npm - @mgsoftwarebv/mg-dashboard-mcp - Versions diffs - 6.3.0 → 6.5.0 - Mend

@mgsoftwarebv/mg-dashboard-mcp 6.3.0 → 6.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -7,15 +7,16 @@ import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { ListToolsRequestSchema, CallToolRequestSchema, isInitializeRequest, ListPromptsRequestSchema, GetPromptRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, ListResourceTemplatesRequestSchema, SubscribeRequestSchema, UnsubscribeRequestSchema, ListToolsResultSchema, CallToolResultSchema, ListPromptsResultSchema, GetPromptResultSchema, ListResourcesResultSchema, ReadResourceResultSchema, ListResourceTemplatesResultSchema, EmptyResultSchema } from '@modelcontextprotocol/sdk/types.js';
+import { createServer as createServer$1 } from 'net';
+import { Client } from 'ssh2';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { createServer } from 'http';
-import { randomUUID, createHash, randomBytes, createDecipheriv, createCipheriv } from 'crypto';
+import { randomUUID, createHash, randomBytes, createCipheriv, createDecipheriv } from 'crypto';
 import { sql } from 'drizzle-orm';
 import { drizzle } from 'drizzle-orm/postgres-js';
 import postgres from 'postgres';
 import { readFile, mkdtemp, writeFile, rm } from 'fs/promises';
 import { tmpdir } from 'os';
-import { Client } from 'ssh2';
 import { HeadObjectCommand, S3Client, ListObjectsV2Command, DeleteObjectsCommand, DeleteObjectCommand, CreateMultipartUploadCommand, UploadPartCommand, CompleteMultipartUploadCommand, AbortMultipartUploadCommand, PutObjectCommand, GetObjectCommand, CopyObjectCommand } from '@aws-sdk/client-s3';
 var __defProp = Object.defineProperty;
@@ -272,6 +273,181 @@ var init_proxy_mode = __esm({
   "src/proxy-mode.ts"() {
   }
 });
+// src/db-ssh-tunnel.ts
+var db_ssh_tunnel_exports = {};
+__export(db_ssh_tunnel_exports, {
+  fetchRemoteEnvValue: () => fetchRemoteEnvValue,
+  openDbSshTunnel: () => openDbSshTunnel
+});
+function expandHome2(path) {
+  if (!path.startsWith("~")) return path;
+  const home = process.env.HOME || process.env.USERPROFILE || "";
+  return join(home, path.slice(1));
+}
+function resolvePrivateKeyPath(input) {
+  const candidate = expandHome2(input);
+  const stripped = candidate.endsWith(".pub") ? candidate.slice(0, -4) : candidate;
+  if (existsSync(stripped) && statSync(stripped).isFile()) return stripped;
+  throw new Error(
+    `SSH private key not found at ${stripped}. The --db-ssh-tunnel flag needs the private key (not just .pub) to open the tunnel.`
+  );
+}
+function parseSshTarget(target) {
+  const at = target.indexOf("@");
+  if (at === -1) {
+    throw new Error(`--db-ssh-tunnel must be in the form user@host[:port], got: ${target}`);
+  }
+  const username = target.slice(0, at);
+  const hostPart = target.slice(at + 1);
+  const colon = hostPart.lastIndexOf(":");
+  if (colon === -1) return { username, host: hostPart, port: 22 };
+  const port = Number(hostPart.slice(colon + 1));
+  if (!Number.isFinite(port) || port < 1 || port > 65535) {
+    throw new Error(`Invalid SSH port in --db-ssh-tunnel: ${hostPart.slice(colon + 1)}`);
+  }
+  return { username, host: hostPart.slice(0, colon), port };
+}
+function rewriteUrl(originalUrl, localPort) {
+  const parsed = new URL(originalUrl);
+  parsed.hostname = "127.0.0.1";
+  parsed.port = String(localPort);
+  return parsed.toString();
+}
+async function connectSsh(opts) {
+  return await new Promise((resolve, reject) => {
+    const conn = new Client();
+    const onError = (err) => {
+      conn.removeAllListeners();
+      reject(err);
+    };
+    conn.once("ready", () => {
+      conn.removeListener("error", onError);
+      resolve(conn);
+    });
+    conn.once("error", onError);
+    conn.connect({
+      host: opts.host,
+      port: opts.port,
+      username: opts.username,
+      privateKey: opts.privateKey,
+      keepaliveInterval: opts.keepaliveIntervalMs,
+      keepaliveCountMax: 3,
+      readyTimeout: 2e4
+    });
+  });
+}
+function execOverSsh(conn, cmd) {
+  return new Promise((resolve, reject) => {
+    conn.exec(cmd, (err, stream) => {
+      if (err) {
+        reject(err);
+        return;
+      }
+      let stdout = "";
+      let stderr = "";
+      stream.on("data", (chunk) => {
+        stdout += chunk.toString("utf8");
+      });
+      stream.stderr.on("data", (chunk) => {
+        stderr += chunk.toString("utf8");
+      });
+      stream.on("close", (code) => {
+        resolve({ stdout, stderr, code: code ?? -1 });
+      });
+    });
+  });
+}
+function parseEnvValue(content, key) {
+  const re = new RegExp(`^${key}\\s*=\\s*(.*)$`, "m");
+  const m = content.match(re);
+  if (!m || !m[1]) return void 0;
+  let value = m[1].trim();
+  if (value.length >= 2 && (value[0] === '"' || value[0] === "'") && value[value.length - 1] === value[0]) {
+    value = value.slice(1, -1);
+  }
+  return value;
+}
+async function fetchRemoteEnvValue(options) {
+  const { username, host, port } = parseSshTarget(options.sshTarget);
+  const privateKeyPath = resolvePrivateKeyPath(options.sshKeyPath);
+  const privateKey = readFileSync(privateKeyPath);
+  const keepaliveIntervalMs = options.keepaliveIntervalMs ?? 3e4;
+  const envKey = options.envKey ?? "DATABASE_PRIMARY_URL";
+  const conn = await connectSsh({ host, port, username, privateKey, keepaliveIntervalMs });
+  try {
+    const safePath = options.remoteEnvPath.replace(/'/g, "'\\''");
+    const result = await execOverSsh(conn, `cat -- '${safePath}'`);
+    if (result.code !== 0) {
+      throw new Error(
+        `remote cat ${options.remoteEnvPath} failed (exit ${result.code}): ${result.stderr.trim()}`
+      );
+    }
+    const value = parseEnvValue(result.stdout, envKey);
+    if (!value) {
+      throw new Error(`${envKey} not found in ${options.remoteEnvPath}`);
+    }
+    return value;
+  } finally {
+    conn.end();
+  }
+}
+async function openDbSshTunnel(options) {
+  const { username, host, port } = parseSshTarget(options.sshTarget);
+  const privateKeyPath = resolvePrivateKeyPath(options.sshKeyPath);
+  const privateKey = readFileSync(privateKeyPath);
+  const keepaliveIntervalMs = options.keepaliveIntervalMs ?? 3e4;
+  const parsedDbUrl = new URL(options.databaseUrl);
+  const remoteHost = parsedDbUrl.hostname;
+  const remotePort = Number(parsedDbUrl.port || "5432");
+  const conn = await connectSsh({ host, port, username, privateKey, keepaliveIntervalMs });
+  conn.on("error", (err) => {
+    console.error(`[mcp][db-ssh-tunnel] ssh connection error: ${err.message}`);
+  });
+  conn.on("close", () => {
+    console.error("[mcp][db-ssh-tunnel] ssh connection closed; MCP will exit so Cursor can respawn it");
+    process.exit(1);
+  });
+  const server2 = createServer$1((local) => {
+    conn.forwardOut("127.0.0.1", 0, remoteHost, remotePort, (err, stream) => {
+      if (err) {
+        console.error(`[mcp][db-ssh-tunnel] forwardOut failed: ${err.message}`);
+        local.destroy(err);
+        return;
+      }
+      local.on("error", () => stream.destroy());
+      stream.on("error", () => local.destroy());
+      local.pipe(stream).pipe(local);
+    });
+  });
+  const localPort = await new Promise((resolve, reject) => {
+    server2.once("error", reject);
+    server2.listen(0, "127.0.0.1", () => {
+      const addr = server2.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("Failed to bind local tunnel listener"));
+        return;
+      }
+      resolve(addr.port);
+    });
+  });
+  const rewrittenDatabaseUrl = rewriteUrl(options.databaseUrl, localPort);
+  console.error(
+    `[mcp][db-ssh-tunnel] forwarding 127.0.0.1:${localPort} -> ${remoteHost}:${remotePort} via ssh ${username}@${host}:${port}`
+  );
+  return {
+    rewrittenDatabaseUrl,
+    localPort,
+    async close() {
+      await new Promise((resolve) => server2.close(() => resolve()));
+      conn.end();
+    }
+  };
+}
+var init_db_ssh_tunnel = __esm({
+  "src/db-ssh-tunnel.ts"() {
+  }
+});
 var connectionConfig = {
   prepare: false,
   idle_timeout: 20,
@@ -380,10 +556,10 @@ var TRIGGER_TOOL_MODULE_MAP = {
   "trigger-run": "ci_cd"
 };
 async function discoverInstance(projectSlug, conn, proxy, sshExec2) {
-  const sql4 = `SELECT re.\\"apiKey\\" FROM \\"RuntimeEnvironment\\" re JOIN \\"Project\\" p ON re.\\"projectId\\" = p.id WHERE p.slug='${projectSlug}' AND re.slug='prod' LIMIT 1`;
+  const sql3 = `SELECT re.\\"apiKey\\" FROM \\"RuntimeEnvironment\\" re JOIN \\"Project\\" p ON re.\\"projectId\\" = p.id WHERE p.slug='${projectSlug}' AND re.slug='prod' LIMIT 1`;
   const cmd = [
     `PORT=$(docker port "${WA_CONTAINER}" 3000/tcp 2>/dev/null | head -1 | sed 's/.*://')`,
-    `KEY=$(docker exec "${PG_CONTAINER}" psql -U postgres -d main -t -A -c "${sql4}" 2>/dev/null | tr -d '[:space:]')`,
+    `KEY=$(docker exec "${PG_CONTAINER}" psql -U postgres -d main -t -A -c "${sql3}" 2>/dev/null | tr -d '[:space:]')`,
     'echo "$PORT|$KEY"'
   ].join(" && ");
   const result = await sshExec2(conn, cmd, proxy);
@@ -404,8 +580,8 @@ async function discoverInstance(projectSlug, conn, proxy, sshExec2) {
   return { port, apiKey: apiKey2 };
 }
 async function fetchRunLogs(runId, conn, proxy, sshExec2) {
-  const sql4 = `SELECT level, message, \\"isError\\", \\"createdAt\\" FROM \\"TaskEvent\\" WHERE \\"runId\\" = '${runId}' AND level IN ('INFO','WARN','ERROR','DEBUG','LOG','TRACE') ORDER BY \\"startTime\\" ASC LIMIT 200`;
-  const cmd = `docker exec "${PG_CONTAINER}" psql -U postgres -d main -t -A -c "${sql4}" 2>/dev/null`;
+  const sql3 = `SELECT level, message, \\"isError\\", \\"createdAt\\" FROM \\"TaskEvent\\" WHERE \\"runId\\" = '${runId}' AND level IN ('INFO','WARN','ERROR','DEBUG','LOG','TRACE') ORDER BY \\"startTime\\" ASC LIMIT 200`;
+  const cmd = `docker exec "${PG_CONTAINER}" psql -U postgres -d main -t -A -c "${sql3}" 2>/dev/null`;
   const result = await sshExec2(conn, cmd, proxy);
   const output = result.stdout.trim();
   if (!output) return "";
@@ -487,8 +663,8 @@ async function handleTriggerTool(name, args2, deps) {
   switch (name) {
     // -----------------------------------------------------------------
     case "trigger-list": {
-      const sql4 = 'SELECT slug, name FROM \\"Project\\" ORDER BY name';
-      const cmd = `docker exec "${PG_CONTAINER}" psql -U postgres -d main -t -A -c "${sql4}" 2>/dev/null`;
+      const sql3 = 'SELECT slug, name FROM \\"Project\\" ORDER BY name';
+      const cmd = `docker exec "${PG_CONTAINER}" psql -U postgres -d main -t -A -c "${sql3}" 2>/dev/null`;
       const result = await sshExec2(conn, cmd, proxy);
       const output = result.stdout.trim();
       if (!output) {
@@ -683,621 +859,6 @@ async function waitForCompletion(conn, proxy, sshExec2, instance, runId, waitSec
     }]
   };
 }
-var VERCEL_API = "https://api.vercel.com";
-var VERCEL_TOOLS = [
-  {
-    name: "vercel-projects",
-    description: "List Vercel projects in the configured account/team. Returns id, name, framework, GitHub repo link, production URL, and the latest deployment summary. Use the project name or id as input to vercel-deployments.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        limit: { type: "number", description: "Max projects to return (default 50, max 200)" },
-        search: { type: "string", description: "Substring filter on project name (case-insensitive)" }
-      }
-    }
-  },
-  {
-    name: "vercel-deployments",
-    description: "List recent deployments for a Vercel project. Returns deployment ID, state, target, branch, commit and timestamps. Use the deployment ID with vercel-logs.",
-    inputSchema: {
-      type: "object",
-      properties: {
-        project: { type: "string", description: "Vercel project ID or name (from vercel-projects)" },
-        state: {
-          type: "string",
-          description: "Optional state filter: BUILDING, ERROR, INITIALIZING, QUEUED, READY, CANCELED"
-        },
-        target: { type: "string", description: "Optional target filter: production or preview" },
-        limit: { type: "number", description: "Max deployments to return (default 20, max 100)" }
-      },
-      required: ["project"]
-    }
-  },
-  {
-    name: "vercel-domains",
-    description: 'Manage domains attached to a Vercel project. Use `action` to pick the operation:\n- "list" (default): list all domains attached to the project, including verification status and any redirect.\n- "add": attach a new domain to the project. Returns DNS records to set if the domain is not yet verified.\n- "verify": re-check verification status and surface required CNAME / A / TXT records if misconfigured.\n- "remove": detach a domain from the project.\nPick the project via vercel-projects first.',
-    inputSchema: {
-      type: "object",
-      properties: {
-        action: {
-          type: "string",
-          enum: ["list", "add", "remove", "verify"],
-          description: "Which operation to perform (default: list)."
-        },
-        project: {
-          type: "string",
-          description: "Vercel project ID or name (from vercel-projects)."
-        },
-        domain: {
-          type: "string",
-          description: 'Domain name (required for action="add", "remove", or "verify").'
-        },
-        gitBranch: {
-          type: "string",
-          description: 'Optional git branch this domain should deploy from (action="add" only).'
-        },
-        redirect: {
-          type: "string",
-          description: 'Optional redirect target domain (action="add" only).'
-        },
-        redirectStatusCode: {
-          type: "number",
-          description: 'Optional redirect status code, e.g. 301 / 302 / 307 / 308 (action="add" only).'
-        }
-      },
-      required: ["project"]
-    }
-  },
-  {
-    name: "vercel-logs",
-    description: 'Unified log inspector for Vercel. Use `kind` to pick the source:\n- "build" (default): build / deployment console events (stdout, stderr, command, exit). Requires deploymentId.\n- "runtime": runtime / function logs after a successful build. Requires project + deploymentId.\n- "webhooks": our own vercel_webhook_logs table (Telegram / push delivery history). No deployment needed.\nPick deployments via vercel-deployments first.',
-    inputSchema: {
-      type: "object",
-      properties: {
-        kind: {
-          type: "string",
-          enum: ["build", "runtime", "webhooks"],
-          description: "Which log stream to fetch (default: build)."
-        },
-        project: {
-          type: "string",
-          description: 'Vercel project ID or name (required for kind="runtime").'
-        },
-        deploymentId: {
-          type: "string",
-          description: 'Vercel deployment ID (required for kind="build" or "runtime").'
-        },
-        projectName: {
-          type: "string",
-          description: 'Optional project_name filter (kind="webhooks" only).'
-        },
-        status: {
-          type: "string",
-          description: 'Optional status filter (kind="webhooks" only): sent, skipped, error.'
-        },
-        sinceMinutes: {
-          type: "number",
-          description: `Time window in minutes (kind="runtime" only, max 7 days). When omitted, the tool auto-detects the deployment's created timestamp and queries from there with a 5-minute buffer \u2014 so you don't miss logs by picking a too-small window.`
-        },
-        limit: {
-          type: "number",
-          description: "Max entries to return. Defaults per kind: build=500 (max 5000), runtime=200 (max 1000), webhooks=25 (max 200)."
-        }
-      }
-    }
-  }
-];
-var VERCEL_TOOL_NAMES = new Set(VERCEL_TOOLS.map((t) => t.name));
-var VERCEL_TOOL_MODULE_MAP = {
-  "vercel-projects": "ci_cd",
-  "vercel-deployments": "ci_cd",
-  "vercel-logs": "ci_cd",
-  "vercel-domains": "ci_cd"
-};
-async function vercelFetch(token, path, init) {
-  const res = await fetch(`${VERCEL_API}${path}`, {
-    method: init?.method ?? "GET",
-    headers: { Authorization: `Bearer ${token}`, "Content-Type": "application/json" },
-    body: init?.body !== void 0 ? JSON.stringify(init.body) : void 0
-  });
-  const body = await res.text();
-  let parsed = null;
-  try {
-    parsed = body ? JSON.parse(body) : null;
-  } catch {
-  }
-  if (!res.ok) {
-    const msg = parsed?.error?.message ?? parsed?.message ?? body ?? `HTTP ${res.status}`;
-    return { data: null, error: `Vercel API ${res.status}: ${msg}`, status: res.status };
-  }
-  return { data: parsed, error: null, status: res.status };
-}
-async function listVercelProjectsAll(token, limit) {
-  const collected = [];
-  let nextTimestamp;
-  while (collected.length < limit) {
-    const params = new URLSearchParams({ limit: String(Math.min(limit - collected.length, 100)) });
-    if (nextTimestamp) params.set("until", String(nextTimestamp));
-    const res = await vercelFetch(token, `/v9/projects?${params.toString()}`);
-    if (res.error) return { projects: [], error: res.error };
-    if (!res.data?.projects?.length) break;
-    collected.push(...res.data.projects);
-    if (!res.data.pagination?.next) break;
-    nextTimestamp = res.data.pagination.next;
-  }
-  return { projects: collected, error: null };
-}
-async function listVercelDeployments(token, options) {
-  const params = new URLSearchParams({
-    limit: String(options.limit),
-    projectId: options.projectId
-  });
-  if (options.state) params.set("state", options.state);
-  if (options.target) params.set("target", options.target);
-  const res = await vercelFetch(
-    token,
-    `/v6/deployments?${params.toString()}`
-  );
-  if (res.error) return { deployments: [], error: res.error };
-  return { deployments: res.data?.deployments ?? [], error: null };
-}
-async function getDeploymentBuildEvents(token, deploymentId, limit) {
-  const params = new URLSearchParams({
-    limit: String(limit),
-    direction: "forward",
-    follow: "0"
-  });
-  const url = `${VERCEL_API}/v3/deployments/${encodeURIComponent(deploymentId)}/events?${params.toString()}`;
-  const res = await fetch(url, {
-    headers: { Authorization: `Bearer ${token}` }
-  });
-  const body = await res.text();
-  if (!res.ok) {
-    let msg = body;
-    try {
-      const parsed = JSON.parse(body);
-      msg = parsed?.error?.message ?? parsed?.message ?? body;
-    } catch {
-    }
-    return { events: [], error: `Vercel API ${res.status}: ${msg}` };
-  }
-  const events = [];
-  const trimmed = body.trim();
-  if (!trimmed) return { events, error: null };
-  try {
-    const parsed = JSON.parse(trimmed);
-    if (Array.isArray(parsed)) {
-      for (const r of parsed) events.push(r);
-      return { events, error: null };
-    }
-  } catch {
-  }
-  for (const line of trimmed.split("\n")) {
-    const s = line.trim();
-    if (!s) continue;
-    try {
-      events.push(JSON.parse(s));
-    } catch {
-    }
-  }
-  return { events, error: null };
-}
-async function getDeploymentCreatedMs(token, deploymentId) {
-  const res = await vercelFetch(
-    token,
-    `/v13/deployments/${encodeURIComponent(deploymentId)}`
-  );
-  if (res.error || !res.data) return null;
-  return res.data.createdAt ?? res.data.created ?? null;
-}
-async function getRuntimeLogs(token, projectIdOrName, deploymentId, limit, sinceMs) {
-  const params = new URLSearchParams({
-    limit: String(Math.min(Math.max(limit, 1), 1e3))
-  });
-  if (sinceMs) params.set("since", String(sinceMs));
-  const url = `${VERCEL_API}/v1/projects/${encodeURIComponent(projectIdOrName)}/deployments/${encodeURIComponent(deploymentId)}/runtime-logs?${params.toString()}`;
-  const res = await fetch(url, {
-    headers: { Authorization: `Bearer ${token}` }
-  });
-  const body = await res.text();
-  if (!res.ok) {
-    let msg = body;
-    try {
-      const parsed = JSON.parse(body);
-      msg = parsed?.error?.message ?? parsed?.message ?? body;
-    } catch {
-    }
-    return { logs: [], error: `Vercel API ${res.status}: ${msg}` };
-  }
-  const logs = [];
-  const trimmed = body.trim();
-  if (!trimmed) return { logs, error: null };
-  try {
-    const parsed = JSON.parse(trimmed);
-    if (Array.isArray(parsed)) {
-      for (const r of parsed) logs.push(r);
-      return { logs, error: null };
-    }
-  } catch {
-  }
-  for (const line of trimmed.split("\n")) {
-    const s = line.trim();
-    if (!s) continue;
-    try {
-      logs.push(JSON.parse(s));
-    } catch {
-    }
-  }
-  return { logs, error: null };
-}
-async function listProjectDomains(token, projectId) {
-  const res = await vercelFetch(
-    token,
-    `/v9/projects/${encodeURIComponent(projectId)}/domains?limit=100`
-  );
-  if (res.error) return { domains: [], error: res.error };
-  return { domains: res.data?.domains ?? [], error: null };
-}
-async function addProjectDomain(token, projectId, body) {
-  const res = await vercelFetch(
-    token,
-    `/v10/projects/${encodeURIComponent(projectId)}/domains`,
-    { method: "POST", body }
-  );
-  if (res.error) return { domain: null, error: res.error };
-  return { domain: res.data, error: null };
-}
-async function removeProjectDomain(token, projectId, domain) {
-  const res = await vercelFetch(
-    token,
-    `/v9/projects/${encodeURIComponent(projectId)}/domains/${encodeURIComponent(domain)}`,
-    { method: "DELETE" }
-  );
-  return { error: res.error };
-}
-async function getProjectDomain(token, projectId, domain) {
-  const res = await vercelFetch(
-    token,
-    `/v9/projects/${encodeURIComponent(projectId)}/domains/${encodeURIComponent(domain)}`
-  );
-  if (res.error) return { domain: null, error: res.error };
-  return { domain: res.data, error: null };
-}
-async function getDomainConfig(token, domain) {
-  const res = await vercelFetch(
-    token,
-    `/v6/domains/${encodeURIComponent(domain)}/config`
-  );
-  if (res.error) return { config: null, error: res.error };
-  return { config: res.data, error: null };
-}
-async function getVercelToken(deps) {
-  const rows = await deps.db.execute(sql`
-    SELECT vercel_token_encrypted FROM app_setting LIMIT 1
-  `);
-  const data = rows[0];
-  if (!data?.vercel_token_encrypted) {
-    throw new Error("Vercel API token is not configured. Add it in dashboard Settings.");
-  }
-  try {
-    return deps.decrypt(data.vercel_token_encrypted);
-  } catch {
-    throw new Error("Failed to decrypt the stored Vercel API token.");
-  }
-}
-async function resolveProjectId(token, projectInput) {
-  const res = await vercelFetch(
-    token,
-    `/v9/projects/${encodeURIComponent(projectInput)}`
-  );
-  if (res.error || !res.data?.id) {
-    throw new Error(
-      `Could not resolve Vercel project "${projectInput}": ${res.error ?? "not found"}`
-    );
-  }
-  return res.data.id;
-}
-function formatTimestamp(ms) {
-  if (!ms) return "";
-  return new Date(ms).toLocaleString("nl-NL", { timeZone: "Europe/Amsterdam" });
-}
-function formatProjectsTable(projects) {
-  if (projects.length === 0) return "No Vercel projects found";
-  const lines = projects.map((p) => {
-    const repo = p.link ? `${p.link.org ?? ""}/${p.link.repo ?? ""}` : "";
-    const prodUrl = p.targets?.production?.alias?.[0] ?? p.targets?.production?.url ?? "";
-    const latest = p.latestDeployments?.[0];
-    const latestStr = latest ? `${latest.state} @ ${formatTimestamp(latest.createdAt)}` : "";
-    return `${p.id.padEnd(28)}  ${(p.name || "").padEnd(40)}  ${(p.framework || "-").padEnd(10)}  ${repo.padEnd(40)}  ${prodUrl.padEnd(35)}  ${latestStr}`;
-  });
-  const header = `${"ID".padEnd(28)}  ${"NAME".padEnd(40)}  ${"FRAMEWORK".padEnd(10)}  ${"REPO".padEnd(40)}  ${"PROD URL".padEnd(35)}  LATEST`;
-  return `${header}
-${"-".repeat(header.length)}
-${lines.join("\n")}`;
-}
-function formatDeploymentsTable(deployments) {
-  if (deployments.length === 0) return "No deployments found";
-  const lines = deployments.map((d) => {
-    const branch = d.meta?.githubCommitRef ?? "";
-    const sha = d.meta?.githubCommitSha?.slice(0, 7) ?? "";
-    const msg = (d.meta?.githubCommitMessage ?? "").replace(/\n.*/s, "").slice(0, 60);
-    return `${d.uid.padEnd(28)}  ${d.state.padEnd(11)}  ${(d.target || "-").padEnd(10)}  ${branch.padEnd(20)}  ${sha.padEnd(8)}  ${formatTimestamp(d.created).padEnd(20)}  ${msg}`;
-  });
-  const header = `${"ID".padEnd(28)}  ${"STATE".padEnd(11)}  ${"TARGET".padEnd(10)}  ${"BRANCH".padEnd(20)}  ${"COMMIT".padEnd(8)}  ${"CREATED".padEnd(20)}  MESSAGE`;
-  return `${header}
-${"-".repeat(header.length)}
-${lines.join("\n")}`;
-}
-function formatBuildEvents(events) {
-  if (events.length === 0) return "No build events found for this deployment";
-  const filtered = events.filter(
-    (e) => ["command", "stdout", "stderr", "exit", "delimiter", "deployment-state"].includes(e.type)
-  );
-  return filtered.map((e) => {
-    const time = e.created ? new Date(e.created).toISOString().slice(11, 19) : "--:--:--";
-    const text = (e.payload?.text ?? e.text ?? "").replace(/\s+$/u, "");
-    const prefix = e.type === "stderr" ? "!" : " ";
-    return `${prefix}${time} [${e.type.padEnd(16)}] ${text}`;
-  }).join("\n");
-}
-function formatRuntimeLogs(logs) {
-  if (logs.length === 0) {
-    return "No runtime logs found for this deployment in the requested window";
-  }
-  return logs.map((l) => {
-    const ts = l.timestampInMs ?? l.timestamp ?? 0;
-    const time = ts ? new Date(ts).toISOString().slice(11, 23) : "--:--:--";
-    const level = (l.level ?? "info").toUpperCase().padEnd(5);
-    const status = l.proxy?.statusCode ?? l.responseStatusCode;
-    const reqInfo = l.proxy?.method ? `${l.proxy.method} ${l.proxy.path ?? ""} ${status ?? ""}`.trim() : "";
-    const message = (l.message ?? l.text ?? "").replace(/\s+$/u, "");
-    const reqId = l.requestId ? ` [${l.requestId.slice(0, 12)}]` : "";
-    const head = reqInfo ? `${reqInfo}${reqId}` : reqId.trim();
-    return `${time} [${level}] ${head ? head + " " : ""}${message}`;
-  }).join("\n");
-}
-function formatWebhookHistory(rows) {
-  if (rows.length === 0) return "No webhook log rows match those filters";
-  const lines = rows.map((r) => {
-    const ts = new Date(r.created_at).toLocaleString("nl-NL", { timeZone: "Europe/Amsterdam" });
-    const note = r.error_message ?? r.message ?? "";
-    return `${ts.padEnd(20)}  ${r.event_type.padEnd(22)}  ${r.status.padEnd(8)}  ${(r.project_name ?? "").padEnd(40)}  ${(r.target ?? "").padEnd(10)}  ${(r.deployment_id ?? "").padEnd(28)}  ${note}`;
-  });
-  const header = `${"WHEN".padEnd(20)}  ${"EVENT".padEnd(22)}  ${"STATUS".padEnd(8)}  ${"PROJECT".padEnd(40)}  ${"TARGET".padEnd(10)}  ${"DEPLOYMENT".padEnd(28)}  NOTE`;
-  return `${header}
-${"-".repeat(header.length)}
-${lines.join("\n")}`;
-}
-function formatDomainsTable(domains) {
-  if (domains.length === 0) return "No domains attached to this project";
-  const lines = domains.map((d) => {
-    const verified = d.verified ? "yes" : "no";
-    const branch = d.gitBranch ?? "";
-    const redirect = d.redirect ? `${d.redirect}${d.redirectStatusCode ? ` (${d.redirectStatusCode})` : ""}` : "";
-    return `${d.name.padEnd(45)}  ${verified.padEnd(9)}  ${branch.padEnd(20)}  ${redirect.padEnd(35)}  ${formatTimestamp(d.createdAt)}`;
-  });
-  const header = `${"DOMAIN".padEnd(45)}  ${"VERIFIED".padEnd(9)}  ${"GIT BRANCH".padEnd(20)}  ${"REDIRECT".padEnd(35)}  CREATED`;
-  return `${header}
-${"-".repeat(header.length)}
-${lines.join("\n")}`;
-}
-function formatDomainStatus(domain, config) {
-  const lines = [];
-  lines.push(`Domain: ${domain.name}`);
-  lines.push(`Verified: ${domain.verified ? "yes" : "no"}`);
-  if (config) {
-    lines.push(`Misconfigured: ${config.misconfigured ? "yes" : "no"}`);
-    if (config.configuredBy) lines.push(`Configured by: ${config.configuredBy}`);
-  }
-  if (domain.gitBranch) lines.push(`Git branch: ${domain.gitBranch}`);
-  if (domain.redirect) {
-    lines.push(
-      `Redirect: ${domain.redirect}${domain.redirectStatusCode ? ` (${domain.redirectStatusCode})` : ""}`
-    );
-  }
-  if (domain.verification && domain.verification.length > 0) {
-    lines.push("");
-    lines.push("Required DNS records to verify ownership:");
-    for (const v of domain.verification) {
-      lines.push(`  ${v.type.padEnd(6)} ${v.domain.padEnd(45)} ${v.value}${v.reason ? `  // ${v.reason}` : ""}`);
-    }
-  }
-  return lines.join("\n");
-}
-async function handleVercelTool(name, args2, deps) {
-  switch (name) {
-    case "vercel-projects": {
-      const token = await getVercelToken(deps);
-      const limit = Math.min(Math.max(Number(args2.limit) || 50, 1), 200);
-      const search = typeof args2.search === "string" ? args2.search.toLowerCase() : null;
-      const { projects, error } = await listVercelProjectsAll(token, limit);
-      if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-      const filtered = search ? projects.filter((p) => (p.name || "").toLowerCase().includes(search)) : projects;
-      return { content: [{ type: "text", text: formatProjectsTable(filtered) }] };
-    }
-    case "vercel-deployments": {
-      const token = await getVercelToken(deps);
-      const projectInput = String(args2.project);
-      const limit = Math.min(Math.max(Number(args2.limit) || 20, 1), 100);
-      const projectId = await resolveProjectId(token, projectInput);
-      const { deployments, error } = await listVercelDeployments(token, {
-        projectId,
-        limit,
-        state: args2.state ? String(args2.state) : void 0,
-        target: args2.target ? String(args2.target) : void 0
-      });
-      if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-      return { content: [{ type: "text", text: formatDeploymentsTable(deployments) }] };
-    }
-    case "vercel-logs": {
-      const kind = (args2.kind ? String(args2.kind) : "build").toLowerCase();
-      if (kind === "build") {
-        if (!args2.deploymentId) {
-          return { content: [{ type: "text", text: 'Error: kind="build" requires deploymentId.' }] };
-        }
-        const token = await getVercelToken(deps);
-        const deploymentId = String(args2.deploymentId);
-        const limit = Math.min(Math.max(Number(args2.limit) || 500, 1), 5e3);
-        const { events, error } = await getDeploymentBuildEvents(token, deploymentId, limit);
-        if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-        return { content: [{ type: "text", text: formatBuildEvents(events) }] };
-      }
-      if (kind === "runtime") {
-        if (!args2.project || !args2.deploymentId) {
-          return {
-            content: [
-              { type: "text", text: 'Error: kind="runtime" requires both project and deploymentId.' }
-            ]
-          };
-        }
-        const token = await getVercelToken(deps);
-        const projectInput = String(args2.project);
-        const deploymentId = String(args2.deploymentId);
-        const limit = Math.min(Math.max(Number(args2.limit) || 200, 1), 1e3);
-        const sinceMinutesRaw = Number(args2.sinceMinutes);
-        const sinceExplicit = Number.isFinite(sinceMinutesRaw) && sinceMinutesRaw > 0;
-        const [projectId, deploymentCreatedMs] = await Promise.all([
-          resolveProjectId(token, projectInput),
-          sinceExplicit ? Promise.resolve(null) : getDeploymentCreatedMs(token, deploymentId)
-        ]);
-        const maxWindowMin = 7 * 24 * 60;
-        const autoCapMin = 30;
-        let sinceMs;
-        let windowNote = "";
-        if (sinceExplicit) {
-          const capped = Math.min(sinceMinutesRaw, maxWindowMin);
-          sinceMs = Date.now() - capped * 6e4;
-          windowNote = `window: last ${capped} min (caller-specified)`;
-        } else if (deploymentCreatedMs) {
-          const bufferMs = 5 * 6e4;
-          const sinceDeploymentMs = deploymentCreatedMs - bufferMs;
-          const ageMin = Math.max(1, Math.round((Date.now() - sinceDeploymentMs) / 6e4));
-          if (ageMin <= autoCapMin) {
-            sinceMs = sinceDeploymentMs;
-            windowNote = `window: auto ${ageMin} min from deployment createdAt - 5 min buffer`;
-          } else {
-            sinceMs = Date.now() - autoCapMin * 6e4;
-            windowNote = `window: capped to last ${autoCapMin} min (deployment is ${ageMin} min old \u2014 pass sinceMinutes to widen up to ${maxWindowMin})`;
-          }
-        } else {
-          sinceMs = Date.now() - autoCapMin * 6e4;
-          windowNote = `window: last ${autoCapMin} min (deployment metadata unavailable, used fallback)`;
-        }
-        const { logs, error } = await getRuntimeLogs(
-          token,
-          projectId,
-          deploymentId,
-          limit,
-          sinceMs
-        );
-        if (error) {
-          const hint = error.includes("404") || error.includes("400") ? '\n\nThis endpoint requires both project ID and deployment ID and may not be available on every Vercel plan. Use kind="webhooks" or query the vercel_deployment_log table directly for archived runtime logs.' : "";
-          return { content: [{ type: "text", text: `Error: ${error}${hint}` }] };
-        }
-        const body = formatRuntimeLogs(logs);
-        const hitDurationLimit = /Exceeded query duration limit/i.test(body);
-        const footer = hitDurationLimit ? `
-[${windowNote}]
-[hint] Vercel hit its 5-min query budget for this window. Try a smaller sinceMinutes (e.g. 5-10), lower limit, or use kind="webhooks" / query the vercel_deployment_log table for archived logs.` : `
-[${windowNote}]`;
-        return { content: [{ type: "text", text: body + footer }] };
-      }
-      if (kind === "webhooks") {
-        const limit = Math.min(Math.max(Number(args2.limit) || 25, 1), 200);
-        const conds = [sql`TRUE`];
-        if (args2.projectName) conds.push(sql`project_name = ${String(args2.projectName)}`);
-        if (args2.status) conds.push(sql`status = ${String(args2.status)}`);
-        const where = sql.join(conds, sql` AND `);
-        try {
-          const rows = await deps.db.execute(sql`
-            SELECT id, event_type, status, project_name, deployment_id, target,
-                   message, error_message, created_at
-            FROM vercel_webhook_logs
-            WHERE ${where}
-            ORDER BY created_at DESC
-            LIMIT ${limit}
-          `);
-          return {
-            content: [{ type: "text", text: formatWebhookHistory([...rows]) }]
-          };
-        } catch (err) {
-          const msg = err instanceof Error ? err.message : String(err);
-          return { content: [{ type: "text", text: `Error: ${msg}` }] };
-        }
-      }
-      return {
-        content: [
-          { type: "text", text: `Error: unknown kind "${kind}". Use build, runtime, or webhooks.` }
-        ]
-      };
-    }
-    case "vercel-domains": {
-      const action = (args2.action ? String(args2.action) : "list").toLowerCase();
-      if (!args2.project) {
-        return { content: [{ type: "text", text: 'Error: vercel-domains requires "project".' }] };
-      }
-      const token = await getVercelToken(deps);
-      const projectInput = String(args2.project);
-      const projectId = await resolveProjectId(token, projectInput);
-      if (action === "list") {
-        const { domains, error } = await listProjectDomains(token, projectId);
-        if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-        return { content: [{ type: "text", text: formatDomainsTable(domains) }] };
-      }
-      if (action === "add") {
-        if (!args2.domain) {
-          return { content: [{ type: "text", text: 'Error: action="add" requires "domain".' }] };
-        }
-        const body = { name: String(args2.domain) };
-        if (args2.gitBranch) body.gitBranch = String(args2.gitBranch);
-        if (args2.redirect) body.redirect = String(args2.redirect);
-        if (args2.redirectStatusCode) body.redirectStatusCode = Number(args2.redirectStatusCode);
-        const { domain, error } = await addProjectDomain(token, projectId, body);
-        if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-        if (!domain) {
-          return { content: [{ type: "text", text: `Domain ${body.name} added (no detail returned).` }] };
-        }
-        const { config } = await getDomainConfig(token, domain.name);
-        const status = formatDomainStatus(domain, config);
-        const headline = domain.verified ? `Domain ${domain.name} added and verified.` : `Domain ${domain.name} added. DNS verification still pending.`;
-        return { content: [{ type: "text", text: `${headline}
-${status}` }] };
-      }
-      if (action === "verify") {
-        if (!args2.domain) {
-          return { content: [{ type: "text", text: 'Error: action="verify" requires "domain".' }] };
-        }
-        const domainName = String(args2.domain);
-        const { domain, error } = await getProjectDomain(token, projectId, domainName);
-        if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-        if (!domain) {
-          return { content: [{ type: "text", text: `Domain ${domainName} not found on this project.` }] };
-        }
-        const { config } = await getDomainConfig(token, domainName);
-        return { content: [{ type: "text", text: formatDomainStatus(domain, config) }] };
-      }
-      if (action === "remove") {
-        if (!args2.domain) {
-          return { content: [{ type: "text", text: 'Error: action="remove" requires "domain".' }] };
-        }
-        const domainName = String(args2.domain);
-        const { error } = await removeProjectDomain(token, projectId, domainName);
-        if (error) return { content: [{ type: "text", text: `Error: ${error}` }] };
-        return { content: [{ type: "text", text: `Domain ${domainName} removed from project.` }] };
-      }
-      return {
-        content: [
-          { type: "text", text: `Error: unknown action "${action}". Use list, add, verify, or remove.` }
-        ]
-      };
-    }
-    default:
-      return { content: [{ type: "text", text: `Unknown vercel tool: ${name}` }] };
-  }
-}
 var REPO_TOOLS = [
   {
     name: "repo-list",
@@ -1979,19 +1540,42 @@ var sshKeyPath = getArg2("ssh-key") || process.env.MG_DASHBOARD_SSH_KEY;
 var databaseUrl = getArg2("database-url") || process.env.DATABASE_PRIMARY_POOLER_URL || process.env.DATABASE_PRIMARY_URL;
 var encryptionKey = getArg2("encryption-key") || process.env.ENCRYPTION_KEY;
 var mijnhostApiKey = getArg2("mijnhost-api-key") || process.env.MIJNHOST_API_KEY;
+var dbSshTunnel = getArg2("db-ssh-tunnel") || process.env.MG_DASHBOARD_DB_SSH_TUNNEL;
+var dbRemoteEnvFile = getArg2("db-remote-env-file") || process.env.MG_DASHBOARD_DB_REMOTE_ENV_FILE;
+var dbRemoteEnvKey = getArg2("db-remote-env-key") || process.env.MG_DASHBOARD_DB_REMOTE_ENV_KEY || "DATABASE_PRIMARY_URL";
 var httpMode = args.includes("--http");
 var httpPort = Number(getArg2("port")) || 3100;
 if (!apiKey || !sshKeyPath) {
   console.error("Authentication required. Use both --api-key=dk_xxx and --ssh-key=PATH (path to your SSH private or public key), or set MG_DASHBOARD_API_KEY and MG_DASHBOARD_SSH_KEY.");
   process.exit(1);
 }
+if (dbRemoteEnvFile && !dbSshTunnel) {
+  console.error("--db-remote-env-file requires --db-ssh-tunnel (the same SSH connection is used to read the env value).");
+  process.exit(1);
+}
+if (dbRemoteEnvFile) {
+  const { fetchRemoteEnvValue: fetchRemoteEnvValue2 } = await Promise.resolve().then(() => (init_db_ssh_tunnel(), db_ssh_tunnel_exports));
+  databaseUrl = await fetchRemoteEnvValue2({
+    sshTarget: dbSshTunnel,
+    sshKeyPath,
+    remoteEnvPath: dbRemoteEnvFile,
+    envKey: dbRemoteEnvKey
+  });
+}
 if (!databaseUrl) {
-  console.error("Database URL required. Use --database-url=postgres://... or set DATABASE_PRIMARY_URL (or DATABASE_PRIMARY_POOLER_URL).");
+  console.error("Database URL required. Provide one of:\n  --database-url=postgres://...\n  --db-remote-env-file=/path/.env (combined with --db-ssh-tunnel)\n  DATABASE_PRIMARY_URL or DATABASE_PRIMARY_POOLER_URL env var");
   process.exit(1);
 }
-if (!process.env.DATABASE_PRIMARY_URL && !process.env.DATABASE_PRIMARY_POOLER_URL) {
-  process.env.DATABASE_PRIMARY_URL = databaseUrl;
+if (dbSshTunnel) {
+  const { openDbSshTunnel: openDbSshTunnel2 } = await Promise.resolve().then(() => (init_db_ssh_tunnel(), db_ssh_tunnel_exports));
+  const tunnel = await openDbSshTunnel2({ sshTarget: dbSshTunnel, sshKeyPath, databaseUrl });
+  databaseUrl = tunnel.rewrittenDatabaseUrl;
+  process.on("exit", () => {
+    void tunnel.close();
+  });
 }
+process.env.DATABASE_PRIMARY_URL = databaseUrl;
+process.env.DATABASE_PRIMARY_POOLER_URL = databaseUrl;
 var db = getDb();
 var RateLimiter = class {
   buckets = /* @__PURE__ */ new Map();
@@ -2079,7 +1663,6 @@ async function writeAuditLog(entry) {
 var MODULE_KEYS = [
   "users",
   "ssh_servers",
-  "supabase",
   "wiki",
   "ci_cd",
   "domains",
@@ -2088,7 +1671,7 @@ var MODULE_KEYS = [
 ];
 var FULL_PERMISSIONS = {
   modules: Object.fromEntries(MODULE_KEYS.map((k) => [k, true])),
-  resources: { ssh_servers: ["*"], supabase_instances: ["*"] }
+  resources: { ssh_servers: ["*"] }
 };
 function parsePermissions(raw) {
   if (!raw || typeof raw !== "object") return null;
@@ -2105,8 +1688,7 @@ function resolvePermissions(roleName, roleDefaults, userOverrides) {
     modules[key] = userVal !== void 0 ? userVal : roleVal !== void 0 ? roleVal : false;
   }
   const resources = {
-    ssh_servers: overrides?.resources?.ssh_servers ?? base?.resources?.ssh_servers ?? [],
-    supabase_instances: overrides?.resources?.supabase_instances ?? base?.resources?.supabase_instances ?? []
+    ssh_servers: overrides?.resources?.ssh_servers ?? base?.resources?.ssh_servers ?? []
   };
   return { modules, resources };
 }
@@ -2146,7 +1728,6 @@ var TOOL_MODULE_MAP = {
   "dns-list": "domains",
   "dns-record": "domains",
   ...TRIGGER_TOOL_MODULE_MAP,
-  ...VERCEL_TOOL_MODULE_MAP,
   ...REPO_TOOL_MODULE_MAP
 };
 var authContext = null;
@@ -2503,151 +2084,6 @@ function decrypt(payload) {
   decrypted += decipher.final("utf8");
   return decrypted;
 }
-var VERCEL_API2 = "https://api.vercel.com";
-function parseEnvContent(content) {
-  const result = {};
-  for (const line of content.split("\n")) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) continue;
-    const eqIdx = trimmed.indexOf("=");
-    if (eqIdx === -1) continue;
-    const key = trimmed.slice(0, eqIdx).trim();
-    let value = trimmed.slice(eqIdx + 1).trim();
-    if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-      value = value.slice(1, -1);
-    }
-    if (key) result[key] = value;
-  }
-  return result;
-}
-function stageToVercelTargets(stageType, customEnvId) {
-  if (stageType === "prod") return { target: ["production"] };
-  if (customEnvId) return { customEnvironmentIds: [customEnvId] };
-  return { target: ["preview"] };
-}
-function getVercelEnvSyncTargetings(stageType, customEnvId) {
-  const primary = stageToVercelTargets(stageType, customEnvId);
-  if (stageType !== "dev") return [primary];
-  return [primary, { target: ["development"] }];
-}
-async function syncEnvVarsToVercel(token, projectId, envVars) {
-  if (envVars.length === 0) return { created: 0, error: null };
-  const res = await fetch(
-    `${VERCEL_API2}/v10/projects/${encodeURIComponent(projectId)}/env?upsert=true`,
-    {
-      method: "POST",
-      headers: {
-        Authorization: `Bearer ${token}`,
-        "Content-Type": "application/json"
-      },
-      body: JSON.stringify(envVars)
-    }
-  );
-  if (!res.ok) {
-    const body = await res.text().catch(() => "");
-    return { created: 0, error: `Vercel API ${res.status}: ${body}` };
-  }
-  const data = await res.json().catch(() => ({}));
-  return { created: data?.created?.length ?? envVars.length, error: null };
-}
-async function attemptVercelSync(appName, environment, knownStageId) {
-  try {
-    let stageId = knownStageId;
-    if (!stageId) {
-      const directRows = await db.execute(sql`
-        SELECT release_profile_stage_id
-        FROM env_config
-        WHERE app_name = ${appName} AND release_profile_stage_id IS NOT NULL
-        LIMIT 1
-      `);
-      stageId = directRows[0]?.release_profile_stage_id;
-    }
-    if (!stageId) return "Vercel sync skipped: no stage link found";
-    const settingsRows = await db.execute(sql`
-      SELECT vercel_token_encrypted FROM app_setting LIMIT 1
-    `);
-    const settings = settingsRows[0];
-    if (!settings?.vercel_token_encrypted) return "Vercel sync skipped: no Vercel token configured";
-    let token;
-    try {
-      token = decrypt(settings.vercel_token_encrypted);
-    } catch {
-      return "Vercel sync failed: could not decrypt Vercel token";
-    }
-    const stageRows = await db.execute(sql`
-      SELECT id, stage, stage_apps FROM release_profile_stage
-      WHERE id = ${stageId}
-      LIMIT 1
-    `);
-    const stage = stageRows[0];
-    if (!stage) return "Vercel sync skipped: stage not found";
-    const stageType = stage.stage;
-    const stageApps = stage.stage_apps || [];
-    const vercelApps = stageApps.filter(
-      (a) => a.deployMethod === "vercel" && a.enabled && a.vercelProjectId
-    );
-    if (vercelApps.length === 0) return "Vercel sync skipped: no Vercel apps in stage";
-    const envConfigs = await db.execute(sql`
-      SELECT id, app_name, environment, variant, env_data_encrypted, release_profile_stage_id
-      FROM env_config
-      WHERE release_profile_stage_id = ${stageId}
-    `);
-    if (envConfigs.length === 0) return "Vercel sync skipped: no env configs for stage";
-    const variantMap = {
-      dev: "development",
-      staging: "staging",
-      prod: "production"
-    };
-    const deployedVariant = variantMap[stageType] ?? stageType;
-    const syncResults = [];
-    for (const app of vercelApps) {
-      const name = app.path.replace("apps/", "");
-      const config = envConfigs.find(
-        (c) => c.app_name === name && c.variant === deployedVariant
-      );
-      if (!config) {
-        syncResults.push(`${app.label}: skipped (no config for variant "${deployedVariant}")`);
-        continue;
-      }
-      let envContent;
-      try {
-        envContent = decrypt(config.env_data_encrypted);
-      } catch {
-        syncResults.push(`${app.label}: decrypt failed`);
-        continue;
-      }
-      const pairs = parseEnvContent(envContent);
-      const keys = Object.keys(pairs);
-      if (keys.length === 0) {
-        syncResults.push(`${app.label}: empty config`);
-        continue;
-      }
-      const targetings = getVercelEnvSyncTargetings(stageType, app.vercelCustomEnvId);
-      let createdTotal = 0;
-      let lastErr = null;
-      for (const targeting of targetings) {
-        const envVars = keys.map((key) => ({
-          key,
-          value: pairs[key],
-          type: "encrypted",
-          ...targeting
-        }));
-        const { created, error } = await syncEnvVarsToVercel(token, app.vercelProjectId, envVars);
-        if (error) lastErr = error;
-        else createdTotal += created;
-      }
-      if (lastErr) {
-        syncResults.push(`${app.label}: FAILED - ${lastErr}`);
-      } else {
-        syncResults.push(`${app.label}: ${createdTotal} var upsert(s) synced`);
-      }
-    }
-    return `Vercel sync: ${syncResults.join("; ")}`;
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return `Vercel sync error: ${msg}`;
-  }
-}
 function posixQuote(arg) {
   if (arg === "") return "''";
   if (/^[A-Za-z0-9._\/=:@%+\-]+$/.test(arg)) return arg;
@@ -4276,11 +3712,11 @@ CREATE TABLE IF NOT EXISTS _mcp_migrations (
   applied_by  TEXT
 );
 `.trim();
-function normaliseMigrationSql(sql4) {
-  return sql4.replace(/\r\n/g, "\n").trim() + "\n";
+function normaliseMigrationSql(sql3) {
+  return sql3.replace(/\r\n/g, "\n").trim() + "\n";
 }
-function migrationSha256(sql4) {
-  return createHash("sha256").update(normaliseMigrationSql(sql4), "utf8").digest("hex");
+function migrationSha256(sql3) {
+  return createHash("sha256").update(normaliseMigrationSql(sql3), "utf8").digest("hex");
 }
 function dollarQuoteTag(value) {
   let tag = "_mcp";
@@ -4881,8 +4317,6 @@ var TOOLS = [
   },
   // ----- Trigger.dev -----
   ...TRIGGER_TOOLS,
-  // ----- Vercel -----
-  ...VERCEL_TOOLS,
   // ----- Repo reference -----
   ...REPO_TOOLS
 ];
@@ -6363,9 +5797,7 @@ LIMIT ${limit};
           `);
           saveMsg = `Stored env config: ${appName}/${environment}`;
         }
-        const syncStageId = existing?.release_profile_stage_id ?? resolvedStageIds?.[0];
-        const vercelStatus = await attemptVercelSync(appName, environment, syncStageId);
-        return { content: [{ type: "text", text: `${saveMsg}. ${vercelStatus}` }] };
+        return { content: [{ type: "text", text: saveMsg }] };
       }
       // ----- Cache Purge -----
       case "cache-purge": {
@@ -6626,9 +6058,6 @@ ${lines.join("\n")}` }] };
         if (TRIGGER_TOOL_NAMES.has(name)) {
           return handleTriggerTool(name, a, { sshExec, getServerConnection });
         }
-        if (VERCEL_TOOL_NAMES.has(name)) {
-          return handleVercelTool(name, a, { db, decrypt });
-        }
         if (REPO_TOOL_NAMES.has(name)) {
           return handleRepoTool(name, a, { db, sshExec, getServerConnection });
         }