memory-journal-mcp 7.7.1 → 8.0.0

package/dist/chunk-6OHRCNYW.js

@@ -0,0 +1,3231 @@
+import { AsyncLocalStorage } from 'async_hooks';
+import fs from 'fs';
+import path from 'path';
+import { Octokit } from '@octokit/rest';
+import { graphql } from '@octokit/graphql';
+import * as simpleGitImport from 'simple-git';
+import { createHash } from 'crypto';
+import { z } from 'zod';
+
+// src/utils/errors/suggestions.ts
+var GENERIC_CODES = /* @__PURE__ */ new Set(["QUERY_FAILED", "INTERNAL_ERROR", "UNKNOWN_ERROR"]);
+var ERROR_SUGGESTIONS = [
+  // Resource not found patterns
+  {
+    pattern: /not found/i,
+    suggestion: "Verify the resource identifier and try again",
+    code: "RESOURCE_NOT_FOUND"
+  },
+  {
+    pattern: /no such table/i,
+    suggestion: "The database table does not exist. Run database initialization.",
+    code: "TABLE_NOT_FOUND"
+  },
+  // Permission / access patterns
+  {
+    pattern: /permission denied|SQLITE_READONLY/i,
+    suggestion: "Check file permissions and database access rights",
+    code: "PERMISSION_DENIED"
+  },
+  // Connection / lock patterns
+  {
+    pattern: /database is locked/i,
+    suggestion: "The database is locked by another process. Retry after a short delay.",
+    code: "CONNECTION_FAILED"
+  },
+  // Constraint patterns
+  {
+    pattern: /SQLITE_CONSTRAINT|unique constraint/i,
+    suggestion: "A uniqueness or integrity constraint was violated. Check input values.",
+    code: "VALIDATION_ERROR"
+  },
+  // Disk / space patterns
+  {
+    pattern: /disk I\/O|SQLITE_FULL/i,
+    suggestion: "The disk may be full or the filesystem is read-only."
+  },
+  // Malformed input patterns
+  {
+    pattern: /malformed|invalid json|unexpected token/i,
+    suggestion: "The input appears malformed. Check the format and try again.",
+    code: "VALIDATION_ERROR"
+  },
+  // Schema / types patterns
+  {
+    pattern: /invalid input syntax for type|requires a.*column/i,
+    suggestion: "The provided value is not valid for the assigned type.",
+    code: "VALIDATION_ERROR"
+  },
+  {
+    pattern: /^Missing required parameters:/i,
+    suggestion: "Provide all required parameters in your request.",
+    code: "VALIDATION_ERROR"
+  },
+  // Codemode / Sandbox patterns
+  {
+    pattern: /execution timed out/i,
+    suggestion: "Reduce code complexity or increase timeout (max 30s). Break into smaller operations.",
+    code: "QUERY_FAILED"
+  },
+  {
+    pattern: /code validation failed/i,
+    suggestion: "Check for blocked patterns. Use mj.* API instead.",
+    code: "VALIDATION_ERROR"
+  },
+  {
+    pattern: /sandbox.*not initialized/i,
+    suggestion: "Internal sandbox error. Retry the operation.",
+    code: "INTERNAL_ERROR"
+  },
+  // Zod enum validation patterns — return valid values for self-correction
+  {
+    pattern: /invalid enum value.*significance/i,
+    suggestion: "Valid significance_type values: milestone, breakthrough, decision, architecture, lesson_learned, blocker_resolved, release, security",
+    code: "VALIDATION_ERROR"
+  },
+  {
+    pattern: /invalid enum value.*entry.?type/i,
+    suggestion: "Valid entry_type values: retrospective, bug_fix, project_decision, feature_implementation, technical_note, code_review, planning, research, enhancement, milestone, adversarial_review, development_note, learning, standup, meeting_notes, technical_achievement, plan_draft, plan_refinement, copilot_validation, other, personal_reflection",
+    code: "VALIDATION_ERROR"
+  }
+];
+function matchSuggestion(message) {
+  for (const entry of ERROR_SUGGESTIONS) {
+    if (entry.pattern.test(message)) {
+      return { suggestion: entry.suggestion, code: entry.code };
+    }
+  }
+  return void 0;
+}
+
+// src/types/errors.ts
+var MemoryJournalMcpError = class extends Error {
+  /** Module-prefixed error code */
+  code;
+  /** Error category for programmatic handling */
+  category;
+  /** Actionable suggestion for resolving the error */
+  suggestion;
+  /** Whether the operation can be retried */
+  recoverable;
+  /** Additional structured context */
+  details;
+  constructor(message, code, category, options) {
+    super(message, options?.cause ? { cause: options.cause } : void 0);
+    this.name = "MemoryJournalMcpError";
+    this.category = category;
+    this.recoverable = options?.recoverable ?? false;
+    this.details = options?.details;
+    const matched = matchSuggestion(message);
+    if (GENERIC_CODES.has(code) && matched?.code) {
+      this.code = matched.code;
+    } else {
+      this.code = code;
+    }
+    this.suggestion = options?.suggestion ?? matched?.suggestion;
+  }
+  /**
+   * Convert to a structured ErrorResponse for tool responses.
+   */
+  toResponse() {
+    return {
+      success: false,
+      error: this.message,
+      code: this.code,
+      category: this.category,
+      suggestion: this.suggestion,
+      recoverable: this.recoverable,
+      ...this.details ? { details: this.details } : {}
+    };
+  }
+};
+var ConnectionError = class extends MemoryJournalMcpError {
+  constructor(message, details) {
+    super(message, "CONNECTION_FAILED", "connection" /* CONNECTION */, {
+      suggestion: "Check database path and file permissions",
+      recoverable: true,
+      details
+    });
+    this.name = "ConnectionError";
+  }
+};
+var QueryError = class extends MemoryJournalMcpError {
+  constructor(message, details) {
+    super(message, "QUERY_FAILED", "query" /* QUERY */, {
+      suggestion: "Check query parameters and database state",
+      recoverable: false,
+      details
+    });
+    this.name = "QueryError";
+  }
+};
+var ValidationError = class extends MemoryJournalMcpError {
+  constructor(message, details) {
+    super(message, "VALIDATION_ERROR", "validation" /* VALIDATION */, {
+      suggestion: "Check input parameters against the tool schema",
+      recoverable: false,
+      details
+    });
+    this.name = "ValidationError";
+  }
+};
+var ResourceNotFoundError = class extends MemoryJournalMcpError {
+  constructor(resourceType, identifier) {
+    super(
+      `${resourceType} not found: ${identifier}`,
+      "RESOURCE_NOT_FOUND",
+      "resource" /* RESOURCE */,
+      {
+        suggestion: `Verify the ${resourceType.toLowerCase()} identifier and try again`,
+        recoverable: false,
+        details: { resourceType, identifier }
+      }
+    );
+    this.name = "ResourceNotFoundError";
+  }
+};
+var ConfigurationError = class extends MemoryJournalMcpError {
+  constructor(message, details) {
+    super(message, "CONFIGURATION_ERROR", "configuration" /* CONFIGURATION */, {
+      suggestion: "Check server configuration and environment variables",
+      recoverable: false,
+      details
+    });
+    this.name = "ConfigurationError";
+  }
+};
+var PermissionError = class extends MemoryJournalMcpError {
+  constructor(message, details) {
+    super(message, "PERMISSION_DENIED", "permission" /* PERMISSION */, {
+      suggestion: "Check file permissions and database access rights",
+      recoverable: false,
+      details
+    });
+    this.name = "PermissionError";
+  }
+};
+var authContextStorage = new AsyncLocalStorage();
+function runWithAuthContext(context, fn) {
+  return authContextStorage.run(context, fn);
+}
+function getAuthContext() {
+  return authContextStorage.getStore();
+}
+var SecurityError = class extends MemoryJournalMcpError {
+  constructor(message, code) {
+    super(message, code, "validation" /* VALIDATION */, {
+      suggestion: "Check input for security violations",
+      recoverable: false
+    });
+    this.name = "SecurityError";
+  }
+};
+var InvalidDateFormatError = class extends SecurityError {
+  constructor(value) {
+    super(`Invalid date format pattern: '${value}'`, "INVALID_DATE_FORMAT");
+    this.name = "InvalidDateFormatError";
+  }
+};
+var PathTraversalError = class extends SecurityError {
+  constructor(path2) {
+    super(`Path traversal detected: '${path2}'`, "PATH_TRAVERSAL");
+    this.name = "PathTraversalError";
+  }
+};
+var ALLOWED_DATE_FORMATS = {
+  day: "%Y-%m-%d",
+  week: "%Y-W%W",
+  month: "%Y-%m"
+};
+function validateDateFormatPattern(groupBy) {
+  const format = ALLOWED_DATE_FORMATS[groupBy];
+  if (!format) {
+    throw new InvalidDateFormatError(groupBy);
+  }
+  return format;
+}
+function sanitizeSearchQuery(query) {
+  return query.replace(/\\/g, "\\\\").replace(/%/g, "\\%").replace(/_/g, "\\_");
+}
+function assertNoPathTraversal(filename) {
+  if (filename.includes("/") || filename.includes("\\") || filename.includes("..")) {
+    throw new PathTraversalError(filename);
+  }
+}
+function assertSafeDirectoryPath(dirPath, providedRoots) {
+  const normalized = dirPath.replace(/\\/g, "/");
+  const segments = normalized.split("/");
+  if (segments.some((s) => s === "..")) {
+    throw new PathTraversalError(dirPath);
+  }
+  const resolved = path.resolve(dirPath);
+  let currentDir = resolved;
+  let existingRealPath = "";
+  while (currentDir !== path.parse(currentDir).root) {
+    try {
+      existingRealPath = fs.realpathSync(currentDir);
+      break;
+    } catch {
+      currentDir = path.dirname(currentDir);
+    }
+  }
+  if (!existingRealPath) {
+    try {
+      existingRealPath = fs.realpathSync(currentDir);
+    } catch {
+      existingRealPath = currentDir;
+    }
+  }
+  const remainder = path.relative(currentDir, resolved);
+  const targetPath = remainder ? path.join(existingRealPath, remainder) : existingRealPath;
+  const rawRoots = providedRoots;
+  if (rawRoots.length === 0) {
+    throw new PathTraversalError(
+      "No allowed input/output roots configured for sandbox boundary. Please configure ALLOWED_IO_ROOTS env variable or pass --allowed-io-roots with absolute paths (e.g. C:\\my\\path) to enable filesystem operations."
+    );
+  }
+  const allowedRoots = [];
+  for (const root of rawRoots) {
+    try {
+      allowedRoots.push(fs.realpathSync(path.resolve(root)));
+    } catch {
+      allowedRoots.push(path.resolve(root));
+    }
+  }
+  const isAllowed = allowedRoots.some((root) => {
+    const rel = path.relative(root, targetPath);
+    return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
+  });
+  if (!isAllowed) {
+    throw new PathTraversalError(
+      `Directory path escapes allowed sandbox boundaries: ${dirPath}`
+    );
+  }
+}
+function assertSafeFilePath(filePath, providedRoots) {
+  assertSafeDirectoryPath(path.dirname(filePath), providedRoots);
+  try {
+    const stats = fs.lstatSync(filePath);
+    if (stats.isSymbolicLink()) {
+      throw new PathTraversalError(
+        `Symlinks are strictly forbidden for file operations: ${filePath}`
+      );
+    }
+  } catch (err) {
+    if (err instanceof PathTraversalError) {
+      throw err;
+    }
+  }
+}
+var TOKEN_PATTERNS = [
+  // GitHub personal access tokens (classic and fine-grained)
+  /gh[pousr]_[A-Za-z0-9_]{36,}/g,
+  /github_pat_[A-Za-z0-9_]{82,}/g,
+  // JWT Tokens
+  /eyJ[a-zA-Z0-9_-]{2,}\.eyJ[a-zA-Z0-9_-]{2,}\.[a-zA-Z0-9_-]{2,}/g,
+  // Slack tokens
+  /xox[baprs]-[A-Za-z0-9-]+/g,
+  // AWS API Keys
+  /(?:AKIA|ABIA|ACCA|ASIA)[0-9A-Z]{16}/g,
+  // Authorization headers in error dumps (catch-all for token, Bearer, Basic)
+  /Authorization:(?:\s+(?:token|Bearer|Basic))?\s+["']?[A-Za-z0-9._~+/#=-]+["']?/gi,
+  // Generic token patterns standalone
+  /Bearer\s+["']?[A-Za-z0-9._~+/#=-]+["']?/gi,
+  /Basic\s+["']?[A-Za-z0-9._~+/#=-]+["']?/gi
+];
+function sanitizeErrorForLogging(message) {
+  let sanitized = message;
+  for (const pattern of TOKEN_PATTERNS) {
+    pattern.lastIndex = 0;
+    sanitized = sanitized.replace(pattern, "[REDACTED]");
+  }
+  return sanitized;
+}
+function markUntrustedContent(content) {
+  if (!content) return "";
+  let trimmed = content.trim();
+  if (!trimmed) return "";
+  trimmed = trimmed.replace(/<\/?untrusted_remote_content[^>]*>/gi, "");
+  trimmed = trimmed.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return `<untrusted_remote_content>
+${trimmed}
+</untrusted_remote_content>`;
+}
+function markUntrustedContentInline(content) {
+  if (!content) return "";
+  let cleaned = content;
+  cleaned = cleaned.replace(/<\/?untrusted_remote_content[^>]*>/gi, "");
+  cleaned = cleaned.replace(/</g, "&lt;").replace(/>/g, "&gt;");
+  return `<untrusted_remote_content>${cleaned}</untrusted_remote_content>`;
+}
+function sanitizeAuthor(raw) {
+  return raw.replace(/[\x00-\x1f\x7f]/g, "").slice(0, 100);
+}
+function resolveAuthenticatedAuthor() {
+  const authCtx = getAuthContext();
+  if (authCtx?.authenticated && authCtx.claims) {
+    const claims = authCtx.claims;
+    const email = typeof claims["email"] === "string" ? claims["email"] : void 0;
+    const prefName = typeof claims["preferred_username"] === "string" ? claims["preferred_username"] : void 0;
+    const subject = typeof claims["subject"] === "string" ? claims["subject"] : void 0;
+    const claimAuthor = email ?? prefName ?? claims.sub ?? subject;
+    if (claimAuthor) {
+      return sanitizeAuthor(claimAuthor);
+    }
+  }
+  return resolveAuthor();
+}
+function resolveAuthor() {
+  const envAuthor = process.env["TEAM_AUTHOR"]?.trim().replace(/"/g, "");
+  if (envAuthor) {
+    return sanitizeAuthor(envAuthor);
+  }
+  const authCtx = getAuthContext();
+  if (authCtx?.claims?.sub) {
+    return sanitizeAuthor(authCtx.claims.sub);
+  }
+  return "unknown";
+}
+
+// src/utils/logger.ts
+var LOG_LEVELS = {
+  debug: 7,
+  info: 6,
+  notice: 5,
+  warning: 4,
+  error: 3,
+  critical: 2
+};
+var Logger = class {
+  minLevel;
+  constructor(level = "info") {
+    this.minLevel = LOG_LEVELS[level];
+  }
+  shouldLog(level) {
+    return LOG_LEVELS[level] <= this.minLevel;
+  }
+  log(level, message, context) {
+    if (!this.shouldLog(level)) return;
+    const safeMessage = message.replace(/\n|\r/g, "");
+    const timestamp = (/* @__PURE__ */ new Date()).toISOString();
+    const levelUpper = level.toUpperCase().padEnd(8);
+    const mod = context?.module ? `[${context.module.replace(/\n|\r/g, "")}]` : "";
+    const op = context?.operation ? `[${context.operation.replace(/\n|\r/g, "")}]` : "";
+    let line = `[${timestamp}] [${levelUpper}] ${mod}${op} ${safeMessage}`;
+    const extras = { ...context };
+    delete extras["module"];
+    delete extras["operation"];
+    if (extras["error"] != null && typeof extras["error"] === "string") {
+      extras["error"] = sanitizeErrorForLogging(extras["error"]);
+    }
+    if (Object.keys(extras).length > 0) {
+      line += ` ${JSON.stringify(extras).replace(/\n|\r/g, "")}`;
+    }
+    console.error(line);
+  }
+  debug(message, context) {
+    this.log("debug", message, context);
+  }
+  info(message, context) {
+    this.log("info", message, context);
+  }
+  notice(message, context) {
+    this.log("notice", message, context);
+  }
+  warning(message, context) {
+    this.log("warning", message, context);
+  }
+  error(message, context) {
+    this.log("error", message, context);
+  }
+  critical(message, context) {
+    this.log("critical", message, context);
+  }
+  setLevel(level) {
+    if (level in LOG_LEVELS) {
+      this.minLevel = LOG_LEVELS[level];
+    }
+  }
+};
+var rawLevel = process.env["LOG_LEVEL"] ?? "info";
+var envLevel = rawLevel in LOG_LEVELS ? rawLevel : "info";
+var logger = new Logger(envLevel);
+
+// src/filtering/tool-filter.ts
+var TOOL_GROUPS = {
+  core: [
+    "create_entry",
+    "get_entry_by_id",
+    "get_recent_entries",
+    "create_entry_minimal",
+    "test_simple",
+    "list_tags"
+  ],
+  search: ["search_entries", "search_by_date_range", "semantic_search", "get_vector_index_stats"],
+  analytics: ["get_statistics", "get_cross_project_insights"],
+  relationships: ["link_entries", "visualize_relationships"],
+  io: ["export_entries", "export_markdown", "import_markdown"],
+  admin: [
+    "update_entry",
+    "delete_entry",
+    "rebuild_vector_index",
+    "add_to_vector_index",
+    "merge_tags"
+  ],
+  github: [
+    "get_github_issues",
+    "get_github_prs",
+    "get_github_issue",
+    "get_github_pr",
+    "get_github_context",
+    "get_kanban_board",
+    "move_kanban_item",
+    "add_kanban_item",
+    "delete_kanban_item",
+    "create_github_issue_with_entry",
+    "close_github_issue_with_entry",
+    "get_github_milestones",
+    "get_github_milestone",
+    "create_github_milestone",
+    "update_github_milestone",
+    "delete_github_milestone",
+    "get_repo_insights",
+    "get_copilot_reviews"
+  ],
+  backup: ["backup_journal", "list_backups", "restore_backup", "cleanup_backups"],
+  team: [
+    "team_create_entry",
+    "team_get_entry_by_id",
+    "team_get_recent",
+    "team_list_tags",
+    "team_search",
+    "team_search_by_date_range",
+    "team_update_entry",
+    "team_delete_entry",
+    "team_merge_tags",
+    "team_get_statistics",
+    "team_link_entries",
+    "team_visualize_relationships",
+    "team_export_entries",
+    "team_export_markdown",
+    "team_import_markdown",
+    "team_backup",
+    "team_list_backups",
+    "team_semantic_search",
+    "team_get_vector_index_stats",
+    "team_rebuild_vector_index",
+    "team_add_to_vector_index",
+    "team_get_cross_project_insights",
+    "team_get_collaboration_matrix",
+    "team_pass_flag",
+    "team_resolve_flag",
+    "team_list_flags",
+    "team_update_flag",
+    "team_get_flag_analytics"
+  ],
+  codemode: ["mj_execute_code"]
+};
+var META_GROUPS = {
+  starter: ["core", "search", "codemode"],
+  essential: ["core", "codemode"],
+  full: [
+    "core",
+    "search",
+    "analytics",
+    "relationships",
+    "io",
+    "admin",
+    "github",
+    "backup",
+    "team",
+    "codemode"
+  ],
+  readonly: ["core", "search", "analytics", "relationships", "io", "codemode"]
+};
+function getAllToolNames() {
+  const allTools = [];
+  for (const tools of Object.values(TOOL_GROUPS)) {
+    allTools.push(...tools);
+  }
+  return allTools;
+}
+function getToolGroup(toolName) {
+  for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
+    if (tools.includes(toolName)) {
+      return group;
+    }
+  }
+  return void 0;
+}
+function getEnabledGroups(enabledTools) {
+  const groups = /* @__PURE__ */ new Set();
+  for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
+    if (tools.some((t) => enabledTools.has(t))) {
+      groups.add(group);
+    }
+  }
+  return groups;
+}
+var GROUP_ALIASES = { export: "io" };
+function resolveGroupAlias(name) {
+  return GROUP_ALIASES[name] ?? name;
+}
+function isGroup(name) {
+  return resolveGroupAlias(name) in TOOL_GROUPS;
+}
+function isMetaGroup(name) {
+  return name in META_GROUPS;
+}
+function parseToolFilter(filterString) {
+  const rules = [];
+  const parts = filterString.split(",").map((p) => p.trim()).filter(Boolean);
+  let enabledTools = /* @__PURE__ */ new Set();
+  let isWhitelistMode = false;
+  for (let i = 0; i < parts.length; i++) {
+    const part = parts[i];
+    if (!part) continue;
+    const isAdd = part.startsWith("+");
+    const isRemove = part.startsWith("-");
+    const name = isAdd || isRemove ? part.slice(1) : part;
+    if (i === 0 && !isAdd && !isRemove) {
+      isWhitelistMode = true;
+      if (isMetaGroup(name)) {
+        for (const group of META_GROUPS[name]) {
+          enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[group]]);
+        }
+      } else if (isGroup(name)) {
+        const resolved = resolveGroupAlias(name);
+        enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[resolved]]);
+      } else {
+        enabledTools.add(name);
+      }
+      rules.push({
+        type: "include",
+        target: name,
+        isGroup: isGroup(name) || isMetaGroup(name)
+      });
+    } else if (isRemove) {
+      if (isGroup(name)) {
+        const resolved = resolveGroupAlias(name);
+        for (const tool of TOOL_GROUPS[resolved]) {
+          enabledTools.delete(tool);
+        }
+      } else {
+        enabledTools.delete(name);
+      }
+      rules.push({
+        type: "exclude",
+        target: name,
+        isGroup: isGroup(name)
+      });
+    } else {
+      if (isMetaGroup(name)) {
+        for (const group of META_GROUPS[name]) {
+          enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[group]]);
+        }
+      } else if (isGroup(name)) {
+        const resolved = resolveGroupAlias(name);
+        enabledTools = /* @__PURE__ */ new Set([...enabledTools, ...TOOL_GROUPS[resolved]]);
+      } else {
+        enabledTools.add(name);
+      }
+      rules.push({
+        type: "include",
+        target: name,
+        isGroup: isGroup(name) || isMetaGroup(name)
+      });
+    }
+  }
+  if (!isWhitelistMode && rules.length > 0 && rules[0]?.type === "exclude") {
+    enabledTools = new Set(getAllToolNames());
+    for (const rule of rules) {
+      if (rule.type === "exclude") {
+        if (isGroup(rule.target)) {
+          const resolved = resolveGroupAlias(rule.target);
+          for (const tool of TOOL_GROUPS[resolved]) {
+            enabledTools.delete(tool);
+          }
+        } else {
+          enabledTools.delete(rule.target);
+        }
+      }
+    }
+  }
+  return {
+    raw: filterString,
+    rules,
+    enabledTools
+  };
+}
+function isToolEnabled(toolName, filterConfig) {
+  return filterConfig.enabledTools.has(toolName);
+}
+function filterTools(tools, filterConfig) {
+  return tools.filter((tool) => isToolEnabled(tool.name, filterConfig));
+}
+function getToolFilterFromEnv() {
+  const filterString = process.env["MEMORY_JOURNAL_MCP_TOOL_FILTER"];
+  if (!filterString) return null;
+  return parseToolFilter(filterString);
+}
+function calculateTokenSavings(totalTools, enabledTools, avgTokensPerTool = 150) {
+  const savedTokens = (totalTools - enabledTools) * avgTokensPerTool;
+  const reduction = (totalTools - enabledTools) / totalTools * 100;
+  return { reduction, savedTokens };
+}
+function getFilterSummary(filterConfig) {
+  const total = getAllToolNames().length;
+  const enabled = filterConfig.enabledTools.size;
+  const { reduction } = calculateTokenSavings(total, enabled);
+  return `${enabled}/${total} tools enabled (${reduction.toFixed(0)}% reduction)`;
+}
+
+// src/auth/scopes.ts
+var SCOPES = {
+  /** Read-only access */
+  READ: "read",
+  /** Read and write access */
+  WRITE: "write",
+  /** Administrative access */
+  ADMIN: "admin",
+  /** Unrestricted access to all operations */
+  FULL: "full",
+  /** Team operations access */
+  TEAM: "team",
+  /** Audit log access */
+  AUDIT: "audit"
+};
+var BASE_SCOPES = ["read", "write", "admin", "full", "team", "audit"];
+var SUPPORTED_SCOPES = ["read", "write", "admin", "full", "team", "audit"];
+var TOOL_GROUP_SCOPES = {
+  core: SCOPES.READ,
+  search: SCOPES.READ,
+  analytics: SCOPES.READ,
+  relationships: SCOPES.READ,
+  io: SCOPES.READ,
+  admin: SCOPES.ADMIN,
+  github: SCOPES.WRITE,
+  backup: SCOPES.ADMIN,
+  // SEC-1.3: Team tools require the dedicated `team` scope, not generic `write`.
+  // This aligns tool-level enforcement with the resource-level boundary at memory://team/*.
+  // Tokens with `admin` or `full` scope still implicitly include `team` via hasScope().
+  team: SCOPES.TEAM,
+  codemode: SCOPES.ADMIN
+};
+var TOOL_SCOPE_OVERRIDES = {
+  import_markdown: SCOPES.WRITE,
+  team_import_markdown: SCOPES.TEAM,
+  mj_execute_code: SCOPES.ADMIN,
+  create_entry: SCOPES.WRITE,
+  create_entry_minimal: SCOPES.WRITE,
+  link_entries: SCOPES.WRITE,
+  export_markdown: SCOPES.WRITE
+};
+var groupsForScope = (maxScope) => {
+  const hierarchy = {
+    read: 0,
+    write: 1,
+    team: 1.5,
+    audit: 1.5,
+    admin: 2,
+    full: 3
+  };
+  const maxLevel = hierarchy[maxScope];
+  return Object.entries(TOOL_GROUP_SCOPES).filter(([, scope]) => hierarchy[scope] <= maxLevel).map(([group]) => group);
+};
+groupsForScope(SCOPES.READ);
+groupsForScope(SCOPES.WRITE);
+groupsForScope(SCOPES.ADMIN);
+function parseScopes(scopeString) {
+  return scopeString.split(/\s+/).map((s) => s.trim()).filter((s) => s.length > 0);
+}
+function isValidScope(scope) {
+  return BASE_SCOPES.includes(scope);
+}
+function hasScope(grantedScopes, requiredScope) {
+  if (grantedScopes.includes(SCOPES.FULL)) {
+    return true;
+  }
+  if (grantedScopes.includes(requiredScope)) {
+    return true;
+  }
+  if (requiredScope === SCOPES.READ || requiredScope === SCOPES.WRITE || requiredScope === SCOPES.TEAM || requiredScope === SCOPES.AUDIT) {
+    if (grantedScopes.includes(SCOPES.ADMIN)) {
+      return true;
+    }
+  }
+  if (requiredScope === SCOPES.READ) {
+    if (grantedScopes.includes(SCOPES.WRITE)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// src/auth/scope-map.ts
+var toolScopeMap = /* @__PURE__ */ new Map();
+for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
+  const scope = TOOL_GROUP_SCOPES[group];
+  if (scope) {
+    for (const toolName of tools) {
+      toolScopeMap.set(toolName, scope);
+    }
+  }
+}
+for (const [toolName, scope] of Object.entries(TOOL_SCOPE_OVERRIDES)) {
+  toolScopeMap.set(toolName, scope);
+}
+function getRequiredScope(toolName) {
+  const scope = toolScopeMap.get(toolName);
+  if (!scope) {
+    throw new Error(
+      `CRITICAL SECURITY FAILURE: Tool '${toolName}' is missing from scope mapping`
+    );
+  }
+  return scope;
+}
+
+// src/auth/validation.ts
+function enforceAccessBoundary(targetName, targetType, capabilities, auditLogger) {
+  const auth = getAuthContext();
+  const isTeam = capabilities?.requiresTeamScope ?? (targetType === "resource" ? targetName.startsWith("memory://team/") || targetName.startsWith("memory://flags") : targetName.startsWith("team_"));
+  const isAdmin = capabilities?.requiresAdminScope ?? (targetType === "resource" ? targetName === "memory://audit" : false);
+  if (isTeam) {
+    const envAuthor = process.env["TEAM_AUTHOR"]?.trim();
+    const hasAuthClaim = auth?.authenticated === true && auth?.claims !== void 0;
+    const bypassCodeMode = process.env["CODEMODE_INTERNAL_FULL_ACCESS"] === "true";
+    if (!envAuthor && !hasAuthClaim && !bypassCodeMode) {
+      logger.warning(`Access to team ${targetType} denied: unauthenticated`, {
+        module: "AUTH",
+        operation: "fail-closed",
+        entityId: targetName
+      });
+      throw new PermissionError(
+        `Access to team ${targetType} '${targetName}' denied: missing TEAM_AUTHOR or active OAuth session.`
+      );
+    }
+  }
+  if (auth) {
+    let requiredScope;
+    if (targetType === "tool") {
+      requiredScope = getRequiredScope(targetName);
+    } else {
+      requiredScope = SCOPES.READ;
+      if (isTeam) {
+        requiredScope = SCOPES.TEAM;
+      } else if (isAdmin) {
+        requiredScope = SCOPES.ADMIN;
+      }
+    }
+    if (!hasScope(auth.claims?.scopes ?? [], requiredScope)) {
+      logger.warning(`Insufficient scope for ${targetType}: ${targetName}`, {
+        module: "AUTH",
+        operation: "scope-check",
+        entityId: targetName
+      });
+      if (auditLogger) {
+        const category = requiredScope === SCOPES.TEAM ? "team" : requiredScope === SCOPES.ADMIN || requiredScope === SCOPES.FULL ? "admin" : "read";
+        auditLogger.logDenial(targetName, "Insufficient scope", {
+          user: auth.claims?.sub,
+          scopes: auth.claims?.scopes ?? [],
+          category,
+          scope: requiredScope
+        });
+      }
+      throw new PermissionError(
+        `Access to ${targetType} '${targetName}' denied: insufficient scope.`
+      );
+    }
+  }
+}
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+var TRAFFIC_CACHE_TTL_MS = 10 * 60 * 1e3;
+var simpleGit2 = simpleGitImport.simpleGit;
+var GitHubClient = class {
+  octokit = null;
+  graphqlWithAuth = null;
+  git;
+  apiCache = /* @__PURE__ */ new Map();
+  totalCacheBytes = 0;
+  MAX_CACHE_BYTES = 50 * 1024 * 1024;
+  // 50MB global limit
+  MAX_ENTRY_BYTES = 10 * 1024 * 1024;
+  // 10MB per-item limit
+  constructor(workingDir = ".", token) {
+    const resolvedToken = token ?? process.env["GITHUB_TOKEN"];
+    const effectiveDir = workingDir;
+    const resolvedDir = effectiveDir === "." ? process.cwd() : effectiveDir;
+    logger.info("GitHub integration using directory", {
+      module: "GitHub",
+      workingDir,
+      effectiveDir,
+      resolvedDir,
+      cwd: process.cwd()
+    });
+    this.git = simpleGit2(effectiveDir);
+    if (resolvedToken) {
+      this.octokit = new Octokit({ auth: resolvedToken });
+      this.graphqlWithAuth = graphql.defaults({
+        headers: { authorization: `token ${resolvedToken}` }
+      });
+      logger.info("GitHub integration initialized with token", { module: "GitHub" });
+    } else {
+      logger.info("GitHub integration initialized without token (limited functionality)", {
+        module: "GitHub"
+      });
+    }
+  }
+  isApiAvailable() {
+    return this.octokit !== null;
+  }
+  getCached(key) {
+    const entry = this.apiCache.get(key);
+    if (entry && Date.now() - entry.timestamp < CACHE_TTL_MS) {
+      this.apiCache.delete(key);
+      this.apiCache.set(key, entry);
+      return entry.data;
+    }
+    if (entry) {
+      this.totalCacheBytes -= entry.sizeBytes;
+      this.apiCache.delete(key);
+    }
+    return void 0;
+  }
+  getCachedWithTtl(key, ttlMs) {
+    const entry = this.apiCache.get(key);
+    if (entry && Date.now() - entry.timestamp < ttlMs) {
+      this.apiCache.delete(key);
+      this.apiCache.set(key, entry);
+      return entry.data;
+    }
+    if (entry) {
+      this.totalCacheBytes -= entry.sizeBytes;
+      this.apiCache.delete(key);
+    }
+    return void 0;
+  }
+  setCache(key, data) {
+    let sizeBytes;
+    try {
+      sizeBytes = Buffer.byteLength(JSON.stringify(data) || "", "utf8");
+    } catch {
+      sizeBytes = 1024;
+    }
+    if (sizeBytes > this.MAX_ENTRY_BYTES) {
+      return;
+    }
+    const existing = this.apiCache.get(key);
+    if (existing) {
+      this.totalCacheBytes -= existing.sizeBytes;
+    }
+    this.apiCache.delete(key);
+    this.apiCache.set(key, { data, timestamp: Date.now(), sizeBytes });
+    this.totalCacheBytes += sizeBytes;
+    while (this.apiCache.size > 1e3 || this.totalCacheBytes > this.MAX_CACHE_BYTES) {
+      const oldestKey = this.apiCache.keys().next().value;
+      if (oldestKey !== void 0) {
+        const oldestEntry = this.apiCache.get(oldestKey);
+        if (oldestEntry) {
+          this.totalCacheBytes -= oldestEntry.sizeBytes;
+        }
+        this.apiCache.delete(oldestKey);
+      } else {
+        break;
+      }
+    }
+  }
+  invalidateCache(prefix) {
+    for (const [key, entry] of this.apiCache.entries()) {
+      if (key.startsWith(prefix)) {
+        this.totalCacheBytes -= entry.sizeBytes;
+        this.apiCache.delete(key);
+      }
+    }
+  }
+  clearCache() {
+    this.apiCache.clear();
+    this.totalCacheBytes = 0;
+  }
+};
+
+// src/github/github-integration/issues.ts
+var IssuesManager = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async getIssues(owner, repo, state = "open", limit = 20, abortSignal) {
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `issues:${owner}:${repo}:${state}:${String(limit)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.issues.listForRepo({
+        owner,
+        repo,
+        state,
+        per_page: Math.min(limit + 5, 100),
+        sort: "updated",
+        direction: "desc",
+        request: { signal: abortSignal }
+      });
+      const result = response.data.filter((issue) => !issue.pull_request).slice(0, limit).map((issue) => ({
+        number: issue.number,
+        title: markUntrustedContentInline(issue.title),
+        url: issue.html_url,
+        state: issue.state === "open" ? "OPEN" : "CLOSED",
+        milestone: issue.milestone ? {
+          number: issue.milestone.number,
+          title: issue.milestone.title
+        } : null
+      }));
+      this.client.setCache(cacheKey, result);
+      return result;
+    } catch (error) {
+      logger.error("Failed to get issues", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getIssue(owner, repo, issueNumber) {
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `issue:${owner}:${repo}:${String(issueNumber)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached !== void 0) return cached;
+    try {
+      const response = await this.client.octokit.issues.get({
+        owner,
+        repo,
+        issue_number: issueNumber
+      });
+      const issue = response.data;
+      if (issue.pull_request) {
+        return null;
+      }
+      const details = {
+        number: issue.number,
+        title: markUntrustedContentInline(issue.title),
+        url: issue.html_url,
+        state: issue.state === "open" ? "OPEN" : "CLOSED",
+        nodeId: issue.node_id,
+        body: issue.body || "",
+        labels: issue.labels.map((l) => typeof l === "string" ? l : l.name ?? ""),
+        assignees: issue.assignees?.map((a) => a.login) ?? [],
+        createdAt: issue.created_at,
+        updatedAt: issue.updated_at,
+        closedAt: issue.closed_at,
+        commentsCount: issue.comments,
+        milestone: issue.milestone ? { number: issue.milestone.number, title: issue.milestone.title } : null
+      };
+      this.client.setCache(cacheKey, details);
+      return details;
+    } catch (error) {
+      if (error instanceof Error && "status" in error && error.status === 404) {
+        return null;
+      }
+      logger.error("Failed to get issue details", {
+        module: "GitHub",
+        entityId: issueNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getIssueComments(owner, repo, issueNumber, limit = 30) {
+    const _limit = Math.min(limit, 100);
+    if (_limit <= 0) return [];
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `issue-comments:${owner}:${repo}:${String(issueNumber)}:${String(_limit)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.issues.listComments({
+        owner,
+        repo,
+        issue_number: issueNumber,
+        per_page: _limit,
+        sort: "created",
+        direction: "asc"
+      });
+      const comments = response.data.slice(0, _limit).map((comment) => ({
+        author: comment.user?.login ?? "unknown",
+        body: markUntrustedContent(comment.body),
+        createdAt: comment.created_at
+      }));
+      this.client.setCache(cacheKey, comments);
+      return comments;
+    } catch (error) {
+      logger.error("Failed to get issue comments", {
+        module: "GitHub",
+        entityId: issueNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async createIssue(owner, repo, title, body, labels, assignees, milestone) {
+    if (!this.client.octokit) {
+      logger.error("Cannot create issue: GitHub API not available", { module: "GitHub" });
+      throw new Error("GitHub API not available");
+    }
+    try {
+      const response = await this.client.octokit.issues.create({
+        owner,
+        repo,
+        title,
+        body,
+        labels,
+        assignees,
+        milestone
+      });
+      logger.info("Created GitHub issue", {
+        module: "GitHub",
+        entityId: response.data.number,
+        context: { title, owner, repo }
+      });
+      return {
+        number: response.data.number,
+        url: response.data.html_url,
+        title: response.data.title,
+        nodeId: response.data.node_id
+      };
+    } catch (error) {
+      logger.error("Failed to create issue", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error),
+        context: { title, owner, repo }
+      });
+      throw error;
+    } finally {
+      this.client.invalidateCache(`issues:${owner}:${repo}`);
+      this.client.invalidateCache("context:");
+    }
+  }
+  async closeIssue(owner, repo, issueNumber, comment) {
+    if (!this.client.octokit) {
+      logger.error("Cannot close issue: GitHub API not available", { module: "GitHub" });
+      throw new Error("GitHub API not available");
+    }
+    try {
+      if (comment) {
+        await this.client.octokit.issues.createComment({
+          owner,
+          repo,
+          issue_number: issueNumber,
+          body: comment
+        });
+      }
+      const response = await this.client.octokit.issues.update({
+        owner,
+        repo,
+        issue_number: issueNumber,
+        state: "closed"
+      });
+      logger.info("Closed GitHub issue", {
+        module: "GitHub",
+        entityId: issueNumber,
+        context: { owner, repo, hadComment: !!comment }
+      });
+      return {
+        success: true,
+        url: response.data.html_url
+      };
+    } catch (error) {
+      logger.error("Failed to close issue", {
+        module: "GitHub",
+        entityId: issueNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    } finally {
+      this.client.invalidateCache(`issues:${owner}:${repo}`);
+      this.client.invalidateCache(`issue:${owner}:${repo}:${String(issueNumber)}`);
+      this.client.invalidateCache("context:");
+    }
+  }
+};
+
+// src/github/github-integration/pull-requests.ts
+var PullRequestsManager = class _PullRequestsManager {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  /** Known Copilot bot login patterns */
+  static COPILOT_BOT_PATTERNS = [
+    "copilot-pull-request-reviewer[bot]",
+    "github-copilot[bot]",
+    "copilot[bot]"
+  ];
+  async getPullRequests(owner, repo, state = "open", limit = 20, abortSignal) {
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `prs:${owner}:${repo}:${state}:${String(limit)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.pulls.list({
+        owner,
+        repo,
+        state,
+        per_page: Math.min(limit, 100),
+        sort: "updated",
+        direction: "desc",
+        request: { signal: abortSignal }
+      });
+      const result = response.data.map((pr) => ({
+        number: pr.number,
+        title: markUntrustedContentInline(pr.title),
+        url: pr.html_url,
+        state: pr.merged_at ? "MERGED" : pr.state === "open" ? "OPEN" : "CLOSED"
+      }));
+      this.client.setCache(cacheKey, result);
+      return result;
+    } catch (error) {
+      logger.error("Failed to get pull requests", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getPullRequest(owner, repo, prNumber) {
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `pr:${owner}:${repo}:${String(prNumber)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached !== void 0) return cached;
+    try {
+      const response = await this.client.octokit.pulls.get({
+        owner,
+        repo,
+        pull_number: prNumber
+      });
+      const pr = response.data;
+      const details = {
+        number: pr.number,
+        title: markUntrustedContentInline(pr.title),
+        url: pr.html_url,
+        state: pr.merged_at ? "MERGED" : pr.state === "open" ? "OPEN" : "CLOSED",
+        body: pr.body || "",
+        draft: pr.draft ?? false,
+        headBranch: pr.head.ref,
+        baseBranch: pr.base.ref,
+        author: pr.user?.login ?? "unknown",
+        createdAt: pr.created_at,
+        updatedAt: pr.updated_at,
+        mergedAt: pr.merged_at,
+        closedAt: pr.closed_at,
+        additions: pr.additions,
+        deletions: pr.deletions,
+        changedFiles: pr.changed_files
+      };
+      this.client.setCache(cacheKey, details);
+      return details;
+    } catch (error) {
+      if (error instanceof Error && "status" in error && error.status === 404) {
+        return null;
+      }
+      logger.error("Failed to get PR details", {
+        module: "GitHub",
+        entityId: prNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  static isCopilotAuthor(login) {
+    const lower = login.toLowerCase();
+    return _PullRequestsManager.COPILOT_BOT_PATTERNS.some(
+      (p) => lower === p || lower.includes("copilot")
+    );
+  }
+  async getReviews(owner, repo, prNumber) {
+    if (!this.client.octokit) throw new Error("GitHub API not available");
+    const cacheKey = `reviews:${owner}:${repo}:${String(prNumber)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.rest.pulls.listReviews({
+        owner,
+        repo,
+        pull_number: prNumber,
+        per_page: 100
+      });
+      const reviews = response.data.map((r) => ({
+        id: r.id,
+        author: r.user?.login ?? "unknown",
+        state: r.state,
+        body: markUntrustedContent(r.body),
+        submittedAt: r.submitted_at ?? r.commit_id ?? (/* @__PURE__ */ new Date()).toISOString(),
+        isCopilot: _PullRequestsManager.isCopilotAuthor(r.user?.login ?? "")
+      }));
+      this.client.setCache(cacheKey, reviews);
+      return reviews;
+    } catch (error) {
+      logger.error("Failed to get PR reviews", {
+        module: "GitHub",
+        entityId: prNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getReviewComments(owner, repo, prNumber) {
+    if (!this.client.octokit) throw new Error("GitHub API not available");
+    const cacheKey = `review-comments:${owner}:${repo}:${String(prNumber)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.rest.pulls.listReviewComments({
+        owner,
+        repo,
+        pull_number: prNumber,
+        per_page: 100
+      });
+      const comments = response.data.map((c) => ({
+        id: c.id,
+        author: c.user?.login ?? "unknown",
+        body: markUntrustedContent(c.body),
+        path: c.path,
+        line: c.line ?? c.original_line ?? null,
+        side: c.side ?? "RIGHT",
+        createdAt: c.created_at,
+        isCopilot: _PullRequestsManager.isCopilotAuthor(c.user?.login ?? "")
+      }));
+      this.client.setCache(cacheKey, comments);
+      return comments;
+    } catch (error) {
+      logger.error("Failed to get review comments", {
+        module: "GitHub",
+        entityId: prNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getCopilotReviewSummary(owner, repo, prNumber) {
+    const [reviews, comments] = await Promise.all([
+      this.getReviews(owner, repo, prNumber),
+      this.getReviewComments(owner, repo, prNumber)
+    ]);
+    const copilotReviews = reviews.filter((r) => r.isCopilot);
+    const copilotComments = comments.filter((c) => c.isCopilot);
+    let state = "none";
+    if (copilotReviews.length > 0) {
+      const latest = copilotReviews[copilotReviews.length - 1];
+      if (latest !== void 0) {
+        if (latest.state === "APPROVED") state = "approved";
+        else if (latest.state === "CHANGES_REQUESTED") state = "changes_requested";
+        else if (latest.state === "COMMENTED") state = "commented";
+      }
+    }
+    return {
+      prNumber,
+      state,
+      commentCount: copilotComments.length,
+      comments: copilotComments
+    };
+  }
+};
+
+// src/github/github-integration/projects.ts
+var ProjectsManager = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async getProjectKanban(owner, projectNumber, repo, abortSignal) {
+    if (!this.client.graphqlWithAuth) {
+      logger.debug("GraphQL not available - no token", { module: "GitHub" });
+      throw new Error("GitHub API not available");
+    }
+    const projectFragment = `
+            fragment ProjectData on ProjectV2 {
+                id
+                title
+                fields(first: 20) {
+                    nodes {
+                        ... on ProjectV2SingleSelectField {
+                            id
+                            name
+                            options {
+                                id
+                                name
+                                color
+                            }
+                        }
+                    }
+                }
+                items(first: $itemLimit) {
+                    pageInfo {
+                        hasNextPage
+                    }
+                    nodes {
+                        id
+                        type
+                        createdAt
+                        updatedAt
+                        fieldValues(first: 10) {
+                            nodes {
+                                ... on ProjectV2ItemFieldSingleSelectValue {
+                                    name
+                                    field {
+                                        ... on ProjectV2SingleSelectField {
+                                            name
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                        content {
+                            ... on Issue {
+                                number
+                                title
+                                url
+                                labels(first: 5) {
+                                    nodes { name }
+                                }
+                                assignees(first: 5) {
+                                    nodes { login }
+                                }
+                            }
+                            ... on PullRequest {
+                                number
+                                title
+                                url
+                                labels(first: 5) {
+                                    nodes { name }
+                                }
+                                assignees(first: 5) {
+                                    nodes { login }
+                                }
+                            }
+                            ... on DraftIssue {
+                                title
+                            }
+                        }
+                    }
+                }
+            }
+        `;
+    const userQuery = `
+            ${projectFragment}
+            query($owner: String!, $number: Int!, $itemLimit: Int!) {
+                user(login: $owner) {
+                    projectV2(number: $number) {
+                        ...ProjectData
+                    }
+                }
+            }
+        `;
+    const repoQuery = `
+            ${projectFragment}
+            query($owner: String!, $repo: String!, $number: Int!, $itemLimit: Int!) {
+                repository(owner: $owner, name: $repo) {
+                    projectV2(number: $number) {
+                        ...ProjectData
+                    }
+                }
+            }
+        `;
+    const orgQuery = `
+            ${projectFragment}
+            query($owner: String!, $number: Int!, $itemLimit: Int!) {
+                organization(login: $owner) {
+                    projectV2(number: $number) {
+                        ...ProjectData
+                    }
+                }
+            }
+        `;
+    let project = null;
+    let source = "";
+    try {
+      const response = await this.client.graphqlWithAuth(userQuery, {
+        owner,
+        number: projectNumber,
+        itemLimit: 100,
+        request: { signal: abortSignal }
+      });
+      if (response.user?.projectV2) {
+        project = response.user.projectV2;
+        source = "user";
+      }
+    } catch {
+      logger.debug("User project not found, trying repository...", { module: "GitHub" });
+    }
+    if (!project && repo) {
+      try {
+        const response = await this.client.graphqlWithAuth(repoQuery, {
+          owner,
+          repo,
+          number: projectNumber,
+          itemLimit: 100,
+          request: { signal: abortSignal }
+        });
+        if (response.repository?.projectV2) {
+          project = response.repository.projectV2;
+          source = "repository";
+        }
+      } catch {
+        logger.debug("Repository project not found, trying organization...", {
+          module: "GitHub"
+        });
+      }
+    }
+    if (!project) {
+      try {
+        const response = await this.client.graphqlWithAuth(orgQuery, {
+          owner,
+          number: projectNumber,
+          itemLimit: 100,
+          request: { signal: abortSignal }
+        });
+        if (response.organization?.projectV2) {
+          project = response.organization.projectV2;
+          source = "organization";
+        }
+      } catch {
+        logger.debug("Organization project not found", { module: "GitHub" });
+      }
+    }
+    if (!project) {
+      logger.warning("Project not found", { module: "GitHub", entityId: projectNumber });
+      return null;
+    }
+    const statusField = project.fields.nodes.find(
+      (f) => f.name === "Status" && f.options !== void 0 && f.options.length > 0
+    );
+    if (!statusField?.id || !statusField.options) {
+      logger.warning("Status field not found in project", {
+        module: "GitHub",
+        entityId: projectNumber
+      });
+      return null;
+    }
+    const statusOptions = statusField.options.map((opt) => ({
+      id: opt.id,
+      name: opt.name,
+      color: opt.color
+    }));
+    const columnMap = /* @__PURE__ */ new Map();
+    for (const opt of statusOptions) {
+      columnMap.set(opt.name, []);
+    }
+    columnMap.set("No Status", []);
+    for (const item of project.items.nodes) {
+      const statusValue = item.fieldValues.nodes.find((fv) => fv.field?.name === "Status");
+      const status = statusValue?.name ?? "No Status";
+      const content = item.content;
+      const projectItem = {
+        id: item.id,
+        title: content?.title ?? "Draft Issue",
+        url: content?.url ?? "",
+        type: item.type,
+        status,
+        number: content?.number,
+        labels: content?.labels?.nodes.map((l) => l.name) ?? [],
+        assignees: content?.assignees?.nodes.map((a) => a.login) ?? [],
+        createdAt: item.createdAt,
+        updatedAt: item.updatedAt
+      };
+      const column = columnMap.get(status);
+      if (column) {
+        column.push(projectItem);
+      } else {
+        columnMap.get("No Status")?.push(projectItem);
+      }
+    }
+    const columns = [];
+    for (const opt of statusOptions) {
+      const items = columnMap.get(opt.name) ?? [];
+      columns.push({
+        status: opt.name,
+        statusOptionId: opt.id,
+        items
+      });
+    }
+    const noStatusItems = columnMap.get("No Status") ?? [];
+    if (noStatusItems.length > 0) {
+      columns.push({
+        status: "No Status",
+        statusOptionId: "",
+        items: noStatusItems
+      });
+    }
+    const totalItems = project.items.nodes.length;
+    const truncated = project.items.pageInfo?.hasNextPage ?? false;
+    logger.info("Fetched Kanban board", {
+      module: "GitHub",
+      entityId: projectNumber,
+      context: { columns: columns.length, items: totalItems, source, truncated }
+    });
+    return {
+      projectId: project.id,
+      projectNumber,
+      projectTitle: project.title,
+      statusFieldId: statusField.id,
+      statusOptions,
+      columns,
+      totalItems,
+      truncated
+    };
+  }
+  async moveProjectItem(projectId, itemId, statusFieldId, statusOptionId) {
+    if (!this.client.graphqlWithAuth) {
+      return { success: false, error: "GraphQL not available - no token" };
+    }
+    try {
+      const mutation = `
+                mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+                    updateProjectV2ItemFieldValue(
+                        input: {
+                            projectId: $projectId
+                            itemId: $itemId
+                            fieldId: $fieldId
+                            value: { singleSelectOptionId: $optionId }
+                        }
+                    ) {
+                        projectV2Item {
+                            id
+                        }
+                    }
+                }
+            `;
+      if (typeof this.client.invalidateCache === "function") {
+        this.client.invalidateCache("kanban:");
+      }
+      await this.client.graphqlWithAuth(mutation, {
+        projectId,
+        itemId,
+        fieldId: statusFieldId,
+        optionId: statusOptionId
+      });
+      logger.info("Moved project item", {
+        module: "GitHub",
+        entityId: itemId,
+        context: { targetStatus: statusOptionId }
+      });
+      return { success: true };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.error("Failed to move project item", {
+        module: "GitHub",
+        entityId: itemId,
+        error: errorMessage
+      });
+      return { success: false, error: errorMessage };
+    } finally {
+      if (typeof this.client.invalidateCache === "function") {
+        this.client.invalidateCache("kanban:");
+      }
+    }
+  }
+  async addProjectItem(projectId, contentId) {
+    if (!this.client.graphqlWithAuth) {
+      return { success: false, error: "GraphQL not available - no token" };
+    }
+    try {
+      const mutation = `
+                mutation($projectId: ID!, $contentId: ID!) {
+                    addProjectV2ItemById(input: { projectId: $projectId, contentId: $contentId }) {
+                        item {
+                            id
+                        }
+                    }
+                }
+            `;
+      if (typeof this.client.invalidateCache === "function") {
+        this.client.invalidateCache("kanban:");
+      }
+      const response = await this.client.graphqlWithAuth(mutation, {
+        projectId,
+        contentId
+      });
+      const itemId = response.addProjectV2ItemById?.item?.id;
+      logger.info("Added item to project", {
+        module: "GitHub",
+        context: { projectId, contentId, itemId }
+      });
+      return { success: true, itemId };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.error("Failed to add item to project", {
+        module: "GitHub",
+        context: { projectId, contentId },
+        error: errorMessage
+      });
+      return { success: false, error: errorMessage };
+    } finally {
+      if (typeof this.client.invalidateCache === "function") {
+        this.client.invalidateCache("kanban:");
+      }
+    }
+  }
+  async deleteProjectItem(projectId, itemId) {
+    if (!this.client.graphqlWithAuth) {
+      return { success: false, error: "GraphQL not available - no token" };
+    }
+    try {
+      const mutation = `
+                mutation($projectId: ID!, $itemId: ID!) {
+                    deleteProjectV2Item(input: { projectId: $projectId, itemId: $itemId }) {
+                        deletedItemId
+                    }
+                }
+            `;
+      if (typeof this.client.invalidateCache === "function") {
+        this.client.invalidateCache("kanban:");
+      }
+      await this.client.graphqlWithAuth(mutation, {
+        projectId,
+        itemId
+      });
+      logger.info("Deleted project item", {
+        module: "GitHub",
+        context: { projectId, itemId }
+      });
+      return { success: true };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.error("Failed to delete item from project", {
+        module: "GitHub",
+        context: { projectId, itemId },
+        error: errorMessage
+      });
+      return { success: false, error: errorMessage };
+    } finally {
+      if (typeof this.client.invalidateCache === "function") {
+        this.client.invalidateCache("kanban:");
+      }
+    }
+  }
+};
+
+// src/github/github-integration/milestones.ts
+var MilestonesManager = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async getMilestones(owner, repo, state = "open", limit = 20, abortSignal) {
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `milestones:${owner}:${repo}:${state}:${String(limit)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.issues.listMilestones({
+        owner,
+        repo,
+        state,
+        per_page: limit,
+        sort: "due_on",
+        direction: "asc",
+        request: { signal: abortSignal }
+      });
+      const result = response.data.map((ms) => ({
+        number: ms.number,
+        title: ms.title,
+        description: ms.description ?? null,
+        state: ms.state === "open" ? "open" : "closed",
+        url: ms.html_url,
+        dueOn: ms.due_on ?? null,
+        openIssues: ms.open_issues,
+        closedIssues: ms.closed_issues,
+        createdAt: ms.created_at,
+        updatedAt: ms.updated_at,
+        creator: ms.creator?.login ?? null
+      }));
+      this.client.setCache(cacheKey, result);
+      return result;
+    } catch (error) {
+      logger.error("Failed to get milestones", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getMilestone(owner, repo, milestoneNumber) {
+    if (!this.client.octokit) {
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `milestone:${owner}:${repo}:${String(milestoneNumber)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached !== void 0) return cached;
+    try {
+      const response = await this.client.octokit.issues.getMilestone({
+        owner,
+        repo,
+        milestone_number: milestoneNumber
+      });
+      const ms = response.data;
+      const milestone = {
+        number: ms.number,
+        title: ms.title,
+        description: ms.description ?? null,
+        state: ms.state === "open" ? "open" : "closed",
+        url: ms.html_url,
+        dueOn: ms.due_on ?? null,
+        openIssues: ms.open_issues,
+        closedIssues: ms.closed_issues,
+        createdAt: ms.created_at,
+        updatedAt: ms.updated_at,
+        creator: ms.creator?.login ?? null
+      };
+      this.client.setCache(cacheKey, milestone);
+      return milestone;
+    } catch (error) {
+      if (error instanceof Error && "status" in error && error.status === 404) {
+        return null;
+      }
+      logger.error("Failed to get milestone", {
+        module: "GitHub",
+        entityId: milestoneNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async createMilestone(owner, repo, title, description, dueOn) {
+    if (!this.client.octokit) {
+      logger.error("Cannot create milestone: GitHub API not available", {
+        module: "GitHub"
+      });
+      throw new Error("GitHub API not available");
+    }
+    try {
+      const response = await this.client.octokit.issues.createMilestone({
+        owner,
+        repo,
+        title,
+        description,
+        due_on: dueOn
+      });
+      const ms = response.data;
+      logger.info("Created GitHub milestone", {
+        module: "GitHub",
+        entityId: ms.number,
+        context: { title, owner, repo }
+      });
+      return {
+        number: ms.number,
+        title: ms.title,
+        description: ms.description ?? null,
+        state: ms.state === "open" ? "open" : "closed",
+        url: ms.html_url,
+        dueOn: ms.due_on ?? null,
+        openIssues: ms.open_issues,
+        closedIssues: ms.closed_issues,
+        createdAt: ms.created_at,
+        updatedAt: ms.updated_at,
+        creator: ms.creator?.login ?? null
+      };
+    } catch (error) {
+      logger.error("Failed to create milestone", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error),
+        context: { title, owner, repo }
+      });
+      throw error;
+    } finally {
+      this.client.invalidateCache(`milestones:${owner}:${repo}`);
+      this.client.invalidateCache("context:");
+    }
+  }
+  async updateMilestone(owner, repo, milestoneNumber, updates) {
+    if (!this.client.octokit) {
+      logger.error("Cannot update milestone: GitHub API not available", {
+        module: "GitHub"
+      });
+      throw new Error("GitHub API not available");
+    }
+    try {
+      const response = await this.client.octokit.issues.updateMilestone({
+        owner,
+        repo,
+        milestone_number: milestoneNumber,
+        title: updates.title,
+        description: updates.description,
+        due_on: updates.dueOn === null ? void 0 : updates.dueOn,
+        state: updates.state
+      });
+      const ms = response.data;
+      logger.info("Updated GitHub milestone", {
+        module: "GitHub",
+        entityId: milestoneNumber,
+        context: { owner, repo, updates: Object.keys(updates) }
+      });
+      return {
+        number: ms.number,
+        title: ms.title,
+        description: ms.description ?? null,
+        state: ms.state === "open" ? "open" : "closed",
+        url: ms.html_url,
+        dueOn: ms.due_on ?? null,
+        openIssues: ms.open_issues,
+        closedIssues: ms.closed_issues,
+        createdAt: ms.created_at,
+        updatedAt: ms.updated_at,
+        creator: ms.creator?.login ?? null
+      };
+    } catch (error) {
+      logger.error("Failed to update milestone", {
+        module: "GitHub",
+        entityId: milestoneNumber,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    } finally {
+      this.client.invalidateCache(`milestones:${owner}:${repo}`);
+      this.client.invalidateCache(`milestone:${owner}:${repo}:${String(milestoneNumber)}`);
+      this.client.invalidateCache("context:");
+    }
+  }
+  async deleteMilestone(owner, repo, milestoneNumber) {
+    if (!this.client.octokit) {
+      return { success: false, error: "GitHub API not available" };
+    }
+    try {
+      await this.client.octokit.issues.deleteMilestone({
+        owner,
+        repo,
+        milestone_number: milestoneNumber
+      });
+      logger.info("Deleted GitHub milestone", {
+        module: "GitHub",
+        entityId: milestoneNumber,
+        context: { owner, repo }
+      });
+      return { success: true };
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      logger.error("Failed to delete milestone", {
+        module: "GitHub",
+        entityId: milestoneNumber,
+        error: errorMessage
+      });
+      return { success: false, error: errorMessage };
+    } finally {
+      this.client.invalidateCache(`milestones:${owner}:${repo}`);
+      this.client.invalidateCache(`milestone:${owner}:${repo}:${String(milestoneNumber)}`);
+      this.client.invalidateCache("context:");
+    }
+  }
+};
+
+// src/github/github-integration/insights.ts
+var InsightsManager = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async getRepoStats(owner, repo) {
+    if (!this.client.octokit) {
+      return null;
+    }
+    const cacheKey = `repostats:${owner}:${repo}`;
+    const cached = this.client.getCachedWithTtl(cacheKey, TRAFFIC_CACHE_TTL_MS);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.repos.get({ owner, repo });
+      const data = response.data;
+      const result = {
+        stars: data.stargazers_count,
+        forks: data.forks_count,
+        watchers: data.subscribers_count,
+        openIssues: data.open_issues_count,
+        size: data.size,
+        defaultBranch: data.default_branch
+      };
+      this.client.setCache(cacheKey, result);
+      return result;
+    } catch (error) {
+      logger.error("Failed to get repo stats", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error),
+        context: { owner, repo }
+      });
+      return null;
+    }
+  }
+  async getTrafficData(owner, repo) {
+    if (!this.client.octokit) {
+      return null;
+    }
+    const cacheKey = `traffic:${owner}:${repo}`;
+    const cached = this.client.getCachedWithTtl(cacheKey, TRAFFIC_CACHE_TTL_MS);
+    if (cached) return cached;
+    try {
+      const [clonesRes, viewsRes] = await Promise.all([
+        this.client.octokit.rest.repos.getClones({ owner, repo }),
+        this.client.octokit.rest.repos.getViews({ owner, repo })
+      ]);
+      const clonesDays = clonesRes.data.clones?.length ?? 0;
+      const viewsDays = viewsRes.data.views?.length ?? 0;
+      const result = {
+        clones: {
+          total: clonesRes.data.count,
+          unique: clonesRes.data.uniques,
+          dailyAvg: clonesDays > 0 ? Math.round(clonesRes.data.count / clonesDays) : 0
+        },
+        views: {
+          total: viewsRes.data.count,
+          unique: viewsRes.data.uniques,
+          dailyAvg: viewsDays > 0 ? Math.round(viewsRes.data.count / viewsDays) : 0
+        },
+        period: "14 days"
+      };
+      this.client.setCache(cacheKey, result);
+      return result;
+    } catch (error) {
+      logger.error("Failed to get traffic data", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error),
+        context: { owner, repo }
+      });
+      return null;
+    }
+  }
+  async getTopReferrers(owner, repo, limit = 5) {
+    if (!this.client.octokit) {
+      return [];
+    }
+    const cacheKey = `referrers:${owner}:${repo}`;
+    const cached = this.client.getCachedWithTtl(cacheKey, TRAFFIC_CACHE_TTL_MS);
+    if (cached) return cached.slice(0, limit);
+    try {
+      const response = await this.client.octokit.rest.repos.getTopReferrers({ owner, repo });
+      const result = response.data.map((r) => ({
+        referrer: r.referrer,
+        count: r.count,
+        uniques: r.uniques
+      }));
+      this.client.setCache(cacheKey, result);
+      return result.slice(0, limit);
+    } catch (error) {
+      logger.error("Failed to get top referrers", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error),
+        context: { owner, repo }
+      });
+      return [];
+    }
+  }
+  async getPopularPaths(owner, repo, limit = 5) {
+    if (!this.client.octokit) {
+      return [];
+    }
+    const cacheKey = `paths:${owner}:${repo}`;
+    const cached = this.client.getCachedWithTtl(cacheKey, TRAFFIC_CACHE_TTL_MS);
+    if (cached) return cached.slice(0, limit);
+    try {
+      const response = await this.client.octokit.rest.repos.getTopPaths({ owner, repo });
+      const result = response.data.map((p) => ({
+        path: p.path,
+        title: p.title,
+        count: p.count,
+        uniques: p.uniques
+      }));
+      this.client.setCache(cacheKey, result);
+      return result.slice(0, limit);
+    } catch (error) {
+      logger.error("Failed to get popular paths", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error),
+        context: { owner, repo }
+      });
+      return [];
+    }
+  }
+};
+
+// src/github/github-integration/repository.ts
+var RepositoryManager = class {
+  constructor(client) {
+    this.client = client;
+  }
+  client;
+  async getRepoInfo() {
+    const cached = this.getCachedRepoInfo();
+    if (cached) return cached;
+    try {
+      const branchResult = await this.client.git.branch();
+      const branch = branchResult.current || null;
+      const remotes = await this.client.git.getRemotes(true);
+      const origin = remotes.find((r) => r.name === "origin");
+      const remoteUrl = origin?.refs?.fetch || null;
+      const { owner, repo } = this.parseRemoteUrl(remoteUrl);
+      const repoInfo = { owner, repo, branch, remoteUrl };
+      this.client.setCache("repoInfo", repoInfo);
+      return repoInfo;
+    } catch (error) {
+      logger.debug("Failed to get repo info (may not be a git repo)", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return { owner: null, repo: null, branch: null, remoteUrl: null };
+    }
+  }
+  getCachedRepoInfo() {
+    return this.client.getCached("repoInfo") ?? null;
+  }
+  setCachedRepoInfo(info) {
+    this.client.setCache("repoInfo", info);
+  }
+  parseRemoteUrl(remoteUrl) {
+    if (!remoteUrl) return { owner: null, repo: null };
+    if (remoteUrl.startsWith("git@github.com:")) {
+      const pathPart = remoteUrl.replace("git@github.com:", "").replace(".git", "");
+      const parts = pathPart.split("/");
+      if (parts.length >= 2) {
+        return { owner: parts[0] ?? null, repo: parts[1] ?? null };
+      }
+    }
+    try {
+      const url = new URL(remoteUrl);
+      if (url.hostname === "github.com") {
+        const path2 = url.pathname.replace(".git", "").replace(/^\//, "");
+        const parts = path2.split("/");
+        if (parts.length >= 2) {
+          return { owner: parts[0] ?? null, repo: parts[1] ?? null };
+        }
+      }
+    } catch {
+    }
+    return { owner: null, repo: null };
+  }
+  async getWorkflowRuns(owner, repo, limit = 10, abortSignal) {
+    if (!this.client.octokit) {
+      logger.debug("GitHub API not available - no token", { module: "GitHub" });
+      throw new Error("GitHub API not available");
+    }
+    const cacheKey = `workflows:${owner}:${repo}:${String(limit)}`;
+    const cached = this.client.getCached(cacheKey);
+    if (cached) return cached;
+    try {
+      const response = await this.client.octokit.rest.actions.listWorkflowRunsForRepo({
+        owner,
+        repo,
+        per_page: limit,
+        request: { signal: abortSignal }
+      });
+      const result = response.data.workflow_runs.map((run) => ({
+        id: run.id,
+        name: run.name ?? "Unknown Workflow",
+        status: run.status,
+        conclusion: run.conclusion,
+        url: run.html_url,
+        headBranch: run.head_branch ?? "",
+        headSha: run.head_sha,
+        createdAt: run.created_at,
+        updatedAt: run.updated_at
+      }));
+      this.client.setCache(cacheKey, result);
+      return result;
+    } catch (error) {
+      logger.error("Failed to get workflow runs", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      throw error;
+    }
+  }
+  async getLocalGitStatus() {
+    try {
+      const status = await this.client.git.status();
+      return {
+        modified: status.modified.length,
+        untracked: status.not_added.length,
+        isClean: status.isClean()
+      };
+    } catch (error) {
+      logger.debug("Failed to get local git status", {
+        module: "GitHub",
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return { modified: 0, untracked: 0, isClean: true };
+    }
+  }
+};
+function getGitHubIntegration(workingDir = ".", runtime, token) {
+  const resolvedDir = workingDir === "." ? process.cwd() : workingDir;
+  if (runtime) {
+    runtime.githubClientPool ??= /* @__PURE__ */ new Map();
+    const cacheKey = token ? `${resolvedDir}:${createHash("sha256").update(token).digest("hex").substring(0, 12)}` : resolvedDir;
+    let instance = runtime.githubClientPool.get(cacheKey);
+    if (!instance) {
+      instance = new GitHubIntegration(resolvedDir, token);
+      runtime.githubClientPool.set(cacheKey, instance);
+    }
+    return instance;
+  }
+  return new GitHubIntegration(resolvedDir, token);
+}
+var GitHubIntegration = class {
+  client;
+  issuesManager;
+  pullRequestsManager;
+  projectsManager;
+  milestonesManager;
+  insightsManager;
+  repositoryManager;
+  constructor(workingDir = ".", token) {
+    this.client = new GitHubClient(workingDir, token);
+    this.issuesManager = new IssuesManager(this.client);
+    this.pullRequestsManager = new PullRequestsManager(this.client);
+    this.projectsManager = new ProjectsManager(this.client);
+    this.milestonesManager = new MilestonesManager(this.client);
+    this.insightsManager = new InsightsManager(this.client);
+    this.repositoryManager = new RepositoryManager(this.client);
+  }
+  isApiAvailable() {
+    return this.client.isApiAvailable();
+  }
+  clearCache() {
+    this.client.clearCache();
+  }
+  async getRepoInfo() {
+    return this.repositoryManager.getRepoInfo();
+  }
+  getCachedRepoInfo() {
+    return this.repositoryManager.getCachedRepoInfo();
+  }
+  setCachedRepoInfo(info) {
+    this.repositoryManager.setCachedRepoInfo(info);
+  }
+  async getLocalGitStatus() {
+    return this.repositoryManager.getLocalGitStatus();
+  }
+  async getIssues(owner, repo, state = "open", limit = 20, abortSignal) {
+    return this.issuesManager.getIssues(owner, repo, state, limit, abortSignal);
+  }
+  async getIssue(owner, repo, issueNumber) {
+    return this.issuesManager.getIssue(owner, repo, issueNumber);
+  }
+  async getIssueComments(owner, repo, issueNumber, limit = 30) {
+    return this.issuesManager.getIssueComments(owner, repo, issueNumber, limit);
+  }
+  async createIssue(owner, repo, title, body, labels, assignees, milestone) {
+    return this.issuesManager.createIssue(
+      owner,
+      repo,
+      title,
+      body,
+      labels,
+      assignees,
+      milestone
+    );
+  }
+  async closeIssue(owner, repo, issueNumber, comment) {
+    return this.issuesManager.closeIssue(owner, repo, issueNumber, comment);
+  }
+  async getPullRequests(owner, repo, state = "open", limit = 20, abortSignal) {
+    return this.pullRequestsManager.getPullRequests(owner, repo, state, limit, abortSignal);
+  }
+  async getPullRequest(owner, repo, prNumber) {
+    return this.pullRequestsManager.getPullRequest(owner, repo, prNumber);
+  }
+  async getReviews(owner, repo, prNumber) {
+    return this.pullRequestsManager.getReviews(owner, repo, prNumber);
+  }
+  async getReviewComments(owner, repo, prNumber) {
+    return this.pullRequestsManager.getReviewComments(owner, repo, prNumber);
+  }
+  async getCopilotReviewSummary(owner, repo, prNumber) {
+    return this.pullRequestsManager.getCopilotReviewSummary(owner, repo, prNumber);
+  }
+  async getWorkflowRuns(owner, repo, limit = 10, abortSignal) {
+    return this.repositoryManager.getWorkflowRuns(owner, repo, limit, abortSignal);
+  }
+  async getRepoContext(abortSignal) {
+    const cached = this.client.getCached("context:repo");
+    if (cached) return cached;
+    const repoInfo = await this.repositoryManager.getRepoInfo();
+    const context = {
+      repoName: repoInfo.repo,
+      branch: repoInfo.branch,
+      commit: null,
+      remoteUrl: repoInfo.remoteUrl,
+      projects: [],
+      issues: [],
+      pullRequests: [],
+      workflowRuns: [],
+      milestones: []
+    };
+    try {
+      const log = await this.client.git.log({ maxCount: 1 });
+      context.commit = log.latest?.hash ?? null;
+    } catch {
+    }
+    const degraded = [];
+    if (repoInfo.owner && repoInfo.repo) {
+      const [issuesResult, prsResult, runsResult, milestonesResult] = await Promise.allSettled([
+        this.issuesManager.getIssues(
+          repoInfo.owner,
+          repoInfo.repo,
+          "open",
+          10,
+          abortSignal
+        ),
+        this.pullRequestsManager.getPullRequests(
+          repoInfo.owner,
+          repoInfo.repo,
+          "open",
+          10,
+          abortSignal
+        ),
+        this.repositoryManager.getWorkflowRuns(
+          repoInfo.owner,
+          repoInfo.repo,
+          10,
+          abortSignal
+        ),
+        this.milestonesManager.getMilestones(
+          repoInfo.owner,
+          repoInfo.repo,
+          "open",
+          10,
+          abortSignal
+        )
+      ]);
+      context.issues = issuesResult.status === "fulfilled" ? issuesResult.value : [];
+      if (issuesResult.status === "rejected") degraded.push("issues");
+      context.pullRequests = prsResult.status === "fulfilled" ? prsResult.value : [];
+      if (prsResult.status === "rejected") degraded.push("pullRequests");
+      context.workflowRuns = runsResult.status === "fulfilled" ? runsResult.value : [];
+      if (runsResult.status === "rejected") degraded.push("workflowRuns");
+      context.milestones = milestonesResult.status === "fulfilled" ? milestonesResult.value : [];
+      if (milestonesResult.status === "rejected") degraded.push("milestones");
+    }
+    if (degraded.length > 0) {
+      context.degraded = degraded;
+    }
+    this.client.setCache("context:repo", context);
+    return context;
+  }
+  async getProjectKanban(owner, projectNumber, repo, abortSignal) {
+    return this.projectsManager.getProjectKanban(owner, projectNumber, repo, abortSignal);
+  }
+  async moveProjectItem(projectId, itemId, statusFieldId, statusOptionId) {
+    return this.projectsManager.moveProjectItem(
+      projectId,
+      itemId,
+      statusFieldId,
+      statusOptionId
+    );
+  }
+  async addProjectItem(projectId, contentId) {
+    return this.projectsManager.addProjectItem(projectId, contentId);
+  }
+  async deleteProjectItem(projectId, itemId) {
+    return this.projectsManager.deleteProjectItem(projectId, itemId);
+  }
+  async getMilestones(owner, repo, state = "open", limit = 20, abortSignal) {
+    return this.milestonesManager.getMilestones(owner, repo, state, limit, abortSignal);
+  }
+  async getMilestone(owner, repo, milestoneNumber) {
+    return this.milestonesManager.getMilestone(owner, repo, milestoneNumber);
+  }
+  async createMilestone(owner, repo, title, description, dueOn) {
+    return this.milestonesManager.createMilestone(owner, repo, title, description, dueOn);
+  }
+  async updateMilestone(owner, repo, milestoneNumber, updates) {
+    return this.milestonesManager.updateMilestone(owner, repo, milestoneNumber, updates);
+  }
+  async deleteMilestone(owner, repo, milestoneNumber) {
+    return this.milestonesManager.deleteMilestone(owner, repo, milestoneNumber);
+  }
+  async getRepoStats(owner, repo) {
+    return this.insightsManager.getRepoStats(owner, repo);
+  }
+  async getTrafficData(owner, repo) {
+    return this.insightsManager.getTrafficData(owner, repo);
+  }
+  async getTopReferrers(owner, repo, limit = 5) {
+    return this.insightsManager.getTopReferrers(owner, repo, limit);
+  }
+  async getPopularPaths(owner, repo, limit = 5) {
+    return this.insightsManager.getPopularPaths(owner, repo, limit);
+  }
+};
+var ErrorFieldsMixin = z.object({
+  error: z.string().optional().describe("Human-readable error message"),
+  code: z.string().optional().describe("Error code (e.g. VALIDATION_ERROR, INTERNAL_ERROR)"),
+  category: z.string().optional().describe("Error category (validation, query, connection, internal)"),
+  recoverable: z.boolean().optional().describe("Whether the error is recoverable"),
+  suggestion: z.string().optional().describe("Suggested fix for the error"),
+  details: z.record(z.string(), z.unknown()).optional().describe("Additional error context")
+});
+var ENTRY_TYPES = [
+  "personal_reflection",
+  "project_decision",
+  "technical_achievement",
+  "bug_fix",
+  "feature_implementation",
+  "code_review",
+  "meeting_notes",
+  "learning",
+  "research",
+  "planning",
+  "retrospective",
+  "standup",
+  "technical_note",
+  "development_note",
+  "enhancement",
+  "milestone",
+  "flag",
+  "system_integration_test",
+  "test_entry",
+  "plan_draft",
+  "adversarial_review",
+  "plan_refinement",
+  "copilot_validation",
+  "other"
+];
+var SIGNIFICANCE_TYPES = [
+  "milestone",
+  "breakthrough",
+  "decision",
+  "architecture",
+  "lesson_learned",
+  "blocker_resolved",
+  "release",
+  "security"
+];
+function coerceSignificanceAlias(params) {
+  if (params !== null && params !== void 0 && typeof params === "object") {
+    const obj = params;
+    if (typeof obj["significance_type"] === "string") {
+      const lower = obj["significance_type"].toLowerCase();
+      if (lower === "important") obj["significance_type"] = "milestone";
+      else if (lower === "major") obj["significance_type"] = "breakthrough";
+      else if (lower === "critical") obj["significance_type"] = "security";
+      else if (lower === "learning") obj["significance_type"] = "lesson_learned";
+      else if (lower === "key_decision") obj["significance_type"] = "decision";
+      else if (lower === "resolved") obj["significance_type"] = "blocker_resolved";
+      else if (lower === "maintenance" || lower === "minor") delete obj["significance_type"];
+    }
+  }
+}
+var MAX_CONTENT_LENGTH = 5e4;
+var MAX_QUERY_LIMIT = 500;
+var DATE_MIN_SENTINEL = "1970-01-01";
+var DATE_MAX_SENTINEL = "2999-12-31";
+var DATE_FORMAT_REGEX = /^\d{4}-\d{2}-\d{2}$/;
+var DATE_FORMAT_MESSAGE = "Date must be YYYY-MM-DD format";
+var relaxedNumber = () => z.union([z.number(), z.string()]);
+var StrictProjectNumberSchema = z.number({
+  message: "Missing project_number. You MUST provide a valid project_number (e.g., 1) to associate this action with a specific project context."
+});
+var EntryOutputSchema = z.object({
+  id: z.number(),
+  content: z.string().max(MAX_CONTENT_LENGTH),
+  entryType: z.string(),
+  isPersonal: z.boolean(),
+  timestamp: z.string(),
+  tags: z.array(z.string()).optional(),
+  significanceType: z.string().nullable().optional(),
+  autoContext: z.string().nullable().optional().describe("@deprecated Use author and flagMetadata instead"),
+  author: z.string().nullable().optional(),
+  flagMetadata: z.record(z.string(), z.unknown()).nullable().optional(),
+  deletedAt: z.string().nullable().optional(),
+  projectNumber: z.number().nullable().optional(),
+  projectOwner: z.string().nullable().optional(),
+  issueNumber: z.number().nullable().optional(),
+  issueUrl: z.string().nullable().optional(),
+  prNumber: z.number().nullable().optional(),
+  prUrl: z.string().nullable().optional(),
+  prStatus: z.string().nullable().optional(),
+  workflowRunId: z.number().nullable().optional(),
+  workflowName: z.string().nullable().optional(),
+  workflowStatus: z.string().nullable().optional(),
+  source: z.enum(["personal", "team"]).optional(),
+  importanceScore: z.number().optional().describe("Importance score (0.0-1.0), present when sort_by=importance")
+}).extend(ErrorFieldsMixin.shape);
+var EntriesListOutputSchema = z.object({
+  entries: z.array(EntryOutputSchema).optional(),
+  count: z.number().optional(),
+  searchMode: z.string().optional(),
+  degraded: z.boolean().optional().describe(
+    "True if the search degraded to a slower fallback method due to infrastructure failure"
+  ),
+  success: z.boolean().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var RelationshipOutputSchema = z.object({
+  id: z.number(),
+  fromEntryId: z.number(),
+  toEntryId: z.number(),
+  relationshipType: z.string(),
+  description: z.string().nullable().optional(),
+  createdAt: z.string()
+}).extend(ErrorFieldsMixin.shape);
+var ImportanceBreakdownSchema = z.object({
+  significance: z.number(),
+  relationships: z.number(),
+  causal: z.number(),
+  recency: z.number()
+});
+var TagOutputSchema = z.object({
+  name: z.string(),
+  count: z.number().nullable()
+}).extend(ErrorFieldsMixin.shape);
+
+// src/handlers/resources/shared.ts
+async function resolveGitHubRepo(github, config, targetRepo, runtime) {
+  const lastModified = (/* @__PURE__ */ new Date()).toISOString();
+  let activeGithub = github;
+  if (targetRepo) {
+    if (!/^[a-zA-Z0-9_.-]+(\/[a-zA-Z0-9_.-]+)?$/.test(targetRepo)) {
+      return {
+        data: { error: "Invalid repository name format" },
+        annotations: { lastModified }
+      };
+    }
+    const registry = config?.projectRegistry;
+    let registryKey = targetRepo;
+    if (registry && !Object.prototype.hasOwnProperty.call(registry, targetRepo)) {
+      const parts = targetRepo.split("/");
+      const repoPart = parts[1];
+      if (parts.length === 2 && repoPart && Object.prototype.hasOwnProperty.call(registry, repoPart)) {
+        registryKey = repoPart;
+      }
+    }
+    if (registry && Object.prototype.hasOwnProperty.call(registry, registryKey)) {
+      const entry = registry[registryKey];
+      if (entry) {
+        activeGithub = getGitHubIntegration(entry.path, runtime);
+      }
+    } else {
+      return {
+        data: { error: `Repository not found in registry: ${targetRepo}` },
+        annotations: { lastModified }
+      };
+    }
+  }
+  if (!activeGithub) {
+    const hasRegistry = config?.projectRegistry && Object.keys(config.projectRegistry).length > 0;
+    return {
+      data: {
+        error: "GitHub integration not available",
+        hint: hasRegistry ? "Set GITHUB_TOKEN, or assure the dynamic repo URI correctly matches a registered project." : "Set GITHUB_TOKEN securely."
+      },
+      annotations: { lastModified }
+    };
+  }
+  const repoInfo = await activeGithub.getRepoInfo();
+  const owner = repoInfo.owner;
+  const repo = repoInfo.repo;
+  if (!owner || !repo) {
+    const registry = config?.projectRegistry;
+    const hasRegistry = registry && Object.keys(registry).length > 0;
+    if (!targetRepo && hasRegistry) {
+      for (const key of Object.keys(registry)) {
+        const project = registry[key];
+        if (project) {
+          const fallbackGithub = getGitHubIntegration(project.path, runtime);
+          const fallbackRepoInfo = await fallbackGithub.getRepoInfo();
+          if (fallbackRepoInfo.owner && fallbackRepoInfo.repo) {
+            return {
+              owner: fallbackRepoInfo.owner,
+              repo: fallbackRepoInfo.repo,
+              branch: fallbackRepoInfo.branch ?? null,
+              lastModified,
+              github: fallbackGithub
+            };
+          }
+        }
+      }
+    }
+    return {
+      data: {
+        error: "Could not detect repository",
+        hint: hasRegistry ? "Use a repository-specific URI suffix (e.g., memory://github/status/{repo}) for multi-project setups, or ensure the fallback project is a valid git repository." : "Run the MCP server from a valid git repository or configure PROJECT_REGISTRY.",
+        ...repoInfo.branch ? { branch: repoInfo.branch } : {}
+      },
+      annotations: { lastModified }
+    };
+  }
+  return { owner, repo, branch: repoInfo.branch ?? null, lastModified, github: activeGithub };
+}
+function isResourceError(result) {
+  return "data" in result;
+}
+var DEFAULT_BRIEFING_CONFIG = {
+  entryCount: 3,
+  summaryCount: 1,
+  includeTeam: false,
+  issueCount: 0,
+  prCount: 0,
+  prStatusBreakdown: false,
+  milestoneCount: 3,
+  workflowCount: 0,
+  workflowStatusBreakdown: false,
+  copilotReviews: false
+};
+function milestoneCompletionPct(openIssues, closedIssues) {
+  const total = openIssues + closedIssues;
+  return total > 0 ? Math.round(closedIssues / total * 100) : 0;
+}
+var TeamEntryOutputSchema = EntryOutputSchema.extend({
+  author: z.string().nullable().optional()
+});
+var TeamCreateEntrySchema = z.object({
+  content: z.string().min(1).max(MAX_CONTENT_LENGTH),
+  entry_type: z.enum(ENTRY_TYPES).optional().default("personal_reflection"),
+  tags: z.array(z.string()).optional().default([]),
+  significance_type: z.enum(SIGNIFICANCE_TYPES).optional(),
+  project_number: StrictProjectNumberSchema,
+  project_owner: z.string().optional(),
+  issue_number: z.number().optional(),
+  issue_url: z.string().optional(),
+  pr_number: z.number().optional(),
+  pr_url: z.string().optional(),
+  pr_status: z.enum(["draft", "open", "merged", "closed"]).optional(),
+  author: z.string().optional()
+});
+var TeamCreateEntrySchemaMcp = z.object({
+  content: z.string().optional(),
+  entry_type: z.string().optional().default("personal_reflection"),
+  tags: z.array(z.string()).optional().default([]),
+  significance_type: z.string().optional(),
+  project_number: relaxedNumber().optional(),
+  project_owner: z.string().optional(),
+  issue_number: relaxedNumber().optional(),
+  issue_url: z.string().optional(),
+  pr_number: relaxedNumber().optional(),
+  pr_url: z.string().optional(),
+  pr_status: z.string().optional(),
+  author: z.string().optional()
+});
+var TeamGetRecentSchema = z.object({
+  limit: z.number().min(1).max(500).optional().default(10),
+  project_number: StrictProjectNumberSchema,
+  sort_by: z.enum(["timestamp", "importance"]).optional().default("timestamp").describe("Sort results by timestamp (default) or importance score")
+});
+var TeamGetRecentSchemaMcp = z.object({
+  limit: relaxedNumber().optional().default(10),
+  project_number: relaxedNumber().optional(),
+  sort_by: z.string().optional().default("timestamp").describe("Sort results by timestamp (default) or importance score")
+});
+var TeamSearchSchema = z.object({
+  query: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  project_number: StrictProjectNumberSchema,
+  limit: z.number().max(500).optional().default(10),
+  sort_by: z.enum(["timestamp", "importance"]).optional().default("timestamp").describe("Sort results by timestamp (default) or importance score")
+});
+var TeamSearchSchemaMcp = z.object({
+  query: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  project_number: relaxedNumber().optional(),
+  limit: relaxedNumber().optional().default(10),
+  sort_by: z.string().optional().default("timestamp").describe("Sort results by timestamp (default) or importance score")
+});
+var TeamGetEntryByIdSchema = z.object({
+  entry_id: z.number(),
+  include_relationships: z.boolean().optional().default(true),
+  project_number: StrictProjectNumberSchema
+});
+var TeamGetEntryByIdSchemaMcp = z.object({
+  entry_id: relaxedNumber().optional(),
+  include_relationships: z.boolean().optional().default(true),
+  project_number: relaxedNumber().optional()
+});
+var TeamSearchByDateRangeSchema = z.object({
+  start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE),
+  end_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE),
+  entry_type: z.enum(ENTRY_TYPES).optional(),
+  tags: z.array(z.string()).optional(),
+  project_number: StrictProjectNumberSchema,
+  limit: z.number().max(500).optional().default(50),
+  sort_by: z.enum(["timestamp", "importance"]).optional().default("timestamp").describe("Sort results by timestamp (default) or importance score")
+});
+var TeamSearchByDateRangeSchemaMcp = z.object({
+  start_date: z.string().optional().describe("Start date (YYYY-MM-DD)"),
+  end_date: z.string().optional().describe("End date (YYYY-MM-DD)"),
+  entry_type: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  project_number: relaxedNumber().optional(),
+  limit: relaxedNumber().optional().default(50),
+  sort_by: z.string().optional().default("timestamp").describe("Sort results by timestamp (default) or importance score")
+});
+var TeamUpdateEntrySchema = z.object({
+  entry_id: z.number(),
+  content: z.string().min(1).max(MAX_CONTENT_LENGTH).optional(),
+  entry_type: z.enum(ENTRY_TYPES).optional(),
+  tags: z.array(z.string()).optional(),
+  project_number: StrictProjectNumberSchema,
+  significance_type: z.enum(SIGNIFICANCE_TYPES).nullable().optional(),
+  project_owner: z.string().nullable().optional(),
+  issue_number: z.number().nullable().optional(),
+  issue_url: z.string().nullable().optional(),
+  pr_number: z.number().nullable().optional(),
+  pr_url: z.string().nullable().optional(),
+  pr_status: z.enum(["draft", "open", "merged", "closed"]).nullable().optional(),
+  workflow_run_id: z.number().nullable().optional(),
+  workflow_name: z.string().nullable().optional(),
+  workflow_status: z.enum(["queued", "in_progress", "completed"]).nullable().optional()
+});
+var TeamUpdateEntrySchemaMcp = z.object({
+  entry_id: relaxedNumber().optional(),
+  content: z.string().optional(),
+  entry_type: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  project_number: relaxedNumber().nullable().optional(),
+  significance_type: z.string().nullable().optional(),
+  project_owner: z.string().nullable().optional(),
+  issue_number: relaxedNumber().nullable().optional(),
+  issue_url: z.string().nullable().optional(),
+  pr_number: relaxedNumber().nullable().optional(),
+  pr_url: z.string().nullable().optional(),
+  pr_status: z.string().nullable().optional(),
+  workflow_run_id: relaxedNumber().nullable().optional(),
+  workflow_name: z.string().nullable().optional(),
+  workflow_status: z.string().nullable().optional()
+});
+var TeamDeleteEntrySchema = z.object({
+  entry_id: z.number(),
+  project_number: StrictProjectNumberSchema
+});
+var TeamDeleteEntrySchemaMcp = z.object({
+  entry_id: relaxedNumber().optional(),
+  project_number: relaxedNumber().optional()
+});
+var TeamMergeTagsSchema = z.object({
+  source_tag: z.string().min(1),
+  target_tag: z.string().min(1)
+});
+var TeamMergeTagsSchemaMcp = z.object({
+  source_tag: z.string().optional(),
+  target_tag: z.string().optional()
+});
+var TeamGetStatisticsSchema = z.object({
+  group_by: z.enum(["day", "week", "month"]).optional().default("week")
+});
+var TeamGetStatisticsSchemaMcp = z.object({
+  group_by: z.string().optional().default("week")
+});
+var TeamLinkEntriesSchema = z.object({
+  from_entry_id: z.number(),
+  to_entry_id: z.number(),
+  relationship_type: z.enum([
+    "evolves_from",
+    "references",
+    "implements",
+    "clarifies",
+    "response_to",
+    "blocked_by",
+    "resolved",
+    "caused"
+  ]).optional().default("references"),
+  description: z.string().optional(),
+  project_number: StrictProjectNumberSchema
+});
+var TeamLinkEntriesSchemaMcp = z.object({
+  from_entry_id: relaxedNumber().optional(),
+  to_entry_id: relaxedNumber().optional(),
+  from: relaxedNumber().optional(),
+  to: relaxedNumber().optional(),
+  from_id: relaxedNumber().optional(),
+  to_id: relaxedNumber().optional(),
+  relationship_type: z.string().optional().default("references"),
+  type: z.string().optional(),
+  description: z.string().optional(),
+  project_number: relaxedNumber().optional()
+}).transform((data) => ({
+  from_entry_id: data.from_entry_id ?? data.from_id ?? data.from,
+  to_entry_id: data.to_entry_id ?? data.to_id ?? data.to,
+  relationship_type: data.type ?? data.relationship_type,
+  description: data.description,
+  project_number: data.project_number
+}));
+var TeamVisualizeRelationshipsSchema = z.object({
+  entry_id: z.number().optional(),
+  tag: z.string().optional(),
+  depth: z.number().min(1).max(5).optional().default(2)
+});
+var TeamVisualizeRelationshipsSchemaMcp = z.object({
+  entry_id: relaxedNumber().optional(),
+  tag: z.string().optional(),
+  depth: relaxedNumber().optional().default(2)
+});
+var TeamExportEntriesSchema = z.object({
+  format: z.enum(["json", "markdown"]).optional().default("json"),
+  start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional(),
+  end_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional(),
+  entry_type: z.enum(ENTRY_TYPES).optional(),
+  tags: z.array(z.string()).optional(),
+  limit: z.number().max(5e3).optional().default(100)
+});
+var TeamExportEntriesSchemaMcp = z.object({
+  format: z.string().optional().default("json"),
+  start_date: z.string().optional(),
+  end_date: z.string().optional(),
+  entry_type: z.string().optional(),
+  tags: z.array(z.string()).optional(),
+  limit: relaxedNumber().optional().default(100)
+});
+var TeamBackupSchema = z.object({
+  name: z.string().optional()
+});
+var TeamCreateOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entry: TeamEntryOutputSchema.optional(),
+  author: z.string().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamEntriesListOutputSchema = z.object({
+  entries: z.array(TeamEntryOutputSchema).optional(),
+  count: z.number().optional(),
+  success: z.boolean().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamEntryDetailOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entry: TeamEntryOutputSchema.optional(),
+  relationships: z.array(RelationshipOutputSchema).optional(),
+  importance: z.object({
+    score: z.number(),
+    breakdown: z.object({
+      significance: z.number(),
+      relationships: z.number(),
+      causal: z.number(),
+      recency: z.number()
+    }).optional()
+  }).optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamTagsListOutputSchema = z.object({
+  success: z.boolean().optional(),
+  tags: z.array(TagOutputSchema).optional(),
+  count: z.number().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamUpdateOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entry: TeamEntryOutputSchema.optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamDeleteOutputSchema = z.object({
+  success: z.boolean().optional(),
+  message: z.string().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamMergeTagsOutputSchema = z.object({
+  success: z.boolean().optional(),
+  message: z.string().optional(),
+  entriesUpdated: z.number().optional(),
+  sourceDeleted: z.boolean().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamStatisticsOutputSchema = z.object({
+  success: z.boolean().optional(),
+  totalEntries: z.number().optional(),
+  periodEntries: z.number().optional(),
+  entryTypes: z.record(z.string(), z.number()).optional(),
+  topTags: z.array(z.object({ name: z.string(), count: z.number() })).optional(),
+  authors: z.array(z.object({ author: z.string(), count: z.number() })).optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamLinkEntriesOutputSchema = z.object({
+  success: z.boolean().optional(),
+  relationship: RelationshipOutputSchema.optional(),
+  duplicate: z.boolean().optional().describe("True if relationship already existed"),
+  message: z.string().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamVisualizeOutputSchema = z.object({
+  success: z.boolean().optional(),
+  mermaid: z.string().optional(),
+  nodeCount: z.number().optional(),
+  edgeCount: z.number().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamExportOutputSchema = z.object({
+  success: z.boolean().optional(),
+  format: z.string().optional(),
+  data: z.string().optional(),
+  count: z.number().optional(),
+  truncated: z.boolean().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamBackupOutputSchema = z.object({
+  success: z.boolean().optional(),
+  message: z.string().optional(),
+  filename: z.string().optional(),
+  path: z.string().optional(),
+  sizeBytes: z.number().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamBackupsListOutputSchema = z.object({
+  success: z.boolean().optional(),
+  backups: z.array(
+    z.object({
+      filename: z.string(),
+      path: z.string(),
+      sizeBytes: z.number(),
+      createdAt: z.string()
+    })
+  ).optional(),
+  total: z.number().optional(),
+  backupsDirectory: z.string().optional(),
+  hint: z.string().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamSemanticSearchSchema = z.object({
+  query: z.string().optional(),
+  entry_id: z.number().optional().describe("Find entries related to this entry ID"),
+  limit: z.number().max(500).optional().default(10),
+  similarity_threshold: z.number().optional().default(0.25),
+  tags: z.array(z.string()).optional(),
+  entry_type: z.enum(ENTRY_TYPES).optional(),
+  start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional(),
+  end_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional(),
+  hint_on_empty: z.boolean().optional().default(true).describe("Include hint when no results found (default: true)"),
+  project_number: StrictProjectNumberSchema
+});
+var TeamSemanticSearchSchemaMcp = z.object({
+  query: z.string().optional(),
+  entry_id: relaxedNumber().optional().describe("Find entries related to this entry ID"),
+  limit: relaxedNumber().optional().default(10),
+  similarity_threshold: relaxedNumber().optional().default(0.25),
+  tags: z.array(z.string()).optional(),
+  entry_type: z.string().optional(),
+  start_date: z.string().optional(),
+  end_date: z.string().optional(),
+  hint_on_empty: z.boolean().optional().default(true).describe("Include hint when no results found (default: true)"),
+  project_number: relaxedNumber().optional()
+});
+var TeamAddToVectorIndexSchema = z.object({
+  entry_id: z.number(),
+  project_number: StrictProjectNumberSchema
+});
+var TeamAddToVectorIndexSchemaMcp = z.object({
+  entry_id: relaxedNumber().optional(),
+  project_number: relaxedNumber().optional()
+});
+var TeamSemanticEntryOutputSchema = TeamEntryOutputSchema.extend({
+  similarity: z.number()
+});
+var TeamSemanticSearchOutputSchema = z.object({
+  query: z.string().optional(),
+  entryId: z.number().optional(),
+  entries: z.array(TeamSemanticEntryOutputSchema).optional(),
+  count: z.number().optional(),
+  hint: z.string().optional(),
+  success: z.boolean().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamVectorStatsOutputSchema = z.object({
+  available: z.boolean(),
+  error: z.string().optional(),
+  itemCount: z.number().optional(),
+  modelName: z.string().optional(),
+  dimensions: z.number().optional(),
+  success: z.boolean().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamRebuildVectorIndexOutputSchema = z.object({
+  success: z.boolean().optional(),
+  partial: z.boolean().optional(),
+  entriesIndexed: z.number().optional(),
+  failedEntries: z.number().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamAddToVectorIndexOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entryId: z.number().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamCrossProjectInsightsSchema = z.object({
+  start_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional().describe("Start date (YYYY-MM-DD)"),
+  end_date: z.string().regex(DATE_FORMAT_REGEX, DATE_FORMAT_MESSAGE).optional().describe("End date (YYYY-MM-DD)"),
+  min_entries: z.number().optional().default(3).describe("Minimum entries to include project"),
+  limit: z.number().max(500).optional().default(100).describe("Max projects to return")
+});
+var TeamCrossProjectInsightsSchemaMcp = z.object({
+  start_date: z.string().optional().describe("Start date (YYYY-MM-DD)"),
+  end_date: z.string().optional().describe("End date (YYYY-MM-DD)"),
+  min_entries: relaxedNumber().optional().default(3).describe("Minimum entries to include project"),
+  limit: relaxedNumber().optional().default(100).describe("Max projects to return")
+});
+var TeamProjectSummaryOutputSchema = z.object({
+  project_number: z.number(),
+  entry_count: z.number(),
+  first_entry: z.string(),
+  last_entry: z.string(),
+  active_days: z.number(),
+  top_tags: z.array(z.object({ name: z.string(), count: z.number() }))
+}).extend(ErrorFieldsMixin.shape);
+var TeamCrossProjectInsightsOutputSchema = z.object({
+  project_count: z.number().optional(),
+  total_entries: z.number().optional(),
+  projects: z.array(TeamProjectSummaryOutputSchema).optional(),
+  inactive_projects: z.array(
+    z.object({
+      project_number: z.number(),
+      last_entry_date: z.string()
+    })
+  ).optional(),
+  inactiveThresholdDays: z.number().optional(),
+  time_distribution: z.array(
+    z.object({
+      project_number: z.number(),
+      percentage: z.string()
+    })
+  ).optional(),
+  message: z.string().optional(),
+  success: z.boolean().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var TeamCollaborationMatrixSchema = z.object({
+  period: z.enum(["week", "month", "quarter"]).optional().default("month").describe("Time granularity for the activity heatmap"),
+  limit: z.number().max(100).optional().default(20).describe("Max authors to include")
+});
+var TeamCollaborationMatrixSchemaMcp = z.object({
+  period: z.string().optional().default("month"),
+  limit: relaxedNumber().optional().default(20)
+});
+var TeamCollaborationMatrixOutputSchema = z.object({
+  success: z.boolean().optional(),
+  totalAuthors: z.number().optional(),
+  totalEntries: z.number().optional(),
+  authorActivity: z.array(
+    z.object({
+      author: z.string(),
+      period: z.string(),
+      entryCount: z.number()
+    })
+  ).optional(),
+  crossAuthorLinks: z.array(
+    z.object({
+      fromAuthor: z.string(),
+      toAuthor: z.string(),
+      linkCount: z.number()
+    })
+  ).optional(),
+  impactFactor: z.array(
+    z.object({
+      author: z.string(),
+      inboundLinks: z.number()
+    })
+  ).optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var DEFAULT_FLAG_VOCABULARY = ["blocker", "needs_review", "help_requested", "fyi"];
+var PassTeamFlagSchema = z.object({
+  flag_type: z.string().min(1).describe("Flag type from vocabulary (e.g., blocker, needs_review)"),
+  message: z.string().min(1).max(49e3).describe("Flag message describing the issue or request"),
+  target_user: z.string().optional().describe("Target user to flag (e.g., @sarah)"),
+  link: z.string().optional().describe("Related file path, URL, or reference"),
+  project_number: StrictProjectNumberSchema,
+  issue_number: z.number().optional(),
+  author: z.string().optional()
+});
+var PassTeamFlagSchemaMcp = z.object({
+  flag_type: z.string().optional(),
+  message: z.string().optional(),
+  target_user: z.string().optional(),
+  link: z.string().optional(),
+  project_number: relaxedNumber().optional(),
+  issue_number: relaxedNumber().optional(),
+  author: z.string().optional()
+});
+var ResolveTeamFlagSchema = z.object({
+  flag_id: z.number().describe("Entry ID of the flag to resolve"),
+  resolution: z.string().optional().describe("Optional resolution comment")
+});
+var ResolveTeamFlagSchemaMcp = z.object({
+  flag_id: relaxedNumber().optional(),
+  resolution: z.string().optional()
+});
+var FlagOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entry: TeamEntryOutputSchema.optional(),
+  flag_type: z.string().optional(),
+  target_user: z.string().nullable().optional(),
+  resolved: z.boolean().optional(),
+  author: z.string().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var ResolveFlagOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entry: TeamEntryOutputSchema.optional(),
+  flag_type: z.string().optional(),
+  resolved: z.boolean().optional(),
+  resolution: z.string().nullable().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var ListTeamFlagsSchema = z.object({
+  status: z.enum(["active", "resolved", "all"]).optional().default("active"),
+  flag_type: z.string().optional().describe("Filter by flag type from vocabulary"),
+  target_user: z.string().optional().describe("Filter by target user"),
+  author: z.string().optional().describe("Filter by flag creator"),
+  limit: z.number().min(1).max(500).optional().default(20),
+  project_number: StrictProjectNumberSchema,
+  sort_by: z.enum(["timestamp", "priority"]).optional().default("priority")
+});
+var ListTeamFlagsSchemaMcp = z.object({
+  status: z.string().optional().default("active"),
+  flag_type: z.string().optional(),
+  target_user: z.string().optional(),
+  author: z.string().optional(),
+  limit: relaxedNumber().optional().default(20),
+  project_number: relaxedNumber().optional(),
+  sort_by: z.string().optional().default("priority")
+});
+var UpdateTeamFlagSchema = z.object({
+  flag_id: z.number().describe("Entry ID of the flag to update"),
+  flag_type: z.string().optional().describe("New flag type"),
+  target_user: z.string().nullable().optional().describe("New target user (null to clear)"),
+  message: z.string().min(1).max(49e3).optional().describe("Updated flag message"),
+  link: z.string().nullable().optional().describe("Updated link (null to clear)"),
+  reopen: z.boolean().optional().describe("If true, reopen a resolved flag")
+});
+var UpdateTeamFlagSchemaMcp = z.object({
+  flag_id: relaxedNumber().optional(),
+  flag_type: z.string().optional(),
+  target_user: z.string().nullable().optional(),
+  message: z.string().optional(),
+  link: z.string().nullable().optional(),
+  reopen: z.boolean().optional()
+});
+var FlagAnalyticsSchema = z.object({
+  period: z.enum(["day", "week", "month"]).optional().default("week"),
+  project_number: StrictProjectNumberSchema
+});
+var FlagAnalyticsSchemaMcp = z.object({
+  period: z.string().optional().default("week"),
+  project_number: relaxedNumber().optional()
+});
+var ListFlagsOutputSchema = z.object({
+  success: z.boolean().optional(),
+  flags: z.array(
+    z.object({
+      id: z.number(),
+      flag_type: z.string(),
+      target_user: z.string().nullable().optional(),
+      author: z.string().nullable().optional(),
+      message: z.string(),
+      link: z.string().nullable().optional(),
+      resolved: z.boolean(),
+      resolved_at: z.string().nullable().optional(),
+      resolution: z.string().nullable().optional(),
+      timestamp: z.string(),
+      age_hours: z.number(),
+      is_stale: z.boolean(),
+      tags: z.array(z.string()).optional(),
+      project_number: z.number().nullable().optional()
+    })
+  ).optional(),
+  count: z.number().optional(),
+  active_count: z.number().optional(),
+  resolved_count: z.number().optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var UpdateFlagOutputSchema = z.object({
+  success: z.boolean().optional(),
+  entry: TeamEntryOutputSchema.optional(),
+  flag_type: z.string().optional(),
+  target_user: z.string().nullable().optional(),
+  resolved: z.boolean().optional(),
+  author: z.string().optional(),
+  changes: z.array(z.string()).optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var FlagAnalyticsOutputSchema = z.object({
+  success: z.boolean().optional(),
+  summary: z.object({
+    total_flags: z.number(),
+    active_flags: z.number(),
+    resolved_flags: z.number(),
+    avg_resolution_hours: z.number().nullable(),
+    median_resolution_hours: z.number().nullable(),
+    stale_count: z.number()
+  }).optional(),
+  by_type: z.record(
+    z.string(),
+    z.object({
+      total: z.number(),
+      active: z.number(),
+      avg_resolution_hours: z.number().nullable()
+    })
+  ).optional(),
+  by_target: z.array(
+    z.object({
+      user: z.string(),
+      received: z.number(),
+      active: z.number()
+    })
+  ).optional(),
+  trend: z.object({
+    current_period: z.number(),
+    previous_period: z.number(),
+    change_pct: z.number().nullable()
+  }).optional(),
+  error: z.string().optional()
+}).extend(ErrorFieldsMixin.shape);
+var FlagContextSchema = z.object({
+  flag_type: z.string(),
+  target_user: z.string().nullable().optional(),
+  link: z.string().nullable().optional(),
+  resolved: z.boolean(),
+  resolved_at: z.string().nullable().optional(),
+  resolution: z.string().nullable().optional(),
+  author: z.string().optional()
+});
+var VersionedEnvelopeSchema = z.object({
+  version: z.string(),
+  data: z.unknown()
+});
+var AutoContextSchema = z.union([FlagContextSchema, VersionedEnvelopeSchema]);
+function parseAutoContext(autoContext) {
+  if (!autoContext) return null;
+  try {
+    const parsed = JSON.parse(autoContext);
+    if (typeof parsed !== "object" || parsed === null) {
+      return null;
+    }
+    const result = AutoContextSchema.safeParse(parsed);
+    if (result.success) {
+      return result.data;
+    }
+    logger.debug("AutoContext schema miss", {
+      module: "Validator",
+      issues: result.error.issues
+    });
+    return parsed;
+  } catch (error) {
+    logger.warning("Failed to parse auto_context JSON", {
+      module: "Validator",
+      error: error instanceof Error ? error.message : "Unknown error"
+    });
+    return null;
+  }
+}
+function parseFlagContext(autoContext) {
+  const parsed = parseAutoContext(autoContext);
+  if (parsed === null) return null;
+  const result = FlagContextSchema.safeParse(parsed);
+  return result.success ? result.data : null;
+}
+var requestContextStorage = new AsyncLocalStorage();
+function getRequestContext() {
+  return requestContextStorage.getStore();
+}
+
+export { BASE_SCOPES, ConfigurationError, ConnectionError, DATE_FORMAT_MESSAGE, DATE_FORMAT_REGEX, DATE_MAX_SENTINEL, DATE_MIN_SENTINEL, DEFAULT_BRIEFING_CONFIG, DEFAULT_FLAG_VOCABULARY, ENTRY_TYPES, EntriesListOutputSchema, EntryOutputSchema, ErrorFieldsMixin, FlagAnalyticsOutputSchema, FlagAnalyticsSchema, FlagAnalyticsSchemaMcp, FlagOutputSchema, ImportanceBreakdownSchema, ListFlagsOutputSchema, ListTeamFlagsSchema, ListTeamFlagsSchemaMcp, MAX_CONTENT_LENGTH, MAX_QUERY_LIMIT, META_GROUPS, MemoryJournalMcpError, PassTeamFlagSchema, PassTeamFlagSchemaMcp, QueryError, RelationshipOutputSchema, ResolveFlagOutputSchema, ResolveTeamFlagSchema, ResolveTeamFlagSchemaMcp, ResourceNotFoundError, SCOPES, SIGNIFICANCE_TYPES, SUPPORTED_SCOPES, StrictProjectNumberSchema, TOOL_GROUPS, TagOutputSchema, TeamAddToVectorIndexOutputSchema, TeamAddToVectorIndexSchema, TeamAddToVectorIndexSchemaMcp, TeamBackupOutputSchema, TeamBackupSchema, TeamBackupsListOutputSchema, TeamCollaborationMatrixOutputSchema, TeamCollaborationMatrixSchema, TeamCollaborationMatrixSchemaMcp, TeamCreateEntrySchema, TeamCreateEntrySchemaMcp, TeamCreateOutputSchema, TeamCrossProjectInsightsOutputSchema, TeamCrossProjectInsightsSchema, TeamCrossProjectInsightsSchemaMcp, TeamDeleteEntrySchema, TeamDeleteEntrySchemaMcp, TeamDeleteOutputSchema, TeamEntriesListOutputSchema, TeamEntryDetailOutputSchema, TeamExportEntriesSchema, TeamExportEntriesSchemaMcp, TeamExportOutputSchema, TeamGetEntryByIdSchema, TeamGetEntryByIdSchemaMcp, TeamGetRecentSchema, TeamGetRecentSchemaMcp, TeamGetStatisticsSchema, TeamGetStatisticsSchemaMcp, TeamLinkEntriesOutputSchema, TeamLinkEntriesSchema, TeamLinkEntriesSchemaMcp, TeamMergeTagsOutputSchema, TeamMergeTagsSchema, TeamMergeTagsSchemaMcp, TeamRebuildVectorIndexOutputSchema, TeamSearchByDateRangeSchema, TeamSearchByDateRangeSchemaMcp, TeamSearchSchema, TeamSearchSchemaMcp, TeamSemanticSearchOutputSchema, TeamSemanticSearchSchema, TeamSemanticSearchSchemaMcp, TeamStatisticsOutputSchema, TeamTagsListOutputSchema, TeamUpdateEntrySchema, TeamUpdateEntrySchemaMcp, TeamUpdateOutputSchema, TeamVectorStatsOutputSchema, TeamVisualizeOutputSchema, TeamVisualizeRelationshipsSchema, TeamVisualizeRelationshipsSchemaMcp, UpdateFlagOutputSchema, UpdateTeamFlagSchema, UpdateTeamFlagSchemaMcp, ValidationError, assertNoPathTraversal, assertSafeDirectoryPath, assertSafeFilePath, calculateTokenSavings, coerceSignificanceAlias, enforceAccessBoundary, filterTools, getAllToolNames, getAuthContext, getEnabledGroups, getFilterSummary, getGitHubIntegration, getRequestContext, getRequiredScope, getToolFilterFromEnv, getToolGroup, hasScope, isResourceError, isToolEnabled, isValidScope, logger, markUntrustedContent, markUntrustedContentInline, matchSuggestion, milestoneCompletionPct, parseFlagContext, parseScopes, parseToolFilter, relaxedNumber, requestContextStorage, resolveAuthenticatedAuthor, resolveAuthor, resolveGitHubRepo, runWithAuthContext, sanitizeAuthor, sanitizeSearchQuery, validateDateFormatPattern };