@stackwright-pro/mcp 0.2.0-alpha.3 → 0.2.0-alpha.30

package/dist/server.mjs

@@ -3,15 +3,44 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 // src/tools/data-explorer.ts
-import { z } from "zod";
+import { z as z2 } from "zod";
 import { listEntities, generateFilter } from "@stackwright-pro/cli-data-explorer";
+
+// src/coerce.ts
+import { z } from "zod";
+function jsonCoerce(schema) {
+  return z.preprocess((v) => {
+    if (typeof v === "string") {
+      try {
+        return JSON.parse(v);
+      } catch {
+        return v;
+      }
+    }
+    return v;
+  }, schema);
+}
+function boolCoerce(schema) {
+  return z.preprocess((v) => v === "true" ? true : v === "false" ? false : v, schema);
+}
+function numCoerce(schema) {
+  return z.preprocess((v) => {
+    if (typeof v === "string" && v.trim() !== "") {
+      const n = Number(v);
+      if (!Number.isNaN(n)) return n;
+    }
+    return v;
+  }, schema);
+}
+
+// src/tools/data-explorer.ts
 function registerDataExplorerTools(server2) {
   server2.tool(
     "stackwright_pro_list_entities",
     "List all available API entities from OpenAPI specs or generated Zod schemas. Use this to discover what entities are available before generating endpoint filters. Returns entity names, endpoints, and field counts. Part of the Pro Otter Raft for building API-integrated Stackwright applications.",
     {
-      specPath: z.string().optional().describe("Path to OpenAPI spec file (YAML or JSON)"),
-      projectRoot: z.string().optional().describe("Project root directory (auto-detected if omitted)")
+      specPath: z2.string().optional().describe("Path to OpenAPI spec file (YAML or JSON)"),
+      projectRoot: z2.string().optional().describe("Project root directory (auto-detected if omitted)")
     },
     async ({ specPath, projectRoot }) => {
       const result = listEntities({
@@ -59,9 +88,13 @@ function registerDataExplorerTools(server2) {
     "stackwright_pro_generate_filter",
     "Generate endpoint filter configuration from selected entities. Creates include/exclude patterns for stackwright.yml OpenAPI integration. Use this after stackwright_pro_list_entities to select which API endpoints the application needs. Only selected endpoints will generate client code, reducing bundle size and improving security.",
     {
-      selectedEntities: z.array(z.string()).describe('Entity slugs to include (e.g., ["equipment", "supplies"])'),
-      excludePatterns: z.array(z.string()).optional().describe('Glob patterns to exclude (e.g., ["/admin/**", "/reports/**"])'),
-      projectRoot: z.string().optional().describe("Project root directory")
+      selectedEntities: jsonCoerce(z2.array(z2.string())).describe(
+        'Entity slugs to include (e.g., ["equipment", "supplies"])'
+      ),
+      excludePatterns: jsonCoerce(z2.array(z2.string()).optional()).describe(
+        'Glob patterns to exclude (e.g., ["/admin/**", "/reports/**"])'
+      ),
+      projectRoot: z2.string().optional().describe("Project root directory")
     },
     async ({ selectedEntities, excludePatterns, projectRoot }) => {
       const result = generateFilter({
@@ -117,7 +150,7 @@ function registerDataExplorerTools(server2) {
 }
 
 // src/tools/security.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 import { createHash } from "crypto";
 import fs from "fs";
 import path from "path";
@@ -126,8 +159,8 @@ function registerSecurityTools(server2) {
     "stackwright_pro_validate_spec",
     "Validate an OpenAPI spec against the enterprise approved-specs configuration. Checks if the spec URL is on the allowlist and verifies SHA-256 hash integrity. Use this in enterprise environments where only pre-approved API specs are allowed. Fails build if spec is not approved or has been modified.",
     {
-      specPath: z2.string().describe("URL or file path to the OpenAPI spec to validate"),
-      configPath: z2.string().optional().describe("Path to stackwright.yml with prebuild.security config")
+      specPath: z3.string().describe("URL or file path to the OpenAPI spec to validate"),
+      configPath: z3.string().optional().describe("Path to stackwright.yml with prebuild.security config")
     },
     async ({ specPath, configPath }) => {
       let securityEnabled = false;
@@ -235,16 +268,15 @@ Status: Valid (${allowlist.length} specs on allowlist)`
     "stackwright_pro_add_approved_spec",
     "Add an OpenAPI spec to the approved-specs allowlist in stackwright.yml. Computes the SHA-256 hash of the spec and adds it to the security configuration. Use this when onboarding a new API in enterprise environments.",
     {
-      name: z2.string().describe("Human-readable name for the spec"),
-      url: z2.string().describe("URL or file path to the OpenAPI spec"),
-      configPath: z2.string().optional().describe("Path to stackwright.yml")
+      name: z3.string().describe("Human-readable name for the spec"),
+      url: z3.string().describe("URL or file path to the OpenAPI spec"),
+      configPath: z3.string().optional().describe("Path to stackwright.yml")
     },
     async ({ name, url, configPath }) => {
       const configFile = configPath || path.join(process.cwd(), "stackwright.yml");
       let sha256 = "<computed-at-build>";
       try {
         if (url.startsWith("http://") || url.startsWith("https://")) {
-          sha256 = "<computed-at-build>";
         } else if (fs.existsSync(url)) {
           const specContent = fs.readFileSync(url, "utf8");
           sha256 = createHash("sha256").update(specContent).digest("hex");
@@ -291,7 +323,7 @@ SHA-256 computed: ${sha256}`
     "stackwright_pro_list_approved_specs",
     "List all specs currently on the approved-specs allowlist. Shows spec names, URLs, and hash prefixes. Use this to audit what APIs are approved in the project.",
     {
-      configPath: z2.string().optional().describe("Path to stackwright.yml")
+      configPath: z3.string().optional().describe("Path to stackwright.yml")
     },
     async ({ configPath }) => {
       const configFile = configPath || path.join(process.cwd(), "stackwright.yml");
@@ -360,16 +392,18 @@ SHA-256 computed: ${sha256}`
 }
 
 // src/tools/isr.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 function registerIsrTools(server2) {
   server2.tool(
     "stackwright_pro_configure_isr",
     "Configure Incremental Static Regeneration (ISR) for an API-backed collection. ISR allows API data to be cached and refreshed on a schedule, providing real-time data with the performance of static generation. Use this after stackwright_pro_generate_filter to set revalidation intervals.",
     {
-      collection: z3.string().describe('Collection name (e.g., "equipment", "supplies")'),
-      revalidateSeconds: z3.number().optional().describe("Revalidation interval in seconds (default: 60)"),
-      fallback: z3.enum(["blocking", "true", "false"]).optional().describe("Fallback behavior for new pages"),
-      configPath: z3.string().optional().describe("Path to stackwright.yml")
+      collection: z4.string().describe('Collection name (e.g., "equipment", "supplies")'),
+      revalidateSeconds: numCoerce(z4.number().optional()).describe(
+        "Revalidation interval in seconds (default: 60)"
+      ),
+      fallback: z4.enum(["blocking", "true", "false"]).optional().describe("Fallback behavior for new pages"),
+      configPath: z4.string().optional().describe("Path to stackwright.yml")
     },
     async ({ collection, revalidateSeconds = 60, fallback = "blocking", configPath }) => {
       const revalidate = revalidateSeconds;
@@ -380,7 +414,7 @@ function registerIsrTools(server2) {
     isr:
       revalidate: ${revalidate}
       fallback: ${fallback}`;
-      let description = "";
+      let description;
       if (revalidate < 60) {
         description = "\u26A1 Very fresh data (revalidate every " + revalidate + "s)";
       } else if (revalidate < 300) {
@@ -412,14 +446,16 @@ ${yamlSnippet}
     "stackwright_pro_configure_isr_batch",
     "Configure ISR for multiple collections at once. More efficient than calling stackwright_pro_configure_isr multiple times. Provide different revalidation intervals based on data freshness requirements.",
     {
-      collections: z3.array(
-        z3.object({
-          name: z3.string().describe("Collection name"),
-          revalidateSeconds: z3.number().optional().describe("Revalidation interval")
-        })
+      collections: jsonCoerce(
+        z4.array(
+          z4.object({
+            name: z4.string().describe("Collection name"),
+            revalidateSeconds: numCoerce(z4.number().optional()).describe("Revalidation interval")
+          })
+        )
       ).describe("Array of collection configurations"),
-      defaultFallback: z3.enum(["blocking", "true", "false"]).optional().describe("Default fallback behavior"),
-      configPath: z3.string().optional().describe("Path to stackwright.yml")
+      defaultFallback: z4.enum(["blocking", "true", "false"]).optional().describe("Default fallback behavior"),
+      configPath: z4.string().optional().describe("Path to stackwright.yml")
     },
     async ({ collections, defaultFallback = "blocking", configPath }) => {
       const lines = [`\u2699\uFE0F Batch ISR Configuration:
@@ -447,17 +483,17 @@ Fallback: ${defaultFallback}`);
 }
 
 // src/tools/dashboard.ts
-import { z as z4 } from "zod";
+import { z as z5 } from "zod";
 import { listEntities as listEntities2 } from "@stackwright-pro/cli-data-explorer";
 function registerDashboardTools(server2) {
   server2.tool(
     "stackwright_pro_generate_dashboard",
     "Generate a dashboard page configuration for displaying API data. Creates YAML content for a Stackwright page with grid, metric_card, data_table, and collection_list content types. Use this after stackwright_pro_generate_filter to create pages for your API collections.",
     {
-      entities: z4.array(z4.string()).describe("Entity slugs to include in dashboard"),
-      layout: z4.enum(["grid", "table", "mixed"]).optional().describe("Dashboard layout style"),
-      pageTitle: z4.string().optional().describe("Page title"),
-      specPath: z4.string().optional().describe("Path to OpenAPI spec for entity details")
+      entities: jsonCoerce(z5.array(z5.string())).describe("Entity slugs to include in dashboard"),
+      layout: z5.enum(["grid", "table", "mixed"]).optional().describe("Dashboard layout style"),
+      pageTitle: z5.string().optional().describe("Page title"),
+      specPath: z5.string().optional().describe("Path to OpenAPI spec for entity details")
     },
     async ({ entities, layout = "mixed", pageTitle, specPath }) => {
       let entityDetails = [];
@@ -543,9 +579,9 @@ ${yaml}
     "stackwright_pro_generate_detail_page",
     "Generate a detail view page for a single API entity. Creates YAML content for displaying all fields of an individual record. Use this to create detail pages that complement collection listing pages.",
     {
-      entity: z4.string().describe('Entity slug (e.g., "equipment")'),
-      slugField: z4.string().optional().describe('Field to use as URL slug (default: "id")'),
-      specPath: z4.string().optional().describe("Path to OpenAPI spec for field details")
+      entity: z5.string().describe('Entity slug (e.g., "equipment")'),
+      slugField: z5.string().optional().describe('Field to use as URL slug (default: "id")'),
+      specPath: z5.string().optional().describe("Path to OpenAPI spec for field details")
     },
     async ({ entity, slugField = "id", specPath }) => {
       let fields = [];
@@ -621,298 +657,170 @@ ${yaml}
 }
 
 // src/tools/clarification.ts
-import { z as z5 } from "zod";
-import { spawn } from "child_process";
-import { tmpdir } from "os";
-import { join } from "path";
-import { randomUUID } from "crypto";
-import { existsSync, unlinkSync } from "fs";
-var activeServers = /* @__PURE__ */ new Map();
-async function startPythonServer(sessionId) {
-  const socketPath = join(tmpdir(), `otter-raft-${randomUUID()}.sock`);
-  const port = 8765 + Math.floor(Math.random() * 100);
-  return new Promise((resolve, reject) => {
-    const pythonPath = process.platform === "win32" ? "python" : "python3";
-    const packageRoot = findPythonPackageRoot();
-    const proc = spawn(
-      pythonPath,
-      ["-m", "stackwright_pro.raft.server", "--socket", socketPath, "--port", String(port)],
-      {
-        stdio: ["pipe", "pipe", "pipe"],
-        env: {
-          ...process.env,
-          PYTHONPATH: packageRoot
-        }
-      }
-    );
-    activeServers.set(sessionId, proc);
-    let startupOutput = "";
-    let started = false;
-    proc.stdout?.on("data", (data) => {
-      startupOutput += data.toString();
-      if (startupOutput.includes("Server ready") || startupOutput.includes("HTTP server")) {
-        started = true;
-        resolve({ port, socketPath });
-      }
-    });
-    proc.stderr?.on("data", (data) => {
-      if (!startupOutput.includes("Starting")) {
-        console.error("[Python Clarification]", data.toString().trim());
-      }
-    });
-    proc.on("error", (err) => {
-      if (!started) {
-        activeServers.delete(sessionId);
-        reject(new Error(`Failed to start Python server: ${err.message}`));
-      }
-    });
-    proc.on("exit", (code) => {
-      activeServers.delete(sessionId);
-      if (existsSync(socketPath)) {
-        try {
-          unlinkSync(socketPath);
-        } catch {
-        }
-      }
-    });
-    setTimeout(() => {
-      if (!started) {
-        proc.kill();
-        activeServers.delete(sessionId);
-        reject(new Error("Python server startup timeout"));
-      }
-    }, 1e4);
-  });
-}
-async function stopPythonServer(sessionId) {
-  const proc = activeServers.get(sessionId);
-  if (proc) {
-    proc.kill("SIGTERM");
-    activeServers.delete(sessionId);
-  }
-}
-async function httpRequest(host, port, path3, body) {
-  const http = await import("http");
-  return new Promise((resolve, reject) => {
-    const url = new URL(path3, `http://${host}:${port}`);
-    const reqOptions = {
-      hostname: host,
-      port,
-      path: url.pathname,
-      method: body ? "POST" : "GET",
-      headers: {
-        "Content-Type": "application/json"
-      }
+import { z as z6 } from "zod";
+var CONTRADICTION_PATTERNS = [
+  {
+    keywords: ["minimal", "clean", "simple"],
+    conflicts: ["vibrant", "rich", "content-heavy", "playful"]
+  },
+  {
+    keywords: ["dark", "dark mode"],
+    conflicts: ["light mode only", "light"]
+  },
+  {
+    keywords: ["enterprise", "professional", "corporate"],
+    conflicts: ["playful", "casual", "fun"]
+  },
+  {
+    keywords: ["accessible", "wcag", "section 508"],
+    conflicts: ["compact", "dense", "small text"]
+  },
+  {
+    keywords: ["government", "defense", "federal"],
+    conflicts: ["public", "no auth", "consumer"]
+  }
+];
+function handleClarify(input) {
+  const { question_type, question, choices, priority, target_field, context } = input;
+  const base = {
+    action: "ask_user",
+    targetField: target_field
+  };
+  if (question_type === "closed_choice" && choices && choices.length > 0) {
+    const header = truncateHeader(question);
+    base.adaptedQuestion = {
+      question,
+      header,
+      options: choices.map((c) => ({ label: c }))
     };
-    const req = http.request(reqOptions, (res) => {
-      let data = "";
-      res.on("data", (chunk) => {
-        data += chunk.toString();
-      });
-      res.on("end", () => {
-        try {
-          const parsed = JSON.parse(data);
-          if (res.statusCode && res.statusCode >= 400) {
-            reject(new Error(parsed.detail || parsed.error || `HTTP ${res.statusCode}`));
-          } else {
-            resolve(parsed);
-          }
-        } catch (e) {
-          reject(new Error(`Failed to parse response: ${data}`));
-        }
-      });
-    });
-    req.on("error", reject);
-    if (body) {
-      req.write(JSON.stringify(body));
-    }
-    req.end();
-  });
+  } else {
+    const contextPrefix = context ? `Context: ${context}
+
+` : "";
+    base.prompt = `${contextPrefix}${question}`;
+  }
+  if (priority === "optional") {
+    base.suggestedDefault = inferDefault(question_type, choices);
+  }
+  return base;
 }
-function findPythonPackageRoot() {
-  const candidates = [
-    join(__dirname, "../../python/src"),
-    join(__dirname, "../../../python/src"),
-    join(process.cwd(), "python/src")
-  ];
-  for (const candidate of candidates) {
-    if (existsSync(candidate)) {
-      return candidate;
+function handleDetectConflict(input) {
+  const preferenceLower = input.stated_preference.toLowerCase();
+  const valuesLower = Object.values(input.selected_values).map((v) => v.toLowerCase());
+  for (const pattern of CONTRADICTION_PATTERNS) {
+    const preferenceMatch = pattern.keywords.some((kw) => preferenceLower.includes(kw));
+    if (!preferenceMatch) continue;
+    const conflictingValues = valuesLower.filter(
+      (val) => pattern.conflicts.some((c) => val.includes(c))
+    );
+    if (conflictingValues.length > 0) {
+      const matchedKeywords = pattern.keywords.filter((kw) => preferenceLower.includes(kw));
+      const primaryKeyword = matchedKeywords[0] ?? "preference";
+      return {
+        conflict: true,
+        description: `Stated preference includes "${matchedKeywords.join(", ")}" but selections contain "${conflictingValues.join(", ")}" \u2014 these are contradictory.`,
+        resolution_options: [
+          `Align selections with the "${primaryKeyword}" preference`,
+          `Revise stated preference to match current selections`,
+          "Ask user which direction they actually want"
+        ]
+      };
     }
   }
-  return process.cwd();
+  return { conflict: false };
+}
+function truncateHeader(text) {
+  const MAX = 50;
+  if (text.length <= MAX) return text;
+  return text.slice(0, MAX - 1) + "\u2026";
+}
+function inferDefault(questionType, choices) {
+  if (questionType === "closed_choice" && choices && choices.length > 0) {
+    return choices[0] ?? "(first choice)";
+  }
+  return "(use sensible project default)";
 }
 function registerClarificationTools(server2) {
   server2.tool(
     "stackwright_pro_clarify",
-    "Ask the user for clarification when an otter encounters ambiguity. This is for MID-EXECUTION questions, not upfront question collection. Use this when the otter needs user input to proceed. Returns the user's decision which should be used to continue execution.",
+    "Ask the user for clarification when a specialist otter encounters ambiguity. This is for MID-EXECUTION questions, NOT upfront question collection (use the Question Manifest Protocol for that). Returns a structured response for the foreman to present to the user via ask_user_question (closed_choice) or directly (open_text).",
     {
-      context: z5.string().optional().describe("Context about what the otter is trying to do"),
-      question_type: z5.enum(["closed_choice", "open_text", "conditional", "multi_step", "reconciliation"]).describe("Type of question being asked"),
-      question: z5.string().describe("The clarification question to ask the user"),
-      choices: z5.array(z5.string()).optional().describe("Options for closed_choice or multi_step questions"),
-      priority: z5.enum(["blocking", "preferred", "optional"]).optional().describe("How critical is this clarification? Default: preferred"),
-      target_field: z5.string().optional().describe("What field/config does this clarify?")
+      context: z6.string().optional().describe("Context about what the otter is trying to do"),
+      question_type: z6.enum(["closed_choice", "open_text"]).describe("Type of question being asked"),
+      question: z6.string().describe("The clarification question to ask the user"),
+      choices: jsonCoerce(z6.array(z6.string()).optional()).describe(
+        "Options for closed_choice questions"
+      ),
+      priority: z6.enum(["blocking", "preferred", "optional"]).optional().default("preferred").describe("How critical is this clarification? Default: preferred"),
+      target_field: z6.string().optional().describe("What field/config does this clarify?")
     },
-    async ({ context, question_type, question, choices, priority = "preferred", target_field }) => {
-      const sessionId = `mcp_${randomUUID().slice(0, 8)}`;
-      try {
-        const { port } = await startPythonServer(sessionId);
-        await httpRequest(port === 8765 ? "127.0.0.1" : "127.0.0.1", port, "/sessions", {});
-        if (context) {
-          await httpRequest(
-            port === 8765 ? "127.0.0.1" : "127.0.0.1",
-            port,
-            `/sessions/${sessionId}/context`,
-            { context: { purpose: context } }
-          );
-        }
-        const request = {
-          ...context !== void 0 && { context },
-          question_type,
-          question,
-          ...choices !== void 0 && { choices },
-          priority,
-          ...target_field !== void 0 && { target_field }
-        };
-        const response = await httpRequest(
-          port === 8765 ? "127.0.0.1" : "127.0.0.1",
-          port,
-          "/clarify",
-          { request }
-        );
-        await stopPythonServer(sessionId);
-        const decision = response.decision;
-        const value = decision.value;
-        const source = decision.source;
-        const explicit = decision.explicit ? "explicitly" : "via fallback";
-        if (response.fallback_used) {
-          return {
-            content: [
-              {
-                type: "text",
-                text: `\u26A0\uFE0F Clarification fallback used: ${response.fallback_reason || "No user input available"}
-
-Default value used: ${JSON.stringify(value)}
-
-\u{1F4A1} Consider following up with the user later if this default isn't appropriate.`
-              }
-            ]
-          };
-        }
-        return {
-          content: [
-            {
-              type: "text",
-              text: `\u2705 User clarified (${source}): ${JSON.stringify(value)}
-
-Use this value to continue execution.`
-            }
-          ]
-        };
-      } catch (error) {
-        await stopPythonServer(sessionId);
-        return {
-          content: [
-            {
-              type: "text",
-              text: `\u274C Clarification failed: ${error instanceof Error ? error.message : "Unknown error"}
-
-Cannot proceed without user input. Consider:
-1. Using a reasonable default
-2. Asking the user directly in your response
-3. Skipping this step if optional`
-            }
-          ],
-          isError: true
-        };
-      }
+    async ({ context, question_type, question, choices, priority, target_field }) => {
+      const result = handleClarify({
+        context: context ?? void 0,
+        question_type,
+        question,
+        choices: choices ?? void 0,
+        priority: priority ?? "preferred",
+        target_field: target_field ?? void 0
+      });
+      return {
+        content: [
+          {
+            type: "text",
+            text: `\u{1F9A6} Clarification needed${target_field ? ` for "${target_field}"` : ""}. Present the following to the user. ` + (result.adaptedQuestion ? "Pass the adaptedQuestion to ask_user_question directly." : "Ask the user the prompt below.")
+          },
+          {
+            type: "text",
+            text: JSON.stringify(result)
+          }
+        ]
+      };
     }
   );
   server2.tool(
     "stackwright_pro_detect_conflict",
-    "Detect when a user's stated preference conflicts with their selected choices. Use this to identify when users might be indecisive or misunderstood a question. Returns conflict details and resolution options.",
+    "Detect when a user's stated preference conflicts with their selected choices. Uses keyword heuristics against known contradiction patterns (minimal vs vibrant, dark vs light, etc). Returns conflict details and resolution options.",
     {
-      stated_preference: z5.string().describe("What the user said they wanted"),
-      selected_values: z5.record(z5.string(), z5.string()).describe("What the user actually selected")
+      stated_preference: z6.string().describe("What the user said they wanted"),
+      selected_values: jsonCoerce(z6.record(z6.string(), z6.string())).describe(
+        "What the user actually selected (field \u2192 value)"
+      )
     },
     async ({ stated_preference, selected_values }) => {
-      const sessionId = `mcp_${randomUUID().slice(0, 8)}`;
-      try {
-        const { port } = await startPythonServer(sessionId);
-        const response = await httpRequest(
-          port === 8765 ? "127.0.0.1" : "127.0.0.1",
-          port,
-          "/conflict",
-          { stated_preference, selected_values }
-        );
-        await stopPythonServer(sessionId);
-        if (response.conflict) {
-          const data = response.data;
-          return {
-            content: [
-              {
-                type: "text",
-                text: `\u26A0\uFE0F CONFLICT DETECTED
+      const result = handleDetectConflict({ stated_preference, selected_values });
+      if (result.conflict) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `\u26A0\uFE0F CONFLICT DETECTED
 
 User stated: "${stated_preference}"
 But selected: ${JSON.stringify(selected_values)}
 
-Conflict: ${data.description}
+${result.description}
 
-Resolution options: ${data.options?.join(", ") || "Ask user to clarify"}
+Resolution options:
+${result.resolution_options?.map((o) => `  \u2022 ${o}`).join("\n")}
 
 \u{1F4A1} Consider asking the user to reconcile this conflict.`
-              }
-            ]
-          };
-        }
-        return {
-          content: [
+            },
             {
               type: "text",
-              text: `\u2705 No conflict detected between stated preference and selections.`
+              text: JSON.stringify(result)
             }
           ]
         };
-      } catch (error) {
-        await stopPythonServer(sessionId);
-        return {
-          content: [
-            {
-              type: "text",
-              text: `\u274C Conflict detection failed: ${error instanceof Error ? error.message : "Unknown error"}`
-            }
-          ],
-          isError: true
-        };
       }
-    }
-  );
-  server2.tool(
-    "stackwright_pro_get_defaults",
-    "Get the current clarification defaults from config. Use this to understand what fallback values will be used if user doesn't provide input.",
-    {
-      config_path: z5.string().optional().describe("Path to config file. Default: .stackwright/clarification.yaml")
-    },
-    async ({ config_path }) => {
       return {
         content: [
           {
             type: "text",
-            text: `\u{1F4CB} Clarification defaults
-
-Configuration is loaded from:
-- Environment: CLARIFICATION_* variables
-- Config file: ${config_path || ".stackwright/clarification.yaml"}
-- CLI args: --clarify-* flags
-
-Default behaviors:
-- allow_dont_know: true (users can skip)
-- default_timeout: 120 seconds
-- channel_priority: [tui, cli_args, config, defaults]
-
-\u{1F4A1} Set CLARIFICATION_DEFAULT_<FIELD>=value to change defaults.`
+            text: "\u2705 No conflict detected between stated preference and selections."
+          },
+          {
+            type: "text",
+            text: JSON.stringify(result)
           }
         ]
       };
@@ -921,31 +829,53 @@ Default behaviors:
 }
 
 // src/tools/packages.ts
-import { z as z6 } from "zod";
-import { readFileSync, writeFileSync, existsSync as existsSync2, realpathSync, lstatSync } from "fs";
+import { z as z7 } from "zod";
+import { readFileSync, writeFileSync, existsSync, realpathSync, lstatSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
+var BASELINE_DEPS = {
+  "@stackwright-pro/mcp": "latest",
+  "@stackwright-pro/otters": "latest",
+  "@stackwright-pro/openapi": "latest",
+  "@stackwright-pro/auth": "latest",
+  "@stackwright-pro/auth-nextjs": "latest",
+  zod: "^3.23.0"
+};
+var BASELINE_DEV_DEPS = {
+  "@stoplight/prism-cli": "^5.14.2"
+};
 function registerPackageTools(server2) {
   server2.tool(
     "stackwright_pro_setup_packages",
-    "Ensures pro packages are present in a project's package.json. Safe to call multiple times \u2014 never overwrites existing version pins. Use this to bootstrap dependencies before specialist otters run.",
+    "Ensures pro packages are present in a project's package.json. Safe to call multiple times \u2014 never overwrites existing version pins. Use this to bootstrap dependencies before specialist otters run. Pass includeBaseline: true to automatically include all required @stackwright-pro/* baseline dependencies. Safe to call on existing projects \u2014 never overwrites pinned versions.",
     {
       // FIX 3 (B-new-1): Zod v4 requires two-arg z.record(keySchema, valueSchema)
-      packages: z6.record(z6.string(), z6.string()).describe(
-        'Dependencies to add. Record<packageName, version>. e.g. { "@stackwright-pro/auth": "latest" }'
+      packages: jsonCoerce(z7.record(z7.string(), z7.string()).optional().default({})).describe(
+        'Dependencies to add. Record<packageName, version>. e.g. { "@stackwright-pro/auth": "latest" }. Omit or pass {} when using includeBaseline: true.'
+      ),
+      devPackages: jsonCoerce(z7.record(z7.string(), z7.string()).optional()).describe(
+        "devDependencies to add. Same format as packages."
+      ),
+      scripts: jsonCoerce(z7.record(z7.string(), z7.string()).optional()).describe(
+        "npm scripts to add. Only adds if key does not already exist."
       ),
-      devPackages: z6.record(z6.string(), z6.string()).optional().describe("devDependencies to add. Same format as packages."),
-      scripts: z6.record(z6.string(), z6.string()).optional().describe("npm scripts to add. Only adds if key does not already exist."),
-      targetDir: z6.string().optional().describe(
+      targetDir: z7.string().optional().describe(
         "Project directory containing package.json. Defaults to process.cwd(). Must be an absolute path within the current working directory."
       ),
-      runInstall: z6.boolean().optional().default(true).describe("Run pnpm install after writing package.json. Defaults to true.")
+      runInstall: boolCoerce(z7.boolean().optional().default(true)).describe(
+        "Run pnpm install after writing package.json. Defaults to true. Pass boolean true/false."
+      ),
+      includeBaseline: boolCoerce(z7.boolean().optional().default(false)).describe(
+        "When true, automatically merges BASELINE_DEPS and BASELINE_DEV_DEPS before applying packages/devPackages args. Safe to call on existing projects \u2014 never overwrites pinned versions. Pass boolean true/false."
+      )
     },
-    async ({ packages, devPackages, scripts, targetDir, runInstall }) => {
+    async ({ packages, devPackages, scripts, targetDir, runInstall, includeBaseline }) => {
+      const mergedPackages = includeBaseline ? { ...BASELINE_DEPS, ...packages } : { ...packages };
+      const mergedDevPackages = includeBaseline ? { ...BASELINE_DEV_DEPS, ...devPackages ?? {} } : devPackages;
       const result = setupPackages({
-        packages,
+        packages: mergedPackages,
         runInstall,
-        ...devPackages !== void 0 ? { devPackages } : {},
+        ...mergedDevPackages !== void 0 ? { devPackages: mergedDevPackages } : {},
         ...scripts !== void 0 ? { scripts } : {},
         ...targetDir !== void 0 ? { targetDir } : {}
       });
@@ -998,7 +928,7 @@ function setupPackages(opts) {
       };
     }
     const preResolvePackageJsonPath = path2.join(resolvedTarget, "package.json");
-    if (!existsSync2(preResolvePackageJsonPath)) {
+    if (!existsSync(preResolvePackageJsonPath)) {
       return {
         success: false,
         ...emptyResult,
@@ -1094,11 +1024,11 @@ function setupPackages(opts) {
       }
     }
     const raw = readFileSync(realPackageJsonPath, "utf8");
-    const PackageJsonSchema = z6.object({
+    const PackageJsonSchema = z7.object({
       // Zod v4: z.record(keySchema, valueSchema) — two-arg form required
-      dependencies: z6.record(z6.string(), z6.string()).optional(),
-      devDependencies: z6.record(z6.string(), z6.string()).optional(),
-      scripts: z6.record(z6.string(), z6.string()).optional()
+      dependencies: z7.record(z7.string(), z7.string()).optional(),
+      devDependencies: z7.record(z7.string(), z7.string()).optional(),
+      scripts: z7.record(z7.string(), z7.string()).optional()
     }).passthrough();
     const schemaResult = PackageJsonSchema.safeParse(JSON.parse(raw));
     if (!schemaResult.success) {
@@ -1178,38 +1108,2839 @@ function setupPackages(opts) {
   }
 }
 
-// package.json
-var package_default = {
-  dependencies: {
-    "@modelcontextprotocol/sdk": "^1.10.0",
-    "@stackwright-pro/cli-data-explorer": "workspace:*",
-    zod: "^4.3.6"
-  },
-  devDependencies: {
-    "@types/node": "^24.1.0",
-    tsup: "^8.5.0",
-    typescript: "^5.8.3",
-    vitest: "^4.0.18"
-  },
-  scripts: {
-    build: "tsup src/server.ts --format cjs,esm --dts --clean",
-    dev: "tsup src/server.ts --format cjs,esm --dts --watch",
-    start: "node dist/server.js",
-    test: "vitest run",
-    "test:coverage": "vitest run --coverage"
-  },
-  name: "@stackwright-pro/mcp",
-  version: "0.2.0-alpha.3",
-  description: "MCP tools for Stackwright Pro - Data Explorer, Security, ISR, and Dashboard generation",
-  license: "PROPRIETARY",
-  main: "./dist/server.js",
-  module: "./dist/server.mjs",
-  types: "./dist/server.d.ts",
-  exports: {
-    ".": {
-      types: "./dist/server.d.ts",
-      import: "./dist/server.mjs",
-      require: "./dist/server.js"
+// src/tools/questions.ts
+import { readFile, writeFile } from "fs/promises";
+import { existsSync as existsSync2, lstatSync as lstatSync2, mkdirSync, renameSync } from "fs";
+import { join } from "path";
+import { z as z8 } from "zod";
+
+// src/question-adapter.ts
+function truncate(str, maxLength) {
+  if (str.length <= maxLength) return str;
+  return str.substring(0, maxLength - 1) + "\u2026";
+}
+function generateHeader(id) {
+  const parts = id.split("-");
+  if (parts.length >= 2) {
+    const prefix = parts[0].toUpperCase().substring(0, 4);
+    const num = parts[1];
+    return truncate(`${prefix}-${num}`, 12);
+  }
+  return truncate(
+    id.toUpperCase().replace(/[^A-Z0-9]/g, "").substring(0, 12),
+    12
+  );
+}
+function generateDefaultOptions(type) {
+  switch (type) {
+    case "confirm":
+      return [
+        { label: "Yes", description: "Enable or confirm this option" },
+        { label: "No", description: "Disable or decline this option" }
+      ];
+    case "text":
+      return [
+        { label: "Specify", description: "I will provide a specific value" },
+        { label: "Skip", description: "Use default or skip this question" }
+      ];
+    default:
+      return [
+        { label: "Option 1", description: "First option" },
+        { label: "Option 2", description: "Second option" }
+      ];
+  }
+}
+function adaptQuestion(q) {
+  const header = generateHeader(q.id);
+  const multiSelect = q.type === "multi-select";
+  let options;
+  if (q.options && q.options.length >= 2) {
+    options = q.options.map((opt) => ({
+      label: truncate(opt.label, 50),
+      description: opt.value !== opt.label ? opt.value : void 0
+    }));
+  } else if (q.options && q.options.length === 1) {
+    options = [
+      ...q.options.map((opt) => ({ label: truncate(opt.label, 50), description: opt.value })),
+      { label: "Other", description: "Specify a different value" }
+    ];
+  } else {
+    options = generateDefaultOptions(q.type);
+  }
+  if (options.length < 2) {
+    options.push({ label: "Other", description: "Alternative option" });
+  }
+  options = options.slice(0, 6);
+  return {
+    question: q.question + (q.help ? `
+
+${q.help}` : ""),
+    header,
+    multi_select: multiSelect,
+    options
+  };
+}
+function adaptQuestions(questions, answers = {}) {
+  const adapted = [];
+  for (const q of questions) {
+    if (q.dependsOn) {
+      const dependsAnswer = answers[q.dependsOn.questionId];
+      if (dependsAnswer === void 0) {
+        continue;
+      }
+      const expectedValues = Array.isArray(q.dependsOn.value) ? q.dependsOn.value : [q.dependsOn.value];
+      const answerValue = Array.isArray(dependsAnswer) ? dependsAnswer[0] : dependsAnswer;
+      if (!expectedValues.includes(answerValue)) {
+        continue;
+      }
+    }
+    adapted.push(adaptQuestion(q));
+  }
+  return adapted;
+}
+function parseLLMQuestionsResponse(text) {
+  let jsonStr = text;
+  jsonStr = jsonStr.replace(/```(?:json|javascript)?\s*/gi, "");
+  jsonStr = jsonStr.replace(/```\s*$/gm, "");
+  const firstBrace = jsonStr.indexOf("{");
+  const firstBracket = jsonStr.indexOf("[");
+  let start = -1;
+  if (firstBrace !== -1 && firstBracket !== -1) {
+    start = Math.min(firstBrace, firstBracket);
+  } else if (firstBrace !== -1) {
+    start = firstBrace;
+  } else if (firstBracket !== -1) {
+    start = firstBracket;
+  }
+  if (start === -1) {
+    throw new Error("No JSON found in response");
+  }
+  jsonStr = jsonStr.substring(start);
+  const lastBrace = jsonStr.lastIndexOf("}");
+  const lastBracket = jsonStr.lastIndexOf("]");
+  const end = Math.max(lastBrace, lastBracket);
+  if (end === -1) {
+    throw new Error("Invalid JSON structure");
+  }
+  jsonStr = jsonStr.substring(0, end + 1);
+  jsonStr = jsonStr.replace(/,(\s*[}\]])/g, "$1");
+  jsonStr = jsonStr.replace(/'/g, '"');
+  const parsed = JSON.parse(jsonStr);
+  let questions;
+  if (Array.isArray(parsed)) {
+    questions = parsed;
+  } else if (parsed.questions && Array.isArray(parsed.questions)) {
+    questions = parsed.questions;
+  } else if (parsed.data && Array.isArray(parsed.data.questions)) {
+    questions = parsed.data.questions;
+  } else {
+    throw new Error("No questions array found in response");
+  }
+  function sanitize(obj) {
+    const sanitized = {};
+    for (const key of Object.keys(obj)) {
+      if (key === "__proto__" || key === "constructor" || key === "prototype") {
+        continue;
+      }
+      const val = obj[key];
+      if (val && typeof val === "object" && !Array.isArray(val)) {
+        sanitized[key] = sanitize(val);
+      } else if (Array.isArray(val)) {
+        sanitized[key] = val.map(
+          (item) => item && typeof item === "object" && !Array.isArray(item) ? sanitize(item) : item
+        );
+      } else {
+        sanitized[key] = val;
+      }
+    }
+    return sanitized;
+  }
+  questions = questions.map((q) => {
+    if (q && typeof q === "object") {
+      return sanitize(q);
+    }
+    return q;
+  });
+  return questions;
+}
+function answersToManifestFormat(answers, questions) {
+  const result = {};
+  for (const answer of answers) {
+    const headerLower = answer.question_header.toLowerCase();
+    const question = questions.find((q) => {
+      const qHeader = generateHeader(q.id).toLowerCase();
+      return qHeader === headerLower || q.id.toLowerCase().includes(headerLower);
+    });
+    if (!question) {
+      const matched = questions.find((q) => {
+        const qHeader = generateHeader(q.id).toLowerCase();
+        return qHeader.startsWith(headerLower.split("-")[0]);
+      });
+      if (matched) {
+        result[matched.id] = answer.selected_options[0] || "";
+      }
+      continue;
+    }
+    if (question.type === "multi-select" || answer.selected_options.length > 1) {
+      result[question.id] = answer.selected_options;
+    } else if (question.type === "confirm") {
+      result[question.id] = answer.selected_options[0] === "Yes";
+    } else {
+      if (answer.other_text) {
+        result[question.id] = answer.other_text;
+      } else if (answer.selected_options.length > 0) {
+        const option = question.options?.find((o) => o.label === answer.selected_options[0]);
+        result[question.id] = option?.value ?? answer.selected_options[0];
+      }
+    }
+  }
+  return result;
+}
+
+// src/tools/questions.ts
+var ManifestQuestionSchema = z8.object({
+  id: z8.string(),
+  question: z8.string(),
+  type: z8.enum(["text", "select", "multi-select", "confirm"]),
+  required: z8.boolean().optional(),
+  options: z8.array(
+    z8.object({
+      label: z8.string(),
+      value: z8.string()
+    })
+  ).optional(),
+  default: z8.union([z8.string(), z8.boolean(), z8.array(z8.string())]).optional(),
+  help: z8.string().optional(),
+  dependsOn: z8.object({
+    questionId: z8.string(),
+    value: z8.union([z8.string(), z8.array(z8.string())])
+  }).optional()
+});
+function registerQuestionTools(server2) {
+  server2.tool(
+    "stackwright_pro_present_phase_questions",
+    "Adapt manifest-format questions from a specialist otter and present them to the user via ask_user_question. Pass only the phase name \u2014 this tool reads questions from .stackwright/question-manifest.json automatically. The questions parameter is optional and only needed if the manifest has not been written yet. Use this instead of calling ask_user_question directly \u2014 it handles label truncation (50-char limit), header generation, confirm/text defaults, and correct array formatting automatically. IMPORTANT: This is the ONLY approved way to prepare questions before calling ask_user_question. Never call ask_user_question with raw manifest questions. Never retry ask_user_question validation errors by calling it directly \u2014 always re-call this tool.",
+    {
+      phase: z8.string().describe('Phase name for display context, e.g. "designer", "api", "auth"'),
+      questions: jsonCoerce(z8.array(ManifestQuestionSchema).optional()).describe(
+        "Questions in Question Manifest format. If omitted, questions are read from .stackwright/question-manifest.json using the phase name."
+      ),
+      answers: jsonCoerce(
+        z8.record(z8.string(), z8.union([z8.string(), z8.array(z8.string()), z8.boolean()])).optional()
+      ).describe("Previously collected answers used to resolve dependsOn conditions")
+    },
+    async ({ phase, questions, answers }) => {
+      let resolvedQuestions;
+      const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+      if (!SAFE_PHASE.test(phase)) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: `Invalid phase name: "${phase.slice(0, 50)}". Must be lowercase alphanumeric with hyphens, max 31 chars.`
+              })
+            }
+          ],
+          isError: true
+        };
+      }
+      if (questions && questions.length > 0) {
+        resolvedQuestions = questions;
+      } else {
+        const phaseQuestionPath = join(process.cwd(), ".stackwright", "questions", `${phase}.json`);
+        try {
+          const raw = await readFile(phaseQuestionPath, "utf-8");
+          const phaseData = JSON.parse(raw);
+          resolvedQuestions = phaseData.questions ?? [];
+        } catch {
+          try {
+            const manifestPath = join(process.cwd(), ".stackwright", "question-manifest.json");
+            const raw = await readFile(manifestPath, "utf-8");
+            const manifest = JSON.parse(raw);
+            const phaseData = manifest.phases.find((p) => p.phase === phase);
+            resolvedQuestions = phaseData?.questions ?? [];
+          } catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({
+                    error: `Could not read question manifest for phase "${phase}": ${msg}`,
+                    hint: "Write the manifest first, or pass questions directly to this tool."
+                  })
+                }
+              ],
+              isError: true
+            };
+          }
+        }
+      }
+      const adapted = adaptQuestions(resolvedQuestions, answers ?? {});
+      if (adapted.length === 0) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: `Phase "${phase}" has no questions to present. Do NOT call ask_user_question. Call stackwright_pro_save_phase_answers({ phase: "${phase}", rawAnswers: [] }) directly, then proceed to the execution step for this phase.`
+            },
+            {
+              type: "text",
+              // Empty array — second block always present so the foreman's two-block contract holds
+              text: JSON.stringify([])
+            }
+          ],
+          isError: false
+        };
+      }
+      return {
+        content: [
+          {
+            type: "text",
+            text: `Adapted ${adapted.length} questions for phase "${phase}". Pass the JSON array below DIRECTLY to ask_user_question as the "questions" parameter. Do NOT JSON.stringify() it. Do NOT wrap it in an object. Pass the parsed array value as-is.`
+          },
+          {
+            type: "text",
+            text: JSON.stringify(adapted)
+          }
+        ],
+        isError: false
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_get_next_question",
+    "Returns the next unanswered question for a phase as a plain JSON object \u2014 one question at a time. Returns { done: true } when all questions are answered or the phase has no questions. Call this in a loop: present the question in plain chat, get user reply, call record_answer, repeat.",
+    { phase: z8.string().describe('Phase name e.g. "designer", "api", "auth"') },
+    async ({ phase }) => {
+      const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+      if (!SAFE_PHASE.test(phase)) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ error: `Invalid phase name: "${phase.slice(0, 50)}"` })
+            }
+          ],
+          isError: true
+        };
+      }
+      const cwd = process.cwd();
+      const questionsPath = join(cwd, ".stackwright", "questions", `${phase}.json`);
+      let questions = [];
+      try {
+        const raw = await readFile(questionsPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        questions = parsed.questions ?? [];
+      } catch {
+        return { content: [{ type: "text", text: JSON.stringify({ done: true }) }] };
+      }
+      if (questions.length === 0) {
+        return { content: [{ type: "text", text: JSON.stringify({ done: true }) }] };
+      }
+      const answersPath = join(cwd, ".stackwright", "answers", `${phase}.json`);
+      let answeredIds = /* @__PURE__ */ new Set();
+      try {
+        const raw = await readFile(answersPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        answeredIds = new Set(Object.keys(parsed.answers ?? {}));
+      } catch {
+      }
+      const next = questions.find((q) => !answeredIds.has(q.id));
+      if (!next) {
+        return { content: [{ type: "text", text: JSON.stringify({ done: true }) }] };
+      }
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              done: false,
+              questionId: next.id,
+              question: next.question,
+              type: next.type,
+              options: next.options ?? null,
+              help: next.help ?? null,
+              index: questions.indexOf(next) + 1,
+              total: questions.length
+            })
+          }
+        ]
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_record_answer",
+    "Records a single answer to a phase question. Appends to .stackwright/answers/{phase}.json incrementally. Idempotent \u2014 calling twice for the same questionId overwrites. Call after receiving each user reply in the conversational question loop.",
+    {
+      phase: z8.string().describe('Phase name e.g. "designer"'),
+      questionId: z8.string().describe('The question ID from get_next_question, e.g. "designer-1"'),
+      answer: z8.string().describe("The user's free-text answer")
+    },
+    async ({ phase, questionId, answer }) => {
+      const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+      if (!SAFE_PHASE.test(phase)) {
+        return {
+          content: [
+            { type: "text", text: JSON.stringify({ error: "Invalid phase name" }) }
+          ],
+          isError: true
+        };
+      }
+      if (!/^[a-z0-9][a-z0-9-]{0,63}$/i.test(questionId)) {
+        return {
+          content: [
+            { type: "text", text: JSON.stringify({ error: "Invalid questionId" }) }
+          ],
+          isError: true
+        };
+      }
+      const safeAnswer = answer.slice(0, 2e3);
+      const cwd = process.cwd();
+      const answersDir = join(cwd, ".stackwright", "answers");
+      const answersPath = join(answersDir, `${phase}.json`);
+      if (existsSync2(answersDir) && lstatSync2(answersDir).isSymbolicLink()) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ error: "answers dir is a symlink \u2014 refusing to write" })
+            }
+          ],
+          isError: true
+        };
+      }
+      mkdirSync(answersDir, { recursive: true });
+      let existing = {
+        version: "1.0",
+        phase,
+        answers: {}
+      };
+      try {
+        if (existsSync2(answersPath)) {
+          if (lstatSync2(answersPath).isSymbolicLink()) {
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({ error: "answers file is a symlink \u2014 refusing to write" })
+                }
+              ],
+              isError: true
+            };
+          }
+          const raw = await readFile(answersPath, "utf-8");
+          existing = JSON.parse(raw);
+        }
+      } catch {
+      }
+      existing.answers[questionId] = safeAnswer;
+      existing.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const tmp = `${answersPath}.tmp`;
+      await writeFile(tmp, JSON.stringify(existing, null, 2), "utf-8");
+      renameSync(tmp, answersPath);
+      return {
+        content: [
+          { type: "text", text: JSON.stringify({ recorded: true, phase, questionId }) }
+        ]
+      };
+    }
+  );
+}
+
+// src/tools/orchestration.ts
+import { z as z9 } from "zod";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2, lstatSync as lstatSync3 } from "fs";
+import { join as join2 } from "path";
+var OTTER_NAME_TO_PHASE = [
+  ["designer", "designer"],
+  ["theme", "theme"],
+  ["api", "api"],
+  ["auth", "auth"],
+  ["dashboard", "dashboard"],
+  ["data", "data"],
+  ["page", "pages"],
+  ["workflow", "workflow"]
+];
+var PHASE_TO_OTTER = {
+  designer: "stackwright-pro-designer-otter",
+  theme: "stackwright-pro-theme-otter",
+  api: "stackwright-pro-api-otter",
+  auth: "stackwright-pro-auth-otter",
+  pages: "stackwright-pro-page-otter",
+  dashboard: "stackwright-pro-dashboard-otter",
+  data: "stackwright-pro-data-otter",
+  workflow: "stackwright-pro-workflow-otter"
+};
+function detectPhase(otterName) {
+  const lower = otterName.toLowerCase();
+  for (const [keyword, phase] of OTTER_NAME_TO_PHASE) {
+    if (lower.includes(keyword)) return phase;
+  }
+  return lower.replace(/^stackwright-pro-/, "").replace(/-otter$/, "");
+}
+function handleParseOtterResponse(input) {
+  const phase = detectPhase(input.otterName);
+  try {
+    const questions = parseLLMQuestionsResponse(input.responseText);
+    return {
+      result: { phase, otter: input.otterName, questions },
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      result: {
+        error: true,
+        otterName: input.otterName,
+        phase,
+        questions: [],
+        parseError: message
+      },
+      isError: true
+    };
+  }
+}
+function handleSaveManifest(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const dir = join2(cwd, ".stackwright");
+  const filePath = join2(dir, "question-manifest.json");
+  try {
+    mkdirSync2(dir, { recursive: true });
+    if (existsSync3(filePath)) {
+      const stat = lstatSync3(filePath);
+      if (stat.isSymbolicLink()) {
+        const message = `Refusing to write to symlink: ${filePath}`;
+        return {
+          text: JSON.stringify({ success: false, error: message }),
+          isError: true
+        };
+      }
+    }
+    const manifest = {
+      version: "1.0",
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      phases: input.phases
+    };
+    writeFileSync2(filePath, JSON.stringify(manifest, null, 2) + "\n");
+    return {
+      text: JSON.stringify({ success: true, path: filePath, phaseCount: input.phases.length }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      text: JSON.stringify({ success: false, error: message }),
+      isError: true
+    };
+  }
+}
+function handleSavePhaseAnswers(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const dir = join2(cwd, ".stackwright", "answers");
+  const filePath = join2(dir, `${input.phase}.json`);
+  try {
+    mkdirSync2(dir, { recursive: true });
+    let answers;
+    if (input.questions && input.questions.length > 0) {
+      answers = answersToManifestFormat(input.rawAnswers, input.questions);
+    } else {
+      answers = Object.fromEntries(
+        input.rawAnswers.map((a) => [a.question_header, a.selected_options[0] ?? ""])
+      );
+    }
+    const payload = {
+      version: "1.0",
+      phase: input.phase,
+      completedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      answers
+    };
+    if (existsSync3(filePath)) {
+      const stat = lstatSync3(filePath);
+      if (stat.isSymbolicLink()) {
+        const message = `Refusing to write to symlink: ${filePath}`;
+        return {
+          text: JSON.stringify({ success: false, error: message }),
+          isError: true
+        };
+      }
+    }
+    writeFileSync2(filePath, JSON.stringify(payload, null, 2) + "\n");
+    return {
+      text: JSON.stringify({
+        success: true,
+        path: filePath,
+        answersCount: Object.keys(answers).length
+      }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      text: JSON.stringify({ success: false, error: message }),
+      isError: true
+    };
+  }
+}
+function handleReadPhaseAnswers(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const filePath = join2(cwd, ".stackwright", "answers", `${input.phase}.json`);
+  if (!existsSync3(filePath)) {
+    return {
+      text: JSON.stringify({ missing: true, phase: input.phase }),
+      isError: false
+    };
+  }
+  try {
+    const raw = readFileSync2(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    return { text: JSON.stringify(parsed), isError: false };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      text: JSON.stringify({ error: true, phase: input.phase, readError: message }),
+      isError: true
+    };
+  }
+}
+function handleGetOtterName(input) {
+  const normalised = input.phase.toLowerCase().trim();
+  const otterName = PHASE_TO_OTTER[normalised];
+  if (!otterName) {
+    return {
+      text: JSON.stringify({ error: true, message: `Unknown phase: ${input.phase}` }),
+      isError: true
+    };
+  }
+  return {
+    text: JSON.stringify({ phase: normalised, otterName }),
+    isError: false
+  };
+}
+function handleSaveBuildContext(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const dir = join2(cwd, ".stackwright");
+  const filePath = join2(dir, "build-context.json");
+  try {
+    mkdirSync2(dir, { recursive: true });
+    if (existsSync3(filePath)) {
+      const stat = lstatSync3(filePath);
+      if (stat.isSymbolicLink()) {
+        return {
+          text: JSON.stringify({
+            success: false,
+            error: `Refusing to write to symlink: ${filePath}`
+          }),
+          isError: true
+        };
+      }
+    }
+    const payload = {
+      version: "1.0",
+      savedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      buildContext: input.buildContext
+    };
+    writeFileSync2(filePath, JSON.stringify(payload, null, 2) + "\n");
+    return {
+      text: JSON.stringify({ success: true, path: filePath }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      text: JSON.stringify({ success: false, error: message }),
+      isError: true
+    };
+  }
+}
+function registerOrchestrationTools(server2) {
+  server2.tool(
+    "stackwright_pro_save_build_context",
+    `Save the user's initial build description to .stackwright/build-context.json. Call this once at startup after the user answers the opening "what are you building" question. The saved context is automatically prepended to specialist prompts by stackwright_pro_build_specialist_prompt.`,
+    {
+      buildContext: z9.string().describe("Free-text description of what the user wants to build")
+    },
+    async ({ buildContext }) => {
+      const { text, isError } = handleSaveBuildContext({ buildContext });
+      return {
+        content: [{ type: "text", text }],
+        isError
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_parse_otter_response",
+    "Parse and validate a specialist otter's QUESTION_COLLECTION_MODE JSON response. Handles JSON extraction from LLM responses (strips markdown, fixes single quotes, trailing commas). Detects the phase from the otter name. Use this immediately after invoke_agent() to get a validated manifest phase object.",
+    {
+      otterName: z9.string().describe('The agent name, e.g. "stackwright-pro-api-otter"'),
+      responseText: z9.string().describe("Raw text response from the otter's QUESTION_COLLECTION_MODE invocation")
+    },
+    async ({ otterName, responseText }) => {
+      const { result, isError } = handleParseOtterResponse({ otterName, responseText });
+      return {
+        content: [{ type: "text", text: JSON.stringify(result) }],
+        isError
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_save_manifest",
+    "Write the question manifest to .stackwright/question-manifest.json. Call this after collecting and parsing questions from all otters via stackwright_pro_parse_otter_response.",
+    {
+      phases: jsonCoerce(
+        z9.array(
+          z9.object({
+            phase: z9.string(),
+            otter: z9.string(),
+            questions: z9.array(z9.any()),
+            requiredPackages: z9.object({
+              dependencies: z9.record(z9.string(), z9.string()).optional(),
+              devPackages: z9.record(z9.string(), z9.string()).optional()
+            }).optional()
+          })
+        )
+      ).describe("Array of parsed phase objects from stackwright_pro_parse_otter_response")
+    },
+    async ({ phases }) => {
+      const { text, isError } = handleSaveManifest({ phases });
+      return {
+        content: [{ type: "text", text }],
+        isError
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_save_phase_answers",
+    "Save user answers for a phase to .stackwright/answers/{phase}.json. Pass rawAnswers directly from ask_user_question and the original manifest questions for label-to-value reverse mapping.",
+    {
+      phase: z9.string().describe('Phase name, e.g. "designer"'),
+      rawAnswers: jsonCoerce(
+        z9.array(
+          z9.object({
+            question_header: z9.string(),
+            selected_options: z9.array(z9.string()),
+            other_text: z9.string().nullable().optional()
+          })
+        )
+      ).describe(
+        "Answers as returned by ask_user_question \u2014 pass the native array, not a JSON string"
+      ),
+      questions: jsonCoerce(z9.array(z9.any()).optional()).describe(
+        "Original manifest questions for label\u2192value reverse-mapping \u2014 pass the native array, not a JSON string"
+      )
+    },
+    async ({ phase, rawAnswers, questions }) => {
+      const { text, isError } = handleSavePhaseAnswers({
+        phase,
+        rawAnswers,
+        ...questions && questions.length > 0 ? { questions } : {}
+      });
+      return {
+        content: [{ type: "text", text }],
+        isError
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_read_phase_answers",
+    "Read saved answers for a phase from .stackwright/answers/{phase}.json. Returns { missing: true } when no answers exist yet \u2014 use this to skip phases safely in the execution loop.",
+    {
+      phase: z9.string().describe('Phase name, e.g. "designer"')
+    },
+    async ({ phase }) => {
+      const { text, isError } = handleReadPhaseAnswers({ phase });
+      return {
+        content: [{ type: "text", text }],
+        isError
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_get_otter_name",
+    "Get the agent name for a phase (e.g. 'designer' \u2192 'stackwright-pro-designer-otter'). Use this in the execution loop to invoke the correct specialist otter without hardcoding names in the prompt.",
+    {
+      phase: z9.string().describe('Phase name, e.g. "designer", "api", "pages"')
+    },
+    async ({ phase }) => {
+      const { text, isError } = handleGetOtterName({ phase });
+      return {
+        content: [{ type: "text", text }],
+        isError
+      };
+    }
+  );
+}
+
+// src/tools/pipeline.ts
+import { z as z10 } from "zod";
+import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync4, mkdirSync as mkdirSync3, lstatSync as lstatSync4 } from "fs";
+import { join as join3 } from "path";
+import { WorkflowFileSchema, authConfigSchema } from "@stackwright-pro/types";
+var PHASE_ORDER = [
+  "designer",
+  "theme",
+  "api",
+  "data",
+  "workflow",
+  "pages",
+  "dashboard",
+  "auth"
+];
+var PHASE_DEPENDENCIES = {
+  designer: [],
+  theme: ["designer"],
+  api: [],
+  data: ["api"],
+  // workflow: no hard deps — uses service: references with Prism mock fallback
+  // when API artifacts aren't available; roles come from user answers
+  workflow: [],
+  // pages: 'api' is transitive through 'data'; auth removed — page-otter has
+  // graceful fallback and reads role names from workflow artifacts instead
+  pages: ["designer", "theme", "data"],
+  dashboard: ["designer", "theme", "data"],
+  // auth is the terminal phase — reads all available artifacts at runtime;
+  // no hard upstream requirements so it always runs and never gets skipped
+  auth: []
+};
+var PHASE_ARTIFACT = {
+  designer: "design-language.json",
+  theme: "theme-tokens.json",
+  api: "api-config.json",
+  auth: "auth-config.json",
+  data: "data-config.json",
+  pages: "pages-manifest.json",
+  dashboard: "dashboard-manifest.json",
+  workflow: "workflow-config.json"
+};
+var PHASE_TO_OTTER2 = {
+  designer: "stackwright-pro-designer-otter",
+  theme: "stackwright-pro-theme-otter",
+  api: "stackwright-pro-api-otter",
+  auth: "stackwright-pro-auth-otter",
+  data: "stackwright-pro-data-otter",
+  pages: "stackwright-pro-page-otter",
+  dashboard: "stackwright-pro-dashboard-otter",
+  workflow: "stackwright-pro-workflow-otter"
+};
+function isValidPhase(phase) {
+  return PHASE_ORDER.includes(phase);
+}
+function defaultPhaseStatus() {
+  return {
+    questionsCollected: false,
+    answered: false,
+    executed: false,
+    artifactWritten: false,
+    retryCount: 0
+  };
+}
+function createDefaultState() {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const phases = {};
+  for (const p of PHASE_ORDER) {
+    phases[p] = defaultPhaseStatus();
+  }
+  return {
+    version: "1.0",
+    currentPhase: PHASE_ORDER[0],
+    status: "setup",
+    phases,
+    startedAt: now,
+    updatedAt: now
+  };
+}
+function statePath(cwd) {
+  return join3(cwd, ".stackwright", "pipeline-state.json");
+}
+function readState(cwd) {
+  const p = statePath(cwd);
+  if (!existsSync4(p)) return createDefaultState();
+  const raw = JSON.parse(safeReadSync(p));
+  if (typeof raw !== "object" || raw === null || raw.version !== "1.0") {
+    return createDefaultState();
+  }
+  return raw;
+}
+function safeWriteSync(filePath, content) {
+  if (existsSync4(filePath)) {
+    const stat = lstatSync4(filePath);
+    if (stat.isSymbolicLink()) {
+      throw new Error(`Refusing to write to symlink: ${filePath}`);
+    }
+  }
+  writeFileSync3(filePath, content);
+}
+function safeReadSync(filePath) {
+  if (existsSync4(filePath)) {
+    const stat = lstatSync4(filePath);
+    if (stat.isSymbolicLink()) {
+      throw new Error(`Refusing to read symlink: ${filePath}`);
+    }
+  }
+  return readFileSync3(filePath, "utf-8");
+}
+function writeState(cwd, state) {
+  const dir = join3(cwd, ".stackwright");
+  mkdirSync3(dir, { recursive: true });
+  state.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+  safeWriteSync(statePath(cwd), JSON.stringify(state, null, 2) + "\n");
+}
+function extractJsonFromResponse(text) {
+  let cleaned = text;
+  cleaned = cleaned.replace(/```(?:json)?\s*/gi, "");
+  cleaned = cleaned.replace(/```\s*$/gm, "");
+  const firstBrace = cleaned.indexOf("{");
+  if (firstBrace === -1) throw new Error("No JSON object found in response");
+  cleaned = cleaned.substring(firstBrace);
+  const lastBrace = cleaned.lastIndexOf("}");
+  if (lastBrace === -1) throw new Error("Unclosed JSON object in response");
+  cleaned = cleaned.substring(0, lastBrace + 1);
+  cleaned = cleaned.replace(/,(\s*[}\]])/g, "$1");
+  return JSON.parse(cleaned);
+}
+function handleGetPipelineState(_cwd) {
+  const cwd = _cwd ?? process.cwd();
+  try {
+    const state = readState(cwd);
+    return { text: JSON.stringify(state), isError: false };
+  } catch (err) {
+    return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
+  }
+}
+function handleSetPipelineState(input) {
+  const cwd = input._cwd ?? process.cwd();
+  if (input.phase && !isValidPhase(input.phase)) {
+    return {
+      text: JSON.stringify({
+        error: true,
+        message: `Invalid phase: ${input.phase}. Valid phases are: ${PHASE_ORDER.join(", ")}`
+      }),
+      isError: true
+    };
+  }
+  const VALID_FIELDS = ["questionsCollected", "answered", "executed", "artifactWritten"];
+  if (input.field && !VALID_FIELDS.includes(input.field)) {
+    return {
+      text: JSON.stringify({
+        error: true,
+        message: `Invalid field: ${input.field}. Valid fields are: ${VALID_FIELDS.join(", ")}`
+      }),
+      isError: true
+    };
+  }
+  try {
+    const state = readState(cwd);
+    if (input.status) {
+      state.status = input.status;
+    }
+    if (input.phase) {
+      const phase = input.phase;
+      if (!state.phases[phase]) {
+        state.phases[phase] = defaultPhaseStatus();
+      }
+      const phaseState = state.phases[phase];
+      if (input.field && input.value !== void 0) {
+        phaseState[input.field] = input.value;
+      }
+      if (input.incrementRetry) {
+        phaseState.retryCount += 1;
+      }
+      state.currentPhase = phase;
+    }
+    writeState(cwd, state);
+    return { text: JSON.stringify(state), isError: false };
+  } catch (err) {
+    return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
+  }
+}
+function handleCheckExecutionReady(_cwd, phase) {
+  const cwd = _cwd ?? process.cwd();
+  if (phase) {
+    if (!isValidPhase(phase)) {
+      return {
+        text: JSON.stringify({
+          error: true,
+          message: `Invalid phase: ${phase}. Valid phases are: ${PHASE_ORDER.join(", ")}`
+        }),
+        isError: true
+      };
+    }
+    const answerFile = join3(cwd, ".stackwright", "answers", `${phase}.json`);
+    if (!existsSync4(answerFile)) {
+      return {
+        text: JSON.stringify({ ready: false, phase, reason: "Answer file not found" }),
+        isError: false
+      };
+    }
+    try {
+      const raw = safeReadSync(answerFile);
+      const parsed = JSON.parse(raw);
+      if (typeof parsed["version"] !== "string" || typeof parsed["phase"] !== "string" || typeof parsed["answers"] !== "object" || parsed["answers"] === null) {
+        return {
+          text: JSON.stringify({ ready: false, phase, reason: "Answer file is malformed" }),
+          isError: false
+        };
+      }
+      return { text: JSON.stringify({ ready: true, phase }), isError: false };
+    } catch {
+      return {
+        text: JSON.stringify({ ready: false, phase, reason: "Answer file could not be parsed" }),
+        isError: false
+      };
+    }
+  }
+  try {
+    const answersDir = join3(cwd, ".stackwright", "answers");
+    const answeredPhases = [];
+    const missingPhases = [];
+    for (const phase2 of PHASE_ORDER) {
+      const answerFile = join3(answersDir, `${phase2}.json`);
+      if (existsSync4(answerFile)) {
+        try {
+          const raw = safeReadSync(answerFile);
+          const parsed = JSON.parse(raw);
+          if (typeof parsed["version"] !== "string" || typeof parsed["phase"] !== "string" || typeof parsed["answers"] !== "object" || parsed["answers"] === null) {
+            missingPhases.push(phase2);
+            continue;
+          }
+          answeredPhases.push(phase2);
+        } catch {
+          missingPhases.push(phase2);
+        }
+      } else {
+        missingPhases.push(phase2);
+      }
+    }
+    return {
+      text: JSON.stringify({
+        ready: missingPhases.length === 0,
+        answeredPhases,
+        missingPhases,
+        totalPhases: PHASE_ORDER.length
+      }),
+      isError: false
+    };
+  } catch (err) {
+    return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
+  }
+}
+function handleListArtifacts(_cwd) {
+  const cwd = _cwd ?? process.cwd();
+  try {
+    const artifactsDir = join3(cwd, ".stackwright", "artifacts");
+    const artifacts = [];
+    let completedCount = 0;
+    for (const phase of PHASE_ORDER) {
+      const expectedFile = PHASE_ARTIFACT[phase];
+      const fullPath = join3(artifactsDir, expectedFile);
+      const exists = existsSync4(fullPath);
+      if (exists) completedCount++;
+      artifacts.push({ phase, expectedFile, exists, path: fullPath });
+    }
+    return {
+      text: JSON.stringify({ artifacts, completedCount, totalCount: PHASE_ORDER.length }),
+      isError: false
+    };
+  } catch (err) {
+    return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
+  }
+}
+function handleWritePhaseQuestions(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const { phase, responseText } = input;
+  if (!isValidPhase(phase)) {
+    return {
+      text: JSON.stringify({ error: true, message: `Unknown phase: ${phase}` }),
+      isError: true
+    };
+  }
+  try {
+    const questions = parseLLMQuestionsResponse(responseText);
+    let requiredPackages = {
+      dependencies: {},
+      devPackages: {}
+    };
+    try {
+      const fullParsed = extractJsonFromResponse(responseText);
+      if (fullParsed.requiredPackages && typeof fullParsed.requiredPackages === "object") {
+        const rp = fullParsed.requiredPackages;
+        requiredPackages = {
+          dependencies: rp.dependencies ?? {},
+          devPackages: rp.devPackages ?? {}
+        };
+      }
+    } catch {
+    }
+    const questionsDir = join3(cwd, ".stackwright", "questions");
+    mkdirSync3(questionsDir, { recursive: true });
+    const filePath = join3(questionsDir, `${phase}.json`);
+    const payload = {
+      version: "1.0",
+      phase,
+      otter: PHASE_TO_OTTER2[phase],
+      collectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      questions,
+      requiredPackages
+    };
+    safeWriteSync(filePath, JSON.stringify(payload, null, 2) + "\n");
+    const state = readState(cwd);
+    if (!state.phases[phase]) state.phases[phase] = defaultPhaseStatus();
+    const ps = state.phases[phase];
+    ps.questionsCollected = true;
+    writeState(cwd, state);
+    return {
+      text: JSON.stringify({
+        success: true,
+        phase,
+        questionCount: questions.length,
+        requiredPackages,
+        path: filePath
+      }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { text: JSON.stringify({ error: true, phase, message }), isError: true };
+  }
+}
+function handleBuildSpecialistPrompt(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const { phase } = input;
+  if (!isValidPhase(phase)) {
+    return {
+      text: JSON.stringify({ error: true, message: `Unknown phase: ${phase}` }),
+      isError: true
+    };
+  }
+  try {
+    const answersPath = join3(cwd, ".stackwright", "answers", `${phase}.json`);
+    let answers = {};
+    if (existsSync4(answersPath)) {
+      answers = JSON.parse(safeReadSync(answersPath));
+    }
+    let buildContextText = "";
+    const buildContextPath = join3(cwd, ".stackwright", "build-context.json");
+    if (existsSync4(buildContextPath)) {
+      try {
+        const bcRaw = JSON.parse(safeReadSync(buildContextPath));
+        if (typeof bcRaw.buildContext === "string" && bcRaw.buildContext.trim().length > 0) {
+          buildContextText = bcRaw.buildContext.trim();
+        }
+      } catch {
+      }
+    }
+    const deps = PHASE_DEPENDENCIES[phase];
+    const artifactSections = [];
+    const missingDependencies = [];
+    for (const dep of deps) {
+      const artifactFile = PHASE_ARTIFACT[dep];
+      const artifactPath = join3(cwd, ".stackwright", "artifacts", artifactFile);
+      if (existsSync4(artifactPath)) {
+        const content = JSON.parse(safeReadSync(artifactPath));
+        const expectedOtter = PHASE_TO_OTTER2[dep];
+        const artifactOtter = content["generatedBy"];
+        const normalizedOtter = artifactOtter?.replace(/-[a-f0-9]{6}$/, "");
+        if (!artifactOtter) {
+          missingDependencies.push(dep);
+          artifactSections.push(
+            `[${artifactFile}]:
+(integrity check failed: missing generatedBy field)`
+          );
+        } else if (normalizedOtter !== expectedOtter) {
+          missingDependencies.push(dep);
+          artifactSections.push(
+            `[${artifactFile}]:
+(integrity check failed: artifact claims generatedBy="${artifactOtter}" but expected="${expectedOtter}")`
+          );
+        } else {
+          artifactSections.push(`[${artifactFile}]:
+${JSON.stringify(content, null, 2)}`);
+        }
+      } else {
+        missingDependencies.push(dep);
+        artifactSections.push(`[${artifactFile}]:
+(not yet available)`);
+      }
+    }
+    const parts = [];
+    if (buildContextText) {
+      parts.push("BUILD_CONTEXT:", buildContextText, "");
+    }
+    parts.push("ANSWERS:", JSON.stringify(answers, null, 2));
+    if (artifactSections.length > 0) {
+      parts.push("", "UPSTREAM ARTIFACTS:", "", ...artifactSections);
+    }
+    parts.push("", "Execute using these answers and the upstream artifacts provided.");
+    const prompt = parts.join("\n");
+    const dependenciesSatisfied = missingDependencies.length === 0;
+    return {
+      text: JSON.stringify({
+        otterName: PHASE_TO_OTTER2[phase],
+        phase,
+        prompt,
+        dependenciesSatisfied,
+        missingDependencies
+      }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { text: JSON.stringify({ error: true, phase, message }), isError: true };
+  }
+}
+var OFF_SCRIPT_PATTERNS = [
+  {
+    pattern: /```(?:ts|tsx|js|jsx|python|bash|sh|sql|ruby|go|rust|java|csharp|c\+\+)\b/,
+    label: "code fence"
+  },
+  { pattern: /\bimport\s+[\w{]/, label: "import statement" },
+  { pattern: /\bexport\s+(?:const|function|default|class)\b/, label: "export statement" },
+  { pattern: /\brequire\s*\(/, label: "require() call" },
+  { pattern: /\beval\s*\(/, label: "eval() call" },
+  { pattern: /^#!/m, label: "shebang" },
+  { pattern: /<script[\s>]/i, label: "script tag" },
+  { pattern: /\.(ts|tsx|js|jsx)\b.*\bfile\b/i, label: "code file reference" }
+];
+var PHASE_REQUIRED_KEYS = {
+  designer: ["designLanguage", "themeTokenSeeds"],
+  theme: ["tokens"],
+  api: ["entities"],
+  auth: ["version", "generatedBy"],
+  data: ["version", "generatedBy"],
+  pages: ["version", "generatedBy"],
+  dashboard: ["version", "generatedBy"],
+  workflow: ["version", "generatedBy"]
+};
+function handleValidateArtifact(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const { phase, responseText } = input;
+  if (!isValidPhase(phase)) {
+    return {
+      text: JSON.stringify({ error: true, message: `Unknown phase: ${phase}` }),
+      isError: true
+    };
+  }
+  for (const { pattern, label } of OFF_SCRIPT_PATTERNS) {
+    if (pattern.test(responseText)) {
+      const result = {
+        valid: false,
+        phase,
+        violation: "off-script",
+        retryPrompt: `You returned code output (detected: ${label}). Return ONLY a JSON artifact \u2014 no code, no files.`
+      };
+      return { text: JSON.stringify(result), isError: false };
+    }
+  }
+  let artifact;
+  try {
+    artifact = extractJsonFromResponse(responseText);
+  } catch {
+    const result = {
+      valid: false,
+      phase,
+      violation: "invalid-json",
+      retryPrompt: "Your response did not contain valid JSON. Return a single JSON object with no surrounding text."
+    };
+    return { text: JSON.stringify(result), isError: false };
+  }
+  if (!artifact.version || !artifact.generatedBy) {
+    const result = {
+      valid: false,
+      phase,
+      violation: "missing-fields",
+      retryPrompt: 'Your JSON artifact is missing required fields. Every artifact MUST include "version" and "generatedBy" at the top level.'
+    };
+    return { text: JSON.stringify(result), isError: false };
+  }
+  const requiredKeys = PHASE_REQUIRED_KEYS[phase];
+  const missingKeys = requiredKeys.filter((k) => !(k in artifact));
+  if (missingKeys.length > 0) {
+    const result = {
+      valid: false,
+      phase,
+      violation: "schema-mismatch",
+      retryPrompt: `Your ${phase} artifact is missing required keys: ${missingKeys.join(", ")}. Include them and try again.`
+    };
+    return { text: JSON.stringify(result), isError: false };
+  }
+  const PHASE_ZOD_VALIDATORS = {
+    workflow: (artifact2) => {
+      const workflowConfig = artifact2["workflowConfig"];
+      if (!workflowConfig) return { success: true };
+      const result = WorkflowFileSchema.safeParse(workflowConfig);
+      if (!result.success) {
+        const issues = result.error.issues.slice(0, 3).map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        return { success: false, error: { message: issues } };
+      }
+      return { success: true };
+    },
+    auth: (artifact2) => {
+      const authConfig = artifact2["authConfig"];
+      if (!authConfig) return { success: true };
+      const result = authConfigSchema.safeParse(authConfig);
+      if (!result.success) {
+        const issues = result.error.issues.slice(0, 3).map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        return { success: false, error: { message: issues } };
+      }
+      return { success: true };
+    }
+  };
+  const zodValidator = PHASE_ZOD_VALIDATORS[phase];
+  if (zodValidator) {
+    const zodResult = zodValidator(artifact);
+    if (!zodResult.success) {
+      const result = {
+        valid: false,
+        phase,
+        violation: "schema-mismatch",
+        retryPrompt: `Your artifact failed schema validation: ${zodResult.error?.message}. Fix these fields and return the corrected JSON artifact.`
+      };
+      return { text: JSON.stringify(result), isError: false };
+    }
+  }
+  try {
+    const artifactsDir = join3(cwd, ".stackwright", "artifacts");
+    mkdirSync3(artifactsDir, { recursive: true });
+    const artifactFile = PHASE_ARTIFACT[phase];
+    const artifactPath = join3(artifactsDir, artifactFile);
+    safeWriteSync(artifactPath, JSON.stringify(artifact, null, 2) + "\n");
+    const state = readState(cwd);
+    if (!state.phases[phase]) state.phases[phase] = defaultPhaseStatus();
+    const ps = state.phases[phase];
+    ps.artifactWritten = true;
+    writeState(cwd, state);
+    const topKeys = Object.keys(artifact).slice(0, 5).join(", ");
+    const result = {
+      valid: true,
+      phase,
+      artifactPath,
+      summary: `Wrote ${artifactFile} (keys: ${topKeys}${Object.keys(artifact).length > 5 ? ", ..." : ""})`
+    };
+    return { text: JSON.stringify(result), isError: false };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { text: JSON.stringify({ error: true, phase, message }), isError: true };
+  }
+}
+function registerPipelineTools(server2) {
+  const DESC = "Writes state to .stackwright/ \u2014 the filesystem is the state machine.";
+  const res = (r) => ({
+    content: [{ type: "text", text: r.text }],
+    isError: r.isError
+  });
+  server2.tool(
+    "stackwright_pro_get_pipeline_state",
+    `Read pipeline state from .stackwright/pipeline-state.json. ${DESC}`,
+    {},
+    async () => res(handleGetPipelineState())
+  );
+  server2.tool(
+    "stackwright_pro_set_pipeline_state",
+    `Atomic read\u2192modify\u2192write pipeline state. ${DESC}`,
+    {
+      phase: z10.string().optional().describe('Phase to update, e.g. "designer"'),
+      field: z10.enum(["questionsCollected", "answered", "executed", "artifactWritten"]).optional().describe("Boolean field to set"),
+      value: boolCoerce(z10.boolean().optional()).describe(
+        'Value for the field \u2014 must be a JSON boolean (true/false), NOT the string "true"/"false"'
+      ),
+      status: z10.enum(["setup", "questions", "execution", "done"]).optional().describe("Top-level status override"),
+      incrementRetry: boolCoerce(z10.boolean().optional()).describe(
+        "Bump retryCount by 1 \u2014 must be a JSON boolean"
+      )
+    },
+    async (args) => res(
+      handleSetPipelineState({
+        ...args.phase != null ? { phase: args.phase } : {},
+        ...args.field != null ? { field: args.field } : {},
+        ...args.value != null ? { value: args.value } : {},
+        ...args.status != null ? { status: args.status } : {},
+        ...args.incrementRetry != null ? { incrementRetry: args.incrementRetry } : {}
+      })
+    )
+  );
+  server2.tool(
+    "stackwright_pro_check_execution_ready",
+    `Check all phases have answer files in .stackwright/answers/. If phase is provided, check only that phase. ${DESC}`,
+    {
+      phase: z10.string().optional().describe("If provided, check only this phase's readiness. Omit to check all phases.")
+    },
+    async ({ phase }) => res(handleCheckExecutionReady(void 0, phase))
+  );
+  server2.tool(
+    "stackwright_pro_list_artifacts",
+    `List phase artifacts in .stackwright/artifacts/ with completedCount/totalCount. ${DESC}`,
+    {},
+    async () => res(handleListArtifacts())
+  );
+  server2.tool(
+    "stackwright_pro_write_phase_questions",
+    `Parse otter question-collection response \u2192 .stackwright/questions/{phase}.json. Specialists may also call this directly with a parsed questions array. ${DESC}`,
+    {
+      phase: z10.string().optional().describe('Phase name, e.g. "designer" (required for direct write)'),
+      responseText: z10.string().optional().describe("Raw LLM response from QUESTION_COLLECTION_MODE"),
+      questions: jsonCoerce(z10.array(z10.any()).optional()).describe(
+        "Questions array for direct specialist write"
+      )
+    },
+    async ({ phase, responseText, questions }) => {
+      if (phase && questions && Array.isArray(questions)) {
+        const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+        if (!SAFE_PHASE.test(phase)) {
+          return {
+            content: [
+              { type: "text", text: JSON.stringify({ error: `Invalid phase name` }) }
+            ],
+            isError: true
+          };
+        }
+        const questionsDir = join3(process.cwd(), ".stackwright", "questions");
+        mkdirSync3(questionsDir, { recursive: true });
+        const outPath = join3(questionsDir, `${phase}.json`);
+        writeFileSync3(
+          outPath,
+          JSON.stringify({ phase, questions, writtenAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2)
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                written: true,
+                phase,
+                count: questions.length
+              })
+            }
+          ]
+        };
+      }
+      return res(
+        handleWritePhaseQuestions({ phase: phase ?? "", responseText: responseText ?? "" })
+      );
+    }
+  );
+  server2.tool(
+    "stackwright_pro_build_specialist_prompt",
+    `Assemble execution prompt from answers + upstream artifacts. Foreman passes verbatim. ${DESC}`,
+    { phase: z10.string().describe('Phase to build prompt for, e.g. "pages"') },
+    async ({ phase }) => res(handleBuildSpecialistPrompt({ phase }))
+  );
+  server2.tool(
+    "stackwright_pro_validate_artifact",
+    `Validate specialist response + write artifact to .stackwright/artifacts/. Returns retryPrompt on failure. ${DESC}`,
+    {
+      phase: z10.string().describe('Phase that produced this artifact, e.g. "designer"'),
+      responseText: z10.string().describe("Raw response text from the specialist otter")
+    },
+    async ({ phase, responseText }) => res(handleValidateArtifact({ phase, responseText }))
+  );
+}
+
+// src/tools/safe-write.ts
+import { z as z11 } from "zod";
+import { writeFileSync as writeFileSync4, existsSync as existsSync5, mkdirSync as mkdirSync4, lstatSync as lstatSync5 } from "fs";
+import { normalize, isAbsolute, dirname, join as join4 } from "path";
+var OTTER_WRITE_ALLOWLISTS = {
+  "stackwright-pro-designer-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Design language artifact" }
+  ],
+  "stackwright-pro-theme-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Theme tokens artifact" }
+  ],
+  "stackwright-pro-auth-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Auth config artifact" },
+    { prefix: "config/", suffix: ".yml", description: "Auth YAML config" },
+    { prefix: "config/", suffix: ".yaml", description: "Auth YAML config" },
+    {
+      prefix: ".env",
+      suffix: "",
+      description: "Dotenv files (.env, .env.local, .env.production, etc.)"
+    }
+  ],
+  "stackwright-pro-data-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Data config artifact" },
+    { prefix: "stackwright.yml", suffix: "", description: "Stackwright config" }
+  ],
+  "stackwright-pro-page-otter": [
+    { prefix: "pages/", suffix: "/content.yml", description: "Page content YAML" },
+    { prefix: "pages/", suffix: "/content.yaml", description: "Page content YAML" },
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Pages manifest" }
+  ],
+  "stackwright-pro-dashboard-otter": [
+    { prefix: "pages/", suffix: "/content.yml", description: "Dashboard content YAML" },
+    { prefix: "pages/", suffix: "/content.yaml", description: "Dashboard content YAML" },
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Dashboard manifest" }
+  ],
+  "stackwright-pro-workflow-otter": [
+    { prefix: "workflows/", suffix: ".yml", description: "Workflow definition" },
+    { prefix: "workflows/", suffix: ".yaml", description: "Workflow definition" },
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Workflow config" }
+  ],
+  "stackwright-pro-api-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "API config artifact" }
+  ]
+};
+var PROTECTED_PATH_PREFIXES = [
+  ".stackwright/pipeline-state.json",
+  ".stackwright/questions/",
+  ".stackwright/answers/"
+];
+function checkPathAllowed(callerOtter, filePath) {
+  const normalized = normalize(filePath);
+  if (normalized.includes("..")) {
+    return { allowed: false, error: 'Path traversal detected: ".." segments are not allowed' };
+  }
+  if (isAbsolute(normalized)) {
+    return {
+      allowed: false,
+      error: "Absolute paths are not allowed \u2014 use paths relative to project root"
+    };
+  }
+  if (callerOtter === "stackwright-pro-foreman-otter") {
+    return {
+      allowed: false,
+      error: "The foreman otter coordinates \u2014 it does not write files directly"
+    };
+  }
+  const allowlist = OTTER_WRITE_ALLOWLISTS[callerOtter];
+  if (!allowlist) {
+    return {
+      allowed: false,
+      error: `Unknown otter: "${callerOtter}" is not in the write allowlist`
+    };
+  }
+  for (const protectedPrefix of PROTECTED_PATH_PREFIXES) {
+    if (normalized === protectedPrefix || normalized.startsWith(protectedPrefix)) {
+      return {
+        allowed: false,
+        error: `Path "${normalized}" is managed by dedicated sink tools, not safe_write`
+      };
+    }
+  }
+  for (const rule of allowlist) {
+    const prefixMatch = normalized.startsWith(rule.prefix);
+    const suffixMatch = rule.suffix === "" || normalized.endsWith(rule.suffix);
+    if (prefixMatch && suffixMatch) {
+      if (rule.prefix === ".env" && rule.suffix === "") {
+        if (!/^\.env(\.[a-zA-Z0-9]{3,})*$/.test(normalized)) {
+          continue;
+        }
+      }
+      return { allowed: true, rule: rule.description };
+    }
+  }
+  return {
+    allowed: false,
+    error: `Path "${normalized}" does not match any allowed write pattern for ${callerOtter}`
+  };
+}
+function validateJsonContent(content) {
+  try {
+    JSON.parse(content);
+    return null;
+  } catch (err) {
+    return `Invalid JSON: ${err instanceof Error ? err.message : String(err)}`;
+  }
+}
+function validateYamlContent(content) {
+  const trimmed = content.trimStart();
+  const anchorRefPattern = /\[(\*[\w]+)\]/g;
+  const matches = [...content.matchAll(anchorRefPattern)];
+  if (matches.length >= 20) {
+    return "YAML entity expansion pattern detected \u2014 too many anchor references";
+  }
+  const anchorDefPattern = /&([\w]+)/g;
+  const defs = [...content.matchAll(anchorDefPattern)];
+  if (defs.length >= 10) {
+    const anchorNameCounts = /* @__PURE__ */ new Map();
+    for (const [, name] of defs) {
+      const count = (anchorNameCounts.get(name) ?? 0) + 1;
+      anchorNameCounts.set(name, count);
+      if (count >= 10) {
+        return "YAML entity expansion: repeated anchor definitions detected";
+      }
+    }
+  }
+  if (trimmed.startsWith("import ") || trimmed.startsWith("import{")) {
+    return 'Content starts with "import" \u2014 this looks like code, not YAML';
+  }
+  if (trimmed.startsWith("export ") || trimmed.startsWith("export{")) {
+    return 'Content starts with "export" \u2014 this looks like code, not YAML';
+  }
+  if (trimmed.startsWith("#!"))
+    return "Content starts with shebang \u2014 this looks like a script, not YAML";
+  if (/!!(?:python|ruby|perl|js|java)/i.test(content))
+    return "YAML deserialization attack tags detected";
+  if (trimmed.startsWith("<") && !trimmed.startsWith("<<"))
+    return "Content looks like markup, not YAML";
+  return null;
+}
+function validateEnvContent(content) {
+  const lines = content.split("\n");
+  for (let i = 0; i < lines.length; i++) {
+    const raw = lines[i];
+    if (raw === void 0) continue;
+    const line = raw.trim();
+    if (line === "" || line.startsWith("#")) continue;
+    if (!/^[A-Za-z_][A-Za-z0-9_]*=/.test(line)) {
+      return `Line ${i + 1} is not a valid env entry (expected KEY=value): "${line}"`;
+    }
+  }
+  return null;
+}
+function validateContent(filePath, content) {
+  if (filePath.endsWith(".json")) return validateJsonContent(content);
+  if (filePath.endsWith(".yml") || filePath.endsWith(".yaml")) return validateYamlContent(content);
+  if (filePath === ".env" || filePath.startsWith(".env")) return validateEnvContent(content);
+  return null;
+}
+function handleSafeWrite(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const { callerOtter, filePath, content, createDirectories = true } = input;
+  const check = checkPathAllowed(callerOtter, filePath);
+  if (!check.allowed) {
+    const allowlist = OTTER_WRITE_ALLOWLISTS[callerOtter] ?? [];
+    const allowedPaths = allowlist.map((r) => `${r.prefix}*${r.suffix} (${r.description})`);
+    const result = {
+      success: false,
+      error: check.error ?? "Path not allowed",
+      callerOtter,
+      attemptedPath: filePath,
+      allowedPaths
+    };
+    return { text: JSON.stringify(result), isError: true };
+  }
+  const normalized = normalize(filePath);
+  const fullPath = join4(cwd, normalized);
+  if (existsSync5(fullPath)) {
+    try {
+      const stat = lstatSync5(fullPath);
+      if (stat.isSymbolicLink()) {
+        const result = {
+          success: false,
+          error: "Target path is a symlink \u2014 refusing to write through symlinks for security",
+          callerOtter,
+          attemptedPath: filePath,
+          allowedPaths: []
+        };
+        return { text: JSON.stringify(result), isError: true };
+      }
+    } catch {
+    }
+  }
+  const contentError = validateContent(normalized, content);
+  if (contentError) {
+    const result = {
+      success: false,
+      error: `Content validation failed: ${contentError}`,
+      callerOtter,
+      attemptedPath: filePath,
+      allowedPaths: []
+    };
+    return { text: JSON.stringify(result), isError: true };
+  }
+  try {
+    if (createDirectories) {
+      mkdirSync4(dirname(fullPath), { recursive: true });
+    }
+    writeFileSync4(fullPath, content, { encoding: "utf-8" });
+    const result = {
+      success: true,
+      path: normalized,
+      bytesWritten: Buffer.byteLength(content, "utf-8"),
+      allowRule: check.rule ?? "unknown"
+    };
+    return { text: JSON.stringify(result), isError: false };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    const result = {
+      success: false,
+      error: `Write failed: ${message}`,
+      callerOtter,
+      attemptedPath: filePath,
+      allowedPaths: []
+    };
+    return { text: JSON.stringify(result), isError: true };
+  }
+}
+function registerSafeWriteTools(server2) {
+  const DESC = "Controlled file-write chokepoint. Every write from specialist otters goes through this tool with per-otter path allowlists. The LLM cannot write to arbitrary filesystem paths.";
+  server2.tool(
+    "stackwright_pro_safe_write",
+    DESC,
+    {
+      callerOtter: z11.string().describe('The otter agent name requesting the write, e.g. "stackwright-pro-page-otter"'),
+      filePath: z11.string().describe('Relative path from project root, e.g. "pages/dashboard/content.yml"'),
+      content: z11.string().describe("File content to write"),
+      createDirectories: boolCoerce(z11.boolean().optional().default(true)).describe(
+        "Create parent directories if they don't exist. Default: true"
+      )
+    },
+    async ({ callerOtter, filePath, content, createDirectories }) => {
+      const result = handleSafeWrite({
+        callerOtter,
+        filePath,
+        content,
+        ...createDirectories != null ? { createDirectories } : {}
+      });
+      return { content: [{ type: "text", text: result.text }], isError: result.isError };
+    }
+  );
+}
+
+// src/tools/auth.ts
+import { z as z12 } from "zod";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync5, existsSync as existsSync6 } from "fs";
+import { join as join5 } from "path";
+function buildHierarchy(roles) {
+  const h = {};
+  for (let i = 0; i < roles.length - 1; i++) {
+    h[roles[i]] = roles.slice(i + 1);
+  }
+  return h;
+}
+function hierarchyToYaml(hierarchy, indent) {
+  const entries = Object.entries(hierarchy);
+  if (entries.length === 0) return `${indent}{}`;
+  return entries.map(([role, subs]) => `${indent}${role}: [${subs.join(", ")}]`).join("\n");
+}
+function rolesToYaml(roles, indent) {
+  return roles.map((r) => `${indent}- ${r}`).join("\n");
+}
+function routesToYaml(routes, defaultRole, indent) {
+  return routes.map((r) => `${indent}- pattern: ${r}
+${indent}  requiredRole: ${defaultRole}`).join("\n");
+}
+function upsertAuthBlock(existing, authYaml) {
+  const lines = existing.split("\n");
+  let authStart = -1;
+  let authEnd = lines.length;
+  for (let i = 0; i < lines.length; i++) {
+    if (/^auth:/.test(lines[i])) {
+      authStart = i;
+    } else if (authStart >= 0 && i > authStart && /^\S/.test(lines[i]) && lines[i].trim() !== "") {
+      authEnd = i;
+      break;
+    }
+  }
+  if (authStart < 0) {
+    return existing.trimEnd() + "\n" + authYaml + "\n";
+  }
+  const before = lines.slice(0, authStart);
+  const after = lines.slice(authEnd);
+  return [...before, ...authYaml.trimEnd().split("\n"), ...after.length ? after : []].join("\n");
+}
+function generateMiddlewareContent(method, params, roles, defaultRole, hierarchy, auditEnabled, auditRetentionDays, protectedRoutes) {
+  const rbacBlock = `  rbac: {
+    roles: ${JSON.stringify(roles)},
+    defaultRole: '${defaultRole}',
+    hierarchy: ${JSON.stringify(hierarchy, null, 4)},
+  },`;
+  const auditBlock = `  audit: {
+    enabled: ${auditEnabled},
+    retentionDays: ${auditRetentionDays},
+  },`;
+  const routesBlock = `  protectedRoutes: ${JSON.stringify(protectedRoutes)},`;
+  const configBlock = `export const config = {
+  matcher: ${JSON.stringify(protectedRoutes)},
+};`;
+  if (method === "cac") {
+    const caBundle = params.cacCaBundle ?? "./certs/dod-ca-bundle.pem";
+    const edipiLookup = params.cacEdipiLookup ?? "./config/edipi-lookup.json";
+    const ocspEndpoint = params.cacOcspEndpoint ?? "https://ocsp.disa.mil";
+    const certHeader = params.cacCertHeader ?? "X-SSL-Client-Cert";
+    return `// middleware.ts \u2014 generated by @stackwright-pro/auth
+// \u26A0\uFE0F  SECURITY REVIEW REQUIRED \u2014 CAC/PKI certificate validation
+// DoD security officer review required before production deployment.
+// Verify: CA bundle completeness, EDIPI lookup endpoint, OCSP accessibility.
+import { createProMiddleware } from '@stackwright-pro/auth-nextjs';
+
+export const middleware = createProMiddleware({
+  method: 'cac',
+  cac: {
+    caBundle: process.env.CAC_CA_BUNDLE ?? '${caBundle}',
+    edipiLookup: '${edipiLookup}',
+    ocspEndpoint: process.env.CAC_OCSP_ENDPOINT ?? '${ocspEndpoint}',
+    certHeader: '${certHeader}',
+  },
+${rbacBlock}
+${auditBlock}
+${routesBlock}
+});
+
+${configBlock}
+`;
+  }
+  if (method === "oidc") {
+    const scopes2 = params.oidcScopes ?? "openid profile email";
+    const roleClaim = params.oidcRoleClaim ?? "roles";
+    return `// middleware.ts \u2014 generated by @stackwright-pro/auth-nextjs
+import { createProMiddleware } from '@stackwright-pro/auth-nextjs';
+
+export const middleware = createProMiddleware({
+  method: 'oidc',
+  oidc: {
+    discoveryUrl: process.env.OIDC_DISCOVERY_URL!,
+    clientId: process.env.OIDC_CLIENT_ID!,
+    clientSecret: process.env.OIDC_CLIENT_SECRET!,
+    scopes: '${scopes2}',
+    roleClaim: '${roleClaim}',
+  },
+${rbacBlock}
+${auditBlock}
+${routesBlock}
+});
+
+${configBlock}
+`;
+  }
+  const scopes = params.oauth2Scopes ?? "read write";
+  return `// middleware.ts \u2014 generated by @stackwright-pro/auth-nextjs
+import { createProMiddleware } from '@stackwright-pro/auth-nextjs';
+
+export const middleware = createProMiddleware({
+  method: 'oauth2',
+  oauth2: {
+    authorizationUrl: process.env.OAUTH2_AUTH_URL!,
+    tokenUrl: process.env.OAUTH2_TOKEN_URL!,
+    clientId: process.env.OAUTH2_CLIENT_ID!,
+    clientSecret: process.env.OAUTH2_CLIENT_SECRET!,
+    scopes: '${scopes}',
+  },
+${rbacBlock}
+${auditBlock}
+${routesBlock}
+});
+
+${configBlock}
+`;
+}
+function generateEnvBlock(method, params) {
+  if (method === "cac") {
+    return `# Authentication (CAC/PKI \u2014 DoD)
+# \u26A0\uFE0F  SECURITY REVIEW REQUIRED before production deployment
+CAC_CA_BUNDLE=./certs/dod-ca-bundle.pem
+CAC_OCSP_ENDPOINT=https://ocsp.disa.mil
+`;
+  }
+  if (method === "oidc") {
+    const label = params.provider ?? "OIDC";
+    const discoveryUrl = params.oidcDiscoveryUrl ?? "https://your-provider/.well-known/openid-configuration";
+    return `# Authentication (OIDC \u2014 ${label})
+OIDC_DISCOVERY_URL=${discoveryUrl}
+OIDC_CLIENT_ID=your-client-id
+OIDC_CLIENT_SECRET=your-client-secret
+`;
+  }
+  const authUrl = params.oauth2AuthUrl ?? "https://your-auth-server/authorize";
+  const tokenUrl = params.oauth2TokenUrl ?? "https://your-auth-server/token";
+  return `# Authentication (OAuth2)
+OAUTH2_AUTH_URL=${authUrl}
+OAUTH2_TOKEN_URL=${tokenUrl}
+OAUTH2_CLIENT_ID=your-client-id
+OAUTH2_CLIENT_SECRET=your-client-secret
+`;
+}
+function generateYamlBlock(method, params, roles, defaultRole, hierarchy, auditEnabled, auditRetentionDays, protectedRoutes) {
+  const rbacSection = `  rbac:
+    roles:
+${rolesToYaml(roles, "      ")}
+    defaultRole: ${defaultRole}
+    hierarchy:
+${hierarchyToYaml(hierarchy, "      ")}`;
+  const auditSection = `  audit:
+    enabled: ${auditEnabled}
+    retentionDays: ${auditRetentionDays}`;
+  const routesSection = `  protectedRoutes:
+${routesToYaml(protectedRoutes, "    ", defaultRole)}`.replace(/\n\s+,/g, "");
+  const routeLines = protectedRoutes.map((r) => `    - pattern: ${r}
+      requiredRole: ${defaultRole}`).join("\n");
+  const providerLine = params.provider ? `  provider: ${params.provider}
+` : "";
+  if (method === "cac") {
+    const caBundle = params.cacCaBundle ?? "./certs/dod-ca-bundle.pem";
+    const edipiLookup = params.cacEdipiLookup ?? "./config/edipi-lookup.json";
+    const ocspEndpoint = params.cacOcspEndpoint ?? "https://ocsp.disa.mil";
+    const certHeader = params.cacCertHeader ?? "X-SSL-Client-Cert";
+    return `auth:
+  method: cac
+${providerLine}  middleware: ./middleware.ts
+  cac:
+    caBundle: \${CAC_CA_BUNDLE}
+    edipiLookup: ${edipiLookup}
+    ocspEndpoint: \${CAC_OCSP_ENDPOINT}
+    certHeader: ${certHeader}
+${rbacSection}
+  protectedRoutes:
+${routeLines}
+${auditSection}
+`;
+  }
+  if (method === "oidc") {
+    const scopes2 = params.oidcScopes ?? "openid profile email";
+    const roleClaim = params.oidcRoleClaim ?? "roles";
+    return `auth:
+  method: oidc
+${providerLine}  middleware: ./middleware.ts
+  oidc:
+    discoveryUrl: \${OIDC_DISCOVERY_URL}
+    clientId: \${OIDC_CLIENT_ID}
+    clientSecret: \${OIDC_CLIENT_SECRET}
+    scopes: ${scopes2}
+    roleClaim: ${roleClaim}
+${rbacSection}
+  protectedRoutes:
+${routeLines}
+${auditSection}
+`;
+  }
+  const scopes = params.oauth2Scopes ?? "read write";
+  return `auth:
+  method: oauth2
+${providerLine}  middleware: ./middleware.ts
+  oauth2:
+    authorizationUrl: \${OAUTH2_AUTH_URL}
+    tokenUrl: \${OAUTH2_TOKEN_URL}
+    clientId: \${OAUTH2_CLIENT_ID}
+    clientSecret: \${OAUTH2_CLIENT_SECRET}
+    scopes: ${scopes}
+${rbacSection}
+  protectedRoutes:
+${routeLines}
+${auditSection}
+`;
+}
+async function configureAuthHandler(params, cwd) {
+  const {
+    method,
+    provider,
+    rbacRoles = ["SUPER_ADMIN", "ADMIN", "ANALYST"],
+    auditEnabled = true,
+    auditRetentionDays = 90,
+    protectedRoutes = ["/dashboard/:path*"]
+  } = params;
+  const roles = rbacRoles;
+  const defaultRole = params.rbacDefaultRole ?? roles[roles.length - 1];
+  const hierarchy = buildHierarchy(roles);
+  if (method === "none") {
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({
+            success: true,
+            method: "none",
+            provider: null,
+            rbacRoles: roles,
+            rbacDefaultRole: defaultRole,
+            protectedRoutesCount: protectedRoutes.length,
+            filesWritten: [],
+            securityWarning: null
+          })
+        }
+      ]
+    };
+  }
+  const filesWritten = [];
+  try {
+    const middlewareContent = generateMiddlewareContent(
+      method,
+      params,
+      roles,
+      defaultRole,
+      hierarchy,
+      auditEnabled,
+      auditRetentionDays,
+      protectedRoutes
+    );
+    writeFileSync5(join5(cwd, "middleware.ts"), middlewareContent, "utf8");
+    filesWritten.push("middleware.ts");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({ success: false, error: `Failed writing middleware.ts: ${msg}` })
+        }
+      ],
+      isError: true
+    };
+  }
+  try {
+    const envBlock = generateEnvBlock(method, params);
+    const envPath = join5(cwd, ".env.example");
+    if (existsSync6(envPath)) {
+      const existing = readFileSync4(envPath, "utf8");
+      writeFileSync5(envPath, existing.trimEnd() + "\n\n" + envBlock, "utf8");
+    } else {
+      writeFileSync5(envPath, envBlock, "utf8");
+    }
+    filesWritten.push(".env.example");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({ success: false, error: `Failed writing .env.example: ${msg}` })
+        }
+      ],
+      isError: true
+    };
+  }
+  try {
+    const authYaml = generateYamlBlock(
+      method,
+      params,
+      roles,
+      defaultRole,
+      hierarchy,
+      auditEnabled,
+      auditRetentionDays,
+      protectedRoutes
+    );
+    const ymlPath = join5(cwd, "stackwright.yml");
+    if (!existsSync6(ymlPath)) {
+      writeFileSync5(ymlPath, authYaml, "utf8");
+    } else {
+      const existing = readFileSync4(ymlPath, "utf8");
+      writeFileSync5(ymlPath, upsertAuthBlock(existing, authYaml), "utf8");
+    }
+    filesWritten.push("stackwright.yml");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return {
+      content: [
+        {
+          type: "text",
+          text: JSON.stringify({ success: false, error: `Failed writing stackwright.yml: ${msg}` })
+        }
+      ],
+      isError: true
+    };
+  }
+  const securityWarning = method === "cac" ? "SECURITY REVIEW REQUIRED \u2014 CAC certificate chain must be verified before production deployment" : null;
+  return {
+    content: [
+      {
+        type: "text",
+        text: JSON.stringify({
+          success: true,
+          method,
+          provider: provider ?? null,
+          rbacRoles: roles,
+          rbacDefaultRole: defaultRole,
+          protectedRoutesCount: protectedRoutes.length,
+          filesWritten,
+          securityWarning
+        })
+      }
+    ]
+  };
+}
+function registerAuthTools(server2) {
+  server2.tool(
+    "stackwright_pro_configure_auth",
+    "Generate authentication middleware and configuration for a Next.js Stackwright application. Writes `middleware.ts` from a secure template, appends/updates the `auth:` section in `stackwright.yml`, and generates `.env.example` with required environment variables. \u26A0\uFE0F For CAC/PKI: generated `middleware.ts` carries a SECURITY REVIEW REQUIRED comment \u2014 certificate chain validation must be verified by a DoD security officer before production deployment. This is the ONLY approved path to generating `middleware.ts`. Never write TypeScript auth files directly.",
+    {
+      method: z12.enum(["cac", "oidc", "oauth2", "none"]),
+      provider: z12.enum(["azure-ad", "okta", "ping", "cognito", "custom"]).optional(),
+      // CAC
+      cacCaBundle: z12.string().optional(),
+      cacEdipiLookup: z12.string().optional(),
+      cacOcspEndpoint: z12.string().optional(),
+      cacCertHeader: z12.string().optional(),
+      // OIDC
+      oidcDiscoveryUrl: z12.string().optional(),
+      oidcClientId: z12.string().optional(),
+      oidcClientSecret: z12.string().optional(),
+      oidcScopes: z12.string().optional(),
+      oidcRoleClaim: z12.string().optional(),
+      // OAuth2
+      oauth2AuthUrl: z12.string().optional(),
+      oauth2TokenUrl: z12.string().optional(),
+      oauth2ClientId: z12.string().optional(),
+      oauth2ClientSecret: z12.string().optional(),
+      oauth2Scopes: z12.string().optional(),
+      // RBAC
+      rbacRoles: jsonCoerce(z12.array(z12.string()).optional()),
+      rbacDefaultRole: z12.string().optional(),
+      // Audit
+      auditEnabled: boolCoerce(z12.boolean().optional()),
+      auditRetentionDays: numCoerce(z12.number().int().positive().optional()),
+      // Routes
+      protectedRoutes: jsonCoerce(z12.array(z12.string()).optional()),
+      // Injection for tests
+      _cwd: z12.string().optional()
+    },
+    async (params) => {
+      const cwd = params._cwd ?? process.cwd();
+      return configureAuthHandler(params, cwd);
+    }
+  );
+}
+
+// src/integrity.ts
+import { createHash as createHash2, timingSafeEqual } from "crypto";
+import { readFileSync as readFileSync5, readdirSync, lstatSync as lstatSync6 } from "fs";
+import { join as join6, basename } from "path";
+var _checksums = /* @__PURE__ */ new Map([
+  [
+    "stackwright-pro-api-otter.json",
+    "0ac26d85a5ad35b072a58965e1d5e090dd5c5f16dc14e68c452c3e99fcbb5510"
+  ],
+  [
+    "stackwright-pro-auth-otter.json",
+    "e4314897e7dead94cbd07cf58cd9df1a2614a207c85bdddf9259121945903721"
+  ],
+  [
+    "stackwright-pro-dashboard-otter.json",
+    "600e8597429c353e5b886f316731be84a86cd8b93617bf046e3cbf390b31a431"
+  ],
+  [
+    "stackwright-pro-data-otter.json",
+    "08352843c3dbfd1e20171493fb95ae7c73fde9dca0e2d6eecb5dc2d7d7b3cda7"
+  ],
+  [
+    "stackwright-pro-designer-otter.json",
+    "f4dbff5149051c77be1645de5ee12c0bd7d590c687a0b2d86737b915a5a6d5f0"
+  ],
+  [
+    "stackwright-pro-foreman-otter.json",
+    "e361cc30f013e1e423ebb4f59c54fd1452d049fabcc0539ce56b4a49cb5ec3ea"
+  ],
+  [
+    "stackwright-pro-page-otter.json",
+    "0323d9c9f4b4008b516d7615f24c0ebab9470bdf9cd37e1d48cfc06ccf6fccee"
+  ],
+  [
+    "stackwright-pro-theme-otter.json",
+    "a303ec6c045420f2c916583e3f6efcda469e9610fedfc84a508ed8a8a75866bc"
+  ],
+  [
+    "stackwright-pro-workflow-otter.json",
+    "ec203f222b2771f2bc3b29f340d881480c6a23188667e533476f4245e78453ef"
+  ]
+]);
+Object.freeze(_checksums);
+var CANONICAL_CHECKSUMS = _checksums;
+var SHA256_HEX_RE = /^[0-9a-f]{64}$/;
+for (const [name, digest] of CANONICAL_CHECKSUMS) {
+  if (!SHA256_HEX_RE.test(digest)) {
+    throw new Error(
+      `Malformed SHA-256 in CANONICAL_CHECKSUMS for "${name}": expected 64 hex chars, got ${digest.length}: "${digest}"`
+    );
+  }
+}
+var MAX_OTTER_BYTES = 1 * 1024 * 1024;
+function computeSha256(data) {
+  return createHash2("sha256").update(data).digest("hex");
+}
+function safeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"));
+}
+function verifyOtterFile(filePath) {
+  const filename = basename(filePath);
+  const expected = CANONICAL_CHECKSUMS.get(filename);
+  if (expected === void 0) {
+    return { verified: false, filename, error: `Unknown otter file: not in canonical set` };
+  }
+  let stat;
+  try {
+    stat = lstatSync6(filePath);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { verified: false, filename, error: `Cannot stat file: ${msg}` };
+  }
+  if (stat.isSymbolicLink()) {
+    return { verified: false, filename, error: "Refusing to verify symlink" };
+  }
+  const size = stat.size;
+  if (size > MAX_OTTER_BYTES) {
+    return {
+      verified: false,
+      filename,
+      error: `File exceeds size limit (${MAX_OTTER_BYTES.toLocaleString()} bytes, got ${size.toLocaleString()})`
+    };
+  }
+  let raw;
+  try {
+    raw = readFileSync5(filePath);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return { verified: false, filename, error: `Cannot read file: ${msg}` };
+  }
+  if (raw.length > MAX_OTTER_BYTES) {
+    return {
+      verified: false,
+      filename,
+      error: `File exceeds size limit after read (${MAX_OTTER_BYTES.toLocaleString()} bytes, got ${raw.length.toLocaleString()})`
+    };
+  }
+  const actual = computeSha256(raw);
+  if (!safeEqual(actual, expected)) {
+    return {
+      verified: false,
+      filename,
+      error: `SHA-256 mismatch: expected ${expected.substring(0, 8)}\u2026, got ${actual.substring(0, 8)}\u2026`
+    };
+  }
+  try {
+    const decoder = new TextDecoder("utf-8", { fatal: true });
+    decoder.decode(raw);
+  } catch {
+    return {
+      verified: false,
+      filename,
+      error: "File is not valid UTF-8 \u2014 may be corrupted or contain binary injection"
+    };
+  }
+  return { verified: true, filename };
+}
+function verifyAllOtters(otterDir) {
+  const verified = [];
+  const failed = [];
+  const unknown = [];
+  let entries;
+  try {
+    entries = readdirSync(otterDir);
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    return {
+      verified: [],
+      failed: [{ filename: "<directory>", error: `Cannot read directory: ${msg}` }],
+      unknown: []
+    };
+  }
+  const otterFiles = entries.filter((f) => f.endsWith("-otter.json"));
+  for (const filename of otterFiles) {
+    const filePath = join6(otterDir, filename);
+    try {
+      if (lstatSync6(filePath).isSymbolicLink()) {
+        failed.push({ filename, error: "Skipped: symlink" });
+        continue;
+      }
+    } catch {
+    }
+    const result = verifyOtterFile(filePath);
+    if (result.verified) {
+      verified.push(result.filename);
+    } else if (result.error?.startsWith("Unknown otter file")) {
+      unknown.push(result.filename);
+    } else {
+      failed.push({ filename: result.filename, error: result.error ?? "Unknown error" });
+    }
+  }
+  for (const canonicalName of CANONICAL_CHECKSUMS.keys()) {
+    if (!otterFiles.includes(canonicalName)) {
+      failed.push({ filename: canonicalName, error: "Missing from directory" });
+    }
+  }
+  return { verified, failed, unknown };
+}
+var DEFAULT_SEARCH_PATHS = ["node_modules/@stackwright-pro/otters/src/", "packages/otters/src/"];
+function resolveOtterDir() {
+  const cwd = process.cwd();
+  for (const relative of DEFAULT_SEARCH_PATHS) {
+    const candidate = join6(cwd, relative);
+    try {
+      lstatSync6(candidate);
+      return candidate;
+    } catch {
+    }
+  }
+  return null;
+}
+function registerIntegrityTools(server2) {
+  server2.tool(
+    "stackwright_pro_verify_otter_integrity",
+    "Verify SHA-256 integrity of all Pro otter agent definitions. Call this at startup before discovering otters. Auto-discovers the otter directory from known paths. Returns verified/failed/unknown lists.",
+    {},
+    async () => {
+      const resolved = resolveOtterDir();
+      if (!resolved) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: true,
+                message: "Could not locate otter directory. Searched: " + DEFAULT_SEARCH_PATHS.join(", ")
+              })
+            }
+          ],
+          isError: true
+        };
+      }
+      const result = verifyAllOtters(resolved);
+      const allGood = result.failed.length === 0 && result.unknown.length === 0;
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              otterDir: resolved,
+              totalCanonical: CANONICAL_CHECKSUMS.size,
+              verifiedCount: result.verified.length,
+              failedCount: result.failed.length,
+              unknownCount: result.unknown.length,
+              verified: result.verified,
+              failed: result.failed,
+              unknown: result.unknown,
+              warning: result.failed.length > 0 ? "SHA-256 mismatches detected (non-blocking). PKI-signed manifest support coming soon." : void 0
+            })
+          }
+        ],
+        isError: false
+      };
+    }
+  );
+}
+
+// src/tools/domain.ts
+import { z as z13 } from "zod";
+import { readFileSync as readFileSync6, existsSync as existsSync7 } from "fs";
+import { join as join7 } from "path";
+function handleListCollections(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const sources = [
+    {
+      path: join7(cwd, ".stackwright", "artifacts", "data-config.json"),
+      source: "data-config.json",
+      parse: (raw) => {
+        const parsed = JSON.parse(raw);
+        if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+          return [];
+        }
+        return extractCollectionsFromArtifact(parsed);
+      }
+    },
+    {
+      path: join7(cwd, "stackwright.yml"),
+      source: "stackwright.yml",
+      parse: extractCollectionsFromYaml
+    }
+  ];
+  for (const { path: path3, source, parse } of sources) {
+    if (!existsSync7(path3)) continue;
+    try {
+      const collections = parse(readFileSync6(path3, "utf8"));
+      return {
+        text: JSON.stringify({ collections, source, collectionCount: collections.length }),
+        isError: false
+      };
+    } catch {
+    }
+  }
+  return {
+    text: JSON.stringify({
+      collections: [],
+      source: "none",
+      collectionCount: 0,
+      hint: "Run API Otter and Data Otter first"
+    }),
+    isError: false
+  };
+}
+function extractCollectionsFromArtifact(raw) {
+  const collections = [];
+  const integrations = raw.integrations ?? raw.collections ?? [];
+  if (!Array.isArray(integrations)) return collections;
+  for (const item of integrations) {
+    if (!item || typeof item !== "object") continue;
+    const obj = item;
+    if (typeof obj.name === "string" && typeof obj.endpoint === "string") {
+      collections.push(makeCollectionInfo(obj.name, obj.endpoint, obj.type));
+      continue;
+    }
+    if (!Array.isArray(obj.collections)) continue;
+    for (const col of obj.collections) {
+      if (!col || typeof col !== "object") continue;
+      const c = col;
+      if (typeof c.name === "string" && typeof c.endpoint === "string") {
+        collections.push(makeCollectionInfo(c.name, c.endpoint, c.type ?? obj.type));
+      }
+    }
+  }
+  return collections;
+}
+function makeCollectionInfo(name, endpoint, type) {
+  return { name, endpoint, ...typeof type === "string" ? { type } : {} };
+}
+function extractCollectionsFromYaml(yamlText) {
+  const collections = [];
+  const lines = yamlText.split("\n");
+  let inIntegrations = false;
+  let currentName = null;
+  let currentEndpoint = null;
+  let currentType = null;
+  for (const line of lines) {
+    if (line.length > 1e3) continue;
+    if (/^integrations:\s*$/.test(line)) {
+      inIntegrations = true;
+      continue;
+    }
+    if (inIntegrations && /^[a-z]/.test(line) && !line.startsWith(" ")) {
+      inIntegrations = false;
+    }
+    if (!inIntegrations) continue;
+    const stripQuotes = (s) => s.trim().replace(/^['"]|['"]$/g, "");
+    const typeMatch = line.match(/^\s+type:\s*(.+)$/);
+    if (typeMatch?.[1]) currentType = stripQuotes(typeMatch[1]);
+    const nameMatch = line.match(/^[\s-]+name:\s*(.+)$/);
+    if (nameMatch?.[1]) {
+      if (currentName && currentEndpoint) {
+        collections.push(makeCollectionInfo(currentName, currentEndpoint, currentType));
+      }
+      currentName = stripQuotes(nameMatch[1]);
+      currentEndpoint = null;
+    }
+    const endpointMatch = line.match(/^\s+endpoint:\s*(.+)$/);
+    if (endpointMatch?.[1]) currentEndpoint = stripQuotes(endpointMatch[1]);
+  }
+  if (currentName && currentEndpoint) {
+    collections.push(makeCollectionInfo(currentName, currentEndpoint, currentType));
+  }
+  return collections;
+}
+var DATA_STRATEGIES = {
+  "pulse-fast": {
+    strategy: "pulse-fast",
+    mechanism: "Client-side polling via @stackwright-pro/pulse",
+    mechanismPackage: "@stackwright-pro/pulse",
+    pulse: true,
+    requiredPackages: { "@stackwright-pro/pulse": "latest", "@tanstack/react-query": "^5.0.0" },
+    handoffFlags: ["PULSE_MODE=true"],
+    description: "Real-time updates every few seconds. Uses client-side polling. Dashboard Otter should use *_pulse component variants."
+  },
+  "isr-fast": {
+    strategy: "isr-fast",
+    mechanism: "Next.js ISR",
+    revalidateSeconds: 60,
+    pulse: false,
+    requiredPackages: {},
+    handoffFlags: [],
+    description: "Near real-time with 60-second ISR revalidation. Good for dashboards that need minute-level freshness."
+  },
+  "isr-standard": {
+    strategy: "isr-standard",
+    mechanism: "Next.js ISR",
+    revalidateSeconds: 3600,
+    pulse: false,
+    requiredPackages: {},
+    handoffFlags: [],
+    description: "Standard hourly revalidation. Good for most API-backed pages."
+  },
+  "isr-slow": {
+    strategy: "isr-slow",
+    mechanism: "Next.js ISR",
+    revalidateSeconds: 86400,
+    pulse: false,
+    requiredPackages: {},
+    handoffFlags: [],
+    description: "Daily revalidation. Good for infrequently changing data."
+  }
+};
+function handleResolveDataStrategy(input) {
+  const key = input.strategy.trim().toLowerCase();
+  const match = DATA_STRATEGIES[key];
+  if (!match) {
+    const validKeys = Object.keys(DATA_STRATEGIES).join(", ");
+    return {
+      text: JSON.stringify({
+        error: true,
+        message: `Unknown strategy: "${input.strategy}". Valid strategies: ${validKeys}`,
+        validStrategies: Object.keys(DATA_STRATEGIES)
+      }),
+      isError: true
+    };
+  }
+  const configureIsrCall = match.pulse ? null : {
+    tool: "stackwright_pro_configure_isr_batch",
+    args: {
+      collections: [{ name: "$COLLECTION", revalidateSeconds: match.revalidateSeconds }]
+    }
+  };
+  return {
+    text: JSON.stringify({ ...match, configureIsrCall }),
+    isError: false
+  };
+}
+function fail(errors) {
+  return { text: JSON.stringify({ valid: false, errors, warnings: [] }), isError: true };
+}
+function handleValidateWorkflow(input) {
+  const cwd = input._cwd ?? process.cwd();
+  let raw;
+  if (input.workflow && Object.keys(input.workflow).length > 0) {
+    raw = input.workflow;
+  } else {
+    const artifactPath = join7(cwd, ".stackwright", "artifacts", "workflow-config.json");
+    if (!existsSync7(artifactPath)) {
+      return fail([
+        {
+          code: "NO_WORKFLOW",
+          message: "No workflow provided and .stackwright/artifacts/workflow-config.json not found. Pass a workflow object or run the workflow otter first."
+        }
+      ]);
+    }
+    try {
+      raw = JSON.parse(readFileSync6(artifactPath, "utf8"));
+    } catch (err) {
+      return fail([{ code: "INVALID_JSON", message: `Failed to parse workflow artifact: ${err}` }]);
+    }
+  }
+  const workflow = raw.workflow && typeof raw.workflow === "object" ? raw.workflow : raw;
+  const errors = [];
+  const warnings = [];
+  if (typeof workflow.id !== "string" || !workflow.id) {
+    errors.push({ code: "MISSING_ID", message: "workflow.id is required", path: "workflow.id" });
+  } else if (!/^[a-z0-9-]+$/.test(workflow.id)) {
+    errors.push({
+      code: "INVALID_ID",
+      message: `workflow.id "${workflow.id}" must match ^[a-z0-9-]+$`,
+      path: "workflow.id"
+    });
+  }
+  if (typeof workflow.label !== "string" || !workflow.label) {
+    errors.push({
+      code: "MISSING_LABEL",
+      message: "workflow.label is required",
+      path: "workflow.label"
+    });
+  }
+  const steps = workflow.steps;
+  if (!Array.isArray(steps)) {
+    errors.push({
+      code: "MISSING_STEPS",
+      message: "workflow.steps must be an array",
+      path: "workflow.steps"
+    });
+    return { text: JSON.stringify({ valid: false, errors, warnings }), isError: false };
+  }
+  if (steps.length < 2) {
+    errors.push({
+      code: "TOO_FEW_STEPS",
+      message: "A workflow must have at least 2 steps",
+      path: "workflow.steps"
+    });
+  }
+  const stepIds = /* @__PURE__ */ new Set();
+  const duplicateIds = [];
+  for (const step of steps) {
+    if (!step || typeof step !== "object") continue;
+    const id = step.id;
+    if (typeof id !== "string" || !id) {
+      errors.push({
+        code: "MISSING_STEP_ID",
+        message: "Every step must have an id",
+        path: "workflow.steps"
+      });
+      continue;
+    }
+    if (!/^[a-z0-9_]+$/.test(id)) {
+      errors.push({
+        code: "INVALID_STEP_ID",
+        message: `Step ID "${id}" must match ^[a-z0-9_]+$`,
+        path: `workflow.steps[${id}].id`
+      });
+    }
+    if (stepIds.has(id)) duplicateIds.push(id);
+    stepIds.add(id);
+  }
+  if (duplicateIds.length > 0) {
+    errors.push({
+      code: "DUPLICATE_STEP_IDS",
+      message: `Duplicate step IDs: ${duplicateIds.join(", ")}`,
+      path: "workflow.steps"
+    });
+  }
+  const initialStep = workflow.initial_step;
+  if (typeof initialStep !== "string" || !initialStep) {
+    errors.push({
+      code: "MISSING_INITIAL_STEP",
+      message: "workflow.initial_step is required",
+      path: "workflow.initial_step"
+    });
+  } else if (!stepIds.has(initialStep)) {
+    errors.push({
+      code: "INVALID_INITIAL_STEP",
+      message: `initial_step "${initialStep}" does not reference an existing step. Valid: ${[...stepIds].join(", ")}`,
+      path: "workflow.initial_step"
+    });
+  }
+  for (const step of steps) {
+    if (!step || typeof step !== "object") continue;
+    const s = step;
+    const stepId = String(s.id ?? "??");
+    validateTransitionTargets(s, stepId, stepIds, errors);
+    collectServiceWarnings(s, stepId, warnings);
+  }
+  if (typeof workflow.persistence === "string" && workflow.persistence.startsWith("service:")) {
+    warnings.push({
+      code: "WARN_SERVICE_REFERENCE",
+      message: 'service: reference at "workflow.persistence" requires @stackwright-pro/services. Prism mock fallback will be used until services layer is configured.',
+      path: "workflow.persistence"
+    });
+  }
+  const hasTerminal = steps.some((step) => {
+    if (!step || typeof step !== "object") return false;
+    return step.type === "terminal";
+  });
+  if (!hasTerminal) {
+    errors.push({
+      code: "NO_TERMINAL_STATE",
+      message: "Workflow must have at least one step with type: terminal",
+      path: "workflow.steps"
+    });
+  }
+  return { text: JSON.stringify({ valid: errors.length === 0, errors, warnings }), isError: false };
+}
+function validateTransitionTargets(step, stepId, stepIds, errors) {
+  const check = (target, path3) => {
+    if (typeof target === "string" && !stepIds.has(target)) {
+      errors.push({
+        code: "ORPHANED_TRANSITION",
+        message: `Step "${stepId}" transitions to "${target}" which does not exist`,
+        path: path3
+      });
+    }
+  };
+  const onSubmit = step.on_submit;
+  if (onSubmit && typeof onSubmit === "object") {
+    check(onSubmit.transition, `workflow.steps[${stepId}].on_submit.transition`);
+  }
+  if (Array.isArray(step.actions)) {
+    for (const action of step.actions) {
+      if (!action || typeof action !== "object") continue;
+      const a = action;
+      check(a.transition, `workflow.steps[${stepId}].actions[${a.id ?? "??"}].transition`);
+    }
+  }
+  if (Array.isArray(step.conditions)) {
+    for (const cond of step.conditions) {
+      if (!cond || typeof cond !== "object") continue;
+      const then = cond.then;
+      if (then && typeof then === "object") {
+        check(then.transition, `workflow.steps[${stepId}].conditions`);
+      }
+    }
+  }
+  if (Array.isArray(step.show_fields_from)) {
+    for (const ref of step.show_fields_from)
+      check(ref, `workflow.steps[${stepId}].show_fields_from`);
+  }
+  const display = step.display;
+  if (display && typeof display === "object") {
+    check(display.source_step, `workflow.steps[${stepId}].display.source_step`);
+    if (Array.isArray(display.source_steps)) {
+      for (const ref of display.source_steps)
+        check(ref, `workflow.steps[${stepId}].display.source_steps`);
+    }
+  }
+}
+function collectServiceWarnings(step, stepId, warnings) {
+  const isService = (val) => typeof val === "string" && val.startsWith("service:");
+  const warn = (path3) => {
+    warnings.push({
+      code: "WARN_SERVICE_REFERENCE",
+      message: `service: reference at "${path3}" requires @stackwright-pro/services. Prism mock fallback will be used until services layer is configured.`,
+      path: path3
+    });
+  };
+  const onSubmit = step.on_submit;
+  if (onSubmit && typeof onSubmit === "object" && isService(onSubmit.action))
+    warn(`${stepId}.on_submit.action`);
+  const onEnter = step.on_enter;
+  if (onEnter && typeof onEnter === "object" && isService(onEnter.action))
+    warn(`${stepId}.on_enter.action`);
+  if (Array.isArray(step.actions)) {
+    for (const action of step.actions) {
+      if (!action || typeof action !== "object") continue;
+      const a = action;
+      if (isService(a.action)) warn(`${stepId}.actions.${a.id ?? "??"}.action`);
+    }
+  }
+  if (Array.isArray(step.fields)) {
+    for (const field of step.fields) {
+      if (!field || typeof field !== "object") continue;
+      const f = field;
+      if (isService(f.data_source)) warn(`${stepId}.fields.${f.name ?? "??"}.data_source`);
+    }
+  }
+}
+function registerDomainTools(server2) {
+  const res = (r) => ({
+    content: [{ type: "text", text: r.text }],
+    isError: r.isError
+  });
+  server2.tool(
+    "stackwright_pro_list_collections",
+    "List API-backed collections available for page generation. Reads from Data Otter artifact (.stackwright/artifacts/data-config.json) or stackwright.yml. Call this before generating pages that bind to data.",
+    {},
+    async () => res(handleListCollections({}))
+  );
+  server2.tool(
+    "stackwright_pro_resolve_data_strategy",
+    "Look up the data freshness strategy configuration from the user's answer. Returns mechanism, revalidation seconds, required packages, and the exact MCP tool call to make. Replaces the strategy table in the data-otter prompt.",
+    {
+      strategy: z13.string().describe(
+        'The data-1 answer value: "pulse-fast", "isr-fast", "isr-standard", or "isr-slow"'
+      )
+    },
+    async ({ strategy }) => res(handleResolveDataStrategy({ strategy }))
+  );
+  server2.tool(
+    "stackwright_pro_validate_workflow",
+    "Validate a workflow definition against the Stackwright workflow schema. Checks step ID uniqueness, transition targets, terminal state existence, and service references. Call this after the workflow otter produces output.",
+    {
+      workflow: jsonCoerce(z13.record(z13.string(), z13.unknown()).optional()).describe(
+        "Parsed workflow object. If omitted, reads from .stackwright/artifacts/workflow-config.json"
+      )
+    },
+    async ({ workflow }) => res(handleValidateWorkflow(workflow ? { workflow } : {}))
+  );
+}
+
+// src/tools/type-schemas.ts
+import { z as z14 } from "zod";
+function buildTypeSchemaSummary() {
+  return {
+    version: "1.0",
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    domains: {
+      workflow: {
+        description: "Workflow DSL \u2014 step definitions, auth blocks, field types, conditions",
+        schemas: [
+          "WorkflowFileSchema",
+          "WorkflowDefinitionSchema",
+          "WorkflowStepSchema",
+          "WorkflowStepTypeSchema",
+          "WorkflowFieldSchema",
+          "WorkflowActionSchema",
+          "WorkflowAuthSchema",
+          "WorkflowThemeSchema",
+          "TransitionConditionSchema",
+          "PersistenceSchema"
+        ],
+        otter: "stackwright-pro-workflow-otter",
+        artifactKey: "workflowConfig"
+      },
+      auth: {
+        description: "Authentication providers \u2014 PKI/CAC, OIDC, RBAC configuration",
+        schemas: [
+          "authConfigSchema",
+          "pkiConfigSchema",
+          "oidcConfigSchema",
+          "rbacConfigSchema",
+          "componentAuthSchema",
+          "authUserSchema",
+          "authSessionSchema"
+        ],
+        otter: "stackwright-pro-auth-otter",
+        artifactKey: "authConfig"
+      },
+      openapi: {
+        description: "OpenAPI spec integration \u2014 collection config, endpoint filters, actions",
+        interfaces: [
+          "OpenAPIConfig",
+          "ActionConfig",
+          "EndpointFilter",
+          "ApprovedSpec",
+          "PrebuildSecurityConfig",
+          "SiteConfig",
+          "ValidationResult"
+        ],
+        otter: "stackwright-pro-api-otter",
+        artifactKey: "apiConfig"
+      },
+      pulse: {
+        description: "Real-time data polling \u2014 source-agnostic polling options and states",
+        interfaces: ["PulseOptions", "PulseMeta", "PulseState"],
+        note: "React-bound types (PulseProps, PulseIndicatorProps) remain in @stackwright-pro/pulse"
+      },
+      enterprise: {
+        description: "Enterprise collection access \u2014 multi-tenant provider extension",
+        interfaces: [
+          "EnterpriseCollectionProvider",
+          "CollectionProvider",
+          "CollectionEntry",
+          "CollectionListOptions",
+          "CollectionListResult",
+          "TenantFilter",
+          "Collection"
+        ],
+        note: "CollectionProvider, CollectionEntry, CollectionListOptions, and CollectionListResult are re-exported from @stackwright/types (^1.5.0). EnterpriseCollectionProvider, TenantFilter, and Collection are Pro-only extensions."
+      }
+    }
+  };
+}
+function registerTypeSchemasTool(server2) {
+  server2.tool(
+    "stackwright_pro_get_type_schemas",
+    "Returns a structured summary of all canonical @stackwright-pro/types schemas, organized by domain. Use this to determine which otter owns a given schema and what artifact key to expect.",
+    {
+      format: z14.enum(["full", "domains-only"]).optional().default("full").describe("full = complete summary with all fields; domains-only = just domain names")
+    },
+    async ({ format }) => {
+      const summary = buildTypeSchemaSummary();
+      const output = format === "domains-only" ? Object.keys(summary.domains) : summary;
+      return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }]
+      };
+    }
+  );
+}
+
+// package.json
+var package_default = {
+  dependencies: {
+    "@stackwright-pro/types": "workspace:*",
+    "@modelcontextprotocol/sdk": "^1.10.0",
+    "@stackwright-pro/cli-data-explorer": "workspace:*",
+    zod: "^4.3.6"
+  },
+  devDependencies: {
+    "@types/node": "^24.1.0",
+    tsup: "^8.5.0",
+    typescript: "^5.8.3",
+    vitest: "^4.0.18"
+  },
+  scripts: {
+    prepublishOnly: "node scripts/verify-integrity-sync.js",
+    build: "tsup",
+    dev: "tsup --watch",
+    start: "node dist/server.js",
+    test: "vitest run",
+    "test:coverage": "vitest run --coverage"
+  },
+  name: "@stackwright-pro/mcp",
+  version: "0.2.0-alpha.30",
+  description: "MCP tools for Stackwright Pro - Data Explorer, Security, ISR, and Dashboard generation",
+  license: "PROPRIETARY",
+  main: "./dist/server.js",
+  bin: {
+    "stackwright-pro-mcp": "./dist/server.js"
+  },
+  module: "./dist/server.mjs",
+  types: "./dist/server.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/server.d.ts",
+      import: "./dist/server.mjs",
+      require: "./dist/server.js"
+    },
+    "./integrity": {
+      types: "./dist/integrity.d.ts",
+      import: "./dist/integrity.mjs",
+      require: "./dist/integrity.js"
+    },
+    "./type-schemas": {
+      types: "./dist/tools/type-schemas.d.ts",
+      import: "./dist/tools/type-schemas.mjs",
+      require: "./dist/tools/type-schemas.js"
     }
   },
   files: [
@@ -1231,6 +3962,14 @@ registerIsrTools(server);
 registerDashboardTools(server);
 registerClarificationTools(server);
 registerPackageTools(server);
+registerQuestionTools(server);
+registerOrchestrationTools(server);
+registerPipelineTools(server);
+registerSafeWriteTools(server);
+registerAuthTools(server);
+registerIntegrityTools(server);
+registerDomainTools(server);
+registerTypeSchemasTool(server);
 async function main() {
   const transport = new StdioServerTransport();
   await server.connect(transport);