npm - @hasna/mcps - Versions diffs - 0.0.14 → 0.0.16 - Mend

@hasna/mcps 0.0.14 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/README.md +21 -0
package/bin/index.js +967 -182
package/bin/mcp.js +605 -95
package/dist/index.d.ts +5 -2
package/dist/index.js +523 -53
package/dist/lib/credentials.d.ts +18 -0
package/dist/lib/doctor.d.ts +4 -1
package/dist/lib/install.d.ts +5 -1
package/dist/lib/local-command-consent.d.ts +38 -0
package/dist/lib/proxy.d.ts +6 -2
package/dist/lib/registry.d.ts +4 -2
package/dist/lib/remote.d.ts +4 -1
package/dist/mcp/index.js +605 -95
package/dist/types.d.ts +15 -0
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -9547,6 +9547,7 @@ function getDb() {
       command TEXT NOT NULL,
       args TEXT NOT NULL DEFAULT '[]',
       env TEXT NOT NULL DEFAULT '{}',
+      credential_refs TEXT NOT NULL DEFAULT '{}',
       transport TEXT NOT NULL DEFAULT 'stdio',
       url TEXT,
       source TEXT NOT NULL DEFAULT 'local',
@@ -9573,6 +9574,9 @@ function getDb() {
   try {
     db.exec("ALTER TABLE servers ADD COLUMN last_error TEXT");
   } catch {}
+  try {
+    db.exec("ALTER TABLE servers ADD COLUMN credential_refs TEXT NOT NULL DEFAULT '{}'");
+  } catch {}
   db.exec(`
     CREATE TABLE IF NOT EXISTS sources (
       id TEXT PRIMARY KEY,
@@ -16627,17 +16631,17 @@ __export(exports_sources, {
   clearCache: () => clearCache,
   addSource: () => addSource
 });
-import { mkdirSync as mkdirSync6, existsSync as existsSync6, readFileSync as readFileSync2, writeFileSync as writeFileSync2, readdirSync as readdirSync3, unlinkSync } from "fs";
-import { join as join7 } from "path";
+import { mkdirSync as mkdirSync6, existsSync as existsSync7, readFileSync as readFileSync3, writeFileSync as writeFileSync2, readdirSync as readdirSync3, unlinkSync } from "fs";
+import { join as join8 } from "path";
 function getCacheFile(sourceId) {
-  return join7(CACHE_DIR, `${sourceId}.json`);
+  return join8(CACHE_DIR, `${sourceId}.json`);
 }
 function readCache(sourceId) {
   try {
     const file = getCacheFile(sourceId);
-    if (!existsSync6(file))
+    if (!existsSync7(file))
       return null;
-    const data = JSON.parse(readFileSync2(file, "utf-8"));
+    const data = JSON.parse(readFileSync3(file, "utf-8"));
     return data;
   } catch {
     return null;
@@ -16651,7 +16655,7 @@ function writeCache(sourceId, results) {
 }
 function clearCache(sourceId) {
   try {
-    if (!existsSync6(CACHE_DIR))
+    if (!existsSync7(CACHE_DIR))
       return;
     const files = readdirSync3(CACHE_DIR);
     for (const file of files) {
@@ -16659,7 +16663,7 @@ function clearCache(sourceId) {
         continue;
       if (!sourceId || file.startsWith(`${sourceId}.`)) {
         try {
-          unlinkSync(join7(CACHE_DIR, file));
+          unlinkSync(join8(CACHE_DIR, file));
         } catch {}
       }
     }
@@ -16905,12 +16909,166 @@ var CACHE_DIR, DEFAULT_TTL_MS;
 var init_sources = __esm(() => {
   init_db();
   init_config2();
-  CACHE_DIR = join7(MCPS_DIR, "cache");
+  CACHE_DIR = join8(MCPS_DIR, "cache");
   DEFAULT_TTL_MS = 10 * 60 * 1000;
 });
 // src/lib/registry.ts
 init_db();
+// src/lib/credentials.ts
+init_config2();
+import { existsSync as existsSync6, readFileSync as readFileSync2 } from "fs";
+import { join as join7 } from "path";
+class CredentialReferenceError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredentialReferenceError";
+  }
+}
+var SECRET_KEY_PATTERN = /(?:^|[_-])(api[_-]?key|token|secret|password|passwd|credential|auth|private[_-]?key)(?:$|[_-])/i;
+var SECRET_VALUE_PATTERN = /^(sk_(?:live|test)_[A-Za-z0-9_]+|ghp_[A-Za-z0-9_]+|github_pat_[A-Za-z0-9_]+|xox[baprs]-[A-Za-z0-9-]+|AIza[A-Za-z0-9_-]{20,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
+var REDACTED_CREDENTIAL_VALUE = "<redacted>";
+function normalizeKey(key) {
+  return key.trim();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isSecretLikeEnvKey(key) {
+  return SECRET_KEY_PATTERN.test(key);
+}
+function isSecretLikeValue(value) {
+  return SECRET_VALUE_PATTERN.test(value.trim());
+}
+function normalizeCredentialRef(ref) {
+  const source = ref.source;
+  if (source !== "env" && source !== "local-vault" && source !== "hosted") {
+    throw new CredentialReferenceError(`Unsupported credential reference source: ${String(source)}`);
+  }
+  const name = ref.name?.trim();
+  if (!name) {
+    throw new CredentialReferenceError("Credential reference name is required");
+  }
+  return {
+    source,
+    name,
+    required: ref.required !== false,
+    ...ref.description ? { description: ref.description } : {}
+  };
+}
+function normalizeCredentialRefs(refs) {
+  const normalized = {};
+  for (const [rawKey, ref] of Object.entries(refs ?? {})) {
+    const key = normalizeKey(rawKey);
+    if (!key)
+      throw new CredentialReferenceError("Credential reference env key is required");
+    normalized[key] = normalizeCredentialRef(ref);
+  }
+  return normalized;
+}
+function parseCredentialRefs(value) {
+  if (!isRecord(value))
+    return {};
+  const refs = {};
+  for (const [key, ref] of Object.entries(value)) {
+    if (!isRecord(ref))
+      continue;
+    const source = ref.source;
+    const name = ref.name;
+    if ((source === "env" || source === "local-vault" || source === "hosted") && typeof name === "string" && name.trim()) {
+      refs[key] = normalizeCredentialRef({
+        source,
+        name,
+        required: typeof ref.required === "boolean" ? ref.required : true,
+        description: typeof ref.description === "string" ? ref.description : undefined
+      });
+    }
+  }
+  return refs;
+}
+function normalizeLiteralEnv(env) {
+  const normalized = {};
+  for (const [rawKey, rawValue] of Object.entries(env ?? {})) {
+    const key = normalizeKey(rawKey);
+    if (!key)
+      continue;
+    const value = String(rawValue);
+    if (isSecretLikeEnvKey(key) || isSecretLikeValue(value)) {
+      throw new CredentialReferenceError(`Refusing to store raw secret-like env value for "${key}". Use a credential reference instead.`);
+    }
+    normalized[key] = value;
+  }
+  return normalized;
+}
+function redactEnv(env) {
+  const redacted = {};
+  for (const [key, value] of Object.entries(env)) {
+    redacted[key] = isSecretLikeEnvKey(key) || isSecretLikeValue(value) ? REDACTED_CREDENTIAL_VALUE : value;
+  }
+  return redacted;
+}
+function redactServerCredentials(server) {
+  return {
+    ...server,
+    env: redactEnv(server.env),
+    credentialRefs: normalizeCredentialRefs(server.credentialRefs)
+  };
+}
+function readLocalVault() {
+  const path = process.env.HASNA_MCPS_CREDENTIAL_VAULT_PATH ?? join7(MCPS_DIR, "credentials.local.json");
+  if (!existsSync6(path))
+    return {};
+  const parsed = JSON.parse(readFileSync2(path, "utf-8"));
+  if (!isRecord(parsed))
+    return {};
+  const values = {};
+  for (const [key, value] of Object.entries(parsed)) {
+    if (typeof value === "string")
+      values[key] = value;
+  }
+  return values;
+}
+function resolveCredentialRef(envKey, ref) {
+  if (ref.source === "env") {
+    const value = process.env[ref.name];
+    if (value === undefined && ref.required !== false) {
+      throw new CredentialReferenceError(`Missing required environment credential "${ref.name}" for "${envKey}"`);
+    }
+    return value;
+  }
+  if (ref.source === "local-vault") {
+    const value = readLocalVault()[ref.name];
+    if (value === undefined && ref.required !== false) {
+      throw new CredentialReferenceError(`Missing required local vault credential "${ref.name}" for "${envKey}"`);
+    }
+    return value;
+  }
+  if (ref.required !== false) {
+    throw new CredentialReferenceError(`Hosted credential "${ref.name}" for "${envKey}" cannot be resolved by the local runtime`);
+  }
+  return;
+}
+function resolveServerEnv(server) {
+  const resolved = { ...server.env };
+  const refs = normalizeCredentialRefs(server.credentialRefs);
+  for (const [envKey, ref] of Object.entries(refs)) {
+    const value = resolveCredentialRef(envKey, ref);
+    if (value !== undefined)
+      resolved[envKey] = value;
+  }
+  return resolved;
+}
+function credentialRefPlaceholders(refs) {
+  const placeholders = {};
+  for (const key of Object.keys(refs ?? {})) {
+    placeholders[key] = REDACTED_CREDENTIAL_VALUE;
+  }
+  return placeholders;
+}
+// src/lib/registry.ts
 function parseRow(row) {
   return {
     id: row.id,
@@ -16919,6 +17077,7 @@ function parseRow(row) {
     command: row.command,
     args: safeJsonParse(row.args, []),
     env: safeJsonParse(row.env, {}),
+    credentialRefs: parseCredentialRefs(safeJsonParse(row.credential_refs, {})),
     transport: row.transport,
     url: row.url || null,
     source: row.source,
@@ -16986,9 +17145,9 @@ function addServer(opts) {
   if (!id) {
     throw new Error("Unable to generate a valid server ID");
   }
-  const row = db2.prepare(`INSERT INTO servers (id, name, description, command, args, env, transport, url, source)
-       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
-       RETURNING *`).get(id, name, opts.description || null, command, JSON.stringify(opts.args || []), JSON.stringify(opts.env || {}), opts.transport || "stdio", opts.url || null, opts.source || "local");
+  const row = db2.prepare(`INSERT INTO servers (id, name, description, command, args, env, credential_refs, transport, url, source)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+       RETURNING *`).get(id, name, opts.description || null, command, JSON.stringify(opts.args || []), JSON.stringify(normalizeLiteralEnv(opts.env)), JSON.stringify(normalizeCredentialRefs(opts.credentialRefs)), opts.transport || "stdio", opts.url || null, opts.source || "local");
   return parseRow(row);
 }
 function removeServer(id) {
@@ -17027,7 +17186,11 @@ function updateServer(id, updates) {
   }
   if (updates.env !== undefined) {
     sets.push("env = ?");
-    values.push(JSON.stringify(updates.env));
+    values.push(JSON.stringify(normalizeLiteralEnv(updates.env)));
+  }
+  if (updates.credentialRefs !== undefined) {
+    sets.push("credential_refs = ?");
+    values.push(JSON.stringify(normalizeCredentialRefs(updates.credentialRefs)));
   }
   if (updates.transport !== undefined) {
     sets.push("transport = ?");
@@ -17061,7 +17224,7 @@ function setServerEnv(id, key, value) {
   if (!server)
     throw new Error(`Server "${id}" not found`);
   const env = { ...server.env, [key]: value };
-  db2.prepare("UPDATE servers SET env = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(env), id);
+  db2.prepare("UPDATE servers SET env = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(normalizeLiteralEnv(env)), id);
 }
 function unsetServerEnv(id, key) {
   const db2 = getDb();
@@ -17072,6 +17235,23 @@ function unsetServerEnv(id, key) {
   delete env[key];
   db2.prepare("UPDATE servers SET env = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(env), id);
 }
+function setServerCredentialRef(id, key, ref) {
+  const db2 = getDb();
+  const server = getServer(id);
+  if (!server)
+    throw new Error(`Server "${id}" not found`);
+  const credentialRefs = normalizeCredentialRefs({ ...server.credentialRefs ?? {}, [key]: ref });
+  db2.prepare("UPDATE servers SET credential_refs = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(credentialRefs), id);
+}
+function unsetServerCredentialRef(id, key) {
+  const db2 = getDb();
+  const server = getServer(id);
+  if (!server)
+    throw new Error(`Server "${id}" not found`);
+  const credentialRefs = { ...server.credentialRefs ?? {} };
+  delete credentialRefs[key];
+  db2.prepare("UPDATE servers SET credential_refs = ?, updated_at = datetime('now') WHERE id = ?").run(JSON.stringify(normalizeCredentialRefs(credentialRefs)), id);
+}
 function cacheTools(serverId, tools) {
   const db2 = getDb();
   const insert = db2.prepare("INSERT INTO tool_cache (server_id, name, description, input_schema) VALUES (?, ?, ?, ?)");
@@ -17111,6 +17291,7 @@ function cloneServer(id, newName) {
     command: server.command,
     args: server.args,
     env: server.env,
+    credentialRefs: server.credentialRefs,
     transport: server.transport,
     url: server.url ?? undefined,
     source: server.source
@@ -25242,6 +25423,185 @@ class StreamableHTTPClientTransport {
 // src/lib/proxy.ts
 init_config2();
 init_db();
+// src/lib/local-command-consent.ts
+class LocalCommandConsentError extends Error {
+  review;
+  constructor(message, review) {
+    super(message);
+    this.name = "LocalCommandConsentError";
+    this.review = review;
+  }
+}
+var SHELL_COMMANDS = new Set(["bash", "sh", "zsh", "fish", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"]);
+var DESTRUCTIVE_COMMANDS = new Set([
+  "rm",
+  "dd",
+  "mkfs",
+  "shutdown",
+  "reboot",
+  "poweroff",
+  "halt",
+  "killall",
+  "pkill"
+]);
+var SHELL_EVAL_FLAGS = new Set(["-c", "/c", "-Command", "-command", "-EncodedCommand", "-encodedcommand"]);
+var SECRET_FLAG_PATTERN = /(?:^|[-_])(api[-_]?key|token|secret|password|passwd|credential|auth|private[-_]?key)(?:$|[-_])/i;
+var SECRET_KEY_PATTERN2 = /(?:^|[_-])(api[_-]?key|token|secret|password|passwd|credential|auth|private[_-]?key)(?:$|[_-])/i;
+var SECRET_VALUE_PATTERN2 = /^(sk_(?:live|test)_[A-Za-z0-9_]+|ghp_[A-Za-z0-9_]+|github_pat_[A-Za-z0-9_]+|xox[baprs]-[A-Za-z0-9-]+|AIza[A-Za-z0-9_-]{20,}|eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/;
+var SHELL_META_PATTERN = /[;&|`<>]|\$\(/;
+function commandBase(command) {
+  return command.trim().split(/[\\/]/).pop()?.toLowerCase() || command.trim().toLowerCase();
+}
+function normalizeArgs(args) {
+  return (args ?? []).map((arg) => String(arg));
+}
+function isSecretKey(key) {
+  return SECRET_KEY_PATTERN2.test(key) || SECRET_FLAG_PATTERN.test(key);
+}
+function isSecretValue(value) {
+  return SECRET_VALUE_PATTERN2.test(value.trim());
+}
+function isSecretAssignment(arg) {
+  const eqIdx = arg.indexOf("=");
+  if (eqIdx <= 0)
+    return false;
+  const key = arg.slice(0, eqIdx);
+  const value = arg.slice(eqIdx + 1);
+  return isSecretKey(key) || isSecretValue(value);
+}
+function isSecretArg(args, index) {
+  const arg = args[index] ?? "";
+  const previous = args[index - 1] ?? "";
+  return isSecretAssignment(arg) || isSecretValue(arg) || SECRET_FLAG_PATTERN.test(previous);
+}
+function quoteArg(value) {
+  return JSON.stringify(value);
+}
+function displayCommand(command, args) {
+  return [quoteArg(command), ...args.map((arg, index) => quoteArg(isSecretArg(args, index) ? "<redacted>" : arg))].join(" ");
+}
+function pushRisk(risks, risk) {
+  if (risks.some((existing) => existing.code === risk.code && existing.evidence === risk.evidence))
+    return;
+  risks.push(risk);
+}
+function inspectRisks(command, args, env) {
+  const risks = [];
+  const base = commandBase(command);
+  const joined = [command, ...args].join(" ");
+  if (SHELL_COMMANDS.has(base)) {
+    pushRisk(risks, {
+      code: "shell_interpreter",
+      severity: "warning",
+      message: "Command launches a shell interpreter.",
+      evidence: base
+    });
+    if (args.some((arg) => SHELL_EVAL_FLAGS.has(arg))) {
+      pushRisk(risks, {
+        code: "shell_eval",
+        severity: "danger",
+        message: "Shell command evaluates an inline script.",
+        evidence: base
+      });
+    }
+  }
+  if (base === "sudo") {
+    pushRisk(risks, {
+      code: "privilege_escalation",
+      severity: "danger",
+      message: "Command requests elevated privileges.",
+      evidence: base
+    });
+  }
+  if (DESTRUCTIVE_COMMANDS.has(base) || /\brm\s+-[^\s]*[rf][^\s]*\b/.test(joined) || /--no-preserve-root\b/.test(joined)) {
+    pushRisk(risks, {
+      code: "destructive_command",
+      severity: "danger",
+      message: "Command includes a destructive system operation.",
+      evidence: base
+    });
+  }
+  if (/\b(curl|wget)\b[\s\S]*\|[\s\S]*\b(sh|bash|zsh|fish)\b/.test(joined)) {
+    pushRisk(risks, {
+      code: "download_pipe_shell",
+      severity: "danger",
+      message: "Command downloads remote content and pipes it to a shell."
+    });
+  }
+  if ([command, ...args].some((part) => SHELL_META_PATTERN.test(part))) {
+    pushRisk(risks, {
+      code: "shell_metacharacters",
+      severity: "warning",
+      message: "Command or arguments contain shell metacharacters."
+    });
+  }
+  if (args.some((arg, index) => isSecretArg(args, index))) {
+    pushRisk(risks, {
+      code: "inline_secret",
+      severity: "danger",
+      message: "Command arguments appear to contain inline secret material."
+    });
+  }
+  const secretEnvKeys = Object.keys(env).filter(isSecretKey).sort();
+  if (secretEnvKeys.length > 0) {
+    pushRisk(risks, {
+      code: "secret_env",
+      severity: "warning",
+      message: "Environment contains secret-like keys; values are redacted from consent output.",
+      evidence: secretEnvKeys.join(", ")
+    });
+  }
+  return risks;
+}
+function inspectLocalCommand(input) {
+  const args = normalizeArgs(input.args);
+  const env = input.env ?? {};
+  const transport = input.transport ?? "stdio";
+  const risks = inspectRisks(input.command, args, env);
+  return {
+    requiresConsent: transport === "stdio",
+    operation: input.operation ?? "launch",
+    command: input.command,
+    args,
+    displayCommand: displayCommand(input.command, args),
+    envKeys: Object.keys(env).sort(),
+    risks,
+    hasDangerousRisk: risks.some((risk) => risk.severity === "danger")
+  };
+}
+function formatLocalCommandReview(review) {
+  const lines = [
+    `Command: ${review.displayCommand}`,
+    review.envKeys.length > 0 ? `Env keys: ${review.envKeys.join(", ")}` : "Env keys: <none>"
+  ];
+  if (review.risks.length > 0) {
+    lines.push("Risks:");
+    for (const risk of review.risks) {
+      lines.push(`- ${risk.severity}: ${risk.code} - ${risk.message}${risk.evidence ? ` (${risk.evidence})` : ""}`);
+    }
+  } else {
+    lines.push("Risks: none detected");
+  }
+  return lines.join(`
+`);
+}
+function assertLocalCommandConsent(input, consent = {}) {
+  const review = inspectLocalCommand(input);
+  if (!review.requiresConsent)
+    return review;
+  if (consent.approved !== true) {
+    throw new LocalCommandConsentError(`local stdio command approval is required before ${review.operation}.
+${formatLocalCommandReview(review)}`, review);
+  }
+  if (review.hasDangerousRisk && consent.allowRisky !== true) {
+    throw new LocalCommandConsentError(`risky command approval is required before ${review.operation}.
+${formatLocalCommandReview(review)}`, review);
+  }
+  return review;
+}
+// src/lib/proxy.ts
 var connections = new Map;
 var inflightConnections = new Map;
 function buildEnv(extra) {
@@ -25267,7 +25627,7 @@ function requireUrl(entry) {
     throw new Error(`Server "${entry.id}" has an invalid URL: ${entry.url}`);
   }
 }
-async function connectToServer(entry) {
+async function connectToServer(entry, options = {}) {
   if (connections.has(entry.id)) {
     return connections.get(entry.id);
   }
@@ -25283,10 +25643,17 @@ async function connectToServer(entry) {
         if (!entry.command?.trim()) {
           throw new Error(`Server "${entry.id}" is missing a command`);
         }
+        assertLocalCommandConsent({
+          command: entry.command,
+          args: entry.args,
+          env: { ...entry.env, ...credentialRefPlaceholders(entry.credentialRefs) },
+          transport: entry.transport,
+          operation: "launch"
+        }, options.localCommandConsent);
         transport = new StdioClientTransport({
           command: entry.command,
           args: entry.args,
-          env: buildEnv(entry.env)
+          env: buildEnv(resolveServerEnv(entry))
         });
       } else if (entry.transport === "sse") {
         transport = new SSEClientTransport(requireUrl(entry));
@@ -25418,13 +25785,28 @@ async function refreshTools(id) {
 }
 // src/lib/doctor.ts
-async function diagnoseServer(server) {
+async function diagnoseServer(server, options = {}) {
   const checks3 = [];
+  let hasLocalConsent = true;
   if (server.transport === "stdio") {
+    try {
+      assertLocalCommandConsent({
+        command: server.command,
+        args: server.args,
+        env: { ...server.env, ...credentialRefPlaceholders(server.credentialRefs) },
+        transport: server.transport,
+        operation: "diagnose"
+      }, options.localCommandConsent);
+    } catch (err) {
+      hasLocalConsent = false;
+      checks3.push({ name: "local command consent", pass: false, message: err.message });
+    }
     try {
       const path = execFileSync("which", [server.command], { stdio: "pipe" }).toString().trim();
       let version2 = "";
       try {
+        if (!hasLocalConsent)
+          throw new Error("local stdio command approval is required before version probing");
         version2 = execFileSync(server.command, ["--version"], { stdio: "pipe" }).toString().trim().split(`
 `)[0];
       } catch {}
@@ -25440,12 +25822,29 @@ async function diagnoseServer(server) {
     }
   }
   const missingEnv = Object.entries(server.env).filter(([, v]) => !v);
-  if (Object.keys(server.env).length === 0) {
-    checks3.push({ name: "env vars", pass: true, message: "no env vars required" });
-  } else if (missingEnv.length > 0) {
-    checks3.push({ name: "env vars", pass: false, message: `missing values for: ${missingEnv.map(([k]) => k).join(", ")}` });
+  const credentialRefCount = Object.keys(server.credentialRefs ?? {}).length;
+  let credentialError = null;
+  try {
+    resolveServerEnv(server);
+  } catch (err) {
+    credentialError = err.message;
+  }
+  if (Object.keys(server.env).length === 0 && credentialRefCount === 0) {
+    checks3.push({ name: "env vars", pass: true, message: "no env vars or credential refs required" });
+  } else if (missingEnv.length > 0 || credentialError) {
+    const parts = [];
+    if (missingEnv.length > 0)
+      parts.push(`missing literal values for: ${missingEnv.map(([k]) => k).join(", ")}`);
+    if (credentialError)
+      parts.push(credentialError);
+    checks3.push({ name: "env vars", pass: false, message: parts.join("; ") });
   } else {
-    checks3.push({ name: "env vars", pass: true, message: `${Object.keys(server.env).length} env var(s) set` });
+    const literalCount = Object.keys(server.env).length;
+    checks3.push({
+      name: "env vars",
+      pass: true,
+      message: `${literalCount} literal env var(s), ${credentialRefCount} credential ref(s) available`
+    });
   }
   if (server.transport !== "stdio" && server.url) {
     try {
@@ -25455,10 +25854,10 @@ async function diagnoseServer(server) {
       checks3.push({ name: "URL reachable", pass: false, message: `unreachable: ${err.message}` });
     }
   }
-  if (server.enabled) {
+  if (server.enabled && hasLocalConsent) {
     try {
       await Promise.race([
-        connectToServer(server),
+        connectToServer(server, { localCommandConsent: options.localCommandConsent }),
         new Promise((_, reject) => setTimeout(() => reject(new Error("timeout after 10s")), 1e4))
       ]);
       await disconnectServer(server.id);
@@ -25466,8 +25865,10 @@ async function diagnoseServer(server) {
     } catch (err) {
       checks3.push({ name: "connect & list tools", pass: false, message: err.message });
     }
-  } else {
+  } else if (!server.enabled) {
     checks3.push({ name: "connect & list tools", pass: true, message: "skipped (server disabled)" });
+  } else {
+    checks3.push({ name: "connect & list tools", pass: false, message: "skipped until local stdio command is approved" });
   }
   return {
     server,
@@ -25507,7 +25908,7 @@ async function getRegistryServer(id) {
   const all = entries.map(parseRegistryEntry);
   return all.find((s) => s.id === id) || null;
 }
-async function installFromRegistry(id) {
+async function installFromRegistry(id, options = {}) {
   const server = await getRegistryServer(id);
   if (!server) {
     throw new Error(`Server "${id}" not found in registry`);
@@ -25527,6 +25928,13 @@ async function installFromRegistry(id) {
       transport = pkg.transport.type;
     }
   }
+  assertLocalCommandConsent({
+    command,
+    args,
+    transport,
+    env: {},
+    operation: "register"
+  }, options.localCommandConsent);
   return addServer({
     name: server.name,
     description: server.description,
@@ -25763,11 +26171,19 @@ function installProviderProfile(id, options = {}) {
   if (!command) {
     throw new Error(`Provider profile "${id}" does not define an install fallback command`);
   }
+  assertLocalCommandConsent({
+    command,
+    args,
+    env: fallback?.env ?? {},
+    transport: useFallback ? "stdio" : profile.transport,
+    operation: "register"
+  }, options.localCommandConsent);
   return addServer({
     name: options.name ?? profile.displayName,
     description: profile.description ?? undefined,
     command,
     args,
+    env: fallback?.env,
     transport: useFallback ? "stdio" : profile.transport,
     url: useFallback ? fallback?.url : profile.endpoint ?? undefined,
     source: "provider-profile"
@@ -25787,8 +26203,8 @@ init_provider_profile_seeds();
 // src/lib/install.ts
 import { execFileSync as execFileSync2 } from "child_process";
-import { existsSync as existsSync7, readFileSync as readFileSync3, writeFileSync as writeFileSync3, mkdirSync as mkdirSync7 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync8, readFileSync as readFileSync4, writeFileSync as writeFileSync3, mkdirSync as mkdirSync7 } from "fs";
+import { join as join9 } from "path";
 import { homedir as homedir8 } from "os";
 function installToClaude(entry) {
   try {
@@ -25800,7 +26216,7 @@ function installToClaude(entry) {
       "--scope",
       "user"
     ];
-    for (const [k, v] of Object.entries(entry.env)) {
+    for (const [k, v] of Object.entries(assertAgentInstallEnv(entry))) {
       args.push("--env", `${k}=${v}`);
     }
     args.push(entry.id, "--", entry.command, ...entry.args);
@@ -25812,9 +26228,9 @@ function installToClaude(entry) {
 }
 function installToCodex(entry) {
   try {
-    const configDir = join8(homedir8(), ".codex");
-    const configPath = join8(configDir, "config.toml");
-    if (!existsSync7(configDir)) {
+    const configDir = join9(homedir8(), ".codex");
+    const configPath = join9(configDir, "config.toml");
+    if (!existsSync8(configDir)) {
       mkdirSync7(configDir, { recursive: true });
     }
     const block = `
@@ -25822,7 +26238,7 @@ function installToCodex(entry) {
 ` + `command = ${JSON.stringify(entry.command)}
 ` + `args = [${entry.args.map((a) => JSON.stringify(a)).join(", ")}]
 `;
-    const existing = existsSync7(configPath) ? readFileSync3(configPath, "utf-8") : "";
+    const existing = existsSync8(configPath) ? readFileSync4(configPath, "utf-8") : "";
     if (existing.includes(`[mcp_servers.${entry.id}]`)) {
       return { agent: "codex", success: true };
     }
@@ -25834,21 +26250,22 @@ function installToCodex(entry) {
 }
 function installToGemini(entry) {
   try {
-    const configDir = join8(homedir8(), ".gemini");
-    const configPath = join8(configDir, "settings.json");
-    if (!existsSync7(configDir)) {
+    const configDir = join9(homedir8(), ".gemini");
+    const configPath = join9(configDir, "settings.json");
+    if (!existsSync8(configDir)) {
       mkdirSync7(configDir, { recursive: true });
     }
     let settings = {};
-    if (existsSync7(configPath)) {
-      settings = JSON.parse(readFileSync3(configPath, "utf-8"));
+    if (existsSync8(configPath)) {
+      settings = JSON.parse(readFileSync4(configPath, "utf-8"));
     }
     if (!settings.mcpServers)
       settings.mcpServers = {};
+    const env = assertAgentInstallEnv(entry);
     settings.mcpServers[entry.id] = {
       command: entry.command,
       args: entry.args,
-      ...Object.keys(entry.env).length > 0 ? { env: entry.env } : {}
+      ...Object.keys(env).length > 0 ? { env } : {}
     };
     writeFileSync3(configPath, JSON.stringify(settings, null, 2), "utf-8");
     return { agent: "gemini", success: true };
@@ -25856,7 +26273,43 @@ function installToGemini(entry) {
     return { agent: "gemini", success: false, error: err.message };
   }
 }
-function installToAgents(entry, targets = ["claude", "codex", "gemini"]) {
+function assertAgentInstallEnv(entry) {
+  const refs = entry.credentialRefs ?? {};
+  if (Object.keys(refs).length > 0) {
+    throw new CredentialReferenceError(`Server "${entry.id}" uses credential references; refusing to materialize secrets into local agent config files`);
+  }
+  for (const [key, value] of Object.entries(entry.env)) {
+    if (isSecretLikeEnvKey(key) || isSecretLikeValue(value)) {
+      throw new CredentialReferenceError(`Server "${entry.id}" has legacy raw secret-like env "${key}"; move it to a credential reference before installing to agents`);
+    }
+  }
+  return entry.env;
+}
+function installToAgents(entry, targets = ["claude", "codex", "gemini"], options = {}) {
+  try {
+    assertLocalCommandConsent({
+      command: entry.command,
+      args: entry.args,
+      env: { ...entry.env, ...credentialRefPlaceholders(entry.credentialRefs) },
+      transport: entry.transport,
+      operation: "install"
+    }, options.localCommandConsent);
+  } catch (err) {
+    return targets.map((target) => ({
+      agent: target,
+      success: false,
+      error: err.message
+    }));
+  }
+  try {
+    assertAgentInstallEnv(entry);
+  } catch (err) {
+    return targets.map((target) => ({
+      agent: target,
+      success: false,
+      error: err.message
+    }));
+  }
   return targets.map((target) => {
     if (target === "claude")
       return installToClaude(entry);
@@ -26066,11 +26519,11 @@ function seedDefaultMachines() {
 // src/lib/fleet.ts
 init_config2();
 import { spawn as spawn2 } from "child_process";
-import { existsSync as existsSync8, mkdirSync as mkdirSync8, readFileSync as readFileSync4, writeFileSync as writeFileSync4 } from "fs";
-import { join as join9 } from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, readFileSync as readFileSync5, writeFileSync as writeFileSync4 } from "fs";
+import { join as join10 } from "path";
 var NPM_SEARCH_URL = "https://registry.npmjs.org/-/v1/search";
 var NPM_REGISTRY_URL = "https://registry.npmjs.org";
-var CATALOG_CACHE_PATH = join9(MCPS_DIR, "cache", "hasna-catalog.json");
+var CATALOG_CACHE_PATH = join10(MCPS_DIR, "cache", "hasna-catalog.json");
 var DEFAULT_CATALOG_CACHE_TTL_MS = 60 * 60 * 1000;
 var DEFAULT_REMOTE_TIMEOUT_MS = 180000;
 var DEFAULT_HANDSHAKE_TIMEOUT_MS = 2500;
@@ -26080,9 +26533,9 @@ function normalizeQueryList(values) {
 }
 function readCatalogCache(maxAgeMs) {
   try {
-    if (!existsSync8(CATALOG_CACHE_PATH))
+    if (!existsSync9(CATALOG_CACHE_PATH))
       return null;
-    const parsed = JSON.parse(readFileSync4(CATALOG_CACHE_PATH, "utf-8"));
+    const parsed = JSON.parse(readFileSync5(CATALOG_CACHE_PATH, "utf-8"));
     if (!parsed.cachedAt || !Array.isArray(parsed.entries))
       return null;
     if (Date.now() - parsed.cachedAt > maxAgeMs)
@@ -26094,7 +26547,7 @@ function readCatalogCache(maxAgeMs) {
 }
 function writeCatalogCache(entries) {
   try {
-    mkdirSync8(join9(MCPS_DIR, "cache"), { recursive: true });
+    mkdirSync8(join10(MCPS_DIR, "cache"), { recursive: true });
     writeFileSync4(CATALOG_CACHE_PATH, JSON.stringify({ cachedAt: Date.now(), entries }, null, 2), "utf-8");
   } catch {}
 }
@@ -26765,22 +27218,22 @@ async function runFleetInstall(options = {}, dependencies = {}) {
   }));
 }
 // src/lib/version.ts
-import { existsSync as existsSync9, readFileSync as readFileSync5 } from "fs";
-import { dirname as dirname3, join as join10 } from "path";
+import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
+import { dirname as dirname3, join as join11 } from "path";
 import { fileURLToPath } from "url";
 var FALLBACK_VERSION = "0.0.1";
 function readPackageVersion(moduleUrl, fallback = FALLBACK_VERSION) {
   const baseDir = dirname3(fileURLToPath(moduleUrl));
   const candidates = [
-    join10(baseDir, "..", "..", "package.json"),
-    join10(baseDir, "..", "package.json"),
-    join10(baseDir, "package.json")
+    join11(baseDir, "..", "..", "package.json"),
+    join11(baseDir, "..", "package.json"),
+    join11(baseDir, "package.json")
   ];
   for (const candidate of candidates) {
-    if (!existsSync9(candidate))
+    if (!existsSync10(candidate))
       continue;
     try {
-      const pkg = JSON.parse(readFileSync5(candidate, "utf-8"));
+      const pkg = JSON.parse(readFileSync6(candidate, "utf-8"));
       if (pkg.version)
         return pkg.version;
     } catch {}
@@ -26796,19 +27249,27 @@ export {
   updateServer,
   updateMachine,
   unsetServerEnv,
+  unsetServerCredentialRef,
   setServerEnv,
+  setServerCredentialRef,
   seedDefaultProviderProfiles,
   seedDefaultMachines,
   searchRegistry,
   searchProviderProfiles,
   runFleetInstall,
   runFleetHealthCheck,
+  resolveServerEnv,
   removeSource,
   removeServer,
   removeProviderProfile,
   removeMachine,
   refreshTools,
+  redactServerCredentials,
+  redactEnv,
   readPackageVersion,
+  normalizeLiteralEnv,
+  normalizeCredentialRefs,
+  normalizeCredentialRef,
   listSources,
   listServers,
   listProviderProfiles,
@@ -26816,9 +27277,12 @@ export {
   listHasnaMcpCatalog,
   listAwesomeServers,
   listAllTools,
+  isSecretLikeValue,
+  isSecretLikeEnvKey,
   installToAgents,
   installProviderProfile,
   installFromRegistry,
+  inspectLocalCommand,
   getToolCounts,
   getSource,
   getServer,
@@ -26827,6 +27291,7 @@ export {
   getMachine,
   getDb,
   getCachedTools,
+  formatLocalCommandReview,
   findServers,
   enableSource,
   enableServer,
@@ -26837,13 +27302,18 @@ export {
   disableServer,
   disableProviderProfile,
   diagnoseServer,
+  credentialRefPlaceholders,
   connectToServer,
   closeDb,
   cloneServer,
   callTool,
+  assertLocalCommandConsent,
   addSource,
   addServer,
   addMachine,
+  REDACTED_CREDENTIAL_VALUE,
+  LocalCommandConsentError,
   DEFAULT_PROVIDER_PROFILE_SEEDS,
-  DEFAULT_MACHINE_SEEDS
+  DEFAULT_MACHINE_SEEDS,
+  CredentialReferenceError
 };