@prmichaelsen/remember-mcp 3.19.3 → 4.0.0

package/dist/server-factory.js

@@ -726,6 +726,23 @@ function getWeaviateClient() {
   }
   return client;
 }
+async function testWeaviateConnection() {
+  try {
+    const weaviateClient = getWeaviateClient();
+    const isReady = await weaviateClient.isReady();
+    logger.info("Weaviate connection test successful", {
+      module: "weaviate-client",
+      isReady
+    });
+    return isReady;
+  } catch (error) {
+    logger.error("Weaviate connection test failed", {
+      module: "weaviate-client",
+      error: error instanceof Error ? error.message : String(error)
+    });
+    return false;
+  }
+}
 function getMemoryCollectionName(userId) {
   return `Memory_users_${userId}`;
 }
@@ -940,7 +957,7 @@ var createMemoryTool = {
   description: `Create a new memory with optional template.
   
   Memories can store any type of information: notes, events, people, recipes, etc.
-  Each memory has a weight (significance 0-1) and trust level (access control 0-1).
+  Each memory has a weight (significance 0-1). Trust defaults to SECRET (level 5) and can be changed via remember_request_set_trust_level.
   Location and context are automatically captured from the request.
   
   **IMPORTANT - Content vs Summary**:
@@ -977,12 +994,6 @@ var createMemoryTool = {
         minimum: 0,
         maximum: 1
       },
-      trust: {
-        type: "number",
-        description: "Access control level (0-1, default: 0.25)",
-        minimum: 0,
-        maximum: 1
-      },
       tags: {
         type: "array",
         items: { type: "string" },
@@ -1078,7 +1089,6 @@ async function handleCreateMemory(args, userId, authContext, context) {
       title: args.title,
       type: args.type,
       weight: args.weight,
-      trust: args.trust,
       tags: args.tags,
       references: args.references,
       template_id: args.template_id,
@@ -1199,8 +1209,10 @@ var searchMemoryTool = {
             description: "Minimum weight (0-1)"
           },
           trust_min: {
-            type: "number",
-            description: "Minimum trust level (0-1)"
+            type: "integer",
+            description: "Minimum trust level (1-5: 1=PUBLIC, 2=INTERNAL, 3=CONFIDENTIAL, 4=RESTRICTED, 5=SECRET)",
+            minimum: 1,
+            maximum: 5
           },
           date_from: {
             type: "string",
@@ -1435,12 +1447,6 @@ var updateMemoryTool = {
         minimum: 0,
         maximum: 1
       },
-      trust: {
-        type: "number",
-        description: "Updated access control level (0-1)",
-        minimum: 0,
-        maximum: 1
-      },
       tags: {
         type: "array",
         items: { type: "string" },
@@ -1531,7 +1537,6 @@ async function handleUpdateMemory(args, userId, authContext) {
       title: args.title,
       type: args.type,
       weight: args.weight,
-      trust: args.trust,
       tags: args.tags,
       references: args.references,
       parent_id: args.parent_id,
@@ -1735,8 +1740,10 @@ var queryMemoryTool = {
             description: "Minimum weight (0-1)"
           },
           trust_min: {
-            type: "number",
-            description: "Minimum trust level (0-1)"
+            type: "integer",
+            description: "Minimum trust level (1-5: 1=PUBLIC, 2=INTERNAL, 3=CONFIDENTIAL, 4=RESTRICTED, 5=SECRET)",
+            minimum: 1,
+            maximum: 5
           },
           date_from: {
             type: "string",
@@ -2731,6 +2738,10 @@ Violating these requirements bypasses user consent and is a security violation.`
       token: {
         type: "string",
         description: "The confirmation token from the action tool"
+      },
+      secret_token: {
+        type: "string",
+        description: "HMAC secret token for guard-protected operations. Only required when confirmation guard is enabled on the server."
       }
     },
     required: ["token"]
@@ -2793,7 +2804,23 @@ async function handleConfirm(args, userId, authContext) {
         2
       );
     }
-    const result = await space.confirm({ token: args.token });
+    if (request.action === "set_trust_level") {
+      const { memory } = createCoreServices(userId);
+      const result2 = await memory.confirmSetTrustLevel(args.token);
+      return JSON.stringify(
+        {
+          success: true,
+          memory_id: result2.memory_id,
+          previous_trust_level: result2.previous_trust_level,
+          new_trust_level: result2.new_trust_level,
+          updated_at: result2.updated_at,
+          message: `Trust level changed from ${result2.previous_trust_level} to ${result2.new_trust_level}`
+        },
+        null,
+        2
+      );
+    }
+    const result = await space.confirm({ token: args.token, secret_token: args.secret_token });
     if (result.action === "retract_memory") {
       return JSON.stringify(
         {
@@ -2878,6 +2905,10 @@ This ensures proper user consent workflow is followed.`,
       token: {
         type: "string",
         description: "The confirmation token from the action tool"
+      },
+      secret_token: {
+        type: "string",
+        description: "HMAC secret token for guard-protected operations. Only required when confirmation guard is enabled on the server."
       }
     },
     required: ["token"]
@@ -2889,7 +2920,7 @@ async function handleDeny(args, userId, authContext) {
     debug.info("Tool invoked");
     debug.trace("Arguments", { args });
     const { space } = createCoreServices(userId);
-    const result = await space.deny({ token: args.token });
+    const result = await space.deny({ token: args.token, secret_token: args.secret_token });
     return JSON.stringify(
       {
         success: result.success
@@ -3468,17 +3499,17 @@ var ghostConfigTool = {
 Actions:
 - get: View current ghost configuration
 - set: Update ghost settings (enabled, trust defaults, enforcement mode)
-- set_trust: Set a per-user trust level override (0-1)
+- set_trust: Set a per-user trust level override (1-5 integer)
 - remove_trust: Remove a per-user trust override (revert to default)
 - block: Block a user from ghost access entirely
 - unblock: Unblock a previously blocked user
 
-Trust levels control what information your ghost can share:
-- 0.0: Existence only ("A memory exists about this")
-- 0.25: Metadata only (tags, type, dates \u2014 no content)
-- 0.5: Summary only (AI-generated summary, no raw content)
-- 0.75: Partial access (content with sensitive fields redacted)
-- 1.0: Full access (all content revealed)
+Trust levels (1-5 integer scale) control what information your ghost can share:
+- 1 (PUBLIC): Full access (all content revealed)
+- 2 (INTERNAL): Partial access (content with sensitive fields redacted)
+- 3 (CONFIDENTIAL): Summary only (AI-generated summary, no raw content)
+- 4 (RESTRICTED): Metadata only (tags, type, dates \u2014 no content)
+- 5 (SECRET): Existence only ("A memory exists about this")
 
 Ghost is disabled by default. Enable it to allow others to chat with your AI representation.`,
   inputSchema: {
@@ -3499,16 +3530,16 @@ Ghost is disabled by default. Enable it to allow others to chat with your AI rep
         description: 'Allow non-friends to chat with ghost (for "set" action)'
       },
       default_friend_trust: {
-        type: "number",
-        description: 'Default trust level for friends (0-1, for "set" action)',
-        minimum: 0,
-        maximum: 1
+        type: "integer",
+        description: 'Default trust level for friends (1-5 integer, for "set" action)',
+        minimum: 1,
+        maximum: 5
       },
       default_public_trust: {
-        type: "number",
-        description: 'Default trust level for strangers (0-1, for "set" action)',
-        minimum: 0,
-        maximum: 1
+        type: "integer",
+        description: 'Default trust level for strangers (1-5 integer, for "set" action)',
+        minimum: 1,
+        maximum: 5
       },
       enforcement_mode: {
         type: "string",
@@ -3521,10 +3552,10 @@ Ghost is disabled by default. Enable it to allow others to chat with your AI rep
         description: "Target user ID (for set_trust, remove_trust, block, unblock)"
       },
       trust_level: {
-        type: "number",
-        description: 'Trust level to assign (0-1, for "set_trust" action)',
-        minimum: 0,
-        maximum: 1
+        type: "integer",
+        description: 'Trust level to assign (1-5 integer, for "set_trust" action)',
+        minimum: 1,
+        maximum: 5
       }
     },
     required: ["action"]
@@ -3636,6 +3667,88 @@ async function handleGhostConfig(args, userId, authContext) {
   }
 }
 
+// src/tools/request-set-trust-level.ts
+var requestSetTrustLevelTool = {
+  name: "remember_request_set_trust_level",
+  description: `Request a trust level change for a memory. Returns a confirmation token.
+
+Trust levels (1-5 integer scale):
+  1 = PUBLIC \u2014 anyone can see
+  2 = INTERNAL \u2014 friends/known users
+  3 = CONFIDENTIAL \u2014 trusted friends
+  4 = RESTRICTED \u2014 close/intimate contacts
+  5 = SECRET \u2014 owner only (default for new memories)
+
+After requesting, use remember_confirm with the returned token to apply the change.
+Lowering trust (e.g. 5\u21921) makes the memory MORE visible. Raising trust makes it LESS visible.
+
+This is the ONLY way to change a memory's trust level. Trust cannot be set during creation or update.`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      memory_id: {
+        type: "string",
+        description: "ID of the memory to change trust level for"
+      },
+      trust_level: {
+        type: "integer",
+        description: "New trust level (1-5)",
+        minimum: 1,
+        maximum: 5
+      }
+    },
+    required: ["memory_id", "trust_level"]
+  }
+};
+async function handleRequestSetTrustLevel(args, userId, authContext) {
+  const debug = createDebugLogger({
+    tool: "remember_request_set_trust_level",
+    userId,
+    operation: "request set trust level"
+  });
+  try {
+    debug.info("Tool invoked");
+    debug.trace("Arguments", { args });
+    if (!Number.isInteger(args.trust_level) || args.trust_level < 1 || args.trust_level > 5) {
+      return JSON.stringify({
+        error: "Invalid trust level",
+        message: "Trust level must be an integer from 1 (PUBLIC) to 5 (SECRET)."
+      }, null, 2);
+    }
+    const { memory } = createCoreServices(userId);
+    const result = await memory.requestSetTrustLevel({
+      memory_id: args.memory_id,
+      trust_level: args.trust_level
+    });
+    const TRUST_NAMES = {
+      1: "PUBLIC",
+      2: "INTERNAL",
+      3: "CONFIDENTIAL",
+      4: "RESTRICTED",
+      5: "SECRET"
+    };
+    return JSON.stringify({
+      token: result.token,
+      memory_id: result.memory_id,
+      current_trust_level: result.current_trust_level,
+      requested_trust_level: result.requested_trust_level,
+      current_trust_name: TRUST_NAMES[result.current_trust_level] || "UNKNOWN",
+      requested_trust_name: TRUST_NAMES[result.requested_trust_level] || "UNKNOWN",
+      expires_at: result.expires_at,
+      message: `Trust level change requested: ${TRUST_NAMES[result.current_trust_level] || result.current_trust_level} (${result.current_trust_level}) \u2192 ${TRUST_NAMES[result.requested_trust_level] || result.requested_trust_level} (${result.requested_trust_level}). Confirm with token to apply.`
+    }, null, 2);
+  } catch (error) {
+    debug.error("Tool failed", { error: error instanceof Error ? error.message : String(error) });
+    handleToolError(error, {
+      toolName: "remember_request_set_trust_level",
+      operation: "request set trust level",
+      userId,
+      memoryId: args.memory_id
+    });
+    return JSON.stringify({ error: "Unexpected error" });
+  }
+}
+
 // src/tools/search-by.ts
 var searchByTool = {
   name: "remember_search_by",
@@ -3928,7 +4041,6 @@ var createInternalMemoryTool = {
       title: { type: "string", description: "Optional title" },
       tags: { type: "array", items: { type: "string" }, description: "Additional tags (internal tags added automatically)" },
       weight: { type: "number", minimum: 0, maximum: 1, description: "Significance (0-1)" },
-      trust: { type: "number", minimum: 0, maximum: 1, description: "Trust level (0-1)" },
       feel_salience: { type: "number", minimum: 0, maximum: 1 },
       feel_social_weight: { type: "number", minimum: 0, maximum: 1 },
       feel_narrative_importance: { type: "number", minimum: 0, maximum: 1 }
@@ -3959,7 +4071,6 @@ async function handleCreateInternalMemory(args, userId, authContext) {
       title: args.title,
       type: ctx.type,
       weight: args.weight,
-      trust: args.trust,
       tags: mergedTags,
       context_summary: `Internal memory created via MCP (${ctx.type})`,
       ...feelFields
@@ -3993,8 +4104,7 @@ var updateInternalMemoryTool = {
       content: { type: "string" },
       title: { type: "string" },
       tags: { type: "array", items: { type: "string" } },
-      weight: { type: "number", minimum: 0, maximum: 1 },
-      trust: { type: "number", minimum: 0, maximum: 1 }
+      weight: { type: "number", minimum: 0, maximum: 1 }
     },
     required: ["memory_id"]
   }
@@ -4024,8 +4134,7 @@ async function handleUpdateInternalMemory(args, userId, authContext) {
       content: args.content,
       title: args.title,
       tags: args.tags,
-      weight: args.weight,
-      trust: args.trust
+      weight: args.weight
     });
     return JSON.stringify({
       memory_id: result.memory_id,
@@ -4504,6 +4613,532 @@ async function checkIfFriend(ownerUserId, accessorUserId) {
   }
 }
 
+// src/utils/admin.ts
+function isAdmin(userId) {
+  const adminIds = (process.env.ADMIN_USER_IDS || "").split(",").map((id) => id.trim()).filter(Boolean);
+  return adminIds.includes(userId);
+}
+function adminPermissionError() {
+  return {
+    content: [{ type: "text", text: "Permission denied: admin access required" }],
+    isError: true
+  };
+}
+
+// src/tools/admin-get-weaviate-schema.ts
+var adminGetWeaviateSchemaTool = {
+  name: "remember_admin_get_weaviate_schema",
+  description: `[Admin] Inspect a Weaviate collection's schema \u2014 property names, types, and configuration.
+
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      collection_name: {
+        type: "string",
+        description: 'Collection name (e.g. "Memory_users_abc123", "Memory_spaces_public")'
+      }
+    },
+    required: ["collection_name"]
+  }
+};
+async function handleAdminGetWeaviateSchema(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_get_weaviate_schema", userId, operation: "get schema" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    debug.info("Tool invoked", { collection_name: args.collection_name });
+    const client2 = getWeaviateClient();
+    const collection = client2.collections.get(args.collection_name);
+    const config2 = await collection.config.get();
+    return JSON.stringify({
+      collection_name: args.collection_name,
+      properties: config2.properties.map((p) => ({
+        name: p.name,
+        dataType: p.dataType,
+        description: p.description,
+        indexFilterable: p.indexFilterable,
+        indexSearchable: p.indexSearchable,
+        tokenization: p.tokenization
+      })),
+      vectorizers: config2.vectorizers,
+      generative: config2.generative,
+      multiTenancy: config2.multiTenancy,
+      replication: config2.replication
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_get_weaviate_schema", userId, operation: "get schema" });
+  }
+}
+
+// src/tools/admin-list-collections.ts
+var adminListCollectionsTool = {
+  name: "remember_admin_list_collections",
+  description: `[Admin] List all Weaviate collections with type categorization (user, space, group).
+
+  Optionally filter by prefix (e.g. "Memory_users_", "Memory_spaces_").
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      filter: {
+        type: "string",
+        description: 'Optional prefix filter (e.g. "Memory_users_", "Memory_spaces_")'
+      }
+    }
+  }
+};
+function categorizeCollection(name) {
+  if (name.startsWith("Memory_users_"))
+    return "user";
+  if (name.startsWith("Memory_spaces_"))
+    return "space";
+  if (name.startsWith("Memory_groups_"))
+    return "group";
+  if (name.startsWith("Memory_friends_"))
+    return "friends";
+  return "other";
+}
+async function handleAdminListCollections(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_list_collections", userId, operation: "list collections" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    debug.info("Tool invoked", { filter: args.filter });
+    const client2 = getWeaviateClient();
+    const allCollections = await client2.collections.listAll();
+    let collections = allCollections.map((c) => ({
+      name: c.name,
+      type: categorizeCollection(c.name)
+    }));
+    if (args.filter) {
+      collections = collections.filter((c) => c.name.startsWith(args.filter));
+    }
+    return JSON.stringify({
+      total: collections.length,
+      collections
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_list_collections", userId, operation: "list collections" });
+  }
+}
+
+// src/tools/admin-collection-stats.ts
+var adminCollectionStatsTool = {
+  name: "remember_admin_collection_stats",
+  description: `[Admin] Get stats for a Weaviate collection \u2014 object count, property count, configuration.
+
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      collection_name: {
+        type: "string",
+        description: "Collection name to get stats for"
+      }
+    },
+    required: ["collection_name"]
+  }
+};
+async function handleAdminCollectionStats(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_collection_stats", userId, operation: "collection stats" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    debug.info("Tool invoked", { collection_name: args.collection_name });
+    const client2 = getWeaviateClient();
+    const collection = client2.collections.get(args.collection_name);
+    const [config2, objectCount] = await Promise.all([
+      collection.config.get(),
+      collection.length()
+    ]);
+    return JSON.stringify({
+      collection_name: args.collection_name,
+      object_count: objectCount,
+      property_count: config2.properties.length,
+      properties: config2.properties.map((p) => p.name),
+      vectorizers: config2.vectorizers,
+      multiTenancy: config2.multiTenancy,
+      replication: config2.replication
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_collection_stats", userId, operation: "collection stats" });
+  }
+}
+
+// src/tools/admin-inspect-memory.ts
+import { MemoryIndexService as MemoryIndexService2, createLogger as createLogger2 } from "@prmichaelsen/remember-core";
+var indexService = new MemoryIndexService2(createLogger2("info"));
+var adminInspectMemoryTool = {
+  name: "remember_admin_inspect_memory",
+  description: `[Admin] Fetch a raw memory object by UUID \u2014 all fields including internal metadata.
+
+  Uses the Firestore index to resolve which collection the memory lives in.
+  Optionally includes the vector embedding.
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      memory_id: {
+        type: "string",
+        description: "Memory UUID"
+      },
+      include_vector: {
+        type: "boolean",
+        description: "Include the vector embedding in the response. Default: false"
+      }
+    },
+    required: ["memory_id"]
+  }
+};
+async function handleAdminInspectMemory(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_inspect_memory", userId, operation: "inspect memory" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    debug.info("Tool invoked", { memory_id: args.memory_id, include_vector: args.include_vector });
+    const collectionName = await indexService.lookup(args.memory_id);
+    if (!collectionName) {
+      return JSON.stringify({ error: `Memory not found in index: ${args.memory_id}` });
+    }
+    const client2 = getWeaviateClient();
+    const collection = client2.collections.get(collectionName);
+    const result = await collection.query.fetchObjectById(args.memory_id, {
+      includeVector: args.include_vector ?? false
+    });
+    if (!result) {
+      return JSON.stringify({
+        error: `Memory indexed in ${collectionName} but not found in Weaviate: ${args.memory_id}`,
+        collection_name: collectionName
+      });
+    }
+    return JSON.stringify({
+      id: result.uuid,
+      collection_name: collectionName,
+      properties: result.properties,
+      vectors: args.include_vector ? result.vectors : void 0,
+      metadata: result.metadata
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_inspect_memory", userId, operation: "inspect memory" });
+  }
+}
+
+// src/tools/admin-search-across-users.ts
+var adminSearchAcrossUsersTool = {
+  name: "remember_admin_search_across_users",
+  description: `[Admin] Search memories across multiple user tenants.
+
+  Results include which user each memory belongs to.
+  Requires explicit user_id array \u2014 no "all users" search.
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      user_ids: {
+        type: "array",
+        items: { type: "string" },
+        description: "User IDs to search across (required, 1 or more)"
+      },
+      query: {
+        type: "string",
+        description: "Search query (hybrid search)"
+      },
+      limit: {
+        type: "number",
+        description: "Max results across all users. Default: 10"
+      },
+      content_type: {
+        type: "string",
+        description: "Optional content type filter"
+      }
+    },
+    required: ["user_ids", "query"]
+  }
+};
+async function handleAdminSearchAcrossUsers(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_search_across_users", userId, operation: "search across users" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    if (!args.user_ids || args.user_ids.length === 0) {
+      return JSON.stringify({ error: "user_ids array is required and must not be empty" });
+    }
+    debug.info("Tool invoked", { user_ids: args.user_ids, query: args.query, limit: args.limit });
+    const limit = args.limit ?? 10;
+    const allResults = [];
+    const warnings = [];
+    for (const targetUserId of args.user_ids) {
+      try {
+        const services = createCoreServices(targetUserId);
+        const searchResult = await services.memory.search({
+          query: args.query,
+          limit,
+          filters: args.content_type ? { types: [args.content_type] } : void 0
+        });
+        for (const memory of searchResult.memories) {
+          allResults.push({
+            user_id: targetUserId,
+            memory
+          });
+        }
+      } catch (err) {
+        warnings.push(`User ${targetUserId}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+    const limited = allResults.slice(0, limit);
+    return JSON.stringify({
+      total: limited.length,
+      results: limited,
+      warnings: warnings.length > 0 ? warnings : void 0
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_search_across_users", userId, operation: "search across users" });
+  }
+}
+
+// src/tools/admin-inspect-user.ts
+init_init();
+var userIdSchema = {
+  type: "object",
+  properties: {
+    user_id: { type: "string", description: "User ID to inspect" }
+  },
+  required: ["user_id"]
+};
+var adminInspectUserPreferencesTool = {
+  name: "remember_admin_inspect_user_preferences",
+  description: `[Admin] Inspect a user's preferences from Firestore. Requires admin access.`,
+  inputSchema: userIdSchema
+};
+var adminInspectUserGhostConfigsTool = {
+  name: "remember_admin_inspect_user_ghost_configs",
+  description: `[Admin] Inspect a user's ghost configurations from Firestore. Requires admin access.`,
+  inputSchema: userIdSchema
+};
+var adminInspectUserEscalationRecordsTool = {
+  name: "remember_admin_inspect_user_escalation_records",
+  description: `[Admin] Inspect a user's trust escalation records from Firestore. Requires admin access.`,
+  inputSchema: userIdSchema
+};
+var adminInspectUserApiTokensTool = {
+  name: "remember_admin_inspect_user_api_tokens",
+  description: `[Admin] Inspect a user's API token metadata from Firestore (no hashes). Requires admin access.`,
+  inputSchema: userIdSchema
+};
+async function handleAdminInspectUserPreferences(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_inspect_user_preferences", userId, operation: "inspect preferences" });
+  try {
+    if (!isAdmin(userId))
+      return JSON.stringify(adminPermissionError());
+    debug.info("Tool invoked", { target_user_id: args.user_id });
+    const services = createCoreServices(args.user_id);
+    const prefs = await services.preferences.getPreferences(args.user_id);
+    return JSON.stringify({ user_id: args.user_id, preferences: prefs }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_inspect_user_preferences", userId });
+  }
+}
+async function handleAdminInspectUserGhostConfigs(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_inspect_user_ghost_configs", userId, operation: "inspect ghost configs" });
+  try {
+    if (!isAdmin(userId))
+      return JSON.stringify(adminPermissionError());
+    debug.info("Tool invoked", { target_user_id: args.user_id });
+    const config2 = await getGhostConfig(args.user_id);
+    return JSON.stringify({ user_id: args.user_id, ghost_config: config2 }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_inspect_user_ghost_configs", userId });
+  }
+}
+async function handleAdminInspectUserEscalationRecords(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_inspect_user_escalation_records", userId, operation: "inspect escalation records" });
+  try {
+    if (!isAdmin(userId))
+      return JSON.stringify(adminPermissionError());
+    debug.info("Tool invoked", { target_user_id: args.user_id });
+    const collectionPath = `${BASE}.users/${args.user_id}/escalations`;
+    const records = await queryDocuments(collectionPath);
+    return JSON.stringify({
+      user_id: args.user_id,
+      escalation_records: records.map((r) => ({ id: r.id, ...r.data }))
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_inspect_user_escalation_records", userId });
+  }
+}
+async function handleAdminInspectUserApiTokens(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_inspect_user_api_tokens", userId, operation: "inspect api tokens" });
+  try {
+    if (!isAdmin(userId))
+      return JSON.stringify(adminPermissionError());
+    debug.info("Tool invoked", { target_user_id: args.user_id });
+    const collectionPath = `${BASE}.users/${args.user_id}/api_tokens`;
+    const tokens = await queryDocuments(collectionPath);
+    const sanitized = tokens.map((token) => {
+      const { token_hash, ...metadata } = token.data;
+      return { id: token.id, ...metadata };
+    });
+    return JSON.stringify({
+      user_id: args.user_id,
+      api_tokens: sanitized
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_inspect_user_api_tokens", userId });
+  }
+}
+
+// src/tools/admin-health.ts
+init_init();
+var adminHealthTool = {
+  name: "remember_admin_health",
+  description: `[Admin] Deep health check \u2014 Weaviate and Firestore connectivity with latency.
+
+  Returns overall status (healthy/degraded/unhealthy).
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {}
+  }
+};
+async function handleAdminHealth(_args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_health", userId, operation: "health check" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    debug.info("Tool invoked");
+    const weaviateStart = Date.now();
+    let weaviateOk;
+    let weaviateError;
+    try {
+      weaviateOk = await testWeaviateConnection();
+    } catch (err) {
+      weaviateOk = false;
+      weaviateError = err instanceof Error ? err.message : String(err);
+    }
+    const weaviateLatency = Date.now() - weaviateStart;
+    const firestoreStart = Date.now();
+    let firestoreOk;
+    let firestoreError;
+    try {
+      firestoreOk = await testFirestoreConnection();
+    } catch (err) {
+      firestoreOk = false;
+      firestoreError = err instanceof Error ? err.message : String(err);
+    }
+    const firestoreLatency = Date.now() - firestoreStart;
+    let overall;
+    if (weaviateOk && firestoreOk) {
+      overall = "healthy";
+    } else if (!weaviateOk && !firestoreOk) {
+      overall = "unhealthy";
+    } else {
+      overall = "degraded";
+    }
+    return JSON.stringify({
+      weaviate: {
+        status: weaviateOk ? "ok" : "error",
+        latency_ms: weaviateLatency,
+        message: weaviateError
+      },
+      firestore: {
+        status: firestoreOk ? "ok" : "error",
+        latency_ms: firestoreLatency,
+        message: firestoreError
+      },
+      overall
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_health", userId, operation: "health check" });
+  }
+}
+
+// src/tools/admin-detect-weaviate-drift.ts
+import {
+  getUserCollectionProperties,
+  getPublishedCollectionProperties
+} from "@prmichaelsen/remember-core/database/weaviate";
+var adminDetectWeaviateDriftTool = {
+  name: "remember_admin_detect_weaviate_drift",
+  description: `[Admin] Compare expected vs actual Weaviate schema properties per collection.
+
+  Reports missing properties, extra properties, and overall drift status.
+  If no collection_ids provided, checks a sample of collections.
+  Requires admin access (ADMIN_USER_IDS).`,
+  inputSchema: {
+    type: "object",
+    properties: {
+      collection_ids: {
+        type: "array",
+        items: { type: "string" },
+        description: "Optional \u2014 specific collections to check. If omitted, samples available collections."
+      }
+    }
+  }
+};
+function getExpectedProperties(collectionName) {
+  if (collectionName.startsWith("Memory_users_")) {
+    return getUserCollectionProperties();
+  }
+  return getPublishedCollectionProperties();
+}
+async function handleAdminDetectWeaviateDrift(args, userId, _authContext) {
+  const debug = createDebugLogger({ tool: "remember_admin_detect_weaviate_drift", userId, operation: "detect drift" });
+  try {
+    if (!isAdmin(userId)) {
+      return JSON.stringify(adminPermissionError());
+    }
+    debug.info("Tool invoked", { collection_ids: args.collection_ids });
+    const client2 = getWeaviateClient();
+    let collectionNames;
+    if (args.collection_ids && args.collection_ids.length > 0) {
+      collectionNames = args.collection_ids;
+    } else {
+      const all = await client2.collections.listAll();
+      const names = all.map((c) => c.name).filter((n) => n.startsWith("Memory_"));
+      collectionNames = names.slice(0, 5);
+    }
+    const results = [];
+    for (const name of collectionNames) {
+      try {
+        const collection = client2.collections.get(name);
+        const config2 = await collection.config.get();
+        const actualProperties = config2.properties.map((p) => p.name);
+        const expectedProperties = getExpectedProperties(name);
+        const missing = expectedProperties.filter((p) => !actualProperties.includes(p));
+        const extra = actualProperties.filter((p) => !expectedProperties.includes(p));
+        const status = missing.length === 0 && extra.length === 0 ? "match" : "drift";
+        results.push({
+          collection: name,
+          status,
+          expected_count: expectedProperties.length,
+          actual_count: actualProperties.length,
+          missing_properties: missing,
+          extra_properties: extra
+        });
+      } catch (err) {
+        results.push({
+          collection: name,
+          status: "error",
+          error: err instanceof Error ? err.message : String(err)
+        });
+      }
+    }
+    return JSON.stringify({
+      collections_checked: results.length,
+      results
+    }, null, 2);
+  } catch (error) {
+    return handleToolError(error, { toolName: "remember_admin_detect_weaviate_drift", userId, operation: "detect drift" });
+  }
+}
+
 // src/server-factory.ts
 var databasesInitialized = false;
 var initializationPromise = null;
@@ -4603,48 +5238,64 @@ async function createServer(accessToken, userId, options = {}) {
   return server;
 }
 function registerHandlers(server, userId, accessToken, internalContext) {
+  const adminTools = [
+    adminGetWeaviateSchemaTool,
+    adminListCollectionsTool,
+    adminCollectionStatsTool,
+    adminInspectMemoryTool,
+    adminSearchAcrossUsersTool,
+    adminInspectUserPreferencesTool,
+    adminInspectUserGhostConfigsTool,
+    adminInspectUserEscalationRecordsTool,
+    adminInspectUserApiTokensTool,
+    adminHealthTool,
+    adminDetectWeaviateDriftTool
+  ];
   server.setRequestHandler(ListToolsRequestSchema, async () => {
-    return {
-      tools: [
-        // Memory tools
-        createMemoryTool,
-        searchMemoryTool,
-        deleteMemoryTool,
-        updateMemoryTool,
-        findSimilarTool,
-        queryMemoryTool,
-        // Relationship tools
-        createRelationshipTool,
-        updateRelationshipTool,
-        searchRelationshipTool,
-        deleteRelationshipTool,
-        // Preference tools
-        setPreferenceTool,
-        getPreferencesTool,
-        // Space tools
-        publishTool,
-        retractTool,
-        reviseTool,
-        confirmTool,
-        denyTool,
-        searchSpaceTool,
-        querySpaceTool,
-        moderateTool,
-        ghostConfigTool,
-        // Search modes
-        searchByTool,
-        // Unified internal memory tools
-        createInternalMemoryTool,
-        updateInternalMemoryTool,
-        searchInternalMemoryTool,
-        queryInternalMemoryTool,
-        searchInternalMemoryByTool,
-        // Core introspection
-        getCoreTool,
-        // Space search modes
-        searchSpaceByTool
-      ]
-    };
+    const tools = [
+      // Memory tools
+      createMemoryTool,
+      searchMemoryTool,
+      deleteMemoryTool,
+      updateMemoryTool,
+      findSimilarTool,
+      queryMemoryTool,
+      // Relationship tools
+      createRelationshipTool,
+      updateRelationshipTool,
+      searchRelationshipTool,
+      deleteRelationshipTool,
+      // Preference tools
+      setPreferenceTool,
+      getPreferencesTool,
+      // Space tools
+      publishTool,
+      retractTool,
+      reviseTool,
+      confirmTool,
+      denyTool,
+      searchSpaceTool,
+      querySpaceTool,
+      moderateTool,
+      ghostConfigTool,
+      requestSetTrustLevelTool,
+      // Search modes
+      searchByTool,
+      // Unified internal memory tools
+      createInternalMemoryTool,
+      updateInternalMemoryTool,
+      searchInternalMemoryTool,
+      queryInternalMemoryTool,
+      searchInternalMemoryByTool,
+      // Core introspection
+      getCoreTool,
+      // Space search modes
+      searchSpaceByTool
+    ];
+    if (isAdmin(userId)) {
+      tools.push(...adminTools);
+    }
+    return { tools };
   });
   server.setRequestHandler(CallToolRequestSchema, async (request) => {
     const { name, arguments: args } = request.params;
@@ -4716,6 +5367,9 @@ function registerHandlers(server, userId, accessToken, internalContext) {
         case "remember_ghost_config":
           result = await handleGhostConfig(args, userId, authContext);
           break;
+        case "remember_request_set_trust_level":
+          result = await handleRequestSetTrustLevel(args, userId, authContext);
+          break;
         case "remember_search_by":
           result = await handleSearchBy(args, userId, authContext);
           break;
@@ -4740,7 +5394,45 @@ function registerHandlers(server, userId, accessToken, internalContext) {
         case "remember_search_space_by":
           result = await handleSearchSpaceBy(args, userId, authContext);
           break;
+        case "remember_admin_get_weaviate_schema":
+          result = await handleAdminGetWeaviateSchema(args, userId, authContext);
+          break;
+        case "remember_admin_list_collections":
+          result = await handleAdminListCollections(args, userId, authContext);
+          break;
+        case "remember_admin_collection_stats":
+          result = await handleAdminCollectionStats(args, userId, authContext);
+          break;
+        case "remember_admin_inspect_memory":
+          result = await handleAdminInspectMemory(args, userId, authContext);
+          break;
+        case "remember_admin_search_across_users":
+          result = await handleAdminSearchAcrossUsers(args, userId, authContext);
+          break;
+        case "remember_admin_inspect_user_preferences":
+          result = await handleAdminInspectUserPreferences(args, userId, authContext);
+          break;
+        case "remember_admin_inspect_user_ghost_configs":
+          result = await handleAdminInspectUserGhostConfigs(args, userId, authContext);
+          break;
+        case "remember_admin_inspect_user_escalation_records":
+          result = await handleAdminInspectUserEscalationRecords(args, userId, authContext);
+          break;
+        case "remember_admin_inspect_user_api_tokens":
+          result = await handleAdminInspectUserApiTokens(args, userId, authContext);
+          break;
+        case "remember_admin_health":
+          result = await handleAdminHealth(args, userId, authContext);
+          break;
+        case "remember_admin_detect_weaviate_drift":
+          result = await handleAdminDetectWeaviateDrift(args, userId, authContext);
+          break;
         default:
+          if (name.startsWith("remember_admin_")) {
+            if (!isAdmin(userId)) {
+              return adminPermissionError();
+            }
+          }
           throw new McpError(
             ErrorCode.MethodNotFound,
             `Unknown tool: ${name}`