@rigstate/mcp 0.7.5 → 0.7.7

package/dist/index.js

@@ -1102,7 +1102,7 @@ import { ListToolsRequestSchema, ListResourcesRequestSchema } from "@modelcontex
 // src/server/types.ts
 init_esm_shims();
 var SERVER_NAME = "rigstate-mcp";
-var SERVER_VERSION = "0.5.0";
+var SERVER_VERSION = "0.7.5";
 
 // src/lib/tool-registry.ts
 init_esm_shims();
@@ -1275,8 +1275,11 @@ ${formatted}
 // src/lib/curator/actions/submit.ts
 init_esm_shims();
 async function submitSignal(supabase, userId, input) {
-  const { data: project, error: projectError } = await supabase.from("projects").select("id").eq("id", input.projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: input.projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error("Project not found or access denied");
   }
   const fingerprintBase = `${input.instruction}::${input.category}`.toLowerCase();
@@ -1561,8 +1564,11 @@ var GetLearnedInstructionsSchema = z3.object({
 async function refineLogic(supabase, userId, args) {
   const { projectId, originalReasoning, userCorrection, scope } = args;
   const traceId = uuidv4();
-  const { data: project, error: projectError } = await supabase.from("projects").select("id, name").eq("id", projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error(`Project access denied or not found: ${projectId}`);
   }
   const { data: instruction, error: insertError } = await supabase.from("ai_instructions").insert({
@@ -1895,6 +1901,129 @@ var CompleteRoadmapTaskInputSchema = z4.object({
   integrityGate: z4.any().optional()
 });
 
+// src/lib/project-context-utils.ts
+init_esm_shims();
+async function buildProjectSummary(project, techStack, activeTask, nextTask, agentTasks, roadmapItems, stackDef, supabase, userId) {
+  const summaryParts = [];
+  summaryParts.push(`Project Type: ${project.project_type?.toUpperCase() || "UNKNOWN"}`);
+  if (stackDef || activeTask || nextTask) {
+    summaryParts.push("\n=== ACTIVE MISSION PARAMETERS ===");
+    if (activeTask) {
+      summaryParts.push(`\u26A0\uFE0F  CURRENT OBJECTIVE: T-${activeTask.step_number}: ${activeTask.title}`);
+      summaryParts.push(`   Role: ${activeTask.role || "Developer"}`);
+      const detailedInstructions = activeTask.prompt_content || activeTask.instruction_set;
+      if (detailedInstructions) {
+        summaryParts.push(`   Instructions: ${detailedInstructions.substring(0, 1e3)}...`);
+      }
+      if (activeTask.architectural_brief) {
+        summaryParts.push(`
+   Architectural Brief: ${activeTask.architectural_brief}`);
+      }
+      if (activeTask.context_summary) {
+        summaryParts.push(`
+   Context: ${activeTask.context_summary}`);
+      }
+      if (activeTask.checklist && activeTask.checklist.length > 0) {
+        summaryParts.push("\n   Checklist (DoD):");
+        activeTask.checklist.forEach((item) => {
+          summaryParts.push(`     [ ] ${typeof item === "string" ? item : item.task}`);
+        });
+      }
+      if (activeTask.metadata && Object.keys(activeTask.metadata).length > 0) {
+        summaryParts.push(`
+   Technical Metadata: ${JSON.stringify(activeTask.metadata)}`);
+      }
+      if (activeTask.tags && activeTask.tags.length > 0) {
+        summaryParts.push(`   Tags: ${activeTask.tags.join(", ")}`);
+      }
+      if (activeTask.feature_id) {
+        try {
+          const { data: dbFeatures } = await supabase.rpc("get_project_features_secure", {
+            p_project_id: project.id,
+            p_user_id: userId
+          });
+          const feature = dbFeatures?.find((f) => f.id === activeTask.feature_id);
+          if (feature) {
+            summaryParts.push(`
+   Parent Feature: ${feature.name}`);
+            summaryParts.push(`   Feature Vision: ${feature.description}`);
+          }
+        } catch (e) {
+          console.warn("Feature context fetch failed", e);
+        }
+      }
+      summaryParts.push("\n   ACTION: Focus ALL coding efforts on completing this task.");
+    } else if (nextTask) {
+      summaryParts.push(`\u23F8  SYSTEM IDLE (Waiting for command)`);
+      summaryParts.push(`   Suggested Next Mission: T-${nextTask.step_number}: ${nextTask.title}`);
+      if (nextTask.tags && nextTask.tags.length > 0) {
+        summaryParts.push(`   Scope: ${nextTask.tags.join(", ")}`);
+      }
+      summaryParts.push(`   ACTION: Ask the user "Shall we start T-${nextTask.step_number}?"`);
+    } else {
+      summaryParts.push("\u2705  ALL MISSIONS COMPLETE. Awaiting new roadmap items.");
+    }
+    summaryParts.push("\n=== AI BEHAVIORAL INSTRUCTIONS ===");
+    if (activeTask) {
+      summaryParts.push(`1. FOCUS: The user is working on T-${activeTask.step_number}. Help them complete it.`);
+      summaryParts.push(`2. COMPLIANCE: Ensure all code follows project standards.`);
+    } else if (nextTask) {
+      summaryParts.push(`1. NUDGE: No active task found. Suggest starting T-${nextTask.step_number} (${nextTask.title}).`);
+      summaryParts.push(`2. PROACTIVE: Instead of asking "How can I help?", ask "Shall we start on T-${nextTask.step_number}?"`);
+    }
+    summaryParts.push("\n=== CURRENT STACK ===");
+    if (stackDef) {
+      if (stackDef.frontend) summaryParts.push(`Frontend: ${stackDef.frontend.framework} (${stackDef.frontend.language})`);
+      if (stackDef.backend) summaryParts.push(`Backend: ${stackDef.backend.service} (${stackDef.backend.database})`);
+      if (stackDef.styling) summaryParts.push(`Styling: ${stackDef.styling.framework} ${stackDef.styling.library || ""}`);
+      if (stackDef.hosting) summaryParts.push(`Infrastructure: ${stackDef.hosting.provider}`);
+    } else {
+      if (techStack.framework) summaryParts.push(`Framework: ${techStack.framework}`);
+      if (techStack.orm) summaryParts.push(`ORM: ${techStack.orm}`);
+    }
+  }
+  if (project.description) {
+    summaryParts.push(`
+Description: ${project.description}`);
+  }
+  if (project.functional_spec) {
+    summaryParts.push("\n=== STRATEGIC PROJECT SPECIFICATION (NUANCES) ===");
+    const spec = typeof project.functional_spec === "string" ? JSON.parse(project.functional_spec) : project.functional_spec;
+    if (spec.projectDescription) summaryParts.push(`Vision: ${spec.projectDescription}`);
+    if (spec.targetAudience) summaryParts.push(`Audience: ${spec.targetAudience}`);
+    if (spec.coreProblem) summaryParts.push(`Core Problem: ${spec.coreProblem}`);
+    if (spec.featureList && Array.isArray(spec.featureList)) {
+      summaryParts.push("\nKey Features & Nuances:");
+      spec.featureList.filter((f) => f.priority === "MVP" || f.priority === "HIGH").slice(0, 10).forEach((f) => {
+        summaryParts.push(`- ${f.name}: ${f.description?.substring(0, 200)}`);
+      });
+    }
+  }
+  summaryParts.push("\n=== RIGSTATE TOOLING GUIDELINES ===");
+  summaryParts.push("You have access to specialized MCP tools. USE THEM TO SUCCEED:");
+  summaryParts.push("1. NEVER guess about architecture. Use `query_brain` to search project documentation.");
+  summaryParts.push("2. BEFORE coding, check `get_learned_instructions` to see if you have been corrected before.");
+  summaryParts.push("3. When finishing a task, ALWAYS update the roadmap using `update_roadmap`.");
+  summaryParts.push("4. If you discover a reusable pattern, submit it with `submit_curator_signal`.");
+  summaryParts.push("5. For large refactors, use `run_architecture_audit` to check against rules.");
+  summaryParts.push("6. Store major decisions using `save_decision` (ADR).");
+  summaryParts.push("\n=== RECENT ACTIVITY DIGEST ===");
+  if (agentTasks && agentTasks.length > 0) {
+    summaryParts.push("\nLatest AI Executions:");
+    agentTasks.forEach((t) => {
+      const time = t.completed_at ? new Date(t.completed_at).toLocaleString() : "Recently";
+      summaryParts.push(`- [${time}] ${t.roadmap_title || "Task"}: ${t.execution_summary?.substring(0, 100) || "Completed"}`);
+    });
+  }
+  if (roadmapItems && roadmapItems.length > 0) {
+    summaryParts.push("\nRoadmap Updates:");
+    roadmapItems.forEach((i) => {
+      summaryParts.push(`- ${i.title} is now ${i.status}`);
+    });
+  }
+  return summaryParts.join("\n") || "No project context available.";
+}
+
 // src/tools/get-project-context.ts
 registry.register({
   name: "get_project_context",
@@ -1940,10 +2069,11 @@ async function getProjectContext(supabase, userId, projectId) {
     created_at: projectRow.created_at,
     last_indexed_at: projectRow.last_indexed_at,
     detected_stack: projectRow.detected_stack,
-    repository_tree: projectRow.repository_tree
+    repository_tree: projectRow.repository_tree,
+    functional_spec: projectRow.functional_spec
   };
   const stackDef = projectRow.architectural_dna?.stack_definition;
-  const { data: allChunks, error: chunksError } = await supabase.rpc("get_roadmap_chunks_secure", {
+  const { data: allChunks } = await supabase.rpc("get_roadmap_chunks_secure", {
     p_project_id: projectId,
     p_user_id: userId
   });
@@ -1986,67 +2116,17 @@ async function getProjectContext(supabase, userId, projectId) {
       project.repository_tree.filter((t) => t.type === "tree" && !t.path.includes("/")).map((t) => t.path)
     )].slice(0, 10);
   }
-  const summaryParts = [];
-  summaryParts.push(`Project Type: ${project.project_type?.toUpperCase() || "UNKNOWN"}`);
-  if (stackDef) {
-    summaryParts.push("\n=== ACTIVE MISSION PARAMETERS ===");
-    if (activeTask) {
-      summaryParts.push(`\u26A0\uFE0F  CURRENT OBJECTIVE: T-${activeTask.step_number}: ${activeTask.title}`);
-      summaryParts.push(`   Role: ${activeTask.role || "Developer"}`);
-      if (activeTask.instruction_set) {
-        summaryParts.push(`   Instructions: ${activeTask.instruction_set.substring(0, 200)}...`);
-      }
-      summaryParts.push("   ACTION: Focus ALL coding efforts on completing this task.");
-    } else if (nextTask) {
-      summaryParts.push(`\u23F8  SYSTEM IDLE (Waiting for command)`);
-      summaryParts.push(`   Suggested Next Mission: T-${nextTask.step_number}: ${nextTask.title}`);
-      summaryParts.push(`   ACTION: Ask the user "Shall we start T-${nextTask.step_number}?"`);
-    } else {
-      summaryParts.push("\u2705  ALL MISSIONS COMPLETE. Awaiting new roadmap items.");
-    }
-    summaryParts.push("\n=== AI BEHAVIORAL INSTRUCTIONS ===");
-    if (activeTask) {
-      summaryParts.push(`1. FOCUS: The user is working on T-${activeTask.step_number}. Help them complete it.`);
-      summaryParts.push(`2. COMPLIANCE: Ensure all code follows project standards.`);
-    } else if (nextTask) {
-      summaryParts.push(`1. NUDGE: No active task found. Suggest starting T-${nextTask.step_number} (${nextTask.title}).`);
-      summaryParts.push(`2. PROACTIVE: Instead of asking "How can I help?", ask "Shall we start on T-${nextTask.step_number}?"`);
-    }
-    summaryParts.push("\n=== CURRENT STACK ===");
-    if (stackDef.frontend) summaryParts.push(`Frontend: ${stackDef.frontend.framework} (${stackDef.frontend.language})`);
-    if (stackDef.backend) summaryParts.push(`Backend: ${stackDef.backend.service} (${stackDef.backend.database})`);
-    if (stackDef.styling) summaryParts.push(`Styling: ${stackDef.styling.framework} ${stackDef.styling.library || ""}`);
-    if (stackDef.hosting) summaryParts.push(`Infrastructure: ${stackDef.hosting.provider}`);
-  } else {
-    if (techStack.framework) summaryParts.push(`Framework: ${techStack.framework}`);
-    if (techStack.orm) summaryParts.push(`ORM: ${techStack.orm}`);
-  }
-  if (project.description) {
-    summaryParts.push(`
-Description: ${project.description}`);
-  }
-  summaryParts.push("\n=== RIGSTATE TOOLING GUIDELINES ===");
-  summaryParts.push("You have access to specialized MCP tools. USE THEM TO SUCCEED:");
-  summaryParts.push("1. NEVER guess about architecture. Use `query_brain` to search project documentation.");
-  summaryParts.push("2. BEFORE coding, check `get_learned_instructions` to see if you have been corrected before.");
-  summaryParts.push("3. When finishing a task, ALWAYS update the roadmap using `update_roadmap`.");
-  summaryParts.push("4. If you discover a reusable pattern, submit it with `submit_curator_signal`.");
-  summaryParts.push("5. For large refactors, use `run_architecture_audit` to check against rules.");
-  summaryParts.push("6. Store major decisions using `save_decision` (ADR).");
-  summaryParts.push("\n=== RECENT ACTIVITY DIGEST ===");
-  if (agentTasks && agentTasks.length > 0) {
-    summaryParts.push("\nLatest AI Executions:");
-    agentTasks.forEach((t) => {
-      const time = t.completed_at ? new Date(t.completed_at).toLocaleString() : "Recently";
-      summaryParts.push(`- [${time}] ${t.roadmap_title || "Task"}: ${t.execution_summary || "Completed"}`);
-    });
-  }
-  if (roadmapItems && roadmapItems.length > 0) {
-    summaryParts.push("\nRoadmap Updates:");
-    roadmapItems.forEach((i) => {
-      summaryParts.push(`- ${i.title} is now ${i.status}`);
-    });
-  }
+  const summary = await buildProjectSummary(
+    project,
+    techStack,
+    activeTask,
+    nextTask,
+    agentTasks || [],
+    roadmapItems || [],
+    stackDef,
+    supabase,
+    userId
+  );
   const response = {
     project: {
       id: project.id,
@@ -2057,7 +2137,7 @@ Description: ${project.description}`);
       lastIndexedAt: project.last_indexed_at
     },
     techStack,
-    summary: summaryParts.join("\n") || "No project context available."
+    summary
   };
   try {
     const curatorContext = await injectGlobalContext(supabase, userId, {
@@ -2126,32 +2206,25 @@ async function generateQueryEmbedding(query) {
   }
 }
 async function queryBrain(supabase, userId, projectId, query, limit = 8, threshold = 0.5) {
-  const { data: project, error: projectError } = await supabase.from("projects").select("id").eq("id", projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error("Project not found or access denied");
   }
   const embedding = await generateQueryEmbedding(query);
   let memories = [];
-  const { data: searchResults, error: searchError } = await supabase.rpc("hybrid_search_memories", {
+  const { data: searchResults, error: searchError } = await supabase.rpc("query_project_brain_secure", {
     p_project_id: projectId,
+    p_user_id: userId,
     p_query: query,
-    p_embedding: embedding || null,
-    p_limit: limit,
-    p_similarity_threshold: threshold || 0.1
+    p_limit: limit
   });
-  if (searchError) {
-    const { data: recentMemories } = await supabase.from("project_memories").select("id, content, category, tags, importance, created_at").eq("project_id", projectId).eq("is_active", true).order("created_at", { ascending: false }).limit(limit);
-    if (recentMemories) {
-      memories = recentMemories.map((m) => ({
-        id: m.id,
-        content: m.content,
-        category: m.category || "general",
-        tags: m.tags || [],
-        netVotes: m.importance || 0,
-        createdAt: m.created_at
-      }));
-    }
-  } else if (searchResults) {
+  if (searchError || !searchResults) {
+    console.error("Brain query failed:", searchError);
+    memories = [];
+  } else {
     memories = searchResults.map((m) => ({
       id: m.id,
       content: m.content,
@@ -2163,8 +2236,15 @@ async function queryBrain(supabase, userId, projectId, query, limit = 8, thresho
   }
   let relevantFeatures = [];
   try {
-    const { data: features } = await supabase.from("project_features").select("name, status, description").eq("project_id", projectId).or(`name.ilike.%${query}%,description.ilike.%${query}%`).limit(3);
-    if (features) relevantFeatures = features;
+    const { data: projectRow } = await supabase.rpc("get_project_context_secure", {
+      p_project_id: projectId,
+      p_user_id: userId
+    }).single();
+    if (projectRow?.functional_spec) {
+      const spec = typeof projectRow.functional_spec === "string" ? JSON.parse(projectRow.functional_spec) : projectRow.functional_spec;
+      const features = spec.featureList || spec.features || [];
+      relevantFeatures = features.filter((f) => (f.name || f.title)?.toLowerCase().includes(query.toLowerCase())).slice(0, 3);
+    }
   } catch (e) {
     console.warn("Feature fetch failed in brain query", e);
   }
@@ -2174,7 +2254,7 @@ async function queryBrain(supabase, userId, projectId, query, limit = 8, thresho
     const category = m.category ? m.category.toUpperCase() : "GENERAL";
     return `- [${category}]${tagStr}${voteIndicator}: ${m.content}`;
   });
-  const searchType = embedding ? "TRIPLE-HYBRID (Vector + FTS + Fuzzy)" : "HYBRID (FTS + Fuzzy)";
+  const searchType = embedding ? "TRIPLE-HYBRID (Vector + FTS + Fuzzy)" : "SECURE-GATEWAY (Fuzzy)";
   let formatted = `=== PROJECT BRAIN: RELEVANT MEMORIES ===
 Search Mode: ${searchType}
 Query: "${query}"`;
@@ -2182,7 +2262,7 @@ Query: "${query}"`;
     formatted += `
 
 === RELATED FEATURES ===
-` + relevantFeatures.map((f) => `- ${f.name} [${f.status}]`).join("\n");
+` + relevantFeatures.map((f) => `- ${f.name || f.title} [${f.status || "Active"}]`).join("\n");
   }
   formatted += `
 
@@ -2320,10 +2400,14 @@ High-importance memory for architectural decisions.`,
   }
 });
 async function saveDecision(supabase, userId, projectId, title, decision, rationale, category = "decision", tags = []) {
-  const { data: project, error: projectError } = await supabase.from("projects").select("id, name").eq("id", projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error("Project not found or access denied");
   }
+  const { data: project } = await supabase.from("projects").select("name").eq("id", projectId).single();
   const contentParts = [`# ${title}`, "", decision];
   if (rationale) {
     contentParts.push("", "## Rationale", rationale);
@@ -2354,7 +2438,7 @@ async function saveDecision(supabase, userId, projectId, title, decision, ration
   return {
     success: true,
     memoryId: memory.id,
-    message: `\u2705 Decision "${title}" saved to project "${project.name}" with importance 9/10`
+    message: `\u2705 Decision "${title}" saved to project "${project?.name || projectId}" with importance 9/10`
   };
 }
 
@@ -2379,10 +2463,14 @@ Ideas can later be reviewed, analyzed, and promoted to features.`,
   }
 });
 async function submitIdea(supabase, userId, projectId, title, description, category = "feature", tags = []) {
-  const { data: project, error: projectError } = await supabase.from("projects").select("id, name").eq("id", projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error("Project not found or access denied");
   }
+  const { data: project } = await supabase.from("projects").select("name").eq("id", projectId).single();
   const { data: idea, error: insertError } = await supabase.from("saved_ideas").insert({
     project_id: projectId,
     title,
@@ -2408,7 +2496,7 @@ async function submitIdea(supabase, userId, projectId, title, description, categ
   return {
     success: true,
     ideaId: idea.id,
-    message: `\u{1F4A1} Idea "${title}" submitted to Idea Lab for project "${project.name}". Status: Draft (awaiting review)`
+    message: `\u{1F4A1} Idea "${title}" submitted to Idea Lab for project "${project?.name || projectId}". Status: Draft (awaiting review)`
   };
 }
 
@@ -2432,10 +2520,14 @@ Can search by chunk ID or by title.`,
   }
 });
 async function updateRoadmap(supabase, userId, projectId, status, chunkId, title) {
-  const { data: project, error: projectError } = await supabase.from("projects").select("id, name").eq("id", projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error("Project not found or access denied");
   }
+  const { data: project } = await supabase.from("projects").select("name").eq("id", projectId).single();
   let targetChunk = null;
   if (chunkId) {
     const { data, error } = await supabase.from("roadmap_chunks").select("id, title, status").eq("id", chunkId).eq("project_id", projectId).single();
@@ -2564,8 +2656,11 @@ Returns violations or "Pass" status.`,
   }
 });
 async function runArchitectureAudit(supabase, userId, projectId, filePath, content) {
-  const { data: project, error: projectError } = await supabase.from("projects").select("id, name").eq("id", projectId).eq("owner_id", userId).single();
-  if (projectError || !project) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
     throw new Error("Project not found or access denied");
   }
   const violations = [];
@@ -2656,7 +2751,7 @@ registry.register({
 based on project context and user settings.`,
   schema: GenerateCursorRulesInputSchema,
   handler: async (args, context) => {
-    const result = await syncIdeRules(context.supabase, args.projectId);
+    const result = await syncIdeRules(context.supabase, context.userId, args.projectId);
     let responseText = `FileName: ${result.fileName}
 
 Content:
@@ -2674,10 +2769,17 @@ Note: Please ensure these modular files are also updated if your IDE is followin
     return { content: [{ type: "text", text: responseText }] };
   }
 });
-async function syncIdeRules(supabase, projectId) {
+async function syncIdeRules(supabase, userId, projectId) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   const { data: project, error: projectError } = await supabase.from("projects").select("*").eq("id", projectId).single();
   if (projectError || !project) {
-    throw new Error(`Project ${projectId} not found.`);
+    throw new Error(`Project ${projectId} details not found.`);
   }
   const ide = project.preferred_ide || "cursor";
   const [stack, roadmapRes, legacyStats, activeAgents, dbMetadataRes] = await Promise.all([
@@ -2724,25 +2826,30 @@ var listFeaturesTool = {
 Useful for understanding the strategic context and major milestones.`,
   schema: InputSchema,
   handler: async ({ projectId }, { supabase, userId }) => {
-    const { data: project, error: projectError } = await supabase.from("projects").select("id, functional_spec").eq("id", projectId).eq("owner_id", userId).single();
-    if (projectError || !project) {
-      throw new Error("Project not found or access denied");
+    const { data: projectRow, error: projectError } = await supabase.rpc("get_project_context_secure", {
+      p_project_id: projectId,
+      p_user_id: userId
+    }).single();
+    if (projectError || !projectRow) {
+      throw new Error("Project details not found or access denied");
     }
-    const { data: dbFeatures, error: dbError } = await supabase.from("project_features").select("id, name, description, status").eq("project_id", projectId).neq("status", "shadow").order("created_at", { ascending: false });
+    const { data: dbFeatures, error: dbError } = await supabase.rpc("get_project_features_secure", {
+      p_project_id: projectId,
+      p_user_id: userId
+    });
     let featuresList = [];
     let source = "DB";
     if (!dbError && dbFeatures && dbFeatures.length > 0) {
       featuresList = dbFeatures.map((f) => ({
         ...f,
         title: f.name
-        // Map back to title specifically for uniform handling below
       }));
     } else {
       source = "FALLBACK_SPEC";
-      console.error(`[WARN] Project ${projectId}: 'project_features' empty or missing. Falling back to 'functional_spec'.`);
-      const spec = project.functional_spec;
-      if (spec && typeof spec === "object" && Array.isArray(spec.features)) {
-        featuresList = spec.features.map((f) => ({
+      const spec = projectRow.functional_spec;
+      const features = spec?.featureList || spec?.features;
+      if (Array.isArray(features)) {
+        featuresList = features.map((f) => ({
           id: "legacy",
           title: f.name || f.title,
           description: f.description,
@@ -2810,7 +2917,12 @@ async function listRoadmapTasks(supabase, userId, projectId) {
       priority: t.priority,
       status: t.status,
       step_number: t.step_number,
-      prompt_content: t.prompt_content
+      prompt_content: t.prompt_content,
+      architectural_brief: t.architectural_brief,
+      context_summary: t.context_summary,
+      metadata: t.metadata,
+      checklist: t.checklist,
+      tags: t.tags
     })),
     formatted
   };
@@ -2865,7 +2977,11 @@ async function getNextRoadmapStep(supabase, userId, projectId, currentStepId) {
     };
   }
   return {
-    nextStep,
+    nextStep: {
+      ...nextStep,
+      architectural_brief: nextStep.architectural_brief,
+      context_summary: nextStep.context_summary
+    },
     message: `Next step found: [Step ${nextStep.step_number}] ${nextStep.title}`
   };
 }
@@ -2879,6 +2995,7 @@ registry.register({
   handler: async (args, context) => {
     const result = await checkRulesSync(
       context.supabase,
+      context.userId,
       args.projectId,
       args.currentRulesContent
     );
@@ -2895,7 +3012,7 @@ var SAFETY_CACHE_RULES = `
 4. **Error Handling**: Use try/catch blocks for all external API calls.
 5. **No Blind Deletes**: Never delete data without explicit confirmation or soft-deletes.
 `;
-async function checkRulesSync(supabase, projectId, currentRulesContent) {
+async function checkRulesSync(supabase, userId, projectId, currentRulesContent) {
   if (!currentRulesContent) {
     return {
       synced: false,
@@ -2915,6 +3032,13 @@ async function checkRulesSync(supabase, projectId, currentRulesContent) {
     };
   }
   try {
+    const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+      p_project_id: projectId,
+      p_user_id: userId
+    });
+    if (accessError || !hasAccess) {
+      throw new Error("Project not found or access denied");
+    }
     const { data: project, error } = await supabase.from("projects").select("name").eq("id", projectId).single();
     if (error) throw error;
     if (project) {
@@ -2951,7 +3075,14 @@ init_esm_shims();
 init_esm_shims();
 import fs from "fs/promises";
 import path2 from "path";
-async function analyzeDatabasePerformance(supabase, input) {
+async function analyzeDatabasePerformance(supabase, userId, input) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: input.projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   const issues = [];
   const { data: rawMetadata, error } = await supabase.rpc("get_table_metadata", {
     p_project_id: input.projectId
@@ -3302,7 +3433,7 @@ registry.register({
   description: `Sven's Tool: Security Shield. Audits the database to ensure Row Level Security (RLS) is enforced.`,
   schema: AuditRlsStatusInputSchema,
   handler: async (args, context) => {
-    const result = await auditRlsStatus(context.supabase, args);
+    const result = await auditRlsStatus(context.supabase, context.userId, args);
     return { content: [{ type: "text", text: result.summary || "No summary available" }] };
   }
 });
@@ -3311,11 +3442,18 @@ registry.register({
   description: `Frank's Tool: Security Oracle. Performs a diagnostic security audit against the Fortress Matrix.`,
   schema: AuditSecurityIntegrityInputSchema,
   handler: async (args, context) => {
-    const result = await auditSecurityIntegrity(context.supabase, args);
+    const result = await auditSecurityIntegrity(context.supabase, context.userId, args);
     return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
   }
 });
-async function auditRlsStatus(supabase, input) {
+async function auditRlsStatus(supabase, userId, input) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: input.projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   try {
     const { data, error } = await supabase.rpc("execute_sql", {
       query: `
@@ -3358,7 +3496,14 @@ async function auditRlsStatus(supabase, input) {
     };
   }
 }
-async function auditSecurityIntegrity(supabase, input) {
+async function auditSecurityIntegrity(supabase, userId, input) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: input.projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   const violations = [];
   const { content, filePath } = input;
   const sqlViolation = checkSqlInjection(content);
@@ -3405,15 +3550,22 @@ registry.register({
 Can trigger a SOFT LOCK if critical issues are found.`,
   schema: AuditIntegrityGateInputSchema,
   handler: async (args, context) => {
-    const result = await runAuditIntegrityGate(context.supabase, args);
+    const result = await runAuditIntegrityGate(context.supabase, context.userId, args);
     return { content: [{ type: "text", text: result.summary }] };
   }
 });
-async function runAuditIntegrityGate(supabase, input) {
+async function runAuditIntegrityGate(supabase, userId, input) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: input.projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   const checks = [];
   let isSoftLocked = false;
   try {
-    const rlsResult = await auditRlsStatus(supabase, { projectId: input.projectId });
+    const rlsResult = await auditRlsStatus(supabase, userId, { projectId: input.projectId });
     const unsecuredTables = rlsResult.unsecuredTables || [];
     if (unsecuredTables.length > 0) {
       isSoftLocked = true;
@@ -3442,7 +3594,7 @@ async function runAuditIntegrityGate(supabase, input) {
       try {
         const fs3 = await import("fs/promises");
         const content = await fs3.readFile(path4, "utf-8");
-        const securityResult = await auditSecurityIntegrity(supabase, {
+        const securityResult = await auditSecurityIntegrity(supabase, userId, {
           projectId: input.projectId,
           filePath: path4,
           content
@@ -3473,7 +3625,7 @@ async function runAuditIntegrityGate(supabase, input) {
   }
   if (input.filePaths && input.filePaths.length > 0) {
     try {
-      const perfResult = await analyzeDatabasePerformance(supabase, {
+      const perfResult = await analyzeDatabasePerformance(supabase, userId, {
         projectId: input.projectId,
         filePaths: input.filePaths
       });
@@ -3532,6 +3684,7 @@ registry.register({
   handler: async (args, context) => {
     const result = await completeRoadmapTask(
       context.supabase,
+      context.userId,
       args.projectId,
       args.summary,
       args.taskId,
@@ -3541,7 +3694,14 @@ registry.register({
     return { content: [{ type: "text", text: result.message }] };
   }
 });
-async function completeRoadmapTask(supabase, projectId, summary, taskId, gitDiff, integrityGate) {
+async function completeRoadmapTask(supabase, userId, projectId, summary, taskId, gitDiff, integrityGate) {
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   let targetTaskId = taskId;
   if (!targetTaskId) {
     const { data: activeTask } = await supabase.from("roadmap_chunks").select("id, title").eq("project_id", projectId).in("status", ["IN_PROGRESS", "ACTIVE"]).order("step_number", { ascending: true }).limit(1).single();
@@ -3653,19 +3813,18 @@ async function saveToProjectBrain(supabase, userId, input) {
   const fullContent = `# ${title}
 
 ${content}`;
-  const { data, error } = await supabase.from("project_memories").insert({
-    project_id: projectId,
-    content: fullContent,
-    category: category.toLowerCase(),
-    tags,
-    importance: category === "DECISION" || category === "ARCHITECTURE" ? 9 : 5,
-    is_active: true,
-    source_type: "chat_manual"
-  }).select("id").single();
+  const { data: memoryId, error } = await supabase.rpc("save_project_memory_secure", {
+    p_project_id: projectId,
+    p_user_id: userId,
+    p_content: fullContent,
+    p_category: category.toLowerCase(),
+    p_tags: tags || [],
+    p_importance: category === "DECISION" || category === "ARCHITECTURE" ? 9 : 5
+  });
   if (error) throw new Error(`Failed to save memory: ${error.message}`);
   return {
     success: true,
-    memoryId: data.id,
+    memoryId,
     message: `\u2705 Saved [${category}] "${title}" to Project Brain.`
   };
 }
@@ -3958,8 +4117,18 @@ function interpolateScribePrompt(basePrompt, vars) {
 // src/tools/generate-professional-pdf.ts
 async function generateProfessionalPdf(supabase, userId, projectId, reportType) {
   console.error(`\u{1F58B}\uFE0F The Scribe is preparing a ${reportType} briefing for project ${projectId}...`);
+  const { data: hasAccess, error: accessError } = await supabase.rpc("check_project_access_secure", {
+    p_project_id: projectId,
+    p_user_id: userId
+  });
+  if (accessError || !hasAccess) {
+    throw new Error("Project not found or access denied");
+  }
   const persona = await getScribePersona(supabase);
-  const { data: project } = await supabase.from("projects").select("name, description, project_type, detected_stack").eq("id", projectId).single();
+  const { data: project, error: projectError } = await supabase.from("projects").select("name, description, project_type, detected_stack").eq("id", projectId).single();
+  if (projectError || !project) {
+    throw new Error("Project details not found");
+  }
   const projectName = project?.name || "Rigstate Project";
   const projectDescription = project?.description || "A cutting-edge software project built with modern architecture.";
   const projectType = project?.project_type || "Web Application";