choda-deck 0.2.3 → 0.3.0

package/dist/mcp-server.cjs

@@ -1869,8 +1869,8 @@ var require_keyword = __commonJS({
       var _a2;
       const { gen, keyword, schema, parentSchema, $data, it } = cxt;
       checkAsyncKeyword(it, def);
-      const validate3 = !$data && def.compile ? def.compile.call(it.self, schema, parentSchema, it) : def.validate;
-      const validateRef = useKeyword(gen, keyword, validate3);
+      const validate2 = !$data && def.compile ? def.compile.call(it.self, schema, parentSchema, it) : def.validate;
+      const validateRef = useKeyword(gen, keyword, validate2);
       const valid = gen.let("valid");
       cxt.block$data(valid, validateKeyword);
       cxt.ok((_a2 = def.valid) !== null && _a2 !== void 0 ? _a2 : valid);
@@ -2943,28 +2943,28 @@ var require_compile = __commonJS({
         if (this.opts.code.process)
           sourceCode = this.opts.code.process(sourceCode, sch);
         const makeValidate = new Function(`${names_1.default.self}`, `${names_1.default.scope}`, sourceCode);
-        const validate3 = makeValidate(this, this.scope.get());
-        this.scope.value(validateName, { ref: validate3 });
-        validate3.errors = null;
-        validate3.schema = sch.schema;
-        validate3.schemaEnv = sch;
+        const validate2 = makeValidate(this, this.scope.get());
+        this.scope.value(validateName, { ref: validate2 });
+        validate2.errors = null;
+        validate2.schema = sch.schema;
+        validate2.schemaEnv = sch;
         if (sch.$async)
-          validate3.$async = true;
+          validate2.$async = true;
         if (this.opts.code.source === true) {
-          validate3.source = { validateName, validateCode, scopeValues: gen._values };
+          validate2.source = { validateName, validateCode, scopeValues: gen._values };
         }
         if (this.opts.unevaluated) {
           const { props, items } = schemaCxt;
-          validate3.evaluated = {
+          validate2.evaluated = {
             props: props instanceof codegen_1.Name ? void 0 : props,
             items: items instanceof codegen_1.Name ? void 0 : items,
             dynamicProps: props instanceof codegen_1.Name,
             dynamicItems: items instanceof codegen_1.Name
           };
-          if (validate3.source)
-            validate3.source.evaluated = (0, codegen_1.stringify)(validate3.evaluated);
+          if (validate2.source)
+            validate2.source.evaluated = (0, codegen_1.stringify)(validate2.evaluated);
         }
-        sch.validate = validate3;
+        sch.validate = validate2;
         return sch;
       } catch (e) {
         delete sch.validate;
@@ -3225,8 +3225,8 @@ var require_utils = __commonJS({
       }
       return ind;
     }
-    function removeDotSegments(path10) {
-      let input = path10;
+    function removeDotSegments(path9) {
+      let input = path9;
       const output = [];
       let nextSlash = -1;
       let len = 0;
@@ -3425,8 +3425,8 @@ var require_schemes = __commonJS({
         wsComponent.secure = void 0;
       }
       if (wsComponent.resourceName) {
-        const [path10, query] = wsComponent.resourceName.split("?");
-        wsComponent.path = path10 && path10 !== "/" ? path10 : void 0;
+        const [path9, query] = wsComponent.resourceName.split("?");
+        wsComponent.path = path9 && path9 !== "/" ? path9 : void 0;
         wsComponent.query = query;
         wsComponent.resourceName = void 0;
       }
@@ -6490,8 +6490,8 @@ var require_formats = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.formatNames = exports2.fastFormats = exports2.fullFormats = void 0;
-    function fmtDef(validate3, compare) {
-      return { validate: validate3, compare };
+    function fmtDef(validate2, compare) {
+      return { validate: validate2, compare };
     }
     exports2.fullFormats = {
       // date: http://tools.ietf.org/html/rfc3339#section-5.6
@@ -7355,51 +7355,51 @@ var require_textParsers = __commonJS({
       result.radius = parseFloat(radius);
       return result;
     };
-    var init = function(register18) {
-      register18(20, parseBigInteger);
-      register18(21, parseInteger);
-      register18(23, parseInteger);
-      register18(26, parseInteger);
-      register18(700, parseFloat);
-      register18(701, parseFloat);
-      register18(16, parseBool);
-      register18(1082, parseDate);
-      register18(1114, parseDate);
-      register18(1184, parseDate);
-      register18(600, parsePoint);
-      register18(651, parseStringArray);
-      register18(718, parseCircle);
-      register18(1e3, parseBoolArray);
-      register18(1001, parseByteAArray);
-      register18(1005, parseIntegerArray);
-      register18(1007, parseIntegerArray);
-      register18(1028, parseIntegerArray);
-      register18(1016, parseBigIntegerArray);
-      register18(1017, parsePointArray);
-      register18(1021, parseFloatArray);
-      register18(1022, parseFloatArray);
-      register18(1231, parseFloatArray);
-      register18(1014, parseStringArray);
-      register18(1015, parseStringArray);
-      register18(1008, parseStringArray);
-      register18(1009, parseStringArray);
-      register18(1040, parseStringArray);
-      register18(1041, parseStringArray);
-      register18(1115, parseDateArray);
-      register18(1182, parseDateArray);
-      register18(1185, parseDateArray);
-      register18(1186, parseInterval);
-      register18(1187, parseIntervalArray);
-      register18(17, parseByteA);
-      register18(114, JSON.parse.bind(JSON));
-      register18(3802, JSON.parse.bind(JSON));
-      register18(199, parseJsonArray);
-      register18(3807, parseJsonArray);
-      register18(3907, parseStringArray);
-      register18(2951, parseStringArray);
-      register18(791, parseStringArray);
-      register18(1183, parseStringArray);
-      register18(1270, parseStringArray);
+    var init = function(register22) {
+      register22(20, parseBigInteger);
+      register22(21, parseInteger);
+      register22(23, parseInteger);
+      register22(26, parseInteger);
+      register22(700, parseFloat);
+      register22(701, parseFloat);
+      register22(16, parseBool);
+      register22(1082, parseDate);
+      register22(1114, parseDate);
+      register22(1184, parseDate);
+      register22(600, parsePoint);
+      register22(651, parseStringArray);
+      register22(718, parseCircle);
+      register22(1e3, parseBoolArray);
+      register22(1001, parseByteAArray);
+      register22(1005, parseIntegerArray);
+      register22(1007, parseIntegerArray);
+      register22(1028, parseIntegerArray);
+      register22(1016, parseBigIntegerArray);
+      register22(1017, parsePointArray);
+      register22(1021, parseFloatArray);
+      register22(1022, parseFloatArray);
+      register22(1231, parseFloatArray);
+      register22(1014, parseStringArray);
+      register22(1015, parseStringArray);
+      register22(1008, parseStringArray);
+      register22(1009, parseStringArray);
+      register22(1040, parseStringArray);
+      register22(1041, parseStringArray);
+      register22(1115, parseDateArray);
+      register22(1182, parseDateArray);
+      register22(1185, parseDateArray);
+      register22(1186, parseInterval);
+      register22(1187, parseIntervalArray);
+      register22(17, parseByteA);
+      register22(114, JSON.parse.bind(JSON));
+      register22(3802, JSON.parse.bind(JSON));
+      register22(199, parseJsonArray);
+      register22(3807, parseJsonArray);
+      register22(3907, parseStringArray);
+      register22(2951, parseStringArray);
+      register22(791, parseStringArray);
+      register22(1183, parseStringArray);
+      register22(1270, parseStringArray);
     };
     module2.exports = {
       init
@@ -7663,23 +7663,23 @@ var require_binaryParsers = __commonJS({
       if (value === null) return null;
       return parseBits(value, 8) > 0;
     };
-    var init = function(register18) {
-      register18(20, parseInt64);
-      register18(21, parseInt16);
-      register18(23, parseInt32);
-      register18(26, parseInt32);
-      register18(1700, parseNumeric);
-      register18(700, parseFloat32);
-      register18(701, parseFloat64);
-      register18(16, parseBool);
-      register18(1114, parseDate.bind(null, false));
-      register18(1184, parseDate.bind(null, true));
-      register18(1e3, parseArray);
-      register18(1007, parseArray);
-      register18(1016, parseArray);
-      register18(1008, parseArray);
-      register18(1009, parseArray);
-      register18(25, parseText);
+    var init = function(register22) {
+      register22(20, parseInt64);
+      register22(21, parseInt16);
+      register22(23, parseInt32);
+      register22(26, parseInt32);
+      register22(1700, parseNumeric);
+      register22(700, parseFloat32);
+      register22(701, parseFloat64);
+      register22(16, parseBool);
+      register22(1114, parseDate.bind(null, false));
+      register22(1184, parseDate.bind(null, true));
+      register22(1e3, parseArray);
+      register22(1007, parseArray);
+      register22(1016, parseArray);
+      register22(1008, parseArray);
+      register22(1009, parseArray);
+      register22(25, parseText);
     };
     module2.exports = {
       init
@@ -8017,7 +8017,7 @@ var require_utils3 = __commonJS({
     var nodeCrypto = require("crypto");
     module2.exports = {
       postgresMd5PasswordHash,
-      randomBytes: randomBytes3,
+      randomBytes,
       deriveKey,
       sha256,
       hashByName,
@@ -8027,7 +8027,7 @@ var require_utils3 = __commonJS({
     var webCrypto = nodeCrypto.webcrypto || globalThis.crypto;
     var subtleCrypto = webCrypto.subtle;
     var textEncoder = new TextEncoder();
-    function randomBytes3(length) {
+    function randomBytes(length) {
       return webCrypto.getRandomValues(Buffer.alloc(length));
     }
     async function md5(string4) {
@@ -10225,7 +10225,7 @@ var require_split2 = __commonJS({
 var require_helper = __commonJS({
   "node_modules/pgpass/lib/helper.js"(exports2, module2) {
     "use strict";
-    var path10 = require("path");
+    var path9 = require("path");
     var Stream = require("stream").Stream;
     var split = require_split2();
     var util2 = require("util");
@@ -10264,7 +10264,7 @@ var require_helper = __commonJS({
     };
     module2.exports.getFileName = function(rawEnv) {
       var env = rawEnv || process.env;
-      var file2 = env.PGPASSFILE || (isWin ? path10.join(env.APPDATA || "./", "postgresql", "pgpass.conf") : path10.join(env.HOME || "./", ".pgpass"));
+      var file2 = env.PGPASSFILE || (isWin ? path9.join(env.APPDATA || "./", "postgresql", "pgpass.conf") : path9.join(env.HOME || "./", ".pgpass"));
       return file2;
     };
     module2.exports.usePgPass = function(stats, fname) {
@@ -10396,7 +10396,7 @@ var require_helper = __commonJS({
 var require_lib = __commonJS({
   "node_modules/pgpass/lib/index.js"(exports2, module2) {
     "use strict";
-    var path10 = require("path");
+    var path9 = require("path");
     var fs9 = require("fs");
     var helper = require_helper();
     module2.exports = function(connInfo, cb) {
@@ -11953,8 +11953,6 @@ var require_lib2 = __commonJS({
 
 // src/adapters/mcp/server-bootstrap.ts
 var fs8 = __toESM(require("fs"));
-var path9 = __toESM(require("path"));
-var import_better_sqlite32 = __toESM(require("better-sqlite3"));
 
 // node_modules/zod/v3/helpers/util.js
 var util;
@@ -12315,8 +12313,8 @@ function getErrorMap() {
 
 // node_modules/zod/v3/helpers/parseUtil.js
 var makeIssue = (params) => {
-  const { data, path: path10, errorMaps, issueData } = params;
-  const fullPath = [...path10, ...issueData.path || []];
+  const { data, path: path9, errorMaps, issueData } = params;
+  const fullPath = [...path9, ...issueData.path || []];
   const fullIssue = {
     ...issueData,
     path: fullPath
@@ -12431,11 +12429,11 @@ var errorUtil;
 
 // node_modules/zod/v3/types.js
 var ParseInputLazyPath = class {
-  constructor(parent, value, path10, key) {
+  constructor(parent, value, path9, key) {
     this._cachedPath = [];
     this.parent = parent;
     this.data = value;
-    this._path = path10;
+    this._path = path9;
     this._key = key;
   }
   get path() {
@@ -16358,10 +16356,10 @@ function mergeDefs(...defs) {
 function cloneDef(schema) {
   return mergeDefs(schema._zod.def);
 }
-function getElementAtPath(obj, path10) {
-  if (!path10)
+function getElementAtPath(obj, path9) {
+  if (!path9)
     return obj;
-  return path10.reduce((acc, key) => acc?.[key], obj);
+  return path9.reduce((acc, key) => acc?.[key], obj);
 }
 function promiseAllObject(promisesObj) {
   const keys = Object.keys(promisesObj);
@@ -16744,11 +16742,11 @@ function aborted(x, startIndex = 0) {
   }
   return false;
 }
-function prefixIssues(path10, issues) {
+function prefixIssues(path9, issues) {
   return issues.map((iss) => {
     var _a2;
     (_a2 = iss).path ?? (_a2.path = []);
-    iss.path.unshift(path10);
+    iss.path.unshift(path9);
     return iss;
   });
 }
@@ -16931,7 +16929,7 @@ function formatError(error48, mapper = (issue2) => issue2.message) {
 }
 function treeifyError(error48, mapper = (issue2) => issue2.message) {
   const result = { errors: [] };
-  const processError = (error49, path10 = []) => {
+  const processError = (error49, path9 = []) => {
     var _a2, _b;
     for (const issue2 of error49.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
@@ -16941,7 +16939,7 @@ function treeifyError(error48, mapper = (issue2) => issue2.message) {
       } else if (issue2.code === "invalid_element") {
         processError({ issues: issue2.issues }, issue2.path);
       } else {
-        const fullpath = [...path10, ...issue2.path];
+        const fullpath = [...path9, ...issue2.path];
         if (fullpath.length === 0) {
           result.errors.push(mapper(issue2));
           continue;
@@ -16973,8 +16971,8 @@ function treeifyError(error48, mapper = (issue2) => issue2.message) {
 }
 function toDotPath(_path) {
   const segs = [];
-  const path10 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
-  for (const seg of path10) {
+  const path9 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
+  for (const seg of path9) {
     if (typeof seg === "number")
       segs.push(`[${seg}]`);
     else if (typeof seg === "symbol")
@@ -18572,13 +18570,13 @@ var $ZodObject = /* @__PURE__ */ $constructor("$ZodObject", (inst, def) => {
     }
     return propValues;
   });
-  const isObject2 = isObject;
+  const isObject3 = isObject;
   const catchall = def.catchall;
   let value;
   inst._zod.parse = (payload, ctx) => {
     value ?? (value = _normalized.value);
     const input = payload.value;
-    if (!isObject2(input)) {
+    if (!isObject3(input)) {
       payload.issues.push({
         expected: "object",
         code: "invalid_type",
@@ -18676,7 +18674,7 @@ var $ZodObjectJIT = /* @__PURE__ */ $constructor("$ZodObjectJIT", (inst, def) =>
     return (payload, ctx) => fn(shape, payload, ctx);
   };
   let fastpass;
-  const isObject2 = isObject;
+  const isObject3 = isObject;
   const jit = !globalConfig.jitless;
   const allowsEval2 = allowsEval;
   const fastEnabled = jit && allowsEval2.value;
@@ -18685,7 +18683,7 @@ var $ZodObjectJIT = /* @__PURE__ */ $constructor("$ZodObjectJIT", (inst, def) =>
   inst._zod.parse = (payload, ctx) => {
     value ?? (value = _normalized.value);
     const input = payload.value;
-    if (!isObject2(input)) {
+    if (!isObject3(input)) {
       payload.issues.push({
         expected: "object",
         code: "invalid_type",
@@ -29380,13 +29378,13 @@ function resolveRef(ref, ctx) {
   if (!ref.startsWith("#")) {
     throw new Error("External $ref is not supported, only local refs (#/...) are allowed");
   }
-  const path10 = ref.slice(1).split("/").filter(Boolean);
-  if (path10.length === 0) {
+  const path9 = ref.slice(1).split("/").filter(Boolean);
+  if (path9.length === 0) {
     return ctx.rootSchema;
   }
   const defsKey = ctx.version === "draft-2020-12" ? "$defs" : "definitions";
-  if (path10[0] === defsKey) {
-    const key = path10[1];
+  if (path9[0] === defsKey) {
+    const key = path9[1];
     if (!key || !ctx.defs[key]) {
       throw new Error(`Reference not found: ${ref}`);
     }
@@ -32894,7 +32892,7 @@ var Protocol = class {
     const capturedTransport = this._transport;
     const relatedTaskId = request.params?._meta?.[RELATED_TASK_META_KEY]?.taskId;
     if (handler === void 0) {
-      const errorResponse3 = {
+      const errorResponse = {
         jsonrpc: "2.0",
         id: request.id,
         error: {
@@ -32905,11 +32903,11 @@ var Protocol = class {
       if (relatedTaskId && this._taskMessageQueue) {
         this._enqueueTaskMessage(relatedTaskId, {
           type: "error",
-          message: errorResponse3,
+          message: errorResponse,
           timestamp: Date.now()
         }, capturedTransport?.sessionId).catch((error48) => this._onerror(new Error(`Failed to enqueue error response: ${error48}`)));
       } else {
-        capturedTransport?.send(errorResponse3).catch((error48) => this._onerror(new Error(`Failed to send an error response: ${error48}`)));
+        capturedTransport?.send(errorResponse).catch((error48) => this._onerror(new Error(`Failed to send an error response: ${error48}`)));
       }
       return;
     }
@@ -32979,7 +32977,7 @@ var Protocol = class {
       if (abortController.signal.aborted) {
         return;
       }
-      const errorResponse3 = {
+      const errorResponse = {
         jsonrpc: "2.0",
         id: request.id,
         error: {
@@ -32991,11 +32989,11 @@ var Protocol = class {
       if (relatedTaskId && this._taskMessageQueue) {
         await this._enqueueTaskMessage(relatedTaskId, {
           type: "error",
-          message: errorResponse3,
+          message: errorResponse,
           timestamp: Date.now()
         }, capturedTransport?.sessionId);
       } else {
-        await capturedTransport?.send(errorResponse3);
+        await capturedTransport?.send(errorResponse);
       }
     }).catch((error48) => this._onerror(new Error(`Failed to send response: ${error48}`))).finally(() => {
       if (this._requestHandlerAbortControllers.get(request.id) === abortController) {
@@ -35281,6 +35279,60 @@ var path3 = __toESM(require("path"));
 var import_better_sqlite3 = __toESM(require("better-sqlite3"));
 var sqliteVec = __toESM(require("sqlite-vec"));
 
+// src/core/sync/syncable-tables.ts
+var SYNCABLE_TABLES = [
+  "projects",
+  "workspaces",
+  "tasks",
+  "inbox_items",
+  "conversations",
+  "conversation_messages",
+  "conversation_actions"
+];
+var SYNC_COLUMNS = [
+  { name: "sync_updated_at", sqliteType: "INTEGER", pgType: "BIGINT" },
+  { name: "sync_deleted_at", sqliteType: "INTEGER", pgType: "BIGINT" },
+  { name: "sync_origin", sqliteType: "TEXT", pgType: "TEXT" }
+];
+
+// src/core/sync/sync-source.ts
+function fetchSinceFromSqlite(db, since) {
+  const deltas = [];
+  for (const table of SYNCABLE_TABLES) {
+    const rows = db.prepare(
+      `SELECT * FROM ${table} WHERE sync_updated_at > ? OR sync_deleted_at > ? ORDER BY sync_updated_at`
+    ).all(since, since);
+    if (rows.length > 0) deltas.push({ table, rows });
+  }
+  return deltas;
+}
+async function fetchSinceFromPg(conn, since) {
+  const deltas = [];
+  for (const table of SYNCABLE_TABLES) {
+    const result = await conn.query(
+      `SELECT * FROM ${table} WHERE sync_updated_at > $1 OR sync_deleted_at > $1 ORDER BY sync_updated_at`,
+      [since]
+    );
+    if (result.rows.length > 0) {
+      deltas.push({ table, rows: result.rows.map(normalizePgRow) });
+    }
+  }
+  return deltas;
+}
+function normalizePgRow(row) {
+  const out = {};
+  for (const [k, v] of Object.entries(row)) {
+    if (k === "sync_updated_at" || k === "sync_deleted_at") {
+      out[k] = v === null || v === void 0 ? null : Number(v);
+    } else if (v instanceof Date) {
+      out[k] = v.toISOString();
+    } else {
+      out[k] = v;
+    }
+  }
+  return out;
+}
+
 // src/core/domain/embedding/embedding-store.ts
 var EmbeddingStore = class {
   db;
@@ -35549,6 +35601,33 @@ var NoActiveSessionError = class extends LifecycleError {
     this.name = "NoActiveSessionError";
   }
 };
+var InvestigationNotFoundError = class extends LifecycleError {
+  constructor(id) {
+    super("INVESTIGATION_NOT_FOUND", `Investigation ${id} not found`);
+    this.name = "InvestigationNotFoundError";
+  }
+};
+var InvestigationStatusError = class extends LifecycleError {
+  constructor(id, current, message) {
+    super("INVESTIGATION_INVALID_STATUS", `Investigation ${id} is ${current} \u2014 ${message}`);
+    this.name = "InvestigationStatusError";
+  }
+};
+var HypothesisNotFoundError = class extends LifecycleError {
+  constructor(id) {
+    super("HYPOTHESIS_NOT_FOUND", `Hypothesis ${id} not found`);
+    this.name = "HypothesisNotFoundError";
+  }
+};
+var HypothesisTransitionError = class extends LifecycleError {
+  constructor(id, current, target) {
+    super(
+      "HYPOTHESIS_INVALID_TRANSITION",
+      `Hypothesis ${id} is ${current} \u2014 cannot transition to ${target} (only testing \u2192 ruled_out | confirmed is allowed)`
+    );
+    this.name = "HypothesisTransitionError";
+  }
+};
 
 // src/core/domain/lifecycle/inbox-lifecycle-service.ts
 var InboxLifecycleService = class {
@@ -35609,7 +35688,8 @@ var InboxLifecycleService = class {
       this.closeLinkedConversations(id, `Converted to ${task.id}: ${input.title}`);
       const final = this.tasks.get(task.id);
       if (!final) throw new Error(`Task ${task.id} disappeared mid-transaction`);
-      return { inboxId: id, taskId: task.id, task: final };
+      const localizationWarning = item.workspaceId ? void 0 : `${id} had no workspaceId \u2014 converted ${task.id} is not localized to an app. Set it during research (inbox_ready) next time, or scope the task via its worker session.`;
+      return { inboxId: id, taskId: task.id, task: final, localizationWarning };
     });
     return tx();
   }
@@ -35876,13 +35956,15 @@ function computeLineOffsets(body, lineCount) {
 
 // src/core/domain/lifecycle/session-lifecycle-service.ts
 var SessionLifecycleService = class {
-  constructor(db, sessions, contextSources, conversations, tasks, sessionEvents, recallMemoriesFn) {
+  constructor(db, sessions, contextSources, conversations, tasks, sessionEvents, relationships, codeRefs, recallMemoriesFn) {
     this.db = db;
     this.sessions = sessions;
     this.contextSources = contextSources;
     this.conversations = conversations;
     this.tasks = tasks;
     this.sessionEvents = sessionEvents;
+    this.relationships = relationships;
+    this.codeRefs = codeRefs;
     this.recallMemoriesFn = recallMemoriesFn;
   }
   db;
@@ -35891,6 +35973,8 @@ var SessionLifecycleService = class {
   conversations;
   tasks;
   sessionEvents;
+  relationships;
+  codeRefs;
   recallMemoriesFn;
   async startSession(input) {
     const tx = this.db.transaction(() => {
@@ -35913,7 +35997,8 @@ var SessionLifecycleService = class {
         workspaceId: input.workspaceId,
         taskId: input.taskId,
         startedAt: now(),
-        status: "active"
+        status: "active",
+        ccSessionId: input.ccSessionId
       });
       if (input.taskId) {
         this.tasks.update(input.taskId, { status: "IN-PROGRESS" });
@@ -35979,6 +36064,19 @@ var SessionLifecycleService = class {
           memoryCandidate: false
         });
       }
+      if (session.taskId) {
+        this.deriveTouchesFromFileEdits(id, session.taskId, session.projectId, endedAt);
+      }
+      const featureId = session.taskId ? this.inferFeatureForTask(session.taskId) : null;
+      for (const decision of input.handoff.decisions ?? []) {
+        const draft = draftGotchaFromDecision(decision, featureId);
+        this.sessionEvents.create({
+          sessionId: id,
+          eventType: "observation",
+          payloadJson: JSON.stringify({ kind: "gotcha_draft", ...draft }),
+          memoryCandidate: true
+        });
+      }
       const memoryCandidates = this.sessionEvents.listMemoryCandidates(id);
       const selfEditPrompt = buildSelfEditPrompt(memoryCandidates);
       return { session: updated, closedConversationIds, taskUpdated, memoryCandidates, selfEditPrompt };
@@ -36027,6 +36125,30 @@ var SessionLifecycleService = class {
     });
     return { session: updated };
   }
+  // TASK-998: the feature a task REALIZES (task → feature edge, TASK-992). A task
+  // normally realizes one feature; if several, the first by edge order is used.
+  // Returns null when the task has no REALIZES edge.
+  inferFeatureForTask(taskId) {
+    const edges = this.relationships.getFrom(taskId, "REALIZES");
+    return edges.length > 0 ? edges[0].toId : null;
+  }
+  // INBOX-424: upsert a file-level code_ref (symbol=null — the sanctioned
+  // convention for non-symbol refs) + a `modifies` TOUCHES edge for each DISTINCT
+  // path the session edited. Pure-derivation: reads channel-1 events, writes the
+  // graph projection; no AC / summary side effects.
+  deriveTouchesFromFileEdits(sessionId, taskId, projectId, nowIso) {
+    const paths = /* @__PURE__ */ new Set();
+    for (const evt of this.sessionEvents.listBySession(sessionId, "observation")) {
+      const payload = parseObservationPayload(evt.payloadJson);
+      if (payload?.kind === "file_modified" && typeof payload.path === "string") {
+        paths.add(payload.path);
+      }
+    }
+    for (const path9 of paths) {
+      const ref = this.codeRefs.upsert({ slug: fileRefSlug(path9), projectId, path: path9, symbol: null }, nowIso);
+      this.codeRefs.addTouches(taskId, ref.slug, "modifies");
+    }
+  }
   async resumeSession(id) {
     const session = this.sessions.get(id);
     if (!session) throw new SessionNotFoundError(id);
@@ -36089,6 +36211,9 @@ function aggregateSessionSummary(sessionEvents, tasks, sessionId, summary) {
     acCoverage: mergedAcCoverage
   };
 }
+function fileRefSlug(path9) {
+  return `code-ref-${path9.replace(/[^a-z0-9]+/gi, "-").replace(/^-+|-+$/g, "").toLowerCase()}`;
+}
 function parseObservationPayload(json2) {
   if (!json2) return null;
   try {
@@ -36100,11 +36225,245 @@ function parseObservationPayload(json2) {
 }
 function buildSelfEditPrompt(candidates) {
   if (candidates.length === 0) return "";
-  const n = candidates.length;
-  const word = n === 1 ? "event" : "events";
-  return `Review these ${n} candidate ${word} from the session. Call memory_write for 1-3 entries worth remembering across sessions \u2014 use type='episodic' with scope='task' for task-specific learnings, or type='procedural' with scope='project' or 'workspace' for reusable patterns. Skip entirely if nothing here is worth keeping.`;
+  const gotchaDrafts = candidates.filter((c) => {
+    const p = parseObservationPayload(c.payloadJson);
+    return p?.kind === "gotcha_draft";
+  });
+  const memN = candidates.length - gotchaDrafts.length;
+  const parts = [];
+  if (memN > 0) {
+    const word = memN === 1 ? "event" : "events";
+    parts.push(
+      `Review ${memN} candidate ${word} from the session. Call memory_write for 1-3 entries worth remembering across sessions \u2014 use type='episodic' with scope='task' for task-specific learnings, or type='procedural' with scope='project' or 'workspace' for reusable patterns.`
+    );
+  }
+  if (gotchaDrafts.length > 0) {
+    const word = gotchaDrafts.length === 1 ? "gotcha draft" : "gotcha drafts";
+    const needFeature = gotchaDrafts.some((c) => {
+      const p = parseObservationPayload(c.payloadJson);
+      return p?.needsFeature === true;
+    });
+    parts.push(
+      `${gotchaDrafts.length} ${word} (kind='gotcha_draft') were proposed from the session's decisions. Review each, refine the structured fields (trigger / context / business_rule / resolution), and call knowledge_create(type='gotcha') for ones worth keeping.` + (needFeature ? ` Some have no affectedFeatureId (the task has no REALIZES edge) \u2014 ask the human which feature before creating those.` : "")
+    );
+  }
+  parts.push("Skip entirely if nothing here is worth keeping.");
+  return parts.join(" ");
+}
+function draftGotchaFromDecision(decision, featureId) {
+  const text = decision.trim();
+  const marker = text.match(/\bbecause\b|\bso that\b|[—–]| - |:/i);
+  let businessRule = text;
+  let resolution = "";
+  if (marker && marker.index !== void 0 && marker.index > 0) {
+    businessRule = text.slice(0, marker.index).replace(/[\s,;:—–-]+$/, "").trim();
+    resolution = text.slice(marker.index + marker[0].length).trim();
+  }
+  return {
+    trigger: "",
+    context: text,
+    businessRule,
+    resolution,
+    affectedFeatureId: featureId,
+    needsFeature: featureId === null,
+    sourceDecision: text
+  };
 }
 
+// src/core/domain/lifecycle/investigation-lifecycle-service.ts
+var InvestigationLifecycleService = class {
+  constructor(db, investigations) {
+    this.db = db;
+    this.investigations = investigations;
+  }
+  db;
+  investigations;
+  async startInvestigation(input) {
+    return this.investigations.insertInvestigation(input);
+  }
+  async getInvestigation(id) {
+    return this.investigations.getInvestigation(id);
+  }
+  async addHypothesis(investigationId, description) {
+    const tx = this.db.transaction(() => {
+      const inv = this.investigations.getInvestigation(investigationId);
+      if (!inv) throw new InvestigationNotFoundError(investigationId);
+      if (inv.status === "resolved") {
+        throw new InvestigationStatusError(investigationId, inv.status, "cannot add a hypothesis");
+      }
+      return this.investigations.insertHypothesis(investigationId, description);
+    });
+    return tx();
+  }
+  // Only testing → ruled_out | confirmed is legal. A terminal hypothesis (already
+  // ruled_out/confirmed) cannot transition again, and 'testing' is never a target.
+  async setHypothesisStatus(hypothesisId, status) {
+    const tx = this.db.transaction(() => {
+      const hyp = this.investigations.getHypothesis(hypothesisId);
+      if (!hyp) throw new HypothesisNotFoundError(hypothesisId);
+      const legal = hyp.status === "testing" && (status === "ruled_out" || status === "confirmed");
+      if (!legal) throw new HypothesisTransitionError(hypothesisId, hyp.status, status);
+      this.investigations.setHypothesisStatus(hypothesisId, status);
+      return this.investigations.getHypothesis(hypothesisId);
+    });
+    return tx();
+  }
+  async addEvidence(input) {
+    const tx = this.db.transaction(() => {
+      const inv = this.investigations.getInvestigation(input.investigationId);
+      if (!inv) throw new InvestigationNotFoundError(input.investigationId);
+      if (input.hypothesisId) {
+        const hyp = this.investigations.getHypothesis(input.hypothesisId);
+        if (!hyp || hyp.investigationId !== input.investigationId) {
+          throw new HypothesisNotFoundError(input.hypothesisId);
+        }
+      }
+      return this.investigations.insertEvidence(input);
+    });
+    return tx();
+  }
+  async resolveInvestigation(id, input) {
+    const tx = this.db.transaction(() => {
+      const inv = this.investigations.getInvestigation(id);
+      if (!inv) throw new InvestigationNotFoundError(id);
+      if (inv.status === "resolved") {
+        throw new InvestigationStatusError(id, inv.status, "already resolved");
+      }
+      const patternTag = input.patternTag ?? null;
+      this.investigations.setInvestigationResolved(id, {
+        rootCause: input.rootCause,
+        fixSummary: input.fixSummary,
+        patternTag
+      });
+      const investigation = this.investigations.getInvestigation(id);
+      const knowledgeDraft = buildKnowledgeDraft(investigation);
+      return { investigation, knowledgeDraft };
+    });
+    return tx();
+  }
+};
+function buildKnowledgeDraft(inv) {
+  const title = inv.patternTag ? `Gotcha: ${inv.patternTag}` : `Gotcha: ${inv.symptom.slice(0, 80)}`;
+  const body = [
+    `**Symptom:** ${inv.symptom}`,
+    `**Root cause:** ${inv.rootCause ?? ""}`,
+    `**Fix:** ${inv.fixSummary ?? ""}`,
+    inv.patternTag ? `**Pattern tag:** ${inv.patternTag}` : null,
+    ``,
+    `_Drafted from ${inv.id} (ADR-035). Review before committing via knowledge_create._`
+  ].filter((line) => line !== null).join("\n");
+  return { type: "gotcha", title, body, patternTag: inv.patternTag };
+}
+
+// src/core/domain/repositories/investigation-repository.ts
+function rowToInvestigation(row) {
+  return {
+    id: row.id,
+    symptom: row.symptom,
+    status: row.status,
+    taskId: row.task_id || null,
+    sessionId: row.session_id || null,
+    rootCause: row.root_cause || null,
+    fixSummary: row.fix_summary || null,
+    patternTag: row.pattern_tag || null,
+    createdAt: row.created_at,
+    resolvedAt: row.resolved_at || null,
+    hypotheses: [],
+    evidence: []
+  };
+}
+function rowToHypothesis(row) {
+  return {
+    id: row.id,
+    investigationId: row.investigation_id,
+    description: row.description,
+    status: row.status,
+    createdAt: row.created_at
+  };
+}
+function rowToEvidence(row) {
+  return {
+    id: row.id,
+    investigationId: row.investigation_id,
+    hypothesisId: row.hypothesis_id || null,
+    type: row.type,
+    ref: row.ref,
+    note: row.note || null,
+    createdAt: row.created_at
+  };
+}
+var InvestigationRepository = class {
+  constructor(db, counters) {
+    this.db = db;
+    this.counters = counters;
+  }
+  db;
+  counters;
+  nextId(prefix, entity) {
+    return `${prefix}-${String(this.counters.nextNumber(entity)).padStart(3, "0")}`;
+  }
+  insertInvestigation(input) {
+    const ts = now();
+    const id = this.nextId("INV", "investigation");
+    this.db.prepare(
+      `INSERT INTO investigations (id, symptom, status, task_id, session_id, created_at)
+         VALUES (?, ?, 'exploring', ?, ?, ?)`
+    ).run(id, input.symptom, input.taskId ?? null, input.sessionId ?? null, ts);
+    return this.getInvestigation(id);
+  }
+  // Nested read: investigation row + all hypotheses + all evidence (AC-5).
+  getInvestigation(id) {
+    const row = this.db.prepare("SELECT * FROM investigations WHERE id = ?").get(id);
+    if (!row) return null;
+    const investigation = rowToInvestigation(row);
+    investigation.hypotheses = this.db.prepare("SELECT * FROM hypotheses WHERE investigation_id = ? ORDER BY created_at, rowid").all(id).map(rowToHypothesis);
+    investigation.evidence = this.db.prepare("SELECT * FROM evidence WHERE investigation_id = ? ORDER BY created_at, rowid").all(id).map(rowToEvidence);
+    return investigation;
+  }
+  setInvestigationResolved(id, fields) {
+    this.db.prepare(
+      `UPDATE investigations
+         SET status = 'resolved', root_cause = ?, fix_summary = ?, pattern_tag = ?, resolved_at = ?
+         WHERE id = ?`
+    ).run(fields.rootCause, fields.fixSummary, fields.patternTag, now(), id);
+  }
+  insertHypothesis(investigationId, description) {
+    const id = this.nextId("HYP", "hypothesis");
+    this.db.prepare(
+      `INSERT INTO hypotheses (id, investigation_id, description, status, created_at)
+         VALUES (?, ?, ?, 'testing', ?)`
+    ).run(id, investigationId, description, now());
+    return this.getHypothesis(id);
+  }
+  getHypothesis(id) {
+    const row = this.db.prepare("SELECT * FROM hypotheses WHERE id = ?").get(id);
+    return row ? rowToHypothesis(row) : null;
+  }
+  setHypothesisStatus(id, status) {
+    this.db.prepare("UPDATE hypotheses SET status = ? WHERE id = ?").run(status, id);
+  }
+  insertEvidence(input) {
+    const id = this.nextId("EVID", "evidence");
+    this.db.prepare(
+      `INSERT INTO evidence (id, investigation_id, hypothesis_id, type, ref, note, created_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      input.investigationId,
+      input.hypothesisId ?? null,
+      input.type,
+      input.ref,
+      input.note ?? null,
+      now()
+    );
+    return this.getEvidence(id);
+  }
+  getEvidence(id) {
+    const row = this.db.prepare("SELECT * FROM evidence WHERE id = ?").get(id);
+    return row ? rowToEvidence(row) : null;
+  }
+};
+
 // src/core/domain/knowledge-service.ts
 var fs = __toESM(require("fs"));
 var path2 = __toESM(require("path"));
@@ -36142,6 +36501,17 @@ var GitOpsImpl = class {
     if (out === "") return [];
     return out.split(/\r?\n/).map((s) => s.trim()).filter((s) => s.length > 0);
   }
+  commitsInWindow(cwd, sinceIso, grepTaskId) {
+    const args = ["log", `--since=${sinceIso}`, "--format=%h %s"];
+    if (grepTaskId) args.push(`--grep=${grepTaskId}`);
+    try {
+      const out = runGit(cwd, args).trim();
+      if (out === "") return [];
+      return out.split(/\r?\n/).map((s) => s.trim()).filter((s) => s.length > 0);
+    } catch {
+      return [];
+    }
+  }
 };
 function runGit(cwd, args) {
   try {
@@ -36158,11 +36528,23 @@ var KNOWLEDGE_TYPES = [
   "decision",
   "postmortem",
   "learning",
-  "evaluation"
+  "evaluation",
+  "feature",
+  "code_ref",
+  "gotcha"
 ];
 var KNOWLEDGE_SCOPES = ["project", "cross"];
+var EFFORT_BANDS = ["S", "M", "L", "XL"];
+var FEATURE_STATUSES = [
+  "planned",
+  "in-progress",
+  "shipped",
+  "blocked"
+];
 
 // src/core/domain/knowledge-frontmatter.ts
+var STRUCTURED_SCALAR_KEYS = ["anchorTaskId", "effortBand", "status", "affectedFeatureId"];
+var STRUCTURED_LIST_KEYS = ["realizesTasks", "inWorkspaces"];
 var FRONTMATTER_RE = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/;
 var FrontmatterParseError = class extends Error {
   constructor(message) {
@@ -36176,6 +36558,7 @@ function parseFrontmatter(raw) {
   const fmText = m[1];
   const body = m[2] ?? "";
   const fm = { refs: [] };
+  const structured = {};
   const lines = fmText.split(/\r?\n/);
   let i = 0;
   while (i < lines.length) {
@@ -36199,11 +36582,42 @@ function parseFrontmatter(raw) {
     const kv = line.match(/^([a-zA-Z]+):\s*(.*)$/);
     if (!kv) throw new FrontmatterParseError(`unrecognized line: ${line}`);
     const key = kv[1];
-    const value = unquote(kv[2].trim());
-    assignScalar(fm, key, value);
+    const rawValue = kv[2].trim();
+    if (assignStructured(structured, key, rawValue)) {
+      i++;
+      continue;
+    }
+    assignScalar(fm, key, unquote(rawValue));
     i++;
   }
-  return { frontmatter: validate(fm), body };
+  return { frontmatter: validate(fm, structured), body };
+}
+function assignStructured(s, key, rawValue) {
+  if (STRUCTURED_SCALAR_KEYS.includes(key)) {
+    const value = unquote(rawValue);
+    if (key === "effortBand") s.effortBand = value;
+    else if (key === "status") s.status = value;
+    else if (key === "anchorTaskId") s.anchorTaskId = value;
+    else if (key === "affectedFeatureId") s.affectedFeatureId = value;
+    return true;
+  }
+  if (STRUCTURED_LIST_KEYS.includes(key)) {
+    const list = parseInlineList(rawValue);
+    if (key === "realizesTasks") s.realizesTasks = list;
+    else if (key === "inWorkspaces") s.inWorkspaces = list;
+    return true;
+  }
+  return false;
+}
+function parseInlineList(raw) {
+  const trimmed = raw.trim();
+  if (trimmed === "[]" || trimmed === "") return [];
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (Array.isArray(parsed)) return parsed.map((v) => String(v));
+  } catch {
+  }
+  return trimmed.replace(/^\[|\]$/g, "").split(",").map((v) => unquote(v.trim())).filter((v) => v.length > 0);
 }
 function parseRefsBlock(lines, startIdx) {
   const out = [];
@@ -36266,7 +36680,7 @@ function assignScalar(fm, key, value) {
       throw new FrontmatterParseError(`unknown key: ${key}`);
   }
 }
-function validate(fm) {
+function validate(fm, structured) {
   if (!fm.type || !KNOWLEDGE_TYPES.includes(fm.type)) {
     throw new FrontmatterParseError(`invalid type: ${fm.type}`);
   }
@@ -36277,6 +36691,13 @@ function validate(fm) {
   if (!fm.projectId) throw new FrontmatterParseError("missing projectId");
   if (!fm.createdAt) throw new FrontmatterParseError("missing createdAt");
   if (!fm.lastVerifiedAt) throw new FrontmatterParseError("missing lastVerifiedAt");
+  if (structured.effortBand && !EFFORT_BANDS.includes(structured.effortBand)) {
+    throw new FrontmatterParseError(`invalid effortBand: ${structured.effortBand}`);
+  }
+  if (structured.status && !FEATURE_STATUSES.includes(structured.status)) {
+    throw new FrontmatterParseError(`invalid status: ${structured.status}`);
+  }
+  const hasStructured = Object.values(structured).some((v) => v !== void 0);
   return {
     type: fm.type,
     title: fm.title,
@@ -36285,7 +36706,8 @@ function validate(fm) {
     scope: fm.scope,
     refs: fm.refs ?? [],
     createdAt: fm.createdAt,
-    lastVerifiedAt: fm.lastVerifiedAt
+    lastVerifiedAt: fm.lastVerifiedAt,
+    structured: hasStructured ? structured : void 0
   };
 }
 function serializeFrontmatter(fm, body) {
@@ -36306,6 +36728,19 @@ function serializeFrontmatter(fm, body) {
   }
   lines.push(`createdAt: ${fm.createdAt}`);
   lines.push(`lastVerifiedAt: ${fm.lastVerifiedAt}`);
+  const s = fm.structured;
+  if (s) {
+    if (s.anchorTaskId) lines.push(`anchorTaskId: ${s.anchorTaskId}`);
+    if (s.realizesTasks && s.realizesTasks.length > 0) {
+      lines.push(`realizesTasks: ${JSON.stringify(s.realizesTasks)}`);
+    }
+    if (s.inWorkspaces && s.inWorkspaces.length > 0) {
+      lines.push(`inWorkspaces: ${JSON.stringify(s.inWorkspaces)}`);
+    }
+    if (s.effortBand) lines.push(`effortBand: ${s.effortBand}`);
+    if (s.status) lines.push(`status: ${s.status}`);
+    if (s.affectedFeatureId) lines.push(`affectedFeatureId: ${s.affectedFeatureId}`);
+  }
   lines.push("---");
   const trimmedBody = body.replace(/^\r?\n+/, "");
   return lines.join("\n") + "\n\n" + trimmedBody + (trimmedBody.endsWith("\n") ? "" : "\n");
@@ -36358,6 +36793,7 @@ var KnowledgeService = class {
   now;
   embeddingStore;
   embeddingProvider;
+  edges;
   constructor(deps) {
     this.knowledge = deps.knowledge;
     this.projects = deps.projects;
@@ -36367,11 +36803,13 @@ var KnowledgeService = class {
     this.now = deps.now ?? (() => /* @__PURE__ */ new Date());
     this.embeddingStore = deps.embeddingStore ?? null;
     this.embeddingProvider = deps.embeddingProvider ?? null;
+    this.edges = deps.edges ?? null;
   }
   async createKnowledge(input) {
     this.validateInput(input);
     const project = await this.projects.get(input.projectId);
     if (!project) throw new KnowledgeValidationError(`unknown projectId: ${input.projectId}`);
+    await this.validateStructured(input);
     const workspaceCwd = await this.resolveWorkspaceCwd(input.projectId, input.workspaceId);
     const slug = input.slug ?? slugify2(input.title);
     if (!slug) throw new KnowledgeValidationError("cannot derive slug from title");
@@ -36398,7 +36836,8 @@ var KnowledgeService = class {
       scope: input.scope,
       refs,
       createdAt: isoDate,
-      lastVerifiedAt: isoDate
+      lastVerifiedAt: isoDate,
+      structured: input.structured
     };
     const content = serializeFrontmatter(frontmatter, input.body);
     fs.mkdirSync(path2.dirname(filePath), { recursive: true });
@@ -36422,6 +36861,7 @@ var KnowledgeService = class {
         await this.regenerateIndexMd(input.projectId, project.cwd);
       }
     }
+    await this.syncEdgesOnCreate(slug, input.type, input.structured);
     this.scheduleEmbed(slug, input.body);
     const staleness = this.computeStaleness(refs, stalenessCwd, input.scope);
     return {
@@ -36433,6 +36873,25 @@ var KnowledgeService = class {
       isStale: staleness.some((s) => s.commitsSince > 0)
     };
   }
+  // TASK-992: derive ADR-NNN Pillar 3 edges from a new entry's structured
+  // frontmatter so the relationships table stays current without re-running the
+  // migration. feature → REALIZES (task→feature) + IN (feature→workspace);
+  // gotcha → ABOUT (gotcha→feature). Edges are idempotent (INSERT OR IGNORE).
+  // Only createKnowledge calls this — updateKnowledge cannot change structured
+  // fields (it spreads the existing frontmatter), so there is nothing to re-sync.
+  async syncEdgesOnCreate(slug, type, structured) {
+    if (!this.edges || !structured) return;
+    if (type === "feature") {
+      for (const taskId of structured.realizesTasks ?? []) {
+        await this.edges.add(taskId, slug, "REALIZES");
+      }
+      for (const ws of structured.inWorkspaces ?? []) {
+        await this.edges.add(slug, ws, "IN");
+      }
+    } else if (type === "gotcha" && structured.affectedFeatureId) {
+      await this.edges.add(slug, structured.affectedFeatureId, "ABOUT");
+    }
+  }
   async registerExistingKnowledge(input) {
     if (!fs.existsSync(input.filePath)) {
       throw new KnowledgeValidationError(`file not found: ${input.filePath}`);
@@ -36634,6 +37093,25 @@ var KnowledgeService = class {
     }));
     return { slug, refs: staleness, isStale: false, lastVerifiedAt: isoDate };
   }
+  // TASK-988: structured-field validation for the first-class types. A gotcha's
+  // affectedFeatureId must resolve to an existing `feature` entry — otherwise the
+  // ABOUT edge dangles. Other structured fields (effortBand/status enums) are
+  // validated in the frontmatter layer.
+  async validateStructured(input) {
+    const featureId = input.structured?.affectedFeatureId;
+    if (!featureId) return;
+    const target = await this.knowledge.get(featureId);
+    if (!target) {
+      throw new KnowledgeValidationError(
+        `affectedFeatureId "${featureId}" does not resolve to a known knowledge entry`
+      );
+    }
+    if (target.type !== "feature") {
+      throw new KnowledgeValidationError(
+        `affectedFeatureId "${featureId}" is a ${target.type}, expected a feature`
+      );
+    }
+  }
   validateInput(input) {
     if (!KNOWLEDGE_TYPES.includes(input.type)) {
       throw new KnowledgeValidationError(`invalid type: ${input.type}`);
@@ -36887,18 +37365,168 @@ var KnowledgeRepository = class {
   }
 };
 
+// src/core/domain/repositories/code-ref-repository.ts
+function rowToCodeRef(row) {
+  return {
+    slug: row.slug,
+    projectId: row.project_id,
+    workspaceId: row.workspace_id ?? null,
+    path: row.path,
+    symbol: row.symbol ?? null,
+    lineHint: row.line_hint ?? null,
+    commitSha: row.commit_sha ?? null,
+    createdAt: row.created_at,
+    lastVerifiedAt: row.last_verified_at
+  };
+}
+var CodeRefRepository = class {
+  constructor(db) {
+    this.db = db;
+  }
+  db;
+  // Identity = (project_id, path, COALESCE(symbol,'')). A write matching an
+  // existing identity re-pins commit_sha / line_hint / last_verified_at on the
+  // ORIGINAL slug instead of inserting a second row (ADR Pillar 2c). The slug
+  // supplied on such a write is ignored in favour of the existing one.
+  upsert(input, nowIso) {
+    const existing = this.getByIdentity(input.projectId, input.path, input.symbol ?? null);
+    if (existing) {
+      this.db.prepare(
+        `UPDATE code_refs
+             SET commit_sha = ?, line_hint = ?, workspace_id = ?, last_verified_at = ?
+           WHERE slug = ?`
+      ).run(
+        input.commitSha ?? existing.commitSha,
+        input.lineHint ?? existing.lineHint,
+        input.workspaceId ?? existing.workspaceId,
+        nowIso,
+        existing.slug
+      );
+      return this.get(existing.slug);
+    }
+    this.db.prepare(
+      `INSERT INTO code_refs
+           (slug, project_id, workspace_id, path, symbol, line_hint, commit_sha, created_at, last_verified_at)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      input.slug,
+      input.projectId,
+      input.workspaceId ?? null,
+      input.path,
+      input.symbol ?? null,
+      input.lineHint ?? null,
+      input.commitSha ?? null,
+      nowIso,
+      nowIso
+    );
+    return this.get(input.slug);
+  }
+  get(slug) {
+    const row = this.db.prepare("SELECT * FROM code_refs WHERE slug = ?").get(slug);
+    return row ? rowToCodeRef(row) : null;
+  }
+  getByIdentity(projectId, path9, symbol2) {
+    const row = this.db.prepare(
+      "SELECT * FROM code_refs WHERE project_id = ? AND path = ? AND COALESCE(symbol, '') = COALESCE(?, '')"
+    ).get(projectId, path9, symbol2);
+    return row ? rowToCodeRef(row) : null;
+  }
+  // Prefix query over the dotted symbol (ADR Pillar 2c): e.g. all Domain-layer
+  // refs via symbolPrefix = 'Ichiba.Pim.TradingCatalog.Domain.'. Falls back to
+  // a path filter, or lists the whole project when neither is given.
+  listByPrefix(filter) {
+    const where = ["project_id = ?"];
+    const params = [filter.projectId];
+    if (filter.symbolPrefix) {
+      where.push("symbol LIKE ? ESCAPE ?");
+      params.push(`${escapeLike(filter.symbolPrefix)}%`, "\\");
+    }
+    if (filter.path) {
+      where.push("path = ?");
+      params.push(filter.path);
+    }
+    const rows = this.db.prepare(`SELECT * FROM code_refs WHERE ${where.join(" AND ")} ORDER BY symbol, path`).all(...params);
+    return rows.map(rowToCodeRef);
+  }
+  delete(slug) {
+    this.db.prepare("DELETE FROM task_code_refs WHERE code_ref_slug = ?").run(slug);
+    this.db.prepare("DELETE FROM code_refs WHERE slug = ?").run(slug);
+  }
+  // ── TOUCHES edges ──────────────────────────────────────────────────────────
+  addTouches(taskId, codeRefSlug, relation) {
+    this.db.prepare(
+      `INSERT INTO task_code_refs (task_id, code_ref_slug, relation)
+         VALUES (?, ?, ?)
+         ON CONFLICT(task_id, code_ref_slug) DO UPDATE SET relation = excluded.relation`
+    ).run(taskId, codeRefSlug, relation);
+  }
+  removeTouches(taskId, codeRefSlug) {
+    this.db.prepare("DELETE FROM task_code_refs WHERE task_id = ? AND code_ref_slug = ?").run(taskId, codeRefSlug);
+  }
+  getTouchesForTask(taskId) {
+    const rows = this.db.prepare("SELECT * FROM task_code_refs WHERE task_id = ? ORDER BY code_ref_slug").all(taskId);
+    return rows.map((r) => ({
+      taskId: r.task_id,
+      codeRefSlug: r.code_ref_slug,
+      relation: r.relation
+    }));
+  }
+  getTouchesForCodeRef(codeRefSlug) {
+    const rows = this.db.prepare("SELECT * FROM task_code_refs WHERE code_ref_slug = ? ORDER BY task_id").all(codeRefSlug);
+    return rows.map((r) => ({
+      taskId: r.task_id,
+      codeRefSlug: r.code_ref_slug,
+      relation: r.relation
+    }));
+  }
+};
+function escapeLike(s) {
+  return s.replace(/[\\%_]/g, (m) => `\\${m}`);
+}
+
+// src/core/sync/lamport-clock.ts
+function createSyncClockTables(db) {
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS _sync_clock (
+      id INTEGER PRIMARY KEY CHECK (id = 0),
+      counter INTEGER NOT NULL DEFAULT 0
+    )
+  `);
+  db.exec("INSERT OR IGNORE INTO _sync_clock (id, counter) VALUES (0, 0)");
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS _sync_state (
+      id INTEGER PRIMARY KEY CHECK (id = 0),
+      last_pull_at INTEGER NOT NULL DEFAULT 0
+    )
+  `);
+  db.exec("INSERT OR IGNORE INTO _sync_state (id, last_pull_at) VALUES (0, 0)");
+}
+
 // src/core/domain/repositories/schema.ts
-var SCHEMA_VERSION = 4;
+var SCHEMA_VERSION = 6;
 function initSchema(db) {
   createCoreTables(db);
   runLegacyMigrations(db);
   createM1Tables(db);
   createM2Tables(db);
-  createOAuthTables(db);
+  createInvestigationTables(db);
+  dropLegacyOAuthTables(db);
+  addSyncColumns(db);
+  createSyncClockTables(db);
   createIndexes(db);
   cleanupPoisonedTaskIds(db);
   seedSchemaVersion(db);
 }
+function addSyncColumns(db) {
+  for (const table of SYNCABLE_TABLES) {
+    for (const col of SYNC_COLUMNS) {
+      try {
+        db.exec(`ALTER TABLE ${table} ADD COLUMN ${col.name} ${col.sqliteType}`);
+      } catch {
+      }
+    }
+  }
+}
 function seedSchemaVersion(db) {
   db.exec(`
     CREATE TABLE IF NOT EXISTS schema_version (
@@ -37030,6 +37658,10 @@ function runLegacyMigrations(db) {
     db.exec("ALTER TABLE sessions ADD COLUMN checkpoint_at TEXT");
   } catch {
   }
+  try {
+    db.exec("ALTER TABLE sessions ADD COLUMN cc_session_id TEXT");
+  } catch {
+  }
   try {
     db.exec("ALTER TABLE workspaces ADD COLUMN archived_at TEXT");
   } catch {
@@ -37077,6 +37709,34 @@ function migrateSessionsStatus(db) {
   db.exec("DROP TABLE sessions");
   db.exec("ALTER TABLE sessions_new RENAME TO sessions");
 }
+function migrateKnowledgeTypeCheck(db) {
+  const row = db.prepare("SELECT sql FROM sqlite_master WHERE type='table' AND name='knowledge_index'").get();
+  if (!row?.sql) return;
+  if (row.sql.includes("'feature'")) return;
+  const cols = db.pragma("table_info(knowledge_index)").map(
+    (c) => c.name
+  );
+  const colList = cols.join(", ");
+  db.exec(`
+    CREATE TABLE knowledge_index_new (
+      slug TEXT PRIMARY KEY,
+      project_id TEXT NOT NULL,
+      scope TEXT NOT NULL CHECK (scope IN ('project','cross')),
+      type TEXT NOT NULL CHECK (type IN ('spike','decision','postmortem','learning','evaluation','feature','code_ref','gotcha')),
+      title TEXT NOT NULL,
+      file_path TEXT NOT NULL,
+      created_at TEXT NOT NULL,
+      last_verified_at TEXT NOT NULL,
+      embedding_provider_id TEXT,
+      embedding_dims INTEGER,
+      workspace_id TEXT REFERENCES workspaces(id),
+      FOREIGN KEY (project_id) REFERENCES projects(id)
+    )
+  `);
+  db.exec(`INSERT INTO knowledge_index_new (${colList}) SELECT ${colList} FROM knowledge_index`);
+  db.exec("DROP TABLE knowledge_index");
+  db.exec("ALTER TABLE knowledge_index_new RENAME TO knowledge_index");
+}
 var COUNTER_SANE_MAX = 1e5;
 function seedGlobalCounter(db, entityType, selectIdSql, prefixLen) {
   let max = 0;
@@ -37217,6 +37877,7 @@ function createM1Tables(db) {
       created_at TEXT NOT NULL DEFAULT (datetime('now')),
       checkpoint TEXT,
       checkpoint_at TEXT,
+      cc_session_id TEXT,
       FOREIGN KEY (project_id) REFERENCES projects(id)
     )
   `);
@@ -37304,6 +37965,7 @@ function createM1Tables(db) {
     CREATE TABLE IF NOT EXISTS inbox_items (
       id TEXT PRIMARY KEY,
       project_id TEXT,
+      workspace_id TEXT,
       content TEXT NOT NULL,
       status TEXT NOT NULL DEFAULT 'raw',
       linked_task_id TEXT,
@@ -37311,12 +37973,16 @@ function createM1Tables(db) {
       updated_at TEXT NOT NULL DEFAULT (datetime('now'))
     )
   `);
+  try {
+    db.exec("ALTER TABLE inbox_items ADD COLUMN workspace_id TEXT");
+  } catch {
+  }
   db.exec(`
     CREATE TABLE IF NOT EXISTS knowledge_index (
       slug TEXT PRIMARY KEY,
       project_id TEXT NOT NULL,
       scope TEXT NOT NULL CHECK (scope IN ('project','cross')),
-      type TEXT NOT NULL CHECK (type IN ('spike','decision','postmortem','learning','evaluation')),
+      type TEXT NOT NULL CHECK (type IN ('spike','decision','postmortem','learning','evaluation','feature','code_ref','gotcha')),
       title TEXT NOT NULL,
       file_path TEXT NOT NULL,
       created_at TEXT NOT NULL,
@@ -37338,6 +38004,37 @@ function createM1Tables(db) {
     db.exec("ALTER TABLE knowledge_index ADD COLUMN workspace_id TEXT REFERENCES workspaces(id)");
   } catch {
   }
+  migrateKnowledgeTypeCheck(db);
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS code_refs (
+      slug TEXT PRIMARY KEY,
+      project_id TEXT NOT NULL,
+      workspace_id TEXT,
+      path TEXT NOT NULL,
+      symbol TEXT,
+      line_hint INTEGER,
+      commit_sha TEXT,
+      created_at TEXT NOT NULL,
+      last_verified_at TEXT NOT NULL,
+      FOREIGN KEY (project_id) REFERENCES projects(id)
+    )
+  `);
+  db.exec(
+    "CREATE UNIQUE INDEX IF NOT EXISTS idx_code_refs_identity ON code_refs(project_id, path, COALESCE(symbol, ''))"
+  );
+  db.exec("CREATE INDEX IF NOT EXISTS idx_code_refs_symbol ON code_refs(project_id, symbol)");
+  db.exec("CREATE INDEX IF NOT EXISTS idx_code_refs_path ON code_refs(project_id, path)");
+  db.exec(`
+    CREATE TABLE IF NOT EXISTS task_code_refs (
+      task_id TEXT NOT NULL,
+      code_ref_slug TEXT NOT NULL,
+      relation TEXT NOT NULL CHECK (relation IN ('modifies','reference')),
+      PRIMARY KEY (task_id, code_ref_slug),
+      FOREIGN KEY (code_ref_slug) REFERENCES code_refs(slug)
+    )
+  `);
+  db.exec("CREATE INDEX IF NOT EXISTS idx_task_code_refs_task ON task_code_refs(task_id)");
+  db.exec("CREATE INDEX IF NOT EXISTS idx_task_code_refs_slug ON task_code_refs(code_ref_slug)");
   db.exec(`
     CREATE TABLE IF NOT EXISTS tool_invocations (
       id INTEGER PRIMARY KEY,
@@ -37377,37 +38074,52 @@ function createM2Tables(db) {
     )
   `);
 }
-function createOAuthTables(db) {
+function createInvestigationTables(db) {
   db.exec(`
-    CREATE TABLE IF NOT EXISTS oauth_clients (
-      client_id TEXT PRIMARY KEY,
-      client_name TEXT NOT NULL,
-      redirect_uris TEXT NOT NULL,
-      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    CREATE TABLE IF NOT EXISTS investigations (
+      id TEXT PRIMARY KEY,
+      symptom TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'exploring' CHECK (status IN ('exploring','confirmed','resolved')),
+      task_id TEXT,
+      session_id TEXT,
+      root_cause TEXT,
+      fix_summary TEXT,
+      pattern_tag TEXT,
+      created_at TEXT NOT NULL,
+      resolved_at TEXT
     )
   `);
   db.exec(`
-    CREATE TABLE IF NOT EXISTS oauth_auth_codes (
-      code TEXT PRIMARY KEY,
-      client_id TEXT NOT NULL REFERENCES oauth_clients(client_id),
-      code_challenge TEXT NOT NULL,
-      code_challenge_method TEXT NOT NULL CHECK (code_challenge_method = 'S256'),
-      redirect_uri TEXT NOT NULL,
-      expires_at TEXT NOT NULL,
-      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    CREATE TABLE IF NOT EXISTS hypotheses (
+      id TEXT PRIMARY KEY,
+      investigation_id TEXT NOT NULL,
+      description TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'testing' CHECK (status IN ('testing','ruled_out','confirmed')),
+      created_at TEXT NOT NULL,
+      FOREIGN KEY (investigation_id) REFERENCES investigations(id)
     )
   `);
   db.exec(`
-    CREATE TABLE IF NOT EXISTS oauth_tokens (
-      access_token TEXT PRIMARY KEY,
-      refresh_token TEXT UNIQUE NOT NULL,
-      client_id TEXT NOT NULL REFERENCES oauth_clients(client_id),
-      access_expires_at TEXT NOT NULL,
-      refresh_expires_at TEXT NOT NULL,
-      revoked INTEGER NOT NULL DEFAULT 0,
-      created_at TEXT NOT NULL DEFAULT (datetime('now'))
+    CREATE TABLE IF NOT EXISTS evidence (
+      id TEXT PRIMARY KEY,
+      investigation_id TEXT NOT NULL,
+      hypothesis_id TEXT,
+      type TEXT NOT NULL CHECK (type IN ('screenshot','log','network','code_snippet')),
+      ref TEXT NOT NULL,
+      note TEXT,
+      created_at TEXT NOT NULL,
+      FOREIGN KEY (investigation_id) REFERENCES investigations(id),
+      FOREIGN KEY (hypothesis_id) REFERENCES hypotheses(id)
     )
   `);
+  db.exec("CREATE INDEX IF NOT EXISTS idx_hypotheses_investigation ON hypotheses(investigation_id)");
+  db.exec("CREATE INDEX IF NOT EXISTS idx_evidence_investigation ON evidence(investigation_id)");
+  db.exec("CREATE INDEX IF NOT EXISTS idx_evidence_hypothesis ON evidence(hypothesis_id)");
+}
+function dropLegacyOAuthTables(db) {
+  db.exec("DROP TABLE IF EXISTS oauth_auth_codes");
+  db.exec("DROP TABLE IF EXISTS oauth_tokens");
+  db.exec("DROP TABLE IF EXISTS oauth_clients");
 }
 function createIndexes(db) {
   db.exec("CREATE INDEX IF NOT EXISTS idx_tasks_project ON tasks(project_id)");
@@ -37433,6 +38145,7 @@ function createIndexes(db) {
   );
   db.exec("CREATE INDEX IF NOT EXISTS idx_inbox_project ON inbox_items(project_id)");
   db.exec("CREATE INDEX IF NOT EXISTS idx_inbox_status ON inbox_items(project_id, status)");
+  db.exec("CREATE INDEX IF NOT EXISTS idx_inbox_workspace ON inbox_items(workspace_id)");
   db.exec(
     "CREATE INDEX IF NOT EXISTS idx_conversations_owner_session ON conversations(owner_session_id)"
   );
@@ -37452,16 +38165,6 @@ function createIndexes(db) {
   db.exec(
     "CREATE INDEX IF NOT EXISTS idx_agent_memories_recall ON agent_memories(importance DESC, recall_count DESC)"
   );
-  db.exec(
-    "CREATE INDEX IF NOT EXISTS idx_oauth_auth_codes_client ON oauth_auth_codes(client_id)"
-  );
-  db.exec(
-    "CREATE INDEX IF NOT EXISTS idx_oauth_auth_codes_expires ON oauth_auth_codes(expires_at)"
-  );
-  db.exec("CREATE INDEX IF NOT EXISTS idx_oauth_tokens_client ON oauth_tokens(client_id)");
-  db.exec(
-    "CREATE INDEX IF NOT EXISTS idx_oauth_tokens_access_expires ON oauth_tokens(access_expires_at)"
-  );
 }
 function cleanupPoisonedTaskIds(db) {
   const rows = db.prepare("SELECT id FROM tasks WHERE id GLOB 'TASK-[0-9]*'").all();
@@ -37952,6 +38655,14 @@ var RelationshipRepository = class {
     const rows = type ? this.db.prepare("SELECT * FROM relationships WHERE from_id = ? AND type = ?").all(itemId, type) : this.db.prepare("SELECT * FROM relationships WHERE from_id = ?").all(itemId);
     return rows.map(rowToRelationship);
   }
+  // Inbound counterpart to getFrom — edges pointing AT itemId. Needed for the
+  // ADR-NNN graph queries whose answer is the source node: "which tasks REALIZE
+  // this feature?" = getTo(featureSlug, 'REALIZES') → from_ids; "which gotchas
+  // are ABOUT it?" = getTo(featureSlug, 'ABOUT').
+  getTo(itemId, type) {
+    const rows = type ? this.db.prepare("SELECT * FROM relationships WHERE to_id = ? AND type = ?").all(itemId, type) : this.db.prepare("SELECT * FROM relationships WHERE to_id = ?").all(itemId);
+    return rows.map(rowToRelationship);
+  }
 };
 
 // src/core/domain/repositories/session-repository.ts
@@ -37964,6 +38675,7 @@ function rowToSession(row) {
     startedAt: row.started_at,
     endedAt: row.ended_at || null,
     status: row.status,
+    ccSessionId: row.cc_session_id || null,
     handoff: row.handoff_json ? JSON.parse(row.handoff_json) : null,
     checkpoint: row.checkpoint ? JSON.parse(row.checkpoint) : null,
     checkpointAt: row.checkpoint_at || null,
@@ -37980,8 +38692,8 @@ var SessionRepository = class {
     const id = input.id || generateId("SESSION");
     const startedAt = input.startedAt || ts;
     this.db.prepare(
-      `INSERT INTO sessions (id, project_id, workspace_id, task_id, started_at, status, handoff_json, created_at)
-       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+      `INSERT INTO sessions (id, project_id, workspace_id, task_id, started_at, status, cc_session_id, handoff_json, created_at)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
     ).run(
       id,
       input.projectId,
@@ -37989,6 +38701,7 @@ var SessionRepository = class {
       input.taskId || null,
       startedAt,
       input.status || "active",
+      input.ccSessionId || null,
       input.handoff ? JSON.stringify(input.handoff) : null,
       ts
     );
@@ -38415,6 +39128,7 @@ function rowToInbox(row) {
   return {
     id: row.id,
     projectId: row.project_id || null,
+    workspaceId: row.workspace_id || null,
     content: row.content,
     status: row.status,
     linkedTaskId: row.linked_task_id || null,
@@ -38437,9 +39151,9 @@ var InboxRepository = class {
     const projectId = input.projectId ?? null;
     const id = this.nextInboxId();
     this.db.prepare(
-      `INSERT INTO inbox_items (id, project_id, content, status, created_at, updated_at)
-         VALUES (?, ?, ?, 'raw', ?, ?)`
-    ).run(id, projectId, input.content, ts, ts);
+      `INSERT INTO inbox_items (id, project_id, workspace_id, content, status, linked_task_id, created_at, updated_at)
+         VALUES (?, ?, ?, ?, 'raw', ?, ?, ?)`
+    ).run(id, projectId, input.workspaceId ?? null, input.content, input.linkedTaskId ?? null, ts, ts);
     return this.get(id);
   }
   update(id, input) {
@@ -38453,6 +39167,10 @@ var InboxRepository = class {
       sets.push("status = ?");
       params.push(input.status);
     }
+    if (input.workspaceId !== void 0) {
+      sets.push("workspace_id = ?");
+      params.push(input.workspaceId);
+    }
     if (input.linkedTaskId !== void 0) {
       sets.push("linked_task_id = ?");
       params.push(input.linkedTaskId);
@@ -38481,6 +39199,14 @@ var InboxRepository = class {
         params.push(filter.projectId);
       }
     }
+    if (filter.workspaceId !== void 0) {
+      if (filter.workspaceId === null) {
+        wheres.push("workspace_id IS NULL");
+      } else {
+        wheres.push("workspace_id = ?");
+        params.push(filter.workspaceId);
+      }
+    }
     if (filter.status) {
       wheres.push("status = ?");
       params.push(filter.status);
@@ -38723,11 +39449,14 @@ var SqliteTaskService = class {
   toolInvocations;
   sessionEvents;
   agentMemories;
+  investigations;
   inboxLifecycle;
   conversationLifecycle;
   sessionLifecycle;
+  investigationLifecycle;
   knowledgeRepo;
   knowledgeService;
+  codeRefs;
   embeddingStore;
   embeddingProviderPromise;
   embeddingReadyPromise = null;
@@ -38756,6 +39485,8 @@ var SqliteTaskService = class {
     this.contextSources = new ContextSourceRepository(this.db);
     this.conversations = new ConversationRepository(this.db);
     this.inbox = new InboxRepository(this.db, this.counters);
+    this.investigations = new InvestigationRepository(this.db, this.counters);
+    this.investigationLifecycle = new InvestigationLifecycleService(this.db, this.investigations);
     this.inboxLifecycle = new InboxLifecycleService(
       this.db,
       this.inbox,
@@ -38768,6 +39499,7 @@ var SqliteTaskService = class {
       this.tasks,
       this.sessions
     );
+    this.codeRefs = new CodeRefRepository(this.db);
     this.sessionLifecycle = new SessionLifecycleService(
       this.db,
       this.sessions,
@@ -38775,6 +39507,8 @@ var SqliteTaskService = class {
       this.conversations,
       this.tasks,
       this.sessionEvents,
+      this.relationships,
+      this.codeRefs,
       (input) => this.recallMemoriesSync(input)
     );
     this.knowledgeRepo = new KnowledgeRepository(this.db);
@@ -38783,7 +39517,8 @@ var SqliteTaskService = class {
       projects: this.projects,
       workspaces: this.workspaces,
       embeddingStore: this.embeddingStore,
-      embeddingProvider: () => this.embeddingProviderPromise
+      embeddingProvider: () => this.embeddingProviderPromise,
+      edges: this.relationships
     });
   }
   // ── Lifecycle ──────────────────────────────────────────────────────────────
@@ -38924,6 +39659,9 @@ var SqliteTaskService = class {
   async getRelationshipsFrom(itemId, type) {
     return this.relationships.getFrom(itemId, type);
   }
+  async getRelationshipsTo(itemId, type) {
+    return this.relationships.getTo(itemId, type);
+  }
   // ── Session operations (M1) ────────────────────────────────────────────────
   async createSession(input) {
     return this.sessions.create(input);
@@ -39015,6 +39753,9 @@ var SqliteTaskService = class {
     return this.conversations.findByLink(linkedType, linkedId);
   }
   // ── Inbox ──────────────────────────────────────────────────────────────────
+  async fetchSince(since) {
+    return fetchSinceFromSqlite(this.db, since);
+  }
   async createInbox(input) {
     return this.inbox.create(input);
   }
@@ -39066,6 +39807,25 @@ var SqliteTaskService = class {
   async resumeSession(id) {
     return this.sessionLifecycle.resumeSession(id);
   }
+  // ── Investigation lifecycle (ADR-035, stdio-only) ──────────────────────────
+  async startInvestigation(input) {
+    return this.investigationLifecycle.startInvestigation(input);
+  }
+  async addHypothesis(investigationId, description) {
+    return this.investigationLifecycle.addHypothesis(investigationId, description);
+  }
+  async setHypothesisStatus(hypothesisId, status) {
+    return this.investigationLifecycle.setHypothesisStatus(hypothesisId, status);
+  }
+  async addEvidence(input) {
+    return this.investigationLifecycle.addEvidence(input);
+  }
+  async resolveInvestigation(id, input) {
+    return this.investigationLifecycle.resolveInvestigation(id, input);
+  }
+  async getInvestigation(id) {
+    return this.investigationLifecycle.getInvestigation(id);
+  }
   // ── Knowledge ─────────────────────────────────────────────────────────────
   async createKnowledge(input) {
     return this.knowledgeService.createKnowledge(input);
@@ -39091,6 +39851,31 @@ var SqliteTaskService = class {
   searchKnowledge(query, k) {
     return this.knowledgeService.searchKnowledge(query, k);
   }
+  // ── Code refs + TOUCHES edges (TASK-988) ────────────────────────────────────
+  async upsertCodeRef(input) {
+    return this.codeRefs.upsert(input, (/* @__PURE__ */ new Date()).toISOString().slice(0, 10));
+  }
+  async getCodeRef(slug) {
+    return this.codeRefs.get(slug);
+  }
+  async listCodeRefsByPrefix(filter) {
+    return this.codeRefs.listByPrefix(filter);
+  }
+  async deleteCodeRef(slug) {
+    this.codeRefs.delete(slug);
+  }
+  async addTouches(taskId, codeRefSlug, relation) {
+    this.codeRefs.addTouches(taskId, codeRefSlug, relation);
+  }
+  async removeTouches(taskId, codeRefSlug) {
+    this.codeRefs.removeTouches(taskId, codeRefSlug);
+  }
+  async getTouchesForTask(taskId) {
+    return this.codeRefs.getTouchesForTask(taskId);
+  }
+  async getTouchesForCodeRef(codeRefSlug) {
+    return this.codeRefs.getTouchesForCodeRef(codeRefSlug);
+  }
   // ── Session Events ─────────────────────────────────────────────────────────
   async createSessionEvent(input) {
     return this.sessionEvents.create(input);
@@ -39185,6 +39970,15 @@ function loadVecExtension(db) {
 }
 
 // src/core/domain/repositories/postgres/migrations.ts
+function buildSyncColumnsSql() {
+  const lines = [];
+  for (const table of SYNCABLE_TABLES) {
+    for (const col of SYNC_COLUMNS) {
+      lines.push(`ALTER TABLE ${table} ADD COLUMN IF NOT EXISTS ${col.name} ${col.pgType};`);
+    }
+  }
+  return lines.join("\n");
+}
 var MIGRATIONS = [
   {
     name: "001_init",
@@ -39350,6 +40144,15 @@ var MIGRATIONS = [
       CREATE INDEX IF NOT EXISTS inbox_status_idx ON inbox_items (project_id, status);
     `
   },
+  {
+    // P6 (ADR-032 Pillar 6, TASK-993): nullable workspace scope on inbox, filled
+    // progressively. inbox_add is remote-allowlisted, so the PG path must persist it.
+    name: "009_inbox_workspace",
+    sql: `
+      ALTER TABLE inbox_items ADD COLUMN IF NOT EXISTS workspace_id TEXT;
+      CREATE INDEX IF NOT EXISTS inbox_workspace_idx ON inbox_items (workspace_id);
+    `
+  },
   {
     // TASK-972 Phase 1 (additive) — signed_off_json column + conversation_message_reads
     // side-table. PG equivalents of SQLite's INSERT OR IGNORE = ON CONFLICT DO NOTHING;
@@ -39430,6 +40233,40 @@ var MIGRATIONS = [
       CREATE INDEX IF NOT EXISTS oauth_tokens_client_idx ON oauth_tokens (client_id);
       CREATE INDEX IF NOT EXISTS oauth_tokens_access_expires_idx ON oauth_tokens (access_expires_at);
     `
+  },
+  {
+    // ADR-034: drop the ADR-027 self-issued OAuth store. Keycloak now issues and
+    // stores tokens; choda-deck only validates Keycloak JWTs. 010_oauth stays in
+    // history (already applied on existing deploys) — this migration removes it.
+    name: "011_drop_oauth",
+    sql: `
+      DROP TABLE IF EXISTS oauth_auth_codes;
+      DROP TABLE IF EXISTS oauth_tokens;
+      DROP TABLE IF EXISTS oauth_clients;
+    `
+  },
+  {
+    // ADR-030 Phase 1 (TASK-978) — additive sync metadata (updated_at / deleted_at
+    // / origin) on every syncable entity table. Mirrors schema.ts addSyncColumns;
+    // both generate from src/core/sync/syncable-tables.ts. No _sync_clock/_sync_state
+    // singletons here — the Lamport clock is a local-SQLite concern (Postgres is
+    // canonical and stamps updated_at server-side in Phase 2+).
+    name: "012_sync_columns",
+    sql: buildSyncColumnsSql()
+  },
+  {
+    // ADR-030 Phase 2 (TASK-978) — server-side Lamport clock for the remote
+    // (Postgres canonical) writer. inbox_add stamps sync_updated_at from this
+    // counter so the local pull can order remote changes. Singleton row pinned
+    // at id = 0 (mirrors SQLite's _sync_clock).
+    name: "013_sync_clock",
+    sql: `
+      CREATE TABLE IF NOT EXISTS _sync_clock (
+        id INTEGER PRIMARY KEY CHECK (id = 0),
+        counter BIGINT NOT NULL DEFAULT 0
+      );
+      INSERT INTO _sync_clock (id, counter) VALUES (0, 0) ON CONFLICT (id) DO NOTHING;
+    `
   }
 ];
 async function migrate(conn) {
@@ -39790,11 +40627,61 @@ var PostgresConversationRepository = class {
   }
 };
 
+// node_modules/pg/esm/index.mjs
+var import_lib = __toESM(require_lib2(), 1);
+var Client = import_lib.default.Client;
+var Pool = import_lib.default.Pool;
+var Connection = import_lib.default.Connection;
+var types = import_lib.default.types;
+var Query = import_lib.default.Query;
+var DatabaseError = import_lib.default.DatabaseError;
+var escapeIdentifier = import_lib.default.escapeIdentifier;
+var escapeLiteral = import_lib.default.escapeLiteral;
+var Result = import_lib.default.Result;
+var TypeOverrides = import_lib.default.TypeOverrides;
+var defaults = import_lib.default.defaults;
+
+// src/core/domain/repositories/postgres/connection.ts
+async function runInTx(q, fn) {
+  if (q.transaction) return q.transaction(fn);
+  return fn(q);
+}
+var PgConnection = class {
+  pool;
+  constructor(config2) {
+    this.pool = typeof config2 === "string" ? new Pool({ connectionString: config2 }) : new Pool(config2);
+  }
+  async query(text, params) {
+    return this.pool.query(text, params);
+  }
+  async transaction(fn) {
+    const client = await this.pool.connect();
+    try {
+      await client.query("BEGIN");
+      const result = await fn(client);
+      await client.query("COMMIT");
+      return result;
+    } catch (err) {
+      try {
+        await client.query("ROLLBACK");
+      } catch {
+      }
+      throw err;
+    } finally {
+      client.release();
+    }
+  }
+  async close() {
+    await this.pool.end();
+  }
+};
+
 // src/core/domain/repositories/postgres/inbox-repository.pg.ts
 function mapRow5(row) {
   return {
     id: row.id,
     projectId: row.project_id,
+    workspaceId: row.workspace_id,
     content: row.content,
     status: row.status,
     linkedTaskId: row.linked_task_id,
@@ -39802,7 +40689,7 @@ function mapRow5(row) {
     updatedAt: row.updated_at
   };
 }
-var SELECT_COLS3 = "id, project_id, content, status, linked_task_id, created_at, updated_at";
+var SELECT_COLS3 = "id, project_id, workspace_id, content, status, linked_task_id, created_at, updated_at";
 var PostgresInboxRepository = class {
   constructor(conn, counters) {
     this.conn = conn;
@@ -39817,11 +40704,25 @@ var PostgresInboxRepository = class {
   async create(input) {
     const ts = now();
     const id = await this.nextInboxId();
-    await this.conn.query(
-      `INSERT INTO inbox_items (id, project_id, content, status, created_at, updated_at)
-       VALUES ($1, $2, $3, 'raw', $4, $4)`,
-      [id, input.projectId ?? null, input.content, ts]
-    );
+    await runInTx(this.conn, async (tx) => {
+      const clk = await tx.query(
+        "UPDATE _sync_clock SET counter = counter + 1 WHERE id = 0 RETURNING counter"
+      );
+      const lamport = Number(clk.rows[0].counter);
+      await tx.query(
+        `INSERT INTO inbox_items (id, project_id, workspace_id, content, status, linked_task_id, created_at, updated_at, sync_updated_at, sync_origin)
+         VALUES ($1, $2, $3, $4, 'raw', $5, $6, $6, $7, 'remote')`,
+        [
+          id,
+          input.projectId ?? null,
+          input.workspaceId ?? null,
+          input.content,
+          input.linkedTaskId ?? null,
+          ts,
+          lamport
+        ]
+      );
+    });
     const got = await this.get(id);
     if (!got) throw new Error(`Inbox item disappeared after insert: ${id}`);
     return got;
@@ -39846,6 +40747,14 @@ var PostgresInboxRepository = class {
         params.push(filter.projectId);
       }
     }
+    if (filter.workspaceId !== void 0) {
+      if (filter.workspaceId === null) {
+        wheres.push("workspace_id IS NULL");
+      } else {
+        wheres.push(`workspace_id = $${n++}`);
+        params.push(filter.workspaceId);
+      }
+    }
     if (filter.status) {
       wheres.push(`status = $${n++}`);
       params.push(filter.status);
@@ -39955,54 +40864,8 @@ var PostgresTaskService = class {
   async getConversationActions(conversationId) {
     return this.conversations.getActions(conversationId);
   }
-};
-
-// node_modules/pg/esm/index.mjs
-var import_lib = __toESM(require_lib2(), 1);
-var Client = import_lib.default.Client;
-var Pool = import_lib.default.Pool;
-var Connection = import_lib.default.Connection;
-var types = import_lib.default.types;
-var Query = import_lib.default.Query;
-var DatabaseError = import_lib.default.DatabaseError;
-var escapeIdentifier = import_lib.default.escapeIdentifier;
-var escapeLiteral = import_lib.default.escapeLiteral;
-var Result = import_lib.default.Result;
-var TypeOverrides = import_lib.default.TypeOverrides;
-var defaults = import_lib.default.defaults;
-
-// src/core/domain/repositories/postgres/connection.ts
-async function runInTx(q, fn) {
-  if (q.transaction) return q.transaction(fn);
-  return fn(q);
-}
-var PgConnection = class {
-  pool;
-  constructor(config2) {
-    this.pool = typeof config2 === "string" ? new Pool({ connectionString: config2 }) : new Pool(config2);
-  }
-  async query(text, params) {
-    return this.pool.query(text, params);
-  }
-  async transaction(fn) {
-    const client = await this.pool.connect();
-    try {
-      await client.query("BEGIN");
-      const result = await fn(client);
-      await client.query("COMMIT");
-      return result;
-    } catch (err) {
-      try {
-        await client.query("ROLLBACK");
-      } catch {
-      }
-      throw err;
-    } finally {
-      client.release();
-    }
-  }
-  async close() {
-    await this.pool.end();
+  async fetchSince(since) {
+    return fetchSinceFromPg(this.conn, since);
   }
 };
 
@@ -40035,346 +40898,6 @@ function requireBackendForTransport(backend, transport) {
   }
 }
 
-// src/core/domain/repositories/oauth-repository.ts
-var import_crypto = require("crypto");
-var OAuthRepository = class {
-  constructor(db) {
-    this.db = db;
-    this.insertClient = db.prepare(
-      `INSERT INTO oauth_clients (client_id, client_name, redirect_uris)
-       VALUES (?, ?, ?)`
-    );
-    this.selectClient = db.prepare("SELECT * FROM oauth_clients WHERE client_id = ?");
-    this.insertAuthCode = db.prepare(
-      `INSERT INTO oauth_auth_codes
-         (code, client_id, code_challenge, code_challenge_method, redirect_uri, expires_at)
-       VALUES (?, ?, ?, 'S256', ?, ?)`
-    );
-    this.consumeAuthCodeStmt = db.prepare(
-      "DELETE FROM oauth_auth_codes WHERE code = ? RETURNING *"
-    );
-    this.insertToken = db.prepare(
-      `INSERT INTO oauth_tokens
-         (access_token, refresh_token, client_id, access_expires_at, refresh_expires_at)
-       VALUES (?, ?, ?, ?, ?)`
-    );
-    this.selectAccessToken = db.prepare(
-      "SELECT * FROM oauth_tokens WHERE access_token = ? AND revoked = 0"
-    );
-    this.selectRefreshToken = db.prepare(
-      "SELECT * FROM oauth_tokens WHERE refresh_token = ?"
-    );
-    this.markRevoked = db.prepare(
-      "UPDATE oauth_tokens SET revoked = 1 WHERE access_token = ?"
-    );
-    this.revokeAllForClient = db.prepare(
-      "UPDATE oauth_tokens SET revoked = 1 WHERE client_id = ?"
-    );
-  }
-  db;
-  insertClient;
-  selectClient;
-  insertAuthCode;
-  consumeAuthCodeStmt;
-  insertToken;
-  selectAccessToken;
-  selectRefreshToken;
-  markRevoked;
-  revokeAllForClient;
-  async registerClient(input) {
-    const clientId = `cdck_cli_${randomToken(16)}`;
-    this.insertClient.run(clientId, input.clientName, JSON.stringify(input.redirectUris));
-    const row = this.selectClient.get(clientId);
-    return rowToClient(row);
-  }
-  async getClient(clientId) {
-    const row = this.selectClient.get(clientId);
-    return row ? rowToClient(row) : null;
-  }
-  async createAuthCode(input) {
-    const code = `cdck_code_${randomToken(32)}`;
-    const expiresAt = isoFromNow(input.ttlSeconds);
-    this.insertAuthCode.run(
-      code,
-      input.clientId,
-      input.codeChallenge,
-      input.redirectUri,
-      expiresAt
-    );
-    return {
-      code,
-      clientId: input.clientId,
-      codeChallenge: input.codeChallenge,
-      redirectUri: input.redirectUri,
-      expiresAt
-    };
-  }
-  // Single-use: deletes the row even if expired. Caller must check expiresAt.
-  async consumeAuthCode(code) {
-    const row = this.consumeAuthCodeStmt.get(code);
-    if (!row) return null;
-    return {
-      code: row.code,
-      clientId: row.client_id,
-      codeChallenge: row.code_challenge,
-      redirectUri: row.redirect_uri,
-      expiresAt: row.expires_at
-    };
-  }
-  async createTokens(input) {
-    const accessToken = `cdck_at_${randomToken(32)}`;
-    const refreshToken = `cdck_rt_${randomToken(32)}`;
-    const accessExpiresAt = isoFromNow(input.accessTtlSeconds);
-    const refreshExpiresAt = isoFromNow(input.refreshTtlSeconds);
-    this.insertToken.run(
-      accessToken,
-      refreshToken,
-      input.clientId,
-      accessExpiresAt,
-      refreshExpiresAt
-    );
-    return {
-      accessToken,
-      refreshToken,
-      clientId: input.clientId,
-      accessExpiresAt,
-      refreshExpiresAt
-    };
-  }
-  // Returns the row only if not revoked and not expired. Otherwise null.
-  async validateAccessToken(accessToken) {
-    const row = this.selectAccessToken.get(accessToken);
-    if (!row) return null;
-    if (Date.parse(row.access_expires_at) <= Date.now()) return null;
-    return rowToToken(row);
-  }
-  // Atomic transaction: detect replay (revoked refresh) → revoke chain;
-  // detect expiry → invalid_grant; happy path → mark old revoked + insert new.
-  async rotateRefresh(refreshToken, ttls) {
-    const tx = this.db.transaction(() => {
-      const row = this.selectRefreshToken.get(refreshToken);
-      if (!row) return { ok: false, error: "invalid_grant" };
-      if (row.revoked === 1) {
-        this.revokeAllForClient.run(row.client_id);
-        return { ok: false, error: "replay_detected" };
-      }
-      if (Date.parse(row.refresh_expires_at) <= Date.now()) {
-        return { ok: false, error: "invalid_grant" };
-      }
-      this.markRevoked.run(row.access_token);
-      const accessToken = `cdck_at_${randomToken(32)}`;
-      const newRefreshToken = `cdck_rt_${randomToken(32)}`;
-      const accessExpiresAt = isoFromNow(ttls.accessTtlSeconds);
-      const refreshExpiresAt = isoFromNow(ttls.refreshTtlSeconds);
-      this.insertToken.run(
-        accessToken,
-        newRefreshToken,
-        row.client_id,
-        accessExpiresAt,
-        refreshExpiresAt
-      );
-      return {
-        ok: true,
-        tokens: {
-          accessToken,
-          refreshToken: newRefreshToken,
-          clientId: row.client_id,
-          accessExpiresAt,
-          refreshExpiresAt
-        }
-      };
-    });
-    return tx();
-  }
-};
-function rowToClient(row) {
-  return {
-    clientId: row.client_id,
-    clientName: row.client_name,
-    redirectUris: JSON.parse(row.redirect_uris),
-    createdAt: row.created_at
-  };
-}
-function rowToToken(row) {
-  return {
-    accessToken: row.access_token,
-    refreshToken: row.refresh_token,
-    clientId: row.client_id,
-    accessExpiresAt: row.access_expires_at,
-    refreshExpiresAt: row.refresh_expires_at
-  };
-}
-function randomToken(bytes) {
-  return (0, import_crypto.randomBytes)(bytes).toString("base64url");
-}
-function isoFromNow(seconds) {
-  return new Date(Date.now() + seconds * 1e3).toISOString();
-}
-
-// src/core/domain/repositories/postgres/oauth-repository.pg.ts
-var import_crypto2 = require("crypto");
-function rowToClient2(row) {
-  return {
-    clientId: row.client_id,
-    clientName: row.client_name,
-    redirectUris: row.redirect_uris,
-    createdAt: row.created_at.toISOString()
-  };
-}
-function rowToToken2(row) {
-  return {
-    accessToken: row.access_token,
-    refreshToken: row.refresh_token,
-    clientId: row.client_id,
-    accessExpiresAt: row.access_expires_at,
-    refreshExpiresAt: row.refresh_expires_at
-  };
-}
-function randomToken2(bytes) {
-  return (0, import_crypto2.randomBytes)(bytes).toString("base64url");
-}
-function isoFromNow2(seconds) {
-  return new Date(Date.now() + seconds * 1e3).toISOString();
-}
-var PostgresOAuthRepository = class {
-  constructor(conn) {
-    this.conn = conn;
-  }
-  conn;
-  async registerClient(input) {
-    const clientId = `cdck_cli_${randomToken2(16)}`;
-    const result = await this.conn.query(
-      `INSERT INTO oauth_clients (client_id, client_name, redirect_uris)
-       VALUES ($1, $2, $3::jsonb)
-       RETURNING client_id, client_name, redirect_uris, created_at`,
-      [clientId, input.clientName, JSON.stringify(input.redirectUris)]
-    );
-    return rowToClient2(result.rows[0]);
-  }
-  async getClient(clientId) {
-    const result = await this.conn.query(
-      `SELECT client_id, client_name, redirect_uris, created_at
-       FROM oauth_clients WHERE client_id = $1`,
-      [clientId]
-    );
-    const row = result.rows[0];
-    return row ? rowToClient2(row) : null;
-  }
-  async createAuthCode(input) {
-    const code = `cdck_code_${randomToken2(32)}`;
-    const expiresAt = isoFromNow2(input.ttlSeconds);
-    await this.conn.query(
-      `INSERT INTO oauth_auth_codes
-         (code, client_id, code_challenge, code_challenge_method, redirect_uri, expires_at)
-       VALUES ($1, $2, $3, 'S256', $4, $5)`,
-      [code, input.clientId, input.codeChallenge, input.redirectUri, expiresAt]
-    );
-    return {
-      code,
-      clientId: input.clientId,
-      codeChallenge: input.codeChallenge,
-      redirectUri: input.redirectUri,
-      expiresAt
-    };
-  }
-  // Single-use: DELETE...RETURNING removes the row even if expired.
-  // Caller is expected to check expiresAt.
-  async consumeAuthCode(code) {
-    const result = await this.conn.query(
-      `DELETE FROM oauth_auth_codes WHERE code = $1
-       RETURNING code, client_id, code_challenge, redirect_uri, expires_at`,
-      [code]
-    );
-    const row = result.rows[0];
-    if (!row) return null;
-    return {
-      code: row.code,
-      clientId: row.client_id,
-      codeChallenge: row.code_challenge,
-      redirectUri: row.redirect_uri,
-      expiresAt: row.expires_at
-    };
-  }
-  async createTokens(input) {
-    const accessToken = `cdck_at_${randomToken2(32)}`;
-    const refreshToken = `cdck_rt_${randomToken2(32)}`;
-    const accessExpiresAt = isoFromNow2(input.accessTtlSeconds);
-    const refreshExpiresAt = isoFromNow2(input.refreshTtlSeconds);
-    await this.conn.query(
-      `INSERT INTO oauth_tokens
-         (access_token, refresh_token, client_id, access_expires_at, refresh_expires_at)
-       VALUES ($1, $2, $3, $4, $5)`,
-      [accessToken, refreshToken, input.clientId, accessExpiresAt, refreshExpiresAt]
-    );
-    return {
-      accessToken,
-      refreshToken,
-      clientId: input.clientId,
-      accessExpiresAt,
-      refreshExpiresAt
-    };
-  }
-  // Returns the row only if not revoked AND not expired. Otherwise null.
-  async validateAccessToken(accessToken) {
-    const result = await this.conn.query(
-      `SELECT access_token, refresh_token, client_id, access_expires_at,
-              refresh_expires_at, revoked
-       FROM oauth_tokens WHERE access_token = $1 AND revoked = FALSE`,
-      [accessToken]
-    );
-    const row = result.rows[0];
-    if (!row) return null;
-    if (Date.parse(row.access_expires_at) <= Date.now()) return null;
-    return rowToToken2(row);
-  }
-  // Atomic: detect replay (revoked refresh) → revoke chain;
-  // detect expiry → invalid_grant; happy path → mark old revoked + insert new.
-  async rotateRefresh(refreshToken, ttls) {
-    return runInTx(this.conn, async (tx) => {
-      const lookup = await tx.query(
-        `SELECT access_token, refresh_token, client_id, access_expires_at,
-                refresh_expires_at, revoked
-         FROM oauth_tokens WHERE refresh_token = $1`,
-        [refreshToken]
-      );
-      const row = lookup.rows[0];
-      if (!row) return { ok: false, error: "invalid_grant" };
-      if (row.revoked) {
-        await tx.query("UPDATE oauth_tokens SET revoked = TRUE WHERE client_id = $1", [
-          row.client_id
-        ]);
-        return { ok: false, error: "replay_detected" };
-      }
-      if (Date.parse(row.refresh_expires_at) <= Date.now()) {
-        return { ok: false, error: "invalid_grant" };
-      }
-      await tx.query("UPDATE oauth_tokens SET revoked = TRUE WHERE access_token = $1", [
-        row.access_token
-      ]);
-      const accessToken = `cdck_at_${randomToken2(32)}`;
-      const newRefreshToken = `cdck_rt_${randomToken2(32)}`;
-      const accessExpiresAt = isoFromNow2(ttls.accessTtlSeconds);
-      const refreshExpiresAt = isoFromNow2(ttls.refreshTtlSeconds);
-      await tx.query(
-        `INSERT INTO oauth_tokens
-           (access_token, refresh_token, client_id, access_expires_at, refresh_expires_at)
-         VALUES ($1, $2, $3, $4, $5)`,
-        [accessToken, newRefreshToken, row.client_id, accessExpiresAt, refreshExpiresAt]
-      );
-      return {
-        ok: true,
-        tokens: {
-          accessToken,
-          refreshToken: newRefreshToken,
-          clientId: row.client_id,
-          accessExpiresAt,
-          refreshExpiresAt
-        }
-      };
-    });
-  }
-};
-
 // src/core/paths.ts
 var path4 = __toESM(require("path"));
 function resolveDataPaths(electronDataDir) {
@@ -40466,14 +40989,14 @@ function createInstrumentedServer(server, sink, toolAllowlist) {
 
 // src/adapters/mcp/http-transport.ts
 var import_http = require("http");
-var import_buffer3 = require("buffer");
-var import_crypto6 = require("crypto");
+var import_buffer = require("buffer");
+var import_crypto2 = require("crypto");
 
 // node_modules/@hono/node-server/dist/index.mjs
 var import_http2 = require("http2");
 var import_http22 = require("http2");
 var import_stream = require("stream");
-var import_crypto3 = __toESM(require("crypto"), 1);
+var import_crypto = __toESM(require("crypto"), 1);
 var RequestError = class extends Error {
   constructor(message, options) {
     super(message, options);
@@ -40812,7 +41335,7 @@ var buildOutgoingHttpHeaders = (headers) => {
 };
 var X_ALREADY_SENT = "x-hono-already-sent";
 if (typeof global.crypto === "undefined") {
-  global.crypto = import_crypto3.default;
+  global.crypto = import_crypto.default;
 }
 var outgoingEnded = /* @__PURE__ */ Symbol("outgoingEnded");
 var incomingDraining = /* @__PURE__ */ Symbol("incomingDraining");
@@ -41795,8 +42318,8 @@ var StreamableHTTPServerTransport = class {
 };
 
 // src/adapters/mcp/oauth/discovery.ts
-function authServerMetadata(issuer) {
-  const base = stripTrailingSlash(issuer);
+function authServerMetadata(origin) {
+  const base = stripTrailingSlash(origin);
   return {
     issuer: base,
     authorization_endpoint: `${base}/authorize`,
@@ -41808,8 +42331,8 @@ function authServerMetadata(issuer) {
     token_endpoint_auth_methods_supported: ["none"]
   };
 }
-function protectedResourceMetadata(issuer) {
-  const base = stripTrailingSlash(issuer);
+function protectedResourceMetadata(origin) {
+  const base = stripTrailingSlash(origin);
   return {
     resource: `${base}/mcp`,
     authorization_servers: [base],
@@ -41820,335 +42343,67 @@ function stripTrailingSlash(s) {
   return s.endsWith("/") ? s.slice(0, -1) : s;
 }
 
-// src/adapters/mcp/oauth/register.ts
-async function handleRegister(repo, raw) {
-  if (raw === null || typeof raw !== "object") {
-    return errorResponse(400, "invalid_client_metadata", "request body must be a JSON object");
-  }
-  const req = raw;
-  if (!Array.isArray(req.redirect_uris) || req.redirect_uris.length === 0) {
-    return errorResponse(
-      400,
-      "invalid_redirect_uri",
-      "redirect_uris must be a non-empty array of URLs"
-    );
-  }
-  if (!req.redirect_uris.every((u) => typeof u === "string" && isHttpUrl(u))) {
-    return errorResponse(
-      400,
-      "invalid_redirect_uri",
-      "each redirect_uri must be an http(s) URL"
-    );
+// src/adapters/mcp/oauth/keycloak-proxy.ts
+var FORWARDED_AUTHORIZE_PARAMS = [
+  "response_type",
+  "client_id",
+  "redirect_uri",
+  "state",
+  "scope",
+  "code_challenge",
+  "code_challenge_method",
+  "nonce",
+  "resource"
+];
+function handleAuthorizeRedirect(cfg, params) {
+  const forwarded = new URLSearchParams();
+  for (const key of FORWARDED_AUTHORIZE_PARAMS) {
+    const value = params.get(key);
+    if (value !== null) forwarded.set(key, value);
+  }
+  if (!forwarded.has("client_id")) forwarded.set("client_id", cfg.clientId);
+  if (!forwarded.has("response_type")) forwarded.set("response_type", "code");
+  return { location: `${cfg.authorizationEndpoint}?${forwarded.toString()}` };
+}
+async function handleTokenProxy(cfg, form, fetchImpl = fetch) {
+  const upstream = new URLSearchParams(form);
+  if (!upstream.has("client_id")) upstream.set("client_id", cfg.clientId);
+  if (cfg.clientSecret && !upstream.has("client_secret")) {
+    upstream.set("client_secret", cfg.clientSecret);
   }
-  const clientName = typeof req.client_name === "string" ? req.client_name : "mcp-client";
-  const client = await repo.registerClient({
-    clientName,
-    redirectUris: req.redirect_uris
-  });
-  return {
-    status: 201,
-    body: {
-      client_id: client.clientId,
-      client_id_issued_at: Math.floor(Date.now() / 1e3),
-      client_name: client.clientName,
-      redirect_uris: client.redirectUris,
-      grant_types: ["authorization_code", "refresh_token"],
-      response_types: ["code"],
-      token_endpoint_auth_method: "none"
-    }
-  };
-}
-function errorResponse(status, error48, errorDescription) {
-  return {
-    status,
-    body: { error: error48, error_description: errorDescription }
-  };
-}
-function isHttpUrl(s) {
   try {
-    const u = new URL(s);
-    return u.protocol === "https:" || u.protocol === "http:";
+    const res = await fetchImpl(cfg.tokenEndpoint, {
+      method: "POST",
+      headers: {
+        "content-type": "application/x-www-form-urlencoded",
+        accept: "application/json"
+      },
+      body: upstream.toString()
+    });
+    const body = await res.json().catch(() => ({}));
+    return { status: res.status, body };
   } catch {
-    return false;
-  }
-}
-
-// src/adapters/mcp/oauth/authorize.ts
-var import_crypto4 = require("crypto");
-var import_buffer = require("buffer");
-
-// src/adapters/mcp/oauth/consent-template.ts
-function renderConsentScreen(params) {
-  const errorBlock = params.errorMessage ? `<p class="err">${escapeHtml(params.errorMessage)}</p>` : "";
-  const stateField = params.state === null ? "" : `<input type="hidden" name="state" value="${escapeHtml(params.state)}" />`;
-  return `<!doctype html>
-<html lang="en">
-<head>
-  <meta charset="utf-8" />
-  <title>Authorize ${escapeHtml(params.clientName)}</title>
-  <style>
-    body { font-family: system-ui, sans-serif; max-width: 32rem; margin: 4rem auto; padding: 0 1rem; color: #111; }
-    h1 { font-size: 1.25rem; }
-    .client { background: #f5f5f5; padding: 0.75rem 1rem; border-radius: 4px; margin: 1rem 0; font-family: ui-monospace, monospace; font-size: 0.875rem; }
-    label { display: block; margin-top: 1rem; font-size: 0.9rem; }
-    input[type=password] { width: 100%; padding: 0.5rem; font-size: 1rem; box-sizing: border-box; }
-    button { margin-top: 1rem; padding: 0.5rem 1.25rem; font-size: 1rem; cursor: pointer; }
-    .err { color: #b00020; margin-top: 1rem; font-size: 0.9rem; }
-    .meta { color: #666; font-size: 0.8rem; margin-top: 2rem; }
-  </style>
-</head>
-<body>
-  <h1>Authorize access</h1>
-  <p>An application wants to connect to your choda-deck MCP server.</p>
-  <div class="client">
-    <div><strong>${escapeHtml(params.clientName)}</strong></div>
-    <div>${escapeHtml(params.clientId)}</div>
-    <div>Redirect: ${escapeHtml(params.redirectUri)}</div>
-  </div>
-  ${errorBlock}
-  <form method="POST" action="/authorize">
-    <input type="hidden" name="response_type" value="${escapeHtml(params.responseType)}" />
-    <input type="hidden" name="client_id" value="${escapeHtml(params.clientId)}" />
-    <input type="hidden" name="redirect_uri" value="${escapeHtml(params.redirectUri)}" />
-    <input type="hidden" name="code_challenge" value="${escapeHtml(params.codeChallenge)}" />
-    <input type="hidden" name="code_challenge_method" value="${escapeHtml(params.codeChallengeMethod)}" />
-    ${stateField}
-    <label for="password">Consent password</label>
-    <input id="password" name="consent_password" type="password" autocomplete="off" autofocus required />
-    <button type="submit">Approve</button>
-  </form>
-  <p class="meta">choda-deck OAuth 2.0 + DCR (ADR-027)</p>
-</body>
-</html>`;
-}
-function escapeHtml(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
-
-// src/adapters/mcp/oauth/authorize.ts
-var AUTH_CODE_TTL_SECONDS = 60;
-var CHALLENGE_MIN_LEN = 43;
-var CHALLENGE_MAX_LEN = 128;
-async function handleAuthorizeGet(repo, query) {
-  const params = parseParams(query);
-  const v = await validate2(repo, params);
-  if (v.kind !== "ok") return v.result;
-  return renderForm(params, v.client.clientName);
-}
-async function handleAuthorizePost(repo, form, consentPasswordHashHex) {
-  const params = parseParams(form);
-  const v = await validate2(repo, params);
-  if (v.kind !== "ok") return v.result;
-  const submitted = form.get("consent_password") ?? "";
-  if (!verifyConsentPassword(submitted, consentPasswordHashHex)) {
     return {
-      kind: "html",
-      status: 401,
-      html: renderConsentScreen({
-        clientName: v.client.clientName,
-        clientId: params.clientId,
-        redirectUri: params.redirectUri,
-        state: params.state,
-        codeChallenge: params.codeChallenge,
-        codeChallengeMethod: "S256",
-        responseType: "code",
-        errorMessage: "Incorrect consent password."
-      })
+      status: 502,
+      body: { error: "server_error", error_description: "authorization server unreachable" }
     };
   }
-  const ac = await repo.createAuthCode({
-    clientId: params.clientId,
-    codeChallenge: params.codeChallenge,
-    redirectUri: params.redirectUri,
-    ttlSeconds: AUTH_CODE_TTL_SECONDS
-  });
-  const url2 = new URL(params.redirectUri);
-  url2.searchParams.set("code", ac.code);
-  if (params.state !== null) url2.searchParams.set("state", params.state);
-  return { kind: "redirect", status: 302, location: url2.toString() };
-}
-function parseParams(p) {
-  return {
-    responseType: p.get("response_type"),
-    clientId: p.get("client_id"),
-    redirectUri: p.get("redirect_uri"),
-    state: p.get("state"),
-    codeChallenge: p.get("code_challenge"),
-    codeChallengeMethod: p.get("code_challenge_method")
-  };
-}
-async function validate2(repo, p) {
-  if (!p.clientId) {
-    return { kind: "fatal", result: htmlError(400, "Missing client_id.") };
-  }
-  const client = await repo.getClient(p.clientId);
-  if (!client) {
-    return { kind: "fatal", result: htmlError(400, "Unknown client_id.") };
-  }
-  if (!p.redirectUri || !client.redirectUris.includes(p.redirectUri)) {
-    return {
-      kind: "fatal",
-      result: htmlError(400, "Missing or unregistered redirect_uri.")
-    };
-  }
-  if (p.responseType !== "code") {
-    return {
-      kind: "redirectError",
-      result: redirectWithError(p.redirectUri, p.state, "unsupported_response_type")
-    };
-  }
-  if (p.codeChallengeMethod !== "S256") {
-    return {
-      kind: "redirectError",
-      result: redirectWithError(
-        p.redirectUri,
-        p.state,
-        "invalid_request",
-        "code_challenge_method must be S256"
-      )
-    };
-  }
-  if (!p.codeChallenge || p.codeChallenge.length < CHALLENGE_MIN_LEN || p.codeChallenge.length > CHALLENGE_MAX_LEN) {
-    return {
-      kind: "redirectError",
-      result: redirectWithError(
-        p.redirectUri,
-        p.state,
-        "invalid_request",
-        "code_challenge missing or wrong length"
-      )
-    };
-  }
-  return { kind: "ok", client };
-}
-function renderForm(p, clientName) {
-  return {
-    kind: "html",
-    status: 200,
-    html: renderConsentScreen({
-      clientName,
-      clientId: p.clientId,
-      redirectUri: p.redirectUri,
-      state: p.state,
-      codeChallenge: p.codeChallenge,
-      codeChallengeMethod: "S256",
-      responseType: "code"
-    })
-  };
-}
-function htmlError(status, message) {
-  const html = `<!doctype html><html><head><meta charset="utf-8"/><title>OAuth error</title></head><body style="font-family:system-ui;max-width:32rem;margin:4rem auto;padding:0 1rem"><h1>Authorization error</h1><p>${escapeHtml2(message)}</p></body></html>`;
-  return { kind: "html", status, html };
-}
-function redirectWithError(redirectUri, state, error48, errorDescription) {
-  const url2 = new URL(redirectUri);
-  url2.searchParams.set("error", error48);
-  if (errorDescription) url2.searchParams.set("error_description", errorDescription);
-  if (state !== null) url2.searchParams.set("state", state);
-  return { kind: "redirect", status: 302, location: url2.toString() };
-}
-function verifyConsentPassword(submitted, expectedHashHex) {
-  if (submitted.length === 0 || expectedHashHex.length === 0) return false;
-  const submittedHash = (0, import_crypto4.createHash)("sha256").update(submitted, "utf8").digest();
-  let expected;
-  try {
-    expected = import_buffer.Buffer.from(expectedHashHex, "hex");
-  } catch {
-    return false;
-  }
-  if (submittedHash.length !== expected.length) return false;
-  return (0, import_crypto4.timingSafeEqual)(submittedHash, expected);
-}
-function escapeHtml2(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
-
-// src/adapters/mcp/oauth/pkce.ts
-var import_crypto5 = require("crypto");
-var import_buffer2 = require("buffer");
-function verifyPkceS256(verifier, challenge) {
-  if (verifier.length < 43 || verifier.length > 128) return false;
-  const computed = computeChallengeS256(verifier);
-  const a = import_buffer2.Buffer.from(computed, "utf8");
-  const b = import_buffer2.Buffer.from(challenge, "utf8");
-  if (a.length !== b.length) return false;
-  return (0, import_crypto5.timingSafeEqual)(a, b);
-}
-function computeChallengeS256(verifier) {
-  return (0, import_crypto5.createHash)("sha256").update(verifier, "utf8").digest("base64url");
-}
-
-// src/adapters/mcp/oauth/token.ts
-var ACCESS_TTL_SECONDS = 60 * 60;
-var REFRESH_TTL_SECONDS = 60 * 60 * 24 * 30;
-async function handleToken(repo, form) {
-  const grantType = form.get("grant_type");
-  if (grantType === "authorization_code") return handleCodeGrant(repo, form);
-  if (grantType === "refresh_token") return handleRefreshGrant(repo, form);
-  return errorResponse2(
-    400,
-    "unsupported_grant_type",
-    "only authorization_code and refresh_token are supported"
-  );
-}
-async function handleCodeGrant(repo, form) {
-  const code = form.get("code");
-  const redirectUri = form.get("redirect_uri");
-  const clientId = form.get("client_id");
-  const codeVerifier = form.get("code_verifier");
-  if (!code || !redirectUri || !clientId || !codeVerifier) {
-    return errorResponse2(400, "invalid_request", "missing required parameter");
-  }
-  const consumed = await repo.consumeAuthCode(code);
-  if (!consumed) return errorResponse2(400, "invalid_grant", "code unknown or already used");
-  if (Date.parse(consumed.expiresAt) <= Date.now()) {
-    return errorResponse2(400, "invalid_grant", "code expired");
-  }
-  if (consumed.clientId !== clientId) {
-    return errorResponse2(400, "invalid_grant", "client_id does not match code");
-  }
-  if (consumed.redirectUri !== redirectUri) {
-    return errorResponse2(400, "invalid_grant", "redirect_uri does not match code");
-  }
-  if (!verifyPkceS256(codeVerifier, consumed.codeChallenge)) {
-    return errorResponse2(400, "invalid_grant", "PKCE verifier does not match challenge");
-  }
-  const tokens = await repo.createTokens({
-    clientId,
-    accessTtlSeconds: ACCESS_TTL_SECONDS,
-    refreshTtlSeconds: REFRESH_TTL_SECONDS
-  });
-  return tokenSuccess(tokens);
-}
-async function handleRefreshGrant(repo, form) {
-  const refreshToken = form.get("refresh_token");
-  if (!refreshToken) return errorResponse2(400, "invalid_request", "missing refresh_token");
-  const result = await repo.rotateRefresh(refreshToken, {
-    accessTtlSeconds: ACCESS_TTL_SECONDS,
-    refreshTtlSeconds: REFRESH_TTL_SECONDS
-  });
-  if (!result.ok) {
-    const description = result.error === "replay_detected" ? "refresh token replayed; chain revoked" : "refresh token unknown or expired";
-    return errorResponse2(400, "invalid_grant", description);
-  }
-  return tokenSuccess(result.tokens);
 }
-function tokenSuccess(tokens) {
+function handleRegisterStatic(cfg, parsed) {
+  const redirectUris = isObject2(parsed) && Array.isArray(parsed.redirect_uris) ? parsed.redirect_uris.filter((u) => typeof u === "string") : [];
   return {
-    status: 200,
+    status: 201,
     body: {
-      access_token: tokens.accessToken,
-      token_type: "Bearer",
-      expires_in: ACCESS_TTL_SECONDS,
-      refresh_token: tokens.refreshToken
+      client_id: cfg.clientId,
+      token_endpoint_auth_method: cfg.clientSecret ? "client_secret_post" : "none",
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      redirect_uris: redirectUris
     }
   };
 }
-function errorResponse2(status, error48, errorDescription) {
-  return {
-    status,
-    body: { error: error48, error_description: errorDescription }
-  };
+function isObject2(v) {
+  return typeof v === "object" && v !== null;
 }
 
 // src/adapters/mcp/http-transport.ts
@@ -42160,10 +42415,10 @@ var BodyTooLargeError = class extends Error {
   }
 };
 async function startHttpTransport(serverFactory, opts) {
-  const tokenBuf = import_buffer3.Buffer.from(opts.token, "utf8");
+  const tokenBuf = import_buffer.Buffer.from(opts.token, "utf8");
   const oauth = opts.oauth;
   const httpServer = (0, import_http.createServer)((req, res) => {
-    handle(req, res, serverFactory, tokenBuf, oauth).catch((err) => {
+    handle(req, res, serverFactory, tokenBuf, oauth, opts.syncSource).catch((err) => {
       console.error("[choda-deck] http handler error", err);
       if (!res.headersSent) {
         res.writeHead(500);
@@ -42184,10 +42439,11 @@ async function startHttpTransport(serverFactory, opts) {
     address: bound,
     close: () => new Promise((resolve3, reject) => {
       httpServer.close((err) => err ? reject(err) : resolve3());
+      httpServer.closeIdleConnections();
     })
   };
 }
-async function handle(req, res, serverFactory, tokenBuf, oauth) {
+async function handle(req, res, serverFactory, tokenBuf, oauth, syncSource) {
   const parsedUrl = new URL(req.url ?? "/", "http://placeholder");
   const pathname = parsedUrl.pathname;
   const method = req.method ?? "GET";
@@ -42197,19 +42453,42 @@ async function handle(req, res, serverFactory, tokenBuf, oauth) {
   if (oauth && await tryHandleOAuthRoute(req, res, pathname, method, parsedUrl, oauth)) {
     return;
   }
+  if (pathname === "/sync/since" && method === "GET") {
+    return handleSyncSince(req, res, tokenBuf, oauth, syncSource, parsedUrl);
+  }
   if (pathname === "/mcp" && method === "POST") {
     return handleMcp(req, res, serverFactory, tokenBuf, oauth);
   }
   res.writeHead(404);
   res.end();
 }
+async function handleSyncSince(req, res, tokenBuf, oauth, syncSource, parsedUrl) {
+  if (!syncSource) {
+    res.writeHead(404);
+    res.end();
+    return;
+  }
+  if (!await isAuthorized(req.headers.authorization ?? "", tokenBuf, oauth)) {
+    sendUnauthorized(res, oauth);
+    return;
+  }
+  const sinceRaw = parsedUrl.searchParams.get("since");
+  const since = Number.parseInt(sinceRaw ?? "0", 10);
+  if (!Number.isFinite(since) || since < 0) {
+    res.writeHead(400);
+    res.end();
+    return;
+  }
+  const deltas = await syncSource.fetchSince(since);
+  sendJson(res, 200, { since, deltas });
+}
 async function tryHandleOAuthRoute(req, res, pathname, method, parsedUrl, oauth) {
   if (pathname === "/.well-known/oauth-authorization-server" && method === "GET") {
-    sendJson(res, 200, authServerMetadata(oauth.issuer));
+    sendJson(res, 200, authServerMetadata(oauth.origin));
     return true;
   }
   if (pathname === "/.well-known/oauth-protected-resource" && method === "GET") {
-    sendJson(res, 200, protectedResourceMetadata(oauth.issuer));
+    sendJson(res, 200, protectedResourceMetadata(oauth.origin));
     return true;
   }
   if (pathname === "/register" && method === "POST") {
@@ -42220,26 +42499,14 @@ async function tryHandleOAuthRoute(req, res, pathname, method, parsedUrl, oauth)
       writeBodyError(res, err);
       return true;
     }
-    const result = await handleRegister(oauth.repo, parsed);
+    const result = handleRegisterStatic(oauth.keycloak, parsed);
     sendJson(res, result.status, result.body);
     return true;
   }
   if (pathname === "/authorize" && method === "GET") {
-    sendAuthorizeResult(res, await handleAuthorizeGet(oauth.repo, parsedUrl.searchParams));
-    return true;
-  }
-  if (pathname === "/authorize" && method === "POST") {
-    let form;
-    try {
-      form = await readForm(req);
-    } catch (err) {
-      writeBodyError(res, err);
-      return true;
-    }
-    sendAuthorizeResult(
-      res,
-      await handleAuthorizePost(oauth.repo, form, oauth.consentPasswordHashHex)
-    );
+    const { location } = handleAuthorizeRedirect(oauth.keycloak, parsedUrl.searchParams);
+    res.writeHead(302, { location });
+    res.end();
     return true;
   }
   if (pathname === "/token" && method === "POST") {
@@ -42250,7 +42517,7 @@ async function tryHandleOAuthRoute(req, res, pathname, method, parsedUrl, oauth)
       writeBodyError(res, err);
       return true;
     }
-    const result = await handleToken(oauth.repo, form);
+    const result = await handleTokenProxy(oauth.keycloak, form);
     res.setHeader("Cache-Control", "no-store");
     sendJson(res, result.status, result.body);
     return true;
@@ -42258,15 +42525,8 @@ async function tryHandleOAuthRoute(req, res, pathname, method, parsedUrl, oauth)
   return false;
 }
 async function handleMcp(req, res, serverFactory, tokenBuf, oauth) {
-  const authHeader = req.headers.authorization ?? "";
-  const authorized = oauth ? await verifyOAuthBearer(authHeader, oauth.repo) : verifyBearer(authHeader, tokenBuf);
-  if (!authorized) {
-    if (oauth) {
-      const resourceMetadataUrl = `${oauth.issuer}/.well-known/oauth-protected-resource`;
-      res.setHeader("WWW-Authenticate", `Bearer resource_metadata="${resourceMetadataUrl}"`);
-    }
-    res.writeHead(401);
-    res.end();
+  if (!await isAuthorized(req.headers.authorization ?? "", tokenBuf, oauth)) {
+    sendUnauthorized(res, oauth);
     return;
   }
   const contentType = (req.headers["content-type"] ?? "").toLowerCase();
@@ -42309,36 +42569,39 @@ async function handleMcp(req, res, serverFactory, tokenBuf, oauth) {
     }
   }
 }
+async function isAuthorized(authHeader, tokenBuf, oauth) {
+  return oauth ? verifyOAuthBearer(authHeader, oauth.verifier) : verifyBearer(authHeader, tokenBuf);
+}
+function sendUnauthorized(res, oauth) {
+  if (oauth) {
+    const resourceMetadataUrl = `${oauth.origin}/.well-known/oauth-protected-resource`;
+    res.setHeader("WWW-Authenticate", `Bearer resource_metadata="${resourceMetadataUrl}"`);
+  }
+  res.writeHead(401);
+  res.end();
+}
 function verifyBearer(authHeader, tokenBuf) {
   const prefix = "Bearer ";
   if (!authHeader.startsWith(prefix)) return false;
-  const provided = import_buffer3.Buffer.from(authHeader.slice(prefix.length), "utf8");
+  const provided = import_buffer.Buffer.from(authHeader.slice(prefix.length), "utf8");
   if (provided.length !== tokenBuf.length) return false;
-  return (0, import_crypto6.timingSafeEqual)(provided, tokenBuf);
+  return (0, import_crypto2.timingSafeEqual)(provided, tokenBuf);
 }
-async function verifyOAuthBearer(authHeader, repo) {
+async function verifyOAuthBearer(authHeader, verifier) {
   const prefix = "Bearer ";
   if (!authHeader.startsWith(prefix)) return false;
   const token = authHeader.slice(prefix.length);
-  return await repo.validateAccessToken(token) !== null;
+  const claims = await verifier.verify(token);
+  return claims !== null;
 }
 function sendJson(res, status, body) {
   const payload = JSON.stringify(body);
   res.writeHead(status, {
     "content-type": "application/json",
-    "content-length": import_buffer3.Buffer.byteLength(payload).toString()
+    "content-length": import_buffer.Buffer.byteLength(payload).toString()
   });
   res.end(payload);
 }
-function sendAuthorizeResult(res, result) {
-  if (result.kind === "redirect") {
-    res.writeHead(302, { location: result.location });
-    res.end();
-    return;
-  }
-  res.writeHead(result.status, { "content-type": "text/html; charset=utf-8" });
-  res.end(result.html);
-}
 async function readJson(req) {
   const raw = await readBody(req);
   return JSON.parse(raw.toString("utf8"));
@@ -42379,7 +42642,7 @@ function readBody(req) {
         chunks.push(chunk);
       }
     });
-    req.on("end", () => settle(() => resolve3(import_buffer3.Buffer.concat(chunks))));
+    req.on("end", () => settle(() => resolve3(import_buffer.Buffer.concat(chunks))));
     req.on("error", (err) => settle(() => reject(err)));
   });
 }
@@ -42401,293 +42664,119 @@ function listen(server, port, bind) {
   });
 }
 
-// src/adapters/mcp/mcp-tools/types.ts
-function textResponse(payload) {
-  const text = typeof payload === "string" ? payload : JSON.stringify(payload, null, 2);
-  return { content: [{ type: "text", text }] };
-}
-
-// src/adapters/mcp/mcp-tools/task-context-graphify.ts
-var fs3 = __toESM(require("node:fs"));
-var path5 = __toESM(require("node:path"));
-var STALE_DAYS = 7;
-var BFS_DEPTH = 2;
-var MAX_AFFECTED_FILES = 15;
-var MAX_GOD_NODES = 10;
-var GOD_NODE_DEGREE_THRESHOLD = 5;
-var CONFIDENCE_MIN = 0.7;
-var RELATION_FILTER = /* @__PURE__ */ new Set([
-  "imports_from",
-  "calls",
-  "contains",
-  "method",
-  "implements",
-  "references"
-]);
-var KEYWORD_STOPWORDS = /* @__PURE__ */ new Set([
-  "add",
-  "update",
-  "fix",
-  "create",
-  "make",
-  "implement",
-  "the",
-  "for",
-  "from",
-  "into",
-  "with",
-  "this",
-  "that",
-  "and",
-  "but",
-  "when",
-  "then",
-  "thing",
-  "stuff",
-  "code",
-  "task",
-  "tasks",
-  "feature",
-  "work",
-  "change",
-  "changes",
-  "trong",
-  "kh\xF4ng",
-  "tr\xEAn",
-  "d\u01B0\u1EDBi",
-  "ch\u1EE9a",
-  "\u0111\xFAng",
-  "ng\u01B0\u1EE3c",
-  "ph\u1EA3i",
-  "c\u1EA7n",
-  "n\u1EBFu",
-  "khi",
-  "nh\u01B0",
-  "theo",
-  "sau",
-  "tr\u01B0\u1EDBc"
-]);
-var LABEL_KEY_PREFIX = /^(assignee|adr|phase)[:-]/i;
-var LABEL_EXACT_DROP = /* @__PURE__ */ new Set([
-  "auto-safe",
-  "bug",
-  "feat",
-  "fix",
-  "test",
-  "metrics",
-  "chore",
-  "docs"
-]);
-async function buildGraphifyContext(task, svc) {
-  const graphPath = await findGraphPath(task.projectId, svc);
-  if (!graphPath) {
-    return {
-      status: "no-graph",
-      message: "No graphify-out/graph.json in project workspaces. Run `/graphify <workspace>` to enable graph-driven context."
-    };
-  }
-  const keywords = extractKeywords(task);
-  const filePointerPaths = extractFilePointers(task.body ?? "");
-  if (keywords.length === 0 && filePointerPaths.length === 0) {
-    return {
-      status: "no-matches",
-      message: "Task title/AC/labels/file-pointers produced no usable signal."
-    };
-  }
-  const data = JSON.parse(fs3.readFileSync(graphPath, "utf8"));
-  const nodeIndex = new Map(data.nodes.map((n) => [n.id, n]));
-  const adj = buildAdjacency(data.links);
-  const startNodes = findStartNodes(data.nodes, keywords, filePointerPaths, 3);
-  if (startNodes.length === 0) {
-    return {
-      status: "no-matches",
-      message: filePointerPaths.length > 0 ? `File pointers not in graph: ${filePointerPaths.join(", ")}; keywords: ${keywords.join(", ")}` : `No graph nodes matched keywords: ${keywords.join(", ")}`
-    };
+// src/adapters/mcp/oauth/jwt-verifier.ts
+var import_crypto3 = require("crypto");
+var REFRESH_THROTTLE_MS = 1e4;
+function createKeycloakVerifier(config2, loadKeys) {
+  return new KeycloakJwtVerifier(config2, loadKeys ?? defaultJwksLoader(config2.jwksUri));
+}
+var KeycloakJwtVerifier = class {
+  constructor(config2, loadKeys) {
+    this.config = config2;
+    this.loadKeys = loadKeys;
+  }
+  config;
+  loadKeys;
+  keys = /* @__PURE__ */ new Map();
+  lastFetchMs = 0;
+  inflight = null;
+  async verify(token) {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const [headerB64, payloadB64, signatureB64] = parts;
+    const header = decodeJson(headerB64);
+    if (!header || header.alg !== "RS256" || !header.kid) return null;
+    const key = await this.resolveKey(header.kid);
+    if (!key) return null;
+    if (!verifySignature(`${headerB64}.${payloadB64}`, signatureB64, key)) return null;
+    const claims = decodeJson(payloadB64);
+    if (!claims) return null;
+    if (!this.claimsValid(claims)) return null;
+    return claims;
+  }
+  claimsValid(claims) {
+    if (claims.iss !== this.config.issuer) return false;
+    if (typeof claims.exp !== "number" || claims.exp * 1e3 <= Date.now()) return false;
+    return audienceMatches(claims, this.config.audience);
+  }
+  // Cache by kid; on an unknown kid (key rollover) refetch once, throttled so a
+  // bogus-kid flood can't hammer Keycloak.
+  async resolveKey(kid) {
+    const cached2 = this.keys.get(kid);
+    if (cached2) return cached2;
+    if (Date.now() - this.lastFetchMs < REFRESH_THROTTLE_MS) return null;
+    await this.refresh();
+    return this.keys.get(kid) ?? null;
+  }
+  async refresh() {
+    if (this.inflight) return this.inflight;
+    this.inflight = (async () => {
+      try {
+        const jwks = await this.loadKeys();
+        const next = /* @__PURE__ */ new Map();
+        for (const jwk of jwks) {
+          if (jwk.kty !== "RSA" || !jwk.kid || !jwk.n || !jwk.e) continue;
+          try {
+            next.set(
+              jwk.kid,
+              (0, import_crypto3.createPublicKey)({ key: jwk, format: "jwk" })
+            );
+          } catch {
+          }
+        }
+        this.keys = next;
+        this.lastFetchMs = Date.now();
+      } catch {
+        this.lastFetchMs = Date.now();
+      } finally {
+        this.inflight = null;
+      }
+    })();
+    return this.inflight;
   }
-  const subgraph = bfs(
-    adj,
-    startNodes.map((s) => s.id),
-    BFS_DEPTH,
-    RELATION_FILTER,
-    CONFIDENCE_MIN
-  );
-  const affected_files = extractAffectedFiles(subgraph, nodeIndex, MAX_AFFECTED_FILES);
-  const god_nodes = identifyGodNodes(
-    subgraph,
-    adj,
-    nodeIndex,
-    GOD_NODE_DEGREE_THRESHOLD,
-    MAX_GOD_NODES
-  );
-  const affected_communities = identifyAffectedCommunities(subgraph, nodeIndex);
-  const staleness = computeStaleness(graphPath);
-  return {
-    affected_files,
-    god_nodes,
-    affected_communities,
-    keywords_used: keywords,
-    ...staleness
-  };
+};
+function audienceMatches(claims, expected) {
+  const aud = claims.aud;
+  if (typeof aud === "string" && aud === expected) return true;
+  if (Array.isArray(aud) && aud.includes(expected)) return true;
+  return claims.azp === expected;
 }
-async function findGraphPath(projectId, svc) {
-  const workspaces = await svc.findWorkspaces(projectId);
-  for (const ws of workspaces) {
-    const p = path5.join(ws.cwd, "graphify-out", "graph.json");
-    if (fs3.existsSync(p)) return p;
+function verifySignature(signingInput, signatureB64, key) {
+  try {
+    const verifier = (0, import_crypto3.createVerify)("RSA-SHA256");
+    verifier.update(signingInput);
+    verifier.end();
+    return verifier.verify(key, base64UrlToBuffer(signatureB64));
+  } catch {
+    return false;
   }
-  const project = await svc.getProject(projectId);
-  if (project) {
-    const p = path5.join(project.cwd, "graphify-out", "graph.json");
-    if (fs3.existsSync(p)) return p;
+}
+function decodeJson(segment) {
+  try {
+    return JSON.parse(base64UrlToBuffer(segment).toString("utf8"));
+  } catch {
+    return null;
   }
-  return null;
 }
-function extractKeywords(task) {
-  const acSection = extractAcceptanceSection(task.body ?? "");
-  const raw = `${task.title} ${acSection}`.split(/\s+/);
-  const fromLabels = (task.labels ?? []).map((l) => l.toLowerCase()).filter((l) => !LABEL_KEY_PREFIX.test(l) && !LABEL_EXACT_DROP.has(l));
-  const all = [...raw.map((t) => t.toLowerCase()), ...fromLabels];
-  const deduped = /* @__PURE__ */ new Set();
-  for (const t of all) {
-    const cleaned = cleanToken(t);
-    if (cleaned.length <= 3) continue;
-    if (KEYWORD_STOPWORDS.has(cleaned)) continue;
-    deduped.add(cleaned);
-  }
-  return Array.from(deduped);
-}
-function extractFilePointers(body) {
-  const match = body.match(/(?:^|\n)##\s*File Pointers\s*\n[\s\S]*?(?=\n##\s|$)/i);
-  if (!match) return [];
-  const paths = [];
-  for (const line of splitLines(match[0])) {
-    if (/\(NEW\)/i.test(line)) continue;
-    const pathMatch = line.match(/^\s*-\s+`([^`]+)`/);
-    if (!pathMatch) continue;
-    paths.push(pathMatch[1].replace(/\\/g, "/"));
-  }
-  return paths;
-}
-function cleanToken(t) {
-  return t.replace(/^[^a-z0-9_-]+|[^a-z0-9_-]+$/gi, "");
-}
-function extractAcceptanceSection(body) {
-  const match = body.match(/(?:^|\n)##\s*Acceptance\s*\n[\s\S]*?(?=\n##\s|$)/i);
-  if (!match) return "";
-  return match[0].slice(0, 500);
-}
-function findStartNodes(nodes, keywords, filePointerPaths, topK) {
-  if (filePointerPaths.length > 0) {
-    const fileMatches = findStartNodesByFile(nodes, filePointerPaths);
-    if (fileMatches.length > 0) return fileMatches;
-  }
-  return findStartNodesByKeyword(nodes, keywords, topK);
-}
-function findStartNodesByFile(nodes, paths) {
-  const targets = new Set(paths.map((p) => p.replace(/\\/g, "/")));
-  const matches = [];
-  for (const n of nodes) {
-    if (!n.source_file) continue;
-    const normalized = n.source_file.replace(/\\/g, "/");
-    if (targets.has(normalized)) {
-      matches.push({ id: n.id, score: 100 });
-    }
-  }
-  matches.sort((a, b) => {
-    if (a.id < b.id) return -1;
-    if (a.id > b.id) return 1;
-    return 0;
-  });
-  return matches;
-}
-function findStartNodesByKeyword(nodes, keywords, topK) {
-  const scored = [];
-  for (const n of nodes) {
-    const label = (n.label ?? "").toLowerCase();
-    let score = 0;
-    for (const k of keywords) {
-      if (label.includes(k)) score += 1;
-    }
-    if (score > 0) scored.push({ id: n.id, score });
-  }
-  scored.sort((a, b) => {
-    if (b.score !== a.score) return b.score - a.score;
-    if (b.id > a.id) return 1;
-    if (b.id < a.id) return -1;
-    return 0;
-  });
-  return scored.slice(0, topK);
-}
-function buildAdjacency(links) {
-  const adj = /* @__PURE__ */ new Map();
-  const push = (from, to, link) => {
-    if (!adj.has(from)) adj.set(from, []);
-    adj.get(from).push({ neighbor: to, link });
-  };
-  for (const l of links) {
-    push(l.source, l.target, l);
-    push(l.target, l.source, l);
-  }
-  return adj;
-}
-function bfs(adj, startNodes, depth, relationFilter, confidenceMin) {
-  const visited = new Set(startNodes);
-  let frontier = new Set(startNodes);
-  for (let d = 0; d < depth; d += 1) {
-    const next = /* @__PURE__ */ new Set();
-    for (const n of frontier) {
-      const neighbors = adj.get(n) ?? [];
-      for (const { neighbor, link } of neighbors) {
-        if (link.relation && !relationFilter.has(link.relation)) continue;
-        if ((link.confidence_score ?? 1) < confidenceMin) continue;
-        if (!visited.has(neighbor)) next.add(neighbor);
-      }
-    }
-    for (const n of next) visited.add(n);
-    frontier = next;
-  }
-  return visited;
-}
-function extractAffectedFiles(subgraph, nodeIndex, max) {
-  const hits = /* @__PURE__ */ new Map();
-  for (const id of subgraph) {
-    const n = nodeIndex.get(id);
-    if (!n?.source_file) continue;
-    hits.set(n.source_file, (hits.get(n.source_file) ?? 0) + 1);
-  }
-  return Array.from(hits.entries()).map(([p, h]) => ({ path: p, hits: h })).sort((a, b) => b.hits - a.hits).slice(0, max);
-}
-function identifyGodNodes(subgraph, adj, nodeIndex, threshold, max) {
-  const result = [];
-  for (const id of subgraph) {
-    const deg = (adj.get(id) ?? []).length;
-    if (deg >= threshold) {
-      result.push({ id, label: nodeIndex.get(id)?.label ?? id, degree: deg });
-    }
-  }
-  return result.sort((a, b) => b.degree - a.degree).slice(0, max);
-}
-function identifyAffectedCommunities(subgraph, nodeIndex) {
-  const counts = /* @__PURE__ */ new Map();
-  for (const id of subgraph) {
-    const n = nodeIndex.get(id);
-    if (typeof n?.community !== "number") continue;
-    counts.set(n.community, (counts.get(n.community) ?? 0) + 1);
-  }
-  return Array.from(counts.entries()).map(([cid, count]) => ({ id: cid, label: null, nodeCount: count })).sort((a, b) => b.nodeCount - a.nodeCount);
-}
-function computeStaleness(graphPath) {
-  const stat = fs3.statSync(graphPath);
-  const mtimeMs = stat.mtimeMs;
-  const ageMs = Date.now() - mtimeMs;
-  const ageDays = ageMs / (1e3 * 60 * 60 * 24);
-  return {
-    graph_mtime_iso: new Date(mtimeMs).toISOString(),
-    graph_age_days: Math.round(ageDays * 10) / 10,
-    graph_is_stale: ageDays > STALE_DAYS
+function base64UrlToBuffer(input) {
+  const padded = input.replace(/-/g, "+").replace(/_/g, "/");
+  return Buffer.from(padded, "base64");
+}
+function defaultJwksLoader(jwksUri) {
+  return async () => {
+    const res = await fetch(jwksUri, { headers: { accept: "application/json" } });
+    if (!res.ok) throw new Error(`JWKS fetch ${res.status}`);
+    const body = await res.json();
+    return body.keys ?? [];
   };
 }
 
+// src/adapters/mcp/mcp-tools/types.ts
+function textResponse(payload) {
+  const text = typeof payload === "string" ? payload : JSON.stringify(payload, null, 2);
+  return { content: [{ type: "text", text }] };
+}
+
 // src/adapters/mcp/mcp-tools/task-tools.ts
 function defaultBody(id, title) {
   return `# ${id}: ${title}
@@ -42738,7 +42827,6 @@ var register = (server, svc) => {
           }))
         }))
       );
-      const graphify_context = await buildGraphifyContext(task, svc);
       return textResponse({
         task,
         dependencies: deps,
@@ -42746,8 +42834,7 @@ var register = (server, svc) => {
         tags,
         relationships: rels,
         conversations,
-        body: task.body,
-        graphify_context
+        body: task.body
       });
     }
   );
@@ -42869,13 +42956,13 @@ var EMPTY_RULES = {
   sessionEnd: "",
   conversationRead: ""
 };
-function loadMcpRules(path10 = rulesPath()) {
-  if (!(0, import_fs.existsSync)(path10)) {
-    console.warn(`[mcp-rules] file not found at ${path10} \u2014 returning empty rules`);
+function loadMcpRules(path9 = rulesPath()) {
+  if (!(0, import_fs.existsSync)(path9)) {
+    console.warn(`[mcp-rules] file not found at ${path9} \u2014 returning empty rules`);
     return { ...EMPTY_RULES };
   }
   try {
-    const content = (0, import_fs.readFileSync)(path10, "utf-8");
+    const content = (0, import_fs.readFileSync)(path9, "utf-8");
     const sessionStart = parseSection(content, "On session_start");
     const sessionCheckpoint = parseSection(content, "On session_checkpoint");
     const sessionResume = parseSection(content, "On session_resume");
@@ -42888,11 +42975,11 @@ function loadMcpRules(path10 = rulesPath()) {
       ["On session_end", sessionEnd],
       ["On conversation_read", conversationRead]
     ]) {
-      if (!value) console.warn(`[mcp-rules] "## ${name}" section missing in ${path10}`);
+      if (!value) console.warn(`[mcp-rules] "## ${name}" section missing in ${path9}`);
     }
     return { sessionStart, sessionCheckpoint, sessionResume, sessionEnd, conversationRead };
   } catch (err) {
-    console.error(`[mcp-rules] failed to read ${path10}:`, err);
+    console.error(`[mcp-rules] failed to read ${path9}:`, err);
     return { ...EMPTY_RULES };
   }
 }
@@ -43121,8 +43208,8 @@ var register2 = (server, svc) => {
 };
 
 // src/adapters/mcp/mcp-tools/project-context-builder.ts
-var fs4 = __toESM(require("fs"));
-var path6 = __toESM(require("path"));
+var fs3 = __toESM(require("fs"));
+var path5 = __toESM(require("path"));
 
 // src/core/domain/inbox-triage-policy.ts
 var STALE_RAW_DAYS = 3;
@@ -43225,10 +43312,10 @@ function loadRecentDecisions(sources, contentRoot, depth) {
   }).filter((d) => d.excerpt.length > 0);
 }
 function readMarkdown(contentRoot, sourcePath, depth) {
-  const absolute = path6.isAbsolute(sourcePath) ? sourcePath : path6.join(contentRoot, sourcePath);
-  if (!fs4.existsSync(absolute)) return null;
+  const absolute = path5.isAbsolute(sourcePath) ? sourcePath : path5.join(contentRoot, sourcePath);
+  if (!fs3.existsSync(absolute)) return null;
   try {
-    const raw = fs4.readFileSync(absolute, "utf-8");
+    const raw = fs3.readFileSync(absolute, "utf-8");
     const stripped = stripFrontmatter(raw);
     return depth === "summary" ? summarize(stripped) : stripped;
   } catch {
@@ -43299,7 +43386,7 @@ var register3 = (server, svc) => {
 };
 
 // src/adapters/mcp/mcp-tools/workspace-tools.ts
-var fs5 = __toESM(require("node:fs"));
+var fs4 = __toESM(require("node:fs"));
 var register4 = (server, svc) => {
   server.registerTool(
     "workspace_list",
@@ -43337,7 +43424,7 @@ var register4 = (server, svc) => {
         );
       }
       const ws = await svc.addWorkspace(projectId, id, label, cwd);
-      const cwdExists = fs5.existsSync(cwd);
+      const cwdExists = fs4.existsSync(cwd);
       return textResponse({ workspace: ws, warning: cwdExists ? null : `cwd ${cwd} not found on disk` });
     }
   );
@@ -43373,18 +43460,18 @@ async function archiveOrError(svc, projectId, workspaceId) {
 }
 
 // src/adapters/mcp/mcp-tools/workspace-resolver.ts
-var path7 = __toESM(require("path"));
+var path6 = __toESM(require("path"));
 var isWindows = process.platform === "win32";
 function normalize2(p) {
-  const resolved = path7.resolve(p).replace(/[\\/]+$/, "");
+  const resolved = path6.resolve(p).replace(/[\\/]+$/, "");
   return isWindows ? resolved.toLowerCase().replace(/\//g, "\\") : resolved;
 }
 function isDescendantOrEqual(parent, child) {
   if (parent === child) return true;
-  const rel = path7.relative(parent, child);
+  const rel = path6.relative(parent, child);
   if (rel === "") return true;
   if (rel.startsWith("..")) return false;
-  return !path7.isAbsolute(rel);
+  return !path6.isAbsolute(rel);
 }
 function resolveWorkspaceId(input) {
   const { explicitWorkspaceId, cwd, workspaces } = input;
@@ -43512,6 +43599,72 @@ function collectFilesByCommit(cwd, commitLines, git) {
   return map2;
 }
 
+// src/core/domain/session-transcript.ts
+var fs5 = __toESM(require("fs"));
+var path7 = __toESM(require("path"));
+var os = __toESM(require("os"));
+function isTextBlock(b) {
+  return typeof b === "object" && b !== null && b.type === "text" && typeof b.text === "string";
+}
+function cwdToProjectSlug(cwd) {
+  return cwd.replace(/[^a-zA-Z0-9]/g, "-");
+}
+function parseTranscript(content) {
+  const rows = [];
+  for (const line of splitLines(content)) {
+    if (!line.trim()) continue;
+    try {
+      rows.push(JSON.parse(line));
+    } catch {
+    }
+  }
+  return rows;
+}
+function extractResumePoint(rows) {
+  for (let i = rows.length - 1; i >= 0; i--) {
+    const r = rows[i];
+    if (r.type !== "assistant") continue;
+    const content = r.message?.content;
+    if (!Array.isArray(content)) continue;
+    const text = content.filter(isTextBlock).map((b) => b.text).join("\n").trim();
+    if (text) return text;
+  }
+  return null;
+}
+var TranscriptOpsImpl = class {
+  readResumePoint(opts) {
+    try {
+      const base = path7.join(
+        opts.homeDir ?? os.homedir(),
+        ".claude",
+        "projects",
+        cwdToProjectSlug(opts.cwd)
+      );
+      if (!fs5.existsSync(base)) return null;
+      if (opts.ccSessionId) {
+        const file2 = path7.join(base, `${opts.ccSessionId}.jsonl`);
+        if (fs5.existsSync(file2)) {
+          return extractResumePoint(parseTranscript(fs5.readFileSync(file2, "utf8")));
+        }
+      }
+      const sinceMs = Date.parse(opts.startedAt);
+      const candidates = fs5.readdirSync(base).filter((f) => f.endsWith(".jsonl")).map((f) => {
+        const full = path7.join(base, f);
+        let mtimeMs = 0;
+        try {
+          mtimeMs = fs5.statSync(full).mtimeMs;
+        } catch {
+        }
+        return { full, mtimeMs };
+      }).filter((c) => c.mtimeMs > 0 && (Number.isNaN(sinceMs) || c.mtimeMs >= sinceMs)).sort((a, b) => b.mtimeMs - a.mtimeMs);
+      if (candidates.length === 0) return null;
+      return extractResumePoint(parseTranscript(fs5.readFileSync(candidates[0].full, "utf8")));
+    } catch {
+      return null;
+    }
+  }
+};
+
 // src/adapters/mcp/mcp-tools/session-tools.ts
 var sessionSummarySchema = external_exports3.object({
   summary: external_exports3.string(),
@@ -43544,9 +43697,13 @@ var sessionSummarySchema = external_exports3.object({
 });
 var handoffInputSchema = {
   sessionId: external_exports3.string(),
-  commits: external_exports3.array(external_exports3.string()).optional(),
+  commits: external_exports3.array(external_exports3.string()).optional().describe(
+    'Format: "<short-sha> <subject>". Optional (ADR-031) \u2014 when omitted, the server derives commits from the session time window (filtered by the bound task id). Any value you provide wins; derivation only fills the gap.'
+  ),
   decisions: external_exports3.array(external_exports3.string()).optional(),
-  resumePoint: external_exports3.string(),
+  resumePoint: external_exports3.string().optional().describe(
+    "One sentence: where you stopped + what to pick up next. Optional (ADR-031) \u2014 when omitted, the server derives it from the last text-bearing assistant turn in the session transcript. Best-effort; any value you provide wins."
+  ),
   looseEnds: external_exports3.array(external_exports3.string()).optional(),
   notes: external_exports3.string().optional(),
   testResults: external_exports3.object({
@@ -43567,7 +43724,7 @@ async function tryLifecycle2(fn) {
     throw e;
   }
 }
-var register5 = (server, svc, git = new GitOpsImpl()) => {
+var register5 = (server, svc, git = new GitOpsImpl(), transcript = new TranscriptOpsImpl()) => {
   server.registerTool(
     "session_start",
     {
@@ -43578,10 +43735,13 @@ var register5 = (server, svc, git = new GitOpsImpl()) => {
         workspaceId: external_exports3.string().optional().describe("Workspace ID (e.g. workflow-engine)"),
         cwd: external_exports3.string().optional().describe(
           "Current working directory \u2014 used to auto-detect workspaceId when not passed explicitly"
+        ),
+        ccSessionId: external_exports3.string().optional().describe(
+          "Claude Code session UUID (the transcript .jsonl filename under ~/.claude/projects/). Pass it so session_end can derive resumePoint from the transcript (ADR-031). Optional \u2014 omitted falls back to heuristic correlation."
         )
       }
     },
-    async ({ projectId, taskId, workspaceId, cwd }) => tryLifecycle2(async () => {
+    async ({ projectId, taskId, workspaceId, cwd, ccSessionId }) => tryLifecycle2(async () => {
       const project = await svc.getProject(projectId);
       if (!project) throw new Error(`Project ${projectId} not found`);
       const resolvedWorkspaceId = resolveWorkspaceId({
@@ -43592,7 +43752,8 @@ var register5 = (server, svc, git = new GitOpsImpl()) => {
       const { session, contextSources, existingActiveSessions, recalledMemories } = await svc.startSession({
         projectId,
         taskId,
-        workspaceId: resolvedWorkspaceId
+        workspaceId: resolvedWorkspaceId,
+        ccSessionId
       });
       const lastSession = await loadLastSession(svc, projectId, resolvedWorkspaceId);
       const bundle = await buildProjectContext(svc, projectId, "summary");
@@ -43706,10 +43867,12 @@ var register5 = (server, svc, git = new GitOpsImpl()) => {
       inputSchema: handoffInputSchema
     },
     async (input) => tryLifecycle2(async () => {
+      const commits = await resolveCommits(svc, git, input.sessionId, input.commits);
+      const resumePoint = await resolveResumePoint(svc, transcript, input.sessionId, input.resumePoint);
       const handoff = {
-        commits: input.commits,
+        commits,
         decisions: input.decisions,
-        resumePoint: input.resumePoint,
+        resumePoint,
         looseEnds: input.looseEnds,
         tasksUpdated: [],
         testResults: input.testResults
@@ -43732,7 +43895,58 @@ var register5 = (server, svc, git = new GitOpsImpl()) => {
       };
     })
   );
+  server.registerTool(
+    "session_cancel",
+    {
+      description: "Cancel (retire) an active session WITHOUT marking its task DONE. Use for an empty or abandoned session \u2014 an orphaned session_start where no real work followed, or a session you want to drop without completing the task. Marks the session completed with a failureReason, closes any linked conversations, and intentionally leaves the bound task status untouched (stays IN-PROGRESS for human review). Distinct from session_end, which marks the task DONE.",
+      inputSchema: {
+        sessionId: external_exports3.string(),
+        reason: external_exports3.string().optional().describe(
+          'Why the session is being cancelled (e.g. "empty session \u2014 no work recorded"). Defaults to "cancelled \u2014 no work recorded".'
+        )
+      }
+    },
+    async ({ sessionId, reason }) => tryLifecycle2(async () => {
+      const result = await svc.abandonSession(
+        sessionId,
+        reason ?? "cancelled \u2014 no work recorded"
+      );
+      return {
+        sessionId: result.session.id,
+        status: result.session.status,
+        endedAt: result.session.endedAt,
+        taskId: result.session.taskId,
+        taskUntouched: true,
+        closedConversationIds: result.closedConversationIds
+      };
+    })
+  );
 };
+async function resolveCommits(svc, git, sessionId, provided) {
+  if (provided && provided.length > 0) return provided;
+  const session = await svc.getSession(sessionId);
+  if (!session) return provided;
+  const project = await svc.getProject(session.projectId);
+  const cwd = project?.cwd;
+  if (!cwd) return provided;
+  const derived = git.commitsInWindow(cwd, session.startedAt, session.taskId ?? void 0);
+  return derived.length > 0 ? derived : provided;
+}
+async function resolveResumePoint(svc, transcript, sessionId, provided) {
+  if (provided && provided.trim()) return provided;
+  const session = await svc.getSession(sessionId);
+  if (!session) return provided;
+  const project = await svc.getProject(session.projectId);
+  const cwd = project?.cwd;
+  if (!cwd) return provided;
+  const derived = transcript.readResumePoint({
+    cwd,
+    ccSessionId: session.ccSessionId,
+    startedAt: session.startedAt,
+    endedAt: session.endedAt
+  });
+  return derived ?? provided;
+}
 async function buildSuggestedKnowledge(svc, git, projectId, handoff) {
   const project = await svc.getProject(projectId);
   const cwd = project?.cwd ?? "";
@@ -43793,7 +44007,8 @@ async function createLooseEndInboxes(svc, looseEnds, session) {
       projectId: session.projectId,
       content: `${content}
 
-\u2014 from session ${tag}`
+\u2014 from session ${tag}`,
+      ...session.taskId ? { linkedTaskId: session.taskId } : {}
     });
     ids.push(item.id);
   }
@@ -43816,10 +44031,13 @@ var register6 = (server, svc) => {
       description: "Add a raw idea to inbox. Returns INBOX-NNN with status=raw.",
       inputSchema: {
         projectId: external_exports3.string().describe("Project ID (required)"),
-        content: external_exports3.string().describe("Raw idea content")
+        content: external_exports3.string().describe("Raw idea content"),
+        workspaceId: external_exports3.string().optional().describe(
+          "App/workspace scope, if already clear. Omit to leave domain-level (null) \u2014 research fills it later via inbox_ready."
+        )
       }
     },
-    async ({ projectId, content }) => textResponse(await svc.createInbox({ projectId, content }))
+    async ({ projectId, content, workspaceId }) => textResponse(await svc.createInbox({ projectId, content, workspaceId }))
   );
   server.registerTool(
     "inbox_update",
@@ -43903,16 +44121,24 @@ var register6 = (server, svc) => {
   server.registerTool(
     "inbox_ready",
     {
-      description: "Mark research complete. Transitions researching \u2192 ready.",
-      inputSchema: { id: external_exports3.string().describe("Inbox item ID") }
+      description: "Mark research complete. Transitions researching \u2192 ready. Pass workspaceId to localize the item to the app research identified (ADR-032 Pillar 6).",
+      inputSchema: {
+        id: external_exports3.string().describe("Inbox item ID"),
+        workspaceId: external_exports3.string().optional().describe("App/workspace identified during research \u2014 localizes the item before convert.")
+      }
     },
-    async ({ id }) => {
+    async ({ id, workspaceId }) => {
       const item = await svc.getInbox(id);
       if (!item) return textResponse(`Inbox ${id} not found`);
       if (item.status !== "researching") {
         return textResponse(`Inbox ${id} is ${item.status}, not researching`);
       }
-      return textResponse(await svc.updateInbox(id, { status: "ready" }));
+      return textResponse(
+        await svc.updateInbox(
+          id,
+          workspaceId !== void 0 ? { status: "ready", workspaceId } : { status: "ready" }
+        )
+      );
     }
   );
   server.registerTool(
@@ -43942,6 +44168,90 @@ var register6 = (server, svc) => {
   );
 };
 
+// src/adapters/mcp/mcp-tools/investigation-tools.ts
+async function tryLifecycle4(fn) {
+  try {
+    return textResponse(await fn());
+  } catch (e) {
+    if (e instanceof LifecycleError) return textResponse(e.message);
+    throw e;
+  }
+}
+var register7 = (server, svc) => {
+  server.registerTool(
+    "investigation_start",
+    {
+      description: "Start a debugging investigation (ADR-035). Creates a container for nonlinear trace state (hypotheses + evidence), status=exploring. Optionally bind to a task/session.",
+      inputSchema: {
+        symptom: external_exports3.string().describe('The observed symptom, e.g. "Test button does not work"'),
+        taskId: external_exports3.string().optional().describe("Optional task to bind to (standalone allowed)"),
+        sessionId: external_exports3.string().optional().describe("Optional session to bind to")
+      }
+    },
+    async ({ symptom, taskId, sessionId }) => tryLifecycle4(() => svc.startInvestigation({ symptom, taskId, sessionId }))
+  );
+  server.registerTool(
+    "investigation_add_hypothesis",
+    {
+      description: "Add a hypothesis to an investigation (status=testing). Blocked once the investigation is resolved.",
+      inputSchema: {
+        investigationId: external_exports3.string().describe("Investigation ID (e.g. INV-001)"),
+        description: external_exports3.string().describe("What you think might be the cause")
+      }
+    },
+    async ({ investigationId, description }) => tryLifecycle4(() => svc.addHypothesis(investigationId, description))
+  );
+  server.registerTool(
+    "investigation_set_hypothesis_status",
+    {
+      description: "Transition a hypothesis: testing \u2192 ruled_out | confirmed. Ruled-out hypotheses persist (dead ends are kept). A terminal hypothesis cannot transition again.",
+      inputSchema: {
+        hypothesisId: external_exports3.string().describe("Hypothesis ID (e.g. HYP-001)"),
+        status: external_exports3.enum(["ruled_out", "confirmed"]).describe("New status")
+      }
+    },
+    async ({ hypothesisId, status }) => tryLifecycle4(() => svc.setHypothesisStatus(hypothesisId, status))
+  );
+  server.registerTool(
+    "investigation_add_evidence",
+    {
+      description: "Attach typed evidence to an investigation, or to a specific hypothesis within it.",
+      inputSchema: {
+        investigationId: external_exports3.string().describe("Investigation ID"),
+        type: external_exports3.enum(["screenshot", "log", "network", "code_snippet"]).describe("Evidence type"),
+        ref: external_exports3.string().describe("Path / URL / locator for the evidence"),
+        hypothesisId: external_exports3.string().optional().describe("Attach to this hypothesis instead of the investigation as a whole"),
+        note: external_exports3.string().optional().describe("Optional note about the evidence")
+      }
+    },
+    async ({ investigationId, type, ref, hypothesisId, note }) => tryLifecycle4(() => svc.addEvidence({ investigationId, type, ref, hypothesisId, note }))
+  );
+  server.registerTool(
+    "investigation_resolve",
+    {
+      description: "Resolve an investigation (status=resolved). Returns a human-gated knowledge_create(gotcha) draft built from pattern_tag + root_cause + fix \u2014 NOT auto-written. Errors if already resolved.",
+      inputSchema: {
+        id: external_exports3.string().describe("Investigation ID"),
+        rootCause: external_exports3.string().describe("The confirmed root cause"),
+        fixSummary: external_exports3.string().describe("How it was fixed"),
+        patternTag: external_exports3.string().optional().describe('Reusable pattern tag, e.g. "expression-no-upstream-data"')
+      }
+    },
+    async ({ id, rootCause, fixSummary, patternTag }) => tryLifecycle4(() => svc.resolveInvestigation(id, { rootCause, fixSummary, patternTag }))
+  );
+  server.registerTool(
+    "investigation_get",
+    {
+      description: "Get full investigation state \u2014 symptom, status, all hypotheses (incl. ruled_out), all evidence, root_cause/fix. Reconstructs a trace without prior context.",
+      inputSchema: { id: external_exports3.string().describe("Investigation ID") }
+    },
+    async ({ id }) => {
+      const inv = await svc.getInvestigation(id);
+      return textResponse(inv ?? `Investigation ${id} not found`);
+    }
+  );
+};
+
 // src/adapters/mcp/mcp-tools/backup-tools.ts
 var import_fs3 = require("fs");
 var import_path3 = require("path");
@@ -44004,7 +44314,7 @@ function runBackup(db, userData, now2 = /* @__PURE__ */ new Date()) {
 }
 
 // src/adapters/mcp/mcp-tools/backup-tools.ts
-function register7(server, svc, dataDir, dbPath) {
+function register8(server, svc, dataDir, dbPath) {
   server.registerTool(
     "backup_list",
     {
@@ -44051,13 +44361,24 @@ function register7(server, svc, dataDir, dbPath) {
 }
 
 // src/adapters/mcp/mcp-tools/knowledge-tools.ts
-var TYPE_ENUM = ["spike", "decision", "postmortem", "learning", "evaluation"];
+var TYPE_ENUM = [
+  "spike",
+  "decision",
+  "postmortem",
+  "learning",
+  "evaluation",
+  "feature",
+  "code_ref",
+  "gotcha"
+];
 var SCOPE_ENUM = ["project", "cross"];
-var register8 = (server, svc) => {
+var EFFORT_BAND_ENUM = ["S", "M", "L", "XL"];
+var FEATURE_STATUS_ENUM = ["planned", "in-progress", "shipped", "blocked"];
+var register9 = (server, svc) => {
   server.registerTool(
     "knowledge_create",
     {
-      description: "Create a knowledge entry (ADR, spike finding, postmortem, learning, evaluation). Project-scope writes to <projectCwd>/docs/knowledge/<slug>.md and tracks staleness against refs[]. When workspaceId is provided, the file is written to <workspaceCwd>/docs/knowledge/<slug>.md instead (workspace must belong to projectId). Cross-scope writes to vault/30-Knowledge/<slug>.md (no staleness).",
+      description: "Create a knowledge entry. Original types (spike/decision/postmortem/learning/evaluation) capture findings/ADRs. First-class graph types (TASK-988): feature (a user-perceivable outcome \u2014 set structured.anchorTaskId/realizesTasks/inWorkspaces/effortBand/status), code_ref (a code anchor note \u2014 pair with the code_ref_upsert tool for the queryable identity row), gotcha (a concern \u2014 set structured.affectedFeatureId pointing at an existing feature slug). Project-scope writes to <projectCwd>/docs/knowledge/<slug>.md and tracks staleness against refs[]. When workspaceId is provided, the file is written to <workspaceCwd>/docs/knowledge/<slug>.md instead (workspace must belong to projectId). Cross-scope writes to vault/30-Knowledge/<slug>.md (no staleness).",
       inputSchema: {
         projectId: external_exports3.string().describe("Project ID"),
         workspaceId: external_exports3.string().optional().describe(
@@ -44073,11 +44394,19 @@ var register8 = (server, svc) => {
             commitSha: external_exports3.string().optional().describe("Pin SHA. Omit to auto-capture current HEAD.")
           })
         ).optional().describe("Code references for staleness tracking. Empty/omitted = no tracking."),
-        slug: external_exports3.string().optional().describe("Override auto-derived slug")
+        slug: external_exports3.string().optional().describe("Override auto-derived slug"),
+        structured: external_exports3.object({
+          anchorTaskId: external_exports3.string().optional().describe("feature: epic-shape task it was promoted from"),
+          realizesTasks: external_exports3.array(external_exports3.string()).optional().describe("feature: task ids that implement/modify it"),
+          inWorkspaces: external_exports3.array(external_exports3.string()).optional().describe("feature: workspaces it touches"),
+          effortBand: external_exports3.enum(EFFORT_BAND_ENUM).optional().describe("feature: S|M|L|XL band (NOT a day count)"),
+          status: external_exports3.enum(FEATURE_STATUS_ENUM).optional().describe("feature: planned|in-progress|shipped|blocked"),
+          affectedFeatureId: external_exports3.string().optional().describe("gotcha: slug of the feature this concern is about (must exist)")
+        }).optional().describe("Structured fields for feature / gotcha first-class types (TASK-988).")
       }
     },
-    async ({ projectId, workspaceId, type, scope, title, body, refs, slug }) => textResponse(
-      svc.createKnowledge({
+    async ({ projectId, workspaceId, type, scope, title, body, refs, slug, structured }) => textResponse(
+      await svc.createKnowledge({
         projectId,
         workspaceId,
         type,
@@ -44085,7 +44414,8 @@ var register8 = (server, svc) => {
         title,
         body,
         refs: refs ?? [],
-        slug
+        slug,
+        structured
       })
     )
   );
@@ -44101,7 +44431,7 @@ var register8 = (server, svc) => {
         )
       }
     },
-    async ({ filePath, projectId, workspaceId }) => textResponse(svc.registerExistingKnowledge({ filePath, projectId, workspaceId }))
+    async ({ filePath, projectId, workspaceId }) => textResponse(await svc.registerExistingKnowledge({ filePath, projectId, workspaceId }))
   );
   server.registerTool(
     "knowledge_get",
@@ -44112,7 +44442,7 @@ var register8 = (server, svc) => {
       }
     },
     async ({ slug }) => {
-      const entry = svc.getKnowledge(slug);
+      const entry = await svc.getKnowledge(slug);
       if (!entry) return textResponse(`Knowledge ${slug} not found`);
       return textResponse(entry);
     }
@@ -44131,7 +44461,7 @@ var register8 = (server, svc) => {
       }
     },
     async ({ projectId, workspaceId, scope, type }) => textResponse(
-      svc.listKnowledge({
+      await svc.listKnowledge({
         projectId,
         workspaceId: workspaceId === "" ? null : workspaceId,
         scope,
@@ -44154,7 +44484,7 @@ var register8 = (server, svc) => {
         ).optional().describe("Replace refs[]. Omit to re-pin existing refs to HEAD.")
       }
     },
-    async ({ slug, body, refs }) => textResponse(svc.updateKnowledge({ slug, body, refs }))
+    async ({ slug, body, refs }) => textResponse(await svc.updateKnowledge({ slug, body, refs }))
   );
   server.registerTool(
     "knowledge_verify",
@@ -44164,7 +44494,7 @@ var register8 = (server, svc) => {
         slug: external_exports3.string().describe("Slug of the entry")
       }
     },
-    async ({ slug }) => textResponse(svc.verifyKnowledge(slug))
+    async ({ slug }) => textResponse(await svc.verifyKnowledge(slug))
   );
   server.registerTool(
     "knowledge_delete",
@@ -44174,7 +44504,7 @@ var register8 = (server, svc) => {
         slug: external_exports3.string().describe("Slug of the entry to delete")
       }
     },
-    async ({ slug }) => textResponse(svc.deleteKnowledge(slug))
+    async ({ slug }) => textResponse(await svc.deleteKnowledge(slug))
   );
   server.registerTool(
     "knowledge_search",
@@ -44189,6 +44519,472 @@ var register8 = (server, svc) => {
   );
 };
 
+// src/adapters/mcp/mcp-tools/code-ref-tools.ts
+var RELATION_ENUM = ["modifies", "reference"];
+var register10 = (server, svc) => {
+  server.registerTool(
+    "code_ref_upsert",
+    {
+      description: "Create or re-pin a code_ref identity row. Identity is (projectId, path, symbol) \u2014 symbol is NULL for file-level refs (.tsx/.md/migrations). A write matching an existing identity UPDATEs commit_sha / line_hint on the original slug instead of inserting a duplicate (ADR Pillar 2c). Returns the stored row.",
+      inputSchema: {
+        slug: external_exports3.string().describe("Slug for a NEW row (ignored when the identity already exists)"),
+        projectId: external_exports3.string().describe("Project ID"),
+        workspaceId: external_exports3.string().optional().describe("Workspace (app) the anchor lives in"),
+        path: external_exports3.string().describe("Repo-relative file path"),
+        symbol: external_exports3.string().optional().describe("Full dotted symbol (Namespace.Class.Method). Omit for file-level refs."),
+        lineHint: external_exports3.number().int().optional().describe("Optional line hint \u2014 not trustworthy over time"),
+        commitSha: external_exports3.string().optional().describe("Commit SHA captured at write time")
+      }
+    },
+    async ({ slug, projectId, workspaceId, path: path9, symbol: symbol2, lineHint, commitSha }) => textResponse(
+      await svc.upsertCodeRef({ slug, projectId, workspaceId, path: path9, symbol: symbol2, lineHint, commitSha })
+    )
+  );
+  server.registerTool(
+    "code_ref_prefix",
+    {
+      description: 'Query code_ref rows by dotted-symbol prefix (e.g. all Domain-layer anchors via symbolPrefix="Ichiba.Pim.TradingCatalog.Domain."), by exact path ("who anchors this file"), or list a whole project. Returns identity rows, not the .md notes.',
+      inputSchema: {
+        projectId: external_exports3.string().describe("Project ID"),
+        symbolPrefix: external_exports3.string().optional().describe("Match symbols starting with this prefix"),
+        path: external_exports3.string().optional().describe("Exact repo-relative path filter")
+      }
+    },
+    async ({ projectId, symbolPrefix, path: path9 }) => textResponse(await svc.listCodeRefsByPrefix({ projectId, symbolPrefix, path: path9 }))
+  );
+  server.registerTool(
+    "code_ref_delete",
+    {
+      description: "Delete a code_ref identity row by slug. Also removes its TOUCHES edges. The matching .md note (if any) is managed separately via knowledge_delete.",
+      inputSchema: {
+        slug: external_exports3.string().describe("Slug of the code_ref row to delete")
+      }
+    },
+    async ({ slug }) => {
+      await svc.deleteCodeRef(slug);
+      return textResponse({ slug, deleted: true });
+    }
+  );
+  server.registerTool(
+    "touches_add",
+    {
+      description: 'Add (or update) a TOUCHES edge: task \u2192 code_ref with a required relation. "modifies" = the task edits the anchor; "reference" = the task reads it as a pattern. Re-adding the same (task, code_ref) pair overwrites the relation.',
+      inputSchema: {
+        taskId: external_exports3.string().describe("Task ID"),
+        codeRefSlug: external_exports3.string().describe("Slug of an existing code_ref row"),
+        relation: external_exports3.enum(RELATION_ENUM).describe("modifies | reference")
+      }
+    },
+    async ({ taskId, codeRefSlug, relation }) => {
+      await svc.addTouches(taskId, codeRefSlug, relation);
+      return textResponse({ taskId, codeRefSlug, relation });
+    }
+  );
+  server.registerTool(
+    "touches_remove",
+    {
+      description: "Remove a TOUCHES edge between a task and a code_ref.",
+      inputSchema: {
+        taskId: external_exports3.string().describe("Task ID"),
+        codeRefSlug: external_exports3.string().describe("Slug of the code_ref row")
+      }
+    },
+    async ({ taskId, codeRefSlug }) => {
+      await svc.removeTouches(taskId, codeRefSlug);
+      return textResponse({ taskId, codeRefSlug, removed: true });
+    }
+  );
+  server.registerTool(
+    "task_touches",
+    {
+      description: "List the TOUCHES edges for a task \u2014 every code_ref it modifies or references, with the relation. Use before starting a task to see which code anchors it will edit vs. read.",
+      inputSchema: {
+        taskId: external_exports3.string().describe("Task ID")
+      }
+    },
+    async ({ taskId }) => textResponse(await svc.getTouchesForTask(taskId))
+  );
+};
+
+// src/adapters/mcp/mcp-tools/graph-tools.ts
+var EDGE_TYPE_ENUM = [
+  "DEPENDS_ON",
+  "IMPLEMENTS",
+  "USES_TECH",
+  "DECIDED_BY",
+  "REALIZES",
+  "ABOUT",
+  "PINS",
+  "IN",
+  "INTEGRATES_WITH"
+];
+var register11 = (server, svc) => {
+  server.registerTool(
+    "graph_edges",
+    {
+      description: 'Query first-class knowledge-graph edges on any node (task ID, feature/gotcha slug, workspace ID, code_ref slug). direction "out" = edges FROM the node, "in" = edges pointing AT it, "both" = either. Examples: which tasks realize a feature \u2192 {nodeId:"feature-x", type:"REALIZES", direction:"in"}; which workspaces a feature is in \u2192 {nodeId:"feature-x", type:"IN", direction:"out"}; which gotchas are about it \u2192 {nodeId:"feature-x", type:"ABOUT", direction:"in"}.',
+      inputSchema: {
+        nodeId: external_exports3.string().describe("Node identity: TASK-NNN, knowledge slug, workspace ID, or code_ref slug"),
+        type: external_exports3.enum(EDGE_TYPE_ENUM).optional().describe("Filter to one edge type. Omit to return all edge types on the node."),
+        direction: external_exports3.enum(["out", "in", "both"]).optional().describe("out = from node, in = to node, both = either (default)")
+      }
+    },
+    async ({ nodeId, type, direction }) => {
+      const dir = direction ?? "both";
+      const t = type;
+      let edges;
+      if (dir === "out") {
+        edges = await svc.getRelationshipsFrom(nodeId, t);
+      } else if (dir === "in") {
+        edges = await svc.getRelationshipsTo(nodeId, t);
+      } else {
+        const all = await svc.getRelationships(nodeId);
+        edges = t ? all.filter((e) => e.type === t) : all;
+      }
+      return textResponse(edges);
+    }
+  );
+};
+
+// src/core/domain/services/feature-projection.ts
+var RoleBleedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "RoleBleedError";
+  }
+};
+var DAY_NUMBER_RE = /\b\d+(?:\s*[-–]\s*\d+)?\s*(?:d|days?|hrs?|hours?|h|wks?|weeks?)\b/i;
+var FILE_PATH_RE = /\b[\w/\\.-]+\.(?:cs|ts|tsx|js|mjs|sql|md)\b/i;
+var DOTTED_SYMBOL_RE = /\b[A-Z][A-Za-z0-9]+(?:\.[A-Z][A-Za-z0-9]+){2,}\b/;
+var SQL_RE = /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN|jsonb)\b/;
+var DEPLOY_VERB = "deploy(?:ed|ment)?|releas(?:e|ed|es)|ship(?:ped|s)?|rollout|roll(?:ed)? ?out|launch(?:ed)?|go[- ]?live";
+var ISO_DATE = "\\d{4}-\\d{2}-\\d{2}(?:[T ]\\d{2}:\\d{2})?";
+var DEPLOY_DATE_RE = new RegExp(
+  `(?:\\b(?:${DEPLOY_VERB})\\b[^.\\n]{0,30}?${ISO_DATE})|(?:${ISO_DATE}[^.\\n]{0,20}?\\b(?:${DEPLOY_VERB})\\b)`,
+  "i"
+);
+function assertNoNumberOfDays(label, ...texts) {
+  for (const text of texts) {
+    if (!text) continue;
+    const m = text.match(DAY_NUMBER_RE);
+    if (m) {
+      throw new RoleBleedError(
+        `${label}: effort-band fidelity violation (M4) \u2014 found time quantity "${m[0]}"`
+      );
+    }
+  }
+}
+function assertNoCodeBleed(label, ...texts) {
+  for (const text of texts) {
+    if (!text) continue;
+    const path9 = text.match(FILE_PATH_RE);
+    if (path9) throw new RoleBleedError(`${label}: role bleed (M3) \u2014 file path "${path9[0]}"`);
+    const sym = text.match(DOTTED_SYMBOL_RE);
+    if (sym) throw new RoleBleedError(`${label}: role bleed (M3) \u2014 dotted symbol "${sym[0]}"`);
+    const sql = text.match(SQL_RE);
+    if (sql) throw new RoleBleedError(`${label}: role bleed (M3) \u2014 SQL token "${sql[0]}"`);
+  }
+}
+function assertHasCodeRefs(label, view, expectRefs) {
+  if (expectRefs && view.codeRefs.length === 0) {
+    throw new RoleBleedError(
+      `${label}: role bleed (M3) \u2014 dev answer missing code_refs though REALIZES tasks TOUCH code`
+    );
+  }
+}
+function assertNoSymbolBleed(label, ...texts) {
+  for (const text of texts) {
+    if (!text) continue;
+    const sym = text.match(DOTTED_SYMBOL_RE);
+    if (sym) throw new RoleBleedError(`${label}: role bleed (M3) \u2014 dotted symbol "${sym[0]}"`);
+  }
+}
+function assertNoDeploymentDate(label, ...texts) {
+  for (const text of texts) {
+    if (!text) continue;
+    const m = text.match(DEPLOY_DATE_RE);
+    if (m) {
+      throw new RoleBleedError(`${label}: role bleed (M3) \u2014 deployment date "${m[0]}"`);
+    }
+  }
+}
+function sectionFor(input, ...names) {
+  for (const name of names) {
+    const text = input.sections[name];
+    if (text && text.trim().length > 0) return text.trim();
+  }
+  return null;
+}
+function deriveEffortBand(signal) {
+  if (signal.length === 0) return null;
+  const taskCount = signal.length;
+  const baseIndex = taskCount >= 7 ? 3 : taskCount >= 4 ? 2 : taskCount >= 2 ? 1 : 0;
+  const totalAc = signal.reduce((sum, t) => sum + t.acItemCount, 0);
+  const hasEpic = signal.some((t) => t.labels.includes("epic"));
+  const maxBlocked = signal.reduce((max, t) => Math.max(max, t.blockedByCount), 0);
+  const reasons = [`${taskCount} realized task${taskCount === 1 ? "" : "s"} (base ${EFFORT_BANDS[baseIndex]})`];
+  let index = baseIndex;
+  if (hasEpic) {
+    index += 1;
+    reasons.push("+1 epic task");
+  }
+  if (totalAc >= 15) {
+    index += 1;
+    reasons.push(`+1 heavy spec (${totalAc} AC items)`);
+  }
+  if (maxBlocked >= 2) {
+    index += 1;
+    reasons.push(`+1 blocked work (${maxBlocked} blockers)`);
+  }
+  index = Math.min(index, EFFORT_BANDS.length - 1);
+  return { band: EFFORT_BANDS[index], reasoning: reasons.join("; ") };
+}
+function firstLine(text) {
+  for (const line of text.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed.length > 0) return trimmed;
+  }
+  return text.trim();
+}
+function deriveCeoBlockers(input) {
+  if (input.status === "shipped") return [];
+  const blocking = sectionFor(input, "currently blocking");
+  if (!blocking) return [];
+  return [{ slug: "currently-blocking", title: firstLine(blocking) }];
+}
+function projectCeo(input) {
+  const authored = input.effortBand ?? null;
+  const derived = authored ? null : deriveEffortBand(input.effortSignal);
+  return {
+    description: sectionFor(input, "description"),
+    apps: input.workspaces,
+    teams: null,
+    effortBand: authored ?? derived?.band ?? null,
+    effortBandSource: authored ? "authored" : derived ? "derived" : null,
+    effortBandReasoning: derived?.reasoning ?? null,
+    status: input.status ?? null,
+    blockers: deriveCeoBlockers(input),
+    // Gotchas are concerns, not blockers. Titles only — bodies carry symbols/SQL.
+    concerns: input.gotchas.map((g) => ({ slug: g.slug, title: g.title }))
+  };
+}
+function projectDev(input) {
+  const blocking = sectionFor(input, "currently blocking");
+  const status = input.status ?? null;
+  return {
+    module: sectionFor(input, "description"),
+    codeRefs: input.codeRefs,
+    gotchas: input.gotchas,
+    relevantDecisions: input.gotchas.map((g) => g.slug),
+    breakingChangeNote: status === "blocked" && blocking ? `Feature is blocked: ${blocking}` : blocking
+  };
+}
+function deriveEdgeCase(g) {
+  const detail = [g.trigger, g.context].filter((s) => s && s.trim().length > 0).join(" \u2014 ");
+  return detail ? `${g.title}: ${detail}` : g.title;
+}
+function projectTester(input) {
+  return {
+    acceptanceCriteria: input.realizesTasks,
+    edgeCases: input.gotchas.map(deriveEdgeCase),
+    regressionScope: input.realizesTasks.filter((t) => t.status === "DONE").map((t) => t.title)
+  };
+}
+function computeHonesty(input, role) {
+  const used = [];
+  const lacked = [];
+  if (sectionFor(input, "description")) used.push("description");
+  if (input.workspaces.length > 0) used.push("workspaces");
+  else lacked.push("workspaces");
+  if (input.gotchas.length > 0) used.push("gotchas");
+  else lacked.push("recall");
+  lacked.push("team-boundaries");
+  if (role === "ceo-po") {
+    if (input.effortBand) used.push("effort-band (authored)");
+    else if (input.effortSignal.length > 0) used.push("effort-band (derived)");
+    else lacked.push("effort-band");
+  }
+  if (role === "dev") {
+    if (input.codeRefs.length > 0) used.push("code-refs");
+    else if (input.realizesTasksHaveTouches) lacked.push("code-refs");
+  }
+  if (role === "tester") {
+    if (input.realizesTasks.some((t) => t.acItems.length > 0)) used.push("acceptance-criteria");
+    else lacked.push("acceptance-criteria");
+    if (input.gotchas.length > 0) used.push("edge-cases");
+    else lacked.push("edge-cases");
+    if (input.realizesTasks.some((t) => t.status === "DONE")) used.push("regression-scope");
+    else lacked.push("regression-scope");
+  }
+  if (input.isStale) lacked.push("stale-refs");
+  return { used, lacked };
+}
+function projectFeature(input, role) {
+  const honesty = computeHonesty(input, role);
+  if (role === "ceo-po") {
+    const view2 = projectCeo(input);
+    const ceoTitles = [...view2.blockers, ...view2.concerns].map((b) => b.title);
+    assertNoCodeBleed("ceo-po", view2.description, view2.effortBandReasoning, ...ceoTitles);
+    assertNoNumberOfDays("ceo-po", view2.description, view2.effortBand, view2.effortBandReasoning, ...ceoTitles);
+    return { featureId: input.featureId, role, view: view2, recall: input.gotchas, honesty };
+  }
+  if (role === "tester") {
+    const view2 = projectTester(input);
+    const derived = [...view2.edgeCases, ...view2.regressionScope, ...view2.acceptanceCriteria.map((t) => t.title)];
+    assertNoSymbolBleed("tester", ...derived);
+    assertNoDeploymentDate("tester", ...derived);
+    return { featureId: input.featureId, role, view: view2, recall: input.gotchas, honesty };
+  }
+  const view = projectDev(input);
+  assertHasCodeRefs("dev", view, input.realizesTasksHaveTouches);
+  return { featureId: input.featureId, role, view, recall: input.gotchas, honesty };
+}
+
+// src/adapters/mcp/mcp-tools/feature-projection-builder.ts
+var FeatureNotFoundError = class extends Error {
+  constructor(featureId) {
+    super(`Feature ${featureId} not found or not a feature node`);
+    this.name = "FeatureNotFoundError";
+  }
+};
+function parseSections(body) {
+  const sections = {};
+  let current = null;
+  let buffer = [];
+  const flush = () => {
+    if (current) sections[current] = buffer.join("\n").trim();
+  };
+  for (const line of splitLines(body)) {
+    const heading = line.match(/^##\s+(.+?)\s*$/);
+    if (heading) {
+      flush();
+      current = heading[1].toLowerCase();
+      buffer = [];
+    } else if (current) {
+      buffer.push(line);
+    }
+  }
+  flush();
+  return sections;
+}
+async function gatherGotchas(svc, featureId) {
+  const aboutEdges = await svc.getRelationshipsTo(featureId, "ABOUT");
+  const gotchas = [];
+  for (const edge of aboutEdges) {
+    const entry = await svc.getKnowledge(edge.fromId);
+    if (!entry) {
+      gotchas.push({ slug: edge.fromId, title: edge.fromId });
+      continue;
+    }
+    const sections = parseSections(entry.body);
+    gotchas.push({
+      slug: entry.slug,
+      title: entry.frontmatter.title,
+      trigger: sections["trigger"],
+      context: sections["context"],
+      resolution: sections["resolution"]
+    });
+  }
+  return gotchas;
+}
+async function gatherRealizesTasks(svc, taskIds) {
+  const tasks = [];
+  for (const taskId of taskIds) {
+    const task = await svc.getTask(taskId);
+    if (!task) continue;
+    tasks.push({
+      taskId,
+      title: task.title,
+      status: task.status,
+      acItems: findAcItems(task.body ?? "").map((i) => i.text)
+    });
+  }
+  return tasks;
+}
+async function gatherEffortSignal(svc, taskIds) {
+  const signal = [];
+  for (const taskId of taskIds) {
+    const task = await svc.getTask(taskId);
+    if (!task) continue;
+    signal.push({
+      taskId,
+      labels: task.labels,
+      acItemCount: findAcItems(task.body ?? "").length,
+      blockedByCount: task.blockedBy.length
+    });
+  }
+  return signal;
+}
+async function gatherCodeRefs(svc, taskIds) {
+  const pointers = [];
+  let hasTouches = false;
+  for (const taskId of taskIds) {
+    const edges = await svc.getTouchesForTask(taskId);
+    if (edges.length > 0) hasTouches = true;
+    for (const edge of edges) {
+      const ref = await svc.getCodeRef(edge.codeRefSlug);
+      pointers.push({
+        taskId,
+        slug: edge.codeRefSlug,
+        path: ref?.path ?? edge.codeRefSlug,
+        symbol: ref?.symbol ?? null,
+        relation: edge.relation
+      });
+    }
+  }
+  return { pointers, hasTouches };
+}
+async function buildFeatureProjection(svc, featureId, role) {
+  const entry = await svc.getKnowledge(featureId);
+  if (!entry || entry.frontmatter.type !== "feature") throw new FeatureNotFoundError(featureId);
+  const structured = entry.frontmatter.structured ?? {};
+  const inEdges = await svc.getRelationshipsFrom(featureId, "IN");
+  const realizesEdges = await svc.getRelationshipsTo(featureId, "REALIZES");
+  const realizesTaskIds = realizesEdges.map((e) => e.fromId);
+  const gotchas = await gatherGotchas(svc, featureId);
+  const dev = role === "dev" ? await gatherCodeRefs(svc, realizesTaskIds) : null;
+  const realizesTasks = role === "tester" ? await gatherRealizesTasks(svc, realizesTaskIds) : [];
+  const effortSignal = role === "ceo-po" && !structured.effortBand ? await gatherEffortSignal(svc, realizesTaskIds) : [];
+  const input = {
+    featureId,
+    title: entry.frontmatter.title,
+    status: structured.status,
+    effortBand: structured.effortBand,
+    sections: parseSections(entry.body),
+    workspaces: inEdges.map((e) => e.toId),
+    realizesTaskIds,
+    effortSignal,
+    gotchas,
+    codeRefs: dev?.pointers ?? [],
+    realizesTasksHaveTouches: dev?.hasTouches ?? false,
+    realizesTasks,
+    isStale: entry.isStale
+  };
+  return projectFeature(input, role);
+}
+
+// src/adapters/mcp/mcp-tools/feature-projection-tools.ts
+var register12 = (server, svc) => {
+  server.registerTool(
+    "feature_projection",
+    {
+      description: 'Project a feature knowledge node to a role-appropriate answer. role="ceo-po" \u2192 business description + apps + effort BAND (never number-of-days) + blockers; role="dev" \u2192 module + code_ref pointers with modifies/reference relation + gotchas recalled before the first question; role="tester" \u2192 acceptance criteria collated per realized task + edge cases derived from gotcha trigger/context + regression scope (shipped tasks that must not break). Each bundle includes an honesty section (what the projection used vs. lacked). featureId is the feature slug (e.g. feature-crawler-list-ui-enhancements).',
+      inputSchema: {
+        featureId: external_exports3.string().describe("Feature knowledge slug"),
+        role: external_exports3.enum(["ceo-po", "dev", "tester"]).describe("Asker role: ceo-po | dev | tester")
+      }
+    },
+    async ({ featureId, role }) => {
+      try {
+        return textResponse(await buildFeatureProjection(svc, featureId, role));
+      } catch (err) {
+        if (err instanceof FeatureNotFoundError) return textResponse(err.message);
+        throw err;
+      }
+    }
+  );
+};
+
 // src/core/domain/stats-service.ts
 var FLOOR_CALLS = 5;
 var BROKEN_ERROR_RATE = 0.2;
@@ -44257,7 +45053,7 @@ function classify(t, mvpThreshold) {
 }
 
 // src/adapters/mcp/mcp-tools/stats-tools.ts
-var register9 = (server, svc) => {
+var register13 = (server, svc) => {
   server.registerTool(
     "stats_report",
     {
@@ -44283,7 +45079,7 @@ var register9 = (server, svc) => {
 // src/adapters/mcp/mcp-tools/cleanup-tools.ts
 var fs6 = __toESM(require("node:fs"));
 var KNOWLEDGE_ACTION_ENUM = ["delete", "leave"];
-var register10 = (server, svc) => {
+var register14 = (server, svc) => {
   server.registerTool(
     "cleanup_worktree_orphans",
     {
@@ -44372,7 +45168,7 @@ function dirSizeBytes(dirPath) {
   }
   return total;
 }
-var register11 = (server, artifactsDir) => {
+var register15 = (server, artifactsDir) => {
   server.registerTool(
     "cleanup_artifacts",
     {
@@ -44457,7 +45253,7 @@ var EVENT_TYPE_ENUM = [
   "memory_write",
   "memory_recall"
 ];
-var register12 = (server, svc) => {
+var register16 = (server, svc) => {
   server.registerTool(
     "session_event_add",
     {
@@ -44490,7 +45286,7 @@ var EVENT_TYPE_ENUM2 = [
   "memory_write",
   "memory_recall"
 ];
-var register13 = (server, svc) => {
+var register17 = (server, svc) => {
   server.registerTool(
     "session_event_list",
     {
@@ -44511,7 +45307,7 @@ var register13 = (server, svc) => {
 // src/adapters/mcp/mcp-tools/memory-write.ts
 var SCOPE_TYPE_ENUM = ["user", "project", "workspace", "task"];
 var MEMORY_TYPE_ENUM = ["episodic", "procedural"];
-var register14 = (server, svc) => {
+var register18 = (server, svc) => {
   server.registerTool(
     "memory_write",
     {
@@ -44544,7 +45340,7 @@ var register14 = (server, svc) => {
 };
 
 // src/adapters/mcp/mcp-tools/memory-recall.ts
-var register15 = (server, svc) => {
+var register19 = (server, svc) => {
   server.registerTool(
     "memory_recall",
     {
@@ -44569,7 +45365,7 @@ var register15 = (server, svc) => {
 };
 
 // src/adapters/mcp/mcp-tools/memory-promote-to-knowledge.ts
-var register16 = (server, svc) => {
+var register20 = (server, svc) => {
   server.registerTool(
     "memory_promote_to_knowledge",
     {
@@ -44607,7 +45403,7 @@ var register16 = (server, svc) => {
 };
 
 // src/adapters/mcp/mcp-tools/ac-check.ts
-var register17 = (server, svc) => {
+var register21 = (server, svc) => {
   server.registerTool(
     "ac_check",
     {
@@ -44667,17 +45463,21 @@ function buildMcpServer(deps, toolAllowlist, sink) {
   register4(instrumented, deps.svc);
   register5(instrumented, deps.svc);
   register6(instrumented, deps.svc);
-  register7(instrumented, deps.svc, deps.dataDir, deps.dbPath);
-  register8(instrumented, deps.svc);
+  register7(instrumented, deps.svc);
+  register8(instrumented, deps.svc, deps.dataDir, deps.dbPath);
   register9(instrumented, deps.svc);
   register10(instrumented, deps.svc);
-  register11(instrumented, deps.artifactsDir);
+  register11(instrumented, deps.svc);
   register12(instrumented, deps.svc);
   register13(instrumented, deps.svc);
   register14(instrumented, deps.svc);
-  register15(instrumented, deps.svc);
+  register15(instrumented, deps.artifactsDir);
   register16(instrumented, deps.svc);
   register17(instrumented, deps.svc);
+  register18(instrumented, deps.svc);
+  register19(instrumented, deps.svc);
+  register20(instrumented, deps.svc);
+  register21(instrumented, deps.svc);
   return { server, toolCount: instrumented.registeredToolNames.length };
 }
 async function startMcpServer() {
@@ -44699,11 +45499,11 @@ async function startMcpServer() {
     dbPath: dataPaths.dbPath
   };
   if (mode === "http") {
-    const oauth = await buildOAuthConfig(backend);
+    const oauth = buildOAuthConfig();
     const token = process.env.MCP_HTTP_TOKEN ?? "";
     if (!oauth && token.length === 0) {
       process.stderr.write(
-        "[choda-deck] MCP_TRANSPORT=http requires MCP_HTTP_TOKEN (or MCP_OAUTH_MODE=1 + MCP_OAUTH_ISSUER) \u2014 refusing to expose unauthenticated\n"
+        "[choda-deck] MCP_TRANSPORT=http requires MCP_HTTP_TOKEN (or MCP_OAUTH_MODE=1 + Keycloak config) \u2014 refusing to expose unauthenticated\n"
       );
       process.exit(2);
     }
@@ -44720,7 +45520,9 @@ async function startMcpServer() {
         port,
         bind,
         token,
-        oauth
+        oauth,
+        // ADR-030 Phase 2 — read-only pull source (GET /sync/since).
+        syncSource: { fetchSince: (since) => svc.fetchSince(since) }
       }
     );
     return;
@@ -44730,44 +45532,44 @@ async function startMcpServer() {
   const transport = new StdioServerTransport();
   await server.connect(transport);
 }
-async function buildOAuthConfig(backend) {
+function buildOAuthConfig() {
   if (process.env.MCP_OAUTH_MODE !== "1") return void 0;
-  const issuer = (process.env.MCP_OAUTH_ISSUER ?? "").replace(/\/$/, "");
-  if (issuer.length === 0) {
-    process.stderr.write(
-      "[choda-deck] MCP_OAUTH_MODE=1 requires MCP_OAUTH_ISSUER (e.g. https://mcp.choda.dev)\n"
-    );
-    process.exit(2);
-  }
-  const passwordFile = process.env.MCP_OAUTH_CONSENT_PASSWORD_FILE ?? path9.join(process.cwd(), "sensitive_information", "oauth-consent-password.txt");
-  if (!fs8.existsSync(passwordFile)) {
-    process.stderr.write(
-      `[choda-deck] MCP_OAUTH_MODE=1 needs consent password file at ${passwordFile}
-`
-    );
-    process.exit(2);
-  }
-  const hash2 = fs8.readFileSync(passwordFile, "utf8").trim();
-  if (!/^[0-9a-f]{64}$/i.test(hash2)) {
-    process.stderr.write(
-      `[choda-deck] consent password file must contain a 64-char hex SHA-256 hash (got ${hash2.length} chars)
-`
-    );
+  const origin = requireEnv("MCP_OAUTH_ISSUER", "public origin e.g. https://mcp.choda.dev").replace(
+    /\/$/,
+    ""
+  );
+  const realmIssuer = requireEnv(
+    "MCP_OIDC_ISSUER",
+    "Keycloak realm issuer e.g. https://id.choda.dev/realms/choda"
+  ).replace(/\/$/, "");
+  const clientId = requireEnv("MCP_OIDC_CLIENT_ID", "pinned Keycloak public client id");
+  const audience = process.env.MCP_OIDC_AUDIENCE ?? clientId;
+  const secretFile = process.env.MCP_OIDC_CLIENT_SECRET_FILE;
+  const clientSecret = secretFile && fs8.existsSync(secretFile) ? fs8.readFileSync(secretFile, "utf8").trim() : void 0;
+  const verifier = createKeycloakVerifier({
+    issuer: realmIssuer,
+    audience,
+    jwksUri: `${realmIssuer}/protocol/openid-connect/certs`
+  });
+  return {
+    origin,
+    keycloak: {
+      authorizationEndpoint: `${realmIssuer}/protocol/openid-connect/auth`,
+      tokenEndpoint: `${realmIssuer}/protocol/openid-connect/token`,
+      clientId,
+      clientSecret
+    },
+    verifier
+  };
+}
+function requireEnv(name, hint) {
+  const value = (process.env[name] ?? "").trim();
+  if (value.length === 0) {
+    process.stderr.write(`[choda-deck] MCP_OAUTH_MODE=1 requires ${name} (${hint})
+`);
     process.exit(2);
   }
-  const repo = backend.kind === "postgres" ? await buildPostgresOAuthRepo(backend.connectionString) : buildSqliteOAuthRepo(backend.dbPath);
-  return { repo, issuer, consentPasswordHashHex: hash2 };
-}
-function buildSqliteOAuthRepo(dbPath) {
-  const oauthDb = new import_better_sqlite32.default(dbPath);
-  oauthDb.pragma("foreign_keys = ON");
-  return new OAuthRepository(oauthDb);
-}
-async function buildPostgresOAuthRepo(connectionString) {
-  const poolMax = Number.parseInt(process.env.CHODA_PG_POOL_SIZE ?? "10", 10);
-  const conn = new PgConnection({ connectionString, max: poolMax });
-  await migrate(conn);
-  return new PostgresOAuthRepository(conn);
+  return value;
 }
 
 // src/adapters/mcp/server.ts