@stackwright-pro/mcp 0.2.0-alpha.60 → 0.2.0-alpha.66

package/dist/server.mjs

@@ -1678,6 +1678,14 @@ function handleSavePhaseAnswers(input) {
     let answers;
     if (input.questions && input.questions.length > 0) {
       answers = answersToManifestFormat(input.rawAnswers, input.questions);
+      if (Object.keys(answers).length === 0 && input.rawAnswers.length > 0) {
+        answers = Object.fromEntries(
+          input.rawAnswers.map((a) => [
+            a.question_header,
+            a.selected_options.length > 1 ? a.selected_options : a.selected_options[0] ?? ""
+          ])
+        );
+      }
     } else {
       answers = Object.fromEntries(
         input.rawAnswers.map((a) => [a.question_header, a.selected_options[0] ?? ""])
@@ -2277,12 +2285,13 @@ var PHASE_DEPENDENCIES = {
   // workflow states as trigger sources. Produces OpenAPI specs consumed
   // by pages and dashboard for typed data wiring.
   services: ["api", "workflow"],
-  // pages/dashboard: now also depend on services for typed endpoint wiring
-  // via the OpenAPI specs that services produces.
-  // 'api' is still transitive through 'data'; auth removed — page-otter has
-  // graceful fallback and reads role names from workflow artifacts instead
-  pages: ["designer", "theme", "data", "services"],
-  dashboard: ["designer", "theme", "data", "services"],
+  // pages/dashboard: depend on services for typed endpoint wiring (OpenAPI
+  // specs) and on geo so the specialist prompt includes geo-manifest.json
+  // — page/dashboard otters see which page slugs are already claimed and
+  // won't attempt to overwrite them (swp-73c). 'api' is still transitive
+  // through 'data'; auth removed — page-otter has graceful fallback.
+  pages: ["designer", "theme", "data", "services", "geo"],
+  dashboard: ["designer", "theme", "data", "services", "geo"],
   // auth is the penultimate phase — runs after all content-producing phases
   // so it can read pages, dashboard, workflow, and geo artifacts for route
   // protection and RBAC wiring. Skipped upstream phases still satisfy deps
@@ -3024,13 +3033,19 @@ var PHASE_ARTIFACT_SCHEMA = {
     null,
     2
   ),
+  // type: 'pki' = CAC/DoD certificate auth | 'oidc' = enterprise SSO
+  // For dev-only mock auth: use type: 'oidc' with devOnly: true (Zod strips devOnly — it's a convention only)
   auth: JSON.stringify(
     {
       version: "1.0",
       generatedBy: "stackwright-pro-auth-otter",
       authConfig: {
-        method: "<cac|oidc|oauth2|none>",
-        provider: "<azure-ad|okta|ping|cognito \u2014 if OIDC, else null>",
+        type: "<pki|oidc>",
+        // OIDC-only fields (omit for pki):
+        provider: "<azure_ad|okta|cognito|auth0|authentik|keycloak|custom>",
+        discoveryUrl: "<IdP OIDC discovery URL>",
+        clientId: "<OIDC client ID>",
+        clientSecret: "<OIDC client secret>",
         rbacRoles: ["ADMIN", "ANALYST"],
         rbacDefaultRole: "ANALYST",
         protectedRoutes: ["/dashboard/:path*", "/procurement/:path*"],
@@ -3311,7 +3326,7 @@ function registerPipelineTools(server2) {
 
 // src/tools/safe-write.ts
 import { z as z12 } from "zod";
-import { writeFileSync as writeFileSync5, existsSync as existsSync6, mkdirSync as mkdirSync5, lstatSync as lstatSync6 } from "fs";
+import { writeFileSync as writeFileSync5, readFileSync as readFileSync5, existsSync as existsSync6, mkdirSync as mkdirSync5, lstatSync as lstatSync6 } from "fs";
 import { normalize, isAbsolute, dirname, join as join5 } from "path";
 var OTTER_WRITE_ALLOWLISTS = {
   "stackwright-pro-designer-otter": [
@@ -3333,6 +3348,16 @@ var OTTER_WRITE_ALLOWLISTS = {
       prefix: ".env",
       suffix: "",
       description: "Dotenv files (.env, .env.local, .env.production, etc.)"
+    },
+    {
+      prefix: "lib/mock-auth",
+      suffix: ".ts",
+      description: "Mock auth module (DEV_ONLY_MODE role updates)"
+    },
+    {
+      prefix: "package.json",
+      suffix: ".json",
+      description: "Project package.json (DEV_ONLY_MODE script cleanup)"
     }
   ],
   "stackwright-pro-data-otter": [
@@ -3371,6 +3396,16 @@ var OTTER_WRITE_ALLOWLISTS = {
     { prefix: "pages/", suffix: "/content.yml", description: "Landing page content" },
     { prefix: "pages/", suffix: "/content.yaml", description: "Landing page content" },
     { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Polish artifact" }
+  ],
+  "stackwright-services-otter": [
+    { prefix: ".stackwright/artifacts/", suffix: ".json", description: "Services config artifact" },
+    { prefix: "services/", suffix: ".ts", description: "Service implementation files" },
+    { prefix: "services/", suffix: ".yaml", description: "Service flow definitions" },
+    { prefix: "services/", suffix: ".yml", description: "Service flow definitions" },
+    { prefix: "lib/seeds/", suffix: ".ts", description: "Seed data files" },
+    { prefix: "specs/", suffix: ".json", description: "Generated OpenAPI specs" },
+    { prefix: "specs/", suffix: ".yaml", description: "Generated OpenAPI specs" },
+    { prefix: "stackwright-generated/", suffix: ".json", description: "Services manifest" }
   ]
 };
 var PROTECTED_PATH_PREFIXES = [
@@ -3380,7 +3415,9 @@ var PROTECTED_PATH_PREFIXES = [
   ".stackwright/artifacts/signatures.json",
   // artifact signature manifest
   ".stackwright/questions/",
-  ".stackwright/answers/"
+  ".stackwright/answers/",
+  ".stackwright/page-registry.json"
+  // page ownership — managed by safe_write internally
 ];
 var MAX_SAFE_WRITE_BYTES_JSON = 512 * 1024;
 var MAX_SAFE_WRITE_BYTES_YAML = 256 * 1024;
@@ -3394,6 +3431,58 @@ function getMaxBytesForPath(filePath) {
     return { limit: MAX_SAFE_WRITE_BYTES_ENV, label: "env" };
   return { limit: MAX_SAFE_WRITE_BYTES_DEFAULT, label: "default" };
 }
+var PAGE_REGISTRY_FILE = ".stackwright/page-registry.json";
+function extractPageSlug(filePath) {
+  const match = normalize(filePath).match(/^pages\/(.+?)\/content\.ya?ml$/);
+  return match?.[1] ?? null;
+}
+function extractContentTypes(yamlContent) {
+  const typePattern = /^\s*-?\s*type:\s*(\S+)/gm;
+  const types = [];
+  let m;
+  while ((m = typePattern.exec(yamlContent)) !== null) {
+    const typeName = m[1];
+    if (typeName && !types.includes(typeName)) {
+      types.push(typeName);
+    }
+  }
+  return types.length > 0 ? types : ["unknown"];
+}
+function readPageRegistry(cwd) {
+  const regPath = join5(cwd, PAGE_REGISTRY_FILE);
+  if (!existsSync6(regPath)) return {};
+  try {
+    const stat = lstatSync6(regPath);
+    if (stat.isSymbolicLink()) return {};
+    return JSON.parse(readFileSync5(regPath, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function writePageRegistry(cwd, registry) {
+  const dir = join5(cwd, ".stackwright");
+  mkdirSync5(dir, { recursive: true });
+  const regPath = join5(cwd, PAGE_REGISTRY_FILE);
+  if (existsSync6(regPath)) {
+    const stat = lstatSync6(regPath);
+    if (stat.isSymbolicLink()) {
+      throw new Error("Refusing to write page registry through symlink");
+    }
+  }
+  writeFileSync5(regPath, JSON.stringify(registry, null, 2) + "\n", { encoding: "utf-8" });
+}
+function checkPageOwnership(cwd, slug, callerOtter) {
+  const registry = readPageRegistry(cwd);
+  const existing = registry[slug];
+  if (!existing || existing.claimedBy === callerOtter) {
+    return { allowed: true };
+  }
+  return {
+    allowed: false,
+    owner: existing.claimedBy,
+    contentTypes: existing.contentTypes
+  };
+}
 function checkPathAllowed(callerOtter, filePath) {
   const normalized = normalize(filePath);
   if (normalized.includes("..")) {
@@ -3435,6 +3524,16 @@ function checkPathAllowed(callerOtter, filePath) {
           continue;
         }
       }
+      if (rule.prefix === "lib/mock-auth" && rule.suffix === ".ts") {
+        if (normalized !== "lib/mock-auth.ts") {
+          continue;
+        }
+      }
+      if (rule.prefix === "package.json" && rule.suffix === ".json") {
+        if (normalized !== "package.json") {
+          continue;
+        }
+      }
       return { allowed: true, rule: rule.description };
     }
   }
@@ -3560,11 +3659,38 @@ function handleSafeWrite(input) {
     };
     return { text: JSON.stringify(result), isError: true };
   }
+  const pageSlug = extractPageSlug(normalized);
+  if (pageSlug) {
+    const ownership = checkPageOwnership(cwd, pageSlug, callerOtter);
+    if (!ownership.allowed) {
+      const result = {
+        success: false,
+        error: `Page slug "${pageSlug}" is already claimed by ${ownership.owner} (content types: ${ownership.contentTypes.join(", ")}). Use a different slug or coordinate with the owning otter.`,
+        callerOtter,
+        attemptedPath: filePath,
+        allowedPaths: []
+      };
+      return { text: JSON.stringify(result), isError: true };
+    }
+  }
   try {
     if (createDirectories) {
       mkdirSync5(dirname(fullPath), { recursive: true });
     }
     writeFileSync5(fullPath, content, { encoding: "utf-8" });
+    if (pageSlug) {
+      try {
+        const registry = readPageRegistry(cwd);
+        registry[pageSlug] = {
+          slug: pageSlug,
+          claimedBy: callerOtter,
+          contentTypes: extractContentTypes(content),
+          writtenAt: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        writePageRegistry(cwd, registry);
+      } catch {
+      }
+    }
     const result = {
       success: true,
       path: normalized,
@@ -3611,7 +3737,7 @@ function registerSafeWriteTools(server2) {
 
 // src/tools/auth.ts
 import { z as z13 } from "zod";
-import { readFileSync as readFileSync5, writeFileSync as writeFileSync6, existsSync as existsSync7 } from "fs";
+import { readFileSync as readFileSync6, writeFileSync as writeFileSync6, existsSync as existsSync7, mkdirSync as mkdirSync6 } from "fs";
 import { join as join6 } from "path";
 function buildHierarchy(roles) {
   const h = {};
@@ -3831,10 +3957,232 @@ ${routeLines}
 ${auditSection}
 `;
 }
+function generateDevOnlyMiddlewareContent(method, params, roles, defaultRole, hierarchy, auditEnabled, auditRetentionDays, protectedRoutes) {
+  const rbacBlock = `  rbac: {
+    roles: ${JSON.stringify(roles)},
+    defaultRole: '${defaultRole}',
+    hierarchy: ${JSON.stringify(hierarchy, null, 4)},
+  },`;
+  const auditBlock = `  audit: {
+    enabled: ${auditEnabled},
+    retentionDays: ${auditRetentionDays},
+  },`;
+  const routesBlock = `  protectedRoutes: ${JSON.stringify(protectedRoutes)},`;
+  const configBlock = `export const config = {
+  matcher: ${JSON.stringify(protectedRoutes)},
+};`;
+  const devHeader = [
+    "// middleware.ts \u2014 generated by @stackwright-pro/auth-nextjs (dev-only mock)",
+    "//   DEV ONLY \u2014 uses mock authentication from lib/mock-auth.ts",
+    "// Do NOT deploy to production.",
+    "import { createProMiddleware } from '@stackwright-pro/auth-nextjs';",
+    "import { mockAuthProvider } from './lib/mock-auth';"
+  ].join("\n");
+  if (method === "cac") {
+    const caBundle = params.cacCaBundle ?? "./certs/dod-ca-bundle.pem";
+    const edipiLookup = params.cacEdipiLookup ?? "./config/edipi-lookup.json";
+    const ocspEndpoint = params.cacOcspEndpoint ?? "https://ocsp.disa.mil";
+    const certHeader = params.cacCertHeader ?? "X-SSL-Client-Cert";
+    return `${devHeader}
+
+export const middleware = createProMiddleware({
+  method: 'cac',
+  cac: {
+    caBundle: '${caBundle}',
+    edipiLookup: '${edipiLookup}',
+    ocspEndpoint: '${ocspEndpoint}',
+    certHeader: '${certHeader}',
+    provider: mockAuthProvider,
+  },
+${rbacBlock}
+${auditBlock}
+${routesBlock}
+});
+
+${configBlock}
+`;
+  }
+  if (method === "oidc") {
+    const scopes2 = params.oidcScopes ?? "openid profile email";
+    const roleClaim = params.oidcRoleClaim ?? "roles";
+    return `${devHeader}
+
+export const middleware = createProMiddleware({
+  method: 'oidc',
+  oidc: {
+    discoveryUrl: 'https://dev-mock-oidc/.well-known/openid-configuration',
+    clientId: 'dev-mock-client',
+    clientSecret: 'dev-mock-secret',
+    scopes: '${scopes2}',
+    roleClaim: '${roleClaim}',
+    provider: mockAuthProvider,
+  },
+${rbacBlock}
+${auditBlock}
+${routesBlock}
+});
+
+${configBlock}
+`;
+  }
+  const scopes = params.oauth2Scopes ?? "read write";
+  return `${devHeader}
+
+export const middleware = createProMiddleware({
+  method: 'oauth2',
+  oauth2: {
+    authorizationUrl: 'https://dev-mock-oauth2/authorize',
+    tokenUrl: 'https://dev-mock-oauth2/token',
+    clientId: 'dev-mock-client',
+    clientSecret: 'dev-mock-secret',
+    scopes: '${scopes}',
+    provider: mockAuthProvider,
+  },
+${rbacBlock}
+${auditBlock}
+${routesBlock}
+});
+
+${configBlock}
+`;
+}
+function generateDevOnlyYamlBlock(method, params, roles, defaultRole, hierarchy, auditEnabled, auditRetentionDays, protectedRoutes) {
+  const rbacSection = `  rbac:
+    roles:
+${rolesToYaml(roles, "      ")}
+    defaultRole: ${defaultRole}
+    hierarchy:
+${hierarchyToYaml(hierarchy, "      ")}`;
+  const auditSection = `  audit:
+    enabled: ${auditEnabled}
+    retentionDays: ${auditRetentionDays}`;
+  const routeLines = protectedRoutes.map((r) => `    - pattern: ${r}
+      requiredRole: ${defaultRole}`).join("\n");
+  const providerLine = params.provider ? `  provider: ${params.provider}
+` : "";
+  if (method === "cac") {
+    const caBundle = params.cacCaBundle ?? "./certs/dod-ca-bundle.pem";
+    const edipiLookup = params.cacEdipiLookup ?? "./config/edipi-lookup.json";
+    const ocspEndpoint = params.cacOcspEndpoint ?? "https://ocsp.disa.mil";
+    const certHeader = params.cacCertHeader ?? "X-SSL-Client-Cert";
+    return `auth:
+  method: cac
+  devOnly: true
+${providerLine}  middleware: ./middleware.ts
+  cac:
+    caBundle: ${caBundle}
+    edipiLookup: ${edipiLookup}
+    ocspEndpoint: ${ocspEndpoint}
+    certHeader: ${certHeader}
+${rbacSection}
+  protectedRoutes:
+${routeLines}
+${auditSection}
+`;
+  }
+  if (method === "oidc") {
+    const scopes2 = params.oidcScopes ?? "openid profile email";
+    const roleClaim = params.oidcRoleClaim ?? "roles";
+    return `auth:
+  method: oidc
+  devOnly: true
+${providerLine}  middleware: ./middleware.ts
+  oidc:
+    discoveryUrl: https://dev-mock-oidc/.well-known/openid-configuration
+    clientId: dev-mock-client
+    clientSecret: dev-mock-secret
+    scopes: ${scopes2}
+    roleClaim: ${roleClaim}
+${rbacSection}
+  protectedRoutes:
+${routeLines}
+${auditSection}
+`;
+  }
+  const scopes = params.oauth2Scopes ?? "read write";
+  return `auth:
+  method: oauth2
+  devOnly: true
+${providerLine}  middleware: ./middleware.ts
+  oauth2:
+    authorizationUrl: https://dev-mock-oauth2/authorize
+    tokenUrl: https://dev-mock-oauth2/token
+    clientId: dev-mock-client
+    clientSecret: dev-mock-secret
+    scopes: ${scopes}
+${rbacSection}
+  protectedRoutes:
+${routeLines}
+${auditSection}
+`;
+}
+function deriveDevKey(roleName) {
+  const segment = roleName.split("_")[0];
+  return (segment ?? roleName).toLowerCase();
+}
+function generateMockAuthContent(roles, mockUsers) {
+  const entries = [];
+  const scriptLines = [];
+  for (let i = 0; i < roles.length; i++) {
+    const role = roles[i];
+    const devKey = deriveDevKey(role);
+    const persona = mockUsers?.[i];
+    const name = persona?.name ?? `Dev ${role}`;
+    const email = persona?.email ?? `dev-${devKey}@example.mil`;
+    const edipi = String(i + 1).padStart(10, "0");
+    entries.push(`  ${devKey}: {
+    id: 'mock-${devKey}-${String(i + 1).padStart(3, "0")}',
+    name: '${name}',
+    email: '${email}',
+    roles: ['${role}'],
+    edipi: '${edipi}',
+  }`);
+    scriptLines.push(` *   pnpm dev:${devKey}   \u2014 ${name}`);
+  }
+  return `/**
+ * Mock authentication for development mode.
+ *
+ * DEV_ONLY_MODE \u2014 no real auth provider. Select a persona via MOCK_USER env var
+ * or use the convenience scripts in package.json:
+${scriptLines.join("\n")}
+ */
+
+export const MOCK_USERS = {
+${entries.join(",\n")}
+} as const;
+
+export type MockRole = keyof typeof MOCK_USERS;
+
+export function getMockUser(role?: string) {
+  const key = (role ?? process.env.MOCK_USER) as MockRole | undefined;
+  if (!key) return null;
+  return MOCK_USERS[key] ?? null;
+}
+
+export function mockAuthProvider() {
+  return getMockUser();
+}
+`;
+}
+function updatePackageJsonScripts(existingJson, roles, mockUsers) {
+  const pkg = JSON.parse(existingJson);
+  const scripts = pkg.scripts ?? {};
+  delete scripts["dev:admin"];
+  delete scripts["dev:analyst"];
+  delete scripts["dev:viewer"];
+  for (let i = 0; i < roles.length; i++) {
+    const devKey = deriveDevKey(roles[i]);
+    scripts[`dev:${devKey}`] = `MOCK_USER=${devKey} next dev`;
+  }
+  pkg.scripts = scripts;
+  return JSON.stringify(pkg, null, 2) + "\n";
+}
 async function configureAuthHandler(params, cwd) {
   const {
     method,
     provider,
+    devOnly = false,
+    mockUsers,
     rbacRoles = ["SUPER_ADMIN", "ADMIN", "ANALYST"],
     auditEnabled = true,
     auditRetentionDays = 90,
@@ -3864,7 +4212,16 @@ async function configureAuthHandler(params, cwd) {
   }
   const filesWritten = [];
   try {
-    const middlewareContent = generateMiddlewareContent(
+    const middlewareContent = devOnly ? generateDevOnlyMiddlewareContent(
+      method,
+      params,
+      roles,
+      defaultRole,
+      hierarchy,
+      auditEnabled,
+      auditRetentionDays,
+      protectedRoutes
+    ) : generateMiddlewareContent(
       method,
       params,
       roles,
@@ -3888,30 +4245,87 @@ async function configureAuthHandler(params, cwd) {
       isError: true
     };
   }
-  try {
-    const envBlock = generateEnvBlock(method, params);
-    const envPath = join6(cwd, ".env.example");
-    if (existsSync7(envPath)) {
-      const existing = readFileSync5(envPath, "utf8");
-      writeFileSync6(envPath, existing.trimEnd() + "\n\n" + envBlock, "utf8");
-    } else {
-      writeFileSync6(envPath, envBlock, "utf8");
+  if (!devOnly) {
+    try {
+      const envBlock = generateEnvBlock(method, params);
+      const envPath = join6(cwd, ".env.example");
+      if (existsSync7(envPath)) {
+        const existing = readFileSync6(envPath, "utf8");
+        writeFileSync6(envPath, existing.trimEnd() + "\n\n" + envBlock, "utf8");
+      } else {
+        writeFileSync6(envPath, envBlock, "utf8");
+      }
+      filesWritten.push(".env.example");
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({ success: false, error: `Failed writing .env.example: ${msg}` })
+          }
+        ],
+        isError: true
+      };
+    }
+  }
+  if (devOnly) {
+    try {
+      const mockAuthDir = join6(cwd, "lib");
+      mkdirSync6(mockAuthDir, { recursive: true });
+      const mockAuthContent = generateMockAuthContent(roles, mockUsers);
+      writeFileSync6(join6(mockAuthDir, "mock-auth.ts"), mockAuthContent, "utf8");
+      filesWritten.push("lib/mock-auth.ts");
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              success: false,
+              error: `Failed writing lib/mock-auth.ts: ${msg}`
+            })
+          }
+        ],
+        isError: true
+      };
+    }
+    try {
+      const pkgPath = join6(cwd, "package.json");
+      if (existsSync7(pkgPath)) {
+        const existingPkg = readFileSync6(pkgPath, "utf8");
+        const updatedPkg = updatePackageJsonScripts(existingPkg, roles, mockUsers);
+        writeFileSync6(pkgPath, updatedPkg, "utf8");
+        filesWritten.push("package.json");
+      }
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      return {
+        content: [
+          {
+            type: "text",
+            text: JSON.stringify({
+              success: false,
+              error: `Failed updating package.json: ${msg}`
+            })
+          }
+        ],
+        isError: true
+      };
     }
-    filesWritten.push(".env.example");
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    return {
-      content: [
-        {
-          type: "text",
-          text: JSON.stringify({ success: false, error: `Failed writing .env.example: ${msg}` })
-        }
-      ],
-      isError: true
-    };
   }
   try {
-    const authYaml = generateYamlBlock(
+    const authYaml = devOnly ? generateDevOnlyYamlBlock(
+      method,
+      params,
+      roles,
+      defaultRole,
+      hierarchy,
+      auditEnabled,
+      auditRetentionDays,
+      protectedRoutes
+    ) : generateYamlBlock(
       method,
       params,
       roles,
@@ -3925,7 +4339,7 @@ async function configureAuthHandler(params, cwd) {
     if (!existsSync7(ymlPath)) {
       writeFileSync6(ymlPath, authYaml, "utf8");
     } else {
-      const existing = readFileSync5(ymlPath, "utf8");
+      const existing = readFileSync6(ymlPath, "utf8");
       writeFileSync6(ymlPath, upsertAuthBlock(existing, authYaml), "utf8");
     }
     filesWritten.push("stackwright.yml");
@@ -3993,7 +4407,9 @@ function registerAuthTools(server2) {
       // Routes
       protectedRoutes: jsonCoerce(z13.array(z13.string()).optional()),
       // Injection for tests
-      _cwd: z13.string().optional()
+      _cwd: z13.string().optional(),
+      devOnly: boolCoerce(z13.boolean().optional()),
+      mockUsers: jsonCoerce(z13.array(z13.object({ name: z13.string(), email: z13.string() })).optional())
     },
     async (params) => {
       const cwd = params._cwd ?? process.cwd();
@@ -4004,7 +4420,7 @@ function registerAuthTools(server2) {
 
 // src/integrity.ts
 import { createHash as createHash4, timingSafeEqual as timingSafeEqual2 } from "crypto";
-import { readFileSync as readFileSync6, readdirSync as readdirSync2, lstatSync as lstatSync7 } from "fs";
+import { readFileSync as readFileSync7, readdirSync as readdirSync2, lstatSync as lstatSync7 } from "fs";
 import { join as join7, basename } from "path";
 var _checksums = /* @__PURE__ */ new Map([
   [
@@ -4013,15 +4429,15 @@ var _checksums = /* @__PURE__ */ new Map([
   ],
   [
     "stackwright-pro-auth-otter.json",
-    "bf0e66e35d15ba818ba6ff1a007df34975565bacbb35cc0c80151fb1da13e573"
+    "4bf6beba7150d08c74c5f6fbbeb20e988aba52a2029ff2892615e71f6ab12ed1"
   ],
   [
     "stackwright-pro-dashboard-otter.json",
-    "f5a83b74ad7c44edc6f39b45a568fa122d82aa4788f741ce14614da56d4e29a4"
+    "9c319d311801730e8dc9bc142eebb8fc5a7f48da48fa0b8d8c3b7431652447be"
   ],
   [
     "stackwright-pro-data-otter.json",
-    "c406e1c775bcb1f2b038b40a92d9bd23172b40d774fc0fa50bad4c9714f53445"
+    "4d9369277685a4acc484116920c9622ad8a1838012a493fcfe42a6ae5abe53cf"
   ],
   [
     "stackwright-pro-designer-otter.json",
@@ -4029,23 +4445,23 @@ var _checksums = /* @__PURE__ */ new Map([
   ],
   [
     "stackwright-pro-domain-expert-otter.json",
-    "bfe5c167d73fef3f2ef280fff56dcb552073c218e1394a43ecf983a03169ed55"
+    "6055a2efc78f54a8393f628839e2a2563bf0c6de3ad32de00c82779a53381efd"
   ],
   [
     "stackwright-pro-foreman-otter.json",
-    "a3a4c6b3dde05d8bed213759b1b6644d345b3107b73624ff5654d30b98297649"
+    "ab38ef53b95ec610a38b2866d78a135cbec16d257a9b35d7e46e2fee2d4de235"
   ],
   [
     "stackwright-pro-geo-otter.json",
-    "6eb7ecf97254dbd79c09ad24348bf16001423cce9585c14bef81afd67b7b901b"
+    "9e09aaf2bb10197c6d1c05d0fd5f5f9380acc0cb697a410fcae839ffba648561"
   ],
   [
     "stackwright-pro-page-otter.json",
-    "9a5672f0758c81539337d86955e2892cd412547b4f111c2aa098eed1e62d7626"
+    "532bb7e9a25a5c832edd1ff1ea0886dd4453905d86e6f9331eb957ae5e121833"
   ],
   [
     "stackwright-pro-polish-otter.json",
-    "d31116995fdb417798af6056efd03bb1c71e0891371aba1774d283c03c9d77e8"
+    "8f284d4d6a204137cd786824fc584d5bddac1bc757204769b99ca5412cf2cea2"
   ],
   [
     "stackwright-pro-theme-otter.json",
@@ -4057,7 +4473,7 @@ var _checksums = /* @__PURE__ */ new Map([
   ],
   [
     "stackwright-services-otter.json",
-    "2a99df3e50415d027c0bc2a57f509882928bb1ae516e61dda667641ce1652ac3"
+    "4893a596d187110124f78336ee91184a51b3c8d980c455382fe481adb9b487b5"
   ]
 ]);
 Object.freeze(_checksums);
@@ -4104,7 +4520,7 @@ function verifyOtterFile(filePath) {
   }
   let raw;
   try {
-    raw = readFileSync6(filePath);
+    raw = readFileSync7(filePath);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     return { verified: false, filename, error: `Cannot read file: ${msg}` };
@@ -4274,7 +4690,7 @@ function registerIntegrityTools(server2) {
 
 // src/tools/domain.ts
 import { z as z14 } from "zod";
-import { readFileSync as readFileSync7, existsSync as existsSync8 } from "fs";
+import { readFileSync as readFileSync8, existsSync as existsSync8 } from "fs";
 import { join as join8 } from "path";
 function handleListCollections(input) {
   const cwd = input._cwd ?? process.cwd();
@@ -4299,7 +4715,7 @@ function handleListCollections(input) {
   for (const { path: path3, source, parse } of sources) {
     if (!existsSync8(path3)) continue;
     try {
-      const collections = parse(readFileSync7(path3, "utf8"));
+      const collections = parse(readFileSync8(path3, "utf8"));
       return {
         text: JSON.stringify({ collections, source, collectionCount: collections.length }),
         isError: false
@@ -4460,7 +4876,7 @@ function handleValidateWorkflow(input) {
       ]);
     }
     try {
-      raw = JSON.parse(readFileSync7(artifactPath, "utf8"));
+      raw = JSON.parse(readFileSync8(artifactPath, "utf8"));
     } catch (err) {
       return fail([{ code: "INVALID_JSON", message: `Failed to parse workflow artifact: ${err}` }]);
     }
@@ -4790,7 +5206,7 @@ var package_default = {
     "test:coverage": "vitest run --coverage"
   },
   name: "@stackwright-pro/mcp",
-  version: "0.2.0-alpha.60",
+  version: "0.2.0-alpha.61",
   description: "MCP tools for Stackwright Pro - Data Explorer, Security, ISR, and Dashboard generation",
   license: "SEE LICENSE IN LICENSE",
   main: "./dist/server.js",
@@ -4846,6 +5262,15 @@ registerDomainTools(server);
 registerTypeSchemasTool(server);
 async function main() {
   const transport = new StdioServerTransport();
+  try {
+    const servicesRegisterPkg = "@stackwright-services/mcp/register";
+    const mod = await import(servicesRegisterPkg);
+    if (typeof mod.registerServicesTools === "function") {
+      mod.registerServicesTools(server);
+      console.error("Stackwright Services tools registered on pro MCP");
+    }
+  } catch {
+  }
   await server.connect(transport);
   console.error("Stackwright Pro MCP server running on stdio");
 }