@mtaap/mcp 0.2.13 → 0.5.1

package/dist/index.js

@@ -44,15 +44,18 @@ var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
 // package.json
 var package_default = {
   name: "@mtaap/mcp",
-  version: "0.2.12",
+  version: "0.5.1",
   description: "Model Context Protocol (MCP) server for AI agents to interact with Collab - the multi-tenant collaborative agent development platform",
   mcpName: "collab",
   scripts: {
-    build: "tsup"
+    build: "pnpm build:ui && tsup",
+    "build:ui": "node scripts/build-ui.mjs",
+    "dev:ui": "vite build --watch"
   },
   main: "./dist/index.js",
   types: "./dist/index.d.ts",
   bin: {
+    mcp: "./dist/cli.js",
     "collab-mcp": "./dist/cli.js",
     "collab-mcp-server": "./dist/server.js"
   },
@@ -85,6 +88,7 @@ var package_default = {
   },
   dependencies: {
     "@modelcontextprotocol/sdk": "^1.0.0",
+    "@modelcontextprotocol/ext-apps": "^1.0.1",
     express: "^5.0.1",
     zod: "^4.3.5"
   },
@@ -93,8 +97,18 @@ var package_default = {
     "@mtaap/core": "workspace:*",
     "@types/express": "^5.0.0",
     "@types/node": "^22.0.0",
+    "@types/react": "^19.0.0",
+    "@types/react-dom": "^19.0.0",
+    "@vitejs/plugin-react": "^4.4.0",
+    autoprefixer: "^10.4.21",
+    postcss: "^8.5.3",
+    react: "^19.0.0",
+    "react-dom": "^19.0.0",
+    tailwindcss: "^3.4.17",
     tsup: "^8.5.1",
-    typescript: "^5.4.0"
+    typescript: "^5.4.0",
+    vite: "^6.3.2",
+    "vite-plugin-singlefile": "^2.0.3"
   }
 };
 
@@ -102,7 +116,7 @@ var package_default = {
 var VERSION = package_default.version;
 
 // src/index.ts
-var import_zod3 = require("zod");
+var import_zod9 = require("zod");
 
 // ../../packages/core/dist/constants/enums.js
 var TaskState;
@@ -188,13 +202,11 @@ var WebSocketEventType;
   WebSocketEventType2["TASK_UPDATED"] = "task.updated";
   WebSocketEventType2["TASK_DELETED"] = "task.deleted";
   WebSocketEventType2["MEMBER_JOINED"] = "member.joined";
+  WebSocketEventType2["AGENT_STARTED"] = "agent.started";
+  WebSocketEventType2["AGENT_OUTPUT"] = "agent.output";
+  WebSocketEventType2["AGENT_STOPPED"] = "agent.stopped";
+  WebSocketEventType2["AGENT_ERROR"] = "agent.error";
 })(WebSocketEventType || (WebSocketEventType = {}));
-var AuthProvider;
-(function(AuthProvider2) {
-  AuthProvider2["CREDENTIALS"] = "credentials";
-  AuthProvider2["LDAP"] = "ldap";
-  AuthProvider2["SSO"] = "sso";
-})(AuthProvider || (AuthProvider = {}));
 var SubscriptionStatus;
 (function(SubscriptionStatus2) {
   SubscriptionStatus2["ACTIVE"] = "ACTIVE";
@@ -210,6 +222,37 @@ var EventType;
   EventType2["ACCESS"] = "ACCESS";
   EventType2["MODIFICATION"] = "MODIFICATION";
 })(EventType || (EventType = {}));
+var CreatedVia;
+(function(CreatedVia2) {
+  CreatedVia2["UI"] = "UI";
+  CreatedVia2["API_KEY"] = "API_KEY";
+  CreatedVia2["OAUTH"] = "OAUTH";
+})(CreatedVia || (CreatedVia = {}));
+var AgentModel;
+(function(AgentModel2) {
+  AgentModel2["OPUS"] = "OPUS";
+  AgentModel2["SONNET"] = "SONNET";
+  AgentModel2["HAIKU"] = "HAIKU";
+})(AgentModel || (AgentModel = {}));
+var AgentModelMode;
+(function(AgentModelMode2) {
+  AgentModelMode2["DEFAULT"] = "DEFAULT";
+  AgentModelMode2["PRESET"] = "PRESET";
+  AgentModelMode2["CUSTOM"] = "CUSTOM";
+})(AgentModelMode || (AgentModelMode = {}));
+var AgentCLIType;
+(function(AgentCLIType2) {
+  AgentCLIType2["CLAUDE_CODE"] = "CLAUDE_CODE";
+  AgentCLIType2["OPENCODE"] = "OPENCODE";
+})(AgentCLIType || (AgentCLIType = {}));
+var AgentSessionStatus;
+(function(AgentSessionStatus2) {
+  AgentSessionStatus2["STARTING"] = "STARTING";
+  AgentSessionStatus2["RUNNING"] = "RUNNING";
+  AgentSessionStatus2["STOPPING"] = "STOPPING";
+  AgentSessionStatus2["STOPPED"] = "STOPPED";
+  AgentSessionStatus2["ERROR"] = "ERROR";
+})(AgentSessionStatus || (AgentSessionStatus = {}));
 
 // ../../packages/core/dist/constants/state-machine.js
 var VALID_TRANSITIONS = {
@@ -233,6 +276,62 @@ var VALID_TRANSITIONS = {
   [TaskState.DONE]: []
 };
 
+// ../../packages/core/dist/constants/oauth.js
+var OAuthScopes = {
+  /** Read-only access to MCP resources */
+  READ: "mcp:read",
+  /** Read and write access to MCP resources */
+  WRITE: "mcp:write",
+  /** Full administrative access */
+  ADMIN: "mcp:admin"
+};
+var VALID_OAUTH_SCOPES = [
+  OAuthScopes.READ,
+  OAuthScopes.WRITE,
+  OAuthScopes.ADMIN
+];
+var DEFAULT_OAUTH_SCOPES = `${OAuthScopes.READ} ${OAuthScopes.WRITE}`;
+var OAUTH_SCOPE_TO_PERMISSION = {
+  [OAuthScopes.READ]: ApiKeyPermission.READ,
+  [OAuthScopes.WRITE]: ApiKeyPermission.WRITE,
+  [OAuthScopes.ADMIN]: ApiKeyPermission.ADMIN
+};
+var PERMISSION_TO_OAUTH_SCOPE = {
+  [ApiKeyPermission.READ]: OAuthScopes.READ,
+  [ApiKeyPermission.WRITE]: OAuthScopes.WRITE,
+  [ApiKeyPermission.ADMIN]: OAuthScopes.ADMIN
+};
+var OAuthTokenLifetimes = {
+  /** Access token lifetime: 1 hour */
+  ACCESS_TOKEN_MS: 60 * 60 * 1e3,
+  /** Refresh token lifetime: 30 days */
+  REFRESH_TOKEN_MS: 30 * 24 * 60 * 60 * 1e3,
+  /** Authorization code lifetime: 10 minutes */
+  AUTHORIZATION_CODE_MS: 10 * 60 * 1e3
+};
+var OAuthGrantTypes = {
+  AUTHORIZATION_CODE: "authorization_code",
+  REFRESH_TOKEN: "refresh_token"
+};
+var SUPPORTED_GRANT_TYPES = [
+  OAuthGrantTypes.AUTHORIZATION_CODE,
+  OAuthGrantTypes.REFRESH_TOKEN
+];
+var OAuthResponseTypes = {
+  CODE: "code"
+};
+var OAuthCodeChallengeMethods = {
+  S256: "S256"
+};
+var OAuthRateLimits = {
+  /** /oauth/token: 30 requests per minute per client */
+  TOKEN_ENDPOINT: { limit: 30, windowMs: 60 * 1e3 },
+  /** /oauth/authorize: 10 requests per minute per user */
+  AUTHORIZE_ENDPOINT: { limit: 10, windowMs: 60 * 1e3 },
+  /** /oauth/register: 5 requests per minute per IP */
+  REGISTER_ENDPOINT: { limit: 5, windowMs: 60 * 1e3 }
+};
+
 // ../../packages/core/dist/config/deployment.js
 var config = {
   deploymentMode: process.env.DEPLOYMENT_MODE || "saas"
@@ -240,20 +339,24 @@ var config = {
 var isSaas = config.deploymentMode === "saas";
 var isOnPrem = config.deploymentMode === "onprem";
 
-// ../../packages/core/dist/version.js
-var VERSION2 = "0.1.0";
+// ../../packages/core/dist/versions.js
+var VERSIONS = {
+  core: "0.4.0",
+  web: "0.4.0",
+  mcp: "0.5.0"
+};
+var VERSION2 = VERSIONS.core;
 
 // ../../packages/core/dist/config/index.js
 var DEPLOYMENT_MODE = process.env.DEPLOYMENT_MODE || "saas";
 var config2 = {
   version: VERSION2,
+  packages: VERSIONS,
   deploymentMode: DEPLOYMENT_MODE,
   billing: {
     enabled: DEPLOYMENT_MODE === "saas",
     revenuecat: {
-      publicKey: process.env.REVENUECAT_PUBLIC_API_KEY,
-      stripeKey: process.env.STRIPE_SECRET_KEY
-      // Required by RevenueCat Web Billing
+      publicKey: process.env.NEXT_PUBLIC_REVENUECAT_PUBLIC_KEY
     }
   },
   licensing: {
@@ -321,6 +424,18 @@ var config2 = {
       requestsPerHour: 1e3
     }
   },
+  agent: {
+    defaultModel: "SONNET",
+    sessionTimeoutMs: 30 * 60 * 1e3,
+    // 30 minutes
+    maxSessionDurationMs: 4 * 60 * 60 * 1e3,
+    // 4 hours
+    maxConcurrentSessions: {
+      FREE: 1,
+      PRO: 5,
+      ENTERPRISE: -1
+    }
+  },
   limits: {
     projectNameMaxLength: 100,
     taskDescriptionMaxLength: 5e3,
@@ -359,7 +474,6 @@ var OrganizationIdSchema = import_zod.z.string().regex(/^org_[a-zA-Z0-9]+$/);
 var OrganizationSchema = import_zod.z.object({
   id: OrganizationIdSchema,
   name: import_zod.z.string().min(1).max(255),
-  slug: import_zod.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/),
   logoUrl: import_zod.z.string().url().nullable(),
   accentColor: import_zod.z.string().regex(/^#[0-9A-Fa-f]{6}$/).nullable(),
   tenantName: import_zod.z.string().nullable(),
@@ -487,239 +601,376 @@ var ProjectCollaboratorSchema = import_zod.z.object({
 });
 
 // ../../packages/core/dist/validation/index.js
+var import_zod3 = require("zod");
+
+// ../../packages/core/dist/validation/oauth.js
 var import_zod2 = require("zod");
-var ListProjectsInputSchema = import_zod2.z.object({
-  workspaceType: import_zod2.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod2.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
-});
-var ListTasksInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().optional(),
-  state: import_zod2.z.nativeEnum(TaskState).optional(),
-  assigneeId: import_zod2.z.string().optional(),
-  includeArchived: import_zod2.z.boolean().optional()
-});
-var cuidOrPrefixedId = import_zod2.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
-var gitBranchName = import_zod2.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
-var GetTaskInputSchema = import_zod2.z.object({
+var scopeString = import_zod2.z.string().optional().transform((val) => {
+  if (!val)
+    return void 0;
+  const scopes = val.split(" ").filter(Boolean);
+  const validScopes = scopes.filter((s) => VALID_OAUTH_SCOPES.includes(s));
+  return validScopes.length > 0 ? validScopes.join(" ") : void 0;
+});
+var redirectUri = import_zod2.z.string().url().refine((uri) => {
+  const url = new URL(uri);
+  return url.protocol === "https:" || url.hostname === "localhost" || url.hostname === "127.0.0.1";
+}, { message: "redirect_uri must use HTTPS or be localhost" });
+var codeVerifier = import_zod2.z.string().min(43).max(128).regex(/^[A-Za-z0-9._~-]+$/, "code_verifier must only contain unreserved characters");
+var codeChallenge = import_zod2.z.string().min(43).max(128).regex(/^[A-Za-z0-9_-]+$/, "code_challenge must be base64url encoded (no padding)");
+var DynamicClientRegistrationSchema = import_zod2.z.object({
+  redirect_uris: import_zod2.z.array(redirectUri).min(1),
+  client_name: import_zod2.z.string().min(1).max(255),
+  client_uri: import_zod2.z.string().url().optional(),
+  logo_uri: import_zod2.z.string().url().optional(),
+  // Accept lowercase OAuth spec values
+  grant_types: import_zod2.z.array(import_zod2.z.enum(["authorization_code", "refresh_token"])).default(["authorization_code", "refresh_token"]),
+  response_types: import_zod2.z.array(import_zod2.z.enum([OAuthResponseTypes.CODE])).default([OAuthResponseTypes.CODE]),
+  scope: scopeString,
+  // Accept lowercase OAuth spec values
+  token_endpoint_auth_method: import_zod2.z.enum(["none", "client_secret_post", "client_secret_basic"]).default("none")
+});
+var DynamicClientRegistrationResponseSchema = import_zod2.z.object({
+  client_id: import_zod2.z.string(),
+  client_secret: import_zod2.z.string().optional(),
+  client_id_issued_at: import_zod2.z.number(),
+  client_secret_expires_at: import_zod2.z.number().optional(),
+  redirect_uris: import_zod2.z.array(import_zod2.z.string()),
+  client_name: import_zod2.z.string(),
+  client_uri: import_zod2.z.string().optional(),
+  logo_uri: import_zod2.z.string().optional(),
+  grant_types: import_zod2.z.array(import_zod2.z.string()),
+  response_types: import_zod2.z.array(import_zod2.z.string()),
+  scope: import_zod2.z.string(),
+  token_endpoint_auth_method: import_zod2.z.string(),
+  registration_access_token: import_zod2.z.string().optional(),
+  registration_client_uri: import_zod2.z.string().optional()
+});
+var AuthorizationRequestSchema = import_zod2.z.object({
+  response_type: import_zod2.z.literal(OAuthResponseTypes.CODE),
+  client_id: import_zod2.z.string().min(1),
+  redirect_uri: redirectUri,
+  scope: scopeString,
+  state: import_zod2.z.string().max(255).optional(),
+  // PKCE is mandatory in OAuth 2.1
+  code_challenge: codeChallenge,
+  code_challenge_method: import_zod2.z.literal(OAuthCodeChallengeMethods.S256)
+});
+var TokenRequestAuthorizationCodeSchema = import_zod2.z.object({
+  grant_type: import_zod2.z.literal(OAuthGrantTypes.AUTHORIZATION_CODE),
+  code: import_zod2.z.string().min(1),
+  redirect_uri: redirectUri,
+  client_id: import_zod2.z.string().min(1),
+  // PKCE code verifier is mandatory
+  code_verifier: codeVerifier,
+  // Client secret is optional (for confidential clients)
+  client_secret: import_zod2.z.string().optional()
+});
+var TokenRequestRefreshTokenSchema = import_zod2.z.object({
+  grant_type: import_zod2.z.literal(OAuthGrantTypes.REFRESH_TOKEN),
+  refresh_token: import_zod2.z.string().min(1),
+  client_id: import_zod2.z.string().min(1),
+  // Optional: request reduced scope
+  scope: scopeString,
+  // Client secret is optional (for confidential clients)
+  client_secret: import_zod2.z.string().optional()
+});
+var TokenRequestSchema = import_zod2.z.discriminatedUnion("grant_type", [
+  TokenRequestAuthorizationCodeSchema,
+  TokenRequestRefreshTokenSchema
+]);
+var TokenResponseSchema = import_zod2.z.object({
+  access_token: import_zod2.z.string(),
+  token_type: import_zod2.z.literal("Bearer"),
+  expires_in: import_zod2.z.number(),
+  refresh_token: import_zod2.z.string().optional(),
+  scope: import_zod2.z.string()
+});
+var TokenRevocationRequestSchema = import_zod2.z.object({
+  token: import_zod2.z.string().min(1),
+  token_type_hint: import_zod2.z.enum(["access_token", "refresh_token"]).optional(),
+  client_id: import_zod2.z.string().min(1),
+  client_secret: import_zod2.z.string().optional()
+});
+var OAuthErrorResponseSchema = import_zod2.z.object({
+  error: import_zod2.z.string(),
+  error_description: import_zod2.z.string().optional(),
+  error_uri: import_zod2.z.string().url().optional(),
+  state: import_zod2.z.string().optional()
+});
+var AuthorizationServerMetadataSchema = import_zod2.z.object({
+  issuer: import_zod2.z.string().url(),
+  authorization_endpoint: import_zod2.z.string().url(),
+  token_endpoint: import_zod2.z.string().url(),
+  registration_endpoint: import_zod2.z.string().url().optional(),
+  revocation_endpoint: import_zod2.z.string().url().optional(),
+  scopes_supported: import_zod2.z.array(import_zod2.z.string()),
+  response_types_supported: import_zod2.z.array(import_zod2.z.string()),
+  grant_types_supported: import_zod2.z.array(import_zod2.z.string()),
+  token_endpoint_auth_methods_supported: import_zod2.z.array(import_zod2.z.string()),
+  code_challenge_methods_supported: import_zod2.z.array(import_zod2.z.string()),
+  service_documentation: import_zod2.z.string().url().optional()
+});
+var ProtectedResourceMetadataSchema = import_zod2.z.object({
+  resource: import_zod2.z.string().url(),
+  authorization_servers: import_zod2.z.array(import_zod2.z.string().url()),
+  scopes_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  bearer_methods_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  resource_signing_alg_values_supported: import_zod2.z.array(import_zod2.z.string()).optional(),
+  resource_documentation: import_zod2.z.string().url().optional()
+});
+var InternalTokenValidationRequestSchema = import_zod2.z.object({
+  access_token: import_zod2.z.string().min(1)
+});
+var InternalTokenValidationResponseSchema = import_zod2.z.object({
+  valid: import_zod2.z.boolean(),
+  userId: import_zod2.z.string().optional(),
+  userEmail: import_zod2.z.string().optional(),
+  userName: import_zod2.z.string().optional(),
+  scope: import_zod2.z.string().optional(),
+  permissions: import_zod2.z.string().optional(),
+  clientId: import_zod2.z.string().optional(),
+  expiresAt: import_zod2.z.string().optional()
+});
+
+// ../../packages/core/dist/validation/index.js
+var ListProjectsInputSchema = import_zod3.z.object({
+  workspaceType: import_zod3.z.preprocess((val) => typeof val === "string" ? val.toUpperCase() : val, import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional())
+});
+var ListTasksInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().optional(),
+  state: import_zod3.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod3.z.string().optional(),
+  includeArchived: import_zod3.z.boolean().optional()
+});
+var cuidOrPrefixedId = import_zod3.z.string().regex(/^([a-z0-9]+|[a-z]+_[a-zA-Z0-9]+)$/);
+var gitBranchName = import_zod3.z.string().min(1).max(100).regex(/^[a-zA-Z0-9][-a-zA-Z0-9._/]*[a-zA-Z0-9]$|^[a-zA-Z0-9]$/, "Branch name must start and end with alphanumeric character").refine((val) => !val.includes("..") && !val.includes("@{") && !val.includes("//") && !val.endsWith(".lock") && !val.includes("~") && !val.includes("^") && !val.includes(":") && !val.includes("?") && !val.includes("*") && !val.includes("[") && !val.includes("\\") && !val.includes(" ") && !val.includes(";") && !val.includes("&") && !val.includes("|") && !val.includes("$") && !val.includes("`") && !val.includes("'") && !val.includes('"') && !val.includes("<") && !val.includes(">") && !val.includes("(") && !val.includes(")"), "Invalid branch name: contains forbidden characters or sequences");
+var GetTaskInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId
 });
-var AssignTaskInputSchema = import_zod2.z.object({
+var AssignTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  expectedState: import_zod2.z.nativeEnum(TaskState).default(TaskState.TODO)
+  expectedState: import_zod3.z.nativeEnum(TaskState).default(TaskState.TODO)
 });
-var UpdateProgressInputSchema = import_zod2.z.object({
+var UpdateProgressInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  statusMessage: import_zod2.z.string().max(1e3).optional(),
-  completedCheckpointIds: import_zod2.z.array(import_zod2.z.string()).optional(),
-  currentCheckpointIndex: import_zod2.z.number().int().optional()
+  statusMessage: import_zod3.z.string().max(1e3).optional(),
+  completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional(),
+  currentCheckpointIndex: import_zod3.z.number().int().optional()
 });
-var CompleteTaskInputSchema = import_zod2.z.object({
+var CompleteTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  pullRequestTitle: import_zod2.z.string().min(1).max(300).optional(),
-  pullRequestBody: import_zod2.z.string().max(1e4).optional()
+  pullRequestTitle: import_zod3.z.string().min(1).max(300).optional(),
+  pullRequestBody: import_zod3.z.string().max(1e4).optional()
 });
-var ReportErrorInputSchema = import_zod2.z.object({
+var ReportErrorInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  errorType: import_zod2.z.nativeEnum(ErrorType),
-  errorMessage: import_zod2.z.string().min(1).max(1e3),
-  context: import_zod2.z.string().max(2e3).optional()
+  errorType: import_zod3.z.nativeEnum(ErrorType),
+  errorMessage: import_zod3.z.string().min(1).max(1e3),
+  context: import_zod3.z.string().max(2e3).optional()
 });
-var GetProjectContextInputSchema = import_zod2.z.object({
+var GetProjectContextInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId
 });
-var AddNoteInputSchema = import_zod2.z.object({
+var AddNoteInputSchema = import_zod3.z.object({
   taskId: cuidOrPrefixedId,
-  content: import_zod2.z.string().min(1).max(500)
+  content: import_zod3.z.string().min(1).max(500)
 });
-var AbandonTaskInputSchema = import_zod2.z.object({
+var AbandonTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  deleteBranch: import_zod2.z.boolean().optional()
+  deleteBranch: import_zod3.z.boolean().optional()
 });
-var RequestChangesInputSchema = import_zod2.z.object({
+var RequestChangesInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  reviewComments: import_zod2.z.string().min(1).max(5e3),
-  requestedChanges: import_zod2.z.array(import_zod2.z.string().min(1).max(500)).optional()
+  reviewComments: import_zod3.z.string().min(1).max(5e3),
+  requestedChanges: import_zod3.z.array(import_zod3.z.string().min(1).max(500)).optional()
 });
-var ApproveTaskInputSchema = import_zod2.z.object({
+var ApproveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  reviewComments: import_zod2.z.string().max(2e3).optional()
+  reviewComments: import_zod3.z.string().max(2e3).optional()
 });
-var ArchiveTaskInputSchema = import_zod2.z.object({
+var ArchiveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var UnarchiveTaskInputSchema = import_zod2.z.object({
+var UnarchiveTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var CreatePersonalProjectInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  description: import_zod2.z.string().max(500).optional(),
-  repositoryUrl: import_zod2.z.string().url()
+var CreatePersonalProjectInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  description: import_zod3.z.string().max(500).optional(),
+  repositoryUrl: import_zod3.z.string().url()
 });
-var CheckActiveTaskInputSchema = import_zod2.z.object({});
-var CreateTaskMCPInputSchema = import_zod2.z.object({
+var CheckActiveTaskInputSchema = import_zod3.z.object({});
+var CreateTaskMCPInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   epicId: cuidOrPrefixedId.nullable().optional(),
-  title: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(5e3),
-  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    description: import_zod2.z.string().min(1).max(500)
+  title: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(5e3),
+  priority: import_zod3.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    description: import_zod3.z.string().min(1).max(500)
   })).min(1)
 });
-var CreateOrganizationInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(255),
-  slug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+var CreateOrganizationInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(255)
 });
-var UpdateOrganizationInputSchema = import_zod2.z.object({
+var UpdateOrganizationInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(255).optional(),
-  logoUrl: import_zod2.z.string().url().nullable().optional(),
-  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
-  tenantName: import_zod2.z.string().max(255).nullable().optional()
-});
-var CreateProjectInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  description: import_zod2.z.string().max(500).optional(),
-  type: import_zod2.z.nativeEnum(ProjectType),
-  repositoryUrl: import_zod2.z.string().url(),
-  baseBranch: import_zod2.z.string().default("develop").optional(),
-  tags: import_zod2.z.array(import_zod2.z.string()).default([])
-});
-var UpdateProjectInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().min(1).optional(),
-  name: import_zod2.z.string().min(1).max(100).optional(),
-  description: import_zod2.z.string().max(500).optional(),
-  repositoryUrl: import_zod2.z.string().url().optional(),
-  baseBranch: import_zod2.z.string().optional(),
-  tags: import_zod2.z.array(import_zod2.z.string()).optional(),
-  allowMemberArchive: import_zod2.z.boolean().optional()
-});
-var CreateEpicInputSchema = import_zod2.z.object({
+  name: import_zod3.z.string().min(1).max(255).optional(),
+  logoUrl: import_zod3.z.string().url().nullable().optional(),
+  accentColor: import_zod3.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod3.z.string().max(255).nullable().optional()
+});
+var CreateProjectInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  description: import_zod3.z.string().max(500).optional(),
+  type: import_zod3.z.nativeEnum(ProjectType),
+  repositoryUrl: import_zod3.z.string().url(),
+  baseBranch: import_zod3.z.string().default("develop").optional(),
+  tags: import_zod3.z.array(import_zod3.z.string()).default([])
+});
+var UpdateProjectInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().min(1).optional(),
+  name: import_zod3.z.string().min(1).max(100).optional(),
+  description: import_zod3.z.string().max(500).optional(),
+  repositoryUrl: import_zod3.z.string().url().optional(),
+  baseBranch: import_zod3.z.string().optional(),
+  tags: import_zod3.z.array(import_zod3.z.string()).optional(),
+  allowMemberArchive: import_zod3.z.boolean().optional(),
+  localRepoPath: import_zod3.z.string().max(500).optional()
+});
+var CreateEpicInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(2e3).optional()
-});
-var CreateTaskInputSchema = import_zod2.z.object({
-  projectId: import_zod2.z.string().min(1),
-  epicId: import_zod2.z.string().min(1).nullable().optional(),
-  title: import_zod2.z.string().min(1).max(200),
-  description: import_zod2.z.string().max(5e3),
-  priority: import_zod2.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    description: import_zod2.z.string().min(1).max(500)
+  name: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(2e3).optional()
+});
+var CreateTaskInputSchema = import_zod3.z.object({
+  projectId: import_zod3.z.string().min(1),
+  epicId: import_zod3.z.string().min(1).nullable().optional(),
+  title: import_zod3.z.string().min(1).max(200),
+  description: import_zod3.z.string().max(5e3),
+  priority: import_zod3.z.nativeEnum(TaskPriority).default(TaskPriority.MEDIUM),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    description: import_zod3.z.string().min(1).max(500)
   })).min(1)
 });
-var UpdateTaskInputSchema = import_zod2.z.object({
-  taskId: import_zod2.z.string().min(1),
-  title: import_zod2.z.string().min(1).max(200).optional(),
-  description: import_zod2.z.string().max(5e3).optional(),
-  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
-  state: import_zod2.z.nativeEnum(TaskState).optional(),
-  assigneeId: import_zod2.z.string().nullable().optional(),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    id: import_zod2.z.string().optional(),
-    description: import_zod2.z.string().min(1).max(500),
-    completed: import_zod2.z.boolean().optional()
+var UpdateTaskInputSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  title: import_zod3.z.string().min(1).max(200).optional(),
+  description: import_zod3.z.string().max(5e3).optional(),
+  priority: import_zod3.z.nativeEnum(TaskPriority).optional(),
+  state: import_zod3.z.nativeEnum(TaskState).optional(),
+  assigneeId: import_zod3.z.string().nullable().optional(),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    id: import_zod3.z.string().optional(),
+    description: import_zod3.z.string().min(1).max(500),
+    completed: import_zod3.z.boolean().optional()
   })).optional()
 });
-var AssignTaskWebappInputSchema = import_zod2.z.object({
-  taskId: import_zod2.z.string().min(1),
-  userId: import_zod2.z.string().min(1)
+var AssignTaskWebappInputSchema = import_zod3.z.object({
+  taskId: import_zod3.z.string().min(1),
+  userId: import_zod3.z.string().min(1)
 });
-var CreateTagInputSchema = import_zod2.z.object({
+var CreateTagInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+  name: import_zod3.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
 });
-var UpdateTagInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
+var UpdateTagInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(50).regex(/^[a-zA-Z0-9\s-]+$/)
 });
-var UpdateOrganizationSettingsInputSchema = import_zod2.z.object({
+var UpdateOrganizationSettingsInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  ldapEnabled: import_zod2.z.boolean().optional(),
-  ldapUrl: import_zod2.z.string().url().nullable().optional(),
-  ldapBindDN: import_zod2.z.string().nullable().optional(),
-  ldapSearchBase: import_zod2.z.string().nullable().optional(),
-  deleteMergedBranches: import_zod2.z.boolean().optional(),
-  enforceConventionalCommits: import_zod2.z.boolean().optional(),
-  maxPersonalProjectsPerUser: import_zod2.z.number().int().min(0).optional(),
-  logoUrl: import_zod2.z.string().url().nullable().optional(),
-  accentColor: import_zod2.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
-  tenantName: import_zod2.z.string().max(255).nullable().optional()
-});
-var InviteUserInputSchema = import_zod2.z.object({
+  ldapEnabled: import_zod3.z.boolean().optional(),
+  ldapUrl: import_zod3.z.string().url().nullable().optional(),
+  ldapBindDN: import_zod3.z.string().nullable().optional(),
+  ldapSearchBase: import_zod3.z.string().nullable().optional(),
+  deleteMergedBranches: import_zod3.z.boolean().optional(),
+  enforceConventionalCommits: import_zod3.z.boolean().optional(),
+  maxPersonalProjectsPerUser: import_zod3.z.number().int().min(0).optional(),
+  logoUrl: import_zod3.z.string().url().nullable().optional(),
+  accentColor: import_zod3.z.string().regex(/^#[0-9A-Fa-f]{6}$/, "Invalid hex color format. Expected #RRGGBB").nullable().optional(),
+  tenantName: import_zod3.z.string().max(255).nullable().optional()
+});
+var InviteUserInputSchema = import_zod3.z.object({
   organizationId: cuidOrPrefixedId,
-  email: import_zod2.z.string().email(),
-  role: import_zod2.z.nativeEnum(UserRole).default(UserRole.MEMBER),
-  tags: import_zod2.z.array(import_zod2.z.string()).default([])
+  email: import_zod3.z.string().email(),
+  role: import_zod3.z.nativeEnum(UserRole).default(UserRole.MEMBER),
+  tags: import_zod3.z.array(import_zod3.z.string()).default([])
 });
-var AssignUserTagsInputSchema = import_zod2.z.object({
+var AssignUserTagsInputSchema = import_zod3.z.object({
   userId: cuidOrPrefixedId,
-  tags: import_zod2.z.array(import_zod2.z.string()).min(0)
+  tags: import_zod3.z.array(import_zod3.z.string()).min(0)
 });
-var InviteCollaboratorInputSchema = import_zod2.z.object({
+var InviteCollaboratorInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  email: import_zod2.z.string().email()
+  email: import_zod3.z.string().email()
 });
-var PublishProjectInputSchema = import_zod2.z.object({
+var PublishProjectInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
-  transferOwnership: import_zod2.z.boolean().default(false),
-  tags: import_zod2.z.array(import_zod2.z.string()).min(1)
+  transferOwnership: import_zod3.z.boolean().default(false),
+  tags: import_zod3.z.array(import_zod3.z.string()).min(1)
+});
+var GenerateApiKeyInputSchema = import_zod3.z.object({
+  name: import_zod3.z.string().min(1).max(100),
+  publicNickname: import_zod3.z.string().max(50).optional(),
+  expiresInDays: import_zod3.z.number().int().min(1).max(365).default(90),
+  permissions: import_zod3.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
 });
-var GenerateApiKeyInputSchema = import_zod2.z.object({
-  name: import_zod2.z.string().min(1).max(100),
-  expiresInDays: import_zod2.z.number().int().min(1).max(365).default(90),
-  permissions: import_zod2.z.nativeEnum(ApiKeyPermission).default(ApiKeyPermission.WRITE)
+var UpdateApiKeyInputSchema = import_zod3.z.object({
+  publicNickname: import_zod3.z.string().max(50).nullable().optional(),
+  scopedOrganizationId: import_zod3.z.string().optional().nullable(),
+  scopedProjectIds: import_zod3.z.array(import_zod3.z.string()).optional()
 });
-var RevokeApiKeyInputSchema = import_zod2.z.object({
+var RevokeApiKeyInputSchema = import_zod3.z.object({
   keyId: cuidOrPrefixedId
 });
-var LoginInputSchema = import_zod2.z.object({
-  email: import_zod2.z.string().email(),
-  password: import_zod2.z.string().min(8).max(255)
+var LoginInputSchema = import_zod3.z.object({
+  email: import_zod3.z.string().email(),
+  password: import_zod3.z.string().min(8).max(255)
 });
-var RegisterInputSchema = import_zod2.z.object({
-  email: import_zod2.z.string().email(),
-  password: import_zod2.z.string().min(8).max(255),
-  name: import_zod2.z.string().min(1).max(255),
-  organizationSlug: import_zod2.z.string().min(1).max(100).regex(/^[a-z0-9-]+$/).optional()
+var RegisterInputSchema = import_zod3.z.object({
+  email: import_zod3.z.string().email(),
+  password: import_zod3.z.string().min(8).max(255),
+  name: import_zod3.z.string().min(1).max(255)
 });
-var VerifyTaskInputSchema = import_zod2.z.object({
+var VerifyTaskInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  approved: import_zod2.z.boolean(),
-  feedback: import_zod2.z.string().max(5e3).optional()
+  approved: import_zod3.z.boolean(),
+  feedback: import_zod3.z.string().max(5e3).optional()
 });
-var GetTaskPromptInputSchema = import_zod2.z.object({
+var GetTaskPromptInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId
 });
-var UpdateTaskMCPInputSchema = import_zod2.z.object({
+var UpdateTaskMCPInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  title: import_zod2.z.string().min(1).max(200).optional(),
-  description: import_zod2.z.string().max(5e3).optional(),
-  priority: import_zod2.z.nativeEnum(TaskPriority).optional(),
-  acceptanceCriteria: import_zod2.z.array(import_zod2.z.object({
-    id: import_zod2.z.string().optional(),
-    description: import_zod2.z.string().min(1).max(500)
+  title: import_zod3.z.string().min(1).max(200).optional(),
+  description: import_zod3.z.string().max(5e3).optional(),
+  priority: import_zod3.z.nativeEnum(TaskPriority).optional(),
+  acceptanceCriteria: import_zod3.z.array(import_zod3.z.object({
+    id: import_zod3.z.string().optional(),
+    description: import_zod3.z.string().min(1).max(500)
   })).optional()
 });
-var ReportBranchInputSchema = import_zod2.z.object({
+var ReportBranchInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
   branchName: gitBranchName
 });
-var ReportPRInputSchema = import_zod2.z.object({
+var ReportPRInputSchema = import_zod3.z.object({
   projectId: cuidOrPrefixedId,
   taskId: cuidOrPrefixedId,
-  pullRequestUrl: import_zod2.z.string().url(),
-  pullRequestNumber: import_zod2.z.number().int().positive()
+  pullRequestUrl: import_zod3.z.string().url(),
+  pullRequestNumber: import_zod3.z.number().int().positive()
 });
 
 // ../../packages/core/dist/logging/metrics.js
@@ -800,23 +1051,20 @@ function createHistogram(name, help, buckets = [5e-3, 0.01, 0.025, 0.05, 0.1, 0.
 var httpRequestsTotal = createCounter("mtaap_http_requests_total", "Total number of HTTP requests");
 var httpRequestDuration = createHistogram("mtaap_http_request_duration_seconds", "HTTP request duration in seconds");
 var activeUsers = createGauge("mtaap_active_users", "Number of active users");
-var tasksTotal = createCounter("mtaap_tasks_total", "Total number of tasks by state");
-var taskStateChanges = createCounter("mtaap_task_state_changes_total", "Total number of task state changes");
 var httpErrorsTotal = createCounter("mtaap_http_errors_total", "Total number of HTTP errors");
 var httpActiveConnections = createGauge("mtaap_http_active_connections", "Number of active HTTP connections");
 var newSignupsTotal = createCounter("mtaap_new_signups_total", "Total number of new user signups");
 var loginSuccessTotal = createCounter("mtaap_login_success_total", "Total number of successful logins");
 var loginFailureTotal = createCounter("mtaap_login_failure_total", "Total number of failed logins");
-var dbConnectionPoolActive = createGauge("mtaap_db_connection_pool_active", "Number of active database connections");
-var dbConnectionPoolIdle = createGauge("mtaap_db_connection_pool_idle", "Number of idle database connections");
-var dbConnectionPoolMax = createGauge("mtaap_db_connection_pool_max", "Maximum number of database connections");
 var dbQueryDuration = createHistogram("mtaap_db_query_duration_seconds", "Database query duration in seconds");
 var dbSlowQueriesTotal = createCounter("mtaap_db_slow_queries_total", "Total number of slow database queries (>1s)");
-var dbErrorsTotal = createCounter("mtaap_db_errors_total", "Total number of database errors");
 var tasksCreatedTotal = createCounter("mtaap_tasks_created_total", "Total number of tasks created");
 var tasksAssignedTotal = createCounter("mtaap_tasks_assigned_total", "Total number of tasks assigned");
 var tasksCompletedTotal = createCounter("mtaap_tasks_completed_total", "Total number of tasks completed");
-var tasksByState = createGauge("mtaap_tasks_by_state", "Number of tasks by state");
+var agentSessionsTotal = createCounter("mtaap_agent_sessions_total", "Total number of agent sessions started");
+var agentErrorsTotal = createCounter("mtaap_agent_errors_total", "Total number of agent errors");
+var agentSessionDuration = createHistogram("mtaap_agent_session_duration_seconds", "Agent session duration in seconds", [1, 5, 15, 30, 60, 120, 300, 600, 1800, 3600]);
+var agentSessionsActive = createGauge("mtaap_agent_sessions_active", "Number of currently active agent sessions");
 
 // ../../packages/core/dist/logging/performance-monitor.js
 var MAX_SAMPLES = 1e3;
@@ -1020,6 +1268,9 @@ var errorTrackerInstance = new NoOpErrorTracker();
 
 // src/api-client.ts
 var DEFAULT_TIMEOUT = 3e4;
+var DEFAULT_CACHE_TTL = 3e4;
+var MAX_RETRIES = 2;
+var INITIAL_RETRY_DELAY = 500;
 function sanitizeForLogging(str) {
   let sanitized = str.replace(/\bcollab_[a-zA-Z0-9_-]+\b/gi, "[REDACTED_API_KEY]");
   sanitized = sanitized.replace(/\bBearer\s+[a-zA-Z0-9._-]+\b/gi, "Bearer [REDACTED]");
@@ -1034,42 +1285,113 @@ var ApiError = class extends Error {
     this.details = details;
     this.name = "ApiError";
   }
+  /**
+   * Whether this error is transient and the request can be retried.
+   * Retries on network errors (status 0), timeouts (408), and server errors (5xx).
+   */
+  get isRetryable() {
+    return this.status === 0 || this.status === 408 || this.status >= 500;
+  }
 };
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
 var MCPApiClient = class {
   baseUrl;
   apiKey;
+  oauthToken;
   timeout;
   debug;
   authContext = null;
+  cache = /* @__PURE__ */ new Map();
   constructor(config3) {
+    if (!config3.apiKey && !config3.oauthToken) {
+      throw new Error("Either apiKey or oauthToken must be provided");
+    }
     this.baseUrl = config3.baseUrl.replace(/\/$/, "");
     this.apiKey = config3.apiKey;
+    this.oauthToken = config3.oauthToken;
     this.timeout = config3.timeout ?? DEFAULT_TIMEOUT;
     this.debug = config3.debug ?? false;
   }
   /**
-   * Make an HTTP request to the API
+   * Get a cached value if it exists and hasn't expired.
+   */
+  getCached(key) {
+    const entry = this.cache.get(key);
+    if (!entry) return void 0;
+    if (Date.now() > entry.expiresAt) {
+      this.cache.delete(key);
+      return void 0;
+    }
+    return entry.data;
+  }
+  /**
+   * Store a value in cache with a TTL.
+   */
+  setCache(key, data, ttl = DEFAULT_CACHE_TTL) {
+    this.cache.set(key, { data, expiresAt: Date.now() + ttl });
+  }
+  /**
+   * Make an HTTP request to the API with automatic retry on transient failures.
+   */
+  async request(method, path2, body) {
+    let lastError;
+    for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
+      try {
+        return await this.requestOnce(method, path2, body);
+      } catch (error) {
+        if (!(error instanceof ApiError) || !error.isRetryable || attempt === MAX_RETRIES) {
+          throw error;
+        }
+        lastError = error;
+        const delay = INITIAL_RETRY_DELAY * Math.pow(2, attempt);
+        if (this.debug) {
+          console.error(`[mcp-api] Retry ${attempt + 1}/${MAX_RETRIES} after ${delay}ms (${lastError.code})`);
+        }
+        await sleep(delay);
+      }
+    }
+    throw lastError;
+  }
+  /**
+   * Execute a single HTTP request to the API.
    */
-  async request(method, path, body) {
-    const url = `${this.baseUrl}${path}`;
+  async requestOnce(method, path2, body) {
+    const url = `${this.baseUrl}${path2}`;
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), this.timeout);
     if (this.debug) {
-      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path)}`);
+      console.error(`[mcp-api] ${method} ${sanitizeForLogging(path2)}`);
     }
     try {
+      const headers = {
+        "Content-Type": "application/json"
+      };
+      if (this.oauthToken) {
+        headers["Authorization"] = `Bearer ${this.oauthToken}`;
+      } else if (this.apiKey) {
+        headers["X-API-Key"] = this.apiKey;
+      }
       const response = await fetch(url, {
         method,
-        headers: {
-          "Content-Type": "application/json",
-          "X-API-Key": this.apiKey
-        },
+        headers,
         body: body ? JSON.stringify(body) : void 0,
         signal: controller.signal
       });
       clearTimeout(timeoutId);
       const data = await response.json();
       if (!response.ok) {
+        if (response.status === 403 && data.code === "EMAIL_NOT_VERIFIED" && data.verificationUrl) {
+          throw new ApiError(
+            `${data.error}
+
+To verify your email, visit: ${data.verificationUrl}
+${data.hint ? `Hint: ${data.hint}` : ""}`,
+            "EMAIL_NOT_VERIFIED",
+            403
+          );
+        }
         throw new ApiError(
           data.error || "API request failed",
           data.code || "UNKNOWN_ERROR",
@@ -1116,14 +1438,19 @@ var MCPApiClient = class {
     return this.authenticate();
   }
   /**
-   * List accessible projects
+   * List accessible projects (cached for 30s)
    */
   async listProjects(workspaceType) {
     const type = workspaceType || "ALL";
-    return this.request(
+    const cacheKey = `listProjects:${type}`;
+    const cached = this.getCached(cacheKey);
+    if (cached) return cached;
+    const result = await this.request(
       "GET",
       `/api/mcp/projects?workspaceType=${encodeURIComponent(type)}`
     );
+    this.setCache(cacheKey, result);
+    return result;
   }
   /**
    * Get single project details
@@ -1132,13 +1459,18 @@ var MCPApiClient = class {
     return this.request("GET", `/api/mcp/projects/${projectId}`);
   }
   /**
-   * Get project context (README, stack, conventions)
+   * Get project context (README, stack, conventions) (cached for 60s)
    */
   async getProjectContext(projectId) {
-    return this.request(
+    const cacheKey = `projectContext:${projectId}`;
+    const cached = this.getCached(cacheKey);
+    if (cached) return cached;
+    const result = await this.request(
       "GET",
       `/api/mcp/projects/${projectId}/context`
     );
+    this.setCache(cacheKey, result, 6e4);
+    return result;
   }
   /**
    * Create a personal project
@@ -1166,8 +1498,8 @@ var MCPApiClient = class {
     if (filters.assigneeId) params.set("assigneeId", filters.assigneeId);
     if (filters.includeArchived) params.set("includeArchived", "true");
     const queryString = params.toString();
-    const path = queryString ? `/api/mcp/tasks?${queryString}` : "/api/mcp/tasks";
-    return this.request("GET", path);
+    const path2 = queryString ? `/api/mcp/tasks?${queryString}` : "/api/mcp/tasks";
+    return this.request("GET", path2);
   }
   /**
    * Get full task details
@@ -1300,7 +1632,8 @@ var MCPApiClient = class {
     );
   }
   /**
-   * Update task details (DRAFT/TODO states only)
+   * Update task details (DRAFT/TODO states only).
+   * Task stays in its current state.
    */
   async updateTask(taskId, projectId, data) {
     return this.request("PATCH", `/api/mcp/tasks/${taskId}`, {
@@ -1332,7 +1665,7 @@ var PERMISSION_RANK = {
   ADMIN: 3
 };
 function assertApiKeyPermission(apiKey, required, toolName) {
-  const actualRank = PERMISSION_RANK[apiKey.permissions] ?? 0;
+  const actualRank = apiKey.permissions ? PERMISSION_RANK[apiKey.permissions] ?? 0 : 0;
   const requiredRank = PERMISSION_RANK[required] ?? 0;
   if (actualRank >= requiredRank) {
     return;
@@ -1350,6 +1683,454 @@ function assertApiKeyPermission(apiKey, required, toolName) {
   throw error;
 }
 
+// src/apps/task-details.ts
+var import_server2 = require("@modelcontextprotocol/ext-apps/server");
+var import_zod4 = require("zod");
+
+// src/apps/helpers.ts
+var import_server = require("@modelcontextprotocol/ext-apps/server");
+var import_promises = __toESM(require("fs/promises"));
+var import_node_path = __toESM(require("path"));
+var import_node_url = require("url");
+var import_meta = {};
+var getDirname = () => {
+  try {
+    return import_node_path.default.dirname((0, import_node_url.fileURLToPath)(import_meta.url));
+  } catch {
+    return __dirname;
+  }
+};
+function getAppHtmlPath(htmlFileName) {
+  return import_node_path.default.join(getDirname(), "apps", htmlFileName);
+}
+function registerAppHtmlResource(server, config3) {
+  (0, import_server.registerAppResource)(
+    server,
+    config3.name,
+    config3.uri,
+    {
+      mimeType: import_server.RESOURCE_MIME_TYPE,
+      description: config3.description
+    },
+    async () => {
+      const htmlPath = getAppHtmlPath(config3.htmlFileName);
+      try {
+        const html = await import_promises.default.readFile(htmlPath, "utf-8");
+        return {
+          contents: [
+            {
+              uri: config3.uri,
+              mimeType: import_server.RESOURCE_MIME_TYPE,
+              text: html
+            }
+          ]
+        };
+      } catch {
+        return {
+          contents: [
+            {
+              uri: config3.uri,
+              mimeType: import_server.RESOURCE_MIME_TYPE,
+              text: `<!DOCTYPE html><html><body><p>${config3.fallbackLabel} UI not available. Build the UI apps first.</p></body></html>`
+            }
+          ]
+        };
+      }
+    }
+  );
+}
+
+// src/apps/task-details.ts
+var RESOURCE_URI = "ui://collab/task-details.html";
+function registerTaskDetailsApp(server, apiClient, _authContext) {
+  (0, import_server2.registerAppTool)(
+    server,
+    "view_task_details",
+    {
+      title: "Task Details",
+      description: "View interactive task details with acceptance criteria, notes, and progress. Opens a rich UI panel.",
+      inputSchema: {
+        taskId: import_zod4.z.string().describe("The task ID to view"),
+        projectId: import_zod4.z.string().describe("The project ID")
+      },
+      _meta: { ui: { resourceUri: RESOURCE_URI } }
+    },
+    async ({ taskId, projectId }) => {
+      try {
+        const task = await apiClient.getTask(taskId);
+        let project = null;
+        try {
+          project = await apiClient.getProject(projectId);
+        } catch {
+        }
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Viewing task: ${task.title}`
+            }
+          ],
+          structuredContent: {
+            task,
+            project
+          }
+        };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+          content: [{ type: "text", text: `Error loading task: ${message}` }],
+          isError: true
+        };
+      }
+    }
+  );
+  registerAppHtmlResource(server, {
+    name: "Task Details UI",
+    uri: RESOURCE_URI,
+    description: "Interactive task details view with acceptance criteria and notes",
+    htmlFileName: "task-details.html",
+    fallbackLabel: "Task Details"
+  });
+}
+
+// src/apps/kanban.ts
+var import_server3 = require("@modelcontextprotocol/ext-apps/server");
+var import_zod5 = require("zod");
+var RESOURCE_URI2 = "ui://collab/kanban.html";
+function registerKanbanApp(server, apiClient, _authContext) {
+  (0, import_server3.registerAppTool)(
+    server,
+    "view_kanban_board",
+    {
+      title: "Kanban Board",
+      description: "View interactive drag-and-drop Kanban board for a project. Drag tasks between columns to change their state.",
+      inputSchema: {
+        projectId: import_zod5.z.string().describe("The project ID to display")
+      },
+      _meta: { ui: { resourceUri: RESOURCE_URI2 } }
+    },
+    async ({ projectId }) => {
+      try {
+        const [project, tasks] = await Promise.all([
+          apiClient.getProject(projectId),
+          apiClient.listTasks({ projectId })
+        ]);
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Kanban board for ${project.name} (${tasks.length} tasks)`
+            }
+          ],
+          structuredContent: {
+            project,
+            tasks
+          }
+        };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+          content: [{ type: "text", text: `Error loading kanban: ${message}` }],
+          isError: true
+        };
+      }
+    }
+  );
+  registerAppHtmlResource(server, {
+    name: "Kanban Board UI",
+    uri: RESOURCE_URI2,
+    description: "Interactive drag-and-drop Kanban board for task management",
+    htmlFileName: "kanban.html",
+    fallbackLabel: "Kanban"
+  });
+}
+
+// src/apps/activity.ts
+var import_server4 = require("@modelcontextprotocol/ext-apps/server");
+var import_zod6 = require("zod");
+var RESOURCE_URI3 = "ui://collab/activity.html";
+function registerActivityApp(server, apiClient, _authContext) {
+  (0, import_server4.registerAppTool)(
+    server,
+    "view_activity",
+    {
+      title: "User Activity",
+      description: "View who is working on what across the team. Shows IN_PROGRESS and REVIEW tasks per user.",
+      inputSchema: {
+        projectId: import_zod6.z.string().optional().describe("Optional project ID to filter by")
+      },
+      _meta: { ui: { resourceUri: RESOURCE_URI3 } }
+    },
+    async ({ projectId }) => {
+      try {
+        const [inProgressTasks, reviewTasks] = await Promise.all([
+          apiClient.listTasks({
+            projectId,
+            state: TaskState.IN_PROGRESS
+          }),
+          apiClient.listTasks({
+            projectId,
+            state: TaskState.REVIEW
+          })
+        ]);
+        const userMap = /* @__PURE__ */ new Map();
+        for (const task of inProgressTasks) {
+          if (task.assigneeId) {
+            if (!userMap.has(task.assigneeId)) {
+              userMap.set(task.assigneeId, {
+                id: task.assigneeId,
+                name: task.assigneeName || "Unknown",
+                email: task.assigneeEmail || "",
+                activeTasks: [],
+                reviewTasks: []
+              });
+            }
+            userMap.get(task.assigneeId).activeTasks.push(task);
+          }
+        }
+        for (const task of reviewTasks) {
+          if (task.assigneeId) {
+            if (!userMap.has(task.assigneeId)) {
+              userMap.set(task.assigneeId, {
+                id: task.assigneeId,
+                name: task.assigneeName || "Unknown",
+                email: task.assigneeEmail || "",
+                activeTasks: [],
+                reviewTasks: []
+              });
+            }
+            userMap.get(task.assigneeId).reviewTasks.push(task);
+          }
+        }
+        const users = Array.from(userMap.values());
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Activity: ${users.length} users with active work`
+            }
+          ],
+          structuredContent: {
+            users,
+            projectId
+          }
+        };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+          content: [
+            { type: "text", text: `Error loading activity: ${message}` }
+          ],
+          isError: true
+        };
+      }
+    }
+  );
+  registerAppHtmlResource(server, {
+    name: "User Activity UI",
+    uri: RESOURCE_URI3,
+    description: "Dashboard showing team member activity and workload",
+    htmlFileName: "activity.html",
+    fallbackLabel: "Activity"
+  });
+}
+
+// src/apps/project-overview.ts
+var import_server5 = require("@modelcontextprotocol/ext-apps/server");
+var import_zod7 = require("zod");
+var RESOURCE_URI4 = "ui://collab/project-overview.html";
+function registerProjectOverviewApp(server, apiClient, _authContext) {
+  (0, import_server5.registerAppTool)(
+    server,
+    "view_project_overview",
+    {
+      title: "Project Overview",
+      description: "View project health dashboard with task metrics, state distribution, and conventions.",
+      inputSchema: {
+        projectId: import_zod7.z.string().describe("The project ID to display")
+      },
+      _meta: { ui: { resourceUri: RESOURCE_URI4 } }
+    },
+    async ({ projectId }) => {
+      try {
+        const [project, context, tasks] = await Promise.all([
+          apiClient.getProject(projectId),
+          apiClient.getProjectContext(projectId).catch(() => null),
+          apiClient.listTasks({ projectId })
+        ]);
+        const activeTasks = tasks.filter((t) => !t.isArchived);
+        const inProgress = activeTasks.filter(
+          (t) => t.state === TaskState.IN_PROGRESS
+        ).length;
+        const done = activeTasks.filter(
+          (t) => t.state === TaskState.DONE
+        ).length;
+        const blocked = activeTasks.filter((t) => t.errorType).length;
+        const tasksByState = {
+          DRAFT: 0,
+          TODO: 0,
+          IN_PROGRESS: 0,
+          REVIEW: 0,
+          DONE: 0
+        };
+        for (const task of activeTasks) {
+          tasksByState[task.state]++;
+        }
+        const tasksByPriority = {
+          LOW: 0,
+          MEDIUM: 0,
+          HIGH: 0,
+          CRITICAL: 0
+        };
+        for (const task of activeTasks) {
+          tasksByPriority[task.priority]++;
+        }
+        const recentCompleted = activeTasks.filter((t) => t.state === TaskState.DONE).sort(
+          (a, b) => new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime()
+        ).slice(0, 5);
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Project overview for ${project.name}: ${activeTasks.length} tasks`
+            }
+          ],
+          structuredContent: {
+            project,
+            context,
+            metrics: {
+              totalTasks: activeTasks.length,
+              inProgress,
+              blocked,
+              done
+            },
+            tasksByState,
+            tasksByPriority,
+            recentCompleted
+          }
+        };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+          content: [
+            { type: "text", text: `Error loading project overview: ${message}` }
+          ],
+          isError: true
+        };
+      }
+    }
+  );
+  registerAppHtmlResource(server, {
+    name: "Project Overview UI",
+    uri: RESOURCE_URI4,
+    description: "Project health dashboard with metrics and visualizations",
+    htmlFileName: "project-overview.html",
+    fallbackLabel: "Project Overview"
+  });
+}
+
+// src/apps/agent-sessions.ts
+var import_server6 = require("@modelcontextprotocol/ext-apps/server");
+var import_zod8 = require("zod");
+var RESOURCE_URI5 = "ui://collab/agent-sessions.html";
+function registerAgentSessionsApp(server, apiClient, authContext) {
+  (0, import_server6.registerAppTool)(
+    server,
+    "view_agent_sessions",
+    {
+      title: "Agent Sessions",
+      description: "View active AI agent sessions working on tasks. Monitor real-time progress and session status.",
+      inputSchema: {
+        projectId: import_zod8.z.string().optional().describe("Optional project ID to filter by")
+      },
+      _meta: { ui: { resourceUri: RESOURCE_URI5 } }
+    },
+    async ({ projectId }) => {
+      try {
+        const [inProgressTasks, reviewTasks] = await Promise.all([
+          apiClient.listTasks({
+            projectId,
+            state: TaskState.IN_PROGRESS
+          }),
+          apiClient.listTasks({
+            projectId,
+            state: TaskState.REVIEW
+          })
+        ]);
+        const sessions = [];
+        for (const task of inProgressTasks) {
+          if (task.assigneeId) {
+            const totalCriteria = task.acceptanceCriteria?.length || 0;
+            const completedCriteria = task.acceptanceCriteria?.filter((c) => c.completed).length || 0;
+            const progress = totalCriteria > 0 ? Math.round(completedCriteria / totalCriteria * 100) : 0;
+            const latestUpdate = task.progressUpdates?.[task.progressUpdates.length - 1];
+            sessions.push({
+              id: `session-${task.id}`,
+              taskId: task.id,
+              taskTitle: task.title,
+              agentName: task.assigneeName || "Agent",
+              status: "RUNNING",
+              startedAt: task.updatedAt,
+              lastCheckpoint: latestUpdate?.timestamp,
+              currentStep: latestUpdate?.statusMessage,
+              progress
+            });
+          }
+        }
+        for (const task of reviewTasks) {
+          if (task.assigneeId) {
+            sessions.push({
+              id: `session-${task.id}`,
+              taskId: task.id,
+              taskTitle: task.title,
+              agentName: task.assigneeName || "Agent",
+              status: "STOPPED",
+              startedAt: task.updatedAt,
+              progress: 100
+            });
+          }
+        }
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Agent sessions: ${sessions.length} active`
+            }
+          ],
+          structuredContent: {
+            sessions,
+            projectId
+          }
+        };
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return {
+          content: [
+            { type: "text", text: `Error loading agent sessions: ${message}` }
+          ],
+          isError: true
+        };
+      }
+    }
+  );
+  registerAppHtmlResource(server, {
+    name: "Agent Sessions UI",
+    uri: RESOURCE_URI5,
+    description: "Real-time view of AI agent sessions and their progress",
+    htmlFileName: "agent-sessions.html",
+    fallbackLabel: "Agent Sessions"
+  });
+}
+
+// src/apps/index.ts
+function registerMCPApps(server, apiClient, authContext) {
+  registerTaskDetailsApp(server, apiClient, authContext);
+  registerKanbanApp(server, apiClient, authContext);
+  registerActivityApp(server, apiClient, authContext);
+  registerProjectOverviewApp(server, apiClient, authContext);
+  registerAgentSessionsApp(server, apiClient, authContext);
+}
+
 // src/index.ts
 var COLLAB_SERVER_INSTRUCTIONS = `Collab - AI-assisted software development task management platform.
 
@@ -1401,7 +2182,7 @@ Review Workflow:
   list_tasks(state=REVIEW) -> get_task -> approve_task OR request_changes
 
 Task Editing:
-  update_task (DRAFT/TODO only) -> if was TODO, reverts to DRAFT -> verify_task again
+  update_task (DRAFT/TODO only) -> task stays in current state
 
 Error Recovery:
   report_error -> abandon_task -> list_tasks -> assign_task (retry or pick different task)
@@ -1420,7 +2201,7 @@ GIT OPERATIONS NOTE:
 TASK STATE FLOW:
   DRAFT -> TODO -> IN_PROGRESS -> REVIEW -> DONE
   (verify_task: DRAFT -> TODO)
-  (update_task on TODO: reverts to DRAFT)
+  (update_task: DRAFT/TODO only, state unchanged)
   (request_changes: REVIEW -> IN_PROGRESS)
   (abandon_task: IN_PROGRESS -> TODO)
 
@@ -1453,7 +2234,7 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Discover all accessible projects. Use first to find project IDs. Filter by TEAM, PERSONAL, or ALL workspaces.",
       inputSchema: {
-        workspaceType: import_zod3.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
+        workspaceType: import_zod9.z.enum(["TEAM", "PERSONAL", "ALL"]).optional().describe("Filter by workspace type")
       }
     },
     async (args) => {
@@ -1483,10 +2264,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Query tasks with filters. Use state=TODO for assignable tasks, state=REVIEW for pending reviews.",
       inputSchema: {
-        projectId: import_zod3.z.string().optional().describe("Filter by project ID"),
-        state: import_zod3.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
-        assigneeId: import_zod3.z.string().optional().describe("Filter by assignee ID"),
-        includeArchived: import_zod3.z.boolean().optional().describe("Include archived tasks (default: false)")
+        projectId: import_zod9.z.string().optional().describe("Filter by project ID"),
+        state: import_zod9.z.nativeEnum(TaskState).optional().describe("Filter by task state"),
+        assigneeId: import_zod9.z.string().optional().describe("Filter by assignee ID"),
+        includeArchived: import_zod9.z.boolean().optional().describe("Include archived tasks (default: false)")
       }
     },
     async (args) => {
@@ -1517,7 +2298,7 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Get complete task details with acceptance criteria and notes. Call before assign_task to understand requirements.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID to retrieve")
+        taskId: import_zod9.z.string().describe("The task ID to retrieve")
       }
     },
     async (args) => {
@@ -1543,9 +2324,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Atomically claim a task. Race-safe - fails if already assigned. Task must be TODO. Returns suggested branch name and worktree path for isolated parallel development.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to assign"),
-        expectedState: import_zod3.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to assign"),
+        expectedState: import_zod9.z.nativeEnum(TaskState).optional().describe("Expected task state (default: TODO)")
       }
     },
     async (args) => {
@@ -1579,10 +2360,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report progress and checkpoint work. Call frequently during execution. Marks acceptance criteria complete.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID to update"),
-        statusMessage: import_zod3.z.string().optional().describe("Status message (max 1000 chars)"),
-        completedCheckpointIds: import_zod3.z.array(import_zod3.z.string()).optional().describe("Array of completed checkpoint IDs"),
-        currentCheckpointIndex: import_zod3.z.number().optional().describe("Current checkpoint index")
+        taskId: import_zod9.z.string().describe("The task ID to update"),
+        statusMessage: import_zod9.z.string().optional().describe("Status message (max 1000 chars)"),
+        completedCheckpointIds: import_zod9.z.array(import_zod9.z.string()).optional().describe("Array of completed checkpoint IDs"),
+        currentCheckpointIndex: import_zod9.z.number().optional().describe("Current checkpoint index")
       }
     },
     async (args) => {
@@ -1616,10 +2397,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Prepare task for PR creation. Returns PR suggestions. After creating PR locally, call report_pr to transition to REVIEW. Requires IN_PROGRESS state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to complete"),
-        pullRequestTitle: import_zod3.z.string().optional().describe("PR title (max 300 chars)"),
-        pullRequestBody: import_zod3.z.string().optional().describe("PR body/description (max 10000 chars)")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to complete"),
+        pullRequestTitle: import_zod9.z.string().optional().describe("PR title (max 300 chars)"),
+        pullRequestBody: import_zod9.z.string().optional().describe("PR body/description (max 10000 chars)")
       }
     },
     async (args) => {
@@ -1676,10 +2457,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report unrecoverable errors (BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR). Consider abandon_task after.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID"),
-        errorType: import_zod3.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
-        errorMessage: import_zod3.z.string().describe("Error message (max 1000 chars)"),
-        context: import_zod3.z.string().optional().describe("Additional context (max 2000 chars)")
+        taskId: import_zod9.z.string().describe("The task ID"),
+        errorType: import_zod9.z.nativeEnum(ErrorType).describe("Error type: BUILD_FAILURE, TEST_FAILURE, CONFLICT, AUTH_ERROR, OTHER"),
+        errorMessage: import_zod9.z.string().describe("Error message (max 1000 chars)"),
+        context: import_zod9.z.string().optional().describe("Additional context (max 2000 chars)")
       }
     },
     async (args) => {
@@ -1714,7 +2495,7 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Load project README, tech stack, and coding conventions. Call after selecting project.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID")
+        projectId: import_zod9.z.string().describe("The project ID")
       }
     },
     async (args) => {
@@ -1744,8 +2525,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Document implementation decisions. Notes persist for future reference and handoff.",
       inputSchema: {
-        taskId: import_zod3.z.string().describe("The task ID"),
-        content: import_zod3.z.string().describe("Note content (max 500 chars)")
+        taskId: import_zod9.z.string().describe("The task ID"),
+        content: import_zod9.z.string().describe("Note content (max 500 chars)")
       }
     },
     async (args) => {
@@ -1774,9 +2555,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Release task assignment and optionally clean up branch. Task returns to TODO. Use after errors.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to abandon"),
-        deleteBranch: import_zod3.z.boolean().optional().describe("Whether to delete the associated branch")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to abandon"),
+        deleteBranch: import_zod9.z.boolean().optional().describe("Whether to delete the associated branch")
       }
     },
     async (args) => {
@@ -1810,9 +2591,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report a branch created by the agent. Call after using git to create and push a branch. Task must be IN_PROGRESS.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID"),
-        branchName: import_zod3.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID"),
+        branchName: import_zod9.z.string().describe("Name of the branch created (e.g., feature/TASK-123-fix-login)")
       }
     },
     async (args) => {
@@ -1846,10 +2627,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Report a PR created by the agent. Call after using gh pr create. Transitions task to REVIEW state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID"),
-        pullRequestUrl: import_zod3.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
-        pullRequestNumber: import_zod3.z.number().describe("PR number (e.g., 123)")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID"),
+        pullRequestUrl: import_zod9.z.string().describe("Full URL of the created PR (e.g., https://github.com/owner/repo/pull/123)"),
+        pullRequestNumber: import_zod9.z.number().describe("PR number (e.g., 123)")
       }
     },
     async (args) => {
@@ -1884,8 +2665,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Soft-delete a task. Hidden but restorable via unarchive_task.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to archive")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to archive")
       }
     },
     async (args) => {
@@ -1918,8 +2699,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Restore previously archived task to original state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to restore")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to restore")
       }
     },
     async (args) => {
@@ -1952,9 +2733,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Create new project in personal workspace linked to GitHub repository.",
       inputSchema: {
-        name: import_zod3.z.string().describe("Project name (max 100 chars)"),
-        description: import_zod3.z.string().optional().describe("Project description (max 500 chars)"),
-        repositoryUrl: import_zod3.z.string().describe("GitHub repository URL")
+        name: import_zod9.z.string().describe("Project name (max 100 chars)"),
+        description: import_zod9.z.string().optional().describe("Project description (max 500 chars)"),
+        repositoryUrl: import_zod9.z.string().describe("GitHub repository URL")
       }
     },
     async (args) => {
@@ -1988,14 +2769,14 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Create task with title, description, acceptance criteria. Starts in DRAFT. Priority: LOW/MEDIUM/HIGH/CRITICAL.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID to create the task in"),
-        epicId: import_zod3.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
-        title: import_zod3.z.string().describe("Task title (max 200 chars)"),
-        description: import_zod3.z.string().describe("Task description (max 5000 chars)"),
-        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
-        acceptanceCriteria: import_zod3.z.array(
-          import_zod3.z.object({
-            description: import_zod3.z.string().describe("Acceptance criterion description (max 500 chars)")
+        projectId: import_zod9.z.string().describe("The project ID to create the task in"),
+        epicId: import_zod9.z.string().nullable().optional().describe("Optional epic ID to associate the task with"),
+        title: import_zod9.z.string().describe("Task title (max 200 chars)"),
+        description: import_zod9.z.string().describe("Task description (max 5000 chars)"),
+        priority: import_zod9.z.nativeEnum(TaskPriority).optional().describe("Task priority: LOW, MEDIUM, HIGH, CRITICAL (default: MEDIUM)"),
+        acceptanceCriteria: import_zod9.z.array(
+          import_zod9.z.object({
+            description: import_zod9.z.string().describe("Acceptance criterion description (max 500 chars)")
           })
         ).describe("Array of acceptance criteria (at least 1 required)")
       }
@@ -2034,10 +2815,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Return task from REVIEW to IN_PROGRESS with feedback. Original assignee addresses changes.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to review"),
-        reviewComments: import_zod3.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
-        requestedChanges: import_zod3.z.array(import_zod3.z.string()).optional().describe("List of specific changes requested")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to review"),
+        reviewComments: import_zod9.z.string().describe("Review comments explaining requested changes (max 5000 chars)"),
+        requestedChanges: import_zod9.z.array(import_zod9.z.string()).optional().describe("List of specific changes requested")
       }
     },
     async (args) => {
@@ -2072,9 +2853,9 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Approve completed work and mark DONE. Only for REVIEW state tasks.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to approve"),
-        reviewComments: import_zod3.z.string().optional().describe("Optional approval comments (max 2000 chars)")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to approve"),
+        reviewComments: import_zod9.z.string().optional().describe("Optional approval comments (max 2000 chars)")
       }
     },
     async (args) => {
@@ -2108,10 +2889,10 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Verify a DRAFT task and move it to TODO state. Requires task to pass programmatic validation (title 10+ chars, description 50+ chars, each criterion 20+ chars). If approved=false, stores feedback with NEEDS_REVISION status.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to verify"),
-        approved: import_zod3.z.boolean().describe("Whether to approve the task"),
-        feedback: import_zod3.z.string().optional().describe("Feedback for the task (required if not approved)")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to verify"),
+        approved: import_zod9.z.boolean().describe("Whether to approve the task"),
+        feedback: import_zod9.z.string().optional().describe("Feedback for the task (required if not approved)")
       }
     },
     async (args) => {
@@ -2142,8 +2923,8 @@ function initializeMCPServer(apiClient, authContext) {
     {
       description: "Get state-appropriate prompt for a task. Returns verify prompt for DRAFT, assignment prompt for TODO, or continue prompt for IN_PROGRESS tasks.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID")
       }
     },
     async (args) => {
@@ -2174,17 +2955,17 @@ function initializeMCPServer(apiClient, authContext) {
   server.registerTool(
     "update_task",
     {
-      description: "Update task details (title, description, priority, acceptanceCriteria). Only works for DRAFT and TODO states. If task is in TODO state, it reverts to DRAFT and requires re-verification.",
+      description: "Update task details (title, description, priority, acceptanceCriteria). Only works for DRAFT and TODO states. Task stays in its current state.",
       inputSchema: {
-        projectId: import_zod3.z.string().describe("The project ID"),
-        taskId: import_zod3.z.string().describe("The task ID to update"),
-        title: import_zod3.z.string().optional().describe("New task title"),
-        description: import_zod3.z.string().optional().describe("New task description"),
-        priority: import_zod3.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
-        acceptanceCriteria: import_zod3.z.array(
-          import_zod3.z.object({
-            id: import_zod3.z.string().optional().describe("Existing criterion ID (for updates)"),
-            description: import_zod3.z.string().describe("Criterion description")
+        projectId: import_zod9.z.string().describe("The project ID"),
+        taskId: import_zod9.z.string().describe("The task ID to update"),
+        title: import_zod9.z.string().optional().describe("New task title"),
+        description: import_zod9.z.string().optional().describe("New task description"),
+        priority: import_zod9.z.nativeEnum(TaskPriority).optional().describe("New task priority"),
+        acceptanceCriteria: import_zod9.z.array(
+          import_zod9.z.object({
+            id: import_zod9.z.string().optional().describe("Existing criterion ID (for updates)"),
+            description: import_zod9.z.string().describe("Criterion description")
           })
         ).optional().describe("New acceptance criteria (replaces existing)")
       }
@@ -2240,6 +3021,7 @@ function initializeMCPServer(apiClient, authContext) {
       };
     }
   );
+  registerMCPApps(server, apiClient, authContext);
   return server;
 }
 async function connectMCPServer(server, transport) {
@@ -2292,30 +3074,30 @@ function handleApiError(error) {
     isError: true
   };
 }
-var ActiveTaskSchema = import_zod3.z.object({
-  taskId: import_zod3.z.string().min(1),
-  projectId: import_zod3.z.string().min(1),
-  branchName: import_zod3.z.string().optional(),
-  worktreePath: import_zod3.z.string().optional(),
-  startedAt: import_zod3.z.string().optional()
+var ActiveTaskSchema = import_zod9.z.object({
+  taskId: import_zod9.z.string().min(1),
+  projectId: import_zod9.z.string().min(1),
+  branchName: import_zod9.z.string().optional(),
+  worktreePath: import_zod9.z.string().optional(),
+  startedAt: import_zod9.z.string().optional()
 });
 async function checkActiveTask() {
-  const fs = await import("fs");
-  const path = await import("path");
+  const fs2 = await import("fs");
+  const path2 = await import("path");
   const cwd = process.cwd();
-  const collabDir = path.join(cwd, ".collab");
-  const activeTaskPath = path.join(collabDir, "active-task.json");
+  const collabDir = path2.join(cwd, ".collab");
+  const activeTaskPath = path2.join(collabDir, "active-task.json");
   try {
-    const resolvedPath = path.resolve(activeTaskPath);
-    const resolvedCollabDir = path.resolve(collabDir);
-    if (!resolvedPath.startsWith(resolvedCollabDir + path.sep) && resolvedPath !== resolvedCollabDir) {
+    const resolvedPath = path2.resolve(activeTaskPath);
+    const resolvedCollabDir = path2.resolve(collabDir);
+    if (!resolvedPath.startsWith(resolvedCollabDir + path2.sep) && resolvedPath !== resolvedCollabDir) {
       return {
         hasActiveTask: false,
         task: null,
         error: "Invalid active task path"
       };
     }
-    const stats = await fs.promises.lstat(activeTaskPath);
+    const stats = await fs2.promises.lstat(activeTaskPath);
     if (stats.isSymbolicLink()) {
       return {
         hasActiveTask: false,
@@ -2329,7 +3111,7 @@ async function checkActiveTask() {
         task: null
       };
     }
-    const content = await fs.promises.readFile(activeTaskPath, "utf-8");
+    const content = await fs2.promises.readFile(activeTaskPath, "utf-8");
     let parsed;
     try {
       parsed = JSON.parse(content);