@cloudbase/cloudbase-mcp 2.12.1 → 2.14.0

package/dist/index.cjs

@@ -1763,11 +1763,12 @@ warn.forProperties(exports, 'deprecated', ['emitErrs', 'levelLength']);
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.simplifyEnvList = simplifyEnvList;
 exports.registerEnvTools = registerEnvTools;
+const toolbox_1 = __webpack_require__(25901);
 const zod_1 = __webpack_require__(21614);
 const auth_js_1 = __webpack_require__(77291);
 const cloudbase_manager_js_1 = __webpack_require__(3431);
 const logger_js_1 = __webpack_require__(13039);
-const interactive_js_1 = __webpack_require__(3461);
+const tool_result_js_1 = __webpack_require__(9835);
 const rag_js_1 = __webpack_require__(64215);
 /**
  * Simplify environment list data by keeping only essential fields for AI assistant
@@ -1799,17 +1800,119 @@ function simplifyEnvList(envList) {
         return simplified;
     });
 }
+function formatDeviceAuthHint(deviceAuthInfo) {
+    if (!deviceAuthInfo) {
+        return "";
+    }
+    const lines = [
+        "",
+        "### Device Flow 授权信息",
+        `- user_code: ${deviceAuthInfo.user_code}`,
+    ];
+    if (deviceAuthInfo.verification_uri) {
+        lines.push(`- verification_uri: ${deviceAuthInfo.verification_uri}`);
+    }
+    lines.push(`- expires_in: ${deviceAuthInfo.expires_in}s`);
+    lines.push("", "请在另一台可用浏览器设备打开 `verification_uri` 并输入 `user_code` 完成授权。");
+    return lines.join("\n");
+}
+function emitDeviceAuthNotice(server, deviceAuthInfo) {
+    // Temporarily disabled: avoid sending logging notifications for device auth
+}
+async function fetchAvailableEnvCandidates(cloudBaseOptions, server) {
+    try {
+        return await (0, cloudbase_manager_js_1.listAvailableEnvCandidates)({
+            cloudBaseOptions,
+        });
+    }
+    catch {
+        return [];
+    }
+}
+const CODEBUDDY_AUTH_ACTIONS = ["status", "set_env"];
+const DEFAULT_AUTH_ACTIONS = [
+    "status",
+    "start_auth",
+    "set_env",
+    "logout",
+];
+function getCurrentIde(server) {
+    return server.ide || process.env.INTEGRATION_IDE || "";
+}
+function isCodeBuddyIde(server) {
+    return getCurrentIde(server) === "CodeBuddy";
+}
+function getSupportedAuthActions(server) {
+    return isCodeBuddyIde(server) ? CODEBUDDY_AUTH_ACTIONS : DEFAULT_AUTH_ACTIONS;
+}
+function buildAuthRequiredNextStep(server) {
+    if (isCodeBuddyIde(server)) {
+        return (0, tool_result_js_1.buildAuthNextStep)("status", {
+            suggestedArgs: { action: "status" },
+        });
+    }
+    return (0, tool_result_js_1.buildAuthNextStep)("start_auth", {
+        suggestedArgs: { action: "start_auth", authMode: "device" },
+    });
+}
+function buildSetEnvNextStep(envCandidates) {
+    const singleEnvId = envCandidates.length === 1 ? envCandidates[0].envId : undefined;
+    return (0, tool_result_js_1.buildAuthNextStep)("set_env", {
+        requiredParams: singleEnvId ? undefined : ["envId"],
+        suggestedArgs: singleEnvId
+            ? { action: "set_env", envId: singleEnvId }
+            : { action: "set_env" },
+    });
+}
+async function getGuidePrompt(server) {
+    if (getCurrentIde(server) === "CodeBuddy" ||
+        process.env.CLOUDBASE_GUIDE_PROMPT === "false") {
+        return "";
+    }
+    try {
+        return await (0, rag_js_1.getClaudePrompt)();
+    }
+    catch (promptError) {
+        (0, logger_js_1.debug)("Failed to get CLAUDE prompt", { error: promptError });
+        return "";
+    }
+}
 function registerEnvTools(server) {
     // 获取 cloudBaseOptions，如果没有则为 undefined
     const cloudBaseOptions = server.cloudBaseOptions;
     const getManager = () => (0, cloudbase_manager_js_1.getCloudBaseManager)({ cloudBaseOptions, mcpServer: server });
     const hasEnvId = typeof cloudBaseOptions?.envId === 'string' && cloudBaseOptions?.envId.length > 0;
-    // login - 登录云开发环境
-    server.registerTool?.("login", {
-        title: "登录云开发",
-        description: "登录云开发环境，在生成包含云开发 CloudBase 相关功能前**必须**先调用此工具进行登录。登录云开发环境并选择要使用的环境。",
+    const supportedAuthActions = getSupportedAuthActions(server);
+    const authActionEnum = [...supportedAuthActions];
+    // auth - CloudBase (云开发) 开发阶段登录与环境绑定
+    server.registerTool?.("auth", {
+        title: "CloudBase 开发阶段登录与环境",
+        description: "CloudBase（腾讯云开发）开发阶段登录与环境绑定。登录后即可访问云资源；环境(env)是云函数、数据库、静态托管等资源的隔离单元，绑定环境后其他 MCP 工具才能操作该环境。支持：查询状态、发起登录、绑定环境(set_env)、退出登录。",
         inputSchema: {
-            forceUpdate: zod_1.z.boolean().optional().describe("是否强制重新选择环境"),
+            action: zod_1.z
+                .enum(authActionEnum)
+                .optional()
+                .describe("动作：status=查询状态，start_auth=发起登录，set_env=绑定环境(传envId)，logout=退出登录"),
+            ...(supportedAuthActions.includes("start_auth")
+                ? {
+                    authMode: zod_1.z
+                        .enum(["device", "web"])
+                        .optional()
+                        .describe("认证模式：device=设备码授权，web=浏览器回调授权"),
+                }
+                : {}),
+            envId: zod_1.z
+                .string()
+                .optional()
+                .describe("环境ID(CloudBase 环境唯一标识)，绑定后工具将操作该环境。action=set_env 时必填"),
+            ...(supportedAuthActions.includes("logout")
+                ? {
+                    confirm: zod_1.z
+                        .literal("yes")
+                        .optional()
+                        .describe("action=logout 时确认操作，传 yes"),
+                }
+                : {}),
         },
         annotations: {
             readOnlyHint: false,
@@ -1818,135 +1921,326 @@ function registerEnvTools(server) {
             openWorldHint: true,
             category: "env",
         },
-    }, async ({ forceUpdate = false }) => {
-        let isSwitching = false;
+    }, async (rawArgs) => {
+        const action = rawArgs.action ?? "status";
+        const authMode = rawArgs.authMode === "device" || rawArgs.authMode === "web"
+            ? rawArgs.authMode
+            : undefined;
+        const envId = rawArgs.envId;
+        const confirm = rawArgs.confirm === "yes" ? "yes" : undefined;
+        let deviceAuthInfo;
+        const onDeviceCode = (info) => {
+            deviceAuthInfo = info;
+            (0, auth_js_1.setPendingAuthProgressState)(info, "device");
+            // emitDeviceAuthNotice(server, info);
+        };
+        const authChallenge = () => deviceAuthInfo
+            ? {
+                user_code: deviceAuthInfo.user_code,
+                verification_uri: deviceAuthInfo.verification_uri,
+                expires_in: deviceAuthInfo.expires_in,
+            }
+            : undefined;
         try {
-            // 使用 while 循环处理用户切换账号的情况
-            while (true) {
-                // CRITICAL: Ensure server is passed correctly
-                (0, logger_js_1.debug)("[env] Calling _promptAndSetEnvironmentId with server:", {
-                    hasServer: !!server,
-                    serverType: typeof server,
-                    hasServerServer: !!server?.server,
-                    hasServerIde: !!server?.ide,
-                    serverIde: server?.ide
-                });
-                const { selectedEnvId, cancelled, error, noEnvs, switch: switchAccount, } = await (0, interactive_js_1._promptAndSetEnvironmentId)(forceUpdate, {
-                    server, // Pass ExtendedMcpServer instance
-                    loginFromCloudBaseLoginPage: isSwitching,
-                    // When switching account, ignore environment variables to force Web login
-                    ignoreEnvVars: isSwitching,
+            if (!supportedAuthActions.includes(action)) {
+                return (0, tool_result_js_1.buildJsonToolResult)({
+                    ok: false,
+                    code: "NOT_SUPPORTED",
+                    message: `当前 IDE 不支持 auth(action="${action}")。`,
+                    next_step: (0, tool_result_js_1.buildAuthNextStep)("status", {
+                        suggestedArgs: { action: "status" },
+                    }),
                 });
-                isSwitching = Boolean(switchAccount);
-                (0, logger_js_1.debug)("login", {
-                    selectedEnvId,
-                    cancelled,
-                    error,
-                    noEnvs,
-                    switchAccount,
+            }
+            if (action === "status") {
+                const loginState = await (0, auth_js_1.peekLoginState)();
+                const authFlowState = await (0, auth_js_1.getAuthProgressState)();
+                const envId = (0, cloudbase_manager_js_1.getCachedEnvId)() ||
+                    process.env.CLOUDBASE_ENV_ID ||
+                    (typeof loginState?.envId === "string" ? loginState.envId : undefined);
+                const authStatus = loginState
+                    ? "READY"
+                    : authFlowState.status === "PENDING"
+                        ? "PENDING"
+                        : "REQUIRED";
+                const envCandidates = await fetchAvailableEnvCandidates(cloudBaseOptions, server);
+                const envStatus = envId
+                    ? "READY"
+                    : envCandidates.length > 1
+                        ? "MULTIPLE"
+                        : envCandidates.length === 1
+                            ? "READY"
+                            : "NONE";
+                const message = authStatus === "READY"
+                    ? `当前已登录${envId ? `，环境: ${envId}` : "，但未绑定环境"}`
+                    : authStatus === "PENDING"
+                        ? "设备码授权进行中，请完成浏览器授权后再次调用 auth(action=\"status\")"
+                        : isCodeBuddyIde(server)
+                            ? "当前未登录。CodeBuddy 暂不支持在 tool 内发起认证，请在外部完成认证后再次调用 auth(action=\"status\")。"
+                            : "当前未登录，请先执行 auth(action=\"start_auth\")";
+                return (0, tool_result_js_1.buildJsonToolResult)({
+                    ok: true,
+                    code: "STATUS",
+                    auth_status: authStatus,
+                    env_status: envStatus,
+                    current_env_id: envId || null,
+                    env_candidates: envCandidates,
+                    auth_challenge: authFlowState.status === "PENDING" && authFlowState.authChallenge
+                        ? {
+                            user_code: authFlowState.authChallenge.user_code,
+                            verification_uri: authFlowState.authChallenge.verification_uri,
+                            expires_in: authFlowState.authChallenge.expires_in,
+                        }
+                        : undefined,
+                    message,
+                    next_step: authStatus === "REQUIRED"
+                        ? buildAuthRequiredNextStep(server)
+                        : authStatus === "PENDING"
+                            ? (0, tool_result_js_1.buildAuthNextStep)("status", {
+                                suggestedArgs: { action: "status" },
+                            })
+                            : !envId
+                                ? buildSetEnvNextStep(envCandidates)
+                                : (0, tool_result_js_1.buildAuthNextStep)("status", {
+                                    suggestedArgs: { action: "status" },
+                                }),
                 });
-                if (error) {
-                    return { content: [{ type: "text", text: error }] };
-                }
-                if (cancelled) {
-                    return { content: [{ type: "text", text: "用户取消了登录" }] };
+            }
+            if (action === "start_auth") {
+                const region = server.cloudBaseOptions?.region || process.env.TCB_REGION;
+                const auth = toolbox_1.AuthSupervisor.getInstance({});
+                const authFlowState = await (0, auth_js_1.getAuthProgressState)();
+                if (authFlowState.status === "PENDING" && authFlowState.authChallenge) {
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: true,
+                        code: "AUTH_PENDING",
+                        message: "设备码授权进行中，请在浏览器中打开 verification_uri 并输入 user_code 完成授权。",
+                        auth_challenge: {
+                            user_code: authFlowState.authChallenge.user_code,
+                            verification_uri: authFlowState.authChallenge.verification_uri,
+                            expires_in: authFlowState.authChallenge.expires_in,
+                        },
+                        next_step: (0, tool_result_js_1.buildAuthNextStep)("status", {
+                            suggestedArgs: { action: "status" },
+                        }),
+                    });
                 }
-                // 用户选择切换账号，先 logout 再重新登录
-                if (switchAccount) {
-                    (0, logger_js_1.debug)("User requested switch account, logging out...");
-                    try {
-                        await (0, auth_js_1.logout)();
-                        (0, cloudbase_manager_js_1.resetCloudBaseManagerCache)();
-                        (0, logger_js_1.debug)("Logged out successfully, restarting login flow...");
-                        // Set isSwitching to true so next iteration will ignore env vars
-                        // and force Web authentication to allow account switching
-                        isSwitching = true;
-                        // 继续循环，重新显示登录界面
-                        continue;
-                    }
-                    catch (logoutError) {
-                        (0, logger_js_1.debug)("Logout failed during switch", { error: logoutError });
-                        continue;
+                // 1. 如果已经有登录态，直接返回 AUTH_READY
+                try {
+                    const existingLoginState = await (0, auth_js_1.peekLoginState)();
+                    if (existingLoginState) {
+                        const envId = typeof existingLoginState.envId === "string" ? existingLoginState.envId : null;
+                        const envCandidates = envId
+                            ? []
+                            : await fetchAvailableEnvCandidates(cloudBaseOptions, server);
+                        return (0, tool_result_js_1.buildJsonToolResult)({
+                            ok: true,
+                            code: "AUTH_READY",
+                            message: envId
+                                ? `认证成功，当前登录态 envId: ${envId}`
+                                : "认证成功",
+                            auth_challenge: authChallenge(),
+                            env_candidates: envCandidates,
+                            next_step: envId
+                                ? (0, tool_result_js_1.buildAuthNextStep)("status", {
+                                    suggestedArgs: { action: "status" },
+                                })
+                                : buildSetEnvNextStep(envCandidates),
+                        });
                     }
                 }
-                if (selectedEnvId) {
-                    // Get CLAUDE.md prompt content (skip for CodeBuddy IDE)
-                    let promptContent = "";
-                    const currentIde = server.ide || process.env.INTEGRATION_IDE;
-                    if (currentIde !== "CodeBuddy" && process.env.CLOUDBASE_GUIDE_PROMPT !== "false") {
-                        try {
-                            promptContent = await (0, rag_js_1.getClaudePrompt)();
+                catch {
+                    // 忽略 getLoginState 错误，继续尝试发起登录
+                }
+                // 2. 设备码模式：监听到 device code 即返回 AUTH_PENDING，后续由 toolbox 异步轮询并更新本地 credential
+                const effectiveMode = authMode && (authMode === "device" || authMode === "web")
+                    ? authMode
+                    : process.env.TCB_AUTH_MODE === "web"
+                        ? "web"
+                        : "device";
+                if (effectiveMode === "device") {
+                    let resolveCode;
+                    let rejectCode;
+                    const codeReady = new Promise((resolve, reject) => {
+                        resolveCode = resolve;
+                        rejectCode = reject;
+                    });
+                    const deviceOnCode = (info) => {
+                        onDeviceCode(info);
+                        if (resolveCode) {
+                            resolveCode();
                         }
-                        catch (promptError) {
-                            (0, logger_js_1.debug)("Failed to get CLAUDE prompt", { error: promptError });
-                            // Continue with login success even if prompt fetch fails
+                    };
+                    try {
+                        // 启动 Device Flow，全流程由 toolbox 负责轮询和写入 credential，这里不等待完成
+                        auth
+                            .loginByWebAuth({
+                            flow: "device",
+                            onDeviceCode: deviceOnCode,
+                        })
+                            .then(() => {
+                            (0, auth_js_1.resolveAuthProgressState)();
+                        })
+                            .catch((err) => {
+                            (0, auth_js_1.rejectAuthProgressState)(err);
+                            // 如果在拿到 device code 之前就失败，则唤醒当前调用并返回错误
+                            if (!deviceAuthInfo && rejectCode) {
+                                rejectCode(err);
+                            }
+                        });
+                    }
+                    catch (err) {
+                        if (rejectCode) {
+                            rejectCode(err);
                         }
                     }
-                    const successMessage = `✅ 登录成功，当前环境: ${selectedEnvId}`;
-                    const promptMessage = promptContent
-                        ? `\n\n⚠️ 重要提示：后续所有云开发相关的开发工作必须严格遵循以下开发规范和最佳实践：\n\n${promptContent}`
-                        : "";
-                    return {
-                        content: [
-                            {
-                                type: "text",
-                                text: successMessage + promptMessage,
-                            },
-                        ],
-                    };
+                    try {
+                        await codeReady;
+                    }
+                    catch (err) {
+                        const message = err instanceof Error ? err.message : String(err ?? "unknown error");
+                        return (0, tool_result_js_1.buildJsonToolResult)({
+                            ok: false,
+                            code: "AUTH_REQUIRED",
+                            message: `设备码登录初始化失败: ${message}`,
+                            next_step: (0, tool_result_js_1.buildAuthNextStep)("start_auth", {
+                                suggestedArgs: { action: "start_auth", authMode: "device" },
+                            }),
+                        });
+                    }
+                    if (!deviceAuthInfo) {
+                        return (0, tool_result_js_1.buildJsonToolResult)({
+                            ok: false,
+                            code: "AUTH_REQUIRED",
+                            message: "未获取到设备码信息，请重试设备码登录",
+                            next_step: (0, tool_result_js_1.buildAuthNextStep)("start_auth", {
+                                suggestedArgs: { action: "start_auth", authMode: "device" },
+                            }),
+                        });
+                    }
+                    const envCandidates = await fetchAvailableEnvCandidates(cloudBaseOptions, server);
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: true,
+                        code: "AUTH_PENDING",
+                        message: "已发起设备码登录，请在浏览器中打开 verification_uri 并输入 user_code 完成授权。授权完成后请再次调用 auth(action=\"status\")。",
+                        auth_challenge: authChallenge(),
+                        env_candidates: envCandidates,
+                        next_step: (0, tool_result_js_1.buildAuthNextStep)("status", {
+                            suggestedArgs: { action: "status" },
+                        }),
+                    });
                 }
-                throw new Error("登录失败");
+                // 3. 非 Device Flow（显式 web 模式）仍然使用 getLoginState 阻塞等待
+                const loginState = await (0, auth_js_1.ensureLogin)({
+                    region,
+                    authMode: effectiveMode,
+                });
+                if (!loginState) {
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: false,
+                        code: "AUTH_REQUIRED",
+                        message: "未获取到登录态，请先完成认证",
+                        next_step: (0, tool_result_js_1.buildAuthNextStep)("start_auth", {
+                            suggestedArgs: { action: "start_auth", authMode: effectiveMode },
+                        }),
+                    });
+                }
+                const envId = typeof loginState.envId === "string" ? loginState.envId : null;
+                const envCandidates = envId
+                    ? []
+                    : await fetchAvailableEnvCandidates(cloudBaseOptions, server);
+                return (0, tool_result_js_1.buildJsonToolResult)({
+                    ok: true,
+                    code: "AUTH_READY",
+                    message: envId ? `认证成功，当前登录态 envId: ${envId}` : "认证成功",
+                    auth_challenge: authChallenge(),
+                    env_candidates: envCandidates,
+                    next_step: envId
+                        ? (0, tool_result_js_1.buildAuthNextStep)("status", {
+                            suggestedArgs: { action: "status" },
+                        })
+                        : buildSetEnvNextStep(envCandidates),
+                });
             }
+            if (action === "set_env") {
+                const loginState = await (0, auth_js_1.peekLoginState)();
+                if (!loginState) {
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: false,
+                        code: "AUTH_REQUIRED",
+                        message: isCodeBuddyIde(server)
+                            ? "当前未登录。CodeBuddy 暂不支持在 tool 内发起认证，请在外部完成认证后再次调用 auth(action=\"status\")。"
+                            : "当前未登录，请先执行 auth(action=\"start_auth\")。",
+                        next_step: buildAuthRequiredNextStep(server),
+                    });
+                }
+                const envCandidates = await fetchAvailableEnvCandidates(cloudBaseOptions, server);
+                if (!envId) {
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: false,
+                        code: "INVALID_ARGS",
+                        message: "action=set_env 时必须提供 envId",
+                        env_candidates: envCandidates,
+                        next_step: buildSetEnvNextStep(envCandidates),
+                    });
+                }
+                const target = envCandidates.find((item) => item.envId === envId);
+                if (envCandidates.length > 0 && !target) {
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: false,
+                        code: "INVALID_ARGS",
+                        message: `未找到环境: ${envId}`,
+                        env_candidates: envCandidates,
+                        next_step: buildSetEnvNextStep(envCandidates),
+                    });
+                }
+                await cloudbase_manager_js_1.envManager.setEnvId(envId);
+                return (0, tool_result_js_1.buildJsonToolResult)({
+                    ok: true,
+                    code: "ENV_READY",
+                    message: `环境设置成功，当前环境: ${envId}`,
+                    current_env_id: envId,
+                });
+            }
+            if (action === "logout") {
+                if (confirm !== "yes") {
+                    return (0, tool_result_js_1.buildJsonToolResult)({
+                        ok: false,
+                        code: "INVALID_ARGS",
+                        message: "action=logout 时必须传 confirm=\"yes\"",
+                        next_step: (0, tool_result_js_1.buildAuthNextStep)("logout", {
+                            suggestedArgs: { action: "logout", confirm: "yes" },
+                        }),
+                    });
+                }
+                await (0, auth_js_1.logout)();
+                (0, cloudbase_manager_js_1.resetCloudBaseManagerCache)();
+                return (0, tool_result_js_1.buildJsonToolResult)({
+                    ok: true,
+                    code: "LOGGED_OUT",
+                    message: "✅ 已退出登录",
+                });
+            }
+            return (0, tool_result_js_1.buildJsonToolResult)({
+                ok: false,
+                code: "NOT_SUPPORTED",
+                message: `不支持的 auth action: ${action}`,
+                next_step: (0, tool_result_js_1.buildAuthNextStep)("status", {
+                    suggestedArgs: { action: "status" },
+                }),
+            });
         }
         catch (error) {
-            return {
-                content: [
-                    {
-                        type: "text",
-                        text: `登录失败: ${error instanceof Error ? error.message : String(error)}`,
-                    },
-                ],
-            };
-        }
-    });
-    // logout - 退出云开发环境
-    server.registerTool?.("logout", {
-        title: "退出登录",
-        description: "退出云开发环境",
-        inputSchema: {
-            confirm: zod_1.z.literal("yes").describe("确认操作，默认传 yes"),
-        },
-        annotations: {
-            readOnlyHint: false,
-            destructiveHint: false,
-            idempotentHint: true,
-            openWorldHint: false,
-            category: "env",
-        },
-    }, async () => {
-        try {
-            // 登出账户
-            await (0, auth_js_1.logout)();
-            // 清理环境ID缓存
-            (0, cloudbase_manager_js_1.resetCloudBaseManagerCache)();
-            return {
-                content: [
-                    {
-                        type: "text",
-                        text: "✅ 已退出登录",
-                    },
-                ],
-            };
-        }
-        catch (error) {
-            return {
-                content: [
-                    {
-                        type: "text",
-                        text: `退出失败: ${error instanceof Error ? error.message : String(error)}`,
-                    },
-                ],
-            };
+            const message = error instanceof Error ? error.message : String(error);
+            return (0, tool_result_js_1.buildJsonToolResult)({
+                ok: false,
+                code: "INTERNAL_ERROR",
+                message: `auth 执行失败: ${message}`,
+                auth_challenge: authChallenge(),
+                next_step: (0, tool_result_js_1.buildAuthNextStep)("status", {
+                    suggestedArgs: { action: "status" },
+                }),
+            });
         }
     });
     // envQuery - 环境查询（合并 listEnvs + getEnvInfo + getEnvAuthDomains + getWebsiteConfig）
@@ -2020,6 +2314,10 @@ function registerEnvTools(server) {
                             }
                         }
                         catch (fallbackError) {
+                            const toolPayloadResult = (0, tool_result_js_1.toolPayloadErrorToResult)(fallbackError);
+                            if (toolPayloadResult) {
+                                return toolPayloadResult;
+                            }
                             (0, logger_js_1.debug)("降级到 listEnvs() 也失败:", fallbackError instanceof Error ? fallbackError : new Error(String(fallbackError)));
                             return {
                                 content: [
@@ -2083,6 +2381,10 @@ function registerEnvTools(server) {
             };
         }
         catch (error) {
+            const toolPayloadResult = (0, tool_result_js_1.toolPayloadErrorToResult)(error);
+            if (toolPayloadResult) {
+                return toolPayloadResult;
+            }
             return {
                 content: [
                     {
@@ -2136,6 +2438,10 @@ function registerEnvTools(server) {
             };
         }
         catch (error) {
+            const toolPayloadResult = (0, tool_result_js_1.toolPayloadErrorToResult)(error);
+            if (toolPayloadResult) {
+                return toolPayloadResult;
+            }
             return {
                 content: [
                     {
@@ -5336,7 +5642,7 @@ var __WEBPACK_AMD_DEFINE_RESULT__;/**
   var undefined;
 
   /** Used as the semantic version number. */
-  var VERSION = '4.17.21';
+  var VERSION = '4.17.23';
 
   /** Used as the size to enable large array optimizations. */
   var LARGE_ARRAY_SIZE = 200;
@@ -9090,7 +9396,7 @@ var __WEBPACK_AMD_DEFINE_RESULT__;/**
           if (isArray(iteratee)) {
             return function(value) {
               return baseGet(value, iteratee.length === 1 ? iteratee[0] : iteratee);
-            }
+            };
           }
           return iteratee;
         });
@@ -9694,8 +10000,47 @@ var __WEBPACK_AMD_DEFINE_RESULT__;/**
      */
     function baseUnset(object, path) {
       path = castPath(path, object);
-      object = parent(object, path);
-      return object == null || delete object[toKey(last(path))];
+
+      // Prevent prototype pollution, see: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg
+      var index = -1,
+          length = path.length;
+
+      if (!length) {
+        return true;
+      }
+
+      var isRootPrimitive = object == null || (typeof object !== 'object' && typeof object !== 'function');
+
+      while (++index < length) {
+        var key = path[index];
+
+        // skip non-string keys (e.g., Symbols, numbers)
+        if (typeof key !== 'string') {
+          continue;
+        }
+
+        // Always block "__proto__" anywhere in the path if it's not expected
+        if (key === '__proto__' && !hasOwnProperty.call(object, '__proto__')) {
+          return false;
+        }
+
+        // Block "constructor.prototype" chains
+        if (key === 'constructor' &&
+            (index + 1) < length &&
+            typeof path[index + 1] === 'string' &&
+            path[index + 1] === 'prototype') {
+
+          // Allow ONLY when the path starts at a primitive root, e.g., _.unset(0, 'constructor.prototype.a')
+          if (isRootPrimitive && index === 0) {
+            continue;
+          }
+
+          return false;
+        }
+      }
+
+      var obj = parent(object, path);
+      return obj == null || delete obj[toKey(last(path))];
     }
 
     /**
@@ -23781,6 +24126,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.envManager = void 0;
+exports.listAvailableEnvCandidates = listAvailableEnvCandidates;
 exports.getEnvId = getEnvId;
 exports.resetCloudBaseManagerCache = resetCloudBaseManagerCache;
 exports.getCachedEnvId = getCachedEnvId;
@@ -23790,9 +24136,134 @@ exports.extractRequestId = extractRequestId;
 exports.logCloudBaseResult = logCloudBaseResult;
 const manager_node_1 = __importDefault(__webpack_require__(95492));
 const auth_js_1 = __webpack_require__(77291);
-const interactive_js_1 = __webpack_require__(3461);
 const logger_js_1 = __webpack_require__(13039);
-const ENV_ID_TIMEOUT = 600000; // 10 minutes (600 seconds) - matches InteractiveServer timeout
+const tool_result_js_1 = __webpack_require__(9835);
+// Timeout for envId auto-resolution flow.
+// 10 minutes (600 seconds) - matches InteractiveServer timeout
+const ENV_ID_TIMEOUT = 600000;
+function toEnvCandidates(envList) {
+    if (!Array.isArray(envList)) {
+        return [];
+    }
+    return envList
+        .filter((item) => item?.EnvId)
+        .map((item) => ({
+        envId: item.EnvId,
+        alias: item.Alias,
+        region: item.Region,
+        status: item.Status,
+        env_type: item.EnvType,
+    }));
+}
+function createManagerFromLoginState(loginState, region) {
+    return new manager_node_1.default({
+        secretId: loginState.secretId,
+        secretKey: loginState.secretKey,
+        envId: loginState.envId,
+        token: loginState.token,
+        proxy: process.env.http_proxy,
+        region,
+    });
+}
+async function listAvailableEnvCandidates(options) {
+    const { cloudBaseOptions, loginState: providedLoginState } = options ?? {};
+    if (cloudBaseOptions?.envId) {
+        return [{
+                envId: cloudBaseOptions.envId,
+            }];
+    }
+    let cloudbase;
+    if (cloudBaseOptions?.secretId && cloudBaseOptions?.secretKey) {
+        cloudbase = createCloudBaseManagerWithOptions(cloudBaseOptions);
+    }
+    else {
+        const loginState = providedLoginState ?? await (0, auth_js_1.peekLoginState)();
+        if (!loginState?.secretId || !loginState?.secretKey) {
+            return [];
+        }
+        const region = cloudBaseOptions?.region ?? process.env.TCB_REGION ?? undefined;
+        cloudbase = createManagerFromLoginState(loginState, region);
+    }
+    try {
+        const result = await cloudbase.commonService("tcb", "2018-06-08").call({
+            Action: "DescribeEnvs",
+            Param: {
+                EnvTypes: ["weda", "baas"],
+                IsVisible: false,
+                Channels: ["dcloud", "iotenable", "tem", "scene_module"],
+            },
+        });
+        const envList = result?.EnvList || result?.Data?.EnvList || [];
+        return toEnvCandidates(envList);
+    }
+    catch {
+        try {
+            const fallback = await cloudbase.env.listEnvs();
+            return toEnvCandidates(fallback?.EnvList || []);
+        }
+        catch {
+            return [];
+        }
+    }
+}
+function throwAuthRequiredError() {
+    (0, tool_result_js_1.throwToolPayloadError)({
+        ok: false,
+        code: "AUTH_REQUIRED",
+        message: "当前未登录，请先调用 auth 工具完成认证。",
+        next_step: (0, tool_result_js_1.buildAuthNextStep)("start_auth", {
+            suggestedArgs: {
+                action: "start_auth",
+                authMode: "device",
+            },
+        }),
+    });
+}
+async function throwPendingAuthError() {
+    const authState = await (0, auth_js_1.getAuthProgressState)();
+    (0, tool_result_js_1.throwToolPayloadError)({
+        ok: false,
+        code: "AUTH_PENDING",
+        message: authState.lastError || "设备码授权进行中，请先完成登录后再重试当前工具。",
+        auth_challenge: authState.authChallenge
+            ? {
+                user_code: authState.authChallenge.user_code,
+                verification_uri: authState.authChallenge.verification_uri,
+                expires_in: authState.authChallenge.expires_in,
+            }
+            : undefined,
+        next_step: (0, tool_result_js_1.buildAuthNextStep)("status", {
+            suggestedArgs: {
+                action: "status",
+            },
+        }),
+    });
+}
+async function throwEnvRequiredError(options) {
+    const envCandidates = options?.envCandidates ?? (await listAvailableEnvCandidates(options));
+    const singleEnvId = envCandidates.length === 1 ? envCandidates[0].envId : undefined;
+    (0, tool_result_js_1.throwToolPayloadError)({
+        ok: false,
+        code: "ENV_REQUIRED",
+        message: envCandidates.length === 0
+            ? "当前已登录，但还没有可用环境，请先调用 auth 工具完成环境选择或创建环境。"
+            : envCandidates.length === 1
+                ? `当前已登录，但尚未绑定环境。可直接选择环境 ${singleEnvId}。`
+                : "当前已登录，但尚未绑定环境，请先调用 auth 工具选择环境。",
+        env_candidates: envCandidates,
+        next_step: (0, tool_result_js_1.buildAuthNextStep)("set_env", {
+            requiredParams: singleEnvId ? undefined : ["envId"],
+            suggestedArgs: singleEnvId
+                ? {
+                    action: "set_env",
+                    envId: singleEnvId,
+                }
+                : {
+                    action: "set_env",
+                },
+        }),
+    });
+}
 // 统一的环境ID管理类
 class EnvironmentManager {
     cachedEnvId = null;
@@ -23804,7 +24275,7 @@ class EnvironmentManager {
         delete process.env.CLOUDBASE_ENV_ID;
     }
     // 获取环境ID的核心逻辑
-    async getEnvId(mcpServer) {
+    async getEnvId() {
         // 1. 优先使用内存缓存
         if (this.cachedEnvId) {
             (0, logger_js_1.debug)('使用内存缓存的环境ID:', { envId: this.cachedEnvId });
@@ -23814,17 +24285,10 @@ class EnvironmentManager {
         if (this.envIdPromise) {
             return this.envIdPromise;
         }
-        // 3. 开始获取环境ID (pass mcpServer for IDE detection)
-        this.envIdPromise = this._fetchEnvId(mcpServer);
-        // 增加超时保护
-        const timeoutPromise = new Promise((_, reject) => {
-            const id = setTimeout(() => {
-                clearTimeout(id);
-                reject(new Error(`EnvId 获取超时（${ENV_ID_TIMEOUT / 1000}秒）`));
-            }, ENV_ID_TIMEOUT);
-        });
+        // 3. 开始获取环境ID
+        this.envIdPromise = this._fetchEnvId();
         try {
-            const result = await Promise.race([this.envIdPromise, timeoutPromise]);
+            const result = await this.envIdPromise;
             return result;
         }
         catch (err) {
@@ -23832,7 +24296,7 @@ class EnvironmentManager {
             throw err;
         }
     }
-    async _fetchEnvId(mcpServer) {
+    async _fetchEnvId() {
         try {
             // 1. 检查进程环境变量
             if (process.env.CLOUDBASE_ENV_ID) {
@@ -23840,48 +24304,23 @@ class EnvironmentManager {
                 this.cachedEnvId = process.env.CLOUDBASE_ENV_ID;
                 return this.cachedEnvId;
             }
-            // 2. 自动设置环境ID (pass mcpServer for IDE detection)
-            (0, logger_js_1.debug)('未找到环境ID，尝试自动设置...');
-            let setupResult;
-            try {
-                setupResult = await (0, interactive_js_1._promptAndSetEnvironmentId)(true, { server: mcpServer });
-            }
-            catch (setupError) {
-                // Preserve original error information
-                const errorObj = setupError instanceof Error ? setupError : new Error(String(setupError));
-                (0, logger_js_1.error)('自动设置环境ID时发生异常:', {
-                    error: errorObj.message,
-                    stack: errorObj.stack,
-                    name: errorObj.name,
-                });
-                // Re-throw with enhanced context
-                const enhancedError = new Error(`自动设置环境ID失败: ${errorObj.message}`);
-                enhancedError.originalError = errorObj;
-                enhancedError.failureInfo = {
-                    reason: 'unknown_error',
-                    error: errorObj.message,
-                    errorCode: 'SETUP_EXCEPTION',
-                };
-                throw enhancedError;
-            }
-            const autoEnvId = setupResult.selectedEnvId;
-            if (!autoEnvId) {
-                // Build detailed error message from failure info
-                const errorMessage = this._buildDetailedErrorMessage(setupResult.failureInfo);
-                (0, logger_js_1.error)('自动设置环境ID失败:', {
-                    reason: setupResult.failureInfo?.reason,
-                    errorCode: setupResult.failureInfo?.errorCode,
-                    error: setupResult.failureInfo?.error,
-                    details: setupResult.failureInfo?.details,
-                });
-                // Create error with detailed information
-                const detailedError = new Error(errorMessage);
-                detailedError.failureInfo = setupResult.failureInfo;
-                throw detailedError;
+            // 2. 如果登录态里已有 envId，直接复用
+            const loginState = await (0, auth_js_1.peekLoginState)();
+            if (typeof loginState?.envId === 'string' && loginState.envId.length > 0) {
+                (0, logger_js_1.debug)('使用登录态中的环境ID:', { envId: loginState.envId });
+                this._setCachedEnvId(loginState.envId);
+                return loginState.envId;
+            }
+            // 3. 单环境自动绑定；多环境时返回结构化引导，不再触发交互弹窗
+            const envCandidates = await listAvailableEnvCandidates({ loginState });
+            if (envCandidates.length === 1) {
+                const singleEnvId = envCandidates[0].envId;
+                (0, logger_js_1.debug)('自动绑定唯一环境:', { envId: singleEnvId });
+                this._setCachedEnvId(singleEnvId);
+                return singleEnvId;
             }
-            (0, logger_js_1.debug)('自动设置环境ID成功:', { envId: autoEnvId });
-            this._setCachedEnvId(autoEnvId);
-            return autoEnvId;
+            await throwEnvRequiredError({ loginState, envCandidates });
+            throw new Error('Unreachable after throwEnvRequiredError');
         }
         catch (err) {
             // Log the error with full context before re-throwing
@@ -23905,65 +24344,6 @@ class EnvironmentManager {
         process.env.CLOUDBASE_ENV_ID = envId;
         (0, logger_js_1.debug)('已更新环境ID缓存:', { envId });
     }
-    // Build detailed error message from failure info
-    _buildDetailedErrorMessage(failureInfo) {
-        if (!failureInfo) {
-            return "CloudBase Environment ID not found after auto setup. Please set CLOUDBASE_ENV_ID or run setupEnvironmentId tool.";
-        }
-        const { reason, error: errorMsg, errorCode, helpUrl, details } = failureInfo;
-        let message = "CloudBase Environment ID not found after auto setup.\n\n";
-        message += `原因: ${this._getReasonDescription(reason)}\n`;
-        if (errorMsg) {
-            message += `错误: ${errorMsg}\n`;
-        }
-        if (errorCode) {
-            message += `错误代码: ${errorCode}\n`;
-        }
-        // Add specific details based on failure reason
-        if (reason === 'tcb_init_failed' && details?.initTcbError) {
-            const initError = details.initTcbError;
-            if (initError.needRealNameAuth) {
-                message += "\n需要完成实名认证才能使用 CloudBase 服务。\n";
-            }
-            if (initError.needCamAuth) {
-                message += "\n需要 CAM 权限才能使用 CloudBase 服务。\n";
-            }
-        }
-        if (reason === 'env_creation_failed' && details?.createEnvError) {
-            const createError = details.createEnvError;
-            message += `\n环境创建失败: ${createError.message || '未知错误'}\n`;
-        }
-        if (reason === 'env_query_failed' && details?.queryEnvError) {
-            message += `\n环境查询失败: ${details.queryEnvError}\n`;
-        }
-        if (reason === 'timeout' && details?.timeoutDuration) {
-            message += `\n超时时间: ${details.timeoutDuration / 1000} 秒\n`;
-            message += "提示: 请确保浏览器窗口已打开，并在规定时间内完成环境选择。\n";
-        }
-        message += "\n解决方案:\n";
-        message += "1. 手动设置环境ID: 设置环境变量 CLOUDBASE_ENV_ID\n";
-        message += "2. 使用工具设置: 运行 setupEnvironmentId 工具\n";
-        if (helpUrl) {
-            message += `3. 查看帮助文档: ${helpUrl}\n`;
-        }
-        else {
-            message += "3. 查看帮助文档: https://docs.cloudbase.net/cli-v1/env\n";
-        }
-        return message;
-    }
-    _getReasonDescription(reason) {
-        const descriptions = {
-            'timeout': '环境选择超时',
-            'cancelled': '用户取消了环境选择',
-            'no_environments': '没有可用环境',
-            'login_failed': '登录失败',
-            'tcb_init_failed': 'CloudBase 服务初始化失败',
-            'env_query_failed': '环境列表查询失败',
-            'env_creation_failed': '环境创建失败',
-            'unknown_error': '未知错误',
-        };
-        return descriptions[reason] || '未知原因';
-    }
     // 手动设置环境ID（用于外部调用）
     async setEnvId(envId) {
         this._setCachedEnvId(envId);
@@ -23984,6 +24364,16 @@ async function getEnvId(cloudBaseOptions) {
         (0, logger_js_1.debug)('使用传入的 envId:', { envId: cloudBaseOptions.envId });
         return cloudBaseOptions.envId;
     }
+    const cachedEnvId = envManager.getCachedEnvId() || process.env.CLOUDBASE_ENV_ID;
+    if (cachedEnvId) {
+        (0, logger_js_1.debug)('使用缓存中的 envId:', { envId: cachedEnvId });
+        return cachedEnvId;
+    }
+    const loginState = await (0, auth_js_1.peekLoginState)();
+    if (typeof loginState?.envId === 'string' && loginState.envId.length > 0) {
+        (0, logger_js_1.debug)('使用登录态中的 envId:', { envId: loginState.envId });
+        return loginState.envId;
+    }
     // 否则使用默认逻辑
     return envManager.getEnvId();
 }
@@ -23999,37 +24389,89 @@ function getCachedEnvId() {
  * 每次都实时获取最新的 token/secretId/secretKey
  */
 async function getCloudBaseManager(options = {}) {
-    const { requireEnvId = true, cloudBaseOptions, mcpServer } = options;
-    // 如果传入了 cloudBaseOptions，直接使用传入的配置
-    if (cloudBaseOptions) {
+    const { requireEnvId = true, cloudBaseOptions, authStrategy = 'fail_fast', } = options;
+    const hasDirectCredentials = !!(cloudBaseOptions?.secretId && cloudBaseOptions?.secretKey);
+    // 如果传入了完整凭据，优先使用显式 CloudBase 配置
+    if (cloudBaseOptions && hasDirectCredentials) {
+        let resolvedEnvId = cloudBaseOptions.envId;
+        if (requireEnvId && !resolvedEnvId) {
+            const envCandidates = await listAvailableEnvCandidates({ cloudBaseOptions });
+            if (envCandidates.length === 1) {
+                const singleEnvId = envCandidates[0].envId;
+                cloudBaseOptions.envId = singleEnvId;
+                resolvedEnvId = singleEnvId;
+                (0, logger_js_1.debug)('自动绑定唯一环境(显式配置):', { envId: singleEnvId });
+            }
+            else if (authStrategy === 'fail_fast') {
+                await throwEnvRequiredError({ cloudBaseOptions, envCandidates });
+            }
+            else {
+                (0, tool_result_js_1.throwToolPayloadError)({
+                    ok: false,
+                    code: "ENV_REQUIRED",
+                    message: "当前显式 CloudBase 凭据未绑定环境，请补充 envId 或先选择环境。",
+                    env_candidates: envCandidates,
+                    next_step: (0, tool_result_js_1.buildAuthNextStep)("set_env", {
+                        suggestedArgs: { action: "set_env" },
+                        requiredParams: ["envId"],
+                    }),
+                });
+            }
+        }
         (0, logger_js_1.debug)('使用传入的 CloudBase 配置');
-        return createCloudBaseManagerWithOptions(cloudBaseOptions);
+        return createCloudBaseManagerWithOptions({
+            ...cloudBaseOptions,
+            envId: resolvedEnvId,
+        });
     }
     try {
         // Get region from environment variable for auth URL
-        // Note: At this point, cloudBaseOptions is undefined (checked above), so only use env var
-        const region = process.env.TCB_REGION;
-        const loginState = await (0, auth_js_1.getLoginState)({ region });
+        const region = cloudBaseOptions?.region ?? process.env.TCB_REGION;
+        const loginState = authStrategy === 'ensure'
+            ? await (0, auth_js_1.getLoginState)({ region })
+            : await (0, auth_js_1.peekLoginState)();
+        if (!loginState) {
+            const authState = await (0, auth_js_1.getAuthProgressState)();
+            if (authState.status === 'PENDING') {
+                await throwPendingAuthError();
+            }
+            throwAuthRequiredError();
+        }
         const { envId: loginEnvId, secretId, secretKey, token } = loginState;
-        let finalEnvId;
+        let finalEnvId = cloudBaseOptions?.envId;
         if (requireEnvId) {
-            // Optimize: Check if envManager has cached envId first (fast path)
-            // If cached, use it directly; otherwise check loginEnvId before calling getEnvId()
-            // This avoids unnecessary async calls when we have a valid envId available
-            const cachedEnvId = envManager.getCachedEnvId();
-            if (cachedEnvId) {
-                (0, logger_js_1.debug)('使用 envManager 缓存的环境ID:', { cachedEnvId });
-                finalEnvId = cachedEnvId;
-            }
-            else if (loginEnvId) {
-                // If no cache but loginState has envId, use it to avoid triggering auto-setup
-                (0, logger_js_1.debug)('使用 loginState 中的环境ID:', { loginEnvId });
-                finalEnvId = loginEnvId;
-            }
-            else {
-                // Only call envManager.getEnvId() when neither cache nor loginState has envId
-                // This may trigger auto-setup flow (pass mcpServer for IDE detection)
-                finalEnvId = await envManager.getEnvId(mcpServer);
+            if (!finalEnvId) {
+                // Optimize: Check if envManager has cached envId first (fast path)
+                // If cached, use it directly; otherwise check loginEnvId before calling getEnvId()
+                // This avoids unnecessary async calls when we have a valid envId available
+                const cachedEnvId = envManager.getCachedEnvId() || process.env.CLOUDBASE_ENV_ID;
+                if (cachedEnvId) {
+                    (0, logger_js_1.debug)('使用 envManager 缓存的环境ID:', { cachedEnvId });
+                    finalEnvId = cachedEnvId;
+                }
+                else if (loginEnvId) {
+                    // If no cache but loginState has envId, use it directly
+                    (0, logger_js_1.debug)('使用 loginState 中的环境ID:', { loginEnvId });
+                    finalEnvId = loginEnvId;
+                }
+                else {
+                    if (authStrategy === 'fail_fast') {
+                        const envCandidates = await listAvailableEnvCandidates({ loginState });
+                        if (envCandidates.length === 1) {
+                            const singleEnvId = envCandidates[0].envId;
+                            await envManager.setEnvId(singleEnvId);
+                            finalEnvId = singleEnvId;
+                            (0, logger_js_1.debug)('自动绑定唯一环境:', { envId: singleEnvId });
+                        }
+                        else {
+                            await throwEnvRequiredError({ loginState, envCandidates });
+                        }
+                    }
+                    else {
+                        // ensure 模式下也保持非交互：单环境自动绑定，多环境返回 ENV_REQUIRED
+                        finalEnvId = await envManager.getEnvId();
+                    }
+                }
             }
         }
         // envId priority: envManager.cachedEnvId > envManager.getEnvId() > loginState.envId > undefined
@@ -24267,6 +24709,7 @@ async function _promptAndSetEnvironmentId(autoSelectSingle, options) {
         hasServerServer: !!server?.server,
         hasServerIde: !!server?.ide,
         ignoreEnvVars: options?.ignoreEnvVars,
+        authMode: options?.authMode,
         optionsKeys: options ? Object.keys(options).join(', ') : 'null',
     });
     if (!server) {
@@ -24283,6 +24726,9 @@ async function _promptAndSetEnvironmentId(autoSelectSingle, options) {
         fromCloudBaseLoginPage: options?.loginFromCloudBaseLoginPage,
         ignoreEnvVars: options?.ignoreEnvVars,
         region,
+        authMode: options?.authMode,
+        clientId: options?.clientId,
+        onDeviceCode: options?.onDeviceCode,
     });
     (0, logger_js_1.debug)("[interactive] Login state:", {
         hasLoginState: !!loginState,
@@ -33910,7 +34356,13 @@ async function getUinForTelemetry() {
         const loginState = await (0, auth_js_1.getLoginState)({ region });
         // Try to extract UIN from loginState
         // Note: actual field name may vary, adjust based on actual response
-        return loginState.uin || undefined;
+        if (loginState &&
+            typeof loginState === "object" &&
+            "uin" in loginState &&
+            typeof loginState.uin !== "undefined") {
+            return String(loginState.uin);
+        }
+        return undefined;
     }
     catch (err) {
         (0, logger_js_1.debug)('Failed to get UIN for telemetry', { error: err instanceof Error ? err.message : String(err) });
@@ -40675,6 +41127,61 @@ module.exports = (inputFunction, options = {}) => {
 };
 
 
+/***/ }),
+
+/***/ 9835:
+/***/ ((__unused_webpack_module, exports) => {
+
+"use strict";
+
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.ToolPayloadError = void 0;
+exports.buildJsonToolResult = buildJsonToolResult;
+exports.isToolPayloadError = isToolPayloadError;
+exports.toolPayloadErrorToResult = toolPayloadErrorToResult;
+exports.buildAuthNextStep = buildAuthNextStep;
+exports.throwToolPayloadError = throwToolPayloadError;
+function buildJsonToolResult(payload) {
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify(payload, null, 2),
+            },
+        ],
+    };
+}
+class ToolPayloadError extends Error {
+    payload;
+    constructor(payload) {
+        super(typeof payload.message === "string" ? payload.message : "Tool payload error");
+        this.name = "ToolPayloadError";
+        this.payload = payload;
+    }
+}
+exports.ToolPayloadError = ToolPayloadError;
+function isToolPayloadError(error) {
+    return error instanceof ToolPayloadError;
+}
+function toolPayloadErrorToResult(error) {
+    if (!isToolPayloadError(error)) {
+        return null;
+    }
+    return buildJsonToolResult(error.payload);
+}
+function buildAuthNextStep(action, options) {
+    return {
+        tool: "auth",
+        action,
+        required_params: options?.requiredParams,
+        suggested_args: options?.suggestedArgs ?? { action },
+    };
+}
+function throwToolPayloadError(payload) {
+    throw new ToolPayloadError(payload);
+}
+
+
 /***/ }),
 
 /***/ 9880:
@@ -83015,12 +83522,14 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.AuthSupevisor = exports.AuthSupervisor = void 0;
 const web_auth_1 = __webpack_require__(76097);
+const oauth_1 = __webpack_require__(92423);
 const common_1 = __webpack_require__(96711);
 const credential_1 = __webpack_require__(99795);
 const error_1 = __webpack_require__(64119);
 __exportStar(__webpack_require__(96711), exports);
 __exportStar(__webpack_require__(99795), exports);
 __exportStar(__webpack_require__(76097), exports);
+__exportStar(__webpack_require__(92423), exports);
 class AuthSupervisor {
     /**
      * 单例模式，全局缓存
@@ -83070,7 +83579,7 @@ class AuthSupervisor {
      */
     loginByWebAuth(options = {}) {
         return __awaiter(this, void 0, void 0, function* () {
-            const { getAuthUrl, throwError, noBrowser, callbackTimeout } = options;
+            const { getAuthUrl, throwError, noBrowser, callbackTimeout, flow = 'device', client_id, onDeviceCode, getOAuthEndpoint, silent } = options;
             if (this.cacheCredential && this.needCache && !this.isCacheExpire()) {
                 return this.cacheCredential;
             }
@@ -83078,12 +83587,19 @@ class AuthSupervisor {
             let credential = yield (0, credential_1.checkAndGetCredential)(this.requestConfig);
             if (credential)
                 return credential;
-            // 兼容临时秘钥
-            credential = yield (0, web_auth_1.getAuthTokenFromWeb)({
-                getAuthUrl,
-                noBrowser,
-                callbackTimeout
-            });
+            // 根据授权方式获取凭证
+            if (flow === 'web') {
+                credential = yield (0, web_auth_1.getAuthTokenFromWeb)({
+                    getAuthUrl,
+                    noBrowser,
+                    callbackTimeout,
+                    silent
+                });
+            }
+            else {
+                credential = yield (0, oauth_1.getAuthTokenByDeviceFlow)({ client_id, onDeviceCode, getOAuthEndpoint, getAuthUrl, silent });
+            }
+            credential = (0, common_1.resolveCredential)(credential);
             try {
                 yield (0, common_1.checkAuth)(credential, this.requestConfig);
             }
@@ -85007,7 +85523,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.getDataFromWeb = void 0;
+exports.getDataFromWeb = exports.openUrl = exports.isTruthyFlag = void 0;
 const open_1 = __importDefault(__webpack_require__(30353));
 const query_string_1 = __importDefault(__webpack_require__(86663));
 const http_1 = __importDefault(__webpack_require__(81630));
@@ -85054,6 +85570,7 @@ function isTruthyFlag(value) {
     }
     return ['1', 'true', 'yes', 'on'].includes(String(value).trim().toLowerCase());
 }
+exports.isTruthyFlag = isTruthyFlag;
 function isVSCodeEnvironment() {
     return Boolean(process.env.VSCODE_IPC_HOOK_CLI
         || process.env.VSCODE_PID
@@ -85109,19 +85626,23 @@ function openUrl(url) {
         }
     });
 }
+exports.openUrl = openUrl;
 // 从 Web 页面中获取数据
 function getDataFromWeb(getUrl, type, options = {}) {
-    var _a, _b;
+    var _a, _b, _c;
     return __awaiter(this, void 0, void 0, function* () {
         const { server, port } = yield createLocalServer();
         const noBrowser = (_a = options.noBrowser) !== null && _a !== void 0 ? _a : isTruthyFlag(process.env.TCB_NO_BROWSER);
         const callbackTimeout = (_b = options.callbackTimeout) !== null && _b !== void 0 ? _b : 180000;
+        const silent = (_c = options.silent) !== null && _c !== void 0 ? _c : false;
         if (!Number.isFinite(callbackTimeout) || callbackTimeout <= 0) {
             throw new error_1.CloudBaseError('callbackTimeout must be a positive number');
         }
         const url = getUrl(port);
-        console.log('\n\n若链接未自动打开，请手动复制至浏览器，或尝试其他登录方式:');
-        console.log(`\n${url}\n`);
+        if (!silent) {
+            console.log('\n\n若链接未自动打开，请手动复制至浏览器，或尝试其他登录方式:');
+            console.log(`\n${url}\n`);
+        }
         if (!noBrowser) {
             // 对 url 转码, 避免 wsl 无法正常打开地址
             // https://www.npmjs.com/package/open#url
@@ -86080,6 +86601,126 @@ class Profiler {
 module.exports = Profiler;
 
 
+/***/ }),
+
+/***/ 23670:
+/***/ ((module, __unused_webpack_exports, __webpack_require__) => {
+
+/* @flow */
+/*::
+
+type DotenvParseOptions = {
+  debug?: boolean
+}
+
+// keys and values from src
+type DotenvParseOutput = { [string]: string }
+
+type DotenvConfigOptions = {
+  path?: string, // path to .env file
+  encoding?: string, // encoding of .env file
+  debug?: string // turn on logging for debugging purposes
+}
+
+type DotenvConfigOutput = {
+  parsed?: DotenvParseOutput,
+  error?: Error
+}
+
+*/
+
+const fs = __webpack_require__(29021)
+const path = __webpack_require__(39902)
+
+function log (message /*: string */) {
+  console.log(`[dotenv][DEBUG] ${message}`)
+}
+
+const NEWLINE = '\n'
+const RE_INI_KEY_VAL = /^\s*([\w.-]+)\s*=\s*(.*)?\s*$/
+const RE_NEWLINES = /\\n/g
+const NEWLINES_MATCH = /\n|\r|\r\n/
+
+// Parses src into an Object
+function parse (src /*: string | Buffer */, options /*: ?DotenvParseOptions */) /*: DotenvParseOutput */ {
+  const debug = Boolean(options && options.debug)
+  const obj = {}
+
+  // convert Buffers before splitting into lines and processing
+  src.toString().split(NEWLINES_MATCH).forEach(function (line, idx) {
+    // matching "KEY' and 'VAL' in 'KEY=VAL'
+    const keyValueArr = line.match(RE_INI_KEY_VAL)
+    // matched?
+    if (keyValueArr != null) {
+      const key = keyValueArr[1]
+      // default undefined or missing values to empty string
+      let val = (keyValueArr[2] || '')
+      const end = val.length - 1
+      const isDoubleQuoted = val[0] === '"' && val[end] === '"'
+      const isSingleQuoted = val[0] === "'" && val[end] === "'"
+
+      // if single or double quoted, remove quotes
+      if (isSingleQuoted || isDoubleQuoted) {
+        val = val.substring(1, end)
+
+        // if double quoted, expand newlines
+        if (isDoubleQuoted) {
+          val = val.replace(RE_NEWLINES, NEWLINE)
+        }
+      } else {
+        // remove surrounding whitespace
+        val = val.trim()
+      }
+
+      obj[key] = val
+    } else if (debug) {
+      log(`did not match key and value when parsing line ${idx + 1}: ${line}`)
+    }
+  })
+
+  return obj
+}
+
+// Populates process.env from .env file
+function config (options /*: ?DotenvConfigOptions */) /*: DotenvConfigOutput */ {
+  let dotenvPath = path.resolve(process.cwd(), '.env')
+  let encoding /*: string */ = 'utf8'
+  let debug = false
+
+  if (options) {
+    if (options.path != null) {
+      dotenvPath = options.path
+    }
+    if (options.encoding != null) {
+      encoding = options.encoding
+    }
+    if (options.debug != null) {
+      debug = true
+    }
+  }
+
+  try {
+    // specifying an encoding returns a string instead of a buffer
+    const parsed = parse(fs.readFileSync(dotenvPath, { encoding }), { debug })
+
+    Object.keys(parsed).forEach(function (key) {
+      if (!Object.prototype.hasOwnProperty.call(process.env, key)) {
+        process.env[key] = parsed[key]
+      } else if (debug) {
+        log(`"${key}" is already defined in \`process.env\` and will not be overwritten`)
+      }
+    })
+
+    return { parsed }
+  } catch (e) {
+    return { error: e }
+  }
+}
+
+module.exports.config = config
+module.exports.parse = parse
+
+
 /***/ }),
 
 /***/ 23697:
@@ -89404,7 +90045,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.TRIGGER_CONFIG_EXAMPLES = exports.SUPPORTED_TRIGGER_TYPES = exports.DEFAULT_NODEJS_RUNTIME = exports.SUPPORTED_NODEJS_RUNTIMES = void 0;
+exports.WRITE_FUNCTION_LAYER_ACTIONS = exports.READ_FUNCTION_LAYER_ACTIONS = exports.TRIGGER_CONFIG_EXAMPLES = exports.SUPPORTED_TRIGGER_TYPES = exports.DEFAULT_NODEJS_RUNTIME = exports.SUPPORTED_NODEJS_RUNTIMES = void 0;
 exports.registerFunctionTools = registerFunctionTools;
 const zod_1 = __webpack_require__(21614);
 const cloudbase_manager_js_1 = __webpack_require__(3431);
@@ -89437,6 +90078,41 @@ exports.TRIGGER_CONFIG_EXAMPLES = {
         ],
     },
 };
+exports.READ_FUNCTION_LAYER_ACTIONS = [
+    "listLayers",
+    "listLayerVersions",
+    "getLayerVersion",
+    "getFunctionLayers",
+];
+exports.WRITE_FUNCTION_LAYER_ACTIONS = [
+    "createLayerVersion",
+    "deleteLayerVersion",
+    "attachLayer",
+    "detachLayer",
+    "updateFunctionLayers",
+];
+function jsonContent(body) {
+    return {
+        content: [
+            {
+                type: "text",
+                text: JSON.stringify(body, null, 2),
+            },
+        ],
+    };
+}
+function normalizeFunctionLayers(layers) {
+    if (!Array.isArray(layers)) {
+        return [];
+    }
+    return layers
+        .filter((layer) => Boolean(layer))
+        .map((layer) => ({
+        LayerName: String(layer.LayerName ?? ""),
+        LayerVersion: Number(layer.LayerVersion ?? 0),
+    }))
+        .filter((layer) => Boolean(layer.LayerName) && Number.isFinite(layer.LayerVersion));
+}
 /**
  * 处理函数根目录路径，确保不包含函数名
  * @param functionRootPath 用户输入的路径
@@ -89464,12 +90140,12 @@ function registerFunctionTools(server) {
     // getFunctionList - 获取云函数列表或详情(推荐)
     server.registerTool?.("getFunctionList", {
         title: "查询云函数列表或详情",
-        description: "获取云函数列表或单个函数详情。通过 action 参数区分操作类型：list=获取函数列表（默认，无需额外参数），detail=获取函数详情（需要提供 name 参数指定函数名称）",
+        description: "获取云函数列表或单个函数详情。通过 action 参数区分操作类型：list=获取函数列表（默认，无需额外参数），detail=获取函数详情（需要提供 name 参数指定函数名称，返回结果中包含函数当前绑定的 Layers 信息）",
         inputSchema: {
             action: zod_1.z
                 .enum(["list", "detail"])
                 .optional()
-                .describe("操作类型：list=获取函数列表（默认，无需额外参数），detail=获取函数详情（需要提供 name 参数）"),
+                .describe("操作类型：list=获取函数列表（默认，无需额外参数），detail=获取函数详情（需要提供 name 参数，返回结果中包含当前绑定的 Layers）"),
             limit: zod_1.z.number().optional().describe("范围（list 操作时使用）"),
             offset: zod_1.z.number().optional().describe("偏移（list 操作时使用）"),
             name: zod_1.z
@@ -89983,6 +90659,379 @@ function registerFunctionTools(server) {
             throw new Error(`不支持的操作类型: ${action}`);
         }
     });
+    server.registerTool?.("readFunctionLayers", {
+        title: "查询云函数层信息",
+        description: "查询云函数层及函数层配置。通过 action 区分操作：listLayers=查询层列表，listLayerVersions=查询指定层的版本列表，getLayerVersion=查询层版本详情（含下载地址/元信息），getFunctionLayers=查询指定函数当前绑定的层。返回格式：JSON 包含 success、data（含 action 与对应结果字段）、message；data.layers 或 data.layerVersions 为数组，getFunctionLayers 的 data.layers 每项为 { LayerName, LayerVersion }。",
+        inputSchema: {
+            action: zod_1.z
+                .enum(exports.READ_FUNCTION_LAYER_ACTIONS)
+                .describe("操作类型：listLayers=查询层列表，listLayerVersions=查询指定层的版本列表，getLayerVersion=查询层版本详情，getFunctionLayers=查询指定函数当前绑定的层"),
+            name: zod_1.z
+                .string()
+                .optional()
+                .describe("层名称。listLayerVersions 和 getLayerVersion 操作时必填"),
+            version: zod_1.z
+                .number()
+                .optional()
+                .describe("层版本号。getLayerVersion 操作时必填"),
+            runtime: zod_1.z
+                .string()
+                .optional()
+                .describe("运行时筛选。listLayers 操作时可选"),
+            searchKey: zod_1.z
+                .string()
+                .optional()
+                .describe("层名称搜索关键字。listLayers 操作时可选"),
+            offset: zod_1.z.number().optional().describe("分页偏移。listLayers 操作时可选"),
+            limit: zod_1.z.number().optional().describe("分页数量。listLayers 操作时可选"),
+            functionName: zod_1.z
+                .string()
+                .optional()
+                .describe("函数名称。getFunctionLayers 操作时必填"),
+            codeSecret: zod_1.z
+                .string()
+                .optional()
+                .describe("代码保护密钥。getFunctionLayers 操作时可选"),
+        },
+        annotations: {
+            readOnlyHint: true,
+            openWorldHint: true,
+            category: "functions",
+        },
+    }, async ({ action, name, version, runtime, searchKey, offset, limit, functionName, codeSecret, }) => {
+        if (action === "listLayers") {
+            const cloudbase = await getManager();
+            const result = await cloudbase.functions.listLayers({
+                offset,
+                limit,
+                runtime,
+                searchKey,
+            });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    layers: result.Layers || [],
+                    totalCount: result.TotalCount || 0,
+                    requestId: result.RequestId,
+                },
+                message: `Successfully retrieved ${result.Layers?.length || 0} layer entries`,
+                nextActions: [
+                    { tool: "readFunctionLayers", action: "listLayerVersions", reason: "List versions of a layer" },
+                    { tool: "writeFunctionLayers", action: "createLayerVersion", reason: "Create a new layer version" },
+                ],
+            });
+        }
+        if (action === "listLayerVersions") {
+            if (!name) {
+                throw new Error("查询层版本列表时，name 参数是必需的");
+            }
+            const cloudbase = await getManager();
+            const result = await cloudbase.functions.listLayerVersions({ name });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    name,
+                    layerVersions: result.LayerVersions || [],
+                    requestId: result.RequestId,
+                },
+                message: `Successfully retrieved ${result.LayerVersions?.length || 0} versions for layer '${name}'`,
+                nextActions: [
+                    { tool: "readFunctionLayers", action: "getLayerVersion", reason: "Get version details and download info" },
+                    { tool: "writeFunctionLayers", action: "attachLayer", reason: "Bind this layer to a function" },
+                ],
+            });
+        }
+        if (action === "getLayerVersion") {
+            if (!name) {
+                throw new Error("查询层版本详情时，name 参数是必需的");
+            }
+            if (typeof version !== "number") {
+                throw new Error("查询层版本详情时，version 参数是必需的");
+            }
+            const cloudbase = await getManager();
+            const result = await cloudbase.functions.getLayerVersion({
+                name,
+                version,
+            });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    name,
+                    version,
+                    layerVersion: result,
+                    downloadInfo: {
+                        location: result.Location,
+                        codeSha256: result.CodeSha256,
+                    },
+                    requestId: result.RequestId,
+                },
+                message: `Successfully retrieved details for layer '${name}' version ${version}`,
+                nextActions: [
+                    { tool: "writeFunctionLayers", action: "attachLayer", reason: "Bind this layer version to a function" },
+                    { tool: "writeFunctionLayers", action: "deleteLayerVersion", reason: "Delete this layer version" },
+                ],
+            });
+        }
+        if (!functionName) {
+            throw new Error("查询函数层配置时，functionName 参数是必需的");
+        }
+        const cloudbase = await getManager();
+        const result = await cloudbase.functions.getFunctionDetail(functionName, codeSecret);
+        (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+        const layers = normalizeFunctionLayers(result.Layers);
+        return jsonContent({
+            success: true,
+            data: {
+                action,
+                functionName,
+                layers,
+                count: layers.length,
+                requestId: result.RequestId,
+            },
+            message: `Successfully retrieved ${layers.length} bound layers for function '${functionName}'`,
+            nextActions: [
+                { tool: "writeFunctionLayers", action: "attachLayer", reason: "Add a layer to this function" },
+                { tool: "writeFunctionLayers", action: "detachLayer", reason: "Remove a layer from this function" },
+                { tool: "writeFunctionLayers", action: "updateFunctionLayers", reason: "Replace or reorder bound layers" },
+            ],
+        });
+    });
+    server.registerTool?.("writeFunctionLayers", {
+        title: "管理云函数层",
+        description: "管理云函数层和函数层绑定。通过 action 区分操作：createLayerVersion=创建层版本，deleteLayerVersion=删除层版本，attachLayer=给函数追加绑定层，detachLayer=解绑函数层，updateFunctionLayers=整体更新函数层数组以调整顺序或批量更新。返回格式：JSON 包含 success、data（含 action 与结果字段，如 layerVersion、layers）、message、nextActions（建议的后续操作）。",
+        inputSchema: {
+            action: zod_1.z
+                .enum(exports.WRITE_FUNCTION_LAYER_ACTIONS)
+                .describe("操作类型：createLayerVersion=创建层版本，deleteLayerVersion=删除层版本，attachLayer=追加绑定层，detachLayer=解绑层，updateFunctionLayers=整体更新函数层数组"),
+            name: zod_1.z
+                .string()
+                .optional()
+                .describe("层名称。createLayerVersion 和 deleteLayerVersion 操作时必填"),
+            version: zod_1.z
+                .number()
+                .optional()
+                .describe("层版本号。deleteLayerVersion 操作时必填"),
+            contentPath: zod_1.z
+                .string()
+                .optional()
+                .describe("层内容路径，可以是目录或 ZIP 文件路径。createLayerVersion 操作时与 base64Content 二选一"),
+            base64Content: zod_1.z
+                .string()
+                .optional()
+                .describe("层内容的 base64 编码。createLayerVersion 操作时与 contentPath 二选一"),
+            runtimes: zod_1.z
+                .array(zod_1.z.string())
+                .optional()
+                .describe("层适用的运行时列表。createLayerVersion 操作时必填"),
+            description: zod_1.z
+                .string()
+                .optional()
+                .describe("层版本描述。createLayerVersion 操作时可选"),
+            licenseInfo: zod_1.z
+                .string()
+                .optional()
+                .describe("许可证信息。createLayerVersion 操作时可选"),
+            functionName: zod_1.z
+                .string()
+                .optional()
+                .describe("函数名称。attachLayer、detachLayer、updateFunctionLayers 操作时必填"),
+            layerName: zod_1.z
+                .string()
+                .optional()
+                .describe("要绑定或解绑的层名称。attachLayer 和 detachLayer 操作时必填"),
+            layerVersion: zod_1.z
+                .number()
+                .optional()
+                .describe("要绑定或解绑的层版本号。attachLayer 和 detachLayer 操作时必填"),
+            layers: zod_1.z
+                .array(zod_1.z.object({
+                LayerName: zod_1.z.string().describe("层名称"),
+                LayerVersion: zod_1.z.number().describe("层版本号"),
+            }))
+                .optional()
+                .describe("目标函数层数组。updateFunctionLayers 操作时必填，顺序即最终顺序"),
+            codeSecret: zod_1.z
+                .string()
+                .optional()
+                .describe("代码保护密钥。attachLayer 和 detachLayer 操作时可选"),
+        },
+        annotations: {
+            readOnlyHint: false,
+            destructiveHint: true,
+            idempotentHint: false,
+            openWorldHint: true,
+            category: "functions",
+        },
+    }, async ({ action, name, version, contentPath, base64Content, runtimes, description, licenseInfo, functionName, layerName, layerVersion, layers, codeSecret, }) => {
+        if (action === "createLayerVersion") {
+            if (!name) {
+                throw new Error("创建层版本时，name 参数是必需的");
+            }
+            if (!runtimes || runtimes.length === 0) {
+                throw new Error("创建层版本时，runtimes 参数是必需的");
+            }
+            if (!contentPath && !base64Content) {
+                throw new Error("创建层版本时，contentPath 和 base64Content 至少需要提供一个");
+            }
+            const cloudbase = await getManager();
+            const result = await cloudbase.functions.createLayer({
+                name,
+                contentPath,
+                base64Content,
+                runtimes,
+                description,
+                licenseInfo,
+            });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    name,
+                    layerVersion: result.LayerVersion,
+                    requestId: result.RequestId,
+                },
+                message: `Successfully created a new version for layer '${name}'`,
+                nextActions: [
+                    { tool: "readFunctionLayers", action: "listLayerVersions", reason: "List all versions of this layer" },
+                    { tool: "writeFunctionLayers", action: "attachLayer", reason: "Bind this version to a function" },
+                ],
+            });
+        }
+        if (action === "deleteLayerVersion") {
+            if (!name) {
+                throw new Error("删除层版本时，name 参数是必需的");
+            }
+            if (typeof version !== "number") {
+                throw new Error("删除层版本时，version 参数是必需的");
+            }
+            const cloudbase = await getManager();
+            const result = await cloudbase.functions.deleteLayerVersion({
+                name,
+                version,
+            });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    name,
+                    version,
+                    requestId: result.RequestId,
+                },
+                message: `Successfully deleted layer '${name}' version ${version}`,
+                nextActions: [
+                    { tool: "readFunctionLayers", action: "listLayers", reason: "List remaining layers" },
+                ],
+            });
+        }
+        if (action === "attachLayer" ||
+            action === "detachLayer" ||
+            action === "updateFunctionLayers") {
+            if (!functionName) {
+                throw new Error(`${action} 操作时，functionName 参数是必需的`);
+            }
+        }
+        const envId = await (0, cloudbase_manager_js_1.getEnvId)(cloudBaseOptions);
+        const cloudbase = await getManager();
+        if (action === "attachLayer") {
+            if (!layerName) {
+                throw new Error("attachLayer 操作时，layerName 参数是必需的");
+            }
+            if (typeof layerVersion !== "number") {
+                throw new Error("attachLayer 操作时，layerVersion 参数是必需的");
+            }
+            const result = await cloudbase.functions.attachLayer({
+                envId,
+                functionName: functionName,
+                layerName,
+                layerVersion,
+                codeSecret,
+            });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            const detail = await cloudbase.functions.getFunctionDetail(functionName, codeSecret);
+            const boundLayers = normalizeFunctionLayers(detail.Layers);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    functionName,
+                    layers: boundLayers,
+                    requestId: result.RequestId,
+                },
+                message: `Successfully attached layer '${layerName}' version ${layerVersion} to function '${functionName}'`,
+                nextActions: [
+                    { tool: "readFunctionLayers", action: "getFunctionLayers", reason: "Verify bound layers" },
+                    { tool: "writeFunctionLayers", action: "detachLayer", reason: "Remove this layer from function" },
+                ],
+            });
+        }
+        if (action === "detachLayer") {
+            if (!layerName) {
+                throw new Error("detachLayer 操作时，layerName 参数是必需的");
+            }
+            if (typeof layerVersion !== "number") {
+                throw new Error("detachLayer 操作时，layerVersion 参数是必需的");
+            }
+            const result = await cloudbase.functions.unAttachLayer({
+                envId,
+                functionName: functionName,
+                layerName,
+                layerVersion,
+                codeSecret,
+            });
+            (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+            const detail = await cloudbase.functions.getFunctionDetail(functionName, codeSecret);
+            const boundLayers = normalizeFunctionLayers(detail.Layers);
+            return jsonContent({
+                success: true,
+                data: {
+                    action,
+                    functionName,
+                    layers: boundLayers,
+                    requestId: result.RequestId,
+                },
+                message: `Successfully detached layer '${layerName}' version ${layerVersion} from function '${functionName}'`,
+                nextActions: [
+                    { tool: "readFunctionLayers", action: "getFunctionLayers", reason: "Verify current bound layers" },
+                ],
+            });
+        }
+        if (!layers || layers.length === 0) {
+            throw new Error("updateFunctionLayers 操作时，layers 参数是必需的");
+        }
+        const normalizedLayers = normalizeFunctionLayers(layers);
+        if (normalizedLayers.length === 0) {
+            throw new Error("updateFunctionLayers 操作时，layers 参数必须包含有效的 LayerName 和 LayerVersion");
+        }
+        const result = await cloudbase.functions.updateFunctionLayer({
+            envId,
+            functionName: functionName,
+            layers: normalizedLayers,
+        });
+        (0, cloudbase_manager_js_1.logCloudBaseResult)(server.logger, result);
+        const detail = await cloudbase.functions.getFunctionDetail(functionName);
+        const boundLayers = normalizeFunctionLayers(detail.Layers);
+        return jsonContent({
+            success: true,
+            data: {
+                action,
+                functionName,
+                layers: boundLayers,
+                requestId: result.RequestId,
+            },
+            message: `Successfully updated bound layers for function '${functionName}'`,
+            nextActions: [
+                { tool: "readFunctionLayers", action: "getFunctionLayers", reason: "Verify updated layer order" },
+            ],
+        });
+    });
     // // Layer相关功能
     // // createLayer - 创建Layer
     // server.tool(
@@ -102898,6 +103947,7 @@ const security_rule_js_1 = __webpack_require__(7862);
 const cloud_mode_js_1 = __webpack_require__(89684);
 const logger_js_1 = __webpack_require__(13039);
 const tencet_cloud_js_1 = __webpack_require__(95018);
+const tool_result_js_1 = __webpack_require__(9835);
 const tool_wrapper_js_1 = __webpack_require__(71363);
 // 默认插件列表
 const DEFAULT_PLUGINS = [
@@ -103012,6 +104062,18 @@ async function createCloudBaseMcpServer(options) {
             ...(ide === "CodeBuddy" ? { logging: {} } : {}),
         },
     });
+    const originalRegisterTool = server.registerTool.bind(server);
+    server.registerTool = ((name, meta, handler) => originalRegisterTool(name, meta, async (args) => {
+        try {
+            return await handler(args);
+        }
+        catch (error) {
+            if ((0, tool_result_js_1.isToolPayloadError)(error)) {
+                return (0, tool_result_js_1.buildJsonToolResult)(error.payload);
+            }
+            throw error;
+        }
+    }));
     // Only set logging handler if logging capability is declared
     if (ide === "CodeBuddy") {
         server.server.setRequestHandler(types_js_1.SetLevelRequestSchema, (request, extra) => {
@@ -125906,6 +126968,30 @@ function registerCapiTools(server) {
             throw new Error(`Service ${service} is not allowed. Allowed services: ${ALLOWED_SERVICES.join(", ")}`);
         }
         const cloudbase = await getManager();
+        if (['1', 'true'].includes(process.env.CLOUDBASE_EVALUATE_MODE ?? '')) {
+            if (service === 'lowcode') {
+                throw new Error(`${service}/${action} Cloud API is not exposed or does not exist. Please use another API.`);
+            }
+            if (service === 'tcb') {
+                const tcbCapiForbidList = [
+                    // 未明确对外的云API
+                    'DescribeStorageACL', 'ModifyStorageACL', 'DescribeSecurityRule',
+                    // 要下线的云API
+                    "ListTables",
+                    "DescribeCloudBaseGWAPI",
+                    "DescribeCloudBaseGWService",
+                    "CreateCloudBaseGWAPI",
+                    "DeleteCloudBaseGWAPI",
+                    "ModifyCloudBaseGWAPI",
+                    "DeleteCloudBaseGWDomain",
+                    "BindCloudBaseGWDomain",
+                    "BindCloudBaseAccessDomain"
+                ];
+                if (tcbCapiForbidList.includes(action)) {
+                    throw new Error(`${service}/${action} Cloud API is not exposed or does not exist. Please use another API.`);
+                }
+            }
+        }
         const result = await cloudbase.commonService(service).call({
             Action: action,
             Param: params ?? {},
@@ -137511,7 +138597,7 @@ class TelemetryReporter {
         const nodeVersion = process.version; // Node.js版本
         const arch = os_1.default.arch(); // 系统架构
         // 从构建时注入的版本号获取MCP版本信息
-        const mcpVersion = process.env.npm_package_version || "2.12.1" || 0;
+        const mcpVersion = process.env.npm_package_version || "2.14.0" || 0;
         return {
             userAgent: `${osType} ${osRelease} ${arch} ${nodeVersion} CloudBase-MCP/${mcpVersion}`,
             deviceId: this.deviceId,
@@ -155623,7 +156709,7 @@ const fs_1 = __importDefault(__webpack_require__(29021));
 const lodash_1 = __importDefault(__webpack_require__(2543));
 const path_1 = __importDefault(__webpack_require__(39902));
 const yargs_1 = __importDefault(__webpack_require__(5945));
-const dotenv_1 = __importDefault(__webpack_require__(80998));
+const dotenv_1 = __importDefault(__webpack_require__(23670));
 exports.dotenv = dotenv_1.default;
 function readFile(target) {
     try {
@@ -189006,6 +190092,15 @@ async function registerRagTools(server) {
                 ],
             };
         }
+        // 向量检索模式下必须提供 id 和 content，避免后端报「知识库名称不能为空」
+        if (mode === "vector") {
+            if (!id) {
+                throw new Error("知识库名称不能为空: please provide `id` when mode=vector (cloudbase / scf / miniprogram).");
+            }
+            if (!content || !content.trim()) {
+                throw new Error("检索内容不能为空: please provide non-empty `content` when mode=vector.");
+            }
+        }
         // 枚举到后端 id 映射
         const backendId = KnowledgeBaseIdMap[id] || id;
         const signInRes = await fetch("https://tcb-advanced-a656fc.api.tcloudbasegateway.com/auth/v1/signin/anonymously", {
@@ -204163,6 +205258,7 @@ const cloudbase_manager_js_1 = __webpack_require__(3431);
 const cloud_mode_js_1 = __webpack_require__(89684);
 const logger_js_1 = __webpack_require__(13039);
 const telemetry_js_1 = __webpack_require__(45880);
+const tool_result_js_1 = __webpack_require__(9835);
 /**
  * 生成 GitHub Issue 创建链接
  * @param toolName 工具名称
@@ -204210,7 +205306,7 @@ ${envIdSection}
 ## 环境信息
 - 操作系统: ${os_1.default.type()} ${os_1.default.release()}
 - Node.js版本: ${process.version}
-- MCP 版本：${process.env.npm_package_version || "2.12.1" || 0}
+- MCP 版本：${process.env.npm_package_version || "2.14.0" || 0}
 - 系统架构: ${os_1.default.arch()}
 - 时间: ${new Date().toISOString()}
 - 请求ID: ${requestId}
@@ -204275,6 +205371,11 @@ function createWrappedHandler(name, handler, server) {
             if (!isTestEnvironment) {
                 server.logger?.({ type: 'errorToolCall', toolName: name, args: sanitizeArgs(args), message: errorMessage, duration: Date.now() - startTime });
             }
+            // Preserve structured tool guidance such as next_step.
+            // These errors are expected control flow and should be serialized by the outer server wrapper.
+            if ((0, tool_result_js_1.isToolPayloadError)(error)) {
+                throw error;
+            }
             // In tests, avoid any extra work that may block (envId lookup, issue link generation, etc.)
             if (isTestEnvironment) {
                 throw error instanceof Error ? error : new Error(String(error));
@@ -218094,16 +219195,16 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.getAuthTokenFromWeb = void 0;
+exports.getAuthTokenFromWeb = exports.CLI_AUTH_BASE_URL = void 0;
 const common_1 = __webpack_require__(96711);
 const coding_1 = __webpack_require__(40540);
 const web_1 = __webpack_require__(2240);
 const system_1 = __webpack_require__(62179);
-const CliAuthBaseUrl = 'https://tcb.cloud.tencent.com/dev';
+exports.CLI_AUTH_BASE_URL = 'https://tcb.cloud.tencent.com/dev';
 // 打开云开发控制台，获取授权
 function getAuthTokenFromWeb(options = {}) {
     return __awaiter(this, void 0, void 0, function* () {
-        const { getAuthUrl, noBrowser, callbackTimeout } = options;
+        const { getAuthUrl, noBrowser, callbackTimeout, silent } = options;
         const mac = yield (0, system_1.getMacAddress)();
         const os = (0, system_1.getOSInfo)();
         const macHash = (0, coding_1.md5Encoding)(mac);
@@ -218116,7 +219217,7 @@ function getAuthTokenFromWeb(options = {}) {
                 + '&from=cli';
             const encodedCallbackUrl = encodeURIComponent(callbackUrl);
             // 授权链接
-            const rawAuthUrl = `${CliAuthBaseUrl}?authCallbackUrl=${encodedCallbackUrl}#/cli-auth?${encodedQuery}`;
+            const rawAuthUrl = `${exports.CLI_AUTH_BASE_URL}?authCallbackUrl=${encodedCallbackUrl}#/cli-auth?${encodedQuery}`;
             let cliAuthUrl = rawAuthUrl;
             if (getAuthUrl) {
                 try {
@@ -218129,7 +219230,8 @@ function getAuthTokenFromWeb(options = {}) {
             return cliAuthUrl;
         }, 'login', {
             noBrowser,
-            callbackTimeout
+            callbackTimeout,
+            silent
         });
         const credential = (0, common_1.resolveCredential)(query);
         return credential;
@@ -218970,7 +220072,7 @@ function registerSetupTools(server) {
         title: "下载项目模板",
         description: `自动下载并部署CloudBase项目模板。⚠️ **MANDATORY FOR NEW PROJECTS** ⚠️
 
-**CRITICAL**: This tool MUST be called FIRST when starting a new project.\n\n支持的模板:\n- react: React + CloudBase 全栈应用模板\n- vue: Vue + CloudBase 全栈应用模板\n- miniprogram: 微信小程序 + 云开发模板  \n- uniapp: UniApp + CloudBase 跨端应用模板\n- rules: 只包含AI编辑器配置文件（包含Cursor、WindSurf、CodeBuddy等所有主流编辑器配置），适合在已有项目中补充AI编辑器配置\n\n支持的IDE类型:\n- all: 下载所有IDE配置\n- cursor: Cursor AI编辑器\n- 其他IDE类型见下方列表\n\n注意：如果未传入 ide 参数且无法从环境变量检测到 IDE，将提示错误并要求传入 ide 参数\n- windsurf: WindSurf AI编辑器\n- codebuddy: CodeBuddy AI编辑器\n- claude-code: Claude Code AI编辑器\n- cline: Cline AI编辑器\n- gemini-cli: Gemini CLI\n- opencode: OpenCode AI编辑器\n- qwen-code: 通义灵码\n- baidu-comate: 百度Comate\n- openai-codex-cli: OpenAI Codex CLI\n- augment-code: Augment Code\n- github-copilot: GitHub Copilot\n- roocode: RooCode AI编辑器\n- tongyi-lingma: 通义灵码\n- trae: Trae AI编辑器\n- qoder: Qoder AI编辑器\n- antigravity: Google Antigravity AI编辑器\n- vscode: Visual Studio Code\n- kiro: Kiro AI编辑器\n- aider: Aider AI编辑器\n\n特别说明：\n- rules 模板会自动包含当前 mcp 版本号信息（版本号：${ true ? "2.12.1" : 0}），便于后续维护和版本追踪\n- 下载 rules 模板时，如果项目中已存在 README.md 文件，系统会自动保护该文件不被覆盖（除非设置 overwrite=true）`,
+**CRITICAL**: This tool MUST be called FIRST when starting a new project.\n\n支持的模板:\n- react: React + CloudBase 全栈应用模板\n- vue: Vue + CloudBase 全栈应用模板\n- miniprogram: 微信小程序 + 云开发模板  \n- uniapp: UniApp + CloudBase 跨端应用模板\n- rules: 只包含AI编辑器配置文件（包含Cursor、WindSurf、CodeBuddy等所有主流编辑器配置），适合在已有项目中补充AI编辑器配置\n\n支持的IDE类型:\n- all: 下载所有IDE配置\n- cursor: Cursor AI编辑器\n- 其他IDE类型见下方列表\n\n注意：如果未传入 ide 参数且无法从环境变量检测到 IDE，将提示错误并要求传入 ide 参数\n- windsurf: WindSurf AI编辑器\n- codebuddy: CodeBuddy AI编辑器\n- claude-code: Claude Code AI编辑器\n- cline: Cline AI编辑器\n- gemini-cli: Gemini CLI\n- opencode: OpenCode AI编辑器\n- qwen-code: 通义灵码\n- baidu-comate: 百度Comate\n- openai-codex-cli: OpenAI Codex CLI\n- augment-code: Augment Code\n- github-copilot: GitHub Copilot\n- roocode: RooCode AI编辑器\n- tongyi-lingma: 通义灵码\n- trae: Trae AI编辑器\n- qoder: Qoder AI编辑器\n- antigravity: Google Antigravity AI编辑器\n- vscode: Visual Studio Code\n- kiro: Kiro AI编辑器\n- aider: Aider AI编辑器\n\n特别说明：\n- rules 模板会自动包含当前 mcp 版本号信息（版本号：${ true ? "2.14.0" : 0}），便于后续维护和版本追踪\n- 下载 rules 模板时，如果项目中已存在 README.md 文件，系统会自动保护该文件不被覆盖（除非设置 overwrite=true）`,
         inputSchema: {
             template: zod_1.z
                 .enum(["react", "vue", "miniprogram", "uniapp", "rules"])
@@ -220262,56 +221364,181 @@ module.exports.sync = path => {
 "use strict";
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.getAuthProgressStateSync = getAuthProgressStateSync;
+exports.getAuthProgressState = getAuthProgressState;
+exports.setPendingAuthProgressState = setPendingAuthProgressState;
+exports.resolveAuthProgressState = resolveAuthProgressState;
+exports.rejectAuthProgressState = rejectAuthProgressState;
+exports.resetAuthProgressState = resetAuthProgressState;
+exports.peekLoginState = peekLoginState;
+exports.ensureLogin = ensureLogin;
 exports.getLoginState = getLoginState;
 exports.logout = logout;
 const toolbox_1 = __webpack_require__(25901);
 const logger_js_1 = __webpack_require__(13039);
 const tencet_cloud_js_1 = __webpack_require__(95018);
-const auth = toolbox_1.AuthSupevisor.getInstance({});
-async function getLoginState(options) {
+const auth = toolbox_1.AuthSupervisor.getInstance({});
+const authProgressState = {
+    status: "IDLE",
+    updatedAt: Date.now(),
+};
+function updateAuthProgressState(partial) {
+    Object.assign(authProgressState, partial, {
+        updatedAt: Date.now(),
+    });
+    return getAuthProgressStateSync();
+}
+function normalizeLoginStateFromEnvVars(options) {
     const { TENCENTCLOUD_SECRETID, TENCENTCLOUD_SECRETKEY, TENCENTCLOUD_SESSIONTOKEN, } = process.env;
-    (0, logger_js_1.debug)("TENCENTCLOUD_SECRETID", { secretId: TENCENTCLOUD_SECRETID });
-    // If ignoreEnvVars is true (e.g., when switching account), skip environment variables
-    // and force Web authentication to allow account switching
     if (!options?.ignoreEnvVars && TENCENTCLOUD_SECRETID && TENCENTCLOUD_SECRETKEY) {
-        (0, logger_js_1.debug)("loginByApiSecret");
         return {
             secretId: TENCENTCLOUD_SECRETID,
             secretKey: TENCENTCLOUD_SECRETKEY,
             token: TENCENTCLOUD_SESSIONTOKEN,
+            envId: process.env.CLOUDBASE_ENV_ID,
         };
-        // await auth.loginByApiSecret(TENCENTCLOUD_SECRETID, TENCENTCLOUD_SECRETKEY, TENCENTCLOUD_SESSIONTOKEN)
     }
-    const loginState = await auth.getLoginState();
+    return null;
+}
+function mapAuthErrorStatus(error) {
+    const message = error instanceof Error ? error.message : String(error ?? "");
+    if (message.includes("拒绝") || message.includes("denied")) {
+        return "DENIED";
+    }
+    if (message.includes("过期") || message.includes("expired")) {
+        return "EXPIRED";
+    }
+    return "ERROR";
+}
+function getAuthProgressStateSync() {
+    return {
+        ...authProgressState,
+        authChallenge: authProgressState.authChallenge
+            ? { ...authProgressState.authChallenge }
+            : undefined,
+    };
+}
+async function getAuthProgressState() {
+    const loginState = await peekLoginState();
+    if (loginState && authProgressState.status === "PENDING") {
+        updateAuthProgressState({
+            status: "READY",
+            lastError: undefined,
+        });
+    }
+    if (authProgressState.status === "PENDING" &&
+        authProgressState.authChallenge?.expires_in) {
+        const issuedAt = authProgressState.updatedAt;
+        const expiresAt = issuedAt + authProgressState.authChallenge.expires_in * 1000;
+        if (Date.now() > expiresAt) {
+            updateAuthProgressState({
+                status: "EXPIRED",
+                lastError: "设备码已过期，请重新发起授权",
+            });
+        }
+    }
+    return getAuthProgressStateSync();
+}
+function setPendingAuthProgressState(challenge, authMode = "device") {
+    return updateAuthProgressState({
+        status: "PENDING",
+        authMode,
+        authChallenge: challenge,
+        lastError: undefined,
+    });
+}
+function resolveAuthProgressState() {
+    return updateAuthProgressState({
+        status: "READY",
+        lastError: undefined,
+    });
+}
+function rejectAuthProgressState(error) {
+    const message = error instanceof Error ? error.message : String(error ?? "unknown error");
+    return updateAuthProgressState({
+        status: mapAuthErrorStatus(error),
+        lastError: message,
+    });
+}
+function resetAuthProgressState() {
+    return updateAuthProgressState({
+        status: "IDLE",
+        authMode: undefined,
+        authChallenge: undefined,
+        lastError: undefined,
+    });
+}
+async function peekLoginState(options) {
+    const envVarLoginState = normalizeLoginStateFromEnvVars(options);
+    if (envVarLoginState) {
+        (0, logger_js_1.debug)("loginByApiSecret");
+        return envVarLoginState;
+    }
+    return auth.getLoginState();
+}
+async function ensureLogin(options) {
+    (0, logger_js_1.debug)("TENCENTCLOUD_SECRETID", { secretId: process.env.TENCENTCLOUD_SECRETID });
+    const loginState = await peekLoginState({
+        ignoreEnvVars: options?.ignoreEnvVars,
+    });
     if (!loginState) {
-        await auth.loginByWebAuth((options?.fromCloudBaseLoginPage && !(0, tencet_cloud_js_1.isInternationalRegion)(options?.region))
-            ? {
-                getAuthUrl: (url) => {
-                    // 国际站
-                    const separator = url.includes('?') ? '&' : '?';
-                    const urlWithParam = `${url}${separator}allowNoEnv=true`;
-                    return `https://tcb.cloud.tencent.com/login?_redirect_uri=${encodeURIComponent(urlWithParam)}`;
-                },
-            }
-            : {
-                getAuthUrl: (url) => {
-                    if ((0, tencet_cloud_js_1.isInternationalRegion)(options?.region)) {
-                        url = url.replace('cloud.tencent.com', 'tencentcloud.com');
+        const envMode = process.env.TCB_AUTH_MODE;
+        const normalizedEnvMode = envMode === "web" || envMode === "device" ? envMode : undefined;
+        const mode = options?.authMode || normalizedEnvMode || "device";
+        const loginOptions = { flow: mode };
+        if (mode === "web") {
+            loginOptions.getAuthUrl =
+                options?.fromCloudBaseLoginPage && !(0, tencet_cloud_js_1.isInternationalRegion)(options?.region)
+                    ? (url) => {
+                        const separator = url.includes("?") ? "&" : "?";
+                        const urlWithParam = `${url}${separator}allowNoEnv=true`;
+                        return `https://tcb.cloud.tencent.com/login?_redirect_uri=${encodeURIComponent(urlWithParam)}`;
                     }
-                    const separator = url.includes('?') ? '&' : '?';
-                    return `${url}${separator}allowNoEnv=true`;
-                },
-            });
-        const loginState = await auth.getLoginState();
-        (0, logger_js_1.debug)("loginByWebAuth", loginState);
+                    : (url) => {
+                        if ((0, tencet_cloud_js_1.isInternationalRegion)(options?.region)) {
+                            url = url.replace("cloud.tencent.com", "tencentcloud.com");
+                        }
+                        const separator = url.includes("?") ? "&" : "?";
+                        return `${url}${separator}allowNoEnv=true`;
+                    };
+        }
+        else {
+            if (options?.clientId) {
+                loginOptions.client_id = options.clientId;
+            }
+            if (options?.onDeviceCode) {
+                loginOptions.onDeviceCode = (info) => {
+                    setPendingAuthProgressState(info, mode);
+                    options.onDeviceCode?.(info);
+                };
+            }
+        }
+        (0, logger_js_1.debug)("beforeloginByWebAuth", { loginOptions });
+        try {
+            await auth.loginByWebAuth(loginOptions);
+            resolveAuthProgressState();
+        }
+        catch (error) {
+            rejectAuthProgressState(error);
+            throw error;
+        }
+        const loginState = await peekLoginState({
+            ignoreEnvVars: options?.ignoreEnvVars,
+        });
+        (0, logger_js_1.debug)("loginByWebAuth", { mode, hasLoginState: !!loginState });
         return loginState;
     }
     else {
+        resolveAuthProgressState();
         return loginState;
     }
 }
+async function getLoginState(options) {
+    return ensureLogin(options);
+}
 async function logout() {
     const result = await auth.logout();
+    resetAuthProgressState();
     return result;
 }
 
@@ -229844,126 +231071,6 @@ function onError(sender, err, cb) {
 }
 
 
-/***/ }),
-
-/***/ 80998:
-/***/ ((module, __unused_webpack_exports, __webpack_require__) => {
-
-/* @flow */
-/*::
-
-type DotenvParseOptions = {
-  debug?: boolean
-}
-
-// keys and values from src
-type DotenvParseOutput = { [string]: string }
-
-type DotenvConfigOptions = {
-  path?: string, // path to .env file
-  encoding?: string, // encoding of .env file
-  debug?: string // turn on logging for debugging purposes
-}
-
-type DotenvConfigOutput = {
-  parsed?: DotenvParseOutput,
-  error?: Error
-}
-
-*/
-
-const fs = __webpack_require__(29021)
-const path = __webpack_require__(39902)
-
-function log (message /*: string */) {
-  console.log(`[dotenv][DEBUG] ${message}`)
-}
-
-const NEWLINE = '\n'
-const RE_INI_KEY_VAL = /^\s*([\w.-]+)\s*=\s*(.*)?\s*$/
-const RE_NEWLINES = /\\n/g
-const NEWLINES_MATCH = /\n|\r|\r\n/
-
-// Parses src into an Object
-function parse (src /*: string | Buffer */, options /*: ?DotenvParseOptions */) /*: DotenvParseOutput */ {
-  const debug = Boolean(options && options.debug)
-  const obj = {}
-
-  // convert Buffers before splitting into lines and processing
-  src.toString().split(NEWLINES_MATCH).forEach(function (line, idx) {
-    // matching "KEY' and 'VAL' in 'KEY=VAL'
-    const keyValueArr = line.match(RE_INI_KEY_VAL)
-    // matched?
-    if (keyValueArr != null) {
-      const key = keyValueArr[1]
-      // default undefined or missing values to empty string
-      let val = (keyValueArr[2] || '')
-      const end = val.length - 1
-      const isDoubleQuoted = val[0] === '"' && val[end] === '"'
-      const isSingleQuoted = val[0] === "'" && val[end] === "'"
-
-      // if single or double quoted, remove quotes
-      if (isSingleQuoted || isDoubleQuoted) {
-        val = val.substring(1, end)
-
-        // if double quoted, expand newlines
-        if (isDoubleQuoted) {
-          val = val.replace(RE_NEWLINES, NEWLINE)
-        }
-      } else {
-        // remove surrounding whitespace
-        val = val.trim()
-      }
-
-      obj[key] = val
-    } else if (debug) {
-      log(`did not match key and value when parsing line ${idx + 1}: ${line}`)
-    }
-  })
-
-  return obj
-}
-
-// Populates process.env from .env file
-function config (options /*: ?DotenvConfigOptions */) /*: DotenvConfigOutput */ {
-  let dotenvPath = path.resolve(process.cwd(), '.env')
-  let encoding /*: string */ = 'utf8'
-  let debug = false
-
-  if (options) {
-    if (options.path != null) {
-      dotenvPath = options.path
-    }
-    if (options.encoding != null) {
-      encoding = options.encoding
-    }
-    if (options.debug != null) {
-      debug = true
-    }
-  }
-
-  try {
-    // specifying an encoding returns a string instead of a buffer
-    const parsed = parse(fs.readFileSync(dotenvPath, { encoding }), { debug })
-
-    Object.keys(parsed).forEach(function (key) {
-      if (!Object.prototype.hasOwnProperty.call(process.env, key)) {
-        process.env[key] = parsed[key]
-      } else if (debug) {
-        log(`"${key}" is already defined in \`process.env\` and will not be overwritten`)
-      }
-    })
-
-    return { parsed }
-  } catch (e) {
-    return { error: e }
-  }
-}
-
-module.exports.config = config
-module.exports.parse = parse
-
-
 /***/ }),
 
 /***/ 81115:
@@ -247309,8 +248416,7 @@ function shouldRegisterTool(toolName) {
     // Cloud-incompatible tools that involve local file operations
     const cloudIncompatibleTools = [
         // Auth tools - local file uploads
-        'login',
-        'logout',
+        'auth',
         // Storage tools - local file uploads
         'uploadFile',
         // Hosting tools - local file uploads  
@@ -259853,6 +260959,141 @@ async function getInteractiveServerSafe(mcpServer) {
 }
 
 
+/***/ }),
+
+/***/ 92423:
+/***/ (function(__unused_webpack_module, exports, __webpack_require__) {
+
+"use strict";
+
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.getAuthTokenByDeviceFlow = void 0;
+const net_1 = __webpack_require__(31153);
+const web_1 = __webpack_require__(2240);
+const error_1 = __webpack_require__(64119);
+const coding_1 = __webpack_require__(40540);
+const system_1 = __webpack_require__(62179);
+const web_auth_1 = __webpack_require__(76097);
+/** 默认国内站 应用侧可通过 getOAuthEndpoint 覆写 */
+const OAUTH_ENDPOINT = process.env.TCB_OAUTH_ENDPOINT || 'https://tcb-api.cloud.tencent.com/qcloud-tcb/v1/oauth';
+const DEFAULT_CLIENT_ID = 'cloudbase-toolbox';
+const POLL_ERROR_CODES = {
+    AUTHORIZATION_PENDING: 'authorization_pending',
+    SLOW_DOWN: 'slow_down',
+    EXPIRED_TOKEN: 'expired_token',
+    ACCESS_DENIED: 'access_denied',
+};
+const SUCCESS_CODE = 'NORMAL';
+function fetchDeviceCode(options = {}) {
+    const { client_id = DEFAULT_CLIENT_ID, endpoint = OAUTH_ENDPOINT } = options;
+    return (0, net_1.postFetch)(`${endpoint}/device/code`, { client_id });
+}
+function fetchPollToken(options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { device_code, client_id = DEFAULT_CLIENT_ID, endpoint = OAUTH_ENDPOINT } = options;
+        const mac = yield (0, system_1.getMacAddress)();
+        return (0, net_1.postFetch)(`${endpoint}/token`, {
+            device_code,
+            client_id,
+            grant_type: 'urn:ietf:params:oauth:grant-type:device_code',
+            device_info: {
+                mac,
+                os: (0, system_1.getOSInfo)(),
+                hash: (0, coding_1.md5Encoding)(mac),
+            }
+        });
+    });
+}
+function sleep(ms) {
+    return new Promise((resolve) => {
+        setTimeout(resolve, ms);
+    });
+}
+function getAuthTokenByDeviceFlow(options = {}) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { client_id, onDeviceCode, getOAuthEndpoint, getAuthUrl, silent } = options;
+        const endpoint = getOAuthEndpoint ? getOAuthEndpoint(OAUTH_ENDPOINT) : OAUTH_ENDPOINT;
+        const deviceCodeResp = yield fetchDeviceCode({ client_id, endpoint });
+        if (deviceCodeResp.code !== SUCCESS_CODE) {
+            throw new error_1.CloudBaseError('Device Flow fetchDeviceCode failed', {
+                code: deviceCodeResp.code,
+                requestId: deviceCodeResp.reqId,
+            });
+        }
+        const { device_code, user_code, expires_in, interval } = deviceCodeResp.result;
+        // 暂时不消费 verification_uri，由客户端控制跳转
+        const defaultVerificationUri = `${web_auth_1.CLI_AUTH_BASE_URL}#/cli-auth`;
+        // from=cli 后续考虑改用 client_id，因为 toolbox 作为公共依赖，可能被不同 client 所引用
+        const rawVerificationUri = `${defaultVerificationUri}?user_code=${user_code}&from=cli&flow=device`;
+        const verification_uri = getAuthUrl ? getAuthUrl(rawVerificationUri) : rawVerificationUri;
+        if (!silent) {
+            // 打印授权信息，引导用户操作
+            console.log('\n\n若链接未自动打开，请手动复制至浏览器，或尝试其他登录方式:');
+            console.log(`\n${verification_uri}`);
+            console.log(`\n用户码: ${user_code}\n`);
+        }
+        // 尝试自动打开授权页面
+        yield (0, web_1.openUrl)(verification_uri);
+        if (onDeviceCode) {
+            onDeviceCode({ user_code, verification_uri, device_code, expires_in });
+        }
+        let pollInterval = interval;
+        const deadline = Date.now() + expires_in * 1000;
+        while (Date.now() < deadline) {
+            yield sleep(pollInterval * 1000);
+            let resp;
+            try {
+                resp = yield fetchPollToken({ device_code, interval: pollInterval, client_id, endpoint });
+            }
+            catch (e) {
+                throw new error_1.CloudBaseError('Device Flow 轮询请求失败', { original: e });
+            }
+            const { code, result } = resp;
+            // 服务端返回业务错误（result 中携带 error 字段）
+            if (result && 'error' in result) {
+                const { error, error_description } = result;
+                if (error === POLL_ERROR_CODES.AUTHORIZATION_PENDING) {
+                    continue;
+                }
+                if (error === POLL_ERROR_CODES.SLOW_DOWN) {
+                    pollInterval += 5;
+                    continue;
+                }
+                if (error === POLL_ERROR_CODES.EXPIRED_TOKEN) {
+                    throw new error_1.CloudBaseError('设备码已过期，请重新发起授权');
+                }
+                if (error === POLL_ERROR_CODES.ACCESS_DENIED) {
+                    throw new error_1.CloudBaseError('用户拒绝了授权请求');
+                }
+                throw new error_1.CloudBaseError(error_description || `Device Flow 授权失败，错误: ${error}`, {
+                    code: error,
+                    requestId: resp.reqId,
+                });
+            }
+            // 服务端返回成功的 Credential
+            if (code === SUCCESS_CODE && result) {
+                return result;
+            }
+            throw new error_1.CloudBaseError(`Device Flow 授权失败，错误码: ${code}`, {
+                code,
+                requestId: resp.reqId,
+            });
+        }
+        throw new error_1.CloudBaseError('授权超时，用户未在有效期内完成授权，请重试');
+    });
+}
+exports.getAuthTokenByDeviceFlow = getAuthTokenByDeviceFlow;
+
+
 /***/ }),
 
 /***/ 92472: