@mtaap/mcp 0.2.12 → 0.2.13

package/dist/server.js

@@ -0,0 +1,2656 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+
+// src/server.ts
+var import_express = __toESM(require("express"));
+var import_node_crypto = require("crypto");
+var import_streamableHttp = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+var import_types = require("@modelcontextprotocol/sdk/types.js");
+
+// src/index.ts
+var import_mcp = require("@modelcontextprotocol/sdk/server/mcp.js");
+var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
+
+// package.json
+var package_default = {
+  name: "@mtaap/mcp",
+  version: "0.2.12",
+  description: "Model Context Protocol (MCP) server for AI agents to interact with Collab - the multi-tenant collaborative agent development platform",
+  mcpName: "collab",
+  scripts: {
+    build: "tsup"
+  },
+  main: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  bin: {
+    "collab-mcp": "./dist/cli.js",
+    "collab-mcp-server": "./dist/server.js"
+  },
+  publishConfig: {
+    access: "public"
+  },
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      require: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  keywords: [
+    "mcp",
+    "model-context-protocol",
+    "ai",
+    "agent",
+    "collaboration",
+    "task-management",
+    "claude",
+    "anthropic"
+  ],
+  license: "Proprietary",
+  author: "MTAAP Contributors",
+  engines: {
+    node: ">=18.18.0"
+  },
+  dependencies: {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    express: "^5.0.1",
+    zod: "^4.3.5"
+  },
+  devDependencies: {
+    "@mtaap/config-typescript": "workspace:*",
+    "@mtaap/core": "workspace:*",
+    "@types/express": "^5.0.0",
+    "@types/node": "^22.0.0",
+    tsup: "^8.5.1",
+    typescript: "^5.4.0"
+  }
+};
+
+// src/version.ts
+var VERSION = package_default.version;
+
+// src/index.ts
+var import_zod3 = require("zod");
+
+// ../../packages/core/dist/constants/enums.js
+var TaskState;
+(function(TaskState2) {
+  TaskState2["DRAFT"] = "DRAFT";
+  TaskState2["TODO"] = "TODO";
+  TaskState2["BACKLOG"] = "BACKLOG";
+  TaskState2["READY"] = "READY";
+  TaskState2["IN_PROGRESS"] = "IN_PROGRESS";
+  TaskState2["REVIEW"] = "REVIEW";
+  TaskState2["DONE"] = "DONE";
+})(TaskState || (TaskState = {}));
+var VerificationStatus;
+(function(VerificationStatus2) {
+  VerificationStatus2["PENDING"] = "PENDING";
+  VerificationStatus2["PASSED"] = "PASSED";
+  VerificationStatus2["NEEDS_REVISION"] = "NEEDS_REVISION";
+})(VerificationStatus || (VerificationStatus = {}));
+var UserRole;
+(function(UserRole2) {
+  UserRole2["ADMIN"] = "ADMIN";
+  UserRole2["MEMBER"] = "MEMBER";
+})(UserRole || (UserRole = {}));
+var ProjectType;
+(function(ProjectType2) {
+  ProjectType2["TEAM"] = "TEAM";
+  ProjectType2["PERSONAL"] = "PERSONAL";
+})(ProjectType || (ProjectType = {}));
+var ProjectOrigin;
+(function(ProjectOrigin2) {
+  ProjectOrigin2["CREATED"] = "CREATED";
+  ProjectOrigin2["PROMOTED"] = "PROMOTED";
+})(ProjectOrigin || (ProjectOrigin = {}));
+var TaskPriority;
+(function(TaskPriority2) {
+  TaskPriority2["LOW"] = "LOW";
+  TaskPriority2["MEDIUM"] = "MEDIUM";
+  TaskPriority2["HIGH"] = "HIGH";
+  TaskPriority2["CRITICAL"] = "CRITICAL";
+})(TaskPriority || (TaskPriority = {}));
+var DeploymentMode;
+(function(DeploymentMode2) {
+  DeploymentMode2["SAAS"] = "saas";
+  DeploymentMode2["ONPREM"] = "onprem";
+})(DeploymentMode || (DeploymentMode = {}));
+var ErrorType;
+(function(ErrorType3) {
+  ErrorType3["BUILD_FAILURE"] = "BUILD_FAILURE";
+  ErrorType3["TEST_FAILURE"] = "TEST_FAILURE";
+  ErrorType3["CONFLICT"] = "CONFLICT";
+  ErrorType3["AUTH_ERROR"] = "AUTH_ERROR";
+  ErrorType3["OTHER"] = "OTHER";
+})(ErrorType || (ErrorType = {}));
+var PRStatus;
+(function(PRStatus2) {
+  PRStatus2["OPEN"] = "OPEN";
+  PRStatus2["CLOSED"] = "CLOSED";
+  PRStatus2["MERGED"] = "MERGED";
+  PRStatus2["DELETED"] = "DELETED";
+})(PRStatus || (PRStatus = {}));
+var PricingTier;
+(function(PricingTier2) {
+  PricingTier2["FREE"] = "FREE";
+  PricingTier2["PRO"] = "PRO";
+  PricingTier2["ENTERPRISE"] = "ENTERPRISE";
+})(PricingTier || (PricingTier = {}));
+var ApiKeyPermission;
+(function(ApiKeyPermission2) {
+  ApiKeyPermission2["READ"] = "READ";
+  ApiKeyPermission2["WRITE"] = "WRITE";
+  ApiKeyPermission2["ADMIN"] = "ADMIN";
+})(ApiKeyPermission || (ApiKeyPermission = {}));
+var WebSocketEventType;
+(function(WebSocketEventType2) {
+  WebSocketEventType2["TASK_ASSIGNED"] = "task.assigned";
+  WebSocketEventType2["TASK_ABANDONED"] = "task.abandoned";
+  WebSocketEventType2["TASK_PROGRESS"] = "task.progress";
+  WebSocketEventType2["TASK_PR_CREATED"] = "task.pr_created";
+  WebSocketEventType2["TASK_REVIEW_REQUESTED"] = "task.review_requested";
+  WebSocketEventType2["TASK_COMPLETED"] = "task.completed";
+  WebSocketEventType2["TASK_ERROR"] = "task.error";
+  WebSocketEventType2["TASK_STATE_CHANGED"] = "task.state_changed";
+  WebSocketEventType2["TASK_UPDATED"] = "task.updated";
+  WebSocketEventType2["TASK_DELETED"] = "task.deleted";
+  WebSocketEventType2["MEMBER_JOINED"] = "member.joined";
+})(WebSocketEventType || (WebSocketEventType = {}));
+var AuthProvider;
+(function(AuthProvider2) {
+  AuthProvider2["CREDENTIALS"] = "credentials";
+  AuthProvider2["LDAP"] = "ldap";
+  AuthProvider2["SSO"] = "sso";
+})(AuthProvider || (AuthProvider = {}));
+var SubscriptionStatus;
+(function(SubscriptionStatus2) {
+  SubscriptionStatus2["ACTIVE"] = "ACTIVE";
+  SubscriptionStatus2["INACTIVE"] = "INACTIVE";
+  SubscriptionStatus2["PAST_DUE"] = "PAST_DUE";
+  SubscriptionStatus2["CANCELED"] = "CANCELED";
+  SubscriptionStatus2["INCOMPLETE"] = "INCOMPLETE";
+})(SubscriptionStatus || (SubscriptionStatus = {}));
+var EventType;
+(function(EventType2) {
+  EventType2["AUTH"] = "AUTH";
+  EventType2["AUTHORIZATION"] = "AUTHORIZATION";
+  EventType2["ACCESS"] = "ACCESS";
+  EventType2["MODIFICATION"] = "MODIFICATION";
+})(EventType || (EventType = {}));
+
+// ../../packages/core/dist/constants/state-machine.js
+var VALID_TRANSITIONS = {
+  [TaskState.DRAFT]: [TaskState.TODO],
+  [TaskState.TODO]: [TaskState.DRAFT, TaskState.IN_PROGRESS],
+  // Deprecated: BACKLOG transitions to DRAFT (its replacement)
+  [TaskState.BACKLOG]: [TaskState.DRAFT, TaskState.TODO],
+  // Deprecated: READY transitions to TODO (its replacement)
+  [TaskState.READY]: [TaskState.TODO, TaskState.IN_PROGRESS],
+  [TaskState.IN_PROGRESS]: [
+    TaskState.DRAFT,
+    TaskState.TODO,
+    TaskState.REVIEW
+  ],
+  [TaskState.REVIEW]: [
+    TaskState.DRAFT,
+    TaskState.TODO,
+    TaskState.IN_PROGRESS,
+    TaskState.DONE
+  ],
+  [TaskState.DONE]: []
+};
+
+// ../../packages/core/dist/config/deployment.js
+var config = {
+  deploymentMode: process.env.DEPLOYMENT_MODE || "saas"
+};
+var isSaas = config.deploymentMode === "saas";
+var isOnPrem = config.deploymentMode === "onprem";
+
+// ../../packages/core/dist/version.js
+var VERSION2 = "0.1.0";
+
+// ../../packages/core/dist/config/index.js
+var DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || "saas";
+var config2 = {
+  version: VERSION2,
+  deploymentMode: DEPLOYMENT_MODE,
+  billing: {
+    enabled: DEPLOYMENT_MODE === "saas",
+    revenuecat: {
+      publicKey: process.env.REVENUECAT_PUBLIC_API_KEY,
+      stripeKey: process.env.STRIPE_SECRET_KEY
+      // Required by RevenueCat Web Billing
+    }
+  },
+  licensing: {
+    enabled: DEPLOYMENT_MODE === "onprem",
+    licenseKey: process.env.LICENSE_KEY
+  },
+  auth: {
+    credentials: true,
+    ldap: process.env.LDAP_ENABLED === "true"
+  },
+  git: {
+    deleteMergedBranches: process.env.DELETE_MERGED_BRANCHES !== "false",
+    enforceConventionalCommits: process.env.ENFORCE_CONVENTIONAL_COMMITS === "true",
+    defaultBaseBranch: process.env.DEFAULT_BASE_BRANCH || "develop"
+  },
+  pricing: {
+    maxPersonalProjects: {
+      FREE: 2,
+      PRO: 5,
+      ENTERPRISE: 10
+    },
+    maxCollaboratorsPerProject: {
+      FREE: 3,
+      PRO: -1,
+      ENTERPRISE: -1
+    },
+    maxProjectsPerOrg: {
+      FREE: 5,
+      PRO: -1,
+      ENTERPRISE: -1
+    },
+    maxSeats: {
+      FREE: 3,
+      PRO: -1,
+      ENTERPRISE: -1
+    },
+    // Default seats when subscription doesn't specify an explicit seat count
+    defaultSeats: {
+      FREE: 3,
+      PRO: 10,
+      ENTERPRISE: 999999
+    }
+  },
+  features: {
+    stripe: {
+      enabled: DEPLOYMENT_MODE === "saas"
+    },
+    gitlab: {
+      enabled: true
+    },
+    ldap: {
+      enabled: process.env.LDAP_ENABLED === "true"
+    },
+    auditLogs: {
+      enabled: process.env.AUDIT_LOGS_ENABLED === "true"
+    }
+  },
+  api: {
+    apiKey: {
+      defaultExpiryDays: 90,
+      prefix: "usr_"
+    },
+    rateLimit: {
+      requestsPerMinute: 100,
+      requestsPerHour: 1e3
+    }
+  },
+  limits: {
+    projectNameMaxLength: 100,
+    taskDescriptionMaxLength: 5e3,
+    notesMaxLength: 500,
+    conventionsNotesMaxLength: 500,
+    recentCompletedTasksLimit: 10
+  }
+};
+var DEFAULT_SEAT_LIMITS = {
+  [PricingTier.FREE]: config2.pricing.defaultSeats.FREE,
+  [PricingTier.PRO]: config2.pricing.defaultSeats.PRO,
+  [PricingTier.ENTERPRISE]: config2.pricing.defaultSeats.ENTERPRISE
+};
+
+// ../../packages/core/dist/types/index.js
+var import_zod = require("zod");
+var UserIdSchema = import_zod.z.string().regex(/^usr_[a-zA-Z0-9]+$/);
+var UserSchema = import_zod.z.object({
+  id: UserIdSchema,
+  email: import_zod.z.string().email(),
+  name: import_zod.z.string().min(1).max(255),
+  role: import_zod.z.nativeEnum(UserRole),
+  organizationId: import_zod.z.string().optional(),
+  lastActiveAt: import_zod.z.coerce.date().optional(),
+  createdAt: import_zod.z.coerce.date()
+});
+var OrganizationUserSchema = import_zod.z.object({
+  id: import_zod.z.number().int(),
+  userId: UserIdSchema,
+  organizationId: import_zod.z.string(),
+  roleId: import_zod.z.nativeEnum(UserRole).optional(),
+  user: UserSchema.pick({ id: true, email: true, name: true, role: true }),
+  createdAt: import_zod.z.coerce.date()
+});
+var OrganizationIdSchema = import_zod.z.string().regex(/^org_[a-zA-Z0-9]+$/);
+var OrganizationSchema = import_zod.z.object({
+  id: OrganizationIdSchema,
+  name: import_zod.z.string().min(1).max(255),
+  slug: import_zod.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/),
+  logoUrl: import_zod.z.string().url().nullable(),
+  accentColor: import_zod.z.string().regex(/^#[0-9A-Fa-f]{6}$/).nullable(),
+  tenantName: import_zod.z.string().nullable(),
+  pricingTier: import_zod.z.nativeEnum(PricingTier),
+  createdAt: import_zod.z.coerce.date()
+});
+var OrganizationSettingsSchema = import_zod.z.object({
+  organizationId: OrganizationIdSchema,
+  ldapEnabled: import_zod.z.boolean(),
+  ldapUrl: import_zod.z.string().url().nullable(),
+  ldapBindDN: import_zod.z.string().nullable(),
+  ldapSearchBase: import_zod.z.string().nullable(),
+  deleteMergedBranches: import_zod.z.boolean(),
+  enforceConventionalCommits: import_zod.z.boolean(),
+  maxPersonalProjectsPerUser: import_zod.z.number().int().min(0)
+});
+var TagSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  name: import_zod.z.string().min(1).max(50),
+  organizationId: OrganizationIdSchema,
+  createdAt: import_zod.z.coerce.date()
+});
+var ProjectIdSchema = import_zod.z.string().regex(/^prj_[a-zA-Z0-9]+$/);
+var ProjectSchema = import_zod.z.object({
+  id: ProjectIdSchema,
+  name: import_zod.z.string().min(1).max(100),
+  description: import_zod.z.string().max(500).nullable(),
+  type: import_zod.z.nativeEnum(ProjectType),
+  origin: import_zod.z.nativeEnum(ProjectOrigin),
+  organizationId: OrganizationIdSchema,
+  ownerId: UserIdSchema.nullable(),
+  repositoryUrl: import_zod.z.string().url(),
+  baseBranch: import_zod.z.string().default("develop"),
+  tags: import_zod.z.array(import_zod.z.string()),
+  createdAt: import_zod.z.coerce.date(),
+  updatedAt: import_zod.z.coerce.date()
+});
+var EpicIdSchema = import_zod.z.string().regex(/^epc_[a-zA-Z0-9]+$/);
+var EpicSchema = import_zod.z.object({
+  id: EpicIdSchema,
+  projectId: ProjectIdSchema,
+  name: import_zod.z.string().min(1).max(200),
+  description: import_zod.z.string().nullable(),
+  createdAt: import_zod.z.coerce.date(),
+  updatedAt: import_zod.z.coerce.date()
+});
+var TaskIdSchema = import_zod.z.string().regex(/^tsk_[a-zA-Z0-9]+$/);
+var TaskSchema = import_zod.z.object({
+  id: TaskIdSchema,
+  projectId: ProjectIdSchema,
+  epicId: EpicIdSchema.nullable(),
+  title: import_zod.z.string().min(1).max(200),
+  description: import_zod.z.string().max(5e3),
+  state: import_zod.z.nativeEnum(TaskState),
+  priority: import_zod.z.nativeEnum(TaskPriority),
+  assigneeId: UserIdSchema.nullable(),
+  createdBy: UserIdSchema.nullable(),
+  assignedAt: import_zod.z.coerce.date().nullable(),
+  startedAt: import_zod.z.coerce.date().nullable(),
+  completedAt: import_zod.z.coerce.date().nullable(),
+  branchName: import_zod.z.string().nullable(),
+  pullRequestUrl: import_zod.z.string().url().nullable(),
+  pullRequestNumber: import_zod.z.number().int().nullable(),
+  pullRequestStatus: import_zod.z.nativeEnum(PRStatus).nullable(),
+  errorType: import_zod.z.nativeEnum(ErrorType).nullable(),
+  errorMessage: import_zod.z.string().max(1e3).nullable(),
+  createdAt: import_zod.z.coerce.date(),
+  updatedAt: import_zod.z.coerce.date()
+});
+var AcceptanceCriterionSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  taskId: TaskIdSchema,
+  description: import_zod.z.string().min(1).max(500),
+  completed: import_zod.z.boolean(),
+  completedAt: import_zod.z.coerce.date().nullable(),
+  order: import_zod.z.number().int(),
+  createdAt: import_zod.z.coerce.date()
+});
+var ProgressUpdateSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  taskId: TaskIdSchema,
+  userId: UserIdSchema,
+  message: import_zod.z.string().max(2e3),
+  checkpoints: import_zod.z.array(import_zod.z.string()).optional(),
+  createdAt: import_zod.z.coerce.date()
+});
+var TaskNoteSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  taskId: TaskIdSchema,
+  userId: UserIdSchema,
+  content: import_zod.z.string().max(500),
+  createdAt: import_zod.z.coerce.date()
+});
+var ApiKeyIdSchema = import_zod.z.string().regex(/^key_[a-zA-Z0-9]+$/);
+var ApiKeySchema = import_zod.z.object({
+  id: ApiKeyIdSchema,
+  userId: UserIdSchema,
+  name: import_zod.z.string().min(1).max(100),
+  keyHash: import_zod.z.string(),
+  permissions: import_zod.z.nativeEnum(ApiKeyPermission),
+  lastUsedAt: import_zod.z.coerce.date().nullable(),
+  expiresAt: import_zod.z.coerce.date().nullable(),
+  revoked: import_zod.z.boolean(),
+  createdAt: import_zod.z.coerce.date()
+});
+var SubscriptionIdSchema = import_zod.z.string();
+var SubscriptionSchema = import_zod.z.object({
+  id: SubscriptionIdSchema,
+  organizationId: OrganizationIdSchema,
+  pricingTier: import_zod.z.nativeEnum(PricingTier),
+  seats: import_zod.z.number().int().min(0),
+  stripeSubscriptionId: import_zod.z.string().nullable(),
+  stripeCustomerId: import_zod.z.string().nullable(),
+  status: import_zod.z.enum(["active", "past_due", "canceled", "incomplete"]),
+  currentPeriodStart: import_zod.z.coerce.date(),
+  currentPeriodEnd: import_zod.z.coerce.date(),
+  createdAt: import_zod.z.coerce.date()
+});
+var ProjectCollaboratorSchema = import_zod.z.object({
+  id: import_zod.z.string(),
+  projectId: ProjectIdSchema,
+  userId: UserIdSchema,
+  addedBy: UserIdSchema,
+  createdAt: import_zod.z.coerce.date()
+});
+
+// ../../packages/core/dist/validation/index.js
+var import_zod2 = require("zod");
+var ListProjectsInputSchema = import_zod2.z.object({
+  workspaceType: import_zod2.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod2.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
+});
+var ListTasksInputSchema = import_zod2.z.object({
+  projectId: import_zod2.z.string().optional(),
+  state: import_zod2.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod2.z.string().optional(),
+  includeArchived: import_zod2.z.boolean().optional()
+});
+var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
+var GetTaskInputSchema = import_zod2.z.object({
+  taskId: cuidOrPrefixedId
+});
+var AssignTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  expectedState: import_zod2.z.nativeEnum(TaskState).default(TaskState.TODO)
+});
+var UpdateProgressInputSchema = import_zod2.z.object({
+  taskId: cuidOrPrefixedId,
+  statusMessage: import_zod2.z.string().max(1e3).optional(),
+  completedCheckpointIds: import_zod2.z.array(import_zod2.z.string()).optional(),
+  currentCheckpointIndex: import_zod2.z.number().int().optional()
+});
+var CompleteTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  pullRequestTitle: import_zod2.z.string().min(1).max(300).optional(),
+  pullRequestBody: import_zod2.z.string().max(1e4).optional()
+});
+var ReportErrorInputSchema = import_zod2.z.object({
+  taskId: cuidOrPrefixedId,
+  errorType: import_zod2.z.nativeEnum(ErrorType),
+  errorMessage: import_zod2.z.string().min(1).max(1e3),
+  context: import_zod2.z.string().max(2e3).optional()
+});
+var GetProjectContextInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId
+});
+var AddNoteInputSchema = import_zod2.z.object({
+  taskId: cuidOrPrefixedId,
+  content: import_zod2.z.string().min(1).max(500)
+});
+var AbandonTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  deleteBranch: import_zod2.z.boolean().optional()
+});
+var RequestChangesInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  reviewComments: import_zod2.z.string().min(1).max(5e3),
+  requestedChanges: import_zod2.z.array(import_zod2.z.string().min(1).max(500)).optional()
+});
+var ApproveTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  reviewComments: import_zod2.z.string().max(2e3).optional()
+});
+var ArchiveTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId
+});
+var UnarchiveTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId
+});
+var CreatePersonalProjectInputSchema = import_zod2.z.object({
+  name: import_zod2.z.string().min(1).max(100),
+  description: import_zod2.z.string().max(500).optional(),
+  repositoryUrl: import_zod2.z.string().url()
+});
+var CheckActiveTaskInputSchema = import_zod2.z.object({});
+var CreateTaskMCPInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  epicId: cuidOrPrefixedId.nullable().optional(),
+  title: import_zod2.z.string().min(1).max(200),
+  description: import_zod2.z.string().max(5e3),
+  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
+    description: import_zod2.z.string().min(1).max(500)
+  })).min(1)
+});
+var CreateOrganizationInputSchema = import_zod2.z.object({
+  name: import_zod2.z.string().min(1).max(255),
+  slug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+});
+var UpdateOrganizationInputSchema = import_zod2.z.object({
+  organizationId: cuidOrPrefixedId,
+  name: import_zod2.z.string().min(1).max(255).optional(),
+  logoUrl: import_zod2.z.string().url().nullable().optional(),
+  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod2.z.string().max(255).nullable().optional()
+});
+var CreateProjectInputSchema = import_zod2.z.object({
+  name: import_zod2.z.string().min(1).max(100),
+  description: import_zod2.z.string().max(500).optional(),
+  type: import_zod2.z.nativeEnum(ProjectType),
+  repositoryUrl: import_zod2.z.string().url(),
+  baseBranch: import_zod2.z.string().default("develop").optional(),
+  tags: import_zod2.z.array(import_zod2.z.string()).default([])
+});
+var UpdateProjectInputSchema = import_zod2.z.object({
+  projectId: import_zod2.z.string().min(1).optional(),
+  name: import_zod2.z.string().min(1).max(100).optional(),
+  description: import_zod2.z.string().max(500).optional(),
+  repositoryUrl: import_zod2.z.string().url().optional(),
+  baseBranch: import_zod2.z.string().optional(),
+  tags: import_zod2.z.array(import_zod2.z.string()).optional(),
+  allowMemberArchive: import_zod2.z.boolean().optional()
+});
+var CreateEpicInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  name: import_zod2.z.string().min(1).max(200),
+  description: import_zod2.z.string().max(2e3).optional()
+});
+var CreateTaskInputSchema = import_zod2.z.object({
+  projectId: import_zod2.z.string().min(1),
+  epicId: import_zod2.z.string().min(1).nullable().optional(),
+  title: import_zod2.z.string().min(1).max(200),
+  description: import_zod2.z.string().max(5e3),
+  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
+    description: import_zod2.z.string().min(1).max(500)
+  })).min(1)
+});
+var UpdateTaskInputSchema = import_zod2.z.object({
+  taskId: import_zod2.z.string().min(1),
+  title: import_zod2.z.string().min(1).max(200).optional(),
+  description: import_zod2.z.string().max(5e3).optional(),
+  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
+  state: import_zod2.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod2.z.string().nullable().optional(),
+  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
+    id: import_zod2.z.string().optional(),
+    description: import_zod2.z.string().min(1).max(500),
+    completed: import_zod2.z.boolean().optional()
+  })).optional()
+});
+var AssignTaskWebappInputSchema = import_zod2.z.object({
+  taskId: import_zod2.z.string().min(1),
+  userId: import_zod2.z.string().min(1)
+});
+var CreateTagInputSchema = import_zod2.z.object({
+  organizationId: cuidOrPrefixedId,
+  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+});
+var UpdateTagInputSchema = import_zod2.z.object({
+  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+});
+var UpdateOrganizationSettingsInputSchema = import_zod2.z.object({
+  organizationId: cuidOrPrefixedId,
+  ldapEnabled: import_zod2.z.boolean().optional(),
+  ldapUrl: import_zod2.z.string().url().nullable().optional(),
+  ldapBindDN: import_zod2.z.string().nullable().optional(),
+  ldapSearchBase: import_zod2.z.string().nullable().optional(),
+  deleteMergedBranches: import_zod2.z.boolean().optional(),
+  enforceConventionalCommits: import_zod2.z.boolean().optional(),
+  maxPersonalProjectsPerUser: import_zod2.z.number().int().min(0).optional(),
+  logoUrl: import_zod2.z.string().url().nullable().optional(),
+  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod2.z.string().max(255).nullable().optional()
+});
+var InviteUserInputSchema = import_zod2.z.object({
+  organizationId: cuidOrPrefixedId,
+  email: import_zod2.z.string().email(),
+  role: import_zod2.z.nativeEnum(UserRole).default(UserRole.MEMBER),
+  tags: import_zod2.z.array(import_zod2.z.string()).default([])
+});
+var AssignUserTagsInputSchema = import_zod2.z.object({
+  userId: cuidOrPrefixedId,
+  tags: import_zod2.z.array(import_zod2.z.string()).min(0)
+});
+var InviteCollaboratorInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  email: import_zod2.z.string().email()
+});
+var PublishProjectInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  transferOwnership: import_zod2.z.boolean().default(false),
+  tags: import_zod2.z.array(import_zod2.z.string()).min(1)
+});
+var GenerateApiKeyInputSchema = import_zod2.z.object({
+  name: import_zod2.z.string().min(1).max(100),
+  expiresInDays: import_zod2.z.number().int().min(1).max(365).default(90),
+  permissions: import_zod2.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
+});
+var RevokeApiKeyInputSchema = import_zod2.z.object({
+  keyId: cuidOrPrefixedId
+});
+var LoginInputSchema = import_zod2.z.object({
+  email: import_zod2.z.string().email(),
+  password: import_zod2.z.string().min(8).max(255)
+});
+var RegisterInputSchema = import_zod2.z.object({
+  email: import_zod2.z.string().email(),
+  password: import_zod2.z.string().min(8).max(255),
+  name: import_zod2.z.string().min(1).max(255),
+  organizationSlug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+});
+var VerifyTaskInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  approved: import_zod2.z.boolean(),
+  feedback: import_zod2.z.string().max(5e3).optional()
+});
+var GetTaskPromptInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId
+});
+var UpdateTaskMCPInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  title: import_zod2.z.string().min(1).max(200).optional(),
+  description: import_zod2.z.string().max(5e3).optional(),
+  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
+  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
+    id: import_zod2.z.string().optional(),
+    description: import_zod2.z.string().min(1).max(500)
+  })).optional()
+});
+var ReportBranchInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  branchName: gitBranchName
+});
+var ReportPRInputSchema = import_zod2.z.object({
+  projectId: cuidOrPrefixedId,
+  taskId: cuidOrPrefixedId,
+  pullRequestUrl: import_zod2.z.string().url(),
+  pullRequestNumber: import_zod2.z.number().int().positive()
+});
+
+// ../../packages/core/dist/logging/metrics.js
+var metrics = /* @__PURE__ */ new Map();
+function labelsToKey(labels) {
+  if (!labels || Object.keys(labels).length === 0)
+    return "";
+  return Object.entries(labels).sort(([a], [b]) => a.localeCompare(b)).map(([k, v]) => `${k}="${v}"`).join(",");
+}
+function createCounter(name, help) {
+  const data = {
+    name,
+    type: "counter",
+    help,
+    values: /* @__PURE__ */ new Map()
+  };
+  metrics.set(name, data);
+  return {
+    inc(labels, value = 1) {
+      const key = labelsToKey(labels);
+      const current = data.values.get(key) || 0;
+      data.values.set(key, current + value);
+    }
+  };
+}
+function createGauge(name, help) {
+  const data = {
+    name,
+    type: "gauge",
+    help,
+    values: /* @__PURE__ */ new Map()
+  };
+  metrics.set(name, data);
+  return {
+    set(labels, value) {
+      const key = labelsToKey(labels);
+      data.values.set(key, value);
+    },
+    inc(labels, value = 1) {
+      const key = labelsToKey(labels);
+      const current = data.values.get(key) || 0;
+      data.values.set(key, current + value);
+    },
+    dec(labels, value = 1) {
+      const key = labelsToKey(labels);
+      const current = data.values.get(key) || 0;
+      data.values.set(key, current - value);
+    }
+  };
+}
+function createHistogram(name, help, buckets = [5e-3, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1, 2.5, 5, 10]) {
+  const data = {
+    name,
+    type: "histogram",
+    help,
+    values: /* @__PURE__ */ new Map(),
+    buckets
+  };
+  metrics.set(name, data);
+  return {
+    observe(labels, value) {
+      const baseKey = labelsToKey(labels);
+      const sumKey = `${baseKey}|sum`;
+      const countKey = `${baseKey}|count`;
+      data.values.set(sumKey, (data.values.get(sumKey) || 0) + value);
+      data.values.set(countKey, (data.values.get(countKey) || 0) + 1);
+      for (const bucket of buckets) {
+        const bucketKey = `${baseKey}|le="${bucket}"`;
+        if (value <= bucket) {
+          data.values.set(bucketKey, (data.values.get(bucketKey) || 0) + 1);
+        }
+      }
+      const infKey = `${baseKey}|le="+Inf"`;
+      data.values.set(infKey, (data.values.get(infKey) || 0) + 1);
+    }
+  };
+}
+var httpRequestsTotal = createCounter("mtaap_http_requests_total", "Total number of HTTP requests");
+var httpRequestDuration = createHistogram("mtaap_http_request_duration_seconds", "HTTP request duration in seconds");
+var activeUsers = createGauge("mtaap_active_users", "Number of active users");
+var tasksTotal = createCounter("mtaap_tasks_total", "Total number of tasks by state");
+var taskStateChanges = createCounter("mtaap_task_state_changes_total", "Total number of task state changes");
+var httpErrorsTotal = createCounter("mtaap_http_errors_total", "Total number of HTTP errors");
+var httpActiveConnections = createGauge("mtaap_http_active_connections", "Number of active HTTP connections");
+var newSignupsTotal = createCounter("mtaap_new_signups_total", "Total number of new user signups");
+var loginSuccessTotal = createCounter("mtaap_login_success_total", "Total number of successful logins");
+var loginFailureTotal = createCounter("mtaap_login_failure_total", "Total number of failed logins");
+var dbConnectionPoolActive = createGauge("mtaap_db_connection_pool_active", "Number of active database connections");
+var dbConnectionPoolIdle = createGauge("mtaap_db_connection_pool_idle", "Number of idle database connections");
+var dbConnectionPoolMax = createGauge("mtaap_db_connection_pool_max", "Maximum number of database connections");
+var dbQueryDuration = createHistogram("mtaap_db_query_duration_seconds", "Database query duration in seconds");
+var dbSlowQueriesTotal = createCounter("mtaap_db_slow_queries_total", "Total number of slow database queries (>1s)");
+var dbErrorsTotal = createCounter("mtaap_db_errors_total", "Total number of database errors");
+var tasksCreatedTotal = createCounter("mtaap_tasks_created_total", "Total number of tasks created");
+var tasksAssignedTotal = createCounter("mtaap_tasks_assigned_total", "Total number of tasks assigned");
+var tasksCompletedTotal = createCounter("mtaap_tasks_completed_total", "Total number of tasks completed");
+var tasksByState = createGauge("mtaap_tasks_by_state", "Number of tasks by state");
+
+// ../../packages/core/dist/logging/performance-monitor.js
+var MAX_SAMPLES = 1e3;
+var ALERT_COOLDOWN_MS = 5 * 60 * 1e3;
+var DEFAULT_THRESHOLDS = {
+  api: {
+    p50: 100,
+    p95: 500,
+    p99: 1e3
+  },
+  db: {
+    p95: 100,
+    p99: 500
+  },
+  webvitals: {
+    FCP: 2e3,
+    LCP: 2500,
+    FID: 100,
+    CLS: 0.1
+  }
+};
+function cloneThresholds() {
+  return Object.fromEntries(Object.entries(DEFAULT_THRESHOLDS).map(([category, metrics2]) => [
+    category,
+    { ...metrics2 }
+  ]));
+}
+function labelsToKey2(labels) {
+  if (!labels || Object.keys(labels).length === 0)
+    return "";
+  return Object.entries(labels).sort(([a], [b]) => a.localeCompare(b)).map(([key, value]) => `${key}="${value}"`).join(",");
+}
+function percentile(sortedValues, percentileValue) {
+  if (sortedValues.length === 0)
+    return 0;
+  const rank = Math.ceil(percentileValue / 100 * sortedValues.length);
+  const index = Math.min(Math.max(rank - 1, 0), sortedValues.length - 1);
+  return sortedValues[index];
+}
+var CircularBuffer = class {
+  capacity;
+  values = [];
+  index = 0;
+  size = 0;
+  constructor(capacity) {
+    this.capacity = capacity;
+  }
+  add(value) {
+    if (this.size < this.capacity) {
+      this.values.push(value);
+      this.size += 1;
+      this.index = this.size % this.capacity;
+      return;
+    }
+    this.values[this.index] = value;
+    this.index = (this.index + 1) % this.capacity;
+  }
+  getValues() {
+    if (this.size < this.capacity) {
+      return this.values.slice(0, this.size);
+    }
+    return this.values.slice();
+  }
+};
+var PerformanceMonitor = class {
+  samples = /* @__PURE__ */ new Map();
+  thresholds = cloneThresholds();
+  alertCallback;
+  lastAlertTimestamps = /* @__PURE__ */ new Map();
+  recordTiming(category, name, durationMs, labels) {
+    if (!Number.isFinite(durationMs))
+      return;
+    const categoryMap = this.getCategoryMap(category);
+    const nameMap = this.getNameMap(categoryMap, name);
+    const labelKey = labelsToKey2(labels);
+    const buffer = nameMap.get(labelKey) ?? new CircularBuffer(MAX_SAMPLES);
+    buffer.add(durationMs);
+    nameMap.set(labelKey, buffer);
+  }
+  getPercentiles(category, name) {
+    const samples = this.collectSamples(category, name);
+    if (samples.length === 0) {
+      return { p50: 0, p95: 0, p99: 0 };
+    }
+    const sorted = [...samples].sort((a, b) => a - b);
+    return {
+      p50: percentile(sorted, 50),
+      p95: percentile(sorted, 95),
+      p99: percentile(sorted, 99)
+    };
+  }
+  checkThresholds() {
+    const alerts = [];
+    const now = Date.now();
+    const callbackAlerts = [];
+    for (const [category, nameMap] of this.samples) {
+      const thresholds = this.thresholds[category];
+      if (!thresholds)
+        continue;
+      for (const name of nameMap.keys()) {
+        const percentiles = this.getPercentiles(category, name);
+        for (const [metric, threshold] of Object.entries(thresholds)) {
+          const value = this.resolveMetricValue(metric, name, percentiles);
+          if (value === void 0 || value <= threshold)
+            continue;
+          const alert = {
+            category,
+            name,
+            metric,
+            value,
+            threshold
+          };
+          alerts.push(alert);
+          const alertKey = `${category}|${name}|${metric}`;
+          const lastAlertTime = this.lastAlertTimestamps.get(alertKey);
+          if (!lastAlertTime || now - lastAlertTime >= ALERT_COOLDOWN_MS) {
+            this.lastAlertTimestamps.set(alertKey, now);
+            callbackAlerts.push(alert);
+          }
+        }
+      }
+    }
+    if (callbackAlerts.length > 0 && this.alertCallback) {
+      this.alertCallback(callbackAlerts);
+    }
+    return alerts;
+  }
+  setAlertCallback(callback) {
+    this.alertCallback = callback;
+  }
+  setThreshold(category, metric, value) {
+    if (!this.thresholds[category]) {
+      this.thresholds[category] = {};
+    }
+    this.thresholds[category][metric] = value;
+  }
+  collectSamples(category, name) {
+    const categoryMap = this.samples.get(category);
+    if (!categoryMap)
+      return [];
+    const entries = name ? [[name, categoryMap.get(name)]] : Array.from(categoryMap.entries());
+    const samples = [];
+    for (const [, labelMap] of entries) {
+      if (!labelMap)
+        continue;
+      for (const buffer of labelMap.values()) {
+        samples.push(...buffer.getValues());
+      }
+    }
+    return samples;
+  }
+  resolveMetricValue(metric, name, percentiles) {
+    if (metric === "p50")
+      return percentiles.p50;
+    if (metric === "p95")
+      return percentiles.p95;
+    if (metric === "p99")
+      return percentiles.p99;
+    if (metric === name)
+      return percentiles.p95;
+    return void 0;
+  }
+  getCategoryMap(category) {
+    const existing = this.samples.get(category);
+    if (existing)
+      return existing;
+    const created = /* @__PURE__ */ new Map();
+    this.samples.set(category, created);
+    return created;
+  }
+  getNameMap(categoryMap, name) {
+    const existing = categoryMap.get(name);
+    if (existing)
+      return existing;
+    const created = /* @__PURE__ */ new Map();
+    categoryMap.set(name, created);
+    return created;
+  }
+};
+var defaultMonitor = new PerformanceMonitor();
+
+// ../../packages/core/dist/logging/error-tracker.js
+var NoOpErrorTracker = class {
+  captureError(error, context) {
+    console.error("Error captured:", error.message, context);
+  }
+  captureException(error, context) {
+    console.error("Exception captured:", error, context);
+  }
+  captureMessage(message, level, context) {
+    console[level === "warning" ? "warn" : level](`Message captured [${level}]:`, message, context);
+  }
+  setUser(user) {
+    console.log("User set:", user);
+  }
+  clearUser() {
+    console.log("User cleared");
+  }
+};
+var errorTrackerInstance = new NoOpErrorTracker();
+
+// src/api-client.ts
+var DEFAULT_TIMEOUT = 3e4;
+function sanitizeForLogging(str) {
+  let sanitized = str.replace(/\bcollab_[a-zA-Z0-9_-]+\b/gi, "[REDACTED_API_KEY]");
+  sanitized = sanitized.replace(/\bBearer\s+[a-zA-Z0-9._-]+\b/gi, "Bearer [REDACTED]");
+  sanitized = sanitized.replace(/([?&](api_?key|token|auth|key|secret)=)[^&\s]+/gi, "$1[REDACTED]");
+  return sanitized;
+}
+var ApiError = class extends Error {
+  constructor(message, code, status, details) {
+    super(message);
+    this.code = code;
+    this.status = status;
+    this.details = details;
+    this.name = "ApiError";
+  }
+};
+var MCPApiClient = class {
+  baseUrl;
+  apiKey;
+  timeout;
+  debug;
+  authContext = null;
+  constructor(config3) {
+    this.baseUrl = config3.baseUrl.replace(/\/$/, "");
+    this.apiKey = config3.apiKey;
+    this.timeout = config3.timeout ?? DEFAULT_TIMEOUT;
+    this.debug = config3.debug ?? false;
+  }
+  /**
+   * Make an HTTP request to the API
+   */
+  async request(method, path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    if (this.debug) {
+      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
+    }
+    try {
+      const response = await fetch(url, {
+        method,
+        headers: {
+          "Content-Type": "application/json",
+          "X-API-Key": this.apiKey
+        },
+        body: body ? JSON.stringify(body) : void 0,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      const data = await response.json();
+      if (!response.ok) {
+        throw new ApiError(
+          data.error || "API request failed",
+          data.code || "UNKNOWN_ERROR",
+          response.status,
+          data.details
+        );
+      }
+      return data;
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof ApiError) {
+        throw error;
+      }
+      if (error instanceof Error && error.name === "AbortError") {
+        throw new ApiError(
+          "Request timed out",
+          "TIMEOUT",
+          408
+        );
+      }
+      const rawMessage = error instanceof Error ? error.message : "Unknown error";
+      throw new ApiError(
+        sanitizeForLogging(rawMessage),
+        "NETWORK_ERROR",
+        0
+      );
+    }
+  }
+  /**
+   * Authenticate and get user context
+   */
+  async authenticate() {
+    const context = await this.request("GET", "/api/mcp/auth");
+    this.authContext = context;
+    return context;
+  }
+  /**
+   * Get cached auth context or authenticate
+   */
+  async getAuthContext() {
+    if (this.authContext) {
+      return this.authContext;
+    }
+    return this.authenticate();
+  }
+  /**
+   * List accessible projects
+   */
+  async listProjects(workspaceType) {
+    const type = workspaceType || "ALL";
+    return this.request(
+      "GET",
+      `/api/mcp/projects?workspaceType=${encodeURIComponent(type)}`
+    );
+  }
+  /**
+   * Get single project details
+   */
+  async getProject(projectId) {
+    return this.request("GET", `/api/mcp/projects/${projectId}`);
+  }
+  /**
+   * Get project context (README, stack, conventions)
+   */
+  async getProjectContext(projectId) {
+    return this.request(
+      "GET",
+      `/api/mcp/projects/${projectId}/context`
+    );
+  }
+  /**
+   * Create a personal project
+   */
+  async createPersonalProject(name, description, repositoryUrl) {
+    return this.request(
+      "POST",
+      "/api/mcp/projects/personal",
+      { name, description, repositoryUrl }
+    );
+  }
+  /**
+   * Create a task in a project
+   */
+  async createTask(input) {
+    return this.request("POST", "/api/mcp/tasks", input);
+  }
+  /**
+   * List tasks with optional filters
+   */
+  async listTasks(filters = {}) {
+    const params = new URLSearchParams();
+    if (filters.projectId) params.set("projectId", filters.projectId);
+    if (filters.state) params.set("state", filters.state);
+    if (filters.assigneeId) params.set("assigneeId", filters.assigneeId);
+    if (filters.includeArchived) params.set("includeArchived", "true");
+    const queryString = params.toString();
+    const path = queryString ? `/api/mcp/tasks?${queryString}` : "/api/mcp/tasks";
+    return this.request("GET", path);
+  }
+  /**
+   * Get full task details
+   */
+  async getTask(taskId) {
+    return this.request("GET", `/api/mcp/tasks/${taskId}`);
+  }
+  /**
+   * Assign task to current user and create branch
+   */
+  async assignTask(taskId, projectId, expectedState = TaskState.TODO) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/assign`, {
+      projectId,
+      expectedState
+    });
+  }
+  /**
+   * Update task progress
+   */
+  async updateProgress(taskId, data) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/progress`, data);
+  }
+  /**
+   * Complete task and prepare for PR creation.
+   * Returns PR suggestions for the agent to use when creating the PR locally.
+   */
+  async completeTask(taskId, projectId, pullRequestTitle, pullRequestBody) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/complete`, {
+      projectId,
+      pullRequestTitle,
+      pullRequestBody
+    });
+  }
+  /**
+   * Abandon task and optionally delete branch
+   */
+  async abandonTask(taskId, projectId, deleteBranch = false) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/abandon`, {
+      projectId,
+      deleteBranch
+    });
+  }
+  /**
+   * Archive a task (soft delete)
+   */
+  async archiveTask(taskId, projectId) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/archive`, {
+      projectId
+    });
+  }
+  /**
+   * Unarchive a task (restore)
+   */
+  async unarchiveTask(taskId, projectId) {
+    return this.request("DELETE", `/api/mcp/tasks/${taskId}/archive`, {
+      projectId
+    });
+  }
+  /**
+   * Report task error
+   */
+  async reportError(taskId, errorType, errorMessage, context) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/error`, {
+      errorType,
+      errorMessage,
+      context
+    });
+  }
+  /**
+   * Add note to task
+   */
+  async addNote(taskId, content) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/notes`, { content });
+  }
+  /**
+   * Request changes on a task in review
+   */
+  async requestChanges(taskId, projectId, reviewComments, requestedChanges) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/request-changes`, {
+      projectId,
+      reviewComments,
+      requestedChanges
+    });
+  }
+  /**
+   * Approve a task in review and mark as DONE
+   */
+  async approveTask(taskId, projectId, reviewComments) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/approve`, {
+      projectId,
+      reviewComments
+    });
+  }
+  /**
+   * Report branch created by agent
+   */
+  async reportBranch(taskId, projectId, branchName) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/branch`, {
+      projectId,
+      branchName
+    });
+  }
+  /**
+   * Report PR created by agent
+   */
+  async reportPR(taskId, projectId, pullRequestUrl, pullRequestNumber) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/pr`, {
+      projectId,
+      pullRequestUrl,
+      pullRequestNumber
+    });
+  }
+  /**
+   * Verify a DRAFT task to move it to TODO state
+   */
+  async verifyTask(taskId, projectId, approved, feedback) {
+    return this.request("POST", `/api/mcp/tasks/${taskId}/verify`, {
+      projectId,
+      approved,
+      feedback
+    });
+  }
+  /**
+   * Get state-appropriate prompt for a task
+   */
+  async getTaskPrompt(taskId, projectId) {
+    return this.request(
+      "GET",
+      `/api/mcp/tasks/${taskId}/prompt?projectId=${encodeURIComponent(projectId)}`
+    );
+  }
+  /**
+   * Update task details (DRAFT/TODO states only)
+   */
+  async updateTask(taskId, projectId, data) {
+    return this.request("PATCH", `/api/mcp/tasks/${taskId}`, {
+      projectId,
+      ...data
+    });
+  }
+};
+
+// src/permissions.ts
+var PERMISSION_RANK = {
+  READ: 1,
+  WRITE: 2,
+  ADMIN: 3
+};
+function assertApiKeyPermission(apiKey, required, toolName) {
+  const actualRank = PERMISSION_RANK[apiKey.permissions] ?? 0;
+  const requiredRank = PERMISSION_RANK[required] ?? 0;
+  if (actualRank >= requiredRank) {
+    return;
+  }
+  console.warn("API key permission violation", {
+    keyId: apiKey.id,
+    requiredPermission: required,
+    actualPermission: apiKey.permissions,
+    tool: toolName
+  });
+  const error = new Error(
+    `API key lacks required permissions (required: ${required})`
+  );
+  error.status = 403;
+  throw error;
+}
+
+// src/index.ts
+var COLLAB_SERVER_INSTRUCTIONS = `Collab - AI-assisted software development task management platform.
+
+TOOL CATEGORIES:
+
+1. Project Discovery (READ):
+   - list_projects, get_project_context, get_version
+
+2. Task Management (READ/WRITE):
+   - list_tasks, get_task, create_task, update_task, archive_task, unarchive_task
+
+3. Task Verification (WRITE):
+   - verify_task, get_task_prompt
+
+4. Task Execution (WRITE):
+   - assign_task, update_progress, add_note, complete_task, abandon_task, report_error
+
+5. Git Operations (WRITE):
+   - report_branch, report_pr
+
+6. Code Review (WRITE):
+   - request_changes, approve_task
+
+7. Session Management (READ):
+   - check_active_task
+
+WORKFLOWS:
+
+Task Creation & Verification:
+  create_task -> get_task_prompt (DRAFT) -> verify_task(approved=true) -> task moves to TODO
+
+Standard Task Workflow:
+  list_projects -> get_project_context -> list_tasks(state=TODO) -> get_task -> get_task_prompt (TODO)
+  -> assign_task (returns suggested branch name and worktree path)
+  -> git worktree add <worktreePath> -b <branchName> <baseBranch>
+  -> cd <worktreePath>
+  -> [update_progress...]
+  -> git push -u origin <branchName>
+  -> report_branch (tell server about the branch)
+  -> complete_task (returns PR suggestions)
+  -> gh pr create (local gh command)
+  -> report_pr (tell server about the PR)
+  -> git worktree remove <worktreePath>
+
+Resume Workflow:
+  check_active_task -> (if active) get_task -> get_task_prompt (IN_PROGRESS) -> update_progress -> complete_task
+
+Review Workflow:
+  list_tasks(state=REVIEW) -> get_task -> approve_task OR request_changes
+
+Task Editing:
+  update_task (DRAFT/TODO only) -> if was TODO, reverts to DRAFT -> verify_task again
+
+Error Recovery:
+  report_error -> abandon_task -> list_tasks -> assign_task (retry or pick different task)
+  (abandon_task returns IN_PROGRESS tasks to TODO state)
+
+GIT OPERATIONS NOTE:
+  The agent handles all git operations locally using git worktrees for isolation.
+  After assign_task returns a suggested branch name and worktree path:
+  1. Create worktree: git worktree add <worktreePath> -b <branchName> <baseBranch>
+  2. Work in worktree directory: cd <worktreePath>
+  3. After completing work, push and call report_branch
+  4. After complete_task, create PR with gh and call report_pr
+  5. Clean up worktree: git worktree remove <worktreePath>
+  Worktrees enable parallel task execution without git conflicts.
+
+TASK STATE FLOW:
+  DRAFT -> TODO -> IN_PROGRESS -> REVIEW -> DONE
+  (verify_task: DRAFT -> TODO)
+  (update_task on TODO: reverts to DRAFT)
+  (request_changes: REVIEW -> IN_PROGRESS)
+  (abandon_task: IN_PROGRESS -> TODO)
+
+CONSTRAINTS:
+- DRAFT tasks must be verified before assignment
+- verify_task requires programmatic validation (title 10+ chars, description 50+ chars, criteria 20+ chars each)
+- update_task only works on DRAFT and TODO states
+- assign_task is atomic - fails if already claimed
+- Only TODO tasks can be assigned
+- complete_task requires IN_PROGRESS state
+- request_changes/approve_task require REVIEW state
+- Always check_active_task before starting new work
+- Call update_progress frequently to checkpoint
+- Agent must have git/gh CLI configured for local git operations`;
+function initializeMCPServer(apiClient, authContext) {
+  const server = new import_mcp.McpServer(
+    {
+      name: "collab",
+      version: VERSION
+    },
+    {
+      instructions: COLLAB_SERVER_INSTRUCTIONS
+    }
+  );
+  const mockApiKey = {
+    permissions: authContext.permissions.includes("ADMIN") ? ApiKeyPermission.ADMIN : authContext.permissions.includes("WRITE") ? ApiKeyPermission.WRITE : ApiKeyPermission.READ
+  };
+  server.registerTool(
+    "list_projects",
+    {
+      description: "Discover all accessible projects. Use first to find project IDs. Filter by TEAM, PERSONAL, or ALL workspaces.",
+      inputSchema: {
+        workspaceType: import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.READ,
+        "list_projects"
+      );
+      const validated = ListProjectsInputSchema.parse(args);
+      try {
+        const projects = await apiClient.listProjects(validated.workspaceType);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(projects, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "list_tasks",
+    {
+      description: "Query tasks with filters. Use state=TODO for assignable tasks, state=REVIEW for pending reviews.",
+      inputSchema: {
+        projectId: import_zod3.z.string().optional().describe("Filter by project ID"),
+        state: import_zod3.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
+        assigneeId: import_zod3.z.string().optional().describe("Filter by assignee ID"),
+        includeArchived: import_zod3.z.boolean().optional().describe("Include archived tasks (default: false)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(mockApiKey, ApiKeyPermission.READ, "list_tasks");
+      const validated = ListTasksInputSchema.parse(args);
+      try {
+        const tasks = await apiClient.listTasks({
+          projectId: validated.projectId,
+          state: validated.state,
+          assigneeId: validated.assigneeId,
+          includeArchived: validated.includeArchived
+        });
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(tasks, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "get_task",
+    {
+      description: "Get complete task details with acceptance criteria and notes. Call before assign_task to understand requirements.",
+      inputSchema: {
+        taskId: import_zod3.z.string().describe("The task ID to retrieve")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(mockApiKey, ApiKeyPermission.READ, "get_task");
+      const validated = GetTaskInputSchema.parse(args);
+      try {
+        const task = await apiClient.getTask(validated.taskId);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(task, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "assign_task",
+    {
+      description: "Atomically claim a task. Race-safe - fails if already assigned. Task must be TODO. Returns suggested branch name and worktree path for isolated parallel development.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to assign"),
+        expectedState: import_zod3.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "assign_task"
+      );
+      const validated = AssignTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.assignTask(
+          validated.taskId,
+          validated.projectId,
+          validated.expectedState
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "update_progress",
+    {
+      description: "Report progress and checkpoint work. Call frequently during execution. Marks acceptance criteria complete.",
+      inputSchema: {
+        taskId: import_zod3.z.string().describe("The task ID to update"),
+        statusMessage: import_zod3.z.string().optional().describe("Status message (max 1000 chars)"),
+        completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional().describe("Array of completed checkpoint IDs"),
+        currentCheckpointIndex: import_zod3.z.number().optional().describe("Current checkpoint index")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "update_progress"
+      );
+      const validated = UpdateProgressInputSchema.parse(args);
+      try {
+        const result = await apiClient.updateProgress(validated.taskId, {
+          statusMessage: validated.statusMessage,
+          completedCheckpointIds: validated.completedCheckpointIds,
+          currentCheckpointIndex: validated.currentCheckpointIndex
+        });
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "complete_task",
+    {
+      description: "Prepare task for PR creation. Returns PR suggestions. After creating PR locally, call report_pr to transition to REVIEW. Requires IN_PROGRESS state.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to complete"),
+        pullRequestTitle: import_zod3.z.string().optional().describe("PR title (max 300 chars)"),
+        pullRequestBody: import_zod3.z.string().optional().describe("PR body/description (max 10000 chars)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "complete_task"
+      );
+      const validated = CompleteTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.completeTask(
+          validated.taskId,
+          validated.projectId,
+          validated.pullRequestTitle,
+          validated.pullRequestBody
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "check_active_task",
+    {
+      description: "Check for resumable work from previous session. Always call before starting new work."
+    },
+    async () => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.READ,
+        "check_active_task"
+      );
+      const result = await checkActiveTask();
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify(result, null, 2)
+          }
+        ]
+      };
+    }
+  );
+  server.registerTool(
+    "report_error",
+    {
+      description: "Report unrecoverable errors (BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR). Consider abandon_task after.",
+      inputSchema: {
+        taskId: import_zod3.z.string().describe("The task ID"),
+        errorType: import_zod3.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
+        errorMessage: import_zod3.z.string().describe("Error message (max 1000 chars)"),
+        context: import_zod3.z.string().optional().describe("Additional context (max 2000 chars)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "report_error"
+      );
+      const validated = ReportErrorInputSchema.parse(args);
+      try {
+        const result = await apiClient.reportError(
+          validated.taskId,
+          validated.errorType,
+          validated.errorMessage,
+          validated.context
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "get_project_context",
+    {
+      description: "Load project README, tech stack, and coding conventions. Call after selecting project.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.READ,
+        "get_project_context"
+      );
+      const validated = GetProjectContextInputSchema.parse(args);
+      try {
+        const context = await apiClient.getProjectContext(validated.projectId);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(context, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "add_note",
+    {
+      description: "Document implementation decisions. Notes persist for future reference and handoff.",
+      inputSchema: {
+        taskId: import_zod3.z.string().describe("The task ID"),
+        content: import_zod3.z.string().describe("Note content (max 500 chars)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(mockApiKey, ApiKeyPermission.WRITE, "add_note");
+      const validated = AddNoteInputSchema.parse(args);
+      try {
+        const result = await apiClient.addNote(
+          validated.taskId,
+          validated.content
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "abandon_task",
+    {
+      description: "Release task assignment and optionally clean up branch. Task returns to TODO. Use after errors.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to abandon"),
+        deleteBranch: import_zod3.z.boolean().optional().describe("Whether to delete the associated branch")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "abandon_task"
+      );
+      const validated = AbandonTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.abandonTask(
+          validated.taskId,
+          validated.projectId,
+          validated.deleteBranch
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "report_branch",
+    {
+      description: "Report a branch created by the agent. Call after using git to create and push a branch. Task must be IN_PROGRESS.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID"),
+        branchName: import_zod3.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "report_branch"
+      );
+      const validated = ReportBranchInputSchema.parse(args);
+      try {
+        const result = await apiClient.reportBranch(
+          validated.taskId,
+          validated.projectId,
+          validated.branchName
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "report_pr",
+    {
+      description: "Report a PR created by the agent. Call after using gh pr create. Transitions task to REVIEW state.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID"),
+        pullRequestUrl: import_zod3.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
+        pullRequestNumber: import_zod3.z.number().describe("PR number (e.g., 123)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "report_pr"
+      );
+      const validated = ReportPRInputSchema.parse(args);
+      try {
+        const result = await apiClient.reportPR(
+          validated.taskId,
+          validated.projectId,
+          validated.pullRequestUrl,
+          validated.pullRequestNumber
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "archive_task",
+    {
+      description: "Soft-delete a task. Hidden but restorable via unarchive_task.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to archive")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "archive_task"
+      );
+      const validated = ArchiveTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.archiveTask(
+          validated.taskId,
+          validated.projectId
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "unarchive_task",
+    {
+      description: "Restore previously archived task to original state.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to restore")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "unarchive_task"
+      );
+      const validated = UnarchiveTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.unarchiveTask(
+          validated.taskId,
+          validated.projectId
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "create_personal_project",
+    {
+      description: "Create new project in personal workspace linked to GitHub repository.",
+      inputSchema: {
+        name: import_zod3.z.string().describe("Project name (max 100 chars)"),
+        description: import_zod3.z.string().optional().describe("Project description (max 500 chars)"),
+        repositoryUrl: import_zod3.z.string().describe("GitHub repository URL")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "create_personal_project"
+      );
+      const validated = CreatePersonalProjectInputSchema.parse(args);
+      try {
+        const result = await apiClient.createPersonalProject(
+          validated.name,
+          validated.description,
+          validated.repositoryUrl
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "create_task",
+    {
+      description: "Create task with title, description, acceptance criteria. Starts in DRAFT. Priority: LOW/MEDIUM/HIGH/CRITICAL.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID to create the task in"),
+        epicId: import_zod3.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
+        title: import_zod3.z.string().describe("Task title (max 200 chars)"),
+        description: import_zod3.z.string().describe("Task description (max 5000 chars)"),
+        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
+        acceptanceCriteria: import_zod3.z.array(
+          import_zod3.z.object({
+            description: import_zod3.z.string().describe("Acceptance criterion description (max 500 chars)")
+          })
+        ).describe("Array of acceptance criteria (at least 1 required)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "create_task"
+      );
+      const validated = CreateTaskMCPInputSchema.parse(args);
+      try {
+        const result = await apiClient.createTask({
+          projectId: validated.projectId,
+          epicId: validated.epicId,
+          title: validated.title,
+          description: validated.description,
+          priority: validated.priority,
+          acceptanceCriteria: validated.acceptanceCriteria
+        });
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "request_changes",
+    {
+      description: "Return task from REVIEW to IN_PROGRESS with feedback. Original assignee addresses changes.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to review"),
+        reviewComments: import_zod3.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
+        requestedChanges: import_zod3.z.array(import_zod3.z.string()).optional().describe("List of specific changes requested")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "request_changes"
+      );
+      const validated = RequestChangesInputSchema.parse(args);
+      try {
+        const result = await apiClient.requestChanges(
+          validated.taskId,
+          validated.projectId,
+          validated.reviewComments,
+          validated.requestedChanges
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "approve_task",
+    {
+      description: "Approve completed work and mark DONE. Only for REVIEW state tasks.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to approve"),
+        reviewComments: import_zod3.z.string().optional().describe("Optional approval comments (max 2000 chars)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.WRITE,
+        "approve_task"
+      );
+      const validated = ApproveTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.approveTask(
+          validated.taskId,
+          validated.projectId,
+          validated.reviewComments
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "verify_task",
+    {
+      description: "Verify a DRAFT task and move it to TODO state. Requires task to pass programmatic validation (title 10+ chars, description 50+ chars, each criterion 20+ chars). If approved=false, stores feedback with NEEDS_REVISION status.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to verify"),
+        approved: import_zod3.z.boolean().describe("Whether to approve the task"),
+        feedback: import_zod3.z.string().optional().describe("Feedback for the task (required if not approved)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(mockApiKey, ApiKeyPermission.WRITE, "verify_task");
+      const validated = VerifyTaskInputSchema.parse(args);
+      try {
+        const result = await apiClient.verifyTask(
+          validated.taskId,
+          validated.projectId,
+          validated.approved,
+          validated.feedback
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "get_task_prompt",
+    {
+      description: "Get state-appropriate prompt for a task. Returns verify prompt for DRAFT, assignment prompt for TODO, or continue prompt for IN_PROGRESS tasks.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(
+        mockApiKey,
+        ApiKeyPermission.READ,
+        "get_task_prompt"
+      );
+      const validated = GetTaskPromptInputSchema.parse(args);
+      try {
+        const result = await apiClient.getTaskPrompt(
+          validated.taskId,
+          validated.projectId
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "update_task",
+    {
+      description: "Update task details (title, description, priority, acceptanceCriteria). Only works for DRAFT and TODO states. If task is in TODO state, it reverts to DRAFT and requires re-verification.",
+      inputSchema: {
+        projectId: import_zod3.z.string().describe("The project ID"),
+        taskId: import_zod3.z.string().describe("The task ID to update"),
+        title: import_zod3.z.string().optional().describe("New task title"),
+        description: import_zod3.z.string().optional().describe("New task description"),
+        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
+        acceptanceCriteria: import_zod3.z.array(
+          import_zod3.z.object({
+            id: import_zod3.z.string().optional().describe("Existing criterion ID (for updates)"),
+            description: import_zod3.z.string().describe("Criterion description")
+          })
+        ).optional().describe("New acceptance criteria (replaces existing)")
+      }
+    },
+    async (args) => {
+      assertApiKeyPermission(mockApiKey, ApiKeyPermission.WRITE, "update_task");
+      const validated = UpdateTaskMCPInputSchema.parse(args);
+      try {
+        const result = await apiClient.updateTask(
+          validated.taskId,
+          validated.projectId,
+          {
+            title: validated.title,
+            description: validated.description,
+            priority: validated.priority,
+            acceptanceCriteria: validated.acceptanceCriteria
+          }
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify(result, null, 2)
+            }
+          ]
+        };
+      } catch (error) {
+        return handleApiError(error);
+      }
+    }
+  );
+  server.registerTool(
+    "get_version",
+    {
+      description: "Check MCP server version and connectivity."
+    },
+    async () => {
+      assertApiKeyPermission(mockApiKey, ApiKeyPermission.READ, "get_version");
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify(
+              {
+                version: VERSION,
+                timestamp: (/* @__PURE__ */ new Date()).toISOString()
+              },
+              null,
+              2
+            )
+          }
+        ]
+      };
+    }
+  );
+  return server;
+}
+function handleApiError(error) {
+  if (error instanceof ApiError) {
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify(
+            {
+              error: error.message,
+              code: error.code,
+              status: error.status,
+              details: error.details
+            },
+            null,
+            2
+          )
+        }
+      ],
+      isError: true
+    };
+  }
+  const message = error instanceof Error ? error.message : String(error);
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify({ error: message }, null, 2)
+      }
+    ],
+    isError: true
+  };
+}
+var ActiveTaskSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  projectId: import_zod3.z.string().min(1),
+  branchName: import_zod3.z.string().optional(),
+  worktreePath: import_zod3.z.string().optional(),
+  startedAt: import_zod3.z.string().optional()
+});
+async function checkActiveTask() {
+  const fs = await import("fs");
+  const path = await import("path");
+  const cwd = process.cwd();
+  const collabDir = path.join(cwd, ".collab");
+  const activeTaskPath = path.join(collabDir, "active-task.json");
+  try {
+    const resolvedPath = path.resolve(activeTaskPath);
+    const resolvedCollabDir = path.resolve(collabDir);
+    if (!resolvedPath.startsWith(resolvedCollabDir + path.sep) && resolvedPath !== resolvedCollabDir) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid active task path"
+      };
+    }
+    const stats = await fs.promises.lstat(activeTaskPath);
+    if (stats.isSymbolicLink()) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Symlinks not allowed for active task file"
+      };
+    }
+    if (!stats.isFile()) {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
+    const content = await fs.promises.readFile(activeTaskPath, "utf-8");
+    let parsed;
+    try {
+      parsed = JSON.parse(content);
+    } catch {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Invalid JSON in active task file"
+      };
+    }
+    const validationResult = ActiveTaskSchema.safeParse(parsed);
+    if (!validationResult.success) {
+      return {
+        hasActiveTask: false,
+        task: null,
+        error: "Active task file has invalid structure"
+      };
+    }
+    return {
+      hasActiveTask: true,
+      task: validationResult.data
+    };
+  } catch (err) {
+    if (err instanceof Error && "code" in err && err.code === "ENOENT") {
+      return {
+        hasActiveTask: false,
+        task: null
+      };
+    }
+    return {
+      hasActiveTask: false,
+      task: null,
+      error: "Failed to read active task file"
+    };
+  }
+}
+
+// src/auth.ts
+function createAuthMiddleware(baseUrl) {
+  return async (req, res, next) => {
+    const apiKey = req.headers["x-api-key"];
+    if (!apiKey || typeof apiKey !== "string") {
+      res.status(401).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32001,
+          message: "Missing or invalid X-API-Key header"
+        },
+        id: null
+      });
+      return;
+    }
+    if (!apiKey.startsWith("collab_")) {
+      res.status(401).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32001,
+          message: "Invalid API key format"
+        },
+        id: null
+      });
+      return;
+    }
+    try {
+      const apiClient = new MCPApiClient({
+        baseUrl,
+        apiKey,
+        timeout: 3e4
+      });
+      const authContext = await apiClient.authenticate();
+      req.apiClient = apiClient;
+      req.authContext = authContext;
+      next();
+    } catch (error) {
+      if (error instanceof ApiError) {
+        const statusCode = error.status || 401;
+        const errorCode = statusCode === 401 ? -32001 : statusCode === 403 ? -32002 : -32e3;
+        res.status(statusCode).json({
+          jsonrpc: "2.0",
+          error: {
+            code: errorCode,
+            message: error.message
+          },
+          id: null
+        });
+        return;
+      }
+      console.error("[collab-mcp-server] Authentication error:", error);
+      res.status(500).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32e3,
+          message: "Internal authentication error"
+        },
+        id: null
+      });
+    }
+  };
+}
+
+// src/server.ts
+var DEFAULT_PORT = 3001;
+var sessions = /* @__PURE__ */ new Map();
+var SESSION_TIMEOUT_MS = 30 * 60 * 1e3;
+var SESSION_CLEANUP_INTERVAL_MS = 60 * 1e3;
+var cleanupIntervalId = null;
+function startSessionCleanup() {
+  cleanupIntervalId = setInterval(() => {
+    const now = Date.now();
+    let cleanedCount = 0;
+    for (const [id, session] of sessions.entries()) {
+      if (now - session.lastAccessedAt.getTime() > SESSION_TIMEOUT_MS) {
+        console.error(`[collab-mcp-server] Session timed out: ${id}`);
+        session.transport.close();
+        sessions.delete(id);
+        cleanedCount++;
+      }
+    }
+    if (cleanedCount > 0) {
+      console.error(`[collab-mcp-server] Cleaned up ${cleanedCount} expired session(s)`);
+    }
+  }, SESSION_CLEANUP_INTERVAL_MS);
+}
+function getSessionIdHeader(req) {
+  const header = req.headers["mcp-session-id"];
+  if (Array.isArray(header)) {
+    return header[0];
+  }
+  return header;
+}
+async function createHTTPServer() {
+  const port = parseInt(process.env.PORT || String(DEFAULT_PORT), 10);
+  const baseUrl = process.env.COLLAB_BASE_URL;
+  if (!baseUrl) {
+    console.error("[collab-mcp-server] Error: COLLAB_BASE_URL environment variable is required");
+    console.error("\nRequired environment variables:");
+    console.error("  COLLAB_BASE_URL    Collab webapp URL (e.g., https://collab.mtaap.de)");
+    console.error("  PORT               Server port (default: 3001)");
+    console.error("\nClients must provide X-API-Key header with their Collab API key.");
+    process.exit(1);
+  }
+  try {
+    new URL(baseUrl);
+  } catch {
+    console.error(`[collab-mcp-server] Error: COLLAB_BASE_URL is not a valid URL: ${baseUrl}`);
+    process.exit(1);
+  }
+  const app = (0, import_express.default)();
+  app.use(import_express.default.json());
+  app.get("/mcp/health", (_req, res) => {
+    res.json({
+      status: "ok",
+      version: VERSION,
+      activeSessions: sessions.size,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  });
+  const authMiddleware = createAuthMiddleware(baseUrl);
+  app.post("/mcp", authMiddleware, async (req, res) => {
+    const authReq = req;
+    const sessionId = getSessionIdHeader(req);
+    let sessionData;
+    if (sessionId) {
+      sessionData = sessions.get(sessionId);
+      if (!sessionData) {
+        res.status(400).json({
+          jsonrpc: "2.0",
+          error: {
+            code: -32e3,
+            message: "Invalid or expired session"
+          },
+          id: null
+        });
+        return;
+      }
+      sessionData.lastAccessedAt = /* @__PURE__ */ new Date();
+    } else if ((0, import_types.isInitializeRequest)(req.body)) {
+      const now = /* @__PURE__ */ new Date();
+      const transport = new import_streamableHttp.StreamableHTTPServerTransport({
+        sessionIdGenerator: () => (0, import_node_crypto.randomUUID)(),
+        onsessioninitialized: (id) => {
+          sessions.set(id, {
+            transport,
+            apiClient: authReq.apiClient,
+            authContext: authReq.authContext,
+            createdAt: now,
+            lastAccessedAt: now
+          });
+          console.error(`[collab-mcp-server] Session initialized: ${id} (user: ${authReq.authContext.userEmail})`);
+        },
+        onsessionclosed: (id) => {
+          sessions.delete(id);
+          console.error(`[collab-mcp-server] Session closed: ${id}`);
+        }
+      });
+      transport.onclose = () => {
+        if (transport.sessionId) {
+          sessions.delete(transport.sessionId);
+          console.error(`[collab-mcp-server] Transport closed for session: ${transport.sessionId}`);
+        }
+      };
+      const server = initializeMCPServer(authReq.apiClient, authReq.authContext);
+      await server.connect(transport);
+      sessionData = {
+        transport,
+        apiClient: authReq.apiClient,
+        authContext: authReq.authContext,
+        createdAt: now,
+        lastAccessedAt: now
+      };
+    } else {
+      res.status(400).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32e3,
+          message: "No session ID provided and request is not an initialize request"
+        },
+        id: null
+      });
+      return;
+    }
+    await sessionData.transport.handleRequest(req, res, req.body);
+  });
+  app.get("/mcp", authMiddleware, async (req, res) => {
+    const sessionId = getSessionIdHeader(req);
+    if (!sessionId) {
+      res.status(400).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32e3,
+          message: "mcp-session-id header is required for SSE stream"
+        },
+        id: null
+      });
+      return;
+    }
+    const sessionData = sessions.get(sessionId);
+    if (!sessionData) {
+      res.status(400).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32e3,
+          message: "Invalid or expired session"
+        },
+        id: null
+      });
+      return;
+    }
+    sessionData.lastAccessedAt = /* @__PURE__ */ new Date();
+    await sessionData.transport.handleRequest(req, res);
+  });
+  app.delete("/mcp", authMiddleware, async (req, res) => {
+    const sessionId = getSessionIdHeader(req);
+    if (!sessionId) {
+      res.status(400).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32e3,
+          message: "mcp-session-id header is required for session termination"
+        },
+        id: null
+      });
+      return;
+    }
+    const sessionData = sessions.get(sessionId);
+    if (!sessionData) {
+      res.status(400).json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32e3,
+          message: "Invalid or expired session"
+        },
+        id: null
+      });
+      return;
+    }
+    await sessionData.transport.handleRequest(req, res);
+  });
+  startSessionCleanup();
+  app.listen(port, () => {
+    console.error(`[collab-mcp-server] Collab MCP HTTP Server v${VERSION}`);
+    console.error(`[collab-mcp-server] Listening on http://0.0.0.0:${port}`);
+    console.error(`[collab-mcp-server] MCP endpoint: POST/GET/DELETE /mcp`);
+    console.error(`[collab-mcp-server] Health check: GET /mcp/health`);
+    console.error(`[collab-mcp-server] API URL: ${baseUrl}`);
+    console.error(`[collab-mcp-server] Session timeout: ${SESSION_TIMEOUT_MS / 1e3 / 60} minutes`);
+  });
+}
+function handleCliFlags() {
+  const args = process.argv.slice(2);
+  if (args.includes("--version") || args.includes("-v")) {
+    console.log(`collab-mcp-server v${VERSION}`);
+    process.exit(0);
+  }
+  if (args.includes("--help") || args.includes("-h")) {
+    console.log(`collab-mcp-server v${VERSION}
+
+Collab MCP HTTP Server - Streamable HTTP transport for remote MCP connections
+
+Usage:
+  collab-mcp-server [options]
+
+Options:
+  -v, --version    Show version number
+  -h, --help       Show this help message
+
+Environment Variables:
+  COLLAB_BASE_URL  Collab webapp URL (required)
+  PORT             Server port (default: 3001)
+
+Client Authentication:
+  Clients must provide an X-API-Key header with their Collab API key.
+  Each session is authenticated independently.
+
+Example deployment with Docker:
+  docker run -e COLLAB_BASE_URL=https://collab.mtaap.de -p 3001:3001 mtaap/mcp-server
+
+Example client configuration (Claude Desktop):
+{
+  "mcpServers": {
+    "collab-remote": {
+      "url": "https://your-server.com/mcp",
+      "headers": {
+        "X-API-Key": "collab_your_api_key_here"
+      }
+    }
+  }
+}`);
+    process.exit(0);
+  }
+}
+function setupShutdownHandlers() {
+  const shutdown = (signal) => {
+    console.error(`[collab-mcp-server] Received ${signal}, shutting down...`);
+    if (cleanupIntervalId) {
+      clearInterval(cleanupIntervalId);
+      cleanupIntervalId = null;
+    }
+    for (const [sessionId, sessionData] of sessions.entries()) {
+      console.error(`[collab-mcp-server] Closing session: ${sessionId}`);
+      sessionData.transport.close();
+    }
+    sessions.clear();
+    process.exit(0);
+  };
+  process.on("SIGINT", () => shutdown("SIGINT"));
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("uncaughtException", (error) => {
+    console.error("[collab-mcp-server] Uncaught exception:", error.message);
+    process.exit(1);
+  });
+  process.on("unhandledRejection", (reason) => {
+    const message = reason instanceof Error ? reason.message : String(reason);
+    console.error("[collab-mcp-server] Unhandled rejection:", message);
+    process.exit(1);
+  });
+}
+handleCliFlags();
+setupShutdownHandlers();
+console.error("[collab-mcp-server] Starting Collab MCP HTTP Server...");
+createHTTPServer().catch((error) => {
+  console.error("[collab-mcp-server] Failed to start server:", error.message);
+  process.exit(1);
+});
+//# sourceMappingURL=server.js.map