@apify/mcpc 0.1.11-beta.4 → 0.1.11-beta.5

package/CHANGELOG.md

@@ -7,42 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
-- Revised session states: auth failures (401/403) now show as `unauthorized` (separate from `expired` which is for session ID expiry), with actionable login guidance; new `disconnected` display state surfaces when bridge is alive but server has been unreachable for >2 minutes
-- `DISCONNECTED_THRESHOLD_MS` is now derived from `KEEPALIVE_INTERVAL_MS` (2× ping interval + 5s buffer) via shared constants, eliminating duplicate magic numbers
-
-### Added
-
-- `--async` flag for `tools-call` to opt-in to async task execution (experimental) with a progress spinner showing elapsed time and server status messages in human mode
-- `--detach` flag for `tools-call` to start an async task and return the task ID immediately without waiting for completion (implies `--async`)
-- New `tasks-list`, `tasks-get`, `tasks-cancel` commands for managing async tasks on the server
-- Task capability and `execution.taskSupport` displayed in `tools-get` and server info
-- E2E test server now includes a `slow-task` tool that supports async task execution
-- E2E tests for async task execution, detached mode, task management (list/get/cancel), and synchronous fallback
-- `[async]` indicator in `tools-list` output for tools that support async task execution
-- `--insecure` global option to skip TLS certificate verification, for MCP servers with self-signed certificates
-- E2E test for `--insecure` flag using a self-signed HTTPS test server wrapper
-- `--client-id` and `--client-secret` options for `mcpc login` command, for servers that don't support dynamic client registration
-- `mcpc close @session`, `mcpc restart @session`, and `mcpc shell @session` command-first syntax as alternatives to `mcpc @session close/restart/shell`
-- E2E tests now run under the Bun runtime (in addition to Node.js); use `./test/e2e/run.sh --runtime bun` or `npm run test:e2e:bun`
-- `--no-profile` option for `connect` command to skip OAuth profile auto-detection and connect anonymously
-
 ### Fixed
-- `--async` and `--detach` tool calls now correctly send task creation parameters to the server, fixing "task stream ended without creating a task" errors
-- File lock retries now use randomized exponential backoff to reduce contention when multiple processes compete for the same lock
-- Explicit `--header "Authorization: Bearer ..."` is no longer silently ignored when a default OAuth profile exists for the same server; explicit CLI headers now take precedence over auto-detected profiles
-- Combining `--profile` with `--header "Authorization: ..."` now returns a clear error instead of silently stripping the header
-- `logTarget` no longer prints a misleading `[→ @name (HTTP)]` prefix when a session doesn't exist; only the error message is shown
-- `logging-set-level` JSON output no longer includes a `success` field; output is now `{"level":"<level>"}` consistent with the project's convention of indicating errors via exit codes
-- `--header` / `-H` option is now specific to the `connect` command instead of being shown as a global option in `mcpc --help`
-- Bridge now forwards `logging/message` notifications from the MCP server to connected clients, so `logging-set-level` actually takes effect in interactive shell sessions
-- IPC buffer between CLI and bridge process is now capped at 10 MB; sockets are destroyed if the limit is exceeded, preventing unbounded memory growth
-- `validateOptions()` no longer includes subcommand-specific options (`--full`, `--x402`, `--proxy`, etc.) in global known-options list; misplaced flags now produce clear "Unknown option" errors instead of confusing Commander rejections
-- Sessions requiring authentication now correctly show as `expired` instead of `live` when the server rejects unauthenticated connections
-- Auth errors wrapped in `NetworkError` by bridge IPC are now detected on first health check, avoiding unnecessary bridge restart
-- Fixed flaky E2E invariant check that failed when `lastSeenAt` changed between `--json` and `--json --verbose` calls
-- `--timeout` flag now correctly propagates to MCP requests via session bridge
-- `parseServerArg()` now handles well Windows drive-letter config paths as well as other ambiguous cases
+
+- Fixed auth loss when reconnecting an unauthorized session via `mcpc connect` — the `unauthorized` status was not cleared, causing all subsequent operations to fail with "Authentication required by server" even after successful reconnection
+- HTTP proxy support (`HTTP_PROXY`/`HTTPS_PROXY` env vars) now works for MCP server connections, OAuth token refresh, and x402 payment signing — previously the MCP SDK transport and OAuth calls bypassed the global proxy dispatcher
 
 ### Changed
 
@@ -59,7 +27,47 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
   Direct one-shot URL access (e.g. `mcpc mcp.apify.com tools-list`) is removed; create a session first with `mcpc connect`.
 
+- Renamed `--async` flag to `--task` in `tools-call` for consistency with MCP specification; `--detach` now implies `--task`
+- Revised session states: auth failures (401/403) now show as `unauthorized` (separate from `expired` which is for session ID expiry), with actionable login guidance; new `disconnected` state surfaces when bridge is alive but server has been unreachable for >2 minutes
+- When `--profile` is not specified, only the `default` profile is used; non-default profiles require an explicit `--profile` flag
 - `@napi-rs/keyring` native addon is now loaded lazily: `mcpc` starts and works normally even when `libsecret` (Linux) or the addon itself is missing; a one-time warning is emitted and credentials fall back to `~/.mcpc/credentials.json` (mode 0600)
+- `x402 sign` now takes the PAYMENT-REQUIRED header as a positional argument instead of `-r` flag (e.g. `mcpc x402 sign <base64>`)
+- `tools-list` and `tools-get` now show `[task:optional]`, `[task:required]`, or `[task:forbidden]` instead of `[async]`
+- Tools cache now fetches all pages on startup and on `tools/list_changed` notifications; `tools-get` uses cached list first and only re-fetches if the tool is not found
+- `--header` / `-H` option is now specific to the `connect` command instead of being shown as a global option
+
+### Added
+
+- New `tasks-list`, `tasks-get`, `tasks-cancel` commands for managing async tasks on the server
+- `--task` flag for `tools-call` to opt-in to task execution with a progress spinner showing elapsed time, server status messages, and progress notifications in human mode
+- `--detach` flag for `tools-call` to start a task and return the task ID immediately without waiting for completion (implies `--task`)
+- Press ESC during `--task` execution to detach on the fly — the task continues in the background and the task ID is printed
+- `--insecure` global option to skip TLS certificate verification, for MCP servers with self-signed certificates
+- `--client-id` and `--client-secret` options for `mcpc login` command, for servers that don't support dynamic client registration
+- `--no-profile` option for `connect` command to skip OAuth profile auto-detection and connect anonymously
+- `mcpc close @session`, `mcpc restart @session`, and `mcpc shell @session` command-first syntax as alternatives to `mcpc @session close/restart/shell`
+- `mcpc login` now falls back to accepting a pasted callback URL when the browser cannot be opened (e.g. headless servers, containers)
+- `tools-list` now shows inline parameter signatures (e.g. `read_file(path: string, +4 optional)`) for quick scanning without `--full`
+- `mcpc @session` now shows available tools list from bridge cache (no extra server call)
+- Task capability and `execution.taskSupport` displayed in `tools-get` and server info
+- x402 payments are now also sent via the MCP `_meta["x402/payment"]` field on `tools/call` requests, in addition to the existing HTTP header
+
+### Fixed
+
+- Explicit `--header "Authorization: Bearer ..."` is no longer silently ignored when a default OAuth profile exists for the same server; explicit CLI headers now take precedence over auto-detected profiles
+- Combining `--profile` with `--header "Authorization: ..."` now returns a clear error instead of silently stripping the header
+- Session restart now auto-detects the `default` OAuth profile created after the session was established, fixing the `login` then `restart` flow for unauthorized sessions
+- Sessions requiring authentication now correctly show as `expired` instead of `live` when the server rejects unauthenticated connections
+- Auth errors wrapped in `NetworkError` by bridge IPC are now detected on first health check, avoiding unnecessary bridge restart
+- `--timeout` flag now correctly propagates to MCP requests via session bridge
+- `--task` and `--detach` tool calls now correctly send task creation parameters to the server
+- Bridge now forwards `logging/message` notifications from the MCP server to connected clients, so `logging-set-level` actually takes effect in interactive shell sessions
+- IPC buffer between CLI and bridge process is now capped at 10 MB, preventing unbounded memory growth
+- `parseServerArg()` now handles Windows drive-letter config paths and other ambiguous cases
+- Misplaced subcommand-specific flags (e.g. `--full`, `--proxy`) now produce clear "Unknown option" errors instead of confusing rejections
+- `logging-set-level` JSON output no longer includes a redundant `success` field
+- `logTarget` no longer prints a misleading prefix when a session doesn't exist
+- File lock retries now use randomized exponential backoff to reduce contention
 
 ## [0.1.10] - 2026-03-01
 

package/README.md

@@ -130,7 +130,7 @@ Commands:
   logout <server>              Delete an authentication profile for a server
   clean [resources...]         Clean up mcpc data (sessions, profiles, logs, all)
   x402 [subcommand] [args...]  Configure an x402 payment wallet (EXPERIMENTAL)
-  help [command]               Show help for a specific command
+  help [command] [subcommand]  Show help for a specific command
 
 MCP session commands (after connecting):
   <@session>                   Show MCP server info and capabilities
@@ -316,29 +316,34 @@ Still, sessions can fail due to network disconnects, bridge process crash, or se
 
 **Session states:**
 
-| State            | Meaning                                                                                       |
-| ---------------- | --------------------------------------------------------------------------------------------- |
-| 🟢 **`live`**    | Bridge process is running; server might or might not be operational                           |
-| 🟡 **`crashed`** | Bridge process crashed or was killed; will auto-restart on next use                           |
-| 🔴 **`expired`** | Server rejected the session (auth failed, session ID invalid); requires `close` and reconnect |
+| State                 | Meaning                                                                                           |
+| --------------------- | ------------------------------------------------------------------------------------------------- |
+| 🟢 **`live`**         | Bridge process running and server responding                                                      |
+| 🟡 **`disconnected`** | Bridge process running but server unreachable; auto-recovers when server responds                 |
+| 🟡 **`crashed`**      | Bridge process crashed or was killed; auto-restarts on next use                                   |
+| 🔴 **`unauthorized`** | Server rejected authentication (401/403) or token refresh failed; requires `login` then `restart` |
+| 🔴 **`expired`**      | Server rejected session ID (404); requires `restart`                                              |
 
 Here's how `mcpc` handles various bridge process and server connection states:
 
 - While the **bridge process is running**:
   - If **server positively responds** to pings, the session is marked 🟢 **`live`**, and everything is fine.
-  - If **server stops responding**, the bridge will keep trying to reconnect in the background.
-  - If **server negatively responds** to indicate `MCP-Session-Id` is no longer valid
-    or authentication permanently failed (HTTP 401 or 403),
-    the bridge process will flag the session as 🔴 **`expired`** and **terminate** to avoid wasting resources.
-    Any future attempt to use the session (`mcpc @my-session ...`) will fail.
+  - If **server stops responding**, the session is marked 🟡 **`disconnected`**.
+    The bridge will keep trying to reconnect in the background and will return to 🟢 **`live`** once the server responds again.
+  - If **server rejects authentication** (HTTP 401 or 403) or token refresh fails,
+    the session is marked 🔴 **`unauthorized`**.
+    You need to re-authenticate with `mcpc login <server>` and then `mcpc @my-session restart`.
+  - If **server rejects the session ID** (HTTP 404), indicating the MCP session is no longer valid,
+    the session is marked 🔴 **`expired`**.
+    You need to restart the session with `mcpc @my-session restart` to establish a new connection.
 - If the **bridge process crashes**, `mcpc` will mark the session as 🟡 **`crashed`** on first use.
   Next time you run `mcpc @my-session ...`, it will attempt to restart the bridge process.
   - If bridge **restart succeeds**, everything starts again (see above).
   - If bridge **restart fails**, `mcpc @my-session ...` returns error, and session remains marked 🟡 **`crashed`**.
 
 Note that `mcpc` never automatically removes sessions from the list.
-Instead, it keeps them flagged as 🟡 **`crashed`** or 🔴 **`expired`**,
-and any future attempts to use them will fail.
+Instead, it keeps them flagged as 🟡 **`crashed`**, 🔴 **`unauthorized`**, or 🔴 **`expired`**,
+and any future attempts to use them will show the appropriate error with recovery instructions.
 
 To **remove the session from the list**, you need to explicitly close it:
 
@@ -705,6 +710,35 @@ mcpc x402 remove
 
 After creating a wallet, **fund it with USDC on Base** (mainnet or Sepolia testnet) to enable payments.
 
+### Manual payment signing
+
+You can manually sign a payment from a server's `PAYMENT-REQUIRED` header using `x402 sign`.
+This is useful for pre-signing payments or integrating with tools outside of `mcpc`.
+
+```bash
+# Sign a payment using the base64-encoded PAYMENT-REQUIRED header
+mcpc x402 sign <base64-payment-required>
+
+# Override the amount (in USD, e.g. 2.50 = $2.50)
+mcpc x402 sign <base64-payment-required> --amount 2.50
+
+# Override the expiry (in seconds from now)
+mcpc x402 sign <base64-payment-required> --expiry 7200
+
+# Combine overrides and use JSON output
+mcpc x402 sign <base64-payment-required> --amount 1.00 --expiry 3600 --json
+```
+
+**Options:**
+
+| Option              | Description                                                      |
+| ------------------- | ---------------------------------------------------------------- |
+| `--amount <usd>`    | Override the payment amount in USD (e.g. `0.50` for $0.50)       |
+| `--expiry <seconds>`| Override the payment expiry in seconds from now (e.g. `3600`)    |
+
+The command outputs the signed `PAYMENT-SIGNATURE` header value and an MCP config snippet
+that can be used directly with other MCP clients.
+
 ### Using x402 with MCP servers
 
 Pass the `--x402` flag when connecting to a session or running direct commands:
@@ -1147,23 +1181,25 @@ See [CONTRIBUTING](./CONTRIBUTING.md) for development setup, architecture overvi
 
 <!-- Stars and activity as of March 2026. -->
 
-| Tool | Lang | Stars | Active | Tools | Resources | Prompts | Code mode | Sessions | OAuth | Stdio | HTTP | Tool search | LLM |
-|---|---|--:|---|---|---|---|---|---|---|---|---|---|---|
-| **[apify/mcpc](https://github.com/apify/mcpc)** | TS | ~350 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | — | — |
-| [steipete/mcporter](https://github.com/steipete/mcporter) | TS | ~2.6k | ✅ | ✅ | — | — | ✅ | ✅ | ✅ | ✅ | ✅ | — | — |
-| [IBM/mcp-cli](https://github.com/IBM/mcp-cli) | Python | ~1.9k | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | — | ✅ |
-| [f/mcptools](https://github.com/f/mcptools) | Go | ~1.5k | ⚠️ | ✅ | ✅ | ✅ | ✅ | — | — | ✅ | ✅ | — | — |
-| [philschmid/mcp-cli](https://github.com/philschmid/mcp-cli) | TS | ~950 | ✅ | ✅ | — | — | ✅ | ✅ | — | ✅ | ✅ | ✅ | — |
-| [adhikasp/mcp-client-cli](https://github.com/adhikasp/mcp-client-cli) | Python | ~670 | ⚠️ | ✅ | ✅ | ✅ | — | — | — | ✅ | — | — | ✅ |
-| [thellimist/clihub](https://github.com/thellimist/clihub) | Go | ~590 | ✅ | ✅ | — | — | — | — | ✅ | ✅ | ✅ | ✅ | — |
-| [wong2/mcp-cli](https://github.com/wong2/mcp-cli) | JS | ~420 | ⚠️ | ✅ | ✅ | ✅ | — | — | ✅ | — | ✅ | — | — |
-| [knowsuchagency/mcp2cli](https://github.com/knowsuchagency/mcp2cli) | Python | ~170 | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | — |
-| [mcpshim/mcpshim](https://github.com/mcpshim/mcpshim) | Go | ~46 | ✅ | ✅ | — | — | ✅ | ✅ | ✅ | — | ✅ | ✅ | — |
-| [EstebanForge/mcp-cli-ent](https://github.com/EstebanForge/mcp-cli-ent) | Go | ~13 | ✅ | ✅ | — | — | ✅ | ✅ | — | ✅ | ✅ | ✅ | — |
+| Tool                                                                    | Lang   | Stars | Active | Tools | Resources | Prompts | Code mode | Sessions | OAuth | Stdio | HTTP | Tool search | LLM |
+| ----------------------------------------------------------------------- | ------ | ----: | ------ | ----- | --------- | ------- | --------- | -------- | ----- | ----- | ---- | ----------- | --- |
+| **[apify/mcpc](https://github.com/apify/mcpc)**                         | TS     |  ~350 | ✅     | ✅    | ✅        | ✅      | ✅        | ✅       | ✅    | ✅    | ✅   | —           | —   |
+| [steipete/mcporter](https://github.com/steipete/mcporter)               | TS     | ~2.6k | ✅     | ✅    | —         | —       | ✅        | ✅       | ✅    | ✅    | ✅   | —           | —   |
+| [IBM/mcp-cli](https://github.com/IBM/mcp-cli)                           | Python | ~1.9k | ✅     | ✅    | ✅        | ✅      | ✅        | ✅       | ✅    | ✅    | ✅   | —           | ✅  |
+| [f/mcptools](https://github.com/f/mcptools)                             | Go     | ~1.5k | ⚠️     | ✅    | ✅        | ✅      | ✅        | —        | —     | ✅    | ✅   | —           | —   |
+| [philschmid/mcp-cli](https://github.com/philschmid/mcp-cli)             | TS     |  ~950 | ✅     | ✅    | —         | —       | ✅        | ✅       | —     | ✅    | ✅   | ✅          | —   |
+| [adhikasp/mcp-client-cli](https://github.com/adhikasp/mcp-client-cli)   | Python |  ~670 | ⚠️     | ✅    | ✅        | ✅      | —         | —        | —     | ✅    | —    | —           | ✅  |
+| [thellimist/clihub](https://github.com/thellimist/clihub)               | Go     |  ~590 | ✅     | ✅    | —         | —       | —         | —        | ✅    | ✅    | ✅   | ✅          | —   |
+| [wong2/mcp-cli](https://github.com/wong2/mcp-cli)                       | JS     |  ~420 | ⚠️     | ✅    | ✅        | ✅      | —         | —        | ✅    | —     | ✅   | —           | —   |
+| [knowsuchagency/mcp2cli](https://github.com/knowsuchagency/mcp2cli)     | Python |  ~170 | ✅     | ✅    | ✅        | ✅      | ✅        | ✅       | ✅    | ✅    | ✅   | ✅          | —   |
+| [mcpshim/mcpshim](https://github.com/mcpshim/mcpshim)                   | Go     |   ~46 | ✅     | ✅    | —         | —       | ✅        | ✅       | ✅    | —     | ✅   | ✅          | —   |
+| [evantahler/mcpx](https://github.com/evantahler/mcpx)                   | TS     |   ~26 | ✅     | ✅    | ✅        | ✅      | ✅        | —        | ✅    | ✅    | ✅   | ✅          | —   |
+| [EstebanForge/mcp-cli-ent](https://github.com/EstebanForge/mcp-cli-ent) | Go     |   ~13 | ✅     | ✅    | —         | —       | ✅        | ✅       | —     | ✅    | ✅   | ✅          | —   |
 
 **Legend:** ✅ = supported, ⚠️ = stale (no commits in 3+ months), **LLM** = requires/uses an LLM.
 
 **Notes:**
+
 - [thellimist/clihub](https://github.com/thellimist/clihub) is a code generator that compiles MCP tools into standalone CLI binaries, rather than a runtime client ([HN discussion](https://news.ycombinator.com/item?id=47157398)).
 - [knowsuchagency/mcp2cli](https://github.com/knowsuchagency/mcp2cli) also supports OpenAPI specs directly and uses a custom TOON encoding for token-efficient tool schemas.
 - [IBM/mcp-cli](https://github.com/IBM/mcp-cli) and [mcp-client-cli](https://github.com/adhikasp/mcp-client-cli) integrate an LLM (Ollama, OpenAI, etc.) for chat-style interaction, while the other tools are pure CLI clients.

package/dist/bridge/index.js

@@ -1,12 +1,12 @@
 #!/usr/bin/env node
-import { EnvHttpProxyAgent, setGlobalDispatcher } from 'undici';
+import { initProxy, proxyFetch } from '../lib/proxy.js';
 import { createServer } from 'net';
 import { unlink } from 'fs/promises';
 import { createMcpClient } from '../core/index.js';
 import { KEEPALIVE_INTERVAL_MS } from '../lib/types.js';
 import { createLogger, setVerbose, initFileLogger, closeFileLogger } from '../lib/index.js';
 import { fileExists, getBridgesDir, getSocketPath, ensureDir, cleanupOrphanedLogFiles, isSessionExpiredError, } from '../lib/index.js';
-import { ClientError, NetworkError, isAuthenticationError } from '../lib/index.js';
+import { ClientError, NetworkError, AuthError, isAuthenticationError } from '../lib/index.js';
 import { getSession, loadSessions, updateSession } from '../lib/sessions.js';
 import { OAuthTokenManager } from '../lib/auth/oauth-token-manager.js';
 import { OAuthProvider } from '../lib/auth/oauth-provider.js';
@@ -33,7 +33,6 @@ class BridgeProcess {
     authProvider = null;
     headers = null;
     x402Wallet = null;
-    cachedTools = null;
     activeTasks = new Map();
     authCredentialsReceived = null;
     authCredentialsResolver = null;
@@ -232,8 +231,8 @@ class BridgeProcess {
                 logger.error('Bridge startup failed, will stay alive briefly for CLI to receive error:', error);
                 this.mcpClientReadyRejecter(error);
                 const errorMsg = error.message || '';
-                if (isSessionExpiredError(errorMsg) || isAuthenticationError(errorMsg)) {
-                    logger.warn('Session rejected by server (expired or auth failure), marking as expired');
+                if (isSessionExpiredError(errorMsg)) {
+                    logger.warn('Session rejected by server (expired session ID), marking as expired');
                     try {
                         await updateSession(this.options.sessionName, { status: 'expired' });
                     }
@@ -241,6 +240,15 @@ class BridgeProcess {
                         logger.error('Failed to mark session as expired:', updateError);
                     }
                 }
+                else if (isAuthenticationError(errorMsg)) {
+                    logger.warn('Server requires authentication, marking as unauthorized');
+                    try {
+                        await updateSession(this.options.sessionName, { status: 'unauthorized' });
+                    }
+                    catch (updateError) {
+                        logger.error('Failed to mark session as unauthorized:', updateError);
+                    }
+                }
                 this.setupSignalHandlers();
                 setTimeout(() => {
                     logger.info('Shutting down after startup failure');
@@ -313,9 +321,9 @@ class BridgeProcess {
             logger.debug('Creating x402 fetch middleware for payment signing');
             const wallet = this.x402Wallet;
             const getToolByName = (name) => {
-                return this.cachedTools?.find((t) => t.name === name);
+                return this.client?.getCachedTools()?.find((t) => t.name === name);
             };
-            customFetch = createX402FetchMiddleware(fetch, { wallet, getToolByName });
+            customFetch = createX402FetchMiddleware(proxyFetch, { wallet, getToolByName });
         }
         const clientConfig = {
             clientInfo: { name: 'mcpc', version: mcpcVersion },
@@ -336,12 +344,13 @@ class BridgeProcess {
             ...(customFetch && { customFetch }),
             listChanged: {
                 tools: {
-                    autoRefresh: true,
-                    onChanged: (error, tools) => {
-                        logger.debug('Tools list changed', { error, count: tools?.length });
-                        if (tools) {
-                            this.cachedTools = tools;
-                            logger.debug(`Updated cached tools list (${tools.length} tools)`);
+                    autoRefresh: false,
+                    onChanged: () => {
+                        logger.debug('Tools list changed notification received, refreshing all tools...');
+                        if (this.client) {
+                            this.client.listAllTools({ refreshCache: true }).catch((err) => {
+                                logger.warn('Failed to refresh tools cache:', err);
+                            });
                         }
                         this.broadcastNotification('tools/list_changed');
                         this.updateNotificationTimestamp('tools').catch((err) => {
@@ -401,17 +410,10 @@ class BridgeProcess {
             logger.info(`MCP-Session-Id saved for resumption: ${newMcpSessionId}`);
         }
         await updateSession(this.options.sessionName, sessionUpdate);
-        if (this.x402Wallet) {
-            try {
-                const toolsResult = await this.client.listTools();
-                if (toolsResult.tools) {
-                    this.cachedTools = toolsResult.tools;
-                    logger.debug(`Pre-populated tools cache (${this.cachedTools.length} tools) for x402`);
-                }
-            }
-            catch (error) {
-                logger.warn('Failed to pre-populate tools cache for x402:', error);
-            }
+        if (serverDetails.capabilities?.tools) {
+            await this.client.listAllTools({ refreshCache: true }).catch((err) => {
+                logger.warn('Failed to pre-populate tools cache:', err);
+            });
         }
     }
     async startProxyServer() {
@@ -445,9 +447,9 @@ class BridgeProcess {
     startKeepalive() {
         logger.debug(`Starting keepalive ping every ${KEEPALIVE_INTERVAL_MS / 1000}s`);
         this.keepaliveInterval = setInterval(() => {
-            this.sendKeepalivePing().catch((error) => {
+            this.sendKeepalivePing().catch(async (error) => {
                 logger.error('Keepalive ping failed:', error);
-                this.handlePossibleExpiration(error);
+                await this.handlePossibleExpiration(error);
             });
         }, KEEPALIVE_INTERVAL_MS);
         this.keepaliveInterval.unref();
@@ -471,20 +473,27 @@ class BridgeProcess {
             logger.error('Failed to update lastSeenAt:', error);
         }
     }
-    handlePossibleExpiration(error) {
+    async handlePossibleExpiration(error) {
+        let status = null;
         if (isSessionExpiredError(error.message)) {
             logger.warn('Session appears to be expired, marking as expired and shutting down');
-            this.markSessionStatusAndExit('expired').catch((e) => {
-                logger.error('Failed to mark session as expired:', e);
-                process.exit(1);
-            });
+            status = 'expired';
         }
         else if (isAuthenticationError(error.message)) {
             logger.warn('Authentication rejected, marking session as unauthorized and shutting down');
-            this.markSessionStatusAndExit('unauthorized').catch((e) => {
-                logger.error('Failed to mark session as unauthorized:', e);
-                process.exit(1);
-            });
+            status = 'unauthorized';
+        }
+        if (status) {
+            try {
+                await updateSession(this.options.sessionName, { status });
+                logger.info(`Session ${this.options.sessionName} marked as ${status}`);
+            }
+            catch (e) {
+                logger.error('Failed to update session status:', e);
+            }
+            setTimeout(() => {
+                this.shutdown().catch(() => process.exit(1));
+            }, 100);
         }
     }
     async markSessionStatusAndExit(status) {
@@ -641,7 +650,7 @@ class BridgeProcess {
                     const params = message.params;
                     if (params.useTask && this.client.supportsTasksForToolCall()) {
                         if (params.detach) {
-                            const taskUpdate = await this.client.callToolDetached(params.name, params.arguments);
+                            const taskUpdate = await this.client.callToolDetached(params.name, params.arguments, params._meta);
                             this.activeTasks.set(taskUpdate.taskId, {
                                 taskId: taskUpdate.taskId,
                                 status: taskUpdate.status,
@@ -675,7 +684,7 @@ class BridgeProcess {
                                 onUpdate(update);
                             }, params.name);
                             try {
-                                result = await this.client.callToolWithTask(params.name, params.arguments, wrappedOnUpdate);
+                                result = await this.client.callToolWithTask(params.name, params.arguments, wrappedOnUpdate, params._meta);
                             }
                             finally {
                                 for (const [tid, task] of this.activeTasks) {
@@ -693,7 +702,7 @@ class BridgeProcess {
                         }
                     }
                     else {
-                        result = await this.client.callTool(params.name, params.arguments);
+                        result = await this.client.callTool(params.name, params.arguments, params._meta);
                     }
                     break;
                 }
@@ -782,6 +791,11 @@ class BridgeProcess {
                     }
                     break;
                 }
+                case 'listAllTools': {
+                    const params = message.params;
+                    result = await this.client.listAllTools(params);
+                    break;
+                }
                 default:
                     throw new ClientError(`Unknown MCP method: ${message.method}`);
             }
@@ -795,8 +809,8 @@ class BridgeProcess {
         }
         catch (error) {
             logger.error('Failed to forward MCP request to server:', error);
+            await this.handlePossibleExpiration(error);
             this.sendError(socket, error, message.id);
-            this.handlePossibleExpiration(error);
         }
     }
     async persistActiveTask(taskId, toolName) {
@@ -848,7 +862,13 @@ class BridgeProcess {
         const message = {
             type: 'response',
             error: {
-                code: error instanceof ClientError ? 1 : error instanceof NetworkError ? 3 : 2,
+                code: error instanceof ClientError
+                    ? 1
+                    : error instanceof NetworkError
+                        ? 3
+                        : error instanceof AuthError
+                            ? 4
+                            : 2,
                 message: error.message,
             },
         };
@@ -966,7 +986,7 @@ async function main() {
     }
     const x402 = args.includes('--x402');
     const insecure = args.includes('--insecure');
-    setGlobalDispatcher(new EnvHttpProxyAgent(insecure ? { connect: { rejectUnauthorized: false } } : {}));
+    initProxy({ insecure });
     try {
         const bridgeOptions = {
             sessionName,