@corbat-tech/coco 2.25.7 → 2.25.9

package/dist/index.js

@@ -1,23 +1,23 @@
-import * as fs16 from 'fs/promises';
-import fs16__default, { readFile, access, readdir } from 'fs/promises';
-import * as path17 from 'path';
-import path17__default, { dirname, join, basename, resolve } from 'path';
-import { randomUUID } from 'crypto';
-import 'http';
-import { fileURLToPath } from 'url';
+import { Logger } from 'tslog';
 import * as fs4 from 'fs';
 import fs4__default, { readFileSync, constants } from 'fs';
+import * as path17 from 'path';
+import path17__default, { dirname, join, basename, resolve } from 'path';
+import * as fs16 from 'fs/promises';
+import fs16__default, { access, readFile, writeFile, mkdir, readdir } from 'fs/promises';
+import { randomUUID, randomBytes, createHash } from 'crypto';
+import * as http from 'http';
+import { fileURLToPath, URL as URL$1 } from 'url';
 import { z } from 'zod';
 import * as p4 from '@clack/prompts';
 import chalk5 from 'chalk';
-import { exec, execSync, execFile } from 'child_process';
+import { exec, execFile, execSync, spawn } from 'child_process';
 import { promisify } from 'util';
 import { homedir } from 'os';
 import JSON5 from 'json5';
 import { execa } from 'execa';
 import { parse } from '@typescript-eslint/typescript-estree';
 import { glob } from 'glob';
-import { Logger } from 'tslog';
 import Anthropic from '@anthropic-ai/sdk';
 import { jsonrepair } from 'jsonrepair';
 import OpenAI from 'openai';
@@ -198,6 +198,60 @@ var init_errors = __esm({
     };
   }
 });
+function levelToNumber(level) {
+  const levels = {
+    silly: 0,
+    trace: 1,
+    debug: 2,
+    info: 3,
+    warn: 4,
+    error: 5,
+    fatal: 6
+  };
+  return levels[level];
+}
+function createLogger(config = {}) {
+  const finalConfig = { ...DEFAULT_CONFIG, ...config };
+  const logger2 = new Logger({
+    name: finalConfig.name,
+    minLevel: levelToNumber(finalConfig.level),
+    prettyLogTemplate: finalConfig.prettyPrint ? "{{yyyy}}-{{mm}}-{{dd}} {{hh}}:{{MM}}:{{ss}} {{logLevelName}} [{{name}}] " : void 0,
+    prettyLogTimeZone: "local",
+    stylePrettyLogs: finalConfig.prettyPrint
+  });
+  if (finalConfig.logToFile && finalConfig.logDir) {
+    setupFileLogging(logger2, finalConfig.logDir, finalConfig.name);
+  }
+  return logger2;
+}
+function setupFileLogging(logger2, logDir, name) {
+  if (!fs4__default.existsSync(logDir)) {
+    fs4__default.mkdirSync(logDir, { recursive: true });
+  }
+  const logFile = path17__default.join(logDir, `${name}.log`);
+  logger2.attachTransport((logObj) => {
+    const line = JSON.stringify(logObj) + "\n";
+    fs4__default.appendFileSync(logFile, line);
+  });
+}
+function getLogger() {
+  if (!globalLogger) {
+    globalLogger = createLogger();
+  }
+  return globalLogger;
+}
+var DEFAULT_CONFIG, globalLogger;
+var init_logger = __esm({
+  "src/utils/logger.ts"() {
+    DEFAULT_CONFIG = {
+      name: "coco",
+      level: "info",
+      prettyPrint: true,
+      logToFile: false
+    };
+    globalLogger = null;
+  }
+});
 async function refreshAccessToken(provider, refreshToken) {
   const config = OAUTH_CONFIGS[provider];
   if (!config) {
@@ -309,8 +363,276 @@ var init_pkce = __esm({
   "src/auth/pkce.ts"() {
   }
 });
+function escapeHtml(unsafe) {
+  return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
+}
+async function createCallbackServer(expectedState, timeout = 5 * 60 * 1e3, port = OAUTH_CALLBACK_PORT) {
+  let resolveResult;
+  let rejectResult;
+  const resultPromise = new Promise((resolve3, reject) => {
+    resolveResult = resolve3;
+    rejectResult = reject;
+  });
+  const server = http.createServer((req, res) => {
+    console.log(`   [OAuth] ${req.method} ${req.url?.split("?")[0]}`);
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "*");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    if (!req.url?.startsWith("/auth/callback")) {
+      res.writeHead(404);
+      res.end("Not Found");
+      return;
+    }
+    try {
+      const url = new URL$1(req.url, `http://localhost`);
+      const code = url.searchParams.get("code");
+      const state = url.searchParams.get("state");
+      const error = url.searchParams.get("error");
+      const errorDescription = url.searchParams.get("error_description");
+      if (error) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML(errorDescription || error));
+        server.close();
+        rejectResult(new Error(errorDescription || error));
+        return;
+      }
+      if (!code || !state) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML("Missing authorization code or state"));
+        server.close();
+        rejectResult(new Error("Missing authorization code or state"));
+        return;
+      }
+      if (state !== expectedState) {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML("State mismatch - possible CSRF attack"));
+        server.close();
+        rejectResult(new Error("State mismatch - possible CSRF attack"));
+        return;
+      }
+      res.writeHead(200, { "Content-Type": "text/html" });
+      res.end(SUCCESS_HTML);
+      server.close();
+      resolveResult({ code, state });
+    } catch (err) {
+      res.writeHead(500, { "Content-Type": "text/html" });
+      res.end(ERROR_HTML(String(err)));
+      server.close();
+      rejectResult(err instanceof Error ? err : new Error(String(err)));
+    }
+  });
+  const actualPort = await new Promise((resolve3, reject) => {
+    const errorHandler = (err) => {
+      if (err.code === "EADDRINUSE") {
+        console.log(`   Port ${port} is in use, trying alternative port...`);
+        server.removeListener("error", errorHandler);
+        server.listen(0, () => {
+          const address = server.address();
+          if (typeof address === "object" && address) {
+            resolve3(address.port);
+          } else {
+            reject(new Error("Failed to get server port"));
+          }
+        });
+      } else {
+        reject(err);
+      }
+    };
+    server.on("error", errorHandler);
+    server.listen(port, () => {
+      server.removeListener("error", errorHandler);
+      const address = server.address();
+      if (typeof address === "object" && address) {
+        resolve3(address.port);
+      } else {
+        reject(new Error("Failed to get server port"));
+      }
+    });
+  });
+  const timeoutId = setTimeout(() => {
+    server.close();
+    rejectResult(new Error("Authentication timed out. Please try again."));
+  }, timeout);
+  server.on("close", () => {
+    clearTimeout(timeoutId);
+  });
+  return { port: actualPort, resultPromise };
+}
+var OAUTH_CALLBACK_PORT, SUCCESS_HTML, ERROR_HTML;
 var init_callback_server = __esm({
   "src/auth/callback-server.ts"() {
+    OAUTH_CALLBACK_PORT = 1455;
+    SUCCESS_HTML = `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Authentication Successful</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
+      background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .container {
+      background: white;
+      border-radius: 16px;
+      padding: 48px;
+      text-align: center;
+      box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25);
+      max-width: 400px;
+    }
+    .checkmark {
+      width: 80px;
+      height: 80px;
+      margin: 0 auto 24px;
+      background: linear-gradient(135deg, #10b981 0%, #059669 100%);
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .checkmark svg {
+      width: 40px;
+      height: 40px;
+      stroke: white;
+      stroke-width: 3;
+      fill: none;
+    }
+    h1 {
+      font-size: 24px;
+      font-weight: 600;
+      color: #1f2937;
+      margin-bottom: 12px;
+    }
+    p {
+      color: #6b7280;
+      font-size: 16px;
+      line-height: 1.5;
+    }
+    .brand {
+      margin-top: 24px;
+      padding-top: 24px;
+      border-top: 1px solid #e5e7eb;
+      color: #9ca3af;
+      font-size: 14px;
+    }
+    .brand strong {
+      color: #667eea;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="checkmark">
+      <svg viewBox="0 0 24 24">
+        <path d="M20 6L9 17l-5-5" stroke-linecap="round" stroke-linejoin="round"/>
+      </svg>
+    </div>
+    <h1>Authentication Successful!</h1>
+    <p>You can close this window and return to your terminal.</p>
+    <div class="brand">
+      Powered by <strong>Corbat-Coco</strong>
+    </div>
+  </div>
+  <script>
+    // Auto-close after 3 seconds
+    setTimeout(() => window.close(), 3000);
+  </script>
+</body>
+</html>
+`;
+    ERROR_HTML = (error) => {
+      const safeError = escapeHtml(error);
+      return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Authentication Failed</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Helvetica, Arial, sans-serif;
+      background: linear-gradient(135deg, #ef4444 0%, #dc2626 100%);
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .container {
+      background: white;
+      border-radius: 16px;
+      padding: 48px;
+      text-align: center;
+      box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25);
+      max-width: 400px;
+    }
+    .icon {
+      width: 80px;
+      height: 80px;
+      margin: 0 auto 24px;
+      background: linear-gradient(135deg, #ef4444 0%, #dc2626 100%);
+      border-radius: 50%;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+    .icon svg {
+      width: 40px;
+      height: 40px;
+      stroke: white;
+      stroke-width: 3;
+      fill: none;
+    }
+    h1 {
+      font-size: 24px;
+      font-weight: 600;
+      color: #1f2937;
+      margin-bottom: 12px;
+    }
+    p {
+      color: #6b7280;
+      font-size: 16px;
+      line-height: 1.5;
+    }
+    .error {
+      margin-top: 16px;
+      padding: 12px;
+      background: #fef2f2;
+      border-radius: 8px;
+      color: #dc2626;
+      font-family: monospace;
+      font-size: 14px;
+    }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <div class="icon">
+      <svg viewBox="0 0 24 24">
+        <path d="M18 6L6 18M6 6l12 12" stroke-linecap="round" stroke-linejoin="round"/>
+      </svg>
+    </div>
+    <h1>Authentication Failed</h1>
+    <p>Something went wrong. Please try again.</p>
+    <div class="error">${safeError}</div>
+  </div>
+</body>
+</html>
+`;
+    };
   }
 });
 function detectWSL() {
@@ -506,6 +828,33 @@ var init_auth = __esm({
     init_gcloud();
   }
 });
+
+// src/config/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  CocoConfigSchema: () => CocoConfigSchema,
+  GitHubConfigSchema: () => GitHubConfigSchema,
+  IntegrationsConfigSchema: () => IntegrationsConfigSchema,
+  MCPConfigSchema: () => MCPConfigSchema,
+  MCPServerConfigEntrySchema: () => MCPServerConfigEntrySchema,
+  PersistenceConfigSchema: () => PersistenceConfigSchema,
+  ProjectConfigSchema: () => ProjectConfigSchema2,
+  ProviderConfigSchema: () => ProviderConfigSchema,
+  QualityConfigSchema: () => QualityConfigSchema,
+  ShipConfigSchema: () => ShipConfigSchema,
+  SkillsConfigSchema: () => SkillsConfigSchema,
+  StackConfigSchema: () => StackConfigSchema,
+  ToolsConfigSchema: () => ToolsConfigSchema,
+  createDefaultConfigObject: () => createDefaultConfigObject,
+  validateConfig: () => validateConfig
+});
+function validateConfig(config) {
+  const result = CocoConfigSchema.safeParse(config);
+  if (result.success) {
+    return { success: true, data: result.data };
+  }
+  return { success: false, error: result.error };
+}
 function createDefaultConfigObject(projectName, language = "typescript") {
   return {
     project: {
@@ -721,7 +1070,7 @@ var init_schema = __esm({
     });
   }
 });
-var COCO_HOME, CONFIG_PATHS;
+var COCO_HOME, CONFIG_PATHS, LEGACY_PATHS;
 var init_paths = __esm({
   "src/config/paths.ts"() {
     COCO_HOME = join(homedir(), ".coco");
@@ -755,14 +1104,28 @@ var init_paths = __esm({
       /** MCP server registry: ~/.coco/mcp.json */
       mcpRegistry: join(COCO_HOME, "mcp.json")
     };
-    ({
+    LEGACY_PATHS = {
       /** Old config location */
       oldConfig: join(homedir(), ".config", "corbat-coco"),
       /** Old MCP config directory (pre-unification) */
       oldMcpDir: join(homedir(), ".config", "coco", "mcp")
-    });
+    };
   }
 });
+
+// src/config/loader.ts
+var loader_exports = {};
+__export(loader_exports, {
+  configExists: () => configExists,
+  createDefaultConfig: () => createDefaultConfig,
+  findAllConfigPaths: () => findAllConfigPaths,
+  findConfigPath: () => findConfigPath,
+  getConfigValue: () => getConfigValue,
+  loadConfig: () => loadConfig,
+  mergeWithDefaults: () => mergeWithDefaults,
+  saveConfig: () => saveConfig,
+  setConfigValue: () => setConfigValue
+});
 async function loadConfig(configPath) {
   let config = createDefaultConfig("my-project");
   const globalConfig = await loadConfigFile(CONFIG_PATHS.config, { strict: false });
@@ -858,6 +1221,45 @@ async function saveConfig(config, configPath, global = false) {
 function createDefaultConfig(projectName, language = "typescript") {
   return createDefaultConfigObject(projectName, language);
 }
+async function findConfigPath(cwd) {
+  const envPath = process.env["COCO_CONFIG_PATH"];
+  if (envPath) {
+    try {
+      await fs16__default.access(envPath);
+      return envPath;
+    } catch {
+    }
+  }
+  const basePath = cwd || process.cwd();
+  const projectConfigPath = path17__default.join(basePath, ".coco", "config.json");
+  try {
+    await fs16__default.access(projectConfigPath);
+    return projectConfigPath;
+  } catch {
+  }
+  try {
+    await fs16__default.access(CONFIG_PATHS.config);
+    return CONFIG_PATHS.config;
+  } catch {
+    return void 0;
+  }
+}
+async function findAllConfigPaths(cwd) {
+  const result = {};
+  try {
+    await fs16__default.access(CONFIG_PATHS.config);
+    result.global = CONFIG_PATHS.config;
+  } catch {
+  }
+  const basePath = cwd || process.cwd();
+  const projectConfigPath = path17__default.join(basePath, ".coco", "config.json");
+  try {
+    await fs16__default.access(projectConfigPath);
+    result.project = projectConfigPath;
+  } catch {
+  }
+  return result;
+}
 async function configExists(configPath, scope = "any") {
   if (configPath) {
     try {
@@ -885,6 +1287,45 @@ async function configExists(configPath, scope = "any") {
   }
   return false;
 }
+function getConfigValue(config, path42) {
+  const keys = path42.split(".");
+  let current = config;
+  for (const key of keys) {
+    if (current === null || current === void 0 || typeof current !== "object") {
+      return void 0;
+    }
+    current = current[key];
+  }
+  return current;
+}
+function setConfigValue(config, configPath, value) {
+  const keys = configPath.split(".");
+  const result = structuredClone(config);
+  let current = result;
+  for (let i = 0; i < keys.length - 1; i++) {
+    const key = keys[i];
+    if (!key) continue;
+    if (key === "__proto__" || key === "constructor" || key === "prototype") {
+      throw new Error(`Invalid config path: cannot set ${key}`);
+    }
+    if (!(key in current) || typeof current[key] !== "object") {
+      current[key] = {};
+    }
+    current = current[key];
+  }
+  const lastKey = keys[keys.length - 1];
+  if (lastKey) {
+    if (lastKey === "__proto__" || lastKey === "constructor" || lastKey === "prototype") {
+      throw new Error(`Invalid config path: cannot set ${lastKey}`);
+    }
+    current[lastKey] = value;
+  }
+  return result;
+}
+function mergeWithDefaults(partial, projectName) {
+  const defaults = createDefaultConfig(projectName);
+  return deepMergeConfig(defaults, partial);
+}
 var init_loader = __esm({
   "src/config/loader.ts"() {
     init_schema();
@@ -1007,7 +1448,7 @@ function getDefaultModel(provider) {
     case "codex":
       return process.env["CODEX_MODEL"] ?? "codex-mini-latest";
     case "copilot":
-      return process.env["COPILOT_MODEL"] ?? "gpt-4o-copilot";
+      return process.env["COPILOT_MODEL"] ?? "claude-sonnet-4.6";
     case "groq":
       return process.env["GROQ_MODEL"] ?? "llama-3.3-70b-versatile";
     case "openrouter":
@@ -1203,123 +1644,553 @@ var init_heartbeat = __esm({
   }
 });
 
-// src/cli/repl/allow-path-prompt.ts
-var allow_path_prompt_exports = {};
-__export(allow_path_prompt_exports, {
-  promptAllowPath: () => promptAllowPath
-});
-async function promptAllowPath(dirPath) {
-  const absolute = path17__default.resolve(dirPath);
-  console.log();
-  console.log(chalk5.yellow("  \u26A0 Access denied \u2014 path is outside the project directory"));
-  console.log(chalk5.dim(`  \u{1F4C1} ${absolute}`));
-  console.log();
-  const action = await p4.select({
-    message: "Grant access to this directory?",
-    options: [
-      { value: "session-write", label: "\u2713 Allow write (this session)" },
-      { value: "session-read", label: "\u25D0 Allow read-only (this session)" },
-      { value: "persist-write", label: "\u26A1 Allow write (remember for this project)" },
-      { value: "persist-read", label: "\u{1F4BE} Allow read-only (remember for this project)" },
-      { value: "no", label: "\u2717 Deny" }
-    ]
-  });
-  if (p4.isCancel(action) || action === "no") {
-    return false;
+// src/mcp/types.ts
+var init_types = __esm({
+  "src/mcp/types.ts"() {
   }
-  const level = action.includes("read") ? "read" : "write";
-  const persist = action.startsWith("persist");
-  addAllowedPathToSession(absolute, level);
-  if (persist) {
-    await persistAllowedPath(absolute, level);
+});
+
+// src/mcp/errors.ts
+var MCPError, MCPTransportError, MCPConnectionError, MCPTimeoutError;
+var init_errors2 = __esm({
+  "src/mcp/errors.ts"() {
+    init_types();
+    MCPError = class extends Error {
+      code;
+      constructor(code, message) {
+        super(message);
+        this.name = "MCPError";
+        this.code = code;
+      }
+    };
+    MCPTransportError = class extends MCPError {
+      constructor(message) {
+        super(-32001 /* TRANSPORT_ERROR */, message);
+        this.name = "MCPTransportError";
+      }
+    };
+    MCPConnectionError = class extends MCPError {
+      constructor(message) {
+        super(-32003 /* CONNECTION_ERROR */, message);
+        this.name = "MCPConnectionError";
+      }
+    };
+    MCPTimeoutError = class extends MCPError {
+      constructor(message = "Request timed out") {
+        super(-32002 /* TIMEOUT_ERROR */, message);
+        this.name = "MCPTimeoutError";
+      }
+    };
   }
-  const levelLabel = level === "write" ? "write" : "read-only";
-  const persistLabel = persist ? " (remembered)" : "";
-  console.log(chalk5.green(`  \u2713 Access granted: ${levelLabel}${persistLabel}`));
-  return true;
+});
+function getDefaultRegistryPath() {
+  return CONFIG_PATHS.mcpRegistry;
 }
-var init_allow_path_prompt = __esm({
-  "src/cli/repl/allow-path-prompt.ts"() {
-    init_allowed_paths();
+function validateServerConfig(config) {
+  if (!config || typeof config !== "object") {
+    throw new MCPError(-32602 /* INVALID_PARAMS */, "Server config must be an object");
   }
-});
-function findPackageJson() {
-  let dir = dirname(fileURLToPath(import.meta.url));
-  for (let i = 0; i < 10; i++) {
+  const cfg = config;
+  if (!cfg.name || typeof cfg.name !== "string") {
+    throw new MCPError(-32602 /* INVALID_PARAMS */, "Server name is required and must be a string");
+  }
+  if (cfg.name.length < 1 || cfg.name.length > 64) {
+    throw new MCPError(
+      -32602 /* INVALID_PARAMS */,
+      "Server name must be between 1 and 64 characters"
+    );
+  }
+  if (!/^[a-zA-Z0-9_-]+$/.test(cfg.name)) {
+    throw new MCPError(
+      -32602 /* INVALID_PARAMS */,
+      "Server name must contain only letters, numbers, underscores, and hyphens"
+    );
+  }
+  if (!cfg.transport || cfg.transport !== "stdio" && cfg.transport !== "http") {
+    throw new MCPError(-32602 /* INVALID_PARAMS */, 'Transport must be "stdio" or "http"');
+  }
+  if (cfg.transport === "stdio") {
+    if (!cfg.stdio || typeof cfg.stdio !== "object") {
+      throw new MCPError(
+        -32602 /* INVALID_PARAMS */,
+        "stdio transport requires stdio configuration"
+      );
+    }
+    const stdio = cfg.stdio;
+    if (!stdio.command || typeof stdio.command !== "string") {
+      throw new MCPError(-32602 /* INVALID_PARAMS */, "stdio.command is required");
+    }
+  }
+  if (cfg.transport === "http") {
+    if (!cfg.http || typeof cfg.http !== "object") {
+      throw new MCPError(-32602 /* INVALID_PARAMS */, "http transport requires http configuration");
+    }
+    const http2 = cfg.http;
+    if (!http2.url || typeof http2.url !== "string") {
+      throw new MCPError(-32602 /* INVALID_PARAMS */, "http.url is required");
+    }
     try {
-      const content = readFileSync(join(dir, "package.json"), "utf-8");
-      const pkg = JSON.parse(content);
-      if (pkg.name === "@corbat-tech/coco") return pkg;
+      new URL(http2.url);
     } catch {
+      throw new MCPError(-32602 /* INVALID_PARAMS */, "http.url must be a valid URL");
     }
-    dir = dirname(dir);
   }
-  return { version: "0.0.0" };
 }
-var VERSION = findPackageJson().version;
-
-// src/phases/converge/prompts.ts
-var DISCOVERY_SYSTEM_PROMPT = `You are a senior software architect and requirements analyst. Your role is to help gather and clarify requirements for software projects.
-
-Your goals:
-1. Understand what the user wants to build
-2. Extract clear, actionable requirements
-3. Identify ambiguities and ask clarifying questions
-4. Make reasonable assumptions when appropriate
-5. Recommend technology choices when needed
-
-Guidelines:
-- Be thorough but not overwhelming
-- Ask focused, specific questions
-- Group related questions together
-- Prioritize questions by importance
-- Make assumptions for minor details
-- Always explain your reasoning
-
-You communicate in a professional but friendly manner. You use concrete examples to clarify abstract requirements.`;
-var INITIAL_ANALYSIS_PROMPT = `Analyze the following project description and extract:
-
-1. **Project Type**: What kind of software is this? (CLI, API, web app, library, service, etc.)
-2. **Complexity**: How complex is this project? (simple, moderate, complex, enterprise)
-3. **Completeness**: How complete is the description? (0-100%)
-4. **Functional Requirements**: What should the system do?
-5. **Non-Functional Requirements**: Performance, security, scalability needs
-6. **Technical Constraints**: Any specified technologies or limitations
-7. **Assumptions**: What must we assume to proceed?
-8. **Critical Questions**: What must be clarified before proceeding?
-9. **Technology Recommendations**: What tech stack would you recommend?
-
-User's project description:
----
-{{userInput}}
----
-
-Respond in JSON format:
-{
-  "projectType": "string",
-  "complexity": "simple|moderate|complex|enterprise",
-  "completeness": number,
-  "requirements": [
-    {
-      "category": "functional|non_functional|technical|constraint",
-      "priority": "must_have|should_have|could_have|wont_have",
-      "title": "string",
-      "description": "string",
-      "explicit": boolean,
-      "acceptanceCriteria": ["string"]
-    }
-  ],
-  "assumptions": [
-    {
-      "category": "string",
-      "statement": "string",
-      "confidence": "high|medium|low",
-      "impactIfWrong": "string"
+function parseRegistry(json2) {
+  try {
+    const parsed = JSON.parse(json2);
+    if (!parsed.servers || !Array.isArray(parsed.servers)) {
+      return [];
     }
-  ],
-  "questions": [
-    {
-      "category": "clarification|expansion|decision|confirmation|scope|priority",
+    return parsed.servers;
+  } catch {
+    return [];
+  }
+}
+function serializeRegistry(servers) {
+  return JSON.stringify({ servers, version: "1.0" }, null, 2);
+}
+async function migrateMCPData(opts) {
+  const oldDir = LEGACY_PATHS.oldMcpDir;
+  const newRegistry = CONFIG_PATHS.mcpRegistry;
+  const newConfig = CONFIG_PATHS.config;
+  try {
+    await migrateRegistry(oldDir, newRegistry);
+    await migrateGlobalConfig(oldDir, newConfig);
+  } catch (error) {
+    getLogger().warn(
+      `[MCP] Migration failed unexpectedly: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function migrateRegistry(oldDir, newRegistry) {
+  const oldFile = join(oldDir, "registry.json");
+  if (await fileExists3(newRegistry)) return;
+  if (!await fileExists3(oldFile)) return;
+  try {
+    const content = await readFile(oldFile, "utf-8");
+    const servers = parseRegistry(content);
+    await mkdir(dirname(newRegistry), { recursive: true });
+    await writeFile(newRegistry, serializeRegistry(servers), "utf-8");
+    getLogger().info(
+      `[MCP] Migrated registry from ${oldFile} to ${newRegistry}. The old file can be safely deleted.`
+    );
+  } catch (error) {
+    getLogger().warn(
+      `[MCP] Could not migrate registry: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function migrateGlobalConfig(oldDir, newConfigPath) {
+  const oldFile = join(oldDir, "config.json");
+  if (!await fileExists3(oldFile)) return;
+  try {
+    const oldContent = await readFile(oldFile, "utf-8");
+    const oldMcpConfig = JSON.parse(oldContent);
+    let cocoConfig = {};
+    if (await fileExists3(newConfigPath)) {
+      const existing = await readFile(newConfigPath, "utf-8");
+      cocoConfig = JSON.parse(existing);
+    }
+    const existingMcp = cocoConfig.mcp ?? {};
+    const fieldsToMigrate = ["defaultTimeout", "autoDiscover", "logLevel", "customServersPath"];
+    let didMerge = false;
+    for (const field of fieldsToMigrate) {
+      if (oldMcpConfig[field] !== void 0 && existingMcp[field] === void 0) {
+        existingMcp[field] = oldMcpConfig[field];
+        didMerge = true;
+      }
+    }
+    if (!didMerge) return;
+    cocoConfig.mcp = existingMcp;
+    await mkdir(dirname(newConfigPath), { recursive: true });
+    await writeFile(newConfigPath, JSON.stringify(cocoConfig, null, 2), "utf-8");
+    getLogger().info(`[MCP] Migrated global MCP settings from ${oldFile} into ${newConfigPath}.`);
+  } catch (error) {
+    getLogger().warn(
+      `[MCP] Could not migrate global MCP config: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+}
+async function fileExists3(path42) {
+  try {
+    await access(path42);
+    return true;
+  } catch {
+    return false;
+  }
+}
+var init_config = __esm({
+  "src/mcp/config.ts"() {
+    init_paths();
+    init_types();
+    init_errors2();
+    init_logger();
+  }
+});
+
+// src/mcp/config-loader.ts
+var config_loader_exports = {};
+__export(config_loader_exports, {
+  loadMCPConfigFile: () => loadMCPConfigFile,
+  loadMCPServersFromCOCOConfig: () => loadMCPServersFromCOCOConfig,
+  loadProjectMCPFile: () => loadProjectMCPFile,
+  mergeMCPConfigs: () => mergeMCPConfigs
+});
+function expandEnvVar(value) {
+  return value.replace(/\$\{([^}]+)\}/g, (match, name) => process.env[name] ?? match);
+}
+function expandEnvObject(env2) {
+  const result = {};
+  for (const [k, v] of Object.entries(env2)) {
+    result[k] = expandEnvVar(v);
+  }
+  return result;
+}
+function expandHeaders(headers) {
+  const result = {};
+  for (const [k, v] of Object.entries(headers)) {
+    result[k] = expandEnvVar(v);
+  }
+  return result;
+}
+function convertStandardEntry(name, entry) {
+  if (entry.command) {
+    return {
+      name,
+      transport: "stdio",
+      enabled: entry.enabled ?? true,
+      stdio: {
+        command: entry.command,
+        args: entry.args,
+        env: entry.env ? expandEnvObject(entry.env) : void 0
+      }
+    };
+  }
+  if (entry.url) {
+    const headers = entry.headers ? expandHeaders(entry.headers) : void 0;
+    const authHeader = headers?.["Authorization"] ?? headers?.["authorization"];
+    let auth;
+    if (authHeader) {
+      if (authHeader.startsWith("Bearer ")) {
+        auth = { type: "bearer", token: authHeader.slice(7) };
+      } else {
+        auth = { type: "apikey", token: authHeader };
+      }
+    }
+    return {
+      name,
+      transport: "http",
+      enabled: entry.enabled ?? true,
+      http: {
+        url: entry.url,
+        ...headers && Object.keys(headers).length > 0 ? { headers } : {},
+        ...auth ? { auth } : {}
+      }
+    };
+  }
+  throw new Error(`Server "${name}" must have either "command" (stdio) or "url" (http) defined`);
+}
+async function loadMCPConfigFile(configPath) {
+  try {
+    await access(configPath);
+  } catch {
+    throw new MCPError(-32003 /* CONNECTION_ERROR */, `Config file not found: ${configPath}`);
+  }
+  let content;
+  try {
+    content = await readFile(configPath, "utf-8");
+  } catch (error) {
+    throw new MCPError(
+      -32003 /* CONNECTION_ERROR */,
+      `Failed to read config file: ${error instanceof Error ? error.message : "Unknown error"}`
+    );
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    throw new MCPError(-32700 /* PARSE_ERROR */, "Invalid JSON in config file");
+  }
+  const obj = parsed;
+  if (obj.mcpServers && typeof obj.mcpServers === "object" && !Array.isArray(obj.mcpServers)) {
+    return loadStandardFormat(obj, configPath);
+  }
+  if (obj.servers && Array.isArray(obj.servers)) {
+    return loadCocoFormat(obj, configPath);
+  }
+  throw new MCPError(
+    -32602 /* INVALID_PARAMS */,
+    'Config file must have either a "mcpServers" object (standard) or a "servers" array (Coco format)'
+  );
+}
+function loadStandardFormat(config, configPath) {
+  const validServers = [];
+  const errors = [];
+  for (const [name, entry] of Object.entries(config.mcpServers)) {
+    if (name.startsWith("_")) continue;
+    try {
+      const converted = convertStandardEntry(name, entry);
+      validateServerConfig(converted);
+      validServers.push(converted);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      errors.push(`Server '${name}': ${message}`);
+    }
+  }
+  if (errors.length > 0) {
+    getLogger().warn(`[MCP] Some servers in ${configPath} failed to load: ${errors.join("; ")}`);
+  }
+  return validServers;
+}
+async function loadProjectMCPFile(projectPath) {
+  const mcpJsonPath = path17__default.join(projectPath, ".mcp.json");
+  try {
+    await access(mcpJsonPath);
+  } catch {
+    return [];
+  }
+  try {
+    return await loadMCPConfigFile(mcpJsonPath);
+  } catch (error) {
+    getLogger().warn(
+      `[MCP] Failed to load .mcp.json: ${error instanceof Error ? error.message : String(error)}`
+    );
+    return [];
+  }
+}
+function loadCocoFormat(config, configPath) {
+  const validServers = [];
+  const errors = [];
+  for (const server of config.servers) {
+    try {
+      const converted = convertCocoServerEntry(server);
+      validateServerConfig(converted);
+      validServers.push(converted);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      errors.push(`Server '${server.name || "unknown"}': ${message}`);
+    }
+  }
+  if (errors.length > 0) {
+    getLogger().warn(`[MCP] Some servers in ${configPath} failed to load: ${errors.join("; ")}`);
+  }
+  return validServers;
+}
+function convertCocoServerEntry(server) {
+  const base = {
+    name: server.name,
+    description: server.description,
+    transport: server.transport,
+    enabled: server.enabled ?? true,
+    metadata: server.metadata
+  };
+  if (server.transport === "stdio" && server.stdio) {
+    return {
+      ...base,
+      stdio: {
+        command: server.stdio.command,
+        args: server.stdio.args,
+        env: server.stdio.env ? expandEnvObject(server.stdio.env) : void 0,
+        cwd: server.stdio.cwd
+      }
+    };
+  }
+  if (server.transport === "http" && server.http) {
+    return {
+      ...base,
+      http: {
+        url: server.http.url,
+        ...server.http.headers ? { headers: expandHeaders(server.http.headers) } : {},
+        ...server.http.auth ? { auth: server.http.auth } : {},
+        ...server.http.timeout !== void 0 ? { timeout: server.http.timeout } : {}
+      }
+    };
+  }
+  throw new Error(`Missing configuration for transport: ${server.transport}`);
+}
+function mergeMCPConfigs(base, ...overrides) {
+  const merged = /* @__PURE__ */ new Map();
+  for (const server of base) {
+    merged.set(server.name, server);
+  }
+  for (const override of overrides) {
+    for (const server of override) {
+      const existing = merged.get(server.name);
+      if (existing) {
+        merged.set(server.name, { ...existing, ...server });
+      } else {
+        merged.set(server.name, server);
+      }
+    }
+  }
+  return Array.from(merged.values());
+}
+async function loadMCPServersFromCOCOConfig(configPath) {
+  const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_loader(), loader_exports));
+  const { MCPServerConfigEntrySchema: MCPServerConfigEntrySchema2 } = await Promise.resolve().then(() => (init_schema(), schema_exports));
+  const config = await loadConfig2(configPath);
+  if (!config.mcp?.servers || config.mcp.servers.length === 0) {
+    return [];
+  }
+  const servers = [];
+  for (const entry of config.mcp.servers) {
+    try {
+      const parsed = MCPServerConfigEntrySchema2.parse(entry);
+      const serverConfig = {
+        name: parsed.name,
+        description: parsed.description,
+        transport: parsed.transport,
+        enabled: parsed.enabled,
+        ...parsed.transport === "stdio" && parsed.command && {
+          stdio: {
+            command: parsed.command,
+            args: parsed.args,
+            env: parsed.env ? expandEnvObject(parsed.env) : void 0
+          }
+        },
+        ...parsed.transport === "http" && parsed.url && {
+          http: {
+            url: parsed.url,
+            auth: parsed.auth
+          }
+        }
+      };
+      validateServerConfig(serverConfig);
+      servers.push(serverConfig);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error";
+      getLogger().warn(`[MCP] Failed to load server '${entry.name}': ${message}`);
+    }
+  }
+  return servers;
+}
+var init_config_loader = __esm({
+  "src/mcp/config-loader.ts"() {
+    init_config();
+    init_types();
+    init_errors2();
+    init_logger();
+  }
+});
+
+// src/cli/repl/allow-path-prompt.ts
+var allow_path_prompt_exports = {};
+__export(allow_path_prompt_exports, {
+  promptAllowPath: () => promptAllowPath
+});
+async function promptAllowPath(dirPath) {
+  const absolute = path17__default.resolve(dirPath);
+  console.log();
+  console.log(chalk5.yellow("  \u26A0 Access denied \u2014 path is outside the project directory"));
+  console.log(chalk5.dim(`  \u{1F4C1} ${absolute}`));
+  console.log();
+  const action = await p4.select({
+    message: "Grant access to this directory?",
+    options: [
+      { value: "session-write", label: "\u2713 Allow write (this session)" },
+      { value: "session-read", label: "\u25D0 Allow read-only (this session)" },
+      { value: "persist-write", label: "\u26A1 Allow write (remember for this project)" },
+      { value: "persist-read", label: "\u{1F4BE} Allow read-only (remember for this project)" },
+      { value: "no", label: "\u2717 Deny" }
+    ]
+  });
+  if (p4.isCancel(action) || action === "no") {
+    return false;
+  }
+  const level = action.includes("read") ? "read" : "write";
+  const persist = action.startsWith("persist");
+  addAllowedPathToSession(absolute, level);
+  if (persist) {
+    await persistAllowedPath(absolute, level);
+  }
+  const levelLabel = level === "write" ? "write" : "read-only";
+  const persistLabel = persist ? " (remembered)" : "";
+  console.log(chalk5.green(`  \u2713 Access granted: ${levelLabel}${persistLabel}`));
+  return true;
+}
+var init_allow_path_prompt = __esm({
+  "src/cli/repl/allow-path-prompt.ts"() {
+    init_allowed_paths();
+  }
+});
+function findPackageJson() {
+  let dir = dirname(fileURLToPath(import.meta.url));
+  for (let i = 0; i < 10; i++) {
+    try {
+      const content = readFileSync(join(dir, "package.json"), "utf-8");
+      const pkg = JSON.parse(content);
+      if (pkg.name === "@corbat-tech/coco") return pkg;
+    } catch {
+    }
+    dir = dirname(dir);
+  }
+  return { version: "0.0.0" };
+}
+var VERSION = findPackageJson().version;
+
+// src/phases/converge/prompts.ts
+var DISCOVERY_SYSTEM_PROMPT = `You are a senior software architect and requirements analyst. Your role is to help gather and clarify requirements for software projects.
+
+Your goals:
+1. Understand what the user wants to build
+2. Extract clear, actionable requirements
+3. Identify ambiguities and ask clarifying questions
+4. Make reasonable assumptions when appropriate
+5. Recommend technology choices when needed
+
+Guidelines:
+- Be thorough but not overwhelming
+- Ask focused, specific questions
+- Group related questions together
+- Prioritize questions by importance
+- Make assumptions for minor details
+- Always explain your reasoning
+
+You communicate in a professional but friendly manner. You use concrete examples to clarify abstract requirements.`;
+var INITIAL_ANALYSIS_PROMPT = `Analyze the following project description and extract:
+
+1. **Project Type**: What kind of software is this? (CLI, API, web app, library, service, etc.)
+2. **Complexity**: How complex is this project? (simple, moderate, complex, enterprise)
+3. **Completeness**: How complete is the description? (0-100%)
+4. **Functional Requirements**: What should the system do?
+5. **Non-Functional Requirements**: Performance, security, scalability needs
+6. **Technical Constraints**: Any specified technologies or limitations
+7. **Assumptions**: What must we assume to proceed?
+8. **Critical Questions**: What must be clarified before proceeding?
+9. **Technology Recommendations**: What tech stack would you recommend?
+
+User's project description:
+---
+{{userInput}}
+---
+
+Respond in JSON format:
+{
+  "projectType": "string",
+  "complexity": "simple|moderate|complex|enterprise",
+  "completeness": number,
+  "requirements": [
+    {
+      "category": "functional|non_functional|technical|constraint",
+      "priority": "must_have|should_have|could_have|wont_have",
+      "title": "string",
+      "description": "string",
+      "explicit": boolean,
+      "acceptanceCriteria": ["string"]
+    }
+  ],
+  "assumptions": [
+    {
+      "category": "string",
+      "statement": "string",
+      "confidence": "high|medium|low",
+      "impactIfWrong": "string"
+    }
+  ],
+  "questions": [
+    {
+      "category": "clarification|expansion|decision|confirmation|scope|priority",
       "question": "string",
       "context": "string",
       "importance": "critical|important|helpful",
@@ -8666,16 +9537,16 @@ var QualityEvaluator = class {
    * Find source files in project, adapting to the detected language stack.
    */
   async findSourceFiles() {
-    const { access: access10 } = await import('fs/promises');
-    const { join: join18 } = await import('path');
+    const { access: access13 } = await import('fs/promises');
+    const { join: join19 } = await import('path');
     let isJava = false;
     try {
-      await access10(join18(this.projectPath, "pom.xml"));
+      await access13(join19(this.projectPath, "pom.xml"));
       isJava = true;
     } catch {
       for (const f of ["build.gradle", "build.gradle.kts"]) {
         try {
-          await access10(join18(this.projectPath, f));
+          await access13(join19(this.projectPath, f));
           isJava = true;
           break;
         } catch {
@@ -8976,55 +9847,9 @@ function buildFeedbackSection(feedback, issues) {
 
 // src/phases/complete/generator.ts
 init_errors();
-var DEFAULT_CONFIG = {
-  name: "coco",
-  level: "info",
-  prettyPrint: true,
-  logToFile: false
-};
-function levelToNumber(level) {
-  const levels = {
-    silly: 0,
-    trace: 1,
-    debug: 2,
-    info: 3,
-    warn: 4,
-    error: 5,
-    fatal: 6
-  };
-  return levels[level];
-}
-function createLogger(config = {}) {
-  const finalConfig = { ...DEFAULT_CONFIG, ...config };
-  const logger = new Logger({
-    name: finalConfig.name,
-    minLevel: levelToNumber(finalConfig.level),
-    prettyLogTemplate: finalConfig.prettyPrint ? "{{yyyy}}-{{mm}}-{{dd}} {{hh}}:{{MM}}:{{ss}} {{logLevelName}} [{{name}}] " : void 0,
-    prettyLogTimeZone: "local",
-    stylePrettyLogs: finalConfig.prettyPrint
-  });
-  if (finalConfig.logToFile && finalConfig.logDir) {
-    setupFileLogging(logger, finalConfig.logDir, finalConfig.name);
-  }
-  return logger;
-}
-function setupFileLogging(logger, logDir, name) {
-  if (!fs4__default.existsSync(logDir)) {
-    fs4__default.mkdirSync(logDir, { recursive: true });
-  }
-  const logFile = path17__default.join(logDir, `${name}.log`);
-  logger.attachTransport((logObj) => {
-    const line = JSON.stringify(logObj) + "\n";
-    fs4__default.appendFileSync(logFile, line);
-  });
-}
-var globalLogger = null;
-function getLogger() {
-  if (!globalLogger) {
-    globalLogger = createLogger();
-  }
-  return globalLogger;
-}
+
+// src/tools/registry.ts
+init_logger();
 
 // src/utils/error-humanizer.ts
 function extractQuotedPath(msg) {
@@ -9075,12 +9900,12 @@ function humanizeError(message, toolName) {
     return msg;
   }
   if (/ENOENT/i.test(msg)) {
-    const path40 = extractQuotedPath(msg);
-    return path40 ? `File or directory not found: ${path40}` : "File or directory not found";
+    const path42 = extractQuotedPath(msg);
+    return path42 ? `File or directory not found: ${path42}` : "File or directory not found";
   }
   if (/EACCES/i.test(msg)) {
-    const path40 = extractQuotedPath(msg);
-    return path40 ? `Permission denied: ${path40}` : "Permission denied \u2014 check file permissions";
+    const path42 = extractQuotedPath(msg);
+    return path42 ? `Permission denied: ${path42}` : "Permission denied \u2014 check file permissions";
   }
   if (/EISDIR/i.test(msg)) {
     return "Expected a file but found a directory at the specified path";
@@ -12536,6 +13361,7 @@ async function withRetry(fn, config = {}) {
 }
 
 // src/providers/anthropic.ts
+init_logger();
 var DEFAULT_MODEL = "claude-opus-4-6";
 var CONTEXT_WINDOWS = {
   // Kimi Code model (Anthropic-compatible endpoint)
@@ -15068,6 +15894,11 @@ var CONTEXT_WINDOWS4 = {
   "gemini-2.5-pro": 1048576
 };
 var DEFAULT_MODEL4 = "claude-sonnet-4.6";
+function normalizeModel(model) {
+  if (typeof model !== "string") return void 0;
+  const trimmed = model.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
 var COPILOT_HEADERS = {
   "Copilot-Integration-Id": "vscode-chat",
   "Editor-Version": "vscode/1.99.0",
@@ -15091,7 +15922,7 @@ var CopilotProvider = class extends OpenAIProvider {
   async initialize(config) {
     this.config = {
       ...config,
-      model: config.model ?? DEFAULT_MODEL4
+      model: normalizeModel(config.model) ?? DEFAULT_MODEL4
     };
     const tokenResult = await getValidCopilotToken();
     if (tokenResult) {
@@ -15977,12 +16808,17 @@ function createResilientProvider(provider, config) {
 init_copilot();
 init_errors();
 init_env();
+function normalizeProviderModel(model) {
+  if (typeof model !== "string") return void 0;
+  const trimmed = model.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
 async function createProvider(type, config = {}) {
   let provider;
   const mergedConfig = {
     apiKey: config.apiKey ?? getApiKey(type),
     baseUrl: config.baseUrl ?? getBaseUrl(type),
-    model: config.model ?? getDefaultModel(type),
+    model: normalizeProviderModel(config.model) ?? getDefaultModel(type),
     maxTokens: config.maxTokens,
     temperature: config.temperature,
     timeout: config.timeout
@@ -16171,9 +17007,9 @@ function createInitialState(config) {
 }
 async function loadExistingState(projectPath) {
   try {
-    const fs38 = await import('fs/promises');
+    const fs39 = await import('fs/promises');
     const statePath = `${projectPath}/.coco/state/project.json`;
-    const content = await fs38.readFile(statePath, "utf-8");
+    const content = await fs39.readFile(statePath, "utf-8");
     const data = JSON.parse(content);
     data.createdAt = new Date(data.createdAt);
     data.updatedAt = new Date(data.updatedAt);
@@ -16183,13 +17019,13 @@ async function loadExistingState(projectPath) {
   }
 }
 async function saveState(state) {
-  const fs38 = await import('fs/promises');
+  const fs39 = await import('fs/promises');
   const statePath = `${state.path}/.coco/state`;
-  await fs38.mkdir(statePath, { recursive: true });
+  await fs39.mkdir(statePath, { recursive: true });
   const filePath = `${statePath}/project.json`;
   const tmpPath = `${filePath}.tmp.${Date.now()}`;
-  await fs38.writeFile(tmpPath, JSON.stringify(state, null, 2), "utf-8");
-  await fs38.rename(tmpPath, filePath);
+  await fs39.writeFile(tmpPath, JSON.stringify(state, null, 2), "utf-8");
+  await fs39.rename(tmpPath, filePath);
 }
 function getPhaseExecutor(phase) {
   switch (phase) {
@@ -16248,20 +17084,20 @@ async function createPhaseContext(config, state) {
   };
   const tools = {
     file: {
-      async read(path40) {
-        const fs38 = await import('fs/promises');
-        return fs38.readFile(path40, "utf-8");
+      async read(path42) {
+        const fs39 = await import('fs/promises');
+        return fs39.readFile(path42, "utf-8");
       },
-      async write(path40, content) {
-        const fs38 = await import('fs/promises');
+      async write(path42, content) {
+        const fs39 = await import('fs/promises');
         const nodePath = await import('path');
-        await fs38.mkdir(nodePath.dirname(path40), { recursive: true });
-        await fs38.writeFile(path40, content, "utf-8");
+        await fs39.mkdir(nodePath.dirname(path42), { recursive: true });
+        await fs39.writeFile(path42, content, "utf-8");
       },
-      async exists(path40) {
-        const fs38 = await import('fs/promises');
+      async exists(path42) {
+        const fs39 = await import('fs/promises');
         try {
-          await fs38.access(path40);
+          await fs39.access(path42);
           return true;
         } catch {
           return false;
@@ -16410,9 +17246,9 @@ async function createSnapshot(state) {
 var MAX_CHECKPOINT_VERSIONS = 5;
 async function getCheckpointFiles(state, phase) {
   try {
-    const fs38 = await import('fs/promises');
+    const fs39 = await import('fs/promises');
     const checkpointDir = `${state.path}/.coco/checkpoints`;
-    const files = await fs38.readdir(checkpointDir);
+    const files = await fs39.readdir(checkpointDir);
     const phaseFiles = files.filter((f) => f.startsWith(`snapshot-pre-${phase}-`) && f.endsWith(".json")).sort((a, b) => {
       const tsA = parseInt(a.split("-").pop()?.replace(".json", "") ?? "0", 10);
       const tsB = parseInt(b.split("-").pop()?.replace(".json", "") ?? "0", 10);
@@ -16425,11 +17261,11 @@ async function getCheckpointFiles(state, phase) {
 }
 async function cleanupOldCheckpoints(state, phase) {
   try {
-    const fs38 = await import('fs/promises');
+    const fs39 = await import('fs/promises');
     const files = await getCheckpointFiles(state, phase);
     if (files.length > MAX_CHECKPOINT_VERSIONS) {
       const filesToDelete = files.slice(MAX_CHECKPOINT_VERSIONS);
-      await Promise.all(filesToDelete.map((f) => fs38.unlink(f).catch(() => {
+      await Promise.all(filesToDelete.map((f) => fs39.unlink(f).catch(() => {
       })));
     }
   } catch {
@@ -16437,13 +17273,13 @@ async function cleanupOldCheckpoints(state, phase) {
 }
 async function saveSnapshot(state, snapshotId) {
   try {
-    const fs38 = await import('fs/promises');
+    const fs39 = await import('fs/promises');
     const snapshotPath = `${state.path}/.coco/checkpoints/snapshot-${snapshotId}.json`;
     const snapshotDir = `${state.path}/.coco/checkpoints`;
-    await fs38.mkdir(snapshotDir, { recursive: true });
+    await fs39.mkdir(snapshotDir, { recursive: true });
     const createdAt = state.createdAt instanceof Date ? state.createdAt.toISOString() : String(state.createdAt);
     const updatedAt = state.updatedAt instanceof Date ? state.updatedAt.toISOString() : String(state.updatedAt);
-    await fs38.writeFile(
+    await fs39.writeFile(
       snapshotPath,
       JSON.stringify(
         {
@@ -16735,20 +17571,69 @@ var SENSITIVE_PATTERNS = [
   // PyPI auth
 ];
 var BLOCKED_PATHS = ["/etc", "/var", "/usr", "/root", "/sys", "/proc", "/boot"];
+var SAFE_COCO_HOME_READ_FILES = /* @__PURE__ */ new Set([
+  "mcp.json",
+  "config.json",
+  "COCO.md",
+  "AGENTS.md",
+  "CLAUDE.md",
+  "projects.json",
+  "trusted-tools.json",
+  "allowed-paths.json"
+]);
+var SAFE_COCO_HOME_READ_DIR_PREFIXES = ["skills", "memories", "logs", "checkpoints", "sessions"];
 function hasNullByte(str) {
   return str.includes("\0");
 }
 function normalizePath(filePath) {
   let normalized = filePath.replace(/\0/g, "");
+  const home = process.env.HOME || process.env.USERPROFILE;
+  if (home && normalized.startsWith("~")) {
+    if (normalized === "~") {
+      normalized = home;
+    } else if (normalized.startsWith("~/") || normalized.startsWith(`~${path17__default.sep}`)) {
+      normalized = path17__default.join(home, normalized.slice(2));
+    }
+  }
   normalized = path17__default.normalize(normalized);
   return normalized;
 }
+function resolveUserPath(filePath) {
+  return path17__default.resolve(normalizePath(filePath));
+}
+function isWithinDirectory(targetPath, baseDir) {
+  const normalizedTarget = path17__default.normalize(targetPath);
+  const normalizedBase = path17__default.normalize(baseDir);
+  return normalizedTarget === normalizedBase || normalizedTarget.startsWith(normalizedBase + path17__default.sep);
+}
+function isSafeCocoHomeReadPath(absolutePath, homeDir) {
+  const cocoHome = path17__default.join(homeDir, ".coco");
+  if (!isWithinDirectory(absolutePath, cocoHome)) {
+    return false;
+  }
+  const relativePath = path17__default.relative(cocoHome, absolutePath);
+  if (!relativePath || relativePath.startsWith("..")) {
+    return false;
+  }
+  const segments = relativePath.split(path17__default.sep).filter(Boolean);
+  const firstSegment = segments[0];
+  if (!firstSegment) {
+    return false;
+  }
+  if (firstSegment === "tokens" || firstSegment === ".env") {
+    return false;
+  }
+  if (segments.length === 1 && SAFE_COCO_HOME_READ_FILES.has(firstSegment)) {
+    return true;
+  }
+  return SAFE_COCO_HOME_READ_DIR_PREFIXES.includes(firstSegment);
+}
 function isPathAllowed(filePath, operation) {
   if (hasNullByte(filePath)) {
     return { allowed: false, reason: "Path contains invalid characters" };
   }
   const normalized = normalizePath(filePath);
-  const absolute = path17__default.resolve(normalized);
+  const absolute = resolveUserPath(normalized);
   const cwd = process.cwd();
   for (const blocked of BLOCKED_PATHS) {
     const normalizedBlocked = path17__default.normalize(blocked);
@@ -16762,6 +17647,9 @@ function isPathAllowed(filePath, operation) {
     const normalizedCwd = path17__default.normalize(cwd);
     if (absolute.startsWith(normalizedHome) && !absolute.startsWith(normalizedCwd)) {
       if (isWithinAllowedPath(absolute, operation)) ; else if (operation === "read") {
+        if (isSafeCocoHomeReadPath(absolute, normalizedHome)) {
+          return { allowed: true };
+        }
         const allowedHomeReads = [".gitconfig", ".zshrc", ".bashrc"];
         const basename5 = path17__default.basename(absolute);
         if (!allowedHomeReads.includes(basename5)) {
@@ -16804,7 +17692,7 @@ function isENOENT(error) {
   return error.code === "ENOENT";
 }
 async function enrichENOENT(filePath, operation) {
-  const absPath = path17__default.resolve(filePath);
+  const absPath = resolveUserPath(filePath);
   const suggestions = await suggestSimilarFilesDeep(absPath, process.cwd());
   const hint = formatSuggestions(suggestions, path17__default.dirname(absPath));
   const action = operation === "read" ? "Use glob or list_dir to find the correct path." : "Check that the parent directory exists.";
@@ -16812,7 +17700,7 @@ async function enrichENOENT(filePath, operation) {
 ${action}`;
 }
 async function enrichDirENOENT(dirPath) {
-  const absPath = path17__default.resolve(dirPath);
+  const absPath = resolveUserPath(dirPath);
   const suggestions = await suggestSimilarDirsDeep(absPath, process.cwd());
   const hint = formatSuggestions(suggestions, path17__default.dirname(absPath));
   return `Directory not found: ${dirPath}${hint}
@@ -16835,7 +17723,7 @@ Examples:
   async execute({ path: filePath, encoding, maxSize }) {
     validatePath(filePath, "read");
     try {
-      const absolutePath = path17__default.resolve(filePath);
+      const absolutePath = resolveUserPath(filePath);
       const stats = await fs16__default.stat(absolutePath);
       const maxBytes = maxSize ?? DEFAULT_MAX_FILE_SIZE;
       let truncated = false;
@@ -16894,7 +17782,7 @@ Examples:
   async execute({ path: filePath, content, createDirs, dryRun }) {
     validatePath(filePath, "write");
     try {
-      const absolutePath = path17__default.resolve(filePath);
+      const absolutePath = resolveUserPath(filePath);
       let wouldCreate = false;
       try {
         await fs16__default.access(absolutePath);
@@ -16956,7 +17844,7 @@ Examples:
   async execute({ path: filePath, oldText, newText, all, dryRun }) {
     validatePath(filePath, "write");
     try {
-      const absolutePath = path17__default.resolve(filePath);
+      const absolutePath = resolveUserPath(filePath);
       let content = await fs16__default.readFile(absolutePath, "utf-8");
       let replacements = 0;
       if (all) {
@@ -17077,7 +17965,7 @@ Examples:
   }),
   async execute({ path: filePath }) {
     try {
-      const absolutePath = path17__default.resolve(filePath);
+      const absolutePath = resolveUserPath(filePath);
       const stats = await fs16__default.stat(absolutePath);
       return {
         exists: true,
@@ -17108,7 +17996,7 @@ Examples:
   }),
   async execute({ path: dirPath, recursive }) {
     try {
-      const absolutePath = path17__default.resolve(dirPath);
+      const absolutePath = resolveUserPath(dirPath);
       const entries = [];
       async function listDir(dir, prefix = "") {
         const items = await fs16__default.readdir(dir, { withFileTypes: true });
@@ -17168,7 +18056,7 @@ Examples:
     }
     validatePath(filePath, "delete");
     try {
-      const absolutePath = path17__default.resolve(filePath);
+      const absolutePath = resolveUserPath(filePath);
       const stats = await fs16__default.stat(absolutePath);
       if (stats.isDirectory()) {
         if (!recursive) {
@@ -17184,7 +18072,7 @@ Examples:
     } catch (error) {
       if (error instanceof ToolError) throw error;
       if (error.code === "ENOENT") {
-        return { deleted: false, path: path17__default.resolve(filePath) };
+        return { deleted: false, path: resolveUserPath(filePath) };
       }
       throw new FileSystemError(`Failed to delete: ${filePath}`, {
         path: filePath,
@@ -17212,8 +18100,8 @@ Examples:
     validatePath(source, "read");
     validatePath(destination, "write");
     try {
-      const srcPath = path17__default.resolve(source);
-      const destPath = path17__default.resolve(destination);
+      const srcPath = resolveUserPath(source);
+      const destPath = resolveUserPath(destination);
       if (!overwrite) {
         try {
           await fs16__default.access(destPath);
@@ -17273,8 +18161,8 @@ Examples:
     validatePath(source, "delete");
     validatePath(destination, "write");
     try {
-      const srcPath = path17__default.resolve(source);
-      const destPath = path17__default.resolve(destination);
+      const srcPath = resolveUserPath(source);
+      const destPath = resolveUserPath(destination);
       if (!overwrite) {
         try {
           await fs16__default.access(destPath);
@@ -17360,7 +18248,7 @@ Examples:
   }),
   async execute({ path: dirPath, depth, showHidden, dirsOnly }) {
     try {
-      const absolutePath = path17__default.resolve(dirPath ?? ".");
+      const absolutePath = resolveUserPath(dirPath ?? ".");
       let totalFiles = 0;
       let totalDirs = 0;
       const lines = [path17__default.basename(absolutePath) + "/"];
@@ -18271,6 +19159,9 @@ var simpleAutoCommitTool = defineTool({
   }
 });
 var gitSimpleTools = [checkProtectedBranchTool, simpleAutoCommitTool];
+
+// src/cli/repl/agents/manager.ts
+init_logger();
 var AGENT_NAMES = {
   explore: "Explorer",
   plan: "Planner",
@@ -21763,9 +22654,9 @@ async function fileExists(filePath) {
     return false;
   }
 }
-async function fileExists2(path40) {
+async function fileExists2(path42) {
   try {
-    await access(path40);
+    await access(path42);
     return true;
   } catch {
     return false;
@@ -21855,7 +22746,7 @@ async function detectMaturity(cwd) {
   if (!hasLintConfig && hasPackageJson) {
     try {
       const pkgRaw = await import('fs/promises').then(
-        (fs38) => fs38.readFile(join(cwd, "package.json"), "utf-8")
+        (fs39) => fs39.readFile(join(cwd, "package.json"), "utf-8")
       );
       const pkg = JSON.parse(pkgRaw);
       if (pkg.scripts?.lint || pkg.scripts?.["lint:fix"]) {
@@ -25782,6 +26673,1624 @@ Examples:
   }
 });
 var openTools = [openFileTool];
+
+// src/mcp/registry.ts
+init_types();
+init_config();
+init_errors2();
+var MCPRegistryImpl = class {
+  servers = /* @__PURE__ */ new Map();
+  registryPath;
+  constructor(registryPath) {
+    this.registryPath = registryPath || getDefaultRegistryPath();
+  }
+  /**
+   * Add or update a server configuration
+   */
+  async addServer(config) {
+    validateServerConfig(config);
+    const existing = this.servers.get(config.name);
+    if (existing) {
+      this.servers.set(config.name, { ...existing, ...config });
+    } else {
+      this.servers.set(config.name, config);
+    }
+    await this.save();
+  }
+  /**
+   * Remove a server by name
+   */
+  async removeServer(name) {
+    const existed = this.servers.has(name);
+    if (existed) {
+      this.servers.delete(name);
+      await this.save();
+    }
+    return existed;
+  }
+  /**
+   * Get a server configuration by name
+   */
+  getServer(name) {
+    return this.servers.get(name);
+  }
+  /**
+   * List all registered servers
+   */
+  listServers() {
+    return Array.from(this.servers.values());
+  }
+  /**
+   * List enabled servers only
+   */
+  listEnabledServers() {
+    return this.listServers().filter((s) => s.enabled !== false);
+  }
+  /**
+   * Check if a server exists
+   */
+  hasServer(name) {
+    return this.servers.has(name);
+  }
+  /**
+   * Get registry file path
+   */
+  getRegistryPath() {
+    return this.registryPath;
+  }
+  /**
+   * Save registry to disk
+   */
+  async save() {
+    try {
+      await this.ensureDir(this.registryPath);
+      const data = serializeRegistry(this.listServers());
+      await writeFile(this.registryPath, data, "utf-8");
+    } catch (error) {
+      throw new MCPError(
+        -32001 /* TRANSPORT_ERROR */,
+        `Failed to save registry: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Load registry from disk
+   */
+  async load() {
+    if (this.registryPath === getDefaultRegistryPath()) {
+      await migrateMCPData();
+    }
+    try {
+      await access(this.registryPath);
+      const content = await readFile(this.registryPath, "utf-8");
+      let servers = parseRegistry(content);
+      if (servers.length === 0) {
+        try {
+          const { loadMCPConfigFile: loadMCPConfigFile2 } = await Promise.resolve().then(() => (init_config_loader(), config_loader_exports));
+          servers = await loadMCPConfigFile2(this.registryPath);
+        } catch {
+        }
+      }
+      this.servers.clear();
+      for (const server of servers) {
+        try {
+          validateServerConfig(server);
+          this.servers.set(server.name, server);
+        } catch {
+        }
+      }
+    } catch {
+      this.servers.clear();
+    }
+  }
+  /**
+   * Ensure directory exists
+   */
+  async ensureDir(path42) {
+    await mkdir(dirname(path42), { recursive: true });
+  }
+};
+
+// src/tools/mcp.ts
+init_config_loader();
+
+// src/mcp/client.ts
+init_errors2();
+var DEFAULT_REQUEST_TIMEOUT = 6e4;
+var MCPClientImpl = class {
+  constructor(transport, requestTimeout = DEFAULT_REQUEST_TIMEOUT) {
+    this.transport = transport;
+    this.requestTimeout = requestTimeout;
+    this.setupTransportHandlers();
+  }
+  requestId = 0;
+  pendingRequests = /* @__PURE__ */ new Map();
+  initialized = false;
+  serverCapabilities = null;
+  /**
+   * Setup transport message handlers
+   */
+  setupTransportHandlers() {
+    this.transport.onMessage((message) => {
+      this.handleMessage(message);
+    });
+    this.transport.onError((error) => {
+      this.rejectAllPending(error);
+    });
+    this.transport.onClose(() => {
+      this.initialized = false;
+      this.rejectAllPending(new MCPConnectionError("Connection closed"));
+    });
+  }
+  /**
+   * Handle incoming messages from transport
+   */
+  handleMessage(message) {
+    const pending = this.pendingRequests.get(message.id);
+    if (!pending) return;
+    clearTimeout(pending.timeout);
+    this.pendingRequests.delete(message.id);
+    if (message.error) {
+      pending.reject(new Error(message.error.message));
+    } else {
+      pending.resolve(message.result);
+    }
+  }
+  /**
+   * Reject all pending requests
+   */
+  rejectAllPending(error) {
+    for (const [, pending] of this.pendingRequests) {
+      clearTimeout(pending.timeout);
+      pending.reject(error);
+    }
+    this.pendingRequests.clear();
+  }
+  /**
+   * Send a request and wait for response
+   */
+  async sendRequest(method, params) {
+    if (!this.transport.isConnected()) {
+      throw new MCPConnectionError("Transport not connected");
+    }
+    const id = ++this.requestId;
+    const request = {
+      jsonrpc: "2.0",
+      id,
+      method,
+      params
+    };
+    return new Promise((resolve3, reject) => {
+      const timeout = setTimeout(() => {
+        this.pendingRequests.delete(id);
+        reject(new MCPTimeoutError(`Request '${method}' timed out after ${this.requestTimeout}ms`));
+      }, this.requestTimeout);
+      this.pendingRequests.set(id, {
+        resolve: resolve3,
+        reject,
+        timeout
+      });
+      this.transport.send(request).catch((error) => {
+        clearTimeout(timeout);
+        this.pendingRequests.delete(id);
+        reject(error);
+      });
+    });
+  }
+  /**
+   * Initialize connection to MCP server
+   */
+  async initialize(params) {
+    if (!this.transport.isConnected()) {
+      await this.transport.connect();
+    }
+    const result = await this.sendRequest("initialize", params);
+    this.serverCapabilities = result.capabilities;
+    this.initialized = true;
+    await this.transport.send({
+      jsonrpc: "2.0",
+      id: ++this.requestId,
+      method: "notifications/initialized"
+    });
+    return result;
+  }
+  /**
+   * List available tools
+   */
+  async listTools() {
+    this.ensureInitialized();
+    return this.sendRequest("tools/list");
+  }
+  /**
+   * Call a tool on the MCP server
+   */
+  async callTool(params) {
+    this.ensureInitialized();
+    return this.sendRequest("tools/call", params);
+  }
+  /**
+   * List available resources
+   */
+  async listResources() {
+    this.ensureInitialized();
+    return this.sendRequest("resources/list");
+  }
+  /**
+   * Read a specific resource by URI
+   */
+  async readResource(uri) {
+    this.ensureInitialized();
+    return this.sendRequest("resources/read", { uri });
+  }
+  /**
+   * List available prompts
+   */
+  async listPrompts() {
+    this.ensureInitialized();
+    return this.sendRequest("prompts/list");
+  }
+  /**
+   * Get a specific prompt with arguments
+   */
+  async getPrompt(name, args) {
+    this.ensureInitialized();
+    return this.sendRequest("prompts/get", {
+      name,
+      arguments: args
+    });
+  }
+  /**
+   * Ensure client is initialized
+   */
+  ensureInitialized() {
+    if (!this.initialized) {
+      throw new MCPConnectionError("Client not initialized. Call initialize() first.");
+    }
+  }
+  /**
+   * Close the client connection
+   */
+  async close() {
+    this.initialized = false;
+    await this.transport.disconnect();
+  }
+  /**
+   * Check if client is connected
+   */
+  isConnected() {
+    return this.transport.isConnected() && this.initialized;
+  }
+  /**
+   * Get server capabilities
+   */
+  getServerCapabilities() {
+    return this.serverCapabilities;
+  }
+};
+
+// src/mcp/transport/stdio.ts
+init_errors2();
+var StdioTransport = class {
+  constructor(config) {
+    this.config = config;
+  }
+  process = null;
+  messageCallback = null;
+  errorCallback = null;
+  closeCallback = null;
+  buffer = "";
+  connected = false;
+  /**
+   * Connect to the stdio transport by spawning the process
+   */
+  async connect() {
+    if (this.connected) {
+      throw new MCPConnectionError("Transport already connected");
+    }
+    return new Promise((resolve3, reject) => {
+      const { command, args = [], env: env2, cwd } = this.config;
+      this.process = spawn(command, args, {
+        stdio: ["pipe", "pipe", "pipe"],
+        env: { ...process.env, ...env2 },
+        cwd
+      });
+      this.process.on("error", (error) => {
+        reject(new MCPConnectionError(`Failed to spawn process: ${error.message}`));
+      });
+      this.process.on("spawn", () => {
+        this.connected = true;
+        this.setupHandlers();
+        resolve3();
+      });
+      this.process.stderr?.on("data", (data) => {
+        console.debug(`[MCP Server stderr]: ${data.toString()}`);
+      });
+    });
+  }
+  /**
+   * Setup data handlers for the process
+   */
+  setupHandlers() {
+    if (!this.process?.stdout) return;
+    this.process.stdout.on("data", (data) => {
+      this.handleData(data);
+    });
+    this.process.on("exit", (code) => {
+      this.connected = false;
+      if (code !== 0 && code !== null) {
+        this.errorCallback?.(new MCPTransportError(`Process exited with code ${code}`));
+      }
+      this.closeCallback?.();
+    });
+    this.process.on("close", () => {
+      this.connected = false;
+      this.closeCallback?.();
+    });
+  }
+  /**
+   * Handle incoming data from stdout
+   */
+  handleData(data) {
+    this.buffer += data.toString();
+    const lines = this.buffer.split("\n");
+    this.buffer = lines.pop() ?? "";
+    for (const line of lines) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        const message = JSON.parse(trimmed);
+        this.messageCallback?.(message);
+      } catch {
+        this.errorCallback?.(new MCPTransportError(`Invalid JSON: ${trimmed}`));
+      }
+    }
+  }
+  /**
+   * Send a message through the transport
+   */
+  async send(message) {
+    if (!this.connected || !this.process?.stdin) {
+      throw new MCPTransportError("Transport not connected");
+    }
+    const line = JSON.stringify(message) + "\n";
+    return new Promise((resolve3, reject) => {
+      if (!this.process?.stdin) {
+        reject(new MCPTransportError("stdin not available"));
+        return;
+      }
+      const stdin = this.process.stdin;
+      const canWrite = stdin.write(line, (error) => {
+        if (error) {
+          reject(new MCPTransportError(`Write error: ${error.message}`));
+        } else {
+          resolve3();
+        }
+      });
+      if (!canWrite) {
+        stdin.once("drain", () => resolve3());
+      }
+    });
+  }
+  /**
+   * Disconnect from the transport
+   */
+  async disconnect() {
+    if (!this.process) return;
+    return new Promise((resolve3) => {
+      if (!this.process) {
+        resolve3();
+        return;
+      }
+      this.process.stdin?.end();
+      const timeout = setTimeout(() => {
+        this.process?.kill("SIGTERM");
+      }, 5e3);
+      this.process.on("close", () => {
+        clearTimeout(timeout);
+        this.connected = false;
+        this.process = null;
+        resolve3();
+      });
+      if (this.process.killed || !this.connected) {
+        clearTimeout(timeout);
+        this.process = null;
+        resolve3();
+      }
+    });
+  }
+  /**
+   * Set callback for received messages
+   */
+  onMessage(callback) {
+    this.messageCallback = callback;
+  }
+  /**
+   * Set callback for errors
+   */
+  onError(callback) {
+    this.errorCallback = callback;
+  }
+  /**
+   * Set callback for connection close
+   */
+  onClose(callback) {
+    this.closeCallback = callback;
+  }
+  /**
+   * Check if transport is connected
+   */
+  isConnected() {
+    return this.connected;
+  }
+};
+
+// src/mcp/transport/http.ts
+init_errors2();
+
+// src/mcp/oauth.ts
+init_callback_server();
+init_paths();
+init_logger();
+var execFileAsync2 = promisify(execFile);
+var TOKEN_STORE_PATH = path17__default.join(CONFIG_PATHS.tokens, "mcp-oauth.json");
+var OAUTH_TIMEOUT_MS = 5 * 60 * 1e3;
+var logger = getLogger();
+function getResourceKey(resourceUrl) {
+  const resource = canonicalizeResourceUrl(resourceUrl);
+  return resource.toLowerCase();
+}
+function canonicalizeResourceUrl(resourceUrl) {
+  const parsed = new URL(resourceUrl);
+  parsed.search = "";
+  parsed.hash = "";
+  if (parsed.pathname === "/") {
+    return `${parsed.protocol}//${parsed.host}`;
+  }
+  parsed.pathname = parsed.pathname.replace(/\/+$/, "");
+  return parsed.toString();
+}
+async function loadStore2() {
+  try {
+    const content = await fs16__default.readFile(TOKEN_STORE_PATH, "utf-8");
+    const parsed = JSON.parse(content);
+    return {
+      tokens: parsed.tokens ?? {},
+      clients: parsed.clients ?? {}
+    };
+  } catch {
+    return { tokens: {}, clients: {} };
+  }
+}
+async function saveStore2(store) {
+  await fs16__default.mkdir(path17__default.dirname(TOKEN_STORE_PATH), { recursive: true });
+  await fs16__default.writeFile(TOKEN_STORE_PATH, JSON.stringify(store, null, 2), {
+    encoding: "utf-8",
+    mode: 384
+  });
+}
+function isTokenExpired2(token) {
+  if (!token.expiresAt) return false;
+  return Date.now() >= token.expiresAt - 3e4;
+}
+async function getStoredMcpOAuthToken(resourceUrl) {
+  const store = await loadStore2();
+  const token = store.tokens[getResourceKey(resourceUrl)];
+  if (!token) return void 0;
+  if (isTokenExpired2(token)) return void 0;
+  return token.accessToken;
+}
+function createCodeVerifier() {
+  return randomBytes(32).toString("base64url");
+}
+function createCodeChallenge(verifier) {
+  return createHash("sha256").update(verifier).digest("base64url");
+}
+function createState() {
+  return randomBytes(16).toString("hex");
+}
+async function openBrowser(url) {
+  let safeUrl;
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+      return false;
+    }
+    safeUrl = parsed.toString();
+  } catch {
+    return false;
+  }
+  const isWSL2 = process.platform === "linux" && (process.env["WSL_DISTRO_NAME"] !== void 0 || process.env["WSL_INTEROP"] !== void 0 || process.env["TERM_PROGRAM"]?.toLowerCase().includes("wsl") === true);
+  const commands = [];
+  if (process.platform === "darwin") {
+    commands.push(
+      { cmd: "open", args: [safeUrl] },
+      { cmd: "open", args: ["-a", "Safari", safeUrl] },
+      { cmd: "open", args: ["-a", "Google Chrome", safeUrl] }
+    );
+  } else if (process.platform === "win32") {
+    commands.push({ cmd: "rundll32", args: ["url.dll,FileProtocolHandler", safeUrl] });
+  } else if (isWSL2) {
+    commands.push(
+      { cmd: "cmd.exe", args: ["/c", "start", "", safeUrl] },
+      { cmd: "powershell.exe", args: ["-Command", `Start-Process '${safeUrl}'`] },
+      { cmd: "wslview", args: [safeUrl] }
+    );
+  } else {
+    commands.push(
+      { cmd: "xdg-open", args: [safeUrl] },
+      { cmd: "sensible-browser", args: [safeUrl] },
+      { cmd: "x-www-browser", args: [safeUrl] },
+      { cmd: "gnome-open", args: [safeUrl] },
+      { cmd: "firefox", args: [safeUrl] },
+      { cmd: "chromium-browser", args: [safeUrl] },
+      { cmd: "google-chrome", args: [safeUrl] }
+    );
+  }
+  for (const { cmd, args } of commands) {
+    try {
+      await execFileAsync2(cmd, args);
+      return true;
+    } catch {
+      continue;
+    }
+  }
+  return false;
+}
+function maskUrlForLogs(rawUrl) {
+  try {
+    const url = new URL(rawUrl);
+    url.search = "";
+    url.hash = "";
+    return url.toString();
+  } catch {
+    return "[invalid-url]";
+  }
+}
+function parseResourceMetadataUrl(wwwAuthenticateHeader) {
+  if (!wwwAuthenticateHeader) return void 0;
+  const match = wwwAuthenticateHeader.match(/resource_metadata="([^"]+)"/i);
+  return match?.[1];
+}
+function createProtectedMetadataCandidates(resourceUrl, headerUrl) {
+  const candidates = [];
+  if (headerUrl) {
+    candidates.push(headerUrl);
+  }
+  const resource = new URL(resourceUrl);
+  const origin = `${resource.protocol}//${resource.host}`;
+  const pathPart = resource.pathname.replace(/\/+$/, "");
+  candidates.push(`${origin}/.well-known/oauth-protected-resource`);
+  if (pathPart && pathPart !== "/") {
+    candidates.push(`${origin}/.well-known/oauth-protected-resource${pathPart}`);
+    candidates.push(`${origin}/.well-known/oauth-protected-resource/${pathPart.replace(/^\//, "")}`);
+  }
+  return Array.from(new Set(candidates));
+}
+async function fetchJson(url) {
+  const res = await fetch(url, { method: "GET", headers: { Accept: "application/json" } });
+  if (!res.ok) {
+    throw new Error(`HTTP ${res.status} while fetching ${url}`);
+  }
+  return await res.json();
+}
+function buildAuthorizationMetadataCandidates(issuer) {
+  const parsed = new URL(issuer);
+  const base = `${parsed.protocol}//${parsed.host}`;
+  const issuerPath = parsed.pathname === "/" ? "" : parsed.pathname.replace(/\/+$/, "");
+  const candidates = [
+    `${base}/.well-known/oauth-authorization-server${issuerPath}`,
+    `${base}/.well-known/oauth-authorization-server`,
+    `${base}/.well-known/openid-configuration${issuerPath}`,
+    `${base}/.well-known/openid-configuration`
+  ];
+  return Array.from(new Set(candidates));
+}
+async function discoverProtectedResourceMetadata(resourceUrl, wwwAuthenticateHeader) {
+  const headerUrl = parseResourceMetadataUrl(wwwAuthenticateHeader);
+  const candidates = createProtectedMetadataCandidates(resourceUrl, headerUrl);
+  for (const candidate of candidates) {
+    try {
+      const metadata = await fetchJson(candidate);
+      if (Array.isArray(metadata.authorization_servers) && metadata.authorization_servers.length > 0) {
+        return metadata;
+      }
+    } catch {
+    }
+  }
+  throw new Error("Could not discover OAuth protected resource metadata for MCP server");
+}
+async function discoverAuthorizationServerMetadata(authorizationServer) {
+  const candidates = buildAuthorizationMetadataCandidates(authorizationServer);
+  for (const candidate of candidates) {
+    try {
+      const metadata = await fetchJson(candidate);
+      if (metadata.authorization_endpoint && metadata.token_endpoint) {
+        return metadata;
+      }
+    } catch {
+    }
+  }
+  throw new Error("Could not discover OAuth authorization server metadata");
+}
+async function ensureClientId(authorizationMetadata, authorizationServer, redirectUri) {
+  const store = await loadStore2();
+  const clientKey = `${authorizationServer}|${redirectUri}`;
+  const existing = store.clients[clientKey]?.clientId;
+  if (existing) return existing;
+  const registrationEndpoint = authorizationMetadata.registration_endpoint;
+  if (!registrationEndpoint) {
+    throw new Error(
+      "Authorization server does not expose dynamic client registration; configure a static OAuth client ID for this MCP server."
+    );
+  }
+  const registrationPayload = {
+    client_name: "corbat-coco-mcp",
+    redirect_uris: [redirectUri],
+    grant_types: ["authorization_code", "refresh_token"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none"
+  };
+  const response = await fetch(registrationEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(registrationPayload)
+  });
+  if (!response.ok) {
+    throw new Error(`Dynamic client registration failed: HTTP ${response.status}`);
+  }
+  const data = await response.json();
+  const clientId = data.client_id;
+  if (!clientId) {
+    throw new Error("Dynamic client registration did not return client_id");
+  }
+  store.clients[clientKey] = { clientId };
+  await saveStore2(store);
+  return clientId;
+}
+async function refreshAccessToken2(params) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    client_id: params.clientId,
+    refresh_token: params.refreshToken,
+    resource: params.resource
+  });
+  const response = await fetch(params.tokenEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    throw new Error(`Refresh token exchange failed: HTTP ${response.status}`);
+  }
+  const tokenResponse = await response.json();
+  if (!tokenResponse.access_token) {
+    throw new Error("Refresh token response missing access_token");
+  }
+  return tokenResponse;
+}
+async function exchangeCodeForToken(tokenEndpoint, clientId, code, codeVerifier, redirectUri, resource) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    code_verifier: codeVerifier,
+    resource
+  });
+  const response = await fetch(tokenEndpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: body.toString()
+  });
+  if (!response.ok) {
+    throw new Error(`Token exchange failed: HTTP ${response.status}`);
+  }
+  const tokenResponse = await response.json();
+  if (!tokenResponse.access_token) {
+    throw new Error("Token exchange response missing access_token");
+  }
+  return tokenResponse;
+}
+async function persistToken(resourceUrl, token, metadata) {
+  const store = await loadStore2();
+  const expiresAt = typeof token.expires_in === "number" ? Date.now() + Math.max(0, token.expires_in) * 1e3 : void 0;
+  store.tokens[getResourceKey(resourceUrl)] = {
+    accessToken: token.access_token,
+    tokenType: token.token_type,
+    refreshToken: token.refresh_token,
+    authorizationServer: metadata?.authorizationServer,
+    clientId: metadata?.clientId,
+    resource: canonicalizeResourceUrl(resourceUrl),
+    ...expiresAt ? { expiresAt } : {}
+  };
+  await saveStore2(store);
+}
+async function authenticateMcpOAuth(params) {
+  const resource = canonicalizeResourceUrl(params.resourceUrl);
+  const store = await loadStore2();
+  const stored = store.tokens[getResourceKey(resource)];
+  if (stored && !params.forceRefresh && !isTokenExpired2(stored)) {
+    return stored.accessToken;
+  }
+  if (!process.stdout.isTTY) {
+    throw new Error(
+      `MCP server '${params.serverName}' requires interactive OAuth in a TTY session. Run Coco in a terminal, or use mcp-remote (e.g. npx -y mcp-remote@latest ${resource}) for IDE bridge workflows.`
+    );
+  }
+  let authorizationServer;
+  let authorizationMetadata;
+  try {
+    const protectedMetadata = await discoverProtectedResourceMetadata(
+      resource,
+      params.wwwAuthenticateHeader
+    );
+    authorizationServer = protectedMetadata.authorization_servers?.[0];
+    if (authorizationServer) {
+      authorizationMetadata = await discoverAuthorizationServerMetadata(authorizationServer);
+    }
+  } catch {
+  }
+  if (!authorizationMetadata) {
+    authorizationMetadata = await discoverAuthorizationServerMetadata(resource);
+  }
+  authorizationServer = authorizationServer ?? authorizationMetadata.issuer ?? new URL(resource).origin;
+  if (stored && stored.refreshToken && stored.clientId && (params.forceRefresh || isTokenExpired2(stored))) {
+    try {
+      const refreshed = await refreshAccessToken2({
+        tokenEndpoint: authorizationMetadata.token_endpoint,
+        clientId: stored.clientId,
+        refreshToken: stored.refreshToken,
+        resource
+      });
+      await persistToken(resource, refreshed, {
+        authorizationServer,
+        clientId: stored.clientId
+      });
+      return refreshed.access_token;
+    } catch {
+    }
+  }
+  const codeVerifier = createCodeVerifier();
+  const codeChallenge = createCodeChallenge(codeVerifier);
+  const state = createState();
+  const { port, resultPromise } = await createCallbackServer(
+    state,
+    OAUTH_TIMEOUT_MS,
+    OAUTH_CALLBACK_PORT
+  );
+  const redirectUri = `http://localhost:${port}/auth/callback`;
+  const clientId = await ensureClientId(authorizationMetadata, authorizationServer, redirectUri);
+  const authUrl = new URL(authorizationMetadata.authorization_endpoint);
+  authUrl.searchParams.set("response_type", "code");
+  authUrl.searchParams.set("client_id", clientId);
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("code_challenge", codeChallenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("resource", resource);
+  if (authorizationMetadata.scopes_supported?.includes("offline_access")) {
+    authUrl.searchParams.set("scope", "offline_access");
+  }
+  const opened = await openBrowser(authUrl.toString());
+  if (!opened) {
+    logger.warn(`[MCP OAuth] Could not open browser automatically for '${params.serverName}'`);
+    logger.warn(`[MCP OAuth] Manual auth URL base: ${maskUrlForLogs(authUrl.toString())}`);
+    console.log(`[MCP OAuth] Open this URL manually: ${authUrl.toString()}`);
+  } else {
+    logger.info(
+      `[MCP OAuth] Opened browser for '${params.serverName}'. Complete login to continue.`
+    );
+  }
+  const callback = await resultPromise;
+  const token = await exchangeCodeForToken(
+    authorizationMetadata.token_endpoint,
+    clientId,
+    callback.code,
+    codeVerifier,
+    redirectUri,
+    resource
+  );
+  await persistToken(resource, token, { authorizationServer, clientId });
+  return token.access_token;
+}
+
+// src/mcp/transport/http.ts
+init_errors2();
+var HTTPTransport = class {
+  constructor(config) {
+    this.config = config;
+    this.config.timeout = config.timeout ?? 6e4;
+    this.config.retries = config.retries ?? 3;
+  }
+  messageCallback = null;
+  errorCallback = null;
+  // Used to report transport errors to the client
+  reportError(error) {
+    this.errorCallback?.(error);
+  }
+  closeCallback = null;
+  connected = false;
+  abortController = null;
+  pendingRequests = /* @__PURE__ */ new Map();
+  oauthToken;
+  oauthInFlight = null;
+  /**
+   * Get authentication token
+   */
+  getAuthToken() {
+    if (this.oauthToken) {
+      return this.oauthToken;
+    }
+    if (!this.config.auth) return void 0;
+    if (this.config.auth.token) {
+      return this.config.auth.token;
+    }
+    if (this.config.auth.tokenEnv) {
+      return process.env[this.config.auth.tokenEnv];
+    }
+    return void 0;
+  }
+  /**
+   * Build request headers
+   */
+  buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json",
+      Accept: "application/json",
+      ...this.config.headers
+    };
+    if (this.oauthToken) {
+      headers["Authorization"] = `Bearer ${this.oauthToken}`;
+      return headers;
+    }
+    const token = this.getAuthToken();
+    if (token && this.config.auth) {
+      if (this.config.auth.type === "apikey") {
+        headers[this.config.auth.headerName || "X-API-Key"] = token;
+      } else {
+        headers["Authorization"] = `Bearer ${token}`;
+      }
+    }
+    return headers;
+  }
+  shouldAttemptOAuth() {
+    if (this.config.auth?.type === "apikey") {
+      return false;
+    }
+    if (this.config.auth?.type === "bearer") {
+      return !this.getAuthToken();
+    }
+    return true;
+  }
+  async ensureOAuthToken(wwwAuthenticateHeader, options) {
+    if (this.oauthToken && !options?.forceRefresh) {
+      return this.oauthToken;
+    }
+    if (this.oauthInFlight) {
+      return this.oauthInFlight;
+    }
+    const serverName = this.config.name ?? this.config.url;
+    if (options?.forceRefresh) {
+      this.oauthToken = void 0;
+    }
+    this.oauthInFlight = authenticateMcpOAuth({
+      serverName,
+      resourceUrl: this.config.url,
+      wwwAuthenticateHeader,
+      forceRefresh: options?.forceRefresh
+    }).then((token) => {
+      this.oauthToken = token;
+      return token;
+    }).finally(() => {
+      this.oauthInFlight = null;
+    });
+    return this.oauthInFlight;
+  }
+  async sendRequestWithOAuthRetry(method, body, signal) {
+    const doFetch = async () => fetch(this.config.url, {
+      method,
+      headers: this.buildHeaders(),
+      ...body ? { body } : {},
+      signal
+    });
+    let response = await doFetch();
+    if (response.status !== 401 || !this.shouldAttemptOAuth()) {
+      if (this.shouldAttemptOAuth() && !this.oauthToken && response.headers.get("www-authenticate")) {
+        await this.ensureOAuthToken(response.headers.get("www-authenticate"));
+        response = await doFetch();
+      }
+      return response;
+    }
+    await this.ensureOAuthToken(response.headers.get("www-authenticate"), { forceRefresh: true });
+    response = await doFetch();
+    return response;
+  }
+  looksLikeAuthErrorMessage(message) {
+    if (!message) return false;
+    const msg = message.toLowerCase();
+    const hasStrongAuthSignal = msg.includes("unauthorized") || msg.includes("unauthorised") || msg.includes("authentication") || msg.includes("oauth") || msg.includes("access token") || msg.includes("invalid_token") || msg.includes("invalid token") || msg.includes("token expired") || msg.includes("bearer") || msg.includes("not authenticated") || msg.includes("not logged") || msg.includes("login") || msg.includes("generate") && msg.includes("token");
+    const hasVendorHint = msg.includes("gemini cli") || msg.includes("jira") || msg.includes("confluence") || msg.includes("atlassian");
+    const hasWeakAuthSignal = msg.includes("authenticate") || msg.includes("token") || msg.includes("authorization");
+    return hasStrongAuthSignal || // Vendor-specific hints alone are not enough; require an auth-related token too.
+    hasVendorHint && hasWeakAuthSignal;
+  }
+  isJsonRpcAuthError(payload) {
+    if (!payload.error) return false;
+    return this.looksLikeAuthErrorMessage(payload.error.message);
+  }
+  /**
+   * Connect to the HTTP transport
+   */
+  async connect() {
+    if (this.connected) {
+      throw new MCPConnectionError("Transport already connected");
+    }
+    try {
+      new URL(this.config.url);
+    } catch {
+      throw new MCPConnectionError(`Invalid URL: ${this.config.url}`);
+    }
+    try {
+      this.abortController = new AbortController();
+      if (this.shouldAttemptOAuth()) {
+        this.oauthToken = await getStoredMcpOAuthToken(this.config.url);
+      }
+      const response = await this.sendRequestWithOAuthRetry(
+        "GET",
+        void 0,
+        this.abortController.signal
+      );
+      if (!response.ok && response.status !== 404) {
+        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      }
+      this.connected = true;
+    } catch (error) {
+      if (error instanceof MCPError) {
+        this.reportError(error);
+        throw error;
+      }
+      const connError = new MCPConnectionError(
+        `Failed to connect: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+      this.reportError(connError);
+      throw connError;
+    }
+  }
+  /**
+   * Send a message through the transport
+   */
+  async send(message) {
+    if (!this.connected) {
+      throw new MCPTransportError("Transport not connected");
+    }
+    const abortController = new AbortController();
+    this.pendingRequests.set(message.id, abortController);
+    let lastError;
+    for (let attempt = 0; attempt < this.config.retries; attempt++) {
+      try {
+        const timeoutId = setTimeout(() => {
+          abortController.abort();
+        }, this.config.timeout);
+        const response = await this.sendRequestWithOAuthRetry(
+          "POST",
+          JSON.stringify(message),
+          abortController.signal
+        );
+        clearTimeout(timeoutId);
+        if (!response.ok) {
+          throw new MCPTransportError(`HTTP error ${response.status}: ${response.statusText}`);
+        }
+        const data = await response.json();
+        if (this.shouldAttemptOAuth() && this.isJsonRpcAuthError(data)) {
+          await this.ensureOAuthToken(response.headers.get("www-authenticate"), {
+            forceRefresh: true
+          });
+          const retryResponse = await this.sendRequestWithOAuthRetry(
+            "POST",
+            JSON.stringify(message),
+            abortController.signal
+          );
+          if (!retryResponse.ok) {
+            throw new MCPTransportError(
+              `HTTP error ${retryResponse.status}: ${retryResponse.statusText}`
+            );
+          }
+          const retryData = await retryResponse.json();
+          this.messageCallback?.(retryData);
+          return;
+        }
+        this.messageCallback?.(data);
+        return;
+      } catch (error) {
+        lastError = error instanceof Error ? error : new Error(String(error));
+        if (error instanceof MCPTransportError) {
+          this.reportError(error);
+          throw error;
+        }
+        if (attempt < this.config.retries - 1) {
+          await new Promise((r) => setTimeout(r, Math.pow(2, attempt) * 1e3));
+        }
+      }
+    }
+    this.pendingRequests.delete(message.id);
+    throw new MCPTransportError(
+      `Request failed after ${this.config.retries} attempts: ${lastError?.message}`
+    );
+  }
+  /**
+   * Disconnect from the transport
+   */
+  async disconnect() {
+    for (const [, controller] of this.pendingRequests) {
+      controller.abort();
+    }
+    this.pendingRequests.clear();
+    this.abortController?.abort();
+    this.connected = false;
+    this.closeCallback?.();
+  }
+  /**
+   * Set callback for received messages
+   */
+  onMessage(callback) {
+    this.messageCallback = callback;
+  }
+  /**
+   * Set callback for errors
+   */
+  onError(callback) {
+    this.errorCallback = callback;
+  }
+  /**
+   * Set callback for connection close
+   */
+  onClose(callback) {
+    this.closeCallback = callback;
+  }
+  /**
+   * Check if transport is connected
+   */
+  isConnected() {
+    return this.connected;
+  }
+  /**
+   * Get transport URL
+   */
+  getURL() {
+    return this.config.url;
+  }
+  /**
+   * Get auth type
+   */
+  getAuthType() {
+    return this.config.auth?.type;
+  }
+};
+
+// src/mcp/transport/sse.ts
+init_errors2();
+var DEFAULT_CONFIG2 = {
+  initialReconnectDelay: 1e3,
+  maxReconnectDelay: 3e4,
+  maxReconnectAttempts: 10
+};
+var SSETransport = class {
+  config;
+  connected = false;
+  abortController = null;
+  reconnectAttempts = 0;
+  lastEventId = null;
+  messageEndpoint = null;
+  messageHandler = null;
+  errorHandler = null;
+  closeHandler = null;
+  constructor(config) {
+    this.config = { ...DEFAULT_CONFIG2, ...config };
+  }
+  /**
+   * Connect to the SSE endpoint
+   */
+  async connect() {
+    if (this.connected) return;
+    this.abortController = new AbortController();
+    this.reconnectAttempts = 0;
+    this.connected = true;
+    try {
+      await this.startListening();
+    } catch (error) {
+      this.connected = false;
+      throw error;
+    }
+  }
+  /**
+   * Disconnect from the SSE endpoint
+   */
+  async disconnect() {
+    this.connected = false;
+    this.abortController?.abort();
+    this.abortController = null;
+    this.messageEndpoint = null;
+    this.closeHandler?.();
+  }
+  /**
+   * Send a JSON-RPC message via HTTP POST
+   */
+  async send(message) {
+    if (!this.connected) {
+      throw new MCPConnectionError("Not connected to SSE endpoint");
+    }
+    const endpoint = this.messageEndpoint ?? `${this.config.url}/message`;
+    try {
+      const response = await fetch(endpoint, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          ...this.config.headers
+        },
+        body: JSON.stringify(message),
+        signal: this.abortController?.signal
+      });
+      if (!response.ok) {
+        throw new MCPTransportError(`HTTP POST failed: ${response.status} ${response.statusText}`);
+      }
+    } catch (error) {
+      if (error.name === "AbortError") return;
+      if (error instanceof MCPTransportError) throw error;
+      throw new MCPTransportError(
+        `Failed to send message: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  /**
+   * Register message handler
+   */
+  onMessage(handler) {
+    this.messageHandler = handler;
+  }
+  /**
+   * Register error handler
+   */
+  onError(handler) {
+    this.errorHandler = handler;
+  }
+  /**
+   * Register close handler
+   */
+  onClose(handler) {
+    this.closeHandler = handler;
+  }
+  /**
+   * Check if connected
+   */
+  isConnected() {
+    return this.connected;
+  }
+  /**
+   * Start listening to the SSE stream
+   */
+  async startListening() {
+    const headers = {
+      Accept: "text/event-stream",
+      "Cache-Control": "no-cache",
+      ...this.config.headers
+    };
+    if (this.lastEventId) {
+      headers["Last-Event-ID"] = this.lastEventId;
+    }
+    try {
+      const response = await fetch(this.config.url, {
+        method: "GET",
+        headers,
+        signal: this.abortController?.signal
+      });
+      if (!response.ok) {
+        throw new MCPConnectionError(
+          `SSE connection failed: ${response.status} ${response.statusText}`
+        );
+      }
+      if (!response.body) {
+        throw new MCPConnectionError("SSE response has no body");
+      }
+      this.processStream(response.body);
+    } catch (error) {
+      if (error.name === "AbortError") return;
+      if (error instanceof MCPConnectionError) throw error;
+      throw new MCPConnectionError(
+        `Failed to connect to SSE: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+  }
+  /**
+   * Process the SSE stream
+   */
+  async processStream(body) {
+    const reader = body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let eventType = "";
+    let eventData = "";
+    let eventId = "";
+    try {
+      while (this.connected) {
+        const { done, value } = await reader.read();
+        if (done) {
+          if (this.connected) {
+            await this.handleReconnect();
+          }
+          return;
+        }
+        buffer += decoder.decode(value, { stream: true });
+        const lines = buffer.split("\n");
+        buffer = lines.pop() ?? "";
+        for (const line of lines) {
+          if (line === "") {
+            if (eventData) {
+              this.handleEvent(eventType, eventData, eventId);
+              eventType = "";
+              eventData = "";
+              eventId = "";
+            }
+            continue;
+          }
+          if (line.startsWith(":")) {
+            continue;
+          }
+          const colonIdx = line.indexOf(":");
+          if (colonIdx === -1) continue;
+          const field = line.slice(0, colonIdx);
+          const value2 = line.slice(colonIdx + 1).trimStart();
+          switch (field) {
+            case "event":
+              eventType = value2;
+              break;
+            case "data":
+              eventData += (eventData ? "\n" : "") + value2;
+              break;
+            case "id":
+              eventId = value2;
+              break;
+            case "retry":
+              const delay = parseInt(value2, 10);
+              if (!isNaN(delay)) {
+                this.config.initialReconnectDelay = delay;
+              }
+              break;
+          }
+        }
+      }
+    } catch (error) {
+      if (error.name === "AbortError") return;
+      this.errorHandler?.(error instanceof Error ? error : new Error(String(error)));
+      if (this.connected) {
+        await this.handleReconnect();
+      }
+    } finally {
+      reader.releaseLock();
+    }
+  }
+  /**
+   * Handle a complete SSE event
+   */
+  handleEvent(type, data, id) {
+    if (id) {
+      this.lastEventId = id;
+    }
+    if (type === "endpoint") {
+      this.messageEndpoint = data;
+      return;
+    }
+    try {
+      const message = JSON.parse(data);
+      this.messageHandler?.(message);
+    } catch {
+      this.errorHandler?.(new Error(`Invalid JSON in SSE event: ${data.slice(0, 100)}`));
+    }
+  }
+  /**
+   * Handle reconnection with exponential backoff
+   */
+  async handleReconnect() {
+    if (!this.connected || this.reconnectAttempts >= this.config.maxReconnectAttempts) {
+      this.connected = false;
+      this.closeHandler?.();
+      return;
+    }
+    this.reconnectAttempts++;
+    const delay = Math.min(
+      this.config.initialReconnectDelay * Math.pow(2, this.reconnectAttempts - 1),
+      this.config.maxReconnectDelay
+    );
+    await new Promise((resolve3) => setTimeout(resolve3, delay));
+    if (!this.connected) return;
+    try {
+      await this.startListening();
+      this.reconnectAttempts = 0;
+    } catch {
+      if (this.connected) {
+        await this.handleReconnect();
+      }
+    }
+  }
+};
+
+// src/mcp/lifecycle.ts
+init_errors2();
+init_logger();
+var MCPServerManager = class {
+  connections = /* @__PURE__ */ new Map();
+  logger = getLogger();
+  /**
+   * Create transport for a server config
+   */
+  createTransport(config) {
+    switch (config.transport) {
+      case "stdio": {
+        if (!config.stdio?.command) {
+          throw new MCPConnectionError(`Server '${config.name}' requires stdio.command`);
+        }
+        return new StdioTransport({
+          command: config.stdio.command,
+          args: config.stdio.args ?? [],
+          env: config.stdio.env
+        });
+      }
+      case "http": {
+        if (!config.http?.url) {
+          throw new MCPConnectionError(`Server '${config.name}' requires http.url`);
+        }
+        return new HTTPTransport({
+          name: config.name,
+          url: config.http.url,
+          headers: config.http.headers,
+          auth: config.http.auth
+        });
+      }
+      case "sse": {
+        if (!config.http?.url) {
+          throw new MCPConnectionError(`Server '${config.name}' requires http.url for SSE`);
+        }
+        return new SSETransport({
+          url: config.http.url,
+          headers: config.http.headers
+        });
+      }
+      default:
+        throw new MCPConnectionError(`Unsupported transport: ${config.transport}`);
+    }
+  }
+  /**
+   * Start a single server
+   */
+  async startServer(config) {
+    if (this.connections.has(config.name)) {
+      this.logger.warn(`Server '${config.name}' already connected`);
+      return this.connections.get(config.name);
+    }
+    this.logger.info(`Starting MCP server: ${config.name}`);
+    const transport = this.createTransport(config);
+    await transport.connect();
+    const client = new MCPClientImpl(transport);
+    await client.initialize({
+      protocolVersion: "2024-11-05",
+      capabilities: {},
+      clientInfo: { name: "coco-mcp-client", version: VERSION }
+    });
+    let toolCount = 0;
+    try {
+      const { tools } = await client.listTools();
+      toolCount = tools.length;
+    } catch {
+    }
+    const connection = {
+      name: config.name,
+      client,
+      transport,
+      config,
+      connectedAt: /* @__PURE__ */ new Date(),
+      toolCount,
+      healthy: true
+    };
+    this.connections.set(config.name, connection);
+    this.logger.info(`Server '${config.name}' started with ${toolCount} tools`);
+    return connection;
+  }
+  /**
+   * Stop a single server
+   */
+  async stopServer(name) {
+    const connection = this.connections.get(name);
+    if (!connection) {
+      this.logger.warn(`Server '${name}' not found`);
+      return;
+    }
+    this.logger.info(`Stopping MCP server: ${name}`);
+    try {
+      await connection.transport.disconnect();
+    } catch (error) {
+      this.logger.error(
+        `Error disconnecting server '${name}': ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+    this.connections.delete(name);
+  }
+  /**
+   * Restart a server
+   */
+  async restartServer(name) {
+    const connection = this.connections.get(name);
+    if (!connection) {
+      throw new MCPConnectionError(`Server '${name}' not found`);
+    }
+    const config = connection.config;
+    await this.stopServer(name);
+    await new Promise((resolve3) => setTimeout(resolve3, 500));
+    return this.startServer(config);
+  }
+  /**
+   * Health check for a server
+   */
+  async healthCheck(name) {
+    const connection = this.connections.get(name);
+    if (!connection) {
+      return {
+        name,
+        healthy: false,
+        toolCount: 0,
+        latencyMs: 0,
+        error: "Server not connected"
+      };
+    }
+    const startTime = performance.now();
+    try {
+      const { tools } = await Promise.race([
+        connection.client.listTools(),
+        new Promise(
+          (_, reject) => setTimeout(() => reject(new Error("Health check timeout")), 5e3)
+        )
+      ]);
+      const latencyMs = performance.now() - startTime;
+      connection.healthy = true;
+      connection.toolCount = tools.length;
+      return {
+        name,
+        healthy: true,
+        toolCount: tools.length,
+        latencyMs
+      };
+    } catch (error) {
+      const latencyMs = performance.now() - startTime;
+      connection.healthy = false;
+      return {
+        name,
+        healthy: false,
+        toolCount: 0,
+        latencyMs,
+        error: error instanceof Error ? error.message : String(error)
+      };
+    }
+  }
+  /**
+   * Start all servers from config list
+   */
+  async startAll(configs) {
+    const results = /* @__PURE__ */ new Map();
+    for (const config of configs) {
+      if (config.enabled === false) continue;
+      try {
+        const connection = await this.startServer(config);
+        results.set(config.name, connection);
+      } catch (error) {
+        this.logger.error(
+          `Failed to start server '${config.name}': ${error instanceof Error ? error.message : String(error)}`
+        );
+      }
+    }
+    return results;
+  }
+  /**
+   * Stop all servers
+   */
+  async stopAll() {
+    const names = Array.from(this.connections.keys());
+    for (const name of names) {
+      await this.stopServer(name);
+    }
+  }
+  /**
+   * Get list of connected server names
+   */
+  getConnectedServers() {
+    return Array.from(this.connections.keys());
+  }
+  /**
+   * Get a specific server connection
+   */
+  getConnection(name) {
+    return this.connections.get(name);
+  }
+  /**
+   * Get all connections
+   */
+  getAllConnections() {
+    return Array.from(this.connections.values());
+  }
+  /**
+   * Get the client for a server
+   */
+  getClient(name) {
+    return this.connections.get(name)?.client;
+  }
+};
+var globalManager = null;
+function getMCPServerManager() {
+  if (!globalManager) {
+    globalManager = new MCPServerManager();
+  }
+  return globalManager;
+}
+
+// src/tools/mcp.ts
+var mcpListServersTool = defineTool({
+  name: "mcp_list_servers",
+  description: `Inspect Coco's MCP configuration and current runtime connections.
+
+Use this instead of bash_exec with "coco mcp ..." and instead of manually reading ~/.coco/mcp.json
+when you need to know which MCP servers are configured, connected, healthy, or which tools they expose.`,
+  category: "config",
+  parameters: z.object({
+    includeDisabled: z.boolean().optional().default(false).describe("Include disabled MCP servers in the result"),
+    includeTools: z.boolean().optional().default(false).describe("Include the list of exposed tool names for connected servers"),
+    projectPath: z.string().optional().describe("Project path whose .mcp.json should be merged. Defaults to process.cwd()")
+  }),
+  async execute({ includeDisabled, includeTools, projectPath }) {
+    const registry = new MCPRegistryImpl();
+    await registry.load();
+    const resolvedProjectPath = projectPath || process.cwd();
+    const configuredServers = mergeMCPConfigs(
+      registry.listServers(),
+      await loadMCPServersFromCOCOConfig(),
+      await loadProjectMCPFile(resolvedProjectPath)
+    ).filter((server) => includeDisabled || server.enabled !== false);
+    const manager = getMCPServerManager();
+    const servers = [];
+    for (const server of configuredServers) {
+      const connection = manager.getConnection(server.name);
+      let tools;
+      if (includeTools && connection) {
+        try {
+          const listed = await connection.client.listTools();
+          tools = listed.tools.map((tool) => tool.name);
+        } catch {
+          tools = [];
+        }
+      }
+      servers.push({
+        name: server.name,
+        transport: server.transport,
+        enabled: server.enabled !== false,
+        connected: connection !== void 0,
+        healthy: connection?.healthy ?? false,
+        toolCount: connection?.toolCount ?? 0,
+        ...includeTools ? { tools: tools ?? [] } : {}
+      });
+    }
+    return {
+      configuredCount: servers.length,
+      connectedCount: servers.filter((server) => server.connected).length,
+      servers
+    };
+  }
+});
+var mcpTools = [mcpListServersTool];
 init_allowed_paths();
 var BLOCKED_SYSTEM_PATHS = [
   "/etc",
@@ -25915,6 +28424,7 @@ function registerAllTools(registry) {
     ...gitEnhancedTools,
     ...githubTools,
     ...openTools,
+    ...mcpTools,
     ...authorizePathTools
   ];
   for (const tool of allTools) {
@@ -25929,6 +28439,7 @@ function createFullToolRegistry() {
 
 // src/index.ts
 init_errors();
+init_logger();
 
 export { ADRGenerator, AnthropicProvider, ArchitectureGenerator, BacklogGenerator, CICDGenerator, CocoError, CodeGenerator, CodeReviewer, CompleteExecutor, ConfigError, ConvergeExecutor, DiscoveryEngine, DockerGenerator, DocsGenerator, OrchestrateExecutor, OutputExecutor, PhaseError, SessionManager, SpecificationGenerator, TaskError, TaskIterator, ToolRegistry, VERSION, configExists, createADRGenerator, createAnthropicProvider, createArchitectureGenerator, createBacklogGenerator, createCICDGenerator, createCodeGenerator, createCodeReviewer, createCompleteExecutor, createConvergeExecutor, createDefaultConfig, createDiscoveryEngine, createDockerGenerator, createDocsGenerator, createFullToolRegistry, createLogger, createOrchestrateExecutor, createOrchestrator, createOutputExecutor, createProvider, createSessionManager, createSpecificationGenerator, createTaskIterator, createToolRegistry, loadConfig, registerAllTools, saveConfig };
 //# sourceMappingURL=index.js.map