@ttctl/mcp 0.0.0 → 0.1.0-rc.1

package/dist/tools/file-upload.d.ts

@@ -0,0 +1,133 @@
+import { z } from "zod";
+import type { ToolErrorResponse } from "../errors.js";
+/**
+ * Reusable input-schema fragment for tools that accept a file via either
+ * a server-relative `filePath` (host has filesystem access) or
+ * base64-encoded `content` (web-host without filesystem access).
+ *
+ * Tool descriptions should clarify which option the host prefers per the
+ * issue spec:
+ *
+ *   - **Claude Desktop / Claude Code**: filesystem access; prefer `filePath`.
+ *   - **Web-hosted clients (no filesystem)**: only `content` (base64) works.
+ *
+ * Exactly one of the two MUST be supplied. Schema accepts both as
+ * optional; the runtime validation in `decodeFileUploadInput` enforces
+ * the mutual-exclusion constraint. If we marked one of the two required,
+ * Zod would reject calls that supplied only the other.
+ */
+export declare const fileUploadInputSchema: {
+    filePath: z.ZodOptional<z.ZodString>;
+    filename: z.ZodOptional<z.ZodString>;
+    content: z.ZodOptional<z.ZodString>;
+    contentType: z.ZodOptional<z.ZodString>;
+};
+export type FileUploadInput = {
+    filePath?: string | undefined;
+    filename?: string | undefined;
+    content?: string | undefined;
+    contentType?: string | undefined;
+};
+/**
+ * Resolution variant matching the service-layer `FileSource` shape (so
+ * the caller can pass the result directly to `profile.portfolio.upload*`
+ * / `profile.resume.upload`). Buffer mode populates `contentType` only
+ * when supplied — `exactOptionalPropertyTypes: true` rejects the
+ * `string | undefined` form, so we omit the key in the absence case.
+ */
+export type FileSourceResolution = {
+    kind: "buffer";
+    filename: string;
+    content: Buffer;
+    contentType?: string;
+} | {
+    kind: "path";
+    path: string;
+};
+/**
+ * Per-tool upload category — used to drive the extension allowlist
+ * (defense-in-depth gate per issue #221, audit CRIT-007). Each MCP tool
+ * that accepts a file upload picks the category matching the wire-level
+ * resource it pushes to Toptal.
+ *
+ * The allowlists are deliberately curated by category:
+ *
+ *   - `basicPhoto` / `portfolioCover` — images only (jpg/png/gif/webp).
+ *     Cover images and profile photos render directly on the public
+ *     profile; non-image content has no legitimate use here.
+ *   - `resume` — common resume document formats (pdf / docx / doc / txt
+ *     / rtf / odt). Excludes images and archives.
+ *   - `portfolioFile` — broad attachment allowlist (docs, images, media,
+ *     archives) but explicitly excludes extensions correlated with
+ *     credential exfiltration (no `.pub`, `.env`, `.db`, `.sqlite`, no
+ *     no-extension files like `id_rsa` / `id_ed25519`).
+ *
+ * The category serves as the defense-in-depth layer that catches the
+ * prompt-injection variant described in `SECURITY.md` § Prompt Injection
+ * Risk (file-exfiltration variant): an injected prompt that tries to
+ * push `~/.ssh/id_rsa`, `~/.aws/credentials`, or a cookie database to
+ * Toptal will fail the extension check even if path-sandbox bypass is
+ * enabled.
+ */
+export interface UploadCategory {
+    /** Stable identifier used verbatim in error messages. */
+    readonly name: string;
+    /**
+     * Allowlist of accepted extensions, lowercased and including the
+     * leading dot (e.g. `.pdf`). Match is case-insensitive against the
+     * lowercased {@link path.extname} of the supplied `filePath` or
+     * `filename`. Empty extension (no dot in basename) is NEVER allowed —
+     * a deliberate refusal of extensionless secret files (`id_rsa`,
+     * `credentials`, `config`).
+     */
+    readonly allowedExtensions: readonly string[];
+}
+export declare const UPLOAD_CATEGORIES: {
+    readonly basicPhoto: {
+        readonly name: "basic-photo";
+        readonly allowedExtensions: readonly [".jpg", ".jpeg", ".png", ".gif", ".webp"];
+    };
+    readonly resume: {
+        readonly name: "resume";
+        readonly allowedExtensions: readonly [".pdf", ".docx", ".doc", ".txt", ".rtf", ".odt"];
+    };
+    readonly portfolioCover: {
+        readonly name: "portfolio-cover";
+        readonly allowedExtensions: readonly [".jpg", ".jpeg", ".png", ".gif", ".webp"];
+    };
+    readonly portfolioFile: {
+        readonly name: "portfolio-file";
+        readonly allowedExtensions: readonly [".pdf", ".docx", ".doc", ".txt", ".rtf", ".odt", ".xlsx", ".xls", ".pptx", ".ppt", ".csv", ".md", ".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".heic", ".zip", ".mp4", ".mov", ".webm", ".mp3", ".m4a", ".wav"];
+    };
+};
+/**
+ * Validate a file-upload path against both gates: extension allowlist +
+ * path-prefix sandbox. Returns `null` on accept, {@link ToolErrorResponse}
+ * on reject.
+ *
+ * Exposed so `profile_basic_photo_upload.ts` can call it directly — that
+ * tool registers a bare `file` field (not via {@link fileUploadInputSchema})
+ * and therefore can't go through {@link decodeFileUploadInput}.
+ *
+ * Order: extension first (cheap, clearer signal), then sandbox.
+ */
+export declare function validateUploadPath(filePath: string, category: UploadCategory): ToolErrorResponse | null;
+/**
+ * Translate the typed input fragment into the {@link FileSource}
+ * variant the service layer expects. Validates the mutual-exclusion
+ * constraint and the per-mode requirements.
+ *
+ * Defense-in-depth (issue #221, audit CRIT-007): the path branch
+ * additionally enforces an extension allowlist and a path-prefix
+ * sandbox per the supplied {@link UploadCategory}; the buffer branch
+ * enforces the extension allowlist against the supplied `filename`.
+ *
+ * Returns either:
+ *   - A resolution object the caller passes to the service function, OR
+ *   - A `ToolErrorResponse` carrying a `(VALIDATION_ERROR)` block for the
+ *     tool callback to return directly.
+ */
+export declare function decodeFileUploadInput(input: FileUploadInput, category: UploadCategory): FileSourceResolution | ToolErrorResponse;
+declare function validationError(message: string): ToolErrorResponse;
+export { validationError };
+//# sourceMappingURL=file-upload.d.ts.map

package/dist/tools/file-upload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-upload.d.ts","sourceRoot":"","sources":["../../src/tools/file-upload.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEtD;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB;;;;;CAuBjC,CAAC;AAEF,MAAM,MAAM,eAAe,GAAG;IAC5B,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,WAAW,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CAClC,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,oBAAoB,GAC5B;IACE,IAAI,EAAE,QAAQ,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB,GACD;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnC;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,WAAW,cAAc;IAC7B,yDAAyD;IACzD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;;;;;;OAOG;IACH,QAAQ,CAAC,iBAAiB,EAAE,SAAS,MAAM,EAAE,CAAC;CAC/C;AAED,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;CA+CqB,CAAC;AAmFpD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,EAAE,QAAQ,EAAE,cAAc,GAAG,iBAAiB,GAAG,IAAI,CAIvG;AAED;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,eAAe,EACtB,QAAQ,EAAE,cAAc,GACvB,oBAAoB,GAAG,iBAAiB,CAkC1C;AAED,iBAAS,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,iBAAiB,CAgB3D;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/tools/file-upload.js

@@ -0,0 +1,247 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import os from "node:os";
+import path from "node:path";
+import { z } from "zod";
+/**
+ * Reusable input-schema fragment for tools that accept a file via either
+ * a server-relative `filePath` (host has filesystem access) or
+ * base64-encoded `content` (web-host without filesystem access).
+ *
+ * Tool descriptions should clarify which option the host prefers per the
+ * issue spec:
+ *
+ *   - **Claude Desktop / Claude Code**: filesystem access; prefer `filePath`.
+ *   - **Web-hosted clients (no filesystem)**: only `content` (base64) works.
+ *
+ * Exactly one of the two MUST be supplied. Schema accepts both as
+ * optional; the runtime validation in `decodeFileUploadInput` enforces
+ * the mutual-exclusion constraint. If we marked one of the two required,
+ * Zod would reject calls that supplied only the other.
+ */
+export const fileUploadInputSchema = {
+    filePath: z
+        .string()
+        .optional()
+        .describe("Server-relative path to the file. Preferred when the host has filesystem access (Claude Desktop, Claude Code). Mutually exclusive with `content`."),
+    filename: z
+        .string()
+        .optional()
+        .describe("Filename to send to Toptal. Required when using `content` (no path to derive from). Optional when using `filePath` — the basename of the path is used by default."),
+    content: z
+        .string()
+        .optional()
+        .describe("Base64-encoded file content. Use when the host lacks filesystem access (web-hosted clients). Mutually exclusive with `filePath`."),
+    contentType: z
+        .string()
+        .optional()
+        .describe("Content-Type for the file (e.g., `image/png`, `application/pdf`). Optional; server applies a default."),
+};
+export const UPLOAD_CATEGORIES = {
+    basicPhoto: {
+        name: "basic-photo",
+        allowedExtensions: [".jpg", ".jpeg", ".png", ".gif", ".webp"],
+    },
+    resume: {
+        name: "resume",
+        allowedExtensions: [".pdf", ".docx", ".doc", ".txt", ".rtf", ".odt"],
+    },
+    portfolioCover: {
+        name: "portfolio-cover",
+        allowedExtensions: [".jpg", ".jpeg", ".png", ".gif", ".webp"],
+    },
+    portfolioFile: {
+        name: "portfolio-file",
+        allowedExtensions: [
+            // Documents
+            ".pdf",
+            ".docx",
+            ".doc",
+            ".txt",
+            ".rtf",
+            ".odt",
+            ".xlsx",
+            ".xls",
+            ".pptx",
+            ".ppt",
+            ".csv",
+            ".md",
+            // Images
+            ".jpg",
+            ".jpeg",
+            ".png",
+            ".gif",
+            ".webp",
+            ".svg",
+            ".heic",
+            // Archives / media
+            ".zip",
+            ".mp4",
+            ".mov",
+            ".webm",
+            ".mp3",
+            ".m4a",
+            ".wav",
+        ],
+    },
+};
+/**
+ * Directory names (relative to `$HOME`) that the path-prefix sandbox
+ * allows. Picked to cover the common locations a user would intentionally
+ * stage a file for upload from an MCP client. Sensitive directories
+ * (`~/.ssh`, `~/.aws`, `~/Library`, browser profile dirs) are NOT here
+ * and therefore refused unless the env override is set.
+ */
+const SAFE_PATH_PREFIX_DIRS = ["Documents", "Downloads", "Desktop"];
+/**
+ * Env var that disables the path-prefix sandbox (extension allowlist
+ * always remains in force). Set to `"1"` in the MCP server's process
+ * environment to allow uploads from arbitrary paths — for users who
+ * routinely stage upload candidates outside the default safe
+ * directories. Any other value (including empty string, `"0"`, `"true"`)
+ * keeps the sandbox enforced.
+ */
+const SANDBOX_BYPASS_ENV = "TTCTL_MCP_FILE_UPLOAD_ALLOW_ANY";
+function isSandboxBypassed() {
+    return process.env[SANDBOX_BYPASS_ENV] === "1";
+}
+function safePathPrefixes() {
+    const home = os.homedir();
+    return SAFE_PATH_PREFIX_DIRS.map((dir) => path.join(home, dir));
+}
+/**
+ * Validate the extension of the supplied filename or path against the
+ * category's allowlist. Case-insensitive (`Foo.PDF` matches `.pdf`).
+ * Extensionless inputs (`id_rsa`, `credentials`) are NEVER accepted —
+ * the empty-extension case is explicit since no allowlist contains the
+ * empty string.
+ */
+function validateExtension(filenameOrPath, category) {
+    const ext = path.extname(filenameOrPath).toLowerCase();
+    if (ext !== "" && category.allowedExtensions.includes(ext)) {
+        return null;
+    }
+    const displayExt = ext === "" ? "<none>" : ext;
+    return validationError([
+        `File extension "${displayExt}" is not allowed for ${category.name} uploads.`,
+        `Allowed: ${category.allowedExtensions.join(", ")}.`,
+    ].join(" "));
+}
+/**
+ * Validate `filePath` against the path-prefix sandbox. Resolves the
+ * path first (normalises `..`, makes it absolute) so traversal attempts
+ * like `~/Documents/../.ssh/id_rsa` collapse before the prefix check.
+ *
+ * Sibling-name guard: the comparison requires `resolved === prefix` OR
+ * `resolved.startsWith(prefix + path.sep)`, so `~/Documents_secret/`
+ * does NOT match `~/Documents`.
+ *
+ * When `TTCTL_MCP_FILE_UPLOAD_ALLOW_ANY=1`, the sandbox is skipped
+ * entirely. Extension allowlist remains in force in that mode.
+ */
+function validateSandbox(filePath) {
+    if (isSandboxBypassed()) {
+        return null;
+    }
+    const resolved = path.resolve(filePath);
+    const prefixes = safePathPrefixes();
+    const isAllowed = prefixes.some((prefix) => resolved === prefix || resolved.startsWith(prefix + path.sep));
+    if (isAllowed) {
+        return null;
+    }
+    return validationError([
+        `Refusing to read file outside of the MCP upload sandbox.`,
+        `Resolved path: "${resolved}".`,
+        `Allowed prefixes: ${prefixes.join(", ")}.`,
+        `Set ${SANDBOX_BYPASS_ENV}=1 in the MCP server's environment to override (extension allowlist still applies).`,
+    ].join(" "));
+}
+/**
+ * Validate a file-upload path against both gates: extension allowlist +
+ * path-prefix sandbox. Returns `null` on accept, {@link ToolErrorResponse}
+ * on reject.
+ *
+ * Exposed so `profile_basic_photo_upload.ts` can call it directly — that
+ * tool registers a bare `file` field (not via {@link fileUploadInputSchema})
+ * and therefore can't go through {@link decodeFileUploadInput}.
+ *
+ * Order: extension first (cheap, clearer signal), then sandbox.
+ */
+export function validateUploadPath(filePath, category) {
+    const extError = validateExtension(filePath, category);
+    if (extError !== null)
+        return extError;
+    return validateSandbox(filePath);
+}
+/**
+ * Translate the typed input fragment into the {@link FileSource}
+ * variant the service layer expects. Validates the mutual-exclusion
+ * constraint and the per-mode requirements.
+ *
+ * Defense-in-depth (issue #221, audit CRIT-007): the path branch
+ * additionally enforces an extension allowlist and a path-prefix
+ * sandbox per the supplied {@link UploadCategory}; the buffer branch
+ * enforces the extension allowlist against the supplied `filename`.
+ *
+ * Returns either:
+ *   - A resolution object the caller passes to the service function, OR
+ *   - A `ToolErrorResponse` carrying a `(VALIDATION_ERROR)` block for the
+ *     tool callback to return directly.
+ */
+export function decodeFileUploadInput(input, category) {
+    const hasPath = input.filePath !== undefined && input.filePath !== "";
+    const hasContent = input.content !== undefined && input.content !== "";
+    if (hasPath && hasContent) {
+        return validationError("`filePath` and `content` are mutually exclusive — supply exactly one.");
+    }
+    if (!hasPath && !hasContent) {
+        return validationError("Supply exactly one of `filePath` or `content` (base64).");
+    }
+    if (hasPath) {
+        const pathError = validateUploadPath(input.filePath, category);
+        if (pathError !== null)
+            return pathError;
+        return { kind: "path", path: input.filePath };
+    }
+    // base64 branch
+    if (input.filename === undefined || input.filename === "") {
+        return validationError("`filename` is required when uploading via `content` (base64).");
+    }
+    const filenameError = validateExtension(input.filename, category);
+    if (filenameError !== null)
+        return filenameError;
+    let buffer;
+    try {
+        buffer = Buffer.from(input.content, "base64");
+    }
+    catch {
+        return validationError("`content` is not valid base64.");
+    }
+    if (buffer.length === 0) {
+        return validationError("`content` decoded to zero bytes.");
+    }
+    // `contentType` is omitted entirely when not supplied — assigning
+    // `undefined` would violate `exactOptionalPropertyTypes`.
+    return input.contentType !== undefined
+        ? { kind: "buffer", filename: input.filename, content: buffer, contentType: input.contentType }
+        : { kind: "buffer", filename: input.filename, content: buffer };
+}
+function validationError(message) {
+    return {
+        isError: true,
+        content: [
+            {
+                type: "text",
+                text: [
+                    `Error: ${message}`,
+                    "",
+                    "Recovery: Adjust the tool input and call again.",
+                    "",
+                    "(Code: VALIDATION_ERROR)",
+                ].join("\n"),
+            },
+        ],
+    };
+}
+export { validationError };
+//# sourceMappingURL=file-upload.js.map

package/dist/tools/file-upload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"file-upload.js","sourceRoot":"","sources":["../../src/tools/file-upload.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAEpC,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CACP,mJAAmJ,CACpJ;IACH,QAAQ,EAAE,CAAC;SACR,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CACP,mKAAmK,CACpK;IACH,OAAO,EAAE,CAAC;SACP,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CACP,kIAAkI,CACnI;IACH,WAAW,EAAE,CAAC;SACX,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,uGAAuG,CAAC;CACrH,CAAC;AAgEF,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,UAAU,EAAE;QACV,IAAI,EAAE,aAAa;QACnB,iBAAiB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC;KAC9D;IACD,MAAM,EAAE;QACN,IAAI,EAAE,QAAQ;QACd,iBAAiB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;KACrE;IACD,cAAc,EAAE;QACd,IAAI,EAAE,iBAAiB;QACvB,iBAAiB,EAAE,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC;KAC9D;IACD,aAAa,EAAE;QACb,IAAI,EAAE,gBAAgB;QACtB,iBAAiB,EAAE;YACjB,YAAY;YACZ,MAAM;YACN,OAAO;YACP,MAAM;YACN,MAAM;YACN,MAAM;YACN,MAAM;YACN,OAAO;YACP,MAAM;YACN,OAAO;YACP,MAAM;YACN,MAAM;YACN,KAAK;YACL,SAAS;YACT,MAAM;YACN,OAAO;YACP,MAAM;YACN,MAAM;YACN,OAAO;YACP,MAAM;YACN,OAAO;YACP,mBAAmB;YACnB,MAAM;YACN,MAAM;YACN,MAAM;YACN,OAAO;YACP,MAAM;YACN,MAAM;YACN,MAAM;SACP;KACF;CACgD,CAAC;AAEpD;;;;;;GAMG;AACH,MAAM,qBAAqB,GAAG,CAAC,WAAW,EAAE,WAAW,EAAE,SAAS,CAAU,CAAC;AAE7E;;;;;;;GAOG;AACH,MAAM,kBAAkB,GAAG,iCAAiC,CAAC;AAE7D,SAAS,iBAAiB;IACxB,OAAO,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,KAAK,GAAG,CAAC;AACjD,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,IAAI,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC;IAC1B,OAAO,qBAAqB,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,cAAsB,EAAE,QAAwB;IACzE,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,WAAW,EAAE,CAAC;IACvD,IAAI,GAAG,KAAK,EAAE,IAAI,QAAQ,CAAC,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3D,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,UAAU,GAAG,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;IAC/C,OAAO,eAAe,CACpB;QACE,mBAAmB,UAAU,wBAAwB,QAAQ,CAAC,IAAI,WAAW;QAC7E,YAAY,QAAQ,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;KACrD,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxC,MAAM,QAAQ,GAAG,gBAAgB,EAAE,CAAC;IACpC,MAAM,SAAS,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAC3G,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,eAAe,CACpB;QACE,0DAA0D;QAC1D,mBAAmB,QAAQ,IAAI;QAC/B,qBAAqB,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;QAC3C,OAAO,kBAAkB,qFAAqF;KAC/G,CAAC,IAAI,CAAC,GAAG,CAAC,CACZ,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,QAAgB,EAAE,QAAwB;IAC3E,MAAM,QAAQ,GAAG,iBAAiB,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IACvD,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,QAAQ,CAAC;IACvC,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC;AACnC,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,qBAAqB,CACnC,KAAsB,EACtB,QAAwB;IAExB,MAAM,OAAO,GAAG,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,QAAQ,KAAK,EAAE,CAAC;IACtE,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,OAAO,KAAK,EAAE,CAAC;IACvE,IAAI,OAAO,IAAI,UAAU,EAAE,CAAC;QAC1B,OAAO,eAAe,CAAC,uEAAuE,CAAC,CAAC;IAClG,CAAC;IACD,IAAI,CAAC,OAAO,IAAI,CAAC,UAAU,EAAE,CAAC;QAC5B,OAAO,eAAe,CAAC,yDAAyD,CAAC,CAAC;IACpF,CAAC;IACD,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,SAAS,GAAG,kBAAkB,CAAC,KAAK,CAAC,QAAkB,EAAE,QAAQ,CAAC,CAAC;QACzE,IAAI,SAAS,KAAK,IAAI;YAAE,OAAO,SAAS,CAAC;QACzC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,QAAkB,EAAE,CAAC;IAC1D,CAAC;IACD,gBAAgB;IAChB,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,QAAQ,KAAK,EAAE,EAAE,CAAC;QAC1D,OAAO,eAAe,CAAC,+DAA+D,CAAC,CAAC;IAC1F,CAAC;IACD,MAAM,aAAa,GAAG,iBAAiB,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAClE,IAAI,aAAa,KAAK,IAAI;QAAE,OAAO,aAAa,CAAC;IACjD,IAAI,MAAc,CAAC;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAiB,EAAE,QAAQ,CAAC,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,eAAe,CAAC,gCAAgC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,eAAe,CAAC,kCAAkC,CAAC,CAAC;IAC7D,CAAC;IACD,kEAAkE;IAClE,0DAA0D;IAC1D,OAAO,KAAK,CAAC,WAAW,KAAK,SAAS;QACpC,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE;QAC/F,CAAC,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AACpE,CAAC;AAED,SAAS,eAAe,CAAC,OAAe;IACtC,OAAO;QACL,OAAO,EAAE,IAAI;QACb,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,MAAM;gBACZ,IAAI,EAAE;oBACJ,UAAU,OAAO,EAAE;oBACnB,EAAE;oBACF,iDAAiD;oBACjD,EAAE;oBACF,0BAA0B;iBAC3B,CAAC,IAAI,CAAC,IAAI,CAAC;aACb;SACF;KACF,CAAC;AACJ,CAAC;AAED,OAAO,EAAE,eAAe,EAAE,CAAC"}

package/dist/tools/index.d.ts

@@ -0,0 +1,28 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { ToolRegistrationContext } from "./_shared.js";
+export type { ToolRegistrationContext } from "./_shared.js";
+/**
+ * Register every tool TTCtl exposes via MCP. Called once at server
+ * construction time. Tool names are the CLI path joined with `_`
+ * (`ttctl_profile_basic_show`, `ttctl_profile_industries_add`, …) per
+ * project policy — MCP names use ONLY the canonical sub-domain spelling
+ * (no aliases like `certs` / `experience` / `rm`; those are CLI-only
+ * affordances).
+ *
+ * Today's surface (Wave 3): 4 `profile.basic` + 7 `profile.skills` (#73,
+ * one tool per file) + 5 `profile.industries` + 5 `profile.education` +
+ * 5 `profile.certifications` + 6 `profile.employment` (#74, one file per
+ * sub-domain registering its full leaf set) + 8 `profile.portfolio` +
+ * 4 `profile.visas` + 2 `profile.resume` (#75) + 6 `profile.external` +
+ * 4 `profile.reviews` (#76, one tool per file) = 56 profile tools, plus
+ * 3 `applications` (#15) + 8 `engagements` (#147 + #155 + #156) + 5 `availability`
+ * (#146 amended) + 13 `jobs` (#148) + 3 `timesheet` (#13) = 88 tools total.
+ *
+ * Post-#113: takes a `ToolRegistrationContext` carrying the per-session
+ * auth resolvers bound to the config path captured at `buildServer()`
+ * time. Tools call `ctx.resolveToolAuth()` / `ctx.loadTokenForTool()` on
+ * each invocation; both target the captured path, so env-var shifts
+ * mid-session do NOT retarget reads or writes.
+ */
+export declare function registerAllTools(server: McpServer, ctx: ToolRegistrationContext): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/tools/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEzE,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAqC5D,YAAY,EAAE,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAE5D;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,uBAAuB,GAAG,IAAI,CAiFtF"}

package/dist/tools/index.js

@@ -0,0 +1,131 @@
+// SPDX-License-Identifier: AGPL-3.0-only
+// Copyright (C) 2026 Oleksii PELYKH
+import { registerApplicationsTools } from "./applications.js";
+import { registerAvailabilityTools } from "./availability.js";
+import { registerContractsTools } from "./contracts.js";
+import { registerEngagementsTools } from "./engagements.js";
+import { registerJobsTools } from "./jobs.js";
+import { registerPaymentsTools } from "./payments.js";
+import { registerTimesheetTools } from "./timesheet.js";
+import { registerCertificationsTools } from "./profile/certifications.js";
+import { registerEducationTools } from "./profile/education.js";
+import { registerEmploymentTools } from "./profile/employment.js";
+import { registerIndustriesTools } from "./profile/industries.js";
+import { registerPortfolioTools } from "./profile/portfolio.js";
+import { registerResumeTools } from "./profile/resume.js";
+import { registerVisasTools } from "./profile/visas.js";
+import { registerProfileBasicPhotoShowTool } from "./profile_basic_photo_show.js";
+import { registerProfileBasicPhotoUploadTool } from "./profile_basic_photo_upload.js";
+import { registerProfileBasicShowTool } from "./profile_basic_show.js";
+import { registerProfileBasicUpdateTool } from "./profile_basic_update.js";
+import { registerProfileExternalAdvancedWizardShowTool } from "./profile_external_advanced_wizard_show.js";
+import { registerProfileExternalCustomRequirementsSetTool } from "./profile_external_custom_requirements_set.js";
+import { registerProfileExternalCustomRequirementsShowTool } from "./profile_external_custom_requirements_show.js";
+import { registerProfileExternalReadinessTool } from "./profile_external_readiness.js";
+import { registerProfileExternalRecommendationsTool } from "./profile_external_recommendations.js";
+import { registerProfileExternalUpdateTool } from "./profile_external_update.js";
+import { registerProfileReviewsApproveItemTool } from "./profile_reviews_approve_item.js";
+import { registerProfileReviewsApproveSectionTool } from "./profile_reviews_approve_section.js";
+import { registerProfileReviewsListTool } from "./profile_reviews_list.js";
+import { registerProfileReviewsSubmitForReviewTool } from "./profile_reviews_submit_for_review.js";
+import { registerProfileSkillsAddTool } from "./profile_skills_add.js";
+import { registerProfileSkillsAutocompleteTool } from "./profile_skills_autocomplete.js";
+import { registerProfileSkillsListTool } from "./profile_skills_list.js";
+import { registerProfileSkillsReadinessTool } from "./profile_skills_readiness.js";
+import { registerProfileSkillsRemoveTool } from "./profile_skills_remove.js";
+import { registerProfileSkillsShowTool } from "./profile_skills_show.js";
+import { registerProfileSkillsUpdateTool } from "./profile_skills_update.js";
+/**
+ * Register every tool TTCtl exposes via MCP. Called once at server
+ * construction time. Tool names are the CLI path joined with `_`
+ * (`ttctl_profile_basic_show`, `ttctl_profile_industries_add`, …) per
+ * project policy — MCP names use ONLY the canonical sub-domain spelling
+ * (no aliases like `certs` / `experience` / `rm`; those are CLI-only
+ * affordances).
+ *
+ * Today's surface (Wave 3): 4 `profile.basic` + 7 `profile.skills` (#73,
+ * one tool per file) + 5 `profile.industries` + 5 `profile.education` +
+ * 5 `profile.certifications` + 6 `profile.employment` (#74, one file per
+ * sub-domain registering its full leaf set) + 8 `profile.portfolio` +
+ * 4 `profile.visas` + 2 `profile.resume` (#75) + 6 `profile.external` +
+ * 4 `profile.reviews` (#76, one tool per file) = 56 profile tools, plus
+ * 3 `applications` (#15) + 8 `engagements` (#147 + #155 + #156) + 5 `availability`
+ * (#146 amended) + 13 `jobs` (#148) + 3 `timesheet` (#13) = 88 tools total.
+ *
+ * Post-#113: takes a `ToolRegistrationContext` carrying the per-session
+ * auth resolvers bound to the config path captured at `buildServer()`
+ * time. Tools call `ctx.resolveToolAuth()` / `ctx.loadTokenForTool()` on
+ * each invocation; both target the captured path, so env-var shifts
+ * mid-session do NOT retarget reads or writes.
+ */
+export function registerAllTools(server, ctx) {
+    // profile.basic — 4 leaves (#73)
+    registerProfileBasicShowTool(server, ctx);
+    registerProfileBasicUpdateTool(server, ctx);
+    registerProfileBasicPhotoShowTool(server, ctx);
+    registerProfileBasicPhotoUploadTool(server, ctx);
+    // profile.skills — 7 leaves (#73, cardinality-collapsed from 18 raw operations)
+    registerProfileSkillsAddTool(server, ctx);
+    registerProfileSkillsRemoveTool(server, ctx);
+    registerProfileSkillsUpdateTool(server, ctx);
+    registerProfileSkillsShowTool(server, ctx);
+    registerProfileSkillsListTool(server, ctx);
+    registerProfileSkillsAutocompleteTool(server, ctx);
+    registerProfileSkillsReadinessTool(server, ctx);
+    // profile.industries / education / certifications / employment — 21 leaves (#74)
+    registerIndustriesTools(server, ctx);
+    registerEducationTools(server, ctx);
+    registerCertificationsTools(server, ctx);
+    registerEmploymentTools(server, ctx);
+    // profile.portfolio (8), profile.visas (4), profile.resume (2) — #75
+    registerPortfolioTools(server, ctx);
+    registerVisasTools(server, ctx);
+    registerResumeTools(server, ctx);
+    // profile.external — 6 leaves (#76)
+    registerProfileExternalUpdateTool(server, ctx);
+    registerProfileExternalCustomRequirementsShowTool(server, ctx);
+    registerProfileExternalCustomRequirementsSetTool(server, ctx);
+    registerProfileExternalReadinessTool(server, ctx);
+    registerProfileExternalRecommendationsTool(server, ctx);
+    registerProfileExternalAdvancedWizardShowTool(server, ctx);
+    // profile.reviews — 4 leaves (#76)
+    registerProfileReviewsListTool(server, ctx);
+    registerProfileReviewsApproveItemTool(server, ctx);
+    registerProfileReviewsApproveSectionTool(server, ctx);
+    registerProfileReviewsSubmitForReviewTool(server, ctx);
+    // applications — 3 leaves (#15). Read-only access to the user's
+    // Toptal Talent Activity view (TalentJobActivityItem rows). Per
+    // project non-goals, no apply / withdraw / edit tools are exposed.
+    registerApplicationsTools(server, ctx);
+    // contracts — 2 leaves (#195). Read-only talent-level legal documents
+    // (Toptal Direct, MSA, etc.) via `viewer.contracts` on the portal
+    // surface. Engagement-attached commercial agreements stay in
+    // `engagements_show` (different surface, different domain type).
+    registerContractsTools(server, ctx);
+    // engagements — 6 leaves (#147). View current and past engagements;
+    // manage engagement breaks (list / add / remove). `allocated-hours`
+    // moved to availability (#146) per scope amendment.
+    registerEngagementsTools(server, ctx);
+    // availability — 5 leaves (#146 amended). Top-level snapshot + working-hours
+    // show/set + allocated-hours show/set. Per-engagement time-off (= engagement
+    // breaks) stays on `engagements` and is NOT mirrored here.
+    registerAvailabilityTools(server, ctx);
+    // jobs — 13 leaves (#148). Browse opportunities (list/show/saved/viewed/
+    // not-interested-list) + interest mutations (save/unsave/mark-viewed/
+    // not-interested/clear-interest) + search-subscription management
+    // (list/save/remove — single-subscription model per R2). Per the AC, MCP
+    // tool names use canonical `jobs_*` prefix only (no `opportunities_*`
+    // aliasing).
+    registerJobsTools(server, ctx);
+    // payments — 7 leaves (#149). Read-only payouts (list/show) and
+    // configured payment methods (list/show); rate sub-namespace mixes a
+    // unified read projection (`rate_show`), discovery (`rate_questions`),
+    // and a state-changing mutation (`rate_change`, INFERRED input, gated
+    // by `--confirm` at the CLI and the LLM-client confirmation at MCP).
+    registerPaymentsTools(server, ctx);
+    // timesheet — 3 leaves (#13). list (viewer-wide pending OR scoped) +
+    // show (BillingCycle.id detail) + submit (destructive: enters Toptal's
+    // billing pipeline; LLM clients must confirm with the user first).
+    registerTimesheetTools(server, ctx);
+}
+//# sourceMappingURL=index.js.map

package/dist/tools/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/tools/index.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,oCAAoC;AAKpC,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mBAAmB,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,wBAAwB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AACtD,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,EAAE,2BAA2B,EAAE,MAAM,6BAA6B,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAClE,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAChE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AACxD,OAAO,EAAE,iCAAiC,EAAE,MAAM,+BAA+B,CAAC;AAClF,OAAO,EAAE,mCAAmC,EAAE,MAAM,iCAAiC,CAAC;AACtF,OAAO,EAAE,4BAA4B,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,8BAA8B,EAAE,MAAM,2BAA2B,CAAC;AAC3E,OAAO,EAAE,6CAA6C,EAAE,MAAM,4CAA4C,CAAC;AAC3G,OAAO,EAAE,gDAAgD,EAAE,MAAM,+CAA+C,CAAC;AACjH,OAAO,EAAE,iDAAiD,EAAE,MAAM,gDAAgD,CAAC;AACnH,OAAO,EAAE,oCAAoC,EAAE,MAAM,iCAAiC,CAAC;AACvF,OAAO,EAAE,0CAA0C,EAAE,MAAM,uCAAuC,CAAC;AACnG,OAAO,EAAE,iCAAiC,EAAE,MAAM,8BAA8B,CAAC;AACjF,OAAO,EAAE,qCAAqC,EAAE,MAAM,mCAAmC,CAAC;AAC1F,OAAO,EAAE,wCAAwC,EAAE,MAAM,sCAAsC,CAAC;AAChG,OAAO,EAAE,8BAA8B,EAAE,MAAM,2BAA2B,CAAC;AAC3E,OAAO,EAAE,yCAAyC,EAAE,MAAM,wCAAwC,CAAC;AACnG,OAAO,EAAE,4BAA4B,EAAE,MAAM,yBAAyB,CAAC;AACvE,OAAO,EAAE,qCAAqC,EAAE,MAAM,kCAAkC,CAAC;AACzF,OAAO,EAAE,6BAA6B,EAAE,MAAM,0BAA0B,CAAC;AACzE,OAAO,EAAE,kCAAkC,EAAE,MAAM,+BAA+B,CAAC;AACnF,OAAO,EAAE,+BAA+B,EAAE,MAAM,4BAA4B,CAAC;AAC7E,OAAO,EAAE,6BAA6B,EAAE,MAAM,0BAA0B,CAAC;AACzE,OAAO,EAAE,+BAA+B,EAAE,MAAM,4BAA4B,CAAC;AAI7E;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB,EAAE,GAA4B;IAC9E,iCAAiC;IACjC,4BAA4B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1C,8BAA8B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5C,iCAAiC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC/C,mCAAmC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEjD,gFAAgF;IAChF,4BAA4B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC1C,+BAA+B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7C,+BAA+B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC7C,6BAA6B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3C,6BAA6B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC3C,qCAAqC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACnD,kCAAkC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEhD,iFAAiF;IACjF,uBAAuB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACrC,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACpC,2BAA2B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACzC,uBAAuB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAErC,qEAAqE;IACrE,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACpC,kBAAkB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAChC,mBAAmB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEjC,oCAAoC;IACpC,iCAAiC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC/C,iDAAiD,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC/D,gDAAgD,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC9D,oCAAoC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAClD,0CAA0C,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACxD,6CAA6C,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAE3D,mCAAmC;IACnC,8BAA8B,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAC5C,qCAAqC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACnD,wCAAwC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACtD,yCAAyC,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEvD,gEAAgE;IAChE,gEAAgE;IAChE,mEAAmE;IACnE,yBAAyB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEvC,sEAAsE;IACtE,kEAAkE;IAClE,6DAA6D;IAC7D,iEAAiE;IACjE,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEpC,oEAAoE;IACpE,oEAAoE;IACpE,oDAAoD;IACpD,wBAAwB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEtC,6EAA6E;IAC7E,6EAA6E;IAC7E,2DAA2D;IAC3D,yBAAyB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEvC,yEAAyE;IACzE,sEAAsE;IACtE,kEAAkE;IAClE,yEAAyE;IACzE,sEAAsE;IACtE,aAAa;IACb,iBAAiB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAE/B,gEAAgE;IAChE,qEAAqE;IACrE,uEAAuE;IACvE,sEAAsE;IACtE,qEAAqE;IACrE,qBAAqB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAEnC,qEAAqE;IACrE,uEAAuE;IACvE,mEAAmE;IACnE,sBAAsB,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;AACtC,CAAC"}

package/dist/tools/jobs.d.ts

@@ -0,0 +1,37 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { type ToolRegistrationContext } from "./_shared.js";
+/**
+ * Register the `ttctl_jobs_*` MCP tools per #148. Tool names use the
+ * `ttctl_` prefix and the canonical CLI path joined with `_`. Per the
+ * AC, MCP tools use the canonical `jobs_*` prefix only — no
+ * `opportunities_*` aliasing (MCP tool names must be deterministic for
+ * LLM clients).
+ *
+ * Tool surface (13 tools):
+ *   - `ttctl_jobs_list`
+ *   - `ttctl_jobs_show`
+ *   - `ttctl_jobs_save`
+ *   - `ttctl_jobs_unsave`
+ *   - `ttctl_jobs_saved`
+ *   - `ttctl_jobs_viewed`
+ *   - `ttctl_jobs_mark_viewed`
+ *   - `ttctl_jobs_not_interested`
+ *   - `ttctl_jobs_not_interested_list`
+ *   - `ttctl_jobs_clear_interest`
+ *   - `ttctl_jobs_search_list`
+ *   - `ttctl_jobs_search_save`
+ *   - `ttctl_jobs_search_remove`
+ *
+ * **Wire-shape notes** (R1 / R2): `jobs_viewed` is scoped to the first
+ * page (≤20 jobs, client-side filter); `jobs_search_*` operates on a
+ * single subscription per user. The tool descriptions surface these.
+ *
+ * Dry-run path (issue #165): every tool accepts `dryRun?: boolean`. Read
+ * tools build the preview at the MCP layer; the 7 mutations (save,
+ * unsave, mark_viewed, not_interested, clear_interest, search_save,
+ * search_remove) passthrough-forward `{ dryRun: true }` to the core
+ * (which already supports dryRun per #162) and reformat the
+ * `{ kind: "preview", preview }` outcome as the uniform envelope.
+ */
+export declare function registerJobsTools(server: McpServer, ctx: ToolRegistrationContext): void;
+//# sourceMappingURL=jobs.d.ts.map

package/dist/tools/jobs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jobs.d.ts","sourceRoot":"","sources":["../../src/tools/jobs.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAMzE,OAAO,EAAyC,KAAK,uBAAuB,EAAE,MAAM,cAAc,CAAC;AAmCnG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,SAAS,EAAE,GAAG,EAAE,uBAAuB,GAAG,IAAI,CAyavF"}