memory-journal-mcp 6.2.1 → 7.0.0

package/dist/{chunk-BI4ZNSKA.js → chunk-2BJHLTYP.js}

@@ -1,163 +1,15 @@
 import { transformAutoReturn } from './chunk-OKOVZ5QE.js';
+import { GitHubIntegration, resolveAuthor, logger, MemoryJournalMcpError, matchSuggestion, ConfigurationError } from './chunk-ARLH46WS.js';
 import { z, ZodError } from 'zod';
-import { execFileSync } from 'child_process';
 import * as vm from 'vm';
 import { MessageChannel, Worker } from 'worker_threads';
 import * as crypto2 from 'crypto';
 import { fileURLToPath } from 'url';
 import * as path from 'path';
+import { dirname } from 'path';
+import { performance as performance$1 } from 'perf_hooks';
+import { open, stat, mkdir, rename, appendFile } from 'fs/promises';
 
-// src/utils/errors/suggestions.ts
-var GENERIC_CODES = /* @__PURE__ */ new Set(["QUERY_FAILED", "INTERNAL_ERROR", "UNKNOWN_ERROR"]);
-var ERROR_SUGGESTIONS = [
-  // Resource not found patterns
-  {
-    pattern: /not found/i,
-    suggestion: "Verify the resource identifier and try again",
-    code: "RESOURCE_NOT_FOUND"
-  },
-  {
-    pattern: /no such table/i,
-    suggestion: "The database table does not exist. Run database initialization.",
-    code: "TABLE_NOT_FOUND"
-  },
-  // Permission / access patterns
-  {
-    pattern: /permission denied|SQLITE_READONLY/i,
-    suggestion: "Check file permissions and database access rights",
-    code: "PERMISSION_DENIED"
-  },
-  // Connection / lock patterns
-  {
-    pattern: /database is locked/i,
-    suggestion: "The database is locked by another process. Retry after a short delay.",
-    code: "CONNECTION_FAILED"
-  },
-  // Constraint patterns
-  {
-    pattern: /SQLITE_CONSTRAINT|unique constraint/i,
-    suggestion: "A uniqueness or integrity constraint was violated. Check input values.",
-    code: "VALIDATION_FAILED"
-  },
-  // Disk / space patterns
-  {
-    pattern: /disk I\/O|SQLITE_FULL/i,
-    suggestion: "The disk may be full or the filesystem is read-only."
-  },
-  // Malformed input patterns
-  {
-    pattern: /malformed|invalid json|unexpected token/i,
-    suggestion: "The input appears malformed. Check the format and try again.",
-    code: "VALIDATION_FAILED"
-  }
-];
-function matchSuggestion(message) {
-  for (const entry of ERROR_SUGGESTIONS) {
-    if (entry.pattern.test(message)) {
-      return { suggestion: entry.suggestion, code: entry.code };
-    }
-  }
-  return void 0;
-}
-
-// src/types/errors.ts
-var MemoryJournalMcpError = class extends Error {
-  /** Module-prefixed error code */
-  code;
-  /** Error category for programmatic handling */
-  category;
-  /** Actionable suggestion for resolving the error */
-  suggestion;
-  /** Whether the operation can be retried */
-  recoverable;
-  /** Additional structured context */
-  details;
-  constructor(message, code, category, options) {
-    super(message, options?.cause ? { cause: options.cause } : void 0);
-    this.name = "MemoryJournalMcpError";
-    this.category = category;
-    this.recoverable = options?.recoverable ?? false;
-    this.details = options?.details;
-    const matched = matchSuggestion(message);
-    if (GENERIC_CODES.has(code) && matched?.code) {
-      this.code = matched.code;
-    } else {
-      this.code = code;
-    }
-    this.suggestion = options?.suggestion ?? matched?.suggestion;
-  }
-  /**
-   * Convert to a structured ErrorResponse for tool responses.
-   */
-  toResponse() {
-    return {
-      success: false,
-      error: this.message,
-      code: this.code,
-      category: this.category,
-      suggestion: this.suggestion,
-      recoverable: this.recoverable,
-      ...this.details ? { details: this.details } : {}
-    };
-  }
-};
-var ConnectionError = class extends MemoryJournalMcpError {
-  constructor(message, details) {
-    super(message, "CONNECTION_FAILED", "connection" /* CONNECTION */, {
-      suggestion: "Check database path and file permissions",
-      recoverable: true,
-      details
-    });
-    this.name = "ConnectionError";
-  }
-};
-var QueryError = class extends MemoryJournalMcpError {
-  constructor(message, details) {
-    super(message, "QUERY_FAILED", "query" /* QUERY */, {
-      suggestion: "Check query parameters and database state",
-      recoverable: false,
-      details
-    });
-    this.name = "QueryError";
-  }
-};
-var ValidationError = class extends MemoryJournalMcpError {
-  constructor(message, details) {
-    super(message, "VALIDATION_FAILED", "validation" /* VALIDATION */, {
-      suggestion: "Check input parameters against the tool schema",
-      recoverable: false,
-      details
-    });
-    this.name = "ValidationError";
-  }
-};
-var ResourceNotFoundError = class extends MemoryJournalMcpError {
-  constructor(resourceType, identifier) {
-    super(
-      `${resourceType} not found: ${identifier}`,
-      "RESOURCE_NOT_FOUND",
-      "resource" /* RESOURCE */,
-      {
-        suggestion: `Verify the ${resourceType.toLowerCase()} identifier and try again`,
-        recoverable: false,
-        details: { resourceType, identifier }
-      }
-    );
-    this.name = "ResourceNotFoundError";
-  }
-};
-var ConfigurationError = class extends MemoryJournalMcpError {
-  constructor(message, details) {
-    super(message, "CONFIGURATION_ERROR", "configuration" /* CONFIGURATION */, {
-      suggestion: "Check server configuration and environment variables",
-      recoverable: false,
-      details
-    });
-    this.name = "ConfigurationError";
-  }
-};
-
-// src/utils/error-helpers.ts
 function formatZodError(error) {
   return error.issues.map((issue) => {
     const path2 = issue.path.length > 0 ? `${issue.path.join(".")}: ` : "";
@@ -189,78 +41,6 @@ function formatHandlerError(err) {
     ...matched?.suggestion ? { suggestion: matched.suggestion } : {}
   };
 }
-var GIT_COMMAND_TIMEOUT_MS = 3e3;
-var SecurityError = class extends MemoryJournalMcpError {
-  constructor(message, code) {
-    super(message, code, "validation" /* VALIDATION */, {
-      suggestion: "Check input for security violations",
-      recoverable: false
-    });
-    this.name = "SecurityError";
-  }
-};
-var InvalidDateFormatError = class extends SecurityError {
-  constructor(value) {
-    super(`Invalid date format pattern: '${value}'`, "INVALID_DATE_FORMAT");
-    this.name = "InvalidDateFormatError";
-  }
-};
-var PathTraversalError = class extends SecurityError {
-  constructor(path2) {
-    super(`Path traversal detected: '${path2}'`, "PATH_TRAVERSAL");
-    this.name = "PathTraversalError";
-  }
-};
-var ALLOWED_DATE_FORMATS = {
-  day: "%Y-%m-%d",
-  week: "%Y-W%W",
-  month: "%Y-%m"
-};
-function validateDateFormatPattern(groupBy) {
-  const format = ALLOWED_DATE_FORMATS[groupBy];
-  if (!format) {
-    throw new InvalidDateFormatError(groupBy);
-  }
-  return format;
-}
-function assertNoPathTraversal(filename) {
-  if (filename.includes("/") || filename.includes("\\") || filename.includes("..")) {
-    throw new PathTraversalError(filename);
-  }
-}
-var TOKEN_PATTERNS = [
-  // GitHub personal access tokens (classic and fine-grained)
-  /ghp_[A-Za-z0-9_]{36,}/g,
-  /github_pat_[A-Za-z0-9_]{82,}/g,
-  // Authorization headers in error dumps
-  /Authorization:\s*(?:token|Bearer)\s+\S+/gi,
-  // Generic Bearer tokens
-  /Bearer\s+[A-Za-z0-9._\-~+/]+=*/gi
-];
-function sanitizeErrorForLogging(message) {
-  let sanitized = message;
-  for (const pattern of TOKEN_PATTERNS) {
-    pattern.lastIndex = 0;
-    sanitized = sanitized.replace(pattern, "[REDACTED]");
-  }
-  return sanitized;
-}
-function sanitizeAuthor(raw) {
-  return raw.replace(/[\x00-\x1f\x7f]/g, "").slice(0, 100);
-}
-function resolveAuthor() {
-  const envAuthor = process.env["TEAM_AUTHOR"]?.trim().replace(/"/g, "");
-  if (envAuthor) return sanitizeAuthor(envAuthor);
-  try {
-    const gitUser = execFileSync("git", ["config", "user.name"], {
-      encoding: "utf-8",
-      timeout: GIT_COMMAND_TIMEOUT_MS
-    }).trim().replace(/"/g, "");
-    if (gitUser) return sanitizeAuthor(gitUser);
-  } catch {
-  }
-  return "unknown";
-}
 
 // src/utils/vector-index-helpers.ts
 function autoIndexEntry(vectorManager, entryId, content) {
@@ -270,12 +50,27 @@ function autoIndexEntry(vectorManager, entryId, content) {
 }
 
 // src/utils/github-helpers.ts
-function resolveIssueUrl(github, issueNumber, existingUrl) {
+async function resolveIssueUrl(context, projectNumber, issueNumber, existingUrl) {
   if (existingUrl) return existingUrl;
-  if (issueNumber === void 0 || !github) return void 0;
-  const cachedRepo = github.getCachedRepoInfo();
-  if (cachedRepo?.owner && cachedRepo?.repo) {
-    return `https://github.com/${cachedRepo.owner}/${cachedRepo.repo}/issues/${String(issueNumber)}`;
+  if (issueNumber === void 0) return void 0;
+  if (projectNumber !== void 0 && context.config?.projectRegistry) {
+    const entry = Object.entries(context.config.projectRegistry).find(
+      ([_, v]) => v.project_number === projectNumber
+    );
+    if (entry) {
+      const { GitHubIntegration: GitHubIntegration2 } = await import('./github-integration-PDRLXKGM.js');
+      const targetGithub = new GitHubIntegration2(entry[1].path);
+      const repoInfo = await targetGithub.getRepoInfo();
+      if (repoInfo.owner && repoInfo.repo) {
+        return `https://github.com/${repoInfo.owner}/${repoInfo.repo}/issues/${String(issueNumber)}`;
+      }
+    }
+  }
+  if (context.github) {
+    const cachedRepo = context.github.getCachedRepoInfo() ?? await context.github.getRepoInfo();
+    if (cachedRepo?.owner && cachedRepo?.repo) {
+      return `https://github.com/${cachedRepo.owner}/${cachedRepo.repo}/issues/${String(issueNumber)}`;
+    }
   }
   return void 0;
 }
@@ -287,70 +82,6 @@ var ErrorFieldsMixin = z.object({
   suggestion: z.string().optional().describe("Suggested fix for the error"),
   details: z.record(z.string(), z.unknown()).optional().describe("Additional error context")
 });
-
-// src/utils/logger.ts
-var LOG_LEVELS = {
-  debug: 7,
-  info: 6,
-  notice: 5,
-  warning: 4,
-  error: 3,
-  critical: 2
-};
-var Logger = class {
-  minLevel;
-  constructor(level = "info") {
-    this.minLevel = LOG_LEVELS[level];
-  }
-  shouldLog(level) {
-    return LOG_LEVELS[level] <= this.minLevel;
-  }
-  log(level, message, context) {
-    if (!this.shouldLog(level)) return;
-    const safeMessage = message.replace(/\n|\r/g, "");
-    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
-    const levelUpper = level.toUpperCase().padEnd(8);
-    const mod = context?.module ? `[${context.module.replace(/\n|\r/g, "")}]` : "";
-    const op = context?.operation ? `[${context.operation.replace(/\n|\r/g, "")}]` : "";
-    let line = `[${timestamp}] [${levelUpper}] ${mod}${op} ${safeMessage}`;
-    const extras = { ...context };
-    delete extras["module"];
-    delete extras["operation"];
-    if (extras["error"] != null && typeof extras["error"] === "string") {
-      extras["error"] = sanitizeErrorForLogging(extras["error"]);
-    }
-    if (Object.keys(extras).length > 0) {
-      line += ` ${JSON.stringify(extras).replace(/\n|\r/g, "")}`;
-    }
-    console.error(line);
-  }
-  debug(message, context) {
-    this.log("debug", message, context);
-  }
-  info(message, context) {
-    this.log("info", message, context);
-  }
-  notice(message, context) {
-    this.log("notice", message, context);
-  }
-  warning(message, context) {
-    this.log("warning", message, context);
-  }
-  error(message, context) {
-    this.log("error", message, context);
-  }
-  critical(message, context) {
-    this.log("critical", message, context);
-  }
-  setLevel(level) {
-    if (level in LOG_LEVELS) {
-      this.minLevel = LOG_LEVELS[level];
-    }
-  }
-};
-var rawLevel = process.env["LOG_LEVEL"] ?? "info";
-var envLevel = rawLevel in LOG_LEVELS ? rawLevel : "info";
-var logger = new Logger(envLevel);
 var ENTRY_TYPES = [
   "personal_reflection",
   "project_decision",
@@ -412,6 +143,7 @@ var EntryOutputSchema = z.object({
 var EntriesListOutputSchema = z.object({
   entries: z.array(EntryOutputSchema).optional(),
   count: z.number().optional(),
+  searchMode: z.string().optional(),
   success: z.boolean().optional(),
   error: z.string().optional()
 }).extend(ErrorFieldsMixin.shape);
@@ -522,7 +254,7 @@ var TagsListOutputSchema = z.object({
   error: z.string().optional()
 }).extend(ErrorFieldsMixin.shape);
 function getCoreTools(context) {
-  const { db, teamDb, vectorManager, github } = context;
+  const { db, teamDb, vectorManager } = context;
   return [
     {
       name: "create_entry",
@@ -532,11 +264,12 @@ function getCoreTools(context) {
       inputSchema: CreateEntrySchemaMcp,
       outputSchema: CreateEntryOutputSchema,
       annotations: { readOnlyHint: false, idempotentHint: false, openWorldHint: false },
-      handler: (params) => {
+      handler: async (params) => {
         try {
           const input = CreateEntrySchema.parse(params);
-          const resolvedIssueUrl = resolveIssueUrl(
-            github,
+          const resolvedIssueUrl = await resolveIssueUrl(
+            context,
+            input.project_number,
             input.issue_number,
             input.issue_url
           );
@@ -716,26 +449,199 @@ function getCoreTools(context) {
     }
   ];
 }
+
+// src/handlers/tools/search/helpers.ts
 var MAX_QUERY_LIMIT = 500;
+var DEDUP_KEY_LENGTH = 200;
+function calcPerDbLimit(limit, hasTeamDb) {
+  return hasTeamDb ? Math.min(limit * 2, MAX_QUERY_LIMIT) : limit;
+}
+function mergeAndDedup(personal, team, limit) {
+  const seen = /* @__PURE__ */ new Set();
+  const merged = [];
+  const all = [...personal, ...team].sort((a, b) => b.timestamp.localeCompare(a.timestamp));
+  for (const entry of all) {
+    const key = entry.content.slice(0, DEDUP_KEY_LENGTH);
+    if (!seen.has(key)) {
+      seen.add(key);
+      merged.push(entry);
+    }
+  }
+  return limit !== void 0 ? merged.slice(0, limit) : merged;
+}
+
+// src/handlers/tools/search/auto.ts
+var QUESTION_PATTERNS = [
+  /^(how|what|why|when|where|who|which|can|does|is|are|was|were|did|should|could|would)\b/i,
+  /\?$/
+];
+var QUOTED_PHRASE_PATTERN = /"[^"]+"/;
+function classifyQuery(query) {
+  const trimmed = query.trim();
+  if (trimmed.length === 0) {
+    return "fts";
+  }
+  if (QUOTED_PHRASE_PATTERN.test(trimmed)) {
+    return "fts";
+  }
+  const words = trimmed.split(/\s+/);
+  const wordCount = words.length;
+  if (wordCount <= 2) {
+    return "fts";
+  }
+  for (const pattern of QUESTION_PATTERNS) {
+    if (pattern.test(trimmed)) {
+      return "semantic";
+    }
+  }
+  return "hybrid";
+}
+function resolveSearchMode(mode, query) {
+  if (mode === "auto") {
+    return { resolvedMode: classifyQuery(query), isAuto: true };
+  }
+  return { resolvedMode: mode, isAuto: false };
+}
+
+// src/handlers/tools/search/fts.ts
+function ftsSearch(query, db, teamDb, options) {
+  const hasFilters = options.projectNumber !== void 0 || options.issueNumber !== void 0 || options.prNumber !== void 0 || options.prStatus !== void 0 || options.workflowRunId !== void 0 || options.isPersonal !== void 0 || options.tags !== void 0 || options.entryType !== void 0 || options.startDate !== void 0 || options.endDate !== void 0;
+  const perDbLimit = calcPerDbLimit(options.limit, !!teamDb);
+  let personalEntries;
+  if (!query && !hasFilters) {
+    personalEntries = db.getRecentEntries(perDbLimit, options.isPersonal);
+  } else {
+    personalEntries = db.searchEntries(query || "", {
+      limit: perDbLimit,
+      isPersonal: options.isPersonal,
+      projectNumber: options.projectNumber,
+      issueNumber: options.issueNumber,
+      prNumber: options.prNumber,
+      prStatus: options.prStatus,
+      workflowRunId: options.workflowRunId,
+      tags: options.tags,
+      entryType: options.entryType,
+      startDate: options.startDate,
+      endDate: options.endDate
+    });
+  }
+  if (teamDb && options.isPersonal !== true) {
+    let teamEntries;
+    if (!query && !hasFilters) {
+      teamEntries = teamDb.getRecentEntries(perDbLimit);
+    } else {
+      teamEntries = teamDb.searchEntries(query || "", {
+        limit: perDbLimit,
+        projectNumber: options.projectNumber,
+        issueNumber: options.issueNumber,
+        prNumber: options.prNumber,
+        prStatus: options.prStatus,
+        workflowRunId: options.workflowRunId,
+        tags: options.tags,
+        entryType: options.entryType,
+        startDate: options.startDate,
+        endDate: options.endDate
+      });
+    }
+    const merged = mergeAndDedup(
+      personalEntries.map((e) => ({ ...e, source: "personal" })),
+      teamEntries.map((e) => ({ ...e, source: "team" })),
+      options.limit
+    );
+    return { entries: merged, count: merged.length };
+  }
+  return {
+    entries: personalEntries.map((e) => ({ ...e, source: "personal" })),
+    count: personalEntries.length
+  };
+}
+
+// src/handlers/tools/search/hybrid.ts
+var RRF_K = 60;
+var OVERFETCH_MULTIPLIER = 3;
+function computeRRFScores(rankedLists) {
+  const scores = /* @__PURE__ */ new Map();
+  for (const list of rankedLists) {
+    for (let rank = 0; rank < list.length; rank++) {
+      const entryId = list[rank];
+      if (entryId === void 0) continue;
+      const rrfScore = 1 / (RRF_K + rank + 1);
+      scores.set(entryId, (scores.get(entryId) ?? 0) + rrfScore);
+    }
+  }
+  return scores;
+}
+async function hybridSearch(query, db, vectorManager, options) {
+  const overfetchLimit = Math.min(options.limit * OVERFETCH_MULTIPLIER, 500);
+  const [ftsResults, semanticResults] = await Promise.all([
+    // FTS5 search
+    Promise.resolve(
+      db.searchEntries(query, {
+        limit: overfetchLimit,
+        isPersonal: options.isPersonal,
+        projectNumber: options.projectNumber,
+        issueNumber: options.issueNumber,
+        prNumber: options.prNumber,
+        prStatus: options.prStatus,
+        workflowRunId: options.workflowRunId,
+        tags: options.tags,
+        entryType: options.entryType,
+        startDate: options.startDate,
+        endDate: options.endDate
+      })
+    ),
+    // Semantic search (returns [] if vectorManager is unavailable)
+    vectorManager ? vectorManager.search(query, overfetchLimit, 0.15) : Promise.resolve([])
+  ]);
+  const ftsRanked = ftsResults.map((e) => e.id);
+  const semanticRanked = semanticResults.map((r) => r.entryId);
+  const fusionScores = computeRRFScores([ftsRanked, semanticRanked]);
+  const sortedIds = [...fusionScores.entries()].sort((a, b) => b[1] - a[1]).slice(0, options.limit).map(([id]) => id);
+  const entriesMap = db.getEntriesByIds(sortedIds);
+  const entries = [];
+  for (const id of sortedIds) {
+    const entry = entriesMap.get(id);
+    if (!entry) continue;
+    if (options.isPersonal !== void 0 && entry.isPersonal !== options.isPersonal) continue;
+    entries.push({ ...entry, source: "personal" });
+  }
+  return { entries, fusionScores };
+}
+
+// src/handlers/tools/search/index.ts
 var SearchEntriesSchema = z.object({
   query: z.string().optional(),
+  mode: z.enum(["auto", "fts", "semantic", "hybrid"]).optional().default("auto").describe(
+    "Search strategy: auto (default, heuristic-based), fts (FTS5 keyword), semantic (vector), hybrid (RRF fusion of FTS5+vector)"
+  ),
   limit: z.number().max(MAX_QUERY_LIMIT).optional().default(10),
   is_personal: z.boolean().optional(),
   project_number: z.number().optional(),
   issue_number: z.number().optional(),
   pr_number: z.number().optional(),
   pr_status: z.enum(["draft", "open", "merged", "closed"]).optional(),
-  workflow_run_id: z.number().optional()
+  workflow_run_id: z.number().optional(),
+  tags: z.array(z.string()).optional(),
+  entry_type: z.enum(ENTRY_TYPES).optional(),
+  start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional(),
+  end_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional()
 });
 var SearchEntriesSchemaMcp = z.object({
   query: z.string().optional(),
+  mode: z.string().optional().default("auto").describe(
+    "Search strategy: auto (default, heuristic-based), fts (FTS5 keyword), semantic (vector), hybrid (RRF fusion of FTS5+vector)"
+  ),
   limit: relaxedNumber().optional().default(10),
   is_personal: z.boolean().optional(),
   project_number: relaxedNumber().optional(),
   issue_number: relaxedNumber().optional(),
   pr_number: relaxedNumber().optional(),
   pr_status: z.string().optional(),
-  workflow_run_id: relaxedNumber().optional()
+  workflow_run_id: relaxedNumber().optional(),
+  tags: z.array(z.string()).optional(),
+  entry_type: z.string().optional(),
+  start_date: z.string().optional(),
+  end_date: z.string().optional()
 });
 var SearchByDateRangeSchema = z.object({
   start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE),
@@ -762,17 +668,31 @@ var SearchByDateRangeSchemaMcp = z.object({
   limit: relaxedNumber().optional().default(500)
 });
 var SemanticSearchSchema = z.object({
-  query: z.string(),
+  query: z.string().optional(),
+  entry_id: z.number().optional().describe(
+    "Find entries related to this entry ID (uses existing embedding, skips re-embedding)"
+  ),
   limit: z.number().max(MAX_QUERY_LIMIT).optional().default(10),
   similarity_threshold: z.number().optional().default(0.25),
   is_personal: z.boolean().optional(),
+  tags: z.array(z.string()).optional().describe("Filter results by tags"),
+  entry_type: z.enum(ENTRY_TYPES).optional().describe("Filter results by entry type"),
+  start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional().describe("Filter results from this date (YYYY-MM-DD)"),
+  end_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional().describe("Filter results until this date (YYYY-MM-DD)"),
   hint_on_empty: z.boolean().optional().default(true).describe("Include hint when no results found (default: true)")
 });
 var SemanticSearchSchemaMcp = z.object({
-  query: z.string(),
+  query: z.string().optional(),
+  entry_id: relaxedNumber().optional().describe(
+    "Find entries related to this entry ID (uses existing embedding, skips re-embedding)"
+  ),
   limit: relaxedNumber().optional().default(10),
   similarity_threshold: relaxedNumber().optional().default(0.25),
   is_personal: z.boolean().optional(),
+  tags: z.array(z.string()).optional().describe("Filter results by tags"),
+  entry_type: z.string().optional().describe("Filter results by entry type"),
+  start_date: z.string().optional().describe("Filter results from this date (YYYY-MM-DD)"),
+  end_date: z.string().optional().describe("Filter results until this date (YYYY-MM-DD)"),
   hint_on_empty: z.boolean().optional().default(true).describe("Include hint when no results found (default: true)")
 });
 var SemanticEntryOutputSchema = EntryOutputSchema.extend({
@@ -780,6 +700,7 @@ var SemanticEntryOutputSchema = EntryOutputSchema.extend({
 });
 var SemanticSearchOutputSchema = z.object({
   query: z.string().optional(),
+  entryId: z.number().optional(),
   entries: z.array(SemanticEntryOutputSchema).optional(),
   count: z.number().optional(),
   hint: z.string().optional(),
@@ -800,52 +721,84 @@ function getSearchTools(context) {
     {
       name: "search_entries",
       title: "Search Entries",
-      description: 'Full-text search journal entries using FTS5 (supports phrases "exact match", prefix auth*, boolean NOT/OR/AND, ranked by relevance). Optional filters for GitHub Projects, Issues, PRs, and Actions.',
+      description: 'Search journal entries with auto-selecting strategy. Supports modes: auto (default \u2014 heuristic selects best strategy), fts (FTS5 keyword with phrases "exact match", prefix auth*, boolean NOT/OR/AND), semantic (vector similarity), hybrid (RRF fusion of FTS5+vector). Optional filters for GitHub Projects, Issues, PRs, and Actions.',
       group: "search",
       inputSchema: SearchEntriesSchemaMcp,
       outputSchema: EntriesListOutputSchema,
       annotations: { readOnlyHint: true, idempotentHint: true, openWorldHint: false },
-      handler: (params) => {
+      handler: async (params) => {
         try {
           const input = SearchEntriesSchema.parse(params);
-          const hasFilters = input.project_number !== void 0 || input.issue_number !== void 0 || input.pr_number !== void 0 || input.pr_status !== void 0 || input.workflow_run_id !== void 0 || input.is_personal !== void 0;
-          const perDbLimit = calcPerDbLimit(input.limit, !!teamDb);
-          let personalEntries;
-          if (!input.query && !hasFilters) {
-            personalEntries = db.getRecentEntries(perDbLimit, input.is_personal);
-          } else {
-            personalEntries = db.searchEntries(input.query || "", {
-              limit: perDbLimit,
-              isPersonal: input.is_personal,
-              projectNumber: input.project_number,
-              issueNumber: input.issue_number,
-              prNumber: input.pr_number,
-              prStatus: input.pr_status,
-              workflowRunId: input.workflow_run_id
-            });
-          }
-          if (teamDb && input.is_personal !== true) {
-            let teamEntries;
-            if (!input.query && !hasFilters) {
-              teamEntries = teamDb.getRecentEntries(perDbLimit);
-            } else {
-              teamEntries = teamDb.searchEntries(input.query || "", {
-                limit: perDbLimit,
-                projectNumber: input.project_number,
-                issueNumber: input.issue_number,
-                prNumber: input.pr_number,
-                prStatus: input.pr_status,
-                workflowRunId: input.workflow_run_id
-              });
+          const query = input.query || "";
+          const mode = input.mode;
+          const { resolvedMode, isAuto } = resolveSearchMode(mode, query);
+          const hasFilters = input.project_number !== void 0 || input.issue_number !== void 0 || input.pr_number !== void 0 || input.pr_status !== void 0 || input.workflow_run_id !== void 0 || input.is_personal !== void 0 || input.tags !== void 0 || input.entry_type !== void 0 || input.start_date !== void 0 || input.end_date !== void 0;
+          const effectiveMode = !query && !hasFilters ? "fts" : resolvedMode;
+          const searchOptions = {
+            limit: input.limit,
+            isPersonal: input.is_personal,
+            projectNumber: input.project_number,
+            issueNumber: input.issue_number,
+            prNumber: input.pr_number,
+            prStatus: input.pr_status,
+            workflowRunId: input.workflow_run_id,
+            tags: input.tags,
+            entryType: input.entry_type,
+            startDate: input.start_date,
+            endDate: input.end_date
+          };
+          switch (effectiveMode) {
+            case "semantic": {
+              if (!vectorManager) {
+                const result = ftsSearch(input.query, db, teamDb, searchOptions);
+                return { ...result, searchMode: "fts (fallback)" };
+              }
+              const semanticResults = await vectorManager.search(
+                query,
+                input.limit,
+                0.25
+              );
+              const entryIds = semanticResults.map((r) => r.entryId);
+              const entriesMap = db.getEntriesByIds(entryIds);
+              const entries = semanticResults.map((r) => {
+                const entry = entriesMap.get(r.entryId);
+                if (!entry) return null;
+                if (input.is_personal !== void 0 && entry.isPersonal !== input.is_personal)
+                  return null;
+                return { ...entry, source: "personal" };
+              }).filter((e) => e !== null);
+              return {
+                entries,
+                count: entries.length,
+                searchMode: isAuto ? "semantic (auto)" : "semantic"
+              };
+            }
+            case "hybrid": {
+              if (!vectorManager) {
+                const result = ftsSearch(input.query, db, teamDb, searchOptions);
+                return { ...result, searchMode: "fts (fallback)" };
+              }
+              const { entries } = await hybridSearch(
+                query,
+                db,
+                vectorManager,
+                searchOptions
+              );
+              return {
+                entries,
+                count: entries.length,
+                searchMode: isAuto ? "hybrid (auto)" : "hybrid"
+              };
+            }
+            case "fts":
+            default: {
+              const result = ftsSearch(input.query, db, teamDb, searchOptions);
+              return {
+                ...result,
+                searchMode: isAuto ? "fts (auto)" : "fts"
+              };
             }
-            const merged = mergeAndDedup(
-              personalEntries.map((e) => ({ ...e, source: "personal" })),
-              teamEntries.map((e) => ({ ...e, source: "team" })),
-              input.limit
-            );
-            return { entries: merged, count: merged.length };
           }
-          return { entries: personalEntries, count: personalEntries.length };
         } catch (err) {
           return formatHandlerError(err);
         }
@@ -913,7 +866,7 @@ function getSearchTools(context) {
     {
       name: "semantic_search",
       title: "Semantic Search",
-      description: "Perform semantic/vector search on journal entries using AI embeddings",
+      description: "Perform semantic/vector search on journal entries using AI embeddings. Supports find-related-by-ID (entry_id) and metadata filters (tags, entry_type, date range).",
       group: "search",
       inputSchema: SemanticSearchSchemaMcp,
       outputSchema: SemanticSearchOutputSchema,
@@ -921,6 +874,18 @@ function getSearchTools(context) {
       handler: async (params) => {
         try {
           const input = SemanticSearchSchema.parse(params);
+          if (!input.query && input.entry_id === void 0) {
+            return {
+              success: false,
+              error: "Either query or entry_id must be provided",
+              code: "VALIDATION_ERROR",
+              category: "validation",
+              suggestion: "Provide a text query for semantic search, or an entry_id to find related entries",
+              recoverable: true,
+              entries: [],
+              count: 0
+            };
+          }
           if (!vectorManager) {
             return {
               success: false,
@@ -934,11 +899,20 @@ function getSearchTools(context) {
               count: 0
             };
           }
-          const results = await vectorManager.search(
-            input.query,
-            input.limit ?? 10,
-            input.similarity_threshold ?? 0.25
-          );
+          let results;
+          if (input.entry_id !== void 0) {
+            results = await vectorManager.searchByEntryId(
+              input.entry_id,
+              input.limit ?? 10,
+              input.similarity_threshold ?? 0.25
+            );
+          } else {
+            results = await vectorManager.search(
+              input.query ?? "",
+              input.limit ?? 10,
+              input.similarity_threshold ?? 0.25
+            );
+          }
           const entryIds = results.map((r) => r.entryId);
           const entriesMap = db.getEntriesByIds(entryIds);
           const entries = results.map((r) => {
@@ -946,6 +920,22 @@ function getSearchTools(context) {
             if (!entry) return null;
             if (input.is_personal !== void 0 && entry.isPersonal !== input.is_personal)
               return null;
+            if (input.tags && input.tags.length > 0) {
+              const entryTags = db.getTagsForEntry(entry.id);
+              if (!input.tags.some((t) => entryTags.includes(t))) return null;
+            }
+            if (input.entry_type && entry.entryType !== input.entry_type)
+              return null;
+            if (input.start_date) {
+              const entryDate = entry.timestamp.split("T")[0] ?? "";
+              if (entryDate < input.start_date) return null;
+            }
+            if (input.end_date) {
+              const entryDate = entry.timestamp.split("T")[0] ?? "";
+              if (entryDate > input.end_date) return null;
+            }
+            if (input.entry_id !== void 0 && entry.id === input.entry_id)
+              return null;
             return {
               ...entry,
               similarity: Math.round(r.score * 100) / 100
@@ -960,6 +950,7 @@ function getSearchTools(context) {
           const hint = isIndexEmpty && includeHint ? "No entries in vector index. Use rebuild_vector_index to index existing entries." : entries.length === 0 && includeHint ? `No entries matched your query above the similarity threshold (${String(input.similarity_threshold ?? 0.25)}). Try lowering similarity_threshold (e.g., 0.15) for broader matches.` : allNoise ? `Results may be noise \u2014 best similarity (${String(bestSimilarity)}) is below quality floor (${String(QUALITY_FLOOR2)}). Try a more specific query or raise similarity_threshold to filter weak matches.` : void 0;
           return {
             query: input.query,
+            ...input.entry_id !== void 0 ? { entryId: input.entry_id } : {},
             entries,
             count: entries.length,
             ...hint !== void 0 ? { hint } : {}
@@ -999,23 +990,6 @@ function getSearchTools(context) {
     }
   ];
 }
-var DEDUP_KEY_LENGTH = 200;
-function calcPerDbLimit(limit, hasTeamDb) {
-  return hasTeamDb ? Math.min(limit * 2, MAX_QUERY_LIMIT) : limit;
-}
-function mergeAndDedup(personal, team, limit) {
-  const seen = /* @__PURE__ */ new Set();
-  const merged = [];
-  const all = [...personal, ...team].sort((a, b) => b.timestamp.localeCompare(a.timestamp));
-  for (const entry of all) {
-    const key = entry.content.slice(0, DEDUP_KEY_LENGTH);
-    if (!seen.has(key)) {
-      seen.add(key);
-      merged.push(entry);
-    }
-  }
-  return limit !== void 0 ? merged.slice(0, limit) : merged;
-}
 var INACTIVE_THRESHOLD_DAYS = 7;
 var MS_PER_DAY = 864e5;
 var MAX_TAGS_PER_PROJECT = 5;
@@ -1806,8 +1780,8 @@ function getAdminTools(context) {
       description: 'Merge one tag into another to consolidate similar tags (e.g., merge "phase-2" into "phase2"). The source tag is deleted after merge.',
       group: "admin",
       inputSchema: z.object({
-        source_tag: z.string().optional().describe("Tag to merge from (will be deleted)"),
-        target_tag: z.string().optional().describe("Tag to merge into (will be created if not exists)")
+        source_tag: z.union([z.string(), z.number()]).optional().describe("Tag to merge from (will be deleted)"),
+        target_tag: z.union([z.string(), z.number()]).optional().describe("Tag to merge into (will be created if not exists)")
       }),
       outputSchema: MergeTagsOutputSchema,
       annotations: { readOnlyHint: false, idempotentHint: false, openWorldHint: false },
@@ -2261,8 +2235,15 @@ var CopilotReviewsOutputSchema = z.object({
 }).extend(ErrorFieldsMixin.shape);
 
 // src/handlers/tools/github/helpers.ts
+function resolveProjectNumber(context, repo, explicitProjectNumber) {
+  if (explicitProjectNumber != null) return explicitProjectNumber;
+  if (repo && context.config?.projectRegistry?.[repo]?.project_number != null) {
+    return context.config.projectRegistry[repo].project_number;
+  }
+  return context.config?.defaultProjectNumber ?? void 0;
+}
 async function resolveOwner(context, inputOwner, entityLabel) {
-  if (!context.github) {
+  if (!context.github?.isApiAvailable()) {
     return {
       error: true,
       response: {
@@ -2270,8 +2251,9 @@ async function resolveOwner(context, inputOwner, entityLabel) {
         error: "GitHub integration not available",
         code: "CONFIGURATION_ERROR",
         category: "configuration",
-        suggestion: "Set GITHUB_TOKEN and GITHUB_REPO_PATH environment variables to enable GitHub integration.",
-        recoverable: true
+        suggestion: "Set GITHUB_TOKEN environment variable to enable GitHub integration.",
+        recoverable: true,
+        requiresUserInput: true
       }
     };
   }
@@ -2297,7 +2279,14 @@ async function resolveOwner(context, inputOwner, entityLabel) {
   return { owner, detectedOwner, repo, github: context.github };
 }
 async function resolveOwnerRepo(context, input, entityLabel) {
-  if (!context.github) {
+  let toolGithub;
+  const registryEntry = input.repo && context.config?.projectRegistry ? context.config.projectRegistry[input.repo] : void 0;
+  if (registryEntry) {
+    toolGithub = new GitHubIntegration(registryEntry.path);
+  } else if (context.github) {
+    toolGithub = context.github;
+  }
+  if (!toolGithub?.isApiAvailable()) {
     return {
       error: true,
       response: {
@@ -2305,12 +2294,16 @@ async function resolveOwnerRepo(context, input, entityLabel) {
         error: "GitHub integration not available",
         code: "CONFIGURATION_ERROR",
         category: "configuration",
-        suggestion: "Set GITHUB_TOKEN and GITHUB_REPO_PATH environment variables to enable GitHub integration.",
-        recoverable: true
+        suggestion: "Set GITHUB_TOKEN environment variable to enable GitHub integration.",
+        recoverable: true,
+        requiresUserInput: true
       }
     };
   }
-  const repoInfo = await context.github.getRepoInfo();
+  const repoInfo = await toolGithub.getRepoInfo();
+  if (context.github && toolGithub !== context.github) {
+    context.github.setCachedRepoInfo(repoInfo);
+  }
   const detectedOwner = repoInfo.owner;
   const detectedRepo = repoInfo.repo;
   const owner = input.owner ?? detectedOwner ?? void 0;
@@ -2333,7 +2326,7 @@ async function resolveOwnerRepo(context, input, entityLabel) {
       }
     };
   }
-  return { owner, repo, detectedOwner, detectedRepo, github: context.github };
+  return { owner, repo, detectedOwner, detectedRepo, github: toolGithub };
 }
 
 // src/handlers/tools/github/read-tools.ts
@@ -2546,24 +2539,33 @@ function getGitHubReadTools(context) {
     {
       name: "get_github_context",
       title: "Get GitHub Repository Context",
-      description: "Get current repository context including branch, open issues, and open PRs. Only counts OPEN items (closed items excluded).",
+      description: "Get current repository context including branch, open issues, and open PRs. IMPORTANT: Leave owner/repo empty to auto-detect from git, OR specify the repository name if working in a multi-project registry.",
       group: "github",
-      inputSchema: z.object({}).strict(),
+      inputSchema: z.object({
+        owner: z.string().optional().describe("Repository owner"),
+        repo: z.string().optional().describe("Repository name (use this to switch projects dynamically)")
+      }),
       outputSchema: GitHubContextOutputSchema,
       annotations: { readOnlyHint: true, idempotentHint: true, openWorldHint: true },
-      handler: async (_params) => {
+      handler: async (params) => {
         try {
-          if (!context.github) {
-            return {
-              success: false,
-              error: "GitHub integration not available",
-              code: "CONFIGURATION_ERROR",
-              category: "configuration",
-              suggestion: "Set GITHUB_TOKEN and GITHUB_REPO_PATH environment variables to enable GitHub integration.",
-              recoverable: true
-            };
+          const input = z.object({
+            owner: z.string().optional(),
+            repo: z.string().optional()
+          }).parse(params);
+          const resolved = await resolveOwnerRepo(
+            context,
+            input,
+            "would you like the context for"
+          );
+          let targetGithub;
+          if ("error" in resolved) {
+            if (!context.github) return resolved.response;
+            targetGithub = context.github;
+          } else {
+            targetGithub = resolved.github;
           }
-          const ctx = await context.github.getRepoContext();
+          const ctx = await targetGithub.getRepoContext();
           return {
             repoName: ctx.repoName,
             branch: ctx.branch,
@@ -2589,29 +2591,48 @@ function getKanbanTools(context) {
       description: "View a GitHub Project v2 as a Kanban board with items grouped by Status column. Returns all columns with their items.",
       group: "github",
       inputSchema: z.object({
-        project_number: z.number().describe("GitHub Project number"),
-        owner: z.string().optional().describe("Project owner - LEAVE EMPTY to auto-detect")
+        project_number: z.number().optional().describe("GitHub Project number (optional if repo is registered)"),
+        owner: z.string().optional().describe("Project owner - LEAVE EMPTY to auto-detect"),
+        repo: z.string().optional().describe("Repository name - LEAVE EMPTY to auto-detect")
       }),
       outputSchema: KanbanBoardOutputSchema,
       annotations: { readOnlyHint: true, idempotentHint: true, openWorldHint: true },
       handler: async (params) => {
         try {
           const input = z.object({
-            project_number: z.number(),
-            owner: z.string().optional()
+            project_number: z.number().optional(),
+            owner: z.string().optional(),
+            repo: z.string().optional()
           }).parse(params);
           const resolved = await resolveOwner(context, input.owner);
           if ("error" in resolved) return resolved.response;
-          const board = await resolved.github.getProjectKanban(
+          const effectiveRepo = input.repo ?? resolved.repo;
+          const projectNum = resolveProjectNumber(
+            context,
+            effectiveRepo,
+            input.project_number
+          );
+          if (projectNum === void 0) {
+            return {
+              success: false,
+              error: "project_number is required and could not be resolved from registry. Please supply it explicitly.",
+              code: "VALIDATION_ERROR",
+              category: "validation",
+              recoverable: true,
+              requiresUserInput: true,
+              instruction: 'Ask the user: "What is the GitHub Project number for this repository? (Usually found in the URL: projects/<number>)"'
+            };
+          }
+          const board = await resolved.github.getProjectKanban(
             resolved.owner,
-            input.project_number,
-            resolved.repo
+            projectNum,
+            effectiveRepo
           );
           if (!board) {
             return {
               success: false,
-              error: `Project #${String(input.project_number)} not found or Status field not configured`,
-              projectNumber: input.project_number,
+              error: `Project #${String(projectNum)} not found or Status field not configured`,
+              projectNumber: projectNum,
               owner: resolved.owner,
               hint: "Projects can be at user, repository, or organization level.",
               code: "RESOURCE_NOT_FOUND",
@@ -2632,32 +2653,49 @@ function getKanbanTools(context) {
       description: "Move a Kanban item to a different status column. Requires the project board to have a Status field.",
       group: "github",
       inputSchema: z.object({
-        project_number: z.number().describe("GitHub Project number"),
+        project_number: z.number().optional().describe("GitHub Project number (optional if repo is registered)"),
         item_id: z.string().describe("Project item ID (from get_kanban_board)"),
         target_status: z.string().describe('Target status column name (e.g., "In Progress", "Done")'),
-        owner: z.string().optional().describe("Project owner - LEAVE EMPTY to auto-detect")
+        owner: z.string().optional().describe("Project owner - LEAVE EMPTY to auto-detect"),
+        repo: z.string().optional().describe("Repository name - LEAVE EMPTY to auto-detect")
       }),
       outputSchema: MoveKanbanItemOutputSchema,
       annotations: { readOnlyHint: false, idempotentHint: true, openWorldHint: true },
       handler: async (params) => {
         try {
           const input = z.object({
-            project_number: z.number(),
+            project_number: z.number().optional(),
             item_id: z.string(),
             target_status: z.string(),
-            owner: z.string().optional()
+            owner: z.string().optional(),
+            repo: z.string().optional()
           }).parse(params);
           const resolved = await resolveOwner(context, input.owner);
           if ("error" in resolved) return resolved.response;
+          const effectiveRepo = input.repo ?? resolved.repo;
+          const projectNum = resolveProjectNumber(
+            context,
+            effectiveRepo,
+            input.project_number
+          );
+          if (projectNum === void 0) {
+            return {
+              success: false,
+              error: "project_number is required and could not be resolved from registry. Please supply it explicitly.",
+              code: "VALIDATION_ERROR",
+              category: "validation",
+              recoverable: true
+            };
+          }
           const board = await resolved.github.getProjectKanban(
             resolved.owner,
-            input.project_number,
-            resolved.repo
+            projectNum,
+            effectiveRepo
           );
           if (!board) {
             return {
               success: false,
-              error: `Project #${String(input.project_number)} not found`,
+              error: `Project #${String(projectNum)} not found`,
               code: "RESOURCE_NOT_FOUND",
               category: "resource",
               suggestion: "Verify the project number and owner.",
@@ -2688,7 +2726,7 @@ function getKanbanTools(context) {
             success: result.success,
             itemId: input.item_id,
             newStatus: statusOption.name,
-            projectNumber: input.project_number,
+            projectNumber: projectNum,
             message: result.success ? `Moved item to "${statusOption.name}"` : void 0,
             error: result.error
           };
@@ -2756,7 +2794,11 @@ function getGitHubIssueTools(context) {
               error: "Failed to create GitHub issue. Check GITHUB_TOKEN permissions."
             };
           }
-          const projectNumber = input.project_number ?? context.config?.defaultProjectNumber;
+          const projectNumber = resolveProjectNumber(
+            context,
+            resolved.repo,
+            input.project_number
+          );
           let projectResult = void 0;
           if (projectNumber !== void 0 && issue.nodeId) {
             try {
@@ -2931,7 +2973,11 @@ Description: ${input.body.slice(0, 200)}${input.body.length > 200 ? "..." : ""}`
           }
           let kanbanResult;
           if (input.move_to_done) {
-            const projectNum = input.project_number ?? context.config?.defaultProjectNumber;
+            const projectNum = resolveProjectNumber(
+              context,
+              resolved.repo,
+              input.project_number
+            );
             if (projectNum === void 0) {
               kanbanResult = {
                 moved: false,
@@ -2990,7 +3036,11 @@ Description: ${input.body.slice(0, 200)}${input.body.length > 200 ? "..." : ""}`
                 kanbanResult = {
                   moved: false,
                   error: err instanceof Error ? err.message : String(err),
-                  projectNumber: input.project_number ?? context.config?.defaultProjectNumber
+                  projectNumber: resolveProjectNumber(
+                    context,
+                    resolved.repo,
+                    input.project_number
+                  )
                 };
               }
             }
@@ -3040,31 +3090,37 @@ function getGitHubMutationTools(context) {
 }
 
 // src/handlers/resources/shared.ts
-async function resolveGitHubRepo(github) {
+async function resolveGitHubRepo(github, config, targetRepo) {
   const lastModified = (/* @__PURE__ */ new Date()).toISOString();
-  if (!github) {
+  let activeGithub = github;
+  if (targetRepo && config?.projectRegistry?.[targetRepo]) {
+    activeGithub = new GitHubIntegration(config.projectRegistry[targetRepo].path);
+  }
+  if (!activeGithub) {
+    const hasRegistry = config?.projectRegistry && Object.keys(config.projectRegistry).length > 0;
     return {
       data: {
         error: "GitHub integration not available",
-        hint: "Set GITHUB_TOKEN and GITHUB_REPO_PATH environment variables."
+        hint: hasRegistry ? "Set GITHUB_TOKEN, or assure the dynamic repo URI correctly matches a registered project." : "Set GITHUB_TOKEN securely."
       },
       annotations: { lastModified }
     };
   }
-  const repoInfo = await github.getRepoInfo();
+  const repoInfo = await activeGithub.getRepoInfo();
   const owner = repoInfo.owner;
   const repo = repoInfo.repo;
   if (!owner || !repo) {
+    const hasRegistry = config?.projectRegistry && Object.keys(config.projectRegistry).length > 0;
     return {
       data: {
         error: "Could not detect repository",
-        hint: "Set GITHUB_REPO_PATH to your git repository.",
+        hint: hasRegistry ? "Use a repository-specific URI suffix (e.g., memory://github/status/{repo}) for multi-project setups, or ensure the fallback project is a valid git repository." : "Run the MCP server from a valid git repository or configure PROJECT_REGISTRY.",
         ...repoInfo.branch ? { branch: repoInfo.branch } : {}
       },
       annotations: { lastModified }
     };
   }
-  return { owner, repo, branch: repoInfo.branch ?? null, lastModified, github };
+  return { owner, repo, branch: repoInfo.branch ?? null, lastModified, github: activeGithub };
 }
 function isResourceError(result) {
   return "data" in result;
@@ -3263,7 +3319,7 @@ function getGitHubMilestoneTools(context) {
             "What GitHub repository should I create the milestone in?"
           );
           if ("error" in resolved) return resolved.response;
-          const dueOn = input.due_on ? `${input.due_on}T08:00:00Z` : void 0;
+          const dueOn = input.due_on ? input.due_on.includes("T") ? input.due_on : `${input.due_on}T08:00:00Z` : void 0;
           const milestone = await resolved.github.createMilestone(
             resolved.owner,
             resolved.repo,
@@ -3324,7 +3380,7 @@ function getGitHubMilestoneTools(context) {
             "What GitHub repository is this milestone in?"
           );
           if ("error" in resolved) return resolved.response;
-          const dueOn = input.due_on ? `${input.due_on}T08:00:00Z` : void 0;
+          const dueOn = input.due_on ? input.due_on.includes("T") ? input.due_on : `${input.due_on}T08:00:00Z` : void 0;
           const milestone = await resolved.github.updateMilestone(
             resolved.owner,
             resolved.repo,
@@ -4037,13 +4093,15 @@ var TeamBackupsListOutputSchema = z.object({
   error: z.string().optional()
 }).extend(ErrorFieldsMixin.shape);
 var TeamSemanticSearchSchema = z.object({
-  query: z.string(),
+  query: z.string().optional(),
+  entry_id: z.number().optional().describe("Find entries related to this entry ID"),
   limit: z.number().max(500).optional().default(10),
   similarity_threshold: z.number().optional().default(0.25),
   hint_on_empty: z.boolean().optional().default(true).describe("Include hint when no results found (default: true)")
 });
 var TeamSemanticSearchSchemaMcp = z.object({
   query: z.string().optional(),
+  entry_id: relaxedNumber().optional().describe("Find entries related to this entry ID"),
   limit: relaxedNumber().optional().default(10),
   similarity_threshold: relaxedNumber().optional().default(0.25),
   hint_on_empty: z.boolean().optional().default(true).describe("Include hint when no results found (default: true)")
@@ -4059,6 +4117,7 @@ var TeamSemanticEntryOutputSchema = TeamEntryOutputSchema.extend({
 });
 var TeamSemanticSearchOutputSchema = z.object({
   query: z.string().optional(),
+  entryId: z.number().optional(),
   entries: z.array(TeamSemanticEntryOutputSchema).optional(),
   count: z.number().optional(),
   hint: z.string().optional(),
@@ -4128,7 +4187,7 @@ var TeamCrossProjectInsightsOutputSchema = z.object({
 
 // src/handlers/tools/team/core-tools.ts
 function getTeamCoreTools(context) {
-  const { teamDb, github } = context;
+  const { teamDb } = context;
   return [
     {
       name: "team_create_entry",
@@ -4138,15 +4197,16 @@ function getTeamCoreTools(context) {
       inputSchema: TeamCreateEntrySchemaMcp,
       outputSchema: TeamCreateOutputSchema,
       annotations: { readOnlyHint: false, idempotentHint: false, openWorldHint: false },
-      handler: (params) => {
+      handler: async (params) => {
         try {
           if (!teamDb) {
             return { ...TEAM_DB_ERROR_RESPONSE };
           }
           const input = TeamCreateEntrySchema.parse(params);
           const author = input.author ?? resolveAuthor();
-          const resolvedIssueUrl = resolveIssueUrl(
-            github,
+          const resolvedIssueUrl = await resolveIssueUrl(
+            context,
+            input.project_number,
             input.issue_number,
             input.issue_url
           );
@@ -5031,6 +5091,18 @@ function getTeamVectorTools(context) {
             return { ...TEAM_DB_ERROR_RESPONSE };
           }
           const input = TeamSemanticSearchSchema.parse(params);
+          if (!input.query && input.entry_id === void 0) {
+            return {
+              success: false,
+              error: "Either query or entry_id must be provided",
+              code: "VALIDATION_ERROR",
+              category: "validation",
+              suggestion: "Provide a text query for semantic search, or an entry_id to find related entries",
+              recoverable: true,
+              entries: [],
+              count: 0
+            };
+          }
           if (!teamVectorManager) {
             return {
               success: false,
@@ -5044,17 +5116,28 @@ function getTeamVectorTools(context) {
               count: 0
             };
           }
-          const results = await teamVectorManager.search(
-            input.query,
-            input.limit ?? 10,
-            input.similarity_threshold ?? 0.25
-          );
+          let results;
+          if (input.entry_id !== void 0) {
+            results = await teamVectorManager.searchByEntryId(
+              input.entry_id,
+              input.limit ?? 10,
+              input.similarity_threshold ?? 0.25
+            );
+          } else {
+            results = await teamVectorManager.search(
+              input.query ?? "",
+              input.limit ?? 10,
+              input.similarity_threshold ?? 0.25
+            );
+          }
           const entryIds = results.map((r) => r.entryId);
           const entriesMap = teamDb.getEntriesByIds(entryIds);
           const authorMap = batchFetchAuthors(teamDb, entryIds);
           const entries = results.map((r) => {
             const entry = entriesMap.get(r.entryId);
             if (!entry) return null;
+            if (input.entry_id !== void 0 && entry.id === input.entry_id)
+              return null;
             return {
               ...entry,
               author: authorMap.get(r.entryId) ?? null,
@@ -5069,6 +5152,7 @@ function getTeamVectorTools(context) {
           const hint = isIndexEmpty && includeHint ? "No entries in team vector index. Use team_rebuild_vector_index to index existing entries." : entries.length === 0 && includeHint ? `No entries matched your query above the similarity threshold (${String(input.similarity_threshold ?? 0.25)}). Try lowering similarity_threshold (e.g., 0.15) for broader matches.` : allNoise ? `Results may be noise \u2014 best similarity (${String(bestSimilarity)}) is below quality floor (${String(QUALITY_FLOOR)}). Try a more specific query or raise similarity_threshold to filter weak matches.` : void 0;
           return {
             query: input.query,
+            ...input.entry_id !== void 0 ? { entryId: input.entry_id } : {},
             entries,
             count: entries.length,
             ...hint !== void 0 ? { hint } : {}
@@ -5306,8 +5390,10 @@ var GROUP_EXAMPLES = {
   ],
   search: [
     'mj.search.searchEntries({ query: "performance" })',
+    'mj.search.searchEntries({ query: "performance", mode: "hybrid" })',
     'mj.search.searchByDateRange({ start_date: "2026-03-01", end_date: "2026-03-11" })',
-    'mj.search.semanticSearch({ query: "authentication patterns" })'
+    'mj.search.semanticSearch({ query: "authentication patterns" })',
+    "mj.search.semanticSearch({ entry_id: 42 })"
   ],
   analytics: ["mj.analytics.getStatistics()", "mj.analytics.getCrossProjectInsights()"],
   relationships: [
@@ -6089,12 +6175,16 @@ function createSandboxPool(mode, sandboxOptions, poolOptions) {
 var ExecuteCodeSchema = z.object({
   code: z.string().min(1),
   timeout: z.number().max(3e4).optional().default(3e4),
-  readonly: z.boolean().optional().default(false)
+  readonly: z.boolean().optional().default(false),
+  repo: z.string().optional()
 });
 var ExecuteCodeSchemaMcp = z.object({
   code: z.string().describe("JavaScript code to execute in the sandbox"),
   timeout: relaxedNumber().optional().default(3e4).describe("Execution timeout in ms (max 30000)"),
-  readonly: z.boolean().optional().default(false).describe("Restrict to read-only operations")
+  readonly: z.boolean().optional().default(false).describe("Restrict to read-only operations"),
+  repo: z.string().optional().describe(
+    'Target repository name to set as default context for all github/kanban tools executed in this sandbox (e.g., "memory-journal-mcp").'
+  )
 });
 var securityManager = null;
 var sandboxPool = null;
@@ -6139,12 +6229,13 @@ function getCodeModeTools(context) {
         idempotentHint: false,
         openWorldHint: false
       },
-      handler: (params) => {
+      handler: async (params) => {
         try {
           const {
             code,
             timeout,
-            readonly: readonlyMode
+            readonly: readonlyMode,
+            repo
           } = ExecuteCodeSchema.parse(params);
           const security = getSecurityManager();
           const validation = security.validateCode(code);
@@ -6160,24 +6251,42 @@ function getCodeModeTools(context) {
               error: "Rate limit exceeded (60 executions per minute)"
             };
           }
-          const allTools = collectNonCodeModeTools(context);
+          let sessionContext = context;
+          if (repo && context.config?.projectRegistry) {
+            const registryEntry = context.config.projectRegistry[repo];
+            if (registryEntry) {
+              const injectedGithub = new GitHubIntegration(registryEntry.path);
+              try {
+                await injectedGithub.getRepoInfo();
+              } catch {
+              }
+              sessionContext = {
+                ...context,
+                github: injectedGithub,
+                config: {
+                  ...context.config,
+                  defaultProjectNumber: registryEntry.project_number ?? context.config.defaultProjectNumber
+                }
+              };
+            }
+          }
+          const allTools = collectNonCodeModeTools(sessionContext);
           const tools = readonlyMode ? allTools.filter((t) => t.annotations.readOnlyHint === true) : allTools;
           const api = createJournalApi(tools);
           const bindings = api.createSandboxBindings();
           const pool = getSandboxPool();
-          return pool.execute(code, bindings, timeout).then((result) => {
-            if (result.success && result.result !== void 0) {
-              const sizeCheck = security.validateResultSize(result.result);
-              if (!sizeCheck.valid) {
-                return {
-                  success: false,
-                  error: sizeCheck.errors.join("; "),
-                  metrics: result.metrics
-                };
-              }
+          const result = await pool.execute(code, bindings, timeout);
+          if (result.success && result.result !== void 0) {
+            const sizeCheck = security.validateResultSize(result.result);
+            if (!sizeCheck.valid) {
+              return {
+                success: false,
+                error: sizeCheck.errors.join("; "),
+                metrics: result.metrics
+              };
             }
-            return result;
-          });
+          }
+          return result;
         } catch (err) {
           return formatHandlerError(err);
         }
@@ -6186,7 +6295,836 @@ function getCodeModeTools(context) {
   ];
 }
 
+// src/observability/token-estimator.ts
+function estimateTokens(text) {
+  if (!text) return 0;
+  return Math.ceil(Buffer.byteLength(text, "utf8") / 4);
+}
+function estimatePayloadTokens(payload) {
+  if (payload === null || payload === void 0) return 0;
+  try {
+    return estimateTokens(JSON.stringify(payload));
+  } catch {
+    return 0;
+  }
+}
+function injectTokenEstimate(payload) {
+  if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
+    return payload;
+  }
+  const obj = payload;
+  const serialized = (() => {
+    try {
+      return JSON.stringify(payload);
+    } catch {
+      return "";
+    }
+  })();
+  const tokenEstimate = estimateTokens(serialized);
+  const existingMeta = typeof obj["_meta"] === "object" && obj["_meta"] !== null ? obj["_meta"] : {};
+  return {
+    ...obj,
+    _meta: {
+      ...existingMeta,
+      tokenEstimate
+    }
+  };
+}
+
+// src/observability/metrics.ts
+var MetricsAccumulator = class {
+  toolData = /* @__PURE__ */ new Map();
+  upSince = (/* @__PURE__ */ new Date()).toISOString();
+  startTime = Date.now();
+  /**
+   * Record a single tool invocation result.
+   */
+  record(opts) {
+    const existing = this.toolData.get(opts.toolName);
+    const m = existing ?? {
+      callCount: 0,
+      errorCount: 0,
+      totalDurationMs: 0,
+      totalInputTokens: 0,
+      totalOutputTokens: 0,
+      lastCalledAt: null
+    };
+    m.callCount++;
+    m.totalDurationMs += opts.durationMs;
+    m.totalInputTokens += opts.inputTokens;
+    m.totalOutputTokens += opts.outputTokens;
+    if (opts.isError) m.errorCount++;
+    m.lastCalledAt = (/* @__PURE__ */ new Date()).toISOString();
+    this.toolData.set(opts.toolName, m);
+  }
+  /**
+   * Aggregate summary across all recorded tools.
+   */
+  getSummary() {
+    let totalCalls = 0;
+    let totalErrors = 0;
+    let totalDurationMs = 0;
+    let totalInputTokens = 0;
+    let totalOutputTokens = 0;
+    for (const m of this.toolData.values()) {
+      totalCalls += m.callCount;
+      totalErrors += m.errorCount;
+      totalDurationMs += m.totalDurationMs;
+      totalInputTokens += m.totalInputTokens;
+      totalOutputTokens += m.totalOutputTokens;
+    }
+    return {
+      totalCalls,
+      totalErrors,
+      totalDurationMs,
+      totalInputTokens,
+      totalOutputTokens,
+      upSince: this.upSince,
+      toolBreakdown: Object.fromEntries(this.toolData)
+    };
+  }
+  /**
+   * Per-tool token usage breakdown, sorted by total output tokens desc.
+   */
+  getTokenBreakdown() {
+    return Array.from(this.toolData.entries()).map(([toolName, m]) => ({
+      toolName,
+      inputTokens: m.totalInputTokens,
+      outputTokens: m.totalOutputTokens,
+      callCount: m.callCount,
+      avgOutputTokens: m.callCount > 0 ? Math.round(m.totalOutputTokens / m.callCount) : 0
+    })).sort((a, b) => b.outputTokens - a.outputTokens);
+  }
+  /**
+   * Per-user call counts, sourced from a user tag injected by the interceptor.
+   * When no user tracking is configured this returns an empty breakdown.
+   */
+  getUserBreakdown() {
+    return Object.fromEntries(this.userCounts);
+  }
+  userCounts = /* @__PURE__ */ new Map();
+  recordUser(user) {
+    this.userCounts.set(user, (this.userCounts.get(user) ?? 0) + 1);
+  }
+  /**
+   * System-level metrics snapshot.
+   */
+  getSystemMetrics() {
+    const mem = process.memoryUsage();
+    return {
+      upSince: this.upSince,
+      uptimeSeconds: Math.round((Date.now() - this.startTime) / 1e3),
+      processMemoryMb: Math.round(mem.rss / (1024 * 1024)),
+      nodeVersion: process.version,
+      platform: process.platform
+    };
+  }
+  /**
+   * Reset all accumulated data (primarily useful in tests).
+   */
+  reset() {
+    this.toolData.clear();
+    this.userCounts.clear();
+  }
+};
+var globalMetrics = new MetricsAccumulator();
+function isErrorResult(result) {
+  if (typeof result !== "object" || result === null) return false;
+  const obj = result;
+  return obj["success"] === false && typeof obj["error"] === "string";
+}
+function wrapWithMetrics(toolName, handler, accumulator) {
+  return async (args) => {
+    const start = performance$1.now();
+    let result;
+    let isError;
+    try {
+      result = await handler(args);
+      isError = isErrorResult(result);
+    } catch (err) {
+      const durationMs2 = Math.round(performance$1.now() - start);
+      try {
+        accumulator.record({
+          toolName,
+          durationMs: durationMs2,
+          inputTokens: estimatePayloadTokens(args),
+          outputTokens: 0,
+          isError: true
+        });
+      } catch {
+      }
+      throw err;
+    }
+    const durationMs = Math.round(performance$1.now() - start);
+    try {
+      accumulator.record({
+        toolName,
+        durationMs,
+        inputTokens: estimatePayloadTokens(args),
+        outputTokens: estimatePayloadTokens(result),
+        isError
+      });
+    } catch {
+    }
+    return result;
+  };
+}
+var BUFFER_HIGH_WATER = 50;
+var FLUSH_INTERVAL_MS = 100;
+var DEFAULT_RECENT_COUNT = 50;
+var STDERR_SENTINEL = "stderr";
+var TAIL_READ_BYTES = 65536;
+var MAX_ARCHIVES = 5;
+var AuditLogger = class {
+  config;
+  buffer = [];
+  flushTimer = null;
+  activeFlush = null;
+  closed = false;
+  dirEnsured = false;
+  stderrMode;
+  constructor(config) {
+    this.config = config;
+    this.stderrMode = config.logPath.toLowerCase() === STDERR_SENTINEL;
+    if (config.enabled) {
+      this.flushTimer = setInterval(() => {
+        void this.flush();
+      }, FLUSH_INTERVAL_MS);
+      this.flushTimer.unref();
+    }
+  }
+  /**
+   * Append an audit entry to the buffer.
+   * Non-blocking — the entry is serialised and queued; the
+   * actual file write happens on the next flush cycle.
+   */
+  log(entry) {
+    if (this.closed || !this.config.enabled) return;
+    this.buffer.push(JSON.stringify(entry));
+    if (this.buffer.length >= BUFFER_HIGH_WATER) {
+      void this.flush();
+    }
+  }
+  /**
+   * Flush the buffer to disk.
+   * Safe to call concurrently — serialises via `this.activeFlush` Promise.
+   */
+  async flush() {
+    if (this.activeFlush) {
+      await this.activeFlush;
+      if (this.buffer.length === 0) return;
+    }
+    if (this.buffer.length === 0) return;
+    const doFlush = async () => {
+      await this.rotateIfNeeded();
+      const lines = this.buffer;
+      this.buffer = [];
+      try {
+        if (this.stderrMode) {
+          process.stderr.write(lines.join("\n") + "\n");
+        } else {
+          await this.ensureDirectory();
+          await appendFile(this.config.logPath, lines.join("\n") + "\n", "utf-8");
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        process.stderr.write(`[AUDIT] Write failed: ${message}
+`);
+        this.buffer.unshift(...lines);
+      }
+    };
+    this.activeFlush = doFlush();
+    try {
+      await this.activeFlush;
+    } finally {
+      this.activeFlush = null;
+    }
+  }
+  /**
+   * Gracefully close the logger — flush remaining entries and stop the timer.
+   */
+  async close() {
+    this.closed = true;
+    if (this.flushTimer) {
+      clearInterval(this.flushTimer);
+      this.flushTimer = null;
+    }
+    await this.flush();
+  }
+  /**
+   * Read the most recent audit entries from the log file.
+   * Uses a streaming tail-read: only the last TAIL_READ_BYTES (64 KB) are
+   * read from disk, preventing O(n) memory spikes for large audit logs.
+   * Used by the `memory://audit` resource.
+   *
+   * @param count Maximum number of entries to return (default 50)
+   */
+  async recent(count = DEFAULT_RECENT_COUNT) {
+    if (this.stderrMode) return [];
+    await this.flush();
+    try {
+      let fh;
+      try {
+        fh = await open(this.config.logPath, "r");
+      } catch {
+        return [];
+      }
+      try {
+        const info = await stat(this.config.logPath);
+        const fileSize = info.size;
+        if (fileSize === 0) return [];
+        const readSize = Math.min(fileSize, TAIL_READ_BYTES);
+        const startOffset = fileSize - readSize;
+        const buf = Buffer.alloc(readSize);
+        await fh.read(buf, 0, readSize, startOffset);
+        const chunk = buf.toString("utf-8");
+        const rawLines = chunk.split("\n").filter(Boolean);
+        const lines = startOffset > 0 ? rawLines.slice(1) : rawLines;
+        const tail = lines.slice(-count);
+        return tail.reduce((acc, line) => {
+          try {
+            acc.push(JSON.parse(line));
+          } catch {
+          }
+          return acc;
+        }, []);
+      } finally {
+        await fh.close();
+      }
+    } catch {
+      return [];
+    }
+  }
+  // =========================================================================
+  // Private helpers
+  // =========================================================================
+  /**
+   * Ensure the parent directory of the log file exists.
+   */
+  async ensureDirectory() {
+    if (this.dirEnsured) return;
+    try {
+      await mkdir(dirname(this.config.logPath), { recursive: true });
+      this.dirEnsured = true;
+    } catch {
+      this.dirEnsured = true;
+    }
+  }
+  /**
+   * Rotate the log file if it exceeds the configured size limit.
+   * Keeps up to 5 rotated files (`.1` through `.5`); older data is discarded.
+   * Rotation failure is non-fatal — audit must not block tool execution.
+   */
+  async rotateIfNeeded() {
+    if (this.stderrMode || !this.config.maxSizeBytes) return;
+    try {
+      const info = await stat(this.config.logPath).catch(() => null);
+      if (!info || info.size < this.config.maxSizeBytes) return;
+      for (let i = MAX_ARCHIVES - 1; i >= 1; i--) {
+        const oldFile = `${this.config.logPath}.${String(i)}`;
+        const newFile = `${this.config.logPath}.${String(i + 1)}`;
+        await rename(oldFile, newFile).catch(() => null);
+      }
+      const rotatedPath = `${this.config.logPath}.1`;
+      await rename(this.config.logPath, rotatedPath);
+    } catch {
+    }
+  }
+};
+
+// src/filtering/tool-filter.ts
+var TOOL_GROUPS = {
+  core: [
+    "create_entry",
+    "get_entry_by_id",
+    "get_recent_entries",
+    "create_entry_minimal",
+    "test_simple",
+    "list_tags"
+  ],
+  search: ["search_entries", "search_by_date_range", "semantic_search", "get_vector_index_stats"],
+  analytics: ["get_statistics", "get_cross_project_insights"],
+  relationships: ["link_entries", "visualize_relationships"],
+  export: ["export_entries"],
+  admin: [
+    "update_entry",
+    "delete_entry",
+    "rebuild_vector_index",
+    "add_to_vector_index",
+    "merge_tags"
+  ],
+  github: [
+    "get_github_issues",
+    "get_github_prs",
+    "get_github_issue",
+    "get_github_pr",
+    "get_github_context",
+    "get_kanban_board",
+    "move_kanban_item",
+    "create_github_issue_with_entry",
+    "close_github_issue_with_entry",
+    "get_github_milestones",
+    "get_github_milestone",
+    "create_github_milestone",
+    "update_github_milestone",
+    "delete_github_milestone",
+    "get_repo_insights",
+    "get_copilot_reviews"
+  ],
+  backup: ["backup_journal", "list_backups", "restore_backup", "cleanup_backups"],
+  team: [
+    "team_create_entry",
+    "team_get_entry_by_id",
+    "team_get_recent",
+    "team_list_tags",
+    "team_search",
+    "team_search_by_date_range",
+    "team_update_entry",
+    "team_delete_entry",
+    "team_merge_tags",
+    "team_get_statistics",
+    "team_link_entries",
+    "team_visualize_relationships",
+    "team_export_entries",
+    "team_backup",
+    "team_list_backups",
+    "team_semantic_search",
+    "team_get_vector_index_stats",
+    "team_rebuild_vector_index",
+    "team_add_to_vector_index",
+    "team_get_cross_project_insights"
+  ],
+  codemode: ["mj_execute_code"]
+};
+var META_GROUPS = {
+  starter: ["core", "search", "codemode"],
+  essential: ["core", "codemode"],
+  full: [
+    "core",
+    "search",
+    "analytics",
+    "relationships",
+    "export",
+    "admin",
+    "github",
+    "backup",
+    "team",
+    "codemode"
+  ],
+  readonly: ["core", "search", "analytics", "relationships", "export"]
+};
+function getAllToolNames() {
+  const allTools = [];
+  for (const tools of Object.values(TOOL_GROUPS)) {
+    allTools.push(...tools);
+  }
+  return allTools;
+}
+function getToolGroup(toolName) {
+  for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
+    if (tools.includes(toolName)) {
+      return group;
+    }
+  }
+  return void 0;
+}
+function getEnabledGroups(enabledTools) {
+  const groups = /* @__PURE__ */ new Set();
+  for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
+    if (tools.some((t) => enabledTools.has(t))) {
+      groups.add(group);
+    }
+  }
+  return groups;
+}
+function isGroup(name) {
+  return name in TOOL_GROUPS;
+}
+function isMetaGroup(name) {
+  return name in META_GROUPS;
+}
+function parseToolFilter(filterString) {
+  const rules = [];
+  const parts = filterString.split(",").map((p) => p.trim()).filter(Boolean);
+  let enabledTools = /* @__PURE__ */ new Set();
+  let isWhitelistMode = false;
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (!part) continue;
+    const isAdd = part.startsWith("+");
+    const isRemove = part.startsWith("-");
+    const name = isAdd || isRemove ? part.slice(1) : part;
+    if (i === 0 && !isAdd && !isRemove) {
+      isWhitelistMode = true;
+      if (isMetaGroup(name)) {
+        for (const group of META_GROUPS[name]) {
+          enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[group]]);
+        }
+      } else if (isGroup(name)) {
+        enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[name]]);
+      } else {
+        enabledTools.add(name);
+      }
+      rules.push({
+        type: "include",
+        target: name,
+        isGroup: isGroup(name) || isMetaGroup(name)
+      });
+    } else if (isRemove) {
+      if (isGroup(name)) {
+        for (const tool of TOOL_GROUPS[name]) {
+          enabledTools.delete(tool);
+        }
+      } else {
+        enabledTools.delete(name);
+      }
+      rules.push({
+        type: "exclude",
+        target: name,
+        isGroup: isGroup(name)
+      });
+    } else {
+      if (isMetaGroup(name)) {
+        for (const group of META_GROUPS[name]) {
+          enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[group]]);
+        }
+      } else if (isGroup(name)) {
+        enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[name]]);
+      } else {
+        enabledTools.add(name);
+      }
+      rules.push({
+        type: "include",
+        target: name,
+        isGroup: isGroup(name) || isMetaGroup(name)
+      });
+    }
+  }
+  if (!isWhitelistMode && rules.length > 0 && rules[0]?.type === "exclude") {
+    enabledTools = new Set(getAllToolNames());
+    for (const rule of rules) {
+      if (rule.type === "exclude") {
+        if (isGroup(rule.target)) {
+          for (const tool of TOOL_GROUPS[rule.target]) {
+            enabledTools.delete(tool);
+          }
+        } else {
+          enabledTools.delete(rule.target);
+        }
+      }
+    }
+  }
+  return {
+    raw: filterString,
+    rules,
+    enabledTools
+  };
+}
+function isToolEnabled(toolName, filterConfig) {
+  return filterConfig.enabledTools.has(toolName);
+}
+function filterTools(tools, filterConfig) {
+  return tools.filter((tool) => isToolEnabled(tool.name, filterConfig));
+}
+function getToolFilterFromEnv() {
+  const filterString = process.env["MEMORY_JOURNAL_MCP_TOOL_FILTER"];
+  if (!filterString) return null;
+  return parseToolFilter(filterString);
+}
+function calculateTokenSavings(totalTools, enabledTools, avgTokensPerTool = 150) {
+  const savedTokens = (totalTools - enabledTools) * avgTokensPerTool;
+  const reduction = (totalTools - enabledTools) / totalTools * 100;
+  return { reduction, savedTokens };
+}
+function getFilterSummary(filterConfig) {
+  const total = getAllToolNames().length;
+  const enabled = filterConfig.enabledTools.size;
+  const { reduction } = calculateTokenSavings(total, enabled);
+  return `${enabled}/${total} tools enabled (${reduction.toFixed(0)}% reduction)`;
+}
+
+// src/auth/scopes.ts
+var SCOPES = {
+  /** Read-only access */
+  READ: "read",
+  /** Read and write access */
+  WRITE: "write",
+  /** Administrative access */
+  ADMIN: "admin",
+  /** Unrestricted access to all operations */
+  FULL: "full"
+};
+var BASE_SCOPES = ["read", "write", "admin", "full"];
+var SUPPORTED_SCOPES = ["read", "write", "admin", "full"];
+var TOOL_GROUP_SCOPES = {
+  core: SCOPES.READ,
+  search: SCOPES.READ,
+  analytics: SCOPES.READ,
+  relationships: SCOPES.READ,
+  export: SCOPES.READ,
+  admin: SCOPES.ADMIN,
+  github: SCOPES.WRITE,
+  backup: SCOPES.ADMIN,
+  team: SCOPES.WRITE,
+  codemode: SCOPES.ADMIN
+};
+var groupsForScope = (maxScope) => {
+  const hierarchy = {
+    read: 0,
+    write: 1,
+    admin: 2,
+    full: 3
+  };
+  const maxLevel = hierarchy[maxScope];
+  return Object.entries(TOOL_GROUP_SCOPES).filter(([, scope]) => hierarchy[scope] <= maxLevel).map(([group]) => group);
+};
+groupsForScope(SCOPES.READ);
+groupsForScope(SCOPES.WRITE);
+groupsForScope(SCOPES.ADMIN);
+function parseScopes(scopeString) {
+  return scopeString.split(/\s+/).map((s) => s.trim()).filter((s) => s.length > 0);
+}
+function hasScope(grantedScopes, requiredScope) {
+  if (grantedScopes.includes(SCOPES.FULL)) {
+    return true;
+  }
+  if (grantedScopes.includes(requiredScope)) {
+    return true;
+  }
+  if (requiredScope === SCOPES.READ || requiredScope === SCOPES.WRITE) {
+    if (grantedScopes.includes(SCOPES.ADMIN)) {
+      return true;
+    }
+  }
+  if (requiredScope === SCOPES.READ) {
+    if (grantedScopes.includes(SCOPES.WRITE)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/auth/scope-map.ts
+var toolScopeMap = /* @__PURE__ */ new Map();
+for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
+  const scope = TOOL_GROUP_SCOPES[group];
+  if (scope) {
+    for (const toolName of tools) {
+      toolScopeMap.set(toolName, scope);
+    }
+  }
+}
+function getRequiredScope(toolName) {
+  return toolScopeMap.get(toolName) ?? SCOPES.READ;
+}
+
+// src/audit/interceptor.ts
+var ALWAYS_AUDITED_SCOPES = /* @__PURE__ */ new Set(["write", "admin"]);
+function scopeToCategory(scope) {
+  if (scope === "admin") return "admin";
+  if (scope === "read") return "read";
+  return "write";
+}
+function generateRequestId() {
+  const ts = Date.now().toString(36);
+  const rand = Math.random().toString(36).slice(2, 8);
+  return `aud-${ts}-${rand}`;
+}
+function createAuditInterceptor(auditLogger) {
+  const auditReads = auditLogger.config.auditReads;
+  return {
+    async around(toolName, args, fn) {
+      const scope = getRequiredScope(toolName);
+      if (!ALWAYS_AUDITED_SCOPES.has(scope) && !auditReads) {
+        return fn();
+      }
+      const isReadScope = scope === "read";
+      const requestId = generateRequestId();
+      const start = performance$1.now();
+      let success = true;
+      let error;
+      let tokenEstimate;
+      try {
+        const result = await fn();
+        if (typeof result === "object" && result !== null) {
+          try {
+            const json = JSON.stringify({
+              ...result,
+              _meta: { tokenEstimate: 0 }
+            });
+            tokenEstimate = Math.ceil(Buffer.byteLength(json, "utf8") / 4);
+          } catch {
+          }
+        } else if (typeof result === "string") {
+          tokenEstimate = Math.ceil(Buffer.byteLength(result, "utf8") / 4);
+        }
+        return result;
+      } catch (err) {
+        success = false;
+        error = err instanceof Error ? err.message : String(err);
+        const errorResult = {
+          success: false,
+          error,
+          code: "INTERNAL_ERROR",
+          category: "internal",
+          recoverable: false
+        };
+        const enriched = JSON.stringify({
+          ...errorResult,
+          _meta: { tokenEstimate: 0 }
+        });
+        tokenEstimate = Math.ceil(Buffer.byteLength(enriched, "utf8") / 4);
+        throw err;
+      } finally {
+        const durationMs = Math.round(performance$1.now() - start);
+        if (isReadScope) {
+          auditLogger.log({
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            requestId,
+            tool: toolName,
+            category: "read",
+            scope,
+            user: null,
+            scopes: [],
+            durationMs,
+            success,
+            error,
+            tokenEstimate
+          });
+        } else {
+          auditLogger.log({
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            requestId,
+            tool: toolName,
+            category: scopeToCategory(scope),
+            scope,
+            user: null,
+            scopes: [],
+            durationMs,
+            success,
+            error,
+            args: auditLogger.config.redact ? void 0 : args,
+            tokenEstimate
+          });
+        }
+      }
+    }
+  };
+}
+
+// src/audit/types.ts
+var DEFAULT_AUDIT_LOG_MAX_SIZE_BYTES = 10 * 1024 * 1024;
+
+// src/utils/resource-annotations.ts
+var HIGH_PRIORITY = {
+  priority: 0.9,
+  audience: ["user", "assistant"]
+};
+var MEDIUM_PRIORITY = {
+  priority: 0.6,
+  audience: ["user", "assistant"]
+};
+var LOW_PRIORITY = {
+  priority: 0.4,
+  audience: ["user", "assistant"]
+};
+var ASSISTANT_FOCUSED = {
+  priority: 0.5,
+  audience: ["assistant"]
+};
+function withPriority(priority, base = MEDIUM_PRIORITY) {
+  return { ...base, priority };
+}
+function withSessionInit(base = HIGH_PRIORITY) {
+  return { ...base, sessionInit: true };
+}
+
+// src/audit/audit-resource.ts
+function getAuditResourceDef(getLogger) {
+  return {
+    uri: "memory://audit",
+    name: "Audit Log",
+    title: "Audit Trail (last 50 entries)",
+    description: "Last 50 write/admin tool call audit entries from the JSONL audit log. Each entry includes tool name, scope, duration, token estimates, and error status. Includes a session summary with total token consumption and error count.",
+    mimeType: "text/plain",
+    annotations: {
+      ...ASSISTANT_FOCUSED
+    },
+    handler: async (_uri, _context) => {
+      const lastModified = (/* @__PURE__ */ new Date()).toISOString();
+      const auditLogger = getLogger();
+      if (!auditLogger) {
+        return {
+          data: "audit: not configured\nhint: Set AUDIT_LOG_PATH env var or --audit-log CLI flag to enable audit logging.",
+          annotations: { lastModified }
+        };
+      }
+      const entries = await auditLogger.recent(50);
+      if (entries.length === 0) {
+        return {
+          data: `audit_log: ${auditLogger.config.logPath}
+entries: 0
+note: No write/admin operations have been audited yet.`,
+          annotations: { lastModified }
+        };
+      }
+      let totalTokens = 0;
+      let errorCount = 0;
+      let totalDuration = 0;
+      for (const e of entries) {
+        totalTokens += e.tokenEstimate ?? 0;
+        totalDuration += e.durationMs;
+        if (!e.success) errorCount++;
+      }
+      const formattedEntries = entries.map((e) => {
+        const parts = [
+          `- timestamp: ${e.timestamp}`,
+          `  tool: ${e.tool}`,
+          `  scope: ${e.scope}`,
+          `  category: ${e.category}`,
+          `  duration_ms: ${String(e.durationMs)}`,
+          `  success: ${String(e.success)}`
+        ];
+        if (e.error) {
+          parts.push(`  error: ${e.error}`);
+        }
+        if (e.tokenEstimate !== void 0) {
+          parts.push(`  token_estimate: ${String(e.tokenEstimate)}`);
+        }
+        if (e.args !== void 0) {
+          parts.push(`  args: ${JSON.stringify(e.args)}`);
+        }
+        return parts.join("\n");
+      }).join("\n");
+      const text = `audit_log: ${auditLogger.config.logPath}
+entries_shown: ${String(entries.length)}
+as_of: ${lastModified}
+session_summary:
+  total_tokens: ${String(totalTokens)}
+  total_duration_ms: ${String(totalDuration)}
+  error_count: ${String(errorCount)}
+  redact_mode: ${String(auditLogger.config.redact)}
+
+` + formattedEntries;
+      return {
+        data: text,
+        annotations: { lastModified }
+      };
+    }
+  };
+}
+
 // src/handlers/tools/index.ts
+var globalAuditLogger = null;
+var globalAuditInterceptor = null;
+function initializeAuditLogger(config) {
+  globalAuditLogger = new AuditLogger(config);
+  globalAuditInterceptor = createAuditInterceptor(globalAuditLogger);
+  return globalAuditLogger;
+}
+function getGlobalAuditLogger() {
+  return globalAuditLogger;
+}
 function getToolIcon(group) {
   const iconMap = {
     core: {
@@ -6270,11 +7208,25 @@ function ensureToolCache(db, vectorManager, github, config, teamDb, teamVectorMa
     return;
   }
   const context = { db, teamDb, vectorManager, teamVectorManager, github, config };
-  toolMapCache = new Map(getAllToolDefinitions(context).map((t) => [t.name, t]));
+  const rawDefs = getAllToolDefinitions(context);
+  const instrumentedDefs = rawDefs.map((t) => {
+    const metricsWrapped = wrapWithMetrics(
+      t.name,
+      (args) => Promise.resolve(t.handler(args)),
+      globalMetrics
+    );
+    const interceptor = globalAuditInterceptor;
+    const finalHandler = interceptor ? (args) => interceptor.around(t.name, args, () => metricsWrapped(args)) : metricsWrapped;
+    return {
+      ...t,
+      handler: finalHandler
+    };
+  });
+  toolMapCache = new Map(instrumentedDefs.map((t) => [t.name, t]));
   mappedToolsCache = null;
   cachedContextRefs = { db, github, vectorManager, config, teamDb, teamVectorManager };
 }
-function callTool(name, args, db, vectorManager, github, config, progress, teamDb, teamVectorManager) {
+async function callTool(name, args, db, vectorManager, github, config, progress, teamDb, teamVectorManager) {
   ensureToolCache(db, vectorManager, github, config, teamDb, teamVectorManager);
   const tool = (toolMapCache ?? EMPTY_TOOL_MAP).get(name);
   if (!tool) {
@@ -6293,10 +7245,18 @@ function callTool(name, args, db, vectorManager, github, config, progress, teamD
     const freshTools = getAllToolDefinitions(context);
     const freshTool = freshTools.find((t) => t.name === name);
     if (freshTool) {
-      return Promise.resolve(freshTool.handler(args));
+      const metricsWrapped = wrapWithMetrics(
+        freshTool.name,
+        (a) => Promise.resolve(freshTool.handler(a)),
+        globalMetrics
+      );
+      const interceptor = globalAuditInterceptor;
+      const freshResult = interceptor ? await interceptor.around(freshTool.name, args, () => metricsWrapped(args)) : await metricsWrapped(args);
+      return injectTokenEstimate(freshResult);
     }
   }
-  return Promise.resolve(tool.handler(args));
+  const result = await Promise.resolve(tool.handler(args));
+  return injectTokenEstimate(result);
 }
 function getAllToolDefinitions(context) {
   return [
@@ -6313,4 +7273,4 @@ function getAllToolDefinitions(context) {
   ];
 }
 
-export { ConfigurationError, ConnectionError, DEFAULT_BRIEFING_CONFIG, MemoryJournalMcpError, QueryError, ResourceNotFoundError, ValidationError, assertNoPathTraversal, callTool, execQuery, getTools, isResourceError, logger, milestoneCompletionPct, resolveGitHubRepo, sendProgress, setDefaultSandboxMode, transformEntryRow, validateDateFormatPattern };
+export { ASSISTANT_FOCUSED, BASE_SCOPES, DEFAULT_AUDIT_LOG_MAX_SIZE_BYTES, DEFAULT_BRIEFING_CONFIG, HIGH_PRIORITY, LOW_PRIORITY, MEDIUM_PRIORITY, META_GROUPS, SUPPORTED_SCOPES, TOOL_GROUPS, calculateTokenSavings, callTool, execQuery, filterTools, getAllToolNames, getAuditResourceDef, getEnabledGroups, getFilterSummary, getGlobalAuditLogger, getRequiredScope, getToolFilterFromEnv, getToolGroup, getTools, globalMetrics, hasScope, initializeAuditLogger, isResourceError, isToolEnabled, milestoneCompletionPct, parseScopes, parseToolFilter, resolveGitHubRepo, sendProgress, setDefaultSandboxMode, transformEntryRow, withPriority, withSessionInit };