@caplets/core 0.24.1 → 0.25.0

package/dist/{service-Cvnuu9wr.js → service-DjwB8aiW.js}

@@ -14,7 +14,6 @@ import { homedir } from "node:os";
 import { readFile } from "node:fs/promises";
 import ts from "typescript";
 import { getQuickJS, shouldInterruptAfterDeadline } from "quickjs-emscripten";
-import { Buffer as Buffer$1 } from "node:buffer";
 //#region \0rolldown/runtime.js
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -18627,8 +18626,8 @@ function compactToolSafetyHints(tool) {
 	};
 }
 function compactToolSchemaHints(tool) {
-	const schema = isRecord$5(tool.inputSchema) ? tool.inputSchema : void 0;
-	const properties = isRecord$5(schema?.properties) ? schema.properties : {};
+	const schema = isRecord$7(tool.inputSchema) ? tool.inputSchema : void 0;
+	const properties = isRecord$7(schema?.properties) ? schema.properties : {};
 	const acceptedArgs = Object.keys(properties).sort();
 	const requiredArgs = Array.isArray(schema?.required) ? schema.required.filter((value) => typeof value === "string").sort() : [];
 	const argsTemplate = compactArgsTemplate(properties, requiredArgs, acceptedArgs);
@@ -18652,7 +18651,7 @@ function compactArgsTemplate(properties, requiredArgs, acceptedArgs) {
 	if (templateArgs.length === 0 || templateArgs.length > 4) return void 0;
 	if (requiredArgs.length === 0 && acceptedArgs.length > 3) return void 0;
 	const entries = templateArgs.flatMap((name) => {
-		const value = placeholderForSchema(isRecord$5(properties[name]) ? properties[name] : void 0);
+		const value = placeholderForSchema(isRecord$7(properties[name]) ? properties[name] : void 0);
 		return value === void 0 ? [] : [[name, value]];
 	});
 	return entries.length === templateArgs.length ? Object.fromEntries(entries) : void 0;
@@ -18672,13 +18671,13 @@ function placeholderForSchema(schema) {
 	}
 }
 function compactToolSelectionHints(tool) {
-	if (!isRecord$5(tool)) return {};
+	if (!isRecord$7(tool)) return {};
 	return {
 		...typeof tool.useWhen === "string" && tool.useWhen.trim() ? { useWhen: tool.useWhen.trim() } : {},
 		...typeof tool.avoidWhen === "string" && tool.avoidWhen.trim() ? { avoidWhen: tool.avoidWhen.trim() } : {}
 	};
 }
-function isRecord$5(value) {
+function isRecord$7(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
 function sameServerConfig(left, right) {
@@ -18753,7 +18752,7 @@ function markdownCallToolResultContent(result, context = {}) {
 	return textContent(renderStructuredMarkdown(result, context));
 }
 function hasRenderableStructuredContent(value) {
-	if (!isRecord$4(value)) return false;
+	if (!isRecord$6(value)) return false;
 	return Object.keys(value).some((key) => key !== "caplets" && key !== "elapsedMs");
 }
 function renderStructuredMarkdown(value, context) {
@@ -18887,13 +18886,13 @@ function renderErrorMarkdown(value, title) {
 	].join("\n");
 }
 function isDiscoveryWrapper(value) {
-	return isRecord$4(value) && "result" in value;
+	return isRecord$6(value) && "result" in value;
 }
 function isErrorStructuredContent(value) {
-	return isRecord$4(value) && "error" in value;
+	return isRecord$6(value) && "error" in value;
 }
 function isHttpLikeResult(value) {
-	return isRecord$4(value) && ("status" in value || "statusText" in value || "body" in value);
+	return isRecord$6(value) && ("status" in value || "statusText" in value || "body" in value);
 }
 function isGraphQlHttpResult(value) {
 	if (!isHttpLikeResult(value)) return false;
@@ -18901,7 +18900,7 @@ function isGraphQlHttpResult(value) {
 	return Boolean(body && ("data" in body || "errors" in body));
 }
 function isCliResult(value) {
-	return isRecord$4(value) && ("exitCode" in value || "stdout" in value || "stderr" in value);
+	return isRecord$6(value) && ("exitCode" in value || "stdout" in value || "stderr" in value);
 }
 function renderBodyValue(value) {
 	if (value === void 0) return "_No response body._";
@@ -18969,8 +18968,8 @@ function compactListHints(record) {
 	const acceptedArgs = stringArrayValue(record.acceptedArgs);
 	if (requiredArgs.length > 0) hints.push(`required args: ${requiredArgs.join(", ")}`);
 	else if (acceptedArgs.length > 0) hints.push(`args: ${acceptedArgs.join(", ")}`);
-	if (isRecord$4(record.argsTemplate)) hints.push(`args template: ${compactJsonText(record.argsTemplate, 160)}`);
-	if (isRecord$4(record.callTemplate)) hints.push(`call: ${compactJsonText(record.callTemplate, 220)}`);
+	if (isRecord$6(record.argsTemplate)) hints.push(`args template: ${compactJsonText(record.argsTemplate, 160)}`);
+	if (isRecord$6(record.callTemplate)) hints.push(`call: ${compactJsonText(record.callTemplate, 220)}`);
 	if (record.supportsFields === true) hints.push("supports fields");
 	if (record.readOnlyHint === true) hints.push("read-only");
 	if (record.destructiveHint === true) hints.push("destructive");
@@ -19040,9 +19039,9 @@ function humanizeKey(key) {
 	return key.replace(/([A-Z])/gu, " $1").replace(/^./u, (char) => char.toUpperCase());
 }
 function asRecord$3(value) {
-	return isRecord$4(value) ? value : void 0;
+	return isRecord$6(value) ? value : void 0;
 }
-function isRecord$4(value) {
+function isRecord$6(value) {
 	return Boolean(value && typeof value === "object" && !Array.isArray(value));
 }
 //#endregion
@@ -28017,17 +28016,17 @@ function googleDiscoveryScopesForOperations(operations) {
 	return [...new Set(operations.flatMap((operation) => operation.scopes))].sort();
 }
 function validateGoogleDiscoveryDocument(value) {
-	if (!isRecord$3(value)) throw new Error("Invalid Google Discovery document: expected an object");
+	if (!isRecord$5(value)) throw new Error("Invalid Google Discovery document: expected an object");
 	if (value.kind !== void 0 && value.kind !== "discovery#restDescription") throw new Error("Invalid Google Discovery document: expected kind discovery#restDescription");
-	if (value.resources !== void 0 && !isRecord$3(value.resources)) throw new Error("Invalid Google Discovery document: expected resources object");
-	if (value.methods !== void 0 && !isRecord$3(value.methods)) throw new Error("Invalid Google Discovery document: expected methods object");
-	if (!isRecord$3(value.resources) && !isRecord$3(value.methods)) throw new Error("Invalid Google Discovery document: expected resources or methods object");
-	if (value.schemas !== void 0 && !isRecord$3(value.schemas)) throw new Error("Invalid Google Discovery document: expected schemas object");
-	if (value.parameters !== void 0 && !isRecord$3(value.parameters)) throw new Error("Invalid Google Discovery document: expected parameters object");
+	if (value.resources !== void 0 && !isRecord$5(value.resources)) throw new Error("Invalid Google Discovery document: expected resources object");
+	if (value.methods !== void 0 && !isRecord$5(value.methods)) throw new Error("Invalid Google Discovery document: expected methods object");
+	if (!isRecord$5(value.resources) && !isRecord$5(value.methods)) throw new Error("Invalid Google Discovery document: expected resources or methods object");
+	if (value.schemas !== void 0 && !isRecord$5(value.schemas)) throw new Error("Invalid Google Discovery document: expected schemas object");
+	if (value.parameters !== void 0 && !isRecord$5(value.parameters)) throw new Error("Invalid Google Discovery document: expected parameters object");
 	return value;
 }
 function collectDocumentMethods(document) {
-	return [...Object.entries(document.methods ?? {}).filter((entry) => isRecord$3(entry[1])).map(([methodKey, method]) => ({
+	return [...Object.entries(document.methods ?? {}).filter((entry) => isRecord$5(entry[1])).map(([methodKey, method]) => ({
 		resourcePath: [],
 		methodKey,
 		method
@@ -28036,9 +28035,9 @@ function collectDocumentMethods(document) {
 function collectMethods(resources, resourcePath = []) {
 	const entries = [];
 	for (const [resourceName, resource] of Object.entries(resources)) {
-		if (!isRecord$3(resource)) continue;
+		if (!isRecord$5(resource)) continue;
 		const nextPath = [...resourcePath, resourceName];
-		for (const [methodKey, method] of Object.entries(resource.methods ?? {})) if (isRecord$3(method)) entries.push({
+		for (const [methodKey, method] of Object.entries(resource.methods ?? {})) if (isRecord$5(method)) entries.push({
 			resourcePath: nextPath,
 			methodKey,
 			method
@@ -28211,7 +28210,7 @@ function globMatches(pattern, name) {
 function isJsonSchemaObject(value) {
 	return value.type === "object" || "properties" in value || "additionalProperties" in value;
 }
-function isRecord$3(value) {
+function isRecord$5(value) {
 	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function collapseWhitespace(value) {
@@ -63435,7 +63434,7 @@ var CapletsEngine = class {
 		}
 	}
 	async completeCliWords(words) {
-		const { completeCliWords } = await import("./completion-BeVXdm9q.js").then((n) => n.r);
+		const { completeCliWords } = await import("./completion-DrPr2vYw.js").then((n) => n.r);
 		return await completeCliWords(words, {
 			config: this.registry.config,
 			managers: {
@@ -63725,7 +63724,7 @@ function annotateDirectResult(result, caplet, operation) {
 	return {
 		...result,
 		_meta: {
-			...isRecord$2(existingMeta) ? existingMeta : {},
+			...isRecord$4(existingMeta) ? existingMeta : {},
 			caplets: {
 				capletId: caplet.server,
 				backend: caplet.backend,
@@ -63738,7 +63737,7 @@ function annotateDirectResult(result, caplet, operation) {
 function isUnsupportedCapability(error) {
 	return error instanceof CapletsError && error.code === "UNSUPPORTED_CAPABILITY";
 }
-function isRecord$2(value) {
+function isRecord$4(value) {
 	return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 //#endregion
@@ -79735,32 +79734,18 @@ function nativeCapletToolDescription(toolName, caplet) {
 }
 //#endregion
 //#region src/server/options.ts
-const DEFAULT_SERVER_USER = "caplets";
 function resolveCapletsServer(input = {}, env = process.env) {
 	const rawUrl = nonEmpty$1(input.url, "url") ?? nonEmpty$1(env.CAPLETS_SERVER_URL, "CAPLETS_SERVER_URL");
 	if (rawUrl === void 0) throw new CapletsError("REQUEST_INVALID", "CAPLETS_SERVER_URL or url is required.");
 	const baseUrl = parseServerBaseUrl(rawUrl);
-	const userWasExplicit = input.user !== void 0 || hasEnv$1(env.CAPLETS_SERVER_USER);
-	const user = nonEmpty$1(input.user, "user") ?? nonEmpty$1(env.CAPLETS_SERVER_USER, "CAPLETS_SERVER_USER") ?? DEFAULT_SERVER_USER;
-	const password = nonEmpty$1(input.password, "password") ?? nonEmpty$1(env.CAPLETS_SERVER_PASSWORD, "CAPLETS_SERVER_PASSWORD");
-	if (userWasExplicit && password === void 0) throw new CapletsError("REQUEST_INVALID", "Caplets server Basic Auth requires a password; set CAPLETS_SERVER_PASSWORD or password.");
-	const auth = password === void 0 ? {
-		enabled: false,
-		user
-	} : {
-		enabled: true,
-		user,
-		password
-	};
-	const requestInit = auth.enabled ? { headers: { Authorization: basicAuthHeader$1(auth.user, auth.password) } } : {};
 	return {
 		baseUrl,
 		mcpUrl: mcpUrlForBase(baseUrl),
 		attachUrl: attachUrlForBase(baseUrl),
 		controlUrl: controlUrlForBase(baseUrl),
 		healthUrl: healthUrlForBase(baseUrl),
-		auth,
-		requestInit,
+		auth: { type: "none" },
+		requestInit: {},
 		...input.fetch ? { fetch: input.fetch } : {}
 	};
 }
@@ -79797,18 +79782,12 @@ function isLoopbackHost(host) {
 	const normalized = host.toLocaleLowerCase();
 	return normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1" || normalized === "[::1]";
 }
-function basicAuthHeader$1(user, password) {
-	return `Basic ${Buffer$1.from(`${user}:${password}`).toString("base64")}`;
-}
 function nonEmpty$1(value, label) {
 	if (value === void 0) return;
 	const trimmed = value.trim();
 	if (!trimmed) throw new CapletsError("REQUEST_INVALID", `${label} must not be empty`);
 	return trimmed;
 }
-function hasEnv$1(value) {
-	return value !== void 0 && value.trim() !== "";
-}
 //#endregion
 //#region src/remote/options.ts
 const DEFAULT_REMOTE_USER = "caplets";
@@ -79832,25 +79811,16 @@ function resolveCapletsRemote(input = {}, env = process.env) {
 	const rawUrl = nonEmpty(input.url, "url") ?? nonEmpty(env.CAPLETS_REMOTE_URL, "CAPLETS_REMOTE_URL");
 	if (rawUrl === void 0) throw new CapletsError("REQUEST_INVALID", "CAPLETS_REMOTE_URL or url is required.");
 	const baseUrl = parseServerBaseUrl(rawUrl);
-	const token = nonEmpty(input.token, "token") ?? nonEmpty(env.CAPLETS_REMOTE_TOKEN, "CAPLETS_REMOTE_TOKEN");
-	const userWasExplicit = input.user !== void 0 || hasEnv(env.CAPLETS_REMOTE_USER);
-	const user = nonEmpty(input.user, "user") ?? nonEmpty(env.CAPLETS_REMOTE_USER, "CAPLETS_REMOTE_USER") ?? DEFAULT_REMOTE_USER;
-	const password = nonEmpty(input.password, "password") ?? nonEmpty(env.CAPLETS_REMOTE_PASSWORD, "CAPLETS_REMOTE_PASSWORD");
+	const token = nonEmpty(input.token, "token");
 	const workspace = nonEmpty(input.workspace, "workspace") ?? nonEmpty(env.CAPLETS_REMOTE_WORKSPACE, "CAPLETS_REMOTE_WORKSPACE");
-	if (token && password) throw new CapletsError("REQUEST_INVALID", "Use either CAPLETS_REMOTE_TOKEN or CAPLETS_REMOTE_PASSWORD, not both.");
-	if (!token && userWasExplicit && password === void 0) throw new CapletsError("REQUEST_INVALID", "Remote Caplets Basic Auth requires a password; set CAPLETS_REMOTE_PASSWORD or password.");
 	const auth = token ? {
 		type: "bearer",
 		token
-	} : password === void 0 ? {
-		type: "none",
-		user
 	} : {
-		type: "basic",
-		user,
-		password
+		type: "none",
+		user: DEFAULT_REMOTE_USER
 	};
-	const requestInit = auth.type === "bearer" ? { headers: { Authorization: `Bearer ${auth.token}` } } : auth.type === "basic" ? { headers: { Authorization: basicAuthHeader(auth.user, auth.password) } } : {};
+	const requestInit = auth.type === "bearer" ? { headers: { Authorization: `Bearer ${auth.token}` } } : {};
 	return {
 		baseUrl,
 		mcpUrl: appendBasePath(baseUrl, "v1/mcp"),
@@ -79870,7 +79840,7 @@ function resolveHostedCloudRemote(input = {}, env = process.env) {
 	const cloud = parseHostedCloudRemoteUrl(rawUrl);
 	const workspace = cloud.workspace ?? nonEmpty(input.workspace, "workspace") ?? nonEmpty(env.CAPLETS_REMOTE_WORKSPACE, "CAPLETS_REMOTE_WORKSPACE");
 	if (!workspace) throw new CapletsError("REQUEST_INVALID", "Caplets Cloud remote URL requires a selected workspace.");
-	const token = nonEmpty(input.token, "token") ?? nonEmpty(env.CAPLETS_REMOTE_TOKEN, "CAPLETS_REMOTE_TOKEN");
+	const token = nonEmpty(input.token, "token");
 	const auth = token ? {
 		type: "bearer",
 		token
@@ -79900,6 +79870,11 @@ function hostedCloudWorkspaceFromRemoteUrl(value) {
 		return;
 	}
 }
+function normalizeRemoteProfileHostUrl(value) {
+	const url = parseServerBaseUrl(value);
+	if (isCapletsCloudUrl(url.toString())) return `${url.origin}/`;
+	return url.toString();
+}
 function projectBindingWebSocketUrlForBase(baseUrl) {
 	return webSocketUrl(appendBasePath(baseUrl, "v1/attach/project-bindings/connect"));
 }
@@ -79937,18 +79912,12 @@ function parseCapletsMode(value) {
 	if (value === "auto" || value === "local" || value === "remote" || value === "cloud") return value;
 	throw new CapletsError("REQUEST_INVALID", `Expected CAPLETS_MODE to be auto, local, remote, or cloud, got ${value}`);
 }
-function basicAuthHeader(user, password) {
-	return `Basic ${Buffer$1.from(`${user}:${password}`).toString("base64")}`;
-}
 function nonEmpty(value, label) {
 	if (value === void 0) return void 0;
 	const trimmed = value.trim();
 	if (!trimmed) throw new CapletsError("REQUEST_INVALID", `${label} must not be empty`);
 	return trimmed;
 }
-function hasEnv(value) {
-	return value !== void 0 && value.trim() !== "";
-}
 //#endregion
 //#region src/native/options.ts
 const DEFAULT_POLL_INTERVAL_MS = 3e4;
@@ -79960,7 +79929,11 @@ function resolveNativeCapletsServiceOptions(input = {}, env = process.env) {
 	}, env);
 	if (mode.mode === "local") return { mode: "local" };
 	const remoteFetch = input.remote?.fetch;
-	const server = mode.mode === "cloud" ? resolveNativeHostedCloudRemote(input.remote?.url ?? env.CAPLETS_REMOTE_URL ?? "", optionalWorkspace(input, env).workspace, remoteFetch) : resolveCapletsRemote(input.remote, env);
+	const server = mode.mode === "cloud" ? resolveNativeHostedCloudRemoteOrPlaceholder(input.remote?.url ?? env.CAPLETS_REMOTE_URL ?? "", optionalWorkspace(input, env).workspace, remoteFetch) : resolveCapletsRemote({
+		...input.remote?.url ? { url: input.remote.url } : {},
+		...input.remote?.workspace ? { workspace: input.remote.workspace } : {},
+		...remoteFetch ? { fetch: remoteFetch } : {}
+	}, env);
 	const cloud = resolveNativeCloudPresence(input.remote?.cloud, env);
 	return {
 		mode: mode.mode,
@@ -79981,16 +79954,19 @@ function resolveNativeHostedCloudRemote(url, workspace, fetch) {
 		...fetch ? { fetch } : {}
 	});
 }
+function resolveNativeHostedCloudRemoteOrPlaceholder(url, workspace, fetch) {
+	if (!isCapletsCloudUrl(url)) throw new CapletsError("REQUEST_INVALID", "CAPLETS_MODE=cloud requires Caplets Cloud.");
+	if (workspace) return resolveNativeHostedCloudRemote(url, workspace, fetch);
+	return resolveCapletsRemote({
+		url,
+		...fetch ? { fetch } : {}
+	}, {});
+}
 function optionalWorkspace(input, env) {
 	const workspace = input.remote?.cloud?.workspaceId ?? input.remote?.workspace ?? env.CAPLETS_REMOTE_WORKSPACE ?? env.CAPLETS_CLOUD_WORKSPACE_ID;
 	return workspace ? { workspace } : {};
 }
 function nativeAuthFromRemoteAuth$1(auth) {
-	if (auth.type === "basic") return {
-		enabled: true,
-		user: auth.user,
-		password: auth.password
-	};
 	if (auth.type === "none") return {
 		enabled: false,
 		user: auth.user
@@ -80314,45 +80290,79 @@ function projectSyncFiles(projectRoot) {
 //#endregion
 //#region src/native/remote.ts
 function createSdkRemoteCapletsClient(options) {
-	const fetchImpl = options.fetch ?? fetch;
 	const listeners = /* @__PURE__ */ new Set();
 	let manifest;
 	let exportByName = /* @__PURE__ */ new Map();
 	let eventsAbort;
+	let eventsStartInFlight;
 	let eventsReconnectTimer;
+	let closed = false;
+	const resolveRuntimeOptions = async () => {
+		return options.resolveRuntimeOptions ? await options.resolveRuntimeOptions() : options;
+	};
+	const fetchFor = (runtimeOptions) => runtimeOptions.fetch ?? fetch;
+	const fetchCurrentManifest = async () => {
+		const runtimeOptions = await resolveRuntimeOptions();
+		return await fetchAttachManifest(runtimeOptions.url, runtimeOptions.requestInit, fetchFor(runtimeOptions));
+	};
+	const invokeCurrentExport = async (body) => {
+		const runtimeOptions = await resolveRuntimeOptions();
+		return await invokeAttachExport(runtimeOptions.url, runtimeOptions.requestInit, fetchFor(runtimeOptions), body);
+	};
 	const clearEventsReconnectTimer = () => {
 		if (eventsReconnectTimer) {
 			clearTimeout(eventsReconnectTimer);
 			eventsReconnectTimer = void 0;
 		}
 	};
+	const scheduleEventsReconnect = () => {
+		if (closed || listeners.size === 0) return;
+		clearEventsReconnectTimer();
+		eventsReconnectTimer = setTimeout(() => {
+			eventsReconnectTimer = void 0;
+			startEvents();
+		}, 1e3);
+	};
+	const startEventsNow = async () => {
+		try {
+			const runtimeOptions = await resolveRuntimeOptions();
+			if (closed || eventsAbort || listeners.size === 0) return;
+			eventsAbort = startAttachEvents(runtimeOptions.url, runtimeOptions.requestInit, fetchFor(runtimeOptions), listeners, (closedAbort, retry) => {
+				if (eventsAbort !== closedAbort) return;
+				eventsAbort = void 0;
+				if (!retry || closedAbort.signal.aborted || listeners.size === 0) return;
+				scheduleEventsReconnect();
+			});
+		} catch (error) {
+			if (isPermanentRemoteCredentialsError(error)) {
+				options.writeErr?.(`${remoteAuthError(options.authKind ?? "self_hosted_remote").message}\n`);
+				return;
+			}
+			scheduleEventsReconnect();
+		}
+	};
 	const startEvents = () => {
-		if (eventsAbort || listeners.size === 0) return;
-		eventsAbort = startAttachEvents(options.url, options.requestInit, fetchImpl, listeners, (closedAbort, retry) => {
-			if (eventsAbort !== closedAbort) return;
-			eventsAbort = void 0;
-			if (!retry || closedAbort.signal.aborted || listeners.size === 0) return;
-			clearEventsReconnectTimer();
-			eventsReconnectTimer = setTimeout(() => {
-				eventsReconnectTimer = void 0;
-				startEvents();
-			}, 1e3);
+		if (closed || eventsAbort || eventsStartInFlight || listeners.size === 0) return;
+		const start = startEventsNow();
+		eventsStartInFlight = start;
+		start.finally(() => {
+			if (eventsStartInFlight === start) eventsStartInFlight = void 0;
 		});
 	};
 	return {
 		async listTools() {
-			manifest = await fetchAttachManifest(options.url, options.requestInit, fetchImpl);
+			manifest = await fetchCurrentManifest();
 			exportByName = exportMapFor(manifest);
 			return toolsFromManifest(manifest);
 		},
 		async callTool(name, args) {
 			if (!manifest) {
-				manifest = await fetchAttachManifest(options.url, options.requestInit, fetchImpl);
+				manifest = await fetchCurrentManifest();
 				exportByName = exportMapFor(manifest);
 			}
 			const invokeWithStaleRetry = async (entry, input) => {
 				try {
-					return await invokeAttachExport(options.url, options.requestInit, fetchImpl, {
+					return await invokeCurrentExport({
 						revision: manifest.revision,
 						kind: entry.kind,
 						exportId: entry.exportId,
@@ -80360,12 +80370,12 @@ function createSdkRemoteCapletsClient(options) {
 					});
 				} catch (error) {
 					if (!isAttachManifestStale(error)) throw error;
-					const nextManifest = await fetchAttachManifest(options.url, options.requestInit, fetchImpl);
+					const nextManifest = await fetchCurrentManifest();
 					const nextEntry = compatibleExport(nextManifest, entry);
 					manifest = nextManifest;
 					exportByName = exportMapFor(nextManifest);
 					if (!nextEntry) throw new CapletsError("ATTACH_EXPORT_NOT_FOUND", "Attach export changed after manifest refresh; refetch the manifest before retrying.");
-					return await invokeAttachExport(options.url, options.requestInit, fetchImpl, {
+					return await invokeCurrentExport({
 						revision: nextManifest.revision,
 						kind: nextEntry.kind,
 						exportId: nextEntry.exportId,
@@ -80394,6 +80404,7 @@ function createSdkRemoteCapletsClient(options) {
 			};
 		},
 		async close() {
+			closed = true;
 			clearEventsReconnectTimer();
 			eventsAbort?.abort();
 			eventsAbort = void 0;
@@ -80990,7 +81001,7 @@ function errorMessage$1(error) {
 	return error instanceof Error ? error.message : String(error);
 }
 function remoteAuthError(kind) {
-	return new CapletsError("AUTH_FAILED", kind === "hosted_cloud" ? "Caplets Cloud authentication failed; run caplets cloud auth login." : "Remote Caplets authentication failed; check CAPLETS_REMOTE_TOKEN or CAPLETS_REMOTE_USER and CAPLETS_REMOTE_PASSWORD.");
+	return new CapletsError("AUTH_FAILED", kind === "hosted_cloud" ? "Caplets Cloud authentication failed; run caplets remote login <cloud-url>." : "Remote Caplets authentication failed; run caplets remote login <url>.");
 }
 function isSessionFailure(error) {
 	const candidate = error;
@@ -81007,6 +81018,15 @@ function isAuthFailure(error) {
 	if (status === 401 || status === 403 || statusCode === 401 || statusCode === 403 || code === 401 || code === 403) return true;
 	return /\b(401|403|unauthorized|forbidden)\b/iu.test(errorMessage$1(error));
 }
+function isPermanentRemoteCredentialsError(error) {
+	const candidate = error;
+	if (candidate?.projectBindingCode === "remote_credentials_required" || candidate?.projectBindingCode === "remote_auth_failed") return true;
+	if (isPlainObject(candidate?.details)) {
+		const code = candidate.details.code;
+		if (code === "remote_credentials_required" || code === "remote_auth_failed") return true;
+	}
+	return isAuthFailure(error);
+}
 //#endregion
 //#region src/cloud-auth/errors.ts
 const SECRET_PATTERN = /(cap_access_[a-z0-9._~+/=-]+|cap_refresh_[a-z0-9._~+/=-]+|one_time_code_[a-z0-9._~+/=-]+|Bearer\s+)[^\s"]*/giu;
@@ -81107,7 +81127,7 @@ var CloudAuthClient = class {
 			throw new CapletsError("AUTH_FAILED", message, redactCloudAuthSecrets({
 				code,
 				message,
-				recoveryCommand: code === "workspace_switch_required" ? "caplets cloud auth switch <workspace>" : "caplets cloud auth login",
+				recoveryCommand: code === "workspace_switch_required" ? "caplets remote login <cloud-url> --workspace <workspace>" : "caplets remote login <cloud-url>",
 				requestId
 			}));
 		}
@@ -81147,6 +81167,78 @@ function normalizeCredentials(response, fallbackCloudUrl) {
 	};
 }
 //#endregion
+//#region src/project-binding/errors.ts
+const PROJECT_BINDING_ERROR_CODES = [
+	"cloud_auth_required",
+	"cloud_auth_expired",
+	"cloud_auth_revoked",
+	"workspace_selection_required",
+	"workspace_switch_required",
+	"workspace_forbidden",
+	"project_binding_forbidden",
+	"endpoint_unavailable",
+	"websocket_upgrade_required",
+	"sync_required",
+	"sync_failed",
+	"sync_size_limit_exceeded",
+	"lease_conflict",
+	"lease_expired",
+	"policy_denied",
+	"usage_limit_reached",
+	"billing_required",
+	"subscription_past_due",
+	"email_verification_required",
+	"remote_credentials_required",
+	"remote_auth_failed"
+];
+var ProjectBindingError = class extends CapletsError {
+	projectBindingCode;
+	recoveryCommand;
+	requestId;
+	constructor(input) {
+		super("SERVER_UNAVAILABLE", input.message, input);
+		this.name = "ProjectBindingError";
+		this.projectBindingCode = input.code;
+		this.recoveryCommand = input.recoveryCommand;
+		this.requestId = input.requestId;
+	}
+};
+function projectBindingRecovery(code, message = defaultProjectBindingMessage(code)) {
+	return {
+		code,
+		message,
+		recoveryCommand: recoveryCommandFor(code)
+	};
+}
+function projectBindingError(code, message) {
+	return new ProjectBindingError(projectBindingRecovery(code, message));
+}
+function recoveryCommandFor(code) {
+	switch (code) {
+		case "cloud_auth_required":
+		case "cloud_auth_expired":
+		case "cloud_auth_revoked":
+		case "workspace_selection_required": return "caplets remote login <cloud-url>";
+		case "workspace_switch_required": return "caplets remote login <cloud-url> --workspace <workspace>";
+		case "sync_size_limit_exceeded": return "Add exclusions to .capletsignore or upgrade the workspace plan.";
+		case "remote_credentials_required":
+		case "remote_auth_failed": return "caplets remote login <url>";
+		case "endpoint_unavailable":
+		case "websocket_upgrade_required": return "caplets doctor";
+		default: return;
+	}
+}
+function defaultProjectBindingMessage(code) {
+	switch (code) {
+		case "sync_size_limit_exceeded": return "Project sync size exceeds the selected workspace policy.";
+		case "workspace_switch_required": return "The requested workspace differs from the saved Selected Workspace.";
+		case "cloud_auth_required": return "Hosted Project Binding requires Remote Login.";
+		case "endpoint_unavailable":
+		case "websocket_upgrade_required": return "Project Binding endpoint is unavailable.";
+		default: return code.replace(/_/gu, " ");
+	}
+}
+//#endregion
 //#region src/cloud-auth/store.ts
 var CloudAuthStore = class {
 	path;
@@ -81166,7 +81258,7 @@ var CloudAuthStore = class {
 	}
 };
 function migrateCredentials(value) {
-	const record = isRecord$1(value) ? value : {};
+	const record = isRecord$3(value) ? value : {};
 	const now = (/* @__PURE__ */ new Date()).toISOString();
 	return {
 		version: 2,
@@ -81216,7 +81308,7 @@ function cloudAuthPath(options = {}) {
 	if (platform === "win32") return win32.join(defaultConfigBaseDir(env, home, platform), "Caplets", "cloud-auth.json");
 	return posix.join(defaultConfigBaseDir(env, home, platform), "caplets", "cloud-auth.json");
 }
-function isRecord$1(value) {
+function isRecord$3(value) {
 	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 function stringValue(value) {
@@ -81227,79 +81319,567 @@ function arrayValue(value) {
 	if (typeof value === "string") return value.split(/\s+/u).filter(Boolean);
 }
 //#endregion
-//#region src/project-binding/errors.ts
-const PROJECT_BINDING_ERROR_CODES = [
-	"cloud_auth_required",
-	"cloud_auth_expired",
-	"cloud_auth_revoked",
-	"workspace_selection_required",
-	"workspace_switch_required",
-	"workspace_forbidden",
-	"project_binding_forbidden",
-	"endpoint_unavailable",
-	"websocket_upgrade_required",
-	"sync_required",
-	"sync_failed",
-	"sync_size_limit_exceeded",
-	"lease_conflict",
-	"lease_expired",
-	"policy_denied",
-	"usage_limit_reached",
-	"billing_required",
-	"subscription_past_due",
-	"email_verification_required",
-	"remote_credentials_required",
-	"remote_auth_failed"
-];
-var ProjectBindingError = class extends CapletsError {
-	projectBindingCode;
-	recoveryCommand;
-	requestId;
-	constructor(input) {
-		super("SERVER_UNAVAILABLE", input.message, input);
-		this.name = "ProjectBindingError";
-		this.projectBindingCode = input.code;
-		this.recoveryCommand = input.recoveryCommand;
-		this.requestId = input.requestId;
+//#region src/remote/credential-store.ts
+var FileRemoteCredentialStore = class {
+	root;
+	constructor(options = {}) {
+		this.root = options.root ?? join(DEFAULT_AUTH_DIR, "remote-credentials");
+	}
+	pathForKey(key) {
+		return join(this.root, `${encodeURIComponent(key)}.json`);
+	}
+	async load(key) {
+		const path = this.pathForKey(key);
+		if (!existsSync(path)) return void 0;
+		return parseRemoteProfileCredential(JSON.parse(readFileSync(path, "utf8")));
+	}
+	async save(key, credential) {
+		mkdirSync(this.root, {
+			recursive: true,
+			mode: 448
+		});
+		try {
+			chmodSync(this.root, 448);
+		} catch {}
+		const path = this.pathForKey(key);
+		const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+		writeFileSync(tempPath, `${JSON.stringify(credential, null, 2)}\n`, { mode: 384 });
+		try {
+			chmodSync(tempPath, 384);
+		} catch {}
+		renameSync(tempPath, path);
+	}
+	async delete(key) {
+		const path = this.pathForKey(key);
+		if (!existsSync(path)) return false;
+		rmSync(path, { force: true });
+		return true;
 	}
 };
-function projectBindingRecovery(code, message = defaultProjectBindingMessage(code)) {
+function parseRemoteProfileCredential(value) {
+	if (!isRecord$2(value)) return void 0;
 	return {
-		code,
-		message,
-		recoveryCommand: recoveryCommandFor(code)
+		...typeof value.accessToken === "string" ? { accessToken: value.accessToken } : {},
+		...typeof value.refreshToken === "string" ? { refreshToken: value.refreshToken } : {},
+		...typeof value.tokenType === "string" ? { tokenType: value.tokenType } : {},
+		...typeof value.expiresAt === "string" ? { expiresAt: value.expiresAt } : {},
+		...Array.isArray(value.scope) ? { scope: value.scope.filter((entry) => typeof entry === "string") } : {},
+		...typeof value.clientSecret === "string" ? { clientSecret: value.clientSecret } : {},
+		...typeof value.pairingCode === "string" ? { pairingCode: value.pairingCode } : {}
 	};
 }
-function projectBindingError(code, message) {
-	return new ProjectBindingError(projectBindingRecovery(code, message));
+function isRecord$2(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
-function recoveryCommandFor(code) {
-	switch (code) {
-		case "cloud_auth_required":
-		case "cloud_auth_expired":
-		case "cloud_auth_revoked":
-		case "workspace_selection_required": return "caplets cloud auth login";
-		case "workspace_switch_required": return "caplets cloud auth switch <workspace>";
-		case "sync_size_limit_exceeded": return "Add exclusions to .capletsignore or upgrade the workspace plan.";
-		case "remote_credentials_required":
-		case "remote_auth_failed": return "Set CAPLETS_REMOTE_URL and remote credentials.";
-		case "endpoint_unavailable":
-		case "websocket_upgrade_required": return "caplets doctor";
-		default: return;
-	}
+//#endregion
+//#region src/remote/profiles.ts
+function remoteProfileKey(input) {
+	const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+	if (input.kind === "cloud") {
+		const workspace = input.workspace ?? hostedCloudWorkspaceFromRemoteUrl(input.hostUrl);
+		if (!workspace) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a workspace.");
+		return `cloud:${hostUrl}:${workspace}`;
+	}
+	return `self-hosted:${hostUrl}`;
+}
+function selectedWorkspaceKey(hostUrl) {
+	return `cloud:${normalizeRemoteProfileHostUrl(hostUrl)}:selected-workspace`;
+}
+function remoteProfileStatus(input) {
+	const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+	const key = input.key ?? remoteProfileKey({
+		kind: input.kind,
+		hostUrl,
+		workspace: input.workspaceSlug ?? input.workspaceId
+	});
+	const expiresAt = input.credential?.expiresAt;
+	const expired = Number.isFinite(Date.parse(expiresAt ?? "")) ? Date.parse(expiresAt ?? "") <= Date.now() : false;
+	return {
+		authenticated: Boolean(input.credential?.accessToken) && !expired,
+		kind: input.kind,
+		key,
+		hostUrl,
+		...input.workspaceId ? { workspaceId: input.workspaceId } : {},
+		...input.workspaceSlug ? { workspaceSlug: input.workspaceSlug } : {},
+		...input.clientId ? { clientId: input.clientId } : {},
+		selected: Boolean(input.selected),
+		...input.clientLabel ? { clientLabel: input.clientLabel } : {},
+		...input.createdAt ? { createdAt: input.createdAt } : {},
+		...input.updatedAt ? { updatedAt: input.updatedAt } : {},
+		...expiresAt ? { expiresAt } : {},
+		...input.credential?.scope ? { scope: input.credential.scope } : {},
+		...input.credential?.tokenType ? { tokenType: input.credential.tokenType } : {}
+	};
 }
-function defaultProjectBindingMessage(code) {
-	switch (code) {
-		case "sync_size_limit_exceeded": return "Project sync size exceeds the selected workspace policy.";
-		case "workspace_switch_required": return "The requested workspace differs from the saved Selected Workspace.";
-		case "cloud_auth_required": return "Hosted Project Binding requires Cloud Auth.";
-		case "endpoint_unavailable":
-		case "websocket_upgrade_required": return "Project Binding endpoint is unavailable.";
-		default: return code.replace(/_/gu, " ");
+//#endregion
+//#region src/remote/profile-store.ts
+const PROFILE_LOCK_DIR = "remote-profiles.lock";
+const PROFILE_REFRESH_LOCK_DIR = "remote-profile-refresh-locks";
+const PROFILE_LOCK_TIMEOUT_MS = 2e4;
+function createRemoteProfileStore(options = {}) {
+	const env = options.env ?? process.env;
+	return new FileRemoteProfileStore({
+		root: join(options.authDir ?? (env.CAPLETS_CLOUD_AUTH_PATH ? dirname(env.CAPLETS_CLOUD_AUTH_PATH) : void 0) ?? DEFAULT_AUTH_DIR, "remote-profiles"),
+		legacyCloudAuthStore: options.legacyCloudAuthStore ?? new CloudAuthStore(options.authDir ? { path: join(options.authDir, "cloud-auth.json") } : { env })
+	});
+}
+function cloudCredentialsFromRemoteProfile(status, credential) {
+	return {
+		version: 2,
+		cloudUrl: status.hostUrl,
+		workspaceId: status.workspaceId ?? "",
+		...status.workspaceSlug ? { workspaceSlug: status.workspaceSlug } : {},
+		accessToken: credential.accessToken ?? "",
+		refreshToken: credential.refreshToken ?? "",
+		expiresAt: credential.expiresAt ?? (/* @__PURE__ */ new Date(0)).toISOString(),
+		scope: credential.scope,
+		tokenType: credential.tokenType,
+		deviceName: status.clientLabel,
+		createdAt: status.createdAt,
+		lastRefreshAt: status.updatedAt
+	};
+}
+var FileRemoteProfileStore = class {
+	root;
+	credentials;
+	legacyCloudAuthStore;
+	constructor(options = {}) {
+		this.root = options.root ?? join(DEFAULT_AUTH_DIR, "remote-profiles");
+		this.credentials = options.credentials ?? new FileRemoteCredentialStore({ root: join(this.root, "credentials") });
+		this.legacyCloudAuthStore = options.legacyCloudAuthStore;
+	}
+	async saveSelfHostedProfile(input) {
+		return await this.withMutationLock(async () => await this.writeSelfHostedProfile(input));
+	}
+	async getSelfHostedProfileStatus(input) {
+		const key = remoteProfileKey({
+			kind: "self-hosted",
+			hostUrl: normalizeRemoteProfileHostUrl(input.hostUrl)
+		});
+		return this.statusByKey(key, false);
+	}
+	async logoutSelfHostedProfile(input) {
+		return await this.withMutationLock(async () => {
+			const key = remoteProfileKey({
+				kind: "self-hosted",
+				hostUrl: normalizeRemoteProfileHostUrl(input.hostUrl)
+			});
+			if (!this.readProfile(key)) return false;
+			await this.credentials.delete(key);
+			rmSync(this.profilePath(key), { force: true });
+			return true;
+		});
+	}
+	async refreshSelfHostedProfileIfNeeded(input) {
+		const key = remoteProfileKey({
+			kind: "self-hosted",
+			hostUrl: normalizeRemoteProfileHostUrl(input.hostUrl)
+		});
+		return await this.withRefreshLock(key, async () => {
+			const snapshot = await this.withMutationLock(async () => this.selfHostedRefreshSnapshot(key, input));
+			if (!snapshot || !snapshot.needsRefresh) return snapshot?.result;
+			const refreshed = await input.refresh(snapshot.result.status, snapshot.result.credential);
+			return await this.withMutationLock(async () => {
+				const current = await this.selfHostedRefreshSnapshot(key, input);
+				if (!current || !current.needsRefresh) return current?.result;
+				const refreshedStatus = await this.writeSelfHostedProfile(refreshed);
+				const refreshedCredential = await this.credentials.load(refreshedStatus.key);
+				if (!refreshedCredential?.accessToken) return void 0;
+				return {
+					status: refreshedStatus,
+					credential: refreshedCredential
+				};
+			});
+		});
+	}
+	async refreshCloudProfileIfNeeded(input) {
+		const snapshot = await this.withMutationLock(async () => this.cloudRefreshSnapshot(input));
+		if (!snapshot || !snapshot.needsRefresh) return snapshot?.result;
+		return await this.withRefreshLock(snapshot.result.status.key, async () => {
+			const lockedSnapshot = await this.withMutationLock(async () => this.cloudRefreshSnapshot(input));
+			if (!lockedSnapshot || !lockedSnapshot.needsRefresh) return lockedSnapshot?.result;
+			const refreshed = await input.refresh(lockedSnapshot.result.status, lockedSnapshot.result.credential);
+			return await this.withMutationLock(async () => {
+				const current = await this.cloudRefreshSnapshot(input);
+				if (!current || !current.needsRefresh) return current?.result;
+				const refreshedStatus = await this.writeCloudProfile(refreshed, { select: current.result.status.selected });
+				const refreshedCredential = await this.credentials.load(refreshedStatus.key);
+				if (!refreshedCredential?.accessToken) return void 0;
+				return {
+					status: refreshedStatus,
+					credential: refreshedCredential
+				};
+			});
+		});
+	}
+	async saveCloudProfile(input) {
+		return await this.withMutationLock(async () => await this.writeCloudProfile(input));
+	}
+	async getCloudProfileStatus(input) {
+		const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+		const workspace = input.workspace ?? hostedCloudWorkspaceFromRemoteUrl(input.hostUrl);
+		if (workspace) {
+			const found = await this.findCloudStatus(hostUrl, workspace);
+			if (found) return found;
+			return this.migrateLegacyCloudProfile(hostUrl, workspace);
+		}
+		const selected = this.readSelectedWorkspace(hostUrl);
+		if (selected) return this.statusByKey(selected.profileKey, true);
+		if (this.listProfilesForHost(hostUrl).length > 0) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.");
+		return this.migrateLegacyCloudProfile(hostUrl);
+	}
+	async listCloudProfileStatuses(hostUrlInput) {
+		const hostUrl = normalizeRemoteProfileHostUrl(hostUrlInput);
+		const selected = this.readSelectedWorkspace(hostUrl)?.profileKey;
+		return (await Promise.all(this.listProfilesForHost(hostUrl).map(async (profile) => this.statusFor(profile, void 0, profile.key === selected)))).sort((left, right) => (left.workspaceSlug ?? left.workspaceId ?? "").localeCompare(right.workspaceSlug ?? right.workspaceId ?? ""));
+	}
+	async listProfileStatuses() {
+		const dir = this.profilesDir();
+		if (!existsSync(dir)) return [];
+		return (await Promise.all(readdirSync(dir, { withFileTypes: true }).filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => this.readProfileFile(join(dir, entry.name))).filter((profile) => Boolean(profile)).map(async (profile) => {
+			const selected = profile.kind === "cloud" ? this.readSelectedWorkspace(profile.hostUrl)?.profileKey === profile.key : false;
+			return await this.statusFor(profile, void 0, selected);
+		}))).sort((left, right) => {
+			const host = left.hostUrl.localeCompare(right.hostUrl);
+			if (host !== 0) return host;
+			return (left.workspaceSlug ?? left.workspaceId ?? "").localeCompare(right.workspaceSlug ?? right.workspaceId ?? "");
+		});
+	}
+	async logoutCloudProfile(input) {
+		return await this.withMutationLock(async () => {
+			const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+			const workspace = input.workspace ?? hostedCloudWorkspaceFromRemoteUrl(input.hostUrl);
+			const selected = this.readSelectedWorkspace(hostUrl);
+			let key;
+			if (workspace) key = this.listProfilesForHost(hostUrl).find((profile) => profileMatchesWorkspace(profile, workspace))?.key;
+			else if (selected) key = selected.profileKey;
+			else if (this.listProfilesForHost(hostUrl).length > 0) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.");
+			if (!key) return false;
+			const profile = this.readProfile(key);
+			await this.credentials.delete(key);
+			rmSync(this.profilePath(key), { force: true });
+			if (selected?.profileKey === key) rmSync(this.selectedWorkspacePath(hostUrl), { force: true });
+			await this.clearMatchingLegacyCloudAuth(hostUrl, profile);
+			return true;
+		});
+	}
+	async clearSelectedCloudWorkspace(hostUrlInput) {
+		return await this.withMutationLock(async () => {
+			const path = this.selectedWorkspacePath(normalizeRemoteProfileHostUrl(hostUrlInput));
+			if (!existsSync(path)) return false;
+			rmSync(path, { force: true });
+			return true;
+		});
+	}
+	async selfHostedRefreshSnapshot(key, input) {
+		const profile = this.readProfile(key);
+		if (!profile) return void 0;
+		const credential = await this.credentials.load(key);
+		if (!credential?.accessToken) return void 0;
+		const status = await this.statusFor(profile, credential, false);
+		return {
+			needsRefresh: input.needsRefresh(credential),
+			result: {
+				status,
+				credential
+			}
+		};
+	}
+	async cloudRefreshSnapshot(input) {
+		const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+		const workspace = input.workspace ?? hostedCloudWorkspaceFromRemoteUrl(input.hostUrl);
+		let status;
+		if (workspace) status = await this.findCloudStatus(hostUrl, workspace);
+		else {
+			const selected = this.readSelectedWorkspace(hostUrl);
+			if (selected) status = await this.statusByKey(selected.profileKey, true);
+			else if (this.listProfilesForHost(hostUrl).length > 0) throw new CapletsError("REQUEST_INVALID", "Cloud Remote Profile requires a selected or explicit workspace.");
+		}
+		if (!status) return void 0;
+		const credential = await this.credentials.load(status.key);
+		if (!credential?.accessToken) return void 0;
+		return {
+			needsRefresh: input.needsRefresh(credential),
+			result: {
+				status,
+				credential
+			}
+		};
+	}
+	async findCloudStatus(hostUrl, workspace) {
+		const selected = this.readSelectedWorkspace(hostUrl)?.profileKey;
+		const profile = this.listProfilesForHost(hostUrl).find((candidate) => profileMatchesWorkspace(candidate, workspace));
+		if (!profile) return void 0;
+		return this.statusFor(profile, void 0, profile.key === selected);
+	}
+	async migrateLegacyCloudProfile(hostUrl, workspace) {
+		const legacy = await this.legacyCloudAuthStore?.load();
+		if (!legacy) return void 0;
+		if (normalizeRemoteProfileHostUrl(legacy.cloudUrl) !== hostUrl) return void 0;
+		if (workspace && workspace !== legacy.workspaceSlug && workspace !== legacy.workspaceId) return;
+		return this.saveCloudProfile({
+			hostUrl,
+			workspaceId: legacy.workspaceId,
+			...legacy.workspaceSlug ? { workspaceSlug: legacy.workspaceSlug } : {},
+			clientLabel: legacy.deviceName,
+			credentials: legacyCredential(legacy),
+			now: legacy.createdAt ? new Date(legacy.createdAt) : void 0
+		});
+	}
+	async clearMatchingLegacyCloudAuth(hostUrl, profile) {
+		const legacy = await this.legacyCloudAuthStore?.load();
+		if (!legacy) return;
+		if (normalizeRemoteProfileHostUrl(legacy.cloudUrl) !== hostUrl) return;
+		if (!profile) return;
+		const workspaceIdMatches = legacy.workspaceId === profile.workspaceId;
+		const workspaceSlugMatches = Boolean(legacy.workspaceSlug && profile.workspaceSlug && legacy.workspaceSlug === profile.workspaceSlug);
+		if (!workspaceIdMatches && !workspaceSlugMatches) return;
+		await this.legacyCloudAuthStore?.clear();
+	}
+	async statusByKey(key, selected) {
+		const profile = this.readProfile(key);
+		if (!profile) return void 0;
+		return this.statusFor(profile, void 0, selected);
+	}
+	async statusFor(profile, credential, selected) {
+		const build = (loadedCredential) => remoteProfileStatus({
+			kind: profile.kind,
+			key: profile.key,
+			hostUrl: profile.hostUrl,
+			workspaceId: profile.workspaceId,
+			workspaceSlug: profile.workspaceSlug,
+			clientId: profile.clientId,
+			clientLabel: profile.clientLabel,
+			createdAt: profile.createdAt,
+			updatedAt: profile.updatedAt,
+			selected,
+			credential: loadedCredential
+		});
+		if (credential !== void 0) return build(credential);
+		return build(await this.credentials.load(profile.key));
+	}
+	async writeSelfHostedProfile(input) {
+		const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+		const key = remoteProfileKey({
+			kind: "self-hosted",
+			hostUrl
+		});
+		const now = (input.now ?? /* @__PURE__ */ new Date()).toISOString();
+		const existing = this.readProfile(key);
+		const profile = {
+			version: 1,
+			kind: "self-hosted",
+			key,
+			hostUrl,
+			clientId: input.clientId,
+			...input.clientLabel ? { clientLabel: input.clientLabel } : {},
+			createdAt: existing?.createdAt ?? now,
+			updatedAt: now
+		};
+		await this.credentials.save(key, input.credentials);
+		this.writeJson(this.profilePath(key), profile);
+		return await this.statusFor(profile, input.credentials, false);
+	}
+	async writeCloudProfile(input, options = {}) {
+		const hostUrl = normalizeRemoteProfileHostUrl(input.hostUrl);
+		const workspace = cloudWorkspace(input);
+		const key = remoteProfileKey({
+			kind: "cloud",
+			hostUrl,
+			workspace
+		});
+		const now = (input.now ?? /* @__PURE__ */ new Date()).toISOString();
+		const existing = this.readProfile(key);
+		const select = options.select ?? true;
+		const profile = {
+			version: 1,
+			kind: "cloud",
+			key,
+			hostUrl,
+			workspaceId: input.workspaceId,
+			...input.workspaceSlug ? { workspaceSlug: input.workspaceSlug } : {},
+			...input.clientLabel ? { clientLabel: input.clientLabel } : {},
+			createdAt: existing?.createdAt ?? now,
+			updatedAt: now
+		};
+		await this.credentials.save(key, input.credentials);
+		this.writeJson(this.profilePath(key), profile);
+		if (select) this.writeJson(this.selectedWorkspacePath(hostUrl), {
+			version: 1,
+			hostUrl,
+			workspace,
+			profileKey: key,
+			selectedAt: now
+		});
+		return await this.statusFor(profile, input.credentials, select);
+	}
+	listProfilesForHost(hostUrl) {
+		const dir = this.profilesDir();
+		if (!existsSync(dir)) return [];
+		return readdirSync(dir, { withFileTypes: true }).filter((entry) => entry.isFile() && entry.name.endsWith(".json")).map((entry) => this.readProfileFile(join(dir, entry.name))).filter((profile) => Boolean(profile)).filter((profile) => profile.kind === "cloud" && profile.hostUrl === hostUrl);
+	}
+	readProfile(key) {
+		return this.readProfileFile(this.profilePath(key));
+	}
+	readProfileFile(path) {
+		if (!existsSync(path)) return void 0;
+		return parseStoredRemoteProfile(JSON.parse(readFileSync(path, "utf8")));
+	}
+	readSelectedWorkspace(hostUrl) {
+		const path = this.selectedWorkspacePath(hostUrl);
+		if (!existsSync(path)) return void 0;
+		return parseSelectedCloudWorkspace(JSON.parse(readFileSync(path, "utf8")), hostUrl);
+	}
+	profilePath(key) {
+		return join(this.profilesDir(), `${encodeURIComponent(key)}.json`);
 	}
+	selectedWorkspacePath(hostUrl) {
+		return join(this.selectionsDir(), `${encodeURIComponent(selectedWorkspaceKey(hostUrl))}.json`);
+	}
+	profilesDir() {
+		return join(this.root, "profiles");
+	}
+	selectionsDir() {
+		return join(this.root, "selections");
+	}
+	writeJson(path, value) {
+		const directory = dirname(path);
+		mkdirSync(directory, {
+			recursive: true,
+			mode: 448
+		});
+		try {
+			chmodSync(directory, 448);
+		} catch {}
+		const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+		writeFileSync(tempPath, `${JSON.stringify(value, null, 2)}\n`, { mode: 384 });
+		try {
+			chmodSync(tempPath, 384);
+		} catch {}
+		renameSync(tempPath, path);
+	}
+	async withMutationLock(operation) {
+		await this.acquireLock(this.lockPath(), "Remote Profile store is locked.");
+		try {
+			return await operation();
+		} finally {
+			this.releaseLock(this.lockPath());
+		}
+	}
+	async withRefreshLock(key, operation) {
+		const lockPath = this.refreshLockPath(key);
+		await this.acquireLock(lockPath, "Remote Profile refresh is locked.");
+		try {
+			return await operation();
+		} finally {
+			this.releaseLock(lockPath);
+		}
+	}
+	async acquireLock(lockPath, message) {
+		mkdirSync(this.root, {
+			recursive: true,
+			mode: 448
+		});
+		mkdirSync(dirname(lockPath), {
+			recursive: true,
+			mode: 448
+		});
+		const started = Date.now();
+		while (true) try {
+			mkdirSync(lockPath, {
+				recursive: false,
+				mode: 448
+			});
+			return;
+		} catch (error) {
+			if (isFileExistsError(error) && this.clearStaleLock(lockPath)) continue;
+			if (!isFileExistsError(error) || Date.now() - started >= PROFILE_LOCK_TIMEOUT_MS) throw new CapletsError("SERVER_UNAVAILABLE", message);
+			await sleep(10);
+		}
+	}
+	releaseLock(lockPath) {
+		rmSync(lockPath, {
+			recursive: true,
+			force: true
+		});
+	}
+	clearStaleLock(lockPath) {
+		try {
+			if (Date.now() - statSync(lockPath).mtimeMs < PROFILE_LOCK_TIMEOUT_MS) return false;
+			rmSync(lockPath, {
+				recursive: true,
+				force: true
+			});
+			return true;
+		} catch {
+			return false;
+		}
+	}
+	lockPath() {
+		return join(this.root, PROFILE_LOCK_DIR);
+	}
+	refreshLockPath(key) {
+		return join(this.root, PROFILE_REFRESH_LOCK_DIR, `${encodeURIComponent(key)}.lock`);
+	}
+};
+async function sleep(ms) {
+	await new Promise((resolve) => setTimeout(resolve, ms));
+}
+function isFileExistsError(error) {
+	return typeof error === "object" && error !== null && "code" in error && error.code === "EEXIST";
+}
+function cloudWorkspace(input) {
+	return input.workspaceSlug ?? input.workspaceId ?? hostedCloudWorkspaceFromRemoteUrl(input.hostUrl) ?? "";
+}
+function profileMatchesWorkspace(profile, workspace) {
+	return profile.workspaceSlug === workspace || profile.workspaceId === workspace;
+}
+function legacyCredential(credentials) {
+	return {
+		accessToken: credentials.accessToken,
+		refreshToken: credentials.refreshToken,
+		expiresAt: credentials.expiresAt,
+		...credentials.scope ? { scope: credentials.scope } : {},
+		...credentials.tokenType ? { tokenType: credentials.tokenType } : {}
+	};
+}
+function parseStoredRemoteProfile(value) {
+	if (!isRecord$1(value)) return void 0;
+	if (value.version !== 1) return void 0;
+	if (value.kind !== "cloud" && value.kind !== "self-hosted") return void 0;
+	if (typeof value.key !== "string" || typeof value.hostUrl !== "string" || typeof value.createdAt !== "string" || typeof value.updatedAt !== "string") return;
+	if (value.kind === "cloud" && typeof value.workspaceId !== "string") return void 0;
+	if (value.kind === "self-hosted" && typeof value.clientId !== "string") return void 0;
+	return {
+		version: 1,
+		kind: value.kind,
+		key: value.key,
+		hostUrl: value.hostUrl,
+		...typeof value.workspaceId === "string" ? { workspaceId: value.workspaceId } : {},
+		...typeof value.workspaceSlug === "string" ? { workspaceSlug: value.workspaceSlug } : {},
+		...typeof value.clientId === "string" ? { clientId: value.clientId } : {},
+		...typeof value.clientLabel === "string" ? { clientLabel: value.clientLabel } : {},
+		createdAt: value.createdAt,
+		updatedAt: value.updatedAt
+	};
+}
+function parseSelectedCloudWorkspace(value, expectedHostUrl) {
+	if (!isRecord$1(value)) return void 0;
+	if (value.version !== 1 || value.hostUrl !== expectedHostUrl || typeof value.workspace !== "string" || typeof value.profileKey !== "string" || typeof value.selectedAt !== "string") return;
+	return {
+		version: 1,
+		hostUrl: value.hostUrl,
+		workspace: value.workspace,
+		profileKey: value.profileKey,
+		selectedAt: value.selectedAt
+	};
+}
+function isRecord$1(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
 }
 //#endregion
 //#region src/remote/selection.ts
+const SELF_HOSTED_REFRESH_TIMEOUT_MS = 15e3;
 async function resolveRemoteSelection(input = {}, env = process.env) {
 	const modeValue = input.mode ?? env.CAPLETS_MODE;
 	const mode = resolveRemoteMode({
@@ -81307,43 +81887,112 @@ async function resolveRemoteSelection(input = {}, env = process.env) {
 		...input.remoteUrl !== void 0 ? { remoteUrl: input.remoteUrl } : {}
 	}, env);
 	if (mode.mode === "local") throw new CapletsError("REQUEST_INVALID", "caplets attach requires a remote upstream; set CAPLETS_REMOTE_URL or use caplets serve for local-only MCP.");
-	if (mode.mode === "remote") return {
-		kind: "self_hosted_remote",
-		remote: resolveCapletsRemote({
-			...input.remoteUrl !== void 0 ? { url: input.remoteUrl } : {},
-			...input.user !== void 0 ? { user: input.user } : {},
-			...input.password !== void 0 ? { password: input.password } : {},
-			...input.token !== void 0 ? { token: input.token } : {},
-			...input.workspace !== void 0 ? { workspace: input.workspace } : {},
-			...input.fetch !== void 0 ? { fetch: input.fetch } : {}
-		}, env)
-	};
-	const store = new CloudAuthStore({ env });
-	let credentials = await store.load();
-	if (!credentials?.accessToken) throw projectBindingError("cloud_auth_required");
-	if (credentialsNeedRefresh(credentials)) {
-		if (!credentials.refreshToken) throw projectBindingError("cloud_auth_required");
-		const refreshed = await new CloudAuthClient({
-			cloudUrl: credentials.cloudUrl,
-			...input.fetch !== void 0 ? { fetch: input.fetch } : {}
-		}).refresh({ refreshToken: credentials.refreshToken });
-		credentials = {
-			...credentials,
-			...refreshed,
-			refreshToken: refreshed.refreshToken ?? credentials.refreshToken,
-			createdAt: credentials.createdAt,
-			lastRefreshAt: (/* @__PURE__ */ new Date()).toISOString()
+	if (mode.mode === "remote") {
+		const remoteUrl = input.remoteUrl ?? env.CAPLETS_REMOTE_URL;
+		if (!remoteUrl) throw new CapletsError("REQUEST_INVALID", "CAPLETS_REMOTE_URL or remoteUrl is required.");
+		const credential = (await createRemoteProfileStore({
+			authDir: input.authDir,
+			env
+		}).refreshSelfHostedProfileIfNeeded({
+			hostUrl: remoteUrl,
+			needsRefresh: (credential) => credentialsNeedRefresh({ expiresAt: credential.expiresAt ?? "" }),
+			refresh: async (status, credential) => {
+				if (!credential.refreshToken || !status.clientId) throw remoteLoginRequired(remoteUrl);
+				const refreshed = await refreshSelfHostedCredentials(remoteUrl, credential.refreshToken, input.fetch ? { fetch: input.fetch } : {});
+				return {
+					hostUrl: refreshed.hostUrl ?? remoteUrl,
+					clientId: refreshed.clientId,
+					clientLabel: refreshed.clientLabel ?? status.clientLabel,
+					credentials: {
+						accessToken: refreshed.accessToken,
+						refreshToken: refreshed.refreshToken,
+						expiresAt: refreshed.expiresAt,
+						tokenType: refreshed.tokenType
+					}
+				};
+			}
+		}))?.credential;
+		if (!credential?.accessToken) {
+			const normalizedUrl = normalizeRemoteProfileHostUrl(remoteUrl);
+			throw new ProjectBindingError({
+				code: "remote_credentials_required",
+				message: `Remote Login required for ${normalizedUrl}.`,
+				recoveryCommand: `caplets remote login ${normalizedUrl}`
+			});
+		}
+		return {
+			kind: "self_hosted_remote",
+			remote: resolveCapletsRemote({
+				url: remoteUrl,
+				token: credential.accessToken,
+				...input.workspace !== void 0 ? { workspace: input.workspace } : {},
+				...input.fetch !== void 0 ? { fetch: input.fetch } : {}
+			}, env),
+			...credential.expiresAt ? { credentialExpiresAt: credential.expiresAt } : {}
 		};
-		await store.save(credentials);
 	}
-	const selectedWorkspace = credentials.workspaceSlug ?? credentials.workspaceId;
-	if (input.workspace && input.workspace !== credentials.workspaceId && input.workspace !== credentials.workspaceSlug) throw projectBindingError("workspace_switch_required", `Requested workspace ${input.workspace} differs from saved Selected Workspace ${selectedWorkspace}.`);
+	const store = createRemoteProfileStore({
+		authDir: input.authDir,
+		env
+	});
 	const remoteUrl = input.remoteUrl ?? env.CAPLETS_REMOTE_URL;
 	if (!remoteUrl) throw new CapletsError("REQUEST_INVALID", "CAPLETS_MODE=cloud requires CAPLETS_REMOTE_URL or remoteUrl.");
 	const workspaceFromRemoteUrl = hostedCloudWorkspaceFromRemoteUrl(remoteUrl);
+	const explicitWorkspace = input.workspace ?? (workspaceFromRemoteUrl ? void 0 : env.CAPLETS_REMOTE_WORKSPACE);
+	const profileWorkspace = workspaceFromRemoteUrl ?? explicitWorkspace;
+	const normalizedRemoteUrl = normalizeRemoteProfileHostUrl(remoteUrl);
+	let status = await store.getCloudProfileStatus({
+		hostUrl: normalizedRemoteUrl,
+		workspace: profileWorkspace
+	});
+	if (!status && profileWorkspace) status = await store.getCloudProfileStatus({ hostUrl: normalizedRemoteUrl });
+	let credential = status ? await store.credentials.load(status.key) : void 0;
+	if (!status || !credential?.accessToken) throw projectBindingError("cloud_auth_required");
+	let credentials = cloudCredentialsFromRemoteProfile(status, credential);
+	if (credentialsNeedRefresh(credentials)) {
+		const refreshed = await store.refreshCloudProfileIfNeeded({
+			hostUrl: normalizedRemoteUrl,
+			workspace: profileWorkspace,
+			needsRefresh: (candidate) => credentialsNeedRefresh({ expiresAt: candidate.expiresAt ?? "" }),
+			refresh: async (candidateStatus, candidateCredential) => {
+				const candidateCredentials = cloudCredentialsFromRemoteProfile(candidateStatus, candidateCredential);
+				if (!candidateCredentials.refreshToken) throw projectBindingError("cloud_auth_required");
+				const refreshedCredentials = await new CloudAuthClient({
+					cloudUrl: candidateCredentials.cloudUrl,
+					...input.fetch !== void 0 ? { fetch: input.fetch } : {}
+				}).refresh({ refreshToken: candidateCredentials.refreshToken });
+				const nextCredentials = {
+					...candidateCredentials,
+					...refreshedCredentials,
+					refreshToken: refreshedCredentials.refreshToken ?? candidateCredentials.refreshToken,
+					createdAt: candidateCredentials.createdAt,
+					lastRefreshAt: (/* @__PURE__ */ new Date()).toISOString()
+				};
+				return {
+					hostUrl: nextCredentials.cloudUrl,
+					workspaceId: nextCredentials.workspaceId,
+					...nextCredentials.workspaceSlug ? { workspaceSlug: nextCredentials.workspaceSlug } : {},
+					clientLabel: nextCredentials.deviceName,
+					credentials: {
+						accessToken: nextCredentials.accessToken,
+						refreshToken: nextCredentials.refreshToken,
+						expiresAt: nextCredentials.expiresAt,
+						scope: nextCredentials.scope,
+						tokenType: nextCredentials.tokenType
+					}
+				};
+			}
+		});
+		if (!refreshed?.credential?.accessToken) throw projectBindingError("cloud_auth_required");
+		status = refreshed.status;
+		credential = refreshed.credential;
+		credentials = cloudCredentialsFromRemoteProfile(status, credential);
+	}
+	const selectedWorkspace = credentials.workspaceSlug ?? credentials.workspaceId;
+	if (explicitWorkspace && explicitWorkspace !== credentials.workspaceId && explicitWorkspace !== credentials.workspaceSlug) throw projectBindingError("workspace_switch_required", `Requested workspace ${explicitWorkspace} differs from saved Selected Workspace ${selectedWorkspace}.`);
 	if (workspaceFromRemoteUrl && workspaceFromRemoteUrl !== credentials.workspaceSlug && workspaceFromRemoteUrl !== credentials.workspaceId) throw projectBindingError("workspace_switch_required", `Requested workspace ${workspaceFromRemoteUrl} differs from saved Selected Workspace ${selectedWorkspace}.`);
 	const missingScope = requiredHostedCloudAttachScopes().find((scope) => !credentials.scope?.includes(scope));
-	if (missingScope) throw projectBindingError("cloud_auth_required", `Hosted Cloud attach requires Cloud Auth scope ${missingScope}. Run caplets cloud auth login again.`);
+	if (missingScope) throw projectBindingError("cloud_auth_required", `Hosted Cloud attach requires Cloud Auth scope ${missingScope}. Run caplets remote login ${credentials.cloudUrl} again.`);
 	const remote = resolveHostedCloudRemote({
 		url: remoteUrl,
 		token: credentials.accessToken,
@@ -81355,6 +82004,7 @@ async function resolveRemoteSelection(input = {}, env = process.env) {
 		remote,
 		selectedWorkspace,
 		credentials,
+		credentialExpiresAt: credentials.expiresAt,
 		cloudPresence: {
 			url: remote.baseUrl,
 			accessToken: credentials.accessToken,
@@ -81366,6 +82016,74 @@ function credentialsNeedRefresh(credentials) {
 	const expiresAt = Date.parse(credentials.expiresAt);
 	return Number.isFinite(expiresAt) && expiresAt <= Date.now() + 6e4;
 }
+async function refreshSelfHostedCredentials(remoteUrl, refreshToken, options) {
+	const response = await fetchSelfHostedRefresh(appendBasePath(new URL(normalizeRemoteProfileHostUrl(remoteUrl)), "v1/remote/refresh"), refreshToken, options);
+	if (!response.ok) throw await selfHostedRefreshError(remoteUrl, response);
+	return parseSelfHostedRefreshCredentials(response);
+}
+async function selfHostedRefreshError(remoteUrl, response) {
+	const summary = await parseSelfHostedRefreshError(response);
+	if (response.status === 401 || summary?.code === "AUTH_FAILED") return remoteLoginRequired(remoteUrl);
+	if (response.status === 503 || summary?.code === "SERVER_UNAVAILABLE") return new CapletsError("SERVER_UNAVAILABLE", summary?.message ?? "Remote credential refresh is temporarily unavailable.");
+	return new CapletsError("AUTH_REFRESH_FAILED", summary?.message ?? `Remote credential refresh failed with HTTP ${response.status}.`);
+}
+async function parseSelfHostedRefreshError(response) {
+	const parsed = await response.clone().json().catch(() => void 0);
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return void 0;
+	const error = parsed.error;
+	if (!error || typeof error !== "object" || Array.isArray(error)) return void 0;
+	const record = error;
+	return {
+		...typeof record.code === "string" ? { code: record.code } : {},
+		...typeof record.message === "string" ? { message: record.message } : {}
+	};
+}
+async function fetchSelfHostedRefresh(refreshUrl, refreshToken, options) {
+	const controller = new AbortController();
+	let timeout;
+	try {
+		const refresh = (options.fetch ?? fetch)(refreshUrl, {
+			method: "POST",
+			headers: { "content-type": "application/json" },
+			body: JSON.stringify({ refreshToken }),
+			signal: controller.signal
+		});
+		const timedOut = new Promise((_resolve, reject) => {
+			timeout = setTimeout(() => {
+				controller.abort();
+				reject(new CapletsError("SERVER_UNAVAILABLE", "Remote credential refresh timed out."));
+			}, SELF_HOSTED_REFRESH_TIMEOUT_MS);
+		});
+		return await Promise.race([refresh, timedOut]);
+	} catch (error) {
+		if (error instanceof CapletsError) throw error;
+		throw new CapletsError("SERVER_UNAVAILABLE", "Remote credential refresh failed.");
+	} finally {
+		if (timeout) clearTimeout(timeout);
+	}
+}
+function remoteLoginRequired(remoteUrl) {
+	return new ProjectBindingError({
+		code: "remote_credentials_required",
+		message: `Remote Login required for ${normalizeRemoteProfileHostUrl(remoteUrl)}.`,
+		recoveryCommand: `caplets remote login ${normalizeRemoteProfileHostUrl(remoteUrl)}`
+	});
+}
+async function parseSelfHostedRefreshCredentials(response) {
+	const parsed = await response.json();
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "Remote refresh response must be an object.");
+	const record = parsed;
+	if (typeof record.clientId !== "string" || typeof record.accessToken !== "string" || typeof record.refreshToken !== "string") throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "Remote refresh response is missing credentials.");
+	return {
+		...typeof record.hostUrl === "string" ? { hostUrl: record.hostUrl } : {},
+		clientId: record.clientId,
+		...typeof record.clientLabel === "string" ? { clientLabel: record.clientLabel } : {},
+		accessToken: record.accessToken,
+		refreshToken: record.refreshToken,
+		...typeof record.tokenType === "string" ? { tokenType: record.tokenType } : {},
+		...typeof record.expiresAt === "string" ? { expiresAt: record.expiresAt } : {}
+	};
+}
 function requiredHostedCloudAttachScopes() {
 	return HOSTED_CLOUD_AUTH_SCOPES.filter((scope) => scope !== "mcp:tools");
 }
@@ -81376,21 +82094,24 @@ let hasWarnedRemoteProjectBindingFallback = false;
 function createNativeCapletsService(options = {}) {
 	const resolved = resolveNativeCapletsServiceOptions(options);
 	if (resolved.mode === "remote") {
-		const local = createLocalOverlayService(options);
-		try {
-			return createCompositeRemoteService(resolved.remote, local, options, "self_hosted_remote");
-		} catch (error) {
-			if (options.mode !== "remote") {
-				warnRemoteProjectBindingFallback(options);
-				return local;
+		if (options.remoteClientFactory) {
+			const local = createLocalOverlayService(options);
+			try {
+				return createCompositeRemoteService(resolved.remote, local, options, "self_hosted_remote");
+			} catch (error) {
+				if (options.mode !== "remote") {
+					warnRemoteProjectBindingFallback(options);
+					return local;
+				}
+				local.close().catch((closeError) => {
+					writeErr(options, `Could not close local overlay Caplets service: ${errorMessage(closeError)}\n`);
+				});
+				throw error;
 			}
-			local.close().catch((closeError) => {
-				writeErr(options, `Could not close local overlay Caplets service: ${errorMessage(closeError)}\n`);
-			});
-			throw error;
 		}
+		return new ProfileBackedNativeCapletsService(options, resolved.remote, "self_hosted_remote");
 	}
-	if (resolved.mode === "cloud") return new CloudNativeCapletsService(options, resolved.remote);
+	if (resolved.mode === "cloud") return new ProfileBackedNativeCapletsService(options, resolved.remote, "hosted_cloud");
 	return new DefaultNativeCapletsService(options);
 }
 var DefaultNativeCapletsService = class {
@@ -81751,31 +82472,55 @@ function createLocalOverlayService(options) {
 	return (options.localServiceFactory ?? createDefaultNativeCapletsService)(localOptions);
 }
 function createCompositeRemoteService(remoteOptions, local, options, authKind) {
-	return new CompositeNativeCapletsService(new RemoteNativeCapletsService({
-		client: (options.remoteClientFactory ?? createSdkRemoteCapletsClient)(remoteOptions),
-		clientFactory: () => (options.remoteClientFactory ?? createSdkRemoteCapletsClient)(remoteOptions),
+	const { remote, presence } = createCompositeRemoteParts(remoteOptions, local, options, authKind);
+	return new CompositeNativeCapletsService(remote, local, options, presence);
+}
+function createCompositeRemoteParts(remoteOptions, local, options, authKind, resolveRuntimeRemoteOptions) {
+	const remote = new RemoteNativeCapletsService({
+		client: createRemoteClient(remoteOptions, options, authKind, resolveRuntimeRemoteOptions),
+		clientFactory: () => createRemoteClient(remoteOptions, options, authKind, resolveRuntimeRemoteOptions),
 		pollIntervalMs: remoteOptions.pollIntervalMs,
 		authKind,
 		...options.writeErr ? { writeErr: options.writeErr } : {}
-	}), local, options, createProjectBindingSessionManager(remoteOptions.cloud, local, options));
+	});
+	const presence = createProjectBindingSessionManager(remoteOptions.cloud, local, options);
+	return {
+		remote,
+		...presence ? { presence } : {}
+	};
+}
+function createRemoteClient(remoteOptions, options, authKind, resolveRuntimeRemoteOptions) {
+	if (options.remoteClientFactory) return options.remoteClientFactory(remoteOptions);
+	return createSdkRemoteCapletsClient({
+		...remoteOptions,
+		authKind,
+		...options.writeErr ? { writeErr: options.writeErr } : {},
+		...resolveRuntimeRemoteOptions ? { resolveRuntimeOptions: resolveRuntimeRemoteOptions } : {}
+	});
 }
-var CloudNativeCapletsService = class {
+var ProfileBackedNativeCapletsService = class {
 	options;
 	baseRemote;
+	authKind;
 	local;
 	listeners = /* @__PURE__ */ new Set();
 	delegate;
 	unsubscribeDelegate;
+	remoteSignature;
+	credentialExpiresAt;
+	ensureDelegateCurrentInFlight;
 	closed = false;
-	constructor(options, baseRemote) {
+	constructor(options, baseRemote, authKind) {
 		this.options = options;
 		this.baseRemote = baseRemote;
+		this.authKind = authKind;
 		this.local = createLocalOverlayService(options);
 	}
 	listTools() {
 		return this.delegate?.listTools() ?? this.local.listTools();
 	}
 	async execute(capletId, request) {
+		if (!this.delegate || nativeCredentialsNeedRefresh(this.credentialExpiresAt)) await this.ensureDelegateCurrent();
 		return await (this.delegate ?? this.local).execute(capletId, request);
 	}
 	codeModeService() {
@@ -81783,42 +82528,8 @@ var CloudNativeCapletsService = class {
 	}
 	async reload() {
 		if (this.closed) return false;
-		if (!this.delegate) try {
-			const cloudFetch = this.options.remote?.fetch;
-			const remoteUrl = this.options.remote?.url ?? this.baseRemote.url.toString().replace(/\/mcp$/u, "");
-			const selection = await resolveRemoteSelection({
-				mode: "cloud",
-				remoteUrl,
-				...cloudFetch ? { fetch: cloudFetch } : {}
-			}, {
-				...process.env,
-				CAPLETS_MODE: "cloud",
-				CAPLETS_REMOTE_URL: remoteUrl
-			});
-			if (selection.kind !== "hosted_cloud") throw new CapletsError("REQUEST_INVALID", "CAPLETS_MODE=cloud requires Caplets Cloud.");
-			const cloudPresence = {
-				url: selection.cloudPresence.url,
-				accessToken: selection.cloudPresence.accessToken,
-				workspaceId: selection.cloudPresence.workspaceId,
-				...this.options.remote?.cloud?.projectRoot ? { projectRoot: this.options.remote.cloud.projectRoot } : {},
-				heartbeatIntervalMs: this.options.remote?.cloud?.heartbeatIntervalMs ?? this.baseRemote.cloud?.heartbeatIntervalMs ?? 3e4
-			};
-			const remoteOptions = {
-				...this.baseRemote,
-				url: selection.remote.attachUrl,
-				auth: nativeAuthFromRemoteAuth(selection.remote.auth),
-				requestInit: selection.remote.requestInit,
-				...selection.remote.fetch ? { fetch: selection.remote.fetch } : {},
-				cloud: cloudPresence
-			};
-			this.delegate = createCompositeRemoteService(remoteOptions, this.local, this.options, "hosted_cloud");
-			this.unsubscribeDelegate = this.delegate.onToolsChanged((tools) => this.emit(tools));
-		} catch (error) {
-			if (this.options.mode === "cloud") throw error;
-			warnRemoteProjectBindingFallback(this.options);
-			return await this.local.reload();
-		}
-		return await this.delegate.reload();
+		await this.ensureDelegateCurrent();
+		return await (this.delegate ?? this.local).reload();
 	}
 	onToolsChanged(listener) {
 		this.listeners.add(listener);
@@ -81834,13 +82545,110 @@ var CloudNativeCapletsService = class {
 	emit(tools) {
 		for (const listener of this.listeners) listener(tools);
 	}
+	async ensureDelegateCurrent() {
+		if (this.ensureDelegateCurrentInFlight) {
+			await this.ensureDelegateCurrentInFlight;
+			return;
+		}
+		const refresh = this.ensureDelegateCurrentNow();
+		this.ensureDelegateCurrentInFlight = refresh;
+		try {
+			await refresh;
+		} finally {
+			if (this.ensureDelegateCurrentInFlight === refresh) this.ensureDelegateCurrentInFlight = void 0;
+		}
+	}
+	async ensureDelegateCurrentNow() {
+		try {
+			const remoteOptions = await this.resolveProfileRemoteOptions();
+			if (this.closed) return;
+			const signature = remoteOptionsSignature(remoteOptions);
+			if (!this.delegate) {
+				const { remote, presence } = createCompositeRemoteParts(remoteOptions, this.local, this.options, this.authKind, () => this.resolveProfileRemoteOptions());
+				this.delegate = new CompositeNativeCapletsService(remote, this.local, this.options, presence);
+				this.unsubscribeDelegate = this.delegate.onToolsChanged((tools) => this.emit(tools));
+				this.remoteSignature = signature;
+				this.credentialExpiresAt = remoteOptions.credentialExpiresAt;
+				return;
+			}
+			if (signature === this.remoteSignature) return;
+			const { remote, presence } = createCompositeRemoteParts(remoteOptions, this.local, this.options, this.authKind, () => this.resolveProfileRemoteOptions());
+			if (!await remote.reload()) {
+				await Promise.all([remote.close(), presence?.close()]);
+				return;
+			}
+			await this.delegate.replaceRemote(remote, presence);
+			this.remoteSignature = signature;
+			this.credentialExpiresAt = remoteOptions.credentialExpiresAt;
+		} catch (error) {
+			if (this.options.mode === "cloud" || this.options.mode === "remote") {
+				if (this.delegate) throw error;
+				await this.close().catch((closeError) => {
+					writeErr(this.options, `Could not close local overlay Caplets service: ${errorMessage(closeError)}\n`);
+				});
+				throw error;
+			}
+			warnRemoteProjectBindingFallback(this.options);
+			if (!this.delegate) await this.local.reload();
+		}
+	}
+	async resolveProfileRemoteOptions() {
+		const cloudFetch = this.options.remote?.fetch;
+		const remoteUrl = this.options.remote?.url ?? process.env.CAPLETS_REMOTE_URL ?? this.baseRemote.url.toString().replace(/\/v1(?:\/ws\/[^/]+)?\/attach$/u, "");
+		const selection = await resolveRemoteSelection({
+			mode: this.authKind === "hosted_cloud" ? "cloud" : "remote",
+			remoteUrl,
+			...this.options.remote?.workspace ? { workspace: this.options.remote.workspace } : {},
+			...this.options.authDir ? { authDir: this.options.authDir } : {},
+			...cloudFetch ? { fetch: cloudFetch } : {}
+		}, {
+			...process.env,
+			CAPLETS_MODE: this.authKind === "hosted_cloud" ? "cloud" : "remote",
+			CAPLETS_REMOTE_URL: remoteUrl
+		});
+		if (this.authKind === "hosted_cloud" && selection.kind !== "hosted_cloud") throw new CapletsError("REQUEST_INVALID", "CAPLETS_MODE=cloud requires Caplets Cloud.");
+		if (this.authKind === "self_hosted_remote" && selection.kind !== "self_hosted_remote") throw new CapletsError("REQUEST_INVALID", "CAPLETS_MODE=remote requires self-hosted Caplets.");
+		const cloudPresence = selection.kind === "hosted_cloud" ? {
+			url: selection.cloudPresence.url,
+			accessToken: selection.cloudPresence.accessToken,
+			workspaceId: selection.cloudPresence.workspaceId,
+			...this.options.remote?.cloud?.projectRoot ? { projectRoot: this.options.remote.cloud.projectRoot } : {},
+			heartbeatIntervalMs: this.options.remote?.cloud?.heartbeatIntervalMs ?? this.baseRemote.cloud?.heartbeatIntervalMs ?? 3e4
+		} : void 0;
+		return remoteOptionsFromSelection(selection, this.baseRemote, cloudPresence);
+	}
 };
-function nativeAuthFromRemoteAuth(auth) {
-	if (auth.type === "basic") return {
-		enabled: true,
-		user: auth.user,
-		password: auth.password
+function remoteOptionsFromSelection(selection, baseRemote, cloudPresence) {
+	return {
+		...baseRemote,
+		url: selection.remote.attachUrl,
+		auth: nativeAuthFromRemoteAuth(selection.remote.auth),
+		requestInit: selection.remote.requestInit,
+		...selection.remote.fetch ? { fetch: selection.remote.fetch } : {},
+		...cloudPresence ? { cloud: cloudPresence } : {},
+		...selection.credentialExpiresAt ? { credentialExpiresAt: selection.credentialExpiresAt } : {}
 	};
+}
+function remoteOptionsSignature(remoteOptions) {
+	return JSON.stringify({
+		url: remoteOptions.url.toString(),
+		requestInit: remoteOptions.requestInit,
+		credentialExpiresAt: remoteOptions.credentialExpiresAt,
+		cloud: remoteOptions.cloud ? {
+			url: remoteOptions.cloud.url.toString(),
+			accessToken: remoteOptions.cloud.accessToken,
+			workspaceId: remoteOptions.cloud.workspaceId,
+			projectRoot: remoteOptions.cloud.projectRoot,
+			heartbeatIntervalMs: remoteOptions.cloud.heartbeatIntervalMs
+		} : void 0
+	});
+}
+function nativeCredentialsNeedRefresh(expiresAt) {
+	if (!expiresAt) return false;
+	const parsed = Date.parse(expiresAt);
+	return Number.isFinite(parsed) && parsed <= Date.now() + 6e4;
+}
+function nativeAuthFromRemoteAuth(auth) {
 	if (auth.type === "none") return {
 		enabled: false,
 		user: auth.user
@@ -81856,7 +82664,8 @@ var CompositeNativeCapletsService = class {
 	options;
 	presence;
 	listeners = /* @__PURE__ */ new Set();
-	unsubscribers;
+	unsubscribeRemote;
+	unsubscribeLocal;
 	warnedShadowedLocalCaplets = /* @__PURE__ */ new Set();
 	tools = [];
 	closed = false;
@@ -81867,11 +82676,10 @@ var CompositeNativeCapletsService = class {
 		this.local = local;
 		this.options = options;
 		this.presence = presence;
-		this.unsubscribers = [this.remote.onToolsChanged(() => this.updateMergedTools()), this.local.onToolsChanged(() => this.updateMergedTools())];
+		this.unsubscribeRemote = this.remote.onToolsChanged(() => this.updateMergedTools());
+		this.unsubscribeLocal = this.local.onToolsChanged(() => this.updateMergedTools());
 		this.tools = this.mergeTools();
-		this.presence?.start().catch((error) => {
-			writeErr(options, `Could not register Caplets Cloud Project Binding: ${errorMessage(error)}\n`);
-		});
+		this.startPresence();
 	}
 	listTools() {
 		return [...this.tools];
@@ -81909,7 +82717,8 @@ var CompositeNativeCapletsService = class {
 	async close() {
 		if (this.closed) return;
 		this.closed = true;
-		for (const unsubscribe of this.unsubscribers.splice(0)) unsubscribe();
+		this.unsubscribeRemote();
+		this.unsubscribeLocal();
 		this.listeners.clear();
 		this.codeModeSessions.close();
 		await Promise.all([
@@ -81918,6 +82727,22 @@ var CompositeNativeCapletsService = class {
 			this.presence?.close()
 		]);
 	}
+	async replaceRemote(remote, presence) {
+		if (this.closed) {
+			await Promise.all([remote.close(), presence?.close()]);
+			return;
+		}
+		const previousRemote = this.remote;
+		const previousPresence = this.presence;
+		this.unsubscribeRemote();
+		this.remote = remote;
+		this.presence = presence;
+		this.unsubscribeRemote = this.remote.onToolsChanged(() => this.updateMergedTools());
+		await Promise.all([previousRemote.close(), previousPresence?.close()]);
+		if (this.closed) return;
+		this.startPresence();
+		this.updateMergedTools();
+	}
 	updateMergedTools() {
 		if (this.closed || this.batchingReload) return;
 		const tools = this.mergeTools();
@@ -81962,6 +82787,11 @@ var CompositeNativeCapletsService = class {
 			return;
 		}
 	}
+	startPresence() {
+		this.presence?.start().catch((error) => {
+			writeErr(this.options, `Could not register Caplets Cloud Project Binding: ${errorMessage(error)}\n`);
+		});
+	}
 };
 function remoteCodeModeCallableNativeTools(tools) {
 	return codeModeCallableNativeTools(tools, { fallbackToVisible: true });
@@ -82037,4 +82867,4 @@ function errorMessage(error) {
 	return error instanceof Error ? error.message : String(error);
 }
 //#endregion
-export { GoogleDiscoveryManager as $, ListPromptsRequestSchema as $t, emptyCodeModeRunMeta as A, ReadBuffer as At, codeModeDeclarationHash as B, CompleteRequestSchema as Bt, nativeCapletToolDescription as C, safeParse as Cn, defaultCacheBaseDir as Ct, nativeCodeModeToolName as D, resolveConfigPath as Dt, nativeCodeModeToolId as E, resolveCapletsRoot as Et, createCodeModeCapletsApi as F, Protocol as Ft, resolveExposure as G, ElicitResultSchema as Gt, generateCodeModeRunToolDescription as H, CreateMessageResultWithToolsSchema as Ht, listCodeModeCallableCaplets as I, mergeCapabilities as It, findProjectRoot as J, GetPromptRequestSchema as Jt, decodeDirectResourceUri as K, EmptyResultSchema as Kt, CodeModeJournalStore as L, toJsonSchemaCompat as Lt, CodeModeSessionManager as M, assertClientRequestTaskCapability as Mt, QuickJsCodeModeSandbox as N, assertToolsCallTaskCapability as Nt, codeModeRunInputSchema as O, resolveProjectCapletsRoot as Ot, diagnoseCodeModeTypeScript as P, AjvJsonSchemaValidator as Pt, capabilityDescription as Q, LATEST_PROTOCOL_VERSION as Qt, CodeModeLogStore as R, CallToolRequestSchema as Rt, nativeCapletPromptGuidance as S, objectFromShape as Sn, DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR as St, nativeCapletsSystemGuidance as T, __exportAll as Tn, defaultStateBaseDir as Tt, minifyCodeModeDeclarationText as U, CreateTaskResultSchema as Ut, generateCodeModeDeclarations as V, CreateMessageResultSchema as Vt, CapletsEngine as W, DEFAULT_NEGOTIATED_PROTOCOL_VERSION as Wt, handleServerTool as X, InitializedNotificationSchema as Xt, fingerprintProjectRoot as Y, InitializeRequestSchema as Yt, ServerRegistry as Z, JSONRPCMessageSchema as Zt, resolveHostedCloudRemote as _, getParseErrorMessage as _n, deleteTokenBundle as _t, projectBindingError as a, McpError as an, parseConfig as at, parseServerBaseUrl as b, isZ4Schema as bn, DEFAULT_AUTH_DIR as bt, cloudAuthPath as c, SetLevelRequestSchema as cn, loadCapletFilesFromMap as ct, CloudAuthClient as d, isInitializeRequest as dn, markdownStructuredContent as dt, ListResourceTemplatesRequestSchema as en, loadConfig as et, RemoteNativeCapletsService as f, isJSONRPCErrorResponse as fn, refreshOAuthTokenBundle as ft, resolveCapletsRemote as g, getObjectShape as gn, startOAuthFlow as gt, resolveNativeCapletsServiceOptions as h, getLiteralValue as hn, startGenericOAuthFlow as ht, ProjectBindingError as i, LoggingLevelSchema as in, loadProjectConfig as it, runCodeMode as j, serializeMessage as jt, codeModeRunParamsSchema as k, resolveProjectConfigPath as kt, migrateCredentials as l, assertCompleteRequestPrompt as ln, hasRenderableStructuredContent as lt, buildProjectSyncManifest as m, isJSONRPCResultResponse as mn, runOAuthFlow as mt, resolveRemoteSelection as n, ListRootsResultSchema as nn, loadGlobalConfig as nt, projectBindingRecovery as o, ReadResourceRequestSchema as on, discoverCapletFiles as ot, createSdkRemoteCapletsClient as p, isJSONRPCRequest as pn, runGenericOAuthFlow as pt, directResourceUriMatchesTemplate as q, ErrorCode as qt, PROJECT_BINDING_ERROR_CODES as r, ListToolsRequestSchema as rn, loadLocalOverlayConfigWithSources as rt, CloudAuthStore as s, SUPPORTED_PROTOCOL_VERSIONS as sn, validateCapletFile as st, createNativeCapletsService as t, ListResourcesRequestSchema as tn, loadConfigWithSources as tt, redactedCloudAuthStatus as u, assertCompleteRequestResourceTemplate as un, markdownCallToolResultContent as ut, resolveRemoteMode as v, getSchemaDescription as vn, isTokenBundleExpired as vt, nativeCapletToolName as w, safeParseAsync as wn, defaultConfigBaseDir as wt, resolveCapletsServer as x, normalizeObjectSchema as xn, DEFAULT_COMPLETION_CACHE_DIR as xt, controlUrlForBase as y, isSchemaOptional as yn, readTokenBundle as yt, redactCodeModeLogText as z, CallToolResultSchema as zt };
+export { decodeDirectResourceUri as $, ElicitResultSchema as $t, nativeCapletToolDescription as A, objectFromShape as An, defaultCacheBaseDir as At, QuickJsCodeModeSandbox as B, assertClientRequestTaskCapability as Bt, resolveRemoteMode as C, getLiteralValue as Cn, startOAuthFlow as Ct, parseServerBaseUrl as D, isSchemaOptional as Dn, DEFAULT_AUTH_DIR as Dt, isLoopbackHost as E, getSchemaDescription as En, readTokenBundle as Et, codeModeRunInputSchema as F, resolveConfigPath as Ft, CodeModeLogStore as G, toJsonSchemaCompat as Gt, createCodeModeCapletsApi as H, AjvJsonSchemaValidator as Ht, codeModeRunParamsSchema as I, resolveProjectCapletsRoot as It, generateCodeModeDeclarations as J, CompleteRequestSchema as Jt, redactCodeModeLogText as K, CallToolRequestSchema as Kt, emptyCodeModeRunMeta as L, resolveProjectConfigPath as Lt, nativeCapletsSystemGuidance as M, safeParseAsync as Mn, defaultConfigPath as Mt, nativeCodeModeToolId as N, __exportAll as Nn, defaultStateBaseDir as Nt, resolveCapletsServer as O, isZ4Schema as On, DEFAULT_COMPLETION_CACHE_DIR as Ot, nativeCodeModeToolName as P, resolveCapletsRoot as Pt, resolveExposure as Q, DEFAULT_NEGOTIATED_PROTOCOL_VERSION as Qt, runCodeMode as R, ReadBuffer as Rt, resolveHostedCloudRemote as S, isJSONRPCResultResponse as Sn, startGenericOAuthFlow as St, controlUrlForBase as T, getParseErrorMessage as Tn, isTokenBundleExpired as Tt, listCodeModeCallableCaplets as U, Protocol as Ut, diagnoseCodeModeTypeScript as V, assertToolsCallTaskCapability as Vt, CodeModeJournalStore as W, mergeCapabilities as Wt, minifyCodeModeDeclarationText as X, CreateMessageResultWithToolsSchema as Xt, generateCodeModeRunToolDescription as Y, CreateMessageResultSchema as Yt, CapletsEngine as Z, CreateTaskResultSchema as Zt, resolveNativeCapletsServiceOptions as _, assertCompleteRequestPrompt as _n, markdownCallToolResultContent as _t, CloudAuthStore as a, JSONRPCMessageSchema as an, capabilityDescription as at, normalizeRemoteProfileHostUrl as b, isJSONRPCErrorResponse as bn, runGenericOAuthFlow as bt, redactedCloudAuthStatus as c, ListResourceTemplatesRequestSchema as cn, loadConfigWithSources as ct, projectBindingError as d, ListToolsRequestSchema as dn, loadProjectConfig as dt, EmptyResultSchema as en, directResourceUriMatchesTemplate as et, projectBindingRecovery as f, LoggingLevelSchema as fn, parseConfig as ft, buildProjectSyncManifest as g, SetLevelRequestSchema as gn, hasRenderableStructuredContent as gt, createSdkRemoteCapletsClient as h, SUPPORTED_PROTOCOL_VERSIONS as hn, loadCapletFilesFromMap as ht, createRemoteProfileStore as i, InitializedNotificationSchema as in, ServerRegistry as it, nativeCapletToolName as j, safeParse as jn, defaultConfigBaseDir as jt, nativeCapletPromptGuidance as k, normalizeObjectSchema as kn, DEFAULT_OBSERVED_OUTPUT_SHAPE_CACHE_DIR as kt, PROJECT_BINDING_ERROR_CODES as l, ListResourcesRequestSchema as ln, loadGlobalConfig as lt, RemoteNativeCapletsService as m, ReadResourceRequestSchema as mn, validateCapletFile as mt, resolveRemoteSelection as n, GetPromptRequestSchema as nn, fingerprintProjectRoot as nt, cloudAuthPath as o, LATEST_PROTOCOL_VERSION as on, GoogleDiscoveryManager as ot, CloudAuthClient as p, McpError as pn, discoverCapletFiles as pt, codeModeDeclarationHash as q, CallToolResultSchema as qt, cloudCredentialsFromRemoteProfile as r, InitializeRequestSchema as rn, handleServerTool as rt, migrateCredentials as s, ListPromptsRequestSchema as sn, loadConfig as st, createNativeCapletsService as t, ErrorCode as tn, findProjectRoot as tt, ProjectBindingError as u, ListRootsResultSchema as un, loadLocalOverlayConfigWithSources as ut, hostedCloudWorkspaceFromRemoteUrl as v, assertCompleteRequestResourceTemplate as vn, markdownStructuredContent as vt, appendBasePath as w, getObjectShape as wn, deleteTokenBundle as wt, resolveCapletsRemote as x, isJSONRPCRequest as xn, runOAuthFlow as xt, isCapletsCloudUrl as y, isInitializeRequest as yn, refreshOAuthTokenBundle as yt, CodeModeSessionManager as z, serializeMessage as zt };