codeninja 2.0.0

package/mcp-server.js

@@ -0,0 +1,842 @@
+#!/usr/bin/env node
+
+/**
+ * Code Ninja MCP Server
+ * Execution layer for the Code Ninja agent system.
+ * Owns: context management, filesystem intelligence,
+ * surgical file edits, code analysis, and environment validation.
+ */
+
+const { Server } = require('@modelcontextprotocol/sdk/server/index.js');
+const { StdioServerTransport } = require('@modelcontextprotocol/sdk/server/stdio.js');
+const { CallToolRequestSchema, ListToolsRequestSchema, ListResourcesRequestSchema, ReadResourceRequestSchema } = require('@modelcontextprotocol/sdk/types.js');
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const server = new Server(
+    { name: 'codeninja', version: '2.0.0' },
+    { capabilities: { tools: {}, resources: {} } }
+);
+
+// ─── Path Helpers ─────────────────────────────────────────────────────────────
+
+// mcp-server.js lives at <project-root>/.codeninja/mcp-server.js
+// __dirname = <project-root>/.codeninja
+// path.dirname(__dirname) = <project-root>  ← always correct regardless of IDE CWD
+//
+// We deliberately do NOT use process.cwd() here. IDEs launch the MCP server
+// with their own working directory, which is NOT the project root. Using
+// process.cwd() caused context.json to be written into the IDE's installation
+// folder. __dirname is always relative to this file's actual location on disk.
+const ROOT = path.dirname(__dirname);
+const CONTEXT_DIR = path.join(ROOT, '.codeninja', 'context');
+const CONTEXT_FILE = path.join(CONTEXT_DIR, 'context.json');
+
+function abs(rel) { return path.resolve(ROOT, rel); }
+
+function readJSON(filePath) {
+    const full = abs(filePath);
+    if (!fs.existsSync(full)) return null;
+    return JSON.parse(fs.readFileSync(full, 'utf8')); // ← throws on bad JSON
+}
+
+function writeJSON(filePath, obj) {
+    const full = abs(filePath);
+    fs.mkdirSync(path.dirname(full), { recursive: true });
+    fs.writeFileSync(full, JSON.stringify(obj, null, 2), 'utf8');
+}
+
+function deepMerge(target, source) {
+    for (const key of Object.keys(source)) {
+        if (
+            source[key] !== null &&
+            typeof source[key] === 'object' &&
+            !Array.isArray(source[key]) &&
+            target[key] !== null &&
+            typeof target[key] === 'object' &&
+            !Array.isArray(target[key])
+        ) {
+            deepMerge(target[key], source[key]);
+        } else {
+            target[key] = source[key];
+        }
+    }
+    return target;
+}
+
+const EMPTY_CONTEXT = {
+    context_version: 0,
+    project_name: '',
+    initialized_at: '',
+    last_updated_at: '',
+    last_command: '',
+    last_command_at: '',
+    repository_state: '',
+    has_context_file: false,
+    detected_services: [],
+    detected_db: false,
+    project_info: {
+        has_doc: false, doc_url: '', doc_source: '', doc_content: '',
+        has_sow: false, sow_url: '', sow_source: '', sow_content: '',
+        has_figma: false, figma_url: '', figma_accessible: false, figma_screens: '',
+        summary: '', detected_entities: [],
+        from_doc: { project_name: '', domain: '', purpose: '', features: [], entities: [], tech_preferences: [] },
+        from_sow: { phases: [], deliverables: [], apis_expected: [], tables_expected: [], integrations: [], constraints: [], timeline: '' },
+        from_figma: { screens: [], components_hinted: [], color_theme: '' }
+    },
+    db: {
+        type: '', name: '', host: '', port: 0, user: '',
+        schema: { tables: {}, change_log: [] }
+    },
+    services: {},
+    api_routes: [],
+    designs: [],
+    change_log: [],
+    current_init: {}, current_api: {}, current_action: {},
+    current_refactor: {}, current_design: {}, current_test: {}, current_db: {}
+};
+
+// ─── Tool Definitions ─────────────────────────────────────────────────────────
+
+server.setRequestHandler(ListToolsRequestSchema, async () => ({
+    tools: [
+
+        // ── CATEGORY 1: Context Engine ────────────────────────────────────────────
+
+        {
+            name: 'context_read',
+            description: 'Reads context.json and returns the full parsed object. Returns the empty schema if file does not exist. Always call this at agent activation instead of reading the file manually.',
+            inputSchema: { type: 'object', properties: {}, required: [] }
+        },
+        {
+            name: 'context_write',
+            description: 'Merges provided updates into context.json. Reads existing file first, deep-merges updates on top, auto-increments context_version, sets timestamps, writes atomically. This is the ONLY way context.json should ever be written.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    updates: { type: 'object', description: 'Keys to merge into existing context. Supports deep merge for nested objects.' },
+                    operation: { type: 'string', description: 'The command that triggered this write. e.g. "initialize-project", "create-api". Stored in last_command.' }
+                },
+                required: ['updates', 'operation']
+            }
+        },
+        {
+            name: 'context_clear_scratchpad',
+            description: 'Clears one or more current_* scratchpad keys in context.json by setting them to {}. Call at the end of every workflow to clean up in-progress state.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    keys: { type: 'array', items: { type: 'string' }, description: 'Array of current_* keys to clear. e.g. ["current_init", "current_api"]' }
+                },
+                required: ['keys']
+            }
+        },
+        {
+            name: 'context_check_stale',
+            description: 'Checks if any current_* scratchpad key is non-empty and last_command_at is older than the threshold. Returns stale keys with their content and age. Use at activation to detect interrupted workflows.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    threshold_minutes: { type: 'number', description: 'Minutes threshold to consider a key stale. Default: 10.' }
+                },
+                required: []
+            }
+        },
+
+        // ── CATEGORY 2: Filesystem Intelligence ──────────────────────────────────
+
+        {
+            name: 'fs_exists',
+            description: 'Checks whether a file or directory exists at a path relative to project root. Returns { exists, type } where type is "file", "directory", or null.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    path: { type: 'string', description: 'Path relative to project root.' }
+                },
+                required: ['path']
+            }
+        },
+        {
+            name: 'fs_list',
+            description: 'Lists files in a directory relative to project root. Optionally filter by extension. Returns array of filenames sorted alphabetically. Returns empty array if directory does not exist.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    path: { type: 'string', description: 'Directory path relative to project root.' },
+                    extension: { type: 'string', description: 'Optional. Filter by extension e.g. ".sql", ".js". Include the dot.' }
+                },
+                required: ['path']
+            }
+        },
+        {
+            name: 'fs_read',
+            description: 'Reads a file and returns its contents as a string. Use for reading generated files during drift detection, audit, or sync. Returns null if file does not exist.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    path: { type: 'string', description: 'File path relative to project root.' }
+                },
+                required: ['path']
+            }
+        },
+        {
+            name: 'migration_next_number',
+            description: 'Scans the migrations directory for a given db_type and returns the next available integer file number. Parses the numeric prefix from existing filenames. Returns 1 if directory is empty.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    db_type: { type: 'string', description: 'postgresql, mysql, or mongodb.' }
+                },
+                required: ['db_type']
+            }
+        },
+        {
+            name: 'service_scan',
+            description: 'Scans the project root for all service directories (folders containing app.js or package.json, excluding node_modules). Returns array of { name, type, has_env, has_modules } objects. Powers detect-repository-state and @sync.',
+            inputSchema: { type: 'object', properties: {}, required: [] }
+        },
+
+        // ── CATEGORY 3: Surgical Editor ───────────────────────────────────────────
+
+        {
+            name: 'file_insert_after',
+            description: 'Inserts a line of text immediately after the last occurrence of an anchor string in a file. Used for route_manager.js module registration and create-schema.sql \\i entries. Never rewrites the whole file.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    path: { type: 'string', description: 'File path relative to project root.' },
+                    anchor: { type: 'string', description: 'Find the last occurrence of this string and insert after it.' },
+                    line: { type: 'string', description: 'The line to insert. Do not include a trailing newline.' }
+                },
+                required: ['path', 'anchor', 'line']
+            }
+        },
+        {
+            name: 'file_contains',
+            description: 'Checks whether a file contains a specific string. Use before file_insert_after to implement duplicate detection — e.g. check if a module is already registered in route_manager.js before inserting.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    path: { type: 'string', description: 'File path relative to project root.' },
+                    search: { type: 'string', description: 'String to search for.' }
+                },
+                required: ['path', 'search']
+            }
+        },
+
+        // ── CATEGORY 4: Code Intelligence ─────────────────────────────────────────
+
+        {
+            name: 'analyze_middleware_order',
+            description: 'Reads a route_manager.js file and extracts the ordered list of router.use() middleware registrations. Returns array of { middleware, position, has_asyncHandler } objects. Powers drift detection Check 1.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service name. Reads <service>/modules/v1/route_manager.js.' }
+                },
+                required: ['service']
+            }
+        },
+        {
+            name: 'analyze_encryption_library',
+            description: 'Reads encryption.js for a service and detects which encryption library is imported (crypto-js, cryptlib, or neither/both). Returns { library, is_consistent } against the expected client_type from context.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service name.' },
+                    expected_client_type: { type: 'string', description: 'reactjs or app — the expected library based on context.' }
+                },
+                required: ['service', 'expected_client_type']
+            }
+        },
+        {
+            name: 'analyze_language_keys',
+            description: 'Reads all language files in a service\'s languages/ directory and compares their keys against en.js. Returns { missing_per_file, extra_per_file, total_keys_en } for drift detection Check 5.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service name.' }
+                },
+                required: ['service']
+            }
+        },
+        {
+            name: 'analyze_dependencies',
+            description: 'Reads package.json for a service and compares installed dependencies against expected packages for the given client_type and db_type. Returns { missing, unexpected, present } arrays.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service name.' },
+                    client_type: { type: 'string', description: 'reactjs or app.' },
+                    db_type: { type: 'string', description: 'postgresql, mysql, or mongodb.' }
+                },
+                required: ['service', 'client_type', 'db_type']
+            }
+        },
+        {
+            name: 'analyze_env_file',
+            description: 'Reads and parses a .env file for a service. Returns key-value pairs as an object. Sensitive values (KEY, IV, API_KEY, PASSWORD) are masked as "***" in the output. Use for drift detection and sync.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service name.' }
+                },
+                required: ['service']
+            }
+        },
+        {
+            name: 'run_drift_check',
+            description: 'Runs all 7 drift detection checks for a service in one call. Returns a structured drift report with DRIFT items categorized by check number. Powers @sync Phase 7. Equivalent to running all analyze_* tools at once.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service name to check.' }
+                },
+                required: ['service']
+            }
+        },
+
+        // ── CATEGORY 5: Environment Tools ─────────────────────────────────────────
+
+        {
+            name: 'npm_check_package',
+            description: 'Queries the npm registry to verify a package exists and returns its latest version and description. Use before adding a dependency to confirm the package name is correct.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    package_name: { type: 'string', description: 'npm package name to look up.' }
+                },
+                required: ['package_name']
+            }
+        },
+        {
+            name: 'npm_install',
+            description: 'Runs npm install in a service directory. Call after generating package.json so dependencies are ready immediately. Returns stdout/stderr output.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    service: { type: 'string', description: 'Service directory name.' }
+                },
+                required: ['service']
+            }
+        },
+        {
+            name: 'validate_redis_connection',
+            description: 'Attempts to connect to Redis at the given host and port and sends a PING command. Returns { reachable, latency_ms, error }. Use before finalizing .env to confirm Redis is available.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    host: { type: 'string', description: 'Redis host.' },
+                    port: { type: 'number', description: 'Redis port.' }
+                },
+                required: ['host', 'port']
+            }
+        },
+        {
+            name: 'validate_postgres_connection',
+            description: 'Attempts to connect to PostgreSQL with the given credentials and runs SELECT 1. Returns { reachable, version, error }. Use before finalizing .env to confirm database is available.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    host: { type: 'string' },
+                    port: { type: 'number' },
+                    database: { type: 'string' },
+                    user: { type: 'string' },
+                    password: { type: 'string' }
+                },
+                required: ['host', 'port', 'database', 'user']
+            }
+        },
+        {
+            name: 'lint_file',
+            description: 'Runs basic structural checks on a generated JavaScript file. Checks for: syntax errors (via node --check), missing module.exports, direct res.json() calls in model files, express imports in model files. Returns { valid, issues[] }.',
+            inputSchema: {
+                type: 'object',
+                properties: {
+                    path: { type: 'string', description: 'File path relative to project root.' },
+                    file_type: { type: 'string', description: 'model, route, middleware, or utility. Determines which checks to apply.' }
+                },
+                required: ['path', 'file_type']
+            }
+        }
+
+    ]
+}));
+
+// ─── Resources ────────────────────────────────────────────────────────────────
+// Resources are readable data sources the agent can subscribe to.
+
+server.setRequestHandler(ListResourcesRequestSchema, async () => ({
+    resources: [
+        {
+            uri: 'codeninja://context',
+            name: 'Project Context',
+            description: 'The live context.json — full project state including services, db schema, api routes, and change log.',
+            mimeType: 'application/json'
+        },
+        {
+            uri: 'codeninja://services',
+            name: 'Discovered Services',
+            description: 'All service directories found on disk with their detected properties.',
+            mimeType: 'application/json'
+        },
+        {
+            uri: 'codeninja://migrations',
+            name: 'Migration Files',
+            description: 'All migration files across all db_types found in the database/ directory.',
+            mimeType: 'application/json'
+        }
+    ]
+}));
+
+server.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+    const uri = request.params.uri;
+
+    if (uri === 'codeninja://context') {
+        const ctx = readJSON(CONTEXT_FILE) || EMPTY_CONTEXT;
+        return { contents: [{ uri, mimeType: 'application/json', text: JSON.stringify(ctx, null, 2) }] };
+    }
+
+    if (uri === 'codeninja://services') {
+        const services = scanServices();
+        return { contents: [{ uri, mimeType: 'application/json', text: JSON.stringify(services, null, 2) }] };
+    }
+
+    if (uri === 'codeninja://migrations') {
+        const migrations = scanMigrations();
+        return { contents: [{ uri, mimeType: 'application/json', text: JSON.stringify(migrations, null, 2) }] };
+    }
+
+    throw new Error(`Unknown resource: ${uri}`);
+});
+
+// ─── Tool Handlers ────────────────────────────────────────────────────────────
+
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+    const { name, arguments: args } = request.params;
+
+    try {
+
+        // ── CATEGORY 1: Context Engine ──────────────────────────────────────────
+
+        if (name === 'context_read') {
+            const ctx = readJSON(CONTEXT_FILE) || structuredClone(EMPTY_CONTEXT);
+            return ok(JSON.stringify(ctx, null, 2));
+        }
+
+        if (name === 'context_write') {
+            fs.mkdirSync(CONTEXT_DIR, { recursive: true });
+            const existing = readJSON(CONTEXT_FILE) || structuredClone(EMPTY_CONTEXT);
+            const merged = deepMerge(structuredClone(existing), args.updates);
+            merged.context_version = (existing.context_version || 0) + 1;
+            const now = new Date().toISOString();
+            merged.last_updated_at = now;
+            merged.last_command_at = now;
+            merged.has_context_file = true;
+            if (args.operation) merged.last_command = args.operation;
+            const tmp = CONTEXT_FILE + '.tmp';
+            fs.writeFileSync(tmp, JSON.stringify(merged, null, 2), 'utf8');
+            fs.renameSync(tmp, CONTEXT_FILE);
+            return ok(`✓ context.json written. Version: ${merged.context_version}`);
+        }
+
+        if (name === 'context_clear_scratchpad') {
+            const existing = readJSON(CONTEXT_FILE);
+            if (!existing) return ok('No context.json found — nothing to clear.');
+            for (const key of args.keys) {
+                if (key.startsWith('current_')) existing[key] = {};
+            }
+            existing.context_version = (existing.context_version || 0) + 1;
+            existing.last_updated_at = new Date().toISOString();
+            fs.writeFileSync(CONTEXT_FILE, JSON.stringify(existing, null, 2), 'utf8');
+            return ok(`✓ Cleared: ${args.keys.join(', ')}`);
+        }
+
+        if (name === 'context_check_stale') {
+            const ctx = readJSON(CONTEXT_FILE);
+            if (!ctx) return ok(JSON.stringify({ stale: [], has_context: false }));
+            const threshold = (args.threshold_minutes || 10) * 60 * 1000;
+            const lastCommandAge = ctx.last_command_at
+                ? Date.now() - new Date(ctx.last_command_at).getTime()
+                : Infinity;
+            const stale = [];
+            for (const key of Object.keys(ctx)) {
+                if (key.startsWith('current_') && ctx[key] && Object.keys(ctx[key]).length > 0) {
+                    if (lastCommandAge > threshold) {
+                        stale.push({ key, age_minutes: Math.round(lastCommandAge / 60000), content: ctx[key] });
+                    }
+                }
+            }
+            return ok(JSON.stringify({ stale, has_context: true, last_command: ctx.last_command }));
+        }
+
+        // ── CATEGORY 2: Filesystem Intelligence ────────────────────────────────
+
+        if (name === 'fs_exists') {
+            const full = abs(args.path);
+            if (!fs.existsSync(full)) return ok(JSON.stringify({ exists: false, type: null }));
+            const stat = fs.statSync(full);
+            return ok(JSON.stringify({ exists: true, type: stat.isDirectory() ? 'directory' : 'file' }));
+        }
+
+        if (name === 'fs_list') {
+            const full = abs(args.path);
+            if (!fs.existsSync(full)) return ok(JSON.stringify([]));
+            let files = fs.readdirSync(full).sort();
+            if (args.extension) files = files.filter(f => f.endsWith(args.extension));
+            return ok(JSON.stringify(files));
+        }
+
+        if (name === 'fs_read') {
+            const full = abs(args.path);
+            if (!fs.existsSync(full)) return ok('null');
+            return ok(fs.readFileSync(full, 'utf8'));
+        }
+
+        if (name === 'migration_next_number') {
+            const dir = abs(`database/${args.db_type}/migrations`);
+            if (!fs.existsSync(dir)) return ok('1');
+            const files = fs.readdirSync(dir).filter(f => f.endsWith('.sql'));
+            if (files.length === 0) return ok('1');
+            const nums = files
+                .filter(f => !f.includes('setup-database-indexes'))
+                .map(f => parseInt(f))
+                .filter(n => !isNaN(n));
+            return ok(String(nums.length > 0 ? Math.max(...nums) + 1 : 1));
+        }
+
+        if (name === 'service_scan') {
+            return ok(JSON.stringify(scanServices()));
+        }
+
+        // ── CATEGORY 3: Surgical Editor ─────────────────────────────────────────
+
+        if (name === 'file_insert_after') {
+            const full = abs(args.path);
+            if (!fs.existsSync(full)) return ok(`ERROR: File not found: ${args.path}`);
+            const content = fs.readFileSync(full, 'utf8');
+            const idx = content.lastIndexOf(args.anchor);
+            if (idx === -1) return ok(`ERROR: Anchor not found: "${args.anchor}"`);
+            const insertAt = idx + args.anchor.length;
+            const updated = content.slice(0, insertAt) + '\n' + args.line + content.slice(insertAt);
+            fs.writeFileSync(full, updated, 'utf8');
+            return ok(`✓ Inserted line after anchor in ${args.path}`);
+        }
+
+        if (name === 'file_contains') {
+            const full = abs(args.path);
+            if (!fs.existsSync(full)) return ok(JSON.stringify({ exists: false, contains: false }));
+            const content = fs.readFileSync(full, 'utf8');
+            return ok(JSON.stringify({ exists: true, contains: content.includes(args.search) }));
+        }
+
+        // ── CATEGORY 4: Code Intelligence ───────────────────────────────────────
+
+        if (name === 'analyze_middleware_order') {
+            const filePath = `${args.service}/modules/v1/route_manager.js`;
+            const full = abs(filePath);
+            if (!fs.existsSync(full)) return ok(JSON.stringify({ error: 'File not found', path: filePath }));
+            const content = fs.readFileSync(full, 'utf8');
+            const lines = content.split('\n');
+            const middlewareLines = lines.filter(l => l.includes('router.use') && l.includes('asyncHandler'));
+            const parsed = middlewareLines.map((line, i) => {
+                const match = line.match(/asyncHandler\(middleware\.(\w+)|asyncHandler\((\w+)\)/);
+                const mw = match ? (match[1] || match[2]) : 'unknown';
+                const hasAsync = line.includes('asyncHandler');
+                return { middleware: mw, position: i + 1, has_asyncHandler: hasAsync };
+            });
+            return ok(JSON.stringify(parsed));
+        }
+
+        if (name === 'analyze_encryption_library') {
+            const filePath = `${args.service}/utilities/encryption.js`;
+            const full = abs(filePath);
+            if (!fs.existsSync(full)) return ok(JSON.stringify({ error: 'File not found' }));
+            const content = fs.readFileSync(full, 'utf8');
+            const hasCryptoJs = content.includes('crypto-js');
+            const hasCryptlib = content.includes('cryptlib');
+            const library = hasCryptoJs && hasCryptlib ? 'both' : hasCryptoJs ? 'crypto-js' : hasCryptlib ? 'cryptlib' : 'none';
+            const expected = args.expected_client_type === 'reactjs' ? 'crypto-js' : 'cryptlib';
+            return ok(JSON.stringify({ library, expected, is_consistent: library === expected }));
+        }
+
+        if (name === 'analyze_language_keys') {
+            const langDir = abs(`${args.service}/languages`);
+            if (!fs.existsSync(langDir)) return ok(JSON.stringify({ error: 'languages/ directory not found' }));
+            const files = fs.readdirSync(langDir).filter(f => f.endsWith('.js'));
+            const keyMap = {};
+            for (const file of files) {
+                const content = fs.readFileSync(path.join(langDir, file), 'utf8');
+                const keys = [...content.matchAll(/^\s{2}(\w+):/gm)].map(m => m[1]);
+                keyMap[file] = keys;
+            }
+            const enKeys = new Set(keyMap['en.js'] || []);
+            const report = {};
+            for (const [file, keys] of Object.entries(keyMap)) {
+                if (file === 'en.js') continue;
+                const fileKeys = new Set(keys);
+                report[file] = {
+                    missing: [...enKeys].filter(k => !fileKeys.has(k)),
+                    extra: [...fileKeys].filter(k => !enKeys.has(k))
+                };
+            }
+            return ok(JSON.stringify({ total_keys_en: enKeys.size, report }));
+        }
+
+        if (name === 'analyze_dependencies') {
+            const pkgPath = `${args.service}/package.json`;
+            const full = abs(pkgPath);
+            if (!fs.existsSync(full)) return ok(JSON.stringify({ error: 'package.json not found' }));
+            const pkg = JSON.parse(fs.readFileSync(full, 'utf8'));
+            const installed = new Set(Object.keys(pkg.dependencies || {}));
+            const required = new Set([
+                'express', 'dotenv', 'localizify', 'moment', 'jsonwebtoken',
+                'ioredis', 'nodemailer', 'firebase-admin', 'validatorjs',
+                'pg-format', 'express-rate-limit', 'cors', 'helmet', 'rand-token',
+                args.client_type === 'reactjs' ? 'crypto-js' : 'cryptlib',
+                args.db_type === 'postgresql' ? 'pg' : args.db_type === 'mysql' ? 'mysql2' : 'mongoose'
+            ]);
+            return ok(JSON.stringify({
+                missing: [...required].filter(p => !installed.has(p)),
+                present: [...required].filter(p => installed.has(p)),
+                unexpected_crypto: args.client_type === 'reactjs' && installed.has('cryptlib')
+                    ? 'cryptlib present but client_type is reactjs'
+                    : args.client_type === 'app' && installed.has('crypto-js')
+                        ? 'crypto-js present but client_type is app'
+                        : null
+            }));
+        }
+
+        if (name === 'analyze_env_file') {
+            const envPath = abs(`${args.service}/.env`);
+            if (!fs.existsSync(envPath)) return ok(JSON.stringify({ error: '.env not found' }));
+            const lines = fs.readFileSync(envPath, 'utf8').split('\n');
+            const result = {};
+            const sensitive = new Set(['KEY', 'IV', 'API_KEY', 'DB_PASSWORD', 'SMTP_PASSWORD']);
+            for (const line of lines) {
+                if (!line.trim() || line.startsWith('#')) continue;
+                const eq = line.indexOf('=');
+                if (eq === -1) continue;
+                const k = line.slice(0, eq).trim();
+                const v = line.slice(eq + 1).trim();
+                result[k] = sensitive.has(k) ? '***' : v;
+            }
+            return ok(JSON.stringify(result));
+        }
+
+        if (name === 'run_drift_check') {
+            const service = args.service;
+            const ctx = readJSON(CONTEXT_FILE);
+            const serviceCtx = ctx?.services?.[service];
+            if (!serviceCtx) return ok(JSON.stringify({ error: `Service "${service}" not found in context` }));
+            const drifts = [];
+
+            // Check 1 — middleware order
+            const mwPath = abs(`${service}/modules/v1/route_manager.js`);
+            if (fs.existsSync(mwPath)) {
+                const content = fs.readFileSync(mwPath, 'utf8');
+                const expected = ['rateLimiter', 'extractLanguage', 'validateApiKey', 'validateToken'];
+                if (serviceCtx.encrypted_transport) expected.push('decryptRequest');
+                expected.forEach((mw, i) => {
+                    if (!content.includes(mw)) drifts.push({ check: 1, issue: `Missing middleware: ${mw}` });
+                });
+                if (!serviceCtx.encrypted_transport && content.includes('decryptRequest'))
+                    drifts.push({ check: 1, issue: 'decryptRequest present but encrypted_transport is false' });
+            }
+
+            // Check 2 — encryption library
+            const encPath = abs(`${service}/utilities/encryption.js`);
+            if (fs.existsSync(encPath)) {
+                const content = fs.readFileSync(encPath, 'utf8');
+                const expected = serviceCtx.client_type === 'reactjs' ? 'crypto-js' : 'cryptlib';
+                const wrong = serviceCtx.client_type === 'reactjs' ? 'cryptlib' : 'crypto-js';
+                if (content.includes(wrong))
+                    drifts.push({ check: 2, issue: `encryption.js uses ${wrong} but client_type is ${serviceCtx.client_type}` });
+            }
+
+            // Check 3 — response.js encrypted_transport
+            const respPath = abs(`${service}/utilities/response.js`);
+            if (fs.existsSync(respPath)) {
+                const content = fs.readFileSync(respPath, 'utf8');
+                if (!content.includes('ENCRYPTED_TRANSPORT'))
+                    drifts.push({ check: 3, issue: 'response.js does not reference ENCRYPTED_TRANSPORT' });
+            }
+
+            // Check 4 — headerValidator decryptRequest
+            const hvPath = abs(`${service}/middleware/headerValidator.js`);
+            if (fs.existsSync(hvPath)) {
+                const content = fs.readFileSync(hvPath, 'utf8');
+                const hasDecrypt = content.includes('decryptRequest');
+                if (serviceCtx.encrypted_transport && !hasDecrypt)
+                    drifts.push({ check: 4, issue: 'headerValidator missing decryptRequest but encrypted_transport is true' });
+                if (!serviceCtx.encrypted_transport && hasDecrypt)
+                    drifts.push({ check: 4, issue: 'headerValidator has decryptRequest but encrypted_transport is false' });
+            }
+
+            // Check 5 — language key parity
+            const langDir = abs(`${service}/languages`);
+            if (fs.existsSync(langDir)) {
+
+                const enPath = path.join(langDir, 'en.js');
+                if (!fs.existsSync(enPath)) {
+                    drifts.push({ check: 5, issue: 'languages/en.js not found — language key parity check skipped' });
+                } else {
+                    const files = fs.readdirSync(langDir).filter(f => f.endsWith('.js'));
+                    const enContent = fs.readFileSync(enPath, 'utf8');
+                    const enKeys = new Set([...enContent.matchAll(/^\s{2}(\w+):/gm)].map(m => m[1]));
+                    for (const file of files) {
+                        if (file === 'en.js') continue;
+                        const content = fs.readFileSync(path.join(langDir, file), 'utf8');
+                        const keys = new Set([...content.matchAll(/^\s{2}(\w+):/gm)].map(m => m[1]));
+                        const missing = [...enKeys].filter(k => !keys.has(k));
+                        if (missing.length > 0)
+                            drifts.push({ check: 5, issue: `${file} missing ${missing.length} keys: ${missing.slice(0, 5).join(', ')}${missing.length > 5 ? '...' : ''}` });
+                    }
+                }
+            }
+
+            // Check 6 — package.json dependencies
+            const pkgPath = abs(`${service}/package.json`);
+            if (fs.existsSync(pkgPath)) {
+                const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+                const installed = Object.keys(pkg.dependencies || {});
+                const dbPkg = ctx.db?.type === 'postgresql' ? 'pg' : ctx.db?.type === 'mysql' ? 'mysql2' : 'mongoose';
+                const encPkg = serviceCtx.client_type === 'reactjs' ? 'crypto-js' : 'cryptlib';
+                for (const required of ['express', 'jsonwebtoken', 'ioredis', dbPkg, encPkg]) {
+                    if (!installed.includes(required))
+                        drifts.push({ check: 6, issue: `package.json missing required dependency: ${required}` });
+                }
+            }
+
+            return ok(JSON.stringify({
+                service,
+                drift_count: drifts.length,
+                clean: drifts.length === 0,
+                drifts
+            }));
+        }
+
+        // ── CATEGORY 5: Environment Tools ───────────────────────────────────────
+
+        if (name === 'npm_check_package') {
+            try {
+                const result = execSync(`npm view ${args.package_name} name version description --json 2>/dev/null`, { encoding: 'utf8', timeout: 10000 });
+                return ok(result);
+            } catch {
+                return ok(JSON.stringify({ error: `Package "${args.package_name}" not found on npm registry` }));
+            }
+        }
+
+        if (name === 'npm_install') {
+            const serviceDir = abs(args.service);
+            if (!fs.existsSync(serviceDir)) return ok(`ERROR: Service directory not found: ${args.service}`);
+            try {
+                const result = execSync('npm install', { cwd: serviceDir, encoding: 'utf8', timeout: 120000 });
+                return ok(`✓ npm install completed in ${args.service}\n${result}`);
+            } catch (e) {
+                return ok(`ERROR: npm install failed\n${e.stderr || e.message}`);
+            }
+        }
+
+        if (name === 'validate_redis_connection') {
+            try {
+                const start = Date.now();
+                execSync(`redis-cli -h ${args.host} -p ${args.port} PING`, { encoding: 'utf8', timeout: 5000 });
+                return ok(JSON.stringify({ reachable: true, latency_ms: Date.now() - start }));
+            } catch (e) {
+                return ok(JSON.stringify({ reachable: false, error: e.message }));
+            }
+        }
+
+        if (name === 'validate_postgres_connection') {
+            try {
+                const connStr = `postgresql://${args.user}${args.password ? ':' + args.password : ''}@${args.host}:${args.port}/${args.database}`;
+                const result = execSync(`psql "${connStr}" -c "SELECT version();" --no-password 2>&1`, { encoding: 'utf8', timeout: 8000 });
+                const versionLine = result.split('\n').find(l => l.includes('PostgreSQL'));
+                return ok(JSON.stringify({ reachable: true, version: versionLine?.trim() || 'connected' }));
+            } catch (e) {
+                return ok(JSON.stringify({ reachable: false, error: e.message }));
+            }
+        }
+
+        if (name === 'lint_file') {
+            const full = abs(args.path);
+            if (!fs.existsSync(full)) return ok(JSON.stringify({ valid: false, issues: ['File not found'] }));
+            const content = fs.readFileSync(full, 'utf8');
+            const issues = [];
+
+            // Syntax check
+            try {
+                execSync(`node --check "${full}"`, { encoding: 'utf8', timeout: 5000 });
+            } catch (e) {
+                issues.push(`Syntax error: ${e.stderr?.split('\n')[0] || e.message}`);
+            }
+
+            // Model-specific checks
+            if (args.file_type === 'model') {
+                if (content.includes("require('express')") || content.includes('require("express")'))
+                    issues.push('Model file imports express — express objects must not exist in model files');
+                if (content.includes('res.json(') || content.includes('res.status('))
+                    issues.push('Model file calls res.json/res.status — all responses must go through response.js');
+            }
+
+            // General checks
+            if (!content.includes('module.exports'))
+                issues.push('Missing module.exports — file does not export anything');
+
+            return ok(JSON.stringify({ valid: issues.length === 0, issues }));
+        }
+
+        return ok(`Unknown tool: ${name}`);
+
+    } catch (err) {
+        return ok(`ERROR: ${err.message}`);
+    }
+});
+
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+
+function ok(text) {
+    return { content: [{ type: 'text', text }] };
+}
+
+function scanServices() {
+    const entries = fs.readdirSync(ROOT, { withFileTypes: true });
+    const services = [];
+    const skip = new Set(['.codeninja', 'node_modules', 'database', '.git']);
+    for (const entry of entries) {
+        if (!entry.isDirectory() || skip.has(entry.name)) continue;
+        const dir = path.join(ROOT, entry.name);
+        const hasAppJs = fs.existsSync(path.join(dir, 'app.js'));
+        const hasPkgJson = fs.existsSync(path.join(dir, 'package.json'));
+        const hasReact = fs.existsSync(path.join(dir, 'src', 'main.jsx')) ||
+            fs.existsSync(path.join(dir, 'src', 'index.jsx'));
+        if (hasAppJs || hasPkgJson) {
+            services.push({
+                name: entry.name,
+                type: hasReact ? 'reactjs' : 'nodejs',
+                has_env: fs.existsSync(path.join(dir, '.env')),
+                has_modules: fs.existsSync(path.join(dir, 'modules'))
+            });
+        }
+    }
+    return services;
+}
+
+function scanMigrations() {
+    const dbDir = abs('database');
+    if (!fs.existsSync(dbDir)) return {};
+    const result = {};
+    for (const dbType of fs.readdirSync(dbDir)) {
+        const migrDir = path.join(dbDir, dbType, 'migrations');
+        if (!fs.existsSync(migrDir)) continue;
+        result[dbType] = fs.readdirSync(migrDir).filter(f => f.endsWith('.sql')).sort();
+    }
+    return result;
+}
+
+// ─── Start ────────────────────────────────────────────────────────────────────
+
+const transport = new StdioServerTransport();
+server.connect(transport).catch(console.error);