileName = input.fileName?.trim() || `attachment_${Date.now()}`;
+  if (!mimeType) {
+    mimeType = mimeFromName(fileName) ?? "application/octet-stream";
+  }
+  return { ok: true, buffer: buffer2, fileName, mimeType };
+}
+function validateAttachmentBuffer(buffer2, mimeType) {
+  if (buffer2.byteLength === 0) {
+    return { ok: false, message: "The file is empty (0 bytes); nothing to upload." };
+  }
+  if (buffer2.byteLength > MAX_FILE_SIZE) {
+    return {
+      ok: false,
+      message: `File too large (${(buffer2.byteLength / 1024 / 1024).toFixed(
+        1
+      )} MB). Max: 25 MB.`
+    };
+  }
+  if (!ALLOWED_MIME_TYPES.has(mimeType)) {
+    return {
+      ok: false,
+      message: `Unsupported file type: ${mimeType}. Allowed: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV.`
+    };
+  }
+  return null;
+}
+
+// src/tools/ticket-attachments.ts
+function textResponse5(text3) {
+  return { content: [{ type: "text", text: text3 }] };
+}
 async function findAttachment(attachmentId) {
   const [ticketAtt] = await db.select({
     ticketId: schema_exports.ticketAttachments.ticketId,
@@ -120358,82 +120711,30 @@ ${url3}`
   };
 }
 async function handleUploadTicketAttachment(input) {
-  const ctx = getAuthContext();
-  const sources = [input.filePath, input.imageUrl, input.base64Data].filter(
-    (v2) => typeof v2 === "string" && v2.trim().length > 0
-  );
-  if (sources.length === 0) {
-    return textResponse5(
-      "Provide exactly one source: filePath (absolute local path), imageUrl, or base64Data."
-    );
-  }
-  if (sources.length > 1) {
-    return textResponse5(
-      "Provide only one source (filePath, imageUrl, or base64Data), not several."
-    );
+  const ctx = getAuthContext() ?? authContext;
+  if (!ctx) {
+    return textResponse5("Error: Not authenticated.");
   }
   const access = await loadAccessibleTicket(input.teamId, input.ticketId);
   if (!access.ok) return access.response;
   const ticket = access.ticket;
-  let buffer2;
-  let fileName = input.fileName?.trim() ?? "";
-  let mimeType = input.mimeType?.trim() ?? "";
-  try {
-    if (input.filePath) {
-      buffer2 = await readFile(input.filePath);
-      if (!fileName) fileName = basename(input.filePath) || "attachment";
-      if (!mimeType) {
-        mimeType = mimeFromName(fileName) ?? "application/octet-stream";
-      }
-    } else if (input.imageUrl) {
-      const res = await fetch(input.imageUrl);
-      if (!res.ok) {
-        return textResponse5(
-          `Could not download from URL: HTTP ${res.status}.`
-        );
-      }
-      const headerType = res.headers.get("content-type")?.split(";")[0]?.trim();
-      buffer2 = Buffer.from(await res.arrayBuffer());
-      if (!fileName) {
-        fileName = input.imageUrl.split("/").pop()?.split(/[?#]/)[0] || `attachment_${Date.now()}`;
-      }
-      if (!mimeType) {
-        mimeType = (headerType && headerType !== "application/octet-stream" ? headerType : null) ?? mimeFromName(input.imageUrl) ?? mimeFromName(fileName) ?? "application/octet-stream";
-      }
-    } else {
-      let b64 = input.base64Data;
-      const dataUri = b64.match(/^data:([^;]+);base64,(.*)$/s);
-      if (dataUri) {
-        if (!mimeType) mimeType = dataUri[1] ?? "";
-        b64 = dataUri[2] ?? "";
-      } else if (b64.includes(",")) {
-        b64 = b64.split(",")[1] || b64;
-      }
-      buffer2 = Buffer.from(b64, "base64");
-      if (!fileName) fileName = `attachment_${Date.now()}`;
-      if (!mimeType) {
-        mimeType = mimeFromName(fileName) ?? "application/octet-stream";
-      }
-    }
-  } catch (error49) {
-    return textResponse5(
-      `Failed to read the file: ${error49 instanceof Error ? error49.message : String(error49)}`
-    );
-  }
-  if (buffer2.byteLength === 0) {
-    return textResponse5("The file is empty (0 bytes); nothing to upload.");
-  }
-  if (buffer2.byteLength > MAX_FILE_SIZE) {
-    return textResponse5(
-      `File too large (${(buffer2.byteLength / 1024 / 1024).toFixed(
-        1
-      )} MB). Max: 25 MB.`
-    );
+  const resolved = await resolveAttachmentSource({
+    filePath: input.filePath,
+    imageUrl: input.imageUrl,
+    base64Data: input.base64Data,
+    uploadId: input.uploadId,
+    fileName: input.fileName,
+    mimeType: input.mimeType,
+    teamId: ctx.teamId,
+    userId: ctx.userId
+  });
+  if (!resolved.ok) {
+    return textResponse5(resolved.message);
   }
-  if (!ALLOWED_MIME_TYPES.has(mimeType)) {
-    return textResponse5(
-      `Unsupported file type: ${mimeType}. Allowed: JPEG, PNG, GIF, WebP, PDF, DOC(X), XLS(X), PPT(X), TXT, CSV.`
-    );
+  const { buffer: buffer2, fileName, mimeType, stagingStorageKey } = resolved;
+  const validationError = validateAttachmentBuffer(buffer2, mimeType);
+  if (validationError) {
+    return textResponse5(validationError.message);
   }
   const storageKey = `${ticket.teamId}/tickets/${ticket.id}/${Date.now()}_${fileName}`;
   try {
@@ -120448,6 +120749,12 @@ async function handleUploadTicketAttachment(input) {
       `Upload failed: ${error49 instanceof Error ? error49.message : String(error49)}`
     );
   }
+  if (stagingStorageKey) {
+    try {
+      await storage.remove({ bucket: "vault", paths: [stagingStorageKey] });
+    } catch {
+    }
+  }
   const [row] = await db.insert(schema_exports.ticketAttachments).values({
     ticketId: ticket.id,
     teamId: ticket.teamId,
@@ -121555,7 +121862,7 @@ function attemptedLockedFields(update) {
 
 // src/tools/trips.ts
 var TRIP_TYPES = ["private", "business"];
-var BILLING_TYPES = TRIP_BILLING_TYPES;
+var BILLING_TYPES2 = TRIP_BILLING_TYPES;
 function textResponse7(text3) {
   return { content: [{ type: "text", text: text3 }] };
 }
@@ -121616,9 +121923,9 @@ async function handleGetTrips(input) {
       `Error: invalid tripType "${input.tripType}". Allowed: ${TRIP_TYPES.join(", ")}.`
     );
   }
-  if (input.billingType && !BILLING_TYPES.includes(input.billingType)) {
+  if (input.billingType && !BILLING_TYPES2.includes(input.billingType)) {
     return textResponse7(
-      `Error: invalid billingType "${input.billingType}". Allowed: ${BILLING_TYPES.join(", ")}.`
+      `Error: invalid billingType "${input.billingType}". Allowed: ${BILLING_TYPES2.join(", ")}.`
     );
   }
   const scope = await resolveTeamScope(input.teamId);
@@ -121738,9 +122045,9 @@ async function handleCreateTrip(input) {
     );
   }
   const billingType = input.billingType ?? "not_billable";
-  if (!BILLING_TYPES.includes(billingType)) {
+  if (!BILLING_TYPES2.includes(billingType)) {
     return textResponse7(
-      `Error: invalid billingType "${input.billingType}". Allowed: ${BILLING_TYPES.join(", ")}.`
+      `Error: invalid billingType "${input.billingType}". Allowed: ${BILLING_TYPES2.join(", ")}.`
     );
   }
   const resolved = await resolveTeamId(input.teamId);
@@ -121819,9 +122126,9 @@ async function handleUpdateTrip(input) {
       `Error: invalid tripType "${input.tripType}". Allowed: ${TRIP_TYPES.join(", ")}.`
     );
   }
-  if (input.billingType && !BILLING_TYPES.includes(input.billingType)) {
+  if (input.billingType && !BILLING_TYPES2.includes(input.billingType)) {
     return textResponse7(
-      `Error: invalid billingType "${input.billingType}". Allowed: ${BILLING_TYPES.join(", ")}.`
+      `Error: invalid billingType "${input.billingType}". Allowed: ${BILLING_TYPES2.join(", ")}.`
     );
   }
   const resolved = await resolveTeamId(input.teamId);
@@ -122472,7 +122779,7 @@ ${tagErrors.map((e6) => `   \u2022 ${e6}`).join("\n")}
 }
 
 // src/server.ts
-var SERVER_VERSION = "3.5.1";
+var SERVER_VERSION = "3.5.4";
 function createMcpServer() {
   const server = new Server(
     {