@mhingston5/conduit 1.1.4 → 1.1.6

package/dist/index.js

@@ -111,9 +111,13 @@ var ConfigService = class {
   }
   loadConfigFile() {
     const configPath = process.env.CONFIG_FILE || (fs.existsSync(path.resolve(process.cwd(), "conduit.yaml")) ? "conduit.yaml" : fs.existsSync(path.resolve(process.cwd(), "conduit.json")) ? "conduit.json" : null);
-    if (!configPath) return {};
+    if (!configPath) {
+      console.warn(`[Conduit] No config file found in ${process.cwd()}. Running with default settings.`);
+      return {};
+    }
     try {
       const fullPath = path.resolve(process.cwd(), configPath);
+      console.error(`[Conduit] Loading config from ${fullPath}`);
       let fileContent = fs.readFileSync(fullPath, "utf-8");
       fileContent = fileContent.replace(/\$\{([a-zA-Z0-9_]+)(?::-([^}]+))?\}/g, (match, varName, defaultValue) => {
         const value = process.env[varName];
@@ -392,6 +396,7 @@ var StdioTransport = class {
   requestController;
   concurrencyService;
   buffer = "";
+  pendingRequests = /* @__PURE__ */ new Map();
   constructor(logger, requestController, concurrencyService) {
     this.logger = logger;
     this.requestController = requestController;
@@ -405,6 +410,30 @@ var StdioTransport = class {
       this.logger.info("Stdin closed");
     });
   }
+  async callHost(method, params) {
+    const id = Math.random().toString(36).substring(7);
+    const request = {
+      jsonrpc: "2.0",
+      id,
+      method,
+      params
+    };
+    return new Promise((resolve, reject) => {
+      const timeout = setTimeout(() => {
+        this.pendingRequests.delete(id);
+        reject(new Error(`Timeout waiting for host response to ${method}`));
+      }, 3e4);
+      this.pendingRequests.set(id, (response) => {
+        clearTimeout(timeout);
+        if (response.error) {
+          reject(new Error(response.error.message));
+        } else {
+          resolve(response.result);
+        }
+      });
+      this.sendResponse(request);
+    });
+  }
   handleData(chunk) {
     this.buffer += chunk;
     let pos;
@@ -416,11 +445,11 @@ var StdioTransport = class {
     }
   }
   async processLine(line) {
-    let request;
+    let message;
     try {
-      request = JSON.parse(line);
+      message = JSON.parse(line);
     } catch (err) {
-      this.logger.error({ err, line }, "Failed to parse JSON-RPC request");
+      this.logger.error({ err, line }, "Failed to parse JSON-RPC message");
       const errorResponse = {
         jsonrpc: "2.0",
         id: null,
@@ -432,6 +461,15 @@ var StdioTransport = class {
       this.sendResponse(errorResponse);
       return;
     }
+    if (message.id !== void 0 && (message.result !== void 0 || message.error !== void 0)) {
+      const pending = this.pendingRequests.get(message.id);
+      if (pending) {
+        this.pendingRequests.delete(message.id);
+        pending(message);
+        return;
+      }
+    }
+    const request = message;
     const context = new ExecutionContext({
       logger: this.logger,
       remoteAddress: "stdio"
@@ -750,6 +788,9 @@ var RequestController = class {
       // Standard MCP method name
       case "mcp_discover_tools":
         return this.handleDiscoverTools(params, context, id);
+      case "resources/list":
+      case "prompts/list":
+        return { jsonrpc: "2.0", id, result: { items: [] } };
       case "mcp_list_tool_packages":
         return this.handleListToolPackages(params, context, id);
       case "mcp_list_tool_stubs":
@@ -772,12 +813,29 @@ var RequestController = class {
       case "notifications/initialized":
         return null;
       // Notifications don't get responses per MCP spec
+      case "mcp_register_upstream":
+        return this.handleRegisterUpstream(params, context, id);
       case "ping":
         return { jsonrpc: "2.0", id, result: {} };
       default:
         return this.errorResponse(id, -32601, `Method not found: ${method}`);
     }
   }
+  async handleRegisterUpstream(params, context, id) {
+    if (!params || !params.id || !params.type || !params.url && !params.command) {
+      return this.errorResponse(id, -32602, "Missing registration parameters (id, type, url/command)");
+    }
+    try {
+      this.gatewayService.registerUpstream(params);
+      return {
+        jsonrpc: "2.0",
+        id,
+        result: { success: true }
+      };
+    } catch (err) {
+      return this.errorResponse(id, -32001, err.message);
+    }
+  }
   async handleDiscoverTools(params, context, id) {
     const tools = await this.gatewayService.discoverTools(context);
     const standardizedTools = tools.map((t) => ({
@@ -845,17 +903,52 @@ var RequestController = class {
   async handleCallTool(params, context, id) {
     if (!params) return this.errorResponse(id, -32602, "Missing parameters");
     const { name, arguments: toolArgs } = params;
-    switch (name) {
-      case "mcp_execute_typescript":
-        return this.handleExecuteTypeScript(toolArgs, context, id);
-      case "mcp_execute_python":
-        return this.handleExecutePython(toolArgs, context, id);
-      case "mcp_execute_isolate":
-        return this.handleExecuteIsolate(toolArgs, context, id);
+    const toolId = this.gatewayService.policyService.parseToolName(name);
+    const baseName = toolId.name;
+    const isConduit = toolId.namespace === "conduit" || toolId.namespace === "";
+    if (isConduit) {
+      switch (baseName) {
+        case "mcp_execute_typescript":
+          return this.handleExecuteToolCall("typescript", toolArgs, context, id);
+        case "mcp_execute_python":
+          return this.handleExecuteToolCall("python", toolArgs, context, id);
+        case "mcp_execute_isolate":
+          return this.handleExecuteToolCall("isolate", toolArgs, context, id);
+      }
     }
     const response = await this.gatewayService.callTool(name, toolArgs, context);
     return { ...response, id };
   }
+  formatExecutionResult(result) {
+    const structured = {
+      stdout: result.stdout,
+      stderr: result.stderr,
+      exitCode: result.exitCode
+    };
+    return {
+      content: [{
+        type: "text",
+        text: JSON.stringify(structured)
+      }],
+      structuredContent: structured
+    };
+  }
+  async handleExecuteToolCall(mode, params, context, id) {
+    if (!params) return this.errorResponse(id, -32602, "Missing parameters");
+    const { code, limits, allowedTools } = params;
+    if (Array.isArray(allowedTools)) {
+      context.allowedTools = allowedTools;
+    }
+    const result = mode === "typescript" ? await this.executionService.executeTypeScript(code, limits, context, allowedTools) : mode === "python" ? await this.executionService.executePython(code, limits, context, allowedTools) : await this.executionService.executeIsolate(code, limits, context, allowedTools);
+    if (result.error) {
+      return this.errorResponse(id, result.error.code, result.error.message);
+    }
+    return {
+      jsonrpc: "2.0",
+      id,
+      result: this.formatExecutionResult(result)
+    };
+  }
   async handleExecuteTypeScript(params, context, id) {
     if (!params) return this.errorResponse(id, -32602, "Missing parameters");
     const { code, limits, allowedTools } = params;
@@ -976,6 +1069,7 @@ var UpstreamClient = class {
   urlValidator;
   mcpClient;
   transport;
+  connected = false;
   constructor(logger, info, authService, urlValidator) {
     this.logger = logger.child({ upstreamId: info.id });
     this.info = info;
@@ -1002,11 +1096,15 @@ var UpstreamClient = class {
   }
   async ensureConnected() {
     if (!this.mcpClient || !this.transport) return;
+    if (this.connected) return;
     try {
-      if (!this.transport.connection) {
-        await this.mcpClient.connect(this.transport);
-      }
+      this.logger.debug("Connecting to upstream transport...");
+      await this.mcpClient.connect(this.transport);
+      this.connected = true;
+      this.logger.info("Connected to upstream MCP");
     } catch (e) {
+      this.logger.error({ err: e.message }, "Failed to connect to upstream");
+      throw e;
     }
   }
   async call(request, context) {
@@ -1023,23 +1121,29 @@ var UpstreamClient = class {
     }
     try {
       await this.ensureConnected();
-      if (request.method === "list_tools") {
+      if (request.method === "list_tools" || request.method === "tools/list") {
         const result = await this.mcpClient.listTools();
         return {
           jsonrpc: "2.0",
           id: request.id,
           result
         };
-      } else if (request.method === "call_tool") {
+      } else if (request.method === "call_tool" || request.method === "tools/call") {
         const params = request.params;
         const result = await this.mcpClient.callTool({
           name: params.name,
           arguments: params.arguments
         });
+        const normalizedResult = result && Array.isArray(result.content) ? result : {
+          content: [{
+            type: "text",
+            text: typeof result === "string" ? result : JSON.stringify(result ?? null)
+          }]
+        };
         return {
           jsonrpc: "2.0",
           id: request.id,
-          result
+          result: normalizedResult
         };
       } else {
         const result = await this.mcpClient.request(
@@ -1193,21 +1297,29 @@ var AuthService = class {
     }
   }
   async doRefresh(creds, cacheKey) {
-    if (!creds.tokenUrl || !creds.refreshToken || !creds.clientId || !creds.clientSecret) {
+    if (!creds.tokenUrl || !creds.refreshToken || !creds.clientId) {
       throw new Error("OAuth2 credentials missing required fields for refresh");
     }
     this.logger.info({ tokenUrl: creds.tokenUrl, clientId: creds.clientId }, "Refreshing OAuth2 token");
     try {
-      const response = await axios3.post(creds.tokenUrl, {
-        grant_type: "refresh_token",
-        refresh_token: creds.refreshToken,
-        client_id: creds.clientId,
-        client_secret: creds.clientSecret
+      const body = new URLSearchParams();
+      body.set("grant_type", "refresh_token");
+      body.set("refresh_token", creds.refreshToken);
+      body.set("client_id", creds.clientId);
+      if (creds.clientSecret) {
+        body.set("client_secret", creds.clientSecret);
+      }
+      const response = await axios3.post(creds.tokenUrl, body, {
+        headers: {
+          "Content-Type": "application/x-www-form-urlencoded",
+          "Accept": "application/json"
+        }
       });
       const { access_token, expires_in } = response.data;
+      const expiresInSeconds = Number(expires_in) || 3600;
       this.tokenCache.set(cacheKey, {
         accessToken: access_token,
-        expiresAt: Date.now() + expires_in * 1e3
+        expiresAt: Date.now() + expiresInSeconds * 1e3
       });
       return `Bearer ${access_token}`;
     } catch (err) {
@@ -1299,6 +1411,9 @@ var PolicyService = class {
         }
         return true;
       }
+      if (patternParts.length === 1 && toolParts.length > 1) {
+        return patternParts[0] === toolParts[toolParts.length - 1];
+      }
       if (patternParts.length !== toolParts.length) return false;
       for (let i = 0; i < patternParts.length; i++) {
         if (patternParts[i] !== toolParts[i]) return false;
@@ -1314,7 +1429,7 @@ import addFormats from "ajv-formats";
 var BUILT_IN_TOOLS = [
   {
     name: "mcp_execute_typescript",
-    description: "Executes TypeScript code in a secure sandbox with access to `tools.*` SDK.",
+    description: "Executes TypeScript code in a secure sandbox. Access MCP tools via the global `tools` object (e.g. `filesystem__list_directory` -> `await tools.filesystem.list_directory(...)`).",
     inputSchema: {
       type: "object",
       properties: {
@@ -1325,7 +1440,7 @@ var BUILT_IN_TOOLS = [
         allowedTools: {
           type: "array",
           items: { type: "string" },
-          description: 'Optional list of tools the script is allowed to call (e.g. ["github.*"]).'
+          description: 'List of tool names (e.g. "filesystem.list_directory" or "filesystem.*") that the script is allowed to call.'
         }
       },
       required: ["code"]
@@ -1333,7 +1448,7 @@ var BUILT_IN_TOOLS = [
   },
   {
     name: "mcp_execute_python",
-    description: "Executes Python code in a secure sandbox with access to `tools.*` SDK.",
+    description: "Executes Python code in a secure sandbox. Access MCP tools via the global `tools` object (e.g. `filesystem__list_directory` -> `await tools.filesystem.list_directory(...)`).",
     inputSchema: {
       type: "object",
       properties: {
@@ -1344,7 +1459,7 @@ var BUILT_IN_TOOLS = [
         allowedTools: {
           type: "array",
           items: { type: "string" },
-          description: 'Optional list of tools the script is allowed to call (e.g. ["github.*"]).'
+          description: 'List of tool names (e.g. "filesystem.list_directory" or "filesystem.*") that the script is allowed to call.'
         }
       },
       required: ["code"]
@@ -1352,7 +1467,7 @@ var BUILT_IN_TOOLS = [
   },
   {
     name: "mcp_execute_isolate",
-    description: "Executes JavaScript code in a high-speed V8 isolate (no Deno/Node APIs).",
+    description: "Executes JavaScript code in a high-speed V8 isolate. Access MCP tools via the global `tools` object (e.g. `await tools.filesystem.list_directory(...)`). No Deno/Node APIs. Use `console.log` for output.",
     inputSchema: {
       type: "object",
       properties: {
@@ -1363,7 +1478,7 @@ var BUILT_IN_TOOLS = [
         allowedTools: {
           type: "array",
           items: { type: "string" },
-          description: "Optional list of tools the script is allowed to call."
+          description: 'List of tool names (e.g. "filesystem.list_directory" or "filesystem.*") that the script is allowed to call.'
         }
       },
       required: ["code"]
@@ -1381,7 +1496,8 @@ var GatewayService = class {
   // Cache compiled validators to avoid recompilation on every call
   validatorCache = /* @__PURE__ */ new Map();
   constructor(logger, urlValidator, policyService) {
-    this.logger = logger;
+    this.logger = logger.child({ component: "GatewayService" });
+    this.logger.debug("GatewayService instance created");
     this.urlValidator = urlValidator;
     this.authService = new AuthService(logger);
     this.schemaCache = new SchemaCache(logger);
@@ -1392,17 +1508,37 @@ var GatewayService = class {
   registerUpstream(info) {
     const client = new UpstreamClient(this.logger, info, this.authService, this.urlValidator);
     this.clients.set(info.id, client);
-    this.logger.info({ upstreamId: info.id }, "Registered upstream MCP");
+    this.logger.info({ upstreamId: info.id, totalRegistered: this.clients.size }, "Registered upstream MCP");
+  }
+  registerHost(transport) {
+    this.logger.debug("Host transport available but not registered as tool upstream (protocol limitation)");
   }
   async listToolPackages() {
-    return Array.from(this.clients.entries()).map(([id, client]) => ({
+    const upstreams = Array.from(this.clients.entries()).map(([id, client]) => ({
       id,
       description: `Upstream ${id}`,
-      // NOTE: Upstream description fetching deferred to V2
       version: "1.0.0"
     }));
+    return [
+      { id: "conduit", description: "Conduit built-in execution tools", version: "1.0.0" },
+      ...upstreams
+    ];
+  }
+  getBuiltInTools() {
+    return BUILT_IN_TOOLS;
   }
   async listToolStubs(packageId, context) {
+    if (packageId === "conduit") {
+      const stubs2 = BUILT_IN_TOOLS.map((t) => ({
+        id: `conduit__${t.name}`,
+        name: t.name,
+        description: t.description
+      }));
+      if (context.allowedTools) {
+        return stubs2.filter((t) => this.policyService.isToolAllowed(t.id, context.allowedTools));
+      }
+      return stubs2;
+    }
     const client = this.clients.get(packageId);
     if (!client) {
       throw new Error(`Upstream package not found: ${packageId}`);
@@ -1411,33 +1547,33 @@ var GatewayService = class {
     if (!tools) {
       try {
         const manifest = await client.getManifest(context);
-        if (manifest) {
-          const stubs2 = manifest.tools.map((t) => ({
-            id: `${packageId}__${t.name}`,
-            name: t.name,
-            description: t.description
-          }));
-          if (context.allowedTools) {
-            return stubs2.filter((t) => this.policyService.isToolAllowed(t.id, context.allowedTools));
+        if (manifest && manifest.tools) {
+          tools = manifest.tools;
+        } else {
+          if (typeof client.listTools === "function") {
+            tools = await client.listTools();
+          } else {
+            const response = await client.call({
+              jsonrpc: "2.0",
+              id: "discovery",
+              method: "tools/list"
+            }, context);
+            if (response.result?.tools) {
+              tools = response.result.tools;
+            } else {
+              this.logger.warn({ upstreamId: packageId, error: response.error }, "Failed to discover tools via RPC");
+            }
           }
-          return stubs2;
+        }
+        if (tools && tools.length > 0) {
+          this.schemaCache.set(packageId, tools);
+          this.logger.info({ upstreamId: packageId, toolCount: tools.length }, "Discovered tools from upstream");
         }
       } catch (e) {
-        this.logger.debug({ packageId, err: e }, "Manifest fetch failed, falling back to RPC");
-      }
-      const response = await client.call({
-        jsonrpc: "2.0",
-        id: "discovery",
-        method: "list_tools"
-      }, context);
-      if (response.result?.tools) {
-        tools = response.result.tools;
-        this.schemaCache.set(packageId, tools);
-      } else {
-        this.logger.warn({ upstreamId: packageId, error: response.error }, "Failed to discover tools from upstream");
-        tools = [];
+        this.logger.error({ upstreamId: packageId, err: e.message }, "Error during tool discovery");
       }
     }
+    if (!tools) tools = [];
     const stubs = tools.map((t) => ({
       id: `${packageId}__${t.name}`,
       name: t.name,
@@ -1453,10 +1589,22 @@ var GatewayService = class {
       throw new Error(`Access to tool ${toolId} is forbidden by allowlist`);
     }
     const parsed = this.policyService.parseToolName(toolId);
+    const namespace = parsed.namespace;
     const toolName = parsed.name;
-    const builtIn = BUILT_IN_TOOLS.find((t) => t.name === toolId);
-    if (builtIn) return builtIn;
-    const upstreamId = parsed.namespace;
+    if (namespace === "conduit" || namespace === "") {
+      const builtIn = BUILT_IN_TOOLS.find((t) => t.name === toolName);
+      if (builtIn) {
+        return { ...builtIn, name: `conduit__${builtIn.name}` };
+      }
+    }
+    const upstreamId = namespace;
+    if (!upstreamId) {
+      for (const id of this.clients.keys()) {
+        const schema = await this.getToolSchema(`${id}__${toolName}`, context);
+        if (schema) return schema;
+      }
+      return null;
+    }
     if (!this.schemaCache.get(upstreamId)) {
       await this.listToolStubs(upstreamId, context);
     }
@@ -1469,34 +1617,37 @@ var GatewayService = class {
     };
   }
   async discoverTools(context) {
-    const allTools = [...BUILT_IN_TOOLS];
+    const allTools = BUILT_IN_TOOLS.map((t) => ({
+      ...t,
+      name: `conduit__${t.name}`
+    }));
+    this.logger.debug({ clientCount: this.clients.size, clientIds: Array.from(this.clients.keys()) }, "Starting tool discovery");
     for (const [id, client] of this.clients.entries()) {
-      let tools = this.schemaCache.get(id);
-      if (!tools) {
-        const response = await client.call({
-          jsonrpc: "2.0",
-          id: "discovery",
-          method: "list_tools"
-          // Standard MCP method
-        }, context);
-        if (response.result?.tools) {
-          tools = response.result.tools;
-          this.schemaCache.set(id, tools);
+      if (id === "host") {
+        continue;
+      }
+      this.logger.debug({ upstreamId: id }, "Discovering tools from upstream");
+      try {
+        await this.listToolStubs(id, context);
+      } catch (e) {
+        this.logger.error({ upstreamId: id, err: e.message }, "Failed to list tool stubs");
+      }
+      const tools = this.schemaCache.get(id) || [];
+      this.logger.debug({ upstreamId: id, toolCount: tools.length }, "Discovery result");
+      if (tools && tools.length > 0) {
+        const prefixedTools = tools.map((t) => ({ ...t, name: `${id}__${t.name}` }));
+        if (context.allowedTools) {
+          allTools.push(...prefixedTools.filter((t) => this.policyService.isToolAllowed(t.name, context.allowedTools)));
         } else {
-          this.logger.warn({ upstreamId: id, error: response.error }, "Failed to discover tools from upstream");
-          tools = [];
+          allTools.push(...prefixedTools);
         }
       }
-      const prefixedTools = tools.map((t) => ({ ...t, name: `${id}__${t.name}` }));
-      if (context.allowedTools) {
-        allTools.push(...prefixedTools.filter((t) => this.policyService.isToolAllowed(t.name, context.allowedTools)));
-      } else {
-        allTools.push(...prefixedTools);
-      }
     }
+    this.logger.info({ totalTools: allTools.length }, "Tool discovery complete");
     return allTools;
   }
   async callTool(name, params, context) {
+    this.logger.debug({ name, upstreamCount: this.clients.size }, "GatewayService.callTool called");
     if (context.allowedTools && !this.policyService.isToolAllowed(name, context.allowedTools)) {
       this.logger.warn({ name, allowedTools: context.allowedTools }, "Tool call blocked by allowlist");
       return {
@@ -1511,14 +1662,37 @@ var GatewayService = class {
     const toolId = this.policyService.parseToolName(name);
     const upstreamId = toolId.namespace;
     const toolName = toolId.name;
+    this.logger.debug({ name, upstreamId, toolName }, "Parsed tool name");
+    if (!upstreamId) {
+      this.logger.debug({ toolName }, "Namespaceless call, attempting discovery across upstreams");
+      const allStubs = await this.discoverTools(context);
+      const found = allStubs.find((t) => {
+        const parts = t.name.split("__");
+        return parts[parts.length - 1] === toolName;
+      });
+      if (found) {
+        this.logger.debug({ original: name, resolved: found.name }, "Resolved namespaceless tool");
+        return this.callTool(found.name, params, context);
+      }
+      const upstreamList = Array.from(this.clients.keys()).filter((k) => k !== "host");
+      return {
+        jsonrpc: "2.0",
+        id: 0,
+        error: {
+          code: -32601,
+          message: `Tool '${toolName}' not found. Discovered ${allStubs.length} tools from upstreams: [${upstreamList.join(", ") || "none"}]. Available tools: ${allStubs.map((t) => t.name).slice(0, 10).join(", ")}${allStubs.length > 10 ? "..." : ""}`
+        }
+      };
+    }
     const client = this.clients.get(upstreamId);
     if (!client) {
+      this.logger.error({ upstreamId, availableUpstreams: Array.from(this.clients.keys()) }, "Upstream not found");
       return {
         jsonrpc: "2.0",
         id: 0,
         error: {
           code: -32003,
-          message: `Upstream not found: ${upstreamId}`
+          message: `Upstream not found: '${upstreamId}'. Available: ${Array.from(this.clients.keys()).join(", ") || "none"}`
         }
       };
     }
@@ -1578,7 +1752,7 @@ var GatewayService = class {
       response = await client.call({
         jsonrpc: "2.0",
         id: context.correlationId,
-        method: "call_tool",
+        method: "tools/call",
         params: {
           name: toolName,
           arguments: params
@@ -1606,7 +1780,7 @@ var GatewayService = class {
           const response = await client.call({
             jsonrpc: "2.0",
             id: "health",
-            method: "list_tools"
+            method: "tools/list"
           }, context);
           upstreamStatus[id] = response.error ? "degraded" : "active";
         } catch (err) {
@@ -2213,9 +2387,15 @@ var PyodideExecutor = class {
     });
   }
   createWorker(limits) {
-    let workerPath = path5.resolve(__dirname3, "./pyodide.worker.js");
-    if (!fs5.existsSync(workerPath)) {
-      workerPath = path5.resolve(__dirname3, "./pyodide.worker.ts");
+    const candidates = [
+      path5.resolve(__dirname3, "./pyodide.worker.js"),
+      path5.resolve(__dirname3, "./pyodide.worker.ts"),
+      path5.resolve(__dirname3, "./executors/pyodide.worker.js"),
+      path5.resolve(__dirname3, "./executors/pyodide.worker.ts")
+    ];
+    const workerPath = candidates.find((p) => fs5.existsSync(p));
+    if (!workerPath) {
+      throw new Error(`Pyodide worker not found. Tried: ${candidates.join(", ")}`);
     }
     return new Worker(workerPath, {
       execArgv: process.execArgv.includes("--loader") ? process.execArgv : [],
@@ -2666,7 +2846,8 @@ var SDKGenerator = class {
    * Convert camelCase to snake_case for Python
    */
   toSnakeCase(str) {
-    return str.replace(/([A-Z])/g, "_$1").toLowerCase().replace(/^_/, "");
+    const snake = str.replace(/([A-Z])/g, "_$1").toLowerCase().replace(/^_/, "").replace(/[^a-z0-9_]/g, "_");
+    return /^[0-9]/.test(snake) ? `_${snake}` : snake;
   }
   /**
    * Escape a string for use in generated code
@@ -2691,7 +2872,7 @@ var SDKGenerator = class {
     } else {
       lines.push("const __allowedTools = null;");
     }
-    lines.push("const tools = {");
+    lines.push("const _tools = {");
     for (const [namespace, tools] of grouped.entries()) {
       const safeNamespace = this.isValidIdentifier(namespace) ? namespace : `["${this.escapeString(namespace)}"]`;
       if (this.isValidIdentifier(namespace)) {
@@ -2729,6 +2910,29 @@ var SDKGenerator = class {
       lines.push(`  },`);
     }
     lines.push("};");
+    lines.push(`
+const tools = new Proxy(_tools, {
+    get: (target, prop) => {
+        if (prop in target) return target[prop];
+        if (prop === 'then') return undefined;
+        if (typeof prop === 'string') {
+            // Flat tool access fallback: search all namespaces for a matching tool
+            for (const nsName of Object.keys(target)) {
+                if (nsName === '$raw') continue;
+                const ns = target[nsName];
+                if (ns && typeof ns === 'object' && ns[prop]) {
+                    return ns[prop];
+                }
+            }
+
+            const forbidden = ['$raw'];
+            const namespaces = Object.keys(target).filter(k => !forbidden.includes(k));
+            throw new Error(\`Namespace or Tool '\${prop}' not found. Available namespaces: \${namespaces.join(', ') || 'none'}. Use tools.$raw(name, args) for dynamic calls.\`);
+        }
+        return undefined;
+    }
+});
+`);
     lines.push("(globalThis as any).tools = tools;");
     return lines.join("\n");
   }
@@ -2750,28 +2954,39 @@ var SDKGenerator = class {
       lines.push("_allowed_tools = None");
     }
     lines.push("");
-    lines.push("class _ToolNamespace:");
-    lines.push("    def __init__(self, methods):");
-    lines.push("        for name, fn in methods.items():");
-    lines.push("            setattr(self, name, fn)");
-    lines.push("");
-    lines.push("class _Tools:");
-    lines.push("    def __init__(self):");
     for (const [namespace, tools] of grouped.entries()) {
       const safeNamespace = this.toSnakeCase(namespace);
-      const methodsDict = [];
+      lines.push(`class _${safeNamespace}_Namespace:`);
       for (const tool of tools) {
         const methodName = this.toSnakeCase(tool.methodName);
         const fullName = tool.name;
-        methodsDict.push(`            "${methodName}": lambda args, n="${this.escapeString(fullName)}": _internal_call_tool(n, args)`);
+        lines.push(`    async def ${methodName}(self, args=None, **kwargs):`);
+        lines.push(`        params = args if args is not None else kwargs`);
+        lines.push(`        return await _internal_call_tool("${this.escapeString(fullName)}", params)`);
       }
-      lines.push(`        self.${safeNamespace} = _ToolNamespace({`);
-      lines.push(methodsDict.join(",\n"));
-      lines.push(`        })`);
+      lines.push("");
     }
+    lines.push("class _Tools:");
+    lines.push("    def __init__(self):");
+    if (grouped.size === 0) {
+      lines.push("        pass");
+    } else {
+      for (const [namespace] of grouped.entries()) {
+        const safeNamespace = this.toSnakeCase(namespace);
+        lines.push(`        self.${safeNamespace} = _${safeNamespace}_Namespace()`);
+      }
+    }
+    lines.push("");
+    lines.push("    def __getattr__(self, name):");
+    lines.push("        # Flat access fallback: search all namespaces");
+    lines.push("        for attr_name in dir(self):");
+    lines.push("            attr = getattr(self, attr_name, None)");
+    lines.push("            if attr and hasattr(attr, name):");
+    lines.push("                return getattr(attr, name)");
+    lines.push(`        raise AttributeError(f"Namespace or Tool '{name}' not found")`);
     if (enableRawFallback) {
       lines.push("");
-      lines.push("    async def raw(self, name, args):");
+      lines.push("    async def raw(self, name, args=None):");
       lines.push('        """Call a tool by its full name (escape hatch for dynamic/unknown tools)"""');
       lines.push('        normalized = name.replace(".", "__")');
       lines.push("        if _allowed_tools is not None:");
@@ -2781,7 +2996,7 @@ var SDKGenerator = class {
       lines.push("            )");
       lines.push("            if not allowed:");
       lines.push('                raise PermissionError(f"Tool {name} is not in the allowlist")');
-      lines.push("        return await _internal_call_tool(normalized, args)");
+      lines.push("        return await _internal_call_tool(normalized, args or {})");
     }
     lines.push("");
     lines.push("tools = _Tools()");
@@ -2804,7 +3019,7 @@ var SDKGenerator = class {
     } else {
       lines.push("const __allowedTools = null;");
     }
-    lines.push("const tools = {");
+    lines.push("const _tools = {");
     for (const [namespace, tools] of grouped.entries()) {
       const safeNamespace = this.isValidIdentifier(namespace) ? namespace : `["${this.escapeString(namespace)}"]`;
       if (this.isValidIdentifier(namespace)) {
@@ -2823,23 +3038,46 @@ var SDKGenerator = class {
         lines.push(`      return JSON.parse(resStr);`);
         lines.push(`    },`);
       }
-      lines.push(`  },`);
+      lines.push("  },");
     }
     if (enableRawFallback) {
-      lines.push(`  async $raw(name, args) {`);
+      lines.push("  async $raw(name, args) {");
       lines.push(`    const normalized = name.replace(/\\./g, '__');`);
-      lines.push(`    if (__allowedTools) {`);
+      lines.push("    if (__allowedTools) {");
       lines.push(`      const allowed = __allowedTools.some(p => {`);
       lines.push(`        if (p.endsWith('__*')) return normalized.startsWith(p.slice(0, -1));`);
-      lines.push(`        return normalized === p;`);
-      lines.push(`      });`);
-      lines.push(`      if (!allowed) throw new Error(\`Tool \${name} is not in the allowlist\`);`);
-      lines.push(`    }`);
-      lines.push(`    const resStr = await __callTool(normalized, JSON.stringify(args || {}));`);
-      lines.push(`    return JSON.parse(resStr);`);
-      lines.push(`  },`);
+      lines.push("        return normalized === p;");
+      lines.push("      });");
+      lines.push("      if (!allowed) throw new Error(`Tool ${name} is not in the allowlist`);");
+      lines.push("    }");
+      lines.push("    const resStr = await __callTool(normalized, JSON.stringify(args || {}));");
+      lines.push("    return JSON.parse(resStr);");
+      lines.push("  },");
     }
     lines.push("};");
+    lines.push(`
+const tools = new Proxy(_tools, {
+    get: (target, prop) => {
+        if (prop in target) return target[prop];
+        if (prop === 'then') return undefined;
+        if (typeof prop === 'string') {
+            // Flat tool access fallback: search all namespaces for a matching tool
+            for (const nsName of Object.keys(target)) {
+                if (nsName === '$raw') continue;
+                const ns = target[nsName];
+                if (ns && typeof ns === 'object' && ns[prop]) {
+                    return ns[prop];
+                }
+            }
+
+            const forbidden = ['$raw'];
+            const namespaces = Object.keys(target).filter(k => !forbidden.includes(k));
+            throw new Error(\`Namespace or Tool '\${prop}' not found. Available namespaces: \${namespaces.join(', ') || 'none'}. Use tools.$raw(name, args) for dynamic calls.\`);
+        }
+        return undefined;
+    }
+});
+`);
     return lines.join("\n");
   }
   /**
@@ -2929,14 +3167,17 @@ var ExecutionService = class {
   async getToolBindings(context) {
     const packages = await this.gatewayService.listToolPackages();
     const allBindings = [];
+    this.logger.debug({ packageCount: packages.length, packages: packages.map((p) => p.id) }, "Fetching tool bindings");
     for (const pkg of packages) {
       try {
         const stubs = await this.gatewayService.listToolStubs(pkg.id, context);
+        this.logger.debug({ packageId: pkg.id, stubCount: stubs.length }, "Got stubs from package");
         allBindings.push(...stubs.map((s) => toToolBinding(s.id, void 0, s.description)));
       } catch (err) {
         this.logger.warn({ packageId: pkg.id, err: err.message }, "Failed to list stubs for package");
       }
     }
+    this.logger.info({ totalBindings: allBindings.length }, "Tool bindings ready for SDK generation");
     return allBindings;
   }
   async executeIsolate(code, limits, context, allowedTools) {
@@ -3100,11 +3341,97 @@ import Fastify2 from "fastify";
 import axios4 from "axios";
 import open from "open";
 import { v4 as uuidv43 } from "uuid";
+import crypto3 from "crypto";
+var AUTH_REQUEST_PAYLOAD = {
+  jsonrpc: "2.0",
+  id: "conduit-auth",
+  method: "initialize",
+  params: {
+    clientInfo: {
+      name: "conduit-auth",
+      version: "1.0.0"
+    }
+  }
+};
+function base64UrlEncode(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function createCodeVerifier() {
+  return base64UrlEncode(crypto3.randomBytes(32));
+}
+function createCodeChallenge(verifier) {
+  return base64UrlEncode(crypto3.createHash("sha256").update(verifier).digest());
+}
+function parseResourceMetadataHeader(headerValue) {
+  if (!headerValue) return null;
+  const header = Array.isArray(headerValue) ? headerValue.join(",") : headerValue;
+  const match = header.match(/resource_metadata="([^"]+)"/i) || header.match(/resource_metadata=([^, ]+)/i);
+  return match ? match[1] : null;
+}
+async function discoverOAuthFromMcp(mcpUrl) {
+  const attempts = [
+    () => axios4.get(mcpUrl, { validateStatus: () => true }),
+    () => axios4.post(mcpUrl, AUTH_REQUEST_PAYLOAD, { validateStatus: () => true })
+  ];
+  let resourceMetadataUrl = null;
+  for (const attempt of attempts) {
+    const response = await attempt();
+    resourceMetadataUrl = parseResourceMetadataHeader(response.headers["www-authenticate"]);
+    if (resourceMetadataUrl) break;
+  }
+  if (!resourceMetadataUrl) {
+    throw new Error("Unable to discover OAuth metadata (missing WWW-Authenticate resource_metadata)");
+  }
+  const metadataResponse = await axios4.get(resourceMetadataUrl);
+  const metadata = metadataResponse.data;
+  let authUrl = metadata.authorization_endpoint;
+  let tokenUrl = metadata.token_endpoint;
+  let scopes = Array.isArray(metadata.scopes_supported) ? metadata.scopes_supported : void 0;
+  const resource = typeof metadata.resource === "string" ? metadata.resource : void 0;
+  if (!authUrl || !tokenUrl) {
+    const authServer = Array.isArray(metadata.authorization_servers) && metadata.authorization_servers[0] || metadata.issuer;
+    if (!authServer) {
+      throw new Error("OAuth metadata did not include authorization server info");
+    }
+    const asMetadataUrl = new URL("/.well-known/oauth-authorization-server", authServer).toString();
+    const asMetadataResponse = await axios4.get(asMetadataUrl);
+    const asMetadata = asMetadataResponse.data;
+    authUrl = authUrl || asMetadata.authorization_endpoint;
+    tokenUrl = tokenUrl || asMetadata.token_endpoint;
+    scopes = scopes || (Array.isArray(asMetadata.scopes_supported) ? asMetadata.scopes_supported : void 0);
+  }
+  if (!authUrl || !tokenUrl) {
+    throw new Error("OAuth discovery failed: missing authorization or token endpoint");
+  }
+  return { authUrl, tokenUrl, scopes, resource };
+}
+function normalizeScopes(rawScopes) {
+  if (!rawScopes) return void 0;
+  return rawScopes.split(",").map((scope) => scope.trim()).filter(Boolean).join(" ");
+}
 async function handleAuth(options) {
   const port = options.port || 3333;
   const redirectUri = `http://localhost:${port}/callback`;
   const state = uuidv43();
+  const codeVerifier = options.usePkce ? createCodeVerifier() : void 0;
+  const codeChallenge = codeVerifier ? createCodeChallenge(codeVerifier) : void 0;
   const fastify = Fastify2();
+  let resolvedScopes = normalizeScopes(options.scopes);
+  let resolvedAuthUrl = options.authUrl;
+  let resolvedTokenUrl = options.tokenUrl;
+  let resolvedResource;
+  if (options.mcpUrl) {
+    const discovered = await discoverOAuthFromMcp(options.mcpUrl);
+    resolvedAuthUrl = discovered.authUrl;
+    resolvedTokenUrl = discovered.tokenUrl;
+    resolvedResource = discovered.resource;
+    if (!resolvedScopes && discovered.scopes && discovered.scopes.length > 0) {
+      resolvedScopes = discovered.scopes.join(" ");
+    }
+  }
+  if (!resolvedAuthUrl || !resolvedTokenUrl) {
+    throw new Error("OAuth configuration missing authUrl or tokenUrl (set --mcp-url or provide both)");
+  }
   return new Promise((resolve, reject) => {
     fastify.get("/callback", async (request, reply) => {
       const { code, state: returnedState, error, error_description } = request.query;
@@ -3119,12 +3446,25 @@ async function handleAuth(options) {
         return;
       }
       try {
-        const response = await axios4.post(options.tokenUrl, {
-          grant_type: "authorization_code",
-          code,
-          redirect_uri: redirectUri,
-          client_id: options.clientId,
-          client_secret: options.clientSecret
+        const body = new URLSearchParams();
+        body.set("grant_type", "authorization_code");
+        body.set("code", code);
+        body.set("redirect_uri", redirectUri);
+        body.set("client_id", options.clientId);
+        if (options.clientSecret) {
+          body.set("client_secret", options.clientSecret);
+        }
+        if (codeVerifier) {
+          body.set("code_verifier", codeVerifier);
+        }
+        if (resolvedResource) {
+          body.set("resource", resolvedResource);
+        }
+        const response = await axios4.post(resolvedTokenUrl, body, {
+          headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+            "Accept": "application/json"
+          }
         });
         const { refresh_token, access_token } = response.data;
         console.log("\n--- Authentication Successful ---\n");
@@ -3132,9 +3472,14 @@ async function handleAuth(options) {
         console.log("credentials:");
         console.log("  type: oauth2");
         console.log(`  clientId: ${options.clientId}`);
-        console.log(`  clientSecret: ${options.clientSecret}`);
-        console.log(`  tokenUrl: "${options.tokenUrl}"`);
+        if (options.clientSecret) {
+          console.log(`  clientSecret: ${options.clientSecret}`);
+        }
+        console.log(`  tokenUrl: "${resolvedTokenUrl}"`);
         console.log(`  refreshToken: "${refresh_token || "N/A (No refresh token returned)"}"`);
+        if (resolvedScopes) {
+          console.log(`  scopes: ["${resolvedScopes.split(" ").join('", "')}"]`);
+        }
         if (!refresh_token) {
           console.log('\nWarning: No refresh token was returned. Ensure your app has "offline_access" scope or similar.');
         }
@@ -3154,13 +3499,20 @@ async function handleAuth(options) {
         reject(err);
         return;
       }
-      const authUrl = new URL(options.authUrl);
+      const authUrl = new URL(resolvedAuthUrl);
       authUrl.searchParams.append("client_id", options.clientId);
       authUrl.searchParams.append("redirect_uri", redirectUri);
       authUrl.searchParams.append("response_type", "code");
       authUrl.searchParams.append("state", state);
-      if (options.scopes) {
-        authUrl.searchParams.append("scope", options.scopes);
+      if (resolvedScopes) {
+        authUrl.searchParams.append("scope", resolvedScopes);
+      }
+      if (codeChallenge) {
+        authUrl.searchParams.append("code_challenge", codeChallenge);
+        authUrl.searchParams.append("code_challenge_method", "S256");
+      }
+      if (resolvedResource) {
+        authUrl.searchParams.append("resource", resolvedResource);
       }
       console.log(`Opening browser to: ${authUrl.toString()}`);
       console.log("Waiting for callback...");
@@ -3172,23 +3524,25 @@ async function handleAuth(options) {
 // src/index.ts
 var program = new Command();
 program.name("conduit").description("A secure Code Mode execution substrate for MCP agents").version("1.0.0");
-program.command("serve", { isDefault: true }).description("Start the Conduit server").option("--stdio", "Use stdio transport").action(async (options) => {
+program.command("serve", { isDefault: true }).description("Start the Conduit server").option("--stdio", "Use stdio transport").option("--config <path>", "Path to config file").action(async (options) => {
   try {
-    await startServer();
+    await startServer(options);
   } catch (err) {
     console.error("Failed to start Conduit:", err);
     process.exit(1);
   }
 });
-program.command("auth").description("Help set up OAuth for an upstream MCP server").requiredOption("--client-id <id>", "OAuth Client ID").requiredOption("--client-secret <secret>", "OAuth Client Secret").requiredOption("--auth-url <url>", "OAuth Authorization URL").requiredOption("--token-url <url>", "OAuth Token URL").option("--scopes <scopes>", "OAuth Scopes (comma separated)").option("--port <port>", "Port for the local callback server", "3333").action(async (options) => {
+program.command("auth").description("Help set up OAuth for an upstream MCP server").requiredOption("--client-id <id>", "OAuth Client ID").requiredOption("--client-secret <secret>", "OAuth Client Secret").option("--auth-url <url>", "OAuth Authorization URL").option("--token-url <url>", "OAuth Token URL").option("--mcp-url <url>", "MCP base URL (auto-discover OAuth metadata)").option("--scopes <scopes>", "OAuth Scopes (comma separated)").option("--port <port>", "Port for the local callback server", "3333").option("--pkce", "Use PKCE for the authorization code flow").action(async (options) => {
   try {
     await handleAuth({
       clientId: options.clientId,
       clientSecret: options.clientSecret,
       authUrl: options.authUrl,
       tokenUrl: options.tokenUrl,
+      mcpUrl: options.mcpUrl,
       scopes: options.scopes,
-      port: parseInt(options.port, 10)
+      port: parseInt(options.port, 10),
+      usePkce: options.pkce || Boolean(options.mcpUrl)
     });
     console.log("\nSuccess! Configuration generated.");
   } catch (err) {
@@ -3196,8 +3550,11 @@ program.command("auth").description("Help set up OAuth for an upstream MCP serve
     process.exit(1);
   }
 });
-async function startServer() {
-  const configService = new ConfigService();
+async function startServer(options = {}) {
+  const overrides = {};
+  if (options.stdio) overrides.transport = "stdio";
+  if (options.config) process.env.CONFIG_FILE = options.config;
+  const configService = new ConfigService(overrides);
   const logger = createLogger(configService);
   const otelService = new OtelService(logger);
   await otelService.start();
@@ -3207,6 +3564,7 @@ async function startServer() {
     const securityService = new SecurityService(logger, ipcToken);
     const gatewayService = new GatewayService(logger, securityService);
     const upstreams = configService.get("upstreams") || [];
+    logger.info({ upstreamCount: upstreams.length, upstreamIds: upstreams.map((u) => u.id) }, "Registering upstreams from config");
     for (const upstream of upstreams) {
       gatewayService.registerUpstream(upstream);
     }
@@ -3236,15 +3594,26 @@ async function startServer() {
     let transport;
     let address;
     if (configService.get("transport") === "stdio") {
-      transport = new StdioTransport(logger, requestController, concurrencyService);
+      const stdioTransport = new StdioTransport(logger, requestController, concurrencyService);
+      transport = stdioTransport;
       await transport.start();
+      gatewayService.registerHost(stdioTransport);
       address = "stdio";
+      const internalTransport = new SocketTransport(logger, requestController, concurrencyService);
+      const internalPort = 0;
+      const internalAddress = await internalTransport.listen({ port: internalPort });
+      executionService.ipcAddress = internalAddress;
+      const originalShutdown = transport.close.bind(transport);
+      transport.close = async () => {
+        await originalShutdown();
+        await internalTransport.close();
+      };
     } else {
       transport = new SocketTransport(logger, requestController, concurrencyService);
       const port = configService.get("port");
       address = await transport.listen({ port });
+      executionService.ipcAddress = address;
     }
-    executionService.ipcAddress = address;
     await requestController.warmup();
     logger.info("Conduit server started");
     const shutdown = async () => {