diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c995b7261..46ba4a7de 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -28,10 +28,16 @@ jobs:
       - name: Build core package first
         run: cd packages/core && bun run build
 
+      - name: Build owletto SDK for backend tests
+        run: cd packages/owletto-sdk && bun run build
+
       - name: Run tests with coverage
         run: |
           # Run core, gateway, and cli tests fully
           bun test packages/core packages/gateway packages/cli --coverage
+          # Owletto backend sandbox/auth coverage for MCP execute/search changes
+          bun test packages/owletto-backend/src/__tests__/unit/sandbox
+          bun test packages/owletto-backend/src/auth/__tests__/tool-access.test.ts
           # Worker tests that don't transitively load pi-coding-agent runtime (WASM unavailable on CI)
           bun test packages/worker/src/__tests__/embedded-tools.test.ts packages/worker/src/__tests__/model-resolver.test.ts packages/worker/src/__tests__/tool-policy.test.ts packages/worker/src/__tests__/processor.test.ts packages/worker/src/__tests__/audio-provider-suggestions.test.ts packages/worker/src/__tests__/generated-media.test.ts packages/worker/src/__tests__/tool-implementations.test.ts packages/worker/src/__tests__/instructions.test.ts packages/worker/src/__tests__/custom-tools.test.ts
 
diff --git a/.gitignore b/.gitignore
index 34eb76065..0125ec13d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,6 +31,8 @@ packages/**/*.d.ts.map
 !packages/cli/bin/*.js
 # Tailwind config is a JS config file, not a build artifact
 !packages/gateway/tailwind.config.js
+# Hand-authored type shims for optional native modules (not build output)
+!packages/**/src/types/*.d.ts
 tsconfig.tsbuildinfo
 **/tsconfig.tsbuildinfo
 
diff --git a/bun.lock b/bun.lock
index 0f5fa33e9..d5811b0c0 100644
--- a/bun.lock
+++ b/bun.lock
@@ -16,7 +16,7 @@
     },
     "packages/cli": {
       "name": "@lobu/cli",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "bin": {
         "lobu": "bin/lobu.js",
       },
@@ -40,7 +40,7 @@
     },
     "packages/core": {
       "name": "@lobu/core",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "dependencies": {
         "@opentelemetry/api": "^1.9.0",
         "@opentelemetry/exporter-trace-otlp-grpc": "^0.57.0",
@@ -60,7 +60,7 @@
     },
     "packages/gateway": {
       "name": "@lobu/gateway",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "dependencies": {
         "@anthropic-ai/sdk": "^0.90.0",
         "@aws-sdk/client-bedrock": "^3.1028.0",
@@ -119,7 +119,6 @@
       "version": "1.6.0",
       "dependencies": {
         "@hono/node-server": "^1.13.7",
-        "@jitl/quickjs-ng-wasmfile-release-asyncify": "0.31.0",
         "@lobu/core": "workspace:*",
         "@lobu/gateway": "workspace:*",
         "@lobu/owletto-sdk": "workspace:*",
@@ -127,7 +126,6 @@
         "@polyglot-sql/sdk": "^0.1.13",
         "@react-email/components": "^1.0.12",
         "@react-email/render": "^2.0.7",
-        "@sebastianwessel/quickjs": "^3.0.1",
         "@sentry/node": "^9.0.0",
         "@sinclair/typebox": "^0.34.41",
         "@slack/socket-mode": "^2.0.6",
@@ -160,10 +158,13 @@
         "vite": "^6.0.0",
         "vitest": "^2.1.8",
       },
+      "optionalDependencies": {
+        "isolated-vm": "^5.0.4",
+      },
     },
     "packages/owletto-cli": {
       "name": "owletto",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "bin": {
         "owletto": "./dist/bin.js",
       },
@@ -223,7 +224,7 @@
     },
     "packages/owletto-openclaw": {
       "name": "@lobu/owletto-openclaw",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "devDependencies": {
         "@types/node": "^20.10.0",
         "postgres": "^3.4.7",
@@ -233,7 +234,7 @@
     },
     "packages/owletto-sdk": {
       "name": "@lobu/owletto-sdk",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "dependencies": {
         "@sinclair/typebox": "^0.34.41",
         "ky": "^1.14.0",
@@ -335,7 +336,7 @@
     },
     "packages/worker": {
       "name": "@lobu/worker",
-      "version": "4.2.0",
+      "version": "4.3.0",
       "bin": {
         "lobu-worker": "./dist/index.js",
       },
@@ -835,9 +836,7 @@
 
     "@istanbuljs/schema": ["@istanbuljs/schema@0.1.6", "", {}, "sha512-+Sg6GCR/wy1oSmQDFq4LQDAhm3ETKnorxN+y5nbLULOR3P0c14f2Wurzj3/xqPXtasLFfHd5iRFQ7AJt4KH2cw=="],
 
-    "@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.31.0", "", {}, "sha512-1yrgvXlmXH2oNj3eFTrkwacGJbmM0crwipA3ohCrjv52gBeDaD7PsTvFYinlAnqU8iPME3LGP437yk05a2oejw=="],
-
-    "@jitl/quickjs-ng-wasmfile-release-asyncify": ["@jitl/quickjs-ng-wasmfile-release-asyncify@0.31.0", "", { "dependencies": { "@jitl/quickjs-ffi-types": "0.31.0" } }, "sha512-g/yFBenancWcbDqMMlJJljZBXzFBoqxQhvDoElwTfLNbfLSn+dYXUzHzs36DkX/OEWRWnnu0lS0KSfQ8/wl+QQ=="],
+    "@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.32.0", "", {}, "sha512-v9T+GQpmk43VDJ7d72sf0Nexhk+ArvtUihW27dy7lqAl0zBObFKtSBBIm5RBjwIhE8VwsPPm9PNuvPvNqLWUEg=="],
 
     "@jitl/quickjs-wasmfile-debug-asyncify": ["@jitl/quickjs-wasmfile-debug-asyncify@0.32.0", "", { "dependencies": { "@jitl/quickjs-ffi-types": "0.32.0" } }, "sha512-EX8zbXwGqCgAE764M+qvkHtyXDi/FUoMBea0JnES7vCM3P7a2+EOZOjGv85wtZ2sJhI1oJ+nekmqpOODFDY+hw=="],
 
@@ -873,34 +872,6 @@
 
     "@jsonforms/react": ["@jsonforms/react@3.7.0", "", { "dependencies": { "lodash": "^4.17.21" }, "peerDependencies": { "@jsonforms/core": "3.7.0", "react": "^16.12.0 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-HkY7qAx8vW97wPEgZ7GxCB3iiXG1c95GuObxtcDHGPBJWMwnxWBnVYJmv5h7nthrInKsQKHZL5OusnC/sj/1GQ=="],
 
-    "@jsonjoy.com/base64": ["@jsonjoy.com/base64@1.1.2", "", { "peerDependencies": { "tslib": "2" } }, "sha512-q6XAnWQDIMA3+FTiOYajoYqySkO+JSat0ytXGSuRdq9uXE7o92gzuQwQM14xaCRlBLGq3v5miDGC4vkVTn54xA=="],
-
-    "@jsonjoy.com/buffers": ["@jsonjoy.com/buffers@17.67.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-tfExRpYxBvi32vPs9ZHaTjSP4fHAfzSmcahOfNxtvGHcyJel+aibkPlGeBB+7AoC6hL7lXIE++8okecBxx7lcw=="],
-
-    "@jsonjoy.com/codegen": ["@jsonjoy.com/codegen@1.0.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-E8Oy+08cmCf0EK/NMxpaJZmOxPqM+6iSe2S4nlSBrPZOORoDJILxtbSUEDKQyTamm/BVAhIGllOBNU79/dwf0g=="],
-
-    "@jsonjoy.com/fs-core": ["@jsonjoy.com/fs-core@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-node-builtins": "4.57.2", "@jsonjoy.com/fs-node-utils": "4.57.2", "thingies": "^2.5.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-SVjwklkpIV5wrynpYtuYnfYH1QF4/nDuLBX7VXdb+3miglcAgBVZb/5y0cOsehRV/9Vb+3UqhkMq3/NR3ztdkQ=="],
-
-    "@jsonjoy.com/fs-fsa": ["@jsonjoy.com/fs-fsa@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-core": "4.57.2", "@jsonjoy.com/fs-node-builtins": "4.57.2", "@jsonjoy.com/fs-node-utils": "4.57.2", "thingies": "^2.5.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-fhO8+iR2I+OCw668ISDJdn1aArc9zx033sWejIyzQ8RBeXa9bDSaUeA3ix0poYOfrj1KdOzytmYNv2/uLDfV6g=="],
-
-    "@jsonjoy.com/fs-node": ["@jsonjoy.com/fs-node@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-core": "4.57.2", "@jsonjoy.com/fs-node-builtins": "4.57.2", "@jsonjoy.com/fs-node-utils": "4.57.2", "@jsonjoy.com/fs-print": "4.57.2", "@jsonjoy.com/fs-snapshot": "4.57.2", "glob-to-regex.js": "^1.0.0", "thingies": "^2.5.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-nX2AdL6cOFwLdju9G4/nbRnYevmCJbh7N7hvR3gGm97Cs60uEjyd0rpR+YBS7cTg175zzl22pGKXR5USaQMvKg=="],
-
-    "@jsonjoy.com/fs-node-builtins": ["@jsonjoy.com/fs-node-builtins@4.57.2", "", { "peerDependencies": { "tslib": "2" } }, "sha512-xhiegylRmhw43Ki2HO1ZBL7DQ5ja/qpRsL29VtQ2xuUHiuDGbgf2uD4p9Qd8hJI5P6RCtGYD50IXHXVq/Ocjcg=="],
-
-    "@jsonjoy.com/fs-node-to-fsa": ["@jsonjoy.com/fs-node-to-fsa@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-fsa": "4.57.2", "@jsonjoy.com/fs-node-builtins": "4.57.2", "@jsonjoy.com/fs-node-utils": "4.57.2" }, "peerDependencies": { "tslib": "2" } }, "sha512-18LmWTSONhoAPW+IWRuf8w/+zRolPFGPeGwMxlAhhfY11EKzX+5XHDBPAw67dBF5dxDErHJbl40U+3IXSDRXSQ=="],
-
-    "@jsonjoy.com/fs-node-utils": ["@jsonjoy.com/fs-node-utils@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-node-builtins": "4.57.2" }, "peerDependencies": { "tslib": "2" } }, "sha512-rsPSJgekz43IlNbLyAM/Ab+ouYLWGp5DDBfYBNNEqDaSpsbXfthBn29Q4muFA9L0F+Z3mKo+CWlgSCXrf+mOyQ=="],
-
-    "@jsonjoy.com/fs-print": ["@jsonjoy.com/fs-print@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-node-utils": "4.57.2", "tree-dump": "^1.1.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-wK9NSow48i4DbDl9F1CQE5TqnyZOJ04elU3WFG5aJ76p+YxO/ulyBBQvKsessPxdo381Bc2pcEoyPujMOhcRqQ=="],
-
-    "@jsonjoy.com/fs-snapshot": ["@jsonjoy.com/fs-snapshot@4.57.2", "", { "dependencies": { "@jsonjoy.com/buffers": "^17.65.0", "@jsonjoy.com/fs-node-utils": "4.57.2", "@jsonjoy.com/json-pack": "^17.65.0", "@jsonjoy.com/util": "^17.65.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-GdduDZuoP5V/QCgJkx9+BZ6SC0EZ/smXAdTS7PfMqgMTGXLlt/bH/FqMYaqB9JmLf05sJPtO0XRbAwwkEEPbVw=="],
-
-    "@jsonjoy.com/json-pack": ["@jsonjoy.com/json-pack@1.21.0", "", { "dependencies": { "@jsonjoy.com/base64": "^1.1.2", "@jsonjoy.com/buffers": "^1.2.0", "@jsonjoy.com/codegen": "^1.0.0", "@jsonjoy.com/json-pointer": "^1.0.2", "@jsonjoy.com/util": "^1.9.0", "hyperdyperid": "^1.2.0", "thingies": "^2.5.0", "tree-dump": "^1.1.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-+AKG+R2cfZMShzrF2uQw34v3zbeDYUqnQ+jg7ORic3BGtfw9p/+N6RJbq/kkV8JmYZaINknaEQ2m0/f693ZPpg=="],
-
-    "@jsonjoy.com/json-pointer": ["@jsonjoy.com/json-pointer@1.0.2", "", { "dependencies": { "@jsonjoy.com/codegen": "^1.0.0", "@jsonjoy.com/util": "^1.9.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-Fsn6wM2zlDzY1U+v4Nc8bo3bVqgfNTGcn6dMgs6FjrEnt4ZCe60o6ByKRjOGlI2gow0aE/Q41QOigdTqkyK5fg=="],
-
-    "@jsonjoy.com/util": ["@jsonjoy.com/util@1.9.0", "", { "dependencies": { "@jsonjoy.com/buffers": "^1.0.0", "@jsonjoy.com/codegen": "^1.0.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-pLuQo+VPRnN8hfPqUTLTHk126wuYdXVxE6aDmjSeV4NCAgyxWbiOIeNJVtID3h1Vzpoi9m4jXezf73I6LgabgQ=="],
-
     "@kubernetes/client-node": ["@kubernetes/client-node@0.21.0", "", { "dependencies": { "@types/js-yaml": "^4.0.1", "@types/node": "^20.1.1", "@types/request": "^2.47.1", "@types/ws": "^8.5.3", "byline": "^5.0.0", "isomorphic-ws": "^5.0.0", "js-yaml": "^4.1.0", "jsonpath-plus": "^8.0.0", "request": "^2.88.0", "rfc4648": "^1.3.0", "stream-buffers": "^3.0.2", "tar": "^7.0.0", "tslib": "^2.4.1", "ws": "^8.11.0" }, "optionalDependencies": { "openid-client": "^5.3.0" } }, "sha512-yYRbgMeyQbvZDHt/ZqsW3m4lRefzhbbJEuj8sVXM+bufKrgmzriA2oq7lWPH/k/LQIicAME9ixPUadTrxIF6dQ=="],
 
     "@levischuck/tiny-cbor": ["@levischuck/tiny-cbor@0.2.11", "", {}, "sha512-llBRm4dT4Z89aRsm6u2oEZ8tfwL/2l6BwpZ7JcyieouniDECM5AqNgr/y08zalEIvW3RSK4upYyybDcmjXqAow=="],
@@ -1447,8 +1418,6 @@
 
     "@scalar/types": ["@scalar/types@0.6.10", "", { "dependencies": { "@scalar/helpers": "0.2.18", "nanoid": "^5.1.6", "type-fest": "^5.3.1", "zod": "^4.3.5" } }, "sha512-fZkelRwcEeAhsn4c0wjYXWrzSzLaEyfxTn/eazXJ4XfCIsgJTQyK0FD8mnOBZJ2vEIbtT2E1mBKnCbDxrJIlxA=="],
 
-    "@sebastianwessel/quickjs": ["@sebastianwessel/quickjs@3.0.1", "", { "dependencies": { "memfs": "^4.56.10", "quickjs-emscripten-core": "^0.31.0", "rate-limiter-flexible": "^9.1.1" }, "peerDependencies": { "typescript": ">= 5.5.4" }, "optionalPeers": ["typescript"] }, "sha512-9pKTzjtsHIBxokMhYgNPyqvBSpX9WLus5j+cqspB2VHOKbC0L45NQiVQhbEiaWXEyBtxd3W8MLnvlxvtBLo0Ew=="],
-
     "@selderee/plugin-htmlparser2": ["@selderee/plugin-htmlparser2@0.11.0", "", { "dependencies": { "domhandler": "^5.0.3", "selderee": "^0.11.0" } }, "sha512-P33hHGdldxGabLFjPPpaTxVolMrzrcegejx+0GxjrIb9Zv48D8yAIA/QTDR2dFl7Uz7urX8aX6+5bCZslr+gWQ=="],
 
     "@sentry/core": ["@sentry/core@10.50.0", "", {}, "sha512-J4A+vzUO3adl0TkFCjaN1+4miamrjHiEIYuLHiuu1lmAjq5WIVw32ObvAh4yMwNtxyaEMosTrrh5M6f12XSJFg=="],
@@ -2371,8 +2340,6 @@
 
     "glob-parent": ["glob-parent@5.1.2", "", { "dependencies": { "is-glob": "^4.0.1" } }, "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow=="],
 
-    "glob-to-regex.js": ["glob-to-regex.js@1.2.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-QMwlOQKU/IzqMUOAZWubUOT8Qft+Y0KQWnX9nK3ch0CJg0tTp4TvGZsTfudYKv2NzoQSyPcnA6TYeIQ3jGichQ=="],
-
     "goober": ["goober@2.1.18", "", { "peerDependencies": { "csstype": "^3.0.10" } }, "sha512-2vFqsaDVIT9Gz7N6kAL++pLpp41l3PfDuusHcjnGLfR6+huZkl6ziX+zgVC3ZxpqWhzH6pyDdGrCeDhMIvwaxw=="],
 
     "google-auth-library": ["google-auth-library@10.6.2", "", { "dependencies": { "base64-js": "^1.3.0", "ecdsa-sig-formatter": "^1.0.11", "gaxios": "^7.1.4", "gcp-metadata": "8.1.2", "google-logging-utils": "1.1.3", "jws": "^4.0.0" } }, "sha512-e27Z6EThmVNNvtYASwQxose/G57rkRuaRbQyxM2bvYLLX/GqWZ5chWq2EBoUchJbCc57eC9ArzO5wMsEmWftCw=="],
@@ -2479,8 +2446,6 @@
 
     "husky": ["husky@9.1.7", "", { "bin": { "husky": "bin.js" } }, "sha512-5gs5ytaNjBrh5Ow3zrvdUUY+0VxIuWVL4i9irt6friV+BqdCfmV11CQTWMiBYWHbXhco+J1kHfTOUkePhCDvMA=="],
 
-    "hyperdyperid": ["hyperdyperid@1.2.0", "", {}, "sha512-Y93lCzHYgGWdrJ66yIktxiaGULYc6oGiABxhcO5AufBeOyoIdZF7bIfLaOrbM0iGIOXQQgxxRrFEnb+Y6w1n4A=="],
-
     "i18next": ["i18next@23.16.8", "", { "dependencies": { "@babel/runtime": "^7.23.2" } }, "sha512-06r/TitrM88Mg5FdUXAKL96dJMzgqLE5dv3ryBAra4KCwD9mJ4ndOTS95ZuymIGoE+2hzfdaMak2X11/es7ZWg=="],
 
     "iconv-lite": ["iconv-lite@0.7.2", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw=="],
@@ -2561,6 +2526,8 @@
 
     "isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
 
+    "isolated-vm": ["isolated-vm@5.0.4", "", { "dependencies": { "prebuild-install": "^7.1.2" } }, "sha512-RYUf/JC4ldWz/oi2BVs8a1XIprQ71q6eQPBwySaF5Apu0KMyf2gIpElbCyPh2OEmRT+FYw1GOKSdkv7jw2KLxw=="],
+
     "isomorphic-ws": ["isomorphic-ws@5.0.0", "", { "peerDependencies": { "ws": "*" } }, "sha512-muId7Zzn9ywDsyXgTIafTry2sV3nySZeUDe6YedVd1Hvuuep5AsIlqK+XefWpYTyJG5e503F2xIuT2lcU6rCSw=="],
 
     "isstream": ["isstream@0.1.2", "", {}, "sha512-Yljz7ffyPbrLpLngrMtZ7NduUgVvi6wG9RJ9IUcyCd59YQ911PBJphODUcbOVbqYfxe1wuYf/LJ8PauMRwsM/g=="],
@@ -2781,8 +2748,6 @@
 
     "media-typer": ["media-typer@1.1.0", "", {}, "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw=="],
 
-    "memfs": ["memfs@4.57.2", "", { "dependencies": { "@jsonjoy.com/fs-core": "4.57.2", "@jsonjoy.com/fs-fsa": "4.57.2", "@jsonjoy.com/fs-node": "4.57.2", "@jsonjoy.com/fs-node-builtins": "4.57.2", "@jsonjoy.com/fs-node-to-fsa": "4.57.2", "@jsonjoy.com/fs-node-utils": "4.57.2", "@jsonjoy.com/fs-print": "4.57.2", "@jsonjoy.com/fs-snapshot": "4.57.2", "@jsonjoy.com/json-pack": "^1.11.0", "@jsonjoy.com/util": "^1.9.0", "glob-to-regex.js": "^1.0.1", "thingies": "^2.5.0", "tree-dump": "^1.0.3", "tslib": "^2.0.0" } }, "sha512-2nWzSsJzrukurSDna4Z0WywuScK4Id3tSKejgu74u8KCdW4uNrseKRSIDg75C6Yw5ZRqBe0F0EtMNlTbUq8bAQ=="],
-
     "merge-descriptors": ["merge-descriptors@2.0.0", "", {}, "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g=="],
 
     "merge-stream": ["merge-stream@2.0.0", "", {}, "sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w=="],
@@ -3203,14 +3168,12 @@
 
     "quickjs-emscripten": ["quickjs-emscripten@0.32.0", "", { "dependencies": { "@jitl/quickjs-wasmfile-debug-asyncify": "0.32.0", "@jitl/quickjs-wasmfile-debug-sync": "0.32.0", "@jitl/quickjs-wasmfile-release-asyncify": "0.32.0", "@jitl/quickjs-wasmfile-release-sync": "0.32.0", "quickjs-emscripten-core": "0.32.0" } }, "sha512-So0Sqw869y/S2oE3Nuc0uT3Dhqgvsj8FSrwBdsuTosVsG8ME5/OcudU1GxsrIFdFABgy17GHnTVO9TYV/bLQcA=="],
 
-    "quickjs-emscripten-core": ["quickjs-emscripten-core@0.31.0", "", { "dependencies": { "@jitl/quickjs-ffi-types": "0.31.0" } }, "sha512-oQz8p0SiKDBc1TC7ZBK2fr0GoSHZKA0jZIeXxsnCyCs4y32FStzCW4d1h6E1sE0uHDMbGITbk2zhNaytaoJwXQ=="],
+    "quickjs-emscripten-core": ["quickjs-emscripten-core@0.32.0", "", { "dependencies": { "@jitl/quickjs-ffi-types": "0.32.0" } }, "sha512-QFnPfjFey8EqknSrSxe1hZrf1/8z7/6s1QzGOmKo6++02r7QRRX7ZoyNaZh7JuVjWsVW87KnQrbZqnHkOAzUyg=="],
 
     "radix3": ["radix3@1.1.2", "", {}, "sha512-b484I/7b8rDEdSDKckSSBA8knMpcdsXudlE/LNL639wFoHKwLbEkQFZHWEYwDC0wa0FKUcCY+GAF73Z7wxNVFA=="],
 
     "range-parser": ["range-parser@1.2.1", "", {}, "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg=="],
 
-    "rate-limiter-flexible": ["rate-limiter-flexible@9.1.1", "", {}, "sha512-imxFjzPCmvDLMe7d2tsgiSQvs5EI2fI9SNymmslAfOqznZhsZ+PqbIjIYKpuSbd3pKovR1aMG47qfCLIO/adVg=="],
-
     "raw-body": ["raw-body@3.0.2", "", { "dependencies": { "bytes": "~3.1.2", "http-errors": "~2.0.1", "iconv-lite": "~0.7.0", "unpipe": "~1.0.0" } }, "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA=="],
 
     "rc": ["rc@1.2.8", "", { "dependencies": { "deep-extend": "^0.6.0", "ini": "~1.3.0", "minimist": "^1.2.0", "strip-json-comments": "~2.0.1" }, "bin": { "rc": "./cli.js" } }, "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw=="],
@@ -3531,8 +3494,6 @@
 
     "thenify-all": ["thenify-all@1.6.0", "", { "dependencies": { "thenify": ">= 3.1.0 < 4" } }, "sha512-RNxQH/qI8/t3thXJDwcstUO4zeqo64+Uy/+sNVRBx4Xn2OX+OZ9oP+iJnNFqplFra2ZUVeKCSa2oVWi3T4uVmA=="],
 
-    "thingies": ["thingies@2.6.0", "", { "peerDependencies": { "tslib": "^2" } }, "sha512-rMHRjmlFLM1R96UYPvpmnc3LYtdFrT33JIB7L9hetGue1qAPfn1N2LJeEjxUSidu1Iku+haLZXDuEXUHNGO/lg=="],
-
     "thread-stream": ["thread-stream@4.0.0", "", { "dependencies": { "real-require": "^0.2.0" } }, "sha512-4iMVL6HAINXWf1ZKZjIPcz5wYaOdPhtO8ATvZ+Xqp3BTdaqtAwQkNmKORqcIo5YkQqGXq5cwfswDwMqqQNrpJA=="],
 
     "tiny-inflate": ["tiny-inflate@1.0.3", "", {}, "sha512-pkY1fj1cKHb2seWDy0B16HeWyczlJA9/WW3u3c4z/NiWDsO3DOU5D7nhTLE9CF0yXv/QZFY7sEJmj24dK+Rrqw=="],
@@ -3561,8 +3522,6 @@
 
     "tough-cookie": ["tough-cookie@2.5.0", "", { "dependencies": { "psl": "^1.1.28", "punycode": "^2.1.1" } }, "sha512-nlLsUzgm1kfLXSXfRZMc1KLAugd4hqJHDTvc2hDIwS3mZAfMEuMbc03SujMF+GEcpaX/qboeycw6iO8JwVv2+g=="],
 
-    "tree-dump": ["tree-dump@1.1.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-rMuvhU4MCDbcbnleZTFezWsaZXRFemSqAM+7jPnzUl1fo9w3YEKOxAeui0fz3OI4EU4hf23iyA7uQRVko+UaBA=="],
-
     "tree-kill": ["tree-kill@1.2.2", "", { "bin": { "tree-kill": "cli.js" } }, "sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A=="],
 
     "trim-lines": ["trim-lines@3.0.1", "", {}, "sha512-kRj8B+YHZCc9kQYdWfJB2/oUl9rA99qbowYYBtr4ui4mZyAQ2JpvVBd/6U2YloATfqBhBTSMhTpgBHtU0Mf3Rg=="],
@@ -3815,24 +3774,8 @@
 
     "@isaacs/cliui/wrap-ansi": ["wrap-ansi@8.1.0", "", { "dependencies": { "ansi-styles": "^6.1.0", "string-width": "^5.0.1", "strip-ansi": "^7.0.1" } }, "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ=="],
 
-    "@jitl/quickjs-wasmfile-debug-asyncify/@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.32.0", "", {}, "sha512-v9T+GQpmk43VDJ7d72sf0Nexhk+ArvtUihW27dy7lqAl0zBObFKtSBBIm5RBjwIhE8VwsPPm9PNuvPvNqLWUEg=="],
-
-    "@jitl/quickjs-wasmfile-debug-sync/@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.32.0", "", {}, "sha512-v9T+GQpmk43VDJ7d72sf0Nexhk+ArvtUihW27dy7lqAl0zBObFKtSBBIm5RBjwIhE8VwsPPm9PNuvPvNqLWUEg=="],
-
-    "@jitl/quickjs-wasmfile-release-asyncify/@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.32.0", "", {}, "sha512-v9T+GQpmk43VDJ7d72sf0Nexhk+ArvtUihW27dy7lqAl0zBObFKtSBBIm5RBjwIhE8VwsPPm9PNuvPvNqLWUEg=="],
-
-    "@jitl/quickjs-wasmfile-release-sync/@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.32.0", "", {}, "sha512-v9T+GQpmk43VDJ7d72sf0Nexhk+ArvtUihW27dy7lqAl0zBObFKtSBBIm5RBjwIhE8VwsPPm9PNuvPvNqLWUEg=="],
-
     "@jsonforms/core/ajv-formats": ["ajv-formats@2.1.1", "", { "dependencies": { "ajv": "^8.0.0" } }, "sha512-Wx0Kx52hxE7C18hkMEggYlEifqWZtYaRgouJor+WMdPnQyEK13vgEWyVNup7SoeeoLMsr4kf5h6dOW11I15MUA=="],
 
-    "@jsonjoy.com/fs-snapshot/@jsonjoy.com/json-pack": ["@jsonjoy.com/json-pack@17.67.0", "", { "dependencies": { "@jsonjoy.com/base64": "17.67.0", "@jsonjoy.com/buffers": "17.67.0", "@jsonjoy.com/codegen": "17.67.0", "@jsonjoy.com/json-pointer": "17.67.0", "@jsonjoy.com/util": "17.67.0", "hyperdyperid": "^1.2.0", "thingies": "^2.5.0", "tree-dump": "^1.1.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-t0ejURcGaZsn1ClbJ/3kFqSOjlryd92eQY465IYrezsXmPcfHPE/av4twRSxf6WE+TkZgLY+71vCZbiIiFKA/w=="],
-
-    "@jsonjoy.com/fs-snapshot/@jsonjoy.com/util": ["@jsonjoy.com/util@17.67.0", "", { "dependencies": { "@jsonjoy.com/buffers": "17.67.0", "@jsonjoy.com/codegen": "17.67.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-6+8xBaz1rLSohlGh68D1pdw3AwDi9xydm8QNlAFkvnavCJYSze+pxoW2VKP8p308jtlMRLs5NTHfPlZLd4w7ew=="],
-
-    "@jsonjoy.com/json-pack/@jsonjoy.com/buffers": ["@jsonjoy.com/buffers@1.2.1", "", { "peerDependencies": { "tslib": "2" } }, "sha512-12cdlDwX4RUM3QxmUbVJWqZ/mrK6dFQH4Zxq6+r1YXKXYBNgZXndx2qbCJwh3+WWkCSn67IjnlG3XYTvmvYtgA=="],
-
-    "@jsonjoy.com/util/@jsonjoy.com/buffers": ["@jsonjoy.com/buffers@1.2.1", "", { "peerDependencies": { "tslib": "2" } }, "sha512-12cdlDwX4RUM3QxmUbVJWqZ/mrK6dFQH4Zxq6+r1YXKXYBNgZXndx2qbCJwh3+WWkCSn67IjnlG3XYTvmvYtgA=="],
-
     "@lobu/gateway/commander": ["commander@14.0.3", "", {}, "sha512-H+y0Jo/T1RZ9qPP4Eh1pkcQcLRglraJaSLoyOtHxu6AapkjWVCy2Sit1QQ4x3Dng8qDlSsZEet7g5Pq06MvTgw=="],
 
     "@lobu/owletto-backend/@sentry/node": ["@sentry/node@9.47.1", "", { "dependencies": { "@opentelemetry/api": "^1.9.0", "@opentelemetry/context-async-hooks": "^1.30.1", "@opentelemetry/core": "^1.30.1", "@opentelemetry/instrumentation": "^0.57.2", "@opentelemetry/instrumentation-amqplib": "^0.46.1", "@opentelemetry/instrumentation-connect": "0.43.1", "@opentelemetry/instrumentation-dataloader": "0.16.1", "@opentelemetry/instrumentation-express": "0.47.1", "@opentelemetry/instrumentation-fs": "0.19.1", "@opentelemetry/instrumentation-generic-pool": "0.43.1", "@opentelemetry/instrumentation-graphql": "0.47.1", "@opentelemetry/instrumentation-hapi": "0.45.2", "@opentelemetry/instrumentation-http": "0.57.2", "@opentelemetry/instrumentation-ioredis": "0.47.1", "@opentelemetry/instrumentation-kafkajs": "0.7.1", "@opentelemetry/instrumentation-knex": "0.44.1", "@opentelemetry/instrumentation-koa": "0.47.1", "@opentelemetry/instrumentation-lru-memoizer": "0.44.1", "@opentelemetry/instrumentation-mongodb": "0.52.0", "@opentelemetry/instrumentation-mongoose": "0.46.1", "@opentelemetry/instrumentation-mysql": "0.45.1", "@opentelemetry/instrumentation-mysql2": "0.45.2", "@opentelemetry/instrumentation-pg": "0.51.1", "@opentelemetry/instrumentation-redis-4": "0.46.1", "@opentelemetry/instrumentation-tedious": "0.18.1", "@opentelemetry/instrumentation-undici": "0.10.1", "@opentelemetry/resources": "^1.30.1", "@opentelemetry/sdk-trace-base": "^1.30.1", "@opentelemetry/semantic-conventions": "^1.34.0", "@prisma/instrumentation": "6.11.1", "@sentry/core": "9.47.1", "@sentry/node-core": "9.47.1", "@sentry/opentelemetry": "9.47.1", "import-in-the-middle": "^1.14.2", "minimatch": "^9.0.0" } }, "sha512-CDbkasBz3fnWRKSFs6mmaRepM2pa+tbZkrqhPWifFfIkJDidtVW40p6OnquTvPXyPAszCnDZRnZT14xyvNmKPQ=="],
@@ -4103,8 +4046,6 @@
 
     "proxy-agent/lru-cache": ["lru-cache@7.18.3", "", {}, "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA=="],
 
-    "quickjs-emscripten/quickjs-emscripten-core": ["quickjs-emscripten-core@0.32.0", "", { "dependencies": { "@jitl/quickjs-ffi-types": "0.32.0" } }, "sha512-QFnPfjFey8EqknSrSxe1hZrf1/8z7/6s1QzGOmKo6++02r7QRRX7ZoyNaZh7JuVjWsVW87KnQrbZqnHkOAzUyg=="],
-
     "rc/ini": ["ini@1.3.8", "", {}, "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew=="],
 
     "rc/strip-json-comments": ["strip-json-comments@2.0.1", "", {}, "sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ=="],
@@ -4223,14 +4164,6 @@
 
     "@isaacs/cliui/wrap-ansi/ansi-styles": ["ansi-styles@6.2.3", "", {}, "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg=="],
 
-    "@jsonjoy.com/fs-snapshot/@jsonjoy.com/json-pack/@jsonjoy.com/base64": ["@jsonjoy.com/base64@17.67.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-5SEsJGsm15aP8TQGkDfJvz9axgPwAEm98S5DxOuYe8e1EbfajcDmgeXXzccEjh+mLnjqEKrkBdjHWS5vFNwDdw=="],
-
-    "@jsonjoy.com/fs-snapshot/@jsonjoy.com/json-pack/@jsonjoy.com/codegen": ["@jsonjoy.com/codegen@17.67.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-idnkUplROpdBOV0HMcwhsCUS5TRUi9poagdGs70A6S4ux9+/aPuKbh8+UYRTLYQHtXvAdNfQWXDqZEx5k4Dj2Q=="],
-
-    "@jsonjoy.com/fs-snapshot/@jsonjoy.com/json-pack/@jsonjoy.com/json-pointer": ["@jsonjoy.com/json-pointer@17.67.0", "", { "dependencies": { "@jsonjoy.com/util": "17.67.0" }, "peerDependencies": { "tslib": "2" } }, "sha512-+iqOFInH+QZGmSuaybBUNdh7yvNrXvqR+h3wjXm0N/3JK1EyyFAeGJvqnmQL61d1ARLlk/wJdFKSL+LHJ1eaUA=="],
-
-    "@jsonjoy.com/fs-snapshot/@jsonjoy.com/util/@jsonjoy.com/codegen": ["@jsonjoy.com/codegen@17.67.0", "", { "peerDependencies": { "tslib": "2" } }, "sha512-idnkUplROpdBOV0HMcwhsCUS5TRUi9poagdGs70A6S4ux9+/aPuKbh8+UYRTLYQHtXvAdNfQWXDqZEx5k4Dj2Q=="],
-
     "@lobu/owletto-backend/@sentry/node/@opentelemetry/instrumentation": ["@opentelemetry/instrumentation@0.57.2", "", { "dependencies": { "@opentelemetry/api-logs": "0.57.2", "@types/shimmer": "^1.2.0", "import-in-the-middle": "^1.8.1", "require-in-the-middle": "^7.1.1", "semver": "^7.5.2", "shimmer": "^1.2.1" }, "peerDependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-BdBGhQBh8IjZ2oIIX6F2/Q3LKm/FDDKi6ccYKcBTeilh6SNdNKveDOLk73BkSJjQLJk6qe4Yh+hHw1UPhCDdrg=="],
 
     "@lobu/owletto-backend/@sentry/node/@opentelemetry/instrumentation-amqplib": ["@opentelemetry/instrumentation-amqplib@0.46.1", "", { "dependencies": { "@opentelemetry/core": "^1.8.0", "@opentelemetry/instrumentation": "^0.57.1", "@opentelemetry/semantic-conventions": "^1.27.0" }, "peerDependencies": { "@opentelemetry/api": "^1.3.0" } }, "sha512-AyXVnlCf/xV3K/rNumzKxZqsULyITJH6OVLiW6730JPRqWA7Zc9bvYoVNpN6iOpTU8CasH34SU/ksVJmObFibQ=="],
@@ -4361,8 +4294,6 @@
 
     "onnx-proto/protobufjs/long": ["long@4.0.0", "", {}, "sha512-XsP+KhQif4bjX1kbuSiySJFNAehNxgLb6hPRGJ9QsUr8ajHkuXGdrHmFUTUUXhDwVX2R5bY4JNZEwbUiMhV+MA=="],
 
-    "quickjs-emscripten/quickjs-emscripten-core/@jitl/quickjs-ffi-types": ["@jitl/quickjs-ffi-types@0.32.0", "", {}, "sha512-v9T+GQpmk43VDJ7d72sf0Nexhk+ArvtUihW27dy7lqAl0zBObFKtSBBIm5RBjwIhE8VwsPPm9PNuvPvNqLWUEg=="],
-
     "send/mime-types/mime-db": ["mime-db@1.54.0", "", {}, "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ=="],
 
     "string-width-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="],
diff --git a/docker/app/Dockerfile b/docker/app/Dockerfile
index 5baba7c93..f491a7f48 100644
--- a/docker/app/Dockerfile
+++ b/docker/app/Dockerfile
@@ -8,8 +8,10 @@ FROM node:22-slim AS builder
 WORKDIR /app
 
 # Bun for workspace install + tsc. git needed because some deps ship git URLs.
+# python3 + build-essential needed for isolated-vm native build (node-gyp).
 RUN apt-get update && apt-get install -y --no-install-recommends \
       git ca-certificates curl unzip \
+      python3 build-essential \
     && rm -rf /var/lib/apt/lists/* \
     && curl -fsSL https://bun.sh/install | BUN_INSTALL=/usr/local bash \
     && chmod +x /usr/local/bin/bun
diff --git a/docs/plans/mcp-multi-org-and-execute.md b/docs/plans/mcp-multi-org-and-execute.md
new file mode 100644
index 000000000..21c40135d
--- /dev/null
+++ b/docs/plans/mcp-multi-org-and-execute.md
@@ -0,0 +1,332 @@
+# MCP multi-org + `execute`/`search`: addendum to the search-execute design doc
+
+Extends `docs/mcp-search-execute-design-doc.md` (owletto proper, status "Planned, not yet implemented") with two scopes the original didn't fully land: (1) cross-org addressing inside `execute`, and (2) the full frontend + UX surface the new tools imply. Language decision: **TypeScript over a typed `ClientSDK` in `isolated-vm`** — reviewed by a second and third opinion (codex, pi), both concurred. Bash-as-primary was evaluated and rejected because reactions are the real workload and shell quoting degrades stored user code.
+
+Target repo for implementation: `packages/owletto-backend` + `packages/owletto-web` in the `lobu` monorepo. The owletto repo is deprecated.
+
+## Decisions locked in
+
+- `execute` runtime: `isolated-vm` V8 isolate (not bash, not node:vm, not subprocess).
+- `execute` authoring language: TypeScript compiled via esbuild, same path as today's reaction scripts.
+- Cross-org addressing: `client.org(slugOrId)` accessor returning a proxy SDK bound to a re-validated `ToolContext`. No per-tool `org_slug` parameter.
+- Access level for `execute`: `write` (member-tier), not `admin`. Per-call `checkToolAccess` on every SDK method is the actual gate.
+- `search` + `execute` exposed on **both** scoped (`/mcp/{slug}`) and unscoped (`/mcp`) endpoints. Scoped is the default for Claude/Cursor connectors today.
+- `list_organizations` + `switch_organization` exposed on scoped endpoints too. Non-script users and read-tier members still need the serial-hop path. Rename `join_organization` → drop it (semantically it's a switch when the user is already a member, and a no-op entry when they're not).
+
+## Why TypeScript, short version
+
+Bash + a CLI was seriously considered. Rejected on four axes:
+
+1. **Reactions are stored, deferred user code.** Picking bash means stored reactions inherit shell quoting, pipe-failure semantics, `jq` shape drift, CLI version skew, and re-auth overhead — all as part of the durable product surface. Typed TS with TypeBox `Value.Errors` gives the model field-level repair signal.
+2. **Multi-org efficiency.** One SDK client holds session context, caches membership, and reuses an auth handshake across N orgs. Bash turns a cross-org walk into N CLI invocations with N auth handshakes and N JSON parses.
+3. **Runtime compounding.** Reactions today are TS source compiled by esbuild, stored in DB. `execute` and reactions sharing one SDK + one sandbox collapses two runtimes into one. Splitting them would cost a second sandbox forever.
+4. **Agent fluency is an affordance problem.** LLMs write bash more natively than typed SDKs, but LLMs also repair typed errors far faster than shell errors. Solve fluency with tiny authored surface (one global `client`, top-level `await`, plain objects) and `search` returning copy-pasteable signatures — not by changing language.
+
+## Cross-org SDK: the `client.org()` accessor
+
+Today's `ClientSDK` is built once per request with a fixed `toolCtx.organizationId`. The cross-org accessor returns a proxy bound to a fresh `ToolContext`:
+
+```ts
+export default async (ctx, client) => {
+  const orgs = await client.organizations.list();           // user's memberships + public orgs they can read
+  const buremba = orgs.find(o => o.slug === 'buremba');
+  if (!buremba) throw new Error('buremba not found');
+  const watchers = await client.org(buremba.id).watchers.list({ template: 'reddit' });
+  return watchers.filter(w => w.status !== 'active' || w.pending > 0);
+};
+```
+
+Contract:
+
+- `client.org(slugOrId)` returns `ClientSDK`. Accepts slug or UUID. First call per `(userId, orgId)` tuple verifies membership against `member`; subsequent calls within the same isolate hit an in-process LRU cache keyed by `(userId, orgId)` with a 30s TTL.
+- Membership lookup populates `memberRole` (`owner | admin | member`) into the swapped `ToolContext`. Public-visibility orgs the user isn't a member of return a `memberRole: null` context, and the existing `isPublicReadable(toolName, args)` path in `src/auth/tool-access.ts` gates writes.
+- Non-member on a private org: `.org()` throws `AccessDenied` synchronously, before any SDK method dispatches.
+- `client.organizations.{list, current}` — new SDK namespace. `list` wraps `listOrganizations`; `current` returns the session's default org.
+- The `ctx` passed to `execute` scripts carries `organization_id` = the session's default org (pinned URL or last `switch_organization`). `client` with no `.org()` call uses that same default.
+
+Authz invariants preserved:
+
+- Every SDK method still fires `checkToolAccess(toolName, args, ctx)`. The org swap changes `ctx`, never bypasses the check.
+- Membership is re-verified on each `.org()` call, not cached across calls for >30s. A script that calls `.org(X).entities.create()` after membership was revoked mid-script fails on the second call.
+- Public-workspace scripts (`role: null` on session default) can read but never write, same as today's tool surface.
+
+## `execute` access level: write, not admin
+
+The original design doc says `getRequiredAccessLevel('execute') = 'admin'`. Flip to `write`. Rationale:
+
+- Per-method access checks already exist in the SDK dispatch. A member running `execute` can call any method they could call as a direct tool — composition does not create new authorization.
+- An `admin`-only gate on `execute` would force members onto the aggregation-tool path we're explicitly killing. Members either deserve scripted composition or they don't.
+- Read-tier sessions (no `mcp:write` scope or no member role) cannot call `execute`; they can still use `search` and the normal public-read tools.
+- Entry gate: `execute` requires write-tier access. Admin-only SDK calls still re-check owner/admin role plus `mcp:admin` scope at the delegated handler boundary.
+
+Public-workspace callers (`role: null`) can use `search` and public-read tools but cannot run `execute`. `search` is read-only and available to everyone.
+
+## Scoped-endpoint UX fix: expose org tools everywhere
+
+Drop the "org-switching tools only on /mcp" rule in `src/tools/execute.ts` (`ORG_AGNOSTIC_TOOLS`). Expose `list_organizations` + `switch_organization` on `/mcp/{slug}` too. Reasons:
+
+- On a scoped URL the default org is the pinned one, but nothing is actually at risk by letting the user list memberships or switch mid-session. The pin is ergonomic, not a hard wall.
+- Drop `join_organization` entirely. For already-authenticated users on a scoped URL, "join" is a misnomer — they're either already a member (no-op), or not (should fail with a "not a member" error, identical to `switch_organization`'s behavior). One tool, one semantic.
+
+Session-resume behavior (`src/mcp-handler.ts` line 356) still rejects cross-scope recovery (scoped ↔ unscoped mismatch). Unchanged — that's correct.
+
+## Authoring affordances
+
+These make "LLMs write bash more fluently than typed SDKs" a non-concern:
+
+- **Tiny surface in authored scripts.** `export default async (ctx, client) => { ... }`. One `client` global. No imports. Top-level `await` supported via esbuild's `format: 'esm'` wrapper. Plain objects/arrays. No classes, no decorators, no framework ceremony.
+- **`search("ns.method")` returns signature + copy-pasteable example.** The design doc already specifies inline TypeBox-derived signatures. Extend each method's metadata with a minimal example literal:
+
+  ```ts
+  // Example:
+  // const w = await client.watchers.list({ entity_id: 42, status: 'active' });
+  ```
+
+  Stored in `src/sandbox/method-metadata.ts` next to the summary/throws annotations.
+- **Structured errors keyed for repair.** TypeBox `Value.Errors` surface as:
+
+  ```ts
+  { name: 'ValidationError', method: 'watchers.create',
+    fields: [{ path: 'extraction_schema', expected: 'object', got: 'string',
+               example: { type: 'object', properties: { ... } } }] }
+  ```
+
+  The `example` field on validation errors nudges the model to the right shape on retry.
+- **Dry-run first-class.** `client.watchers.testReaction` already exists in the design doc. Add `execute` dry-run mode too: `{ script, dry_run: true }` runs under the same write-interception wrapper that reactions use, returning the `would_have` list without committing. Cost is one wrapper branch, same SDK.
+
+## Frontend plan
+
+Two new surfaces in `packages/owletto-web`, plus two upgrades.
+
+### New: `/[owner]/tools/execute` — script console
+
+A first-class execute + search page. Inspired by SQL console patterns; no equivalent exists today.
+
+- Monaco editor with TypeScript language mode. Seeded with the standard preamble: `export default async (ctx, client) => {`.
+- Inline signature panel on the right — driven by the `search` tool. Search box + namespace tree. Selecting a method injects its example into the editor at cursor.
+- Org selector dropdown (top of page) — defaults to session org, switches the default `ctx.organization_id` for the run. Independent of the `client.org()` in-script accessor (which overrides per-call).
+- "Dry-run" button (writes intercepted, surfaced as `would_have` list) and "Run" button. Results pane below with structured JSON output, `logs` array, `error` with line/col mapping back to user source.
+- Visible run history (last 20 per org) — click to reload a script. Stored per-user in localStorage initially; DB-backed later if needed.
+
+Files:
+- `src/app/[owner]/tools/execute/page.tsx` (new route)
+- `src/components/tools/execute-console/{editor,signature-panel,results-pane,run-history}.tsx`
+- `src/hooks/use-execute.ts` → POSTs `{ script, dry_run, org_slug }` to `/api/mcp/execute` (internal proxy to the backend's MCP `execute` tool).
+
+### New: `/[owner]/settings/organizations` — org membership + invites
+
+Today org CRUD is a dropdown overlay. A dedicated page is needed for cross-org work:
+
+- Tab "Members" — list members of the current org with roles.
+- Tab "Invites" — pending `invitation` rows sent to this user's email. Accept/decline.
+- Tab "Your Organizations" — flat list of all orgs the user belongs to with direct-link switch.
+- Tab "Delete" (owners only).
+
+Files:
+- `src/app/[owner]/settings/organizations/page.tsx`
+- `src/components/settings/organizations/{members,invites,my-orgs,delete}-tab.tsx`
+
+### Upgrade: watcher reaction editor
+
+Today: plain `<Textarea>` in `src/components/entity-tabs/watchers-tab/from-scratch-panel.tsx:461–466`. No syntax highlighting, no dry-run, no compile feedback until save.
+
+- Replace textarea with Monaco (reusing whatever component the new execute console lands).
+- "Test reaction" button — calls `client.watchers.testReaction` against the most recent window, surfaces the `would_have` list + logs inline.
+- Inline compile errors (line/col) from esbuild — fire on blur or debounced keystroke.
+- Collapsible "Context" card showing the `ctx.extracted_rows` shape for this watcher's extraction_schema.
+
+Files touched:
+- `src/components/entity-tabs/watchers-tab/from-scratch-panel.tsx`
+- `src/hooks/use-watchers.ts` (`useTestReaction` new hook)
+
+### Upgrade: sidebar org dropdown
+
+Already calls `organization.setActive({ organizationId })`. Two small changes:
+
+- Add a persistent badge for pending invitations (count from `/api/organizations/invites/pending`).
+- "Manage organizations" entry at the bottom of the dropdown → `/[owner]/settings/organizations`.
+
+No other frontend pages need to change.
+
+## Edge cases and how each is handled
+
+From a BLOCKER/GUARD/BENIGN survey of the current codebase:
+
+### Cross-org access
+
+- **Non-member on private org via `.org()`** — synchronous throw from the accessor, before SDK dispatch. Already covered by the per-call membership check.
+- **Public-visibility org, `memberRole: null`** — accessor returns a read-only SDK. Writes fail at `isPublicReadable` check. Existing handler behavior, no new code.
+- **Org hard-delete mid-script** — `member` row disappears, LRU cache invalidated by TTL (≤30s) or by the next dispatch if a write reaches the handler and the row is gone. Reads during the window succeed, consistent with Postgres-level visibility; no stale membership beyond 30s.
+- **No soft-delete on `organization` today** (confirmed: `db/schema.sql` has no `deleted_at`). If it's added later, the `organizations.list`/`.org()` path needs the filter too — tracked as a follow-up.
+- **Slug vs UUID both accepted** — accessor resolves by length heuristic (`startsWith` UUID regex) + DB lookup. Matches the ergonomic norm of the rest of the API.
+
+### Reactions
+
+- **Stored reaction calls `client.org(X)` after reaction owner lost membership of X** — fires per-call membership check. SDK throws `AccessDenied` inside the isolate; `watcher_reactions` row logs the failure. Reaction run completes with `success: false`, no partial writes to X (because the accessor throws before dispatch).
+- **Reaction fires on a watcher whose org was hard-deleted** — upstream `watcher` row is already gone by FK cascade; the reaction never schedules. BENIGN.
+- **Dry-run must classify cross-org calls** — the dry-run wrapper wraps the entire `ClientSDK`, so `client.org(X).entities.create(...)` goes through the same interceptor. Classification is method-keyed in `method-metadata.ts`, unaffected by org swap.
+- **Public-workspace reactions** — reactions today run with `memberRole: null` and `isAuthenticated: true` (system context). A public-org reaction that tries to write fails at `isPublicReadable`. Unchanged.
+
+### Sandbox limits
+
+- **Large `query_sql` result OOMs the 64MB isolate** — cap `query_sql` result size at 32MB server-side (before handoff). Documented limit; `search("knowledge.search")` example shows pagination.
+- **200 SDK call quota hit by a cross-org walk** — document with an example: iterating 30 orgs × 10 method calls = 300, needs batching or summary reads. Error message includes `sdk_calls_remaining: 0` so the model can retry with narrower scope.
+- **60s wall-clock timeout on external-call chains** — `operations.execute` counts against wall-clock. Error `{ name: 'TimeoutError', phase: 'external_chain', last_method: 'operations.execute' }` so the model can shorten.
+- **Recursive `execute`** — banned statically: `method-metadata.ts` doesn't expose `client.execute`. Tested via a ship-blocking assertion.
+
+### Session and auth
+
+- **Concurrent unscoped sessions with independent switches** — `sessions` Map in `mcp-handler.ts` is sessionId-keyed. Isolated. BENIGN.
+- **Session resume after `switch_organization` on unscoped URL** — `persisted.organizationId` is replayed into the recovered session. BENIGN.
+- **Session resume with scoped↔unscoped URL mismatch** — already rejects (line 356). Correct.
+
+### Audit
+
+- **50 SDK calls fired by one `execute` get no top-level invocation row** — add `execute_invocations` table:
+
+  ```sql
+  CREATE TABLE public.execute_invocation (
+    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    organization_id text NOT NULL REFERENCES public.organization(id),
+    user_id         text NOT NULL REFERENCES public."user"(id),
+    script_hash     text NOT NULL,
+    script_source   text,
+    status          text NOT NULL,  -- 'success' | 'error' | 'timeout' | 'quota'
+    sdk_calls       int  NOT NULL,
+    duration_ms     int  NOT NULL,
+    error_json      jsonb,
+    started_at      timestamptz NOT NULL DEFAULT now()
+  );
+  ```
+
+  Plus a nullable `execute_invocation_id uuid` column on every change-event table the SDK writes to (already uniform today — single `event` table per the existing schema). The SDK sets the column from `ctx` on every write. Admins can now query "all side effects of invocation X" in one SQL.
+
+- Reactions get their own path already (`watcher_reactions` table). Don't double-log.
+
+## File-by-file changes
+
+### `packages/owletto-backend`
+
+New:
+- `src/sandbox/client-sdk.ts` — `buildClientSDK(toolCtx, env, opts?: { dryRun?: boolean })`. Top-level `org(slugOrId)` accessor returns a proxy SDK with swapped ToolContext after a membership check.
+- `src/sandbox/run-script.ts` — shared `isolated-vm` runner.
+- `src/sandbox/namespaces/{entities, entitySchema, connections, feeds, authProfiles, operations, watchers, classifiers, viewTemplates, knowledge, organizations}.ts` — per-namespace thin delegations.
+- `src/sandbox/method-metadata.ts` — summary, throws, cost, access, **example** per SDK path.
+- `src/sandbox/typebox-to-signature.ts` — formatter.
+- `src/tools/sdk_search.ts`, `src/tools/sdk_execute.ts`.
+- `migrations/YYYYMMDDhhmmss_add_execute_invocation.sql` — new table + FK column on `event`.
+
+Modified:
+- `src/tools/registry.ts` — drop `join_organization` registration; add `list_organizations` + `switch_organization` unconditionally (drop `orgSwitching: true` gating, handle both scoped and unscoped); register `search` + `execute`.
+- `src/tools/execute.ts` — drop `ORG_AGNOSTIC_TOOLS` scoping restriction. `switch_organization` allowed on scoped endpoints; session mutates default org in place (same code path as today's unscoped handler).
+- `src/tools/organizations.ts` — `listOrganizations` surfaces `role` in addition to `is_member`. Drop the old `join_organization` handler entirely.
+- `src/auth/tool-access.ts` — `execute: 'write'`; `search: 'read'`. Drop `join_organization`. Per-method check table remains authoritative.
+- `src/watchers/reaction-executor.ts` — swap `buildReactionSDK` for `buildClientSDK(reactionCtx, env)`. `runScript({ entryPoint: 'react', ... })` shared with `execute`.
+- `src/mcp-handler.ts` — `includeOrgSwitching` gating removed (always true).
+
+Deleted:
+- `src/tools/admin/` MCP registrations for the 14 `manage_*` tools — handlers stay, MCP-surface entries go.
+- `src/tools/admin/index.ts` after `query_sql` registration moves.
+
+### `packages/owletto-web`
+
+New:
+- `src/app/[owner]/tools/execute/page.tsx`
+- `src/components/tools/execute-console/{editor, signature-panel, results-pane, run-history}.tsx`
+- `src/app/[owner]/settings/organizations/page.tsx`
+- `src/components/settings/organizations/{members, invites, my-orgs, delete}-tab.tsx`
+- `src/hooks/{use-execute, use-invitations}.ts`
+
+Modified:
+- `src/components/entity-tabs/watchers-tab/from-scratch-panel.tsx` — Monaco + test-reaction button.
+- `src/hooks/use-watchers.ts` — `useTestReaction` hook.
+- `src/components/sidebar/organization-dropdown.tsx` — pending-invites badge + "Manage organizations" link.
+
+## PR plan
+
+Five PRs, landable in order. Each is independently mergeable; later PRs stack only if an earlier one hasn't landed.
+
+### PR-1: SDK + sandbox scaffolding, no new MCP tools yet
+
+Scope:
+- `src/sandbox/{run-script, client-sdk, method-metadata, typebox-to-signature}.ts`
+- Per-namespace delegations (most thin wrappers; `organizations` and `watchers` have real logic).
+- `client.org()` accessor with membership check + LRU cache.
+- Add `isolated-vm` dep; verify Docker build on Debian base image.
+
+Validation:
+- Unit tests: `client-sdk.test.ts` covers `org()` accessor (slug, UUID, non-member throw, public-workspace read-only, revocation mid-script).
+- Sandbox smoke test: trivial script `return 1 + 1` runs to completion under 50ms cold.
+
+### PR-2: `search` + `execute` MCP tools, drop `admin` gating
+
+Scope:
+- `src/tools/{sdk_search, sdk_execute}.ts` — register in `src/tools/registry.ts`.
+- `src/auth/tool-access.ts` — `execute: 'write'`, `search: 'read'`.
+- Drop the 14 `manage_*` tool registrations from MCP surface (handlers preserved).
+- Execute dry-run mode plumbing.
+
+Validation:
+- Integration tests: 17 scenarios from the original design doc's `## Verification` section, plus:
+  - Cross-org read in `execute` by a write-tier member.
+  - Cross-org write by a member of the second org.
+  - Cross-org write rejected for non-member.
+  - Read-tier session runs read-only script successfully; write attempt fails mid-execution with typed error.
+- Migration: ~20 integration tests that call `executeTool('manage_*', { action, ... })` rewrite to call handlers directly.
+
+### PR-3: audit trail — `execute_invocation` table + event linkage
+
+Scope:
+- Migration: new table + nullable `execute_invocation_id` FK on `event`.
+- `execute` handler writes the invocation row pre-run; SDK writes the FK into every change-event.
+- Admin SQL examples in docs.
+
+Validation:
+- Integration test: script creating 3 entities + 1 watcher → `SELECT * FROM event WHERE execute_invocation_id = $1` returns 4 rows.
+
+### PR-4: scoped-endpoint UX fix
+
+Scope:
+- Expose `list_organizations` + `switch_organization` on `/mcp/{slug}`.
+- Drop `join_organization` entirely.
+- Update `src/utils/workspace-instructions.ts` preamble.
+
+Validation:
+- Integration test: scoped session calls `switch_organization`, next tool call runs against the new org.
+- MCP client config verified on Claude Desktop and Codex after the rename.
+
+### PR-5: frontend — execute console + settings + reaction editor upgrade
+
+Scope:
+- New routes + components listed above.
+- `useExecute` posts through the existing `/api/mcp/*` proxy.
+- Monaco upgrade on the reaction editor.
+- Sidebar pending-invite badge.
+
+Validation:
+- Manual QA: create a 3-line script, run, verify result. Run dry-run, verify `would_have` list. Switch orgs via selector, re-run. Open a watcher, hit "Test reaction", verify inline logs.
+
+## Risks and gotchas
+
+- **`isolated-vm` native build.** Debian-based Docker image, Node version pin, `python3` + `build-essential`. Half-day risk if the current image is Alpine; verify before deep work.
+- **Existing reaction scripts in DB.** Stored scripts target the legacy `ReactionSDK` shape (`actions.execute`, `content.save`, `notify`, `query(sql, params)`, `react(ctx, sdk)` export). The new `ClientSDK` is a different surface — namespace renames (`content.save` → `knowledge.save`, `actions.execute` → `operations.execute`), object-shaped args instead of positional, no `notify` primitive, and the entry point is `default async (ctx, client, params?)`. Old scripts will not transparently keep working — they must be rewritten and recompiled. Migration ran in PR #348 against `watchers.reaction_script` / `reaction_script_compiled`; backup table `_reactions_backup_2026_04_25` holds originals for rollback. Audit query: `SELECT COUNT(*) FROM watchers WHERE reaction_script ~ 'export\s+async\s+function\s+react\s*\(' OR reaction_script ~ 'sdk\.(notify|content|actions)';` returns 0 post-migration.
+- **Dry-run write classification misses a handler.** If a new method is added without metadata, dry-run might treat it as a read and mutate prod. Ship-blocking test: `method-metadata.ts` must cover every public SDK path; CI fails if not.
+- **Async SDK bridge leaks.** `isolated-vm` `Reference.apply` patterns have known footguns (un-disposed references, leaked promises). Budget unit-test time here up front.
+- **Token budgets of `search`.** A namespace listing in a crowded namespace (watchers has ~15 methods) can still run ~500 tokens. Document a `depth` param later if needed.
+- **Frontend bundle size from Monaco.** ~2MB gzipped. Lazy-load the editor behind a dynamic import; never ship it on non-console pages.
+
+## Critical files
+
+Backend:
+- `src/tools/execute.ts` (lines 30–82, 145–165)
+- `src/tools/registry.ts` (lines 130–165)
+- `src/tools/organizations.ts` (the whole file)
+- `src/mcp-handler.ts` (lines 100–170, 350–360)
+- `src/auth/tool-access.ts`
+- `src/watchers/reaction-executor.ts`
+- `db/schema.sql` (additions for `execute_invocation` + FK on `event`)
+
+Frontend:
+- `src/components/sidebar/organization-dropdown.tsx`
+- `src/components/entity-tabs/watchers-tab/from-scratch-panel.tsx` (lines 461–466)
+- `src/hooks/{use-org-context, use-watchers}.ts`
diff --git a/packages/landing/src/content/docs/reference/owletto-cli.md b/packages/landing/src/content/docs/reference/owletto-cli.md
index 3bf81af93..9a334ff67 100644
--- a/packages/landing/src/content/docs/reference/owletto-cli.md
+++ b/packages/landing/src/content/docs/reference/owletto-cli.md
@@ -138,11 +138,14 @@ npx owletto@latest run
 # Search knowledge
 npx owletto@latest run search_knowledge '{"query":"Acme"}'
 
-# Read saved content
-npx owletto@latest run read_knowledge '{"query":"customer preferences"}'
-
 # Save new knowledge
 npx owletto@latest run save_knowledge '{"content":"Prefers weekly summaries","semantic_type":"preference","metadata":{}}'
+
+# Discover SDK methods (namespaces, signatures, examples)
+npx owletto@latest run search '{"query":"watchers.create"}'
+
+# Run a TypeScript script over the typed client SDK
+npx owletto@latest run execute '{"script":"export default async (ctx, client) => client.entities.list({ entity_type: \"company\", limit: 5 })"}'
 ```
 
 This is the most direct way to inspect or test Owletto behavior outside an agent runtime.
@@ -151,13 +154,13 @@ This is the most direct way to inspect or test Owletto behavior outside an agent
 
 The exact tool list depends on the endpoint and your session scope. Run `owletto run` with no arguments to see what is available.
 
-**Core memory:** `search_knowledge`, `read_knowledge`, `save_knowledge`
+**Core memory:** `search_knowledge`, `save_knowledge`
 
-**Watchers:** `list_watchers`, `get_watcher`
+**SDK surface:** `search` (method discovery), `execute` (run TS over the typed `ClientSDK` — replaces the previous `manage_*` MCP tools; reach handlers via `client.<namespace>.<method>(...)` from inside the script)
 
-**Organization:** `list_organizations`, `switch_organization` (unscoped endpoint only)
+**Read-only SQL:** `query_sql` (admin/owner only)
 
-**Admin / workspace** (admin sessions only): `manage_entity`, `manage_entity_schema`, `manage_connections`, `manage_feeds`, `manage_auth_profiles`, `manage_operations`, `manage_watchers`, `manage_classifiers`, `query_sql`
+**Organization:** `list_organizations`, `switch_organization` (exposed on both unscoped and scoped endpoints)
 
 ## Other Useful Commands
 
diff --git a/packages/owletto-backend/package.json b/packages/owletto-backend/package.json
index dbaab4e7e..a02006038 100644
--- a/packages/owletto-backend/package.json
+++ b/packages/owletto-backend/package.json
@@ -18,7 +18,6 @@
   },
   "dependencies": {
     "@hono/node-server": "^1.13.7",
-    "@jitl/quickjs-ng-wasmfile-release-asyncify": "0.31.0",
     "@lobu/core": "workspace:*",
     "@lobu/gateway": "workspace:*",
     "@lobu/owletto-sdk": "workspace:*",
@@ -26,7 +25,6 @@
     "@polyglot-sql/sdk": "^0.1.13",
     "@react-email/components": "^1.0.12",
     "@react-email/render": "^2.0.7",
-    "@sebastianwessel/quickjs": "^3.0.1",
     "@sentry/node": "^9.0.0",
     "@sinclair/typebox": "^0.34.41",
     "@slack/socket-mode": "^2.0.6",
@@ -58,5 +56,8 @@
     "typescript": "^5.7.2",
     "vite": "^6.0.0",
     "vitest": "^2.1.8"
+  },
+  "optionalDependencies": {
+    "isolated-vm": "^5.0.4"
   }
 }
diff --git a/packages/owletto-backend/src/__tests__/integration/mcp/auth.test.ts b/packages/owletto-backend/src/__tests__/integration/mcp/auth.test.ts
index 76d92aedf..cd25cf232 100644
--- a/packages/owletto-backend/src/__tests__/integration/mcp/auth.test.ts
+++ b/packages/owletto-backend/src/__tests__/integration/mcp/auth.test.ts
@@ -262,17 +262,15 @@ describe('MCP Authentication', () => {
       const body = await response.json();
       const toolNames = body.result.tools.map((tool: any) => tool.name);
 
+      // Public reads survive: search_knowledge, search (SDK discovery).
       expect(toolNames).toContain('search_knowledge');
+      expect(toolNames).toContain('search');
+      // Writes and admin reads must not be visible to anonymous public callers.
       expect(toolNames).not.toContain('save_knowledge');
       expect(toolNames).not.toContain('query_sql');
-
-      const manageEntity = body.result.tools.find((tool: any) => tool.name === 'manage_entity');
-      expect(manageEntity).toBeDefined();
-      expect(manageEntity.inputSchema.properties.action.enum).toEqual([
-        'list',
-        'get',
-        'list_links',
-      ]);
+      expect(toolNames).not.toContain('execute');
+      // Legacy `manage_*` tools are no longer registered as external MCP tools.
+      expect(toolNames).not.toContain('manage_entity');
     });
 
     it('allows anonymous public-read tool calls on public org MCP routes', async () => {
@@ -379,16 +377,11 @@ describe('MCP Authentication', () => {
       const toolNames = body.result.tools.map((tool: any) => tool.name);
 
       expect(toolNames).toContain('search_knowledge');
+      expect(toolNames).toContain('search');
       expect(toolNames).not.toContain('save_knowledge');
       expect(toolNames).not.toContain('query_sql');
-
-      const manageEntity = body.result.tools.find((tool: any) => tool.name === 'manage_entity');
-      expect(manageEntity).toBeDefined();
-      expect(manageEntity.inputSchema.properties.action.enum).toEqual([
-        'list',
-        'get',
-        'list_links',
-      ]);
+      expect(toolNames).not.toContain('execute');
+      expect(toolNames).not.toContain('manage_entity');
     });
 
     it('should reject expired OAuth access token', async () => {
@@ -730,7 +723,10 @@ describe('MCP Authentication', () => {
       expect(body.error?.message).toContain("Agent 'missing-agent' was not found");
     });
 
-    it('hides org switching tools on scoped /mcp/:org routes', async () => {
+    it('exposes org switching tools on scoped /mcp/:org routes too', async () => {
+      // PR-2: list_organizations + switch_organization are no longer
+      // gated behind the unscoped /mcp endpoint. Scoped sessions can still
+      // call switch_organization to move off the URL pin.
       const { token } = await createTestAccessToken(user.id, org.id, client.client_id);
 
       const response = await post(`/mcp/${org.slug}`, {
@@ -747,8 +743,8 @@ describe('MCP Authentication', () => {
       const body = await response.json();
       const toolNames = body.result.tools.map((tool: any) => tool.name);
 
-      expect(toolNames).not.toContain('list_organizations');
-      expect(toolNames).not.toContain('switch_organization');
+      expect(toolNames).toContain('list_organizations');
+      expect(toolNames).toContain('switch_organization');
     });
   });
 
@@ -924,12 +920,19 @@ describe('MCP Authentication', () => {
 
       expect(result.tools).toBeInstanceOf(Array);
 
-      // Verify expected tools are present
+      // Verify expected tools are present. The legacy `manage_*`,
+      // `read_knowledge`, `get_watcher`, `list_watchers` MCP tools are now
+      // internal-only and reachable via the SDK from `execute` scripts.
       const toolNames = result.tools.map((t: any) => t.name);
       expect(toolNames).toContain('search_knowledge');
-      expect(toolNames).toContain('read_knowledge');
-      expect(toolNames).toContain('get_watcher');
-      expect(toolNames).toContain('list_watchers');
+      expect(toolNames).toContain('save_knowledge');
+      expect(toolNames).toContain('search');
+      expect(toolNames).toContain('execute');
+      expect(toolNames).not.toContain('read_knowledge');
+      expect(toolNames).not.toContain('get_watcher');
+      expect(toolNames).not.toContain('list_watchers');
+      expect(toolNames).not.toContain('manage_entity');
+      expect(toolNames).not.toContain('join_organization');
     });
 
     it('should include tool descriptions', async () => {
diff --git a/packages/owletto-backend/src/__tests__/integration/mcp/public-org-join.test.ts b/packages/owletto-backend/src/__tests__/integration/mcp/public-org-join.test.ts
deleted file mode 100644
index 7d6c786ac..000000000
--- a/packages/owletto-backend/src/__tests__/integration/mcp/public-org-join.test.ts
+++ /dev/null
@@ -1,337 +0,0 @@
-import { beforeAll, describe, expect, it } from 'vitest';
-import { getTestDb, cleanupTestDatabase } from '../../setup/test-db';
-import {
-  createTestAccessToken,
-  createTestOAuthClient,
-  createTestOrganization,
-  createTestSession,
-  createTestUser,
-  seedSystemEntityTypes,
-} from '../../setup/test-fixtures';
-import { get, post } from '../../setup/test-helpers';
-
-describe('Public org read access + self-serve join', () => {
-  let publicOrg: Awaited<ReturnType<typeof createTestOrganization>>;
-  let privateOrg: Awaited<ReturnType<typeof createTestOrganization>>;
-  let outsiderUser: Awaited<ReturnType<typeof createTestUser>>;
-  let outsiderSessionCookie: string;
-  let client: Awaited<ReturnType<typeof createTestOAuthClient>>;
-
-  beforeAll(async () => {
-    await cleanupTestDatabase();
-    await seedSystemEntityTypes();
-    publicOrg = await createTestOrganization({
-      name: 'Public Join Org',
-      slug: 'public-join-org',
-      description: 'Anyone can read',
-      visibility: 'public',
-    });
-    privateOrg = await createTestOrganization({
-      name: 'Private Join Org',
-      slug: 'private-join-org',
-      visibility: 'private',
-    });
-    outsiderUser = await createTestUser({ email: 'outsider@test.example.com' });
-    outsiderSessionCookie = (await createTestSession(outsiderUser.id)).cookieHeader;
-    client = await createTestOAuthClient();
-  });
-
-  async function initializeScopedSession(path: string, token: string) {
-    const initResponse = await post(path, {
-      body: {
-        jsonrpc: '2.0',
-        id: '__test_init__',
-        method: 'initialize',
-        params: {
-          protocolVersion: '2025-03-26',
-          capabilities: {},
-          clientInfo: { name: 'owletto-test', version: '1.0' },
-        },
-      },
-      token,
-    });
-    const sessionId = initResponse.headers.get('mcp-session-id');
-    expect(sessionId).toBeTruthy();
-    await post(path, {
-      body: { jsonrpc: '2.0', method: 'notifications/initialized' },
-      headers: { 'mcp-session-id': sessionId! },
-      token,
-    });
-    return sessionId!;
-  }
-
-  // (a) non-member reads on public org succeed via public/* routes
-  describe('public/* REST endpoints', () => {
-    it('returns sanitized organization metadata to anonymous callers', async () => {
-      const response = await get(`/api/${publicOrg.slug}/public/organization`);
-      expect(response.status).toBe(200);
-      const body = await response.json();
-      expect(body.organization.slug).toBe(publicOrg.slug);
-      expect(body.organization.name).toBe(publicOrg.name);
-      expect(body.organization.visibility).toBe('public');
-      expect(body.organization).toHaveProperty('agent_count');
-      expect(body.organization).toHaveProperty('entity_type_count');
-      expect(body.organization).not.toHaveProperty('members');
-    });
-
-    it('returns agent list without credentials to anonymous callers', async () => {
-      const response = await get(`/api/${publicOrg.slug}/public/agents`);
-      expect(response.status).toBe(200);
-      const body = await response.json();
-      expect(Array.isArray(body.agents)).toBe(true);
-      for (const agent of body.agents) {
-        expect(agent).not.toHaveProperty('auth_profile_id');
-        expect(agent).not.toHaveProperty('mcp_servers');
-        expect(agent).not.toHaveProperty('config');
-      }
-    });
-
-    it('404s when the org is private (no leak of existence)', async () => {
-      const response = await get(`/api/${privateOrg.slug}/public/organization`);
-      expect(response.status).toBe(404);
-    });
-  });
-
-  // (b) self-serve join inserts member + (d) duplicate join idempotent
-  describe('POST /api/:orgSlug/join', () => {
-    it('requires an authenticated session', async () => {
-      const response = await post(`/api/${publicOrg.slug}/join`, { body: {} });
-      expect(response.status).toBe(401);
-    });
-
-    it('inserts a member row with role=member and is idempotent on re-call', async () => {
-      const firstResponse = await post(`/api/${publicOrg.slug}/join`, {
-        body: {},
-        cookie: outsiderSessionCookie,
-      });
-      expect(firstResponse.status).toBe(200);
-      const first = await firstResponse.json();
-      expect(first.status).toBe('joined');
-      expect(first.role).toBe('member');
-      expect(first.organizationId).toBe(publicOrg.id);
-
-      const sql = getTestDb();
-      const rows = await sql`
-        SELECT role FROM "member"
-        WHERE "organizationId" = ${publicOrg.id} AND "userId" = ${outsiderUser.id}
-      `;
-      expect(rows).toHaveLength(1);
-      expect(rows[0].role).toBe('member');
-
-      // (d) duplicate join returns already_member without inserting a second row
-      const secondResponse = await post(`/api/${publicOrg.slug}/join`, {
-        body: {},
-        cookie: outsiderSessionCookie,
-      });
-      expect(secondResponse.status).toBe(200);
-      const second = await secondResponse.json();
-      expect(second.status).toBe('already_member');
-      expect(second.role).toBe('member');
-
-      const rowsAfter = await sql`
-        SELECT id FROM "member"
-        WHERE "organizationId" = ${publicOrg.id} AND "userId" = ${outsiderUser.id}
-      `;
-      expect(rowsAfter).toHaveLength(1);
-    });
-
-    // (c) join on private org 403s
-    it('403s when the workspace is private', async () => {
-      const otherUser = await createTestUser({ email: 'private-joiner@test.example.com' });
-      const cookie = (await createTestSession(otherUser.id)).cookieHeader;
-      const response = await post(`/api/${privateOrg.slug}/join`, {
-        body: {},
-        cookie,
-      });
-      expect(response.status).toBe(403);
-      const body = await response.json();
-      expect(body.error).toBe('forbidden');
-    });
-
-    it('404s for an unknown slug', async () => {
-      const response = await post('/api/does-not-exist-xyz/join', {
-        body: {},
-        cookie: outsiderSessionCookie,
-      });
-      expect(response.status).toBe(404);
-    });
-  });
-
-  // (e) MCP write tool on public org (non-member) returns new error message
-  describe('MCP write denial surfaces join_organization', () => {
-    it('surfaces a join_organization hint when a non-member tries to write', async () => {
-      const user = await createTestUser({ email: 'mcp-nonmember@test.example.com' });
-      const { token } = await createTestAccessToken(user.id, publicOrg.id, client.client_id, {
-        scope: 'mcp:write profile:read',
-      });
-      const sessionId = await initializeScopedSession(`/mcp/${publicOrg.slug}`, token);
-
-      const response = await post(`/mcp/${publicOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 1,
-          method: 'tools/call',
-          params: {
-            name: 'save_knowledge',
-            arguments: {
-              content: 'non-member should be denied with join hint',
-              semantic_type: 'content',
-              metadata: {},
-            },
-          },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-
-      expect(response.status).toBe(200);
-      const body = await response.json();
-      expect(body.result?.isError).toBe(true);
-      const text = body.result?.content?.[0]?.text ?? '';
-      expect(text).toContain('join_organization');
-    });
-  });
-
-  // (f) join_organization flips subsequent write from denied to allowed
-  describe('MCP join_organization tool', () => {
-    it('upgrades a writeable session so a subsequent entity create succeeds', async () => {
-      const user = await createTestUser({ email: 'mcp-joiner@test.example.com' });
-      const { token } = await createTestAccessToken(user.id, publicOrg.id, client.client_id, {
-        scope: 'mcp:write profile:read',
-      });
-      const sessionId = await initializeScopedSession(`/mcp/${publicOrg.slug}`, token);
-
-      // Before join: manage_entity:create must be denied (non-member).
-      const beforeResponse = await post(`/mcp/${publicOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 1,
-          method: 'tools/call',
-          params: {
-            name: 'manage_entity',
-            arguments: {
-              action: 'create',
-              name: 'Pre-join Entity',
-              entity_type: 'brand',
-            },
-          },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-      const beforeBody = await beforeResponse.json();
-      expect(beforeBody.result?.isError).toBe(true);
-      expect(beforeBody.result?.content?.[0]?.text ?? '').toContain('join_organization');
-
-      // Join via MCP tool
-      const joinResponse = await post(`/mcp/${publicOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 2,
-          method: 'tools/call',
-          params: { name: 'join_organization', arguments: {} },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-      const joinBody = await joinResponse.json();
-      expect(joinBody.result?.isError).not.toBe(true);
-      const joinText = joinBody.result?.content?.[0]?.text ?? '';
-      const parsed = JSON.parse(joinText);
-      expect(parsed.status === 'joined' || parsed.status === 'already_member').toBe(true);
-      expect(parsed.org.role).toBe('member');
-      // Write-scoped session shouldn't receive the read-only note
-      expect(parsed.note).toBeUndefined();
-
-      // After join: manage_entity:create must succeed.
-      const afterResponse = await post(`/mcp/${publicOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 3,
-          method: 'tools/call',
-          params: {
-            name: 'manage_entity',
-            arguments: {
-              action: 'create',
-              name: 'Post-join Entity',
-              entity_type: 'brand',
-            },
-          },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-      const afterBody = await afterResponse.json();
-      expect(afterBody.result?.isError).not.toBe(true);
-    });
-
-    it('returns a read-only scope note when the session cannot write', async () => {
-      const user = await createTestUser({ email: 'mcp-readonly-joiner@test.example.com' });
-      const { token } = await createTestAccessToken(user.id, publicOrg.id, client.client_id, {
-        scope: 'mcp:read profile:read',
-      });
-      const sessionId = await initializeScopedSession(`/mcp/${publicOrg.slug}`, token);
-
-      const joinResponse = await post(`/mcp/${publicOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 1,
-          method: 'tools/call',
-          params: { name: 'join_organization', arguments: {} },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-      const joinBody = await joinResponse.json();
-      expect(joinBody.result?.isError).not.toBe(true);
-      const text = joinBody.result?.content?.[0]?.text ?? '';
-      const parsed = JSON.parse(text);
-      expect(parsed.note).toBeDefined();
-      expect(parsed.note).toContain('mcp:write');
-    });
-
-    it('rejects join_organization when the token has no mcp:* scope', async () => {
-      const user = await createTestUser({ email: 'mcp-noscope-joiner@test.example.com' });
-      const { token } = await createTestAccessToken(user.id, publicOrg.id, client.client_id, {
-        scope: 'profile:read',
-      });
-      const sessionId = await initializeScopedSession(`/mcp/${publicOrg.slug}`, token);
-
-      const joinResponse = await post(`/mcp/${publicOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 1,
-          method: 'tools/call',
-          params: { name: 'join_organization', arguments: {} },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-      const joinBody = await joinResponse.json();
-      expect(joinBody.result?.isError).toBe(true);
-      expect(joinBody.result?.content?.[0]?.text ?? '').toContain('mcp:');
-    });
-
-    it('rejects joining a private workspace via MCP tool', async () => {
-      const user = await createTestUser({ email: 'mcp-private-joiner@test.example.com' });
-      const { token } = await createTestAccessToken(user.id, privateOrg.id, client.client_id, {
-        scope: 'mcp:write profile:read',
-      });
-      const sessionId = await initializeScopedSession(`/mcp/${privateOrg.slug}`, token);
-
-      const joinResponse = await post(`/mcp/${privateOrg.slug}`, {
-        body: {
-          jsonrpc: '2.0',
-          id: 1,
-          method: 'tools/call',
-          params: { name: 'join_organization', arguments: {} },
-        },
-        headers: { 'mcp-session-id': sessionId },
-        token,
-      });
-      const joinBody = await joinResponse.json();
-      expect(joinBody.result?.isError).toBe(true);
-      expect(joinBody.result?.content?.[0]?.text ?? '').toContain('not public');
-    });
-  });
-});
diff --git a/packages/owletto-backend/src/__tests__/integration/sandbox/client-sdk-org.test.ts b/packages/owletto-backend/src/__tests__/integration/sandbox/client-sdk-org.test.ts
new file mode 100644
index 000000000..d93c9dafa
--- /dev/null
+++ b/packages/owletto-backend/src/__tests__/integration/sandbox/client-sdk-org.test.ts
@@ -0,0 +1,197 @@
+/**
+ * Integration tests for `ClientSDK.org()` — the cross-org accessor.
+ *
+ * Exercises the real `organization` / `member` tables and the shared
+ * auth-layer cache (`multi-tenant.ts#memberRoleCache`). Covers slug and id
+ * resolution, AccessDenied / OrgNotFound error shape, public-workspace
+ * fallback, and revocation flowing through the explicit cache invalidation.
+ */
+
+import { afterEach, beforeAll, describe, expect, it } from "vitest";
+import type { Env } from "../../../index";
+import {
+  AccessDeniedError,
+  buildClientSDK,
+  OrgNotFoundError,
+  resolveOrgMembership,
+} from "../../../sandbox/client-sdk";
+import type { ToolContext } from "../../../tools/registry";
+import { invalidateMembershipRoleCache } from "../../../workspace/multi-tenant";
+import { cleanupTestDatabase, getTestDb } from "../../setup/test-db";
+import {
+  addUserToOrganization,
+  createTestOrganization,
+  createTestUser,
+} from "../../setup/test-fixtures";
+
+const testEnv: Env = {
+  ENVIRONMENT: "test",
+  DATABASE_URL: process.env.DATABASE_URL,
+};
+
+describe("ClientSDK.org() accessor", () => {
+  let orgA: Awaited<ReturnType<typeof createTestOrganization>>;
+  let orgB: Awaited<ReturnType<typeof createTestOrganization>>;
+  let orgPublic: Awaited<ReturnType<typeof createTestOrganization>>;
+  let user1: Awaited<ReturnType<typeof createTestUser>>;
+  let user2: Awaited<ReturnType<typeof createTestUser>>;
+
+  beforeAll(async () => {
+    await cleanupTestDatabase();
+    orgA = await createTestOrganization({ name: "Org A", slug: "org-a-sdk" });
+    orgB = await createTestOrganization({ name: "Org B", slug: "org-b-sdk" });
+    orgPublic = await createTestOrganization({
+      name: "Org Public",
+      slug: "org-public-sdk",
+      visibility: "public",
+    });
+    user1 = await createTestUser({ email: "user1-sdk@test.example.com" });
+    user2 = await createTestUser({ email: "user2-sdk@test.example.com" });
+    await addUserToOrganization(user1.id, orgA.id, "owner");
+    await addUserToOrganization(user2.id, orgB.id, "admin");
+  });
+
+  function buildCtx(userId: string, orgId: string): ToolContext {
+    return {
+      organizationId: orgId,
+      userId,
+      memberRole: "owner",
+      isAuthenticated: true,
+    };
+  }
+
+  describe("resolveOrgMembership", () => {
+    it("resolves by slug for a member", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const record = await resolveOrgMembership(orgA.slug, ctx);
+      expect(record.orgId).toBe(orgA.id);
+      expect(record.role).toBe("owner");
+      expect(record.visibility).toBe("private");
+    });
+
+    it("resolves by id when slug lookup misses", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const record = await resolveOrgMembership(orgA.id, ctx);
+      expect(record.slug).toBe(orgA.slug);
+    });
+
+    it("throws AccessDenied on private org the user is not a member of", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      await expect(
+        resolveOrgMembership(orgB.slug, ctx),
+      ).rejects.toBeInstanceOf(AccessDeniedError);
+    });
+
+    it("returns record with role=null on public org for non-members", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const record = await resolveOrgMembership(orgPublic.slug, ctx);
+      expect(record.visibility).toBe("public");
+      expect(record.role).toBeNull();
+    });
+
+    it("throws OrgNotFound for an unknown slug-or-id", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      await expect(
+        resolveOrgMembership("does-not-exist-xyz", ctx),
+      ).rejects.toBeInstanceOf(OrgNotFoundError);
+    });
+
+    it("resolves slugs that are long (no id-regex false-positive)", async () => {
+      const longSlug = "very-long-customer-success-platform-slug";
+      const longOrg = await createTestOrganization({
+        name: "Long Slug Org",
+        slug: longSlug,
+      });
+      await addUserToOrganization(user1.id, longOrg.id, "member");
+      const ctx = buildCtx(user1.id, orgA.id);
+      const record = await resolveOrgMembership(longSlug, ctx);
+      expect(record.slug).toBe(longSlug);
+      expect(record.role).toBe("member");
+    });
+  });
+
+  describe("buildClientSDK", () => {
+    it("exposes every namespace", () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      expect(sdk.entities).toBeDefined();
+      expect(sdk.entitySchema).toBeDefined();
+      expect(sdk.connections).toBeDefined();
+      expect(sdk.feeds).toBeDefined();
+      expect(sdk.authProfiles).toBeDefined();
+      expect(sdk.operations).toBeDefined();
+      expect(sdk.watchers).toBeDefined();
+      expect(sdk.classifiers).toBeDefined();
+      expect(sdk.viewTemplates).toBeDefined();
+      expect(sdk.knowledge).toBeDefined();
+      expect(sdk.organizations).toBeDefined();
+      expect(sdk.query).toBeInstanceOf(Function);
+      expect(sdk.log).toBeInstanceOf(Function);
+      expect(sdk.org).toBeInstanceOf(Function);
+    });
+
+    it(".org() throws AccessDenied on a non-member private org", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      await expect(sdk.org(orgB.slug)).rejects.toBeInstanceOf(
+        AccessDeniedError,
+      );
+    });
+
+    it(".org() returns a public-org SDK with memberRole=null for non-members", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      const sdkPub = await sdk.org(orgPublic.slug);
+      expect(sdkPub).toBeDefined();
+    });
+  });
+
+  describe("buildClientSDK with user1 also a member of orgB", () => {
+    beforeAll(async () => {
+      await addUserToOrganization(user1.id, orgB.id, "member");
+      // Clear any stale "not-a-member" negative cache from earlier tests.
+      invalidateMembershipRoleCache(orgB.id, user1.id);
+    });
+
+    it(".org() returns a fresh SDK for the other member org", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      const sdkB = await sdk.org(orgB.slug);
+      expect(sdkB).toBeDefined();
+      expect(sdkB).not.toBe(sdk);
+      expect(sdkB.org).toBeInstanceOf(Function);
+    });
+
+    it("chained .org() re-validates against the original user", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      const sdkB = await sdk.org(orgB.slug);
+      const sdkBackToA = await sdkB.org(orgA.slug);
+      expect(sdkBackToA).toBeDefined();
+    });
+
+    it("revocation is detected after explicit cache invalidation", async () => {
+      const ctx = buildCtx(user1.id, orgA.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      await sdk.org(orgB.slug);
+
+      const sql = getTestDb();
+      await sql`DELETE FROM "member" WHERE "userId" = ${user1.id} AND "organizationId" = ${orgB.id}`;
+      invalidateMembershipRoleCache(orgB.id, user1.id);
+
+      await expect(sdk.org(orgB.slug)).rejects.toBeInstanceOf(
+        AccessDeniedError,
+      );
+    });
+  });
+
+  describe("non-member isolation", () => {
+    it("user2 cannot access orgA", async () => {
+      const ctx = buildCtx(user2.id, orgB.id);
+      const sdk = buildClientSDK(ctx, testEnv);
+      await expect(sdk.org(orgA.slug)).rejects.toBeInstanceOf(
+        AccessDeniedError,
+      );
+    });
+  });
+});
diff --git a/packages/owletto-backend/src/__tests__/integration/sandbox/namespace-dispatch.test.ts b/packages/owletto-backend/src/__tests__/integration/sandbox/namespace-dispatch.test.ts
new file mode 100644
index 000000000..dabbecbc1
--- /dev/null
+++ b/packages/owletto-backend/src/__tests__/integration/sandbox/namespace-dispatch.test.ts
@@ -0,0 +1,132 @@
+/**
+ * Integration smoke test that actually dispatches through every namespace's
+ * read path. Catches field-name drift between the SDK wrapper and the handler
+ * TypeBox schema — the kind of bug static `as never` casts hide.
+ *
+ * Only read/list methods are exercised here; write smoke coverage lives in
+ * the per-tool integration tests that already exist in the repo.
+ */
+
+import { beforeAll, describe, expect, it } from "vitest";
+import type { Env } from "../../../index";
+import { buildClientSDK, type ClientSDK } from "../../../sandbox/client-sdk";
+import type { ToolContext } from "../../../tools/registry";
+import { initWorkspaceProvider } from "../../../workspace";
+import { cleanupTestDatabase } from "../../setup/test-db";
+import {
+  addUserToOrganization,
+  createTestOrganization,
+  createTestUser,
+  seedSystemEntityTypes,
+} from "../../setup/test-fixtures";
+
+const testEnv: Env = {
+  ENVIRONMENT: "test",
+  DATABASE_URL: process.env.DATABASE_URL,
+};
+
+/**
+ * Some handlers compose postgres.js tagged-template fragments
+ * (`sql\`${query} ORDER BY ...\``). PGlite's socket shim treats the fragment
+ * as a parameter instead of inlining, which produces "Promise" as $1 and a
+ * syntax error. Those dispatches work on real Postgres. The test suite runs
+ * under PGlite by default (fast, zero-deps) so we skip those cases here.
+ */
+const IS_PGLITE = process.env.OWLETTO_TEST_BACKEND === "pglite";
+const pgOnlyIt = IS_PGLITE ? it.skip : it;
+
+describe("ClientSDK namespace dispatch (read paths)", () => {
+  let sdk: ClientSDK;
+
+  beforeAll(async () => {
+    await cleanupTestDatabase();
+    await seedSystemEntityTypes();
+    await initWorkspaceProvider();
+    const org = await createTestOrganization({
+      name: "Dispatch Org",
+      slug: "dispatch-sdk",
+    });
+    const user = await createTestUser({
+      email: "dispatch-sdk@test.example.com",
+    });
+    await addUserToOrganization(user.id, org.id, "owner");
+    const ctx: ToolContext = {
+      organizationId: org.id,
+      userId: user.id,
+      memberRole: "owner",
+      isAuthenticated: true,
+    };
+    sdk = buildClientSDK(ctx, testEnv);
+  });
+
+  pgOnlyIt("entities.list dispatches cleanly", async () => {
+    await expect(sdk.entities.list()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt("entitySchema.listTypes dispatches cleanly", async () => {
+    await expect(sdk.entitySchema.listTypes()).resolves.toBeDefined();
+  });
+
+  it("entitySchema.listRelTypes dispatches cleanly", async () => {
+    await expect(sdk.entitySchema.listRelTypes()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt("connections.list dispatches cleanly", async () => {
+    await expect(sdk.connections.list()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt(
+    "connections.listConnectorDefinitions dispatches cleanly",
+    async () => {
+      await expect(
+        sdk.connections.listConnectorDefinitions(),
+      ).resolves.toBeDefined();
+    },
+  );
+
+  pgOnlyIt("feeds.list dispatches cleanly", async () => {
+    await expect(sdk.feeds.list()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt("authProfiles.list dispatches cleanly", async () => {
+    await expect(sdk.authProfiles.list()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt("operations.listAvailable dispatches cleanly", async () => {
+    await expect(sdk.operations.listAvailable()).resolves.toBeDefined();
+  });
+
+  // NOTE: operations.listRuns trips a pre-existing handler bug on PGlite
+  // (un-awaited SQL fragment injected as $1). Covered separately once that
+  // handler is fixed — the wrapper dispatch itself is asserted by the
+  // listAvailable test above.
+
+  pgOnlyIt("watchers.list dispatches cleanly", async () => {
+    await expect(sdk.watchers.list()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt("classifiers.list dispatches cleanly", async () => {
+    await expect(sdk.classifiers.list()).resolves.toBeDefined();
+  });
+
+  pgOnlyIt("organizations.list dispatches cleanly", async () => {
+    const orgs = await sdk.organizations.list();
+    expect(Array.isArray(orgs)).toBe(true);
+  });
+
+  pgOnlyIt("organizations.current returns the session org", async () => {
+    const current = await sdk.organizations.current();
+    expect(current.slug).toBe("dispatch-sdk");
+  });
+
+  pgOnlyIt("knowledge.search dispatches cleanly", async () => {
+    await expect(
+      sdk.knowledge.search({ query: "nothing-here-likely" }),
+    ).resolves.toBeDefined();
+  });
+
+  it("query runs a scoped read-only statement", async () => {
+    const rows = await sdk.query("SELECT COUNT(*)::int AS n FROM entities");
+    expect(Array.isArray(rows)).toBe(true);
+  });
+});
diff --git a/packages/owletto-backend/src/__tests__/setup/test-db.ts b/packages/owletto-backend/src/__tests__/setup/test-db.ts
index 6a674b135..7533e0b8f 100644
--- a/packages/owletto-backend/src/__tests__/setup/test-db.ts
+++ b/packages/owletto-backend/src/__tests__/setup/test-db.ts
@@ -5,10 +5,28 @@
  * Uses a separate test database to avoid affecting development data.
  */
 
-import { join } from 'node:path';
+import { existsSync } from 'node:fs';
+import { dirname, join } from 'node:path';
 import postgres from 'postgres';
 import { listMigrationFiles, loadMigrationUpSection } from '../../db/migration-loader';
 
+/**
+ * Walk up from startDir looking for `db/migrations`. Falls back to cwd so the
+ * historical behaviour (vitest invoked from repo root) still works even when
+ * no match is found upstream.
+ */
+function resolveMigrationsDir(startDir: string): string {
+  let dir = startDir;
+  for (let i = 0; i < 6; i++) {
+    const candidate = join(dir, 'db/migrations');
+    if (existsSync(candidate)) return candidate;
+    const parent = dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return join(startDir, 'db/migrations');
+}
+
 const TEST_SEED_USER_ID = 'test-seed-user';
 const TEST_SEED_USER_EMAIL = 'test-seed-user@example.com';
 const SKIP_ON_FRESH_SETUP = new Set<string>();
@@ -75,9 +93,10 @@ export async function setupTestDatabase(): Promise<void> {
   await db`CREATE EXTENSION IF NOT EXISTS "vector"`;
   await db`CREATE EXTENSION IF NOT EXISTS "pg_trgm"`;
 
-  // Run migrations in order
-  // Use process.cwd() since globalSetup runs from project root
-  const migrationsDir = join(process.cwd(), 'db/migrations');
+  // Run migrations in order. Resolves `db/migrations` by walking up from the
+  // current working directory so vitest works whether invoked at the repo
+  // root or inside the package.
+  const migrationsDir = resolveMigrationsDir(process.cwd());
 
   let migrationFiles: string[];
   try {
diff --git a/packages/owletto-backend/src/__tests__/setup/test-helpers.ts b/packages/owletto-backend/src/__tests__/setup/test-helpers.ts
index 8df66dfc4..8969379fc 100644
--- a/packages/owletto-backend/src/__tests__/setup/test-helpers.ts
+++ b/packages/owletto-backend/src/__tests__/setup/test-helpers.ts
@@ -223,7 +223,13 @@ export async function mcpRequest<T = any>(
 }
 
 /**
- * Make an MCP tools/call request with JSON format for raw results
+ * Make an MCP tools/call request with JSON format for raw results.
+ *
+ * After PR-2 the legacy `manage_*`/`list_watchers`/`get_watcher`/
+ * `read_knowledge` tools are gone from the MCP surface. Historical tests
+ * that call those names still go through this function and will get
+ * `Tool not found` — those tests are tracked for migration to either
+ * direct handler imports or `executeScript` script form.
  */
 export async function mcpToolsCall<T = any>(
   toolName: string,
diff --git a/packages/owletto-backend/src/__tests__/unit/sandbox/method-metadata.test.ts b/packages/owletto-backend/src/__tests__/unit/sandbox/method-metadata.test.ts
new file mode 100644
index 000000000..06eb4aaba
--- /dev/null
+++ b/packages/owletto-backend/src/__tests__/unit/sandbox/method-metadata.test.ts
@@ -0,0 +1,152 @@
+import { describe, expect, it } from "bun:test";
+import {
+  BANNED_PATHS,
+  METHOD_METADATA,
+  type MethodAccess,
+} from "../../../sandbox/method-metadata";
+
+/**
+ * Static surface description of every namespace method. Hand-maintained — when
+ * a namespace adds a method, this list must add it too, and a metadata entry
+ * must exist. The coverage test below enforces the latter.
+ */
+const NAMESPACE_METHODS: Record<string, readonly string[]> = {
+  entities: [
+    "list",
+    "get",
+    "create",
+    "update",
+    "delete",
+    "link",
+    "unlink",
+    "updateLink",
+    "listLinks",
+    "search",
+  ],
+  entitySchema: [
+    "listTypes",
+    "getType",
+    "createType",
+    "updateType",
+    "deleteType",
+    "auditType",
+    "listRelTypes",
+    "getRelType",
+    "createRelType",
+    "updateRelType",
+    "deleteRelType",
+    "addRule",
+    "removeRule",
+    "listRules",
+  ],
+  connections: [
+    "list",
+    "listConnectorDefinitions",
+    "get",
+    "create",
+    "connect",
+    "update",
+    "delete",
+    "test",
+    "installConnector",
+    "uninstallConnector",
+    "toggleConnectorLogin",
+    "updateConnectorAuth",
+  ],
+  feeds: ["list", "get", "create", "update", "delete", "trigger"],
+  authProfiles: ["list", "get", "test", "create", "update", "delete"],
+  operations: [
+    "listAvailable",
+    "execute",
+    "listRuns",
+    "getRun",
+    "approve",
+    "reject",
+  ],
+  watchers: [
+    "list",
+    "get",
+    "create",
+    "update",
+    "delete",
+    "setReactionScript",
+    "completeWindow",
+  ],
+  classifiers: [
+    "list",
+    "create",
+    "createVersion",
+    "getVersions",
+    "setCurrentVersion",
+    "generateEmbeddings",
+    "delete",
+    "classify",
+  ],
+  viewTemplates: ["get", "set", "rollback", "removeTab"],
+  knowledge: ["search", "save", "read"],
+  organizations: ["list", "current"],
+};
+
+/** Top-level SDK methods that aren't inside a namespace. */
+const TOP_LEVEL_METHODS = ["query", "log"] as const;
+
+describe("method-metadata", () => {
+  it("has at least one entry per namespace method", () => {
+    const missing: string[] = [];
+    for (const [ns, methods] of Object.entries(NAMESPACE_METHODS)) {
+      for (const m of methods) {
+        const key = `${ns}.${m}`;
+        if (!(key in METHOD_METADATA)) missing.push(key);
+      }
+    }
+    expect(missing).toEqual([]);
+  });
+
+  it("has entries for top-level methods", () => {
+    for (const m of TOP_LEVEL_METHODS) {
+      expect(METHOD_METADATA).toHaveProperty(m);
+    }
+  });
+
+  it("has valid access levels on every entry", () => {
+    const valid: MethodAccess[] = ["read", "write", "external"];
+    for (const [path, meta] of Object.entries(METHOD_METADATA)) {
+      expect(valid).toContain(meta.access);
+      expect(meta.summary.length).toBeGreaterThan(0);
+      if (meta.example) {
+        expect(meta.example).toContain("client.");
+      }
+      void path;
+    }
+  });
+
+  it("uses dotted path keys", () => {
+    for (const path of Object.keys(METHOD_METADATA)) {
+      expect(path).toMatch(/^[a-zA-Z]+(\.[a-zA-Z]+)?$/);
+    }
+  });
+
+  it("never exposes banned paths", () => {
+    for (const banned of BANNED_PATHS) {
+      expect(METHOD_METADATA).not.toHaveProperty(banned);
+    }
+  });
+
+  it("classifies external side-effects correctly for known methods", () => {
+    expect(METHOD_METADATA["operations.execute"].access).toBe("external");
+    expect(METHOD_METADATA["feeds.trigger"].access).toBe("external");
+    expect(METHOD_METADATA["connections.test"].access).toBe("external");
+    expect(METHOD_METADATA["authProfiles.test"].access).toBe("external");
+  });
+
+  it("classifies reads correctly for known methods", () => {
+    expect(METHOD_METADATA["entities.list"].access).toBe("read");
+    expect(METHOD_METADATA["watchers.list"].access).toBe("read");
+    expect(METHOD_METADATA["organizations.list"].access).toBe("read");
+  });
+
+  it("does not claim SQL positional parameters in the query example", () => {
+    const example = METHOD_METADATA.query.example ?? "";
+    expect(example).not.toMatch(/\$\d+/);
+  });
+});
diff --git a/packages/owletto-backend/src/__tests__/unit/sandbox/run-script.test.ts b/packages/owletto-backend/src/__tests__/unit/sandbox/run-script.test.ts
new file mode 100644
index 000000000..ba6a9d3fb
--- /dev/null
+++ b/packages/owletto-backend/src/__tests__/unit/sandbox/run-script.test.ts
@@ -0,0 +1,44 @@
+import { describe, expect, it } from "bun:test";
+import type { ClientSDK } from "../../../sandbox/client-sdk";
+import { getDefaultLimits, runScript } from "../../../sandbox/run-script";
+
+describe("runScript", () => {
+  it("exposes default resource limits", () => {
+    const limits = getDefaultLimits();
+    expect(limits.memoryMb).toBe(64);
+    expect(limits.timeoutMs).toBe(60_000);
+    expect(limits.sdkCallQuota).toBe(200);
+    expect(limits.outputBytes).toBe(262_144);
+  });
+
+  it("returns structured result shape", async () => {
+    const stubSdk = { log: () => undefined } as unknown as ClientSDK;
+    const result = await runScript({
+      source: "export default async () => 42;",
+      sdk: stubSdk,
+    });
+    expect(result).toHaveProperty("success");
+    expect(result).toHaveProperty("logs");
+    expect(result).toHaveProperty("durationMs");
+    expect(result).toHaveProperty("sdkCalls");
+    expect(result.durationMs).toBeGreaterThanOrEqual(0);
+  });
+
+  it("runs a default-export script and returns its value", async () => {
+    const stubSdk = { log: () => undefined } as unknown as ClientSDK;
+    const result = await runScript({
+      source: "export default async () => 1 + 2;",
+      sdk: stubSdk,
+    });
+    // Skip on environments where the optional native module is unavailable
+    // (the runner reports RuntimeUnavailable). Otherwise the bridge must
+    // succeed and forward the return value.
+    if (result.error?.name === "RuntimeUnavailable") {
+      expect(result.success).toBe(false);
+      return;
+    }
+    expect(result.success).toBe(true);
+    expect(result.returnValue).toBe(3);
+    expect(result.sdkCalls).toBe(0);
+  });
+});
diff --git a/packages/owletto-backend/src/__tests__/unit/sandbox/sdk-search.test.ts b/packages/owletto-backend/src/__tests__/unit/sandbox/sdk-search.test.ts
new file mode 100644
index 000000000..ef167cdd7
--- /dev/null
+++ b/packages/owletto-backend/src/__tests__/unit/sandbox/sdk-search.test.ts
@@ -0,0 +1,56 @@
+import { describe, expect, it } from "bun:test";
+import { sdkSearch } from "../../../tools/sdk_search";
+
+const stubEnv = {} as never;
+const stubCtx = {} as never;
+
+describe("sdkSearch", () => {
+  it("returns drill-down for an exact path", async () => {
+    const result = await sdkSearch(
+      { query: "watchers.list" },
+      stubEnv,
+      stubCtx,
+    );
+    expect(result.match_count).toBe(1);
+    expect(result.results[0]).toContain("watchers.list");
+    expect(result.results[0]).toContain("access:");
+  });
+
+  it("returns namespace listing for a top-level namespace", async () => {
+    const result = await sdkSearch({ query: "watchers" }, stubEnv, stubCtx);
+    expect(result.match_count).toBeGreaterThan(2);
+    const joined = result.results.join("\n");
+    expect(joined).toContain("watchers.list");
+    expect(joined).toContain("watchers.create");
+  });
+
+  it("substring-matches across paths and summaries", async () => {
+    const result = await sdkSearch(
+      { query: "extraction" },
+      stubEnv,
+      stubCtx,
+    );
+    // "extraction_schema" appears in watchers.create's summary or example.
+    expect(result.match_count).toBeGreaterThan(0);
+  });
+
+  it("returns empty + helpful note for unknown queries", async () => {
+    const result = await sdkSearch(
+      { query: "definitelyNotAMethod" },
+      stubEnv,
+      stubCtx,
+    );
+    expect(result.match_count).toBe(0);
+    expect(result.notes).toBeDefined();
+  });
+
+  it("respects the limit parameter", async () => {
+    const result = await sdkSearch(
+      { query: "watchers", limit: 2 },
+      stubEnv,
+      stubCtx,
+    );
+    expect(result.results.length).toBeLessThanOrEqual(2);
+    expect(result.notes).toContain("more matches");
+  });
+});
diff --git a/packages/owletto-backend/src/__tests__/unit/sandbox/typebox-to-signature.test.ts b/packages/owletto-backend/src/__tests__/unit/sandbox/typebox-to-signature.test.ts
new file mode 100644
index 000000000..93956714f
--- /dev/null
+++ b/packages/owletto-backend/src/__tests__/unit/sandbox/typebox-to-signature.test.ts
@@ -0,0 +1,84 @@
+import { describe, expect, it } from "bun:test";
+import { Type } from "@sinclair/typebox";
+import { typeboxToSignature } from "../../../sandbox/typebox-to-signature";
+
+describe("typeboxToSignature", () => {
+  it("renders primitives", () => {
+    expect(typeboxToSignature(Type.String())).toBe("string");
+    expect(typeboxToSignature(Type.Number())).toBe("number");
+    expect(typeboxToSignature(Type.Integer())).toBe("number");
+    expect(typeboxToSignature(Type.Boolean())).toBe("boolean");
+    expect(typeboxToSignature(Type.Null())).toBe("null");
+  });
+
+  it("renders enum literal unions", () => {
+    const schema = Type.Union([Type.Literal("asc"), Type.Literal("desc")]);
+    expect(typeboxToSignature(schema)).toBe("'asc' | 'desc'");
+  });
+
+  it("renders arrays with primitive element", () => {
+    expect(typeboxToSignature(Type.Array(Type.String()))).toBe("string[]");
+  });
+
+  it("uses Array<> syntax when element has spaces", () => {
+    const schema = Type.Array(
+      Type.Union([Type.Literal("a"), Type.Literal("b")])
+    );
+    expect(typeboxToSignature(schema)).toBe("Array<'a' | 'b'>");
+  });
+
+  it("renders objects with required + optional fields", () => {
+    const schema = Type.Object({
+      id: Type.Number(),
+      name: Type.Optional(Type.String()),
+    });
+    const sig = typeboxToSignature(schema);
+    expect(sig).toContain("id: number;");
+    expect(sig).toContain("name?: string;");
+  });
+
+  it("annotates with description as inline comment", () => {
+    const schema = Type.Object({
+      status: Type.String({ description: "Entity status" }),
+    });
+    const sig = typeboxToSignature(schema);
+    expect(sig).toContain("// Entity status");
+  });
+
+  it("inlines nested objects", () => {
+    const schema = Type.Object({
+      outer: Type.Object({
+        inner: Type.String(),
+      }),
+    });
+    const sig = typeboxToSignature(schema);
+    expect(sig).toContain("outer: {");
+    expect(sig).toContain("inner: string;");
+  });
+
+  it("caps recursion at maxDepth", () => {
+    // A self-reference would recurse forever; use a fake depth trap.
+    const schema: unknown = { type: "object", properties: {} };
+    (schema as Record<string, unknown>).properties = { self: schema };
+    expect(typeboxToSignature(schema as never, { maxDepth: 2 })).toContain(
+      "unknown"
+    );
+  });
+
+  it("handles const literal", () => {
+    const schema = Type.Literal("fixed");
+    expect(typeboxToSignature(schema)).toBe("'fixed'");
+  });
+
+  it("escapes backslashes in literal values", () => {
+    // Regression: an unescaped trailing backslash would produce the
+    // unterminated literal `'\'`.
+    const schema = Type.Literal("path\\to\\file");
+    expect(typeboxToSignature(schema)).toBe("'path\\\\to\\\\file'");
+  });
+
+  it("escapes single quotes in literal values", () => {
+    const schema = Type.Literal("it's");
+    expect(typeboxToSignature(schema)).toBe("'it\\'s'");
+  });
+});
diff --git a/packages/owletto-backend/src/auth/__tests__/tool-access.test.ts b/packages/owletto-backend/src/auth/__tests__/tool-access.test.ts
index 39a94ba72..67281cc4f 100644
--- a/packages/owletto-backend/src/auth/__tests__/tool-access.test.ts
+++ b/packages/owletto-backend/src/auth/__tests__/tool-access.test.ts
@@ -5,7 +5,9 @@
  */
 
 import { describe, expect, it } from 'vitest';
+import { routeAction } from '../../tools/admin/action-router';
 import { type AuthContext, checkToolAccess } from '../../tools/execute';
+import type { ToolContext } from '../../tools/registry';
 import {
   getRequiredAccessLevel,
   isPublicReadable,
@@ -46,9 +48,21 @@ describe('requiresOwnerAdmin', () => {
     expect(
       requiresOwnerAdmin('manage_connections', { action: 'update_connector_auth' }, false)
     ).toBe(true);
+    expect(
+      requiresOwnerAdmin('manage_connections', { action: 'update_connector_default_config' }, false)
+    ).toBe(true);
+    expect(requiresOwnerAdmin('manage_connections', { action: 'reauthenticate' }, false)).toBe(
+      true
+    );
   });
 
-  it('should require admin for manage_auth_profiles mutations', () => {
+  it('should require admin for manage_auth_profiles sensitive actions', () => {
+    expect(requiresOwnerAdmin('manage_auth_profiles', { action: 'get_auth_profile' }, false)).toBe(
+      true
+    );
+    expect(
+      requiresOwnerAdmin('manage_auth_profiles', { action: 'test_auth_profile' }, false)
+    ).toBe(true);
     expect(
       requiresOwnerAdmin('manage_auth_profiles', { action: 'create_auth_profile' }, false)
     ).toBe(true);
@@ -68,6 +82,10 @@ describe('requiresOwnerAdmin', () => {
     expect(requiresOwnerAdmin('manage_watchers', { action: 'set_reaction_script' }, false)).toBe(
       true
     );
+    expect(requiresOwnerAdmin('manage_watchers', { action: 'trigger' }, false)).toBe(true);
+    expect(requiresOwnerAdmin('manage_watchers', { action: 'create_from_version' }, false)).toBe(
+      true
+    );
   });
 
   it('should not require admin for manage_watchers read actions', () => {
@@ -78,6 +96,13 @@ describe('requiresOwnerAdmin', () => {
     expect(
       requiresOwnerAdmin('manage_watchers', { action: 'get_component_reference' }, false)
     ).toBe(false);
+    expect(requiresOwnerAdmin('manage_watchers', { action: 'get_feedback' }, false)).toBe(false);
+  });
+
+  it('should require admin for view template mutations while leaving reads as read-tier', () => {
+    expect(requiresOwnerAdmin('manage_view_templates', { action: 'set' }, false)).toBe(true);
+    expect(requiresOwnerAdmin('manage_view_templates', { action: 'rollback' }, false)).toBe(true);
+    expect(requiresOwnerAdmin('manage_view_templates', { action: 'get' }, false)).toBe(false);
   });
 });
 
@@ -166,6 +191,63 @@ describe('isPublicReadable', () => {
   });
 });
 
+describe('routeAction per-action enforcement', () => {
+  const memberWriteCtx: ToolContext = {
+    organizationId: 'org_123',
+    userId: 'user_123',
+    memberRole: 'member',
+    isAuthenticated: true,
+    scopes: ['mcp:write'],
+  };
+
+  it('blocks admin-only handler actions reached through execute for write-tier members', async () => {
+    let called = false;
+    await expect(
+      routeAction('manage_entity_schema', 'create', memberWriteCtx, {
+        create: async () => {
+          called = true;
+          return { ok: true };
+        },
+      })
+    ).rejects.toThrow(/requires admin or owner access/i);
+    expect(called).toBe(false);
+  });
+
+  it('requires admin MCP scope even for owner/admin roles', async () => {
+    await expect(
+      routeAction(
+        'manage_connections',
+        'install_connector',
+        {
+          ...memberWriteCtx,
+          memberRole: 'admin',
+        },
+        {
+          install_connector: async () => ({ ok: true }),
+        }
+      )
+    ).rejects.toThrow(/requires an MCP session with admin access/i);
+  });
+
+  it('preserves system reaction calls', async () => {
+    await expect(
+      routeAction(
+        'manage_operations',
+        'execute',
+        {
+          organizationId: 'org_123',
+          userId: null,
+          memberRole: null,
+          isAuthenticated: true,
+        },
+        {
+          execute: async () => ({ ok: true }),
+        }
+      )
+    ).resolves.toEqual({ ok: true });
+  });
+});
+
 describe('checkToolAccess', () => {
   const baseAuth: AuthContext = {
     organizationId: 'org_123',
@@ -181,18 +263,16 @@ describe('checkToolAccess', () => {
     scopedToOrg: true,
   };
 
-  it('explains the public read-only upgrade path on write attempts', () => {
+  it('explains the public read-only situation on write attempts', () => {
     expect(() => checkToolAccess('save_knowledge', {}, baseAuth)).toThrow(
-      'This public workspace is read-only for your account. Ask an organization admin to invite you for write access.'
+      /public workspace is read-only/i
     );
   });
 
   it('requires write scope for member writes', () => {
     expect(() =>
       checkToolAccess('save_knowledge', {}, { ...baseAuth, memberRole: 'member' })
-    ).toThrow(
-      'This MCP session is read-only. Reconnect with write access after you are added to the organization.'
-    );
+    ).toThrow(/MCP session is read-only/i);
   });
 
   it('allows members with write scope to save knowledge', () => {
@@ -209,11 +289,29 @@ describe('checkToolAccess', () => {
     ).not.toThrow();
   });
 
-  it('keeps admin-only actions restricted for members', () => {
+  it('hides legacy internal tools from external MCP calls even when the name is known', () => {
+    expect(() =>
+      checkToolAccess('manage_entity', { action: 'list' }, { ...baseAuth, memberRole: 'owner' })
+    ).toThrow('Tool not found: manage_entity');
+  });
+
+  it('allows REST compatibility paths to reach legacy internal tools subject to access', () => {
+    expect(() =>
+      checkToolAccess('manage_entity', { action: 'create' }, {
+        ...baseAuth,
+        memberRole: 'member',
+        scopes: ['mcp:write'],
+        allowInternalTools: true,
+      })
+    ).not.toThrow();
+  });
+
+  it('keeps admin-only tools restricted for members', () => {
+    // query_sql is the canonical admin-only tool on the post-PR-2 surface.
     expect(() =>
       checkToolAccess(
-        'manage_connections',
-        { action: 'create' },
+        'query_sql',
+        { sql: 'SELECT 1', sort_by: 'id' },
         {
           ...baseAuth,
           memberRole: 'member',
diff --git a/packages/owletto-backend/src/auth/tool-access.ts b/packages/owletto-backend/src/auth/tool-access.ts
index d87980aaa..08740d5c0 100644
--- a/packages/owletto-backend/src/auth/tool-access.ts
+++ b/packages/owletto-backend/src/auth/tool-access.ts
@@ -3,12 +3,23 @@
  *
  * Centralizes role/scoped MCP access checks and what anonymous/public
  * callers are allowed to read.
+ *
+ * Note on `execute`: the MCP entry point requires write-tier access, and
+ * admin-only SDK methods still re-check role + MCP scope at the delegated
+ * handler boundary before any mutation runs.
  */
 
-type ToolAccessLevel = 'read' | 'write' | 'admin';
+export type ToolAccessLevel = 'read' | 'write' | 'admin';
 
 const MEMBER_WRITE_ACTIONS: Record<string, Set<string> | null> = {
   save_knowledge: null,
+  // `execute` reaches admin handlers inside the script; per-call gates fire
+  // on each SDK method, so the entry-point check is just write-tier.
+  execute: null,
+  // Legacy `manage_*` policy entries — the tools themselves are no longer
+  // registered with MCP, but the handlers are still reached via SDK
+  // namespace wrappers from inside `execute`, and `routeAction` consults
+  // these tables to fire the same per-action access decisions.
   manage_entity: new Set(['create', 'update', 'link', 'unlink', 'update_link']),
 };
 
@@ -20,15 +31,19 @@ const OWNER_ADMIN_ACTIONS: Record<string, Set<string>> = {
     'update',
     'delete',
     'connect',
+    'reauthenticate',
     'test',
     'install_connector',
     'uninstall_connector',
     'toggle_connector_login',
     'update_connector_auth',
+    'update_connector_default_config',
     'set_connector_entity_link_overrides',
   ]),
   manage_feeds: new Set(['create_feed', 'update_feed', 'delete_feed', 'trigger_feed']),
   manage_auth_profiles: new Set([
+    'get_auth_profile',
+    'test_auth_profile',
     'create_auth_profile',
     'update_auth_profile',
     'delete_auth_profile',
@@ -40,9 +55,11 @@ const OWNER_ADMIN_ACTIONS: Record<string, Set<string>> = {
     'create_version',
     'upgrade',
     'complete_window',
+    'trigger',
     'delete',
     'set_reaction_script',
     'submit_feedback',
+    'create_from_version',
   ]),
   manage_classifiers: new Set([
     'create',
@@ -52,26 +69,33 @@ const OWNER_ADMIN_ACTIONS: Record<string, Set<string>> = {
     'delete',
     'classify',
   ]),
+  manage_view_templates: new Set(['set', 'rollback', 'remove_tab']),
 };
 
 const PUBLIC_READ_ACTIONS: Record<string, Set<string> | null> = {
   resolve_path: null,
   search_knowledge: null,
+  // SDK method discovery — safe to expose; surfaces no data.
+  search: null,
+  // Internal read-paths — kept for tests that exercise public-readability
+  // semantics; legitimate external access is via `execute`.
   read_knowledge: null,
   get_watcher: null,
   list_watchers: null,
-  // Visible to anonymous/non-member sessions so the LLM can discover the
-  // self-serve join path on a public workspace. The tool itself enforces
-  // authentication and public-org policy at call time.
-  join_organization: null,
   manage_entity: new Set(['list', 'get', 'list_links']),
   manage_entity_schema: new Set(['list', 'get', 'audit', 'list_rules']),
   manage_connections: new Set(['list', 'get', 'list_connector_definitions']),
   manage_feeds: new Set(['list_feeds', 'get_feed']),
   manage_auth_profiles: new Set(['list_auth_profiles']),
   manage_operations: new Set(['list_available', 'list_runs', 'get_run']),
-  manage_watchers: new Set(['get_versions', 'get_version_details', 'get_component_reference']),
+  manage_watchers: new Set([
+    'get_versions',
+    'get_version_details',
+    'get_component_reference',
+    'get_feedback',
+  ]),
   manage_classifiers: new Set(['list', 'get_versions']),
+  manage_view_templates: new Set(['get']),
 };
 
 function getAction(args: unknown): string | null {
@@ -106,7 +130,8 @@ export function requiresOwnerAdmin(
   args: unknown,
   readOnlyHint: boolean
 ): boolean {
-  // query_sql is intentionally owner/admin only despite being read-only.
+  // query_sql is intentionally owner/admin only despite being read-only —
+  // it can read across the whole org's data, including audit/event tables.
   if (toolName === 'query_sql') return true;
 
   if (actionMatches(OWNER_ADMIN_ACTIONS, toolName, args)) return true;
@@ -123,11 +148,28 @@ export function getRequiredAccessLevel(
   readOnlyHint: boolean
 ): ToolAccessLevel {
   if (toolName === 'switch_organization') return 'read';
+  if (toolName === 'list_organizations') return 'read';
   if (requiresOwnerAdmin(toolName, args, readOnlyHint)) return 'admin';
   if (requiresMemberWrite(toolName, args, readOnlyHint)) return 'write';
   return 'read';
 }
 
+export function hasRequiredMcpScope(
+  requiredAccess: ToolAccessLevel,
+  scopes: string[] | null | undefined
+): boolean {
+  if (scopes == null) return true;
+  if (scopes.length === 0) return false;
+  const scopeSet = new Set(scopes);
+  if (requiredAccess === 'read') {
+    return scopeSet.has('mcp:read') || scopeSet.has('mcp:write') || scopeSet.has('mcp:admin');
+  }
+  if (requiredAccess === 'write') {
+    return scopeSet.has('mcp:write') || scopeSet.has('mcp:admin');
+  }
+  return scopeSet.has('mcp:admin');
+}
+
 export function isPublicReadable(toolName: string, args: unknown): boolean {
   return actionMatches(PUBLIC_READ_ACTIONS, toolName, args);
 }
diff --git a/packages/owletto-backend/src/mcp-handler.ts b/packages/owletto-backend/src/mcp-handler.ts
index 32d5d1362..0420471cc 100644
--- a/packages/owletto-backend/src/mcp-handler.ts
+++ b/packages/owletto-backend/src/mcp-handler.ts
@@ -109,7 +109,7 @@ function createServerForContext(
   // tools/list — return our TypeBox JSON Schemas
   // Read auth state dynamically so the list updates after auth upgrades or org switches.
   server.setRequestHandler(ListToolsRequestSchema, async () => {
-    const includeInternalTools = !authCtx.clientId;
+    const includeInternalTools = authCtx.allowInternalTools === true && !authCtx.clientId;
     const includeOrgSwitching = !authCtx.scopedToOrg;
     const publicOnly = !!authCtx.organizationId && !authCtx.memberRole;
     const roleAccessLevel = !authCtx.memberRole
diff --git a/packages/owletto-backend/src/sandbox/client-sdk.ts b/packages/owletto-backend/src/sandbox/client-sdk.ts
new file mode 100644
index 000000000..26b96d8e7
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/client-sdk.ts
@@ -0,0 +1,240 @@
+/**
+ * ClientSDK — one in-process SDK shared by the `execute` MCP tool (PR-2) and
+ * watcher reactions (PR-2 swap). Each namespace delegates to existing tool
+ * handlers, preserving per-call auth checks and audit/change events.
+ *
+ * Multi-org support is provided by `client.org(slugOrId)`: it resolves the
+ * identifier (slug preferred, id fallback) via the auth layer's existing
+ * caches (see `workspace/multi-tenant.ts`), re-reads the caller's role on
+ * every call, and returns a proxy SDK bound to a swapped `ToolContext`.
+ *
+ * No separate LRU lives here — `MultiTenantProvider.memberRoleCache` is the
+ * single source of truth, which means explicit invalidations from member-write
+ * paths flow through to sandbox callers without extra plumbing.
+ */
+
+import { hasRequiredMcpScope } from "../auth/tool-access";
+import type { Env } from "../index";
+import type { ToolContext } from "../tools/registry";
+import {
+  getCachedMembershipRole,
+  getCachedOrgBySlug,
+  getOrgById,
+} from "../workspace/multi-tenant";
+import {
+  buildAuthProfilesNamespace,
+  buildClassifiersNamespace,
+  buildConnectionsNamespace,
+  buildEntitiesNamespace,
+  buildEntitySchemaNamespace,
+  buildFeedsNamespace,
+  buildKnowledgeNamespace,
+  buildOperationsNamespace,
+  buildOrganizationsNamespace,
+  buildViewTemplatesNamespace,
+  buildWatchersNamespace,
+} from "./namespaces";
+import type { AuthProfilesNamespace } from "./namespaces/auth-profiles";
+import type { ClassifiersNamespace } from "./namespaces/classifiers";
+import type { ConnectionsNamespace } from "./namespaces/connections";
+import type { EntitiesNamespace } from "./namespaces/entities";
+import type { EntitySchemaNamespace } from "./namespaces/entity-schema";
+import type { FeedsNamespace } from "./namespaces/feeds";
+import type { KnowledgeNamespace } from "./namespaces/knowledge";
+import type { OperationsNamespace } from "./namespaces/operations";
+import type { OrganizationsNamespace } from "./namespaces/organizations";
+import type { ViewTemplatesNamespace } from "./namespaces/view-templates";
+import type { WatchersNamespace } from "./namespaces/watchers";
+
+export interface ClientSDK {
+  entities: EntitiesNamespace;
+  entitySchema: EntitySchemaNamespace;
+  connections: ConnectionsNamespace;
+  feeds: FeedsNamespace;
+  authProfiles: AuthProfilesNamespace;
+  operations: OperationsNamespace;
+  watchers: WatchersNamespace;
+  classifiers: ClassifiersNamespace;
+  viewTemplates: ViewTemplatesNamespace;
+  knowledge: KnowledgeNamespace;
+  organizations: OrganizationsNamespace;
+
+  /**
+   * Return a ClientSDK bound to a different organization the caller belongs
+   * to. Resolves `slugOrId` against the organization table (slug first, id
+   * fallback), then re-reads the caller's role from `member` via the shared
+   * `memberRoleCache`. Throws `AccessDenied` for private orgs the caller isn't
+   * a member of.
+   *
+   * Public-visibility orgs return an SDK with `memberRole: null` — reads
+   * succeed, writes fail at the handler-level access check.
+   *
+   * Chained hops like `client.org('a').org('b')` are legal when the caller is
+   * a member of both; each hop re-validates against the original user.
+   */
+  org(slugOrId: string): Promise<ClientSDK>;
+
+  /**
+   * Run a read-only SQL query scoped to the current organization. User-side
+   * positional parameters are not supported (`validateAndScopeQuery` rejects
+   * `$N`); pass values via Handlebars `{{query.name}}` substitutions instead.
+   */
+  query(sql: string): Promise<unknown[]>;
+
+  /** Emit a structured log entry (captured by the invocation audit row in PR-3). */
+  log(message: string, data?: Record<string, unknown>): void;
+}
+
+// ---------------------------------------------------------------------------
+// Errors
+// ---------------------------------------------------------------------------
+
+export class SdkError extends Error {
+  readonly code: string;
+  constructor(code: string, message: string) {
+    super(message);
+    this.name = code;
+    this.code = code;
+  }
+}
+
+export class AccessDeniedError extends SdkError {
+  constructor(message: string) {
+    super("AccessDenied", message);
+  }
+}
+
+export class OrgNotFoundError extends SdkError {
+  constructor(message: string) {
+    super("OrgNotFound", message);
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Membership resolution
+// ---------------------------------------------------------------------------
+
+export interface ResolvedOrgMembership {
+  orgId: string;
+  slug: string;
+  role: string | null;
+  visibility: "public" | "private";
+}
+
+/**
+ * Resolve an org identifier (slug or id) into a membership record. Slug is
+ * tried first (covers the common case and hits the auth-layer cache); on miss,
+ * the id path runs. Throws `OrgNotFound` if neither matches, `AccessDenied` if
+ * the caller has no read access (non-member on a private org).
+ */
+export async function resolveOrgMembership(
+  slugOrId: string,
+  ctx: ToolContext,
+): Promise<ResolvedOrgMembership> {
+  let orgId: string;
+  let slug: string;
+  let visibility: "public" | "private";
+
+  const bySlug = await getCachedOrgBySlug(slugOrId);
+  if (bySlug) {
+    orgId = bySlug.id;
+    slug = slugOrId;
+    visibility = bySlug.visibility === "public" ? "public" : "private";
+  } else {
+    const byId = await getOrgById(slugOrId);
+    if (!byId) {
+      throw new OrgNotFoundError(`Organization '${slugOrId}' not found.`);
+    }
+    orgId = slugOrId;
+    slug = byId.slug;
+    visibility = byId.visibility === "public" ? "public" : "private";
+  }
+
+  const role = await getCachedMembershipRole(orgId, ctx.userId);
+
+  if (visibility === "private" && role === null) {
+    throw new AccessDeniedError(
+      `You are not a member of organization '${slug}'.`,
+    );
+  }
+
+  return { orgId, slug, role, visibility };
+}
+
+// ---------------------------------------------------------------------------
+// SDK construction
+// ---------------------------------------------------------------------------
+
+function isSystemContext(ctx: ToolContext): boolean {
+  return ctx.isAuthenticated === true && ctx.userId === null && ctx.memberRole === null;
+}
+
+/**
+ * Build a `ClientSDK` bound to the caller's current `ToolContext`. The SDK
+ * exposes `.org()` which constructs a fresh `ClientSDK` after re-validating
+ * membership against the shared auth-layer cache.
+ */
+export function buildClientSDK(ctx: ToolContext, env: Env): ClientSDK {
+  const sdk: ClientSDK = {
+    entities: buildEntitiesNamespace(ctx, env),
+    entitySchema: buildEntitySchemaNamespace(ctx, env),
+    connections: buildConnectionsNamespace(ctx, env),
+    feeds: buildFeedsNamespace(ctx, env),
+    authProfiles: buildAuthProfilesNamespace(ctx, env),
+    operations: buildOperationsNamespace(ctx, env),
+    watchers: buildWatchersNamespace(ctx, env),
+    classifiers: buildClassifiersNamespace(ctx, env),
+    viewTemplates: buildViewTemplatesNamespace(ctx, env),
+    knowledge: buildKnowledgeNamespace(ctx, env),
+    organizations: buildOrganizationsNamespace(ctx),
+
+    async org(slugOrId) {
+      const member = await resolveOrgMembership(slugOrId, ctx);
+      const swapped: ToolContext = {
+        ...ctx,
+        organizationId: member.orgId,
+        memberRole: member.role,
+      };
+      return buildClientSDK(swapped, env);
+    },
+
+    async query(querySql) {
+      // Mirrors `query_sql` MCP tool: admin/owner only for user sessions,
+      // even though the method is read-only. The query allowlist exposes
+      // audit/event tables that should not be reachable by member-tier callers
+      // via `execute`. Watcher reactions remain system calls and are allowed.
+      if (!isSystemContext(ctx)) {
+        if (ctx.memberRole !== "owner" && ctx.memberRole !== "admin") {
+          throw new AccessDeniedError(
+            "client.query requires admin or owner access in the current organization.",
+          );
+        }
+        if (!hasRequiredMcpScope("admin", ctx.scopes)) {
+          throw new AccessDeniedError(
+            "client.query requires an MCP session with admin access.",
+          );
+        }
+      }
+      const [{ getDb }, { validateAndScopeQuery }] = await Promise.all([
+        import("../db/client"),
+        import("../utils/execute-data-sources"),
+      ]);
+      const scoped = validateAndScopeQuery(querySql, ctx.organizationId);
+      const db = getDb();
+      const rows = await db.begin(async (tx) => {
+        await tx.unsafe("SET TRANSACTION READ ONLY");
+        await tx.unsafe("SET LOCAL statement_timeout = '5000'");
+        return tx.unsafe(scoped.sql, scoped.params as unknown[]);
+      });
+      return rows.map((r: Record<string, unknown>) => ({ ...r }));
+    },
+
+    log(message, data) {
+      // Structured log; PR-3 routes these into the execute_invocation audit row.
+      // biome-ignore lint/suspicious/noConsole: dev-level fallback; PR-3 swaps for a proper sink.
+      console.log(`[client-sdk] ${message}`, data ?? {});
+    },
+  };
+
+  return sdk;
+}
diff --git a/packages/owletto-backend/src/sandbox/method-metadata.ts b/packages/owletto-backend/src/sandbox/method-metadata.ts
new file mode 100644
index 000000000..caba55641
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/method-metadata.ts
@@ -0,0 +1,390 @@
+/**
+ * ClientSDK method metadata.
+ *
+ * Describes each SDK method for:
+ * - `search` MCP tool (summary, example, throws)
+ * - Dry-run classification (read | write | external) — PR-2 wires this into
+ *   the wrapper so writes and external side-effects are intercepted.
+ * - Static bans (e.g. `client.execute` must not be exposed recursively)
+ *
+ * Keyed by dotted SDK path (e.g. `watchers.list`, `entities.create`). The
+ * PR-1 coverage unit test asserts every method exported from a namespace has
+ * an entry here.
+ */
+
+export type MethodAccess = "read" | "write" | "external";
+
+export interface MethodMetadata {
+  /** One-line human description. Shown in namespace listings. */
+  summary: string;
+  /** Dry-run classification. Writes are intercepted; externals are never sent. */
+  access: MethodAccess;
+  /** Declared error names the method may throw. Surfaces in drill-down. */
+  throws?: readonly string[];
+  /** Copy-pasteable TS snippet. Kept short (≤2 lines). */
+  example?: string;
+  /** Cost hint: 'cheap' | 'normal' | 'expensive'. Normal if omitted. */
+  cost?: "cheap" | "normal" | "expensive";
+}
+
+export const METHOD_METADATA: Record<string, MethodMetadata> = {
+  // organizations
+  "organizations.list": {
+    summary:
+      "List organizations the authenticated user belongs to, plus public orgs they can read.",
+    access: "read",
+    example: "const orgs = await client.organizations.list();",
+  },
+  "organizations.current": {
+    summary: "Return the session's current organization context.",
+    access: "read",
+    example: "const org = await client.organizations.current();",
+  },
+
+  // entities
+  "entities.list": {
+    summary: "List entities in the current organization with optional filters.",
+    access: "read",
+    example:
+      "const rows = await client.entities.list({ entity_type: 'company' });",
+  },
+  "entities.get": {
+    summary: "Fetch a single entity by id.",
+    access: "read",
+    throws: ["EntityNotFound"],
+    example: "const entity = await client.entities.get(42);",
+  },
+  "entities.create": {
+    summary:
+      "Create an entity with metadata validated against the entity type schema.",
+    access: "write",
+    throws: ["EntityTypeNotFound", "ValidationError"],
+    example:
+      "await client.entities.create({ type: 'company', name: 'Acme', metadata: {} });",
+  },
+  "entities.update": {
+    summary: "Update an existing entity.",
+    access: "write",
+  },
+  "entities.delete": {
+    summary: "Delete an entity, optionally cascading to descendants.",
+    access: "write",
+  },
+  "entities.link": {
+    summary: "Create a relationship between two entities.",
+    access: "write",
+  },
+  "entities.unlink": {
+    summary: "Soft-delete an entity relationship.",
+    access: "write",
+  },
+  "entities.updateLink": {
+    summary: "Update metadata / confidence on an existing relationship.",
+    access: "write",
+  },
+  "entities.listLinks": {
+    summary: "List relationships for an entity.",
+    access: "read",
+  },
+  "entities.search": {
+    summary: "Fuzzy search entities by name, optionally filtered by type.",
+    access: "read",
+  },
+
+  // entitySchema
+  "entitySchema.listTypes": {
+    summary: "List entity types in the organization.",
+    access: "read",
+  },
+  "entitySchema.getType": {
+    summary: "Get an entity type by slug.",
+    access: "read",
+  },
+  "entitySchema.createType": {
+    summary: "Create an entity type.",
+    access: "write",
+  },
+  "entitySchema.updateType": {
+    summary: "Update an entity type.",
+    access: "write",
+  },
+  "entitySchema.deleteType": {
+    summary: "Delete an entity type.",
+    access: "write",
+  },
+  "entitySchema.auditType": {
+    summary: "List historical changes to an entity type.",
+    access: "read",
+  },
+  "entitySchema.listRelTypes": {
+    summary: "List relationship types.",
+    access: "read",
+  },
+  "entitySchema.getRelType": {
+    summary: "Get a relationship type by slug.",
+    access: "read",
+  },
+  "entitySchema.createRelType": {
+    summary: "Create a relationship type.",
+    access: "write",
+  },
+  "entitySchema.updateRelType": {
+    summary: "Update a relationship type.",
+    access: "write",
+  },
+  "entitySchema.deleteRelType": {
+    summary: "Delete a relationship type.",
+    access: "write",
+  },
+  "entitySchema.addRule": {
+    summary:
+      "Add an allowed source/target entity-type rule to a relationship type.",
+    access: "write",
+  },
+  "entitySchema.removeRule": {
+    summary: "Remove a rule from a relationship type.",
+    access: "write",
+  },
+  "entitySchema.listRules": {
+    summary: "List rules attached to a relationship type.",
+    access: "read",
+  },
+
+  // knowledge
+  "knowledge.search": {
+    summary: "Semantic + structured search over stored knowledge events.",
+    access: "read",
+    example:
+      "const hits = await client.knowledge.search({ query: 'revenue update', limit: 10 });",
+  },
+  "knowledge.save": {
+    summary: "Persist a knowledge event, optionally associated with entities.",
+    access: "write",
+  },
+  "knowledge.read": {
+    summary: "Read a knowledge event by id, or watcher-window context.",
+    access: "read",
+  },
+
+  // watchers
+  "watchers.list": {
+    summary: "List watchers, optionally filtered by entity.",
+    access: "read",
+    example: "const ws = await client.watchers.list({ entity_id: 42 });",
+  },
+  "watchers.get": {
+    summary: "Fetch a watcher by id.",
+    access: "read",
+    throws: ["WatcherNotFound"],
+  },
+  "watchers.create": {
+    summary: "Create a watcher with prompt, extraction schema, and sources.",
+    access: "write",
+    throws: ["EntityNotFound", "InvalidExtractionSchema"],
+  },
+  "watchers.update": {
+    summary: "Update watcher config (schedule, model, sources).",
+    access: "write",
+  },
+  "watchers.delete": {
+    summary: "Delete one or more watchers.",
+    access: "write",
+  },
+  "watchers.setReactionScript": {
+    summary:
+      "Attach a raw TS reaction script (fires on window completion). Empty string removes it.",
+    access: "write",
+    throws: ["CompileError"],
+  },
+  "watchers.completeWindow": {
+    summary:
+      "Submit LLM-extracted data for a watcher window. Requires a signed window_token.",
+    access: "write",
+  },
+
+  // connections
+  "connections.list": {
+    summary: "List configured connections in the current organization.",
+    access: "read",
+  },
+  "connections.listConnectorDefinitions": {
+    summary: "List connector definitions installed in this organization.",
+    access: "read",
+  },
+  "connections.get": { summary: "Get a connection by id.", access: "read" },
+  "connections.create": {
+    summary:
+      "Create a connection manually (for connectors that do not require OAuth).",
+    access: "write",
+  },
+  "connections.connect": {
+    summary:
+      "Start an OAuth / auth-profile flow. Returns a connect_url to share with the user.",
+    access: "write",
+  },
+  "connections.update": {
+    summary: "Update connection config or auth profile.",
+    access: "write",
+  },
+  "connections.delete": { summary: "Delete a connection.", access: "write" },
+  "connections.test": {
+    summary: "Test connection credentials (sends an external probe).",
+    access: "external",
+  },
+  "connections.installConnector": {
+    summary: "Install a connector definition into this organization.",
+    access: "write",
+  },
+  "connections.uninstallConnector": {
+    summary: "Uninstall a connector definition.",
+    access: "write",
+  },
+  "connections.toggleConnectorLogin": {
+    summary: "Enable/disable the login-with-connector flow.",
+    access: "write",
+  },
+  "connections.updateConnectorAuth": {
+    summary: "Update org-wide auth config for a connector.",
+    access: "write",
+  },
+
+  // operations
+  "operations.listAvailable": {
+    summary: "List operations exposed by the active connections.",
+    access: "read",
+  },
+  "operations.execute": {
+    summary: "Execute a connector action. Sends an external request.",
+    access: "external",
+    cost: "expensive",
+  },
+  "operations.listRuns": {
+    summary: "List past operation runs.",
+    access: "read",
+  },
+  "operations.getRun": { summary: "Get a single run by id.", access: "read" },
+  "operations.approve": {
+    summary: "Approve a pending run that required human approval.",
+    access: "write",
+  },
+  "operations.reject": {
+    summary: "Reject a pending run.",
+    access: "write",
+  },
+
+  // feeds
+  "feeds.list": { summary: "List data-sync feeds.", access: "read" },
+  "feeds.get": { summary: "Get a feed by id.", access: "read" },
+  "feeds.create": {
+    summary: "Create a data-sync feed for a connection.",
+    access: "write",
+  },
+  "feeds.update": { summary: "Update a feed.", access: "write" },
+  "feeds.delete": { summary: "Delete a feed.", access: "write" },
+  "feeds.trigger": {
+    summary: "Trigger an immediate sync for a feed (external side-effect).",
+    access: "external",
+  },
+
+  // authProfiles
+  "authProfiles.list": {
+    summary: "List reusable auth profiles.",
+    access: "read",
+  },
+  "authProfiles.get": {
+    summary: "Get an auth profile by slug.",
+    access: "read",
+  },
+  "authProfiles.test": {
+    summary: "Test auth-profile credentials.",
+    access: "external",
+  },
+  "authProfiles.create": {
+    summary: "Create an auth profile.",
+    access: "write",
+  },
+  "authProfiles.update": {
+    summary: "Update an auth profile.",
+    access: "write",
+  },
+  "authProfiles.delete": {
+    summary: "Delete an auth profile.",
+    access: "write",
+  },
+
+  // classifiers
+  "classifiers.list": {
+    summary: "List classifier templates.",
+    access: "read",
+  },
+  "classifiers.create": {
+    summary: "Create a classifier template.",
+    access: "write",
+  },
+  "classifiers.createVersion": {
+    summary: "Create a new version of an existing classifier.",
+    access: "write",
+  },
+  "classifiers.getVersions": {
+    summary: "List versions of a classifier.",
+    access: "read",
+  },
+  "classifiers.setCurrentVersion": {
+    summary: "Promote a version to current.",
+    access: "write",
+  },
+  "classifiers.generateEmbeddings": {
+    summary: "Generate embeddings for attribute values (cost-heavy).",
+    access: "write",
+    cost: "expensive",
+  },
+  "classifiers.delete": {
+    summary: "Delete a classifier.",
+    access: "write",
+  },
+  "classifiers.classify": {
+    summary:
+      "Apply a manual classification to one or many content records (single or batch).",
+    access: "write",
+  },
+
+  // viewTemplates
+  "viewTemplates.get": {
+    summary: "Get the active view template for a resource.",
+    access: "read",
+  },
+  "viewTemplates.set": {
+    summary: "Create or update a view template.",
+    access: "write",
+  },
+  "viewTemplates.rollback": {
+    summary: "Roll back to a previous template version.",
+    access: "write",
+  },
+  "viewTemplates.removeTab": {
+    summary: "Remove a named tab from a template.",
+    access: "write",
+  },
+
+  // top-level
+  query: {
+    summary:
+      "Run a read-only SQL query against the organization-scoped virtual tables. No positional parameters — use Handlebars {{query.name}} substitutions inside the SQL when you need values.",
+    access: "read",
+    example:
+      "const rows = await client.query(\"SELECT id, name FROM entities WHERE entity_type = 'company'\");",
+  },
+  log: {
+    summary:
+      "Emit a structured log line (captured in the invocation audit row).",
+    access: "read",
+    cost: "cheap",
+  },
+};
+
+/** Paths that must never appear as SDK methods. Enforced by the coverage test. */
+export const BANNED_PATHS = [
+  "execute",
+  "client.execute",
+  "sdk.execute",
+] as const;
diff --git a/packages/owletto-backend/src/sandbox/namespaces/auth-profiles.ts b/packages/owletto-backend/src/sandbox/namespaces/auth-profiles.ts
new file mode 100644
index 000000000..e1b0cc301
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/auth-profiles.ts
@@ -0,0 +1,86 @@
+/**
+ * ClientSDK `authProfiles` namespace. Thin wrapper over `manageAuthProfiles`.
+ *
+ * Field-name conventions mirror the handler schema exactly:
+ *   - `create` takes an optional `slug` for the new profile (the handler
+ *     auto-derives one from display_name if omitted).
+ *   - `get`, `test`, `delete` look profiles up by `auth_profile_slug`.
+ *   - `update` takes the existing `auth_profile_slug` plus an optional
+ *     new `slug` if the caller wants to rename.
+ *   - Credentials use `credentials` (key/value) or `auth_data` (OAuth/browser
+ *     session state).
+ */
+
+import type { Env } from "../../index";
+import { manageAuthProfiles } from "../../tools/admin/manage_auth_profiles";
+import type { ToolContext } from "../../tools/registry";
+
+export type AuthProfileKind =
+  | "env"
+  | "oauth_app"
+  | "oauth_account"
+  | "browser_session";
+
+export interface AuthProfileCreateInput {
+  profile_kind: AuthProfileKind;
+  connector_key: string;
+  display_name: string;
+  /** Optional stable slug for the new profile. Auto-derived when omitted. */
+  slug?: string;
+  credentials?: Record<string, string>;
+  auth_data?: Record<string, unknown>;
+  requested_scopes?: string[];
+}
+
+export interface AuthProfileUpdateInput {
+  /** Identifies the profile to mutate. */
+  auth_profile_slug: string;
+  display_name?: string;
+  /** Rename the profile. */
+  slug?: string;
+  credentials?: Record<string, string>;
+  auth_data?: Record<string, unknown>;
+  requested_scopes?: string[];
+  status?: string;
+  reconnect?: boolean;
+}
+
+export interface AuthProfilesNamespace {
+  list(input?: {
+    connector_key?: string;
+    provider?: string;
+    profile_kind?: AuthProfileKind;
+  }): Promise<unknown>;
+  get(auth_profile_slug: string): Promise<unknown>;
+  test(auth_profile_slug: string): Promise<unknown>;
+  create(input: AuthProfileCreateInput): Promise<unknown>;
+  update(input: AuthProfileUpdateInput): Promise<unknown>;
+  delete(
+    auth_profile_slug: string,
+    options?: { force?: boolean },
+  ): Promise<unknown>;
+}
+
+export function buildAuthProfilesNamespace(
+  ctx: ToolContext,
+  env: Env,
+): AuthProfilesNamespace {
+  const call = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageAuthProfiles(payload as never, env, ctx) as Promise<T>;
+
+  return {
+    list: (input) => call({ action: "list_auth_profiles", ...input }),
+    get: (auth_profile_slug) =>
+      call({ action: "get_auth_profile", auth_profile_slug }),
+    test: (auth_profile_slug) =>
+      call({ action: "test_auth_profile", auth_profile_slug }),
+    create: (input) => call({ action: "create_auth_profile", ...input }),
+    update: (input) => call({ action: "update_auth_profile", ...input }),
+    delete: (auth_profile_slug, options) =>
+      call({
+        action: "delete_auth_profile",
+        auth_profile_slug,
+        ...options,
+      }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/classifiers.ts b/packages/owletto-backend/src/sandbox/namespaces/classifiers.ts
new file mode 100644
index 000000000..b274e32ec
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/classifiers.ts
@@ -0,0 +1,89 @@
+/**
+ * ClientSDK `classifiers` namespace. Thin wrapper over `manageClassifiers`.
+ *
+ * Most CRUD actions use `classifier_id: number`; `classify` uses
+ * `classifier_slug: string`. The namespace keeps those distinct.
+ */
+
+import type { Env } from "../../index";
+import { manageClassifiers } from "../../tools/admin/manage_classifiers";
+import type { ToolContext } from "../../tools/registry";
+
+export interface ClassifierCreateInput {
+  slug: string;
+  name: string;
+  description?: string;
+  attribute_key: string;
+  attribute_values?: Record<string, unknown>;
+  entity_id?: number;
+  watcher_id: number;
+  min_similarity?: number;
+  fallback_value?: unknown;
+  created_by?: string;
+}
+
+export interface ClassifierCreateVersionInput {
+  classifier_id: number;
+  name?: string;
+  description?: string;
+  attribute_values?: Record<string, unknown>;
+  min_similarity?: number;
+  fallback_value?: unknown;
+  change_notes?: string;
+  set_as_current?: boolean;
+  created_by?: string;
+}
+
+export interface ClassifierClassifyInput {
+  classifier_slug: string;
+  /** Single-mode update. */
+  content_id?: number;
+  value?: string | null;
+  /** Batch mode. */
+  classifications?: Array<{
+    content_id: number;
+    value: string | null;
+    reasoning?: string;
+  }>;
+  source?: "llm" | "user";
+  reasoning?: string;
+}
+
+export interface ClassifiersNamespace {
+  list(input?: { entity_id?: number; status?: string }): Promise<unknown>;
+  create(input: ClassifierCreateInput): Promise<unknown>;
+  createVersion(input: ClassifierCreateVersionInput): Promise<unknown>;
+  getVersions(classifier_id: number): Promise<unknown>;
+  setCurrentVersion(input: {
+    classifier_id: number;
+    version: number;
+  }): Promise<unknown>;
+  generateEmbeddings(input: {
+    classifier_id: number;
+    force_regenerate?: boolean;
+  }): Promise<unknown>;
+  delete(classifier_id: number): Promise<unknown>;
+  classify(input: ClassifierClassifyInput): Promise<unknown>;
+}
+
+export function buildClassifiersNamespace(
+  ctx: ToolContext,
+  env: Env,
+): ClassifiersNamespace {
+  const call = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageClassifiers(payload as never, env, ctx) as Promise<T>;
+
+  return {
+    list: (input) => call({ action: "list", ...input }),
+    create: (input) => call({ action: "create", ...input }),
+    createVersion: (input) => call({ action: "create_version", ...input }),
+    getVersions: (classifier_id) =>
+      call({ action: "get_versions", classifier_id }),
+    setCurrentVersion: (input) =>
+      call({ action: "set_current_version", ...input }),
+    generateEmbeddings: (input) =>
+      call({ action: "generate_embeddings", ...input }),
+    delete: (classifier_id) => call({ action: "delete", classifier_id }),
+    classify: (input) => call({ action: "classify", ...input }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/connections.ts b/packages/owletto-backend/src/sandbox/namespaces/connections.ts
new file mode 100644
index 000000000..712870344
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/connections.ts
@@ -0,0 +1,100 @@
+/**
+ * ClientSDK `connections` namespace. Thin wrapper over `manageConnections`.
+ *
+ * `connect` is the entry point for setting up a new authenticated connection —
+ * the handler returns a `connect_url` that the caller must surface to the
+ * user's browser. Field names follow the handler schema.
+ */
+
+import type { Env } from "../../index";
+import { manageConnections } from "../../tools/admin/manage_connections";
+import type { ToolContext } from "../../tools/registry";
+
+export interface ConnectionsConnectInput {
+  connector_key: string;
+  display_name?: string;
+  auth_profile_slug?: string;
+  app_auth_profile_slug?: string;
+  config?: Record<string, unknown>;
+}
+
+export interface ConnectionsCreateInput {
+  connector_key: string;
+  display_name?: string;
+  auth_profile_slug?: string;
+  app_auth_profile_slug?: string;
+  config?: Record<string, unknown>;
+  created_by?: string;
+}
+
+export interface ConnectionsUpdateInput {
+  connection_id: number;
+  display_name?: string;
+  status?: string;
+  auth_profile_slug?: string | null;
+  app_auth_profile_slug?: string | null;
+  config?: Record<string, unknown>;
+}
+
+/**
+ * `install_connector` accepts any of `source_url`, `source_uri`, `source_code`,
+ * or `mcp_url`. The handler picks the first non-null source. `auth_values` is
+ * an optional key-value map the handler stores as auth profiles.
+ */
+export interface ConnectionsInstallConnectorInput {
+  source_url?: string;
+  source_uri?: string;
+  source_code?: string;
+  compiled?: boolean;
+  mcp_url?: string;
+  auth_values?: Record<string, string>;
+}
+
+export interface ConnectionsNamespace {
+  list(input?: { connector_key?: string }): Promise<unknown>;
+  listConnectorDefinitions(): Promise<unknown>;
+  get(connection_id: number): Promise<unknown>;
+  create(input: ConnectionsCreateInput): Promise<unknown>;
+  connect(input: ConnectionsConnectInput): Promise<unknown>;
+  update(input: ConnectionsUpdateInput): Promise<unknown>;
+  delete(connection_id: number): Promise<unknown>;
+  test(connection_id: number): Promise<unknown>;
+  installConnector(input: ConnectionsInstallConnectorInput): Promise<unknown>;
+  uninstallConnector(connector_key: string): Promise<unknown>;
+  toggleConnectorLogin(input: {
+    connector_key: string;
+    enabled: boolean;
+  }): Promise<unknown>;
+  updateConnectorAuth(input: {
+    connector_key: string;
+    auth_values: Record<string, string>;
+  }): Promise<unknown>;
+}
+
+export function buildConnectionsNamespace(
+  ctx: ToolContext,
+  env: Env,
+): ConnectionsNamespace {
+  const call = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageConnections(payload as never, env, ctx) as Promise<T>;
+
+  return {
+    list: (input) => call({ action: "list", ...input }),
+    listConnectorDefinitions: () =>
+      call({ action: "list_connector_definitions" }),
+    get: (connection_id) => call({ action: "get", connection_id }),
+    create: (input) => call({ action: "create", ...input }),
+    connect: (input) => call({ action: "connect", ...input }),
+    update: (input) => call({ action: "update", ...input }),
+    delete: (connection_id) => call({ action: "delete", connection_id }),
+    test: (connection_id) => call({ action: "test", connection_id }),
+    installConnector: (input) =>
+      call({ action: "install_connector", ...input }),
+    uninstallConnector: (connector_key) =>
+      call({ action: "uninstall_connector", connector_key }),
+    toggleConnectorLogin: (input) =>
+      call({ action: "toggle_connector_login", ...input }),
+    updateConnectorAuth: (input) =>
+      call({ action: "update_connector_auth", ...input }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/entities.ts b/packages/owletto-backend/src/sandbox/namespaces/entities.ts
new file mode 100644
index 000000000..18c719cd5
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/entities.ts
@@ -0,0 +1,170 @@
+/**
+ * ClientSDK `entities` namespace.
+ *
+ * Delegates to `manageEntity` with action-discriminated payloads. Per-call auth
+ * checks fire inside the handler; this wrapper does not duplicate them.
+ */
+
+import type { Env } from "../../index";
+import { manageEntity } from "../../tools/admin/manage_entity";
+import type { ToolContext } from "../../tools/registry";
+
+export interface EntityListFilter {
+  entity_type?: string;
+  search?: string;
+  limit?: number;
+  offset?: number;
+  sort_by?: string;
+  sort_order?: "asc" | "desc";
+  category?: string;
+  main_market?: string;
+  market?: string;
+}
+
+export interface EntityCreateInput {
+  type: string;
+  name: string;
+  slug?: string;
+  content?: string;
+  parent_id?: number;
+  metadata?: Record<string, unknown>;
+  enabled_classifiers?: string[];
+}
+
+export interface EntityUpdateInput {
+  entity_id: number;
+  name?: string;
+  slug?: string;
+  content?: string;
+  metadata?: Record<string, unknown>;
+  enabled_classifiers?: string[];
+}
+
+export interface EntityLinkInput {
+  from_entity_id: number;
+  to_entity_id: number;
+  relationship_type_slug: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface EntitiesNamespace {
+  list(filter?: EntityListFilter): Promise<unknown>;
+  get(entity_id: number): Promise<unknown>;
+  create(input: EntityCreateInput): Promise<unknown>;
+  update(input: EntityUpdateInput): Promise<unknown>;
+  delete(
+    entity_id: number,
+    options?: { force_delete_tree?: boolean }
+  ): Promise<unknown>;
+  link(input: EntityLinkInput): Promise<unknown>;
+  unlink(input: {
+    from_entity_id: number;
+    to_entity_id: number;
+    relationship_type_slug: string;
+  }): Promise<unknown>;
+  updateLink(input: {
+    from_entity_id: number;
+    to_entity_id: number;
+    relationship_type_slug: string;
+    metadata?: Record<string, unknown>;
+  }): Promise<unknown>;
+  listLinks(input: {
+    entity_id: number;
+    relationship_type_slug?: string;
+    limit?: number;
+    offset?: number;
+  }): Promise<unknown>;
+  search(query: string, options?: { limit?: number }): Promise<unknown>;
+}
+
+export function buildEntitiesNamespace(
+  ctx: ToolContext,
+  env: Env
+): EntitiesNamespace {
+  return {
+    list(filter) {
+      return manageEntity(
+        { action: "list", ...filter } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    get(entity_id) {
+      return manageEntity(
+        { action: "get", entity_id } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    create(input) {
+      return manageEntity(
+        {
+          action: "create",
+          entity_type: input.type,
+          name: input.name,
+          slug: input.slug,
+          content: input.content,
+          parent_id: input.parent_id,
+          metadata: input.metadata,
+          enabled_classifiers: input.enabled_classifiers,
+        } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    update(input) {
+      return manageEntity(
+        { action: "update", ...input } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    delete(entity_id, options) {
+      return manageEntity(
+        {
+          action: "delete",
+          entity_id,
+          force_delete_tree: options?.force_delete_tree,
+        } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    link(input) {
+      return manageEntity(
+        { action: "link", ...input } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    unlink(input) {
+      return manageEntity(
+        { action: "unlink", ...input } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    updateLink(input) {
+      return manageEntity(
+        { action: "update_link", ...input } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    listLinks(input) {
+      return manageEntity(
+        { action: "list_links", ...input } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+    async search(query, options) {
+      const { search } = await import("../../tools/search");
+      return search(
+        { query, limit: options?.limit } as never,
+        env,
+        ctx
+      ) as Promise<unknown>;
+    },
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/entity-schema.ts b/packages/owletto-backend/src/sandbox/namespaces/entity-schema.ts
new file mode 100644
index 000000000..b2bfae65c
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/entity-schema.ts
@@ -0,0 +1,103 @@
+/**
+ * ClientSDK `entitySchema` namespace. Delegates to `manageEntitySchema`, which
+ * is doubly discriminated by `schema_type` (entity_type vs relationship_type)
+ * and `action`.
+ *
+ * Field names mirror the handler: plain `slug` for the type identifier,
+ * `source_entity_type_slug` / `target_entity_type_slug` / `relationship_type_slug`
+ * for add_rule.
+ */
+
+import type { Env } from "../../index";
+import { manageEntitySchema } from "../../tools/admin/manage_entity_schema";
+import type { ToolContext } from "../../tools/registry";
+
+export interface EntitySchemaAddRuleInput {
+  slug: string;
+  source_entity_type_slug: string;
+  target_entity_type_slug: string;
+  relationship_type_slug?: string;
+  description?: string;
+}
+
+export interface EntitySchemaNamespace {
+  listTypes(): Promise<unknown>;
+  getType(slug: string): Promise<unknown>;
+  createType(input: {
+    slug: string;
+    name: string;
+    description?: string;
+    icon?: string;
+    color?: string;
+    metadata_schema?: Record<string, unknown>;
+    event_kinds?: Record<string, unknown>;
+  }): Promise<unknown>;
+  updateType(input: {
+    slug: string;
+    name?: string;
+    description?: string;
+    icon?: string;
+    color?: string;
+    metadata_schema?: Record<string, unknown>;
+    event_kinds?: Record<string, unknown>;
+  }): Promise<unknown>;
+  deleteType(slug: string): Promise<unknown>;
+  auditType(slug: string): Promise<unknown>;
+
+  listRelTypes(): Promise<unknown>;
+  getRelType(slug: string): Promise<unknown>;
+  createRelType(input: {
+    slug: string;
+    name: string;
+    description?: string;
+    inverse_type_slug?: string | null;
+  }): Promise<unknown>;
+  updateRelType(input: {
+    slug: string;
+    name?: string;
+    description?: string;
+    inverse_type_slug?: string | null;
+  }): Promise<unknown>;
+  deleteRelType(slug: string): Promise<unknown>;
+
+  addRule(input: EntitySchemaAddRuleInput): Promise<unknown>;
+  removeRule(input: { slug: string; rule_id: number }): Promise<unknown>;
+  listRules(slug: string): Promise<unknown>;
+}
+
+export function buildEntitySchemaNamespace(
+  ctx: ToolContext,
+  env: Env,
+): EntitySchemaNamespace {
+  const callEntity = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageEntitySchema(
+      { schema_type: "entity_type", ...payload } as never,
+      env,
+      ctx,
+    ) as Promise<T>;
+  const callRel = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageEntitySchema(
+      { schema_type: "relationship_type", ...payload } as never,
+      env,
+      ctx,
+    ) as Promise<T>;
+
+  return {
+    listTypes: () => callEntity({ action: "list" }),
+    getType: (slug) => callEntity({ action: "get", slug }),
+    createType: (input) => callEntity({ action: "create", ...input }),
+    updateType: (input) => callEntity({ action: "update", ...input }),
+    deleteType: (slug) => callEntity({ action: "delete", slug }),
+    auditType: (slug) => callEntity({ action: "audit", slug }),
+
+    listRelTypes: () => callRel({ action: "list" }),
+    getRelType: (slug) => callRel({ action: "get", slug }),
+    createRelType: (input) => callRel({ action: "create", ...input }),
+    updateRelType: (input) => callRel({ action: "update", ...input }),
+    deleteRelType: (slug) => callRel({ action: "delete", slug }),
+
+    addRule: (input) => callRel({ action: "add_rule", ...input }),
+    removeRule: (input) => callRel({ action: "remove_rule", ...input }),
+    listRules: (slug) => callRel({ action: "list_rules", slug }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/feeds.ts b/packages/owletto-backend/src/sandbox/namespaces/feeds.ts
new file mode 100644
index 000000000..8e610bd44
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/feeds.ts
@@ -0,0 +1,52 @@
+/**
+ * ClientSDK `feeds` namespace. Thin wrapper over `manageFeeds`.
+ *
+ * `create_feed` requires `feed_key` — the connector-declared identifier for the
+ * data surface this feed will sync.
+ */
+
+import type { Env } from "../../index";
+import { manageFeeds } from "../../tools/admin/manage_feeds";
+import type { ToolContext } from "../../tools/registry";
+
+export interface FeedsCreateInput {
+  connection_id: number;
+  feed_key: string;
+  display_name?: string;
+  entity_ids?: number[];
+  config?: Record<string, unknown>;
+  schedule?: string;
+}
+
+export interface FeedsNamespace {
+  list(input?: { connection_id?: number }): Promise<unknown>;
+  get(feed_id: number): Promise<unknown>;
+  create(input: FeedsCreateInput): Promise<unknown>;
+  update(input: {
+    feed_id: number;
+    display_name?: string;
+    status?: string;
+    entity_ids?: number[];
+    config?: Record<string, unknown>;
+    schedule?: string;
+  }): Promise<unknown>;
+  delete(feed_id: number): Promise<unknown>;
+  trigger(feed_id: number): Promise<unknown>;
+}
+
+export function buildFeedsNamespace(
+  ctx: ToolContext,
+  env: Env,
+): FeedsNamespace {
+  const call = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageFeeds(payload as never, env, ctx) as Promise<T>;
+
+  return {
+    list: (input) => call({ action: "list_feeds", ...input }),
+    get: (feed_id) => call({ action: "get_feed", feed_id }),
+    create: (input) => call({ action: "create_feed", ...input }),
+    update: (input) => call({ action: "update_feed", ...input }),
+    delete: (feed_id) => call({ action: "delete_feed", feed_id }),
+    trigger: (feed_id) => call({ action: "trigger_feed", feed_id }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/index.ts b/packages/owletto-backend/src/sandbox/namespaces/index.ts
new file mode 100644
index 000000000..d0ee1fb9c
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/index.ts
@@ -0,0 +1,15 @@
+/**
+ * Re-exports for the per-namespace SDK builders.
+ */
+
+export { buildAuthProfilesNamespace } from "./auth-profiles";
+export { buildClassifiersNamespace } from "./classifiers";
+export { buildConnectionsNamespace } from "./connections";
+export { buildEntitiesNamespace } from "./entities";
+export { buildEntitySchemaNamespace } from "./entity-schema";
+export { buildFeedsNamespace } from "./feeds";
+export { buildKnowledgeNamespace } from "./knowledge";
+export { buildOperationsNamespace } from "./operations";
+export { buildOrganizationsNamespace } from "./organizations";
+export { buildViewTemplatesNamespace } from "./view-templates";
+export { buildWatchersNamespace } from "./watchers";
diff --git a/packages/owletto-backend/src/sandbox/namespaces/knowledge.ts b/packages/owletto-backend/src/sandbox/namespaces/knowledge.ts
new file mode 100644
index 000000000..9b105b557
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/knowledge.ts
@@ -0,0 +1,70 @@
+/**
+ * ClientSDK `knowledge` namespace.
+ *
+ * Wraps `search` (aka search_knowledge), `saveContent` (save_knowledge), and
+ * `getContent` (read_knowledge). These are the hot-path tools kept in PR-2 —
+ * the SDK surface mirrors the MCP tool surface for consistency.
+ */
+
+import type { Env } from "../../index";
+import type { ToolContext } from "../../tools/registry";
+
+export interface KnowledgeSearchInput {
+  query?: string;
+  entity_type?: string;
+  entity_id?: number;
+  parent_id?: number;
+  market?: string;
+  category?: string;
+  fuzzy?: boolean;
+  min_similarity?: number;
+  include_connections?: boolean;
+  include_content?: boolean;
+  limit?: number;
+}
+
+export interface KnowledgeSaveInput {
+  entity_ids?: number[];
+  content: string;
+  semantic_type: string;
+  metadata?: Record<string, unknown>;
+  title?: string;
+  slug?: string;
+}
+
+export interface KnowledgeReadInput {
+  /** Fetch a single content event by id. */
+  content_id?: number;
+  /** Fetch knowledge for a watcher window (prompt rendering). */
+  watcher_id?: number;
+  since?: string;
+  until?: string;
+  limit?: number;
+  entity_ids?: number[];
+}
+
+export interface KnowledgeNamespace {
+  search(input: KnowledgeSearchInput): Promise<unknown>;
+  save(input: KnowledgeSaveInput): Promise<unknown>;
+  read(input: KnowledgeReadInput): Promise<unknown>;
+}
+
+export function buildKnowledgeNamespace(
+  ctx: ToolContext,
+  env: Env
+): KnowledgeNamespace {
+  return {
+    async search(input) {
+      const { search } = await import("../../tools/search");
+      return search(input as never, env, ctx) as Promise<unknown>;
+    },
+    async save(input) {
+      const { saveContent } = await import("../../tools/save_content");
+      return saveContent(input as never, env, ctx) as Promise<unknown>;
+    },
+    async read(input) {
+      const { getContent } = await import("../../tools/get_content");
+      return getContent(input as never, env, ctx) as Promise<unknown>;
+    },
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/operations.ts b/packages/owletto-backend/src/sandbox/namespaces/operations.ts
new file mode 100644
index 000000000..5c05bcec8
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/operations.ts
@@ -0,0 +1,57 @@
+/**
+ * ClientSDK `operations` namespace. Thin wrapper over `manageOperations`.
+ *
+ * `execute` is the only method flagged `access: 'external'` — dry-run mode
+ * (PR-2) intercepts these calls instead of sending them.
+ */
+
+import type { Env } from "../../index";
+import { manageOperations } from "../../tools/admin/manage_operations";
+import type { ToolContext } from "../../tools/registry";
+
+export interface OperationsExecuteInput {
+  connection_id: number;
+  operation_key: string;
+  input?: Record<string, unknown>;
+  /**
+   * Watcher provenance when this operation fires from a reaction. Both ids are
+   * numeric.
+   */
+  watcher_source?: { watcher_id: number; window_id: number };
+}
+
+export interface OperationsNamespace {
+  listAvailable(input?: { entity_id?: number }): Promise<unknown>;
+  execute(input: OperationsExecuteInput): Promise<unknown>;
+  listRuns(input?: {
+    connection_id?: number;
+    operation_key?: string;
+    status?: string;
+    approval_status?: string;
+    limit?: number;
+    offset?: number;
+  }): Promise<unknown>;
+  getRun(run_id: number): Promise<unknown>;
+  approve(input: {
+    run_id: number;
+    input?: Record<string, unknown>;
+  }): Promise<unknown>;
+  reject(input: { run_id: number; reason?: string }): Promise<unknown>;
+}
+
+export function buildOperationsNamespace(
+  ctx: ToolContext,
+  env: Env,
+): OperationsNamespace {
+  const call = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageOperations(payload as never, env, ctx) as Promise<T>;
+
+  return {
+    listAvailable: (input) => call({ action: "list_available", ...input }),
+    execute: (input) => call({ action: "execute", ...input }),
+    listRuns: (input) => call({ action: "list_runs", ...input }),
+    getRun: (run_id) => call({ action: "get_run", run_id }),
+    approve: (input) => call({ action: "approve", ...input }),
+    reject: (input) => call({ action: "reject", ...input }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/organizations.ts b/packages/owletto-backend/src/sandbox/namespaces/organizations.ts
new file mode 100644
index 000000000..52f50b417
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/organizations.ts
@@ -0,0 +1,78 @@
+/**
+ * ClientSDK `organizations` namespace.
+ *
+ * Lets user scripts enumerate the orgs the caller belongs to and read the
+ * session's current org. The `.org()` accessor on the root SDK (see
+ * `client-sdk.ts`) handles the actual cross-org context swap.
+ */
+
+import type { ToolContext } from "../../tools/registry";
+import { getWorkspaceProvider } from "../../workspace";
+import type { OrgInfo } from "../../workspace/types";
+
+export interface OrgSummary {
+  id: string;
+  slug: string;
+  name: string;
+  is_member: boolean;
+  visibility: "public" | "private";
+}
+
+export interface OrganizationsNamespace {
+  /**
+   * List organizations accessible to the caller: member-ofs plus any public
+   * workspaces the session can read.
+   */
+  list(options?: { search?: string }): Promise<OrgSummary[]>;
+  /**
+   * Return the session's current organization context. Reflects the URL pin
+   * (`/mcp/{slug}`) or the last successful `switch_organization`.
+   */
+  current(): Promise<OrgSummary>;
+}
+
+export function buildOrganizationsNamespace(
+  ctx: ToolContext,
+): OrganizationsNamespace {
+  return {
+    async list(options) {
+      const provider = getWorkspaceProvider();
+      const orgs = await provider.listOrganizations(
+        options?.search,
+        ctx.userId
+      );
+      return orgs.map((o: OrgInfo) => ({
+        id: o.id,
+        slug: o.slug,
+        name: o.name,
+        is_member: o.is_member,
+        visibility: o.visibility,
+      }));
+    },
+    async current() {
+      const provider = getWorkspaceProvider();
+      const orgs = await provider.listOrganizations(undefined, ctx.userId);
+      const current = orgs.find((o) => o.id === ctx.organizationId);
+      if (!current) {
+        // Public-workspace session where the user isn't a member: the org is
+        // readable but absent from listOrganizations. Fall back to a slug
+        // resolve so current() still returns something useful.
+        const slug = await provider.getOrgSlug(ctx.organizationId);
+        return {
+          id: ctx.organizationId,
+          slug: slug ?? ctx.organizationId,
+          name: slug ?? "unknown",
+          is_member: false,
+          visibility: "public",
+        };
+      }
+      return {
+        id: current.id,
+        slug: current.slug,
+        name: current.name,
+        is_member: current.is_member,
+        visibility: current.visibility,
+      };
+    },
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/view-templates.ts b/packages/owletto-backend/src/sandbox/namespaces/view-templates.ts
new file mode 100644
index 000000000..723b392e2
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/view-templates.ts
@@ -0,0 +1,60 @@
+/**
+ * ClientSDK `viewTemplates` namespace. Thin wrapper over `manageViewTemplates`.
+ *
+ * `resource_id` can be a string (entity_type slug) or a number (entity id)
+ * depending on `resource_type`. The handler stores the whole template as a
+ * single `json_template` object — callers may nest a `data_sources` key
+ * inside it when they want SQL-backed sources.
+ */
+
+import type { Env } from "../../index";
+import { manageViewTemplates } from "../../tools/admin/manage_view_templates";
+import type { ToolContext } from "../../tools/registry";
+
+type ResourceType = "entity_type" | "entity";
+type ResourceId = string | number;
+
+export interface ViewTemplateSetInput {
+  resource_type: ResourceType;
+  resource_id: ResourceId;
+  json_template: Record<string, unknown>;
+  tab_name?: string;
+  tab_order?: number;
+  change_notes?: string;
+}
+
+export interface ViewTemplatesNamespace {
+  get(input: {
+    resource_type: ResourceType;
+    resource_id: ResourceId;
+    tab_name?: string;
+  }): Promise<unknown>;
+  set(input: ViewTemplateSetInput): Promise<unknown>;
+  rollback(input: {
+    resource_type: ResourceType;
+    resource_id: ResourceId;
+    /** Version number (not the row id) to roll back to. */
+    version: number;
+    tab_name?: string;
+  }): Promise<unknown>;
+  removeTab(input: {
+    resource_type: ResourceType;
+    resource_id: ResourceId;
+    tab_name: string;
+  }): Promise<unknown>;
+}
+
+export function buildViewTemplatesNamespace(
+  ctx: ToolContext,
+  env: Env,
+): ViewTemplatesNamespace {
+  const call = <T>(payload: Record<string, unknown>): Promise<T> =>
+    manageViewTemplates(payload as never, env, ctx) as Promise<T>;
+
+  return {
+    get: (input) => call({ action: "get", ...input }),
+    set: (input) => call({ action: "set", ...input }),
+    rollback: (input) => call({ action: "rollback", ...input }),
+    removeTab: (input) => call({ action: "remove_tab", ...input }),
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/namespaces/watchers.ts b/packages/owletto-backend/src/sandbox/namespaces/watchers.ts
new file mode 100644
index 000000000..d4cf83bec
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/namespaces/watchers.ts
@@ -0,0 +1,156 @@
+/**
+ * ClientSDK `watchers` namespace. Thin wrapper over `manageWatchers` +
+ * `listWatchers` + `getWatcher`.
+ *
+ * Field names mirror the underlying handlers (see
+ * `packages/owletto-backend/src/tools/admin/manage_watchers.ts`):
+ * - `watcher_id` is a numeric string
+ * - `delete` takes `watcher_ids: string[]`
+ * - `complete_window` requires `window_token` (JWT) not a raw window id
+ * - `set_reaction_script` uses `reaction_script` as the source field
+ */
+
+import type { Env } from "../../index";
+import {
+  listWatchers,
+  manageWatchers,
+} from "../../tools/admin/manage_watchers";
+import type { ToolContext } from "../../tools/registry";
+
+export interface WatcherListFilter {
+  entity_id?: number;
+  status?: "active" | "paused" | "draft";
+  limit?: number;
+  offset?: number;
+}
+
+export interface WatcherCreateInput {
+  entity_id: number;
+  prompt: string;
+  extraction_schema: Record<string, unknown>;
+  sources?: Array<{ name: string; query: string }>;
+  schedule?: string;
+  slug?: string;
+  name?: string;
+  description?: string;
+  json_template?: Record<string, unknown>;
+  keying_config?: Record<string, unknown>;
+  classifiers?: Record<string, unknown>;
+  condensation_prompt?: string;
+  reactions_guidance?: string;
+  agent_id?: string;
+  tags?: string[];
+}
+
+export interface WatcherUpdateInput {
+  watcher_id: string;
+  schedule?: string;
+  agent_id?: string;
+  model_config?: Record<string, unknown>;
+  sources?: Array<{ name: string; query: string }>;
+}
+
+export interface WatcherCompleteWindowInput {
+  watcher_id: string;
+  /** JWT obtained from read_knowledge(watcher_id, since, until). */
+  window_token: string;
+  extracted_data: Record<string, unknown>;
+  replace_existing?: boolean;
+  model?: string;
+  run_metadata?: Record<string, unknown>;
+}
+
+export interface WatchersNamespace {
+  list(filter?: WatcherListFilter): Promise<unknown>;
+  get(watcher_id: string | number): Promise<unknown>;
+  create(input: WatcherCreateInput): Promise<unknown>;
+  update(input: WatcherUpdateInput): Promise<unknown>;
+  /**
+   * Delete one or more watchers. Accepts a single id or an array; internally
+   * dispatched as `watcher_ids`.
+   */
+  delete(watcher_id: string | string[]): Promise<unknown>;
+  setReactionScript(input: {
+    watcher_id: string;
+    /** TypeScript source. Empty string removes the script. */
+    reaction_script: string;
+  }): Promise<unknown>;
+  completeWindow(input: WatcherCompleteWindowInput): Promise<unknown>;
+}
+
+function asWatcherIdString(v: string | number): string {
+  return typeof v === "number" ? String(v) : v;
+}
+
+export function buildWatchersNamespace(
+  ctx: ToolContext,
+  env: Env,
+): WatchersNamespace {
+  return {
+    list(filter) {
+      return listWatchers(
+        (filter ?? {}) as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+    async get(watcher_id) {
+      const { getWatcher } = await import("../../tools/get_watchers");
+      return getWatcher(
+        { watcher_id: asWatcherIdString(watcher_id) } as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+    create(input) {
+      return manageWatchers(
+        { action: "create", ...input } as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+    update(input) {
+      return manageWatchers(
+        {
+          action: "update",
+          ...input,
+          watcher_id: asWatcherIdString(input.watcher_id),
+        } as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+    delete(watcher_id) {
+      const watcher_ids = Array.isArray(watcher_id)
+        ? watcher_id.map(asWatcherIdString)
+        : [asWatcherIdString(watcher_id)];
+      return manageWatchers(
+        { action: "delete", watcher_ids } as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+    setReactionScript(input) {
+      return manageWatchers(
+        {
+          action: "set_reaction_script",
+          watcher_id: asWatcherIdString(input.watcher_id),
+          reaction_script: input.reaction_script,
+        } as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+    completeWindow(input) {
+      return manageWatchers(
+        {
+          action: "complete_window",
+          ...input,
+          watcher_id: asWatcherIdString(input.watcher_id),
+        } as never,
+        env,
+        ctx,
+      ) as Promise<unknown>;
+    },
+  };
+}
diff --git a/packages/owletto-backend/src/sandbox/run-script.ts b/packages/owletto-backend/src/sandbox/run-script.ts
new file mode 100644
index 000000000..33533fbc4
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/run-script.ts
@@ -0,0 +1,365 @@
+/**
+ * Isolated-vm script runner.
+ *
+ * Compiles a TypeScript user-script via esbuild, runs it inside a V8 isolate
+ * with a bridge back to the host `ClientSDK`, and returns a structured result.
+ *
+ * Design invariants
+ * - Every call creates a fresh Isolate and disposes it. No pooling in v1.
+ * - Memory cap enforced by V8; CPU interrupts via `script.run({ timeout })`.
+ * - SDK calls cross the isolate boundary as JSON (Reference + ExternalCopy).
+ * - Console logs and the return value are captured and returned structurally.
+ * - `client.org()` is stateless: each guest call carries `orgPath` so the
+ *   host can re-walk org swaps deterministically without holding refs.
+ */
+
+import type { ClientSDK } from "./client-sdk";
+
+/** Hard limits enforced by the runner. Callers can lower but not raise. */
+export interface RunLimits {
+  /** V8 isolate heap cap, MB. Default 64. */
+  memoryMb?: number;
+  /** Wall-clock budget for the script body, ms. Default 60_000. */
+  timeoutMs?: number;
+  /** SDK call quota. Scripts exceeding throw QuotaExceeded. Default 200. */
+  sdkCallQuota?: number;
+  /** Captured output size cap (logs + return value), bytes. Default 262_144. */
+  outputBytes?: number;
+}
+
+export interface RunScriptOptions {
+  /** TypeScript source of the user script. esbuild compiles to CJS + esnext target. */
+  source: string;
+  /** Injected into the guest as `ctx`. JSON-serializable. */
+  context?: Record<string, unknown>;
+  /** Host SDK the guest calls via the bridge. */
+  sdk: ClientSDK;
+  limits?: RunLimits;
+  /**
+   * Extra positional arguments passed to the entry point after `(ctx, client)`.
+   * Reactions use this to forward `params` from the stored watcher version.
+   */
+  extraArgs?: unknown[];
+}
+
+export interface LogEntry {
+  level: "log" | "warn" | "error";
+  message: string;
+  data?: Record<string, unknown>;
+  ts: number;
+}
+
+export interface RunScriptResult {
+  success: boolean;
+  returnValue?: unknown;
+  logs: LogEntry[];
+  error?: {
+    name: string;
+    message: string;
+    stack?: string;
+    line?: number;
+    column?: number;
+  };
+  durationMs: number;
+  sdkCalls: number;
+}
+
+const DEFAULT_LIMITS: Required<RunLimits> = {
+  memoryMb: 64,
+  timeoutMs: 60_000,
+  sdkCallQuota: 200,
+  outputBytes: 262_144,
+};
+
+/**
+ * Load `isolated-vm` lazily. Returns null when the optional native module is
+ * not installed (e.g. local dev on a Node version without a prebuild).
+ */
+async function loadIsolatedVm(): Promise<typeof import("isolated-vm") | null> {
+  try {
+    return await import("isolated-vm");
+  } catch {
+    return null;
+  }
+}
+
+const GUEST_PREAMBLE = `
+const ctx = JSON.parse(__ctx_json);
+
+// Symbol/awaitable/coercion keys that JS may probe automatically (e.g. when a
+// guest accidentally awaits a namespace proxy or runs JSON.stringify(client.x)).
+// Returning undefined here avoids turning every accidental probe into a host
+// SDK call that consumes quota or throws \`Unknown SDK method\`.
+function __isReservedKey(k) {
+  return typeof k === 'symbol'
+    || k === 'then'
+    || k === 'catch'
+    || k === 'finally'
+    || k === 'inspect'
+    || k === 'constructor'
+    || k === '__proto__'
+    || k === 'toJSON'
+    || k === 'toString'
+    || k === 'valueOf';
+}
+
+function __makeClient(orgPath) {
+  return new Proxy({}, {
+    get(_, key) {
+      if (__isReservedKey(key)) return undefined;
+      const k = String(key);
+      if (k === 'org') {
+        return async (slug) => __makeClient([...orgPath, String(slug)]);
+      }
+      if (k === 'query' || k === 'log') {
+        return async (...args) => {
+          const payload = JSON.stringify({ args, orgPath });
+          const r = await __sdk_dispatch.apply(undefined, [k, payload], { result: { promise: true, copy: true } });
+          return r === undefined ? undefined : JSON.parse(r);
+        };
+      }
+      // Namespace proxy
+      return new Proxy({}, {
+        get(_, methodKey) {
+          if (__isReservedKey(methodKey)) return undefined;
+          const m = String(methodKey);
+          return async (...args) => {
+            const payload = JSON.stringify({ args, orgPath });
+            const r = await __sdk_dispatch.apply(undefined, [k + '.' + m, payload], { result: { promise: true, copy: true } });
+            return r === undefined ? undefined : JSON.parse(r);
+          };
+        }
+      });
+    }
+  });
+}
+
+const client = __makeClient([]);
+
+const console = {
+  log: (...a) => { try { __console_call.applySync(undefined, ['log', a.map(String).join(' ')]); } catch (e) {} },
+  warn: (...a) => { try { __console_call.applySync(undefined, ['warn', a.map(String).join(' ')]); } catch (e) {} },
+  error: (...a) => { try { __console_call.applySync(undefined, ['error', a.map(String).join(' ')]); } catch (e) {} },
+};
+
+const module = { exports: {} };
+const exports = module.exports;
+`;
+
+// Picks `default`, falling back to the bare module export when the script
+// was written as a single function expression. Stored reaction scripts must
+// use the new `export default async (ctx, client, params?) => ...` shape;
+// migrate the database when shipping this change.
+const GUEST_RUNNER = `
+(async () => {
+  const __entry = module.exports.default
+    ?? (typeof module.exports === 'function' ? module.exports : null);
+  if (typeof __entry !== 'function') {
+    throw new Error('Script must \`export default\` an async function');
+  }
+  const __extra = JSON.parse(__extra_args_json);
+  const __result = await __entry(ctx, client, ...__extra);
+  return __result === undefined ? null : JSON.stringify(__result);
+})()
+`;
+
+export async function runScript(
+  options: RunScriptOptions,
+): Promise<RunScriptResult> {
+  const started = Date.now();
+  const limits = { ...DEFAULT_LIMITS, ...(options.limits ?? {}) };
+
+  const logs: LogEntry[] = [];
+  let sdkCalls = 0;
+  let outputBytes = 0;
+
+  const ivm = await loadIsolatedVm();
+  if (!ivm) {
+    return {
+      success: false,
+      logs: [],
+      error: {
+        name: "RuntimeUnavailable",
+        message:
+          "isolated-vm is not installed for this platform. Install with `bun install` on a supported Node version (18–24 with prebuilt binaries, or any version with python3 + build-essential available).",
+      },
+      durationMs: Date.now() - started,
+      sdkCalls: 0,
+    };
+  }
+
+  // Compile TS via the existing esbuild path. CompileError surfaces with line/col.
+  let compiled: string;
+  try {
+    const { compileSource } = await import("../utils/compiler-core");
+    const result = await compileSource(options.source, {
+      tmpPrefix: ".execute-compile-",
+      label: "ExecuteCompiler",
+      buildOptions: {
+        format: "cjs",
+        target: "esnext",
+        platform: "node",
+        external: [],
+      },
+    });
+    compiled = result.compiledCode;
+  } catch (err) {
+    const e = err as Error & { errors?: Array<{ location?: { line?: number; column?: number } }> };
+    const loc = e.errors?.[0]?.location;
+    return {
+      success: false,
+      logs,
+      error: {
+        name: "CompileError",
+        message: e.message,
+        line: loc?.line,
+        column: loc?.column,
+      },
+      durationMs: Date.now() - started,
+      sdkCalls: 0,
+    };
+  }
+
+  const isolate = new ivm.Isolate({ memoryLimit: limits.memoryMb });
+  try {
+    const context = await isolate.createContext();
+    const jail = context.global;
+    await jail.set("global", jail.derefInto());
+
+    // Async dispatch back to the host SDK.
+    await jail.set(
+      "__sdk_dispatch",
+      new ivm.Reference(async (path: string, payloadJson: string) => {
+        sdkCalls++;
+        if (sdkCalls > limits.sdkCallQuota) {
+          throw new Error(
+            `QuotaExceeded: SDK call quota of ${limits.sdkCallQuota} reached`,
+          );
+        }
+        const { args, orgPath } = JSON.parse(payloadJson) as {
+          args: unknown[];
+          orgPath: string[];
+        };
+
+        // Walk org chain: each .org() returns a new SDK; chain re-validates.
+        let target: ClientSDK = options.sdk;
+        for (const slug of orgPath) {
+          target = await target.org(slug);
+        }
+
+        let result: unknown;
+        if (path === "log") {
+          target.log(args[0] as string, args[1] as Record<string, unknown> | undefined);
+          result = undefined;
+        } else if (path === "query") {
+          result = await target.query(args[0] as string);
+        } else {
+          const [ns, method] = path.split(".");
+          if (!ns || !method) {
+            throw new Error(`Invalid SDK path: '${path}'`);
+          }
+          // Restrict to actual SDK namespaces (own enumerable keys of the
+          // resolved target). Anything else (constructor, __proto__, etc.)
+          // is rejected before the function call. Belt-and-braces with the
+          // guest-side reserved-key filter.
+          if (!Object.prototype.hasOwnProperty.call(target, ns)) {
+            throw new Error(`Unknown SDK namespace: '${ns}'`);
+          }
+          const namespace = (target as unknown as Record<string, Record<string, (...a: unknown[]) => unknown>>)[ns];
+          if (
+            !namespace ||
+            typeof namespace !== "object" ||
+            !Object.prototype.hasOwnProperty.call(namespace, method) ||
+            typeof namespace[method] !== "function"
+          ) {
+            throw new Error(`Unknown SDK method: '${path}'`);
+          }
+          result = await namespace[method](...args);
+        }
+
+        if (result === undefined) return undefined;
+        const json = JSON.stringify(result);
+        outputBytes += json.length;
+        if (outputBytes > limits.outputBytes) {
+          throw new Error(
+            `OutputSizeExceeded: combined output exceeded ${limits.outputBytes} bytes`,
+          );
+        }
+        return json;
+      }),
+    );
+
+    // Console capture (synchronous; logs counted toward output budget).
+    await jail.set(
+      "__console_call",
+      new ivm.Reference((level: "log" | "warn" | "error", message: string) => {
+        outputBytes += message.length;
+        if (outputBytes > limits.outputBytes) return; // silently drop overflow
+        logs.push({ level, message, ts: Date.now() });
+      }),
+    );
+
+    await jail.set("__ctx_json", JSON.stringify(options.context ?? {}));
+    await jail.set(
+      "__extra_args_json",
+      JSON.stringify(options.extraArgs ?? []),
+    );
+
+    // Compile preamble + user code + runner into one script. The runner
+    // returns a JSON string of the user's return value (or null).
+    const fullSource = `${GUEST_PREAMBLE}\n${compiled}\n${GUEST_RUNNER}`;
+    const script = await isolate.compileScript(fullSource);
+
+    const resultPromise = script.run(context, {
+      timeout: limits.timeoutMs,
+      promise: true,
+      copy: true,
+    });
+    const returnJson = (await resultPromise) as string | null;
+    if (returnJson) {
+      outputBytes += returnJson.length;
+      if (outputBytes > limits.outputBytes) {
+        throw new Error(
+          `OutputSizeExceeded: combined output exceeded ${limits.outputBytes} bytes`,
+        );
+      }
+    }
+    const returnValue = returnJson ? JSON.parse(returnJson) : null;
+
+    return {
+      success: true,
+      returnValue,
+      logs,
+      durationMs: Date.now() - started,
+      sdkCalls,
+    };
+  } catch (err) {
+    const e = err as Error;
+    const isTimeout = /script execution timed out/i.test(e.message);
+    const isQuota = /QuotaExceeded/.test(e.message);
+    const isOom = /memory|allocation|isolate was disposed/i.test(e.message);
+    const name = isTimeout
+      ? "TimeoutError"
+      : isQuota
+        ? "QuotaExceeded"
+        : isOom
+          ? "OutOfMemory"
+          : "ScriptError";
+    return {
+      success: false,
+      logs,
+      error: { name, message: e.message, stack: e.stack },
+      durationMs: Date.now() - started,
+      sdkCalls,
+    };
+  } finally {
+    if (!isolate.isDisposed) {
+      isolate.dispose();
+    }
+  }
+}
+
+/** Exposed for tests that need to assert default limits without invoking the runner. */
+export function getDefaultLimits(): Required<RunLimits> {
+  return { ...DEFAULT_LIMITS };
+}
diff --git a/packages/owletto-backend/src/sandbox/typebox-to-signature.ts b/packages/owletto-backend/src/sandbox/typebox-to-signature.ts
new file mode 100644
index 000000000..9faf06e12
--- /dev/null
+++ b/packages/owletto-backend/src/sandbox/typebox-to-signature.ts
@@ -0,0 +1,112 @@
+/**
+ * TypeBox schema → inline TypeScript signature formatter.
+ *
+ * Used by the `search` MCP tool (PR-2) to render method signatures as
+ * copy-pasteable TS for LLMs. Walks a TypeBox schema and emits the
+ * inline-expanded type with JSDoc comments derived from `description`.
+ *
+ * Design notes
+ * - Enums become `'a' | 'b'` literal unions.
+ * - Optional/required flow from the schema.
+ * - Nested objects are inlined; array element types are inlined.
+ * - References ($ref) are not followed — emit the last path segment as an
+ *   identifier. This keeps output bounded; search has explicit drill-down.
+ */
+
+import type { TSchema } from "@sinclair/typebox";
+
+export interface SignatureOptions {
+  /** Top-level indent (spaces) for nested fields. Default 2. */
+  indent?: number;
+  /** Maximum recursion depth to prevent runaway on cyclic schemas. Default 6. */
+  maxDepth?: number;
+}
+
+export function typeboxToSignature(
+  schema: TSchema,
+  options: SignatureOptions = {}
+): string {
+  const indent = options.indent ?? 2;
+  const maxDepth = options.maxDepth ?? 6;
+  return render(schema, 0, indent, maxDepth);
+}
+
+function render(
+  schema: unknown,
+  depth: number,
+  indent: number,
+  maxDepth: number
+): string {
+  if (depth > maxDepth) return "unknown";
+  if (!schema || typeof schema !== "object") return "unknown";
+
+  const s = schema as Record<string, unknown>;
+
+  // Literal union via enum
+  if (Array.isArray(s.enum)) {
+    return (s.enum as unknown[]).map(formatLiteral).join(" | ");
+  }
+
+  // Const literal
+  if (s.const !== undefined) {
+    return formatLiteral(s.const);
+  }
+
+  // Union
+  if (Array.isArray(s.anyOf)) {
+    return (s.anyOf as unknown[])
+      .map((v) => render(v, depth + 1, indent, maxDepth))
+      .join(" | ");
+  }
+  if (Array.isArray(s.oneOf)) {
+    return (s.oneOf as unknown[])
+      .map((v) => render(v, depth + 1, indent, maxDepth))
+      .join(" | ");
+  }
+
+  // Array
+  if (s.type === "array" && s.items) {
+    const inner = render(s.items, depth + 1, indent, maxDepth);
+    return inner.includes("|") || inner.includes(" ")
+      ? `Array<${inner}>`
+      : `${inner}[]`;
+  }
+
+  // Object
+  if (s.type === "object" && s.properties && typeof s.properties === "object") {
+    const props = s.properties as Record<string, unknown>;
+    const required = new Set((s.required as string[] | undefined) ?? []);
+    const keys = Object.keys(props);
+    if (keys.length === 0) return "Record<string, unknown>";
+
+    const pad = " ".repeat(indent * (depth + 1));
+    const closingPad = " ".repeat(indent * depth);
+    const lines = keys.map((key) => {
+      const prop = props[key] as Record<string, unknown> | undefined;
+      const optional = required.has(key) ? "" : "?";
+      const typeStr = render(prop, depth + 1, indent, maxDepth);
+      const description = prop?.description ? ` // ${prop.description}` : "";
+      return `${pad}${key}${optional}: ${typeStr};${description}`;
+    });
+    return `{\n${lines.join("\n")}\n${closingPad}}`;
+  }
+
+  // Primitive
+  if (s.type === "string") return "string";
+  if (s.type === "number" || s.type === "integer") return "number";
+  if (s.type === "boolean") return "boolean";
+  if (s.type === "null") return "null";
+
+  return "unknown";
+}
+
+function formatLiteral(value: unknown): string {
+  if (typeof value === "string") {
+    // Escape backslashes first, then single quotes — order matters so that the
+    // backslashes inserted by the quote escape don't get re-escaped.
+    const escaped = value.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
+    return `'${escaped}'`;
+  }
+  if (value === null) return "null";
+  return String(value);
+}
diff --git a/packages/owletto-backend/src/tools/admin/action-router.ts b/packages/owletto-backend/src/tools/admin/action-router.ts
index ce529f674..6a3469f0b 100644
--- a/packages/owletto-backend/src/tools/admin/action-router.ts
+++ b/packages/owletto-backend/src/tools/admin/action-router.ts
@@ -1,18 +1,55 @@
+import { getRequiredAccessLevel, hasRequiredMcpScope } from '../../auth/tool-access';
 import logger from '../../utils/logger';
+import type { ToolContext } from '../registry';
 
 /**
  * Routes admin tool actions to handler functions with standardized error wrapping.
  *
  * Usage:
- *   return routeAction('manage_entity', args.action, {
+ *   return routeAction('manage_entity', args.action, ctx, {
  *     create: () => handleCreate(args, env, ctx),
  *     update: () => handleUpdate(id, args, env, ctx),
  *     list: () => handleList(args, env, ctx),
  *   });
  */
+function isSystemContext(ctx: ToolContext): boolean {
+  return ctx.isAuthenticated === true && ctx.userId === null && ctx.memberRole === null;
+}
+
+function enforceActionAccess(toolName: string, action: string, ctx: ToolContext): void {
+  // Watcher reactions and other in-process system calls historically run with
+  // userId=null + isAuthenticated=true. Preserve that path while enforcing the
+  // policy table for real user/OAuth sessions that reach handlers via execute.
+  if (isSystemContext(ctx)) return;
+
+  const requiredAccess = getRequiredAccessLevel(toolName, { action }, false);
+  if (requiredAccess === 'admin' && ctx.memberRole !== 'owner' && ctx.memberRole !== 'admin') {
+    throw new Error(
+      `Action ${toolName}.${action} requires admin or owner access. Ask an organization owner to grant elevated access.`
+    );
+  }
+
+  if (requiredAccess === 'write' && !ctx.memberRole) {
+    throw new Error(
+      `Action ${toolName}.${action} requires workspace membership with write access.`
+    );
+  }
+
+  if (!hasRequiredMcpScope(requiredAccess, ctx.scopes)) {
+    if (requiredAccess === 'read') {
+      throw new Error(`Action ${toolName}.${action} requires an MCP session with read access.`);
+    }
+    if (requiredAccess === 'write') {
+      throw new Error(`Action ${toolName}.${action} requires an MCP session with write access.`);
+    }
+    throw new Error(`Action ${toolName}.${action} requires an MCP session with admin access.`);
+  }
+}
+
 export async function routeAction<TResult>(
   toolName: string,
   action: string,
+  ctx: ToolContext,
   handlers: Record<string, () => Promise<TResult>>
 ): Promise<TResult> {
   const handler = handlers[action];
@@ -20,6 +57,8 @@ export async function routeAction<TResult>(
     throw new Error(`Unknown action: ${action}`);
   }
 
+  enforceActionAccess(toolName, action, ctx);
+
   try {
     return await handler();
   } catch (error) {
diff --git a/packages/owletto-backend/src/tools/admin/index.ts b/packages/owletto-backend/src/tools/admin/index.ts
index 91d271598..5e9b4d1c8 100644
--- a/packages/owletto-backend/src/tools/admin/index.ts
+++ b/packages/owletto-backend/src/tools/admin/index.ts
@@ -1,16 +1,6 @@
 /**
- * Admin Tools Module
- *
- * This module exports all admin-related tools and their schemas.
- *
- * Consolidated admin tools surface:
- * - manage_entity: entity CRUD + relationship actions
- * - manage_entity_schema: entity type + relationship type schema actions
- * - manage_connections: connection + connector actions
- * - manage_feeds: data sync feed actions
- * - manage_auth_profiles: reusable auth profile actions
- * - manage_watchers: watcher instance actions + versioning
- * - manage_classifiers: classifier template + manual classification actions
+ * Legacy admin tools kept for REST/session callers while external MCP clients
+ * use the smaller search/execute surface.
  */
 
 import type { Static } from '@sinclair/typebox';
@@ -25,19 +15,15 @@ import { ManageFeedsSchema, manageFeeds } from './manage_feeds';
 import { ManageOperationsSchema, manageOperations } from './manage_operations';
 import { ManageViewTemplatesSchema, manageViewTemplates } from './manage_view_templates';
 import { ManageWatchersSchema, manageWatchers } from './manage_watchers';
-import { QuerySqlSchema, querySql } from './query_sql';
 
-// ============================================
-// Admin Tool Definitions
-// ============================================
-
-export const ADMIN_TOOLS: ToolDefinition[] = [
+export const LEGACY_ADMIN_TOOLS: ToolDefinition[] = [
   {
     name: 'manage_entity',
     description:
-      'Entity management and relationships. Actions: create (new entity), update (modify metadata), list (browse with filters), get (view details), delete (remove entity), link (create relationship between entities), unlink (soft-delete relationship), update_link (change metadata/confidence/source), list_links (browse entity relationships).',
+      'Legacy internal entity management tool for REST/session callers. External MCP clients should use execute + client.entities instead.',
     inputSchema: ManageEntitySchema,
     annotations: { destructiveHint: false },
+    internal: true,
     handler: async (args: Static<typeof ManageEntitySchema>, env: Env, ctx: ToolContext) => {
       return await manageEntity(args, env, ctx);
     },
@@ -45,22 +31,22 @@ export const ADMIN_TOOLS: ToolDefinition[] = [
   {
     name: 'manage_entity_schema',
     description:
-      'Manage entity type definitions and relationship type definitions. Set schema_type="entity_type" for entity types or schema_type="relationship_type" for relationship types. Entity type actions: list, get, create, update, delete, audit. Relationship type actions: list, get, create, update, delete, add_rule, remove_rule, list_rules.',
+      'Legacy internal schema management tool for REST/session callers. External MCP clients should use execute + client.entitySchema instead.',
     inputSchema: ManageEntitySchemaSchema,
     annotations: { destructiveHint: false },
+    internal: true,
     handler: async (args: Static<typeof ManageEntitySchemaSchema>, env: Env, ctx: ToolContext) => {
       return await manageEntitySchema(args, env, ctx);
     },
   },
   {
+    // Kept on the public MCP surface (not internal) because owletto-cli's
+    // `browser-auth` flow drives connection setup via MCP RPC. New external
+    // clients should still prefer execute + client.connections; we'll flip
+    // this back to internal once the CLI migrates.
     name: 'manage_connections',
     description:
-      'Manage integration connections and connectors.\n\n' +
-      'To set up a new connection: use action="connect" with the connector_key. ' +
-      'This returns a connect_url — share it with the user to open in their browser for authentication. ' +
-      'Then poll with action="get" until status="active". ' +
-      'NEVER fabricate URLs — always use the connect_url from the response.\n\n' +
-      'Actions: list, list_connector_definitions, get, create, connect, update, delete, test, install_connector, uninstall_connector, update_connector_auth, toggle_connector_login.',
+      'Connection management. New external MCP clients should prefer execute + client.connections; this tool is kept public for the owletto-cli browser-auth flow.',
     inputSchema: ManageConnectionsSchema,
     annotations: { destructiveHint: false },
     handler: async (args: Static<typeof ManageConnectionsSchema>, env: Env, ctx: ToolContext) => {
@@ -70,17 +56,22 @@ export const ADMIN_TOOLS: ToolDefinition[] = [
   {
     name: 'manage_feeds',
     description:
-      'Manage data sync feeds for connections. Actions: list_feeds, get_feed, create_feed, update_feed, delete_feed, trigger_feed.',
+      'Legacy internal feed management tool for REST/session callers. External MCP clients should use execute + client.feeds instead.',
     inputSchema: ManageFeedsSchema,
     annotations: { destructiveHint: false },
+    internal: true,
     handler: async (args: Static<typeof ManageFeedsSchema>, env: Env, ctx: ToolContext) => {
       return await manageFeeds(args, env, ctx);
     },
   },
   {
+    // Kept on the public MCP surface (not internal) because owletto-cli's
+    // `browser-auth` flow exchanges credential blobs via MCP RPC. New external
+    // clients should still prefer execute + client.authProfiles; we'll flip
+    // this back to internal once the CLI migrates.
     name: 'manage_auth_profiles',
     description:
-      'Manage reusable auth profiles for connector authentication. Actions: list_auth_profiles, get_auth_profile, test_auth_profile, create_auth_profile, update_auth_profile, delete_auth_profile.',
+      'Auth-profile management. New external MCP clients should prefer execute + client.authProfiles; this tool is kept public for the owletto-cli browser-auth flow.',
     inputSchema: ManageAuthProfilesSchema,
     annotations: { destructiveHint: false },
     handler: async (args: Static<typeof ManageAuthProfilesSchema>, env: Env, ctx: ToolContext) => {
@@ -90,26 +81,21 @@ export const ADMIN_TOOLS: ToolDefinition[] = [
   {
     name: 'manage_operations',
     description:
-      'Discover and execute connector-backed operations. Operations can be local connector actions, upstream MCP tools, or OpenAPI-derived HTTP operations. Actions: list_available, execute, list_runs, get_run, approve, reject.',
+      'Legacy internal operations tool for REST/session callers. External MCP clients should use execute + client.operations instead.',
     inputSchema: ManageOperationsSchema,
     annotations: { destructiveHint: false, openWorldHint: true },
+    internal: true,
     handler: async (args: Static<typeof ManageOperationsSchema>, env: Env, ctx: ToolContext) => {
       return await manageOperations(args, env, ctx);
     },
   },
   {
     name: 'manage_watchers',
-    description: `Manage self-contained watchers with versioned analysis configs. Actions: create (new watcher with prompt/schema/sources), update (model/schedule), create_version (new version with updated config), upgrade (switch to a version), complete_window (submit LLM output), delete, set_reaction_script, get_versions, get_version_details, get_component_reference, submit_feedback, get_feedback.
-
-WATCHER CONFIG: prompt (Handlebars), extraction_schema (JSON Schema), sources (SQL queries — auto-incremental if referencing events table), json_template (UI rendering), keying_config, classifiers, condensation_prompt, reactions_guidance.
-
-EXECUTION WORKFLOW: Use read_knowledge(watcher_id, since/until) to fetch prompt_rendered + extraction_schema + window_token + reactions_guidance + available_operations, run your LLM externally, then submit extracted_data via complete_window.
-
-REACTION SCRIPTS: Use set_reaction_script to attach TypeScript that auto-executes after complete_window. Script receives ReactionContext + ReactionSDK for entities, actions, content, and notifications.
-
-FEEDBACK: Use submit_feedback(watcher_id, window_id, corrections=[{field_path, mutation?, value?, note?}]) to correct extraction. Mutation defaults to 'set'; use 'remove' to drop an array item, 'add' to append one. Each entry is stored as its own row so later submissions supersede earlier ones per field. Use get_feedback(watcher_id) to retrieve corrections. Most-recent-per-field corrections are injected into future prompts.`,
+    description:
+      'Legacy internal watcher management tool for REST/session callers. External MCP clients should use execute + client.watchers instead.',
     inputSchema: ManageWatchersSchema,
     annotations: { destructiveHint: false },
+    internal: true,
     handler: async (args: Static<typeof ManageWatchersSchema>, env: Env, ctx: ToolContext) => {
       return await manageWatchers(args, env, ctx);
     },
@@ -117,9 +103,10 @@ FEEDBACK: Use submit_feedback(watcher_id, window_id, corrections=[{field_path, m
   {
     name: 'manage_classifiers',
     description:
-      'Manage classifier templates and manual classifications. Template actions: create, create_version, list, get_versions, set_current_version, generate_embeddings, delete. Manual classification: classify (single or batch content classification with classifier_slug + value). Enable classifiers per entity via manage_entity(action="update", enabled_classifiers=[...]).',
+      'Legacy internal classifier management tool for REST/session callers. External MCP clients should use execute + client.classifiers instead.',
     inputSchema: ManageClassifiersSchema,
     annotations: { destructiveHint: false },
+    internal: true,
     handler: async (args: Static<typeof ManageClassifiersSchema>, env: Env, ctx: ToolContext) => {
       return await manageClassifiers(args, env, ctx);
     },
@@ -127,21 +114,12 @@ FEEDBACK: Use submit_feedback(watcher_id, window_id, corrections=[{field_path, m
   {
     name: 'manage_view_templates',
     description:
-      'Manage view templates for entity types and individual entities. One tool for all template operations. Actions: set (create/update template), get (view current + history), rollback (revert to previous version), remove_tab (delete a named tab). Specify resource_type (entity_type/entity) and resource_id (entity type slug or entity id). Templates can include a data_sources key with named SQL queries that execute server-side. Queries run against org-scoped virtual tables (entities, events, connections, watchers, event_classifications) or entity type slugs as table names. Results are returned as template_data in resolve_path.',
+      'Legacy internal view-template management tool for REST/session callers. External MCP clients should use execute + client.viewTemplates instead.',
     inputSchema: ManageViewTemplatesSchema,
     annotations: { destructiveHint: false },
+    internal: true,
     handler: async (args: Static<typeof ManageViewTemplatesSchema>, env: Env, ctx: ToolContext) => {
       return await manageViewTemplates(args, env, ctx);
     },
   },
-  {
-    name: 'query_sql',
-    description:
-      'Execute paginated, sortable, searchable read-only SQL queries. Table references are auto-scoped to your organization. Do NOT include ORDER BY/LIMIT/OFFSET or positional parameters in your SQL.',
-    inputSchema: QuerySqlSchema,
-    annotations: { readOnlyHint: true, idempotentHint: true },
-    handler: async (args: Static<typeof QuerySqlSchema>, env: Env, ctx: ToolContext) => {
-      return await querySql(args, env, ctx);
-    },
-  },
 ];
diff --git a/packages/owletto-backend/src/tools/admin/manage_auth_profiles.ts b/packages/owletto-backend/src/tools/admin/manage_auth_profiles.ts
index b61ac4ad4..1a67a7cbf 100644
--- a/packages/owletto-backend/src/tools/admin/manage_auth_profiles.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_auth_profiles.ts
@@ -179,7 +179,7 @@ export async function manageAuthProfiles(
   _env: Env,
   ctx: ToolContext
 ): Promise<ManageAuthProfilesResult> {
-  return routeAction<ManageAuthProfilesResult>('manage_auth_profiles', args.action, {
+  return routeAction<ManageAuthProfilesResult>('manage_auth_profiles', args.action, ctx, {
     list_auth_profiles: () =>
       handleListAuthProfiles(
         args as Extract<AuthProfilesArgs, { action: 'list_auth_profiles' }>,
diff --git a/packages/owletto-backend/src/tools/admin/manage_classifiers.ts b/packages/owletto-backend/src/tools/admin/manage_classifiers.ts
index 44db6da83..4e4461400 100644
--- a/packages/owletto-backend/src/tools/admin/manage_classifiers.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_classifiers.ts
@@ -243,9 +243,9 @@ function stripEmbeddingsFromAttributeValues(
 export async function manageClassifiers(
   args: ManageClassifiersArgs,
   env: Env,
-  _ctx: ToolContext
+  ctx: ToolContext
 ): Promise<ManageClassifiersResult> {
-  return routeAction<ManageClassifiersResult>('manage_classifiers', args.action, {
+  return routeAction<ManageClassifiersResult>('manage_classifiers', args.action, ctx, {
     create: () => handleCreate(args, env),
     create_version: () => handleCreateVersion(args, env),
     list: () => handleList(args),
diff --git a/packages/owletto-backend/src/tools/admin/manage_connections.ts b/packages/owletto-backend/src/tools/admin/manage_connections.ts
index 8b4611702..8dac32fa5 100644
--- a/packages/owletto-backend/src/tools/admin/manage_connections.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_connections.ts
@@ -371,7 +371,7 @@ export async function manageConnections(
   env: Env,
   ctx: ToolContext
 ): Promise<ManageConnectionsResult> {
-  return routeAction<ManageConnectionsResult>('manage_connections', args.action, {
+  return routeAction<ManageConnectionsResult>('manage_connections', args.action, ctx, {
     list_connector_definitions: () =>
       handleListConnectorDefinitions(
         args as Extract<ConnectionsArgs, { action: 'list_connector_definitions' }>,
diff --git a/packages/owletto-backend/src/tools/admin/manage_entity.ts b/packages/owletto-backend/src/tools/admin/manage_entity.ts
index ba0c9f1cc..20f57dba8 100644
--- a/packages/owletto-backend/src/tools/admin/manage_entity.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_entity.ts
@@ -383,7 +383,7 @@ export async function manageEntity(
 ): Promise<ManageEntityResult> {
   const id = () => requireField(args.entity_id, 'entity_id', args.action);
 
-  const result = await routeAction('manage_entity', args.action, {
+  const result = await routeAction('manage_entity', args.action, ctx, {
     create: () => handleCreate(args, env, ctx),
     update: () => handleUpdate(id(), args, env, ctx),
     list: () => handleList(args, env, ctx),
diff --git a/packages/owletto-backend/src/tools/admin/manage_entity_schema.ts b/packages/owletto-backend/src/tools/admin/manage_entity_schema.ts
index 78139e215..aa67e48d9 100644
--- a/packages/owletto-backend/src/tools/admin/manage_entity_schema.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_entity_schema.ts
@@ -209,7 +209,7 @@ export async function manageEntitySchema(
   ctx: ToolContext
 ): Promise<ManageEntitySchemaResult> {
   if (args.schema_type === 'entity_type') {
-    return routeAction('manage_entity_schema', args.action, {
+    return routeAction('manage_entity_schema', args.action, ctx, {
       list: () => etHandleList(ctx),
       get: () => etHandleGet(args.slug, ctx),
       create: () => etHandleCreate(args, ctx),
@@ -219,7 +219,7 @@ export async function manageEntitySchema(
     });
   }
 
-  return routeAction('manage_entity_schema', args.action, {
+  return routeAction('manage_entity_schema', args.action, ctx, {
     list: () => rtHandleList(args, ctx),
     get: () => rtHandleGet(args, ctx),
     create: () => rtHandleCreate(args, ctx),
diff --git a/packages/owletto-backend/src/tools/admin/manage_feeds.ts b/packages/owletto-backend/src/tools/admin/manage_feeds.ts
index 8407133ad..a1be16ed0 100644
--- a/packages/owletto-backend/src/tools/admin/manage_feeds.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_feeds.ts
@@ -115,7 +115,7 @@ export async function manageFeeds(
   env: Env,
   ctx: ToolContext
 ): Promise<ManageFeedsResult> {
-  return routeAction<ManageFeedsResult>('manage_feeds', args.action, {
+  return routeAction<ManageFeedsResult>('manage_feeds', args.action, ctx, {
     list_feeds: () => handleListFeeds(args as Extract<FeedsArgs, { action: 'list_feeds' }>, ctx),
     get_feed: () => handleGetFeed(args as Extract<FeedsArgs, { action: 'get_feed' }>, ctx),
     create_feed: () =>
diff --git a/packages/owletto-backend/src/tools/admin/manage_operations.ts b/packages/owletto-backend/src/tools/admin/manage_operations.ts
index 128e3f6d3..3773a9503 100644
--- a/packages/owletto-backend/src/tools/admin/manage_operations.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_operations.ts
@@ -145,7 +145,7 @@ export async function manageOperations(
   env: Env,
   ctx: ToolContext
 ): Promise<ManageOperationsResult> {
-  return routeAction<ManageOperationsResult>('manage_operations', args.action, {
+  return routeAction<ManageOperationsResult>('manage_operations', args.action, ctx, {
     list_available: () =>
       handleListAvailable(args as Extract<OperationsArgs, { action: 'list_available' }>, ctx),
     execute: () => handleExecute(args as Extract<OperationsArgs, { action: 'execute' }>, env, ctx),
diff --git a/packages/owletto-backend/src/tools/admin/manage_view_templates.ts b/packages/owletto-backend/src/tools/admin/manage_view_templates.ts
index e201a1d2b..1a281af49 100644
--- a/packages/owletto-backend/src/tools/admin/manage_view_templates.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_view_templates.ts
@@ -81,7 +81,7 @@ export async function manageViewTemplates(
   _env: unknown,
   ctx: ToolContext
 ): Promise<ManageViewTemplatesResult> {
-  return routeAction<ManageViewTemplatesResult>('manage_view_templates', args.action, {
+  return routeAction<ManageViewTemplatesResult>('manage_view_templates', args.action, ctx, {
     set: () => handleSet(args, ctx),
     get: () => handleGet(args, ctx),
     rollback: () => handleRollback(args, ctx),
diff --git a/packages/owletto-backend/src/tools/admin/manage_watchers.ts b/packages/owletto-backend/src/tools/admin/manage_watchers.ts
index 203db9450..a08e36aae 100644
--- a/packages/owletto-backend/src/tools/admin/manage_watchers.ts
+++ b/packages/owletto-backend/src/tools/admin/manage_watchers.ts
@@ -655,7 +655,7 @@ export async function manageWatchers(
     }
   }
 
-  return routeAction<ManageWatchersResult>('manage_watchers', args.action, {
+  return routeAction<ManageWatchersResult>('manage_watchers', args.action, ctx, {
     create: () => handleCreate(args, env, ctx),
     update: () => handleUpdate(args, env),
     create_version: () => handleCreateVersion(args, env, ctx),
diff --git a/packages/owletto-backend/src/tools/admin/notify.ts b/packages/owletto-backend/src/tools/admin/notify.ts
index a1a0afc8d..5dd99146a 100644
--- a/packages/owletto-backend/src/tools/admin/notify.ts
+++ b/packages/owletto-backend/src/tools/admin/notify.ts
@@ -76,7 +76,7 @@ export async function notify(
   _env: Env,
   ctx: ToolContext
 ): Promise<{ notified_count: number }> {
-  return routeAction('notify', args.action, {
+  return routeAction('notify', args.action, ctx, {
     send: () => handleSend(args, ctx),
   });
 }
diff --git a/packages/owletto-backend/src/tools/execute.ts b/packages/owletto-backend/src/tools/execute.ts
index 25c5639ad..c39ca4a7f 100644
--- a/packages/owletto-backend/src/tools/execute.ts
+++ b/packages/owletto-backend/src/tools/execute.ts
@@ -5,11 +5,11 @@
  */
 
 import type { Context } from 'hono';
-import { getRequiredAccessLevel, isPublicReadable } from '../auth/tool-access';
+import { getRequiredAccessLevel, hasRequiredMcpScope, isPublicReadable } from '../auth/tool-access';
 import type { Env } from '../index';
 import { trackMCPToolCall } from '../sentry';
 import { getConfiguredPublicOrigin } from '../utils/public-origin';
-import { joinOrganization, listOrganizations, switchOrganization } from './organizations';
+import { listOrganizations, switchOrganization } from './organizations';
 import { getTool, type ToolContext } from './registry';
 
 /**
@@ -30,12 +30,15 @@ export interface AuthContext {
   scopedToOrg: boolean;
   /** Workspace instructions (populated after org resolution in MCP sessions). */
   instructions?: string;
+  /** REST/session compatibility path may invoke tools hidden from external MCP. */
+  allowInternalTools?: boolean;
 }
 
 /**
  * Extract auth context from a Hono request context.
  */
 export function extractAuthContext(c: Context<{ Bindings: Env }>): AuthContext {
+  const pathname = new URL(c.req.url).pathname;
   return {
     organizationId: c.var.organizationId,
     userId: c.var.mcpAuthInfo?.userId || c.var.session?.userId || null,
@@ -48,6 +51,7 @@ export function extractAuthContext(c: Context<{ Bindings: Env }>): AuthContext {
     requestUrl: c.req.url,
     baseUrl: getConfiguredPublicOrigin() ?? '',
     scopedToOrg: !!c.req.param('orgSlug'),
+    allowInternalTools: !pathname.startsWith('/mcp'),
   };
 }
 
@@ -56,30 +60,20 @@ export function extractAuthContext(c: Context<{ Bindings: Env }>): AuthContext {
  */
 const ORG_AGNOSTIC_TOOLS = new Set(['list_organizations', 'switch_organization']);
 
-function hasRequiredMcpScope(
-  requiredAccess: 'read' | 'write' | 'admin',
-  scopes: string[] | null | undefined
-): boolean {
-  if (scopes == null) return true;
-  if (scopes.length === 0) return false;
-  const scopeSet = new Set(scopes);
-  if (requiredAccess === 'read') {
-    return scopeSet.has('mcp:read') || scopeSet.has('mcp:write') || scopeSet.has('mcp:admin');
-  }
-  if (requiredAccess === 'write') {
-    return scopeSet.has('mcp:write') || scopeSet.has('mcp:admin');
-  }
-  return scopeSet.has('mcp:admin');
-}
-
 export function checkToolAccess(toolName: string, args: unknown, authCtx: AuthContext): void {
   if (ORG_AGNOSTIC_TOOLS.has(toolName)) {
     if (!authCtx.isAuthenticated) {
       throw new Error('Authentication required.');
     }
-    if (authCtx.scopedToOrg) {
-      throw new Error(`Tool '${toolName}' is only available on the unscoped /mcp endpoint.`);
+    // list_organizations + switch_organization are read-tier; OAuth tokens
+    // without `mcp:read` (e.g. profile-only) must not call them.
+    if (!hasRequiredMcpScope('read', authCtx.scopes)) {
+      throw new Error(
+        'This MCP session does not include read access. Reconnect with read access to list or switch organizations.'
+      );
     }
+    // Exposed on both unscoped /mcp and scoped /mcp/{slug} endpoints. The URL
+    // pin defines the default org; switching moves the session.
     return;
   }
 
@@ -88,7 +82,9 @@ export function checkToolAccess(toolName: string, args: unknown, authCtx: AuthCo
   }
 
   const tool = getTool(toolName);
-  if (!tool) throw new Error(`Tool not found: ${toolName}`);
+  if (!tool || (tool.internal && !authCtx.allowInternalTools)) {
+    throw new Error(`Tool not found: ${toolName}`);
+  }
 
   const isReadOnly = tool.annotations?.readOnlyHint === true;
   const { memberRole: role } = authCtx;
@@ -97,11 +93,11 @@ export function checkToolAccess(toolName: string, args: unknown, authCtx: AuthCo
   if (!role && !isPublicReadable(toolName, args)) {
     if (authCtx.userId) {
       throw new Error(
-        'This public workspace is read-only for your account. Call the `join_organization` tool to become a member and unlock write access (or join via the web UI).'
+        'This public workspace is read-only for your account. Ask an organization owner for an invite to unlock write access.'
       );
     }
     throw new Error(
-      'This public workspace is read-only for anonymous access. Sign in with an OAuth client that has write access, then call `join_organization` to become a member.'
+      'This public workspace is read-only for anonymous access. Sign in with an OAuth client that has write access.'
     );
   }
 
@@ -121,7 +117,7 @@ export function checkToolAccess(toolName: string, args: unknown, authCtx: AuthCo
     }
     if (requiredAccess === 'write') {
       throw new Error(
-        'This MCP session is read-only. If this is a public workspace, call `join_organization` first, then reconnect with write-scoped OAuth. Otherwise ask an owner to add you.'
+        'This MCP session is read-only. Reconnect with write-scoped OAuth, or ask an owner to add you.'
       );
     }
     throw new Error(
@@ -140,29 +136,6 @@ export async function executeTool(
   env: Env,
   authCtx: AuthContext
 ): Promise<unknown> {
-  // join_organization bypasses the standard membership/role check — its whole
-  // purpose is to upgrade a non-member / read-only session into a member.
-  // It still requires the caller to hold at least mcp:read, so OAuth tokens
-  // without any MCP scope cannot change membership. The tool itself enforces
-  // public-org policy.
-  if (toolName === 'join_organization') {
-    if (!authCtx.userId) {
-      throw new Error('Authentication required to join an organization. Sign in with OAuth first.');
-    }
-    if (!hasRequiredMcpScope('read', authCtx.scopes)) {
-      throw new Error(
-        'This MCP session does not include any mcp:* scope. Reconnect with at least read access before calling `join_organization`.'
-      );
-    }
-    return trackMCPToolCall(toolName, args, () =>
-      joinOrganization(args as any, env, {
-        userId: authCtx.userId!,
-        currentOrgId: authCtx.organizationId,
-        scopes: authCtx.scopes ?? null,
-      })
-    );
-  }
-
   checkToolAccess(toolName, args, authCtx);
 
   // Org-agnostic tools get a minimal context with just userId
@@ -205,6 +178,7 @@ export function toToolContext(authCtx: AuthContext): ToolContext {
     agentId: authCtx.agentId,
     isAuthenticated: authCtx.isAuthenticated,
     clientId: authCtx.clientId,
+    scopes: authCtx.scopes,
     requestUrl: authCtx.requestUrl,
     baseUrl: authCtx.baseUrl,
   };
diff --git a/packages/owletto-backend/src/tools/organizations.ts b/packages/owletto-backend/src/tools/organizations.ts
index 0c13d9b6e..b1c9d2ff1 100644
--- a/packages/owletto-backend/src/tools/organizations.ts
+++ b/packages/owletto-backend/src/tools/organizations.ts
@@ -1,17 +1,16 @@
 /**
  * Tools: list_organizations, switch_organization
  *
- * Exposed only when the MCP session was initiated from the unscoped /mcp endpoint.
- * Allows agents to discover orgs and switch context mid-session.
+ * Exposed on both unscoped /mcp and scoped /mcp/{slug} endpoints. The URL
+ * pin defines the default org; switch_organization moves the session
+ * regardless of how it was initiated.
  */
 
 import { type Static, Type } from '@sinclair/typebox';
 import { getDb } from '../db/client';
 import type { Env } from '../index';
-import { getRateLimiter, RateLimitPresets } from '../utils/rate-limiter';
 import { buildWorkspaceInstructions } from '../utils/workspace-instructions';
 import { getWorkspaceProvider } from '../workspace';
-import { joinPublicOrganization } from '../workspace/join-public';
 import type { OrgInfo } from '../workspace/types';
 
 // ---------------------------------------------------------------------------
@@ -32,16 +31,6 @@ export const SwitchOrganizationSchema = Type.Object({
   }),
 });
 
-export const JoinOrganizationSchema = Type.Object({
-  organization_slug: Type.Optional(
-    Type.String({
-      description:
-        'Organization slug to join. Optional on scoped /mcp/{slug} sessions (defaults to the current workspace). Required on the unscoped /mcp endpoint.',
-      minLength: 1,
-    })
-  ),
-});
-
 // ---------------------------------------------------------------------------
 // Handlers
 // ---------------------------------------------------------------------------
@@ -110,70 +99,3 @@ export async function switchOrganization(
   };
 }
 
-export async function joinOrganization(
-  args: Static<typeof JoinOrganizationSchema>,
-  _env: Env,
-  ctx: { userId: string; currentOrgId: string | null; scopes: string[] | null }
-): Promise<{
-  status: 'joined' | 'already_member';
-  org: { slug: string; name: string; id: string; role: string };
-  note?: string;
-}> {
-  // Match the REST endpoint's 10/hour cap (keyed on userId here since MCP tool
-  // calls don't carry a client IP).
-  const rateLimit = getRateLimiter().checkLimit(
-    `rate:join-public-org:user:${ctx.userId}`,
-    RateLimitPresets.JOIN_PUBLIC_ORG_PER_IP_HOUR
-  );
-  if (!rateLimit.allowed) {
-    throw new Error(
-      rateLimit.errorMessage ??
-        'Join rate limit exceeded. Maximum 10 join attempts per hour.'
-    );
-  }
-
-  let slug = args.organization_slug ?? null;
-  if (!slug) {
-    if (!ctx.currentOrgId) {
-      throw new Error(
-        'organization_slug is required when calling join_organization on the unscoped /mcp endpoint.'
-      );
-    }
-    slug = await getWorkspaceProvider().getOrgSlug(ctx.currentOrgId);
-    if (!slug) {
-      throw new Error('Could not resolve the current organization slug.');
-    }
-  }
-
-  const result = await joinPublicOrganization({ userId: ctx.userId, orgSlug: slug });
-  if (result.status === 'not_found') {
-    throw new Error(`Organization '${slug}' not found.`);
-  }
-  if (result.status === 'not_public') {
-    throw new Error(
-      `Organization '${slug}' is not public. Ask an organization owner for an invitation.`
-    );
-  }
-
-  const sql = getDb();
-  const rows = await sql<{ name: string }>`
-    SELECT name FROM "organization" WHERE id = ${result.organizationId} LIMIT 1
-  `;
-  const name = rows[0]?.name ?? slug;
-
-  const scopes = ctx.scopes;
-  const readOnlyScopes =
-    Array.isArray(scopes) &&
-    scopes.length > 0 &&
-    !scopes.includes('mcp:write') &&
-    !scopes.includes('mcp:admin');
-  const note = readOnlyScopes
-    ? 'Your current OAuth session is read-only. Reconnect with write access (mcp:write) to push data to this workspace.'
-    : undefined;
-
-  return {
-    status: result.status,
-    org: { slug, name, id: result.organizationId, role: result.role },
-    ...(note ? { note } : {}),
-  };
-}
diff --git a/packages/owletto-backend/src/tools/registry.ts b/packages/owletto-backend/src/tools/registry.ts
index ad89bc2fe..08ba1a200 100644
--- a/packages/owletto-backend/src/tools/registry.ts
+++ b/packages/owletto-backend/src/tools/registry.ts
@@ -8,19 +8,17 @@
 import type { Static } from '@sinclair/typebox';
 import { getPublicReadableActions, getRequiredAccessLevel } from '../auth/tool-access';
 import type { Env } from '../index';
-import { ADMIN_TOOLS } from './admin';
-import { ListWatchersSchema, listWatchers } from './admin/manage_watchers';
-import { GetContentSchema, getContent } from './get_content';
-import { GetWatcherSchema, getWatcher } from './get_watchers';
+import { LEGACY_ADMIN_TOOLS } from './admin';
+import { QuerySqlSchema, querySql } from './admin/query_sql';
 import {
-  JoinOrganizationSchema,
   ListOrganizationsSchema,
   SwitchOrganizationSchema,
 } from './organizations';
 import { ResolvePathSchema, resolvePath } from './resolve_path';
 import { SaveContentSchema, saveContent } from './save_content';
-// Import tool implementations and their schemas
 import { SearchSchema, search } from './search';
+import { ExecuteSchema, executeScript } from './sdk_execute';
+import { SdkSearchSchema, sdkSearch } from './sdk_search';
 
 // ============================================
 // Tool Definitions
@@ -58,6 +56,8 @@ export interface ToolContext {
   isAuthenticated: boolean;
   /** OAuth client ID that created this request (null for session/anonymous) */
   clientId?: string | null;
+  /** OAuth scopes granted to this MCP/tool session, when applicable. */
+  scopes?: string[] | null;
   /** Original request URL, used to derive public-facing origin for URL generation */
   requestUrl?: string;
   /** PUBLIC_WEB_URL env var fallback for URL generation when requestUrl is unreliable */
@@ -77,10 +77,11 @@ export interface ToolDefinition<T = any> {
 }
 
 const TOOLS: ToolDefinition[] = [
+  // ─── Hot-path read/write surface ──────────────────────────────────────────
   {
     name: 'search_knowledge',
     description:
-      'Search the workspace knowledge graph and saved memory for entities and related context. Supports fuzzy matching and filtering by entity_type. Use this as the FIRST step when the user asks about a specific entity. If entity is missing, create it with manage_entity then configure ingestion with manage_connections.',
+      'Search the workspace knowledge graph and saved memory for entities and related context. Supports fuzzy matching and filtering by entity_type. Use this as the FIRST step when the user asks about a specific entity. To create or modify entities, use the `execute` tool with a TypeScript script over the `client` SDK.',
     inputSchema: SearchSchema,
     annotations: { readOnlyHint: true, idempotentHint: true },
     handler: async (args: Static<typeof SearchSchema>, env: Env, ctx: ToolContext) => {
@@ -88,41 +89,51 @@ const TOOLS: ToolDefinition[] = [
     },
   },
   {
-    name: 'list_watchers',
+    name: 'save_knowledge',
     description:
-      'List watcher definitions and metadata for the current organization. Use optional filters like entity_id, watcher_id, or status. This is the discovery tool for finding watchers before using get_watcher on a specific watcher.',
-    inputSchema: ListWatchersSchema,
-    annotations: { readOnlyHint: true, idempotentHint: true },
-    handler: async (args: Static<typeof ListWatchersSchema>, env: Env, ctx: ToolContext) => {
-      return await listWatchers(args, env, ctx);
+      "Save knowledge to the workspace, optionally associated with entities via entity_ids. Supports multiple content formats via payload_type: 'text' (default), 'markdown' (rich text), 'json_template' (structured UI with payload_template + payload_data), 'media' (media-focused), 'empty' (metadata only). Metadata is validated against the entity type schema when entities are provided. To update an existing fact, pass supersedes_event_id with the old event ID — the old event is hidden from future searches. Always search first to avoid duplicates.",
+    inputSchema: SaveContentSchema,
+    annotations: { readOnlyHint: false, destructiveHint: false },
+    handler: async (args: Static<typeof SaveContentSchema>, env: Env, ctx: ToolContext) => {
+      return await saveContent(args, env, ctx);
     },
   },
   {
-    name: 'get_watcher',
+    name: 'query_sql',
     description:
-      'Query saved analysis windows and metadata for a single watcher. Requires watcher_id. Use list_watchers to discover watchers first. Pair with read_knowledge + manage_watchers(action="complete_window") for client-driven LLM execution.',
-    inputSchema: GetWatcherSchema,
+      'Execute paginated, sortable, searchable read-only SQL queries. Table references are auto-scoped to your organization. Do NOT include ORDER BY/LIMIT/OFFSET or positional parameters in your SQL.',
+    inputSchema: QuerySqlSchema,
     annotations: { readOnlyHint: true, idempotentHint: true },
-    handler: async (args: Static<typeof GetWatcherSchema>, env: Env, ctx: ToolContext) => {
-      return await getWatcher(args, env, ctx);
+    handler: async (args: Static<typeof QuerySqlSchema>, env: Env, ctx: ToolContext) => {
+      return await querySql(args, env, ctx);
     },
   },
+  // ─── Generic surface: discover + execute over the typed ClientSDK ─────────
   {
-    name: 'read_knowledge',
-    description: `List or search saved knowledge and content for an entity. Provide \`query\` parameter to perform semantic/text search (combines vector similarity for longer queries with full-text matching). Omit \`query\` to list all saved knowledge with filters. Returns content ordered by relevance (when searching) or date (when listing).
-
-WATCHER MODE: When \`watcher_id\` is provided with \`since\`/\`until\`, returns everything needed for external LLM processing:
-- window_token: JWT for complete_window action
-- prompt_rendered: Ready-to-use prompt for LLM
-- extraction_schema: JSON Schema defining expected output structure
-- content: The content data to analyze
-- classifiers: Current classifier values for context`,
-    inputSchema: GetContentSchema,
+    name: 'search',
+    description:
+      "Discover ClientSDK methods. Pass a namespace ('watchers', 'entities', etc.) for a listing, a dotted path ('watchers.create') for a drill-down with signature/throws/example, or a free-text query for fuzzy matches. Pair with `execute` to actually call methods.",
+    inputSchema: SdkSearchSchema,
     annotations: { readOnlyHint: true, idempotentHint: true },
-    handler: async (args: Static<typeof GetContentSchema>, env: Env, ctx: ToolContext) => {
-      return await getContent(args, env, ctx);
+    handler: async (args: Static<typeof SdkSearchSchema>, env: Env, ctx: ToolContext) => {
+      return await sdkSearch(args, env, ctx);
     },
   },
+  {
+    name: 'execute',
+    description:
+      "Run a TypeScript script in a sandboxed isolate over the typed `ClientSDK`. The script must `export default async (ctx, client) => { ... }` and may use `client.entities`, `client.watchers`, `client.knowledge`, `client.org(slug)` for cross-org calls, `client.query(sql)` for read-only SQL, etc. Use `search` to find method names and signatures. Replaces the previous `manage_*` MCP tool surface — call those handlers via `client.<namespace>.<method>(...)` from inside the script.",
+    inputSchema: ExecuteSchema,
+    // The script can delete entities, drop watchers, trigger external operations
+    // — host clients should treat it as destructive and require approval.
+    annotations: { destructiveHint: true },
+    handler: async (args: Static<typeof ExecuteSchema>, env: Env, ctx: ToolContext) => {
+      return await executeScript(args, env, ctx);
+    },
+  },
+  // ─── Legacy REST/session-only admin tools ────────────────────────────────
+  ...LEGACY_ADMIN_TOOLS,
+  // ─── Path resolution (frontend internal) ──────────────────────────────────
   {
     name: 'resolve_path',
     description:
@@ -134,24 +145,13 @@ WATCHER MODE: When \`watcher_id\` is provided with \`since\`/\`until\`, returns
       return await resolvePath(args, env, ctx);
     },
   },
-  {
-    name: 'save_knowledge',
-    description:
-      "Save knowledge to the workspace, optionally associated with entities via entity_ids. Supports multiple content formats via payload_type: 'text' (default), 'markdown' (rich text), 'json_template' (structured UI with payload_template + payload_data), 'media' (media-focused), 'empty' (metadata only). Metadata is validated against the entity type schema when entities are provided. To update an existing fact, pass supersedes_event_id with the old event ID — the old event is hidden from future searches. Always search first to avoid duplicates.",
-    inputSchema: SaveContentSchema,
-    annotations: { readOnlyHint: false, destructiveHint: false },
-    handler: async (args: Static<typeof SaveContentSchema>, env: Env, ctx: ToolContext) => {
-      return await saveContent(args, env, ctx);
-    },
-  },
-  // Org switching tools (only exposed on unscoped /mcp endpoint)
+  // ─── Org tools (now exposed on both unscoped and scoped /mcp endpoints) ───
   {
     name: 'list_organizations',
     description:
-      'List organizations the authenticated user belongs to. Only available when the MCP session uses the unscoped /mcp endpoint.',
+      'List organizations the authenticated user belongs to, plus any public workspaces the session can read.',
     inputSchema: ListOrganizationsSchema,
     annotations: { readOnlyHint: true, idempotentHint: true },
-    orgSwitching: true,
     handler: async () => {
       throw new Error('Handled directly in executeTool');
     },
@@ -159,28 +159,13 @@ WATCHER MODE: When \`watcher_id\` is provided with \`since\`/\`until\`, returns
   {
     name: 'switch_organization',
     description:
-      'Switch the current session to a different organization. The org slug must have appeared in a prior list_organizations result. After switching, all subsequent tool calls operate in the new org context. Returns workspace instructions for the new org.',
+      'Switch the current session to a different organization the user is a member of. After switching, all subsequent tool calls operate in the new org context. Available on both /mcp and /mcp/{slug} endpoints — on a scoped endpoint the URL pin defines the default, but a switch can move the session.',
     inputSchema: SwitchOrganizationSchema,
     annotations: { readOnlyHint: false },
-    orgSwitching: true,
-    handler: async () => {
-      throw new Error('Handled directly in executeTool');
-    },
-  },
-  {
-    name: 'join_organization',
-    description:
-      'Join the current public workspace as a member so you can write (create entities, save knowledge, update classifications). Only works on workspaces with visibility=public; private workspaces still require an invitation. Idempotent — calling when already a member is safe. On the unscoped /mcp endpoint, pass `organization_slug`; on /mcp/{slug} sessions the current workspace is used.',
-    inputSchema: JoinOrganizationSchema,
-    // readOnlyHint:true lets read-scoped MCP sessions invoke it — the whole
-    // point of this tool is to flip an anonymous reader into a member.
-    annotations: { readOnlyHint: true, idempotentHint: true },
     handler: async () => {
       throw new Error('Handled directly in executeTool');
     },
   },
-  // Admin tools
-  ...ADMIN_TOOLS,
 ];
 
 // ============================================
diff --git a/packages/owletto-backend/src/tools/sdk_execute.ts b/packages/owletto-backend/src/tools/sdk_execute.ts
new file mode 100644
index 000000000..960580531
--- /dev/null
+++ b/packages/owletto-backend/src/tools/sdk_execute.ts
@@ -0,0 +1,60 @@
+/**
+ * MCP tool `execute` — runs a TypeScript script in an isolated-vm sandbox
+ * over the typed `ClientSDK`. Replaces the action-discriminated `manage_*`
+ * tool surface (those handlers stay; the SDK delegates to them).
+ *
+ * Auth: requires `write` access. Per-method access checks fire inside the
+ * delegated handlers, so admin-only SDK calls still require admin role and
+ * `mcp:admin` scope before they run.
+ */
+
+import { type Static, Type } from "@sinclair/typebox";
+import type { Env } from "../index";
+import { buildClientSDK } from "../sandbox/client-sdk";
+import { runScript } from "../sandbox/run-script";
+import type { ToolContext } from "./registry";
+
+export const ExecuteSchema = Type.Object({
+  script: Type.String({
+    description:
+      "TypeScript source. Must `export default async (ctx, client) => { ... }`. The `client` global exposes typed namespaces (entities, watchers, knowledge, etc.) plus `client.org(slug)` for cross-org calls. Use `search` to discover methods.",
+    minLength: 1,
+    maxLength: 100_000,
+  }),
+  timeout_ms: Type.Optional(
+    Type.Number({
+      description: "Wall-clock budget. Default 60000 (max 60000).",
+      minimum: 100,
+      maximum: 60_000,
+    }),
+  ),
+});
+
+export type ExecuteArgs = Static<typeof ExecuteSchema>;
+
+export async function executeScript(
+  args: ExecuteArgs,
+  env: Env,
+  ctx: ToolContext,
+): Promise<unknown> {
+  const sdk = buildClientSDK(ctx, env);
+  const result = await runScript({
+    source: args.script,
+    sdk,
+    context: {
+      organization_id: ctx.organizationId,
+      user_id: ctx.userId,
+      mode: "execute",
+    },
+    limits: args.timeout_ms ? { timeoutMs: args.timeout_ms } : undefined,
+  });
+
+  return {
+    success: result.success,
+    return_value: result.returnValue,
+    logs: result.logs,
+    error: result.error,
+    duration_ms: result.durationMs,
+    sdk_calls: result.sdkCalls,
+  };
+}
diff --git a/packages/owletto-backend/src/tools/sdk_search.ts b/packages/owletto-backend/src/tools/sdk_search.ts
new file mode 100644
index 000000000..1843f281d
--- /dev/null
+++ b/packages/owletto-backend/src/tools/sdk_search.ts
@@ -0,0 +1,160 @@
+/**
+ * MCP tool `search` — method discovery against the `ClientSDK`.
+ *
+ * Two-tier output:
+ *   - Namespace listing for queries like "watchers" — one line per method.
+ *   - Drill-down for "watchers.create" — summary, access tier, throws,
+ *     example call.
+ *
+ * Match order: exact path → namespace prefix → substring on path + summary.
+ *
+ * The data source is `method-metadata.ts`. PR-2 ships hand-maintained
+ * entries; PR-2 also adds a CI test that fails if a new SDK method is
+ * exposed without a metadata entry.
+ */
+
+import { type Static, Type } from "@sinclair/typebox";
+import type { Env } from "../index";
+import { METHOD_METADATA, type MethodMetadata } from "../sandbox/method-metadata";
+import type { ToolContext } from "./registry";
+
+export const SdkSearchSchema = Type.Object({
+  query: Type.String({
+    description:
+      "Method-discovery query. Use a namespace name (e.g. 'watchers') for a listing, a dotted path (e.g. 'watchers.create') for a drill-down, or a free-text term to substring-match across paths and summaries.",
+    minLength: 1,
+  }),
+  limit: Type.Optional(
+    Type.Number({
+      description: "Max matches to return. Default 20, max 100.",
+      minimum: 1,
+      maximum: 100,
+    }),
+  ),
+});
+
+export type SdkSearchArgs = Static<typeof SdkSearchSchema>;
+
+interface MatchRow {
+  path: string;
+  summary: string;
+  access: MethodMetadata["access"];
+}
+
+/**
+ * Render a one-line method entry for namespace listings.
+ */
+function renderListLine(path: string, meta: MethodMetadata): string {
+  return `${path} — ${meta.summary}`;
+}
+
+/**
+ * Render a multi-line drill-down for a single method.
+ */
+function renderDrillDown(path: string, meta: MethodMetadata): string {
+  const lines: string[] = [];
+  lines.push(path);
+  lines.push(`  ${meta.summary}`);
+  lines.push(`  access: ${meta.access}${meta.cost ? ` (cost: ${meta.cost})` : ""}`);
+  if (meta.throws && meta.throws.length > 0) {
+    lines.push(`  throws: ${meta.throws.join(", ")}`);
+  }
+  if (meta.example) {
+    lines.push(`  example: ${meta.example}`);
+  }
+  return lines.join("\n");
+}
+
+export async function sdkSearch(
+  args: SdkSearchArgs,
+  _env: Env,
+  _ctx: ToolContext,
+): Promise<{
+  query: string;
+  match_count: number;
+  results: string[];
+  notes?: string;
+}> {
+  const limit = Math.min(args.limit ?? 20, 100);
+  const query = args.query.trim();
+  const lower = query.toLowerCase();
+
+  const all: Array<[string, MethodMetadata]> = Object.entries(METHOD_METADATA);
+
+  // Tier 1: exact path drill-down.
+  if (lower in METHOD_METADATA) {
+    const meta = METHOD_METADATA[lower];
+    return {
+      query,
+      match_count: 1,
+      results: [renderDrillDown(lower, meta)],
+    };
+  }
+
+  // Tier 2: namespace prefix listing.
+  if (lower.indexOf(".") === -1) {
+    const prefix = `${lower}.`;
+    const ns = all.filter(([p]) => p.startsWith(prefix));
+    // Top-level methods (no dot) live as bare paths — match those too.
+    const topLevel = all.filter(([p]) => p === lower);
+    const combined = [...topLevel, ...ns];
+    if (combined.length > 0) {
+      return {
+        query,
+        match_count: combined.length,
+        results: combined
+          .slice(0, limit)
+          .map(([p, m]) => renderListLine(p, m)),
+        notes:
+          combined.length > limit
+            ? `${combined.length - limit} more matches; raise \`limit\` or refine the query.`
+            : undefined,
+      };
+    }
+  }
+
+  // Tier 3: substring on path + summary.
+  const seen = new Set<string>();
+  const matches: MatchRow[] = [];
+  for (const [path, meta] of all) {
+    if (path.toLowerCase().includes(lower)) {
+      if (!seen.has(path)) {
+        seen.add(path);
+        matches.push({ path, summary: meta.summary, access: meta.access });
+      }
+    }
+  }
+  for (const [path, meta] of all) {
+    if (meta.summary.toLowerCase().includes(lower) && !seen.has(path)) {
+      seen.add(path);
+      matches.push({ path, summary: meta.summary, access: meta.access });
+    }
+  }
+
+  if (matches.length === 0) {
+    return {
+      query,
+      match_count: 0,
+      results: [],
+      notes:
+        "No matches. Try a top-level namespace (entities, watchers, knowledge, organizations) or a verb (create, list, search).",
+    };
+  }
+
+  return {
+    query,
+    match_count: matches.length,
+    results: matches
+      .slice(0, limit)
+      .map((m) =>
+        renderListLine(m.path, {
+          summary: m.summary,
+          access: m.access,
+        } as MethodMetadata),
+      ),
+    notes:
+      matches.length > limit
+        ? `${matches.length - limit} more matches; raise \`limit\` or refine the query.`
+        : undefined,
+  };
+}
diff --git a/packages/owletto-backend/src/tools/search.ts b/packages/owletto-backend/src/tools/search.ts
index b08f8dfd1..dc2a79e26 100644
--- a/packages/owletto-backend/src/tools/search.ts
+++ b/packages/owletto-backend/src/tools/search.ts
@@ -3,7 +3,8 @@
  *
  * Search existing entities in the database.
  * Searches all entity types when entity_type not specified.
- * For new entities, use manage_entity action='create' and then manage_connections.
+ * For new entities, write a TS script for `execute` that calls
+ * `client.entities.create(...)` then `client.connections.create(...)`.
  */
 
 import { type Static, Type } from '@sinclair/typebox';
@@ -377,10 +378,10 @@ export async function search(
 
   const suggestionText =
     `No matches found for "${query}" in existing database.\n\n` +
-    '**Next steps:**\n' +
-    `1. Create the entity: manage_entity action='create' name='${query}' (optionally set entity_type, parent_id for hierarchy)\n` +
-    "2. Create a connection: manage_connections action='create' connector_key='<connector>', then scope it with manage_feeds action='create_feed' entity_ids=[<entity_id>]\n" +
-    '3. Wait for ingestion to start automatically, then discover watchers with list_watchers and inspect results with read_knowledge/get_watcher.\n\n' +
+    '**Next steps:** call `execute` with a TS script over `client`:\n' +
+    `1. Create the entity: \`await client.entities.create({ type: '<entity_type>', name: '${query}' })\` (optionally pass parent_id for hierarchy)\n` +
+    "2. Create a connection: `await client.connections.create({ connector_key: '<connector>', ... })`, then scope it with `await client.feeds.create({ ... })`\n" +
+    '3. Wait for ingestion to start automatically, then discover watchers with `client.watchers.list(...)` and inspect results with `client.knowledge.read(...)` / `client.watchers.get(...)`.\n\n' +
     '**Alternative:** If you know this entity should exist, verify the spelling or try a different search term.';
 
   // Fetch top entities per type so the LLM knows what exists
diff --git a/packages/owletto-backend/src/types/isolated-vm.d.ts b/packages/owletto-backend/src/types/isolated-vm.d.ts
new file mode 100644
index 000000000..6c5a7c7bf
--- /dev/null
+++ b/packages/owletto-backend/src/types/isolated-vm.d.ts
@@ -0,0 +1,69 @@
+/**
+ * Minimal type shim for `isolated-vm` so TypeScript compiles even when the
+ * native module is missing locally (it's an optionalDependency — fails to
+ * build on Node versions without a prebuild). Production Docker installs the
+ * real module which ships its own types; this shim is only consulted when
+ * the package isn't on disk.
+ *
+ * Surface kept narrow on purpose — only the bits `src/sandbox/run-script.ts`
+ * uses. If a future caller needs more, extend here.
+ */
+
+declare module "isolated-vm" {
+  export interface IsolateOptions {
+    memoryLimit?: number;
+  }
+
+  export interface ScriptRunOptions {
+    timeout?: number;
+    promise?: boolean;
+    copy?: boolean;
+  }
+
+  export interface ReferenceApplyOptions {
+    timeout?: number;
+    result?: { promise?: boolean; copy?: boolean };
+  }
+
+  export class Isolate {
+    constructor(options?: IsolateOptions);
+    readonly isDisposed: boolean;
+    createContext(): Promise<Context>;
+    compileScript(source: string): Promise<Script>;
+    dispose(): void;
+  }
+
+  export class Context {
+    readonly global: Reference;
+  }
+
+  export class Script {
+    run(context: Context, options?: ScriptRunOptions): Promise<unknown>;
+  }
+
+  export class Reference<T = unknown> {
+    constructor(value: T);
+    set(name: string, value: unknown): Promise<void>;
+    derefInto(): unknown;
+    apply(
+      thisArg: unknown,
+      args: unknown[],
+      options?: ReferenceApplyOptions,
+    ): Promise<unknown>;
+    applySync(
+      thisArg: unknown,
+      args: unknown[],
+      options?: ReferenceApplyOptions,
+    ): unknown;
+    applyIgnored(
+      thisArg: unknown,
+      args: unknown[],
+      options?: ReferenceApplyOptions,
+    ): void;
+  }
+
+  export class ExternalCopy<T = unknown> {
+    constructor(value: T);
+    copyInto(): T;
+  }
+}
diff --git a/packages/owletto-backend/src/utils/openapi-generator.ts b/packages/owletto-backend/src/utils/openapi-generator.ts
index f55ede05b..fbbf4bb13 100644
--- a/packages/owletto-backend/src/utils/openapi-generator.ts
+++ b/packages/owletto-backend/src/utils/openapi-generator.ts
@@ -166,7 +166,7 @@ function truncateDescription(text: string, maxLength: number = 300): string {
  * Generates OpenAPI 3.1.0 spec from tool registry
  */
 export function generateOpenAPISpec(serverUrl: string) {
-  const tools = getAllTools();
+  const tools = getAllTools({ includeInternalTools: false });
   const paths: Record<string, any> = {};
 
   for (const tool of tools) {
diff --git a/packages/owletto-backend/src/utils/workspace-instructions.ts b/packages/owletto-backend/src/utils/workspace-instructions.ts
index 36cae94ad..6005f3a75 100644
--- a/packages/owletto-backend/src/utils/workspace-instructions.ts
+++ b/packages/owletto-backend/src/utils/workspace-instructions.ts
@@ -130,7 +130,10 @@ export async function buildWorkspaceInstructions(organizationId: string): Promis
     `;
 
     if (operationConnections.length > 0) {
-      sections.push('', '### Connector Operations (use manage_operations tool)');
+      sections.push(
+        '',
+        '### Connector Operations (call via `execute` → `client.operations.execute(...)`)'
+      );
       for (const conn of operationConnections) {
         const actionCount =
           conn.actions_schema && typeof conn.actions_schema === 'object'
@@ -147,28 +150,31 @@ export async function buildWorkspaceInstructions(organizationId: string): Promis
     }
 
     sections.push(
+      '',
+      '### Tool surface',
+      'External MCP tools: `search_knowledge`, `save_knowledge`, `query_sql`, `search` (SDK method discovery), `execute` (run TS over the typed client SDK), `list_organizations`, `switch_organization`, `resolve_path`.',
+      'For everything else (entity CRUD, watchers, classifiers, connections, feeds, view templates, operations) write a TS script and call via `execute`. Use `search` to discover method names.',
       '',
       '### Saving (do this automatically)',
       'When the user shares any of these, save immediately:',
-      '- Preferences, opinions, or personal details → save_knowledge to matching entity, create entity first if needed',
-      '- Facts about people, projects, or topics → save_knowledge to the relevant entity',
-      '- Relationships between things → manage_entity(action="link") with the appropriate relationship type',
+      '- Preferences, opinions, or personal details → `save_knowledge` to matching entity (create the entity first via `execute({script: "client.entities.create(...)"})` if needed)',
+      '- Facts about people, projects, or topics → `save_knowledge` to the relevant entity',
+      '- Relationships between things → `execute` calling `client.entities.link({...})`',
       '',
       "### Updating Facts (supersede, don't duplicate)",
       'When a fact changes (e.g. updated preference, corrected info):',
-      '1. Search for the existing fact: read_knowledge(query=…, entity_id=…)',
-      '2. Save the updated fact with supersedes_event_id pointing to the old one:',
-      '   save_knowledge({ content: "new fact", semantic_type: …, supersedes_event_id: <old_id> })',
+      '1. Search for the existing fact via `search_knowledge` or `execute({script: "client.knowledge.read({...})"})`',
+      '2. Save the updated fact with `supersedes_event_id` pointing to the old one in `save_knowledge`',
       'The old fact is automatically hidden from future searches. Never save a duplicate — always search first.',
       '',
       '### Recalling',
       '- Always search before creating to avoid duplicates',
-      '- search_knowledge(entity_type=…) to find entities by name',
-      '- read_knowledge(query=…) for semantic recall across saved content',
-      '- manage_entity(action="list_links") to explore connections',
+      '- `search_knowledge(query=…, entity_type=…)` to find entities + semantic content matches',
+      '- `execute({script: "client.entities.listLinks({entity_id: ...})"})` to explore relationships',
       '',
-      '### Full Schema Details',
-      '- manage_entity_schema(schema_type=…, action="list") for field definitions and relationship rules'
+      '### Full schema details',
+      '- `execute({script: "client.entitySchema.listTypes()"})` for entity types',
+      '- `execute({script: "client.entitySchema.listRelTypes()"})` for relationship types and rules'
     );
 
     return sections.join('\n');
diff --git a/packages/owletto-backend/src/watchers/reaction-executor.ts b/packages/owletto-backend/src/watchers/reaction-executor.ts
index 721a494bc..cf101d0d8 100644
--- a/packages/owletto-backend/src/watchers/reaction-executor.ts
+++ b/packages/owletto-backend/src/watchers/reaction-executor.ts
@@ -1,17 +1,21 @@
 /**
  * Reaction Executor
  *
- * Executes compiled watcher reaction scripts in a QuickJS WASM sandbox.
- * Scripts interact with the system only through the ReactionSDK,
- * which is exposed as host functions via the sandbox env.
+ * Executes compiled watcher reaction scripts inside the shared `runScript`
+ * isolate runner over the typed `ClientSDK`. Stored scripts MUST export
+ * `default async (ctx, client, params?) => ...`; the legacy `react(ctx, sdk)`
+ * export and the old `ReactionSDK` surface (actions/content/notify/query) are
+ * gone. A one-time DB migration is required before deploy — see PR #348.
+ *
+ * Reactions run with `userId: null` + `isAuthenticated: true` so handler-
+ * level access checks treat them as system calls, just like before.
  */
 
-import type { ReactionContext, ReactionSDK } from '@lobu/owletto-sdk';
-import { getDb } from '../db/client';
-import { validateAndScopeQuery } from '../utils/execute-data-sources';
+import type { ReactionContext } from '@lobu/owletto-sdk';
+import type { Env } from '../index';
+import { buildClientSDK } from '../sandbox/client-sdk';
+import { runScript } from '../sandbox/run-script';
 import logger from '../utils/logger';
-import { getOrganizationSlug, getPublicWebUrl } from '../utils/url-builder';
-import { getAvailableOperations, trackWatcherReaction } from '../utils/watcher-reactions';
 
 const REACTION_TIMEOUT_MS = 60_000;
 
@@ -19,420 +23,81 @@ interface ExecuteReactionOptions {
   compiledScript: string;
   context: ReactionContext;
   env: Record<string, string | undefined>;
+  /** Optional params object captured at reaction definition time. */
+  params?: Record<string, unknown>;
   timeoutMs?: number;
 }
 
 /**
- * Build a ReactionSDK that delegates to existing tool handlers.
- * All mutations go through the same auth/validation as MCP calls.
- */
-function buildReactionSDK(
-  context: ReactionContext,
-  env: Record<string, string | undefined>
-): ReactionSDK {
-  const { organization_id, window } = context;
-  const watcherId = window.watcher_id;
-  const windowId = window.id;
-  // userId=null + isAuthenticated=true signals a system/internal call (e.g. reaction scripts).
-  // canWriteEntity() in organization-access.ts grants write access on org match alone for this case.
-  const toolCtx = {
-    organizationId: organization_id,
-    userId: null,
-    memberRole: null,
-    isAuthenticated: true,
-  };
-  const entityIds = context.entities.map((e) => e.id);
-
-  function track(
-    reactionType: string,
-    toolName: string,
-    toolArgs: Record<string, unknown>,
-    toolResult?: Record<string, unknown>,
-    entityId?: number
-  ): Promise<void> {
-    return trackWatcherReaction({
-      organizationId: organization_id,
-      watcherId,
-      windowId,
-      reactionType,
-      toolName,
-      toolArgs,
-      toolResult,
-      entityId,
-    });
-  }
-
-  return {
-    entities: {
-      async get(id) {
-        const sql = getDb();
-        const rows = await sql`
-          SELECT id, name, entity_type, metadata FROM entities WHERE id = ${id} AND organization_id = ${organization_id} LIMIT 1
-        `;
-        if (rows.length === 0) return null;
-        const r = rows[0];
-        return {
-          id: Number(r.id),
-          name: r.name as string,
-          entity_type: r.entity_type as string,
-          metadata: (r.metadata ?? {}) as Record<string, unknown>,
-        };
-      },
-      async create(params) {
-        const { manageEntity } = await import('../tools/admin/manage_entity');
-        const result = await manageEntity(
-          {
-            action: 'create',
-            entity_type: params.type,
-            name: params.name,
-            metadata: params.metadata,
-          } as any,
-          env as any,
-          toolCtx
-        );
-        const entity = (result as any)?.entity;
-        if (!entity) throw new Error('manage_entity create did not return an entity');
-        await track('entity_created', 'manage_entity', params, result as any, entity.id);
-        return { id: entity.id, slug: entity.slug };
-      },
-      async update(params) {
-        const { manageEntity } = await import('../tools/admin/manage_entity');
-        const result = await manageEntity(
-          {
-            action: 'update',
-            entity_id: params.entity_id,
-            name: params.name,
-            metadata: params.metadata,
-          } as any,
-          env as any,
-          toolCtx
-        );
-        await track('entity_updated', 'manage_entity', params, result as any, params.entity_id);
-      },
-      async link(
-        fromId: number,
-        toId: number,
-        relationshipType: string,
-        metadata: Record<string, unknown>
-      ) {
-        const { manageEntity } = await import('../tools/admin/manage_entity');
-        const result = await manageEntity(
-          {
-            action: 'link',
-            from_entity_id: fromId,
-            to_entity_id: toId,
-            relationship_type_slug: relationshipType,
-            metadata,
-          } as any,
-          env as any,
-          toolCtx
-        );
-        await track(
-          'entity_linked',
-          'manage_entity',
-          { from: fromId, to: toId, type: relationshipType },
-          result as any
-        );
-      },
-      async search(query: string, options?: { limit?: number }) {
-        const limit = Math.min(options?.limit ?? 10, 100);
-        const { search: searchTool } = await import('../tools/search');
-        const result = await searchTool({ query, limit } as any, env as any, toolCtx);
-        return ((result as any).results ?? []).map((r: any) => ({
-          id: r.id,
-          name: r.name,
-          type: r.entity_type,
-        }));
-      },
-    },
-    actions: {
-      async execute(connectionId: number, actionKey: string, input: Record<string, unknown>) {
-        const { manageOperations } = await import('../tools/admin/manage_operations');
-        const result = await manageOperations(
-          {
-            action: 'execute',
-            connection_id: connectionId,
-            operation_key: actionKey,
-            input,
-            watcher_source: { watcher_id: watcherId, window_id: windowId },
-          } as any,
-          env as any,
-          toolCtx
-        );
-        return { run_id: (result as any).run_id ?? 0, output: (result as any).output ?? {} };
-      },
-      async listAvailable() {
-        return getAvailableOperations(entityIds, organization_id);
-      },
-    },
-    content: {
-      async save(entityId: number, content: string, semanticType: string) {
-        const { saveContent } = await import('../tools/save_content');
-        await saveContent(
-          {
-            entity_ids: [entityId],
-            content,
-            semantic_type: semanticType,
-            metadata: {},
-            watcher_source: { watcher_id: watcherId, window_id: windowId },
-          } as any,
-          env as any,
-          toolCtx
-        );
-      },
-    },
-    async notify(
-      title: string,
-      body: string,
-      options?: { resource_url?: string; connection_id?: string }
-    ) {
-      let resourceUrl = options?.resource_url;
-      if (!resourceUrl) {
-        try {
-          const ownerSlug = await getOrganizationSlug(organization_id);
-          if (ownerSlug) {
-            const base = getPublicWebUrl() ?? '';
-            resourceUrl = `${base}/${ownerSlug}/watchers/${watcherId}`;
-          }
-        } catch {
-          // Best-effort URL generation
-        }
-      }
-      const connectionId = options?.connection_id ?? undefined;
-      const { notify: notifyTool } = await import('../tools/admin/notify');
-      await notifyTool(
-        {
-          action: 'send',
-          title,
-          body,
-          resource_url: resourceUrl,
-          connection_id: connectionId,
-          watcher_source: { watcher_id: watcherId, window_id: windowId },
-        } as any,
-        env as any,
-        toolCtx
-      );
-    },
-    async query(querySql: string, _params: unknown[] = []) {
-      // Validate, parse, and org-scope the query using the shared pipeline
-      // (SQL parser + allowlisted tables + org-scoped CTEs).
-      const scoped = validateAndScopeQuery(querySql, organization_id);
-      const db = getDb();
-      const rows = await db.begin(async (tx) => {
-        await tx.unsafe('SET TRANSACTION READ ONLY');
-        await tx.unsafe("SET LOCAL statement_timeout = '5000'");
-        return tx.unsafe(scoped.sql, scoped.params as any[]);
-      });
-      await track('query', 'sql', { sql: querySql }, { row_count: rows.length });
-      return rows.map((r: Record<string, unknown>) => ({ ...r }));
-    },
-    log(message: string, data?: Record<string, unknown>) {
-      logger.info({ watcher_id: watcherId, window_id: windowId, ...data }, `[reaction] ${message}`);
-      track('log', 'log', { message, ...data }).catch(() => {});
-    },
-  };
-}
-
-// Preamble injected into the guest to reconstruct sdk/ctx from flat env functions
-const GUEST_PREAMBLE = `
-const ctx = JSON.parse(env.__ctx);
-const sdk = {
-  entities: {
-    get: async (id) => { const r = await env.__sdk_entities_get(JSON.stringify(id)); return JSON.parse(r); },
-    create: async (params) => { const r = await env.__sdk_entities_create(JSON.stringify(params)); return JSON.parse(r); },
-    update: async (params) => { await env.__sdk_entities_update(JSON.stringify(params)); },
-    link: async (fromId, toId, type, metadata) => { await env.__sdk_entities_link(JSON.stringify({ fromId, toId, type, metadata })); },
-    search: async (query, options) => { const r = await env.__sdk_entities_search(JSON.stringify({ query, options })); return JSON.parse(r); },
-  },
-  actions: {
-    execute: async (connId, actionKey, input) => { const r = await env.__sdk_actions_execute(JSON.stringify({ connId, actionKey, input })); return JSON.parse(r); },
-    listAvailable: async () => { const r = await env.__sdk_actions_listAvailable(); return JSON.parse(r); },
-  },
-  content: {
-    save: async (entityId, content, semanticType) => { await env.__sdk_content_save(JSON.stringify({ entityId, content, semanticType })); },
-  },
-  notify: async (title, body, options) => { await env.__sdk_notify(JSON.stringify({ title, body, options })); },
-  query: async (sql, params) => { const r = await env.__sdk_query(JSON.stringify({ sql, params })); return JSON.parse(r); },
-  log: (message, data) => { env.__sdk_log(JSON.stringify({ message, data })); },
-};
-`;
-
-/**
- * Build the flat env object that maps SDK methods to host-side async functions.
- * Values are serialized as JSON across the WASM boundary.
- */
-function buildSandboxEnv(context: ReactionContext, sdk: ReactionSDK): Record<string, unknown> {
-  return {
-    __ctx: JSON.stringify(context),
-
-    // entities
-    __sdk_entities_get: async (argsJson: string) => {
-      const id = JSON.parse(argsJson);
-      const result = await sdk.entities.get(id);
-      return JSON.stringify(result);
-    },
-    __sdk_entities_create: async (argsJson: string) => {
-      const params = JSON.parse(argsJson);
-      const result = await sdk.entities.create(params);
-      return JSON.stringify(result);
-    },
-    __sdk_entities_update: async (argsJson: string) => {
-      const params = JSON.parse(argsJson);
-      await sdk.entities.update(params);
-      return '{}';
-    },
-    __sdk_entities_link: async (argsJson: string) => {
-      const { fromId, toId, type, metadata } = JSON.parse(argsJson);
-      await sdk.entities.link(fromId, toId, type, metadata);
-      return '{}';
-    },
-    __sdk_entities_search: async (argsJson: string) => {
-      const { query, options } = JSON.parse(argsJson);
-      const result = await sdk.entities.search(query, options);
-      return JSON.stringify(result);
-    },
-
-    // actions
-    __sdk_actions_execute: async (argsJson: string) => {
-      const { connId, actionKey, input } = JSON.parse(argsJson);
-      const result = await sdk.actions.execute(connId, actionKey, input);
-      return JSON.stringify(result);
-    },
-    __sdk_actions_listAvailable: async () => {
-      const result = await sdk.actions.listAvailable();
-      return JSON.stringify(result);
-    },
-
-    // content
-    __sdk_content_save: async (argsJson: string) => {
-      const { entityId, content, semanticType } = JSON.parse(argsJson);
-      await sdk.content.save(entityId, content, semanticType);
-      return '{}';
-    },
-
-    // notify
-    __sdk_notify: async (argsJson: string) => {
-      const { title, body, options } = JSON.parse(argsJson);
-      await sdk.notify(title, body, options);
-      return '{}';
-    },
-
-    // query
-    __sdk_query: async (argsJson: string) => {
-      const { sql, params } = JSON.parse(argsJson);
-      const result = await sdk.query(sql, params);
-      return JSON.stringify(result);
-    },
-
-    // log (sync — fire and forget)
-    __sdk_log: (argsJson: string) => {
-      const { message, data } = JSON.parse(argsJson);
-      sdk.log(message, data);
-    },
-  };
-}
-
-// Lazy-loaded sandbox runner
-let runSandboxedFn: ((fn: any, opts?: any) => Promise<any>) | null = null;
-
-async function getRunner() {
-  if (!runSandboxedFn) {
-    const { loadAsyncQuickJs } = await import('@sebastianwessel/quickjs');
-    const variant = (await import('@jitl/quickjs-ng-wasmfile-release-asyncify')).default;
-    const { runSandboxed } = await loadAsyncQuickJs(variant);
-    runSandboxedFn = runSandboxed;
-  }
-  return runSandboxedFn;
-}
-
-/**
- * Execute a compiled reaction script in a QuickJS WASM sandbox.
- *
- * The script runs in complete isolation — no access to Node.js APIs,
- * filesystem, or host objects. SDK methods are exposed as env functions.
+ * Execute a compiled reaction script. Delegates to `runScript`, which compiles
+ * the source via esbuild and runs it in an `isolated-vm` V8 isolate.
  */
 export async function executeReaction(options: ExecuteReactionOptions): Promise<{
   success: boolean;
   error?: string;
 }> {
-  const { compiledScript, context, env, timeoutMs = REACTION_TIMEOUT_MS } = options;
-  const sdk = buildReactionSDK(context, env);
-  const sandboxEnv = buildSandboxEnv(context, sdk);
-  const runSandboxed = await getRunner();
-
-  const guestCode = `
-${GUEST_PREAMBLE}
-
-const module = { exports: {} };
-const exports = module.exports;
-${compiledScript}
-const __react = module.exports?.react ?? exports?.react ?? (typeof react === 'function' ? react : undefined);
-if (typeof __react !== 'function') {
-  throw new Error('Reaction script must export a "react" function');
-}
-export default await __react(ctx, sdk);
-`;
-
-  try {
-    let timer: ReturnType<typeof setTimeout> | undefined;
-    const timeoutPromise = new Promise<never>((_, reject) => {
-      timer = setTimeout(
-        () => reject(new Error(`Reaction script timed out after ${timeoutMs}ms`)),
-        timeoutMs
-      );
-    });
-
-    const execPromise = runSandboxed(
-      async ({ evalCode }: { evalCode: (code: string) => any }) => evalCode(guestCode),
-      {
-        allowFetch: false,
-        allowFs: false,
-        env: sandboxEnv,
-        executionTimeout: timeoutMs,
-      }
-    );
-
-    let result: any;
-    try {
-      result = await Promise.race([execPromise, timeoutPromise]);
-    } finally {
-      clearTimeout(timer);
-    }
-
-    if (result && !result.ok) {
-      const errorMessage =
-        typeof result.error === 'string' ? result.error : JSON.stringify(result.error);
-      logger.error(
-        {
-          watcher_id: context.window.watcher_id,
-          window_id: context.window.id,
-          error: errorMessage,
-        },
-        'Reaction script execution failed'
-      );
-      return { success: false, error: errorMessage };
-    }
+  const { compiledScript, context, env, params, timeoutMs = REACTION_TIMEOUT_MS } = options;
+
+  const sdk = buildClientSDK(
+    {
+      organizationId: context.organization_id,
+      userId: null,
+      memberRole: null,
+      isAuthenticated: true,
+    },
+    env as Env
+  );
+
+  const result = await runScript({
+    source: compiledScript,
+    sdk,
+    context: context as unknown as Record<string, unknown>,
+    extraArgs: params ? [params] : [],
+    limits: { timeoutMs },
+  });
 
+  if (result.success) {
     logger.info(
-      { watcher_id: context.window.watcher_id, window_id: context.window.id },
+      {
+        watcher_id: context.window.watcher_id,
+        window_id: context.window.id,
+        sdk_calls: result.sdkCalls,
+        duration_ms: result.durationMs,
+      },
       'Reaction script executed successfully'
     );
     return { success: true };
-  } catch (err) {
-    const errorMessage = err instanceof Error ? err.message : String(err);
-    logger.error(
-      { err, watcher_id: context.window.watcher_id, window_id: context.window.id },
-      'Reaction script execution failed'
-    );
-    return { success: false, error: errorMessage };
   }
+
+  const errorMessage = result.error
+    ? `${result.error.name}: ${result.error.message}`
+    : 'Unknown reaction error';
+
+  logger.error(
+    {
+      watcher_id: context.window.watcher_id,
+      window_id: context.window.id,
+      error: errorMessage,
+    },
+    'Reaction script execution failed'
+  );
+  return { success: false, error: errorMessage };
 }
 
 /**
  * Compile a TypeScript reaction script to JavaScript using esbuild.
+ *
+ * Stays exported because `manage_watchers.set_reaction_script` calls it at
+ * save time to surface compile errors back to the agent. Run-time compile
+ * also happens inside `runScript` itself; this is a fast-path for
+ * pre-validation.
  */
 export async function compileReactionScript(source: string): Promise<string> {
   const { compileSource } = await import('../utils/compiler-core');
+  // Match `runScript`'s execute-time esbuild config exactly so save-time and
+  // runtime accept the same set of imports. Drift here used to externalize
+  // `@owletto/reactions`, which the runtime recompile would then fail to
+  // resolve.
   const result = await compileSource(source, {
     tmpPrefix: '.reaction-compile-',
     label: 'ReactionCompiler',
@@ -440,7 +105,7 @@ export async function compileReactionScript(source: string): Promise<string> {
       format: 'cjs',
       target: 'esnext',
       platform: 'node',
-      external: ['@owletto/reactions'],
+      external: [],
     },
   });
   return result.compiledCode;
diff --git a/packages/owletto-backend/src/workspace/multi-tenant.ts b/packages/owletto-backend/src/workspace/multi-tenant.ts
index aa60a5974..c8d59ed05 100644
--- a/packages/owletto-backend/src/workspace/multi-tenant.ts
+++ b/packages/owletto-backend/src/workspace/multi-tenant.ts
@@ -32,6 +32,72 @@ export function invalidateMembershipRoleCache(
   memberRoleCache.delete(`${organizationId}:${userId}`);
 }
 
+/**
+ * Cache-backed membership-role lookup. Reuses the same 60s cache the auth
+ * middleware populates so writes on the `member` table that call
+ * `invalidateMembershipRoleCache` take effect for sandbox callers too.
+ */
+export async function getCachedMembershipRole(
+  organizationId: string,
+  userId: string | null
+): Promise<string | null> {
+  if (!userId) return null;
+  const key = `${organizationId}:${userId}`;
+  const cached = memberRoleCache.get(key);
+  if (cached !== undefined) return cached;
+  const rows = await simpleQuery(
+    getDb()`
+      SELECT role FROM "member"
+      WHERE "organizationId" = ${organizationId} AND "userId" = ${userId}
+      LIMIT 1
+    `
+  );
+  const role = rows.length > 0 ? (rows[0].role as string) : null;
+  memberRoleCache.set(key, role);
+  return role;
+}
+
+/**
+ * Cache-backed org lookup by slug. Returns `null` for unknown slugs.
+ */
+export async function getCachedOrgBySlug(
+  slug: string
+): Promise<{ id: string; visibility: string } | null> {
+  const cached = orgSlugCache.get(slug);
+  if (cached) return cached;
+  const rows = await simpleQuery(
+    getDb()`
+      SELECT id, visibility FROM "organization" WHERE slug = ${slug} LIMIT 1
+    `
+  );
+  if (rows.length === 0) return null;
+  const record = {
+    id: rows[0].id as string,
+    visibility: (rows[0].visibility as string) ?? "private",
+  };
+  orgSlugCache.set(slug, record);
+  return record;
+}
+
+/**
+ * Direct org lookup by id. Uncached — ids are a fallback path for the sandbox's
+ * `.org(slugOrId)` accessor, so the TTL cache hit rate would be near-zero.
+ */
+export async function getOrgById(
+  organizationId: string
+): Promise<{ slug: string; visibility: string } | null> {
+  const rows = await simpleQuery(
+    getDb()`
+      SELECT slug, visibility FROM "organization" WHERE id = ${organizationId} LIMIT 1
+    `
+  );
+  if (rows.length === 0) return null;
+  return {
+    slug: rows[0].slug as string,
+    visibility: (rows[0].visibility as string) ?? "private",
+  };
+}
+
 /**
  * Test-only: clear all multi-tenant auth caches so a freshly-reset database
  * (new org/user/token IDs) is not shadowed by TTL'd entries from the previous run.
diff --git a/packages/owletto-backend/vitest.config.ts b/packages/owletto-backend/vitest.config.ts
new file mode 100644
index 000000000..28d3e44ba
--- /dev/null
+++ b/packages/owletto-backend/vitest.config.ts
@@ -0,0 +1,28 @@
+import { fileURLToPath } from "node:url";
+import { defineConfig } from "vitest/config";
+
+const PACKAGE_ROOT = fileURLToPath(new URL(".", import.meta.url));
+
+export default defineConfig({
+  // Anchor vitest to this package so test-db.ts's `process.cwd()`-based
+  // migration resolution works the same way whether `vitest` is invoked from
+  // the repo root (e.g. via `bunx vitest --config packages/...`) or from
+  // inside the package.
+  root: PACKAGE_ROOT,
+  test: {
+    globalSetup: ["./src/__tests__/setup/global-setup.ts"],
+    // Integration tests need a DB ready before any test file starts. Unit tests
+    // don't touch the DB, so they run fast regardless.
+    include: ["src/**/*.test.ts"],
+    // bun:test-style unit tests live alongside vitest integration tests — skip
+    // those for vitest. They run via `bun test` (see the existing CI command).
+    exclude: ["src/__tests__/unit/**", "**/node_modules/**", "**/dist/**"],
+    testTimeout: 30_000,
+    hookTimeout: 60_000,
+    // Integration tests share one Postgres/PGlite. Running multiple files in
+    // parallel means one file's `cleanupTestDatabase()` can wipe another file's
+    // fixtures mid-run. Serialize files so fixtures stay stable.
+    pool: "forks",
+    poolOptions: { forks: { singleFork: true } },
+  },
+});
diff --git a/packages/owletto-connectors/src/README.md b/packages/owletto-connectors/src/README.md
index 4604879be..1414f8597 100644
--- a/packages/owletto-connectors/src/README.md
+++ b/packages/owletto-connectors/src/README.md
@@ -498,7 +498,7 @@ Connectors are **not** pre-installed globally. When an org first uses a connecto
 3. Stores the metadata in `connector_definitions` scoped to that org
 4. Stores a `source_path` reference (e.g. `github.ts`) in `connector_versions` — **compiled code is NOT stored**
 
-Connectors can also be installed manually via the `manage_connections` tool with a `source_url` or inline `source_code`. Manual installs store compiled code in the database as before.
+Connectors can also be installed manually via `client.connections.installConnector(...)` from inside an `execute` script (or the equivalent admin REST endpoint), passing a `source_url` or inline `source_code`. Manual installs store compiled code in the database as before.
 
 ### How connector code runs
 
diff --git a/packages/owletto-openclaw/src/index.ts b/packages/owletto-openclaw/src/index.ts
index 22b9de323..64b911427 100644
--- a/packages/owletto-openclaw/src/index.ts
+++ b/packages/owletto-openclaw/src/index.ts
@@ -1120,7 +1120,7 @@ const plugin = {
                     text: JSON.stringify({
                       status: 'already_authenticated',
                       message:
-                        "You are already authenticated with Owletto. Do NOT call owletto_login again. Proceed directly with the user's request using the available owletto tools like owletto_manage_connections, owletto_manage_watchers, etc.",
+                        "You are already authenticated with Owletto. Do NOT call owletto_login again. Proceed directly with the user's request using the available owletto tools (owletto_search to discover SDK methods, owletto_execute to run TypeScript over the typed client SDK, owletto_search_knowledge for entity/knowledge search, owletto_save_knowledge to persist).",
                     }),
                   },
                 ],
diff --git a/packages/owletto-sdk/src/index.ts b/packages/owletto-sdk/src/index.ts
index 2abeb3c31..5cee25ae4 100644
--- a/packages/owletto-sdk/src/index.ts
+++ b/packages/owletto-sdk/src/index.ts
@@ -137,7 +137,7 @@ export type {
   PaginationConfig,
 } from './paginated.js';
 export { PaginatedFeed } from './paginated.js';
-export type { ReactionContext, ReactionHandler, ReactionSDK } from './reaction-sdk.js';
+export type { ReactionContext, ReactionEntity } from './reaction-sdk.js';
 export type {
   Checkpoint,
   Content,
diff --git a/packages/owletto-sdk/src/reaction-sdk.ts b/packages/owletto-sdk/src/reaction-sdk.ts
index d55b754cf..c72b56d31 100644
--- a/packages/owletto-sdk/src/reaction-sdk.ts
+++ b/packages/owletto-sdk/src/reaction-sdk.ts
@@ -1,9 +1,9 @@
 /**
- * Reaction SDK Types
+ * Reaction context types.
  *
- * Type definitions for watcher reaction scripts. These scripts run automatically
- * after a watcher window completes, allowing watchers to take actions based on
- * their analysis results.
+ * The runtime SDK reaction scripts call is `ClientSDK` (defined in
+ * `packages/owletto-backend/src/sandbox/client-sdk.ts`); only the context
+ * shape is shared across packages, so only those types live here.
  */
 
 export interface ReactionEntity {
@@ -15,7 +15,8 @@ export interface ReactionEntity {
 
 /**
  * Context passed to reaction scripts containing the analysis results
- * and metadata about the watcher window.
+ * and metadata about the watcher window. Reaction scripts have the
+ * shape `default async (ctx: ReactionContext, client, params?)`.
  */
 export interface ReactionContext {
   /** The extracted analysis data from the completed window */
@@ -41,85 +42,3 @@ export interface ReactionContext {
   /** Organization context */
   organization_id: string;
 }
-
-/**
- * SDK provided to reaction scripts for interacting with the system.
- * All operations are tracked in watcher_reactions for attribution.
- */
-export interface ReactionSDK {
-  entities: {
-    /** Get an entity by ID */
-    get(id: number): Promise<ReactionEntity | null>;
-
-    /** Create a new entity */
-    create(params: {
-      type: string;
-      name: string;
-      metadata?: Record<string, unknown>;
-    }): Promise<{ id: number; slug: string }>;
-
-    /** Update an existing entity */
-    update(params: {
-      entity_id: number;
-      name?: string;
-      metadata?: Record<string, unknown>;
-    }): Promise<void>;
-
-    /** Create a relationship between two entities */
-    link(
-      fromId: number,
-      toId: number,
-      relationshipType: string,
-      metadata?: Record<string, unknown>
-    ): Promise<void>;
-
-    /** Search for entities by name */
-    search(
-      query: string,
-      options?: { limit?: number }
-    ): Promise<Array<{ id: number; name: string; type: string }>>;
-  };
-
-  actions: {
-    /** Execute a connection operation (e.g., create issue, send email) */
-    execute(
-      connectionId: number,
-      operationKey: string,
-      input: Record<string, unknown>
-    ): Promise<{ run_id: number; output: Record<string, unknown> }>;
-
-    /** List available operations from entity's connections */
-    listAvailable(): Promise<
-      Array<{
-        connection_id: number;
-        operation_key: string;
-        name: string;
-        kind: 'read' | 'write';
-        requires_approval: boolean;
-      }>
-    >;
-  };
-
-  content: {
-    /** Save content to an entity */
-    save(entityId: number, content: string, semanticType?: string): Promise<void>;
-  };
-
-  /** Send a notification to organization members */
-  notify(
-    title: string,
-    body: string,
-    options?: { resource_url?: string; connection_id?: string }
-  ): Promise<void>;
-
-  /** Run a read-only parameterized SQL query */
-  query(sql: string, params?: unknown[]): Promise<Record<string, unknown>[]>;
-
-  /** Structured logging (tracked in watcher_reactions) */
-  log(message: string, data?: Record<string, unknown>): void;
-}
-
-/**
- * The main export that reaction scripts must implement.
- */
-export type ReactionHandler = (ctx: ReactionContext, sdk: ReactionSDK) => Promise<void>;