atabey 0.0.7 → 0.0.8

package/framework-mcp/dist/framework-mcp/src/utils/cli.js

@@ -0,0 +1,59 @@
+import fs from "fs";
+import path from "path";
+import { execFileSync } from "child_process";
+/**
+ * Executes a command safely and returns the output.
+ */
+export function safeExec(cmd, args, cwd, timeout = 30000) {
+    try {
+        return execFileSync(cmd, args, { cwd, timeout, encoding: "utf8", stdio: "pipe" });
+    }
+    catch (err) {
+        const error = err;
+        return error.stdout?.toString() || error.stderr?.toString() || error.message || String(err);
+    }
+}
+/**
+ * Detects the backend language from the framework configuration.
+ */
+export function getBackendLanguage(projectRoot) {
+    try {
+        const configPath = path.join(projectRoot, ".atabey", "config.json");
+        if (fs.existsSync(configPath)) {
+            const config = JSON.parse(fs.readFileSync(configPath, "utf8"));
+            return config.backendLanguage || "Node.js (TypeScript)";
+        }
+    }
+    catch {
+        // Fallback to default
+    }
+    return "Node.js (TypeScript)";
+}
+/**
+ * Returns the default lint command for the given language.
+ */
+export function getDefaultLintCommand(language) {
+    if (language.includes("Go"))
+        return "go fmt ./...";
+    if (language.includes("Java"))
+        return "./gradlew check"; // or mvn check
+    if (language.includes("Python"))
+        return "ruff check .";
+    if (language.includes(".NET"))
+        return "dotnet format";
+    return "npm run lint";
+}
+/**
+ * Returns the default test command for the given language.
+ */
+export function getDefaultTestCommand(language) {
+    if (language.includes("Go"))
+        return "go test ./...";
+    if (language.includes("Java"))
+        return "./gradlew test"; // or mvn test
+    if (language.includes("Python"))
+        return "pytest";
+    if (language.includes(".NET"))
+        return "dotnet test";
+    return "npm test";
+}

package/framework-mcp/dist/framework-mcp/src/utils/compliance.js

@@ -0,0 +1,231 @@
+import ts from "typescript";
+import fs from "fs";
+import path from "path";
+import { resolveFrameworkDir } from "./security.js";
+/**
+ * Enterprise Compliance Guardrail
+ * Checks content against corporate standards using AST analysis before allowing file mutations.
+ */
+export function verifyCorporateCompliance(content, filePath) {
+    // Skip compliance checks for non-source files or specific ignored files
+    if (filePath.endsWith(".json") || filePath.endsWith(".md") || filePath.endsWith(".env.example")) {
+        return;
+    }
+    const sourceFile = ts.createSourceFile(filePath, content, ts.ScriptTarget.Latest, true);
+    const errors = [];
+    /**
+     * Recursive AST Visitor
+     */
+    function visit(node) {
+        // 1. Zero Console Policy
+        if (ts.isPropertyAccessExpression(node)) {
+            const expression = node.expression;
+            const name = node.name.text;
+            if (ts.isIdentifier(expression) && expression.text === "console") {
+                if (["log", "warn", "error"].includes(name)) {
+                    // Check if file is exempt
+                    if (!filePath.includes("logger.ts") && !filePath.includes("check.ts") && !filePath.includes("cli.ts")) {
+                        errors.push(`[ERROR] Corporate Compliance Breach: 'console.${name}' usage is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
+                    }
+                }
+            }
+        }
+        // 2. No Explicit Any Policy
+        if (ts.isTypeReferenceNode(node)) {
+            if (ts.isIdentifier(node.typeName) && node.typeName.text === "any") {
+                if (!filePath.includes("definitions.ts") && !filePath.includes("types.ts")) {
+                    errors.push(`[ERROR] Corporate Compliance Breach: 'any' type is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
+                }
+            }
+        }
+        // 3. Zero UI Library Policy (No @chakra-ui, mui, @shadcn)
+        if (ts.isImportDeclaration(node)) {
+            const moduleSpecifier = node.moduleSpecifier;
+            if (ts.isStringLiteral(moduleSpecifier)) {
+                const forbiddenLibs = ["@chakra-ui", "mui", "@shadcn", "antd", "bootstrap"];
+                const lib = forbiddenLibs.find(l => moduleSpecifier.text.includes(l));
+                if (lib) {
+                    errors.push(`[ERROR] Corporate Compliance Breach: External UI library '${lib}' usage is FORBIDDEN at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}. Build atomic components manually instead.`);
+                }
+            }
+        }
+        // Handle 'any' as a keyword type (e.g., parameter: any)
+        if (node.kind === ts.SyntaxKind.AnyKeyword) {
+            if (!filePath.includes("definitions.ts") && !filePath.includes("types.ts")) {
+                errors.push(`[ERROR] Corporate Compliance Breach: 'any' keyword is forbidden at line ${sourceFile.getLineAndCharacterOfPosition(node.getStart()).line + 1}.`);
+            }
+        }
+        ts.forEachChild(node, visit);
+    }
+    visit(sourceFile);
+    // 3. Hardcoded Secrets & PII Guard
+    const piiKeywords = [
+        { regex: /API_KEY\s*=\s*['"][^'"]+['"]/i, msg: "Hardcoded API Key" },
+        { regex: /SECRET\s*=\s*['"][^'"]+['"]/i, msg: "Hardcoded Secret" },
+        { regex: /PASSWORD\s*=\s*['"][^'"]+['"]/i, msg: "Hardcoded Password" },
+        { regex: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/, msg: "PII Detected: Email Address" },
+        { regex: /\b\d{4}[- ]?\d{4}[- ]?\d{4}[- ]?\d{4}\b/, msg: "PII Detected: Credit Card Pattern" }
+    ];
+    for (const { regex, msg } of piiKeywords) {
+        if (regex.test(content)) {
+            // Allow emails in specific files like README or package.json
+            if (msg.includes("Email") && (filePath.endsWith("README.md") || filePath.endsWith("package.json") || filePath.includes("CONTRIBUTING"))) {
+                continue;
+            }
+            errors.push(`[ERROR] Corporate Compliance Breach: ${msg} detected.`);
+        }
+    }
+    if (errors.length > 0) {
+        throw new Error(errors.join("\n"));
+    }
+}
+export function isHighRiskOperation(content, filePath) {
+    const fileName = filePath.toLowerCase();
+    // 1. Database Deletions / Table Drops
+    if (fileName.endsWith(".sql") || fileName.endsWith(".ts") || fileName.endsWith(".js") || fileName.endsWith(".go")) {
+        const dropRegex = /\b(DROP\s+(DATABASE|TABLE|SCHEMA|VIEW|INDEX)|TRUNCATE\s+TABLE)\b/i;
+        if (dropRegex.test(content)) {
+            return { isRisk: true, reason: "Database structural deletion detected (DROP/TRUNCATE)" };
+        }
+    }
+    // 2. Package Updates
+    if (fileName.endsWith("package.json")) {
+        return { isRisk: true, reason: "Dependency/package update operation detected" };
+    }
+    // 3. Deployment / Infrastructure Scripts
+    if (fileName.includes("deploy") ||
+        fileName.includes("dockerfile") ||
+        fileName.includes("docker-compose") ||
+        fileName.includes("k8s") ||
+        fileName.includes("kubernetes") ||
+        fileName.includes("github/workflows")) {
+        return { isRisk: true, reason: "Infrastructure or deployment script mutation detected" };
+    }
+    return { isRisk: false };
+}
+export async function verifyRiskAndAwaitApproval(projectRoot, content, filePath) {
+    const assessment = isHighRiskOperation(content, filePath);
+    if (!assessment.isRisk) {
+        return;
+    }
+    const frameworkDir = resolveFrameworkDir(projectRoot);
+    const absoluteFrameworkPath = path.isAbsolute(frameworkDir)
+        ? frameworkDir
+        : path.resolve(projectRoot, frameworkDir);
+    const statusPath = path.join(absoluteFrameworkPath, "memory", "status.json");
+    const statePath = path.join(absoluteFrameworkPath, "memory", "state.json");
+    const messagesDir = path.join(absoluteFrameworkPath, "messages");
+    const managerMsgPath = path.join(messagesDir, "manager.json");
+    let activeAgent = null;
+    let traceId = "UNKNOWN";
+    // 1. Resolve traceId from state.json
+    if (fs.existsSync(statePath)) {
+        try {
+            const state = JSON.parse(fs.readFileSync(statePath, "utf8"));
+            if (state && state.traceId) {
+                traceId = state.traceId;
+            }
+        }
+        catch { /* ignore */ }
+    }
+    // 2. Resolve active agent from status.json
+    let statusData = {};
+    if (fs.existsSync(statusPath)) {
+        try {
+            statusData = JSON.parse(fs.readFileSync(statusPath, "utf8"));
+            for (const [agentName, info] of Object.entries(statusData)) {
+                if (info.state === "EXECUTING") {
+                    activeAgent = agentName.startsWith("@") ? agentName : `@${agentName}`;
+                    break;
+                }
+            }
+        }
+        catch { /* ignore */ }
+    }
+    if (!activeAgent) {
+        throw new Error(`Security Exception: High-risk operation blocked. ${assessment.reason}. (No active executing agent found)`);
+    }
+    // 3. Update active agent status to WAITING_FOR_APPROVAL
+    const originalTask = statusData[activeAgent.replace("@", "")]?.task || statusData[activeAgent]?.task || "Executing task";
+    const statusKey = activeAgent.replace("@", "");
+    statusData[statusKey] = {
+        state: "WAITING_FOR_APPROVAL",
+        task: `[PAUSED] Waiting for approval: ${assessment.reason} on ${filePath}`
+    };
+    try {
+        fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+    }
+    catch { /* ignore */ }
+    // 4. Create and append ALERT message to messages/manager.json
+    if (!fs.existsSync(messagesDir)) {
+        fs.mkdirSync(messagesDir, { recursive: true });
+    }
+    const alertMsg = {
+        timestamp: new Date().toISOString(),
+        from: activeAgent,
+        to: "@manager",
+        category: "ALERT",
+        content: `High-risk operation: ${assessment.reason} on ${filePath}`,
+        traceId: traceId,
+        status: "PENDING",
+        priority: "HIGH",
+        requiresApproval: true,
+        action: `MUTATION:${filePath}`
+    };
+    try {
+        fs.appendFileSync(managerMsgPath, JSON.stringify(alertMsg) + "\n");
+    }
+    catch (err) {
+        statusData[statusKey] = { state: "EXECUTING", task: originalTask };
+        fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+        throw new Error(`Security Exception: Failed to queue approval request. ${String(err)}`, { cause: err });
+    }
+    // 5. Polling Loop: Wait for approval (up to 60 seconds)
+    const pollIntervalMs = 500;
+    const timeoutMs = 60000;
+    const start = Date.now();
+    while (Date.now() - start < timeoutMs) {
+        // Non-blocking wait
+        await new Promise(resolve => setTimeout(resolve, pollIntervalMs));
+        if (fs.existsSync(managerMsgPath)) {
+            try {
+                const contentStr = fs.readFileSync(managerMsgPath, "utf8").trim();
+                const lines = contentStr.split("\n");
+                let isApproved = false;
+                let isDenied = false;
+                for (const line of lines) {
+                    if (!line.trim())
+                        continue;
+                    const parsed = JSON.parse(line);
+                    if (parsed.traceId === traceId && parsed.category === "ALERT" && parsed.action === `MUTATION:${filePath}`) {
+                        if (parsed.status === "APPROVED") {
+                            isApproved = true;
+                        }
+                        else if (parsed.status === "PROCESSED" || parsed.status === "DENIED") {
+                            isDenied = true;
+                        }
+                    }
+                }
+                if (isApproved) {
+                    statusData[statusKey] = { state: "EXECUTING", task: originalTask };
+                    fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+                    return;
+                }
+                if (isDenied) {
+                    throw new Error("Security Exception: High-risk operation was explicitly DENIED by user.");
+                }
+            }
+            catch (err) {
+                if (err.message.includes("explicitly DENIED")) {
+                    throw err;
+                }
+            }
+        }
+    }
+    statusData[statusKey] = { state: "EXECUTING", task: originalTask };
+    try {
+        fs.writeFileSync(statusPath, JSON.stringify(statusData, null, 2));
+    }
+    catch { /* ignore */ }
+    throw new Error(`Security Exception: High-risk operation timed out waiting for approval. (${assessment.reason})`);
+}

package/framework-mcp/dist/framework-mcp/src/utils/fs.js

@@ -0,0 +1,44 @@
+import fs from "fs";
+import path from "path";
+/**
+ * Ensures directory existence.
+ */
+export function ensureDir(dirPath) {
+    if (!fs.existsSync(dirPath)) {
+        fs.mkdirSync(dirPath, { recursive: true });
+    }
+}
+/**
+ * Atomically writes a text file.
+ */
+export function writeTextFileAtomic(filePath, content) {
+    const dir = path.dirname(filePath);
+    ensureDir(dir);
+    const tempPath = `${filePath}.${Math.random().toString(36).slice(2, 9)}.tmp`;
+    const finalContent = content.endsWith("\n") ? content : `${content}\n`;
+    try {
+        fs.writeFileSync(tempPath, finalContent, "utf8");
+        fs.renameSync(tempPath, filePath);
+    }
+    catch (err) {
+        if (fs.existsSync(tempPath)) {
+            try {
+                fs.unlinkSync(tempPath);
+            }
+            catch { /* ignore */ }
+        }
+        throw err;
+    }
+}
+/**
+ * Atomically appends to a file (if supported by OS) or simulates it.
+ * Note: Real atomic append on POSIX is a single write() call with O_APPEND.
+ * For simplicity and robustness across platforms, we use a simple append here
+ * as the risk of corruption is lower than a full rewrite, but for logs
+ * it's acceptable.
+ */
+export function appendFileSafe(filePath, content) {
+    const dir = path.dirname(filePath);
+    ensureDir(dir);
+    fs.appendFileSync(filePath, content, "utf8");
+}

package/framework-mcp/dist/framework-mcp/src/utils/metrics.js

@@ -0,0 +1,56 @@
+import fs from "fs";
+import path from "path";
+import { resolveFrameworkDir } from "./security.js";
+export const Metrics = {
+    /**
+     * Estimates tokens based on character count (rough heuristic: 1 token ~= 4 chars).
+     */
+    estimateTokens: (text) => {
+        return Math.ceil(text.length / 4);
+    },
+    /**
+     * Logs the token usage and action to the observability metrics file.
+     */
+    logUsage: (projectRoot, agent, action, tokens) => {
+        Metrics.saveMetric(projectRoot, {
+            timestamp: new Date().toISOString(),
+            agent,
+            action,
+            estimatedTokens: tokens
+        });
+    },
+    /**
+     * Logs an error occurrence to the observability metrics file.
+     */
+    logError: (projectRoot, agent, action, error) => {
+        Metrics.saveMetric(projectRoot, {
+            timestamp: new Date().toISOString(),
+            agent,
+            action: `ERROR: ${action}`,
+            estimatedTokens: 0,
+            error
+        });
+    },
+    /**
+     * Internal helper to save metric entries.
+     */
+    saveMetric: (projectRoot, entry) => {
+        const frameworkDir = resolveFrameworkDir(projectRoot);
+        const metricsPath = path.join(projectRoot, frameworkDir, "observability/metrics.json");
+        try {
+            const metricsDir = path.dirname(metricsPath);
+            if (!fs.existsSync(metricsDir))
+                fs.mkdirSync(metricsDir, { recursive: true });
+            let currentMetrics = [];
+            if (fs.existsSync(metricsPath)) {
+                currentMetrics = JSON.parse(fs.readFileSync(metricsPath, "utf8"));
+            }
+            currentMetrics.push(entry);
+            // Keep only last 100 entries to save space
+            if (currentMetrics.length > 100)
+                currentMetrics.shift();
+            fs.writeFileSync(metricsPath, JSON.stringify(currentMetrics, null, 2));
+        }
+        catch { /* ignore: metrics should not block the main process */ }
+    }
+};

package/framework-mcp/dist/framework-mcp/src/utils/permissions.js

@@ -0,0 +1,71 @@
+import fs from "fs";
+import path from "path";
+import { resolveFrameworkDir } from "./security.js";
+function globToRegex(glob) {
+    const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+    const step1 = escaped.replace(/\*\*/g, "__DBL_STR__");
+    const step2 = step1.replace(/\*/g, "[^/]*");
+    const regexStr = "^" + step2.replace(/__DBL_STR__/g, ".*") + "$";
+    return new RegExp(regexStr);
+}
+/**
+ * Validates if the active agent has write permission for the target file.
+ * Automatically identifies the active agent by checking the status.json store
+ * for the agent in the "EXECUTING" state.
+ */
+export function verifyWritePermission(projectRoot, targetFilePath) {
+    const frameworkDir = resolveFrameworkDir(projectRoot);
+    const absoluteFrameworkPath = path.isAbsolute(frameworkDir)
+        ? frameworkDir
+        : path.resolve(projectRoot, frameworkDir);
+    const matrixPath = path.join(absoluteFrameworkPath, "permission-matrix.json");
+    // If no permission matrix exists, skip enforcement (default allow)
+    if (!fs.existsSync(matrixPath)) {
+        return;
+    }
+    let matrix;
+    try {
+        matrix = JSON.parse(fs.readFileSync(matrixPath, "utf8"));
+    }
+    catch (e) {
+        throw new Error(`Failed to parse permission-matrix.json: ${String(e)}`, { cause: e });
+    }
+    // Determine the active agent from status.json
+    const statusPath = path.join(absoluteFrameworkPath, "memory", "status.json");
+    let activeAgent = null;
+    if (fs.existsSync(statusPath)) {
+        try {
+            const status = JSON.parse(fs.readFileSync(statusPath, "utf8"));
+            // Find an agent that is currently in the EXECUTING state
+            for (const [agentName, info] of Object.entries(status)) {
+                const data = info;
+                if (data.state === "EXECUTING") {
+                    activeAgent = agentName.startsWith("@") ? agentName : `@${agentName}`;
+                    break;
+                }
+            }
+        }
+        catch (e) {
+            // Log warning but don't crash, default to allowing if status can't be parsed
+            process.stderr.write(`[Permissions] Warning: Failed to read status.json: ${String(e)}\n`);
+        }
+    }
+    // If no active executing agent is found, default to allowing
+    if (!activeAgent) {
+        return;
+    }
+    const agentRules = matrix[activeAgent];
+    // If no rules defined for the agent, default to allowing
+    if (!agentRules || !agentRules.write) {
+        return;
+    }
+    // Resolve target path relative to project root for glob matching
+    const relativeTargetPath = path.relative(projectRoot, path.resolve(projectRoot, targetFilePath));
+    const allowed = agentRules.write.some(glob => {
+        const regex = globToRegex(glob);
+        return regex.test(relativeTargetPath);
+    });
+    if (!allowed) {
+        throw new Error(`Permission Denied: Agent ${activeAgent} is not authorized to write to "${relativeTargetPath}". Matrix rules restrict writes to: [${agentRules.write.join(", ")}].`);
+    }
+}

package/framework-mcp/dist/framework-mcp/src/utils/security.js

@@ -0,0 +1,60 @@
+import path from "path";
+import fs from "fs";
+import { FRAMEWORK, MCP, UNIFIED_HUB_DIR } from "../constants.js"; // New import
+import os from "os"; // Need os.homedir()
+/**
+ * Validates and resolves a user-provided path to prevent path traversal attacks.
+ * Ensures the resolved path stays within the project root boundary.
+ */
+export function safePath(projectRoot, userPath) {
+    const resolved = path.resolve(projectRoot, userPath);
+    const normalizedRoot = path.resolve(projectRoot);
+    if (!resolved.startsWith(normalizedRoot + path.sep) && resolved !== normalizedRoot) {
+        throw new Error(`Access denied: path "${userPath}" escapes project root.`);
+    }
+    return resolved;
+}
+/**
+ * Resolves the active framework directory.
+ * Priority: ATABEY_TEST_DIR (env) -> package.json `atabey.frameworkDir` -> `.atabey` -> other adapter dirs -> global HOME.
+ */
+export function resolveFrameworkDir(projectRoot) {
+    // For test environments, use the explicitly set test directory.
+    const testDir = process.env[MCP.TEST_DIR_ENV];
+    if (testDir)
+        return testDir;
+    // 1. Authoritative source: read from package.json if present
+    try {
+        const pkgPath = path.join(projectRoot, "package.json");
+        if (fs.existsSync(pkgPath)) {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+            const atabeyConfig = pkg["atabey"];
+            if (atabeyConfig && typeof atabeyConfig["frameworkDir"] === "string") {
+                // Ensure the path is relative if it's within the project, otherwise use as-is.
+                const resolvedDir = path.resolve(projectRoot, atabeyConfig["frameworkDir"]);
+                if (resolvedDir.startsWith(path.resolve(projectRoot))) {
+                    return path.relative(projectRoot, resolvedDir);
+                }
+                return atabeyConfig["frameworkDir"];
+            }
+        }
+    }
+    catch {
+        // ignore — fall through to filesystem scan
+    }
+    // 2. Filesystem scan in projectRoot for common framework directories
+    const localCandidates = [
+        FRAMEWORK.CORE_DIR, // .atabey
+        UNIFIED_HUB_DIR, // .agents
+        // Add other adapter specific directories if needed, or remove if unified is strictly enforced
+    ];
+    for (const candidate of localCandidates) {
+        const candidatePath = path.join(projectRoot, candidate);
+        if (fs.existsSync(candidatePath)) {
+            return candidate;
+        }
+    }
+    // 3. Fallback to global home directory.
+    const homeDir = os.homedir();
+    return path.join(homeDir, FRAMEWORK.CORE_DIR);
+}

package/framework-mcp/dist/index.js

@@ -0,0 +1,144 @@
+#!/usr/bin/env node
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+import { Server } from "@modelcontextprotocol/sdk/server/index.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { CallToolRequestSchema, ListToolsRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
+import { TOOLS, toolHandlers } from "./tools/index.js";
+import { RESOURCES, handleReadResource } from "./resources/index.js";
+// ─── Server Setup ─────────────────────────────────────────────────
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+// Robustly find package.json by walking up from __dirname
+function findPackageJson(startDir) {
+    let currentDir = startDir;
+    while (currentDir !== path.parse(currentDir).root) {
+        const pkgPath = path.join(currentDir, "package.json");
+        if (fs.existsSync(pkgPath))
+            return pkgPath;
+        currentDir = path.dirname(currentDir);
+    }
+    throw new Error("Could not find package.json for atabey-mcp");
+}
+const pkgPath = findPackageJson(__dirname);
+const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf8"));
+const serverVersion = pkg.version;
+const server = new Server({
+    name: "atabey-mcp",
+    version: serverVersion,
+}, {
+    capabilities: {
+        tools: {},
+        resources: {},
+    },
+});
+// Basic Schema Validator for Required Fields
+function validateArgs(toolName, args) {
+    const definition = TOOLS.find(t => t.name === toolName);
+    if (!definition)
+        return `Unknown tool: ${toolName}`;
+    const required = definition.inputSchema.required || [];
+    for (const field of required) {
+        if (args[field] === undefined || args[field] === null || args[field] === "") {
+            return `Missing required argument: '${field}' for tool '${toolName}'`;
+        }
+    }
+    return null;
+}
+server.setRequestHandler(ListToolsRequestSchema, async (request) => {
+    // 2026 Stateless Spec: Log client info from metadata if available
+    const meta = request._meta;
+    if (meta) {
+        process.stderr.write(`[MCP] Stateless ListTools from ${meta.client?.name || "unknown"} v${meta.client?.version || "?.?"}\n`);
+    }
+    return { tools: TOOLS };
+});
+server.setRequestHandler(ListResourcesRequestSchema, async () => {
+    return { resources: RESOURCES };
+});
+server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+    const uri = request.params.uri;
+    try {
+        const content = await handleReadResource(uri);
+        return {
+            contents: [
+                {
+                    uri,
+                    mimeType: "text/markdown",
+                    text: content,
+                },
+            ],
+        };
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`Failed to read resource: ${message}`, { cause: error });
+    }
+});
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const req = request;
+    const { name, arguments: args } = req.params;
+    const meta = request._meta;
+    // 2026 Stateless Spec: Prioritize metadata-driven context
+    if (meta) {
+        process.stderr.write(`[MCP] Stateless CallTool: ${name} (Client: ${meta.client?.name || "unknown"})\n`);
+    }
+    const projectRoot = process.env.ATABEY_PROJECT_ROOT || process.cwd();
+    try {
+        const handler = toolHandlers[name];
+        if (!handler) {
+            return {
+                isError: true,
+                content: [{ type: "text", text: `[ERROR] Unknown tool: ${name}` }],
+            };
+        }
+        // [SECURITY] Runtime Validation
+        const validationError = validateArgs(name, args || {});
+        if (validationError) {
+            return {
+                isError: true,
+                content: [{ type: "text", text: `[ERROR] Validation Error: ${validationError}` }],
+            };
+        }
+        return await handler(projectRoot, args || {});
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Unknown error occurred";
+        return {
+            isError: true,
+            content: [{ type: "text", text: `[ERROR] Execution failed: ${message}` }],
+        };
+    }
+});
+// ─── Graceful Startup & Shutdown ──────────────────────────────────
+async function run() {
+    const transport = new StdioServerTransport();
+    // Prevent unhandled errors from crashing the MCP stream
+    process.on("uncaughtException", (error) => {
+        process.stderr.write(`[atabey-mcp] Uncaught exception: ${error.message}
+`);
+    });
+    process.on("unhandledRejection", (reason) => {
+        const message = reason instanceof Error ? reason.message : String(reason);
+        process.stderr.write(`[atabey-mcp] Unhandled rejection: ${message}
+`);
+    });
+    // Graceful shutdown on SIGINT/SIGTERM
+    const shutdown = async () => {
+        try {
+            await server.close();
+        }
+        catch {
+            // Already closed or failed — safe to ignore
+        }
+        process.exit(0);
+    };
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+    await server.connect(transport);
+}
+run().catch((error) => {
+    process.stderr.write(`[atabey-mcp] Fatal startup error: ${error.message}
+`);
+    process.exit(1);
+});