@studiometa/productive-mcp 0.10.14 → 0.10.15

package/dist/{handlers-BE96O-uy.js → handlers-BEeOjytC.js}

@@ -1,5 +1,8 @@
 import { ProductiveApi, formatActivity, formatAttachment, formatBooking, formatComment, formatCompany, formatCustomField, formatDeal, formatDiscussion, formatListResponse, formatPage, formatPerson, formatProject, formatService, formatTask, formatTimeEntry, formatTimer } from "@studiometa/productive-api";
 import { ACTIONS, REPORT_TYPES, RESOURCES, ResolveError, VALID_REPORT_TYPES, completeTask, createBooking, createComment, createCompany, createDeal, createDiscussion, createPage, createTask, createTimeEntry, deleteAttachment, deleteDiscussion, deletePage, deleteTimeEntry, fromHandlerContext, getAttachment, getBooking, getComment, getCompany, getCustomField, getDeal, getDealContext, getDiscussion, getMyDaySummary, getPage, getPerson, getProject, getProjectContext, getProjectHealthSummary, getReport, getService, getTask, getTaskContext, getTeamPulseSummary, getTimeEntry, getTimer, listActivities, listAttachments, listBookings, listComments, listCompanies, listCustomFields, listDeals, listDiscussions, listPages, listPeople, listProjects, listServices, listTasks, listTimeEntries, listTimers, logDay, readApi, reopenDiscussion, resolveDiscussion, resolveResource, startTimer, stopTimer, updateBooking, updateComment, updateCompany, updateDeal, updateDiscussion, updatePage, updateTask, updateTimeEntry, weeklyStandup, writeApi } from "@studiometa/productive-core";
+import variant from "@jitl/quickjs-singlefile-cjs-release-sync";
+import { newQuickJSWASMModuleFromVariant } from "quickjs-emscripten-core";
+import { stripTypeScriptTypes } from "node:module";
 //#region src/errors.ts
 /**
 * Custom error classes for MCP server
@@ -2181,7 +2184,7 @@ var allowsEval = cached(() => {
 		return false;
 	}
 });
-function isPlainObject(o) {
+function isPlainObject$1(o) {
 	if (isObject(o) === false) return false;
 	const ctor = o.constructor;
 	if (ctor === void 0) return true;
@@ -2192,7 +2195,7 @@ function isPlainObject(o) {
 	return true;
 }
 function shallowClone(o) {
-	if (isPlainObject(o)) return { ...o };
+	if (isPlainObject$1(o)) return { ...o };
 	if (Array.isArray(o)) return [...o];
 	return o;
 }
@@ -2273,7 +2276,7 @@ function omit(schema, mask) {
 	}));
 }
 function extend(schema, shape) {
-	if (!isPlainObject(shape)) throw new Error("Invalid input to extend: expected a plain object");
+	if (!isPlainObject$1(shape)) throw new Error("Invalid input to extend: expected a plain object");
 	const checks = schema._zod.def.checks;
 	if (checks && checks.length > 0) {
 		const existingShape = schema._zod.def.shape;
@@ -2289,7 +2292,7 @@ function extend(schema, shape) {
 	} }));
 }
 function safeExtend(schema, shape) {
-	if (!isPlainObject(shape)) throw new Error("Invalid input to safeExtend: expected a plain object");
+	if (!isPlainObject$1(shape)) throw new Error("Invalid input to safeExtend: expected a plain object");
 	return clone(schema, mergeDefs(schema._zod.def, { get shape() {
 		const _shape = {
 			...schema._zod.def.shape,
@@ -3803,7 +3806,7 @@ function mergeValues(a, b) {
 		valid: true,
 		data: a
 	};
-	if (isPlainObject(a) && isPlainObject(b)) {
+	if (isPlainObject$1(a) && isPlainObject$1(b)) {
 		const bKeys = Object.keys(b);
 		const sharedKeys = Object.keys(a).filter((key) => bKeys.indexOf(key) !== -1);
 		const newObj = {
@@ -3879,7 +3882,7 @@ var $ZodRecord = /*@__PURE__*/ $constructor("$ZodRecord", (inst, def) => {
 	$ZodType.init(inst, def);
 	inst._zod.parse = (payload, ctx) => {
 		const input = payload.value;
-		if (!isPlainObject(input)) {
+		if (!isPlainObject$1(input)) {
 			payload.issues.push({
 				expected: "record",
 				code: "invalid_type",
@@ -6196,7 +6199,8 @@ object({
 * Full input schema for the raw api_read tool.
 */
 var ApiReadToolInputSchema = object({
-	path: string().trim().min(1, "Path cannot be empty").describe("Relative Productive API path"),
+	path: string().trim().min(1, "Path cannot be empty").optional().describe("Relative Productive API path (required unless using \"search\")"),
+	search: string().trim().min(1, "Search cannot be empty").optional().describe("Keyword search over the documented endpoint catalog; returns matching paths"),
 	describe: boolean().optional(),
 	filter: FilterSchema,
 	include: ParamInclude.optional(),
@@ -6205,7 +6209,7 @@ var ApiReadToolInputSchema = object({
 	per_page: ParamPerPage.optional(),
 	paginate: boolean().optional(),
 	max_pages: number().int().min(1).max(50).optional()
-});
+}).refine((data) => !!data.path || !!data.search, { message: "Provide either \"path\" (to read/describe) or \"search\" (to find endpoints)." });
 /**
 * Full input schema for the raw api_write tool.
 */
@@ -6222,6 +6226,15 @@ var ApiWriteToolInputSchema = object({
 	dry_run: boolean().optional()
 });
 /**
+* Full input schema for the sandboxed run_script tool.
+*/
+var RunScriptToolInputSchema = object({
+	code: string().min(1, "Code cannot be empty").describe("JavaScript/TypeScript source to run"),
+	args: array(unknown()).optional().describe("Positional arguments exposed as `args`"),
+	flags: record(string(), unknown()).optional().describe("Named values exposed as `flags`"),
+	dry_run: boolean().optional().describe("Record mutations instead of executing them")
+});
+/**
 * Format Zod validation errors for LLM consumption
 */
 function formatValidationErrors(error) {
@@ -38948,6 +38961,42 @@ function buildMethodExample(path, method, methodSpec) {
 	} };
 	return example;
 }
+/** Number of documented endpoints in the catalog. */
+function apiEndpointCount() {
+	return Object.keys(PRODUCTIVE_API_REFERENCE).length;
+}
+/** Whether a query matches anywhere in an endpoint's documented surface. */
+function endpointMatches(spec, q) {
+	if (spec.path.toLowerCase().includes(q)) return true;
+	return Object.values(spec.methods).some((method) => method?.summary?.toLowerCase().includes(q) || method?.description?.toLowerCase().includes(q) || method?.operationId?.toLowerCase().includes(q) || Object.keys(method?.filters ?? {}).some((f) => f.toLowerCase().includes(q)));
+}
+/**
+* Keyword-search the documented endpoint catalog, returning matching paths
+* (not their full specs) so an agent can drill in with `api_read describe`.
+* Pure — reused by `api_read` search and the global `search_docs` tool.
+*/
+function searchApiEndpoints(query, limit = 30) {
+	const q = query.trim().toLowerCase();
+	const all = [];
+	for (const spec of Object.values(PRODUCTIVE_API_REFERENCE)) {
+		if (!endpointMatches(spec, q)) continue;
+		const methods = Object.keys(spec.methods);
+		const summary = Object.values(spec.methods).map((m) => m?.summary).find(Boolean);
+		all.push({
+			path: spec.path,
+			methods,
+			summary
+		});
+	}
+	all.sort((a, b) => a.path.localeCompare(b.path));
+	const matches = all.slice(0, limit);
+	return {
+		query,
+		total: all.length,
+		matches,
+		...all.length > matches.length ? { truncated: true } : {}
+	};
+}
 function describeApiEndpoint(path) {
 	const normalizedPath = normalizeApiPath(path);
 	const matches = Object.values(PRODUCTIVE_API_REFERENCE).filter((spec) => {
@@ -38978,6 +39027,11 @@ function describeApiEndpoint(path) {
 //#region src/handlers/api-read.ts
 async function handleApiRead(args, ctx) {
 	try {
+		if (args.search) return jsonResult({
+			...searchApiEndpoints(args.search),
+			_tip: "Call api_read with describe=true and a matching path for its full spec (filters, sort, body fields)."
+		});
+		if (!args.path) throw new UserInputError("Provide \"path\" to read/describe an endpoint, or \"search\" to find one.");
 		if (args.describe) return jsonResult(describeApiEndpoint(args.path));
 		validatePagination(args);
 		const { methodSpec, normalizedPath } = resolveApiEndpoint(args.path, "GET");
@@ -40562,6 +40616,59 @@ function handleHelp(resource) {
 		...help
 	});
 }
+/** Collect the places a query matches within one resource's help. */
+function matchResourceHelp(resource, help, q) {
+	const hits = [];
+	const has = (s) => !!s && s.toLowerCase().includes(q);
+	if (resource.toLowerCase().includes(q)) hits.push("resource name");
+	if (has(help.description)) hits.push("description");
+	for (const [action, desc] of Object.entries(help.actions)) if (action.toLowerCase().includes(q) || has(desc)) hits.push(`action: ${action}`);
+	for (const [filter, desc] of Object.entries(help.filters ?? {})) if (filter.toLowerCase().includes(q) || has(desc)) hits.push(`filter: ${filter}`);
+	for (const [field, desc] of Object.entries(help.fields ?? {})) if (field.toLowerCase().includes(q) || has(desc)) hits.push(`field: ${field}`);
+	for (const include of help.includes ?? []) if (include.toLowerCase().includes(q)) hits.push(`include: ${include}`);
+	for (const example of help.examples ?? []) if (has(example.description)) hits.push(`example: ${example.description}`);
+	return hits;
+}
+/** All resource names that have help documentation. */
+function helpResourceNames() {
+	return Object.keys(RESOURCE_HELP);
+}
+/**
+* Search help across all resources, returning a compact ranked list of matching
+* resources (not their full docs). Pure — reused by both the `action=help`
+* query path and the global `search_docs` tool.
+*/
+function searchResourceHelp(query) {
+	const q = query.trim().toLowerCase();
+	const matches = [];
+	for (const [resource, help] of Object.entries(RESOURCE_HELP)) {
+		const hits = matchResourceHelp(resource, help, q);
+		if (hits.length > 0) matches.push({
+			resource,
+			description: help.description,
+			matched_in: hits.slice(0, 6)
+		});
+	}
+	return matches.toSorted((a, b) => b.matched_in.length - a.matched_in.length || a.resource.localeCompare(b.resource));
+}
+/**
+* `action=help` query path: cross-resource help search as a tool result, so an
+* agent can drill into a specific resource with action="help".
+*/
+function handleHelpSearch(query) {
+	const matches = searchResourceHelp(query);
+	if (matches.length === 0) return jsonResult({
+		query,
+		matches: [],
+		available_resources: helpResourceNames(),
+		_tip: "No matches. Call action=\"help\" with a resource for its full documentation."
+	});
+	return jsonResult({
+		query,
+		matches,
+		_tip: "Call action=\"help\" with resource=\"<name>\" for full filters, fields, and examples."
+	});
+}
 /**
 * Get help for all resources (overview)
 */
@@ -40761,6 +40868,854 @@ async function handleReports(action, args, ctx) {
 	});
 }
 //#endregion
+//#region src/run/bridge.ts
+/** Productive actions that mutate data — intercepted in dry-run mode. */
+var MUTATING_ACTIONS = new Set([
+	"create",
+	"update",
+	"delete",
+	"start",
+	"stop",
+	"reopen",
+	"complete_task",
+	"log_day"
+]);
+/** Whether a call would mutate data (used for dry-run classification). */
+function isMutating(channel, payload) {
+	if (channel === "api_write") return true;
+	if (channel === "productive") return MUTATING_ACTIONS.has(String(payload.action));
+	return false;
+}
+/** Map a channel to its tool name. */
+function toolNameFor(channel) {
+	return channel === "productive" ? "productive" : channel;
+}
+/**
+* Extract the JSON text from a tool result, throwing on error results so that
+* guest-side `try/catch` works naturally. The text is returned verbatim (MCP
+* handlers already produce JSON via `jsonResult`); the guest parses it once.
+*/
+function toJsonText(result) {
+	const content = result.content?.[0];
+	const text = content && content.type === "text" ? content.text : void 0;
+	if (result.isError) throw new Error(text ?? "Unknown tool error");
+	if (text === void 0) throw new Error("Tool returned no content");
+	return text;
+}
+/**
+* Create a bridge bound to a set of credentials and limits.
+*/
+function createBridge(opts) {
+	let apiCalls = 0;
+	const recorded = [];
+	async function call(channel, payload) {
+		if (channel !== "productive" && channel !== "api_read" && channel !== "api_write") throw new Error(`Unknown bridge channel: ${channel}`);
+		if (opts.signal.aborted) throw new Error("Script execution timed out");
+		if (apiCalls >= opts.limits.maxApiCalls) throw new Error(`API call budget exceeded (max ${opts.limits.maxApiCalls})`);
+		apiCalls += 1;
+		if (opts.dryRun && isMutating(channel, payload)) {
+			recorded.push({
+				channel,
+				payload
+			});
+			return JSON.stringify({
+				_dryRun: true,
+				channel,
+				payload
+			});
+		}
+		return toJsonText(await opts.exec(toolNameFor(channel), payload, opts.credentials));
+	}
+	return {
+		call,
+		getStats: () => ({
+			apiCalls,
+			recorded: [...recorded]
+		})
+	};
+}
+//#endregion
+//#region src/run/prelude.ts
+/**
+* Guest-side JavaScript prelude injected into the sandbox before user code.
+*
+* It builds the `productive`, `api`, `output`, `args`, and `flags` globals on
+* top of two host primitives provided by the engine:
+*
+* - `__hostCall(channel, payloadJson)` → Promise<resultJson> — bridged API call
+* - `__emit(entryJson)` — synchronous output buffering
+*
+* The surface deliberately mirrors the `productive` tool's resource/action
+* model (what agents already know) rather than the fluent SDK, since no SDK
+* code runs inside the sandbox.
+*/
+/**
+* Resources that don't map to a simple list/get/create/update shape. These are
+* still reachable through the low-level `productive(resource, action, params)`
+* call, just without a convenience accessor.
+*/
+var NON_DATA_RESOURCES = new Set([
+	"batch",
+	"search",
+	"summaries",
+	"workflows",
+	"reports"
+]);
+/** Resources that get a `productive.<resource>` convenience accessor. */
+var SCRIPT_RESOURCES = RESOURCES.filter((r) => !NON_DATA_RESOURCES.has(r));
+/**
+* Build the prelude source for a run.
+*
+* `args` and `flags` are embedded as JSON literals (safe — JSON is a subset of
+* JS expression syntax).
+*/
+function buildPrelude(opts) {
+	return `
+const __channel = (channel, payload) =>
+  __hostCall(channel, JSON.stringify(payload)).then((s) => JSON.parse(s));
+
+const __out = (type, data) => {
+  let payload;
+  try {
+    payload = JSON.stringify({ type, data });
+  } catch (e) {
+    // A circular structure / BigInt would otherwise abort the whole script;
+    // emit a placeholder so output.* is best-effort instead.
+    payload = JSON.stringify({ type, data: '[unserializable: ' + String((e && e.message) || e) + ']' });
+  }
+  __emit(payload);
+};
+
+// Routing keys (resource/action/id/filter/path) are applied LAST so a
+// user-supplied param of the same name can never silently change routing.
+const productive = (resource, action, params = {}) =>
+  __channel('productive', Object.assign({}, params, { resource, action }));
+
+for (const __r of ${JSON.stringify(SCRIPT_RESOURCES)}) {
+  productive[__r] = {
+    list: (filter = {}, opts = {}) =>
+      __channel('productive', Object.assign({}, opts, { resource: __r, action: 'list', filter })),
+    get: (id, opts = {}) =>
+      __channel('productive', Object.assign({}, opts, { resource: __r, action: 'get', id })),
+    create: (params = {}) =>
+      __channel('productive', Object.assign({}, params, { resource: __r, action: 'create' })),
+    update: (id, params = {}) =>
+      __channel('productive', Object.assign({}, params, { resource: __r, action: 'update', id })),
+  };
+}
+
+const api = {
+  read: (path, opts = {}) => __channel('api_read', Object.assign({}, opts, { path })),
+  write: (method, path, body) => __channel('api_write', { method, path, body, confirm: true }),
+};
+
+const output = {
+  json: (d) => __out('json', d),
+  table: (d) => __out('table', d),
+  csv: (d) => __out('csv', d),
+  text: (t) => __out('text', String(t)),
+  print: (t) => __out('text', String(t)),
+  log: (...a) =>
+    __out('log', a.map((x) => (typeof x === 'string' ? x : JSON.stringify(x))).join(' ')),
+  info: (m) => __out('info', String(m)),
+  warn: (m) => __out('warn', String(m)),
+  error: (m) => __out('error', String(m)),
+  success: (m) => __out('success', String(m)),
+};
+
+const args = ${JSON.stringify(opts.args)};
+const flags = ${JSON.stringify(opts.flags)};
+
+Object.assign(globalThis, { productive, api, output, args, flags });
+`;
+}
+//#endregion
+//#region src/run/engine.ts
+/**
+* QuickJS-WASM execution engine for sandboxed scripts.
+*
+* Each run gets a fresh QuickJS context (isolated globals + heap) created from
+* a single, process-wide cached WASM module. The sandbox has no ambient
+* capabilities: the only host functions exposed are `__hostCall` (bridged API
+* access, returns a real guest Promise so scripts can `await` naturally) and
+* `__emit` (output buffering).
+*
+* Limits enforced here:
+* - memory   — `runtime.setMemoryLimit`
+* - CPU/loop — an interrupt handler with a wall-clock deadline (fires even
+*              while the host event loop is blocked by a synchronous loop)
+* - hang     — an abort-signal race around the async completion wait
+* - output   — buffered output is capped and flagged as truncated
+*/
+/** Error raised when a script fails to compile, throws, or times out. */
+var ScriptError = class extends Error {
+	stackTrace;
+	constructor(message, stackTrace) {
+		super(message);
+		this.name = "ScriptError";
+		this.stackTrace = stackTrace;
+	}
+};
+var modulePromise;
+/**
+* Lazily create and cache the QuickJS WASM module (decision: cache the
+* compiled module across runs; each run still gets a fresh context).
+*/
+function getQuickJSModule() {
+	if (!modulePromise) modulePromise = newQuickJSWASMModuleFromVariant(variant);
+	return modulePromise;
+}
+/** Build the full source: prelude + user code wrapped in an async entrypoint. */
+function buildSource(input) {
+	return `${buildPrelude({
+		args: input.args,
+		flags: input.flags
+	})}
+async function __main() {
+${input.code}
+}
+__main().then(
+  (v) => {
+    try {
+      __resolve(JSON.stringify(v === undefined ? null : v));
+    } catch (e) {
+      __reject(JSON.stringify({ message: 'Result is not serializable: ' + String((e && e.message) || e) }));
+    }
+  },
+  (e) => __reject(JSON.stringify({ message: String((e && e.message) || e), stack: String((e && e.stack) || '') })),
+);`;
+}
+/** A promise that rejects when the abort signal fires. */
+function abortPromise(signal) {
+	let onAbort = () => {};
+	const promise = new Promise((_resolve, reject) => {
+		if (signal.aborted) {
+			reject(new ScriptError("Script execution timed out"));
+			return;
+		}
+		onAbort = () => reject(new ScriptError("Script execution timed out"));
+		signal.addEventListener("abort", onAbort, { once: true });
+	});
+	promise.catch(() => {});
+	return {
+		promise,
+		cleanup: () => signal.removeEventListener("abort", onAbort)
+	};
+}
+/**
+* Register the synchronous host functions (`__emit`, `__resolve`, `__reject`)
+* and the async `__hostCall`, wiring output buffering and result capture.
+*/
+function installHostFunctions(ctx, input, state) {
+	ctx.newFunction("__emit", (handle) => {
+		const raw = ctx.getString(handle);
+		state.bytes += Buffer.byteLength(raw, "utf8");
+		if (state.bytes > input.limits.maxOutputBytes) {
+			state.truncated = true;
+			return;
+		}
+		try {
+			state.output.push(JSON.parse(raw));
+		} catch {}
+	}).consume((f) => ctx.setProp(ctx.global, "__emit", f));
+	ctx.newFunction("__resolve", (handle) => {
+		const raw = ctx.getString(handle);
+		try {
+			state.captured = {
+				ok: true,
+				value: JSON.parse(raw)
+			};
+		} catch {
+			state.captured = {
+				ok: true,
+				value: raw
+			};
+		}
+	}).consume((f) => ctx.setProp(ctx.global, "__resolve", f));
+	ctx.newFunction("__reject", (handle) => {
+		const raw = ctx.getString(handle);
+		try {
+			const parsed = JSON.parse(raw);
+			state.captured = {
+				ok: false,
+				message: parsed.message ?? "Error",
+				stack: parsed.stack
+			};
+		} catch {
+			state.captured = {
+				ok: false,
+				message: raw
+			};
+		}
+	}).consume((f) => ctx.setProp(ctx.global, "__reject", f));
+	ctx.newFunction("__hostCall", (channelHandle, payloadHandle) => {
+		const channel = ctx.getString(channelHandle);
+		const payloadStr = ctx.getString(payloadHandle);
+		const deferred = ctx.newPromise();
+		state.pendingDeferreds.add(deferred);
+		(async () => {
+			let payload = {};
+			try {
+				payload = JSON.parse(payloadStr);
+			} catch {}
+			return input.hostCall(channel, payload);
+		})().then((jsonStr) => {
+			if (state.disposed) return;
+			state.pendingDeferreds.delete(deferred);
+			const handle = ctx.newString(jsonStr);
+			deferred.resolve(handle);
+			handle.dispose();
+		}, (err) => {
+			if (state.disposed) return;
+			state.pendingDeferreds.delete(deferred);
+			const message = err instanceof Error ? err.message : String(err);
+			const handle = ctx.newError(message);
+			deferred.reject(handle);
+			handle.dispose();
+		});
+		deferred.settled.then(() => {
+			if (state.disposed) return;
+			try {
+				ctx.runtime.executePendingJobs();
+			} catch {}
+		});
+		return deferred.handle;
+	}).consume((f) => ctx.setProp(ctx.global, "__hostCall", f));
+}
+/**
+* Run a script to completion in a sandboxed QuickJS context.
+*
+* @throws {ScriptError} on compile error, uncaught guest error, or timeout.
+*/
+async function runScript(input) {
+	const ctx = (await getQuickJSModule()).newContext();
+	const runtime = ctx.runtime;
+	runtime.setMemoryLimit(input.limits.memoryBytes);
+	runtime.setMaxStackSize(1024 * 1024);
+	const deadline = Date.now() + input.limits.timeoutMs;
+	let interrupted = false;
+	runtime.setInterruptHandler(() => {
+		if (Date.now() > deadline || input.signal.aborted) {
+			interrupted = true;
+			return true;
+		}
+		return false;
+	});
+	const state = {
+		output: [],
+		bytes: 0,
+		truncated: false,
+		captured: void 0,
+		disposed: false,
+		pendingDeferreds: /* @__PURE__ */ new Set()
+	};
+	const abort = abortPromise(input.signal);
+	try {
+		installHostFunctions(ctx, input, state);
+		const evalResult = ctx.evalCode(buildSource(input), "script.js");
+		if (evalResult.error) {
+			const dumped = safeDump(ctx, evalResult.error);
+			evalResult.error.dispose();
+			if (interrupted) throw new ScriptError("Script execution timed out");
+			throw new ScriptError(formatGuestError(dumped));
+		}
+		const topPromise = evalResult.value;
+		const native = ctx.resolvePromise(topPromise);
+		topPromise.dispose();
+		runtime.executePendingJobs();
+		const settled = await Promise.race([native, abort.promise]);
+		if (settled.error) settled.error.dispose();
+		else settled.value.dispose();
+	} finally {
+		abort.cleanup();
+		state.disposed = true;
+		for (const deferred of state.pendingDeferreds) try {
+			deferred.dispose();
+		} catch {}
+		ctx.dispose();
+	}
+	if (interrupted || input.signal.aborted) throw new ScriptError("Script execution timed out");
+	if (!state.captured) throw new ScriptError("Script did not complete");
+	if (!state.captured.ok) throw new ScriptError(state.captured.message ?? "Script error", state.captured.stack);
+	return {
+		result: state.captured.value,
+		output: state.output,
+		truncated: state.truncated
+	};
+}
+/** Dump a guest handle to a host value, tolerating dump failures (e.g. OOM). */
+function safeDump(ctx, handle) {
+	try {
+		return ctx.dump(handle);
+	} catch {
+		return;
+	}
+}
+/** Format a dumped guest error into a single-line message. */
+function formatGuestError(dumped) {
+	if (dumped && typeof dumped === "object") {
+		const err = dumped;
+		if (err.message) return err.name ? `${err.name}: ${err.message}` : err.message;
+	}
+	if (typeof dumped === "string") return dumped;
+	return "Script failed to compile";
+}
+//#endregion
+//#region src/run/limits.ts
+var DEFAULTS = {
+	timeoutMs: 5e3,
+	memoryMb: 64,
+	maxApiCalls: 50,
+	maxOutputKb: 256,
+	maxCodeKb: 128
+};
+/**
+* Whether the `run_script` tool is enabled. Off unless explicitly turned on.
+*/
+function isRunScriptEnabled(env = process.env) {
+	return env.PRODUCTIVE_MCP_ENABLE_RUN === "true";
+}
+/**
+* Parse a positive integer from an env var, falling back when missing/invalid.
+*/
+function parsePositiveInt(value, fallback) {
+	if (value === void 0) return fallback;
+	const n = Number(value);
+	return Number.isInteger(n) && n > 0 ? n : fallback;
+}
+/**
+* Resolve the active resource limits from the environment.
+*/
+function resolveRunLimits(env = process.env) {
+	return {
+		timeoutMs: parsePositiveInt(env.PRODUCTIVE_MCP_RUN_TIMEOUT_MS, DEFAULTS.timeoutMs),
+		memoryBytes: parsePositiveInt(env.PRODUCTIVE_MCP_RUN_MEMORY_MB, DEFAULTS.memoryMb) * 1024 * 1024,
+		maxApiCalls: parsePositiveInt(env.PRODUCTIVE_MCP_RUN_MAX_API_CALLS, DEFAULTS.maxApiCalls),
+		maxOutputBytes: parsePositiveInt(env.PRODUCTIVE_MCP_RUN_MAX_OUTPUT_KB, DEFAULTS.maxOutputKb) * 1024,
+		maxCodeBytes: parsePositiveInt(env.PRODUCTIVE_MCP_RUN_MAX_CODE_KB, DEFAULTS.maxCodeKb) * 1024
+	};
+}
+//#endregion
+//#region src/run/render.ts
+/** Labels for log-style output entries. */
+var LOG_LABELS = {
+	info: "ℹ️",
+	warn: "⚠️",
+	error: "❌",
+	success: "✅"
+};
+/** Escape a value for use inside a Markdown table cell. */
+function cell(value) {
+	return (value === null || value === void 0 ? "" : typeof value === "object" ? JSON.stringify(value) : String(value)).replace(/\\/g, "\\\\").replace(/\|/g, "\\|").replace(/\n/g, " ");
+}
+/** Whether a value is a plain (non-array, non-null) object. */
+function isPlainObject(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+/** Render an array of objects as a Markdown table. */
+function markdownTable(rows) {
+	const columns = [...new Set(rows.flatMap((row) => Object.keys(row)))];
+	if (columns.length === 0) return "_(no columns)_";
+	return `${`| ${columns.join(" | ")} |`}\n${`| ${columns.map(() => "---").join(" | ")} |`}\n${rows.map((row) => `| ${columns.map((c) => cell(row[c])).join(" | ")} |`).join("\n")}`;
+}
+/** Build one row of CSV with RFC-4180-style quoting. */
+function csvRow(values) {
+	return values.map((v) => {
+		const text = v === null || v === void 0 ? "" : typeof v === "object" ? JSON.stringify(v) : String(v);
+		return /[",\n]/.test(text) ? `"${text.replace(/"/g, "\"\"")}"` : text;
+	}).join(",");
+}
+/** Render an array of objects as CSV. */
+function toCsv(rows) {
+	const columns = [...new Set(rows.flatMap((row) => Object.keys(row)))];
+	return [csvRow(columns), ...rows.map((row) => csvRow(columns.map((c) => row[c])))].join("\n");
+}
+/** Fenced code block. */
+function fence(lang, body) {
+	return `\`\`\`${lang}\n${body}\n\`\`\``;
+}
+/** Render a single output entry to Markdown. */
+function renderEntry(entry) {
+	const { type, data } = entry;
+	switch (type) {
+		case "table": return Array.isArray(data) && data.length > 0 && data.every(isPlainObject) ? markdownTable(data) : fence("json", JSON.stringify(data, null, 2));
+		case "csv": return Array.isArray(data) && data.length > 0 && data.every(isPlainObject) ? fence("csv", toCsv(data)) : fence("json", JSON.stringify(data, null, 2));
+		case "json": return fence("json", JSON.stringify(data, null, 2));
+		case "text":
+		case "log": return String(data);
+		default: return `${LOG_LABELS[type] ?? `[${type}]`} ${String(data)}`;
+	}
+}
+/** Render the run footer (stats line). */
+function renderFooter(run) {
+	const bits = [`${run.apiCalls} API call${run.apiCalls === 1 ? "" : "s"}`];
+	if (run.dryRun) bits.push("dry run");
+	if (run.outputTruncated) bits.push("output truncated");
+	if (run.recorded && run.recorded.length > 0) bits.push(`${run.recorded.length} recorded mutation${run.recorded.length === 1 ? "" : "s"}`);
+	return `—\n_${bits.join(" · ")}_`;
+}
+/**
+* Render a run result as human-facing Markdown.
+*/
+function renderRunResult(input) {
+	const sections = [];
+	if (input.output.length > 0) sections.push(input.output.map(renderEntry).join("\n\n"));
+	if (input.result !== null && input.result !== void 0) {
+		const body = typeof input.result === "string" ? input.result : fence("json", JSON.stringify(input.result, null, 2));
+		sections.push(`**Result:**\n\n${body}`);
+	}
+	if (sections.length === 0) sections.push("_Script completed with no output._");
+	sections.push(renderFooter(input.run));
+	return sections.join("\n\n");
+}
+//#endregion
+//#region src/run/strip.ts
+/**
+* TypeScript type-stripping for submitted scripts.
+*
+* QuickJS executes JavaScript, so any TypeScript syntax in a submitted script
+* must be transformed away first. We use Node's built-in
+* {@link stripTypeScriptTypes} in `transform` mode, which also lowers `enum`
+* and parameter properties (not just erasing annotations).
+*
+* Plain JavaScript passes through unchanged. If the source cannot be parsed as
+* TypeScript at all, the original is returned untouched so the sandbox can
+* surface the real syntax error to the caller.
+*/
+/**
+* Strip TypeScript types from a script, returning runnable JavaScript.
+*
+* @param code - The submitted script source (TypeScript or JavaScript).
+* @returns JavaScript with type syntax removed.
+*/
+function stripTypes(code) {
+	try {
+		return stripTypeScriptTypes(code, { mode: "transform" });
+	} catch {
+		return code;
+	}
+}
+//#endregion
+//#region src/handlers/run.ts
+/** Coerce the `args` argument into a string array. */
+function normalizeArgs(value) {
+	if (!Array.isArray(value)) return [];
+	return value.map((v) => String(v));
+}
+/** Coerce the `flags` argument into a plain object. */
+function normalizeFlags(value) {
+	if (value && typeof value === "object" && !Array.isArray(value)) return value;
+	return {};
+}
+/**
+* Execute the `run_script` tool.
+*/
+async function handleRunScript(rawArgs, credentials, exec, env = process.env) {
+	if (!isRunScriptEnabled(env)) return inputErrorResult(new UserInputError("run_script is disabled. Set PRODUCTIVE_MCP_ENABLE_RUN=true to enable it."));
+	if (typeof rawArgs.code !== "string" || rawArgs.code.trim() === "") return inputErrorResult(new UserInputError("code is required and must be a non-empty string.", [
+		"Provide a JavaScript/TypeScript script in the \"code\" parameter.",
+		"Available globals: productive(resource, action, params), api.read/write, output.*, args, flags.",
+		"Return a value to surface it as the result; use output.json(...) for additional data."
+	]));
+	const limits = resolveRunLimits(env);
+	const codeBytes = Buffer.byteLength(rawArgs.code, "utf8");
+	if (codeBytes > limits.maxCodeBytes) return inputErrorResult(new UserInputError(`Script is too large (${codeBytes} bytes, max ${limits.maxCodeBytes}).`));
+	const dryRun = rawArgs.dry_run === true;
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), limits.timeoutMs);
+	try {
+		const bridge = createBridge({
+			credentials,
+			exec,
+			limits,
+			dryRun,
+			signal: controller.signal
+		});
+		const result = await runScript({
+			code: stripTypes(rawArgs.code),
+			args: normalizeArgs(rawArgs.args),
+			flags: normalizeFlags(rawArgs.flags),
+			limits,
+			signal: controller.signal,
+			hostCall: (channel, payload) => bridge.call(channel, payload)
+		});
+		const stats = bridge.getStats();
+		const run = {
+			apiCalls: stats.apiCalls,
+			dryRun,
+			...result.truncated ? { outputTruncated: true } : {},
+			...dryRun ? { recorded: stats.recorded } : {}
+		};
+		return {
+			content: [{
+				type: "text",
+				text: renderRunResult({
+					result: result.result,
+					output: result.output,
+					run
+				})
+			}],
+			structuredContent: {
+				result: result.result,
+				output: result.output,
+				_run: run
+			}
+		};
+	} catch (error) {
+		if (error instanceof ScriptError) return errorResult(error.message);
+		return errorResult(error instanceof Error ? error.message : String(error));
+	} finally {
+		clearTimeout(timer);
+	}
+}
+//#endregion
+//#region src/run/docs.ts
+/**
+* Scripting-API reference content for `run_script`, surfaced through the global
+* `search_docs` tool (resources / endpoints / scripting all discoverable from
+* one place).
+*
+* This module owns the content as structured sections; `search_docs` is the
+* only consumer (it lists section titles in its table of contents and returns
+* matching section bodies on a query). The resource list is derived from
+* {@link SCRIPT_RESOURCES} so it can't drift from what the prelude exposes.
+*/
+var DOC_SECTIONS = [
+	{
+		title: "Overview",
+		summary: "What run_script is and how the sandbox works.",
+		keywords: [
+			"overview",
+			"intro",
+			"sandbox",
+			"how",
+			"start"
+		],
+		body: [
+			"`run_script` runs JavaScript/TypeScript in a sandboxed QuickJS isolate. There is no direct",
+			"network or filesystem access — the injected client performs Productive API calls on the host.",
+			"Write code using the globals below and `return` a value to surface it as the result.",
+			"No `import`/`require`: use the injected globals only."
+		].join(" ")
+	},
+	{
+		title: "productive client",
+		summary: "productive(...) and per-resource list/get/create/update accessors.",
+		keywords: [
+			"productive",
+			"client",
+			"resource",
+			"action",
+			"list",
+			"get",
+			"create",
+			"update",
+			"call"
+		],
+		body: [
+			"`productive(resource, action, params)` — low-level call, mirrors the `productive` tool.",
+			"Per-resource accessors (all async — `await` them):",
+			"- `productive.<resource>.list(filter?, opts?)`",
+			"- `productive.<resource>.get(id, opts?)`",
+			"- `productive.<resource>.create(params)`",
+			"- `productive.<resource>.update(id, params)`",
+			"",
+			"Example: `const tasks = await productive.tasks.list({ status: 'open' });`"
+		].join("\n")
+	},
+	{
+		title: "api client (raw)",
+		summary: "api.read / api.write for raw API endpoints.",
+		keywords: [
+			"api",
+			"read",
+			"write",
+			"raw",
+			"endpoint",
+			"path",
+			"fetch"
+		],
+		body: ["`api.read(path, opts?)` — raw GET, e.g. `await api.read(\"/invoices\", { page: 2 })`.", "`api.write(method, path, body)` — raw POST/PATCH/PUT/DELETE (requires api_write enabled on the server)."].join("\n")
+	},
+	{
+		title: "output helpers",
+		summary: "output.json/table/csv/log/... and how they render.",
+		keywords: [
+			"output",
+			"table",
+			"csv",
+			"json",
+			"log",
+			"print",
+			"info",
+			"warn",
+			"error",
+			"success",
+			"render"
+		],
+		body: [
+			"Buffer output that is returned alongside the result and rendered to Markdown:",
+			"- `output.json(data)` — fenced JSON block",
+			"- `output.table(rows)` — Markdown table (rows = array of objects)",
+			"- `output.csv(rows)` — fenced CSV block",
+			"- `output.text(s)` / `output.log(...args)` — plain lines",
+			"- `output.info/warn/error/success(msg)` — labelled lines"
+		].join("\n")
+	},
+	{
+		title: "args, flags & result",
+		summary: "Inputs (args, flags) and returning a result.",
+		keywords: [
+			"args",
+			"flags",
+			"input",
+			"parameters",
+			"return",
+			"result"
+		],
+		body: ["`args` (string[]) and `flags` (object) are the values passed in the tool call.", "`return <value>` surfaces a JSON-serializable result (also available as `structuredContent.result`)."].join("\n")
+	},
+	{
+		title: "resources & actions",
+		summary: "Available resources and how to discover their filters/fields.",
+		keywords: [
+			"resources",
+			"actions",
+			"help",
+			"schema",
+			"filters",
+			"fields",
+			"includes"
+		],
+		body: [
+			`Resource accessors: ${SCRIPT_RESOURCES.join(", ")}.`,
+			"Actions, filters, and fields mirror the `productive` tool — call `productive` with action=\"help\"",
+			"or action=\"schema\" for a resource to discover them. Use the low-level",
+			"`productive(resource, action, params)` for actions without an accessor (e.g. delete, resolve,",
+			"reports, summaries, workflows)."
+		].join(" ")
+	},
+	{
+		title: "dry run",
+		summary: "Preview mutations without executing them (dry_run).",
+		keywords: [
+			"dry_run",
+			"dry",
+			"preview",
+			"mutation",
+			"safe"
+		],
+		body: "Pass `dry_run: true` to record mutating calls (create/update/delete/start/stop/...) instead of executing them; they are listed under `_run.recorded`."
+	},
+	{
+		title: "limits & gating",
+		summary: "Timeouts, memory, budgets, and the enable flag.",
+		keywords: [
+			"limit",
+			"limits",
+			"timeout",
+			"memory",
+			"budget",
+			"gating",
+			"enable",
+			"disabled"
+		],
+		body: ["Disabled unless the server sets `PRODUCTIVE_MCP_ENABLE_RUN=true`.", "Operator-tunable per-run limits: wall-clock timeout, memory, API-call budget, output size, code size."].join(" ")
+	},
+	{
+		title: "example",
+		summary: "A complete example script.",
+		keywords: [
+			"example",
+			"examples",
+			"sample"
+		],
+		body: [
+			"```js",
+			"const projects = await productive.projects.list();",
+			"const open = await productive.tasks.list({ status: \"open\" });",
+			"output.json({ projects: projects, openTasks: open });",
+			"return 'summary ready';",
+			"```"
+		].join("\n")
+	}
+];
+/** Section titles, for the documentation table of contents. */
+function docSectionTitles() {
+	return DOC_SECTIONS.map((section) => section.title);
+}
+/** Find scripting-doc sections matching a query (title, keywords, or body). */
+function findDocSections(query) {
+	const q = query.trim().toLowerCase();
+	if (q === "") return [];
+	return DOC_SECTIONS.filter((section) => section.title.toLowerCase().includes(q) || section.keywords.some((k) => k.includes(q) || q.includes(k)) || section.body.toLowerCase().includes(q));
+}
+//#endregion
+//#region src/handlers/search-docs.ts
+/** Build the no-query table of contents across documentation domains. */
+function tableOfContents() {
+	return jsonResult({
+		message: "Documentation domains. Call search_docs with a query to search across all of them at once, or use the drill-in tool noted for each.",
+		domains: [
+			{
+				domain: "resources",
+				description: "Productive resources usable through the `productive` tool.",
+				count: helpResourceNames().length,
+				resources: helpResourceNames(),
+				drill_in: "productive action=\"help\" resource=\"<name>\" (or action=\"help\" query=\"<term>\")"
+			},
+			{
+				domain: "api_endpoints",
+				description: "Documented raw API endpoints for the `api_read`/`api_write` tools.",
+				count: apiEndpointCount(),
+				drill_in: "api_read search=\"<term>\", then api_read describe=true path=\"<path>\""
+			},
+			{
+				domain: "run_script",
+				description: "Sandboxed scripting API (globals, output rendering, limits).",
+				topics: docSectionTitles(),
+				drill_in: "search_docs query=\"<topic>\" (returns the full scripting section)"
+			}
+		],
+		_tip: "Example: search_docs query=\"invoices\" searches resources, endpoints, and scripting docs together."
+	});
+}
+/**
+* Handle the `search_docs` tool: a table of contents with no query, or ranked
+* cross-domain matches with a query.
+*/
+function handleSearchDocs(query) {
+	const q = typeof query === "string" ? query.trim() : "";
+	if (q === "") return tableOfContents();
+	const resources = searchResourceHelp(q);
+	const endpoints = searchApiEndpoints(q);
+	const scripting = findDocSections(q).map((s) => ({
+		title: s.title,
+		body: s.body
+	}));
+	const total = resources.length + endpoints.matches.length + scripting.length;
+	return jsonResult({
+		query: q,
+		total,
+		resources: {
+			count: resources.length,
+			matches: resources,
+			drill_in: "productive action=\"help\" resource=\"<name>\""
+		},
+		api_endpoints: {
+			count: endpoints.total,
+			matches: endpoints.matches,
+			...endpoints.truncated ? { truncated: true } : {},
+			drill_in: "api_read describe=true path=\"<path>\""
+		},
+		run_script: {
+			count: scripting.length,
+			sections: scripting
+		},
+		_tip: total === 0 ? "No matches. Call search_docs without a query for a table of contents." : "For resources and endpoints, use the drill_in tool noted; run_script sections are returned in full."
+	});
+}
+//#endregion
 //#region src/handlers/search.ts
 /**
 * Resources that support the query filter for text search
@@ -41271,6 +42226,12 @@ async function executeToolWithCredentials(name, args, credentials) {
 			executor: () => execCtx
 		});
 	}
+	if (name === "search_docs") return handleSearchDocs(typeof args.query === "string" ? args.query : void 0);
+	if (name === "run_script") {
+		const parsed = RunScriptToolInputSchema.safeParse(args);
+		if (!parsed.success) return inputErrorResult(new UserInputError(formatValidationErrors(parsed.error)));
+		return handleRunScript(parsed.data, credentials, executeToolWithCredentials);
+	}
 	if (name !== "productive") return errorResult(`Unknown tool: ${name}`);
 	const typedArgs = args;
 	if (typedArgs.resource === "batch") return handleBatch(typedArgs.operations, credentials, executeToolWithCredentials);
@@ -41316,7 +42277,10 @@ async function executeToolWithCredentials(name, args, credentials) {
 		executor: () => execCtx
 	};
 	try {
-		if (action === "help" && resource !== "summaries") return resource ? handleHelp(resource) : handleHelpOverview();
+		if (action === "help" && resource !== "summaries") {
+			if (query) return handleHelpSearch(query);
+			return resource ? handleHelp(resource) : handleHelpOverview();
+		}
 		if (action === "schema") return resource ? handleSchema(resource) : handleSchemaOverview();
 		return await routeToHandler(resource, action, restArgs, {
 			query,
@@ -41336,4 +42300,4 @@ async function executeToolWithCredentials(name, args, credentials) {
 //#endregion
 export { handleSchemaOverview as C, handleDeals as E, handleServices as S, handlePeople as T, union as _, boolean as a, handleTasks as b, intersection as c, number as d, object as f, string as g, record as h, array as i, literal as l, preprocess as m, _enum as n, custom as o, optional as p, _null as r, discriminatedUnion as s, executeToolWithCredentials as t, looseObject as u, unknown as v, handleProjects as w, handleSummaries as x, datetime as y };
 
-//# sourceMappingURL=handlers-BE96O-uy.js.map
+//# sourceMappingURL=handlers-BEeOjytC.js.map