wyrm-mcp 7.2.1 → 7.2.2

package/dist/handlers/survivors.js

@@ -1,120 +1 @@
-/**
- * v7 F3 (T021/T022) — the 7.0 SURVIVOR set (spec FR-4): the frozen advertised
- * surface.
- *
- * The frozen ~31-verb surface at 7.0.0 is: the hot-path singles that keep
- * their first-class 6.x names verbatim (§6: "every existing CLAUDE.md
- * contract keeps working unmodified"), the action-param nouns whose 6.x name
- * already IS the noun, and the T022 noun shims (src/handlers/shims.ts).
- *
- * The alias spine generator (scripts/gen-alias-spine.mjs) computes the alias
- * keyset as
- *
- *     aliases = live ListTools names − SURVIVOR_TOOLS
- *
- * and CI (tests/alias-spine.test.ts) asserts that equation against the REAL
- * booted server — never a prose list (spec FR-4; the panel itself misnamed
- * the orchestration trio, which is why generation from the live wire is law).
- * The CI test also asserts SURVIVOR_TOOLS ⊆ live names (a ghost survivor
- * would silently corrupt the subtraction) — the shims are advertised, so the
- * equation needs no special-casing.
- *
- * T022 reconciliation (recorded deviation): spec FR-4 as approved enumerated
- * 15 singles + 19 nouns = 34 advertised names, conflicting with its own §7
- * criterion 1 ("default ListTools advertises ≤32 tools", version-pinned).
- * The T032 findings pass amended the same reconciliation INTO spec.md FR-4,
- * so the spec is again the single source of truth for the frozen surface
- * (tests/hygiene-security-floor.test.ts locks the amendment in place).
- * Two same-domain folds close the gap without losing any advertised
- * capability:
- *   - wyrm_entity_graph → wyrm_entity action=graph (demoted from the T021
- *     survivor list to an alias; its 6.x case is untouched);
- *   - the events noun → wyrm_replication action=publish|since|subscribe|
- *     replicate (the Live-Memory event mesh IS the replication domain).
- * Surface today: 19 + 12 shims + wyrm_run (T027, V7_NEW_TOOL_NAMES) = 32 —
- * exactly at the pin.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later
- */
-import { SHIM_TOOL_NAMES } from './shims.js';
-/**
- * Survivors whose names exist on the 6.x (pre-shim) surface.
- *
- * Hot-path singles (spec FR-4 / §6 frozen names):
- *   buddy (the well-known Buddy Protocol name — wyrm_buddy folds INTO it,
- *   T021), wyrm_act, wyrm_call_external, wyrm_capabilities (retires to a
- *   resource in 7.1 once the fallback is proven), wyrm_capture,
- *   wyrm_context_build, wyrm_decided_because, wyrm_failure_check,
- *   wyrm_failure_record, wyrm_recall, wyrm_review, wyrm_search,
- *   wyrm_session_prime, wyrm_truth_get, wyrm_truth_set.
- *
- * Action-param nouns whose 6.x name IS already the noun:
- *   wyrm_maintenance, wyrm_replication (absorbing sync_conflicts/sync_resolve
- *   + the events quartet, T022), wyrm_share, wyrm_stats.
- *   (wyrm_entity_graph was in this list at T021; T022 folded it into
- *   wyrm_entity action=graph — see the header deviation.)
- */
-export const LEGACY_SURVIVOR_TOOLS = new Set([
-    'buddy',
-    'wyrm_act',
-    'wyrm_call_external',
-    'wyrm_capabilities',
-    'wyrm_capture',
-    'wyrm_context_build',
-    'wyrm_decided_because',
-    'wyrm_failure_check',
-    'wyrm_failure_record',
-    'wyrm_maintenance',
-    'wyrm_recall',
-    'wyrm_replication',
-    'wyrm_review',
-    'wyrm_search',
-    'wyrm_session_prime',
-    'wyrm_share',
-    'wyrm_stats',
-    'wyrm_truth_get',
-    'wyrm_truth_set',
-]);
-/**
- * v7 F3 (T027): NEW first-class 7.0 tools — neither 6.x names (so never rows
- * in the 137-name disposition table, and excluded from the 6.x-name corpora)
- * nor shims (they have real ToolSpec handlers in the registry, not
- * resolveShimCall translations). Every count formula that was
- * `WYRM_TOOL_COUNT + SHIM_TOOL_NAMES.length` is now `+ V7_NEW_TOOL_NAMES
- * .length` too. wyrm_run (spec FR-5, the run loop) is the 32nd survivor —
- * the surface lands exactly at the spec §7 criterion-1 pin.
- */
-export const V7_NEW_TOOL_NAMES = ['wyrm_run'];
-/**
- * v7 F4 (T040): NEW 7.x tools that are NOT advertised — like V7_NEW_TOOL_NAMES
- * they are neither 6.x names (excluded from the 137-name disposition table +
- * the 6.x-name corpora) nor shims, BUT they are NOT survivors: they live as
- * HIDDEN ALIASES (callable, never on the default ListTools), reached only via a
- * survivor's mode/action. wyrm_capture_trace is reached via
- * wyrm_capture({ mode: 'trace' }) — the same shape wyrm_auto_capture (mode=
- * extract) and wyrm_harvest (mode=artifacts) take, except those were 6.x names
- * so they sit in the legacy corpus; this one is brand-new, so it must be
- * subtracted from the 6.x corpus the same way V7_NEW is, yet stay OUT of
- * SURVIVOR_TOOLS so the §7 criterion-1 ≤32 advertised pin holds.
- */
-export const V7_HIDDEN_TOOL_NAMES = ['wyrm_capture_trace'];
-/** v7 additions over the 6.x set (advertised survivors + hidden aliases) —
- * the subtraction that re-derives the frozen 137-name 6.x corpus from the
- * live wire (tests/alias-leak.test.ts, scripts/gen-*). */
-export const V7_ADDED_TOOL_NAMES = [...V7_NEW_TOOL_NAMES, ...V7_HIDDEN_TOOL_NAMES];
-/**
- * THE frozen advertised surface (default ListTools): legacy-named survivors +
- * the T022 noun shims + the T027 first-class v7 tools. Everything else is a
- * hidden alias (callable, never advertised) or a CLI exile.
- * NOTE: V7_HIDDEN_TOOL_NAMES are deliberately NOT here — they are hidden
- * aliases, reached via a survivor's mode (the ≤32 advertised pin holds).
- */
-export const SURVIVOR_TOOLS = new Set([
-    ...LEGACY_SURVIVOR_TOOLS,
-    ...SHIM_TOOL_NAMES,
-    ...V7_NEW_TOOL_NAMES,
-]);
-/** Sorted array view (codepoint order) for deterministic iteration. */
-export const SURVIVOR_NAMES = [...SURVIVOR_TOOLS].sort();
-//# sourceMappingURL=survivors.js.map
+import{SHIM_TOOL_NAMES as _}from"./shims.js";const e=new Set(["buddy","wyrm_act","wyrm_call_external","wyrm_capabilities","wyrm_capture","wyrm_context_build","wyrm_decided_because","wyrm_failure_check","wyrm_failure_record","wyrm_maintenance","wyrm_recall","wyrm_replication","wyrm_review","wyrm_search","wyrm_session_prime","wyrm_share","wyrm_stats","wyrm_truth_get","wyrm_truth_set"]),r=["wyrm_run"],t=["wyrm_capture_trace"],c=[...r,...t],m=new Set([...e,..._,...r]),y=[...m].sort();export{e as LEGACY_SURVIVOR_TOOLS,y as SURVIVOR_NAMES,m as SURVIVOR_TOOLS,c as V7_ADDED_TOOL_NAMES,t as V7_HIDDEN_TOOL_NAMES,r as V7_NEW_TOOL_NAMES};

package/dist/handlers/symbols.js

@@ -1,109 +1,8 @@
-/**
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later
- */
-import { TOOL_ANNOTATIONS } from "../tool-annotations.js";
-export const symbolsToolSpecs = [
-    {
-        name: "wyrm_symbol_index",
-        description: "Scan a project for function/class/type/interface definitions across TS/JS/Python/Rust/Go/PHP/Ruby and index them. Idempotent — clears the project's symbols before re-indexing.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                projectPath: { type: "string", description: "Project root to scan" },
-            },
-            required: ["projectPath"],
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_symbol_index"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db, symbols } = ctx;
-            const { projectPath } = args;
-            const project = db.getProject(projectPath);
-            if (!project)
-                return { content: [{ type: "text", text: "Project not found" }], isError: true };
-            const result = symbols.indexProject(project.id, project.path);
-            return { content: [{ type: "text", text: `󱅝 Indexed ${result.symbols} symbol(s) across ${result.files} file(s) in ${project.name}.` }] };
-        },
-    },
-    {
-        name: "wyrm_symbol_search",
-        description: "Look up a symbol across all (or one) project. Cursor's workspace-symbols stops at the repo boundary; this doesn't.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                symbol: { type: "string", description: "Name to search for" },
-                projectPath: { type: "string", description: "Scope to one project (optional)" },
-                kind: { type: "string", enum: ["function", "class", "type", "interface", "const", "export"], description: "Filter by kind" },
-                language: { type: "string", description: "Filter by language: ts/tsx/js/jsx/py/rs/go/php/rb" },
-                exact: { type: "boolean", description: "Exact match (default: substring)" },
-                limit: { type: "number", description: "Max results (default 50)" },
-            },
-            required: ["symbol"],
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_symbol_search"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db, symbols } = ctx;
-            const { symbol, projectPath, kind, language, exact, limit } = args;
-            const project = projectPath ? db.getProject(projectPath) : null;
-            const rows = symbols.search(symbol, {
-                projectId: project?.id,
-                kind, language, exact,
-                limit: Math.min(Math.max(1, limit ?? 50), 500),
-            });
-            if (rows.length === 0) {
-                return { content: [{ type: "text", text: `󱅝 No symbols match "${symbol}".` }] };
-            }
-            const text = rows.map(r => `• [${r.language}] ${r.kind} ${r.symbol} — ${r.file_path}:${r.line}\n    ${r.signature ?? ''}`).join('\n');
-            return { content: [{ type: "text", text: `󱅝 ${rows.length} match(es):\n${text}` }] };
-        },
-    },
-    {
-        name: "wyrm_symbol_callers",
-        description: "Best-effort caller graph — files in the project (or workspace) whose indexed signature mentions this symbol. Approximate; for a true caller graph use LSP.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                symbol: { type: "string" },
-                projectPath: { type: "string", description: "Scope to one project (optional)" },
-            },
-            required: ["symbol"],
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_symbol_callers"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db, symbols } = ctx;
-            const { symbol, projectPath } = args;
-            const project = projectPath ? db.getProject(projectPath) : null;
-            const rows = symbols.callers(symbol, project?.id);
-            if (rows.length === 0) {
-                return { content: [{ type: "text", text: `󱅝 No indexed callers for "${symbol}".` }] };
-            }
-            const text = rows.slice(0, 50).map(r => `• ${r.file_path}:${r.line} — ${r.signature?.slice(0, 100) ?? ''}`).join('\n');
-            return { content: [{ type: "text", text: `󱅝 ${rows.length} caller candidate(s) (showing first 50):\n${text}` }] };
-        },
-    },
-    {
-        name: "wyrm_symbol_stats",
-        description: "Symbol-index stats — total count, per-language and per-kind breakdown. Project-scoped if projectPath given, else workspace-wide.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                projectPath: { type: "string", description: "Scope to one project (optional)" },
-            },
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_symbol_stats"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db, symbols } = ctx;
-            const { projectPath } = args;
-            const project = projectPath ? db.getProject(projectPath) : null;
-            const s = symbols.stats(project?.id);
-            const langs = Object.entries(s.by_language).map(([k, v]) => `${k}: ${v}`).join(', ');
-            const kinds = Object.entries(s.by_kind).map(([k, v]) => `${k}: ${v}`).join(', ');
-            return { content: [{ type: "text", text: `󱅝 Symbols indexed: ${s.total}\nLanguages: ${langs || '—'}\nKinds: ${kinds || '—'}` }] };
-        },
-    },
-];
-//# sourceMappingURL=symbols.js.map
+import{TOOL_ANNOTATIONS as m}from"../tool-annotations.js";const u=[{name:"wyrm_symbol_index",description:"Scan a project for function/class/type/interface definitions across TS/JS/Python/Rust/Go/PHP/Ruby and index them. Idempotent \u2014 clears the project's symbols before re-indexing.",inputSchema:{type:"object",properties:{projectPath:{type:"string",description:"Project root to scan"}},required:["projectPath"]},annotations:m.wyrm_symbol_index,aliases:[],handler:async(s,r)=>{const{db:i,symbols:a}=r,{projectPath:e}=s,t=i.getProject(e);if(!t)return{content:[{type:"text",text:"Project not found"}],isError:!0};const o=a.indexProject(t.id,t.path);return{content:[{type:"text",text:`\u{F115D} Indexed ${o.symbols} symbol(s) across ${o.files} file(s) in ${t.name}.`}]}}},{name:"wyrm_symbol_search",description:"Look up a symbol across all (or one) project. Cursor's workspace-symbols stops at the repo boundary; this doesn't.",inputSchema:{type:"object",properties:{symbol:{type:"string",description:"Name to search for"},projectPath:{type:"string",description:"Scope to one project (optional)"},kind:{type:"string",enum:["function","class","type","interface","const","export"],description:"Filter by kind"},language:{type:"string",description:"Filter by language: ts/tsx/js/jsx/py/rs/go/php/rb"},exact:{type:"boolean",description:"Exact match (default: substring)"},limit:{type:"number",description:"Max results (default 50)"}},required:["symbol"]},annotations:m.wyrm_symbol_search,aliases:[],handler:async(s,r)=>{const{db:i,symbols:a}=r,{symbol:e,projectPath:t,kind:o,language:c,exact:l,limit:n}=s,y=t?i.getProject(t):null,d=a.search(e,{projectId:y?.id,kind:o,language:c,exact:l,limit:Math.min(Math.max(1,n??50),500)});if(d.length===0)return{content:[{type:"text",text:`\u{F115D} No symbols match "${e}".`}]};const b=d.map(p=>`\u2022 [${p.language}] ${p.kind} ${p.symbol} \u2014 ${p.file_path}:${p.line}
+    ${p.signature??""}`).join(`
+`);return{content:[{type:"text",text:`\u{F115D} ${d.length} match(es):
+${b}`}]}}},{name:"wyrm_symbol_callers",description:"Best-effort caller graph \u2014 files in the project (or workspace) whose indexed signature mentions this symbol. Approximate; for a true caller graph use LSP.",inputSchema:{type:"object",properties:{symbol:{type:"string"},projectPath:{type:"string",description:"Scope to one project (optional)"}},required:["symbol"]},annotations:m.wyrm_symbol_callers,aliases:[],handler:async(s,r)=>{const{db:i,symbols:a}=r,{symbol:e,projectPath:t}=s,o=t?i.getProject(t):null,c=a.callers(e,o?.id);if(c.length===0)return{content:[{type:"text",text:`\u{F115D} No indexed callers for "${e}".`}]};const l=c.slice(0,50).map(n=>`\u2022 ${n.file_path}:${n.line} \u2014 ${n.signature?.slice(0,100)??""}`).join(`
+`);return{content:[{type:"text",text:`\u{F115D} ${c.length} caller candidate(s) (showing first 50):
+${l}`}]}}},{name:"wyrm_symbol_stats",description:"Symbol-index stats \u2014 total count, per-language and per-kind breakdown. Project-scoped if projectPath given, else workspace-wide.",inputSchema:{type:"object",properties:{projectPath:{type:"string",description:"Scope to one project (optional)"}}},annotations:m.wyrm_symbol_stats,aliases:[],handler:async(s,r)=>{const{db:i,symbols:a}=r,{projectPath:e}=s,t=e?i.getProject(e):null,o=a.stats(t?.id),c=Object.entries(o.by_language).map(([n,y])=>`${n}: ${y}`).join(", "),l=Object.entries(o.by_kind).map(([n,y])=>`${n}: ${y}`).join(", ");return{content:[{type:"text",text:`\u{F115D} Symbols indexed: ${o.total}
+Languages: ${c||"\u2014"}
+Kinds: ${l||"\u2014"}`}]}}}];export{u as symbolsToolSpecs};

package/dist/handlers/syncops.js

@@ -1,310 +1,12 @@
-/**
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later
- */
-import { TOOL_ANNOTATIONS } from "../tool-annotations.js";
-import { logger } from "../logger.js";
-import { asInt } from "../validate.js";
-import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "crypto";
-import { chmodSync, copyFileSync, existsSync as fsExistsSync, readFileSync, unlinkSync, writeFileSync } from "fs";
-import { homedir } from "os";
-import { join as pathJoin } from "path";
-export const syncopsToolSpecs = [
-    {
-        name: "wyrm_prune",
-        description: "Prune low-confidence, stale memory artifacts. Dry-run by default — use dry_run:false with confirm_ids to actually delete. Never deletes artifacts in the review queue.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                project_id: { type: "number", description: "Project ID (optional, all projects if omitted)" },
-                min_confidence: { type: "number", description: "Prune artifacts below this confidence (default: 0.3)" },
-                older_than_days: { type: "number", description: "Last accessed more than N days ago (default: 90)" },
-                types: { type: "array", items: { type: "string" }, description: "Filter by artifact_type (optional)" },
-                dry_run: { type: "boolean", description: "If true (default), return candidates without deleting. Set false to delete." },
-                confirm_ids: { type: "array", items: { type: "number" }, description: "Required when dry_run:false — only IDs in this list will be deleted" },
-            },
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_prune"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db } = ctx;
-            const a = args || {};
-            const { project_id: pruneProjectId, min_confidence: pruneMinConf = 0.3, older_than_days: pruneOlderDays = 90, types: pruneTypes, dry_run: pruneDryRun = true, confirm_ids: pruneConfirmIds, } = args;
-            const rawDbPrune = db.getDatabase();
-            // SECURITY: project_id must never be string-interpolated into SQL —
-            // validate at the boundary (throws ValidationError → clean isError), then bind.
-            const safePruneProjectId = asInt('project_id', pruneProjectId);
-            const projectClausePrune = safePruneProjectId !== undefined ? 'AND project_id = ?' : '';
-            const projectParamsPrune = safePruneProjectId !== undefined ? [safePruneProjectId] : [];
-            const typeClausePrune = pruneTypes && pruneTypes.length > 0
-                ? `AND kind IN (${pruneTypes.map(() => '?').join(',')})`
-                : '';
-            const typeParamsPrune = pruneTypes ?? [];
-            const candidateRows = rawDbPrune.prepare(`
+import{TOOL_ANNOTATIONS as E}from"../tool-annotations.js";import{logger as R}from"../logger.js";import{asInt as B}from"../validate.js";import{createCipheriv as L,createDecipheriv as F,pbkdf2Sync as O,randomBytes as C}from"crypto";import{chmodSync as U,copyFileSync as j,existsSync as x,readFileSync as M,unlinkSync as c,writeFileSync as I}from"fs";import{homedir as k}from"os";import{join as D}from"path";const K=[{name:"wyrm_prune",description:"Prune low-confidence, stale memory artifacts. Dry-run by default \u2014 use dry_run:false with confirm_ids to actually delete. Never deletes artifacts in the review queue.",inputSchema:{type:"object",properties:{project_id:{type:"number",description:"Project ID (optional, all projects if omitted)"},min_confidence:{type:"number",description:"Prune artifacts below this confidence (default: 0.3)"},older_than_days:{type:"number",description:"Last accessed more than N days ago (default: 90)"},types:{type:"array",items:{type:"string"},description:"Filter by artifact_type (optional)"},dry_run:{type:"boolean",description:"If true (default), return candidates without deleting. Set false to delete."},confirm_ids:{type:"array",items:{type:"number"},description:"Required when dry_run:false \u2014 only IDs in this list will be deleted"}}},annotations:E.wyrm_prune,aliases:[],handler:async(f,b)=>{const{db:i}=b,N=f||{},{project_id:s,min_confidence:g=.3,older_than_days:p=90,types:d,dry_run:e=!0,confirm_ids:t}=f,y=i.getDatabase(),o=B("project_id",s),h=o!==void 0?"AND project_id = ?":"",_=o!==void 0?[o]:[],w=d&&d.length>0?`AND kind IN (${d.map(()=>"?").join(",")})`:"",u=d??[],m=y.prepare(`
           SELECT id, project_id, kind, problem, confidence, last_accessed_at, access_count
           FROM memory_artifacts
           WHERE confidence < ?
             AND (last_accessed_at IS NULL OR last_accessed_at < datetime('now', ?))
             AND needs_review = 0
             AND supersedes_id IS NULL
-            ${projectClausePrune}
-            ${typeClausePrune}
+            ${h}
+            ${w}
           ORDER BY confidence ASC, last_accessed_at ASC
           LIMIT 500
-        `).all(pruneMinConf, `-${pruneOlderDays} days`, ...projectParamsPrune, ...typeParamsPrune);
-            if (pruneDryRun) {
-                return {
-                    content: [{
-                            type: "text",
-                            text: JSON.stringify({
-                                dry_run: true,
-                                count: candidateRows.length,
-                                candidates: candidateRows.map(r => ({
-                                    id: r.id,
-                                    kind: r.kind,
-                                    problem: r.problem.slice(0, 100),
-                                    confidence: r.confidence,
-                                    last_accessed_at: r.last_accessed_at,
-                                })),
-                            }),
-                        }],
-                };
-            }
-            // dry_run: false — require confirm_ids
-            if (!pruneConfirmIds || pruneConfirmIds.length === 0) {
-                return {
-                    content: [{ type: "text", text: `󱅝 **Prune**: dry_run:false requires confirm_ids — provide the IDs from a dry-run to confirm deletion.` }],
-                    isError: true,
-                };
-            }
-            const candidateIds = new Set(candidateRows.map(r => r.id));
-            const toDelete = pruneConfirmIds.filter(id => candidateIds.has(id));
-            if (toDelete.length === 0) {
-                return {
-                    content: [{ type: "text", text: `󱅝 **Prune**: No matching IDs to delete (confirm_ids not in candidate set).` }],
-                };
-            }
-            const placeholdersPrune = toDelete.map(() => '?').join(',');
-            const deleteResult = rawDbPrune.prepare(`DELETE FROM memory_artifacts WHERE id IN (${placeholdersPrune}) AND needs_review = 0`).run(...toDelete);
-            return {
-                content: [{
-                        type: "text",
-                        text: JSON.stringify({ deleted: deleteResult.changes, ids: toDelete }),
-                    }],
-            };
-        },
-    },
-    {
-        name: "wyrm_sync_export",
-        description: "Export an AES-256-GCM encrypted snapshot of the Wyrm database for cross-device sync. Passphrase from WYRM_SYNC_PASSPHRASE env var.",
-        inputSchema: {
-            type: "object",
-            properties: {
-                output_path: { type: "string", description: "File path to write the encrypted snapshot" },
-                description: { type: "string", description: "Optional description of this export" },
-            },
-            required: ["output_path"],
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_sync_export"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db, server } = ctx;
-            const { output_path: exportPath, description: exportDesc } = args;
-            const passphrase = process.env.WYRM_SYNC_PASSPHRASE;
-            if (!passphrase) {
-                return {
-                    content: [{ type: "text", text: `󱅝 **Sync Export**: Set WYRM_SYNC_PASSPHRASE env var to enable encrypted export.` }],
-                    isError: true,
-                };
-            }
-            const dbPath = db.getDatabasePath();
-            const wyrmDir = pathJoin(homedir(), '.wyrm');
-            const tempDbPath = pathJoin(wyrmDir, 'wyrm_sync_export_temp.db');
-            try {
-                // WAL-safe snapshot via VACUUM INTO
-                const rawDbExport = db.getDatabase();
-                if (fsExistsSync(tempDbPath))
-                    unlinkSync(tempDbPath);
-                rawDbExport.prepare(`VACUUM INTO ?`).run(tempDbPath);
-                // Read snapshot
-                const plaintext = readFileSync(tempDbPath);
-                // Derive key
-                const salt = randomBytes(32);
-                const iv = randomBytes(16);
-                const key = pbkdf2Sync(passphrase, salt, 600000, 32, 'sha256');
-                // Encrypt
-                const cipher = createCipheriv('aes-256-gcm', key, iv);
-                const encrypted = Buffer.concat([cipher.update(plaintext), cipher.final()]);
-                const authTag = cipher.getAuthTag();
-                // Binary format: WYRM(4) + version(1) + salt(32) + iv(16) + authTag(16) + data
-                const magic = Buffer.from('WYRM');
-                const version = Buffer.alloc(1);
-                version.writeUInt8(1, 0);
-                const output = Buffer.concat([magic, version, salt, iv, authTag, encrypted]);
-                writeFileSync(exportPath, output);
-                try {
-                    chmodSync(exportPath, 0o600);
-                }
-                catch { /* non-fatal */ }
-                // Clean up temp
-                try {
-                    unlinkSync(tempDbPath);
-                }
-                catch { /* non-fatal */ }
-                const sizeMb = (output.length / (1024 * 1024)).toFixed(2);
-                return {
-                    content: [{
-                            type: "text",
-                            text: JSON.stringify({
-                                success: true,
-                                path: exportPath,
-                                size_mb: parseFloat(sizeMb),
-                                exported_at: new Date().toISOString(),
-                                description: exportDesc ?? null,
-                            }),
-                        }],
-                };
-            }
-            catch (err) {
-                try {
-                    if (fsExistsSync(tempDbPath))
-                        unlinkSync(tempDbPath);
-                }
-                catch { /* clean up */ }
-                logger.error('Sync export failed', { error: err.message });
-                return {
-                    content: [{ type: "text", text: `󱅝 **Sync Export** failed. Check server logs for details.` }],
-                    isError: true,
-                };
-            }
-        },
-    },
-    {
-        name: "wyrm_sync_import",
-        description: "Import an encrypted Wyrm snapshot. Use restore_mode:'preview' to inspect without touching the DB; 'restore' to replace current DB (backs up first).",
-        inputSchema: {
-            type: "object",
-            properties: {
-                input_path: { type: "string", description: "Path to the encrypted snapshot file" },
-                restore_mode: { type: "string", enum: ["preview", "restore"], description: "preview = show stats only; restore = replace DB (backs up first)" },
-            },
-            required: ["input_path", "restore_mode"],
-        },
-        annotations: TOOL_ANNOTATIONS["wyrm_sync_import"],
-        aliases: [],
-        handler: async (args, ctx) => {
-            const { db, server } = ctx;
-            const { input_path: importPath, restore_mode: restoreMode } = args;
-            const passphrase = process.env.WYRM_SYNC_PASSPHRASE;
-            if (!passphrase) {
-                return {
-                    content: [{ type: "text", text: `󱅝 **Sync Import**: Set WYRM_SYNC_PASSPHRASE env var to enable encrypted import.` }],
-                    isError: true,
-                };
-            }
-            const wyrmDirImport = pathJoin(homedir(), '.wyrm');
-            const tempImportPath = pathJoin(wyrmDirImport, 'wyrm_sync_import_temp.db');
-            try {
-                const fileData = readFileSync(importPath);
-                // Validate magic bytes
-                const magic = fileData.subarray(0, 4).toString('ascii');
-                if (magic !== 'WYRM') {
-                    return { content: [{ type: "text", text: `󱅝 Invalid Wyrm snapshot file (bad magic bytes).` }], isError: true };
-                }
-                const version = fileData.readUInt8(4);
-                if (version !== 1) {
-                    return { content: [{ type: "text", text: `󱅝 Unsupported snapshot version: ${version}` }], isError: true };
-                }
-                const salt = fileData.subarray(5, 37);
-                const iv = fileData.subarray(37, 53);
-                const authTag = fileData.subarray(53, 69);
-                const encrypted = fileData.subarray(69);
-                // Derive key & decrypt
-                const key = pbkdf2Sync(passphrase, salt, 600000, 32, 'sha256');
-                const decipher = createDecipheriv('aes-256-gcm', key, iv);
-                decipher.setAuthTag(authTag);
-                let decrypted;
-                try {
-                    decrypted = Buffer.concat([decipher.update(encrypted), decipher.final()]);
-                }
-                catch {
-                    return { content: [{ type: "text", text: `󱅝 Decryption failed — wrong passphrase or corrupted snapshot.` }], isError: true };
-                }
-                if (restoreMode === 'preview') {
-                    // Open temp DB and return stats
-                    if (fsExistsSync(tempImportPath))
-                        unlinkSync(tempImportPath);
-                    writeFileSync(tempImportPath, decrypted);
-                    let previewStats = {};
-                    try {
-                        const BetterSQLite = (await import('better-sqlite3')).default;
-                        const previewDb = new BetterSQLite(tempImportPath, { readonly: true });
-                        const tables = ['projects', 'sessions', 'ground_truths', 'memory_artifacts', 'quests'];
-                        for (const t of tables) {
-                            try {
-                                const row = previewDb.prepare(`SELECT COUNT(*) as n FROM ${t}`).get();
-                                previewStats[t] = row.n;
-                            }
-                            catch {
-                                previewStats[t] = 0;
-                            }
-                        }
-                        previewDb.close();
-                    }
-                    catch { /* stats optional */ }
-                    try {
-                        unlinkSync(tempImportPath);
-                    }
-                    catch { /* clean up */ }
-                    return {
-                        content: [{
-                                type: "text",
-                                text: JSON.stringify({ preview: true, stats: previewStats }),
-                            }],
-                    };
-                }
-                // restore mode
-                const dbPathImport = db.getDatabasePath();
-                const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
-                const backupPath = `${dbPathImport}.backup.${timestamp}`;
-                // Backup current DB
-                copyFileSync(dbPathImport, backupPath);
-                // Write decrypted to temp
-                if (fsExistsSync(tempImportPath))
-                    unlinkSync(tempImportPath);
-                writeFileSync(tempImportPath, decrypted);
-                // Close current DB connection, replace file, reopen
-                const rawDbImport = db.getDatabase();
-                rawDbImport.close();
-                copyFileSync(tempImportPath, dbPathImport);
-                try {
-                    unlinkSync(tempImportPath);
-                }
-                catch { /* clean up */ }
-                return {
-                    content: [{
-                            type: "text",
-                            text: JSON.stringify({
-                                success: true,
-                                restored_from: importPath,
-                                backup_at: backupPath,
-                            }),
-                        }],
-                };
-            }
-            catch (err) {
-                try {
-                    if (fsExistsSync(tempImportPath))
-                        unlinkSync(tempImportPath);
-                }
-                catch { /* clean up */ }
-                logger.error('Sync import failed', { error: err.message });
-                return {
-                    content: [{ type: "text", text: `󱅝 **Sync Import** failed. Check server logs for details.` }],
-                    isError: true,
-                };
-            }
-        },
-    },
-];
-//# sourceMappingURL=syncops.js.map
+        `).all(g,`-${p} days`,..._,...u);if(e)return{content:[{type:"text",text:JSON.stringify({dry_run:!0,count:m.length,candidates:m.map(r=>({id:r.id,kind:r.kind,problem:r.problem.slice(0,100),confidence:r.confidence,last_accessed_at:r.last_accessed_at}))})}]};if(!t||t.length===0)return{content:[{type:"text",text:"\u{F115D} **Prune**: dry_run:false requires confirm_ids \u2014 provide the IDs from a dry-run to confirm deletion."}],isError:!0};const l=new Set(m.map(r=>r.id)),n=t.filter(r=>l.has(r));if(n.length===0)return{content:[{type:"text",text:"\u{F115D} **Prune**: No matching IDs to delete (confirm_ids not in candidate set)."}]};const a=n.map(()=>"?").join(","),S=y.prepare(`DELETE FROM memory_artifacts WHERE id IN (${a}) AND needs_review = 0`).run(...n);return{content:[{type:"text",text:JSON.stringify({deleted:S.changes,ids:n})}]}}},{name:"wyrm_sync_export",description:"Export an AES-256-GCM encrypted snapshot of the Wyrm database for cross-device sync. Passphrase from WYRM_SYNC_PASSPHRASE env var.",inputSchema:{type:"object",properties:{output_path:{type:"string",description:"File path to write the encrypted snapshot"},description:{type:"string",description:"Optional description of this export"}},required:["output_path"]},annotations:E.wyrm_sync_export,aliases:[],handler:async(f,b)=>{const{db:i,server:N}=b,{output_path:s,description:g}=f,p=process.env.WYRM_SYNC_PASSPHRASE;if(!p)return{content:[{type:"text",text:"\u{F115D} **Sync Export**: Set WYRM_SYNC_PASSPHRASE env var to enable encrypted export."}],isError:!0};const d=i.getDatabasePath(),e=D(k(),".wyrm"),t=D(e,"wyrm_sync_export_temp.db");try{const y=i.getDatabase();x(t)&&c(t),y.prepare("VACUUM INTO ?").run(t);const o=M(t),h=C(32),_=C(16),w=O(p,h,6e5,32,"sha256"),u=L("aes-256-gcm",w,_),m=Buffer.concat([u.update(o),u.final()]),l=u.getAuthTag(),n=Buffer.from("WYRM"),a=Buffer.alloc(1);a.writeUInt8(1,0);const S=Buffer.concat([n,a,h,_,l,m]);I(s,S);try{U(s,384)}catch{}try{c(t)}catch{}const r=(S.length/(1024*1024)).toFixed(2);return{content:[{type:"text",text:JSON.stringify({success:!0,path:s,size_mb:parseFloat(r),exported_at:new Date().toISOString(),description:g??null})}]}}catch(y){try{x(t)&&c(t)}catch{}return R.error("Sync export failed",{error:y.message}),{content:[{type:"text",text:"\u{F115D} **Sync Export** failed. Check server logs for details."}],isError:!0}}}},{name:"wyrm_sync_import",description:"Import an encrypted Wyrm snapshot. Use restore_mode:'preview' to inspect without touching the DB; 'restore' to replace current DB (backs up first).",inputSchema:{type:"object",properties:{input_path:{type:"string",description:"Path to the encrypted snapshot file"},restore_mode:{type:"string",enum:["preview","restore"],description:"preview = show stats only; restore = replace DB (backs up first)"}},required:["input_path","restore_mode"]},annotations:E.wyrm_sync_import,aliases:[],handler:async(f,b)=>{const{db:i,server:N}=b,{input_path:s,restore_mode:g}=f,p=process.env.WYRM_SYNC_PASSPHRASE;if(!p)return{content:[{type:"text",text:"\u{F115D} **Sync Import**: Set WYRM_SYNC_PASSPHRASE env var to enable encrypted import."}],isError:!0};const d=D(k(),".wyrm"),e=D(d,"wyrm_sync_import_temp.db");try{const t=M(s);if(t.subarray(0,4).toString("ascii")!=="WYRM")return{content:[{type:"text",text:"\u{F115D} Invalid Wyrm snapshot file (bad magic bytes)."}],isError:!0};const o=t.readUInt8(4);if(o!==1)return{content:[{type:"text",text:`\u{F115D} Unsupported snapshot version: ${o}`}],isError:!0};const h=t.subarray(5,37),_=t.subarray(37,53),w=t.subarray(53,69),u=t.subarray(69),m=O(p,h,6e5,32,"sha256"),l=F("aes-256-gcm",m,_);l.setAuthTag(w);let n;try{n=Buffer.concat([l.update(u),l.final()])}catch{return{content:[{type:"text",text:"\u{F115D} Decryption failed \u2014 wrong passphrase or corrupted snapshot."}],isError:!0}}if(g==="preview"){x(e)&&c(e),I(e,n);let P={};try{const T=(await import("better-sqlite3")).default,A=new T(e,{readonly:!0}),Y=["projects","sessions","ground_truths","memory_artifacts","quests"];for(const v of Y)try{const W=A.prepare(`SELECT COUNT(*) as n FROM ${v}`).get();P[v]=W.n}catch{P[v]=0}A.close()}catch{}try{c(e)}catch{}return{content:[{type:"text",text:JSON.stringify({preview:!0,stats:P})}]}}const a=i.getDatabasePath(),S=new Date().toISOString().replace(/[:.]/g,"-"),r=`${a}.backup.${S}`;j(a,r),x(e)&&c(e),I(e,n),i.getDatabase().close(),j(e,a);try{c(e)}catch{}return{content:[{type:"text",text:JSON.stringify({success:!0,restored_from:s,backup_at:r})}]}}catch(t){try{x(e)&&c(e)}catch{}return R.error("Sync import failed",{error:t.message}),{content:[{type:"text",text:"\u{F115D} **Sync Import** failed. Check server logs for details."}],isError:!0}}}}];export{K as syncopsToolSpecs};

package/dist/handlers/types.js

@@ -1,27 +1 @@
-/**
- * Handler-module contract (v7 A2 — decompose the index.ts monolith;
- * v7 F3 T018 — ToolSpec contract v2).
- *
- * Tool handlers are being lifted out of the one giant `switch (name)` in
- * index.ts into per-domain modules behind a registry. Each handler is a pure
- * function of (args, ctx) — no module-level closure — which makes it unit-
- * testable and lets the boundary validator (v7 A1) wrap it uniformly.
- *
- * v7 F3 (T018) upgrades the contract from bare handlers to full ToolSpec
- * modules: a domain exports `ToolSpec[]` carrying the COMPLETE tool identity
- * ({name, description, inputSchema, outputSchema, annotations, examples,
- * aliases, handler}), and the registry derives BOTH the dispatch map and the
- * advertised ListTools entries from the same objects — definition and
- * behavior cannot drift because they are one value.
- *
- * @copyright 2026 Ghost Protocol (Pvt) Ltd.
- * @license AGPL-3.0-or-later
- */
-/** Safely read the text of a content block — returns '' for a resource_link
- * (which carries no text). v7 F4 (T034): lets the few call sites that read
- * `content[0].text` survive the union widening without a cast (the text block
- * is always content[0] by renderResult construction, but TS can't prove it). */
-export function blockText(block) {
-    return block && 'text' in block ? block.text : '';
-}
-//# sourceMappingURL=types.js.map
+function e(t){return t&&"text"in t?t.text:""}export{e as blockText};