@neurynae/toolcairn-mcp 0.5.0 → 0.7.0

package/dist/index.js

@@ -62,13 +62,279 @@ var require_dist = __commonJS({
 
 // src/index.prod.ts
 init_esm_shims();
+var import_config3 = __toESM(require_dist(), 1);
+import { McpServer as McpServer2 } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+// ../../packages/remote/dist/index.js
+init_esm_shims();
+
+// ../../packages/remote/dist/client.js
+init_esm_shims();
+var DEFAULT_TIMEOUT_MS = 3e4;
+var ToolCairnClient = class {
+  baseUrl;
+  apiKey;
+  timeoutMs;
+  accessToken;
+  constructor(opts) {
+    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
+    this.apiKey = opts.apiKey;
+    this.accessToken = opts.accessToken;
+    this.timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  }
+  // ── Core Search ──────────────────────────────────────────────────────────
+  async searchTools(args) {
+    return this.post("/v1/search", args);
+  }
+  async searchToolsRespond(args) {
+    return this.post("/v1/search/respond", args);
+  }
+  // ── Graph ────────────────────────────────────────────────────────────────
+  async checkCompatibility(args) {
+    return this.post("/v1/graph/compatibility", args);
+  }
+  async compareTools(args) {
+    return this.post("/v1/graph/compare", args);
+  }
+  async getStack(args) {
+    return this.post("/v1/graph/stack", args);
+  }
+  // ── Intelligence ─────────────────────────────────────────────────────────
+  async refineRequirement(args) {
+    return this.post("/v1/intelligence/refine", args);
+  }
+  async verifySuggestion(args) {
+    return this.post("/v1/intelligence/verify", args);
+  }
+  async checkIssue(args) {
+    return this.post("/v1/intelligence/issue", args);
+  }
+  // ── Feedback ─────────────────────────────────────────────────────────────
+  async reportOutcome(args) {
+    return this.post("/v1/feedback/outcome", args);
+  }
+  async suggestGraphUpdate(args) {
+    return this.post("/v1/feedback/suggest", args);
+  }
+  // ── Registration ─────────────────────────────────────────────────────────
+  async register(clientId) {
+    const res = await this.rawPost("/v1/register", { client_id: clientId });
+    return res.json();
+  }
+  async healthCheck() {
+    try {
+      const res = await fetch(`${this.baseUrl}/v1/health`, {
+        signal: AbortSignal.timeout(5e3)
+      });
+      return res.ok;
+    } catch {
+      return false;
+    }
+  }
+  // ── Private ──────────────────────────────────────────────────────────────
+  async post(path, body) {
+    try {
+      const res = await this.rawPost(path, body);
+      const data = await res.json();
+      if (data && typeof data === "object" && "content" in data) {
+        return data;
+      }
+      return {
+        content: [{ type: "text", text: JSON.stringify(data) }]
+      };
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              ok: false,
+              error: "network_error",
+              message: `ToolCairn API unreachable: ${msg}. Check your internet connection or try again later.`
+            })
+          }
+        ],
+        isError: true
+      };
+    }
+  }
+  rawPost(path, body) {
+    const headers = {
+      "Content-Type": "application/json",
+      "X-ToolCairn-Key": this.apiKey,
+      "Accept-Encoding": "gzip"
+    };
+    if (this.accessToken) {
+      headers.Authorization = `Bearer ${this.accessToken}`;
+    }
+    return fetch(`${this.baseUrl}${path}`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+      signal: AbortSignal.timeout(this.timeoutMs)
+    });
+  }
+};
+
+// ../../packages/remote/dist/credentials.js
+init_esm_shims();
+import { mkdir, readFile, writeFile } from "fs/promises";
+import { homedir } from "os";
+import { join } from "path";
+var CREDENTIALS_DIR = join(homedir(), ".toolcairn");
+var CREDENTIALS_FILE = join(CREDENTIALS_DIR, "credentials.json");
+function isTokenValid(creds) {
+  if (!creds.access_token)
+    return false;
+  try {
+    const parts = creds.access_token.split(".");
+    if (parts.length !== 3)
+      return false;
+    const payload = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf-8"));
+    if (payload.exp && payload.exp < Date.now() / 1e3 + 300)
+      return false;
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function loadCredentials() {
+  try {
+    const raw = await readFile(CREDENTIALS_FILE, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+async function loadOrCreateCredentials() {
+  const existing = await loadCredentials();
+  if (existing)
+    return existing;
+  const creds = {
+    client_id: crypto.randomUUID(),
+    created_at: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await saveCredentials(creds);
+  return creds;
+}
+async function saveCredentials(creds) {
+  await mkdir(CREDENTIALS_DIR, { recursive: true });
+  await writeFile(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), "utf-8");
+}
+async function upgradeToAuthenticated(accessToken, apiKey, user) {
+  const existing = await loadOrCreateCredentials();
+  await saveCredentials({
+    ...existing,
+    client_id: apiKey,
+    access_token: accessToken,
+    user_id: user.id,
+    user_email: user.email ?? void 0,
+    user_name: user.name ?? void 0,
+    authenticated_at: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+async function clearAuthentication() {
+  const existing = await loadOrCreateCredentials();
+  await saveCredentials({
+    client_id: existing.client_id,
+    created_at: existing.created_at,
+    api_url: existing.api_url
+  });
+}
+
+// ../../packages/remote/dist/device-auth.js
+init_esm_shims();
+async function openBrowser(url) {
+  const { spawn } = await import("child_process");
+  try {
+    const platform2 = process.platform;
+    let cmd;
+    let args;
+    if (platform2 === "win32") {
+      cmd = "cmd";
+      args = ["/c", "start", "", url];
+    } else if (platform2 === "darwin") {
+      cmd = "open";
+      args = [url];
+    } else {
+      cmd = "xdg-open";
+      args = [url];
+    }
+    const child = spawn(cmd, args, {
+      detached: true,
+      // detach from parent process group
+      stdio: "ignore",
+      // don't inherit parent's stdio
+      shell: false
+    });
+    child.unref();
+  } catch {
+  }
+}
+async function requestDeviceCode(apiUrl) {
+  const res = await fetch(`${apiUrl}/v1/auth/device-code`, { method: "POST" });
+  if (!res.ok)
+    throw new Error("Failed to start device auth. Check your internet connection.");
+  return await res.json();
+}
+async function startDeviceAuth(apiUrl) {
+  const codeData = await requestDeviceCode(apiUrl);
+  process.stderr.write("\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n");
+  process.stderr.write("  ToolCairn \u2014 Sign In Required\n");
+  process.stderr.write("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n");
+  process.stderr.write("\n  Opening browser for authentication...\n\n");
+  process.stderr.write(`  URL:  ${codeData.verification_uri}
+`);
+  process.stderr.write(`  Code: ${codeData.user_code}
+`);
+  process.stderr.write("\n  Waiting... (browser should open automatically)\n\n");
+  await openBrowser(codeData.verification_uri);
+  const result = await pollForToken(apiUrl, codeData.device_code, codeData.interval);
+  await upgradeToAuthenticated(result.access_token, result.api_key, result.user);
+  process.stderr.write(`
+  \u2713 Signed in as ${result.user.email}
+
+`);
+  return {
+    userId: result.user.id,
+    email: result.user.email ?? "",
+    name: result.user.name
+  };
+}
+async function pollForToken(apiUrl, deviceCode, intervalSec) {
+  const intervalMs = Math.max(intervalSec, 5) * 1e3;
+  while (true) {
+    await sleep(intervalMs);
+    const res = await fetch(`${apiUrl}/v1/auth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ device_code: deviceCode, grant_type: "device_code" })
+    });
+    const data = await res.json();
+    if (data.error === "authorization_pending")
+      continue;
+    if (data.error === "expired_token")
+      throw new Error("Device code expired. Please try again.");
+    if (data.error)
+      throw new Error(`Authorization failed: ${data.error}`);
+    if (data.access_token)
+      return data;
+  }
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/index.prod.ts
 import pino9 from "pino";
+import { z as z3 } from "zod";
 
 // src/project-setup.ts
 init_esm_shims();
-import { access, mkdir, writeFile } from "fs/promises";
+import { access, mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
 import { platform, type } from "os";
-import { join } from "path";
+import { join as join2 } from "path";
 import pino from "pino";
 
 // src/tools/generate-tracker.ts
@@ -513,13 +779,13 @@ async function ensureProjectSetup(projectRoot = process.cwd()) {
     { os: os.label, platform: os.platform, projectRoot },
     "Detected OS \u2014 starting project setup"
   );
-  const dir = join(projectRoot, ".toolcairn");
-  const configPath = join(dir, "config.json");
-  const trackerPath = join(dir, "tracker.html");
-  const eventsPath = join(dir, "events.jsonl");
+  const dir = join2(projectRoot, ".toolcairn");
+  const configPath = join2(dir, "config.json");
+  const trackerPath = join2(dir, "tracker.html");
+  const eventsPath = join2(dir, "events.jsonl");
   const eventsPathForUrl = toFileUrl(eventsPath);
   try {
-    await mkdir(dir, { recursive: true });
+    await mkdir2(dir, { recursive: true });
     await createIfAbsent(configPath, JSON.stringify(INITIAL_CONFIG, null, 2), "config.json");
     await createIfAbsent(trackerPath, generateTrackerHtml(eventsPathForUrl), "tracker.html");
     await createIfAbsent(eventsPath, "", "events.jsonl");
@@ -536,7 +802,7 @@ async function createIfAbsent(filePath, content, label) {
     await access(filePath);
     logger.debug({ file: label }, "Already exists \u2014 skipping");
   } catch {
-    await writeFile(filePath, content, "utf-8");
+    await writeFile2(filePath, content, "utf-8");
     logger.info({ file: label }, "Created");
   }
 }
@@ -546,249 +812,6 @@ init_esm_shims();
 var import_config = __toESM(require_dist(), 1);
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 
-// ../../packages/remote/dist/index.js
-init_esm_shims();
-
-// ../../packages/remote/dist/client.js
-init_esm_shims();
-var DEFAULT_TIMEOUT_MS = 3e4;
-var ToolCairnClient = class {
-  baseUrl;
-  apiKey;
-  timeoutMs;
-  accessToken;
-  constructor(opts) {
-    this.baseUrl = opts.baseUrl.replace(/\/$/, "");
-    this.apiKey = opts.apiKey;
-    this.accessToken = opts.accessToken;
-    this.timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
-  }
-  // ── Core Search ──────────────────────────────────────────────────────────
-  async searchTools(args) {
-    return this.post("/v1/search", args);
-  }
-  async searchToolsRespond(args) {
-    return this.post("/v1/search/respond", args);
-  }
-  // ── Graph ────────────────────────────────────────────────────────────────
-  async checkCompatibility(args) {
-    return this.post("/v1/graph/compatibility", args);
-  }
-  async compareTools(args) {
-    return this.post("/v1/graph/compare", args);
-  }
-  async getStack(args) {
-    return this.post("/v1/graph/stack", args);
-  }
-  // ── Intelligence ─────────────────────────────────────────────────────────
-  async refineRequirement(args) {
-    return this.post("/v1/intelligence/refine", args);
-  }
-  async verifySuggestion(args) {
-    return this.post("/v1/intelligence/verify", args);
-  }
-  async checkIssue(args) {
-    return this.post("/v1/intelligence/issue", args);
-  }
-  // ── Feedback ─────────────────────────────────────────────────────────────
-  async reportOutcome(args) {
-    return this.post("/v1/feedback/outcome", args);
-  }
-  async suggestGraphUpdate(args) {
-    return this.post("/v1/feedback/suggest", args);
-  }
-  // ── Registration ─────────────────────────────────────────────────────────
-  async register(clientId) {
-    const res = await this.rawPost("/v1/register", { client_id: clientId });
-    return res.json();
-  }
-  async healthCheck() {
-    try {
-      const res = await fetch(`${this.baseUrl}/v1/health`, {
-        signal: AbortSignal.timeout(5e3)
-      });
-      return res.ok;
-    } catch {
-      return false;
-    }
-  }
-  // ── Private ──────────────────────────────────────────────────────────────
-  async post(path, body) {
-    try {
-      const res = await this.rawPost(path, body);
-      const data = await res.json();
-      if (data && typeof data === "object" && "content" in data) {
-        return data;
-      }
-      return {
-        content: [{ type: "text", text: JSON.stringify(data) }]
-      };
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      return {
-        content: [
-          {
-            type: "text",
-            text: JSON.stringify({
-              ok: false,
-              error: "network_error",
-              message: `ToolCairn API unreachable: ${msg}. Check your internet connection or try again later.`
-            })
-          }
-        ],
-        isError: true
-      };
-    }
-  }
-  rawPost(path, body) {
-    const headers = {
-      "Content-Type": "application/json",
-      "X-ToolCairn-Key": this.apiKey,
-      "Accept-Encoding": "gzip"
-    };
-    if (this.accessToken) {
-      headers.Authorization = `Bearer ${this.accessToken}`;
-    }
-    return fetch(`${this.baseUrl}${path}`, {
-      method: "POST",
-      headers,
-      body: JSON.stringify(body),
-      signal: AbortSignal.timeout(this.timeoutMs)
-    });
-  }
-};
-
-// ../../packages/remote/dist/credentials.js
-init_esm_shims();
-import { mkdir as mkdir2, readFile, writeFile as writeFile2 } from "fs/promises";
-import { homedir } from "os";
-import { join as join2 } from "path";
-var CREDENTIALS_DIR = join2(homedir(), ".toolcairn");
-var CREDENTIALS_FILE = join2(CREDENTIALS_DIR, "credentials.json");
-function isTokenValid(creds) {
-  if (!creds.access_token)
-    return false;
-  try {
-    const parts = creds.access_token.split(".");
-    if (parts.length !== 3)
-      return false;
-    const payload = JSON.parse(Buffer.from(parts[1] ?? "", "base64url").toString("utf-8"));
-    if (payload.exp && payload.exp < Date.now() / 1e3 + 300)
-      return false;
-    return true;
-  } catch {
-    return false;
-  }
-}
-async function loadCredentials() {
-  try {
-    const raw = await readFile(CREDENTIALS_FILE, "utf-8");
-    return JSON.parse(raw);
-  } catch {
-    return null;
-  }
-}
-async function loadOrCreateCredentials() {
-  const existing = await loadCredentials();
-  if (existing)
-    return existing;
-  const creds = {
-    client_id: crypto.randomUUID(),
-    created_at: (/* @__PURE__ */ new Date()).toISOString()
-  };
-  await saveCredentials(creds);
-  return creds;
-}
-async function saveCredentials(creds) {
-  await mkdir2(CREDENTIALS_DIR, { recursive: true });
-  await writeFile2(CREDENTIALS_FILE, JSON.stringify(creds, null, 2), "utf-8");
-}
-async function upgradeToAuthenticated(accessToken, apiKey, user) {
-  const existing = await loadOrCreateCredentials();
-  await saveCredentials({
-    ...existing,
-    client_id: apiKey,
-    access_token: accessToken,
-    user_id: user.id,
-    user_email: user.email ?? void 0,
-    user_name: user.name ?? void 0,
-    authenticated_at: (/* @__PURE__ */ new Date()).toISOString()
-  });
-}
-async function clearAuthentication() {
-  const existing = await loadOrCreateCredentials();
-  await saveCredentials({
-    client_id: existing.client_id,
-    created_at: existing.created_at,
-    api_url: existing.api_url
-  });
-}
-
-// ../../packages/remote/dist/device-auth.js
-init_esm_shims();
-async function openBrowser(url) {
-  const platform2 = process.platform;
-  const { execSync } = await import("child_process");
-  try {
-    if (platform2 === "win32")
-      execSync(`start "" "${url}"`, { stdio: "ignore" });
-    else if (platform2 === "darwin")
-      execSync(`open "${url}"`, { stdio: "ignore" });
-    else
-      execSync(`xdg-open "${url}"`, { stdio: "ignore" });
-  } catch {
-  }
-}
-async function startDeviceAuth(apiUrl) {
-  const codeRes = await fetch(`${apiUrl}/v1/auth/device-code`, { method: "POST" });
-  if (!codeRes.ok)
-    throw new Error("Failed to start device auth. Check your connection.");
-  const codeData = await codeRes.json();
-  console.error("\n\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-  console.error("  Authenticate ToolCairn MCP");
-  console.error("\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
-  console.error("\n  Open this URL in your browser:\n");
-  console.error(`  ${codeData.verification_uri}
-`);
-  console.error(`  Your device code: ${codeData.user_code}`);
-  console.error("\n  Waiting for authorization...");
-  console.error("  (Press Ctrl+C to cancel)\n");
-  await openBrowser(codeData.verification_uri);
-  const result = await pollForToken(apiUrl, codeData.device_code, codeData.interval);
-  await upgradeToAuthenticated(result.access_token, result.api_key, result.user);
-  console.error(`
-  \u2713 Authenticated as ${result.user.email}
-`);
-  return {
-    userId: result.user.id,
-    email: result.user.email ?? "",
-    name: result.user.name
-  };
-}
-async function pollForToken(apiUrl, deviceCode, intervalSec) {
-  const intervalMs = Math.max(intervalSec, 5) * 1e3;
-  while (true) {
-    await sleep(intervalMs);
-    const res = await fetch(`${apiUrl}/v1/auth/token`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ device_code: deviceCode, grant_type: "device_code" })
-    });
-    const data = await res.json();
-    if (data.error === "authorization_pending")
-      continue;
-    if (data.error === "expired_token")
-      throw new Error("Device code expired. Please try again.");
-    if (data.error)
-      throw new Error(`Authorization failed: ${data.error}`);
-    if (data.access_token)
-      return data;
-  }
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-
 // ../../packages/tools/dist/local.js
 init_esm_shims();
 
@@ -1647,7 +1670,7 @@ async function handleInitProjectConfig(args) {
       chosen_reason: "Auto-detected from project files during toolpilot_init",
       alternatives_considered: []
     }));
-    const config3 = {
+    const config4 = {
       version: "1.0",
       project: {
         name: args.project_name,
@@ -1667,7 +1690,7 @@ async function handleInitProjectConfig(args) {
         }
       ]
     };
-    const config_json = JSON.stringify(config3, null, 2);
+    const config_json = JSON.stringify(config4, null, 2);
     return okResult({
       config_json,
       file_path: ".toolpilot/config.json",
@@ -1692,18 +1715,18 @@ function daysSince(isoDate) {
 async function handleReadProjectConfig(args) {
   try {
     logger5.info("read_project_config called");
-    let config3;
+    let config4;
     try {
-      config3 = JSON.parse(args.config_content);
+      config4 = JSON.parse(args.config_content);
     } catch {
       return errResult("parse_error", "config_content is not valid JSON");
     }
-    if (config3.version !== "1.0") {
-      return errResult("version_error", `Unsupported config version: ${config3.version}`);
+    if (config4.version !== "1.0") {
+      return errResult("version_error", `Unsupported config version: ${config4.version}`);
     }
-    const confirmedToolNames = config3.tools.confirmed.map((t) => t.name);
-    const pendingToolNames = config3.tools.pending_evaluation.map((t) => t.name);
-    const staleTools = config3.tools.confirmed.filter((t) => {
+    const confirmedToolNames = config4.tools.confirmed.map((t) => t.name);
+    const pendingToolNames = config4.tools.pending_evaluation.map((t) => t.name);
+    const staleTools = config4.tools.confirmed.filter((t) => {
       const date = t.last_verified ?? t.chosen_at ?? t.confirmed_at;
       return date ? daysSince(date) > STALENESS_THRESHOLD_DAYS : true;
     }).map((t) => {
@@ -1716,10 +1739,10 @@ async function handleReadProjectConfig(args) {
         recommendation: "Consider using check_issue to verify no new known issues"
       };
     });
-    const non_oss_tools = config3.tools.confirmed.filter((t) => t.source === "non_oss").map((t) => t.name);
-    const toolpilot_indexed_tools = config3.tools.confirmed.filter((t) => t.source === "toolpilot").map((t) => t.name);
+    const non_oss_tools = config4.tools.confirmed.filter((t) => t.source === "non_oss").map((t) => t.name);
+    const toolpilot_indexed_tools = config4.tools.confirmed.filter((t) => t.source === "toolpilot").map((t) => t.name);
     return okResult({
-      project: config3.project,
+      project: config4.project,
       confirmed_tools: confirmedToolNames,
       pending_tools: pendingToolNames,
       non_oss_tools,
@@ -1727,9 +1750,9 @@ async function handleReadProjectConfig(args) {
       stale_tools: staleTools,
       total_confirmed: confirmedToolNames.length,
       total_pending: pendingToolNames.length,
-      last_audit_entry: config3.audit_log.at(-1) ?? null,
+      last_audit_entry: config4.audit_log.at(-1) ?? null,
       agent_instructions: [
-        `Project: ${config3.project.name} (${config3.project.language}${config3.project.framework ? `, ${config3.project.framework}` : ""})`,
+        `Project: ${config4.project.name} (${config4.project.language}${config4.project.framework ? `, ${config4.project.framework}` : ""})`,
         `Already confirmed tools: ${confirmedToolNames.join(", ") || "none"}`,
         "When recommending tools, skip any already in confirmed_tools.",
         non_oss_tools.length > 0 ? `Non-OSS tools in project (handle separately): ${non_oss_tools.join(", ")}` : "",
@@ -1749,9 +1772,9 @@ var logger6 = pino6({ name: "@toolpilot/tools:update-project-config" });
 async function handleUpdateProjectConfig(args) {
   try {
     logger6.info({ action: args.action, tool: args.tool_name }, "update_project_config called");
-    let config3;
+    let config4;
     try {
-      config3 = JSON.parse(args.current_config);
+      config4 = JSON.parse(args.current_config);
     } catch {
       return errResult("parse_error", "current_config is not valid JSON");
     }
@@ -1759,8 +1782,8 @@ async function handleUpdateProjectConfig(args) {
     const data = args.data ?? {};
     switch (args.action) {
       case "add_tool": {
-        config3.tools.pending_evaluation = config3.tools.pending_evaluation.filter((t) => t.name !== args.tool_name);
-        if (!config3.tools.confirmed.some((t) => t.name === args.tool_name)) {
+        config4.tools.pending_evaluation = config4.tools.pending_evaluation.filter((t) => t.name !== args.tool_name);
+        if (!config4.tools.confirmed.some((t) => t.name === args.tool_name)) {
           const newTool = {
             name: args.tool_name,
             source: data.source ?? "toolpilot",
@@ -1772,9 +1795,9 @@ async function handleUpdateProjectConfig(args) {
             query_id: data.query_id,
             notes: data.notes
           };
-          config3.tools.confirmed.push(newTool);
+          config4.tools.confirmed.push(newTool);
         }
-        config3.audit_log.push({
+        config4.audit_log.push({
           action: "add_tool",
           tool: args.tool_name,
           timestamp: now,
@@ -1783,9 +1806,9 @@ async function handleUpdateProjectConfig(args) {
         break;
       }
       case "remove_tool": {
-        config3.tools.confirmed = config3.tools.confirmed.filter((t) => t.name !== args.tool_name);
-        config3.tools.pending_evaluation = config3.tools.pending_evaluation.filter((t) => t.name !== args.tool_name);
-        config3.audit_log.push({
+        config4.tools.confirmed = config4.tools.confirmed.filter((t) => t.name !== args.tool_name);
+        config4.tools.pending_evaluation = config4.tools.pending_evaluation.filter((t) => t.name !== args.tool_name);
+        config4.audit_log.push({
           action: "remove_tool",
           tool: args.tool_name,
           timestamp: now,
@@ -1794,22 +1817,22 @@ async function handleUpdateProjectConfig(args) {
         break;
       }
       case "update_tool": {
-        const idx = config3.tools.confirmed.findIndex((t) => t.name === args.tool_name);
+        const idx = config4.tools.confirmed.findIndex((t) => t.name === args.tool_name);
         if (idx === -1) {
           return errResult("not_found", `Tool "${args.tool_name}" not found in confirmed tools`);
         }
-        const existing = config3.tools.confirmed[idx];
+        const existing = config4.tools.confirmed[idx];
         if (!existing) {
           return errResult("not_found", `Tool "${args.tool_name}" not found`);
         }
-        config3.tools.confirmed[idx] = {
+        config4.tools.confirmed[idx] = {
           ...existing,
           ...data.version !== void 0 ? { version: data.version } : {},
           ...data.notes !== void 0 ? { notes: data.notes } : {},
           ...data.chosen_reason !== void 0 ? { chosen_reason: data.chosen_reason } : {},
           ...data.alternatives_considered !== void 0 ? { alternatives_considered: data.alternatives_considered } : {}
         };
-        config3.audit_log.push({
+        config4.audit_log.push({
           action: "update_tool",
           tool: args.tool_name,
           timestamp: now,
@@ -1818,15 +1841,15 @@ async function handleUpdateProjectConfig(args) {
         break;
       }
       case "add_evaluation": {
-        if (!config3.tools.pending_evaluation.some((t) => t.name === args.tool_name) && !config3.tools.confirmed.some((t) => t.name === args.tool_name)) {
+        if (!config4.tools.pending_evaluation.some((t) => t.name === args.tool_name) && !config4.tools.confirmed.some((t) => t.name === args.tool_name)) {
           const pending = {
             name: args.tool_name,
             category: data.category ?? "other",
             added_at: now
           };
-          config3.tools.pending_evaluation.push(pending);
+          config4.tools.pending_evaluation.push(pending);
         }
-        config3.audit_log.push({
+        config4.audit_log.push({
           action: "add_evaluation",
           tool: args.tool_name,
           timestamp: now,
@@ -1835,14 +1858,14 @@ async function handleUpdateProjectConfig(args) {
         break;
       }
     }
-    const updated_config_json = JSON.stringify(config3, null, 2);
+    const updated_config_json = JSON.stringify(config4, null, 2);
     return okResult({
       updated_config_json,
       file_path: ".toolpilot/config.json",
       action_applied: args.action,
       tool_name: args.tool_name,
-      confirmed_count: config3.tools.confirmed.length,
-      pending_count: config3.tools.pending_evaluation.length,
+      confirmed_count: config4.tools.confirmed.length,
+      pending_count: config4.tools.pending_evaluation.length,
       instructions: "Write updated_config_json to .toolpilot/config.json to persist this change."
     });
   } catch (e) {
@@ -2246,12 +2269,67 @@ function createTransport() {
 process.env.TOOLPILOT_MODE = "production";
 var logger9 = pino9({ name: "@toolcairn/mcp-server" });
 async function main() {
-  logger9.info("Starting ToolCairn MCP Server (production mode)");
   await ensureProjectSetup();
-  const server = await buildProdServer();
+  const creds = await loadCredentials();
+  const authenticated = creds !== null && isTokenValid(creds);
+  let server;
+  if (authenticated) {
+    logger9.info({ user: creds.user_email }, "Authenticated \u2014 starting full server");
+    server = await buildProdServer();
+  } else {
+    let verificationUri = "https://toolcairn.neurynae.com/signup";
+    let userCode = "";
+    try {
+      const codeData = await requestDeviceCode(import_config3.config.TOOLPILOT_API_URL);
+      verificationUri = codeData.verification_uri;
+      userCode = codeData.user_code;
+      startDeviceAuth(import_config3.config.TOOLPILOT_API_URL).then(() => {
+        logger9.info("Sign-in complete. Restart your agent to access all ToolCairn tools.");
+      }).catch((err) => {
+        logger9.error({ err }, "Sign-in failed \u2014 restart your agent and try again");
+      });
+    } catch (err) {
+      logger9.error({ err }, "Could not reach ToolCairn API \u2014 check your connection");
+    }
+    server = new McpServer2(
+      { name: "toolcairn", version: "0.1.0" },
+      {
+        instructions: userCode ? `# ToolCairn \u2014 Sign In Required
+
+A browser window should have opened automatically.
+
+**Sign-in URL:** ${verificationUri}
+**Code to confirm:** \`${userCode}\`
+
+Open the URL, sign in, and confirm the code shown on the page. Then restart your agent \u2014 all 14 tools will be available.` : `# ToolCairn \u2014 Sign In Required
+
+Visit ${verificationUri} to create an account, then restart your agent.`
+      }
+    );
+    server.registerTool(
+      "toolcairn_auth",
+      {
+        description: "Check ToolCairn sign-in status.",
+        inputSchema: z3.object({ action: z3.enum(["status"]) })
+      },
+      async () => ({
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              authenticated: false,
+              sign_in_url: verificationUri,
+              code: userCode || null,
+              message: userCode ? `Open ${verificationUri}, confirm code "${userCode}", then restart your agent.` : "Visit toolcairn.neurynae.com to create an account, then restart your agent."
+            })
+          }
+        ]
+      })
+    );
+  }
   const transport = createTransport();
   await server.connect(transport);
-  logger9.info("ToolCairn MCP Server started");
+  logger9.info(authenticated ? "ToolCairn MCP ready" : "ToolCairn MCP ready (sign-in required)");
 }
 main().catch((error) => {
   pino9({ name: "@toolcairn/mcp-server" }).error({ err: error }, "Failed to start MCP server");