@caplets/core 0.18.2 → 0.18.4

package/dist/index.js

@@ -1,8 +1,8 @@
-import { $ as assertCompleteRequestPrompt, A as CreateMessageResultSchema, At as toSafeError, B as JSONRPCMessageSchema, C as AjvJsonSchemaValidator, D as CallToolRequestSchema, Dt as CAPLETS_ERROR_CODES, E as toJsonSchemaCompat, Et as SERVER_ID_PATTERN, F as EmptyResultSchema, G as ListRootsResultSchema, H as ListPromptsRequestSchema, I as ErrorCode, J as McpError, K as ListToolsRequestSchema, L as GetPromptRequestSchema, M as CreateTaskResultSchema, Nt as __require, O as CallToolResultSchema, Ot as CapletsError, P as ElicitResultSchema, Pt as __toESM, R as InitializeRequestSchema, S as assertToolsCallTaskCapability, St as resolveProjectCapletsRoot, T as mergeCapabilities, Tt as validateCapletFile, U as ListResourceTemplatesRequestSchema, V as LATEST_PROTOCOL_VERSION, W as ListResourcesRequestSchema, X as SUPPORTED_PROTOCOL_VERSIONS, Y as ReadResourceRequestSchema, Z as SetLevelRequestSchema, _t as parseConfig, a as resolveCapletsServer, at as getLiteralValue, bt as resolveCapletsRoot, c as ServerRegistry, ct as getSchemaDescription, d as runOAuthFlow, dt as normalizeObjectSchema, et as assertCompleteRequestResourceTemplate, f as startGenericOAuthFlow, ft as objectFromShape, g as readTokenBundle, gt as loadConfigWithSources, h as isTokenBundleExpired, ht as loadConfig, i as resolveCapletsMode, it as isJSONRPCResultResponse, j as CreateMessageResultWithToolsSchema, jt as __commonJSMin, k as CompleteRequestSchema, kt as redactSecrets, l as capabilityDescription, lt as isSchemaOptional, m as deleteTokenBundle, mt as safeParseAsync, nt as isJSONRPCErrorResponse, o as CapletsEngine, ot as getObjectShape, p as startOAuthFlow, pt as safeParse, q as LoggingLevelSchema, r as parseServerBaseUrl, rt as isJSONRPCRequest, s as handleServerTool, st as getParseErrorMessage, t as controlUrlForBase, tt as isInitializeRequest, u as runGenericOAuthFlow, ut as isZ4Schema, v as ReadBuffer, w as Protocol, wt as discoverCapletFiles, x as assertClientRequestTaskCapability, xt as resolveConfigPath, y as serializeMessage, z as InitializedNotificationSchema } from "./options-bnsSREid.js";
+import { $ as assertCompleteRequestPrompt, A as CreateMessageResultSchema, At as CAPLETS_ERROR_CODES, B as JSONRPCMessageSchema, C as AjvJsonSchemaValidator, Ct as resolveCapletsRoot, D as CallToolRequestSchema, Dt as discoverCapletFiles, E as toJsonSchemaCompat, Et as resolveProjectConfigPath, F as EmptyResultSchema, G as ListRootsResultSchema, H as ListPromptsRequestSchema, I as ErrorCode, It as __require, J as McpError, K as ListToolsRequestSchema, L as GetPromptRequestSchema, Lt as __toESM, M as CreateTaskResultSchema, Mt as redactSecrets, Nt as toSafeError, O as CallToolResultSchema, Ot as validateCapletFile, P as ElicitResultSchema, Pt as __commonJSMin, R as InitializeRequestSchema, S as assertToolsCallTaskCapability, T as mergeCapabilities, Tt as resolveProjectCapletsRoot, U as ListResourceTemplatesRequestSchema, V as LATEST_PROTOCOL_VERSION, W as ListResourcesRequestSchema, X as SUPPORTED_PROTOCOL_VERSIONS, Y as ReadResourceRequestSchema, Z as SetLevelRequestSchema, _t as loadGlobalConfig, a as resolveCapletsServer, at as getLiteralValue, bt as parseConfig, c as ServerRegistry, ct as getSchemaDescription, d as runOAuthFlow, dt as normalizeObjectSchema, et as assertCompleteRequestResourceTemplate, f as startGenericOAuthFlow, ft as objectFromShape, g as readTokenBundle, gt as loadConfigWithSources, h as isTokenBundleExpired, ht as loadConfig, i as resolveCapletsMode, it as isJSONRPCResultResponse, j as CreateMessageResultWithToolsSchema, jt as CapletsError, k as CompleteRequestSchema, kt as SERVER_ID_PATTERN, l as capabilityDescription, lt as isSchemaOptional, m as deleteTokenBundle, mt as safeParseAsync, nt as isJSONRPCErrorResponse, o as CapletsEngine, ot as getObjectShape, p as startOAuthFlow, pt as safeParse, q as LoggingLevelSchema, r as parseServerBaseUrl, rt as isJSONRPCRequest, s as handleServerTool, st as getParseErrorMessage, t as controlUrlForBase, tt as isInitializeRequest, u as runGenericOAuthFlow, ut as isZ4Schema, v as ReadBuffer, vt as loadLocalOverlayConfigWithSources, w as Protocol, wt as resolveConfigPath, x as assertClientRequestTaskCapability, y as serializeMessage, yt as loadProjectConfig, z as InitializedNotificationSchema } from "./options-BlNyqF_E.js";
 import { A as url, C as object, D as string, b as literal, d as ZodOptional, o as generatedToolInputSchema, s as generatedToolInputSchemaForCaplet } from "./generated-tool-input-schema-BYoyY-l-.js";
-import { a as formatCapletList, c as resolveCliConfigPaths, l as cliCommands, n as completionScript, o as formatConfigPaths, s as listCaplets, t as completeCliWords, u as completionShells } from "./completion-L23s2FGB.js";
-import { accessSync, chmodSync, closeSync, constants, cpSync, existsSync, lstatSync, mkdirSync, mkdtempSync, openSync, readFileSync, rmSync, statSync, writeFileSync, writeSync } from "node:fs";
-import { basename, dirname, join, parse, relative, resolve } from "node:path";
+import { a as formatCapletList, c as resolveCliConfigPaths, l as cliCommands, n as completionScript, o as formatConfigPaths, s as listCaplets, t as completeCliWords, u as completionShells } from "./completion-DRPTunQd.js";
+import { accessSync, chmodSync, closeSync, constants, copyFileSync, cpSync, existsSync, lstatSync, mkdirSync, mkdtempSync, openSync, readFileSync, readdirSync, readlinkSync, realpathSync, rmSync, statSync, writeFileSync, writeSync } from "node:fs";
+import { basename, dirname, isAbsolute, join, parse, relative, resolve, sep } from "node:path";
 import { execFileSync } from "node:child_process";
 import process$1, { stdin, stdout } from "node:process";
 import { tmpdir } from "node:os";
@@ -1320,7 +1320,7 @@ const EMPTY_COMPLETION_RESULT = { completion: {
 } };
 //#endregion
 //#region package.json
-var version = "0.18.2";
+var version = "0.18.4";
 //#endregion
 //#region src/serve/session.ts
 var CapletsMcpSession = class {
@@ -4905,7 +4905,7 @@ function isUrlLike(value) {
 //#endregion
 //#region src/cli/auth.ts
 async function loginAuth(serverId, options) {
-	const server = findAuthTarget(serverId, loadConfig(options.configPath));
+	const server = findAuthTarget(serverId, options.config ?? loadConfig(options.configPath));
 	assertLoginTarget(server, serverId);
 	try {
 		const flowOptions = {
@@ -4927,40 +4927,64 @@ function logoutAuth(serverId, options) {
 	else options.writeOut(`No OAuth credentials found for \`${serverId}\`.\n`);
 }
 function logoutAuthResult(serverId, options) {
-	assertLoginTarget(findAuthTarget(serverId, loadConfig(options.configPath)), serverId);
+	assertLoginTarget(findAuthTarget(serverId, options.config ?? loadConfig(options.configPath)), serverId);
 	return {
 		server: serverId,
 		deleted: deleteTokenBundle(serverId, options.authDir)
 	};
 }
-function listAuth(options) {
-	const rows = listAuthRows(options);
-	const format = options.format ?? "plain";
-	if (format === "json") {
-		options.writeOut(`${JSON.stringify(rows, null, 2)}\n`);
-		return;
+function listAuthRows(options) {
+	return authRowsForTargets(authTargets(loadConfig(options.configPath)), options.authDir);
+}
+function listLocalAuthRows(options) {
+	return authRowsForTargets(localAuthTargets(options), options.authDir);
+}
+function localAuthTargets(options) {
+	return [...options.source === "project" ? [] : authTargetsForSource("global", options), ...options.source === "global" ? [] : authTargetsForSource("project", options)].filter((target) => !options.source || target.source === options.source);
+}
+function localAuthConfigForTarget(options) {
+	assertLoginTarget(localAuthTargets(options).find((candidate) => candidate.server === options.serverId), options.serverId);
+	return loadConfigForSource(options.source, options);
+}
+function authTargetsForSource(source, options) {
+	try {
+		return authTargets(loadConfigForSource(source, options)).map((target) => ({
+			...target,
+			source
+		}));
+	} catch (error) {
+		if (error instanceof CapletsError && error.code === "CONFIG_NOT_FOUND") return [];
+		throw error;
 	}
-	options.writeOut(formatAuthRows(rows, format));
 }
-function listAuthRows(options) {
-	return authTargets(loadConfig(options.configPath)).sort((left, right) => left.server.localeCompare(right.server)).map((server) => {
-		const bundle = readTokenBundle(server.server, options.authDir);
+function loadConfigForSource(source, options) {
+	if (source === "global") return loadGlobalConfig(options.configPath);
+	return loadProjectConfig(options.projectConfigPath);
+}
+function authRowsForTargets(targets, authDir) {
+	return targets.sort((left, right) => left.server.localeCompare(right.server)).map((server) => {
+		const bundle = readTokenBundle(server.server, authDir);
 		const status = !bundle ? "missing" : isTokenBundleExpired(bundle) ? "expired" : "authenticated";
 		return {
 			server: server.server,
 			status,
 			...bundle?.expiresAt ? { expiresAt: bundle.expiresAt } : {},
-			...bundle?.scope ? { scope: bundle.scope } : {}
+			...bundle?.scope ? { scope: bundle.scope } : {},
+			...server.source ? { source: server.source } : {}
 		};
 	});
 }
 function formatAuthRows(rows, format) {
-	if (rows.length === 0) return format === "markdown" ? "## OAuth credentials\n\nNo configured remote OAuth servers found.\n" : "No configured remote OAuth servers found.\n";
+	if (rows.length === 0) return format === "markdown" ? "## OAuth credentials\n\nNo configured OAuth servers found.\n" : "No configured OAuth servers found.\n";
 	let output = "";
 	if (format === "markdown") output += "## OAuth credentials\n\n";
 	else output += "OAuth credentials\n\n";
 	for (const row of rows) {
-		const details = [row.expiresAt ? `expires ${row.expiresAt}` : void 0, row.scope ? `scope ${row.scope}` : void 0].filter(Boolean).join("; ");
+		const details = [
+			row.source ? `source ${row.source}` : void 0,
+			row.expiresAt ? `expires ${row.expiresAt}` : void 0,
+			row.scope ? `scope ${row.scope}` : void 0
+		].filter(Boolean).join("; ");
 		if (format === "markdown") {
 			output += `- \`${row.server}\` — ${row.status}${details ? ` (${details})` : ""}\n`;
 			continue;
@@ -4968,6 +4992,7 @@ function formatAuthRows(rows, format) {
 		output += [
 			row.server,
 			`  Status: ${row.status}`,
+			...row.source ? [`  Source: ${row.source}`] : [],
 			...row.expiresAt ? [`  Expires: ${row.expiresAt}`] : [],
 			...row.scope ? [`  Scope: ${row.scope}`] : []
 		].join("\n") + "\n\n";
@@ -5192,12 +5217,14 @@ function rejectCrossKindDestinationCollision(plan, destinationRoot) {
 function installPlan(caplet, options) {
 	const isDirectory = basename(caplet.path) === "CAPLET.md";
 	const sourcePath = isDirectory ? dirname(caplet.path) : caplet.path;
+	const sourceBoundary = dirname(sourcePath);
 	const sourcePathRelative = relative(options.repoRoot, sourcePath);
 	const destination = isDirectory ? join(options.destinationRoot, caplet.id) : join(options.destinationRoot, `${caplet.id}.md`);
 	return {
 		id: caplet.id,
 		source: `${options.sourceId}#${sourcePathRelative}`,
 		sourcePath,
+		sourceBoundary,
 		destination,
 		kind: isDirectory ? "directory" : "file"
 	};
@@ -5259,16 +5286,40 @@ function removeInstallPath(path, label, force) {
 }
 function copyInstallPath(plan) {
 	try {
+		if (plan.kind === "directory") {
+			copyDirectoryCaplet(plan.sourcePath, plan.destination, realpathSync(plan.sourceBoundary));
+			return;
+		}
 		cpSync(plan.sourcePath, plan.destination, {
-			recursive: plan.kind === "directory",
+			recursive: false,
 			force: false,
 			errorOnExist: true
 		});
 	} catch (error) {
+		if (error instanceof CapletsError) throw error;
 		if (isFsError(error, "EEXIST") || isFsError(error, "EISDIR")) throw new CapletsError("CONFIG_EXISTS", `Caplet ${plan.id} already exists at ${plan.destination}; pass --force to overwrite it`, toSafeError(error));
 		throw new CapletsError("CONFIG_INVALID", `Could not install Caplet ${plan.id} to ${plan.destination}`, toSafeError(error));
 	}
 }
+function copyDirectoryCaplet(source, destination, sourceBoundary, seenDirectories = /* @__PURE__ */ new Set()) {
+	const resolvedSource = lstatSync(source).isSymbolicLink() ? resolveDirectoryCapletSymlink(source, sourceBoundary) : source;
+	if (statSync(resolvedSource).isDirectory()) {
+		const realDirectory = realpathSync(resolvedSource);
+		if (seenDirectories.has(realDirectory)) throw new CapletsError("CONFIG_INVALID", `Directory Caplet symlink ${source} creates a copy cycle`);
+		const childSeenDirectories = new Set(seenDirectories);
+		childSeenDirectories.add(realDirectory);
+		mkdirSync(destination);
+		for (const entry of readdirSync(resolvedSource)) copyDirectoryCaplet(join(resolvedSource, entry), join(destination, entry), sourceBoundary, childSeenDirectories);
+		return;
+	}
+	copyFileSync(resolvedSource, destination);
+}
+function resolveDirectoryCapletSymlink(source, sourceBoundary) {
+	const target = readlinkSync(source);
+	const resolvedTarget = realpathSync(isAbsolute(target) ? target : resolve(dirname(source), target));
+	if (resolvedTarget !== sourceBoundary && !resolvedTarget.startsWith(`${sourceBoundary}${sep}`)) throw new CapletsError("CONFIG_INVALID", `Directory Caplet symlink ${source} resolves outside source Caplets boundary`);
+	return resolvedTarget;
+}
 function isFsError(error, code) {
 	return typeof error === "object" && error !== null && "code" in error && error.code === code;
 }
@@ -5369,7 +5420,7 @@ function redactRemoteMessage(message) {
 	return String(redactSecrets(message)).replace(/\b(authorization\s*:\s*(?:basic|bearer)\s+)[^\s,;]+/giu, "$1[REDACTED]").replace(/\b((?:access_)?token=)[^\s,;]+/giu, "$1[REDACTED]").replace(/\b((?:token|secret|authorization|auth|api[-_]?key|password|credential|clientsecret|client_secret|code|refresh(?:_token)?)\s*[=:]\s*)[^\s,;]+/giu, "$1[REDACTED]");
 }
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/compose.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/compose.js
 var compose = (middleware, onError, onNotFound) => {
 	return (context, next) => {
 		let index = -1;
@@ -5400,7 +5451,7 @@ var compose = (middleware, onError, onNotFound) => {
 	};
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/http-exception.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/http-exception.js
 var HTTPException = class extends Error {
 	res;
 	status;
@@ -5428,10 +5479,10 @@ var HTTPException = class extends Error {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/request/constants.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/request/constants.js
 var GET_MATCH_RESULT = /* @__PURE__ */ Symbol();
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/utils/body.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/utils/body.js
 var parseBody = async (request, options = /* @__PURE__ */ Object.create(null)) => {
 	const { all = false, dot = false } = options;
 	const contentType = (request instanceof HonoRequest ? request.raw.headers : request.headers).get("Content-Type");
@@ -5479,7 +5530,7 @@ var handleParsingNestedValues = (form, key, value) => {
 	});
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/utils/url.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/utils/url.js
 var splitPath = (path) => {
 	const paths = path.split("/");
 	if (paths[0] === "") paths.shift();
@@ -5643,7 +5694,7 @@ var getQueryParams = (url, key) => {
 };
 var decodeURIComponent_ = decodeURIComponent;
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/request.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/request.js
 var tryDecodeURIComponent = (str) => tryDecode(str, decodeURIComponent_);
 var HonoRequest = class {
 	/**
@@ -5915,7 +5966,7 @@ var HonoRequest = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/utils/html.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/utils/html.js
 var HtmlEscapedCallbackPhase = {
 	Stringify: 1,
 	BeforeStream: 2,
@@ -5945,7 +5996,7 @@ var resolveCallback = async (str, phase, preserveCallbacks, context, buffer) =>
 	else return resStr;
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/context.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/context.js
 var TEXT_PLAIN = "text/plain; charset=UTF-8";
 var setDefaultContentType = (contentType, headers) => {
 	return {
@@ -6306,7 +6357,7 @@ var Context = class {
 	};
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router.js
 var METHODS = [
 	"get",
 	"post",
@@ -6318,10 +6369,10 @@ var METHODS = [
 var MESSAGE_MATCHER_IS_ALREADY_BUILT = "Can not add a route since the matcher is already built.";
 var UnsupportedPathError = class extends Error {};
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/utils/constants.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/utils/constants.js
 var COMPOSED_HANDLER = "__COMPOSED_HANDLER";
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/hono-base.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/hono-base.js
 var notFoundHandler = (c) => {
 	return c.text("404 Not Found", 404);
 };
@@ -6655,7 +6706,7 @@ var Hono$1 = class _Hono {
 	};
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/reg-exp-router/matcher.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/reg-exp-router/matcher.js
 var emptyParam = [];
 function match(method, path) {
 	const matchers = this.buildAllMatchers();
@@ -6672,7 +6723,7 @@ function match(method, path) {
 	return match2(method, path);
 }
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/reg-exp-router/node.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/reg-exp-router/node.js
 var LABEL_REG_EXP_STR = "[^/]+";
 var ONLY_WILDCARD_REG_EXP_STR = ".*";
 var TAIL_WILDCARD_REG_EXP_STR = "(?:|/.*)";
@@ -6751,7 +6802,7 @@ var Node$1 = class _Node {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/reg-exp-router/trie.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/reg-exp-router/trie.js
 var Trie = class {
 	#context = { varIndex: 0 };
 	#root = new Node$1();
@@ -6809,7 +6860,7 @@ var Trie = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/reg-exp-router/router.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/reg-exp-router/router.js
 var nullMatcher = [
 	/^$/,
 	[],
@@ -6940,7 +6991,7 @@ var RegExpRouter = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/smart-router/router.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/smart-router/router.js
 var SmartRouter = class {
 	name = "SmartRouter";
 	#routers = [];
@@ -6987,7 +7038,7 @@ var SmartRouter = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/trie-router/node.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/trie-router/node.js
 var emptyParams = /* @__PURE__ */ Object.create(null);
 var hasChildren = (children) => {
 	for (const _ in children) return true;
@@ -7140,7 +7191,7 @@ var Node = class _Node {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/router/trie-router/router.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/router/trie-router/router.js
 var TrieRouter = class {
 	name = "TrieRouter";
 	#node;
@@ -7160,7 +7211,7 @@ var TrieRouter = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/hono.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/hono.js
 var Hono = class extends Hono$1 {
 	/**
 	* Creates an instance of the Hono class.
@@ -7201,7 +7252,7 @@ object({
 	client_secret: string().optional()
 });
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/utils/stream.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/utils/stream.js
 var StreamingApi = class {
 	writer;
 	encoder;
@@ -7274,7 +7325,7 @@ var StreamingApi = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/helper/streaming/sse.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/helper/streaming/sse.js
 var SSEStreamingApi = class extends StreamingApi {
 	constructor(writable, readable) {
 		super(writable, readable);
@@ -7298,7 +7349,7 @@ var SSEStreamingApi = class extends StreamingApi {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/@hono+mcp@0.3.0_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__hono-rate-limiter@0.5.3_hono@4.12.21__hono@4.12.21_zod@4.4.3/node_modules/@hono/mcp/dist/index.js
+//#region ../../node_modules/.pnpm/@hono+mcp@0.3.0_@modelcontextprotocol+sdk@1.29.0_zod@4.4.3__hono-rate-limiter@0.5.3_hono@4.12.22__hono@4.12.22_zod@4.4.3/node_modules/@hono/mcp/dist/index.js
 let isOldBunVersion = () => {
 	const version = typeof Bun !== "undefined" ? Bun.version : void 0;
 	if (version === void 0) return false;
@@ -7739,7 +7790,7 @@ var StreamableHTTPTransport = class {
 	}
 };
 //#endregion
-//#region ../../node_modules/.pnpm/@hono+node-server@2.0.3_hono@4.12.21/node_modules/@hono/node-server/dist/index.mjs
+//#region ../../node_modules/.pnpm/@hono+node-server@2.0.3_hono@4.12.22/node_modules/@hono/node-server/dist/index.mjs
 var RequestError = class extends Error {
 	constructor(message, options) {
 		super(message, options);
@@ -8662,7 +8713,7 @@ const serve = (options, listeningListener) => {
 	return server;
 };
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/utils/color.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/utils/color.js
 function getColorEnabled() {
 	const { process, Deno } = globalThis;
 	return !(typeof Deno?.noColor === "boolean" ? Deno.noColor : process !== void 0 ? "NO_COLOR" in process?.env : false);
@@ -8679,7 +8730,7 @@ async function getColorEnabledAsync() {
 	})() : !getColorEnabled());
 }
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.21/node_modules/hono/dist/middleware/logger/index.js
+//#region ../../node_modules/.pnpm/hono@4.12.22/node_modules/hono/dist/middleware/logger/index.js
 var humanize = (times) => {
 	const [delimiter, separator] = [",", "."];
 	return times.map((v) => v.replace(/(\d)(?=(\d\d\d)+(?!\d))/g, "$1" + delimiter)).join(separator);
@@ -9517,15 +9568,29 @@ function createProgram(io = {}) {
 		const completionWords = normalizeCompletionWords(words);
 		let suggestions = [];
 		try {
-			suggestions = remote ? await remote.request("complete_cli", {
-				shell,
-				words: completionWords
-			}) : await completeCliWordsLocally(completionWords, {
+			if (remote) {
+				const localOverlay = loadLocalOverlayForCli(io, () => {});
+				const localSuggestions = await completeCliWordsLocally(completionWords, {
+					...configPath ? { configPath } : {},
+					projectConfigPath: envProjectConfigPath(env),
+					...io.authDir ? { authDir: io.authDir } : {},
+					config: localOverlay.config
+				});
+				if (localShadowedCompletionTarget(completionWords, localOverlay.config)) suggestions = localSuggestions;
+				else suggestions = mergeCompletionSuggestions(localSuggestions, await remote.request("complete_cli", {
+					shell,
+					words: completionWords
+				}));
+			} else suggestions = await completeCliWordsLocally(completionWords, {
 				...configPath ? { configPath } : {},
+				projectConfigPath: envProjectConfigPath(env),
 				...io.authDir ? { authDir: io.authDir } : {}
 			});
 		} catch {
-			suggestions = remote ? [] : await completeCliWords(completionWords, configPath ? { configPath } : {});
+			suggestions = remote ? [] : await completeCliWords(completionWords, {
+				...configPath ? { configPath } : {},
+				projectConfigPath: envProjectConfigPath(env)
+			});
 		}
 		if (suggestions.length > 0) writeOut(`${suggestions.join("\n")}\n`);
 	});
@@ -9537,23 +9602,26 @@ function createProgram(io = {}) {
 			...io.authDir ? { authDir: io.authDir } : {}
 		}, writeErr)))(resolved);
 	});
-	program.command(cliCommands.init).description("Create a starter Caplets config file.").option("--force", "overwrite an existing config file").action(async (options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeOut(`Created remote Caplets config at ${(await remote.request("init", { force: Boolean(options.force) })).path}\n`);
+	program.command(cliCommands.init).description("Create a starter Caplets config file.").option("--project", "create the project Caplets config").option("-g, --global", "create the user Caplets config").option("--remote", "create the remote Caplets config").option("--force", "overwrite an existing config file").action(async (options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			writeOut(`Created remote Caplets config at ${(await requireRemoteClientForTarget(io).request("init", { force: Boolean(options.force) })).path}\n`);
 			return;
 		}
-		const configPath = currentConfigPath();
-		writeOut(`Created Caplets config at ${initConfig({
-			...configPath ? { path: configPath } : {},
+		const path = initConfig({
+			path: target === "global" ? resolveConfigPath(currentConfigPath()) : envProjectConfigPath(env),
 			force: Boolean(options.force)
-		})}\n`);
+		});
+		writeOut(`Created ${localMutationTargetLabel(target, io)}Caplets config at ${path}\n`);
 	});
 	program.command(cliCommands.list).description("List configured Caplets.").option("--all", "include disabled Caplets").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action(async (options) => {
 		const includeDisabled = Boolean(options.all);
 		const remote = remoteClientForCli(io);
 		if (remote) {
-			const rows = await remote.request("list", { includeDisabled });
+			const rows = mergeRemoteAndLocalRows(await remote.request("list", { includeDisabled }), tryLoadLocalOverlayForCli(io, writeErr), {
+				includeDisabled,
+				writeErr
+			});
 			if (options.json || options.format === "json") {
 				writeOut(`${JSON.stringify(rows, null, 2)}\n`);
 				return;
@@ -9561,18 +9629,17 @@ function createProgram(io = {}) {
 			writeOut(formatCapletList(rows, options.format ?? "plain"));
 			return;
 		}
-		const rows = listCaplets(loadConfigWithSources(currentConfigPath()), { includeDisabled });
+		const rows = listCaplets(loadConfigWithSources(currentConfigPath(), envProjectConfigPath(env)), { includeDisabled });
 		if (options.json || options.format === "json") {
 			writeOut(`${JSON.stringify(rows, null, 2)}\n`);
 			return;
 		}
 		writeOut(formatCapletList(rows, options.format ?? "plain"));
 	});
-	program.command(cliCommands.install).description("Install Caplets from a repo's caplets directory.").argument("<repo>", "local repo path, Git URL, or GitHub owner/repo").argument("[caplets...]", "optional Caplet IDs to install").option("-g, --global", "install to the user Caplets root").option("--force", "overwrite installed Caplets").action(async (repo, capletIds, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			if (options.global) writeErr("Warning: --global is not supported in remote mode; the server controls the installation destination.\n");
-			const result = await remote.request("install", {
+	program.command(cliCommands.install).description("Install Caplets from a repo's caplets directory.").argument("<repo>", "local repo path, Git URL, or GitHub owner/repo").argument("[caplets...]", "optional Caplet IDs to install").option("--project", "install to the project Caplets root").option("-g, --global", "install to the user Caplets root").option("--remote", "install through remote control").option("--force", "overwrite installed Caplets").action(async (repo, capletIds, options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			const result = await requireRemoteClientForTarget(io).request("install", {
 				repo,
 				capletIds,
 				force: Boolean(options.force)
@@ -9583,15 +9650,15 @@ function createProgram(io = {}) {
 		const result = installCaplets(repo, {
 			capletIds,
 			force: Boolean(options.force),
-			destinationRoot: options.global ? resolveCapletsRoot(resolveConfigPath(currentConfigPath())) : resolveProjectCapletsRoot()
+			destinationRoot: target === "global" ? resolveCapletsRoot(resolveConfigPath(currentConfigPath())) : envProjectCapletsRoot(env)
 		});
-		for (const caplet of result.installed) writeOut(`Installed ${caplet.id} to ${caplet.destination}\n`);
+		for (const caplet of result.installed) writeOut(`Installed ${caplet.id} to ${localMutationTargetLabel(target, io)}${caplet.destination}\n`);
 	});
 	const add = program.command(cliCommands.add).description("Add generated Caplet files.");
-	add.command("cli").description("Add a CLI tools Caplet.").argument("<id>", "Caplet ID/display seed").option("--repo <path>", "repository path to inspect").option("--include <items>", "comma-separated generators to include: git,gh,package").option("--command <name>", "single CLI command template to generate").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeAddResult(writeOut, "CLI", await remote.request("add", {
+	add.command("cli").description("Add a CLI tools Caplet.").argument("<id>", "Caplet ID/display seed").option("--repo <path>", "repository path to inspect").option("--include <items>", "comma-separated generators to include: git,gh,package").option("--command <name>", "single CLI command template to generate").option("--project", "write to the project Caplets root").option("-g, --global", "write to the user Caplets root").option("--remote", "add through remote control").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			writeAddResult(writeOut, "CLI", await requireRemoteClientForTarget(io).request("add", {
 				kind: "cli",
 				id,
 				options: remoteAddOptions(options)
@@ -9600,73 +9667,77 @@ function createProgram(io = {}) {
 		}
 		const result = addCliCaplet(id, {
 			...options,
-			destinationRoot: options.global ? resolveCapletsRoot(resolveConfigPath(currentConfigPath())) : resolveProjectCapletsRoot()
+			destinationRoot: target === "global" ? resolveCapletsRoot(resolveConfigPath(currentConfigPath())) : envProjectCapletsRoot(env)
 		});
 		if (result.path) {
-			writeOut(`Wrote CLI Caplet to ${result.path}\n`);
+			writeOut(`Wrote ${localMutationTargetLabel(target, io)}CLI Caplet to ${result.path}\n`);
 			return;
 		}
 		writeOut(result.text);
 	});
-	add.command("mcp").description("Add an MCP backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--command <name>", "stdio command").option("--arg <value>", "stdio command argument", collect, []).option("--cwd <path>", "stdio working directory").option("--env <KEY=VALUE>", "stdio environment variable", collect, []).option("--url <url>", "remote MCP server URL").option("--transport <transport>", "remote transport: http or sse").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeAddResult(writeOut, "MCP", await remote.request("add", {
+	add.command("mcp").description("Add an MCP backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--command <name>", "stdio command").option("--arg <value>", "stdio command argument", collect, []).option("--cwd <path>", "stdio working directory").option("--env <KEY=VALUE>", "stdio environment variable", collect, []).option("--url <url>", "remote MCP server URL").option("--transport <transport>", "remote transport: http or sse").option("--token-env <ENV>", "bearer token environment variable reference").option("--project", "write to the project Caplets root").option("-g, --global", "write to the user Caplets root").option("--remote", "add through remote control").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			writeAddResult(writeOut, "MCP", await requireRemoteClientForTarget(io).request("add", {
 				kind: "mcp",
 				id,
 				options: remoteAddOptions(options)
 			}));
 			return;
 		}
-		writeAddResult(writeOut, "MCP", addMcpCaplet(id, {
+		const result = addMcpCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options, currentConfigPath())
-		}));
+			destinationRoot: addDestinationRoot(target, currentConfigPath(), env)
+		});
+		writeAddResult(writeOut, `${localMutationTargetLabel(target, io)}MCP`, result);
 	});
-	add.command("openapi").description("Add an OpenAPI backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--spec <path-or-url>", "OpenAPI spec path or URL").option("--base-url <url>", "request base URL override").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeAddResult(writeOut, "OpenAPI", await remote.request("add", {
+	add.command("openapi").description("Add an OpenAPI backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--spec <path-or-url>", "OpenAPI spec path or URL").option("--base-url <url>", "request base URL override").option("--token-env <ENV>", "bearer token environment variable reference").option("--project", "write to the project Caplets root").option("-g, --global", "write to the user Caplets root").option("--remote", "add through remote control").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			writeAddResult(writeOut, "OpenAPI", await requireRemoteClientForTarget(io).request("add", {
 				kind: "openapi",
 				id,
 				options: remoteAddOptions(options)
 			}));
 			return;
 		}
-		writeAddResult(writeOut, "OpenAPI", addOpenApiCaplet(id, {
+		const result = addOpenApiCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options, currentConfigPath())
-		}));
+			destinationRoot: addDestinationRoot(target, currentConfigPath(), env)
+		});
+		writeAddResult(writeOut, `${localMutationTargetLabel(target, io)}OpenAPI`, result);
 	});
-	add.command("graphql").description("Add a GraphQL backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--endpoint-url <url>", "GraphQL endpoint URL").option("--schema <path-or-url>", "GraphQL schema path or URL").option("--introspection", "load schema through endpoint introspection").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeAddResult(writeOut, "GraphQL", await remote.request("add", {
+	add.command("graphql").description("Add a GraphQL backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--endpoint-url <url>", "GraphQL endpoint URL").option("--schema <path-or-url>", "GraphQL schema path or URL").option("--introspection", "load schema through endpoint introspection").option("--token-env <ENV>", "bearer token environment variable reference").option("--project", "write to the project Caplets root").option("-g, --global", "write to the user Caplets root").option("--remote", "add through remote control").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			writeAddResult(writeOut, "GraphQL", await requireRemoteClientForTarget(io).request("add", {
 				kind: "graphql",
 				id,
 				options: remoteAddOptions(options)
 			}));
 			return;
 		}
-		writeAddResult(writeOut, "GraphQL", addGraphqlCaplet(id, {
+		const result = addGraphqlCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options, currentConfigPath())
-		}));
+			destinationRoot: addDestinationRoot(target, currentConfigPath(), env)
+		});
+		writeAddResult(writeOut, `${localMutationTargetLabel(target, io)}GraphQL`, result);
 	});
-	add.command("http").description("Add an HTTP actions backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--base-url <url>", "HTTP API base URL").option("--action <name:METHOD:/path>", "HTTP action", collect, []).option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeAddResult(writeOut, "HTTP", await remote.request("add", {
+	add.command("http").description("Add an HTTP actions backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--base-url <url>", "HTTP API base URL").option("--action <name:METHOD:/path>", "HTTP action", collect, []).option("--token-env <ENV>", "bearer token environment variable reference").option("--project", "write to the project Caplets root").option("-g, --global", "write to the user Caplets root").option("--remote", "add through remote control").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const target = parseMutationTarget(options);
+		if (target === "remote") {
+			writeAddResult(writeOut, "HTTP", await requireRemoteClientForTarget(io).request("add", {
 				kind: "http",
 				id,
 				options: remoteAddOptions(options)
 			}));
 			return;
 		}
-		writeAddResult(writeOut, "HTTP", addHttpCaplet(id, {
+		const result = addHttpCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options, currentConfigPath())
-		}));
+			destinationRoot: addDestinationRoot(target, currentConfigPath(), env)
+		});
+		writeAddResult(writeOut, `${localMutationTargetLabel(target, io)}HTTP`, result);
 	});
 	program.command(cliCommands.getCaplet).description("Print a configured Caplet card.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
 		await executeOperation(caplet, { operation: "get_caplet" }, {
@@ -9868,7 +9939,7 @@ function createProgram(io = {}) {
 		writeOut(`${resolveConfigPath(currentConfigPath())}\n`);
 	});
 	config.command("paths").description("Print resolved Caplets config, root, and auth paths.").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action((options) => {
-		const paths = resolveCliConfigPaths(currentConfigPath(), io.authDir);
+		const paths = resolveCliConfigPaths(currentConfigPath(), envProjectConfigPath(env), io.authDir);
 		if (options.json || options.format === "json") {
 			writeOut(`${JSON.stringify(paths, null, 2)}\n`);
 			return;
@@ -9876,60 +9947,59 @@ function createProgram(io = {}) {
 		writeOut(formatConfigPaths(paths, options.format ?? "plain"));
 	});
 	const auth = program.command(cliCommands.auth).description("Manage OAuth credentials for remote servers.");
-	auth.command("login").description("Authenticate a configured remote OAuth server.").argument("<server>", "configured server ID").option("--no-open", "print the authorization URL without opening a browser").action(async (serverId, options) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			const started = await remote.request("auth_login_start", { server: serverId });
-			if (started.authorizationUrl) {
-				writeOut(`Open this URL to authorize ${serverId}:\n${started.authorizationUrl}\n`);
-				if (options.open !== false) await openBrowser(started.authorizationUrl);
-				writeOut("Complete authentication in your browser. The server callback will store credentials.\n");
-				return;
-			}
-			if (started.authenticated) writeOut(`Authenticated \`${serverId}\`.\n`);
+	auth.command("login").description("Authenticate a configured remote OAuth server.").argument("<server>", "configured server ID").option("--project", "authenticate using the project Caplets config").option("-g, --global", "authenticate using the user Caplets config").option("--remote", "authenticate using the remote server auth store").option("--no-open", "print the authorization URL without opening a browser").action(async (serverId, options) => {
+		const target = await resolveAuthTarget(serverId, options, io);
+		if (target === "remote") {
+			await remoteAuthLogin(requireRemoteClientForTarget(io), serverId, options.open !== false, writeOut);
 			return;
 		}
 		const configPath = currentConfigPath();
+		const projectConfigPath = envProjectConfigPath(env);
 		await loginAuth(serverId, {
 			noOpen: options.open === false,
 			writeOut,
 			writeErr,
 			...configPath ? { configPath } : {},
+			...projectConfigPath ? { projectConfigPath } : {},
+			config: localAuthConfigForTarget({
+				serverId,
+				...configPath ? { configPath } : {},
+				...projectConfigPath ? { projectConfigPath } : {},
+				source: target
+			}),
 			...io.authDir ? { authDir: io.authDir } : {}
 		});
 	});
-	auth.command("logout").description("Delete stored OAuth credentials for a server.").argument("<server>", "configured server ID").action(async (serverId) => {
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			writeOut((await remote.request("auth_logout", { server: serverId })).deleted ? `Deleted remote OAuth credentials for \`${serverId}\`.\n` : `No remote OAuth credentials found for \`${serverId}\`.\n`);
+	auth.command("logout").description("Delete stored OAuth credentials for a server.").argument("<server>", "configured server ID").option("--project", "delete credentials for the project Caplets config target").option("-g, --global", "delete credentials for the user Caplets config target").option("--remote", "delete credentials from the remote server auth store").action(async (serverId, options) => {
+		const target = await resolveAuthTarget(serverId, options, io);
+		if (target === "remote") {
+			writeOut((await requireRemoteClientForTarget(io).request("auth_logout", { server: serverId })).deleted ? `Deleted remote OAuth credentials for \`${serverId}\`.\n` : `No remote OAuth credentials found for \`${serverId}\`.\n`);
 			return;
 		}
 		const configPath = currentConfigPath();
+		const projectConfigPath = envProjectConfigPath(env);
 		logoutAuth(serverId, {
 			writeOut,
 			...configPath ? { configPath } : {},
+			config: localAuthConfigForTarget({
+				serverId,
+				...configPath ? { configPath } : {},
+				...projectConfigPath ? { projectConfigPath } : {},
+				source: target
+			}),
 			...io.authDir ? { authDir: io.authDir } : {}
 		});
 	});
-	auth.command("list").description("List servers with stored OAuth credentials.").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action(async (options) => {
+	auth.command("list").description("List servers with stored OAuth credentials.").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).option("--project", "list auth targets from the project Caplets config").option("-g, --global", "list auth targets from the user Caplets config").option("--remote", "list auth targets from the remote server auth store").action(async (options) => {
 		const configPath = currentConfigPath();
+		const projectConfigPath = envProjectConfigPath(env);
 		const format = options.json || options.format === "json" ? "json" : options.format ?? "plain";
-		const remote = remoteClientForCli(io);
-		if (remote) {
-			const rows = await remote.request("auth_list", {});
-			if (format === "json") {
-				writeOut(`${JSON.stringify(rows, null, 2)}\n`);
-				return;
-			}
-			writeOut(formatAuthRows(rows, format));
+		const rows = await authListRowsForCli(parseAuthFlagTarget(options), io, configPath, projectConfigPath);
+		if (format === "json") {
+			writeOut(`${JSON.stringify(rows, null, 2)}\n`);
 			return;
 		}
-		listAuth({
-			writeOut,
-			format,
-			...configPath ? { configPath } : {},
-			...io.authDir ? { authDir: io.authDir } : {}
-		});
+		writeOut(formatAuthRows(rows, format));
 	});
 	return program;
 }
@@ -9973,12 +10043,90 @@ function remoteCommandForOperation(operation) {
 	}
 }
 function remoteAddOptions(options) {
-	const { output, print, global, destinationRoot, ...remoteOptions } = options;
-	if (global) throw new CapletsError("REQUEST_INVALID", "--global is not supported in remote mode; the server controls the add destination.");
+	const { output, print, global, project, remote, destinationRoot, ...remoteOptions } = options;
 	if (print) throw new CapletsError("REQUEST_INVALID", "--print is not supported in remote mode; the server controls add output.");
 	if (output !== void 0) throw new CapletsError("REQUEST_INVALID", "--output is not supported in remote mode; the server controls the add destination.");
 	return remoteOptions;
 }
+function parseMutationTarget(options) {
+	const selected = [
+		options.project ? "--project" : void 0,
+		options.global ? "--global" : void 0,
+		options.remote ? "--remote" : void 0
+	].filter((value) => value !== void 0);
+	if (selected.length > 1) throw new CapletsError("REQUEST_INVALID", `Cannot combine mutation target flags: ${selected.join(", ")}`);
+	if (options.global) return "global";
+	if (options.remote) return "remote";
+	return "project";
+}
+function localMutationTargetLabel(target, io) {
+	return remoteClientForCli(io) ? `${target} ` : "";
+}
+function parseAuthFlagTarget(options) {
+	const selected = [
+		options.project ? "--project" : void 0,
+		options.global ? "--global" : void 0,
+		options.remote ? "--remote" : void 0
+	].filter((value) => value !== void 0);
+	if (selected.length > 1) throw new CapletsError("REQUEST_INVALID", `Cannot combine auth target flags: ${selected.join(", ")}`);
+	if (options.project) return "project";
+	if (options.global) return "global";
+	if (options.remote) return "remote";
+}
+async function resolveAuthTarget(serverId, options, io) {
+	const explicit = parseAuthFlagTarget(options);
+	if (explicit) return explicit;
+	const env = io.env ?? process.env;
+	const configPath = envConfigPath(env);
+	const projectConfigPath = envProjectConfigPath(env);
+	const matches = localAuthTargets({
+		...configPath ? { configPath } : {},
+		...projectConfigPath ? { projectConfigPath } : {}
+	}).filter((target) => target.server === serverId).map((target) => target.source);
+	const remote = remoteClientForCli(io);
+	if (remote) {
+		if (matches.length === 0) matches.push("remote");
+		else if ((await remoteAuthRows(remote)).some((row) => row.server === serverId)) matches.push("remote");
+	}
+	const unique = [...new Set(matches)];
+	if (unique.length === 1) return unique[0];
+	if (unique.length > 1) throw new CapletsError("REQUEST_INVALID", `Auth target \`${serverId}\` exists in multiple scopes. Pass --project, --global, or --remote.`);
+	throw new CapletsError("SERVER_NOT_FOUND", `Server ${serverId} is not configured for OAuth`);
+}
+async function authListRowsForCli(target, io, configPath, projectConfigPath) {
+	if (target === "remote") return remoteAuthRows(requireRemoteClientForTarget(io));
+	const localRows = listLocalAuthRows({
+		...configPath ? { configPath } : {},
+		...projectConfigPath ? { projectConfigPath } : {},
+		...io.authDir ? { authDir: io.authDir } : {},
+		...target ? { source: target } : {}
+	});
+	if (target) return localRows;
+	const remote = remoteClientForCli(io);
+	if (!remote) return localRows;
+	return [...localRows, ...await remoteAuthRows(remote)].sort((left, right) => left.server.localeCompare(right.server));
+}
+async function remoteAuthRows(remote) {
+	return (await remote.request("auth_list", {})).map((row) => ({
+		...row,
+		source: "remote"
+	}));
+}
+async function remoteAuthLogin(remote, serverId, open, writeOut) {
+	const started = await remote.request("auth_login_start", { server: serverId });
+	if (started.authorizationUrl) {
+		writeOut(`Open this URL to authorize ${serverId}:\n${started.authorizationUrl}\n`);
+		if (open) await openBrowser(started.authorizationUrl);
+		writeOut("Complete authentication in your browser. The server callback will store credentials.\n");
+		return;
+	}
+	if (started.authenticated) writeOut(`Authenticated \`${serverId}\`.\n`);
+}
+function requireRemoteClientForTarget(io) {
+	const remote = remoteClientForCli(io);
+	if (!remote) throw new CapletsError("REQUEST_INVALID", "--remote requires CAPLETS_MODE=remote and CAPLETS_SERVER_URL");
+	return remote;
+}
 function collect(value, previous) {
 	previous.push(value);
 	return previous;
@@ -10015,8 +10163,10 @@ function parseQualifiedTarget(capletOrTarget, toolArgument) {
 async function completeCliWordsLocally(words, options) {
 	const engine = new CapletsEngine({
 		...options.configPath ? { configPath: options.configPath } : {},
+		...options.projectConfigPath ? { projectConfigPath: options.projectConfigPath } : {},
 		...options.authDir ? { authDir: options.authDir } : {},
-		watch: false
+		watch: false,
+		...options.config ? { configLoader: () => options.config } : {}
 	});
 	try {
 		return await engine.completeCliWords(words);
@@ -10024,6 +10174,34 @@ async function completeCliWordsLocally(words, options) {
 		await engine.close();
 	}
 }
+function mergeCompletionSuggestions(...groups) {
+	return [...new Set(groups.flat())];
+}
+function localShadowedCompletionTarget(words, config) {
+	const command = words[0];
+	const target = words[1];
+	if (!command || !target || target.startsWith("-")) return;
+	const qualifiedCommands = new Set([
+		cliCommands.getTool,
+		cliCommands.callTool,
+		cliCommands.getPrompt
+	]);
+	const capletCommands = new Set([
+		cliCommands.getCaplet,
+		cliCommands.checkBackend,
+		cliCommands.listTools,
+		cliCommands.searchTools,
+		cliCommands.listResources,
+		cliCommands.searchResources,
+		cliCommands.listResourceTemplates,
+		cliCommands.readResource,
+		cliCommands.listPrompts,
+		cliCommands.searchPrompts,
+		cliCommands.complete
+	]);
+	const caplet = qualifiedCommands.has(command) ? target.slice(0, target.includes(".") ? target.indexOf(".") : target.length) : capletCommands.has(command) ? target : void 0;
+	return caplet && hasEnabledCaplet(config, caplet) ? caplet : void 0;
+}
 function parseCallToolArgs(value) {
 	if (value === void 0) return {};
 	let parsed;
@@ -10064,6 +10242,11 @@ function isPlainObject(value) {
 async function executeOperation(caplet, request, io) {
 	const command = remoteCommandForOperation(request.operation);
 	if (io.remote && command) {
+		const localOverlay = tryLoadLocalOverlayForCli(io, io.writeErr);
+		if (localOverlay && hasEnabledCaplet(localOverlay.config, caplet)) {
+			await executeLocalOperation(caplet, request, io, localOverlay.config);
+			return;
+		}
 		const result = await io.remote.request(command, {
 			caplet,
 			request
@@ -10076,12 +10259,119 @@ async function executeOperation(caplet, request, io) {
 		if (isPlainObject(result) && result.isError === true) io.setExitCode(1);
 		return;
 	}
+	await executeLocalOperation(caplet, request, io);
+}
+function loadLocalOverlayForCli(io, writeErr) {
+	const env = io.env ?? process.env;
+	const overlay = loadLocalOverlayConfigWithSources(resolveConfigPath(envConfigPath(env)), envProjectConfigPath(env));
+	for (const warning of overlay.warnings) writeErr(`Warning: ${warning.kind} at ${warning.path}: ${warning.message}\n`);
+	return overlay;
+}
+function tryLoadLocalOverlayForCli(io, writeErr) {
+	try {
+		return loadLocalOverlayForCli(io, writeErr);
+	} catch (error) {
+		writeErr(`Warning: Could not load local Caplets overlay: ${formatErrorMessage(error)}\n`);
+		return loadPartialLocalOverlayForCli(io, writeErr);
+	}
+}
+function loadPartialLocalOverlayForCli(io, writeErr) {
+	const env = io.env ?? process.env;
+	const configPath = resolveConfigPath(envConfigPath(env));
+	const projectConfigPath = envProjectConfigPath(env);
+	const absentProjectPath = join(dirname(configPath), ".caplets-overlay-recovery", "config.json");
+	const absentGlobalPath = join(dirname(projectConfigPath), ".caplets-overlay-recovery", "config.json");
+	const globalOverlay = tryLoadPartialOverlayLayer("global", configPath, absentProjectPath, writeErr);
+	const projectOverlay = tryLoadPartialOverlayLayer("project", absentGlobalPath, projectConfigPath, writeErr);
+	if (!globalOverlay) return projectOverlay;
+	if (!projectOverlay) return globalOverlay;
+	return mergePartialLocalOverlays(globalOverlay, projectOverlay);
+}
+function tryLoadPartialOverlayLayer(label, configPath, projectConfigPath, writeErr) {
+	try {
+		const overlay = loadLocalOverlayConfigWithSources(configPath, projectConfigPath);
+		for (const warning of overlay.warnings) writeErr(`Warning: ${warning.kind} at ${warning.path}: ${warning.message}\n`);
+		return overlay;
+	} catch (error) {
+		writeErr(`Warning: Could not load ${label} Caplets overlay: ${formatErrorMessage(error)}\n`);
+		return;
+	}
+}
+function mergePartialLocalOverlays(globalOverlay, projectOverlay) {
+	const config = { ...globalOverlay.config };
+	const sources = { ...globalOverlay.sources };
+	const shadows = { ...globalOverlay.shadows };
+	for (const kind of capletConfigKinds) config[kind] = { ...globalOverlay.config[kind] };
+	for (const kind of capletConfigKinds) for (const id of Object.keys(projectOverlay.config[kind])) {
+		removeCapletFromPartialOverlay(config, sources, shadows, id);
+		config[kind][id] = projectOverlay.config[kind][id];
+	}
+	for (const [id, source] of Object.entries(projectOverlay.sources)) sources[id] = source;
+	for (const [id, shadowedSources] of Object.entries(projectOverlay.shadows)) shadows[id] = [...shadows[id] ?? [], ...shadowedSources];
+	return {
+		config,
+		sources,
+		shadows,
+		warnings: [...globalOverlay.warnings, ...projectOverlay.warnings]
+	};
+}
+const capletConfigKinds = [
+	"mcpServers",
+	"openapiEndpoints",
+	"graphqlEndpoints",
+	"httpApis",
+	"cliTools",
+	"capletSets"
+];
+function removeCapletFromPartialOverlay(config, sources, shadows, id) {
+	for (const kind of capletConfigKinds) delete config[kind][id];
+	if (sources[id]) shadows[id] = [...shadows[id] ?? [], sources[id]];
+	delete sources[id];
+}
+function formatErrorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+function envProjectConfigPath(env) {
+	return env.CAPLETS_PROJECT_CONFIG?.trim() || resolveProjectConfigPath();
+}
+function envProjectCapletsRoot(env) {
+	const projectConfigPath = env.CAPLETS_PROJECT_CONFIG?.trim();
+	return projectConfigPath ? dirname(projectConfigPath) : resolveProjectCapletsRoot();
+}
+function mergeRemoteAndLocalRows(remoteRows, localOverlay, options) {
+	const rows = /* @__PURE__ */ new Map();
+	for (const row of remoteRows) rows.set(row.server, {
+		...row,
+		source: "remote"
+	});
+	if (!localOverlay) return [...rows.values()].filter((row) => options.includeDisabled || !row.disabled).sort((left, right) => left.server.localeCompare(right.server));
+	for (const row of listCaplets(localOverlay, { includeDisabled: true })) {
+		if (rows.get(row.server)) {
+			if (row.disabled) continue;
+			options.writeErr(`Warning: ${formatOverlaySource(row.source)} Caplet ${row.server} shadows remote Caplet\n`);
+		}
+		rows.set(row.server, row);
+	}
+	return [...rows.values()].filter((row) => options.includeDisabled || !row.disabled).sort((left, right) => left.server.localeCompare(right.server));
+}
+function formatOverlaySource(kind) {
+	if (kind.startsWith("project")) return "project";
+	if (kind.startsWith("global")) return "global";
+	return kind;
+}
+function hasEnabledCaplet(config, id) {
+	const caplet = config.mcpServers[id] ?? config.openapiEndpoints[id] ?? config.graphqlEndpoints[id] ?? config.httpApis[id] ?? config.cliTools[id] ?? config.capletSets[id];
+	return Boolean(caplet && !caplet.disabled);
+}
+async function executeLocalOperation(caplet, request, io, config) {
 	const configPath = envConfigPath(io.env ?? process.env);
 	const engine = new CapletsEngine({
 		...configPath ? { configPath } : {},
+		projectConfigPath: envProjectConfigPath(io.env ?? process.env),
 		...io.authDir ? { authDir: io.authDir } : {},
 		watch: false,
-		writeErr: io.writeErr
+		writeErr: io.writeErr,
+		...config ? { configLoader: () => config } : {}
 	});
 	try {
 		const result = await engine.execute(caplet, request);
@@ -10436,8 +10726,8 @@ function schemaSummary(schema) {
 		required.length > 0 ? `required ${required.join(", ")}` : "no required fields"
 	].filter((part) => Boolean(part)).join("; ");
 }
-function addDestinationRoot(options, configPath) {
-	return options.global ? resolveCapletsRoot(resolveConfigPath(configPath)) : resolveProjectCapletsRoot();
+function addDestinationRoot(target, configPath, env) {
+	return target === "global" ? resolveCapletsRoot(resolveConfigPath(configPath)) : envProjectCapletsRoot(env);
 }
 function writeAddResult(writeOut, label, result) {
 	if (result.path) {