@hasna/mcps 0.0.14 → 0.0.16

package/bin/index.js

@@ -12040,6 +12040,7 @@ function getDb() {
       command TEXT NOT NULL,
       args TEXT NOT NULL DEFAULT '[]',
       env TEXT NOT NULL DEFAULT '{}',
+      credential_refs TEXT NOT NULL DEFAULT '{}',
       transport TEXT NOT NULL DEFAULT 'stdio',
       url TEXT,
       source TEXT NOT NULL DEFAULT 'local',
@@ -12066,6 +12067,9 @@ function getDb() {
   try {
     db.exec("ALTER TABLE servers ADD COLUMN last_error TEXT");
   } catch {}
+  try {
+    db.exec("ALTER TABLE servers ADD COLUMN credential_refs TEXT NOT NULL DEFAULT '{}'");
+  } catch {}
   db.exec(`
     CREATE TABLE IF NOT EXISTS sources (
       id TEXT PRIMARY KEY,
@@ -19126,17 +19130,17 @@ __export(exports_sources, {
   clearCache: () => clearCache,
   addSource: () => addSource
 });
-import { mkdirSync as mkdirSync6, existsSync as existsSync6, readFileSync as readFileSync2, writeFileSync as writeFileSync2, readdirSync as readdirSync3, unlinkSync } from "fs";
-import { join as join7 } from "path";
+import { mkdirSync as mkdirSync6, existsSync as existsSync7, readFileSync as readFileSync3, writeFileSync as writeFileSync2, readdirSync as readdirSync3, unlinkSync } from "fs";
+import { join as join8 } from "path";
 function getCacheFile(sourceId) {
-  return join7(CACHE_DIR, `${sourceId}.json`);
+  return join8(CACHE_DIR, `${sourceId}.json`);
 }
 function readCache(sourceId) {
   try {
     const file = getCacheFile(sourceId);
-    if (!existsSync6(file))
+    if (!existsSync7(file))
       return null;
-    const data = JSON.parse(readFileSync2(file, "utf-8"));
+    const data = JSON.parse(readFileSync3(file, "utf-8"));
     return data;
   } catch {
     return null;
@@ -19150,7 +19154,7 @@ function writeCache(sourceId, results) {
 }
 function clearCache(sourceId) {
   try {
-    if (!existsSync6(CACHE_DIR))
+    if (!existsSync7(CACHE_DIR))
       return;
     const files = readdirSync3(CACHE_DIR);
     for (const file of files) {
@@ -19158,7 +19162,7 @@ function clearCache(sourceId) {
         continue;
       if (!sourceId || file.startsWith(`${sourceId}.`)) {
         try {
-          unlinkSync(join7(CACHE_DIR, file));
+          unlinkSync(join8(CACHE_DIR, file));
         } catch {}
       }
     }
@@ -19404,7 +19408,7 @@ var CACHE_DIR, DEFAULT_TTL_MS;
 var init_sources = __esm(() => {
   init_db();
   init_config2();
-  CACHE_DIR = join7(MCPS_DIR, "cache");
+  CACHE_DIR = join8(MCPS_DIR, "cache");
   DEFAULT_TTL_MS = 10 * 60 * 1000;
 });
 
@@ -19412,7 +19416,7 @@ var init_sources = __esm(() => {
 var require_package = __commonJS((exports, module) => {
   module.exports = {
     name: "@hasna/mcps",
-    version: "0.0.14",
+    version: "0.0.16",
     description: "Meta-MCP registry & CLI \u2014 discover, manage, and proxy MCP servers",
     type: "module",
     repository: {
@@ -21142,10 +21146,164 @@ var {
 import React10 from "react";
 import { render } from "ink";
 import chalk2 from "chalk";
-import { readFileSync as readFileSync6, writeFileSync as writeFileSync5 } from "fs";
+import { readFileSync as readFileSync7, writeFileSync as writeFileSync5 } from "fs";
 
 // src/lib/registry.ts
 init_db();
+
+// src/lib/credentials.ts
+init_config2();
+import { existsSync as existsSync6, readFileSync as readFileSync2 } from "fs";
+import { join as join7 } from "path";
+
+class CredentialReferenceError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredentialReferenceError";
+  }
+}
+var SECRET_KEY_PATTERN = /(?:^|[_-])(api[_-]?key|token|secret|password|passwd|credential|auth|private[_-]?key)(?:$|[_-])/i;
+var SECRET_VALUE_PATTERN = /^(sk_(?:live|test)_[A-Za-z0-9_]+|ghp_[A-Za-z0-9_]+|github_pat_[A-Za-z0-9_]+|xox[baprs]-[A-Za-z0-9-]+|AIza[A-Za-z0-9_-]{20,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
+var REDACTED_CREDENTIAL_VALUE = "<redacted>";
+function normalizeKey(key) {
+  return key.trim();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isSecretLikeEnvKey(key) {
+  return SECRET_KEY_PATTERN.test(key);
+}
+function isSecretLikeValue(value) {
+  return SECRET_VALUE_PATTERN.test(value.trim());
+}
+function normalizeCredentialRef(ref) {
+  const source = ref.source;
+  if (source !== "env" && source !== "local-vault" && source !== "hosted") {
+    throw new CredentialReferenceError(`Unsupported credential reference source: ${String(source)}`);
+  }
+  const name = ref.name?.trim();
+  if (!name) {
+    throw new CredentialReferenceError("Credential reference name is required");
+  }
+  return {
+    source,
+    name,
+    required: ref.required !== false,
+    ...ref.description ? { description: ref.description } : {}
+  };
+}
+function normalizeCredentialRefs(refs) {
+  const normalized = {};
+  for (const [rawKey, ref] of Object.entries(refs ?? {})) {
+    const key = normalizeKey(rawKey);
+    if (!key)
+      throw new CredentialReferenceError("Credential reference env key is required");
+    normalized[key] = normalizeCredentialRef(ref);
+  }
+  return normalized;
+}
+function parseCredentialRefs(value) {
+  if (!isRecord(value))
+    return {};
+  const refs = {};
+  for (const [key, ref] of Object.entries(value)) {
+    if (!isRecord(ref))
+      continue;
+    const source = ref.source;
+    const name = ref.name;
+    if ((source === "env" || source === "local-vault" || source === "hosted") && typeof name === "string" && name.trim()) {
+      refs[key] = normalizeCredentialRef({
+        source,
+        name,
+        required: typeof ref.required === "boolean" ? ref.required : true,
+        description: typeof ref.description === "string" ? ref.description : undefined
+      });
+    }
+  }
+  return refs;
+}
+function normalizeLiteralEnv(env) {
+  const normalized = {};
+  for (const [rawKey, rawValue] of Object.entries(env ?? {})) {
+    const key = normalizeKey(rawKey);
+    if (!key)
+      continue;
+    const value = String(rawValue);
+    if (isSecretLikeEnvKey(key) || isSecretLikeValue(value)) {
+      throw new CredentialReferenceError(`Refusing to store raw secret-like env value for "${key}". Use a credential reference instead.`);
+    }
+    normalized[key] = value;
+  }
+  return normalized;
+}
+function redactEnv(env) {
+  const redacted = {};
+  for (const [key, value] of Object.entries(env)) {
+    redacted[key] = isSecretLikeEnvKey(key) || isSecretLikeValue(value) ? REDACTED_CREDENTIAL_VALUE : value;
+  }
+  return redacted;
+}
+function redactServerCredentials(server) {
+  return {
+    ...server,
+    env: redactEnv(server.env),
+    credentialRefs: normalizeCredentialRefs(server.credentialRefs)
+  };
+}
+function readLocalVault() {
+  const path = process.env.HASNA_MCPS_CREDENTIAL_VAULT_PATH ?? join7(MCPS_DIR, "credentials.local.json");
+  if (!existsSync6(path))
+    return {};
+  const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+  if (!isRecord(parsed))
+    return {};
+  const values = {};
+  for (const [key, value] of Object.entries(parsed)) {
+    if (typeof value === "string")
+      values[key] = value;
+  }
+  return values;
+}
+function resolveCredentialRef(envKey, ref) {
+  if (ref.source === "env") {
+    const value = process.env[ref.name];
+    if (value === undefined && ref.required !== false) {
+      throw new CredentialReferenceError(`Missing required environment credential "${ref.name}" for "${envKey}"`);
+    }
+    return value;
+  }
+  if (ref.source === "local-vault") {
+    const value = readLocalVault()[ref.name];
+    if (value === undefined && ref.required !== false) {
+      throw new CredentialReferenceError(`Missing required local vault credential "${ref.name}" for "${envKey}"`);
+    }
+    return value;
+  }
+  if (ref.required !== false) {
+    throw new CredentialReferenceError(`Hosted credential "${ref.name}" for "${envKey}" cannot be resolved by the local runtime`);
+  }
+  return;
+}
+function resolveServerEnv(server) {
+  const resolved = { ...server.env };
+  const refs = normalizeCredentialRefs(server.credentialRefs);
+  for (const [envKey, ref] of Object.entries(refs)) {
+    const value = resolveCredentialRef(envKey, ref);
+    if (value !== undefined)
+      resolved[envKey] = value;
+  }
+  return resolved;
+}
+function credentialRefPlaceholders(refs) {
+  const placeholders = {};
+  for (const key of Object.keys(refs ?? {})) {
+    placeholders[key] = REDACTED_CREDENTIAL_VALUE;
+  }
+  return placeholders;
+}
+
+// src/lib/registry.ts
 function parseRow(row) {
   return {
     id: row.id,
@@ -21154,6 +21312,7 @@ function parseRow(row) {
     command: row.command,
     args: safeJsonParse(row.args, []),
     env: safeJsonParse(row.env, {}),
+    credentialRefs: parseCredentialRefs(safeJsonParse(row.credential_refs, {})),
     transport: row.transport,
     url: row.url || null,
     source: row.source,
@@ -21221,9 +21380,9 @@ function addServer(opts) {
   if (!id) {
     throw new Error("Unable to generate a valid server ID");
   }
-  const row = db2.prepare(`INSERT INTO servers (id, name, description, command, args, env, transport, url, source)
-       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-       RETURNING *`).get(id, name, opts.description || null, command, JSON.stringify(opts.args || []), JSON.stringify(opts.env || {}), opts.transport || "stdio", opts.url || null, opts.source || "local");
+  const row = db2.prepare(`INSERT INTO servers (id, name, description, command, args, env, credential_refs, transport, url, source)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+       RETURNING *`).get(id, name, opts.description || null, command, JSON.stringify(opts.args || []), JSON.stringify(normalizeLiteralEnv(opts.env)), JSON.stringify(normalizeCredentialRefs(opts.credentialRefs)), opts.transport || "stdio", opts.url || null, opts.source || "local");
   return parseRow(row);
 }
 function removeServer(id) {
@@ -21262,7 +21421,11 @@ function updateServer(id, updates) {
   }
   if (updates.env !== undefined) {
     sets.push("env = ?");
-    values.push(JSON.stringify(updates.env));
+    values.push(JSON.stringify(normalizeLiteralEnv(updates.env)));
+  }
+  if (updates.credentialRefs !== undefined) {
+    sets.push("credential_refs = ?");
+    values.push(JSON.stringify(normalizeCredentialRefs(updates.credentialRefs)));
   }
   if (updates.transport !== undefined) {
     sets.push("transport = ?");
@@ -21296,7 +21459,7 @@ function setServerEnv(id, key, value) {
   if (!server)
     throw new Error(`Server "${id}" not found`);
   const env = { ...server.env, [key]: value };
-  db2.prepare("UPDATE servers SET env = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(env), id);
+  db2.prepare("UPDATE servers SET env = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(normalizeLiteralEnv(env)), id);
 }
 function unsetServerEnv(id, key) {
   const db2 = getDb();
@@ -21307,6 +21470,23 @@ function unsetServerEnv(id, key) {
   delete env[key];
   db2.prepare("UPDATE servers SET env = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(env), id);
 }
+function setServerCredentialRef(id, key, ref) {
+  const db2 = getDb();
+  const server = getServer(id);
+  if (!server)
+    throw new Error(`Server "${id}" not found`);
+  const credentialRefs = normalizeCredentialRefs({ ...server.credentialRefs ?? {}, [key]: ref });
+  db2.prepare("UPDATE servers SET credential_refs = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(credentialRefs), id);
+}
+function unsetServerCredentialRef(id, key) {
+  const db2 = getDb();
+  const server = getServer(id);
+  if (!server)
+    throw new Error(`Server "${id}" not found`);
+  const credentialRefs = { ...server.credentialRefs ?? {} };
+  delete credentialRefs[key];
+  db2.prepare("UPDATE servers SET credential_refs = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(normalizeCredentialRefs(credentialRefs)), id);
+}
 function cacheTools(serverId, tools) {
   const db2 = getDb();
   const insert = db2.prepare("INSERT INTO tool_cache (server_id, name, description, input_schema) VALUES (?, ?, ?, ?)");
@@ -21346,6 +21526,7 @@ function cloneServer(id, newName) {
     command: server.command,
     args: server.args,
     env: server.env,
+    credentialRefs: server.credentialRefs,
     transport: server.transport,
     url: server.url ?? undefined,
     source: server.source
@@ -35591,6 +35772,185 @@ class StreamableHTTPClientTransport {
 // src/lib/proxy.ts
 init_config2();
 init_db();
+
+// src/lib/local-command-consent.ts
+class LocalCommandConsentError extends Error {
+  review;
+  constructor(message, review) {
+    super(message);
+    this.name = "LocalCommandConsentError";
+    this.review = review;
+  }
+}
+var SHELL_COMMANDS = new Set(["bash", "sh", "zsh", "fish", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"]);
+var DESTRUCTIVE_COMMANDS = new Set([
+  "rm",
+  "dd",
+  "mkfs",
+  "shutdown",
+  "reboot",
+  "poweroff",
+  "halt",
+  "killall",
+  "pkill"
+]);
+var SHELL_EVAL_FLAGS = new Set(["-c", "/c", "-Command", "-command", "-EncodedCommand", "-encodedcommand"]);
+var SECRET_FLAG_PATTERN = /(?:^|[-_])(api[-_]?key|token|secret|password|passwd|credential|auth|private[-_]?key)(?:$|[-_])/i;
+var SECRET_KEY_PATTERN2 = /(?:^|[_-])(api[_-]?key|token|secret|password|passwd|credential|auth|private[_-]?key)(?:$|[_-])/i;
+var SECRET_VALUE_PATTERN2 = /^(sk_(?:live|test)_[A-Za-z0-9_]+|ghp_[A-Za-z0-9_]+|github_pat_[A-Za-z0-9_]+|xox[baprs]-[A-Za-z0-9-]+|AIza[A-Za-z0-9_-]{20,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
+var SHELL_META_PATTERN = /[;&|`<>]|\$\(/;
+function commandBase(command) {
+  return command.trim().split(/[\\/]/).pop()?.toLowerCase() || command.trim().toLowerCase();
+}
+function normalizeArgs(args) {
+  return (args ?? []).map((arg) => String(arg));
+}
+function isSecretKey(key) {
+  return SECRET_KEY_PATTERN2.test(key) || SECRET_FLAG_PATTERN.test(key);
+}
+function isSecretValue(value) {
+  return SECRET_VALUE_PATTERN2.test(value.trim());
+}
+function isSecretAssignment(arg) {
+  const eqIdx = arg.indexOf("=");
+  if (eqIdx <= 0)
+    return false;
+  const key = arg.slice(0, eqIdx);
+  const value = arg.slice(eqIdx + 1);
+  return isSecretKey(key) || isSecretValue(value);
+}
+function isSecretArg(args, index) {
+  const arg = args[index] ?? "";
+  const previous = args[index - 1] ?? "";
+  return isSecretAssignment(arg) || isSecretValue(arg) || SECRET_FLAG_PATTERN.test(previous);
+}
+function quoteArg(value) {
+  return JSON.stringify(value);
+}
+function displayCommand(command, args) {
+  return [quoteArg(command), ...args.map((arg, index) => quoteArg(isSecretArg(args, index) ? "<redacted>" : arg))].join(" ");
+}
+function pushRisk(risks, risk) {
+  if (risks.some((existing) => existing.code === risk.code && existing.evidence === risk.evidence))
+    return;
+  risks.push(risk);
+}
+function inspectRisks(command, args, env) {
+  const risks = [];
+  const base = commandBase(command);
+  const joined = [command, ...args].join(" ");
+  if (SHELL_COMMANDS.has(base)) {
+    pushRisk(risks, {
+      code: "shell_interpreter",
+      severity: "warning",
+      message: "Command launches a shell interpreter.",
+      evidence: base
+    });
+    if (args.some((arg) => SHELL_EVAL_FLAGS.has(arg))) {
+      pushRisk(risks, {
+        code: "shell_eval",
+        severity: "danger",
+        message: "Shell command evaluates an inline script.",
+        evidence: base
+      });
+    }
+  }
+  if (base === "sudo") {
+    pushRisk(risks, {
+      code: "privilege_escalation",
+      severity: "danger",
+      message: "Command requests elevated privileges.",
+      evidence: base
+    });
+  }
+  if (DESTRUCTIVE_COMMANDS.has(base) || /\brm\s+-[^\s]*[rf][^\s]*\b/.test(joined) || /--no-preserve-root\b/.test(joined)) {
+    pushRisk(risks, {
+      code: "destructive_command",
+      severity: "danger",
+      message: "Command includes a destructive system operation.",
+      evidence: base
+    });
+  }
+  if (/\b(curl|wget)\b[\s\S]*\|[\s\S]*\b(sh|bash|zsh|fish)\b/.test(joined)) {
+    pushRisk(risks, {
+      code: "download_pipe_shell",
+      severity: "danger",
+      message: "Command downloads remote content and pipes it to a shell."
+    });
+  }
+  if ([command, ...args].some((part) => SHELL_META_PATTERN.test(part))) {
+    pushRisk(risks, {
+      code: "shell_metacharacters",
+      severity: "warning",
+      message: "Command or arguments contain shell metacharacters."
+    });
+  }
+  if (args.some((arg, index) => isSecretArg(args, index))) {
+    pushRisk(risks, {
+      code: "inline_secret",
+      severity: "danger",
+      message: "Command arguments appear to contain inline secret material."
+    });
+  }
+  const secretEnvKeys = Object.keys(env).filter(isSecretKey).sort();
+  if (secretEnvKeys.length > 0) {
+    pushRisk(risks, {
+      code: "secret_env",
+      severity: "warning",
+      message: "Environment contains secret-like keys; values are redacted from consent output.",
+      evidence: secretEnvKeys.join(", ")
+    });
+  }
+  return risks;
+}
+function inspectLocalCommand(input) {
+  const args = normalizeArgs(input.args);
+  const env = input.env ?? {};
+  const transport = input.transport ?? "stdio";
+  const risks = inspectRisks(input.command, args, env);
+  return {
+    requiresConsent: transport === "stdio",
+    operation: input.operation ?? "launch",
+    command: input.command,
+    args,
+    displayCommand: displayCommand(input.command, args),
+    envKeys: Object.keys(env).sort(),
+    risks,
+    hasDangerousRisk: risks.some((risk) => risk.severity === "danger")
+  };
+}
+function formatLocalCommandReview(review) {
+  const lines = [
+    `Command: ${review.displayCommand}`,
+    review.envKeys.length > 0 ? `Env keys: ${review.envKeys.join(", ")}` : "Env keys: <none>"
+  ];
+  if (review.risks.length > 0) {
+    lines.push("Risks:");
+    for (const risk of review.risks) {
+      lines.push(`- ${risk.severity}: ${risk.code} - ${risk.message}${risk.evidence ? ` (${risk.evidence})` : ""}`);
+    }
+  } else {
+    lines.push("Risks: none detected");
+  }
+  return lines.join(`
+`);
+}
+function assertLocalCommandConsent(input, consent = {}) {
+  const review = inspectLocalCommand(input);
+  if (!review.requiresConsent)
+    return review;
+  if (consent.approved !== true) {
+    throw new LocalCommandConsentError(`local stdio command approval is required before ${review.operation}.
+${formatLocalCommandReview(review)}`, review);
+  }
+  if (review.hasDangerousRisk && consent.allowRisky !== true) {
+    throw new LocalCommandConsentError(`risky command approval is required before ${review.operation}.
+${formatLocalCommandReview(review)}`, review);
+  }
+  return review;
+}
+
+// src/lib/proxy.ts
 var connections = new Map;
 var inflightConnections = new Map;
 var CONNECT_CONCURRENCY = 4;
@@ -35617,7 +35977,7 @@ function requireUrl(entry) {
     throw new Error(`Server "${entry.id}" has an invalid URL: ${entry.url}`);
   }
 }
-async function connectToServer(entry) {
+async function connectToServer(entry, options = {}) {
   if (connections.has(entry.id)) {
     return connections.get(entry.id);
   }
@@ -35633,10 +35993,17 @@ async function connectToServer(entry) {
         if (!entry.command?.trim()) {
           throw new Error(`Server "${entry.id}" is missing a command`);
         }
+        assertLocalCommandConsent({
+          command: entry.command,
+          args: entry.args,
+          env: { ...entry.env, ...credentialRefPlaceholders(entry.credentialRefs) },
+          transport: entry.transport,
+          operation: "launch"
+        }, options.localCommandConsent);
         transport = new StdioClientTransport({
           command: entry.command,
           args: entry.args,
-          env: buildEnv(entry.env)
+          env: buildEnv(resolveServerEnv(entry))
         });
       } else if (entry.transport === "sse") {
         transport = new SSEClientTransport(requireUrl(entry));
@@ -35749,7 +36116,7 @@ async function callTool(prefixedName, args) {
     ]
   };
 }
-async function connectAllEnabled() {
+async function connectAllEnabled(options = {}) {
   const servers = listServers().filter((s) => s.enabled);
   const results = [];
   let index = 0;
@@ -35761,7 +36128,7 @@ async function connectAllEnabled() {
         return;
       const server = servers[current];
       try {
-        const conn = await connectToServer(server);
+        const conn = await connectToServer(server, options);
         results.push(conn);
       } catch (err) {
         console.error(`Failed to connect to ${server.name}: ${err.message}`);
@@ -35773,13 +36140,28 @@ async function connectAllEnabled() {
 }
 
 // src/lib/doctor.ts
-async function diagnoseServer(server) {
+async function diagnoseServer(server, options = {}) {
   const checks4 = [];
+  let hasLocalConsent = true;
   if (server.transport === "stdio") {
+    try {
+      assertLocalCommandConsent({
+        command: server.command,
+        args: server.args,
+        env: { ...server.env, ...credentialRefPlaceholders(server.credentialRefs) },
+        transport: server.transport,
+        operation: "diagnose"
+      }, options.localCommandConsent);
+    } catch (err) {
+      hasLocalConsent = false;
+      checks4.push({ name: "local command consent", pass: false, message: err.message });
+    }
     try {
       const path = execFileSync("which", [server.command], { stdio: "pipe" }).toString().trim();
       let version2 = "";
       try {
+        if (!hasLocalConsent)
+          throw new Error("local stdio command approval is required before version probing");
         version2 = execFileSync(server.command, ["--version"], { stdio: "pipe" }).toString().trim().split(`
 `)[0];
       } catch {}
@@ -35795,12 +36177,29 @@ async function diagnoseServer(server) {
     }
   }
   const missingEnv = Object.entries(server.env).filter(([, v]) => !v);
-  if (Object.keys(server.env).length === 0) {
-    checks4.push({ name: "env vars", pass: true, message: "no env vars required" });
-  } else if (missingEnv.length > 0) {
-    checks4.push({ name: "env vars", pass: false, message: `missing values for: ${missingEnv.map(([k]) => k).join(", ")}` });
+  const credentialRefCount = Object.keys(server.credentialRefs ?? {}).length;
+  let credentialError = null;
+  try {
+    resolveServerEnv(server);
+  } catch (err) {
+    credentialError = err.message;
+  }
+  if (Object.keys(server.env).length === 0 && credentialRefCount === 0) {
+    checks4.push({ name: "env vars", pass: true, message: "no env vars or credential refs required" });
+  } else if (missingEnv.length > 0 || credentialError) {
+    const parts = [];
+    if (missingEnv.length > 0)
+      parts.push(`missing literal values for: ${missingEnv.map(([k]) => k).join(", ")}`);
+    if (credentialError)
+      parts.push(credentialError);
+    checks4.push({ name: "env vars", pass: false, message: parts.join("; ") });
   } else {
-    checks4.push({ name: "env vars", pass: true, message: `${Object.keys(server.env).length} env var(s) set` });
+    const literalCount = Object.keys(server.env).length;
+    checks4.push({
+      name: "env vars",
+      pass: true,
+      message: `${literalCount} literal env var(s), ${credentialRefCount} credential ref(s) available`
+    });
   }
   if (server.transport !== "stdio" && server.url) {
     try {
@@ -35810,10 +36209,10 @@ async function diagnoseServer(server) {
       checks4.push({ name: "URL reachable", pass: false, message: `unreachable: ${err.message}` });
     }
   }
-  if (server.enabled) {
+  if (server.enabled && hasLocalConsent) {
     try {
       await Promise.race([
-        connectToServer(server),
+        connectToServer(server, { localCommandConsent: options.localCommandConsent }),
         new Promise((_, reject) => setTimeout(() => reject(new Error("timeout after 10s")), 1e4))
       ]);
       await disconnectServer(server.id);
@@ -35821,8 +36220,10 @@ async function diagnoseServer(server) {
     } catch (err) {
       checks4.push({ name: "connect & list tools", pass: false, message: err.message });
     }
-  } else {
+  } else if (!server.enabled) {
     checks4.push({ name: "connect & list tools", pass: true, message: "skipped (server disabled)" });
+  } else {
+    checks4.push({ name: "connect & list tools", pass: false, message: "skipped until local stdio command is approved" });
   }
   return {
     server,
@@ -35863,7 +36264,7 @@ async function getRegistryServer(id) {
   const all = entries.map(parseRegistryEntry);
   return all.find((s) => s.id === id) || null;
 }
-async function installFromRegistry(id) {
+async function installFromRegistry(id, options = {}) {
   const server = await getRegistryServer(id);
   if (!server) {
     throw new Error(`Server "${id}" not found in registry`);
@@ -35883,6 +36284,13 @@ async function installFromRegistry(id) {
       transport = pkg.transport.type;
     }
   }
+  assertLocalCommandConsent({
+    command,
+    args,
+    transport,
+    env: {},
+    operation: "register"
+  }, options.localCommandConsent);
   return addServer({
     name: server.name,
     description: server.description,
@@ -35908,8 +36316,8 @@ init_sources();
 
 // src/lib/install.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { existsSync as existsSync7, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync7 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync8, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync7 } from "fs";
+import { join as join9 } from "path";
 import { homedir as homedir8 } from "os";
 function installToClaude(entry) {
   try {
@@ -35921,7 +36329,7 @@ function installToClaude(entry) {
       "--scope",
       "user"
     ];
-    for (const [k, v] of Object.entries(entry.env)) {
+    for (const [k, v] of Object.entries(assertAgentInstallEnv(entry))) {
       args.push("--env", `${k}=${v}`);
     }
     args.push(entry.id, "--", entry.command, ...entry.args);
@@ -35933,9 +36341,9 @@ function installToClaude(entry) {
 }
 function installToCodex(entry) {
   try {
-    const configDir = join8(homedir8(), ".codex");
-    const configPath = join8(configDir, "config.toml");
-    if (!existsSync7(configDir)) {
+    const configDir = join9(homedir8(), ".codex");
+    const configPath = join9(configDir, "config.toml");
+    if (!existsSync8(configDir)) {
       mkdirSync7(configDir, { recursive: true });
     }
     const block = `
@@ -35943,7 +36351,7 @@ function installToCodex(entry) {
 ` + `command = ${JSON.stringify(entry.command)}
 ` + `args = [${entry.args.map((a) => JSON.stringify(a)).join(", ")}]
 `;
-    const existing = existsSync7(configPath) ? readFileSync3(configPath, "utf-8") : "";
+    const existing = existsSync8(configPath) ? readFileSync4(configPath, "utf-8") : "";
     if (existing.includes(`[mcp_servers.${entry.id}]`)) {
       return { agent: "codex", success: true };
     }
@@ -35955,21 +36363,22 @@ function installToCodex(entry) {
 }
 function installToGemini(entry) {
   try {
-    const configDir = join8(homedir8(), ".gemini");
-    const configPath = join8(configDir, "settings.json");
-    if (!existsSync7(configDir)) {
+    const configDir = join9(homedir8(), ".gemini");
+    const configPath = join9(configDir, "settings.json");
+    if (!existsSync8(configDir)) {
       mkdirSync7(configDir, { recursive: true });
     }
     let settings = {};
-    if (existsSync7(configPath)) {
-      settings = JSON.parse(readFileSync3(configPath, "utf-8"));
+    if (existsSync8(configPath)) {
+      settings = JSON.parse(readFileSync4(configPath, "utf-8"));
     }
     if (!settings.mcpServers)
       settings.mcpServers = {};
+    const env = assertAgentInstallEnv(entry);
     settings.mcpServers[entry.id] = {
       command: entry.command,
       args: entry.args,
-      ...Object.keys(entry.env).length > 0 ? { env: entry.env } : {}
+      ...Object.keys(env).length > 0 ? { env } : {}
     };
     writeFileSync3(configPath, JSON.stringify(settings, null, 2), "utf-8");
     return { agent: "gemini", success: true };
@@ -35977,7 +36386,43 @@ function installToGemini(entry) {
     return { agent: "gemini", success: false, error: err.message };
   }
 }
-function installToAgents(entry, targets = ["claude", "codex", "gemini"]) {
+function assertAgentInstallEnv(entry) {
+  const refs = entry.credentialRefs ?? {};
+  if (Object.keys(refs).length > 0) {
+    throw new CredentialReferenceError(`Server "${entry.id}" uses credential references; refusing to materialize secrets into local agent config files`);
+  }
+  for (const [key, value] of Object.entries(entry.env)) {
+    if (isSecretLikeEnvKey(key) || isSecretLikeValue(value)) {
+      throw new CredentialReferenceError(`Server "${entry.id}" has legacy raw secret-like env "${key}"; move it to a credential reference before installing to agents`);
+    }
+  }
+  return entry.env;
+}
+function installToAgents(entry, targets = ["claude", "codex", "gemini"], options = {}) {
+  try {
+    assertLocalCommandConsent({
+      command: entry.command,
+      args: entry.args,
+      env: { ...entry.env, ...credentialRefPlaceholders(entry.credentialRefs) },
+      transport: entry.transport,
+      operation: "install"
+    }, options.localCommandConsent);
+  } catch (err) {
+    return targets.map((target) => ({
+      agent: target,
+      success: false,
+      error: err.message
+    }));
+  }
+  try {
+    assertAgentInstallEnv(entry);
+  } catch (err) {
+    return targets.map((target) => ({
+      agent: target,
+      success: false,
+      error: err.message
+    }));
+  }
   return targets.map((target) => {
     if (target === "claude")
       return installToClaude(entry);
@@ -36192,11 +36637,11 @@ function seedDefaultMachines() {
 // src/lib/fleet.ts
 init_config2();
 import { spawn as spawn2 } from "child_process";
-import { existsSync as existsSync8, mkdirSync as mkdirSync8, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
-import { join as join9 } from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { join as join10 } from "path";
 var NPM_SEARCH_URL = "https://registry.npmjs.org/-/v1/search";
 var NPM_REGISTRY_URL = "https://registry.npmjs.org";
-var CATALOG_CACHE_PATH = join9(MCPS_DIR, "cache", "hasna-catalog.json");
+var CATALOG_CACHE_PATH = join10(MCPS_DIR, "cache", "hasna-catalog.json");
 var DEFAULT_CATALOG_CACHE_TTL_MS = 60 * 60 * 1000;
 var DEFAULT_REMOTE_TIMEOUT_MS = 180000;
 var DEFAULT_HANDSHAKE_TIMEOUT_MS = 2500;
@@ -36206,9 +36651,9 @@ function normalizeQueryList(values) {
 }
 function readCatalogCache(maxAgeMs) {
   try {
-    if (!existsSync8(CATALOG_CACHE_PATH))
+    if (!existsSync9(CATALOG_CACHE_PATH))
       return null;
-    const parsed = JSON.parse(readFileSync4(CATALOG_CACHE_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync5(CATALOG_CACHE_PATH, "utf-8"));
     if (!parsed.cachedAt || !Array.isArray(parsed.entries))
       return null;
     if (Date.now() - parsed.cachedAt > maxAgeMs)
@@ -36220,7 +36665,7 @@ function readCatalogCache(maxAgeMs) {
 }
 function writeCatalogCache(entries) {
   try {
-    mkdirSync8(join9(MCPS_DIR, "cache"), { recursive: true });
+    mkdirSync8(join10(MCPS_DIR, "cache"), { recursive: true });
     writeFileSync4(CATALOG_CACHE_PATH, JSON.stringify({ cachedAt: Date.now(), entries }, null, 2), "utf-8");
   } catch {}
 }
@@ -36978,11 +37423,19 @@ function installProviderProfile(id, options = {}) {
   if (!command) {
     throw new Error(`Provider profile "${id}" does not define an install fallback command`);
   }
+  assertLocalCommandConsent({
+    command,
+    args,
+    env: fallback?.env ?? {},
+    transport: useFallback ? "stdio" : profile.transport,
+    operation: "register"
+  }, options.localCommandConsent);
   return addServer({
     name: options.name ?? profile.displayName,
     description: profile.description ?? undefined,
     command,
     args,
+    env: fallback?.env,
     transport: useFallback ? "stdio" : profile.transport,
     url: useFallback ? fallback?.url : profile.endpoint ?? undefined,
     source: "provider-profile"
@@ -38216,22 +38669,22 @@ var EMPTY_COMPLETION_RESULT = {
 };
 
 // src/lib/version.ts
-import { existsSync as existsSync9, readFileSync as readFileSync5 } from "fs";
-import { dirname as dirname3, join as join10 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
+import { dirname as dirname3, join as join11 } from "path";
 import { fileURLToPath } from "url";
 var FALLBACK_VERSION = "0.0.1";
 function readPackageVersion(moduleUrl, fallback = FALLBACK_VERSION) {
   const baseDir = dirname3(fileURLToPath(moduleUrl));
   const candidates = [
-    join10(baseDir, "..", "..", "package.json"),
-    join10(baseDir, "..", "package.json"),
-    join10(baseDir, "package.json")
+    join11(baseDir, "..", "..", "package.json"),
+    join11(baseDir, "..", "package.json"),
+    join11(baseDir, "package.json")
   ];
   for (const candidate of candidates) {
-    if (!existsSync9(candidate))
+    if (!existsSync10(candidate))
       continue;
     try {
-      const pkg = JSON.parse(readFileSync5(candidate, "utf-8"));
+      const pkg = JSON.parse(readFileSync6(candidate, "utf-8"));
       if (pkg.version)
         return pkg.version;
     } catch {}
@@ -38257,6 +38710,16 @@ function jsonContent(value) {
 function errorContent(text) {
   return { ...textContent(text), isError: true };
 }
+function localConsent(input) {
+  return {
+    approved: input.allow_local_stdio === true,
+    allowRisky: input.allow_risky_command === true,
+    source: "mcp"
+  };
+}
+function readCredentialRefs(input) {
+  return normalizeCredentialRefs(input.credential_refs ?? input.credentialRefs);
+}
 function buildMcpTools() {
   const definitions = [
     {
@@ -38281,23 +38744,60 @@ function buildMcpTools() {
         description: exports_external2.string().optional().describe("Description"),
         transport: exports_external2.enum(["stdio", "sse", "streamable-http"]).optional().describe("Transport type"),
         url: exports_external2.string().optional().describe("URL for remote transports"),
-        env: exports_external2.record(exports_external2.string()).optional().describe("Environment variables")
+        env: exports_external2.record(exports_external2.string()).optional().describe("Environment variables"),
+        credential_refs: exports_external2.record(exports_external2.object({
+          source: exports_external2.enum(["env", "local-vault", "hosted"]),
+          name: exports_external2.string(),
+          required: exports_external2.boolean().optional(),
+          description: exports_external2.string().optional()
+        })).optional().describe("Credential references by server env key"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve registering this local stdio command"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve registering risky local command patterns")
       },
-      run: ({ command, args, name, description, transport, url: url2, env }) => jsonContent(addServer({
-        command: String(command),
-        args: Array.isArray(args) ? args.map(String) : [],
-        name: typeof name === "string" ? name : undefined,
-        description: typeof description === "string" ? description : undefined,
-        transport,
-        url: typeof url2 === "string" ? url2 : undefined,
-        env: isRecordOfStrings(env) ? env : {}
-      }))
+      run: (input) => {
+        const command = String(input.command);
+        const args = Array.isArray(input.args) ? input.args.map(String) : [];
+        const env = isRecordOfStrings(input.env) ? input.env : {};
+        const credentialRefs = readCredentialRefs(input);
+        const transport = input.transport;
+        try {
+          assertLocalCommandConsent({
+            command,
+            args,
+            env: { ...env, ...Object.fromEntries(Object.keys(credentialRefs).map((key) => [key, "<credential-ref>"])) },
+            transport,
+            operation: "register"
+          }, localConsent(input));
+          return jsonContent(addServer({
+            command,
+            args,
+            name: typeof input.name === "string" ? input.name : undefined,
+            description: typeof input.description === "string" ? input.description : undefined,
+            transport,
+            url: typeof input.url === "string" ? input.url : undefined,
+            env,
+            credentialRefs
+          }));
+        } catch (err) {
+          return errorContent(err.message);
+        }
+      }
     },
     {
       name: "install_from_registry",
       description: "Install an MCP server from the official registry",
-      paramsSchema: { id: exports_external2.string().describe("Registry server ID") },
-      run: async ({ id }) => jsonContent(await installFromRegistry(String(id)))
+      paramsSchema: {
+        id: exports_external2.string().describe("Registry server ID"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve registering registry stdio commands"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve registering risky local command patterns")
+      },
+      run: async (input) => {
+        try {
+          return jsonContent(await installFromRegistry(String(input.id), { localCommandConsent: localConsent(input) }));
+        } catch (err) {
+          return errorContent(err.message);
+        }
+      }
     },
     {
       name: "remove_server",
@@ -38343,26 +38843,52 @@ function buildMcpTools() {
         command: exports_external2.string().optional().describe("New command"),
         args: exports_external2.array(exports_external2.string()).optional().describe("New args list"),
         transport: exports_external2.enum(["stdio", "sse", "streamable-http"]).optional().describe("New transport type"),
-        url: exports_external2.string().optional().describe("New URL for remote transports")
+        url: exports_external2.string().optional().describe("New URL for remote transports"),
+        credential_refs: exports_external2.record(exports_external2.object({
+          source: exports_external2.enum(["env", "local-vault", "hosted"]),
+          name: exports_external2.string(),
+          required: exports_external2.boolean().optional(),
+          description: exports_external2.string().optional()
+        })).optional().describe("Credential references by server env key"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve updating this local stdio command"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve risky local command patterns")
       },
-      run: ({ id, name, description, command, args, transport, url: url2 }) => {
-        const serverId = String(id);
+      run: (input) => {
+        const serverId = String(input.id);
         const existing = getServer(serverId);
         if (!existing)
           return errorContent(`Server "${serverId}" not found.`);
         const fields = {};
-        if (typeof name === "string")
-          fields.name = name;
-        if (typeof description === "string")
-          fields.description = description;
-        if (typeof command === "string")
-          fields.command = command;
-        if (Array.isArray(args))
-          fields.args = args.map(String);
-        if (transport === "stdio" || transport === "sse" || transport === "streamable-http")
-          fields.transport = transport;
-        if (typeof url2 === "string")
-          fields.url = url2;
+        if (typeof input.name === "string")
+          fields.name = input.name;
+        if (typeof input.description === "string")
+          fields.description = input.description;
+        if (typeof input.command === "string")
+          fields.command = input.command;
+        if (Array.isArray(input.args))
+          fields.args = input.args.map(String);
+        if (input.credential_refs !== undefined || input.credentialRefs !== undefined)
+          fields.credentialRefs = readCredentialRefs(input);
+        if (input.transport === "stdio" || input.transport === "sse" || input.transport === "streamable-http")
+          fields.transport = input.transport;
+        if (typeof input.url === "string")
+          fields.url = input.url;
+        if (fields.command !== undefined || fields.args !== undefined || fields.transport !== undefined) {
+          try {
+            assertLocalCommandConsent({
+              command: fields.command ?? existing.command,
+              args: fields.args ?? existing.args,
+              env: {
+                ...existing.env,
+                ...Object.fromEntries(Object.keys(fields.credentialRefs ?? existing.credentialRefs ?? {}).map((key) => [key, "<credential-ref>"]))
+              },
+              transport: fields.transport ?? existing.transport,
+              operation: "register"
+            }, localConsent(input));
+          } catch (err) {
+            return errorContent(err.message);
+          }
+        }
         return jsonContent(redactServerEnv(updateServer(serverId, fields)));
       }
     },
@@ -38444,13 +38970,16 @@ function buildMcpTools() {
       paramsSchema: {
         id: exports_external2.string().describe("Provider profile ID"),
         name: exports_external2.string().optional().describe("Override registered server name"),
-        use_fallback: exports_external2.boolean().optional().describe("Install the stdio fallback command instead of the direct remote transport")
+        use_fallback: exports_external2.boolean().optional().describe("Install the stdio fallback command instead of the direct remote transport"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve registering provider stdio fallback commands"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve risky local command patterns")
       },
-      run: ({ id, name, use_fallback }) => {
+      run: (input) => {
         try {
-          return jsonContent(redactServerEnv(installProviderProfile(String(id), {
-            name: typeof name === "string" ? name : undefined,
-            useFallback: use_fallback === true
+          return jsonContent(redactServerEnv(installProviderProfile(String(input.id), {
+            name: typeof input.name === "string" ? input.name : undefined,
+            useFallback: input.use_fallback === true,
+            localCommandConsent: localConsent(input)
           })));
         } catch (err) {
           return errorContent(err.message);
@@ -38523,15 +39052,19 @@ function buildMcpTools() {
       description: "Install a registered MCP server into Claude Code, Codex, and/or Gemini",
       paramsSchema: {
         id: exports_external2.string().describe("Server ID to install (from list_servers)"),
-        targets: exports_external2.array(exports_external2.enum(["claude", "codex", "gemini"])).optional().describe("Target agents to install into (default: all)")
+        targets: exports_external2.array(exports_external2.enum(["claude", "codex", "gemini"])).optional().describe("Target agents to install into (default: all)"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve installing local stdio commands into local agent configs"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve installing risky local command patterns")
       },
-      run: ({ id, targets }) => {
-        const serverId = String(id);
+      run: (input) => {
+        const serverId = String(input.id);
         const entry = getServer(serverId);
         if (!entry)
           return errorContent(`Server "${serverId}" not found.`);
-        const agentTargets = Array.isArray(targets) ? targets : undefined;
-        return jsonContent(installToAgents(entry, agentTargets ?? ["claude", "codex", "gemini"]));
+        const agentTargets = Array.isArray(input.targets) ? input.targets : undefined;
+        return jsonContent(installToAgents(entry, agentTargets ?? ["claude", "codex", "gemini"], {
+          localCommandConsent: localConsent(input)
+        }));
       }
     },
     {
@@ -38543,11 +39076,14 @@ function buildMcpTools() {
     {
       name: "connect_and_list_tools",
       description: "Connect to all enabled MCP servers and list their available tools",
-      paramsSchema: {},
-      run: async () => {
+      paramsSchema: {
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve launching enabled local stdio commands"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve launching risky local command patterns")
+      },
+      run: async (input) => {
         let liveTools = [];
         try {
-          await connectAllEnabled();
+          await connectAllEnabled({ localCommandConsent: localConsent(input) });
           liveTools = listAllTools();
         } finally {
           await disconnectAll().catch(() => {
@@ -38562,11 +39098,13 @@ function buildMcpTools() {
       description: `Call a tool on a connected upstream MCP server. Tool name format: server_id${TOOL_PREFIX_SEPARATOR}tool_name`,
       paramsSchema: {
         tool_name: exports_external2.string().describe(`Prefixed tool name (server_id${TOOL_PREFIX_SEPARATOR}tool_name)`),
-        arguments: exports_external2.record(exports_external2.unknown()).optional().describe("Tool arguments as key-value pairs")
+        arguments: exports_external2.record(exports_external2.unknown()).optional().describe("Tool arguments as key-value pairs"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve launching this local stdio command"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve launching risky local command patterns")
       },
-      run: async ({ tool_name, arguments: args }) => {
+      run: async (input) => {
         try {
-          const toolName = String(tool_name);
+          const toolName = String(input.tool_name);
           const sepIdx = toolName.indexOf(TOOL_PREFIX_SEPARATOR);
           if (sepIdx === -1)
             return errorContent(`Error: Invalid tool name "${toolName}"`);
@@ -38576,8 +39114,8 @@ function buildMcpTools() {
             return errorContent(`Error: Server "${serverId}" not found.`);
           if (!entry.enabled)
             return errorContent(`Error: Server "${serverId}" is disabled.`);
-          await connectToServer(entry);
-          const result = await callTool(toolName, readRecord(args));
+          await connectToServer(entry, { localCommandConsent: localConsent(input) });
+          const result = await callTool(toolName, readRecord(input.arguments));
           return { content: result.content };
         } catch (error2) {
           return errorContent(`Error: ${error2.message}`);
@@ -38587,13 +39125,17 @@ function buildMcpTools() {
     {
       name: "diagnose_server",
       description: "Run health checks on a registered MCP server",
-      paramsSchema: { id: exports_external2.string().describe("Server ID") },
-      run: async ({ id }) => {
-        const serverId = String(id);
+      paramsSchema: {
+        id: exports_external2.string().describe("Server ID"),
+        allow_local_stdio: exports_external2.boolean().optional().describe("Approve launching local stdio diagnostics"),
+        allow_risky_command: exports_external2.boolean().optional().describe("Approve diagnosing risky local command patterns")
+      },
+      run: async (input) => {
+        const serverId = String(input.id);
         const entry = getServer(serverId);
         if (!entry)
           return errorContent(`Server "${serverId}" not found.`);
-        return jsonContent(await diagnoseServer(entry));
+        return jsonContent(await diagnoseServer(entry, { localCommandConsent: localConsent(input) }));
       }
     },
     {
@@ -38903,32 +39445,32 @@ if (isDirectRun) {
 }
 
 // src/server/serve.ts
-import { existsSync as existsSync10 } from "fs";
-import { join as join11, dirname as dirname4, extname, resolve, relative as relative2, sep } from "path";
+import { existsSync as existsSync11 } from "fs";
+import { join as join12, dirname as dirname4, extname, resolve, relative as relative2, sep } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 init_sources();
 init_db();
 function redactServer(server) {
-  return { ...server, env: {} };
+  return { ...redactServerCredentials(server), env: {} };
 }
 function resolveDashboardDir() {
   const candidates = [];
   try {
     const scriptDir = dirname4(fileURLToPath2(import.meta.url));
-    candidates.push(join11(scriptDir, "..", "dashboard", "dist"));
-    candidates.push(join11(scriptDir, "..", "..", "dashboard", "dist"));
+    candidates.push(join12(scriptDir, "..", "dashboard", "dist"));
+    candidates.push(join12(scriptDir, "..", "..", "dashboard", "dist"));
   } catch {}
   if (process.argv[1]) {
     const mainDir = dirname4(process.argv[1]);
-    candidates.push(join11(mainDir, "..", "dashboard", "dist"));
-    candidates.push(join11(mainDir, "..", "..", "dashboard", "dist"));
+    candidates.push(join12(mainDir, "..", "dashboard", "dist"));
+    candidates.push(join12(mainDir, "..", "..", "dashboard", "dist"));
   }
-  candidates.push(join11(process.cwd(), "dashboard", "dist"));
+  candidates.push(join12(process.cwd(), "dashboard", "dist"));
   for (const candidate of candidates) {
-    if (existsSync10(candidate))
+    if (existsSync11(candidate))
       return candidate;
   }
-  return join11(process.cwd(), "dashboard", "dist");
+  return join12(process.cwd(), "dashboard", "dist");
 }
 var MIME_TYPES = {
   ".html": "text/html; charset=utf-8",
@@ -38962,6 +39504,20 @@ function isValidId(id) {
   return /^[a-z0-9-]+$/.test(id);
 }
 var MAX_BODY_SIZE = 1024 * 1024;
+function consentFromInput(input) {
+  return {
+    approved: input.allow_local_stdio === true || input.allowLocalStdio === true,
+    allowRisky: input.allow_risky_command === true || input.allowRiskyCommand === true,
+    source: "api"
+  };
+}
+function consentFromSearchParams(params) {
+  return {
+    approved: params.get("allow_local_stdio") === "1" || params.get("allow_local_stdio") === "true",
+    allowRisky: params.get("allow_risky_command") === "1" || params.get("allow_risky_command") === "true",
+    source: "api"
+  };
+}
 function isLoopbackHost(hostname3) {
   return hostname3 === "127.0.0.1" || hostname3 === "localhost" || hostname3 === "::1";
 }
@@ -39016,7 +39572,7 @@ function getAllServersWithToolCount() {
   }));
 }
 function serveStaticFile(filePath) {
-  if (!existsSync10(filePath))
+  if (!existsSync11(filePath))
     return null;
   const ext = extname(filePath);
   const contentType = MIME_TYPES[ext] || "application/octet-stream";
@@ -39049,7 +39605,7 @@ async function startServer(port, options) {
   const host = options?.host ?? "127.0.0.1";
   getDb();
   const dashboardDir = resolveDashboardDir();
-  const dashboardExists = existsSync10(dashboardDir);
+  const dashboardExists = existsSync11(dashboardDir);
   if (!dashboardExists) {
     console.error(`
 Dashboard not found at: ${dashboardDir}`);
@@ -39108,16 +39664,33 @@ Dashboard not found at: ${dashboardDir}`);
             return json({ error: "Invalid 'args' format" }, 400, port);
           }
           const args = body.args || [];
+          const credentialRefs = normalizeCredentialRefs(body.credential_refs ?? body.credentialRefs);
+          const env = body.env && typeof body.env === "object" && !Array.isArray(body.env) ? body.env : {};
+          try {
+            assertLocalCommandConsent({
+              command,
+              args,
+              env: { ...env, ...Object.fromEntries(Object.keys(credentialRefs).map((key) => [key, "<credential-ref>"])) },
+              transport,
+              operation: "register"
+            }, consentFromInput(body));
+          } catch (err) {
+            return json({ error: err.message }, 400, port);
+          }
           const entry = addServer({
             name: body.name,
             command,
             args,
             description: body.description,
             transport,
-            url: body.url
+            url: body.url,
+            env,
+            credentialRefs
           });
           return json(entry, 200, port);
         } catch (e) {
+          if (e instanceof CredentialReferenceError)
+            return json({ error: e.message }, 400, port);
           return json({ error: e instanceof Error ? e.message : "Failed to add server" }, 500, port);
         }
       }
@@ -39196,6 +39769,11 @@ Dashboard not found at: ${dashboardDir}`);
             fields.description = body.description;
           if (body.command !== undefined)
             fields.command = body.command;
+          if (body.env !== undefined)
+            fields.env = body.env;
+          if (body.credential_refs !== undefined || body.credentialRefs !== undefined) {
+            fields.credentialRefs = normalizeCredentialRefs(body.credential_refs ?? body.credentialRefs);
+          }
           if (body.transport !== undefined)
             fields.transport = body.transport;
           if (body.url !== undefined)
@@ -39206,6 +39784,22 @@ Dashboard not found at: ${dashboardDir}`);
             }
             fields.args = body.args;
           }
+          if (fields.command !== undefined || fields.args !== undefined || fields.transport !== undefined) {
+            try {
+              assertLocalCommandConsent({
+                command: fields.command ?? existing.command,
+                args: fields.args ?? existing.args,
+                env: {
+                  ...fields.env ?? existing.env,
+                  ...Object.fromEntries(Object.keys(fields.credentialRefs ?? existing.credentialRefs ?? {}).map((key) => [key, "<credential-ref>"]))
+                },
+                transport: fields.transport ?? existing.transport,
+                operation: "register"
+              }, consentFromInput(body));
+            } catch (err) {
+              return json({ error: err.message }, 400, port);
+            }
+          }
           const updated = updateServer(id, fields);
           return json(redactServer(updated), 200, port);
         } catch (e) {
@@ -39234,6 +39828,8 @@ Dashboard not found at: ${dashboardDir}`);
           setServerEnv(id, body.key, body.value);
           return json({ ok: true }, 200, port);
         } catch (e) {
+          if (e instanceof CredentialReferenceError)
+            return json({ error: e.message }, 400, port);
           return json({ error: e instanceof Error ? e.message : "Failed" }, 500, port);
         }
       }
@@ -39281,7 +39877,7 @@ Dashboard not found at: ${dashboardDir}`);
           }
           if (!body.tool || typeof body.tool !== "string")
             return json({ error: "Missing 'tool'" }, 400, port);
-          await connectToServer(entry);
+          await connectToServer(entry, { localCommandConsent: consentFromInput(body) });
           const toolName = `${id}__${body.tool}`;
           const result = await callTool(toolName, body.args || {});
           await disconnectServer(id).catch(() => {
@@ -39292,6 +39888,9 @@ Dashboard not found at: ${dashboardDir}`);
           await disconnectServer(id).catch(() => {
             return;
           });
+          if (e instanceof LocalCommandConsentError) {
+            return json({ error: e.message }, 400, port);
+          }
           return json({ error: e instanceof Error ? e.message : "Failed to call tool" }, 500, port);
         }
       }
@@ -39304,7 +39903,7 @@ Dashboard not found at: ${dashboardDir}`);
         if (!entry)
           return json({ error: `Server '${id}' not found` }, 404, port);
         try {
-          const report = await diagnoseServer(entry);
+          const report = await diagnoseServer(entry, { localCommandConsent: consentFromSearchParams(url2.searchParams) });
           return json(report, 200, port);
         } catch (e) {
           return json({ error: e instanceof Error ? e.message : "Failed to diagnose server" }, 500, port);
@@ -39433,7 +40032,7 @@ Dashboard not found at: ${dashboardDir}`);
               return res2;
           }
         }
-        const indexPath = join11(dashboardDir, "index.html");
+        const indexPath = join12(dashboardDir, "index.html");
         const res = serveStaticFile(indexPath);
         if (res)
           return res;
@@ -39959,6 +40558,13 @@ function ServerDetail({ server, onSelectTool, onBack }) {
   const [tools2, setTools] = useState3([]);
   const [loading, setLoading] = useState3(false);
   const [error2, setError] = useState3(null);
+  const commandReview = inspectLocalCommand({
+    command: server.command,
+    args: server.args,
+    env: server.env,
+    transport: server.transport,
+    operation: "launch"
+  });
   const cachedTools = getCachedTools(server.id);
   const cachedKey = cachedTools.map((t) => `${t.name}|${t.description}|${JSON.stringify(t.input_schema)}`).join(";");
   useEffect3(() => {
@@ -39979,7 +40585,9 @@ function ServerDetail({ server, onSelectTool, onBack }) {
     setLoading(true);
     setError(null);
     try {
-      const conn = await connectToServer(server);
+      const conn = await connectToServer(server, {
+        localCommandConsent: { approved: true, source: "tui" }
+      });
       setTools(conn.tools);
     } catch (err) {
       setError(err.message);
@@ -40038,6 +40646,21 @@ function ServerDetail({ server, onSelectTool, onBack }) {
           server.args.join(" ")
         ]
       }, undefined, true, undefined, this),
+      commandReview.requiresConsent && /* @__PURE__ */ jsxDEV2(Box4, {
+        marginTop: 1,
+        flexDirection: "column",
+        children: [
+          /* @__PURE__ */ jsxDEV2(Text5, {
+            color: commandReview.hasDangerousRisk ? "red" : "yellow",
+            children: "Local stdio command review"
+          }, undefined, false, undefined, this),
+          formatLocalCommandReview(commandReview).split(`
+`).map((line, index) => /* @__PURE__ */ jsxDEV2(Text5, {
+            dimColor: true,
+            children: line
+          }, `${index}:${line}`, false, undefined, this))
+        ]
+      }, undefined, true, undefined, this),
       server.description && /* @__PURE__ */ jsxDEV2(Text5, {
         dimColor: true,
         children: server.description
@@ -40206,7 +40829,9 @@ function SearchView({ onBack }) {
     setInstalling(item.value);
     setMessage(null);
     try {
-      const server = await installFromRegistry(item.value);
+      const server = await installFromRegistry(item.value, {
+        localCommandConsent: { approved: true, source: "tui" }
+      });
       setMessage(`Installed: ${server.name} [${server.id}]`);
     } catch (err) {
       setMessage(`Install failed: ${err.message}`);
@@ -40317,7 +40942,9 @@ function ToolCall({ server, tool, onBack }) {
     setError(null);
     setResult(null);
     try {
-      await connectToServer(server);
+      await connectToServer(server, {
+        localCommandConsent: { approved: true, source: "tui" }
+      });
       const prefixed = `${server.id}${TOOL_PREFIX_SEPARATOR}${tool.name}`;
       const res = await callTool(prefixed, args);
       const text = res.content.map((c) => c.text).join(`
@@ -40537,6 +41164,52 @@ var MACHINE_PLATFORMS = ["linux", "darwin", "unknown"];
 var MACHINE_ARCHES = ["arm64", "x64", "unknown"];
 var MACHINE_INSTALLERS = ["auto", "bun", "npm"];
 var FLEET_INSTALL_MODES = ["missing", "missing-or-outdated", "all"];
+function localConsentFromOptions(opts, approved = false) {
+  return {
+    approved: approved || opts.yes === true || opts.allowLocalStdio === true,
+    allowRisky: opts.allowRiskyCommand === true,
+    source: "cli"
+  };
+}
+function printLocalCommandReviewIfNeeded(input) {
+  const review = inspectLocalCommand(input);
+  if (!review.requiresConsent)
+    return;
+  console.log(chalk2.dim(formatLocalCommandReview(review)));
+}
+function assertCliLocalCommandConsent(input, opts, approved = false) {
+  const consent = localConsentFromOptions(opts, approved);
+  const review = inspectLocalCommand(input);
+  if (review.requiresConsent && consent.approved === true && (!review.hasDangerousRisk || consent.allowRisky === true)) {
+    console.log(chalk2.dim(formatLocalCommandReview(review)));
+  }
+  assertLocalCommandConsent(input, consent);
+  return consent;
+}
+function parseCredentialPairs(pairs, source) {
+  const refs = {};
+  for (const pair of pairs ?? []) {
+    const eqIdx = pair.indexOf("=");
+    if (eqIdx <= 0)
+      throw new Error(`Credential reference must use KEY=NAME format: ${pair}`);
+    const key = pair.slice(0, eqIdx).trim();
+    const name = pair.slice(eqIdx + 1).trim();
+    if (!key || !name)
+      throw new Error(`Credential reference must use KEY=NAME format: ${pair}`);
+    refs[key] = { source, name, required: true };
+  }
+  return refs;
+}
+function credentialRefsFromOptions(opts) {
+  return {
+    ...parseCredentialPairs(opts.credentialEnv, "env"),
+    ...parseCredentialPairs(opts.credentialLocal, "local-vault"),
+    ...parseCredentialPairs(opts.credentialHosted, "hosted")
+  };
+}
+function formatCredentialRef(ref) {
+  return `${ref.source}:${ref.name}`;
+}
 function printProviderProfile(profile) {
   const status = profile.enabled ? chalk2.green("enabled") : chalk2.red("disabled");
   console.log(`  ${chalk2.bold(profile.displayName)} ${chalk2.dim(`[${profile.id}]`)} \u2014 ${chalk2.dim(profile.transport)} \u2014 ${status}`);
@@ -40785,11 +41458,12 @@ providersCmd.command("info").argument("<id>", "Provider profile ID").description
     console.log(`    Docs: ${chalk2.cyan(profile.docsUrl)}`);
   closeDb();
 });
-providersCmd.command("install").argument("<id>", "Provider profile ID").description("Register a curated provider profile as an MCP server").option("--name <name>", "Override registered server name").option("--fallback", "Install the stdio fallback command instead of direct remote transport").option("--json", "Output as JSON").action((id, opts) => {
+providersCmd.command("install").argument("<id>", "Provider profile ID").description("Register a curated provider profile as an MCP server").option("--name <name>", "Override registered server name").option("--fallback", "Install the stdio fallback command instead of direct remote transport").option("--yes", "Approve local stdio fallback commands").option("--allow-local-stdio", "Approve local stdio fallback commands").option("--allow-risky-command", "Approve high-risk local command patterns").option("--json", "Output as JSON").action((id, opts) => {
   try {
     const server = installProviderProfile(id, {
       name: opts.name,
-      useFallback: opts.fallback === true
+      useFallback: opts.fallback === true,
+      localCommandConsent: localConsentFromOptions(opts)
     });
     if (opts.json) {
       printJson(server);
@@ -40820,11 +41494,13 @@ function detectSourceType(url2) {
     return "mcp-registry";
   return null;
 }
-program2.command("add").passThroughOptions().argument("[command]", "Command to run the MCP server").argument("[args...]", "Arguments for the command").option("--name <name>", "Display name for the server").option("--description <desc>", "Description").option("--from-registry <id>", "Install from official registry by ID").option("--transport <type>", "Transport type: stdio, sse, streamable-http", "stdio").option("--url <url>", "URL for remote transports").option("--env <pairs...>", "Environment variables as KEY=VALUE pairs").option("--wizard", "Interactive setup wizard").option("--force", "Register even if duplicate command exists").description("Add a local MCP server").action(async (command, args, opts) => {
+program2.command("add").passThroughOptions().argument("[command]", "Command to run the MCP server").argument("[args...]", "Arguments for the command").option("--name <name>", "Display name for the server").option("--description <desc>", "Description").option("--from-registry <id>", "Install from official registry by ID").option("--transport <type>", "Transport type: stdio, sse, streamable-http", "stdio").option("--url <url>", "URL for remote transports").option("--env <pairs...>", "Environment variables as KEY=VALUE pairs").option("--credential-env <pairs...>", "Credential refs as KEY=ENV_VAR pairs").option("--credential-local <pairs...>", "Credential refs as KEY=LOCAL_VAULT_NAME pairs").option("--credential-hosted <pairs...>", "Credential refs as KEY=HOSTED_CREDENTIAL_ID pairs").option("--wizard", "Interactive setup wizard").option("--force", "Register even if duplicate command exists").option("--yes", "Approve registering local stdio commands").option("--allow-local-stdio", "Approve registering local stdio commands").option("--allow-risky-command", "Approve high-risk local command patterns").description("Add a local MCP server").action(async (command, args, opts) => {
   try {
     if (opts.fromRegistry) {
       console.log(chalk2.dim(`Installing "${opts.fromRegistry}" from registry...`));
-      const server2 = await installFromRegistry(opts.fromRegistry);
+      const server2 = await installFromRegistry(opts.fromRegistry, {
+        localCommandConsent: localConsentFromOptions(opts)
+      });
       console.log(chalk2.green(`Added server: ${server2.name} [${server2.id}]`));
       console.log(chalk2.dim(`  ${server2.command} ${server2.args.join(" ")}`));
       closeDb();
@@ -40863,6 +41539,13 @@ Server to add:`));
         console.log(`  Name:      ${wizardName}`);
       if (Object.keys(env).length)
         console.log(`  Env:       ${Object.keys(env).join(", ")}`);
+      printLocalCommandReviewIfNeeded({
+        command: wizardCommand,
+        args: wizardArgs,
+        env,
+        transport,
+        operation: "register"
+      });
       const confirm = await new Promise((resolve2) => {
         const rl2 = readline.createInterface({ input: process.stdin, output: process.stdout });
         rl2.question(chalk2.bold("Add this server? [Y/n]: "), (ans) => {
@@ -40875,13 +41558,21 @@ Server to add:`));
         closeDb();
         return;
       }
+      assertLocalCommandConsent({
+        command: wizardCommand,
+        args: wizardArgs,
+        env,
+        transport,
+        operation: "register"
+      }, localConsentFromOptions(opts, true));
       const server2 = addServer({
         command: wizardCommand,
         args: wizardArgs,
         name: wizardName || undefined,
         description: wizardDescription || undefined,
         transport,
-        env
+        env,
+        credentialRefs: credentialRefsFromOptions(opts)
       });
       console.log(chalk2.green(`Added: ${server2.name} [${server2.id}]`));
       closeDb();
@@ -40911,6 +41602,14 @@ Server to add:`));
         envMap[key] = rest.join("=");
       }
     }
+    const credentialRefs = credentialRefsFromOptions(opts);
+    assertCliLocalCommandConsent({
+      command,
+      args,
+      env: { ...envMap, ...Object.fromEntries(Object.keys(credentialRefs).map((key) => [key, "<credential-ref>"])) },
+      transport: opts.transport,
+      operation: "register"
+    }, opts);
     const server = addServer({
       name: opts.name,
       description: opts.description,
@@ -40918,7 +41617,8 @@ Server to add:`));
       args,
       transport: opts.transport,
       url: opts.url,
-      env: envMap
+      env: envMap,
+      credentialRefs
     });
     console.log(chalk2.green(`Added server: ${server.name} [${server.id}]`));
     console.log(chalk2.dim(`  ${server.command} ${server.args.join(" ")}`));
@@ -40933,29 +41633,44 @@ Server to add:`));
   }
   closeDb();
 });
-program2.command("update-server").argument("<id>", "Server ID to update").description("Update fields of a registered server").option("--name <name>", "New display name").option("--description <desc>", "New description").option("--command <cmd>", "New command").option("--args <args...>", "New args list").option("--transport <type>", "New transport type").option("--url <url>", "New URL").action((id, opts) => {
-  const server = getServer(id);
-  if (!server) {
-    console.error(chalk2.red(`Server "${id}" not found.`));
+program2.command("update-server").argument("<id>", "Server ID to update").description("Update fields of a registered server").option("--name <name>", "New display name").option("--description <desc>", "New description").option("--command <cmd>", "New command").option("--args <args...>", "New args list").option("--transport <type>", "New transport type").option("--url <url>", "New URL").option("--yes", "Approve updated local stdio commands").option("--allow-local-stdio", "Approve updated local stdio commands").option("--allow-risky-command", "Approve high-risk local command patterns").action((id, opts) => {
+  try {
+    const server = getServer(id);
+    if (!server) {
+      console.error(chalk2.red(`Server "${id}" not found.`));
+      closeDb();
+      process.exit(1);
+    }
+    const fields = {};
+    if (opts.name !== undefined)
+      fields.name = opts.name;
+    if (opts.description !== undefined)
+      fields.description = opts.description;
+    if (opts.command !== undefined)
+      fields.command = opts.command;
+    if (opts.args !== undefined)
+      fields.args = opts.args;
+    if (opts.transport !== undefined)
+      fields.transport = opts.transport;
+    if (opts.url !== undefined)
+      fields.url = opts.url;
+    if (fields.command !== undefined || fields.args !== undefined || fields.transport !== undefined) {
+      assertCliLocalCommandConsent({
+        command: fields.command ?? server.command,
+        args: fields.args ?? server.args,
+        env: server.env,
+        transport: fields.transport ?? server.transport,
+        operation: "register"
+      }, opts);
+    }
+    const updated = updateServer(id, fields);
+    console.log(chalk2.green(`Updated server: ${updated.name} [${updated.id}]`));
+    closeDb();
+  } catch (err) {
+    console.error(chalk2.red(`Failed to update server: ${err.message}`));
     closeDb();
     process.exit(1);
   }
-  const fields = {};
-  if (opts.name !== undefined)
-    fields.name = opts.name;
-  if (opts.description !== undefined)
-    fields.description = opts.description;
-  if (opts.command !== undefined)
-    fields.command = opts.command;
-  if (opts.args !== undefined)
-    fields.args = opts.args;
-  if (opts.transport !== undefined)
-    fields.transport = opts.transport;
-  if (opts.url !== undefined)
-    fields.url = opts.url;
-  const updated = updateServer(id, fields);
-  console.log(chalk2.green(`Updated server: ${updated.name} [${updated.id}]`));
-  closeDb();
 });
 program2.command("clone").argument("<id>", "Server ID to clone").argument("<new-name>", "Name for the cloned server").description("Clone a server with a new name").action((id, newName) => {
   try {
@@ -41002,10 +41717,10 @@ program2.command("disable").argument("<id>", "Server ID to disable").description
   console.log(chalk2.yellow(`Disabled server: ${server.name}`));
   closeDb();
 });
-program2.command("tools").argument("[server-id]", "Optional server ID to filter by").description("List tools (all or per server)").option("--connect", "Connect to servers to fetch live tools").action(async (serverId, opts) => {
+program2.command("tools").argument("[server-id]", "Optional server ID to filter by").description("List tools (all or per server)").option("--connect", "Connect to servers to fetch live tools").option("--yes", "Approve launching local stdio commands when --connect is used").option("--allow-local-stdio", "Approve launching local stdio commands when --connect is used").option("--allow-risky-command", "Approve high-risk local command patterns").action(async (serverId, opts) => {
   if (opts.connect) {
     console.log(chalk2.dim("Connecting to enabled servers..."));
-    await connectAllEnabled();
+    await connectAllEnabled({ localCommandConsent: localConsentFromOptions(opts) });
     const tools2 = listAllTools();
     if (tools2.length === 0) {
       console.log(chalk2.dim("No tools available."));
@@ -41055,7 +41770,7 @@ ${total} tool(s) total.`));
   }
   closeDb();
 });
-program2.command("call").argument("<tool>", "Tool name (server_id__tool_name)").option("--arg <pairs...>", "Arguments as key=value pairs").option("--json <json>", "Arguments as JSON string").description("Call a tool directly").action(async (tool, opts) => {
+program2.command("call").argument("<tool>", "Tool name (server_id__tool_name)").option("--arg <pairs...>", "Arguments as key=value pairs").option("--json <json>", "Arguments as JSON string").option("--yes", "Approve launching local stdio commands").option("--allow-local-stdio", "Approve launching local stdio commands").option("--allow-risky-command", "Approve high-risk local command patterns").description("Call a tool directly").action(async (tool, opts) => {
   let args = {};
   if (opts.json) {
     try {
@@ -41078,7 +41793,7 @@ program2.command("call").argument("<tool>", "Tool name (server_id__tool_name)").
   let exitCode = 0;
   try {
     console.log(chalk2.dim(`Connecting to servers...`));
-    await connectAllEnabled();
+    await connectAllEnabled({ localCommandConsent: localConsentFromOptions(opts) });
     console.log(chalk2.dim(`Calling ${tool}...`));
     const result = await callTool(tool, args);
     for (const c of result.content) {
@@ -41102,20 +41817,24 @@ program2.command("info").argument("<id>", "Server ID").description("Show server
     closeDb();
     process.exit(1);
   }
-  console.log(chalk2.bold(server.name) + " " + chalk2.dim(`[${server.id}]`));
-  console.log(`  Status:    ${server.enabled ? chalk2.green("enabled") : chalk2.red("disabled")}`);
-  console.log(`  Source:    ${server.source}`);
-  console.log(`  Transport: ${server.transport}`);
-  console.log(`  Command:   ${server.command} ${server.args.join(" ")}`);
-  if (server.url)
-    console.log(`  URL:       ${server.url}`);
-  if (server.description)
-    console.log(`  Desc:      ${server.description}`);
-  if (Object.keys(server.env).length > 0) {
-    console.log(`  Env:       ${Object.entries(server.env).map(([k, v]) => `${k}=${v}`).join(", ")}`);
-  }
-  console.log(`  Created:   ${server.created_at}`);
-  console.log(`  Updated:   ${server.updated_at}`);
+  const safeServer = redactServerCredentials(server);
+  console.log(chalk2.bold(safeServer.name) + " " + chalk2.dim(`[${safeServer.id}]`));
+  console.log(`  Status:    ${safeServer.enabled ? chalk2.green("enabled") : chalk2.red("disabled")}`);
+  console.log(`  Source:    ${safeServer.source}`);
+  console.log(`  Transport: ${safeServer.transport}`);
+  console.log(`  Command:   ${safeServer.command} ${safeServer.args.join(" ")}`);
+  if (safeServer.url)
+    console.log(`  URL:       ${safeServer.url}`);
+  if (safeServer.description)
+    console.log(`  Desc:      ${safeServer.description}`);
+  if (Object.keys(safeServer.env).length > 0) {
+    console.log(`  Env:       ${Object.entries(safeServer.env).map(([k, v]) => `${k}=${v}`).join(", ")}`);
+  }
+  if (Object.keys(safeServer.credentialRefs ?? {}).length > 0) {
+    console.log(`  Cred refs: ${Object.entries(safeServer.credentialRefs ?? {}).map(([k, ref]) => `${k}=${formatCredentialRef(ref)}`).join(", ")}`);
+  }
+  console.log(`  Created:   ${safeServer.created_at}`);
+  console.log(`  Updated:   ${safeServer.updated_at}`);
   const cached2 = getCachedTools(id);
   if (cached2.length > 0) {
     console.log(chalk2.bold(`
@@ -41146,7 +41865,7 @@ program2.command("status").description("Show registry stats").option("--json", "
   console.log(`  Tools:    ${totalTools} (cached)`);
   closeDb();
 });
-program2.command("doctor").argument("[id]", "Server ID to check (omit to check all)").description("Diagnose server health \u2014 checks PATH, env vars, connectivity").option("--fix", "Attempt to fix issues automatically").action(async (id, opts) => {
+program2.command("doctor").argument("[id]", "Server ID to check (omit to check all)").description("Diagnose server health \u2014 checks PATH, env vars, connectivity").option("--fix", "Attempt to fix issues automatically").option("--yes", "Approve probing and launching local stdio commands").option("--allow-local-stdio", "Approve probing and launching local stdio commands").option("--allow-risky-command", "Approve high-risk local command patterns").action(async (id, opts) => {
   const { execFileSync: execFileSync22 } = await import("child_process");
   const servers = id ? [getServer(id)].filter(Boolean) : listServers();
   if (servers.length === 0) {
@@ -41158,7 +41877,7 @@ program2.command("doctor").argument("[id]", "Server ID to check (omit to check a
   for (const server of servers) {
     console.log(chalk2.bold(`
 ${server.name} [${server.id}]`));
-    const report = await diagnoseServer(server);
+    const report = await diagnoseServer(server, { localCommandConsent: localConsentFromOptions(opts) });
     for (const check2 of report.checks) {
       const icon = check2.pass ? chalk2.green("\u2713") : chalk2.red("\u2717");
       console.log(`  ${icon} ${check2.name}: ${chalk2.dim(check2.message)}`);
@@ -41244,7 +41963,7 @@ program2.command("update").description("Update mcps to the latest version").acti
     process.exit(1);
   }
 });
-program2.command("find").argument("[query]", "Search query (omit to list all from awesome list)").description("Find MCP servers across npm, GitHub, official registry, and awesome lists").option("--source <sources...>", "Source IDs to search (see `mcps sources list`)").option("--limit <n>", "Max results per source", "20").option("--awesome", "List curated servers from punkpeye/awesome-mcp-servers").option("--json", "Output as JSON").option("--install", "After showing results, prompt to select one and install it").option("--yes", "Auto-install without prompting (only when there is exactly 1 result)").option("--no-cache", "Bypass source cache and fetch fresh results").action(async (query, opts) => {
+program2.command("find").argument("[query]", "Search query (omit to list all from awesome list)").description("Find MCP servers across npm, GitHub, official registry, and awesome lists").option("--source <sources...>", "Source IDs to search (see `mcps sources list`)").option("--limit <n>", "Max results per source", "20").option("--awesome", "List curated servers from punkpeye/awesome-mcp-servers").option("--json", "Output as JSON").option("--install", "After showing results, prompt to select one and install it").option("--yes", "Auto-install without prompting (only when there is exactly 1 result)").option("--allow-risky-command", "Approve high-risk local command patterns").option("--no-cache", "Bypass source cache and fetch fresh results").action(async (query, opts) => {
   try {
     if (opts.awesome) {
       console.log(chalk2.dim("Fetching curated awesome-mcp-servers list..."));
@@ -41354,6 +42073,14 @@ Enter number to install (1-${results.length}), or 0 to cancel: `), resolve2);
         return;
       }
       console.log(chalk2.dim(`Installing ${chosen.name}...`));
+      const localCommandInput = {
+        command: "npx",
+        args: ["-y", pkg],
+        env: {},
+        transport: "stdio",
+        operation: "install"
+      };
+      const localCommandConsent = assertCliLocalCommandConsent(localCommandInput, opts, true);
       const server = addServer({
         command: "npx",
         args: ["-y", pkg],
@@ -41361,7 +42088,7 @@ Enter number to install (1-${results.length}), or 0 to cancel: `), resolve2);
         description: chosen.description,
         transport: "stdio"
       });
-      const results2 = installToAgents(server, ["claude", "codex", "gemini"]);
+      const results2 = installToAgents(server, ["claude", "codex", "gemini"], { localCommandConsent });
       for (const r of results2) {
         if (r.success) {
           console.log(chalk2.green(`  \u2713 ${r.agent}`));
@@ -41506,7 +42233,7 @@ sourcesCmd.command("test").argument("<id>", "Source ID to test").description("Te
   }
   closeDb();
 });
-program2.command("install").argument("[id]", "Server ID (from `mcps list`) to install into AI agents").description("Install a registered MCP server into Claude Code, Codex, and/or Gemini").option("--claude", "Install to Claude Code").option("--codex", "Install to Codex").option("--gemini", "Install to Gemini").option("--all", "Install to all agents (default if none specified)").option("--to <agents...>", "Agents to install to: claude, codex, gemini").option("--from-registry <id>", "Add from official registry and install in one step").option("--npm <package>", "Add an npm package as a server and install in one step").action(async (id, opts) => {
+program2.command("install").argument("[id]", "Server ID (from `mcps list`) to install into AI agents").description("Install a registered MCP server into Claude Code, Codex, and/or Gemini").option("--claude", "Install to Claude Code").option("--codex", "Install to Codex").option("--gemini", "Install to Gemini").option("--all", "Install to all agents (default if none specified)").option("--to <agents...>", "Agents to install to: claude, codex, gemini").option("--from-registry <id>", "Add from official registry and install in one step").option("--npm <package>", "Add an npm package as a server and install in one step").option("--yes", "Approve installing local stdio commands into agents").option("--allow-local-stdio", "Approve installing local stdio commands into agents").option("--allow-risky-command", "Approve high-risk local command patterns").action(async (id, opts) => {
   const targets = [];
   if (opts.to) {
     for (const t of opts.to) {
@@ -41532,7 +42259,9 @@ program2.command("install").argument("[id]", "Server ID (from `mcps list`) to in
   if (opts.fromRegistry) {
     console.log(chalk2.dim(`Installing "${opts.fromRegistry}" from registry...`));
     try {
-      server = await installFromRegistry(opts.fromRegistry);
+      server = await installFromRegistry(opts.fromRegistry, {
+        localCommandConsent: localConsentFromOptions(opts)
+      });
       console.log(chalk2.green(`Added server: ${server.name} [${server.id}]`));
     } catch (err) {
       console.error(chalk2.red(`Failed to install from registry: ${err.message}`));
@@ -41541,6 +42270,13 @@ program2.command("install").argument("[id]", "Server ID (from `mcps list`) to in
     }
   } else if (opts.npm) {
     const pkg = opts.npm;
+    assertCliLocalCommandConsent({
+      command: "npx",
+      args: ["-y", pkg],
+      env: {},
+      transport: "stdio",
+      operation: "install"
+    }, opts);
     server = addServer({ command: "npx", args: ["-y", pkg], name: pkg, transport: "stdio" });
     console.log(chalk2.green(`Added server: ${server.name} [${server.id}]`));
   } else {
@@ -41557,7 +42293,7 @@ program2.command("install").argument("[id]", "Server ID (from `mcps list`) to in
     }
   }
   console.log(chalk2.dim(`Installing "${server.name}" to: ${targets.join(", ")}...`));
-  const results = installToAgents(server, targets);
+  const results = installToAgents(server, targets, { localCommandConsent: localConsentFromOptions(opts) });
   for (const r of results) {
     if (r.success) {
       console.log(chalk2.green(`  \u2713 ${r.agent}`));
@@ -41738,7 +42474,7 @@ fleetCmd.command("install").argument("[machineIds...]", "Optional machine IDs to
   }
 });
 program2.command("export").description("Export all servers and sources to a JSON file").option("--file <path>", "Output file path", `${process.env.HOME ?? "~"}/.hasna/mcps/export.json`).option("--stdout", "Write to stdout instead of a file").action((opts) => {
-  const servers = listServers();
+  const servers = listServers().map(redactServerCredentials);
   const sources = listSources();
   const payload = {
     version: 1,
@@ -41758,7 +42494,7 @@ program2.command("export").description("Export all servers and sources to a JSON
 program2.command("import").argument("<file>", "Path to the export JSON file").description("Import servers and sources from a JSON export file").option("--overwrite", "Overwrite existing entries with matching IDs").action((file, opts) => {
   let payload;
   try {
-    payload = JSON.parse(readFileSync6(file, "utf-8"));
+    payload = JSON.parse(readFileSync7(file, "utf-8"));
   } catch (err) {
     console.error(chalk2.red(`Failed to read file: ${err.message}`));
     closeDb();
@@ -41780,7 +42516,23 @@ program2.command("import").argument("<file>", "Path to the export JSON file").de
       serversSkipped++;
       continue;
     }
-    db2.run(`INSERT ${orReplace} INTO servers (id, name, description, command, args, env, transport, url, source, enabled, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?,?,?,?,?)`, [s.id, s.name, s.description, s.command, JSON.stringify(s.args ?? []), JSON.stringify(s.env ?? {}), s.transport, s.url, s.source, s.enabled ? 1 : 0, s.created_at, s.updated_at]);
+    const literalEnv = normalizeLiteralEnv(s.env ?? {});
+    const credentialRefs = normalizeCredentialRefs(s.credentialRefs ?? s.credential_refs ?? {});
+    db2.run(`INSERT ${orReplace} INTO servers (id, name, description, command, args, env, credential_refs, transport, url, source, enabled, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)`, [
+      s.id,
+      s.name,
+      s.description,
+      s.command,
+      JSON.stringify(s.args ?? []),
+      JSON.stringify(literalEnv),
+      JSON.stringify(credentialRefs),
+      s.transport,
+      s.url,
+      s.source,
+      s.enabled ? 1 : 0,
+      s.created_at,
+      s.updated_at
+    ]);
     serversImported++;
   }
   let sourcesImported = 0;
@@ -41806,14 +42558,17 @@ envCmd.command("list").argument("<id>").description("List env vars for a server"
     closeDb();
     process.exit(1);
   }
-  const entries = Object.entries(server.env);
-  if (entries.length === 0) {
-    console.log(chalk2.dim("No env vars set."));
+  const envEntries = Object.entries(redactEnv(server.env));
+  const refEntries = Object.entries(server.credentialRefs ?? {});
+  if (envEntries.length === 0 && refEntries.length === 0) {
+    console.log(chalk2.dim("No env vars or credential refs set."));
     closeDb();
     return;
   }
-  for (const [k, v] of entries)
+  for (const [k, v] of envEntries)
     console.log(`  ${chalk2.bold(k)}=${chalk2.dim(v)}`);
+  for (const [k, ref] of refEntries)
+    console.log(`  ${chalk2.bold(k)}=${chalk2.dim(formatCredentialRef(ref))}`);
   closeDb();
 });
 envCmd.command("set").argument("<id>").argument("<pair>", "KEY=VALUE").description("Set an env var").action((id, pair) => {
@@ -41835,6 +42590,36 @@ envCmd.command("set").argument("<id>").argument("<pair>", "KEY=VALUE").descripti
   }
   closeDb();
 });
+envCmd.command("ref").argument("<id>").argument("<pair>", "KEY=NAME").description("Set a credential reference for a server env key").option("--source <source>", "Credential source: env, local-vault, hosted", "env").action((id, pair, opts) => {
+  const source = opts.source;
+  if (source !== "env" && source !== "local-vault" && source !== "hosted") {
+    console.error(chalk2.red("Source must be one of: env, local-vault, hosted"));
+    closeDb();
+    process.exit(1);
+  }
+  try {
+    const refs = parseCredentialPairs([pair], source);
+    const [key, ref] = Object.entries(refs)[0];
+    setServerCredentialRef(id, key, ref);
+    console.log(chalk2.green(`Set credential ref ${key}=${formatCredentialRef(ref)} on ${id}`));
+  } catch (err) {
+    console.error(chalk2.red(err.message));
+    closeDb();
+    process.exit(1);
+  }
+  closeDb();
+});
+envCmd.command("unset-ref").argument("<id>").argument("<key>").description("Remove a credential reference").action((id, key) => {
+  try {
+    unsetServerCredentialRef(id, key);
+    console.log(chalk2.green(`Unset credential ref ${key} on ${id}`));
+  } catch (err) {
+    console.error(chalk2.red(err.message));
+    closeDb();
+    process.exit(1);
+  }
+  closeDb();
+});
 envCmd.command("unset").argument("<id>").argument("<key>").description("Remove an env var").action((id, key) => {
   try {
     unsetServerEnv(id, key);