acf-mcp 1.0.0

package/dist/transport/stdio.js

@@ -0,0 +1,2907 @@
+#!/usr/bin/env node
+import path from 'path';
+import { fileURLToPath } from 'url';
+import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { readFile } from 'fs/promises';
+import { existsSync } from 'fs';
+import matter from 'gray-matter';
+import { z } from 'zod';
+import lunr from 'lunr';
+import { ListResourcesRequestSchema, ReadResourceRequestSchema, ListToolsRequestSchema, CallToolRequestSchema, ListPromptsRequestSchema, GetPromptRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+
+var SUPPORTED_LOCALES = [
+  "fr",
+  "en",
+  "es",
+  "de",
+  "pt",
+  "it",
+  "nl",
+  "ru",
+  "ar",
+  "tr",
+  "ja",
+  "zh",
+  "ko"
+];
+var AcfLocaleSchema = z.enum(SUPPORTED_LOCALES);
+var LocalizedStringSchema = z.object({
+  fr: z.string(),
+  en: z.string()
+}).catchall(z.string());
+var PrincipleSchema = z.object({
+  id: z.string().regex(/^P[1-4]$/),
+  code: z.string().regex(/^P[1-4]$/),
+  title: LocalizedStringSchema,
+  summary: LocalizedStringSchema,
+  doctrine: LocalizedStringSchema,
+  related_fiches: z.array(z.string().regex(/^ACF-(0[0-9]|1[0-6])$/)),
+  related_dimensions: z.array(z.string().regex(/^D[1-6]$/))
+});
+var AutonomyLevelSchema = z.object({
+  id: z.string().regex(/^N[0-3]$/),
+  code: z.string().regex(/^N[0-3]$/),
+  title: LocalizedStringSchema,
+  description: LocalizedStringSchema,
+  controls: LocalizedStringSchema,
+  examples: LocalizedStringSchema
+});
+var DimensionSchema = z.object({
+  id: z.string().regex(/^D[1-6]$/),
+  code: z.string().regex(/^D[1-6]$/),
+  title: LocalizedStringSchema,
+  description: LocalizedStringSchema,
+  practices: LocalizedStringSchema
+});
+var DdaoSchema = z.object({
+  title: LocalizedStringSchema,
+  expansion: z.literal("Delegated Decision Agent Officer"),
+  definition: LocalizedStringSchema,
+  responsibilities: LocalizedStringSchema,
+  not_to_be_confused_with: LocalizedStringSchema
+});
+var RelatedArticleSchema = z.object({
+  regulation: z.enum(["ai-act", "gdpr", "dora", "nis2", "iso-42001"]),
+  article: z.string(),
+  paragraph: z.string().optional()
+});
+var FicheFrontmatterSchema = z.object({
+  code: z.string().regex(/^ACF-(0[0-9]|1[0-6])$/),
+  slug: z.string().min(1),
+  title: z.string().min(1),
+  title_en: z.string().optional(),
+  order: z.number().int().min(0).max(16),
+  maturity_dimension: z.string().regex(/^D[1-6]$/).optional(),
+  related_principles: z.array(z.string().regex(/^P[1-4]$/)).optional(),
+  related_articles: z.array(RelatedArticleSchema).optional(),
+  related_fiches: z.array(z.string().regex(/^ACF-(0[0-9]|1[0-6])$/)).optional(),
+  keywords: z.array(z.string()),
+  version: z.string(),
+  pdf_url: z.string().optional()
+});
+var ApplicableDateSchema = z.object({
+  obligation: z.string(),
+  date: z.string()
+});
+var GuideFrontmatterSchema = z.object({
+  regulation: z.enum(["ai-act", "gdpr", "dora", "nis2", "iso-42001"]),
+  title: z.string().min(1),
+  title_en: z.string().optional(),
+  version: z.string(),
+  last_update: z.string(),
+  applicable_dates: z.array(ApplicableDateSchema).optional()
+});
+var GlossaryEntrySchema = z.object({
+  term: z.string().min(1),
+  expansion: z.string().optional(),
+  definition: z.string().min(1),
+  related_principles: z.array(z.string().regex(/^P[1-4]$/)).optional(),
+  related_fiches: z.array(z.string().regex(/^ACF-(0[0-9]|1[0-6])$/)).optional()
+});
+z.object({
+  slug: z.string().min(1),
+  title: z.string().min(1),
+  level: z.union([z.literal(1), z.literal(2), z.literal(3)]),
+  body: z.string()
+});
+var MetaSchema = z.object({
+  framework_version: z.string(),
+  content_build: z.string(),
+  content_hash: z.string().startsWith("sha256:"),
+  doctrine_signature: z.string().optional(),
+  permanent_archive_url: z.string().url(),
+  rules_version: z.string(),
+  locales: z.array(AcfLocaleSchema),
+  fallback_locale: AcfLocaleSchema
+});
+
+// src/core/locale.ts
+var DEFAULT_FALLBACK_LOCALE = "en";
+var AUTHORITY_SOURCE_LOCALE = "fr";
+function tryParseLocale(value) {
+  if (!value) return null;
+  const lower = value.trim().toLowerCase().slice(0, 2);
+  const result = AcfLocaleSchema.safeParse(lower);
+  return result.success ? result.data : null;
+}
+function negotiateLocale(input) {
+  const fromExplicit = tryParseLocale(input.explicit);
+  if (fromExplicit) return fromExplicit;
+  const fromEnv = tryParseLocale(input.envLocale);
+  if (fromEnv) return fromEnv;
+  return DEFAULT_FALLBACK_LOCALE;
+}
+function fallbackChain(requested) {
+  const chain = [requested];
+  if (!chain.includes(DEFAULT_FALLBACK_LOCALE)) chain.push(DEFAULT_FALLBACK_LOCALE);
+  if (!chain.includes(AUTHORITY_SOURCE_LOCALE)) chain.push(AUTHORITY_SOURCE_LOCALE);
+  return chain;
+}
+
+// src/core/content.ts
+var ContentLoader = class {
+  root;
+  metaCache = null;
+  constructor(opts) {
+    this.root = opts.contentRoot;
+  }
+  /* -------------------- Meta -------------------- */
+  async loadMeta() {
+    if (this.metaCache) return this.metaCache;
+    const file = path.join(this.root, "meta.json");
+    const raw = JSON.parse(await readFile(file, "utf8"));
+    this.metaCache = MetaSchema.parse(raw);
+    return this.metaCache;
+  }
+  /* -------------------- Framework -------------------- */
+  async loadPrinciples() {
+    const file = path.join(this.root, "framework", "principles.json");
+    const raw = JSON.parse(await readFile(file, "utf8"));
+    return (raw.principles ?? []).map((p) => PrincipleSchema.parse(p));
+  }
+  async loadAutonomyLevels() {
+    const file = path.join(this.root, "framework", "autonomy-levels.json");
+    const raw = JSON.parse(await readFile(file, "utf8"));
+    return (raw.levels ?? []).map((l) => AutonomyLevelSchema.parse(l));
+  }
+  async loadDimensions() {
+    const file = path.join(this.root, "framework", "dimensions.json");
+    const raw = JSON.parse(await readFile(file, "utf8"));
+    return (raw.dimensions ?? []).map((d) => DimensionSchema.parse(d));
+  }
+  async loadDdao() {
+    const file = path.join(this.root, "framework", "ddao.json");
+    const raw = JSON.parse(await readFile(file, "utf8"));
+    return DdaoSchema.parse(raw);
+  }
+  /* -------------------- Fiches -------------------- */
+  /**
+   * Load a fiche by code with locale fallback chain.
+   *
+   * **Caller contract:** `code` MUST be pre-validated against `/^ACF-(0[0-9]|1[0-6])$/`
+   * before calling this method. ContentLoader does NOT sanitise the code and relies
+   * on Zod validation at the tool boundary (Phase 5+). Skipping pre-validation is a
+   * path traversal risk.
+   */
+  async loadFiche(code, locale) {
+    for (const candidate of fallbackChain(locale)) {
+      const file = path.join(this.root, "fiches", `${code}.${candidate}.md`);
+      if (!existsSync(file)) continue;
+      const raw = await readFile(file, "utf8");
+      const parsed = matter(raw);
+      const frontmatter = FicheFrontmatterSchema.parse(parsed.data);
+      return {
+        frontmatter,
+        body: parsed.content,
+        served_locale: candidate,
+        is_fallback: candidate !== locale
+      };
+    }
+    throw new Error(`Fiche ${code} not found in any locale chain for ${locale}`);
+  }
+  /* -------------------- Guides -------------------- */
+  /**
+   * Load a regulatory guide markdown with locale fallback chain.
+   *
+   * **Caller contract:** `regulation` MUST be pre-validated against the
+   * `["ai-act", "gdpr", "dora", "nis2", "iso-42001"]` enum before calling
+   * this method. ContentLoader does NOT sanitise the regulation string.
+   */
+  async loadGuide(regulation, locale) {
+    for (const candidate of fallbackChain(locale)) {
+      const file = path.join(this.root, "guides", `${regulation}.${candidate}.md`);
+      if (!existsSync(file)) continue;
+      const raw = await readFile(file, "utf8");
+      const parsed = matter(raw);
+      const frontmatter = GuideFrontmatterSchema.parse(parsed.data);
+      return {
+        frontmatter,
+        body: parsed.content,
+        served_locale: candidate,
+        is_fallback: candidate !== locale
+      };
+    }
+    throw new Error(
+      `Guide ${regulation} not found in any locale chain for ${locale}`
+    );
+  }
+  /* -------------------- Glossary -------------------- */
+  async loadGlossary(locale) {
+    for (const candidate of fallbackChain(locale)) {
+      const file = path.join(this.root, "glossary", `${candidate}.json`);
+      if (!existsSync(file)) continue;
+      const raw = JSON.parse(await readFile(file, "utf8"));
+      return {
+        entries: raw.map((entry) => GlossaryEntrySchema.parse(entry)),
+        served_locale: candidate,
+        is_fallback: candidate !== locale
+      };
+    }
+    throw new Error(`Glossary not found in any locale chain for ${locale}`);
+  }
+  /**
+   * Lookup a glossary entry by `term` or `expansion` (case-insensitive).
+   *
+   * **Caller contract:** `term` is matched against entry strings, not used as a
+   * file path, so path traversal is not a concern here. But callers should
+   * still validate length/format to avoid pathological inputs.
+   *
+   * Returns null if no entry matches.
+   */
+  async loadGlossaryEntry(term, locale) {
+    const { entries, served_locale, is_fallback } = await this.loadGlossary(locale);
+    const normalised = term.trim().toLowerCase();
+    const entry = entries.find(
+      (e) => e.term.toLowerCase() === normalised || e.expansion?.toLowerCase() === normalised
+    ) ?? null;
+    if (!entry) return null;
+    return { entry, served_locale, is_fallback };
+  }
+  /* -------------------- Whitepaper -------------------- */
+  /**
+   * Load the whitepaper raw markdown body with locale fallback chain.
+   *
+   * Returns the file contents AS-IS. If the file contains a YAML frontmatter
+   * block, that block is included verbatim in `body` (this method does NOT
+   * strip it). The Phase 5 whitepaper section parser is responsible for
+   * walking H1/H2 and discarding any frontmatter prefix.
+   */
+  async loadWhitepaperRaw(locale) {
+    for (const candidate of fallbackChain(locale)) {
+      const file = path.join(this.root, "whitepaper", `${candidate}.md`);
+      if (!existsSync(file)) continue;
+      const body = await readFile(file, "utf8");
+      return {
+        body,
+        served_locale: candidate,
+        is_fallback: candidate !== locale
+      };
+    }
+    throw new Error(`Whitepaper not found in any locale chain for ${locale}`);
+  }
+};
+var ConfidenceSchema = z.enum(["low", "medium", "high"]);
+var CriticalitySchema = z.enum(["low", "medium", "high", "critical"]);
+var AcfLevelSchema = z.enum(["N0", "N1", "N2", "N3"]);
+var AiActRoleSchema = z.enum([
+  "provider",
+  "deployer",
+  "importer",
+  "distributor",
+  "not_applicable"
+]);
+var GdprRoleSchema = z.enum([
+  "controller",
+  "processor",
+  "joint_controller",
+  "not_applicable"
+]);
+var TriggerSchema = z.object({
+  structured_flags: z.array(z.string()).optional(),
+  keyword_patterns: z.array(z.string()).optional(),
+  negation_aware: z.boolean().default(true),
+  enum_match: z.record(z.string(), z.array(z.string())).optional()
+});
+var versionedHeader = {
+  version: z.string(),
+  last_update: z.string()
+};
+var RulesMetaSchema = z.object({
+  rules_version: z.string(),
+  last_update: z.string(),
+  applicable_jurisdictions: z.array(z.string())
+});
+var RuleCategorySchema = z.object({
+  id: z.string(),
+  title: z.string(),
+  triggers: TriggerSchema,
+  obligations: z.array(z.string()),
+  fiches: z.array(z.string()),
+  confidence_base: ConfidenceSchema,
+  requires_human_review: z.literal(true)
+});
+var AiActAnnexIIISchema = z.object({
+  ...versionedHeader,
+  applicable_dates: z.array(
+    z.object({
+      category: z.string(),
+      applicable_from: z.string(),
+      deferred: z.boolean()
+    })
+  ),
+  categories: z.array(RuleCategorySchema)
+});
+var AiActAnnexISchema = z.object({
+  ...versionedHeader,
+  applicable_dates: z.array(
+    z.object({
+      category: z.string(),
+      applicable_from: z.string(),
+      deferred: z.boolean()
+    })
+  ),
+  categories: z.array(RuleCategorySchema)
+});
+var GpaiTriggersSchema = z.object({
+  ...versionedHeader,
+  triggers: TriggerSchema,
+  obligations: z.array(
+    z.object({
+      article: z.string(),
+      requirement: z.string(),
+      applicable_date: z.string(),
+      systemic_risk_only: z.boolean().optional()
+    })
+  )
+});
+var CriticalityMatrixSchema = z.object({
+  ...versionedHeader,
+  cells: z.array(
+    z.object({
+      personal_data_level: z.enum(["none", "standard", "sensitive_special"]),
+      financial_exposure: z.enum([
+        "none",
+        "low_operation",
+        "medium_contract",
+        "high_corporate"
+      ]),
+      sector_modifier: z.number(),
+      score: CriticalitySchema,
+      rationale_template: z.string()
+    })
+  )
+});
+var AutonomyInferenceSchema = z.object({
+  ...versionedHeader,
+  thresholds: z.array(
+    z.object({
+      level: AcfLevelSchema,
+      conditions: z.record(z.string(), z.array(z.string())),
+      rationale_template: z.string()
+    })
+  )
+});
+var DdaoControlsMappingSchema = z.object({
+  ...versionedHeader,
+  mappings: z.array(
+    z.object({
+      level: AcfLevelSchema,
+      risk: CriticalitySchema,
+      recommended_controls: z.array(
+        z.object({
+          title: z.string(),
+          description: z.string(),
+          owner_role: z.enum([
+            "ddao",
+            "dpo",
+            "ciso",
+            "business_owner",
+            "auditor"
+          ]),
+          frequency: z.enum([
+            "one_time",
+            "monthly",
+            "quarterly",
+            "annual",
+            "on_event"
+          ]),
+          evidence_artifact: z.string()
+        })
+      ),
+      ddao_controls: z.array(
+        z.object({
+          control_id: z.string(),
+          control_type: z.enum([
+            "preventive",
+            "detective",
+            "corrective",
+            "governance"
+          ]),
+          fiche_reference: z.string(),
+          implementation_note: z.string()
+        })
+      )
+    })
+  )
+});
+var SignOffMatrixSchema = z.object({
+  ...versionedHeader,
+  rules: z.array(
+    z.object({
+      criticality: CriticalitySchema,
+      personal_data_level: z.enum(["none", "standard", "sensitive_special"]),
+      financial_exposure: z.enum([
+        "none",
+        "low_operation",
+        "medium_contract",
+        "high_corporate"
+      ]),
+      required: z.object({
+        security: z.boolean(),
+        privacy: z.boolean(),
+        compliance: z.boolean(),
+        legal: z.boolean(),
+        business_sponsor: z.boolean(),
+        board: z.boolean()
+      })
+    })
+  )
+});
+var GdprQualificationSchema = z.object({
+  ...versionedHeader,
+  cases: z.array(
+    z.object({
+      id: z.string(),
+      triggers: TriggerSchema,
+      role: GdprRoleSchema,
+      confidence_base: ConfidenceSchema,
+      rationale_template: z.string()
+    })
+  )
+});
+var AiActRolesSchema = z.object({
+  ...versionedHeader,
+  rules: z.array(
+    z.object({
+      id: z.string(),
+      triggers: TriggerSchema,
+      role: AiActRoleSchema,
+      confidence_base: ConfidenceSchema,
+      rationale_template: z.string()
+    })
+  )
+});
+
+// src/core/rules-loader.ts
+var RulesLoader = class {
+  root;
+  constructor(opts) {
+    this.root = opts.rulesRoot;
+  }
+  async loadJson(file) {
+    const raw = await readFile(path.join(this.root, file), "utf8");
+    return JSON.parse(raw);
+  }
+  async loadRulesMeta() {
+    return RulesMetaSchema.parse(await this.loadJson("rules-meta.json"));
+  }
+  async loadAiActAnnexIII() {
+    return AiActAnnexIIISchema.parse(await this.loadJson("ai-act-annex-iii.json"));
+  }
+  async loadAiActAnnexI() {
+    return AiActAnnexISchema.parse(await this.loadJson("ai-act-annex-i.json"));
+  }
+  async loadGpaiTriggers() {
+    return GpaiTriggersSchema.parse(await this.loadJson("gpai-triggers.json"));
+  }
+  async loadAutonomyInference() {
+    return AutonomyInferenceSchema.parse(await this.loadJson("autonomy-inference.json"));
+  }
+  async loadCriticalityMatrix() {
+    return CriticalityMatrixSchema.parse(await this.loadJson("criticality-matrix.json"));
+  }
+  async loadDdaoControlsMapping() {
+    return DdaoControlsMappingSchema.parse(await this.loadJson("ddao-controls-mapping.json"));
+  }
+  async loadSignOffMatrix() {
+    return SignOffMatrixSchema.parse(await this.loadJson("sign-off-matrix.json"));
+  }
+  async loadGdprQualification() {
+    return GdprQualificationSchema.parse(await this.loadJson("gdpr-qualification.json"));
+  }
+  async loadAiActRoles() {
+    return AiActRolesSchema.parse(await this.loadJson("ai-act-roles.json"));
+  }
+};
+var FRAMEWORK_CATEGORIES = /* @__PURE__ */ new Set([
+  "principle",
+  "autonomy_level",
+  "dimension",
+  "ddao"
+]);
+var CATEGORY_SCORE_MULTIPLIER = {
+  principle: 1.15,
+  autonomy_level: 1.1,
+  dimension: 1.1,
+  ddao: 1.1,
+  fiche: 1.05,
+  guide: 1.02,
+  whitepaper: 1,
+  glossary: 0.9,
+  meta: 0.8
+};
+var SearchEngine = class _SearchEngine {
+  constructor(idx, docs) {
+    this.idx = idx;
+    this.docs = docs;
+  }
+  idx;
+  docs;
+  static async fromFile(file) {
+    const raw = JSON.parse(await readFile(file, "utf8"));
+    const idx = lunr.Index.load(raw.index);
+    const docs = new Map(Object.entries(raw.docs));
+    return new _SearchEngine(idx, docs);
+  }
+  static fromMemory(serialised) {
+    const idx = lunr.Index.load(serialised.index);
+    const docs = new Map(Object.entries(serialised.docs));
+    return new _SearchEngine(idx, docs);
+  }
+  /**
+   * Normalise a query string the same way lunr normalises indexed tokens:
+   * - strip combining diacritics (é → e, ü → u, ç → c, etc.)
+   * - lower-case
+   * This ensures "souveraineté" matches the stored token "souverainete".
+   */
+  static normaliseQuery(q) {
+    return q.normalize("NFD").replace(new RegExp("\\p{Mn}", "gu"), "").toLowerCase();
+  }
+  search(input) {
+    const normalisedQuery = _SearchEngine.normaliseQuery(input.query);
+    let lunrResults;
+    try {
+      lunrResults = this.idx.search(normalisedQuery);
+    } catch {
+      const sanitised = normalisedQuery.replace(/[^\p{L}\p{N}\s]/gu, " ").trim();
+      lunrResults = sanitised ? this.idx.search(sanitised) : [];
+    }
+    const candidates = [];
+    for (const r of lunrResults) {
+      const doc = this.docs.get(r.ref);
+      if (!doc) continue;
+      if (doc.locale !== input.locale) continue;
+      if (!this.matchesScope(doc.category, input.scope)) continue;
+      const multiplier = CATEGORY_SCORE_MULTIPLIER[doc.category] ?? 1;
+      candidates.push({
+        uri: doc.uri,
+        title: doc.title,
+        snippet: doc.snippet,
+        score: r.score * multiplier,
+        category: doc.category,
+        locale: doc.locale
+      });
+    }
+    candidates.sort((a, b) => b.score - a.score);
+    return candidates.slice(0, input.limit);
+  }
+  matchesScope(category, scope) {
+    if (scope === "all") return true;
+    if (scope === "framework") return FRAMEWORK_CATEGORIES.has(category);
+    if (scope === "fiche") return category === "fiche";
+    if (scope === "guide") return category === "guide";
+    if (scope === "whitepaper") return category === "whitepaper";
+    if (scope === "glossary") return category === "glossary";
+    return false;
+  }
+};
+
+// src/core/uri.ts
+var PREFIX = "acf://";
+function parseAcfUri(uri) {
+  if (!uri.startsWith(PREFIX)) {
+    throw new Error(`Invalid scheme \u2014 expected acf://, got: ${uri}`);
+  }
+  const rest = uri.slice(PREFIX.length);
+  const [pathPart, queryPart] = rest.split("?", 2);
+  if (pathPart === void 0) {
+    throw new Error(`Empty URI: ${uri}`);
+  }
+  const segments = pathPart.split("/").filter(Boolean);
+  let locale;
+  if (queryPart) {
+    const params = new URLSearchParams(queryPart);
+    const lang = params.get("lang");
+    if (lang) {
+      const parsed = AcfLocaleSchema.safeParse(lang);
+      if (parsed.success) locale = parsed.data;
+    }
+  }
+  if (segments[0] === "framework") {
+    if (segments[1] === "principle" && segments[2]) {
+      return { category: "framework_principle", id: segments[2], locale };
+    }
+    if (segments[1] === "autonomy-level" && segments[2]) {
+      return { category: "framework_autonomy_level", id: segments[2], locale };
+    }
+    if (segments[1] === "dimension" && segments[2]) {
+      return { category: "framework_dimension", id: segments[2], locale };
+    }
+    if (segments[1] === "ddao") {
+      return { category: "framework_ddao", id: void 0, locale };
+    }
+  }
+  if (segments[0] === "fiche" && segments[1]) {
+    return { category: "fiche", id: segments[1], locale };
+  }
+  if (segments[0] === "guide" && segments[1]) {
+    return { category: "guide", id: segments[1], locale };
+  }
+  if (segments[0] === "whitepaper") {
+    if (!segments[1]) return { category: "whitepaper", id: void 0, locale };
+    if (segments[1] === "toc")
+      return { category: "whitepaper_toc", id: void 0, locale };
+    if (segments[1] === "section" && segments[2]) {
+      return { category: "whitepaper_section", id: segments[2], locale };
+    }
+  }
+  if (segments[0] === "manual") {
+    if (!segments[1]) return { category: "manual", id: void 0, locale };
+    if (segments[1] === "toc")
+      return { category: "manual_toc", id: void 0, locale };
+    if (segments[1] === "section" && segments[2]) {
+      return { category: "manual_section", id: segments[2], locale };
+    }
+  }
+  if (segments[0] === "deck") {
+    return { category: "deck", id: void 0, locale };
+  }
+  if (segments[0] === "glossary") {
+    if (!segments[1]) return { category: "glossary", id: void 0, locale };
+    return {
+      category: "glossary_entry",
+      id: decodeURIComponent(segments[1]),
+      locale
+    };
+  }
+  if (segments[0] === "meta") {
+    return { category: "meta", id: void 0, locale };
+  }
+  throw new Error(`Unknown ACF URI: ${uri}`);
+}
+
+// src/core/resources.ts
+async function listResources(registry) {
+  const items = [];
+  const principles = await registry.content.loadPrinciples();
+  for (const p of principles) {
+    items.push({
+      uri: `acf://framework/principle/${p.code}`,
+      name: `Principle ${p.code} \u2014 ${p.title.en}`,
+      description: p.summary.en,
+      mimeType: "application/json"
+    });
+  }
+  const levels = await registry.content.loadAutonomyLevels();
+  for (const l of levels) {
+    items.push({
+      uri: `acf://framework/autonomy-level/${l.code}`,
+      name: `Autonomy level ${l.code} \u2014 ${l.title.en}`,
+      description: l.description.en,
+      mimeType: "application/json"
+    });
+  }
+  const dimensions = await registry.content.loadDimensions();
+  for (const d of dimensions) {
+    items.push({
+      uri: `acf://framework/dimension/${d.code}`,
+      name: `Maturity dimension ${d.code} \u2014 ${d.title.en}`,
+      description: d.description.en,
+      mimeType: "application/json"
+    });
+  }
+  items.push({
+    uri: "acf://framework/ddao",
+    name: "DDAO \u2014 Delegated Decision Agent Officer",
+    description: "Canonical ACF\xAE role definition for autonomous-agent guardianship.",
+    mimeType: "application/json"
+  });
+  for (let i = 0; i <= 16; i++) {
+    const code = `ACF-${String(i).padStart(2, "0")}`;
+    items.push({
+      uri: `acf://fiche/${code}`,
+      name: `ACF\xAE card ${code}`,
+      description: `One of the 17 ACF\xAE methodological cards (V1.0).`,
+      mimeType: "text/markdown"
+    });
+  }
+  items.push({
+    uri: "acf://glossary",
+    name: "ACF\xAE Glossary index",
+    description: "List of canonical ACF\xAE terms with cross-refs.",
+    mimeType: "application/json"
+  });
+  items.push({
+    uri: "acf://meta",
+    name: "ACF\xAE doctrine metadata",
+    description: "Framework version, content hash, archive URL, supported locales.",
+    mimeType: "application/json"
+  });
+  return items;
+}
+async function readResource(registry, uri, acceptLanguage) {
+  const parsed = parseAcfUri(uri);
+  const locale = negotiateLocale({
+    explicit: parsed.locale,
+    envLocale: process.env["ACF_MCP_LOCALE"]
+  });
+  switch (parsed.category) {
+    case "framework_principle": {
+      const list = await registry.content.loadPrinciples();
+      const found = list.find((p) => p.code === parsed.id);
+      if (!found) throw new Error(`Principle not found: ${parsed.id}`);
+      return jsonResource(uri, found);
+    }
+    case "framework_autonomy_level": {
+      const list = await registry.content.loadAutonomyLevels();
+      const found = list.find((l) => l.code === parsed.id);
+      if (!found) throw new Error(`Autonomy level not found: ${parsed.id}`);
+      return jsonResource(uri, found);
+    }
+    case "framework_dimension": {
+      const list = await registry.content.loadDimensions();
+      const found = list.find((d) => d.code === parsed.id);
+      if (!found) throw new Error(`Dimension not found: ${parsed.id}`);
+      return jsonResource(uri, found);
+    }
+    case "framework_ddao": {
+      return jsonResource(uri, await registry.content.loadDdao());
+    }
+    case "fiche": {
+      const fiche = await registry.content.loadFiche(parsed.id ?? "", locale);
+      return {
+        contents: [
+          {
+            uri,
+            mimeType: "text/markdown",
+            text: renderFicheMarkdown(fiche)
+          }
+        ]
+      };
+    }
+    case "glossary": {
+      const { entries } = await registry.content.loadGlossary(locale);
+      return jsonResource(uri, entries);
+    }
+    case "glossary_entry": {
+      const result = await registry.content.loadGlossaryEntry(parsed.id ?? "", locale);
+      if (!result) throw new Error(`Glossary entry not found: ${parsed.id}`);
+      return jsonResource(uri, result.entry);
+    }
+    case "meta": {
+      return jsonResource(uri, await registry.content.loadMeta());
+    }
+    default:
+      throw new Error(`Resource not implemented in V1.0: ${parsed.category}`);
+  }
+}
+function jsonResource(uri, data) {
+  return {
+    contents: [
+      { uri, mimeType: "application/json", text: JSON.stringify(data, null, 2) }
+    ]
+  };
+}
+function renderFicheMarkdown(fiche) {
+  const head = [
+    "---",
+    `served_locale: ${fiche.served_locale}`,
+    `is_fallback: ${fiche.is_fallback}`,
+    "---",
+    ""
+  ].join("\n");
+  return head + fiche.body;
+}
+async function registerResources(server, registry) {
+  server.setRequestHandler(ListResourcesRequestSchema, async () => ({
+    resources: await listResources(registry)
+  }));
+  server.setRequestHandler(ReadResourceRequestSchema, async (req) => {
+    return readResource(registry, req.params.uri);
+  });
+}
+
+// src/constants/tool-descriptions.ts
+var TOOL_DESCRIPTIONS = {
+  "acf.search": "When you don't know which ACF\xAE resource is most relevant to the situation at hand (a question, a regulator request, a board challenge\u2026), search the full ACF\xAE corpus and rank candidate resources by relevance.",
+  "acf.fiche.lookup": "When facing a specific governance question (defining an agent's mandate, designing a kill switch, building a decision register\u2026), retrieve the canonical ACF\xAE methodological card that applies \u2014 with its example, its mapping to principles and its related cards.",
+  "acf.regulation.article": "When a regulator, an auditor or a board references a specific article (AI Act Art. 9, GDPR Art. 35, DORA Art. 28, NIS2 Art. 21, ISO 42001 \xA76\u2026), get the verified text and its operational translation into the ACF\xAE framework \u2014 which principles it activates, which maturity dimensions it stresses, which fiches operationalise it.",
+  "acf.glossary.define": "When governance vocabulary becomes ambiguous (what is a DDAO? what does Decision Sovereignty exactly mean? when does an agent transition from N1 to N2?), get the canonical ACF\xAE definition and its connection to the rest of the doctrine.",
+  "acf.cite": "When writing a thesis, a regulatory filing, a board memo or an academic paper that needs to reference ACF\xAE, produce a properly formatted citation in the requested style (APA, MLA, Chicago, ISO 690, BibTeX).",
+  "acf.advisor": "When a user describes a real AI use case and needs a structured ACF\xAE governance assessment in return \u2014 which principles fire, which maturity dimensions are critical, which autonomy level fits, which regulatory obligations apply, which fiches to mobilise in what order, what are the first operational actions, what are the operational risks. This is the conversion tool: from documentation library to governance advisor.",
+  "acf.classify-agent": "When a system owner needs a first-pass governance qualification of an AI agent before go-live \u2014 what autonomy level it likely operates at, what risk class it likely carries, what regulations apply, what controls to put in place, who should sign off \u2014 get one structured preliminary assessment covering all five questions in a single call. Input kept deliberately simple (10 qualified fields); output is structured for human review, not for autonomous regulatory decision-making.",
+  "acf.assess-autonomy": "When deciding how much autonomy to grant an agent \u2014 should it propose, decide or execute? what triggers human review? what is the kill switch design? \u2014 get a first-pass assessment grounded in the 4 ACF\xAE autonomy levels with explicit go/no-go criteria, gating thresholds, and uncertainty signalling for human review.",
+  "acf.identify-governance-gaps": "When auditing your current AI governance setup \u2014 what does ACF\xAE suggest you should have that you don't? \u2014 get a first-pass gap analysis across the 6 maturity dimensions, prioritised by criticality, with remediation actions, quick wins, and explicit uncertainty signalling on which gaps were inferred vs declared.",
+  "acf.map-ai-act-obligations": "When a system has been preliminarily qualified as high-risk and you need the exhaustive list of AI Act obligations that apply \u2014 Art. 9 risk management, Art. 10 data, Art. 11 docs, Art. 12 logs, Art. 13 transparency, Art. 14 human oversight, Art. 15 robustness, GPAI Art. 51-55 \u2014 get the full obligation set structured by lifecycle phase (pre-go-live / continuous / on-incident) with deadlines (incl. Digital Omnibus deferrals) and ACF\xAE operational translation.",
+  "acf.assign-ddao-controls": "When a DDAO needs concrete controls assigned to an autonomous agent \u2014 what kill switches, what escalation thresholds, what audit trails, what documentation, who owns each control \u2014 get the ACF\xAE control set scoped to the agent's autonomy level and risk class, with double vocabulary (plain-English recommended_controls + ACF-canonical ddao_controls) for external clarity.",
+  "acf.evaluate-agent-mandate": "When an existing agent mandate already exists (drafted or proposed for DDAO sign-off) and you need a first-pass audit before go-live or regulatory inspection \u2014 does it cover the decision perimeter, the escalation thresholds, the kill switch, the audit trail, the documentation duty? \u2014 get a structured preliminary verdict with strengths, gaps, required additions, and explicit gaps_to_validate for the human reviewer."
+};
+var SearchInputSchema = z.object({
+  query: z.string().min(2).max(200),
+  scope: z.enum(["all", "framework", "fiche", "guide", "whitepaper", "glossary"]).default("all"),
+  locale: AcfLocaleSchema.optional(),
+  limit: z.number().int().min(1).max(20).default(5)
+});
+async function handleSearchTool(registry, rawInput) {
+  const input = SearchInputSchema.parse(rawInput);
+  const locale = input.locale ?? "en";
+  const hits = registry.search.search({
+    query: input.query,
+    scope: input.scope,
+    locale,
+    limit: input.limit
+  });
+  return { hits };
+}
+var FicheLookupInputSchema = z.object({
+  code: z.string().regex(/^ACF-(0[0-9]|1[0-6])$/),
+  locale: AcfLocaleSchema.optional(),
+  include_frontmatter: z.boolean().default(true)
+});
+async function handleFicheLookupTool(registry, rawInput) {
+  const input = FicheLookupInputSchema.parse(rawInput);
+  const locale = input.locale ?? "en";
+  const fiche = await registry.content.loadFiche(input.code, locale);
+  return {
+    code: fiche.frontmatter.code,
+    title: fiche.frontmatter.title,
+    markdown: fiche.body,
+    metadata: input.include_frontmatter ? fiche.frontmatter : {},
+    pdf_url: fiche.frontmatter.pdf_url ?? "",
+    uri: `acf://fiche/${fiche.frontmatter.code}`,
+    served_locale: fiche.served_locale,
+    is_fallback: fiche.is_fallback
+  };
+}
+var RegulationArticleInputSchema = z.object({
+  regulation: z.enum(["ai-act", "gdpr", "dora", "nis2", "iso-42001"]),
+  article: z.string().min(1).max(20),
+  locale: AcfLocaleSchema.optional()
+});
+var ARTICLE_MAPPINGS = {
+  "ai-act": {
+    "9": {
+      regulation: "ai-act",
+      article: "9",
+      title: "Risk management system (high-risk AI systems)",
+      text: "Providers of high-risk AI systems shall establish, implement, document and maintain a risk management system. See Regulation (EU) 2024/1689, Article 9.",
+      mapping: {
+        principles: ["P2", "P4"],
+        dimensions: ["D5", "D6"],
+        fiches: ["ACF-02", "ACF-11"],
+        operational_note: "ACF\xAE operationalises Art. 9 via ACF-02 (criticality matrix) + ACF-11 (risk assessment), bound by P4 (proportional governance)."
+      },
+      applicable_date: "2027-12-02"
+    },
+    "10": {
+      regulation: "ai-act",
+      article: "10",
+      title: "Data and data governance (high-risk AI systems)",
+      text: "Training, validation and testing data sets shall be subject to data governance and management practices appropriate for the intended purpose. See Regulation (EU) 2024/1689, Article 10.",
+      mapping: {
+        principles: ["P2"],
+        dimensions: ["D5"],
+        fiches: ["ACF-05", "ACF-13"],
+        operational_note: "ACF\xAE operationalises Art. 10 via ACF-05 (decision register) + ACF-13 (retention policy)."
+      },
+      applicable_date: "2027-12-02"
+    },
+    "14": {
+      regulation: "ai-act",
+      article: "14",
+      title: "Human oversight (high-risk AI systems)",
+      text: "High-risk AI systems shall be designed and developed so that they can be effectively overseen by natural persons. See Regulation (EU) 2024/1689, Article 14.",
+      mapping: {
+        principles: ["P3"],
+        dimensions: ["D3", "D4"],
+        fiches: ["ACF-07", "ACF-09", "ACF-14"],
+        operational_note: "ACF\xAE operationalises Art. 14 via P3 (ultimate human control), ACF-07 (kill switch), ACF-09 (escalation thresholds), ACF-14 (takeover drills)."
+      },
+      applicable_date: "2027-12-02"
+    }
+  },
+  "gdpr": {
+    "25": {
+      regulation: "gdpr",
+      article: "25",
+      title: "Data protection by design and by default",
+      text: "The controller shall implement appropriate technical and organisational measures to ensure data protection by design and by default. See Regulation (EU) 2016/679, Article 25.",
+      mapping: {
+        principles: ["P2"],
+        dimensions: ["D3", "D5"],
+        fiches: ["ACF-03", "ACF-13"],
+        operational_note: "ACF\xAE operationalises Art. 25 via ACF-03 (constitution forbidding non-purposeful PII access) + ACF-13 (retention policy)."
+      }
+    },
+    "35": {
+      regulation: "gdpr",
+      article: "35",
+      title: "Data protection impact assessment (DPIA)",
+      text: "Where processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall carry out a DPIA. See Regulation (EU) 2016/679, Article 35.",
+      mapping: {
+        principles: ["P2"],
+        dimensions: ["D5"],
+        fiches: ["ACF-11"],
+        operational_note: "ACF\xAE operationalises Art. 35 via ACF-11 (risk assessment) feeding the DPIA template."
+      }
+    }
+  }
+};
+async function handleRegulationArticleTool(_registry, rawInput) {
+  const input = RegulationArticleInputSchema.parse(rawInput);
+  const reg = ARTICLE_MAPPINGS[input.regulation];
+  if (!reg || !reg[input.article]) {
+    throw new Error(
+      `Article ${input.regulation} Art. ${input.article} not yet seeded in V1.0 \u2014 full expert guides arrive in content-authoring sub-plan.`
+    );
+  }
+  return reg[input.article];
+}
+var GlossaryDefineInputSchema = z.object({
+  term: z.string().min(1).max(80),
+  locale: AcfLocaleSchema.optional()
+});
+async function handleGlossaryDefineTool(registry, rawInput) {
+  const input = GlossaryDefineInputSchema.parse(rawInput);
+  const locale = input.locale ?? "en";
+  const result = await registry.content.loadGlossaryEntry(input.term, locale);
+  if (!result) {
+    throw new Error(`Glossary entry not found: ${input.term}`);
+  }
+  return {
+    term: result.entry.term,
+    expansion: result.entry.expansion,
+    definition: result.entry.definition,
+    related: {
+      principles: result.entry.related_principles ?? [],
+      fiches: result.entry.related_fiches ?? []
+    },
+    // Use the ACTUAL served locale (which may be a fallback), not the requested one.
+    served_locale: result.served_locale
+  };
+}
+var CiteInputSchema = z.object({
+  uri: z.string().regex(/^acf:\/\//),
+  style: z.enum(["apa", "mla", "chicago", "iso-690", "bibtex"]).default("apa"),
+  locale: AcfLocaleSchema.optional()
+});
+var CITATION_AUTHOR = "Dorange, V.";
+var CITATION_YEAR = "2026";
+var CITATION_BASE_URL = "https://acfstandard.com";
+function uriToUrlSlug(uri) {
+  return uri.replace(/^acf:\/\//, "").replace(/[^a-z0-9]+/gi, "-").replace(/^-|-$/g, "");
+}
+async function handleCiteTool(registry, rawInput) {
+  const input = CiteInputSchema.parse(rawInput);
+  const meta = registry.meta;
+  const slug = uriToUrlSlug(input.uri);
+  const url = `${CITATION_BASE_URL}/doctrine/v${meta.framework_version}/${slug}`;
+  const title = `Agentic Commerce Framework\xAE (ACF\xAE) \u2014 ${input.uri}`;
+  const structured = {
+    author: CITATION_AUTHOR,
+    year: CITATION_YEAR,
+    title,
+    url
+  };
+  let citation;
+  switch (input.style) {
+    case "apa":
+      citation = `${CITATION_AUTHOR} (${CITATION_YEAR}). ${title}. ACF Standard. ${url}`;
+      break;
+    case "mla":
+      citation = `${CITATION_AUTHOR} "${title}." ACF Standard, ${CITATION_YEAR}, ${url}.`;
+      break;
+    case "chicago":
+      citation = `${CITATION_AUTHOR} "${title}." ACF Standard. ${CITATION_YEAR}. ${url}.`;
+      break;
+    case "iso-690":
+      citation = `${CITATION_AUTHOR} ${title}. ACF Standard, ${CITATION_YEAR}. Available at: ${url}`;
+      break;
+    case "bibtex":
+      citation = [
+        `@misc{acf-${slug},`,
+        `  author = {${CITATION_AUTHOR}},`,
+        `  title = {${title}},`,
+        `  year = {${CITATION_YEAR}},`,
+        `  url = {${url}}`,
+        "}"
+      ].join("\n");
+      break;
+  }
+  return { citation, structured };
+}
+
+// src/lib/zod-to-json-schema.ts
+function zodToJsonSchema(schema) {
+  return toSchema(schema);
+}
+function toSchema(s2) {
+  const def = s2._def;
+  switch (def.typeName) {
+    case "ZodObject": {
+      const obj = s2;
+      const properties = {};
+      const required = [];
+      const shape = obj.shape;
+      for (const key of Object.keys(shape)) {
+        const child = shape[key];
+        properties[key] = toSchema(child);
+        if (!isOptional(child)) required.push(key);
+      }
+      return {
+        type: "object",
+        properties,
+        required,
+        additionalProperties: false
+      };
+    }
+    case "ZodString": {
+      const s22 = s2;
+      const out = { type: "string" };
+      const checks = s22._def.checks ?? [];
+      for (const c of checks) {
+        if (c.kind === "min" && c.value !== void 0) out["minLength"] = c.value;
+        if (c.kind === "max" && c.value !== void 0) out["maxLength"] = c.value;
+      }
+      return out;
+    }
+    case "ZodNumber": {
+      const s22 = s2;
+      const out = { type: "number" };
+      const checks = s22._def.checks ?? [];
+      for (const c of checks) {
+        if (c.kind === "min" && c.value !== void 0) out["minimum"] = c.value;
+        if (c.kind === "max" && c.value !== void 0) out["maximum"] = c.value;
+        if (c.kind === "int") out["type"] = "integer";
+      }
+      return out;
+    }
+    case "ZodBoolean":
+      return { type: "boolean" };
+    case "ZodEnum": {
+      const e = s2;
+      return { type: "string", enum: [...e.options] };
+    }
+    case "ZodArray": {
+      const inner = s2._def.type;
+      return { type: "array", items: toSchema(inner) };
+    }
+    case "ZodOptional": {
+      const inner = s2._def.innerType;
+      return toSchema(inner);
+    }
+    case "ZodDefault": {
+      const inner = s2._def.innerType;
+      const out = toSchema(inner);
+      const defaultValue = s2._def.defaultValue();
+      return { ...out, default: defaultValue };
+    }
+    case "ZodLiteral": {
+      const v = s2._def.value;
+      return { const: v };
+    }
+    case "ZodRecord":
+      return { type: "object", additionalProperties: true };
+    default:
+      return {};
+  }
+}
+function isOptional(s2) {
+  const t = s2._def.typeName;
+  return t === "ZodOptional" || t === "ZodDefault";
+}
+var HumanApprovalEnum = z.enum(["always", "sometimes", "never"]);
+var PersonalDataEnum = z.enum([
+  "none",
+  "standard",
+  "sensitive_special"
+]);
+var FinancialExposureEnum = z.enum([
+  "none",
+  "low_operation",
+  "medium_contract",
+  "high_corporate"
+]);
+var ExternalActionsEnum = z.enum([
+  "none",
+  "read_only",
+  "limited_write",
+  "full_write"
+]);
+var UsageAudienceEnum = z.enum([
+  "internal",
+  "third_party_b2b",
+  "public_consumer"
+]);
+var JurisdictionEnum = z.enum([
+  "eu",
+  "uk",
+  "us",
+  "ca",
+  "ch",
+  "br",
+  "jp",
+  "other"
+]);
+var AiActTriggerEnum = z.enum([
+  "biometric_identity",
+  "critical_infrastructure",
+  "educational_assessment",
+  "employment_recruitment",
+  "credit_scoring",
+  "law_enforcement",
+  "migration_asylum",
+  "justice_democracy",
+  "none"
+]);
+var ProcessingPurposeEnum = z.enum([
+  "hr",
+  "marketing",
+  "core_financial",
+  "tech_support",
+  "healthcare",
+  "education",
+  "public_service",
+  "compliance_monitoring",
+  "other"
+]);
+var ClassifyAgentInputSchema = z.object({
+  name: z.string().min(2).max(200),
+  description: z.string().min(20).max(1e3),
+  decisions_taken: z.array(z.string()).min(1).max(20),
+  human_approval_required: HumanApprovalEnum,
+  personal_data_level: PersonalDataEnum,
+  financial_exposure: FinancialExposureEnum,
+  external_actions: ExternalActionsEnum,
+  gpai_used: z.boolean(),
+  usage_audience: UsageAudienceEnum,
+  sector: z.string().max(80).optional(),
+  jurisdiction: z.array(JurisdictionEnum).optional(),
+  ai_act_triggers: z.array(AiActTriggerEnum).optional(),
+  processing_purposes: z.array(ProcessingPurposeEnum).optional(),
+  locale: AcfLocaleSchema.optional()
+});
+function extractFlags(input) {
+  return [
+    `human_approval_required:${input.human_approval_required}`,
+    `personal_data_level:${input.personal_data_level}`,
+    `financial_exposure:${input.financial_exposure}`,
+    `external_actions:${input.external_actions}`,
+    `usage_audience:${input.usage_audience}`,
+    `gpai_used:${input.gpai_used}`
+  ];
+}
+function extractEnumHints(input) {
+  const hints = {};
+  if (input.ai_act_triggers) hints["ai_act_triggers"] = input.ai_act_triggers;
+  if (input.processing_purposes)
+    hints["processing_purposes"] = input.processing_purposes;
+  hints["usage_audience"] = [input.usage_audience];
+  hints["personal_data_level"] = [input.personal_data_level];
+  hints["gpai_used"] = [String(input.gpai_used)];
+  return hints;
+}
+
+// src/core/infer-autonomy.ts
+function inferAutonomy(rules, input) {
+  for (const t of rules.thresholds) {
+    const happroved = t.conditions["human_approval_required"] ?? [];
+    const ext = t.conditions["external_actions"] ?? [];
+    if (happroved.includes(input.human_approval_required) && ext.includes(input.external_actions)) {
+      return {
+        level: t.level,
+        rationale: t.rationale_template,
+        rule_id: `autonomy-inference.${t.level}`
+      };
+    }
+  }
+  return {
+    level: "N1",
+    rationale: "No clear autonomy threshold matched the declared inputs; defaulting to N1 (supervised). Confirm with the team.",
+    rule_id: "autonomy-inference.default-N1"
+  };
+}
+
+// src/core/infer-criticality.ts
+function inferCriticality(matrix, input) {
+  for (const cell of matrix.cells) {
+    if (cell.personal_data_level === input.personal_data_level && cell.financial_exposure === input.financial_exposure) {
+      return {
+        score: cell.score,
+        rationale: cell.rationale_template,
+        matrix_ref: `cell(${cell.personal_data_level}, ${cell.financial_exposure})`,
+        rule_id: `criticality-matrix.${cell.personal_data_level}-${cell.financial_exposure}`
+      };
+    }
+  }
+  return {
+    score: "medium",
+    rationale: "Combination of personal_data_level + financial_exposure not yet calibrated; defaulting to medium for safety.",
+    matrix_ref: "default-medium",
+    rule_id: "criticality-matrix.default-medium"
+  };
+}
+
+// src/core/negation-aware.ts
+var NEGATION_TOKENS = [
+  // FR
+  "n'a pas",
+  "n'est pas",
+  "ne pas",
+  "ne sont pas",
+  "n'analyse pas",
+  "pas de",
+  "aucun",
+  "aucune",
+  "jamais",
+  "n'... jamais",
+  "ne... jamais",
+  // EN
+  "not ",
+  "no ",
+  "never",
+  "without",
+  "absent"
+];
+var NEGATION_WINDOW = 40;
+var NEGATION_REGEX = new RegExp(
+  `(${NEGATION_TOKENS.map((t) => t.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|")})`,
+  "i"
+);
+function negationAwareMatch(text, patterns) {
+  const lower = text.toLowerCase();
+  const hits = [];
+  for (const pattern of patterns) {
+    const p = pattern.toLowerCase();
+    let from = 0;
+    while (from <= lower.length) {
+      const i = lower.indexOf(p, from);
+      if (i === -1) break;
+      const windowStart = Math.max(0, i - NEGATION_WINDOW);
+      const before = lower.slice(windowStart, i);
+      const negated = NEGATION_REGEX.test(before);
+      hits.push({ pattern, index: i, negated });
+      from = i + p.length;
+    }
+  }
+  return {
+    matched: hits.some((h) => !h.negated),
+    hits
+  };
+}
+
+// src/core/trigger-eval.ts
+function evaluateTrigger(trigger, input) {
+  const evidence = [];
+  let fired = false;
+  if (trigger.keyword_patterns && trigger.keyword_patterns.length > 0) {
+    const r = negationAwareMatch(input.text, trigger.keyword_patterns);
+    if (r.matched) {
+      fired = true;
+      for (const h of r.hits) {
+        if (!h.negated) evidence.push(`keyword:${h.pattern}`);
+      }
+    }
+  }
+  if (trigger.enum_match) {
+    for (const [enumKey, allowed] of Object.entries(trigger.enum_match)) {
+      const provided = input.enums[enumKey] ?? [];
+      for (const v of provided) {
+        if (allowed.includes(v)) {
+          fired = true;
+          evidence.push(`enum:${enumKey}=${v}`);
+        }
+      }
+    }
+  }
+  if (trigger.structured_flags) {
+    for (const flag of trigger.structured_flags) {
+      if (input.flags.includes(flag)) {
+        fired = true;
+        evidence.push(`flag:${flag}`);
+      }
+    }
+  }
+  return { fired, evidence };
+}
+
+// src/core/infer-obligations.ts
+function inferAiActObligations(bundle, input) {
+  const out = {
+    firedCategories: [],
+    gpaiObligations: [],
+    rationale_per_rule: []
+  };
+  for (const cat of bundle.annexIII.categories) {
+    const r = evaluateTrigger(cat.triggers, input);
+    out.rationale_per_rule.push({
+      rule_id: `ai-act-annex-iii.${cat.id}`,
+      rule_version: bundle.annexIII.version,
+      fired: r.fired,
+      evidence: r.evidence.join("; ")
+    });
+    if (r.fired) {
+      out.firedCategories.push({
+        id: cat.id,
+        title: cat.title,
+        obligations: cat.obligations,
+        fiches: cat.fiches,
+        confidence_base: cat.confidence_base,
+        evidence: r.evidence,
+        source: "annex-iii"
+      });
+    }
+  }
+  for (const cat of bundle.annexI.categories) {
+    const r = evaluateTrigger(cat.triggers, input);
+    out.rationale_per_rule.push({
+      rule_id: `ai-act-annex-i.${cat.id}`,
+      rule_version: bundle.annexI.version,
+      fired: r.fired,
+      evidence: r.evidence.join("; ")
+    });
+    if (r.fired) {
+      out.firedCategories.push({
+        id: cat.id,
+        title: cat.title,
+        obligations: cat.obligations,
+        fiches: cat.fiches,
+        confidence_base: cat.confidence_base,
+        evidence: r.evidence,
+        source: "annex-i"
+      });
+    }
+  }
+  const gpaiR = evaluateTrigger(bundle.gpai.triggers, input);
+  out.rationale_per_rule.push({
+    rule_id: "gpai-triggers",
+    rule_version: bundle.gpai.version,
+    fired: gpaiR.fired,
+    evidence: gpaiR.evidence.join("; ")
+  });
+  if (gpaiR.fired) {
+    out.gpaiObligations = bundle.gpai.obligations.filter((o) => !o.systemic_risk_only).map((o) => ({
+      article: o.article,
+      requirement: o.requirement,
+      applicable_date: o.applicable_date
+    }));
+  }
+  return out;
+}
+
+// src/core/infer-roles.ts
+function inferAiActRole(rules, input) {
+  for (const r of rules.rules) {
+    const fired = evaluateTrigger(r.triggers, input);
+    if (fired.fired) {
+      return {
+        role: r.role,
+        confidence: r.confidence_base,
+        rationale: r.rationale_template,
+        rule_id: `ai-act-roles.${r.id}`,
+        evidence: fired.evidence
+      };
+    }
+  }
+  return {
+    role: "not_applicable",
+    confidence: "low",
+    rationale: "No AI Act role rule fired with the declared inputs. Defaulting to not_applicable \u2014 confirm manually.",
+    rule_id: "ai-act-roles.default-na",
+    evidence: []
+  };
+}
+function inferGdprRole(rules, input) {
+  for (const c of rules.cases) {
+    const fired = evaluateTrigger(c.triggers, input);
+    if (fired.fired) {
+      return {
+        role: c.role,
+        confidence: c.confidence_base,
+        rationale: c.rationale_template,
+        rule_id: `gdpr-qualification.${c.id}`,
+        evidence: fired.evidence
+      };
+    }
+  }
+  return {
+    role: "not_applicable",
+    confidence: "low",
+    rationale: "No GDPR qualification rule fired; defaulting to not_applicable \u2014 confirm manually whether any PII transits the agent.",
+    rule_id: "gdpr-qualification.default-na",
+    evidence: []
+  };
+}
+
+// src/core/infer-sign-off.ts
+var DEFAULT = {
+  security: false,
+  privacy: false,
+  compliance: false,
+  legal: false,
+  business_sponsor: true,
+  board: false
+};
+function inferSignOff(matrix, input) {
+  for (const rule of matrix.rules) {
+    if (rule.criticality === input.criticality && rule.personal_data_level === input.personal_data_level && rule.financial_exposure === input.financial_exposure) {
+      return {
+        required: rule.required,
+        rule_id: `sign-off-matrix.${rule.criticality}-${rule.personal_data_level}-${rule.financial_exposure}`
+      };
+    }
+  }
+  for (const rule of matrix.rules) {
+    if (rule.criticality === input.criticality) {
+      return {
+        required: rule.required,
+        rule_id: `sign-off-matrix.${rule.criticality}-fallback`
+      };
+    }
+  }
+  return { required: DEFAULT, rule_id: "sign-off-matrix.default" };
+}
+
+// src/core/infer-controls.ts
+var LEVEL_ORDER = ["N0", "N1", "N2", "N3"];
+var RISK_ORDER = ["low", "medium", "high", "critical"];
+function clampNext(order, value, delta) {
+  const i = order.indexOf(value);
+  const j = Math.min(order.length - 1, Math.max(0, i + delta));
+  return order[j];
+}
+function inferDdaoControls(mapping, input) {
+  const candidates = [
+    { level: input.level, risk: input.risk },
+    { level: input.level, risk: clampNext(RISK_ORDER, input.risk, 1) },
+    { level: clampNext(LEVEL_ORDER, input.level, 1), risk: input.risk },
+    { level: input.level, risk: clampNext(RISK_ORDER, input.risk, -1) },
+    { level: clampNext(LEVEL_ORDER, input.level, -1), risk: input.risk }
+  ];
+  for (const c of candidates) {
+    const found = mapping.mappings.find(
+      (m) => m.level === c.level && m.risk === c.risk
+    );
+    if (found) {
+      return {
+        recommended_controls: found.recommended_controls,
+        ddao_controls: found.ddao_controls,
+        rule_id: `ddao-controls-mapping.${c.level}-${c.risk}`
+      };
+    }
+  }
+  return {
+    recommended_controls: [],
+    ddao_controls: [],
+    rule_id: "ddao-controls-mapping.fallback-empty"
+  };
+}
+
+// src/core/confidence.ts
+var ORDER = ["low", "medium", "high"];
+function step(c, delta) {
+  const i = ORDER.indexOf(c);
+  const j = Math.min(ORDER.length - 1, Math.max(0, i + delta));
+  return ORDER[j];
+}
+function aggregateConfidence(input) {
+  let current = input.ruleBaseConfidence;
+  if (input.enumProvided) current = step(current, 0);
+  else current = step(current, -1);
+  if (input.contextFieldsProvided >= 3) current = step(current, 0);
+  else if (input.contextFieldsProvided === 0) current = step(current, -1);
+  if (input.contradictions === 1) current = step(current, -1);
+  else if (input.contradictions >= 2) current = step(current, -2);
+  return current;
+}
+
+// src/constants/disclaimer.ts
+var ACF_REASON_DISCLAIMER = "Preliminary qualification produced by the ACF\xAE deterministic engine. Not legal advice. Human review required. Do not use for autonomous regulatory decision-making. See doctrine_archive_url for the version of the doctrine used.";
+
+// src/core/doctrine-footer.ts
+var REGULATORY_SNAPSHOT = "EU AI Act (Reg. 2024/1689, incl. Digital Omnibus deferral) + GDPR (Reg. 2016/679) + DORA (Reg. 2022/2554) + NIS2 (Dir. 2022/2555) + ISO 42001:2023 \u2014 as of 2026-06-07";
+function buildDoctrineFooter(input) {
+  return {
+    doctrine_version: `ACF framework v${input.frameworkVersion} / rules ${input.rulesVersion}`,
+    doctrine_hash: input.contentHash,
+    doctrine_archive_url: input.archiveUrl,
+    regulatory_snapshot: REGULATORY_SNAPSHOT,
+    generated_at: (/* @__PURE__ */ new Date()).toISOString(),
+    requires_human_review: true,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+
+// src/core/tool-classify-agent.ts
+var CLASSIFY_AGENT_CONVERSION_CTA = "Generate the full auditable PDF report on https://acfstandard.com/compliance?ref=mcp";
+var PRE_GO_LIVE_ARTICLES = /* @__PURE__ */ new Set([
+  "art-9",
+  "art-10",
+  "art-11",
+  "art-13",
+  "art-43",
+  "art-50"
+]);
+var ON_INCIDENT_ARTICLES = /* @__PURE__ */ new Set([
+  "art-15",
+  "art-72",
+  "art-79"
+]);
+async function handleClassifyAgentTool(registry, rawInput) {
+  const input = ClassifyAgentInputSchema.parse(rawInput);
+  const [
+    autonomyRules,
+    criticalityRules,
+    annexIII,
+    annexI,
+    gpai,
+    aiActRoles,
+    gdprRules,
+    signOffMatrix,
+    controlsMapping,
+    rulesMeta
+  ] = await Promise.all([
+    registry.rules.loadAutonomyInference(),
+    registry.rules.loadCriticalityMatrix(),
+    registry.rules.loadAiActAnnexIII(),
+    registry.rules.loadAiActAnnexI(),
+    registry.rules.loadGpaiTriggers(),
+    registry.rules.loadAiActRoles(),
+    registry.rules.loadGdprQualification(),
+    registry.rules.loadSignOffMatrix(),
+    registry.rules.loadDdaoControlsMapping(),
+    registry.rules.loadRulesMeta()
+  ]);
+  const flags = extractFlags(input);
+  const enums = extractEnumHints(input);
+  const triggerInput = { text: input.description, enums, flags };
+  const autonomy = inferAutonomy(autonomyRules, input);
+  const criticality = inferCriticality(criticalityRules, input);
+  const obligationsOut = inferAiActObligations(
+    { annexIII, annexI, gpai },
+    triggerInput
+  );
+  const aiActRole = inferAiActRole(aiActRoles, triggerInput);
+  const gdprRole = inferGdprRole(gdprRules, triggerInput);
+  const signOff = inferSignOff(signOffMatrix, {
+    criticality: criticality.score,
+    personal_data_level: input.personal_data_level,
+    financial_exposure: input.financial_exposure
+  });
+  const controls = inferDdaoControls(controlsMapping, {
+    level: autonomy.level,
+    risk: criticality.score
+  });
+  const enumProvided = (input.ai_act_triggers?.length ?? 0) > 0 || (input.processing_purposes?.length ?? 0) > 0;
+  const contextFieldsProvided = (input.sector ? 1 : 0) + (input.jurisdiction?.length ? 1 : 0) + (input.gpai_used !== void 0 ? 1 : 0) + 1;
+  const contradictions = computeContradictions(input, obligationsOut);
+  const confidence = aggregateConfidence({
+    ruleBaseConfidence: averageConfidence(obligationsOut.firedCategories.map((c) => c.confidence_base)),
+    enumProvided,
+    contextFieldsProvided,
+    contradictions
+  });
+  const assumptions = [];
+  const gaps = [];
+  if (!input.sector) {
+    assumptions.push("sector not provided; the criticality calibration uses the neutral default.");
+    gaps.push("confirm sector \u2014 banking/health/critical-infra modifiers may shift criticality.");
+  }
+  if (!input.jurisdiction || input.jurisdiction.length === 0) {
+    assumptions.push("jurisdiction not provided; AI Act + GDPR reasoning assumes EU.");
+    gaps.push("confirm jurisdiction(s) \u2014 non-EU jurisdictions may require entirely different qualifications.");
+  }
+  if (!enumProvided) {
+    assumptions.push("ai_act_triggers and processing_purposes inferred from description (free-text matching).");
+    gaps.push("validate inferred AI Act triggers with a human reviewer before relying on the qualification.");
+  }
+  const fiches = collectFiches(autonomy.level, criticality.score, obligationsOut.firedCategories);
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  const rationale = [
+    ...obligationsOut.rationale_per_rule,
+    {
+      rule_id: aiActRole.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: aiActRole.role !== "not_applicable",
+      evidence: aiActRole.evidence.join("; ")
+    },
+    {
+      rule_id: gdprRole.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: gdprRole.role !== "not_applicable",
+      evidence: gdprRole.evidence.join("; ")
+    },
+    {
+      rule_id: signOff.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: true,
+      evidence: `criticality=${criticality.score}, pii=${input.personal_data_level}, fin=${input.financial_exposure}`
+    },
+    {
+      rule_id: controls.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: controls.recommended_controls.length > 0,
+      evidence: `level=${autonomy.level}, risk=${criticality.score}`
+    },
+    {
+      rule_id: autonomy.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: true,
+      evidence: `human_approval=${input.human_approval_required}, ext=${input.external_actions}`
+    },
+    {
+      rule_id: criticality.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: true,
+      evidence: `pii=${input.personal_data_level}, fin=${input.financial_exposure}`
+    }
+  ];
+  return {
+    acf_level: { level: autonomy.level, rationale: autonomy.rationale },
+    criticality: {
+      score: criticality.score,
+      rationale: criticality.rationale,
+      matrix_ref: criticality.matrix_ref
+    },
+    regulatory_qualifications: {
+      likely_ai_act_role: aiActRole.role,
+      likely_gdpr_status: gdprRole.role
+    },
+    regulatory_qualifications_confidence: {
+      likely_ai_act_role: aiActRole.confidence,
+      likely_gdpr_status: gdprRole.confidence
+    },
+    ai_act_obligations: groupObligationsByPhase(obligationsOut, gpai.obligations),
+    applicable_fiches: fiches,
+    recommended_controls: controls.recommended_controls.map((c) => c.title),
+    ddao_controls: controls.ddao_controls.map((c) => `${c.control_id} (${c.control_type}, ${c.fiche_reference}): ${c.implementation_note}`),
+    ddao_escalation: {
+      required: criticality.score === "high" || criticality.score === "critical",
+      trigger_thresholds: deriveEscalationThresholds(autonomy.level, criticality.score)
+    },
+    sign_off_required: signOff.required,
+    confidence,
+    assumptions,
+    gaps_to_validate: gaps,
+    requires_human_review: true,
+    rationale_per_rule: rationale,
+    ...footer,
+    conversion_cta: CLASSIFY_AGENT_CONVERSION_CTA,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+function averageConfidence(confs) {
+  if (confs.length === 0) return "medium";
+  const score = confs.reduce((acc, c) => acc + (c === "low" ? 0 : c === "medium" ? 1 : 2), 0) / confs.length;
+  return score < 0.66 ? "low" : score < 1.34 ? "medium" : "high";
+}
+function computeContradictions(input, obligations) {
+  let n = 0;
+  if ((input.ai_act_triggers?.includes("none") ?? false) && obligations.firedCategories.length > 0) {
+    n += 1;
+  }
+  return n;
+}
+function groupObligationsByPhase(obligationsOut, gpaiAll) {
+  const pre = [];
+  const continuous = [];
+  const incident = [];
+  const flatObligations = /* @__PURE__ */ new Set();
+  for (const cat of obligationsOut.firedCategories) {
+    for (const o of cat.obligations) flatObligations.add(o);
+  }
+  for (const article of flatObligations) {
+    const item = {
+      article,
+      requirement: ARTICLE_REQUIREMENT_BY_ID[article] ?? `See AI Act ${article}`,
+      applicable_date: "2027-12-02"
+    };
+    if (PRE_GO_LIVE_ARTICLES.has(article)) pre.push(item);
+    else if (ON_INCIDENT_ARTICLES.has(article)) incident.push(item);
+    else continuous.push(item);
+  }
+  for (const o of obligationsOut.gpaiObligations) {
+    if (PRE_GO_LIVE_ARTICLES.has(o.article)) pre.push(o);
+    else continuous.push(o);
+  }
+  return { pre_go_live: pre, continuous, on_incident: incident };
+}
+var ARTICLE_REQUIREMENT_BY_ID = {
+  "art-5": "Prohibited practices screening.",
+  "art-9": "Establish, implement and document a risk management system.",
+  "art-10": "Data governance, training/validation/testing data sets quality.",
+  "art-11": "Technical documentation.",
+  "art-12": "Record-keeping / automated logging.",
+  "art-13": "Transparency and provision of information to deployers / users.",
+  "art-14": "Effective human oversight design and operation.",
+  "art-15": "Accuracy, robustness, cybersecurity.",
+  "art-26": "Deployer obligations: instructions, monitoring, fundamental rights impact assessment.",
+  "art-27": "Fundamental rights impact assessment for high-risk AI deployers.",
+  "art-43": "Conformity assessment for Annex I product-safety scope.",
+  "art-50": "Transparency notice when interacting with AI / GPAI.",
+  "art-72": "Post-market monitoring system.",
+  "art-79": "Serious incident reporting to authorities.",
+  "art-86": "Right to explanation of individual decision-making."
+};
+function deriveEscalationThresholds(level, risk) {
+  const out = [];
+  if (level === "N0" || level === "N1") {
+    out.push("Any rejection of human-validated action escalates to DDAO.");
+  }
+  if (level === "N2") {
+    out.push("Action above bounded perimeter escalates to DDAO before execution.");
+    out.push("Drift > 10% on key metric vs baseline escalates within 24h.");
+  }
+  if (level === "N3") {
+    out.push("Any out-of-perimeter action escalates immediately (block + human review).");
+    out.push("Drift > 5% on any key metric triggers a kill-switch evaluation.");
+    out.push("3 consecutive incidents within 24h auto-suspends the agent.");
+  }
+  if (risk === "critical") {
+    out.push("Any incident with regulatory exposure escalates to board + legal within 4h.");
+  }
+  return out;
+}
+function collectFiches(level, risk, firedCategories) {
+  const fiches = /* @__PURE__ */ new Map();
+  if (level === "N2" || level === "N3") {
+    fiches.set("ACF-12", "Formal mandate required for N2+ autonomy.");
+    fiches.set("ACF-07", "Kill switch required for N2+ autonomy.");
+    fiches.set("ACF-05", "Decision register required for N2+ autonomy.");
+  }
+  if (level === "N3") {
+    fiches.set("ACF-14", "Monthly human-takeover drill required for N3.");
+    fiches.set("ACF-08", "Real-time observability required for N3.");
+  }
+  if (risk === "high" || risk === "critical") {
+    fiches.set("ACF-02", "Criticality matrix grounds the high-risk scoring.");
+    fiches.set("ACF-09", "Escalation thresholds required for high+criticality.");
+    fiches.set("ACF-11", "Risk assessment required for high+criticality.");
+  }
+  for (const cat of firedCategories) {
+    for (const f of cat.fiches) {
+      if (!fiches.has(f)) fiches.set(f, "Mobilised by an AI Act category that fired on the agent description.");
+    }
+  }
+  return [...fiches.entries()].map(([code, why]) => ({ code, why }));
+}
+var AdvisorInputSchema = z.object({
+  case_description: z.string().min(20).max(2e3),
+  sector: z.string().max(80).optional(),
+  jurisdiction: z.enum(["eu", "uk", "us", "ca", "ch", "br", "jp", "other"]).optional(),
+  deployment_scale: z.enum(["pilot", "department", "enterprise", "public"]).optional(),
+  locale: AcfLocaleSchema.optional()
+});
+var ADVISOR_CONVERSION_CTA = "Continue this assessment with the auditable ACF\xAE Compliance workspace at https://acfstandard.com/compliance?ref=mcp";
+async function handleAdvisorTool(registry, rawInput) {
+  const input = AdvisorInputSchema.parse(rawInput);
+  const [autonomyRules, criticalityRules, annexIII, annexI, gpai, rulesMeta] = await Promise.all([
+    registry.rules.loadAutonomyInference(),
+    registry.rules.loadCriticalityMatrix(),
+    registry.rules.loadAiActAnnexIII(),
+    registry.rules.loadAiActAnnexI(),
+    registry.rules.loadGpaiTriggers(),
+    registry.rules.loadRulesMeta()
+  ]);
+  const lower = input.case_description.toLowerCase();
+  const inferredApproval = /(human validate|valide|sign-off)/i.test(lower) ? "always" : /(without approval|sans validation|never validate)/i.test(lower) ? "never" : "sometimes";
+  const inferredExternal = /(automated send|exécute|execute|place order|envoyer)/i.test(lower) ? "limited_write" : "read_only";
+  const inferredPII = /(health|sensitive|medical|biometric|santé|biométrique)/i.test(lower) ? "sensitive_special" : /(customer|client|email|user|utilisateur|name|nom)/i.test(lower) ? "standard" : "none";
+  const inferredFinancial = /(eur 50k|10k|million|millions|board exposure)/i.test(lower) ? "high_corporate" : /(contract|contrat|deal)/i.test(lower) ? "medium_contract" : /(operating cost|opex|operational)/i.test(lower) ? "low_operation" : "none";
+  const autonomy = inferAutonomy(autonomyRules, {
+    human_approval_required: inferredApproval,
+    external_actions: inferredExternal
+  });
+  const criticality = inferCriticality(criticalityRules, {
+    personal_data_level: inferredPII,
+    financial_exposure: inferredFinancial
+  });
+  const obligationsOut = inferAiActObligations(
+    { annexIII, annexI, gpai },
+    { text: input.case_description, enums: {}, flags: [] }
+  );
+  const principles = collectActivatedPrinciples(autonomy.level, criticality.score, obligationsOut.firedCategories.length > 0);
+  const dimensions = collectCriticalDimensions(autonomy.level, criticality.score);
+  const fiches = collectPriorityFiches(autonomy.level, criticality.score, obligationsOut.firedCategories);
+  const articles = collectApplicableArticles(obligationsOut);
+  const firstActions = deriveFirstActions(autonomy.level, criticality.score);
+  const risks = deriveOperationalRisks(autonomy.level, criticality.score, obligationsOut);
+  const confidence = aggregateConfidence({
+    ruleBaseConfidence: "medium",
+    enumProvided: false,
+    contextFieldsProvided: (input.sector ? 1 : 0) + (input.jurisdiction ? 1 : 0) + (input.deployment_scale ? 1 : 0),
+    contradictions: 0
+  });
+  const assumptions = [];
+  const gaps = [];
+  if (!input.sector) {
+    assumptions.push("sector not provided; criticality uses neutral default.");
+    gaps.push("provide sector to refine the criticality calibration.");
+  }
+  if (!input.jurisdiction) {
+    assumptions.push("jurisdiction not provided; reasoning assumes EU.");
+    gaps.push("confirm jurisdiction to keep the regulatory snapshot valid.");
+  }
+  assumptions.push("human_approval, external_actions and personal_data_level were inferred from the free-text description; pass classify-agent with qualified enums for higher confidence.");
+  gaps.push("re-run via acf.classify-agent with structured enums for a more defensible qualification.");
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  const rationale = [
+    ...obligationsOut.rationale_per_rule,
+    {
+      rule_id: autonomy.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: true,
+      evidence: `inferred human_approval=${inferredApproval}, external=${inferredExternal} from description`
+    },
+    {
+      rule_id: criticality.rule_id,
+      rule_version: rulesMeta.rules_version,
+      fired: true,
+      evidence: `inferred pii=${inferredPII}, financial=${inferredFinancial} from description`
+    }
+  ];
+  return {
+    autonomy_level: { level: autonomy.level, rationale: autonomy.rationale },
+    risk_level: {
+      level: criticality.score === "critical" ? "unacceptable" : criticality.score === "high" ? "high" : criticality.score === "medium" ? "medium" : "low",
+      rationale: criticality.rationale
+    },
+    activated_principles: principles,
+    critical_dimensions: dimensions,
+    priority_fiches: fiches,
+    applicable_articles: articles,
+    first_actions: firstActions,
+    operational_risks: risks,
+    confidence,
+    assumptions,
+    gaps_to_validate: gaps,
+    requires_human_review: true,
+    rationale_per_rule: rationale,
+    ...footer,
+    conversion_cta: ADVISOR_CONVERSION_CTA,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+function collectActivatedPrinciples(level, risk, regFired) {
+  const out = [
+    { code: "P1", why: "Decision sovereignty applies to every agentic deployment, regardless of autonomy." }
+  ];
+  if (level === "N2" || level === "N3") {
+    out.push({ code: "P3", why: "Conditional or autonomous execution requires a documented kill switch." });
+  }
+  if (risk === "high" || risk === "critical") {
+    out.push({ code: "P2", why: "High-criticality decisions must be reconstructible after the fact." });
+    out.push({ code: "P4", why: "Reinforced governance must match the criticality." });
+  }
+  if (regFired) out.push({ code: "P2", why: "Regulatory exposure makes traceability non-negotiable." });
+  return dedup(out);
+}
+function collectCriticalDimensions(level, risk) {
+  const out = [];
+  if (level !== "N0") out.push({ code: "D4", why: "Role allocation (DDAO + sign-off) is required for N1+ autonomy." });
+  if (risk === "high" || risk === "critical") {
+    out.push({ code: "D5", why: "Regulatory compliance dimension is on the critical path." });
+    out.push({ code: "D3", why: "Technical control (kill switch, observability) is non-negotiable." });
+  }
+  out.push({ code: "D2", why: "Doctrine adoption is the entry gate before any agentic deployment." });
+  return dedup(out);
+}
+function collectPriorityFiches(level, risk, firedCategories) {
+  const fiches = /* @__PURE__ */ new Map();
+  let order = 1;
+  fiches.set("ACF-00", { order: order++, why: "Read first: framework introduction." });
+  if (level === "N2" || level === "N3") {
+    fiches.set("ACF-12", { order: order++, why: "Mandate is required before go-live." });
+    fiches.set("ACF-07", { order: order++, why: "Kill switch is required before go-live." });
+  }
+  if (risk === "high" || risk === "critical") {
+    fiches.set("ACF-02", { order: order++, why: "Calibrate criticality with the matrix." });
+    fiches.set("ACF-09", { order: order++, why: "Define escalation thresholds." });
+    fiches.set("ACF-11", { order: order++, why: "Run a formal risk assessment." });
+  }
+  for (const cat of firedCategories) {
+    for (const f of cat.fiches) {
+      if (!fiches.has(f)) fiches.set(f, { order: order++, why: "Mobilised by a fired regulatory category." });
+    }
+  }
+  return [...fiches.entries()].map(([code, v]) => ({ code, order: v.order, why: v.why }));
+}
+function collectApplicableArticles(obligations) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const cat of obligations.firedCategories) {
+    for (const article of cat.obligations) {
+      const key = `ai-act:${article}`;
+      if (!seen.has(key)) {
+        seen.add(key);
+        out.push({ regulation: "ai-act", article, why: `Mobilised by category ${cat.title}.` });
+      }
+    }
+  }
+  for (const g of obligations.gpaiObligations) {
+    const key = `ai-act:${g.article}`;
+    if (!seen.has(key)) {
+      seen.add(key);
+      out.push({ regulation: "ai-act", article: g.article, why: "GPAI obligation." });
+    }
+  }
+  return out;
+}
+function deriveFirstActions(level, risk) {
+  const out = [
+    "Identify or appoint the DDAO accountable for the agent (cf. ACF-12).",
+    "Document the agent constitution (decision perimeter, allowed/forbidden actions \u2014 cf. ACF-03).",
+    "Open the decision register and define the retention policy (cf. ACF-05 + ACF-13)."
+  ];
+  if (level === "N2" || level === "N3") {
+    out.push("Design, implement and test the kill switch (cf. ACF-07).");
+  }
+  if (risk === "high" || risk === "critical") {
+    out.push("Run the formal risk assessment + DPIA if PII (cf. ACF-11).");
+  }
+  return out.slice(0, 5);
+}
+function deriveOperationalRisks(level, risk, obligations) {
+  const out = [];
+  if (level === "N3") out.push("Drift goes undetected if observability is not real-time.");
+  if (risk === "high" || risk === "critical") {
+    out.push("Audit chain breaks if the decision register is not immutable.");
+    out.push("Sign-off bottleneck if DDAO is not available in escalation SLA.");
+  }
+  if (obligations.firedCategories.length > 0) {
+    out.push("Regulatory exposure escalates if Article 49 register is not maintained in sync with internal register.");
+  }
+  return out;
+}
+function dedup(arr) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const e of arr) {
+    if (!seen.has(e.code)) {
+      seen.add(e.code);
+      out.push(e);
+    }
+  }
+  return out;
+}
+var AssessAutonomyInputSchema = z.object({
+  agent_description: z.string().min(10).max(1500),
+  intended_actions: z.array(z.string()).min(1).max(20),
+  reversibility: z.enum(["fully", "partially", "irreversible"]),
+  audit_requirements: z.enum(["none", "internal", "regulatory", "forensic"]),
+  human_in_loop_cost: z.enum(["low", "medium", "high"]).optional(),
+  locale: AcfLocaleSchema.optional()
+});
+async function handleAssessAutonomyTool(registry, rawInput) {
+  const input = AssessAutonomyInputSchema.parse(rawInput);
+  const rulesMeta = await registry.rules.loadRulesMeta();
+  let level = "N1";
+  let rationale = "Default baseline for AI agents with bounded responsibility.";
+  if (input.audit_requirements === "regulatory" || input.audit_requirements === "forensic") {
+    level = "N1";
+    rationale = "Regulatory-audit obligations push the recommended baseline to N1 (supervised) at a minimum. Consider N0 if traceability is uncertain.";
+  }
+  if (input.reversibility === "irreversible" && (input.audit_requirements === "regulatory" || input.audit_requirements === "forensic")) {
+    level = "N2";
+    rationale = "Irreversible actions combined with regulatory-audit obligations require at minimum N2 (bounded autonomy) with strong human oversight checkpoints.";
+  }
+  if (input.audit_requirements === "internal" && input.reversibility === "fully") {
+    if (input.intended_actions.every((a) => /search|summari|propose|suggest/i.test(a))) {
+      level = "N0";
+      rationale = "All intended actions are reversible suggestions or read-only; N0 (assistance) is the right baseline.";
+    }
+  }
+  if (input.reversibility === "partially" && input.audit_requirements === "internal") {
+    level = "N2";
+    rationale = "Partial reversibility with internal audit allows bounded N2 execution within a documented mandate.";
+  }
+  if (input.reversibility !== "irreversible" && input.audit_requirements === "none" && input.human_in_loop_cost === "high") {
+    level = "N3";
+    rationale = "High human-in-loop cost and reversible actions allow N3 autonomy with strong observability + kill switch.";
+  }
+  const go_no_go = [
+    { criterion: "Mandate signed by the named DDAO", status: level === "N0" ? "pass" : "conditional" },
+    { criterion: "Kill switch documented and tested", status: level === "N0" ? "pass" : "fail" },
+    { criterion: "Decision register format defined", status: level === "N0" ? "pass" : "conditional" },
+    { criterion: "Escalation thresholds named in numeric terms", status: level === "N0" ? "pass" : "fail" },
+    { criterion: "Sign-off from DPO if PII transits the agent", status: "conditional" }
+  ];
+  const gating_thresholds = [
+    { condition: "Any action above bounded perimeter", escalation: "Block + DDAO ack before execution" },
+    { condition: "Drift > 10% on key metric vs baseline", escalation: "Auto-suspend within 24h + post-mortem" },
+    { condition: "3 consecutive incidents in 24h", escalation: "Auto-suspend + immediate DDAO review" }
+  ];
+  if (level === "N3") {
+    gating_thresholds.push({
+      condition: "Any out-of-perimeter action",
+      escalation: "Block + kill switch evaluation within 5 minutes"
+    });
+  }
+  const kill_switch_design = {
+    levels: ["freeze (instant)", "redirect (\u22645 min)", "revoke (\u22641 h)"],
+    response_time_s: [5, 300, 3600]
+  };
+  const referenced_fiches = level === "N0" ? ["ACF-00", "ACF-05"] : level === "N1" ? ["ACF-05", "ACF-09", "ACF-12"] : level === "N2" ? ["ACF-07", "ACF-09", "ACF-12", "ACF-05"] : ["ACF-07", "ACF-08", "ACF-12", "ACF-14"];
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  return {
+    recommended_level: { level, rationale },
+    go_no_go_criteria: go_no_go,
+    gating_thresholds,
+    kill_switch_design,
+    referenced_fiches,
+    confidence: aggregateConfidence({
+      ruleBaseConfidence: "medium",
+      enumProvided: true,
+      contextFieldsProvided: input.human_in_loop_cost ? 1 : 0,
+      contradictions: 0
+    }),
+    assumptions: ["Inference is deterministic over the 4 supplied dimensions; sector calibration not included."],
+    gaps_to_validate: [
+      "Confirm whether any intended action handles PII (Article 35 GDPR DPIA may apply).",
+      "Confirm whether the kill switch has been tested in the last quarter."
+    ],
+    requires_human_review: true,
+    rationale_per_rule: [
+      {
+        rule_id: "assess-autonomy.decision-tree",
+        rule_version: rulesMeta.rules_version,
+        fired: true,
+        evidence: `reversibility=${input.reversibility}, audit=${input.audit_requirements}, hil_cost=${input.human_in_loop_cost ?? "n/a"}`
+      }
+    ],
+    ...footer,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+var IdentifyGapsInputSchema = z.object({
+  current_inventory: z.object({
+    ai_systems_count: z.number().int().min(0),
+    high_risk_count: z.number().int().min(0).optional(),
+    gpai_used: z.boolean().optional(),
+    shadow_ai_known: z.boolean().optional()
+  }),
+  current_processes: z.array(
+    z.object({
+      process: z.string(),
+      exists: z.boolean(),
+      documented: z.boolean().optional()
+    })
+  ),
+  sector: z.string().max(80).optional(),
+  locale: AcfLocaleSchema.optional()
+});
+var REQUIRED_PROCESSES_BY_DIM = {
+  D1: ["ai_committee", "executive_sponsor"],
+  D2: ["ai_inventory", "doctrine_published"],
+  D3: ["kill_switch_drill", "observability"],
+  D4: ["ddao_appointed", "raci"],
+  D5: ["dpia", "article_49_register", "ai_act_qualification"],
+  D6: ["annual_audit", "incident_review"]
+};
+async function handleIdentifyGapsTool(registry, rawInput) {
+  const input = IdentifyGapsInputSchema.parse(rawInput);
+  const rulesMeta = await registry.rules.loadRulesMeta();
+  const processMap = /* @__PURE__ */ new Map();
+  for (const p of input.current_processes) processMap.set(p.process, p);
+  const dims = {};
+  const gaps = [];
+  for (const [dim, required] of Object.entries(REQUIRED_PROCESSES_BY_DIM)) {
+    let score = 100;
+    for (const proc of required) {
+      const found = processMap.get(proc);
+      if (found && !found.exists) {
+        score -= Math.floor(100 / required.length);
+        const severity = dim === "D5" ? "critical" : dim === "D3" || dim === "D4" ? "high" : "medium";
+        gaps.push({
+          dimension: dim,
+          severity,
+          description: `Process '${proc}' is missing for ${dim}.`,
+          remediation: remediateProcess(proc),
+          fiches: ficheFor(proc),
+          estimated_effort_days: effortFor(proc)
+        });
+      } else if (!found) {
+        score -= Math.floor(50 / required.length);
+      } else if (found.documented === false) {
+        score -= Math.floor(50 / required.length);
+        gaps.push({
+          dimension: dim,
+          severity: "medium",
+          description: `Process '${proc}' exists but is undocumented.`,
+          remediation: `Document '${proc}' with the relevant ACF\xAE card.`,
+          fiches: ficheFor(proc),
+          estimated_effort_days: 2
+        });
+      }
+    }
+    dims[dim] = Math.max(0, score);
+  }
+  if (input.current_inventory.shadow_ai_known) {
+    gaps.push({
+      dimension: "D1",
+      severity: "high",
+      description: "Shadow AI exists in the organisation.",
+      remediation: "Run a discovery campaign + classify each shadow agent via acf.classify-agent.",
+      fiches: ["ACF-01"],
+      estimated_effort_days: 10
+    });
+  }
+  if (input.current_inventory.high_risk_count !== void 0 && input.current_inventory.high_risk_count > 0 && !processMap.get("dpia")?.exists) {
+    gaps.push({
+      dimension: "D5",
+      severity: "critical",
+      description: "High-risk systems present but no DPIA process.",
+      remediation: "Stand up the DPIA workflow before any new high-risk go-live.",
+      fiches: ["ACF-11"],
+      estimated_effort_days: 5
+    });
+  }
+  const overall = Math.round(
+    Object.values(dims).reduce((acc, v) => acc + v, 0) / Object.keys(dims).length
+  );
+  const order = ["critical", "high", "medium", "low"];
+  const priority = [...gaps].sort((a, b) => order.indexOf(a.severity) - order.indexOf(b.severity)).map((g) => `${g.dimension}: ${g.description}`);
+  const quickWins = gaps.filter((g) => (g.estimated_effort_days ?? 0) <= 3).map((g) => g.description);
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  return {
+    maturity_score: { overall, by_dimension: dims },
+    gaps,
+    priority_order: priority,
+    quick_wins: quickWins,
+    confidence: aggregateConfidence({
+      ruleBaseConfidence: "medium",
+      enumProvided: false,
+      contextFieldsProvided: input.sector ? 1 : 0,
+      contradictions: 0
+    }),
+    assumptions: ["Maturity baseline is unweighted across dimensions; sector-specific weights not yet calibrated."],
+    gaps_to_validate: [
+      "Confirm which gaps were inferred vs explicitly declared by your inventory.",
+      "Run acf.classify-agent on the high-risk subset to consolidate the qualification."
+    ],
+    requires_human_review: true,
+    rationale_per_rule: [
+      {
+        rule_id: "identify-gaps.dimension-checklist",
+        rule_version: rulesMeta.rules_version,
+        fired: true,
+        evidence: `${input.current_processes.length} processes evaluated`
+      }
+    ],
+    ...footer,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+function remediateProcess(p) {
+  const map = {
+    ai_committee: "Establish a recurring AI committee with executive sponsorship.",
+    executive_sponsor: "Identify a sponsoring executive at COMEX level.",
+    ai_inventory: "Stand up the AI inventory using the ACF-01 mapping template.",
+    doctrine_published: "Publish a doctrine note grounded in ACF\xAE v1.0 to the relevant teams.",
+    kill_switch_drill: "Run a quarterly kill-switch drill per ACF-14.",
+    observability: "Wire end-to-end observability on every N2+ agent.",
+    ddao_appointed: "Appoint a DDAO per N2+ agent with documented mandate.",
+    raci: "Publish a RACI for agentic decisions including DDAO + DPO + CISO + sponsor.",
+    dpia: "Stand up the DPIA workflow with ACF-11 as the template.",
+    article_49_register: "Prepare the Article 49 register for any high-risk system before go-live.",
+    ai_act_qualification: "Run acf.classify-agent on each system to qualify under the AI Act.",
+    annual_audit: "Schedule an annual internal audit of agents in production.",
+    incident_review: "Open a quarterly incident review forum with the AI committee."
+  };
+  return map[p] ?? `Document and implement ${p}.`;
+}
+function ficheFor(p) {
+  const map = {
+    ai_inventory: ["ACF-01"],
+    decision_register: ["ACF-05"],
+    kill_switch_drill: ["ACF-07", "ACF-14"],
+    ddao_appointed: ["ACF-12"],
+    dpia: ["ACF-11"],
+    article_49_register: ["ACF-05", "ACF-11"],
+    observability: ["ACF-08"]
+  };
+  return map[p] ?? [];
+}
+function effortFor(p) {
+  const map = {
+    ai_committee: 5,
+    decision_register: 8,
+    kill_switch_drill: 3,
+    dpia: 10,
+    ai_inventory: 8,
+    observability: 15
+  };
+  return map[p] ?? 5;
+}
+var MapObligationsInputSchema = z.object({
+  annex: z.enum(["iii", "i", "none"]),
+  use_case: z.string().min(10).max(500),
+  provider_or_deployer: z.enum(["provider", "deployer", "both"]),
+  gpai_used: z.boolean().optional(),
+  locale: AcfLocaleSchema.optional()
+});
+var PRE_GO_LIVE = /* @__PURE__ */ new Set(["art-9", "art-10", "art-11", "art-13", "art-43", "art-50"]);
+var ON_INCIDENT = /* @__PURE__ */ new Set(["art-15", "art-72", "art-79"]);
+var ARTICLE_DETAIL = {
+  "art-9": { title: "Risk management system", requirement: "Establish, implement, document, maintain a risk management system across the lifecycle.", deadline: "2027-12-02", operational_actions: ["Stand up risk register", "Define risk methodology", "Review quarterly"], evidence_required: ["Risk register", "Methodology doc"], digital_omnibus_deferred: true },
+  "art-10": { title: "Data and data governance", requirement: "Training/validation/testing data sets governance + quality requirements.", deadline: "2027-12-02", operational_actions: ["Document data sources", "Run bias evaluation", "Document data drift monitoring"], evidence_required: ["Data inventory", "Bias evaluation report"], digital_omnibus_deferred: true },
+  "art-11": { title: "Technical documentation", requirement: "Maintain technical documentation per Annex IV.", deadline: "2027-12-02", operational_actions: ["Author Annex IV-aligned tech doc"], evidence_required: ["Technical documentation"], digital_omnibus_deferred: true },
+  "art-12": { title: "Record-keeping", requirement: "Automated logs over the lifecycle of the system.", deadline: "2027-12-02", operational_actions: ["Wire structured logging", "Define retention policy"], evidence_required: ["Logs"], digital_omnibus_deferred: true },
+  "art-13": { title: "Transparency to deployers", requirement: "Provide instructions for use that allow the deployer to interpret outputs.", deadline: "2027-12-02", operational_actions: ["Draft instructions for use", "Translate to operating languages"], evidence_required: ["Instructions for use"], digital_omnibus_deferred: true },
+  "art-14": { title: "Human oversight", requirement: "Effective human oversight design + operation.", deadline: "2027-12-02", operational_actions: ["Design kill switch (ACF-07)", "Document escalation thresholds (ACF-09)"], evidence_required: ["Kill switch design", "Drill reports"], digital_omnibus_deferred: true },
+  "art-15": { title: "Accuracy, robustness, cybersecurity", requirement: "Maintain accuracy, robustness, cybersecurity levels appropriate to the use.", deadline: "continuous", operational_actions: ["Define accuracy KPIs", "Run robustness tests", "Define cybersecurity controls"], evidence_required: ["KPI dashboards", "Pen test reports"], digital_omnibus_deferred: false },
+  "art-26": { title: "Deployer obligations", requirement: "Instructions, monitoring, fundamental rights impact assessment.", deadline: "2027-12-02", operational_actions: ["Run fundamental rights IA", "Document monitoring plan"], evidence_required: ["FRIA report", "Monitoring plan"], digital_omnibus_deferred: true },
+  "art-27": { title: "Fundamental rights impact assessment", requirement: "Mandatory FRIA for high-risk deployers in some sectors.", deadline: "2027-12-02", operational_actions: ["Author FRIA"], evidence_required: ["FRIA"], digital_omnibus_deferred: true },
+  "art-43": { title: "Conformity assessment", requirement: "Conformity assessment procedure for Annex I scope.", deadline: "2028-08-02", operational_actions: ["Run conformity assessment via notified body"], evidence_required: ["CE marking"], digital_omnibus_deferred: false },
+  "art-50": { title: "Transparency on AI/GPAI", requirement: "Disclose AI usage to natural persons interacting with the system.", deadline: "2026-08-02", operational_actions: ["Add disclosure on every user surface"], evidence_required: ["Disclosure copy"], digital_omnibus_deferred: false },
+  "art-72": { title: "Post-market monitoring", requirement: "Establish a post-market monitoring system.", deadline: "continuous", operational_actions: ["Define post-market monitoring plan"], evidence_required: ["Monitoring reports"], digital_omnibus_deferred: false },
+  "art-79": { title: "Serious incident reporting", requirement: "Report serious incidents to authorities within 15 days.", deadline: "on-incident", operational_actions: ["Define incident classification + reporting playbook"], evidence_required: ["Incident reports"], digital_omnibus_deferred: false },
+  "art-86": { title: "Right to explanation", requirement: "Affected persons can request an explanation of an individual decision.", deadline: "2027-12-02", operational_actions: ["Build explanation generation flow"], evidence_required: ["Explanation templates"], digital_omnibus_deferred: true }
+};
+async function handleMapObligationsTool(registry, rawInput) {
+  const input = MapObligationsInputSchema.parse(rawInput);
+  const [annexIII, annexI, gpai, rulesMeta] = await Promise.all([
+    registry.rules.loadAiActAnnexIII(),
+    registry.rules.loadAiActAnnexI(),
+    registry.rules.loadGpaiTriggers(),
+    registry.rules.loadRulesMeta()
+  ]);
+  const obligationsOut = inferAiActObligations(
+    { annexIII, annexI, gpai },
+    {
+      text: input.use_case,
+      enums: input.gpai_used ? { gpai_used: ["true"] } : {},
+      flags: []
+    }
+  );
+  const articles = /* @__PURE__ */ new Set();
+  for (const cat of obligationsOut.firedCategories) for (const a of cat.obligations) articles.add(a);
+  if (input.provider_or_deployer === "deployer" || input.provider_or_deployer === "both") {
+    articles.add("art-26");
+    articles.add("art-27");
+  }
+  articles.add("art-50");
+  const pre = [];
+  const continuous = [];
+  const incident = [];
+  const ficheFor2 = (a) => {
+    for (const cat of obligationsOut.firedCategories) {
+      if (cat.obligations.includes(a)) return cat.fiches;
+    }
+    return [];
+  };
+  for (const a of articles) {
+    const detail = ARTICLE_DETAIL[a];
+    if (!detail) continue;
+    const item = {
+      article: a,
+      title: detail.title,
+      requirement: detail.requirement,
+      deadline: detail.deadline,
+      fiches: ficheFor2(a),
+      operational_actions: detail.operational_actions,
+      evidence_required: detail.evidence_required,
+      digital_omnibus_deferred: detail.digital_omnibus_deferred
+    };
+    if (PRE_GO_LIVE.has(a)) pre.push(item);
+    else if (ON_INCIDENT.has(a)) incident.push(item);
+    else continuous.push(item);
+  }
+  for (const o of obligationsOut.gpaiObligations) {
+    const item = {
+      article: o.article,
+      title: ARTICLE_DETAIL[o.article]?.title ?? "GPAI obligation",
+      requirement: o.requirement,
+      deadline: o.applicable_date,
+      fiches: [],
+      operational_actions: ARTICLE_DETAIL[o.article]?.operational_actions ?? [],
+      evidence_required: ARTICLE_DETAIL[o.article]?.evidence_required ?? [],
+      digital_omnibus_deferred: false
+    };
+    if (PRE_GO_LIVE.has(o.article)) pre.push(item);
+    else continuous.push(item);
+  }
+  const total_count = pre.length + continuous.length + incident.length;
+  const critical_path = pre.filter((p) => p.digital_omnibus_deferred === false).slice(0, 5).map((p) => `${p.article}: ${p.title}`);
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  return {
+    obligations: { pre_go_live: pre, continuous, on_incident: incident },
+    total_count,
+    critical_path,
+    confidence: aggregateConfidence({
+      ruleBaseConfidence: "medium",
+      enumProvided: input.annex === "iii" || input.annex === "i",
+      contextFieldsProvided: input.gpai_used !== void 0 ? 1 : 0,
+      contradictions: input.annex === "none" && obligationsOut.firedCategories.length > 0 ? 1 : 0
+    }),
+    assumptions: input.annex === "none" ? ["Caller declared no annex but at least one rule fired on the use case description; flagged below."] : [],
+    gaps_to_validate: [
+      "Confirm provider_or_deployer qualification \u2014 it changes the obligation set.",
+      "Confirm GPAI usage \u2014 Article 50 transparency obligation depends on it."
+    ],
+    requires_human_review: true,
+    rationale_per_rule: obligationsOut.rationale_per_rule,
+    ...footer,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+var AssignControlsInputSchema = z.object({
+  agent_description: z.string().min(10).max(500),
+  acf_level: z.enum(["N0", "N1", "N2", "N3"]),
+  risk_level: z.enum(["low", "medium", "high", "critical"]),
+  budget_constraint: z.enum(["minimal", "standard", "comprehensive"]).optional(),
+  locale: AcfLocaleSchema.optional()
+});
+var EFFORT_DAYS_BY_FREQUENCY = {
+  one_time: 5,
+  monthly: 1,
+  quarterly: 2,
+  annual: 4,
+  on_event: 1
+};
+async function handleAssignControlsTool(registry, rawInput) {
+  const input = AssignControlsInputSchema.parse(rawInput);
+  const [mapping, rulesMeta] = await Promise.all([
+    registry.rules.loadDdaoControlsMapping(),
+    registry.rules.loadRulesMeta()
+  ]);
+  const controls = inferDdaoControls(mapping, {
+    level: input.acf_level,
+    risk: input.risk_level
+  });
+  let recommended = controls.recommended_controls;
+  if (input.budget_constraint === "minimal") recommended = recommended.slice(0, 2);
+  if (input.budget_constraint === "comprehensive") recommended = [...controls.recommended_controls];
+  const estimatedEffort = recommended.reduce(
+    (acc, c) => acc + (EFFORT_DAYS_BY_FREQUENCY[c.frequency] ?? 1),
+    0
+  );
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  const summary = `Control set scoped to ACF\xAE ${input.acf_level} / risk=${input.risk_level} (${recommended.length} recommended controls, ${controls.ddao_controls.length} ACF-canonical controls).`;
+  return {
+    recommended_controls: recommended,
+    ddao_controls: controls.ddao_controls,
+    total_count: recommended.length + controls.ddao_controls.length,
+    estimated_total_effort_days: estimatedEffort,
+    ddao_summary: summary,
+    confidence: aggregateConfidence({
+      ruleBaseConfidence: "medium",
+      enumProvided: true,
+      contextFieldsProvided: input.budget_constraint ? 1 : 0,
+      contradictions: 0
+    }),
+    assumptions: [
+      "Controls are derived from the canonical level \xD7 risk mapping; sector-specific overrides not applied in V1.0."
+    ],
+    gaps_to_validate: [
+      "Confirm DDAO availability for the proposed escalation cadence.",
+      "Confirm evidence-storage location for each control before go-live."
+    ],
+    requires_human_review: true,
+    rationale_per_rule: [
+      {
+        rule_id: controls.rule_id,
+        rule_version: rulesMeta.rules_version,
+        fired: true,
+        evidence: `level=${input.acf_level}, risk=${input.risk_level}`
+      }
+    ],
+    ...footer,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+var EvaluateMandateInputSchema = z.object({
+  mandate_text: z.string().min(50).max(1e4),
+  agent_purpose: z.string().min(10).max(500),
+  deployment_context: z.string().max(500).optional(),
+  locale: AcfLocaleSchema.optional()
+});
+var CHECKS = [
+  {
+    key: "ddao_appointed",
+    area: "Identification du DDAO",
+    weight: 15,
+    matchers: [/\bDDAO\b[^.]*:\s*\S{3,}/i, /\bDelegated Decision Agent Officer\b[^.]*:\s*\S{3,}/i],
+    remediation: "Name an actual DDAO (person or role) \u2014 placeholders like 'TBD' are not acceptable.",
+    fiche_reference: "ACF-12"
+  },
+  {
+    key: "decision_perimeter",
+    area: "P\xE9rim\xE8tre de d\xE9cision",
+    weight: 15,
+    matchers: [/\b(decision perimeter|perimeter|périmètre)/i, /\b(allowed|autorisées?)\b/i],
+    remediation: "Document the positive (allowed) and negative (forbidden) action lists.",
+    fiche_reference: "ACF-03"
+  },
+  {
+    key: "forbidden_actions",
+    area: "Actions interdites",
+    weight: 10,
+    matchers: [/\b(forbidden|interdites?|not allowed|never)\b/i],
+    remediation: "Add an explicit forbidden-actions list \u2014 without it, the agent drifts at the first uncovered case.",
+    fiche_reference: "ACF-03"
+  },
+  {
+    key: "escalation_thresholds",
+    area: "Seuils d'escalade",
+    weight: 15,
+    matchers: [/\b(escalation|escalade)\b[^.]*\d/i, /\bthreshold|seuil/i],
+    remediation: "Specify numeric and qualitative escalation thresholds.",
+    fiche_reference: "ACF-09"
+  },
+  {
+    key: "kill_switch",
+    area: "Kill switch",
+    weight: 15,
+    matchers: [/\b(kill switch|suspension|revoke|révoquer|drill)\b/i],
+    remediation: "Document the kill switch (levels, response times, drill frequency).",
+    fiche_reference: "ACF-07"
+  },
+  {
+    key: "audit_log",
+    area: "Audit log / decision register",
+    weight: 15,
+    matchers: [/\b(audit log|decision register|registre|retention)\b/i],
+    remediation: "Document the decision register format and retention.",
+    fiche_reference: "ACF-05"
+  },
+  {
+    key: "doctrine_version",
+    area: "Doctrine version",
+    weight: 10,
+    matchers: [/\bACF®?[^.]*v\d/i, /\bdoctrine version\b/i],
+    remediation: "Cite the ACF\xAE doctrine version applied (e.g. 'ACF\xAE v1.0').",
+    fiche_reference: "ACF-00"
+  },
+  {
+    key: "sign_off",
+    area: "Sign-off",
+    weight: 5,
+    matchers: [/\b(sign-off|sign off|signature|approuvé)\b/i],
+    remediation: "List the sign-off roles (DDAO + DPO if PII + CISO if attack surface + Legal if exposure).",
+    fiche_reference: "ACF-12"
+  }
+];
+async function handleEvaluateMandateTool(registry, rawInput) {
+  const input = EvaluateMandateInputSchema.parse(rawInput);
+  const rulesMeta = await registry.rules.loadRulesMeta();
+  const strengths = [];
+  const gaps = [];
+  const additions = [];
+  let score = 0;
+  for (const check of CHECKS) {
+    const matched = check.matchers.every((m) => m.test(input.mandate_text));
+    if (matched) {
+      score += check.weight;
+      strengths.push(`${check.area}: present.`);
+    } else {
+      gaps.push({
+        area: check.area,
+        severity: check.weight >= 15 ? "high" : check.weight >= 10 ? "medium" : "low",
+        description: `${check.area} missing or insufficient.`
+      });
+      additions.push({
+        section: check.area,
+        suggested_text: check.remediation,
+        fiche_reference: check.fiche_reference
+      });
+    }
+  }
+  const tbdHits = /\bTBD\b|\bà compléter\b|\?\?\?/i.test(input.mandate_text);
+  if (tbdHits) {
+    gaps.push({
+      area: "Placeholders",
+      severity: "critical",
+      description: "Mandate contains 'TBD' / placeholders \u2014 it is not signable in this state."
+    });
+    score = Math.max(0, score - 20);
+  }
+  let verdict;
+  if (score >= 80) verdict = "approve";
+  else if (score >= 50) verdict = "approve_with_changes";
+  else verdict = "reject";
+  const footer = buildDoctrineFooter({
+    frameworkVersion: registry.meta.framework_version,
+    rulesVersion: rulesMeta.rules_version,
+    contentHash: registry.meta.content_hash,
+    archiveUrl: registry.meta.permanent_archive_url
+  });
+  return {
+    verdict,
+    rationale: verdict === "approve" ? "All canonical mandate sections are present; no critical placeholders detected." : verdict === "approve_with_changes" ? "The mandate covers the core but misses one or more sections. Address the additions below before DDAO sign-off." : "The mandate misses too many canonical sections (or contains placeholders) to be signable.",
+    strengths,
+    identified_gaps: gaps,
+    required_additions: additions,
+    reference_fiches: ["ACF-03", "ACF-07", "ACF-09", "ACF-12"],
+    acf_compliance_score: score,
+    confidence: aggregateConfidence({
+      ruleBaseConfidence: "medium",
+      enumProvided: false,
+      contextFieldsProvided: input.deployment_context ? 1 : 0,
+      contradictions: 0
+    }),
+    assumptions: ["Mandate evaluation uses an 8-check canonical baseline \u2014 sector-specific extras not yet implemented."],
+    gaps_to_validate: [
+      "Confirm with the DDAO that the named escalation thresholds reflect real organisational SLAs.",
+      "Confirm that the kill switch drill has been run in the last quarter."
+    ],
+    requires_human_review: true,
+    rationale_per_rule: CHECKS.map((c) => ({
+      rule_id: `evaluate-mandate.${c.key}`,
+      rule_version: rulesMeta.rules_version,
+      fired: c.matchers.every((m) => m.test(input.mandate_text)),
+      evidence: `${c.area} check`
+    })),
+    ...footer,
+    disclaimer: ACF_REASON_DISCLAIMER
+  };
+}
+
+// src/core/tools.ts
+var HANDLERS = [
+  {
+    name: "acf.search",
+    description: TOOL_DESCRIPTIONS["acf.search"],
+    inputSchema: zodToJsonSchema(SearchInputSchema),
+    handle: handleSearchTool
+  },
+  {
+    name: "acf.fiche.lookup",
+    description: TOOL_DESCRIPTIONS["acf.fiche.lookup"],
+    inputSchema: zodToJsonSchema(FicheLookupInputSchema),
+    handle: handleFicheLookupTool
+  },
+  {
+    name: "acf.regulation.article",
+    description: TOOL_DESCRIPTIONS["acf.regulation.article"],
+    inputSchema: zodToJsonSchema(RegulationArticleInputSchema),
+    handle: handleRegulationArticleTool
+  },
+  {
+    name: "acf.glossary.define",
+    description: TOOL_DESCRIPTIONS["acf.glossary.define"],
+    inputSchema: zodToJsonSchema(GlossaryDefineInputSchema),
+    handle: handleGlossaryDefineTool
+  },
+  {
+    name: "acf.cite",
+    description: TOOL_DESCRIPTIONS["acf.cite"],
+    inputSchema: zodToJsonSchema(CiteInputSchema),
+    handle: handleCiteTool
+  },
+  {
+    name: "acf.classify-agent",
+    description: TOOL_DESCRIPTIONS["acf.classify-agent"],
+    inputSchema: zodToJsonSchema(ClassifyAgentInputSchema),
+    handle: handleClassifyAgentTool
+  },
+  {
+    name: "acf.advisor",
+    description: TOOL_DESCRIPTIONS["acf.advisor"],
+    inputSchema: zodToJsonSchema(AdvisorInputSchema),
+    handle: handleAdvisorTool
+  },
+  {
+    name: "acf.assess-autonomy",
+    description: TOOL_DESCRIPTIONS["acf.assess-autonomy"],
+    inputSchema: zodToJsonSchema(AssessAutonomyInputSchema),
+    handle: handleAssessAutonomyTool
+  },
+  {
+    name: "acf.identify-governance-gaps",
+    description: TOOL_DESCRIPTIONS["acf.identify-governance-gaps"],
+    inputSchema: zodToJsonSchema(IdentifyGapsInputSchema),
+    handle: handleIdentifyGapsTool
+  },
+  {
+    name: "acf.map-ai-act-obligations",
+    description: TOOL_DESCRIPTIONS["acf.map-ai-act-obligations"],
+    inputSchema: zodToJsonSchema(MapObligationsInputSchema),
+    handle: handleMapObligationsTool
+  },
+  {
+    name: "acf.assign-ddao-controls",
+    description: TOOL_DESCRIPTIONS["acf.assign-ddao-controls"],
+    inputSchema: zodToJsonSchema(AssignControlsInputSchema),
+    handle: handleAssignControlsTool
+  },
+  {
+    name: "acf.evaluate-agent-mandate",
+    description: TOOL_DESCRIPTIONS["acf.evaluate-agent-mandate"],
+    inputSchema: zodToJsonSchema(EvaluateMandateInputSchema),
+    handle: handleEvaluateMandateTool
+  }
+];
+async function registerTools(server, registry) {
+  server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: HANDLERS.map((h) => ({
+      name: h.name,
+      description: h.description,
+      inputSchema: h.inputSchema
+    }))
+  }));
+  server.setRequestHandler(CallToolRequestSchema, async (req) => {
+    const handler = HANDLERS.find((h) => h.name === req.params.name);
+    if (!handler) {
+      throw new Error(`Unknown tool: ${req.params.name}`);
+    }
+    const result = await handler.handle(registry, req.params.arguments ?? {});
+    return {
+      content: [
+        { type: "text", text: JSON.stringify(result, null, 2) }
+      ]
+    };
+  });
+}
+function s(args, key) {
+  const v = args[key];
+  return v === void 0 || v === null ? "" : String(v);
+}
+var ACF_PROMPTS = [
+  {
+    name: "acf.brief-dpia",
+    description: "When you need to draft a defensible DPIA \u2014 one that will hold against a CNIL inspection or a board challenge \u2014 get a structured first draft organised by ACF\xAE governance dimensions with the right legal references already in place.",
+    arguments: [
+      { name: "system_name", description: "Name of the AI system.", required: true },
+      { name: "system_description", description: "What the system does.", required: true },
+      { name: "deployment_context", description: "Geography, scale, audience.", required: true },
+      { name: "high_risk_qualified", description: "Whether the system is already qualified as high-risk.", required: false }
+    ],
+    render: (args) => [
+      "I need to draft a defensible DPIA for the following AI system:",
+      "",
+      `- Name: ${s(args, "system_name")}`,
+      `- Description: ${s(args, "system_description")}`,
+      `- Deployment context: ${s(args, "deployment_context")}`,
+      `- High-risk qualified: ${s(args, "high_risk_qualified") || "to confirm"}`,
+      "",
+      "Load the canonical ACF\xAE doctrine first:",
+      "- acf://guide/gdpr (Article 35 + DPIA methodology)",
+      "- acf://fiche/ACF-11 (risk assessment template)",
+      "- acf://fiche/ACF-02 (criticality matrix)",
+      "- acf://fiche/ACF-05 (decision register requirement)",
+      "",
+      "Then produce a DPIA structured by ACF\xAE governance dimensions (D5 first), with explicit legal references (GDPR Art. 35, AI Act Art. 9/10/14 if applicable). Cite the doctrine_archive_url in the conclusion.",
+      "",
+      "Mark every assumption explicitly and signal what the human reviewer must confirm before submission."
+    ].join("\n")
+  },
+  {
+    name: "acf.brief-art49-register",
+    description: "When you need to register a high-risk AI system in the EU AI Act Article 49 public register and you want the entry to be both compliant and consistent with your internal ACF\xAE decisions register.",
+    arguments: [
+      { name: "system_name", description: "Name of the AI system.", required: true },
+      { name: "provider_or_deployer", description: "Role of the entity ('provider' / 'deployer').", required: true },
+      { name: "annex_iii_use_case", description: "Which Annex III item applies.", required: true }
+    ],
+    render: (args) => [
+      "I need to prepare an entry for the EU AI Act Article 49 public register.",
+      "",
+      `- System: ${s(args, "system_name")}`,
+      `- Role: ${s(args, "provider_or_deployer")}`,
+      `- Annex III use case: ${s(args, "annex_iii_use_case")}`,
+      "",
+      "Load:",
+      "- acf://guide/ai-act (Article 49 + annex III canonical mapping)",
+      "- acf://fiche/ACF-05 (internal decision register format)",
+      "- acf://fiche/ACF-11 (risk assessment)",
+      "",
+      "Then produce the Article 49 entry in JSON, ensuring it is consistent with the internal ACF\xAE decision register (same identifiers, same scope). Flag any inconsistency that must be resolved before submission."
+    ].join("\n")
+  },
+  {
+    name: "acf.brief-board-report",
+    description: "When the Board asks for a quarterly AI governance report and you want a presentable draft \u2014 executive style, hard numbers, risk heatmap, remediation status \u2014 that you can hand over without rewriting.",
+    arguments: [
+      { name: "quarter", description: "Reporting quarter (e.g. 'Q3 2026').", required: true },
+      { name: "ai_systems_count", description: "Number of AI systems in production.", required: true },
+      { name: "high_risk_count", description: "Number of high-risk systems.", required: false },
+      { name: "open_remediations", description: "Number of open remediation items.", required: false },
+      { name: "context_notes", description: "Free text \u2014 major events of the quarter.", required: false }
+    ],
+    render: (args) => [
+      "I need a presentable AI governance report for the Board.",
+      "",
+      `- Quarter: ${s(args, "quarter")}`,
+      `- AI systems in production: ${s(args, "ai_systems_count")}`,
+      `- High-risk systems: ${s(args, "high_risk_count") || "TBD"}`,
+      `- Open remediations: ${s(args, "open_remediations") || "TBD"}`,
+      `- Context: ${s(args, "context_notes") || ""}`,
+      "",
+      "Load:",
+      "- acf://framework/principle/P2 (traceability)",
+      "- acf://framework/principle/P4 (proportional governance)",
+      "- acf://framework/dimension/D5 (regulatory compliance)",
+      "- acf://framework/dimension/D6 (audit & continuous improvement)",
+      "",
+      "Then produce a 1-page executive draft: portfolio health, criticality distribution (refer to acf://fiche/ACF-02), incidents + remediation status, regulatory delta (AI Act Annex III countdown), recommendations."
+    ].join("\n")
+  },
+  {
+    name: "acf.brief-ddao-mandate",
+    description: "When you are about to deploy an autonomous AI agent and your CISO / DPO / Legal needs a signed mandate that documents the decision perimeter, the escalation thresholds, the kill switch and the audit trail \u2014 before go-live.",
+    arguments: [
+      { name: "agent_name", description: "Name of the agent.", required: true },
+      { name: "agent_purpose", description: "What the agent does.", required: true },
+      { name: "decision_perimeter", description: "Allowed and forbidden actions.", required: true },
+      { name: "escalation_thresholds", description: "Escalation thresholds.", required: true }
+    ],
+    render: (args) => [
+      "I need a signable DDAO mandate.",
+      "",
+      `- Agent name: ${s(args, "agent_name")}`,
+      `- Purpose: ${s(args, "agent_purpose")}`,
+      `- Decision perimeter: ${s(args, "decision_perimeter")}`,
+      `- Escalation thresholds: ${s(args, "escalation_thresholds")}`,
+      "",
+      "Load:",
+      "- acf://framework/ddao",
+      "- acf://fiche/ACF-12 (mandate template)",
+      "- acf://fiche/ACF-03 (constitution)",
+      "- acf://fiche/ACF-07 (kill switch)",
+      "- acf://fiche/ACF-09 (escalation thresholds)",
+      "",
+      "Then produce a mandate document in 7 sections (Identification, Decision perimeter, Forbidden actions, Escalation thresholds, Kill switch, Audit log, Doctrine version) ready for DDAO + DPO + CISO sign-off."
+    ].join("\n")
+  },
+  {
+    name: "acf.brief-classify-system",
+    description: "When you receive an AI system to classify against the EU AI Act and you need a defensible qualification \u2014 Article 5 screening, Annex III check, Annex I check, GPAI test, conclusion with a justification that holds up to a regulator's challenge.",
+    arguments: [
+      { name: "system_description", description: "What the system does.", required: true },
+      { name: "sector", description: "Sector of operation.", required: true },
+      { name: "personal_data", description: "Does it process personal data?", required: false }
+    ],
+    render: (args) => [
+      "I need a defensible AI Act qualification.",
+      "",
+      `- System: ${s(args, "system_description")}`,
+      `- Sector: ${s(args, "sector")}`,
+      `- Personal data: ${s(args, "personal_data") || "to confirm"}`,
+      "",
+      "Load:",
+      "- acf://guide/ai-act",
+      "- acf://fiche/ACF-02 (criticality)",
+      "- acf://fiche/ACF-11 (risk assessment)",
+      "",
+      "Then run the canonical screening (Art. 5 prohibitions \u2192 Annex III \u2192 Annex I \u2192 GPAI test \u2192 transparency-only Art. 50) and conclude with a paragraph that lists the obligations and the operational consequences. If a tool would help, call acf.classify-agent with the structured input."
+    ].join("\n")
+  },
+  {
+    name: "acf.brief-teacher-case",
+    description: "When you need to prepare a teaching case for a master's class, a bar school session or a CPD seminar \u2014 one calibrated to the ACF\xAE V1.0 quality bar (named characters, precise legal refs, bold-answer bonus, 1-3 useful pages max) \u2014 get a ready-to-edit case generated from your angle.",
+    arguments: [
+      { name: "topic", description: "Pedagogical angle (e.g. 'mandate drafting').", required: true },
+      { name: "audience", description: "Audience (e.g. 'L3 droit', 'EMBA').", required: true },
+      { name: "duration_minutes", description: "Duration in minutes (15-180).", required: false }
+    ],
+    render: (args) => [
+      "I need a calibrated ACF\xAE V1.0 teaching case.",
+      "",
+      `- Topic: ${s(args, "topic")}`,
+      `- Audience: ${s(args, "audience")}`,
+      `- Duration: ${s(args, "duration_minutes") || "60"} minutes`,
+      "",
+      "Load:",
+      "- acf://fiche/ACF-00 (introduction)",
+      "- acf://framework/principle/P1",
+      "- acf://framework/principle/P3",
+      "",
+      "Then produce a case study calibrated to the ACF\xAE toolkit quality bar: named characters (avoid Marc/Marie), precise legal references (AI Act / GDPR / DORA articles), 1-3 page brief, 5 explicit deliverables, a teacher's correction guide. End with the ACF\xAE doctrine citation."
+    ].join("\n")
+  }
+];
+var PROMPT_INDEX = new Map(ACF_PROMPTS.map((p) => [p.name, p]));
+function renderPrompt(name, args) {
+  const prompt = PROMPT_INDEX.get(name);
+  if (!prompt) throw new Error(`Unknown prompt: ${name}`);
+  return {
+    description: prompt.description,
+    messages: [
+      {
+        role: "user",
+        content: { type: "text", text: prompt.render(args) }
+      }
+    ]
+  };
+}
+async function registerPrompts(server, _registry) {
+  server.setRequestHandler(ListPromptsRequestSchema, async () => ({
+    prompts: ACF_PROMPTS.map((p) => ({
+      name: p.name,
+      description: p.description,
+      arguments: p.arguments
+    }))
+  }));
+  server.setRequestHandler(GetPromptRequestSchema, async (req) => {
+    return renderPrompt(req.params.name, req.params.arguments ?? {});
+  });
+}
+
+// src/core/server.ts
+var ACF_MCP_NAME = "acf-mcp";
+var ACF_MCP_VERSION = "1.0.0";
+async function createAcfServer(opts) {
+  const content = new ContentLoader({ contentRoot: opts.contentRoot });
+  const rules = new RulesLoader({ rulesRoot: opts.rulesRoot });
+  const search = await SearchEngine.fromFile(opts.indexPath);
+  const meta = await content.loadMeta();
+  const registry = { content, rules, search, meta };
+  const server = new Server(
+    { name: ACF_MCP_NAME, version: ACF_MCP_VERSION },
+    {
+      capabilities: {
+        resources: { listChanged: false, subscribe: false },
+        tools: { listChanged: false },
+        prompts: { listChanged: false }
+      }
+    }
+  );
+  await registerResources(server, registry);
+  await registerTools(server, registry);
+  await registerPrompts(server);
+  return { server, registry };
+}
+
+// src/transport/stdio.ts
+var HERE = path.dirname(fileURLToPath(import.meta.url));
+var PKG_ROOT = path.resolve(HERE, "..", "..");
+async function main() {
+  const { server } = await createAcfServer({
+    contentRoot: path.join(PKG_ROOT, "content"),
+    rulesRoot: path.join(PKG_ROOT, "content", "rules"),
+    indexPath: path.join(PKG_ROOT, "dist", "search-index.json")
+  });
+  const transport = new StdioServerTransport();
+  await server.connect(transport);
+  process.stderr.write(`acf-mcp ready (stdio).
+`);
+}
+main().catch((err) => {
+  process.stderr.write(`${err.stack ?? String(err)}
+`);
+  process.exit(1);
+});
+//# sourceMappingURL=stdio.js.map
+//# sourceMappingURL=stdio.js.map