session-collab-mcp 0.5.0 → 0.5.2

package/src/db/__tests__/test-helper.ts

@@ -0,0 +1,216 @@
+// Test helper: In-memory SQLite database for testing
+import Database from 'better-sqlite3';
+import type { DatabaseAdapter, PreparedStatement, QueryResult } from '../sqlite-adapter.js';
+
+class TestPreparedStatement implements PreparedStatement {
+  private bindings: unknown[] = [];
+
+  constructor(
+    private db: Database.Database,
+    private sql: string
+  ) {}
+
+  bind(...values: unknown[]): PreparedStatement {
+    this.bindings = values;
+    return this;
+  }
+
+  async first<T>(): Promise<T | null> {
+    const stmt = this.db.prepare(this.sql);
+    const result = stmt.get(...this.bindings) as T | undefined;
+    return result ?? null;
+  }
+
+  async all<T>(): Promise<QueryResult<T>> {
+    const stmt = this.db.prepare(this.sql);
+    const results = stmt.all(...this.bindings) as T[];
+    return {
+      results,
+      meta: { changes: 0, last_row_id: 0 },
+    };
+  }
+
+  async run(): Promise<{ meta: { changes: number } }> {
+    const stmt = this.db.prepare(this.sql);
+    const result = stmt.run(...this.bindings);
+    return {
+      meta: { changes: result.changes },
+    };
+  }
+
+  _run(): Database.RunResult {
+    const stmt = this.db.prepare(this.sql);
+    return stmt.run(...this.bindings);
+  }
+}
+
+// Schema statements split for initialization
+const SCHEMA_STATEMENTS = [
+  // Sessions table
+  `CREATE TABLE IF NOT EXISTS sessions (
+    id TEXT PRIMARY KEY,
+    name TEXT,
+    project_root TEXT NOT NULL,
+    machine_id TEXT,
+    user_id TEXT,
+    created_at TEXT DEFAULT (datetime('now')),
+    last_heartbeat TEXT DEFAULT (datetime('now')),
+    status TEXT DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'terminated')),
+    current_task TEXT,
+    progress TEXT,
+    todos TEXT,
+    config TEXT
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_sessions_status ON sessions(status)`,
+  `CREATE INDEX IF NOT EXISTS idx_sessions_project ON sessions(project_root)`,
+
+  // Claims table
+  `CREATE TABLE IF NOT EXISTS claims (
+    id TEXT PRIMARY KEY,
+    session_id TEXT NOT NULL,
+    intent TEXT NOT NULL,
+    scope TEXT DEFAULT 'medium' CHECK (scope IN ('small', 'medium', 'large')),
+    status TEXT DEFAULT 'active' CHECK (status IN ('active', 'completed', 'abandoned')),
+    created_at TEXT DEFAULT (datetime('now')),
+    updated_at TEXT DEFAULT (datetime('now')),
+    completed_summary TEXT,
+    FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE CASCADE
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_claims_session ON claims(session_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_claims_status ON claims(status)`,
+
+  // Claim files
+  `CREATE TABLE IF NOT EXISTS claim_files (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    claim_id TEXT NOT NULL,
+    file_path TEXT NOT NULL,
+    is_pattern INTEGER DEFAULT 0,
+    FOREIGN KEY (claim_id) REFERENCES claims(id) ON DELETE CASCADE,
+    UNIQUE(claim_id, file_path)
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_files_path ON claim_files(file_path)`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_files_claim ON claim_files(claim_id)`,
+
+  // Claim symbols
+  `CREATE TABLE IF NOT EXISTS claim_symbols (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    claim_id TEXT NOT NULL,
+    file_path TEXT NOT NULL,
+    symbol_name TEXT NOT NULL,
+    symbol_type TEXT DEFAULT 'function' CHECK (symbol_type IN ('function', 'class', 'method', 'variable', 'block', 'other')),
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (claim_id) REFERENCES claims(id) ON DELETE CASCADE,
+    UNIQUE(claim_id, file_path, symbol_name)
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_symbols_path ON claim_symbols(file_path)`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_symbols_name ON claim_symbols(symbol_name)`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_symbols_claim ON claim_symbols(claim_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_symbols_lookup ON claim_symbols(file_path, symbol_name)`,
+
+  // Messages table
+  `CREATE TABLE IF NOT EXISTS messages (
+    id TEXT PRIMARY KEY,
+    from_session_id TEXT NOT NULL,
+    to_session_id TEXT,
+    content TEXT NOT NULL,
+    read_at TEXT,
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (from_session_id) REFERENCES sessions(id) ON DELETE CASCADE
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_messages_to ON messages(to_session_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_messages_unread ON messages(to_session_id, read_at)`,
+
+  // Decisions table
+  `CREATE TABLE IF NOT EXISTS decisions (
+    id TEXT PRIMARY KEY,
+    session_id TEXT NOT NULL,
+    category TEXT CHECK (category IN ('architecture', 'naming', 'api', 'database', 'ui', 'other')),
+    title TEXT NOT NULL,
+    description TEXT NOT NULL,
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE CASCADE
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_decisions_category ON decisions(category)`,
+
+  // Symbol references
+  `CREATE TABLE IF NOT EXISTS symbol_references (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    source_file TEXT NOT NULL,
+    source_symbol TEXT NOT NULL,
+    ref_file TEXT NOT NULL,
+    ref_line INTEGER,
+    ref_context TEXT,
+    session_id TEXT NOT NULL,
+    created_at TEXT DEFAULT (datetime('now')),
+    FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE CASCADE,
+    UNIQUE(source_file, source_symbol, ref_file, ref_line)
+  )`,
+  `CREATE INDEX IF NOT EXISTS idx_symbol_refs_source ON symbol_references(source_file, source_symbol)`,
+  `CREATE INDEX IF NOT EXISTS idx_symbol_refs_ref_file ON symbol_references(ref_file)`,
+  `CREATE INDEX IF NOT EXISTS idx_symbol_refs_session ON symbol_references(session_id)`,
+
+  // Composite indexes for common query patterns
+  `CREATE INDEX IF NOT EXISTS idx_sessions_status_heartbeat ON sessions(status, last_heartbeat)`,
+  `CREATE INDEX IF NOT EXISTS idx_claims_status_session ON claims(status, session_id)`,
+  `CREATE INDEX IF NOT EXISTS idx_claim_files_path_claim ON claim_files(file_path, claim_id)`,
+];
+
+const CLEANUP_STATEMENTS = [
+  'DELETE FROM symbol_references',
+  'DELETE FROM claim_symbols',
+  'DELETE FROM claim_files',
+  'DELETE FROM claims',
+  'DELETE FROM messages',
+  'DELETE FROM decisions',
+  'DELETE FROM sessions',
+];
+
+export class TestDatabase implements DatabaseAdapter {
+  private db: Database.Database;
+
+  constructor() {
+    // Use in-memory database for tests
+    this.db = new Database(':memory:');
+    this.db.pragma('foreign_keys = ON');
+    this.initSchema();
+  }
+
+  private initSchema(): void {
+    for (const sql of SCHEMA_STATEMENTS) {
+      this.db.prepare(sql).run();
+    }
+  }
+
+  prepare(sql: string): PreparedStatement {
+    return new TestPreparedStatement(this.db, sql);
+  }
+
+  async batch(statements: PreparedStatement[]): Promise<QueryResult<unknown>[]> {
+    const transaction = this.db.transaction(() => {
+      return statements.map((stmt) => {
+        const testStmt = stmt as TestPreparedStatement;
+        const result = testStmt._run();
+        return {
+          results: [],
+          meta: { changes: result.changes, last_row_id: Number(result.lastInsertRowid) },
+        };
+      });
+    });
+    return transaction();
+  }
+
+  close(): void {
+    this.db.close();
+  }
+
+  // Helper to reset database between tests
+  reset(): void {
+    for (const sql of CLEANUP_STATEMENTS) {
+      this.db.prepare(sql).run();
+    }
+  }
+}
+
+export function createTestDatabase(): TestDatabase {
+  return new TestDatabase();
+}

package/src/db/queries.ts

@@ -321,18 +321,36 @@ export async function createClaim(
 }
 
 export async function getClaim(db: DatabaseAdapter, id: string): Promise<ClaimWithFiles | null> {
-  const claim = await db.prepare('SELECT * FROM claims WHERE id = ?').bind(id).first<Claim>();
-
-  if (!claim) return null;
-
-  const files = await db.prepare('SELECT file_path FROM claim_files WHERE claim_id = ?').bind(id).all<{ file_path: string }>();
+  // Single query with JOIN to avoid N+1 problem
+  const result = await db
+    .prepare(
+      `SELECT
+        c.id, c.session_id, c.intent, c.scope, c.status,
+        c.created_at, c.updated_at, c.completed_summary,
+        s.name as session_name,
+        GROUP_CONCAT(cf.file_path, '|||') as file_paths
+      FROM claims c
+      LEFT JOIN sessions s ON c.session_id = s.id
+      LEFT JOIN claim_files cf ON c.id = cf.claim_id
+      WHERE c.id = ?
+      GROUP BY c.id`
+    )
+    .bind(id)
+    .first<Claim & { session_name: string | null; file_paths: string | null }>();
 
-  const session = await db.prepare('SELECT name FROM sessions WHERE id = ?').bind(claim.session_id).first<{ name: string | null }>();
+  if (!result) return null;
 
   return {
-    ...claim,
-    files: files.results.map((f) => f.file_path),
-    session_name: session?.name ?? null,
+    id: result.id,
+    session_id: result.session_id,
+    intent: result.intent,
+    scope: result.scope,
+    status: result.status,
+    created_at: result.created_at,
+    updated_at: result.updated_at,
+    completed_summary: result.completed_summary,
+    files: result.file_paths ? result.file_paths.split('|||') : [],
+    session_name: result.session_name,
   };
 }
 

package/src/db/sqlite-adapter.ts

@@ -39,8 +39,7 @@ class SqlitePreparedStatement implements PreparedStatement {
 
   constructor(
     private db: Database.Database,
-    private sql: string,
-    private onWrite?: () => void
+    private sql: string
   ) {}
 
   bind(...values: unknown[]): PreparedStatement {
@@ -66,8 +65,8 @@ class SqlitePreparedStatement implements PreparedStatement {
   async run(): Promise<{ meta: { changes: number } }> {
     const stmt = this.db.prepare(this.sql);
     const result = stmt.run(...this.bindings);
-    // Trigger checkpoint after write
-    this.onWrite?.();
+    // Note: wal_autocheckpoint handles periodic checkpoints automatically
+    // No need to checkpoint after every write - reduces I/O overhead
     return {
       meta: { changes: result.changes },
     };
@@ -104,12 +103,13 @@ class SqliteDatabase implements DatabaseAdapter {
   }
 
   // Force checkpoint to make changes visible to other processes
+  // Only called after batch operations, not after individual writes
   checkpoint(): void {
     this.db.pragma('wal_checkpoint(PASSIVE)');
   }
 
   prepare(sql: string): PreparedStatement {
-    return new SqlitePreparedStatement(this.db, sql, () => this.checkpoint());
+    return new SqlitePreparedStatement(this.db, sql);
   }
 
   async batch(statements: PreparedStatement[]): Promise<QueryResult<unknown>[]> {
@@ -124,7 +124,7 @@ class SqliteDatabase implements DatabaseAdapter {
       });
     });
     const results = transaction();
-    // Checkpoint after batch write
+    // Checkpoint after batch write to ensure visibility to other processes
     this.checkpoint();
     return results;
   }

package/src/mcp/schemas.ts

@@ -0,0 +1,200 @@
+// Zod schemas for MCP tool input validation
+import { z } from 'zod';
+
+// Common schemas
+export const sessionIdSchema = z.string().min(1, 'session_id is required');
+export const claimIdSchema = z.string().min(1, 'claim_id is required');
+export const filePathSchema = z.string().min(1);
+export const filesArraySchema = z.array(filePathSchema).min(1, 'At least one file is required');
+
+// Symbol claim schema
+export const symbolClaimSchema = z.object({
+  file: z.string().min(1),
+  symbols: z.array(z.string().min(1)).min(1),
+  symbol_type: z.enum(['function', 'class', 'method', 'variable', 'block', 'other']).optional(),
+});
+
+export const symbolClaimsArraySchema = z.array(symbolClaimSchema);
+
+// Claim scope schema
+export const claimScopeSchema = z.enum(['small', 'medium', 'large']).default('medium');
+
+// Claim status schema
+export const claimStatusSchema = z.enum(['completed', 'abandoned']);
+
+// Session tools input schemas
+export const sessionStartSchema = z.object({
+  project_root: z.string().min(1, 'project_root is required'),
+  name: z.string().optional(),
+  machine_id: z.string().optional(),
+});
+
+export const sessionEndSchema = z.object({
+  session_id: sessionIdSchema,
+  release_claims: z.enum(['complete', 'abandon']).default('abandon'),
+});
+
+export const sessionListSchema = z.object({
+  include_inactive: z.boolean().optional(),
+  project_root: z.string().optional(),
+});
+
+export const sessionHeartbeatSchema = z.object({
+  session_id: sessionIdSchema,
+  current_task: z.string().optional(),
+  todos: z.array(z.object({
+    content: z.string(),
+    status: z.enum(['pending', 'in_progress', 'completed']),
+  })).optional(),
+});
+
+export const statusUpdateSchema = z.object({
+  session_id: sessionIdSchema,
+  current_task: z.string().optional(),
+  todos: z.array(z.object({
+    content: z.string(),
+    status: z.enum(['pending', 'in_progress', 'completed']),
+  })).optional(),
+});
+
+export const configSchema = z.object({
+  session_id: sessionIdSchema,
+  mode: z.enum(['strict', 'smart', 'bypass']).optional(),
+  allow_release_others: z.boolean().optional(),
+  auto_release_stale: z.boolean().optional(),
+  stale_threshold_hours: z.number().min(0).optional(),
+});
+
+// Claim tools input schemas
+export const claimCreateSchema = z.object({
+  session_id: sessionIdSchema,
+  files: z.array(filePathSchema).optional(),
+  symbols: symbolClaimsArraySchema.optional(),
+  intent: z.string().min(1, 'intent is required'),
+  scope: claimScopeSchema.optional(),
+}).refine(
+  (data) => (data.files && data.files.length > 0) || (data.symbols && data.symbols.length > 0),
+  { message: 'Either files or symbols must be provided' }
+);
+
+export const claimCheckSchema = z.object({
+  files: filesArraySchema,
+  symbols: symbolClaimsArraySchema.optional(),
+  session_id: z.string().optional(),
+});
+
+export const claimReleaseSchema = z.object({
+  session_id: sessionIdSchema,
+  claim_id: claimIdSchema,
+  status: claimStatusSchema,
+  summary: z.string().optional(),
+  force: z.boolean().optional(),
+});
+
+export const claimListSchema = z.object({
+  session_id: z.string().optional(),
+  status: z.enum(['active', 'completed', 'abandoned', 'all']).optional(),
+  project_root: z.string().optional(),
+});
+
+// Message tools input schemas
+export const messageSendSchema = z.object({
+  from_session_id: sessionIdSchema,
+  to_session_id: z.string().optional(),
+  content: z.string().min(1, 'content is required'),
+});
+
+export const messageListSchema = z.object({
+  session_id: sessionIdSchema,
+  unread_only: z.boolean().optional(),
+  mark_as_read: z.boolean().optional(),
+});
+
+// Decision tools input schemas
+export const decisionAddSchema = z.object({
+  session_id: sessionIdSchema,
+  category: z.enum(['architecture', 'naming', 'api', 'database', 'ui', 'other']).optional(),
+  title: z.string().min(1, 'title is required'),
+  description: z.string().min(1, 'description is required'),
+});
+
+export const decisionListSchema = z.object({
+  category: z.enum(['architecture', 'naming', 'api', 'database', 'ui', 'other']).optional(),
+  limit: z.number().min(1).max(100).optional(),
+});
+
+// LSP tools input schemas
+// Using z.ZodType to properly type recursive schema
+type LspSymbol = {
+  name: string;
+  kind: number;
+  range?: { start: { line: number; character: number }; end: { line: number; character: number } };
+  children?: LspSymbol[];
+};
+
+export const lspSymbolSchema: z.ZodType<LspSymbol> = z.object({
+  name: z.string(),
+  kind: z.number(),
+  range: z.object({
+    start: z.object({ line: z.number(), character: z.number() }),
+    end: z.object({ line: z.number(), character: z.number() }),
+  }).optional(),
+  children: z.lazy(() => z.array(lspSymbolSchema)).optional(),
+});
+
+export const analyzeSymbolsSchema = z.object({
+  session_id: sessionIdSchema,
+  files: z.array(z.object({
+    file: z.string(),
+    symbols: z.array(lspSymbolSchema),
+  })),
+  check_symbols: z.array(z.string()).optional(),
+  references: z.array(z.object({
+    symbol: z.string(),
+    file: z.string(),
+    references: z.array(z.object({
+      file: z.string(),
+      line: z.number(),
+      context: z.string().optional(),
+    })),
+  })).optional(),
+});
+
+export const validateSymbolsSchema = z.object({
+  file: z.string().min(1),
+  symbols: z.array(z.string().min(1)),
+  lsp_symbols: z.array(lspSymbolSchema),
+});
+
+export const storeReferencesSchema = z.object({
+  session_id: sessionIdSchema,
+  references: z.array(z.object({
+    source_file: z.string(),
+    source_symbol: z.string(),
+    references: z.array(z.object({
+      file: z.string(),
+      line: z.number(),
+      context: z.string().optional(),
+    })),
+  })),
+  clear_existing: z.boolean().optional(),
+});
+
+export const impactAnalysisSchema = z.object({
+  session_id: sessionIdSchema,
+  file: z.string().min(1),
+  symbol: z.string().min(1),
+});
+
+// Helper function to validate and return parsed data or error result
+export function validateInput<T>(
+  schema: z.ZodSchema<T>,
+  data: unknown
+): { success: true; data: T } | { success: false; error: string } {
+  const result = schema.safeParse(data);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  const errors = result.error.errors.map((e) => `${e.path.join('.')}: ${e.message}`).join(', ');
+  return { success: false, error: errors };
+}

package/src/mcp/tools/claim.ts

@@ -3,9 +3,10 @@
 import type { DatabaseAdapter } from '../../db/sqlite-adapter.js';
 import type { McpTool, McpToolResult } from '../protocol';
 import { createToolResult } from '../protocol';
-import type { ClaimScope, SessionConfig, SymbolClaim } from '../../db/types';
+import type { SessionConfig } from '../../db/types';
 import { DEFAULT_SESSION_CONFIG } from '../../db/types';
 import { createClaim, getClaim, listClaims, checkConflicts, releaseClaim, getSession } from '../../db/queries';
+import { claimCreateSchema, claimCheckSchema, claimReleaseSchema, claimListSchema, validateInput } from '../schemas.js';
 
 export const claimTools: McpTool[] = [
   {
@@ -156,37 +157,17 @@ export async function handleClaimTool(
 ): Promise<McpToolResult> {
   switch (name) {
     case 'collab_claim': {
-      const sessionId = args.session_id as string | undefined;
-      const files = args.files as string[] | undefined;
-      const symbols = args.symbols as SymbolClaim[] | undefined;
-      const intent = args.intent as string | undefined;
-      const scope = (args.scope as ClaimScope) ?? 'medium';
-
-      // Input validation
-      if (!sessionId || typeof sessionId !== 'string') {
+      // Validate input with Zod schema
+      const validation = validateInput(claimCreateSchema, args);
+      if (!validation.success) {
         return createToolResult(
-          JSON.stringify({ error: 'INVALID_INPUT', message: 'session_id is required' }),
+          JSON.stringify({ error: 'INVALID_INPUT', message: validation.error }),
           true
         );
       }
 
-      // Either files or symbols must be provided
-      const hasFiles = files && Array.isArray(files) && files.length > 0;
-      const hasSymbols = symbols && Array.isArray(symbols) && symbols.length > 0;
-
-      if (!hasFiles && !hasSymbols) {
-        return createToolResult(
-          JSON.stringify({ error: 'INVALID_INPUT', message: 'Either files or symbols must be provided' }),
-          true
-        );
-      }
-
-      if (!intent || typeof intent !== 'string' || intent.trim() === '') {
-        return createToolResult(
-          JSON.stringify({ error: 'INVALID_INPUT', message: 'intent is required' }),
-          true
-        );
-      }
+      const { session_id: sessionId, files, symbols, intent, scope = 'medium' } = validation.data;
+      const hasSymbols = symbols && symbols.length > 0;
 
       // Verify session exists and is active
       const session = await getSession(db, sessionId);
@@ -209,10 +190,8 @@ export async function handleClaimTool(
       }
       const fileList = Array.from(allFiles);
 
-      // Check for conflicts before creating claim
-      const conflicts = await checkConflicts(db, fileList, sessionId, symbols);
-
-      // Create the claim
+      // Create the claim FIRST (atomic operation)
+      // This ensures our claim is registered before checking conflicts
       const { claim } = await createClaim(db, {
         session_id: sessionId,
         files: fileList,
@@ -221,6 +200,11 @@ export async function handleClaimTool(
         symbols: hasSymbols ? symbols : undefined,
       });
 
+      // Check for conflicts AFTER creating claim
+      // This eliminates race condition: if two sessions claim simultaneously,
+      // both will see each other's claims and can coordinate
+      const conflicts = await checkConflicts(db, fileList, sessionId, symbols);
+
       if (conflicts.length > 0) {
         // Group conflicts by type (file vs symbol)
         const fileConflicts = conflicts.filter((c) => c.conflict_level === 'file');
@@ -273,18 +257,17 @@ export async function handleClaimTool(
     }
 
     case 'collab_check': {
-      const files = args.files as string[] | undefined;
-      const symbols = args.symbols as SymbolClaim[] | undefined;
-      const sessionId = args.session_id as string | undefined;
-
-      // Input validation
-      if (!files || !Array.isArray(files) || files.length === 0) {
+      // Validate input with Zod schema
+      const validation = validateInput(claimCheckSchema, args);
+      if (!validation.success) {
         return createToolResult(
-          JSON.stringify({ error: 'INVALID_INPUT', message: 'files array cannot be empty' }),
+          JSON.stringify({ error: 'INVALID_INPUT', message: validation.error }),
           true
         );
       }
 
+      const { files, symbols, session_id: sessionId } = validation.data;
+
       // Check todos status if session_id provided
       let hasInProgressTodo = false;
       let todosStatus: { total: number; in_progress: number; completed: number; pending: number } | null = null;
@@ -312,10 +295,6 @@ export async function handleClaimTool(
       const hasSymbols = symbols && Array.isArray(symbols) && symbols.length > 0;
       const conflicts = await checkConflicts(db, files, sessionId, hasSymbols ? symbols : undefined);
 
-      // Separate file-level and symbol-level conflicts
-      const fileConflicts = conflicts.filter((c) => c.conflict_level === 'file');
-      const symbolConflicts = conflicts.filter((c) => c.conflict_level === 'symbol');
-
       // Build per-file status (considering both file and symbol conflicts)
       const blockedFiles = new Set<string>();
       const blockedSymbols = new Map<string, Set<string>>(); // file -> symbols
@@ -464,23 +443,17 @@ export async function handleClaimTool(
     }
 
     case 'collab_release': {
-      const sessionId = args.session_id as string;
-      const claimId = args.claim_id as string;
-      const status = args.status as 'completed' | 'abandoned';
-      const summary = args.summary as string | undefined;
-      const force = args.force as boolean | undefined;
-
-      // Validate session_id
-      if (!sessionId || typeof sessionId !== 'string') {
+      // Validate input with Zod schema
+      const validation = validateInput(claimReleaseSchema, args);
+      if (!validation.success) {
         return createToolResult(
-          JSON.stringify({
-            error: 'INVALID_INPUT',
-            message: 'session_id is required to verify ownership',
-          }),
+          JSON.stringify({ error: 'INVALID_INPUT', message: validation.error }),
           true
         );
       }
 
+      const { session_id: sessionId, claim_id: claimId, status, summary, force } = validation.data;
+
       const claim = await getClaim(db, claimId);
       if (!claim) {
         return createToolResult(
@@ -559,11 +532,17 @@ export async function handleClaimTool(
     }
 
     case 'collab_claims_list': {
-      const claims = await listClaims(db, {
-        session_id: args.session_id as string | undefined,
-        status: (args.status as 'active' | 'completed' | 'abandoned' | 'all') ?? 'active',
-        project_root: args.project_root as string | undefined,
-      });
+      // Validate input with Zod schema (all fields optional)
+      const validation = validateInput(claimListSchema, args);
+      if (!validation.success) {
+        return createToolResult(
+          JSON.stringify({ error: 'INVALID_INPUT', message: validation.error }),
+          true
+        );
+      }
+
+      const { session_id, status = 'active', project_root } = validation.data;
+      const claims = await listClaims(db, { session_id, status, project_root });
 
       return createToolResult(
         JSON.stringify(