@stackwright-pro/mcp 0.2.0-alpha.6 → 0.2.0-alpha.61

package/dist/server.mjs

@@ -3,15 +3,44 @@ import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 // src/tools/data-explorer.ts
-import { z } from "zod";
+import { z as z2 } from "zod";
 import { listEntities, generateFilter } from "@stackwright-pro/cli-data-explorer";
+
+// src/coerce.ts
+import { z } from "zod";
+function jsonCoerce(schema) {
+  return z.preprocess((v) => {
+    if (typeof v === "string") {
+      try {
+        return JSON.parse(v);
+      } catch {
+        return v;
+      }
+    }
+    return v;
+  }, schema);
+}
+function boolCoerce(schema) {
+  return z.preprocess((v) => v === "true" ? true : v === "false" ? false : v, schema);
+}
+function numCoerce(schema) {
+  return z.preprocess((v) => {
+    if (typeof v === "string" && v.trim() !== "") {
+      const n = Number(v);
+      if (!Number.isNaN(n)) return n;
+    }
+    return v;
+  }, schema);
+}
+
+// src/tools/data-explorer.ts
 function registerDataExplorerTools(server2) {
   server2.tool(
     "stackwright_pro_list_entities",
     "List all available API entities from OpenAPI specs or generated Zod schemas. Use this to discover what entities are available before generating endpoint filters. Returns entity names, endpoints, and field counts. Part of the Pro Otter Raft for building API-integrated Stackwright applications.",
     {
-      specPath: z.string().optional().describe("Path to OpenAPI spec file (YAML or JSON)"),
-      projectRoot: z.string().optional().describe("Project root directory (auto-detected if omitted)")
+      specPath: z2.string().optional().describe("Path to OpenAPI spec file (YAML or JSON)"),
+      projectRoot: z2.string().optional().describe("Project root directory (auto-detected if omitted)")
     },
     async ({ specPath, projectRoot }) => {
       const result = listEntities({
@@ -59,9 +88,13 @@ function registerDataExplorerTools(server2) {
     "stackwright_pro_generate_filter",
     "Generate endpoint filter configuration from selected entities. Creates include/exclude patterns for stackwright.yml OpenAPI integration. Use this after stackwright_pro_list_entities to select which API endpoints the application needs. Only selected endpoints will generate client code, reducing bundle size and improving security.",
     {
-      selectedEntities: z.array(z.string()).describe('Entity slugs to include (e.g., ["equipment", "supplies"])'),
-      excludePatterns: z.array(z.string()).optional().describe('Glob patterns to exclude (e.g., ["/admin/**", "/reports/**"])'),
-      projectRoot: z.string().optional().describe("Project root directory")
+      selectedEntities: jsonCoerce(z2.array(z2.string())).describe(
+        'Entity slugs to include (e.g., ["equipment", "supplies"])'
+      ),
+      excludePatterns: jsonCoerce(z2.array(z2.string()).optional()).describe(
+        'Glob patterns to exclude (e.g., ["/admin/**", "/reports/**"])'
+      ),
+      projectRoot: z2.string().optional().describe("Project root directory")
     },
     async ({ selectedEntities, excludePatterns, projectRoot }) => {
       const result = generateFilter({
@@ -117,7 +150,7 @@ function registerDataExplorerTools(server2) {
 }
 
 // src/tools/security.ts
-import { z as z2 } from "zod";
+import { z as z3 } from "zod";
 import { createHash } from "crypto";
 import fs from "fs";
 import path from "path";
@@ -126,8 +159,8 @@ function registerSecurityTools(server2) {
     "stackwright_pro_validate_spec",
     "Validate an OpenAPI spec against the enterprise approved-specs configuration. Checks if the spec URL is on the allowlist and verifies SHA-256 hash integrity. Use this in enterprise environments where only pre-approved API specs are allowed. Fails build if spec is not approved or has been modified.",
     {
-      specPath: z2.string().describe("URL or file path to the OpenAPI spec to validate"),
-      configPath: z2.string().optional().describe("Path to stackwright.yml with prebuild.security config")
+      specPath: z3.string().describe("URL or file path to the OpenAPI spec to validate"),
+      configPath: z3.string().optional().describe("Path to stackwright.yml with prebuild.security config")
     },
     async ({ specPath, configPath }) => {
       let securityEnabled = false;
@@ -235,16 +268,15 @@ Status: Valid (${allowlist.length} specs on allowlist)`
     "stackwright_pro_add_approved_spec",
     "Add an OpenAPI spec to the approved-specs allowlist in stackwright.yml. Computes the SHA-256 hash of the spec and adds it to the security configuration. Use this when onboarding a new API in enterprise environments.",
     {
-      name: z2.string().describe("Human-readable name for the spec"),
-      url: z2.string().describe("URL or file path to the OpenAPI spec"),
-      configPath: z2.string().optional().describe("Path to stackwright.yml")
+      name: z3.string().describe("Human-readable name for the spec"),
+      url: z3.string().describe("URL or file path to the OpenAPI spec"),
+      configPath: z3.string().optional().describe("Path to stackwright.yml")
     },
     async ({ name, url, configPath }) => {
       const configFile = configPath || path.join(process.cwd(), "stackwright.yml");
       let sha256 = "<computed-at-build>";
       try {
         if (url.startsWith("http://") || url.startsWith("https://")) {
-          sha256 = "<computed-at-build>";
         } else if (fs.existsSync(url)) {
           const specContent = fs.readFileSync(url, "utf8");
           sha256 = createHash("sha256").update(specContent).digest("hex");
@@ -291,7 +323,7 @@ SHA-256 computed: ${sha256}`
     "stackwright_pro_list_approved_specs",
     "List all specs currently on the approved-specs allowlist. Shows spec names, URLs, and hash prefixes. Use this to audit what APIs are approved in the project.",
     {
-      configPath: z2.string().optional().describe("Path to stackwright.yml")
+      configPath: z3.string().optional().describe("Path to stackwright.yml")
     },
     async ({ configPath }) => {
       const configFile = configPath || path.join(process.cwd(), "stackwright.yml");
@@ -360,16 +392,18 @@ SHA-256 computed: ${sha256}`
 }
 
 // src/tools/isr.ts
-import { z as z3 } from "zod";
+import { z as z4 } from "zod";
 function registerIsrTools(server2) {
   server2.tool(
     "stackwright_pro_configure_isr",
     "Configure Incremental Static Regeneration (ISR) for an API-backed collection. ISR allows API data to be cached and refreshed on a schedule, providing real-time data with the performance of static generation. Use this after stackwright_pro_generate_filter to set revalidation intervals.",
     {
-      collection: z3.string().describe('Collection name (e.g., "equipment", "supplies")'),
-      revalidateSeconds: z3.number().optional().describe("Revalidation interval in seconds (default: 60)"),
-      fallback: z3.enum(["blocking", "true", "false"]).optional().describe("Fallback behavior for new pages"),
-      configPath: z3.string().optional().describe("Path to stackwright.yml")
+      collection: z4.string().describe('Collection name (e.g., "equipment", "supplies")'),
+      revalidateSeconds: numCoerce(z4.number().optional()).describe(
+        "Revalidation interval in seconds (default: 60)"
+      ),
+      fallback: z4.enum(["blocking", "true", "false"]).optional().describe("Fallback behavior for new pages"),
+      configPath: z4.string().optional().describe("Path to stackwright.yml")
     },
     async ({ collection, revalidateSeconds = 60, fallback = "blocking", configPath }) => {
       const revalidate = revalidateSeconds;
@@ -380,7 +414,7 @@ function registerIsrTools(server2) {
     isr:
       revalidate: ${revalidate}
       fallback: ${fallback}`;
-      let description = "";
+      let description;
       if (revalidate < 60) {
         description = "\u26A1 Very fresh data (revalidate every " + revalidate + "s)";
       } else if (revalidate < 300) {
@@ -412,14 +446,16 @@ ${yamlSnippet}
     "stackwright_pro_configure_isr_batch",
     "Configure ISR for multiple collections at once. More efficient than calling stackwright_pro_configure_isr multiple times. Provide different revalidation intervals based on data freshness requirements.",
     {
-      collections: z3.array(
-        z3.object({
-          name: z3.string().describe("Collection name"),
-          revalidateSeconds: z3.number().optional().describe("Revalidation interval")
-        })
+      collections: jsonCoerce(
+        z4.array(
+          z4.object({
+            name: z4.string().describe("Collection name"),
+            revalidateSeconds: numCoerce(z4.number().optional()).describe("Revalidation interval")
+          })
+        )
       ).describe("Array of collection configurations"),
-      defaultFallback: z3.enum(["blocking", "true", "false"]).optional().describe("Default fallback behavior"),
-      configPath: z3.string().optional().describe("Path to stackwright.yml")
+      defaultFallback: z4.enum(["blocking", "true", "false"]).optional().describe("Default fallback behavior"),
+      configPath: z4.string().optional().describe("Path to stackwright.yml")
     },
     async ({ collections, defaultFallback = "blocking", configPath }) => {
       const lines = [`\u2699\uFE0F Batch ISR Configuration:
@@ -447,17 +483,17 @@ Fallback: ${defaultFallback}`);
 }
 
 // src/tools/dashboard.ts
-import { z as z4 } from "zod";
+import { z as z5 } from "zod";
 import { listEntities as listEntities2 } from "@stackwright-pro/cli-data-explorer";
 function registerDashboardTools(server2) {
   server2.tool(
     "stackwright_pro_generate_dashboard",
     "Generate a dashboard page configuration for displaying API data. Creates YAML content for a Stackwright page with grid, metric_card, data_table, and collection_list content types. Use this after stackwright_pro_generate_filter to create pages for your API collections.",
     {
-      entities: z4.array(z4.string()).describe("Entity slugs to include in dashboard"),
-      layout: z4.enum(["grid", "table", "mixed"]).optional().describe("Dashboard layout style"),
-      pageTitle: z4.string().optional().describe("Page title"),
-      specPath: z4.string().optional().describe("Path to OpenAPI spec for entity details")
+      entities: jsonCoerce(z5.array(z5.string())).describe("Entity slugs to include in dashboard"),
+      layout: z5.enum(["grid", "table", "mixed"]).optional().describe("Dashboard layout style"),
+      pageTitle: z5.string().optional().describe("Page title"),
+      specPath: z5.string().optional().describe("Path to OpenAPI spec for entity details")
     },
     async ({ entities, layout = "mixed", pageTitle, specPath }) => {
       let entityDetails = [];
@@ -543,9 +579,9 @@ ${yaml}
     "stackwright_pro_generate_detail_page",
     "Generate a detail view page for a single API entity. Creates YAML content for displaying all fields of an individual record. Use this to create detail pages that complement collection listing pages.",
     {
-      entity: z4.string().describe('Entity slug (e.g., "equipment")'),
-      slugField: z4.string().optional().describe('Field to use as URL slug (default: "id")'),
-      specPath: z4.string().optional().describe("Path to OpenAPI spec for field details")
+      entity: z5.string().describe('Entity slug (e.g., "equipment")'),
+      slugField: z5.string().optional().describe('Field to use as URL slug (default: "id")'),
+      specPath: z5.string().optional().describe("Path to OpenAPI spec for field details")
     },
     async ({ entity, slugField = "id", specPath }) => {
       let fields = [];
@@ -568,39 +604,49 @@ ${yaml}
         `    title: "${entityName} Details | {{ ${entity}.${slugField} }}"`,
         "",
         "  content_items:",
-        "    - main:",
-        '        label: "detail-header"',
-        "        heading:",
-        `          text: "{{ ${entity}.${slugField} }}"`,
-        '          textSize: "h1"',
-        "        textBlocks:",
-        `          - text: "Details for this ${entity}"`,
-        '            textSize: "body1"',
-        '        background: "primary"',
-        '        color: "text"',
+        "    - type: text_block",
+        '      label: "detail-header"',
+        "      heading:",
+        `        text: "{{ ${entity}.${slugField} }}"`,
+        '        textSize: "h1"',
+        "      textBlocks:",
+        `        - text: "Details for this ${entity}"`,
+        '          textSize: "body1"',
         "",
-        "    - grid:",
-        '        label: "detail-fields"',
-        "        columns: 2",
-        "        items:"
+        "    - type: grid",
+        '      label: "detail-fields"',
+        "      columns:"
       ];
       const displayFields = fields.length > 0 ? fields.slice(0, 8) : [
         { name: slugField, type: "string" },
         { name: "created_at", type: "datetime" },
         { name: "updated_at", type: "datetime" }
       ];
-      for (const field of displayFields) {
-        const label = field.name.replace(/_/g, " ").replace(/\b\w/g, (l) => l.toUpperCase());
-        yamlLines.push(`          - card:`);
-        yamlLines.push(`              label: "${field.name}-field"`);
-        yamlLines.push(`              heading:`);
-        yamlLines.push(`                text: "${label}"`);
-        yamlLines.push(`                textSize: "h4"`);
-        yamlLines.push(`              content:`);
-        yamlLines.push(`                - text: "{{ ${entity}.${field.name} }}"`);
-        yamlLines.push(`                  textSize: "body1"`);
-      }
-      yamlLines.push('        background: "background"');
+      const mid = Math.ceil(displayFields.length / 2);
+      const col1 = displayFields.slice(0, mid);
+      const col2 = displayFields.slice(mid);
+      for (const [colIndex, colFields] of [col1, col2].entries()) {
+        yamlLines.push("        - width: 1");
+        yamlLines.push("          content_items:");
+        for (const field of colFields) {
+          const label = field.name.replace(/_/g, " ").replace(/\b\w/g, (l) => l.toUpperCase());
+          yamlLines.push("            - type: text_block");
+          yamlLines.push(`              label: "${field.name}-field"`);
+          yamlLines.push("              heading:");
+          yamlLines.push(`                text: "${label}"`);
+          yamlLines.push('                textSize: "h4"');
+          yamlLines.push("              textBlocks:");
+          yamlLines.push(`                - text: "{{ ${entity}.${field.name} }}"`);
+          yamlLines.push('                  textSize: "body1"');
+        }
+      }
+      yamlLines.push("");
+      yamlLines.push("    - type: action_bar");
+      yamlLines.push("      actions:");
+      yamlLines.push(`        - label: "<- Back to ${entityName}"`);
+      yamlLines.push("          action: navigate");
+      yamlLines.push(`          href: "/${entity}"`);
+      yamlLines.push("          style: secondary");
       const yaml = yamlLines.join("\n");
       return {
         content: [
@@ -621,7 +667,7 @@ ${yaml}
 }
 
 // src/tools/clarification.ts
-import { z as z5 } from "zod";
+import { z as z6 } from "zod";
 var CONTRADICTION_PATTERNS = [
   {
     keywords: ["minimal", "clean", "simple"],
@@ -709,12 +755,14 @@ function registerClarificationTools(server2) {
     "stackwright_pro_clarify",
     "Ask the user for clarification when a specialist otter encounters ambiguity. This is for MID-EXECUTION questions, NOT upfront question collection (use the Question Manifest Protocol for that). Returns a structured response for the foreman to present to the user via ask_user_question (closed_choice) or directly (open_text).",
     {
-      context: z5.string().optional().describe("Context about what the otter is trying to do"),
-      question_type: z5.enum(["closed_choice", "open_text"]).describe("Type of question being asked"),
-      question: z5.string().describe("The clarification question to ask the user"),
-      choices: z5.array(z5.string()).optional().describe("Options for closed_choice questions"),
-      priority: z5.enum(["blocking", "preferred", "optional"]).optional().default("preferred").describe("How critical is this clarification? Default: preferred"),
-      target_field: z5.string().optional().describe("What field/config does this clarify?")
+      context: z6.string().optional().describe("Context about what the otter is trying to do"),
+      question_type: z6.enum(["closed_choice", "open_text"]).describe("Type of question being asked"),
+      question: z6.string().describe("The clarification question to ask the user"),
+      choices: jsonCoerce(z6.array(z6.string()).optional()).describe(
+        "Options for closed_choice questions"
+      ),
+      priority: z6.enum(["blocking", "preferred", "optional"]).optional().default("preferred").describe("How critical is this clarification? Default: preferred"),
+      target_field: z6.string().optional().describe("What field/config does this clarify?")
     },
     async ({ context, question_type, question, choices, priority, target_field }) => {
       const result = handleClarify({
@@ -743,8 +791,10 @@ function registerClarificationTools(server2) {
     "stackwright_pro_detect_conflict",
     "Detect when a user's stated preference conflicts with their selected choices. Uses keyword heuristics against known contradiction patterns (minimal vs vibrant, dark vs light, etc). Returns conflict details and resolution options.",
     {
-      stated_preference: z5.string().describe("What the user said they wanted"),
-      selected_values: z5.record(z5.string(), z5.string()).describe("What the user actually selected (field \u2192 value)")
+      stated_preference: z6.string().describe("What the user said they wanted"),
+      selected_values: jsonCoerce(z6.record(z6.string(), z6.string())).describe(
+        "What the user actually selected (field \u2192 value)"
+      )
     },
     async ({ stated_preference, selected_values }) => {
       const result = handleDetectConflict({ stated_preference, selected_values });
@@ -789,7 +839,7 @@ ${result.resolution_options?.map((o) => `  \u2022 ${o}`).join("\n")}
 }
 
 // src/tools/packages.ts
-import { z as z6 } from "zod";
+import { z as z7 } from "zod";
 import { readFileSync, writeFileSync, existsSync, realpathSync, lstatSync } from "fs";
 import { execSync } from "child_process";
 import path2 from "path";
@@ -810,17 +860,23 @@ function registerPackageTools(server2) {
     "Ensures pro packages are present in a project's package.json. Safe to call multiple times \u2014 never overwrites existing version pins. Use this to bootstrap dependencies before specialist otters run. Pass includeBaseline: true to automatically include all required @stackwright-pro/* baseline dependencies. Safe to call on existing projects \u2014 never overwrites pinned versions.",
     {
       // FIX 3 (B-new-1): Zod v4 requires two-arg z.record(keySchema, valueSchema)
-      packages: z6.record(z6.string(), z6.string()).describe(
-        'Dependencies to add. Record<packageName, version>. e.g. { "@stackwright-pro/auth": "latest" }'
+      packages: jsonCoerce(z7.record(z7.string(), z7.string()).optional().default({})).describe(
+        'Dependencies to add. Record<packageName, version>. e.g. { "@stackwright-pro/auth": "latest" }. Omit or pass {} when using includeBaseline: true.'
+      ),
+      devPackages: jsonCoerce(z7.record(z7.string(), z7.string()).optional()).describe(
+        "devDependencies to add. Same format as packages."
+      ),
+      scripts: jsonCoerce(z7.record(z7.string(), z7.string()).optional()).describe(
+        "npm scripts to add. Only adds if key does not already exist."
       ),
-      devPackages: z6.record(z6.string(), z6.string()).optional().describe("devDependencies to add. Same format as packages."),
-      scripts: z6.record(z6.string(), z6.string()).optional().describe("npm scripts to add. Only adds if key does not already exist."),
-      targetDir: z6.string().optional().describe(
+      targetDir: z7.string().optional().describe(
         "Project directory containing package.json. Defaults to process.cwd(). Must be an absolute path within the current working directory."
       ),
-      runInstall: z6.boolean().optional().default(true).describe("Run pnpm install after writing package.json. Defaults to true."),
-      includeBaseline: z6.boolean().optional().default(false).describe(
-        "When true, automatically merges BASELINE_DEPS and BASELINE_DEV_DEPS before applying packages/devPackages args. Safe to call on existing projects \u2014 never overwrites pinned versions."
+      runInstall: boolCoerce(z7.boolean().optional().default(true)).describe(
+        "Run pnpm install after writing package.json. Defaults to true. Pass boolean true/false."
+      ),
+      includeBaseline: boolCoerce(z7.boolean().optional().default(false)).describe(
+        "When true, automatically merges BASELINE_DEPS and BASELINE_DEV_DEPS before applying packages/devPackages args. Safe to call on existing projects \u2014 never overwrites pinned versions. Pass boolean true/false."
       )
     },
     async ({ packages, devPackages, scripts, targetDir, runInstall, includeBaseline }) => {
@@ -978,11 +1034,11 @@ function setupPackages(opts) {
       }
     }
     const raw = readFileSync(realPackageJsonPath, "utf8");
-    const PackageJsonSchema = z6.object({
+    const PackageJsonSchema = z7.object({
       // Zod v4: z.record(keySchema, valueSchema) — two-arg form required
-      dependencies: z6.record(z6.string(), z6.string()).optional(),
-      devDependencies: z6.record(z6.string(), z6.string()).optional(),
-      scripts: z6.record(z6.string(), z6.string()).optional()
+      dependencies: z7.record(z7.string(), z7.string()).optional(),
+      devDependencies: z7.record(z7.string(), z7.string()).optional(),
+      scripts: z7.record(z7.string(), z7.string()).optional()
     }).passthrough();
     const schemaResult = PackageJsonSchema.safeParse(JSON.parse(raw));
     if (!schemaResult.success) {
@@ -1063,9 +1119,10 @@ function setupPackages(opts) {
 }
 
 // src/tools/questions.ts
-import { readFile } from "fs/promises";
+import { readFile, writeFile } from "fs/promises";
+import { existsSync as existsSync2, lstatSync as lstatSync2, mkdirSync, renameSync } from "fs";
 import { join } from "path";
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
 
 // src/question-adapter.ts
 function truncate(str, maxLength) {
@@ -1251,22 +1308,22 @@ function answersToManifestFormat(answers, questions) {
 }
 
 // src/tools/questions.ts
-var ManifestQuestionSchema = z7.object({
-  id: z7.string(),
-  question: z7.string(),
-  type: z7.enum(["text", "select", "multi-select", "confirm"]),
-  required: z7.boolean().optional(),
-  options: z7.array(
-    z7.object({
-      label: z7.string(),
-      value: z7.string()
+var ManifestQuestionSchema = z8.object({
+  id: z8.string(),
+  question: z8.string(),
+  type: z8.enum(["text", "select", "multi-select", "confirm"]),
+  required: z8.boolean().optional(),
+  options: z8.array(
+    z8.object({
+      label: z8.string(),
+      value: z8.string()
     })
   ).optional(),
-  default: z7.union([z7.string(), z7.boolean(), z7.array(z7.string())]).optional(),
-  help: z7.string().optional(),
-  dependsOn: z7.object({
-    questionId: z7.string(),
-    value: z7.union([z7.string(), z7.array(z7.string())])
+  default: z8.union([z8.string(), z8.boolean(), z8.array(z8.string())]).optional(),
+  help: z8.string().optional(),
+  dependsOn: z8.object({
+    questionId: z8.string(),
+    value: z8.union([z8.string(), z8.array(z8.string())])
   }).optional()
 });
 function registerQuestionTools(server2) {
@@ -1274,11 +1331,13 @@ function registerQuestionTools(server2) {
     "stackwright_pro_present_phase_questions",
     "Adapt manifest-format questions from a specialist otter and present them to the user via ask_user_question. Pass only the phase name \u2014 this tool reads questions from .stackwright/question-manifest.json automatically. The questions parameter is optional and only needed if the manifest has not been written yet. Use this instead of calling ask_user_question directly \u2014 it handles label truncation (50-char limit), header generation, confirm/text defaults, and correct array formatting automatically. IMPORTANT: This is the ONLY approved way to prepare questions before calling ask_user_question. Never call ask_user_question with raw manifest questions. Never retry ask_user_question validation errors by calling it directly \u2014 always re-call this tool.",
     {
-      phase: z7.string().describe('Phase name for display context, e.g. "designer", "api", "auth"'),
-      questions: z7.array(ManifestQuestionSchema).optional().describe(
+      phase: z8.string().describe('Phase name for display context, e.g. "designer", "api", "auth"'),
+      questions: jsonCoerce(z8.array(ManifestQuestionSchema).optional()).describe(
         "Questions in Question Manifest format. If omitted, questions are read from .stackwright/question-manifest.json using the phase name."
       ),
-      answers: z7.record(z7.union([z7.string(), z7.array(z7.string()), z7.boolean()])).optional().describe("Previously collected answers used to resolve dependsOn conditions")
+      answers: jsonCoerce(
+        z8.record(z8.string(), z8.union([z8.string(), z8.array(z8.string()), z8.boolean()])).optional()
+      ).describe("Previously collected answers used to resolve dependsOn conditions")
     },
     async ({ phase, questions, answers }) => {
       let resolvedQuestions;
@@ -1329,17 +1388,36 @@ function registerQuestionTools(server2) {
         }
       }
       const adapted = adaptQuestions(resolvedQuestions, answers ?? {});
+      const labelSchema = z8.string().max(50, "Value should have at most 50 characters");
+      for (const q of adapted) {
+        for (const opt of q.options) {
+          const check = labelSchema.safeParse(opt.label);
+          if (!check.success) {
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({
+                    error: `Option label for phase "${phase}" exceeds 50 characters: ${check.error.issues[0]?.message ?? "label too long"}. Truncate option labels to \u226450 characters before calling this tool.`
+                  })
+                }
+              ],
+              isError: true
+            };
+          }
+        }
+      }
       if (adapted.length === 0) {
         return {
           content: [
             {
               type: "text",
-              text: JSON.stringify({
-                phase,
-                skipped: true,
-                reason: "No questions to present (all filtered by dependsOn conditions)",
-                answers: []
-              })
+              text: `Phase "${phase}" has no questions to present. Do NOT call ask_user_question. Call stackwright_pro_save_phase_answers({ phase: "${phase}", rawAnswers: [] }) directly, then proceed to the execution step for this phase.`
+            },
+            {
+              type: "text",
+              // Empty array — second block always present so the foreman's two-block contract holds
+              text: JSON.stringify([])
             }
           ],
           isError: false
@@ -1360,11 +1438,149 @@ function registerQuestionTools(server2) {
       };
     }
   );
+  server2.tool(
+    "stackwright_pro_get_next_question",
+    "Returns the next unanswered question for a phase as a plain JSON object \u2014 one question at a time. Returns { done: true } when all questions are answered or the phase has no questions. Call this in a loop: present the question in plain chat, get user reply, call record_answer, repeat.",
+    { phase: z8.string().describe('Phase name e.g. "designer", "api", "auth"') },
+    async ({ phase }) => {
+      const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+      if (!SAFE_PHASE.test(phase)) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ error: `Invalid phase name: "${phase.slice(0, 50)}"` })
+            }
+          ],
+          isError: true
+        };
+      }
+      const cwd = process.cwd();
+      const questionsPath = join(cwd, ".stackwright", "questions", `${phase}.json`);
+      let questions = [];
+      try {
+        const raw = await readFile(questionsPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        questions = parsed.questions ?? [];
+      } catch {
+        return { content: [{ type: "text", text: JSON.stringify({ done: true }) }] };
+      }
+      if (questions.length === 0) {
+        return { content: [{ type: "text", text: JSON.stringify({ done: true }) }] };
+      }
+      const answersPath = join(cwd, ".stackwright", "answers", `${phase}.json`);
+      let answeredIds = /* @__PURE__ */ new Set();
+      try {
+        const raw = await readFile(answersPath, "utf-8");
+        const parsed = JSON.parse(raw);
+        answeredIds = new Set(Object.keys(parsed.answers ?? {}));
+      } catch {
+      }
+      const next = questions.find((q) => !answeredIds.has(q.id));
+      if (!next) {
+        return { content: [{ type: "text", text: JSON.stringify({ done: true }) }] };
+      }
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              done: false,
+              questionId: next.id,
+              question: next.question,
+              type: next.type,
+              options: next.options ?? null,
+              help: next.help ?? null,
+              index: questions.indexOf(next) + 1,
+              total: questions.length
+            })
+          }
+        ]
+      };
+    }
+  );
+  server2.tool(
+    "stackwright_pro_record_answer",
+    "Records a single answer to a phase question. Appends to .stackwright/answers/{phase}.json incrementally. Idempotent \u2014 calling twice for the same questionId overwrites. Call after receiving each user reply in the conversational question loop.",
+    {
+      phase: z8.string().describe('Phase name e.g. "designer"'),
+      questionId: z8.string().describe('The question ID from get_next_question, e.g. "designer-1"'),
+      answer: z8.string().describe("The user's free-text answer")
+    },
+    async ({ phase, questionId, answer }) => {
+      const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+      if (!SAFE_PHASE.test(phase)) {
+        return {
+          content: [
+            { type: "text", text: JSON.stringify({ error: "Invalid phase name" }) }
+          ],
+          isError: true
+        };
+      }
+      if (!/^[a-z0-9][a-z0-9-]{0,63}$/i.test(questionId)) {
+        return {
+          content: [
+            { type: "text", text: JSON.stringify({ error: "Invalid questionId" }) }
+          ],
+          isError: true
+        };
+      }
+      const safeAnswer = answer.slice(0, 2e3);
+      const cwd = process.cwd();
+      const answersDir = join(cwd, ".stackwright", "answers");
+      const answersPath = join(answersDir, `${phase}.json`);
+      if (existsSync2(answersDir) && lstatSync2(answersDir).isSymbolicLink()) {
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({ error: "answers dir is a symlink \u2014 refusing to write" })
+            }
+          ],
+          isError: true
+        };
+      }
+      mkdirSync(answersDir, { recursive: true });
+      let existing = {
+        version: "1.0",
+        phase,
+        answers: {}
+      };
+      try {
+        if (existsSync2(answersPath)) {
+          if (lstatSync2(answersPath).isSymbolicLink()) {
+            return {
+              content: [
+                {
+                  type: "text",
+                  text: JSON.stringify({ error: "answers file is a symlink \u2014 refusing to write" })
+                }
+              ],
+              isError: true
+            };
+          }
+          const raw = await readFile(answersPath, "utf-8");
+          existing = JSON.parse(raw);
+        }
+      } catch {
+      }
+      existing.answers[questionId] = safeAnswer;
+      existing.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const tmp = `${answersPath}.tmp`;
+      await writeFile(tmp, JSON.stringify(existing, null, 2), "utf-8");
+      renameSync(tmp, answersPath);
+      return {
+        content: [
+          { type: "text", text: JSON.stringify({ recorded: true, phase, questionId }) }
+        ]
+      };
+    }
+  );
 }
 
 // src/tools/orchestration.ts
-import { z as z8 } from "zod";
-import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync2, mkdirSync, lstatSync as lstatSync2 } from "fs";
+import { z as z9 } from "zod";
+import { readFileSync as readFileSync2, writeFileSync as writeFileSync2, existsSync as existsSync3, mkdirSync as mkdirSync2, lstatSync as lstatSync3 } from "fs";
 import { join as join2 } from "path";
 var OTTER_NAME_TO_PHASE = [
   ["designer", "designer"],
@@ -1374,7 +1590,9 @@ var OTTER_NAME_TO_PHASE = [
   ["dashboard", "dashboard"],
   ["data", "data"],
   ["page", "pages"],
-  ["workflow", "workflow"]
+  ["workflow", "workflow"],
+  ["polish", "polish"],
+  ["geo", "geo"]
 ];
 var PHASE_TO_OTTER = {
   designer: "stackwright-pro-designer-otter",
@@ -1384,7 +1602,9 @@ var PHASE_TO_OTTER = {
   pages: "stackwright-pro-page-otter",
   dashboard: "stackwright-pro-dashboard-otter",
   data: "stackwright-pro-data-otter",
-  workflow: "stackwright-pro-workflow-otter"
+  workflow: "stackwright-pro-workflow-otter",
+  polish: "stackwright-pro-polish-otter",
+  geo: "stackwright-pro-geo-otter"
 };
 function detectPhase(otterName) {
   const lower = otterName.toLowerCase();
@@ -1420,9 +1640,9 @@ function handleSaveManifest(input) {
   const dir = join2(cwd, ".stackwright");
   const filePath = join2(dir, "question-manifest.json");
   try {
-    mkdirSync(dir, { recursive: true });
-    if (existsSync2(filePath)) {
-      const stat = lstatSync2(filePath);
+    mkdirSync2(dir, { recursive: true });
+    if (existsSync3(filePath)) {
+      const stat = lstatSync3(filePath);
       if (stat.isSymbolicLink()) {
         const message = `Refusing to write to symlink: ${filePath}`;
         return {
@@ -1454,7 +1674,7 @@ function handleSavePhaseAnswers(input) {
   const dir = join2(cwd, ".stackwright", "answers");
   const filePath = join2(dir, `${input.phase}.json`);
   try {
-    mkdirSync(dir, { recursive: true });
+    mkdirSync2(dir, { recursive: true });
     let answers;
     if (input.questions && input.questions.length > 0) {
       answers = answersToManifestFormat(input.rawAnswers, input.questions);
@@ -1469,8 +1689,8 @@ function handleSavePhaseAnswers(input) {
       completedAt: (/* @__PURE__ */ new Date()).toISOString(),
       answers
     };
-    if (existsSync2(filePath)) {
-      const stat = lstatSync2(filePath);
+    if (existsSync3(filePath)) {
+      const stat = lstatSync3(filePath);
       if (stat.isSymbolicLink()) {
         const message = `Refusing to write to symlink: ${filePath}`;
         return {
@@ -1499,7 +1719,7 @@ function handleSavePhaseAnswers(input) {
 function handleReadPhaseAnswers(input) {
   const cwd = input._cwd ?? process.cwd();
   const filePath = join2(cwd, ".stackwright", "answers", `${input.phase}.json`);
-  if (!existsSync2(filePath)) {
+  if (!existsSync3(filePath)) {
     return {
       text: JSON.stringify({ missing: true, phase: input.phase }),
       isError: false
@@ -1531,13 +1751,63 @@ function handleGetOtterName(input) {
     isError: false
   };
 }
+function handleSaveBuildContext(input) {
+  const cwd = input._cwd ?? process.cwd();
+  const dir = join2(cwd, ".stackwright");
+  const filePath = join2(dir, "build-context.json");
+  try {
+    mkdirSync2(dir, { recursive: true });
+    if (existsSync3(filePath)) {
+      const stat = lstatSync3(filePath);
+      if (stat.isSymbolicLink()) {
+        return {
+          text: JSON.stringify({
+            success: false,
+            error: `Refusing to write to symlink: ${filePath}`
+          }),
+          isError: true
+        };
+      }
+    }
+    const payload = {
+      version: "1.0",
+      savedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      buildContext: input.buildContext
+    };
+    writeFileSync2(filePath, JSON.stringify(payload, null, 2) + "\n");
+    return {
+      text: JSON.stringify({ success: true, path: filePath }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      text: JSON.stringify({ success: false, error: message }),
+      isError: true
+    };
+  }
+}
 function registerOrchestrationTools(server2) {
+  server2.tool(
+    "stackwright_pro_save_build_context",
+    `Save the user's initial build description to .stackwright/build-context.json. Call this once at startup after the user answers the opening "what are you building" question. The saved context is automatically prepended to specialist prompts by stackwright_pro_build_specialist_prompt.`,
+    {
+      buildContext: z9.string().describe("Free-text description of what the user wants to build")
+    },
+    async ({ buildContext }) => {
+      const { text, isError } = handleSaveBuildContext({ buildContext });
+      return {
+        content: [{ type: "text", text }],
+        isError
+      };
+    }
+  );
   server2.tool(
     "stackwright_pro_parse_otter_response",
     "Parse and validate a specialist otter's QUESTION_COLLECTION_MODE JSON response. Handles JSON extraction from LLM responses (strips markdown, fixes single quotes, trailing commas). Detects the phase from the otter name. Use this immediately after invoke_agent() to get a validated manifest phase object.",
     {
-      otterName: z8.string().describe('The agent name, e.g. "stackwright-pro-api-otter"'),
-      responseText: z8.string().describe("Raw text response from the otter's QUESTION_COLLECTION_MODE invocation")
+      otterName: z9.string().describe('The agent name, e.g. "stackwright-pro-api-otter"'),
+      responseText: z9.string().describe("Raw text response from the otter's QUESTION_COLLECTION_MODE invocation")
     },
     async ({ otterName, responseText }) => {
       const { result, isError } = handleParseOtterResponse({ otterName, responseText });
@@ -1551,16 +1821,18 @@ function registerOrchestrationTools(server2) {
     "stackwright_pro_save_manifest",
     "Write the question manifest to .stackwright/question-manifest.json. Call this after collecting and parsing questions from all otters via stackwright_pro_parse_otter_response.",
     {
-      phases: z8.array(
-        z8.object({
-          phase: z8.string(),
-          otter: z8.string(),
-          questions: z8.array(z8.any()),
-          requiredPackages: z8.object({
-            dependencies: z8.record(z8.string(), z8.string()).optional(),
-            devPackages: z8.record(z8.string(), z8.string()).optional()
-          }).optional()
-        })
+      phases: jsonCoerce(
+        z9.array(
+          z9.object({
+            phase: z9.string(),
+            otter: z9.string(),
+            questions: z9.array(z9.any()),
+            requiredPackages: z9.object({
+              dependencies: z9.record(z9.string(), z9.string()).optional(),
+              devPackages: z9.record(z9.string(), z9.string()).optional()
+            }).optional()
+          })
+        )
       ).describe("Array of parsed phase objects from stackwright_pro_parse_otter_response")
     },
     async ({ phases }) => {
@@ -1575,15 +1847,21 @@ function registerOrchestrationTools(server2) {
     "stackwright_pro_save_phase_answers",
     "Save user answers for a phase to .stackwright/answers/{phase}.json. Pass rawAnswers directly from ask_user_question and the original manifest questions for label-to-value reverse mapping.",
     {
-      phase: z8.string().describe('Phase name, e.g. "designer"'),
-      rawAnswers: z8.array(
-        z8.object({
-          question_header: z8.string(),
-          selected_options: z8.array(z8.string()),
-          other_text: z8.string().nullable().optional()
-        })
-      ).describe("Answers as returned by ask_user_question"),
-      questions: z8.array(z8.any()).optional().describe("Original manifest questions for label\u2192value reverse-mapping")
+      phase: z9.string().describe('Phase name, e.g. "designer"'),
+      rawAnswers: jsonCoerce(
+        z9.array(
+          z9.object({
+            question_header: z9.string(),
+            selected_options: z9.array(z9.string()),
+            other_text: z9.string().nullable().optional()
+          })
+        )
+      ).describe(
+        "Answers as returned by ask_user_question \u2014 pass the native array, not a JSON string"
+      ),
+      questions: jsonCoerce(z9.array(z9.any()).optional()).describe(
+        "Original manifest questions for label\u2192value reverse-mapping \u2014 pass the native array, not a JSON string"
+      )
     },
     async ({ phase, rawAnswers, questions }) => {
       const { text, isError } = handleSavePhaseAnswers({
@@ -1601,7 +1879,7 @@ function registerOrchestrationTools(server2) {
     "stackwright_pro_read_phase_answers",
     "Read saved answers for a phase from .stackwright/answers/{phase}.json. Returns { missing: true } when no answers exist yet \u2014 use this to skip phases safely in the execution loop.",
     {
-      phase: z8.string().describe('Phase name, e.g. "designer"')
+      phase: z9.string().describe('Phase name, e.g. "designer"')
     },
     async ({ phase }) => {
       const { text, isError } = handleReadPhaseAnswers({ phase });
@@ -1615,7 +1893,7 @@ function registerOrchestrationTools(server2) {
     "stackwright_pro_get_otter_name",
     "Get the agent name for a phase (e.g. 'designer' \u2192 'stackwright-pro-designer-otter'). Use this in the execution loop to invoke the correct specialist otter without hardcoding names in the prompt.",
     {
-      phase: z8.string().describe('Phase name, e.g. "designer", "api", "pages"')
+      phase: z9.string().describe('Phase name, e.g. "designer", "api", "pages"')
     },
     async ({ phase }) => {
       const { text, isError } = handleGetOtterName({ phase });
@@ -1628,28 +1906,391 @@ function registerOrchestrationTools(server2) {
 }
 
 // src/tools/pipeline.ts
-import { z as z9 } from "zod";
-import { readFileSync as readFileSync3, writeFileSync as writeFileSync3, existsSync as existsSync3, mkdirSync as mkdirSync2, lstatSync as lstatSync3 } from "fs";
+import { z as z11 } from "zod";
+import { readFileSync as readFileSync4, writeFileSync as writeFileSync4, existsSync as existsSync5, mkdirSync as mkdirSync4, lstatSync as lstatSync5 } from "fs";
+import { join as join4 } from "path";
+import { createHash as createHash3 } from "crypto";
+
+// src/artifact-signing.ts
+import {
+  createHash as createHash2,
+  generateKeyPairSync,
+  createPublicKey,
+  createPrivateKey,
+  sign,
+  verify,
+  timingSafeEqual
+} from "crypto";
+import {
+  readFileSync as readFileSync3,
+  writeFileSync as writeFileSync3,
+  existsSync as existsSync4,
+  mkdirSync as mkdirSync3,
+  lstatSync as lstatSync4,
+  unlinkSync,
+  readdirSync
+} from "fs";
 import { join as join3 } from "path";
+import { z as z10 } from "zod";
+var ALGORITHM = "ECDSA-P384-SHA384";
+var KEY_FILE = "pipeline-keys.json";
+var KEY_DIR = ".stackwright";
+var SIGNATURE_MANIFEST = "signatures.json";
+var ARTIFACTS_DIR = ".stackwright/artifacts";
+function rejectSymlink(filePath, context) {
+  if (!existsSync4(filePath)) return;
+  const stat = lstatSync4(filePath);
+  if (stat.isSymbolicLink()) {
+    throw new Error(`Security: refusing to follow symlink at ${context}: ${filePath}`);
+  }
+}
+function computeSha384(data) {
+  return createHash2("sha384").update(data).digest("hex");
+}
+function safeDigestEqual(a, b) {
+  if (a.length !== b.length) return false;
+  return timingSafeEqual(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"));
+}
+function emptyManifest() {
+  return {
+    version: "1.0",
+    algorithm: ALGORITHM,
+    signatures: {}
+  };
+}
+function initPipelineKeys(cwd) {
+  const keyDir = join3(cwd, KEY_DIR);
+  const keyPath = join3(keyDir, KEY_FILE);
+  rejectSymlink(keyPath, "pipeline-keys.json");
+  mkdirSync3(keyDir, { recursive: true });
+  const { publicKey, privateKey } = generateKeyPairSync("ec", {
+    namedCurve: "P-384"
+  });
+  const publicKeyPem = publicKey.export({ type: "spki", format: "pem" });
+  const privateKeyPem = privateKey.export({ type: "pkcs8", format: "pem" });
+  const fingerprint = createHash2("sha256").update(publicKeyPem).digest("hex");
+  const keyFile = {
+    version: "1.0",
+    algorithm: ALGORITHM,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    publicKeyPem,
+    privateKeyPem
+  };
+  writeFileSync3(keyPath, JSON.stringify(keyFile, null, 2), { encoding: "utf-8" });
+  return { publicKeyPem, fingerprint };
+}
+function loadPipelineKeys(cwd) {
+  const keyPath = join3(cwd, KEY_DIR, KEY_FILE);
+  rejectSymlink(keyPath, "pipeline-keys.json");
+  if (!existsSync4(keyPath)) {
+    throw new Error("Pipeline keys not found \u2014 call initPipelineKeys() first");
+  }
+  let raw;
+  try {
+    raw = readFileSync3(keyPath, "utf-8");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`Cannot read pipeline keys: ${msg}`, { cause: err });
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error("Pipeline keys file is not valid JSON");
+  }
+  if (typeof parsed.publicKeyPem !== "string" || !parsed.publicKeyPem.includes("-----BEGIN PUBLIC KEY-----")) {
+    throw new Error("Invalid public key PEM in pipeline keys file");
+  }
+  if (typeof parsed.privateKeyPem !== "string" || !parsed.privateKeyPem.includes("-----BEGIN")) {
+    throw new Error("Invalid private key PEM in pipeline keys file");
+  }
+  const publicKey = createPublicKey(parsed.publicKeyPem);
+  const privateKey = createPrivateKey(parsed.privateKeyPem);
+  return { privateKey, publicKey };
+}
+function signArtifact(artifactBytes, privateKey) {
+  const digest = computeSha384(artifactBytes);
+  const sig = sign("SHA384", artifactBytes, privateKey);
+  return {
+    digest,
+    signature: sig.toString("base64"),
+    algorithm: ALGORITHM,
+    signedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function verifyArtifact(artifactBytes, signature, publicKey) {
+  const sigValid = verify(
+    "SHA384",
+    artifactBytes,
+    publicKey,
+    Buffer.from(signature.signature, "base64")
+  );
+  if (!sigValid) return false;
+  const actualDigest = computeSha384(artifactBytes);
+  return safeDigestEqual(actualDigest, signature.digest);
+}
+function loadSignatureManifest(cwd) {
+  const manifestPath = join3(cwd, ARTIFACTS_DIR, SIGNATURE_MANIFEST);
+  rejectSymlink(manifestPath, "signatures.json");
+  if (!existsSync4(manifestPath)) return emptyManifest();
+  let raw;
+  try {
+    raw = readFileSync3(manifestPath, "utf-8");
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new Error(`Cannot read signature manifest: ${msg}`, { cause: err });
+  }
+  try {
+    const parsed = JSON.parse(raw);
+    if (parsed.version !== "1.0" || typeof parsed.signatures !== "object") {
+      throw new Error("Malformed signature manifest: invalid version or missing signatures object");
+    }
+    return parsed;
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Malformed")) throw err;
+    throw new Error("Signature manifest is not valid JSON", { cause: err });
+  }
+}
+function saveArtifactSignature(cwd, artifactFilename, sig, signerOtter) {
+  const artifactsDir = join3(cwd, ARTIFACTS_DIR);
+  const manifestPath = join3(artifactsDir, SIGNATURE_MANIFEST);
+  rejectSymlink(manifestPath, "signatures.json (save)");
+  mkdirSync3(artifactsDir, { recursive: true });
+  const manifest = loadSignatureManifest(cwd);
+  manifest.signatures[artifactFilename] = {
+    ...sig,
+    signedBy: signerOtter
+  };
+  writeFileSync3(manifestPath, JSON.stringify(manifest, null, 2), { encoding: "utf-8" });
+}
+function getArtifactSignature(cwd, artifactFilename) {
+  const manifest = loadSignatureManifest(cwd);
+  const entry = manifest.signatures[artifactFilename];
+  if (!entry) return null;
+  return {
+    digest: entry.digest,
+    signature: entry.signature,
+    algorithm: entry.algorithm,
+    signedAt: entry.signedAt
+  };
+}
+function emitSignatureAuditEvent(params) {
+  const record = JSON.stringify({
+    level: "AUDIT",
+    event: "ARTIFACT_SIGNATURE_FAIL",
+    timestamp: params.timestamp,
+    source: params.source,
+    artifactFilename: params.artifactFilename,
+    expectedDigest: params.expectedDigest,
+    actualDigest: params.actualDigest,
+    phase: params.phase
+  });
+  process.stderr.write(`ARTIFACT_SIGNATURE_FAIL ${record}
+`);
+}
+function registerArtifactSigningTools(server2) {
+  server2.tool(
+    "stackwright_pro_verify_artifact_signatures",
+    "Verify ECDSA P-384 signatures for all pipeline artifacts in .stackwright/artifacts/. Auto-discovers keys from .stackwright/pipeline-keys.json. Returns per-artifact verification status.",
+    {
+      cwd: z10.string().optional().describe("Project root directory. Defaults to process.cwd().")
+    },
+    async ({ cwd: cwdParam }) => {
+      const cwd = cwdParam ?? process.cwd();
+      let publicKey;
+      try {
+        const keys = loadPipelineKeys(cwd);
+        publicKey = keys.publicKey;
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: true,
+                message: `Cannot load pipeline keys: ${msg}`
+              })
+            }
+          ],
+          isError: true
+        };
+      }
+      let manifest;
+      try {
+        manifest = loadSignatureManifest(cwd);
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                error: true,
+                message: `Cannot load signature manifest: ${msg}`
+              })
+            }
+          ],
+          isError: true
+        };
+      }
+      const artifactsPath = join3(cwd, ARTIFACTS_DIR);
+      let artifactFiles = [];
+      try {
+        if (existsSync4(artifactsPath)) {
+          artifactFiles = readdirSync(artifactsPath).filter(
+            (f) => f.endsWith(".json") && f !== SIGNATURE_MANIFEST
+          );
+        }
+      } catch {
+      }
+      const results = [];
+      let hasFailure = false;
+      for (const filename of artifactFiles) {
+        const filePath = join3(artifactsPath, filename);
+        try {
+          rejectSymlink(filePath, `artifact ${filename}`);
+        } catch {
+          results.push({
+            filename,
+            verified: false,
+            error: "Refusing to verify symlink"
+          });
+          hasFailure = true;
+          continue;
+        }
+        let artifactBytes;
+        try {
+          artifactBytes = readFileSync3(filePath);
+        } catch (err) {
+          const msg = err instanceof Error ? err.message : String(err);
+          results.push({
+            filename,
+            verified: false,
+            error: `Cannot read artifact: ${msg}`
+          });
+          hasFailure = true;
+          continue;
+        }
+        const entry = manifest.signatures[filename];
+        if (!entry) {
+          results.push({
+            filename,
+            verified: false,
+            error: "No signature found in manifest"
+          });
+          hasFailure = true;
+          continue;
+        }
+        const sig = {
+          digest: entry.digest,
+          signature: entry.signature,
+          algorithm: entry.algorithm,
+          signedAt: entry.signedAt
+        };
+        const verified = verifyArtifact(artifactBytes, sig, publicKey);
+        if (!verified) {
+          const actualDigest = computeSha384(artifactBytes);
+          emitSignatureAuditEvent({
+            artifactFilename: filename,
+            expectedDigest: sig.digest,
+            actualDigest,
+            phase: entry.signedBy ?? "unknown",
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            source: "stackwright_pro_verify_artifact_signatures"
+          });
+          results.push({
+            filename,
+            verified: false,
+            error: `Signature verification failed \u2014 artifact may have been tampered with`,
+            signedBy: entry.signedBy,
+            signedAt: entry.signedAt
+          });
+          hasFailure = true;
+        } else {
+          results.push({
+            filename,
+            verified: true,
+            signedBy: entry.signedBy,
+            signedAt: entry.signedAt
+          });
+        }
+      }
+      for (const manifestFilename of Object.keys(manifest.signatures)) {
+        if (!artifactFiles.includes(manifestFilename)) {
+          results.push({
+            filename: manifestFilename,
+            verified: false,
+            error: "Artifact referenced in manifest but missing from disk"
+          });
+          hasFailure = true;
+        }
+      }
+      const verifiedCount = results.filter((r) => r.verified).length;
+      const failedCount = results.filter((r) => !r.verified).length;
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              totalArtifacts: artifactFiles.length,
+              verifiedCount,
+              failedCount,
+              results,
+              ...hasFailure ? {
+                error: "SIGNATURE VERIFICATION FAILED: One or more artifact signatures are invalid. Do not proceed \u2014 artifacts may have been tampered with."
+              } : {}
+            })
+          }
+        ],
+        isError: hasFailure
+      };
+    }
+  );
+}
+
+// src/tools/pipeline.ts
+import { WorkflowFileSchema, authConfigSchema } from "@stackwright-pro/types";
 var PHASE_ORDER = [
   "designer",
   "theme",
   "api",
-  "auth",
   "data",
+  "geo",
+  "workflow",
+  "services",
   "pages",
   "dashboard",
-  "workflow"
+  "auth",
+  "polish"
 ];
 var PHASE_DEPENDENCIES = {
   designer: [],
   theme: ["designer"],
   api: [],
-  auth: [],
   data: ["api"],
-  pages: ["designer", "theme", "api", "data", "auth"],
-  dashboard: ["designer", "theme", "api", "data"],
-  workflow: ["auth"]
+  geo: ["data"],
+  // workflow: no hard deps — uses service: references with Prism mock fallback
+  // when API artifacts aren't available; roles come from user answers
+  workflow: [],
+  // services: needs API endpoints to know what to wire, and optionally
+  // workflow states as trigger sources. Produces OpenAPI specs consumed
+  // by pages and dashboard for typed data wiring.
+  services: ["api", "workflow"],
+  // pages/dashboard: now also depend on services for typed endpoint wiring
+  // via the OpenAPI specs that services produces.
+  // 'api' is still transitive through 'data'; auth removed — page-otter has
+  // graceful fallback and reads role names from workflow artifacts instead
+  pages: ["designer", "theme", "data", "services"],
+  dashboard: ["designer", "theme", "data", "services"],
+  // auth is the penultimate phase — runs after all content-producing phases
+  // so it can read pages, dashboard, workflow, and geo artifacts for route
+  // protection and RBAC wiring. Skipped upstream phases still satisfy deps
+  // (the foreman marks them executed=true), so auth always runs.
+  auth: ["pages", "dashboard", "workflow", "geo"],
+  // polish is the terminal phase — runs after auth so the landing page and
+  // nav reflect the final set of protected routes and all generated pages.
+  polish: ["auth"]
 };
 var PHASE_ARTIFACT = {
   designer: "design-language.json",
@@ -1659,7 +2300,10 @@ var PHASE_ARTIFACT = {
   data: "data-config.json",
   pages: "pages-manifest.json",
   dashboard: "dashboard-manifest.json",
-  workflow: "workflow-config.json"
+  workflow: "workflow-config.json",
+  services: "services-config.json",
+  polish: "polish-manifest.json",
+  geo: "geo-manifest.json"
 };
 var PHASE_TO_OTTER2 = {
   designer: "stackwright-pro-designer-otter",
@@ -1669,7 +2313,10 @@ var PHASE_TO_OTTER2 = {
   data: "stackwright-pro-data-otter",
   pages: "stackwright-pro-page-otter",
   dashboard: "stackwright-pro-dashboard-otter",
-  workflow: "stackwright-pro-workflow-otter"
+  workflow: "stackwright-pro-workflow-otter",
+  services: "stackwright-services-otter",
+  polish: "stackwright-pro-polish-otter",
+  geo: "stackwright-pro-geo-otter"
 };
 function isValidPhase(phase) {
   return PHASE_ORDER.includes(phase);
@@ -1699,11 +2346,11 @@ function createDefaultState() {
   };
 }
 function statePath(cwd) {
-  return join3(cwd, ".stackwright", "pipeline-state.json");
+  return join4(cwd, ".stackwright", "pipeline-state.json");
 }
 function readState(cwd) {
   const p = statePath(cwd);
-  if (!existsSync3(p)) return createDefaultState();
+  if (!existsSync5(p)) return createDefaultState();
   const raw = JSON.parse(safeReadSync(p));
   if (typeof raw !== "object" || raw === null || raw.version !== "1.0") {
     return createDefaultState();
@@ -1711,26 +2358,26 @@ function readState(cwd) {
   return raw;
 }
 function safeWriteSync(filePath, content) {
-  if (existsSync3(filePath)) {
-    const stat = lstatSync3(filePath);
+  if (existsSync5(filePath)) {
+    const stat = lstatSync5(filePath);
     if (stat.isSymbolicLink()) {
       throw new Error(`Refusing to write to symlink: ${filePath}`);
     }
   }
-  writeFileSync3(filePath, content);
+  writeFileSync4(filePath, content);
 }
 function safeReadSync(filePath) {
-  if (existsSync3(filePath)) {
-    const stat = lstatSync3(filePath);
+  if (existsSync5(filePath)) {
+    const stat = lstatSync5(filePath);
     if (stat.isSymbolicLink()) {
       throw new Error(`Refusing to read symlink: ${filePath}`);
     }
   }
-  return readFileSync3(filePath, "utf-8");
+  return readFileSync4(filePath, "utf-8");
 }
 function writeState(cwd, state) {
-  const dir = join3(cwd, ".stackwright");
-  mkdirSync2(dir, { recursive: true });
+  const dir = join4(cwd, ".stackwright");
+  mkdirSync4(dir, { recursive: true });
   state.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
   safeWriteSync(statePath(cwd), JSON.stringify(state, null, 2) + "\n");
 }
@@ -1751,6 +2398,15 @@ function handleGetPipelineState(_cwd) {
   const cwd = _cwd ?? process.cwd();
   try {
     const state = readState(cwd);
+    const keyPath = join4(cwd, ".stackwright", "pipeline-keys.json");
+    if (!existsSync5(keyPath)) {
+      try {
+        const { fingerprint } = initPipelineKeys(cwd);
+        state["signingKeyFingerprint"] = fingerprint;
+        writeState(cwd, state);
+      } catch {
+      }
+    }
     return { text: JSON.stringify(state), isError: false };
   } catch (err) {
     return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
@@ -1794,36 +2450,70 @@ function handleSetPipelineState(input) {
       if (input.incrementRetry) {
         phaseState.retryCount += 1;
       }
-      state.currentPhase = phase;
+      state.currentPhase = phase;
+    }
+    writeState(cwd, state);
+    return { text: JSON.stringify(state), isError: false };
+  } catch (err) {
+    return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
+  }
+}
+function handleCheckExecutionReady(_cwd, phase) {
+  const cwd = _cwd ?? process.cwd();
+  if (phase) {
+    if (!isValidPhase(phase)) {
+      return {
+        text: JSON.stringify({
+          error: true,
+          message: `Invalid phase: ${phase}. Valid phases are: ${PHASE_ORDER.join(", ")}`
+        }),
+        isError: true
+      };
+    }
+    const answerFile = join4(cwd, ".stackwright", "answers", `${phase}.json`);
+    if (!existsSync5(answerFile)) {
+      return {
+        text: JSON.stringify({ ready: false, phase, reason: "Answer file not found" }),
+        isError: false
+      };
+    }
+    try {
+      const raw = safeReadSync(answerFile);
+      const parsed = JSON.parse(raw);
+      if (typeof parsed["version"] !== "string" || typeof parsed["phase"] !== "string" || typeof parsed["answers"] !== "object" || parsed["answers"] === null) {
+        return {
+          text: JSON.stringify({ ready: false, phase, reason: "Answer file is malformed" }),
+          isError: false
+        };
+      }
+      return { text: JSON.stringify({ ready: true, phase }), isError: false };
+    } catch {
+      return {
+        text: JSON.stringify({ ready: false, phase, reason: "Answer file could not be parsed" }),
+        isError: false
+      };
     }
-    writeState(cwd, state);
-    return { text: JSON.stringify(state), isError: false };
-  } catch (err) {
-    return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
   }
-}
-function handleCheckExecutionReady(_cwd) {
-  const cwd = _cwd ?? process.cwd();
   try {
-    const answersDir = join3(cwd, ".stackwright", "answers");
+    const answersDir = join4(cwd, ".stackwright", "answers");
     const answeredPhases = [];
     const missingPhases = [];
-    for (const phase of PHASE_ORDER) {
-      const answerFile = join3(answersDir, `${phase}.json`);
-      if (existsSync3(answerFile)) {
+    for (const phase2 of PHASE_ORDER) {
+      const answerFile = join4(answersDir, `${phase2}.json`);
+      if (existsSync5(answerFile)) {
         try {
           const raw = safeReadSync(answerFile);
           const parsed = JSON.parse(raw);
           if (typeof parsed["version"] !== "string" || typeof parsed["phase"] !== "string" || typeof parsed["answers"] !== "object" || parsed["answers"] === null) {
-            missingPhases.push(phase);
+            missingPhases.push(phase2);
             continue;
           }
-          answeredPhases.push(phase);
+          answeredPhases.push(phase2);
         } catch {
-          missingPhases.push(phase);
+          missingPhases.push(phase2);
         }
       } else {
-        missingPhases.push(phase);
+        missingPhases.push(phase2);
       }
     }
     return {
@@ -1839,18 +2529,74 @@ function handleCheckExecutionReady(_cwd) {
     return { text: JSON.stringify({ error: true, message: String(err) }), isError: true };
   }
 }
+function handleGetReadyPhases(_cwd) {
+  const cwd = _cwd ?? process.cwd();
+  try {
+    const state = readState(cwd);
+    const completed = [];
+    const ready = [];
+    const blocked = [];
+    for (const phase of PHASE_ORDER) {
+      const ps = state.phases[phase];
+      if (ps?.executed) {
+        completed.push(phase);
+        continue;
+      }
+      const deps = PHASE_DEPENDENCIES[phase];
+      const unmetDeps = deps.filter((dep) => !state.phases[dep]?.executed);
+      if (unmetDeps.length === 0) {
+        ready.push(phase);
+      } else {
+        blocked.push(phase);
+      }
+    }
+    return {
+      text: JSON.stringify({
+        readyPhases: ready,
+        completedPhases: completed,
+        blockedPhases: blocked,
+        waveSize: ready.length,
+        allComplete: ready.length === 0 && blocked.length === 0
+      }),
+      isError: false
+    };
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    return { text: JSON.stringify({ error: true, message }), isError: true };
+  }
+}
 function handleListArtifacts(_cwd) {
   const cwd = _cwd ?? process.cwd();
   try {
-    const artifactsDir = join3(cwd, ".stackwright", "artifacts");
+    const artifactsDir = join4(cwd, ".stackwright", "artifacts");
+    let manifest = null;
+    try {
+      manifest = loadSignatureManifest(cwd);
+    } catch {
+    }
     const artifacts = [];
     let completedCount = 0;
     for (const phase of PHASE_ORDER) {
       const expectedFile = PHASE_ARTIFACT[phase];
-      const fullPath = join3(artifactsDir, expectedFile);
-      const exists = existsSync3(fullPath);
+      const fullPath = join4(artifactsDir, expectedFile);
+      const exists = existsSync5(fullPath);
       if (exists) completedCount++;
-      artifacts.push({ phase, expectedFile, exists, path: fullPath });
+      let signed = false;
+      let signatureValid = null;
+      if (exists && manifest) {
+        const entry = manifest.signatures[expectedFile];
+        if (entry) {
+          signed = true;
+          try {
+            const rawBytes = Buffer.from(safeReadSync(fullPath), "utf-8");
+            const { publicKey } = loadPipelineKeys(cwd);
+            signatureValid = verifyArtifact(rawBytes, entry, publicKey);
+          } catch {
+            signatureValid = null;
+          }
+        }
+      }
+      artifacts.push({ phase, expectedFile, exists, path: fullPath, signed, signatureValid });
     }
     return {
       text: JSON.stringify({ artifacts, completedCount, totalCount: PHASE_ORDER.length }),
@@ -1886,9 +2632,9 @@ function handleWritePhaseQuestions(input) {
       }
     } catch {
     }
-    const questionsDir = join3(cwd, ".stackwright", "questions");
-    mkdirSync2(questionsDir, { recursive: true });
-    const filePath = join3(questionsDir, `${phase}.json`);
+    const questionsDir = join4(cwd, ".stackwright", "questions");
+    mkdirSync4(questionsDir, { recursive: true });
+    const filePath = join4(questionsDir, `${phase}.json`);
     const payload = {
       version: "1.0",
       phase,
@@ -1928,36 +2674,81 @@ function handleBuildSpecialistPrompt(input) {
     };
   }
   try {
-    const answersPath = join3(cwd, ".stackwright", "answers", `${phase}.json`);
+    const answersPath = join4(cwd, ".stackwright", "answers", `${phase}.json`);
     let answers = {};
-    if (existsSync3(answersPath)) {
+    if (existsSync5(answersPath)) {
       answers = JSON.parse(safeReadSync(answersPath));
     }
+    let buildContextText = "";
+    const buildContextPath = join4(cwd, ".stackwright", "build-context.json");
+    if (existsSync5(buildContextPath)) {
+      try {
+        const bcRaw = JSON.parse(safeReadSync(buildContextPath));
+        if (typeof bcRaw.buildContext === "string" && bcRaw.buildContext.trim().length > 0) {
+          buildContextText = bcRaw.buildContext.trim();
+        }
+      } catch {
+      }
+    }
     const deps = PHASE_DEPENDENCIES[phase];
     const artifactSections = [];
     const missingDependencies = [];
     for (const dep of deps) {
       const artifactFile = PHASE_ARTIFACT[dep];
-      const artifactPath = join3(cwd, ".stackwright", "artifacts", artifactFile);
-      if (existsSync3(artifactPath)) {
-        const content = JSON.parse(safeReadSync(artifactPath));
+      const artifactPath = join4(cwd, ".stackwright", "artifacts", artifactFile);
+      if (existsSync5(artifactPath)) {
+        const rawContent = safeReadSync(artifactPath);
+        const rawBytes = Buffer.from(rawContent, "utf-8");
+        const content = JSON.parse(rawContent);
+        let signatureVerified = false;
+        let signatureAvailable = false;
+        try {
+          const sig = getArtifactSignature(cwd, artifactFile);
+          if (sig) {
+            signatureAvailable = true;
+            const { publicKey } = loadPipelineKeys(cwd);
+            signatureVerified = verifyArtifact(rawBytes, sig, publicKey);
+            if (!signatureVerified) {
+              const actualDigest = createHash3("sha384").update(rawBytes).digest("hex");
+              emitSignatureAuditEvent({
+                artifactFilename: artifactFile,
+                expectedDigest: sig.digest,
+                actualDigest,
+                phase: dep,
+                timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+                source: "stackwright_pro_build_specialist_prompt"
+              });
+              missingDependencies.push(dep);
+              artifactSections.push(
+                `[${artifactFile}]:
+(integrity check failed: ECDSA-P384 signature verification failed \u2014 artifact may have been tampered with)`
+              );
+              continue;
+            }
+          }
+        } catch {
+        }
         const expectedOtter = PHASE_TO_OTTER2[dep];
         const artifactOtter = content["generatedBy"];
+        const normalizedOtter = artifactOtter?.replace(/-[a-f0-9]{6}$/, "");
         if (!artifactOtter) {
           missingDependencies.push(dep);
           artifactSections.push(
             `[${artifactFile}]:
 (integrity check failed: missing generatedBy field)`
           );
-        } else if (artifactOtter !== expectedOtter) {
+        } else if (normalizedOtter !== expectedOtter) {
           missingDependencies.push(dep);
           artifactSections.push(
             `[${artifactFile}]:
 (integrity check failed: artifact claims generatedBy="${artifactOtter}" but expected="${expectedOtter}")`
           );
         } else {
-          artifactSections.push(`[${artifactFile}]:
-${JSON.stringify(content, null, 2)}`);
+          const sigStatus = signatureAvailable ? signatureVerified ? " [signature verified]" : " [signature check skipped]" : " [unsigned]";
+          artifactSections.push(
+            `[${artifactFile}]${sigStatus}:
+${JSON.stringify(content, null, 2)}`
+          );
         }
       } else {
         missingDependencies.push(dep);
@@ -1965,10 +2756,17 @@ ${JSON.stringify(content, null, 2)}`);
 (not yet available)`);
       }
     }
-    const parts = ["ANSWERS:", JSON.stringify(answers, null, 2)];
+    const parts = [];
+    if (buildContextText) {
+      parts.push("BUILD_CONTEXT:", buildContextText, "");
+    }
+    parts.push("ANSWERS:", JSON.stringify(answers, null, 2));
     if (artifactSections.length > 0) {
       parts.push("", "UPSTREAM ARTIFACTS:", "", ...artifactSections);
     }
+    const artifactSchema = PHASE_ARTIFACT_SCHEMA[phase];
+    parts.push("", "REQUIRED_ARTIFACT_SCHEMA:");
+    parts.push(artifactSchema);
     parts.push("", "Execute using these answers and the upstream artifacts provided.");
     const prompt = parts.join("\n");
     const dependenciesSatisfied = missingDependencies.length === 0;
@@ -2003,45 +2801,301 @@ var OFF_SCRIPT_PATTERNS = [
 var PHASE_REQUIRED_KEYS = {
   designer: ["designLanguage", "themeTokenSeeds"],
   theme: ["tokens"],
-  api: ["entities"],
+  api: ["entities", "version", "generatedBy"],
   auth: ["version", "generatedBy"],
-  data: ["version", "generatedBy"],
+  data: ["version", "generatedBy", "strategy", "collections"],
   pages: ["version", "generatedBy"],
   dashboard: ["version", "generatedBy"],
-  workflow: ["version", "generatedBy"]
+  workflow: ["version", "generatedBy"],
+  services: ["version", "generatedBy", "flows"],
+  polish: ["version", "generatedBy"],
+  geo: ["version", "generatedBy", "geoCollections"]
+};
+var PHASE_ARTIFACT_SCHEMA = {
+  designer: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-designer-otter",
+      application: {
+        type: "<operational|data-explorer|admin|logistics|general>",
+        environment: "<workstation|field|control-room|mixed>",
+        density: "<compact|balanced|spacious>",
+        accessibility: "<wcag-aa|section-508|none>",
+        colorScheme: "<light|dark|both>"
+      },
+      designLanguage: {
+        rationale: "<design rationale>",
+        spacingScale: { base: 8, scale: [0, 4, 8, 16, 24, 32, 48, 64] },
+        colorSemantics: { primary: "#1a365d", accent: "#e53e3e" },
+        typography: {
+          dataFont: "Inter",
+          headingFont: "Inter",
+          monoFont: "monospace",
+          dataSizePx: 12,
+          bodySizePx: 14
+        },
+        contrastRatio: "4.5",
+        borderRadius: "4",
+        shadowElevation: "standard"
+      },
+      themeTokenSeeds: {
+        light: {
+          background: "#ffffff",
+          foreground: "#1a1a1a",
+          primary: "#1a365d",
+          surface: "#f7f7f7",
+          border: "#e2e8f0"
+        },
+        dark: {
+          background: "#1a1a1a",
+          foreground: "#ffffff",
+          primary: "#90cdf4",
+          surface: "#2d2d2d",
+          border: "#4a5568"
+        }
+      },
+      conformsTo: null,
+      operationalNotes: []
+    },
+    null,
+    2
+  ),
+  theme: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-theme-otter",
+      componentLibrary: "shadcn",
+      colorScheme: "<light|dark|both>",
+      tokens: {
+        colors: { "primary-500": "#1a365d", background: "#ffffff" },
+        spacing: { "spacing-1": "8px", "spacing-2": "16px" },
+        typography: { "font-data": "Inter", "text-sm": "12px" },
+        shape: { "radius-sm": "4px", "radius-md": "8px" },
+        shadows: { "shadow-sm": "0 1px 2px rgba(0,0,0,0.08)" }
+      },
+      cssVariables: {
+        "--background": "0 0% 100%",
+        "--foreground": "222.2 84% 4.9%",
+        "--primary": "222.2 47.4% 11.2%",
+        "--primary-foreground": "210 40% 98%",
+        "--surface": "210 40% 98%",
+        "--border": "214.3 31.8% 91.4%"
+      },
+      dark: { "--background": "222.2 84% 4.9%", "--foreground": "210 40% 98%" }
+    },
+    null,
+    2
+  ),
+  api: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-api-otter",
+      entities: [
+        {
+          name: "Shipment",
+          endpoint: "/shipments",
+          method: "GET",
+          revalidate: 60,
+          mutationType: null
+        }
+      ],
+      auth: { type: "bearer", header: "Authorization", envVar: "API_TOKEN" },
+      baseUrl: "https://api.example.mil/v2",
+      specPath: "./specs/api.yaml"
+    },
+    null,
+    2
+  ),
+  data: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-data-otter",
+      strategy: "<pulse-fast|isr-fast|isr-standard|isr-slow>",
+      pulseMode: false,
+      collections: [{ name: "equipment", revalidate: 60, pulse: false }],
+      endpoints: { included: ["/equipment/**"], excluded: ["/admin/**"] },
+      requiredPackages: { dependencies: {}, devPackages: {} }
+    },
+    null,
+    2
+  ),
+  geo: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-geo-otter",
+      geoCollections: [
+        {
+          collection: "vessels",
+          latField: "latitude",
+          lngField: "longitude",
+          labelField: "vesselName",
+          colorField: "navigationStatus"
+        }
+      ],
+      pages: [
+        {
+          slug: "fleet-tracker",
+          type: "<tracker|zone|route|combined>",
+          collections: ["vessels"],
+          hasLayers: false
+        }
+      ]
+    },
+    null,
+    2
+  ),
+  workflow: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-workflow-otter",
+      workflowConfig: {
+        id: "procurement-approval",
+        route: "/procurement",
+        files: ["workflows/procurement-approval.yml"],
+        serviceDependencies: ["service:workflow-state"],
+        warnings: []
+      }
+    },
+    null,
+    2
+  ),
+  services: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-services-otter",
+      flows: [
+        {
+          name: "at-risk-patients",
+          trigger: "<http|event|schedule|queue>",
+          steps: 3,
+          outputSpec: "at-risk-patients.openapi.json"
+        }
+      ],
+      workflows: [
+        {
+          name: "evacuation-coordination",
+          states: 4,
+          transitions: 5
+        }
+      ],
+      openApiSpecs: ["at-risk-patients.openapi.json"],
+      capabilitiesUsed: ["service.call", "collection.join", "collection.filter"]
+    },
+    null,
+    2
+  ),
+  pages: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-page-otter",
+      pages: [
+        {
+          slug: "catalog",
+          type: "collection_listing",
+          collection: "products",
+          themeApplied: true,
+          authRequired: false
+        },
+        {
+          slug: "admin",
+          type: "protected",
+          collection: null,
+          themeApplied: true,
+          authRequired: true
+        }
+      ]
+    },
+    null,
+    2
+  ),
+  dashboard: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-dashboard-otter",
+      pages: [
+        {
+          slug: "dashboard",
+          layout: "<grid|table|mixed>",
+          collections: ["equipment", "supplies"],
+          mode: "<ISR|Pulse>"
+        }
+      ]
+    },
+    null,
+    2
+  ),
+  // type: 'pki' = CAC/DoD certificate auth | 'oidc' = enterprise SSO
+  // For dev-only mock auth: use type: 'oidc' with devOnly: true (Zod strips devOnly — it's a convention only)
+  auth: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-auth-otter",
+      authConfig: {
+        type: "<pki|oidc>",
+        // OIDC-only fields (omit for pki):
+        provider: "<azure_ad|okta|cognito|auth0|authentik|keycloak|custom>",
+        discoveryUrl: "<IdP OIDC discovery URL>",
+        clientId: "<OIDC client ID>",
+        clientSecret: "<OIDC client secret>",
+        rbacRoles: ["ADMIN", "ANALYST"],
+        rbacDefaultRole: "ANALYST",
+        protectedRoutes: ["/dashboard/:path*", "/procurement/:path*"],
+        auditEnabled: true,
+        auditRetentionDays: 90
+      }
+    },
+    null,
+    2
+  ),
+  polish: JSON.stringify(
+    {
+      version: "1.0",
+      generatedBy: "stackwright-pro-polish-otter",
+      landingPage: { slug: "", rewritten: true },
+      navigation: { itemCount: 5, items: ["/dashboard", "/equipment", "/workflows"] },
+      gettingStarted: "<rewritten|redirected|not-found>"
+    },
+    null,
+    2
+  )
 };
 function handleValidateArtifact(input) {
   const cwd = input._cwd ?? process.cwd();
-  const { phase, responseText } = input;
+  const { phase, responseText, artifact: directArtifact } = input;
   if (!isValidPhase(phase)) {
     return {
       text: JSON.stringify({ error: true, message: `Unknown phase: ${phase}` }),
       isError: true
     };
   }
-  for (const { pattern, label } of OFF_SCRIPT_PATTERNS) {
-    if (pattern.test(responseText)) {
+  let artifact;
+  if (directArtifact) {
+    artifact = directArtifact;
+  } else {
+    const text = responseText ?? "";
+    for (const { pattern, label } of OFF_SCRIPT_PATTERNS) {
+      if (pattern.test(text)) {
+        const result = {
+          valid: false,
+          phase,
+          violation: "off-script",
+          retryPrompt: `You returned code output (detected: ${label}). Return ONLY a JSON artifact \u2014 no code, no files.`
+        };
+        return { text: JSON.stringify(result), isError: false };
+      }
+    }
+    try {
+      artifact = extractJsonFromResponse(text);
+    } catch {
       const result = {
         valid: false,
         phase,
-        violation: "off-script",
-        retryPrompt: `You returned code output (detected: ${label}). Return ONLY a JSON artifact \u2014 no code, no files.`
+        violation: "invalid-json",
+        retryPrompt: "Your response did not contain valid JSON. Return a single JSON object with no surrounding text."
       };
       return { text: JSON.stringify(result), isError: false };
     }
   }
-  let artifact;
-  try {
-    artifact = extractJsonFromResponse(responseText);
-  } catch {
-    const result = {
-      valid: false,
-      phase,
-      violation: "invalid-json",
-      retryPrompt: "Your response did not contain valid JSON. Return a single JSON object with no surrounding text."
-    };
-    return { text: JSON.stringify(result), isError: false };
-  }
   if (!artifact.version || !artifact.generatedBy) {
     const result = {
       valid: false,
@@ -2062,12 +3116,58 @@ function handleValidateArtifact(input) {
     };
     return { text: JSON.stringify(result), isError: false };
   }
+  const PHASE_ZOD_VALIDATORS = {
+    workflow: (artifact2) => {
+      const workflowConfig = artifact2["workflowConfig"];
+      if (!workflowConfig) return { success: true };
+      const result = WorkflowFileSchema.safeParse(workflowConfig);
+      if (!result.success) {
+        const issues = result.error.issues.slice(0, 3).map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        return { success: false, error: { message: issues } };
+      }
+      return { success: true };
+    },
+    auth: (artifact2) => {
+      const authConfig = artifact2["authConfig"];
+      if (!authConfig) return { success: true };
+      const result = authConfigSchema.safeParse(authConfig);
+      if (!result.success) {
+        const issues = result.error.issues.slice(0, 3).map((i) => `${i.path.join(".")}: ${i.message}`).join("; ");
+        return { success: false, error: { message: issues } };
+      }
+      return { success: true };
+    }
+  };
+  const zodValidator = PHASE_ZOD_VALIDATORS[phase];
+  if (zodValidator) {
+    const zodResult = zodValidator(artifact);
+    if (!zodResult.success) {
+      const result = {
+        valid: false,
+        phase,
+        violation: "schema-mismatch",
+        retryPrompt: `Your artifact failed schema validation: ${zodResult.error?.message}. Fix these fields and return the corrected JSON artifact.`
+      };
+      return { text: JSON.stringify(result), isError: false };
+    }
+  }
   try {
-    const artifactsDir = join3(cwd, ".stackwright", "artifacts");
-    mkdirSync2(artifactsDir, { recursive: true });
+    const artifactsDir = join4(cwd, ".stackwright", "artifacts");
+    mkdirSync4(artifactsDir, { recursive: true });
     const artifactFile = PHASE_ARTIFACT[phase];
-    const artifactPath = join3(artifactsDir, artifactFile);
-    safeWriteSync(artifactPath, JSON.stringify(artifact, null, 2) + "\n");
+    const artifactPath = join4(artifactsDir, artifactFile);
+    const serialized = JSON.stringify(artifact, null, 2) + "\n";
+    const artifactBytes = Buffer.from(serialized, "utf-8");
+    safeWriteSync(artifactPath, serialized);
+    let signed = false;
+    try {
+      const { privateKey } = loadPipelineKeys(cwd);
+      const sig = signArtifact(artifactBytes, privateKey);
+      const signerOtter = PHASE_TO_OTTER2[phase];
+      saveArtifactSignature(cwd, artifactFile, sig, signerOtter);
+      signed = true;
+    } catch {
+    }
     const state = readState(cwd);
     if (!state.phases[phase]) state.phases[phase] = defaultPhaseStatus();
     const ps = state.phases[phase];
@@ -2078,7 +3178,7 @@ function handleValidateArtifact(input) {
       valid: true,
       phase,
       artifactPath,
-      summary: `Wrote ${artifactFile} (keys: ${topKeys}${Object.keys(artifact).length > 5 ? ", ..." : ""})`
+      summary: `Wrote ${artifactFile} (keys: ${topKeys}${Object.keys(artifact).length > 5 ? ", ..." : ""})${signed ? " [signed]" : ""}`
     };
     return { text: JSON.stringify(result), isError: false };
   } catch (err) {
@@ -2102,11 +3202,15 @@ function registerPipelineTools(server2) {
     "stackwright_pro_set_pipeline_state",
     `Atomic read\u2192modify\u2192write pipeline state. ${DESC}`,
     {
-      phase: z9.string().optional().describe('Phase to update, e.g. "designer"'),
-      field: z9.enum(["questionsCollected", "answered", "executed", "artifactWritten"]).optional().describe("Boolean field to set"),
-      value: z9.boolean().optional().describe("Value for the field"),
-      status: z9.enum(["setup", "questions", "execution", "done"]).optional().describe("Top-level status override"),
-      incrementRetry: z9.boolean().optional().describe("Bump retryCount by 1")
+      phase: z11.string().optional().describe('Phase to update, e.g. "designer"'),
+      field: z11.enum(["questionsCollected", "answered", "executed", "artifactWritten"]).optional().describe("Boolean field to set"),
+      value: boolCoerce(z11.boolean().optional()).describe(
+        'Value for the field \u2014 must be a JSON boolean (true/false), NOT the string "true"/"false"'
+      ),
+      status: z11.enum(["setup", "questions", "execution", "done"]).optional().describe("Top-level status override"),
+      incrementRetry: boolCoerce(z11.boolean().optional()).describe(
+        "Bump retryCount by 1 \u2014 must be a JSON boolean"
+      )
     },
     async (args) => res(
       handleSetPipelineState({
@@ -2120,9 +3224,17 @@ function registerPipelineTools(server2) {
   );
   server2.tool(
     "stackwright_pro_check_execution_ready",
-    `Check all phases have answer files in .stackwright/answers/. ${DESC}`,
+    `Check all phases have answer files in .stackwright/answers/. If phase is provided, check only that phase. ${DESC}`,
+    {
+      phase: z11.string().optional().describe("If provided, check only this phase's readiness. Omit to check all phases.")
+    },
+    async ({ phase }) => res(handleCheckExecutionReady(void 0, phase))
+  );
+  server2.tool(
+    "stackwright_pro_get_ready_phases",
+    `Return phases whose dependencies are all satisfied (executed=true). Use to determine which phases can run next \u2014 enables wave-based execution. ${DESC}`,
     {},
-    async () => res(handleCheckExecutionReady())
+    async () => res(handleGetReadyPhases())
   );
   server2.tool(
     "stackwright_pro_list_artifacts",
@@ -2132,40 +3244,92 @@ function registerPipelineTools(server2) {
   );
   server2.tool(
     "stackwright_pro_write_phase_questions",
-    `Parse otter question-collection response \u2192 .stackwright/questions/{phase}.json. ${DESC}`,
+    `Parse otter question-collection response \u2192 .stackwright/questions/{phase}.json. Specialists may also call this directly with a parsed questions array. ${DESC}`,
     {
-      phase: z9.string().describe('Phase name, e.g. "designer"'),
-      responseText: z9.string().describe("Raw LLM response from QUESTION_COLLECTION_MODE")
+      phase: z11.string().optional().describe('Phase name, e.g. "designer" (required for direct write)'),
+      responseText: z11.string().optional().describe("Raw LLM response from QUESTION_COLLECTION_MODE"),
+      questions: jsonCoerce(z11.array(z11.any()).optional()).describe(
+        "Questions array for direct specialist write"
+      )
     },
-    async ({ phase, responseText }) => res(handleWritePhaseQuestions({ phase, responseText }))
+    async ({ phase, responseText, questions }) => {
+      if (phase && questions && Array.isArray(questions)) {
+        const SAFE_PHASE = /^[a-z][a-z0-9-]{0,30}$/;
+        if (!SAFE_PHASE.test(phase)) {
+          return {
+            content: [
+              { type: "text", text: JSON.stringify({ error: `Invalid phase name` }) }
+            ],
+            isError: true
+          };
+        }
+        const questionsDir = join4(process.cwd(), ".stackwright", "questions");
+        mkdirSync4(questionsDir, { recursive: true });
+        const outPath = join4(questionsDir, `${phase}.json`);
+        writeFileSync4(
+          outPath,
+          JSON.stringify({ phase, questions, writtenAt: (/* @__PURE__ */ new Date()).toISOString() }, null, 2)
+        );
+        return {
+          content: [
+            {
+              type: "text",
+              text: JSON.stringify({
+                written: true,
+                phase,
+                count: questions.length
+              })
+            }
+          ]
+        };
+      }
+      return res(
+        handleWritePhaseQuestions({ phase: phase ?? "", responseText: responseText ?? "" })
+      );
+    }
   );
   server2.tool(
     "stackwright_pro_build_specialist_prompt",
     `Assemble execution prompt from answers + upstream artifacts. Foreman passes verbatim. ${DESC}`,
-    { phase: z9.string().describe('Phase to build prompt for, e.g. "pages"') },
+    { phase: z11.string().describe('Phase to build prompt for, e.g. "pages"') },
     async ({ phase }) => res(handleBuildSpecialistPrompt({ phase }))
   );
   server2.tool(
     "stackwright_pro_validate_artifact",
-    `Validate specialist response + write artifact to .stackwright/artifacts/. Returns retryPrompt on failure. ${DESC}`,
+    `Validate and write artifact to .stackwright/artifacts/. Returns retryPrompt on failure. ${DESC}`,
     {
-      phase: z9.string().describe('Phase that produced this artifact, e.g. "designer"'),
-      responseText: z9.string().describe("Raw response text from the specialist otter")
+      phase: z11.string().describe('Phase that produced this artifact, e.g. "designer"'),
+      responseText: z11.string().optional().describe("Raw response text from the specialist otter (Foreman-mediated path, legacy)"),
+      artifact: jsonCoerce(z11.record(z11.string(), z11.unknown()).optional()).describe(
+        "Artifact object to validate and write directly (specialist direct path \u2014 skips off-script detection and JSON parsing)"
+      )
     },
-    async ({ phase, responseText }) => res(handleValidateArtifact({ phase, responseText }))
+    async ({ phase, responseText, artifact }) => {
+      if (artifact) {
+        return res(
+          handleValidateArtifact({ phase, artifact })
+        );
+      }
+      return res(handleValidateArtifact({ phase, responseText: responseText ?? "" }));
+    }
   );
 }
 
 // src/tools/safe-write.ts
-import { z as z10 } from "zod";
-import { writeFileSync as writeFileSync4, existsSync as existsSync4, mkdirSync as mkdirSync3, lstatSync as lstatSync4 } from "fs";
-import { normalize, isAbsolute, dirname, join as join4 } from "path";
+import { z as z12 } from "zod";
+import { writeFileSync as writeFileSync5, existsSync as existsSync6, mkdirSync as mkdirSync5, lstatSync as lstatSync6 } from "fs";
+import { normalize, isAbsolute, dirname, join as join5 } from "path";
 var OTTER_WRITE_ALLOWLISTS = {
   "stackwright-pro-designer-otter": [
     { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Design language artifact" }
   ],
   "stackwright-pro-theme-otter": [
-    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Theme tokens artifact" }
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Theme tokens artifact" },
+    {
+      prefix: "stackwright.theme.",
+      suffix: ".yml",
+      description: "Theme config YAML (merged at build time)"
+    }
   ],
   "stackwright-pro-auth-otter": [
     { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Auth config artifact" },
@@ -2198,13 +3362,54 @@ var OTTER_WRITE_ALLOWLISTS = {
   ],
   "stackwright-pro-api-otter": [
     { prefix: ".stackwright/artifacts/", suffix: ".json", description: "API config artifact" }
+  ],
+  "stackwright-pro-geo-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Geo manifest artifact" },
+    { prefix: "pages/", suffix: "/content.yml", description: "Map page content" },
+    { prefix: "pages/", suffix: "/content.yaml", description: "Map page content" }
+  ],
+  "stackwright-pro-polish-otter": [
+    {
+      prefix: "stackwright.yml",
+      suffix: "",
+      description: "Stackwright config (navigation updates)"
+    },
+    { prefix: "pages/", suffix: "/content.yml", description: "Landing page content" },
+    { prefix: "pages/", suffix: "/content.yaml", description: "Landing page content" },
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Polish artifact" }
+  ],
+  "stackwright-services-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Services config artifact" },
+    { prefix: "services/", suffix: ".ts", description: "Service implementation files" },
+    { prefix: "services/", suffix: ".yaml", description: "Service flow definitions" },
+    { prefix: "services/", suffix: ".yml", description: "Service flow definitions" },
+    { prefix: "lib/seeds/", suffix: ".ts", description: "Seed data files" },
+    { prefix: "specs/", suffix: ".json", description: "Generated OpenAPI specs" },
+    { prefix: "specs/", suffix: ".yaml", description: "Generated OpenAPI specs" },
+    { prefix: "stackwright-generated/", suffix: ".json", description: "Services manifest" }
   ]
 };
 var PROTECTED_PATH_PREFIXES = [
   ".stackwright/pipeline-state.json",
+  ".stackwright/pipeline-keys.json",
+  // ephemeral signing keys
+  ".stackwright/artifacts/signatures.json",
+  // artifact signature manifest
   ".stackwright/questions/",
   ".stackwright/answers/"
 ];
+var MAX_SAFE_WRITE_BYTES_JSON = 512 * 1024;
+var MAX_SAFE_WRITE_BYTES_YAML = 256 * 1024;
+var MAX_SAFE_WRITE_BYTES_ENV = 4 * 1024;
+var MAX_SAFE_WRITE_BYTES_DEFAULT = 256 * 1024;
+function getMaxBytesForPath(filePath) {
+  if (filePath.endsWith(".json")) return { limit: MAX_SAFE_WRITE_BYTES_JSON, label: "JSON" };
+  if (filePath.endsWith(".yml") || filePath.endsWith(".yaml"))
+    return { limit: MAX_SAFE_WRITE_BYTES_YAML, label: "YAML" };
+  if (filePath === ".env" || /^\.env\.[a-zA-Z0-9]+/.test(filePath))
+    return { limit: MAX_SAFE_WRITE_BYTES_ENV, label: "env" };
+  return { limit: MAX_SAFE_WRITE_BYTES_DEFAULT, label: "default" };
+}
 function checkPathAllowed(callerOtter, filePath) {
   const normalized = normalize(filePath);
   if (normalized.includes("..")) {
@@ -2330,11 +3535,23 @@ function handleSafeWrite(input) {
     };
     return { text: JSON.stringify(result), isError: true };
   }
+  const contentBytes = Buffer.byteLength(content, "utf-8");
+  const { limit: maxBytes, label: fileTypeLabel } = getMaxBytesForPath(filePath);
+  if (contentBytes > maxBytes) {
+    const result = {
+      success: false,
+      error: `Content size ${contentBytes} bytes exceeds ${fileTypeLabel} limit of ${maxBytes} bytes (${maxBytes / 1024} KB)`,
+      callerOtter,
+      attemptedPath: filePath,
+      allowedPaths: []
+    };
+    return { text: JSON.stringify(result), isError: true };
+  }
   const normalized = normalize(filePath);
-  const fullPath = join4(cwd, normalized);
-  if (existsSync4(fullPath)) {
+  const fullPath = join5(cwd, normalized);
+  if (existsSync6(fullPath)) {
     try {
-      const stat = lstatSync4(fullPath);
+      const stat = lstatSync6(fullPath);
       if (stat.isSymbolicLink()) {
         const result = {
           success: false,
@@ -2361,9 +3578,9 @@ function handleSafeWrite(input) {
   }
   try {
     if (createDirectories) {
-      mkdirSync3(dirname(fullPath), { recursive: true });
+      mkdirSync5(dirname(fullPath), { recursive: true });
     }
-    writeFileSync4(fullPath, content, { encoding: "utf-8" });
+    writeFileSync5(fullPath, content, { encoding: "utf-8" });
     const result = {
       success: true,
       path: normalized,
@@ -2389,10 +3606,12 @@ function registerSafeWriteTools(server2) {
     "stackwright_pro_safe_write",
     DESC,
     {
-      callerOtter: z10.string().describe('The otter agent name requesting the write, e.g. "stackwright-pro-page-otter"'),
-      filePath: z10.string().describe('Relative path from project root, e.g. "pages/dashboard/content.yml"'),
-      content: z10.string().describe("File content to write"),
-      createDirectories: z10.boolean().optional().describe("Create parent directories if they don't exist. Default: true")
+      callerOtter: z12.string().describe('The otter agent name requesting the write, e.g. "stackwright-pro-page-otter"'),
+      filePath: z12.string().describe('Relative path from project root, e.g. "pages/dashboard/content.yml"'),
+      content: z12.string().describe("File content to write"),
+      createDirectories: boolCoerce(z12.boolean().optional().default(true)).describe(
+        "Create parent directories if they don't exist. Default: true"
+      )
     },
     async ({ callerOtter, filePath, content, createDirectories }) => {
       const result = handleSafeWrite({
@@ -2407,9 +3626,9 @@ function registerSafeWriteTools(server2) {
 }
 
 // src/tools/auth.ts
-import { z as z11 } from "zod";
-import { readFileSync as readFileSync4, writeFileSync as writeFileSync5, existsSync as existsSync5 } from "fs";
-import { join as join5 } from "path";
+import { z as z13 } from "zod";
+import { readFileSync as readFileSync5, writeFileSync as writeFileSync6, existsSync as existsSync7 } from "fs";
+import { join as join6 } from "path";
 function buildHierarchy(roles) {
   const h = {};
   for (let i = 0; i < roles.length - 1; i++) {
@@ -2671,7 +3890,7 @@ async function configureAuthHandler(params, cwd) {
       auditRetentionDays,
       protectedRoutes
     );
-    writeFileSync5(join5(cwd, "middleware.ts"), middlewareContent, "utf8");
+    writeFileSync6(join6(cwd, "middleware.ts"), middlewareContent, "utf8");
     filesWritten.push("middleware.ts");
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -2687,12 +3906,12 @@ async function configureAuthHandler(params, cwd) {
   }
   try {
     const envBlock = generateEnvBlock(method, params);
-    const envPath = join5(cwd, ".env.example");
-    if (existsSync5(envPath)) {
-      const existing = readFileSync4(envPath, "utf8");
-      writeFileSync5(envPath, existing.trimEnd() + "\n\n" + envBlock, "utf8");
+    const envPath = join6(cwd, ".env.example");
+    if (existsSync7(envPath)) {
+      const existing = readFileSync5(envPath, "utf8");
+      writeFileSync6(envPath, existing.trimEnd() + "\n\n" + envBlock, "utf8");
     } else {
-      writeFileSync5(envPath, envBlock, "utf8");
+      writeFileSync6(envPath, envBlock, "utf8");
     }
     filesWritten.push(".env.example");
   } catch (err) {
@@ -2718,12 +3937,12 @@ async function configureAuthHandler(params, cwd) {
       auditRetentionDays,
       protectedRoutes
     );
-    const ymlPath = join5(cwd, "stackwright.yml");
-    if (!existsSync5(ymlPath)) {
-      writeFileSync5(ymlPath, authYaml, "utf8");
+    const ymlPath = join6(cwd, "stackwright.yml");
+    if (!existsSync7(ymlPath)) {
+      writeFileSync6(ymlPath, authYaml, "utf8");
     } else {
-      const existing = readFileSync4(ymlPath, "utf8");
-      writeFileSync5(ymlPath, upsertAuthBlock(existing, authYaml), "utf8");
+      const existing = readFileSync5(ymlPath, "utf8");
+      writeFileSync6(ymlPath, upsertAuthBlock(existing, authYaml), "utf8");
     }
     filesWritten.push("stackwright.yml");
   } catch (err) {
@@ -2762,35 +3981,35 @@ function registerAuthTools(server2) {
     "stackwright_pro_configure_auth",
     "Generate authentication middleware and configuration for a Next.js Stackwright application. Writes `middleware.ts` from a secure template, appends/updates the `auth:` section in `stackwright.yml`, and generates `.env.example` with required environment variables. \u26A0\uFE0F For CAC/PKI: generated `middleware.ts` carries a SECURITY REVIEW REQUIRED comment \u2014 certificate chain validation must be verified by a DoD security officer before production deployment. This is the ONLY approved path to generating `middleware.ts`. Never write TypeScript auth files directly.",
     {
-      method: z11.enum(["cac", "oidc", "oauth2", "none"]),
-      provider: z11.enum(["azure-ad", "okta", "ping", "cognito", "custom"]).optional(),
+      method: z13.enum(["cac", "oidc", "oauth2", "none"]),
+      provider: z13.enum(["azure-ad", "okta", "ping", "cognito", "custom"]).optional(),
       // CAC
-      cacCaBundle: z11.string().optional(),
-      cacEdipiLookup: z11.string().optional(),
-      cacOcspEndpoint: z11.string().optional(),
-      cacCertHeader: z11.string().optional(),
+      cacCaBundle: z13.string().optional(),
+      cacEdipiLookup: z13.string().optional(),
+      cacOcspEndpoint: z13.string().optional(),
+      cacCertHeader: z13.string().optional(),
       // OIDC
-      oidcDiscoveryUrl: z11.string().optional(),
-      oidcClientId: z11.string().optional(),
-      oidcClientSecret: z11.string().optional(),
-      oidcScopes: z11.string().optional(),
-      oidcRoleClaim: z11.string().optional(),
+      oidcDiscoveryUrl: z13.string().optional(),
+      oidcClientId: z13.string().optional(),
+      oidcClientSecret: z13.string().optional(),
+      oidcScopes: z13.string().optional(),
+      oidcRoleClaim: z13.string().optional(),
       // OAuth2
-      oauth2AuthUrl: z11.string().optional(),
-      oauth2TokenUrl: z11.string().optional(),
-      oauth2ClientId: z11.string().optional(),
-      oauth2ClientSecret: z11.string().optional(),
-      oauth2Scopes: z11.string().optional(),
+      oauth2AuthUrl: z13.string().optional(),
+      oauth2TokenUrl: z13.string().optional(),
+      oauth2ClientId: z13.string().optional(),
+      oauth2ClientSecret: z13.string().optional(),
+      oauth2Scopes: z13.string().optional(),
       // RBAC
-      rbacRoles: z11.array(z11.string()).optional(),
-      rbacDefaultRole: z11.string().optional(),
+      rbacRoles: jsonCoerce(z13.array(z13.string()).optional()),
+      rbacDefaultRole: z13.string().optional(),
       // Audit
-      auditEnabled: z11.boolean().optional(),
-      auditRetentionDays: z11.number().int().positive().optional(),
+      auditEnabled: boolCoerce(z13.boolean().optional()),
+      auditRetentionDays: numCoerce(z13.number().int().positive().optional()),
       // Routes
-      protectedRoutes: z11.array(z11.string()).optional(),
+      protectedRoutes: jsonCoerce(z13.array(z13.string()).optional()),
       // Injection for tests
-      _cwd: z11.string().optional()
+      _cwd: z13.string().optional()
     },
     async (params) => {
       const cwd = params._cwd ?? process.cwd();
@@ -2800,45 +4019,61 @@ function registerAuthTools(server2) {
 }
 
 // src/integrity.ts
-import { createHash as createHash2, timingSafeEqual } from "crypto";
-import { readFileSync as readFileSync5, readdirSync, lstatSync as lstatSync5 } from "fs";
-import { join as join6, basename } from "path";
+import { createHash as createHash4, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { readFileSync as readFileSync6, readdirSync as readdirSync2, lstatSync as lstatSync7 } from "fs";
+import { join as join7, basename } from "path";
 var _checksums = /* @__PURE__ */ new Map([
   [
     "stackwright-pro-api-otter.json",
-    "f1cc9edf2dd1df3ebcea1d0ab33d17a358faaf8aa97ee232cd7994042f2eac0d"
+    "9fbaed0ce6116b82d0289f24432037d04637c89b8e73062ed946e5d49b294734"
   ],
   [
     "stackwright-pro-auth-otter.json",
-    "a19e06c503209a8a35fe321d30448623545b36b48c47a6ec064d13406ad1f725"
+    "8a6ee02cfe7fede3ca708d05b8b46824eb71f60c7f474b6edf9599da77f779b2"
   ],
   [
     "stackwright-pro-dashboard-otter.json",
-    "b3cb3d7554f2e9eed3b57d5e0e3bf85d6ba5b4db5d3af5514391cf0575fcc001"
+    "f5a83b74ad7c44edc6f39b45a568fa122d82aa4788f741ce14614da56d4e29a4"
   ],
   [
     "stackwright-pro-data-otter.json",
-    "bfacb87ae82867472a75982215554336a105a658d6cd3dd2c8b819fa1e11d7ac"
+    "c406e1c775bcb1f2b038b40a92d9bd23172b40d774fc0fa50bad4c9714f53445"
   ],
   [
     "stackwright-pro-designer-otter.json",
-    "c58fa7c7ead9e6398074e1c7ce3f31a8ef4eb3679f5fa18cc03cae3a87878c88"
+    "af09ac8f06385bdbac63e2820daa2ff7d38b8ff1ff383c161f07e3fb9d9359c5"
+  ],
+  [
+    "stackwright-pro-domain-expert-otter.json",
+    "bfe5c167d73fef3f2ef280fff56dcb552073c218e1394a43ecf983a03169ed55"
   ],
   [
     "stackwright-pro-foreman-otter.json",
-    "84ba692e710ac3efab94d27332bcac19c6785b7f41d9076e8e7c860cdd6f8097"
+    "ab38ef53b95ec610a38b2866d78a135cbec16d257a9b35d7e46e2fee2d4de235"
+  ],
+  [
+    "stackwright-pro-geo-otter.json",
+    "6eb7ecf97254dbd79c09ad24348bf16001423cce9585c14bef81afd67b7b901b"
   ],
   [
     "stackwright-pro-page-otter.json",
-    "65bec3a3a0dda6b7591bba2de9399f1e3a4fb99cfe1075342f4f4be98d917b67"
+    "9a5672f0758c81539337d86955e2892cd412547b4f111c2aa098eed1e62d7626"
+  ],
+  [
+    "stackwright-pro-polish-otter.json",
+    "d31116995fdb417798af6056efd03bb1c71e0891371aba1774d283c03c9d77e8"
   ],
   [
     "stackwright-pro-theme-otter.json",
-    "64ffaeeceacd739922788a1d074f6feaffc3f91d09706c2c104f0c0281677732"
+    "08bb04009fdfb8743b10ac4d503cbaddaf8d7c804ba9b606aaed9cc516fd8e93"
   ],
   [
     "stackwright-pro-workflow-otter.json",
-    "0eec9d6a731678cf547c2a7b0b6fc338ca143c35501365a1e4e5dd2779dd5510"
+    "c90d6773b2287aa9a640c2715ca0e75f44c13e99fddcfb89ced36603f38930ce"
+  ],
+  [
+    "stackwright-services-otter.json",
+    "4893a596d187110124f78336ee91184a51b3c8d980c455382fe481adb9b487b5"
   ]
 ]);
 Object.freeze(_checksums);
@@ -2853,11 +4088,11 @@ for (const [name, digest] of CANONICAL_CHECKSUMS) {
 }
 var MAX_OTTER_BYTES = 1 * 1024 * 1024;
 function computeSha256(data) {
-  return createHash2("sha256").update(data).digest("hex");
+  return createHash4("sha256").update(data).digest("hex");
 }
 function safeEqual(a, b) {
   if (a.length !== b.length) return false;
-  return timingSafeEqual(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"));
+  return timingSafeEqual2(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"));
 }
 function verifyOtterFile(filePath) {
   const filename = basename(filePath);
@@ -2867,7 +4102,7 @@ function verifyOtterFile(filePath) {
   }
   let stat;
   try {
-    stat = lstatSync5(filePath);
+    stat = lstatSync7(filePath);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { verified: false, filename, error: `Cannot stat file: ${msg}` };
@@ -2885,7 +4120,7 @@ function verifyOtterFile(filePath) {
   }
   let raw;
   try {
-    raw = readFileSync5(filePath);
+    raw = readFileSync6(filePath);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { verified: false, filename, error: `Cannot read file: ${msg}` };
@@ -2918,12 +4153,24 @@ function verifyOtterFile(filePath) {
   return { verified: true, filename };
 }
 function verifyAllOtters(otterDir) {
+  if (/(?:^|[/\\])\.\.(?:[/\\]|$)/.test(otterDir) || otterDir.includes("..")) {
+    return {
+      verified: [],
+      failed: [
+        {
+          filename: "<directory>",
+          error: `Security: path traversal sequence detected in otter directory parameter`
+        }
+      ],
+      unknown: []
+    };
+  }
   const verified = [];
   const failed = [];
   const unknown = [];
   let entries;
   try {
-    entries = readdirSync(otterDir);
+    entries = readdirSync2(otterDir);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return {
@@ -2934,9 +4181,9 @@ function verifyAllOtters(otterDir) {
   }
   const otterFiles = entries.filter((f) => f.endsWith("-otter.json"));
   for (const filename of otterFiles) {
-    const filePath = join6(otterDir, filename);
+    const filePath = join7(otterDir, filename);
     try {
-      if (lstatSync5(filePath).isSymbolicLink()) {
+      if (lstatSync7(filePath).isSymbolicLink()) {
         failed.push({ filename, error: "Skipped: symlink" });
         continue;
       }
@@ -2962,15 +4209,30 @@ var DEFAULT_SEARCH_PATHS = ["node_modules/@stackwright-pro/otters/src/", "packag
 function resolveOtterDir() {
   const cwd = process.cwd();
   for (const relative of DEFAULT_SEARCH_PATHS) {
-    const candidate = join6(cwd, relative);
+    const candidate = join7(cwd, relative);
     try {
-      lstatSync5(candidate);
+      lstatSync7(candidate);
       return candidate;
     } catch {
     }
   }
   return null;
 }
+function emitIntegrityAuditEvent(params) {
+  const record = JSON.stringify({
+    level: "AUDIT",
+    event: "INTEGRITY_FAIL",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    source: "stackwright_pro_verify_otter_integrity",
+    otterDir: params.otterDir,
+    failedCount: params.failed.length,
+    unknownCount: params.unknown.length,
+    failures: params.failed,
+    unknown: params.unknown
+  });
+  process.stderr.write(`INTEGRITY_FAIL ${record}
+`);
+}
 function registerIntegrityTools(server2) {
   server2.tool(
     "stackwright_pro_verify_otter_integrity",
@@ -2994,6 +4256,13 @@ function registerIntegrityTools(server2) {
       }
       const result = verifyAllOtters(resolved);
       const allGood = result.failed.length === 0 && result.unknown.length === 0;
+      if (!allGood) {
+        emitIntegrityAuditEvent({
+          otterDir: resolved,
+          failed: result.failed,
+          unknown: result.unknown
+        });
+      }
       return {
         content: [
           {
@@ -3006,7 +4275,10 @@ function registerIntegrityTools(server2) {
               unknownCount: result.unknown.length,
               verified: result.verified,
               failed: result.failed,
-              unknown: result.unknown
+              unknown: result.unknown,
+              ...allGood ? {} : {
+                error: "INTEGRITY CHECK FAILED: SHA-256 mismatch detected in otter agent definitions. Do not proceed \u2014 otter files may have been tampered with."
+              }
             })
           }
         ],
@@ -3017,14 +4289,14 @@ function registerIntegrityTools(server2) {
 }
 
 // src/tools/domain.ts
-import { z as z12 } from "zod";
-import { readFileSync as readFileSync6, existsSync as existsSync6 } from "fs";
-import { join as join7 } from "path";
+import { z as z14 } from "zod";
+import { readFileSync as readFileSync7, existsSync as existsSync8 } from "fs";
+import { join as join8 } from "path";
 function handleListCollections(input) {
   const cwd = input._cwd ?? process.cwd();
   const sources = [
     {
-      path: join7(cwd, ".stackwright", "artifacts", "data-config.json"),
+      path: join8(cwd, ".stackwright", "artifacts", "data-config.json"),
       source: "data-config.json",
       parse: (raw) => {
         const parsed = JSON.parse(raw);
@@ -3035,15 +4307,15 @@ function handleListCollections(input) {
       }
     },
     {
-      path: join7(cwd, "stackwright.yml"),
+      path: join8(cwd, "stackwright.yml"),
       source: "stackwright.yml",
       parse: extractCollectionsFromYaml
     }
   ];
   for (const { path: path3, source, parse } of sources) {
-    if (!existsSync6(path3)) continue;
+    if (!existsSync8(path3)) continue;
     try {
-      const collections = parse(readFileSync6(path3, "utf8"));
+      const collections = parse(readFileSync7(path3, "utf8"));
       return {
         text: JSON.stringify({ collections, source, collectionCount: collections.length }),
         isError: false
@@ -3194,8 +4466,8 @@ function handleValidateWorkflow(input) {
   if (input.workflow && Object.keys(input.workflow).length > 0) {
     raw = input.workflow;
   } else {
-    const artifactPath = join7(cwd, ".stackwright", "artifacts", "workflow-config.json");
-    if (!existsSync6(artifactPath)) {
+    const artifactPath = join8(cwd, ".stackwright", "artifacts", "workflow-config.json");
+    if (!existsSync8(artifactPath)) {
       return fail([
         {
           code: "NO_WORKFLOW",
@@ -3204,7 +4476,7 @@ function handleValidateWorkflow(input) {
       ]);
     }
     try {
-      raw = JSON.parse(readFileSync6(artifactPath, "utf8"));
+      raw = JSON.parse(readFileSync7(artifactPath, "utf8"));
     } catch (err) {
       return fail([{ code: "INVALID_JSON", message: `Failed to parse workflow artifact: ${err}` }]);
     }
@@ -3403,7 +4675,7 @@ function registerDomainTools(server2) {
     "stackwright_pro_resolve_data_strategy",
     "Look up the data freshness strategy configuration from the user's answer. Returns mechanism, revalidation seconds, required packages, and the exact MCP tool call to make. Replaces the strategy table in the data-otter prompt.",
     {
-      strategy: z12.string().describe(
+      strategy: z14.string().describe(
         'The data-1 answer value: "pulse-fast", "isr-fast", "isr-standard", or "isr-slow"'
       )
     },
@@ -3413,7 +4685,7 @@ function registerDomainTools(server2) {
     "stackwright_pro_validate_workflow",
     "Validate a workflow definition against the Stackwright workflow schema. Checks step ID uniqueness, transition targets, terminal state existence, and service references. Call this after the workflow otter produces output.",
     {
-      workflow: z12.record(z12.string(), z12.unknown()).optional().describe(
+      workflow: jsonCoerce(z14.record(z14.string(), z14.unknown()).optional()).describe(
         "Parsed workflow object. If omitted, reads from .stackwright/artifacts/workflow-config.json"
       )
     },
@@ -3421,18 +4693,109 @@ function registerDomainTools(server2) {
   );
 }
 
+// src/tools/type-schemas.ts
+import { z as z15 } from "zod";
+function buildTypeSchemaSummary() {
+  return {
+    version: "1.0",
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    domains: {
+      workflow: {
+        description: "Workflow DSL \u2014 step definitions, auth blocks, field types, conditions",
+        schemas: [
+          "WorkflowFileSchema",
+          "WorkflowDefinitionSchema",
+          "WorkflowStepSchema",
+          "WorkflowStepTypeSchema",
+          "WorkflowFieldSchema",
+          "WorkflowActionSchema",
+          "WorkflowAuthSchema",
+          "WorkflowThemeSchema",
+          "TransitionConditionSchema",
+          "PersistenceSchema"
+        ],
+        otter: "stackwright-pro-workflow-otter",
+        artifactKey: "workflowConfig"
+      },
+      auth: {
+        description: "Authentication providers \u2014 PKI/CAC, OIDC, RBAC configuration",
+        schemas: [
+          "authConfigSchema",
+          "pkiConfigSchema",
+          "oidcConfigSchema",
+          "rbacConfigSchema",
+          "componentAuthSchema",
+          "authUserSchema",
+          "authSessionSchema"
+        ],
+        otter: "stackwright-pro-auth-otter",
+        artifactKey: "authConfig"
+      },
+      openapi: {
+        description: "OpenAPI spec integration \u2014 collection config, endpoint filters, actions",
+        interfaces: [
+          "OpenAPIConfig",
+          "ActionConfig",
+          "EndpointFilter",
+          "ApprovedSpec",
+          "PrebuildSecurityConfig",
+          "SiteConfig",
+          "ValidationResult"
+        ],
+        otter: "stackwright-pro-api-otter",
+        artifactKey: "apiConfig"
+      },
+      pulse: {
+        description: "Real-time data polling \u2014 source-agnostic polling options and states",
+        interfaces: ["PulseOptions", "PulseMeta", "PulseState"],
+        note: "React-bound types (PulseProps, PulseIndicatorProps) remain in @stackwright-pro/pulse"
+      },
+      enterprise: {
+        description: "Enterprise collection access \u2014 multi-tenant provider extension",
+        interfaces: [
+          "EnterpriseCollectionProvider",
+          "CollectionProvider",
+          "CollectionEntry",
+          "CollectionListOptions",
+          "CollectionListResult",
+          "TenantFilter",
+          "Collection"
+        ],
+        note: "CollectionProvider, CollectionEntry, CollectionListOptions, and CollectionListResult are re-exported from @stackwright/types (^1.5.0). EnterpriseCollectionProvider, TenantFilter, and Collection are Pro-only extensions."
+      }
+    }
+  };
+}
+function registerTypeSchemasTool(server2) {
+  server2.tool(
+    "stackwright_pro_get_type_schemas",
+    "Returns a structured summary of all canonical @stackwright-pro/types schemas, organized by domain. Use this to determine which otter owns a given schema and what artifact key to expect.",
+    {
+      format: z15.enum(["full", "domains-only"]).optional().default("full").describe("full = complete summary with all fields; domains-only = just domain names")
+    },
+    async ({ format }) => {
+      const summary = buildTypeSchemaSummary();
+      const output = format === "domains-only" ? Object.keys(summary.domains) : summary;
+      return {
+        content: [{ type: "text", text: JSON.stringify(output, null, 2) }]
+      };
+    }
+  );
+}
+
 // package.json
 var package_default = {
   dependencies: {
+    "@stackwright-pro/types": "workspace:*",
     "@modelcontextprotocol/sdk": "^1.10.0",
     "@stackwright-pro/cli-data-explorer": "workspace:*",
-    zod: "^4.3.6"
+    zod: "^4.4.3"
   },
   devDependencies: {
-    "@types/node": "^24.1.0",
-    tsup: "^8.5.0",
-    typescript: "^5.8.3",
-    vitest: "^4.0.18"
+    "@types/node": "catalog:",
+    tsup: "catalog:",
+    typescript: "catalog:",
+    vitest: "catalog:"
   },
   scripts: {
     prepublishOnly: "node scripts/verify-integrity-sync.js",
@@ -3443,10 +4806,13 @@ var package_default = {
     "test:coverage": "vitest run --coverage"
   },
   name: "@stackwright-pro/mcp",
-  version: "0.2.0-alpha.6",
+  version: "0.2.0-alpha.61",
   description: "MCP tools for Stackwright Pro - Data Explorer, Security, ISR, and Dashboard generation",
-  license: "PROPRIETARY",
+  license: "SEE LICENSE IN LICENSE",
   main: "./dist/server.js",
+  bin: {
+    "stackwright-pro-mcp": "./dist/server.js"
+  },
   module: "./dist/server.mjs",
   types: "./dist/server.d.ts",
   exports: {
@@ -3459,6 +4825,11 @@ var package_default = {
       types: "./dist/integrity.d.ts",
       import: "./dist/integrity.mjs",
       require: "./dist/integrity.js"
+    },
+    "./type-schemas": {
+      types: "./dist/tools/type-schemas.d.ts",
+      import: "./dist/tools/type-schemas.mjs",
+      require: "./dist/tools/type-schemas.js"
     }
   },
   files: [
@@ -3486,9 +4857,20 @@ registerPipelineTools(server);
 registerSafeWriteTools(server);
 registerAuthTools(server);
 registerIntegrityTools(server);
+registerArtifactSigningTools(server);
 registerDomainTools(server);
+registerTypeSchemasTool(server);
 async function main() {
   const transport = new StdioServerTransport();
+  try {
+    const servicesRegisterPkg = "@stackwright-services/mcp/register";
+    const mod = await import(servicesRegisterPkg);
+    if (typeof mod.registerServicesTools === "function") {
+      mod.registerServicesTools(server);
+      console.error("Stackwright Services tools registered on pro MCP");
+    }
+  } catch {
+  }
   await server.connect(transport);
   console.error("Stackwright Pro MCP server running on stdio");
 }