@modeltoolsprotocol/mtpcli 0.2.2 → 0.2.3

package/dist/index.js

@@ -7341,28 +7341,6 @@ var init_search2 = __esm(() => {
 });
 
 // src/auth.ts
-var exports_auth = {};
-__export(exports_auth, {
-  storeToken: () => storeToken,
-  runToken: () => runToken,
-  runStatus: () => runStatus,
-  runRefresh: () => runRefresh,
-  runLogout: () => runLogout,
-  runLogin: () => runLogin,
-  runEnv: () => runEnv,
-  oauth2Login: () => oauth2Login,
-  login: () => login,
-  loadToken: () => loadToken,
-  isTokenExpired: () => isTokenExpired,
-  getProvider: () => getProvider,
-  getEnvExport: () => getEnvExport,
-  getEnvDict: () => getEnvDict,
-  getAuthConfig: () => getAuthConfig,
-  ensureValidToken: () => ensureValidToken,
-  deleteToken: () => deleteToken,
-  authStatus: () => authStatus,
-  apiKeyLogin: () => apiKeyLogin
-});
 import { createHash, randomBytes } from "node:crypto";
 import {
   chmodSync,
@@ -7372,10 +7350,8 @@ import {
   unlinkSync,
   writeFileSync as writeFileSync2
 } from "node:fs";
-import { createServer } from "node:http";
 import { homedir as homedir2 } from "node:os";
 import { dirname, join as join2 } from "node:path";
-import { createInterface } from "node:readline";
 function tokensDir(baseDir) {
   return join2(baseDir ?? join2(homedir2(), ".mtpcli"), "tokens");
 }
@@ -7395,14 +7371,526 @@ function loadToken(toolName, providerId, baseDir) {
     return null;
   return JSON.parse(readFileSync2(path2, "utf-8"));
 }
+function isTokenExpired(token) {
+  if (!token.expires_at)
+    return false;
+  const exp = new Date(token.expires_at);
+  const buffer = 5 * 60 * 1000;
+  return exp.getTime() - buffer < Date.now();
+}
+function generatePkce() {
+  const bytes = randomBytes(64);
+  const verifier = bytes.toString("base64url").slice(0, 128);
+  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier, resource) {
+  const params = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    client_id: clientId,
+    redirect_uri: redirectUri
+  });
+  if (codeVerifier)
+    params.set("code_verifier", codeVerifier);
+  if (resource)
+    params.set("resource", resource);
+  const resp = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: params.toString()
+  });
+  const text = await resp.text();
+  return parseTokenResponse(text);
+}
+async function refreshAccessToken(tokenUrl, refreshToken, clientId, resource) {
+  const params = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken,
+    client_id: clientId
+  });
+  if (resource)
+    params.set("resource", resource);
+  const resp = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: params.toString()
+  });
+  const text = await resp.text();
+  return parseTokenResponse(text);
+}
+function parseTokenResponse(text) {
+  let val;
+  try {
+    val = JSON.parse(text);
+  } catch {
+    val = Object.fromEntries(new URLSearchParams(text));
+  }
+  const accessToken = val.access_token;
+  if (!accessToken)
+    throw new Error("no access_token in response");
+  const expiresIn = typeof val.expires_in === "number" ? val.expires_in : typeof val.expires_in === "string" ? parseInt(val.expires_in, 10) || undefined : undefined;
+  const expiresAt = expiresIn ? new Date(Date.now() + expiresIn * 1000).toISOString() : undefined;
+  const scope = val.scope;
+  const scopes = scope ? scope.split(/\s+/) : undefined;
+  return {
+    access_token: accessToken,
+    token_type: val.token_type ?? undefined,
+    refresh_token: val.refresh_token ?? undefined,
+    expires_at: expiresAt,
+    scopes,
+    provider_id: "",
+    created_at: new Date().toISOString()
+  };
+}
+async function ensureValidToken(toolName, auth) {
+  const provider = auth.providers[0];
+  if (!provider)
+    return null;
+  const token = loadToken(toolName, provider.id);
+  if (!token)
+    return null;
+  if (isTokenExpired(token)) {
+    if (token.refresh_token && provider.tokenUrl && provider.clientId) {
+      try {
+        const newToken = await refreshAccessToken(provider.tokenUrl, token.refresh_token, provider.clientId);
+        if (!newToken.refresh_token) {
+          newToken.refresh_token = token.refresh_token;
+        }
+        newToken.provider_id = provider.id;
+        storeToken(toolName, provider.id, newToken);
+        return newToken.access_token;
+      } catch (e) {
+        process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
+`);
+        return null;
+      }
+    }
+    return null;
+  }
+  return token.access_token;
+}
+async function getEnvDict(toolName, auth) {
+  const token = await ensureValidToken(toolName, auth);
+  if (!token)
+    return {};
+  return { [auth.envVar]: token };
+}
+var init_auth = __esm(() => {
+  init_search2();
+});
+
+// src/mcp-oauth.ts
+var exports_mcp_oauth = {};
+__export(exports_mcp_oauth, {
+  storeClientRegistration: () => storeClientRegistration,
+  serverStorageKey: () => serverStorageKey,
+  registerClient: () => registerClient,
+  promptForClientId: () => promptForClientId,
+  parseWwwAuthenticate: () => parseWwwAuthenticate,
+  mcpOAuthFlow: () => mcpOAuthFlow,
+  loadOrRefreshMcpToken: () => loadOrRefreshMcpToken,
+  loadClientRegistration: () => loadClientRegistration,
+  fetchResourceMetadata: () => fetchResourceMetadata,
+  fetchAuthServerMetadata: () => fetchAuthServerMetadata
+});
+import { randomBytes as randomBytes2 } from "node:crypto";
+import {
+  existsSync as existsSync3,
+  mkdirSync as mkdirSync3,
+  readFileSync as readFileSync3,
+  writeFileSync as writeFileSync3,
+  chmodSync as chmodSync2
+} from "node:fs";
+import { createServer } from "node:http";
+import { homedir as homedir3 } from "node:os";
+import { dirname as dirname2, join as join3 } from "node:path";
+import { createInterface } from "node:readline";
+function serverStorageKey(url) {
+  const u = new URL(url);
+  return `mcp_${u.host}`;
+}
+function parseWwwAuthenticate(header) {
+  const result = {};
+  const params = header.replace(/^Bearer\s+/i, "");
+  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
+  let match;
+  while ((match = re.exec(params)) !== null) {
+    const key = match[1];
+    const val = match[2] ?? match[3];
+    if (key === "resource_metadata")
+      result.resourceMetadata = val;
+    if (key === "scope")
+      result.scope = val;
+  }
+  return result;
+}
+async function fetchResourceMetadata(url) {
+  const resp = await fetch(url);
+  if (!resp.ok) {
+    throw new Error(`failed to fetch resource metadata from ${url}: ${resp.status}`);
+  }
+  return resp.json();
+}
+async function fetchAuthServerMetadata(serverUrl, wwwAuth) {
+  if (wwwAuth) {
+    const parsed = parseWwwAuthenticate(wwwAuth);
+    if (parsed.resourceMetadata) {
+      try {
+        const resource = await fetchResourceMetadata(parsed.resourceMetadata);
+        if (resource.authorization_servers?.length) {
+          const asUrl = resource.authorization_servers[0];
+          const wellKnown = `${asUrl}/.well-known/oauth-authorization-server`;
+          const resp = await fetch(wellKnown);
+          if (resp.ok) {
+            return resp.json();
+          }
+        }
+      } catch {}
+    }
+  }
+  const origin = new URL(serverUrl).origin;
+  const oauthUrl = `${origin}/.well-known/oauth-authorization-server`;
+  try {
+    const resp = await fetch(oauthUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  const oidcUrl = `${origin}/.well-known/openid-configuration`;
+  try {
+    const resp = await fetch(oidcUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  throw new Error(`could not discover OAuth authorization server for ${serverUrl}`);
+}
+async function registerClient(metadata, redirectUri) {
+  if (!metadata.registration_endpoint) {
+    throw new Error("no registration_endpoint in auth server metadata");
+  }
+  const body = {
+    client_name: "mtpcli",
+    redirect_uris: [redirectUri],
+    grant_types: ["authorization_code"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none"
+  };
+  const resp = await fetch(metadata.registration_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`dynamic client registration failed (${resp.status}): ${text}`);
+  }
+  const result = await resp.json();
+  const clientId = result.client_id;
+  if (!clientId)
+    throw new Error("no client_id in registration response");
+  return {
+    clientId,
+    clientSecret: result.client_secret,
+    redirectUri,
+    registeredAt: Date.now()
+  };
+}
+function promptForClientId(serverUrl) {
+  return new Promise((resolve, reject) => {
+    process.stderr.write(`
+No dynamic registration available for ${serverUrl}.
+` + `You need to register a client manually and provide the client_id.
+` + `Enter client_id: `);
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    rl.question("", (answer) => {
+      rl.close();
+      const trimmed = answer.trim();
+      if (!trimmed) {
+        reject(new Error("no client_id provided"));
+        return;
+      }
+      resolve(trimmed);
+    });
+  });
+}
+function clientStorePath() {
+  return join3(homedir3(), ".mtpcli", "mcp-oauth-clients.json");
+}
+function loadClientStore() {
+  const path2 = clientStorePath();
+  if (!existsSync3(path2))
+    return {};
+  try {
+    return JSON.parse(readFileSync3(path2, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveClientStore(store) {
+  const path2 = clientStorePath();
+  mkdirSync3(dirname2(path2), { recursive: true });
+  writeFileSync3(path2, JSON.stringify(store, null, 2));
+  chmodSync2(path2, 384);
+}
+function loadClientRegistration(origin) {
+  const store = loadClientStore();
+  return store[origin] ?? null;
+}
+function storeClientRegistration(origin, client, metadata) {
+  const store = loadClientStore();
+  store[origin] = { client, metadata };
+  saveClientStore(store);
+}
+function startCallbackServer() {
+  return new Promise((resolve, reject) => {
+    let codeResolve;
+    let codeReject;
+    const codePromise = new Promise((res, rej) => {
+      codeResolve = res;
+      codeReject = rej;
+    });
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (code) {
+        const html = "<html><body><h2>Authentication successful!</h2>" + "<p>You can close this tab and return to your terminal.</p>" + "<script>window.close()</script></body></html>";
+        res.writeHead(200, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeResolve(code);
+        return;
+      }
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Unknown error";
+        const html = `<html><body><h2>Authentication failed</h2><p>${desc}</p></body></html>`;
+        res.writeHead(400, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeReject(new Error(`OAuth error: ${error} - ${desc}`));
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("failed to get callback server address"));
+        return;
+      }
+      resolve({
+        port: addr.port,
+        waitForCode: () => {
+          const timer = setTimeout(() => {
+            server.close();
+            codeReject(new Error("OAuth callback timed out (120s)"));
+          }, 120000);
+          return codePromise.finally(() => clearTimeout(timer));
+        },
+        server
+      });
+    });
+    server.on("error", (e) => {
+      reject(new Error(`failed to bind callback server: ${e.message}`));
+    });
+  });
+}
+async function mcpOAuthFlow(serverUrl, wwwAuth, clientId) {
+  const origin = new URL(serverUrl).origin;
+  const storageKey = serverStorageKey(serverUrl);
+  const wwwParsed = parseWwwAuthenticate(wwwAuth);
+  process.stderr.write(`Discovering OAuth authorization server...
+`);
+  const metadata = await fetchAuthServerMetadata(serverUrl, wwwAuth);
+  const challengeMethods = metadata.code_challenge_methods_supported;
+  if (challengeMethods && !challengeMethods.includes("S256")) {
+    throw new Error("authorization server does not support S256 PKCE (required)");
+  }
+  const callback = await startCallbackServer();
+  const redirectUri = `http://127.0.0.1:${callback.port}/callback`;
+  let resolvedClientId = clientId;
+  let registration;
+  if (!resolvedClientId) {
+    const cached = loadClientRegistration(origin);
+    if (cached) {
+      resolvedClientId = cached.client.clientId;
+      registration = cached.client;
+      process.stderr.write(`Using cached client registration for ${origin}
+`);
+    }
+  }
+  if (!resolvedClientId) {
+    if (metadata.registration_endpoint) {
+      process.stderr.write(`Registering client dynamically...
+`);
+      registration = await registerClient(metadata, redirectUri);
+      resolvedClientId = registration.clientId;
+      storeClientRegistration(origin, registration, metadata);
+    } else {
+      callback.server.close();
+      resolvedClientId = await promptForClientId(serverUrl);
+      const newCallback = await startCallbackServer();
+      return doOAuthLogin(metadata, resolvedClientId, `http://127.0.0.1:${newCallback.port}/callback`, newCallback, wwwParsed.scope, storageKey, origin);
+    }
+  }
+  return doOAuthLogin(metadata, resolvedClientId, redirectUri, callback, wwwParsed.scope, storageKey, origin);
+}
+async function doOAuthLogin(metadata, clientId, redirectUri, callback, scope, storageKey, origin) {
+  const state = randomBytes2(32).toString("base64url");
+  const pkce = generatePkce();
+  const scopes = scope ?? metadata.scopes_supported?.join(" ") ?? undefined;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    state,
+    code_challenge: pkce.challenge,
+    code_challenge_method: "S256"
+  });
+  if (scopes)
+    params.set("scope", scopes);
+  const authUrl = `${metadata.authorization_endpoint}?${params.toString()}`;
+  process.stderr.write(`Opening browser for OAuth login...
+`);
+  process.stderr.write(`If the browser doesn't open, visit:
+${authUrl}
+
+`);
+  open_default(authUrl).catch(() => {});
+  process.stderr.write(`Waiting for authentication callback on port ${callback.port}...
+`);
+  const code = await callback.waitForCode();
+  process.stderr.write(`Exchanging authorization code for tokens...
+`);
+  const token = await exchangeCode(metadata.token_endpoint, code, clientId, redirectUri, pkce.verifier);
+  token.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", token);
+  storeClientRegistration(origin, {
+    clientId,
+    redirectUri,
+    registeredAt: Date.now()
+  }, metadata);
+  process.stderr.write(`Authenticated with ${origin}
+`);
+  return token.access_token;
+}
+async function loadOrRefreshMcpToken(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token)
+    return null;
+  if (!isTokenExpired(token)) {
+    return token.access_token;
+  }
+  if (token.refresh_token) {
+    const origin = new URL(serverUrl).origin;
+    const cached = loadClientRegistration(origin);
+    if (cached) {
+      try {
+        const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+        if (!newToken.refresh_token) {
+          newToken.refresh_token = token.refresh_token;
+        }
+        newToken.provider_id = "mcp-oauth";
+        storeToken(storageKey, "mcp-oauth", newToken);
+        return newToken.access_token;
+      } catch (e) {
+        process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
+`);
+      }
+    }
+  }
+  return null;
+}
+var init_mcp_oauth = __esm(() => {
+  init_open();
+  init_auth();
+});
+
+// src/auth.ts
+var exports_auth = {};
+__export(exports_auth, {
+  storeToken: () => storeToken2,
+  runToken: () => runToken,
+  runStatus: () => runStatus,
+  runRefresh: () => runRefresh,
+  runLogout: () => runLogout,
+  runLogin: () => runLogin,
+  runEnv: () => runEnv,
+  refreshAccessToken: () => refreshAccessToken2,
+  oauth2Login: () => oauth2Login,
+  login: () => login,
+  loadToken: () => loadToken2,
+  isTokenExpired: () => isTokenExpired2,
+  getProvider: () => getProvider,
+  getEnvExport: () => getEnvExport,
+  getEnvDict: () => getEnvDict2,
+  getAuthConfig: () => getAuthConfig,
+  generatePkce: () => generatePkce2,
+  exchangeCode: () => exchangeCode2,
+  ensureValidToken: () => ensureValidToken2,
+  deleteToken: () => deleteToken,
+  authStatus: () => authStatus,
+  apiKeyLogin: () => apiKeyLogin
+});
+import { createHash as createHash2, randomBytes as randomBytes3 } from "node:crypto";
+import {
+  chmodSync as chmodSync3,
+  existsSync as existsSync4,
+  mkdirSync as mkdirSync4,
+  readFileSync as readFileSync4,
+  unlinkSync as unlinkSync2,
+  writeFileSync as writeFileSync4
+} from "node:fs";
+import { createServer as createServer2 } from "node:http";
+import { homedir as homedir4 } from "node:os";
+import { dirname as dirname3, join as join4 } from "node:path";
+import { createInterface as createInterface2 } from "node:readline";
+function tokensDir2(baseDir) {
+  return join4(baseDir ?? join4(homedir4(), ".mtpcli"), "tokens");
+}
+function tokenPath2(toolName, providerId, baseDir) {
+  return join4(tokensDir2(baseDir), toolName, `${providerId}.json`);
+}
+function storeToken2(toolName, providerId, token, baseDir) {
+  const path2 = tokenPath2(toolName, providerId, baseDir);
+  mkdirSync4(dirname3(path2), { recursive: true });
+  writeFileSync4(path2, JSON.stringify(token, null, 2));
+  chmodSync3(path2, 384);
+  return path2;
+}
+function loadToken2(toolName, providerId, baseDir) {
+  const path2 = tokenPath2(toolName, providerId, baseDir);
+  if (!existsSync4(path2))
+    return null;
+  return JSON.parse(readFileSync4(path2, "utf-8"));
+}
 function deleteToken(toolName, providerId, baseDir) {
-  const path2 = tokenPath(toolName, providerId, baseDir);
-  if (!existsSync2(path2))
+  const path2 = tokenPath2(toolName, providerId, baseDir);
+  if (!existsSync4(path2))
     return false;
-  unlinkSync(path2);
+  unlinkSync2(path2);
   return true;
 }
-function isTokenExpired(token) {
+function isTokenExpired2(token) {
   if (!token.expires_at)
     return false;
   const exp = new Date(token.expires_at);
@@ -7418,10 +7906,10 @@ function getProvider(auth, providerId) {
     return auth.providers.find((p) => p.id === providerId);
   return auth.providers[0];
 }
-function generatePkce() {
-  const bytes = randomBytes(64);
+function generatePkce2() {
+  const bytes = randomBytes3(64);
   const verifier = bytes.toString("base64url").slice(0, 128);
-  const challenge = createHash("sha256").update(verifier).digest("base64url");
+  const challenge = createHash2("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
 function waitForCallback(port, timeoutSecs) {
@@ -7430,7 +7918,7 @@ function waitForCallback(port, timeoutSecs) {
       server.close();
       reject(new Error("OAuth callback timed out"));
     }, timeoutSecs * 1000);
-    const server = createServer((req, res) => {
+    const server = createServer2((req, res) => {
       const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
       const code = url.searchParams.get("code");
       const error = url.searchParams.get("error");
@@ -7469,7 +7957,7 @@ function waitForCallback(port, timeoutSecs) {
     });
   });
 }
-async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier) {
+async function exchangeCode2(tokenUrl, code, clientId, redirectUri, codeVerifier, resource) {
   const params = new URLSearchParams({
     grant_type: "authorization_code",
     code,
@@ -7478,6 +7966,8 @@ async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier)
   });
   if (codeVerifier)
     params.set("code_verifier", codeVerifier);
+  if (resource)
+    params.set("resource", resource);
   const resp = await fetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -7487,14 +7977,16 @@ async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier)
     body: params.toString()
   });
   const text = await resp.text();
-  return parseTokenResponse(text);
+  return parseTokenResponse2(text);
 }
-async function refreshAccessToken(tokenUrl, refreshToken, clientId) {
+async function refreshAccessToken2(tokenUrl, refreshToken, clientId, resource) {
   const params = new URLSearchParams({
     grant_type: "refresh_token",
     refresh_token: refreshToken,
     client_id: clientId
   });
+  if (resource)
+    params.set("resource", resource);
   const resp = await fetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -7504,9 +7996,9 @@ async function refreshAccessToken(tokenUrl, refreshToken, clientId) {
     body: params.toString()
   });
   const text = await resp.text();
-  return parseTokenResponse(text);
+  return parseTokenResponse2(text);
 }
-function parseTokenResponse(text) {
+function parseTokenResponse2(text) {
   let val;
   try {
     val = JSON.parse(text);
@@ -7538,7 +8030,7 @@ async function oauth2Login(toolName, provider, port) {
   if (!provider.clientId)
     throw new Error("provider missing clientId");
   const redirectUri = `http://127.0.0.1:${port}/callback`;
-  const state = randomBytes(32).toString("base64url");
+  const state = randomBytes3(32).toString("base64url");
   const params = new URLSearchParams({
     client_id: provider.clientId,
     redirect_uri: redirectUri,
@@ -7550,7 +8042,7 @@ async function oauth2Login(toolName, provider, port) {
   }
   let codeVerifier;
   if (provider.type === "oauth2-pkce") {
-    const pkce = generatePkce();
+    const pkce = generatePkce2();
     codeVerifier = pkce.verifier;
     params.set("code_challenge", pkce.challenge);
     params.set("code_challenge_method", "S256");
@@ -7573,9 +8065,9 @@ ${fullUrl}
     throw new Error("no authorization code received (timed out?)");
   process.stderr.write(`Exchanging authorization code for tokens...
 `);
-  const token = await exchangeCode(provider.tokenUrl, result.code, provider.clientId, redirectUri, codeVerifier);
+  const token = await exchangeCode2(provider.tokenUrl, result.code, provider.clientId, redirectUri, codeVerifier);
   token.provider_id = provider.id;
-  storeToken(toolName, provider.id, token);
+  storeToken2(toolName, provider.id, token);
   process.stderr.write(`Authenticated with ${display}
 `);
   return token;
@@ -7596,7 +8088,7 @@ function apiKeyLogin(toolName, provider, tokenValue) {
         provider_id: provider.id,
         created_at: new Date().toISOString()
       };
-      storeToken(toolName, provider.id, token);
+      storeToken2(toolName, provider.id, token);
       const display = provider.displayName ?? provider.id;
       process.stderr.write(`Token stored for ${display}
 `);
@@ -7615,7 +8107,7 @@ function apiKeyLogin(toolName, provider, tokenValue) {
 `);
     }
     process.stderr.write("Enter your token/API key: ");
-    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const rl = createInterface2({ input: process.stdin, output: process.stderr });
     rl.question("", (answer) => {
       rl.close();
       finish(answer.trim());
@@ -7636,22 +8128,22 @@ async function login(toolName, provider, token, port = 8914) {
       throw new Error(`unknown auth type: ${provider.type}`);
   }
 }
-async function ensureValidToken(toolName, auth) {
+async function ensureValidToken2(toolName, auth) {
   const provider = auth.providers[0];
   if (!provider)
     return null;
-  const token = loadToken(toolName, provider.id);
+  const token = loadToken2(toolName, provider.id);
   if (!token)
     return null;
-  if (isTokenExpired(token)) {
+  if (isTokenExpired2(token)) {
     if (token.refresh_token && provider.tokenUrl && provider.clientId) {
       try {
-        const newToken = await refreshAccessToken(provider.tokenUrl, token.refresh_token, provider.clientId);
+        const newToken = await refreshAccessToken2(provider.tokenUrl, token.refresh_token, provider.clientId);
         if (!newToken.refresh_token) {
           newToken.refresh_token = token.refresh_token;
         }
         newToken.provider_id = provider.id;
-        storeToken(toolName, provider.id, newToken);
+        storeToken2(toolName, provider.id, newToken);
         return newToken.access_token;
       } catch (e) {
         process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
@@ -7663,14 +8155,14 @@ async function ensureValidToken(toolName, auth) {
   }
   return token.access_token;
 }
-async function getEnvDict(toolName, auth) {
-  const token = await ensureValidToken(toolName, auth);
+async function getEnvDict2(toolName, auth) {
+  const token = await ensureValidToken2(toolName, auth);
   if (!token)
     return {};
   return { [auth.envVar]: token };
 }
 async function getEnvExport(toolName, auth) {
-  const env = await getEnvDict(toolName, auth);
+  const env = await getEnvDict2(toolName, auth);
   if (Object.keys(env).length === 0) {
     return "# No token available. Run: mtpcli auth login <tool>";
   }
@@ -7683,7 +8175,7 @@ async function getEnvExport(toolName, auth) {
 async function authStatus(toolName, auth) {
   const providers = [];
   for (const provider of auth.providers) {
-    const token = loadToken(toolName, provider.id);
+    const token = loadToken2(toolName, provider.id);
     const status = {
       id: provider.id,
       type: provider.type,
@@ -7691,7 +8183,7 @@ async function authStatus(toolName, auth) {
       authenticated: token !== null
     };
     if (token) {
-      status.expired = isTokenExpired(token);
+      status.expired = isTokenExpired2(token);
       status.has_refresh = !!token.refresh_token;
       if (token.expires_at)
         status.expires_at = token.expires_at;
@@ -7744,161 +8236,46 @@ async function runToken(toolName) {
   const auth = await getAuthConfig(toolName);
   if (!auth)
     throw new Error(`tool '${toolName}' does not declare auth`);
-  const t = await ensureValidToken(toolName, auth);
+  const t = await ensureValidToken2(toolName, auth);
   if (!t)
     throw new Error(`no valid token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
   console.log(t);
 }
-async function runEnv(toolName) {
-  const auth = await getAuthConfig(toolName);
-  if (!auth)
-    throw new Error(`tool '${toolName}' does not declare auth`);
-  console.log(await getEnvExport(toolName, auth));
-}
-async function runRefresh(toolName) {
-  const authConfig = await getAuthConfig(toolName);
-  if (!authConfig)
-    throw new Error(`tool '${toolName}' does not declare auth`);
-  const provider = authConfig.providers[0];
-  if (!provider)
-    throw new Error("no auth provider configured");
-  const token = loadToken(toolName, provider.id);
-  if (!token) {
-    throw new Error(`no stored token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
-  }
-  if (!token.refresh_token) {
-    throw new Error(`token for '${toolName}' has no refresh_token (provider type: ${provider.type})`);
-  }
-  if (!provider.tokenUrl || !provider.clientId) {
-    throw new Error("provider missing tokenUrl or clientId for refresh");
-  }
-  const newToken = await refreshAccessToken(provider.tokenUrl, token.refresh_token, provider.clientId);
-  if (!newToken.refresh_token) {
-    newToken.refresh_token = token.refresh_token;
-  }
-  newToken.provider_id = provider.id;
-  storeToken(toolName, provider.id, newToken);
-  const display = provider.displayName ?? provider.id;
-  process.stderr.write(`Token refreshed for ${display}
-`);
-}
-var init_auth = __esm(() => {
-  init_open();
-  init_search2();
-});
-
-// src/auth.ts
-import {
-  chmodSync as chmodSync2,
-  existsSync as existsSync3,
-  mkdirSync as mkdirSync3,
-  readFileSync as readFileSync3,
-  unlinkSync as unlinkSync2,
-  writeFileSync as writeFileSync3
-} from "node:fs";
-import { homedir as homedir3 } from "node:os";
-import { dirname as dirname2, join as join3 } from "node:path";
-function tokensDir2(baseDir) {
-  return join3(baseDir ?? join3(homedir3(), ".mtpcli"), "tokens");
-}
-function tokenPath2(toolName, providerId, baseDir) {
-  return join3(tokensDir2(baseDir), toolName, `${providerId}.json`);
-}
-function storeToken2(toolName, providerId, token, baseDir) {
-  const path2 = tokenPath2(toolName, providerId, baseDir);
-  mkdirSync3(dirname2(path2), { recursive: true });
-  writeFileSync3(path2, JSON.stringify(token, null, 2));
-  chmodSync2(path2, 384);
-  return path2;
-}
-function loadToken2(toolName, providerId, baseDir) {
-  const path2 = tokenPath2(toolName, providerId, baseDir);
-  if (!existsSync3(path2))
-    return null;
-  return JSON.parse(readFileSync3(path2, "utf-8"));
-}
-function isTokenExpired2(token) {
-  if (!token.expires_at)
-    return false;
-  const exp = new Date(token.expires_at);
-  const buffer = 5 * 60 * 1000;
-  return exp.getTime() - buffer < Date.now();
-}
-async function refreshAccessToken2(tokenUrl, refreshToken, clientId) {
-  const params = new URLSearchParams({
-    grant_type: "refresh_token",
-    refresh_token: refreshToken,
-    client_id: clientId
-  });
-  const resp = await fetch(tokenUrl, {
-    method: "POST",
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-      Accept: "application/json"
-    },
-    body: params.toString()
-  });
-  const text = await resp.text();
-  return parseTokenResponse2(text);
-}
-function parseTokenResponse2(text) {
-  let val;
-  try {
-    val = JSON.parse(text);
-  } catch {
-    val = Object.fromEntries(new URLSearchParams(text));
-  }
-  const accessToken = val.access_token;
-  if (!accessToken)
-    throw new Error("no access_token in response");
-  const expiresIn = typeof val.expires_in === "number" ? val.expires_in : typeof val.expires_in === "string" ? parseInt(val.expires_in, 10) || undefined : undefined;
-  const expiresAt = expiresIn ? new Date(Date.now() + expiresIn * 1000).toISOString() : undefined;
-  const scope = val.scope;
-  const scopes = scope ? scope.split(/\s+/) : undefined;
-  return {
-    access_token: accessToken,
-    token_type: val.token_type ?? undefined,
-    refresh_token: val.refresh_token ?? undefined,
-    expires_at: expiresAt,
-    scopes,
-    provider_id: "",
-    created_at: new Date().toISOString()
-  };
-}
-async function ensureValidToken2(toolName, auth) {
-  const provider = auth.providers[0];
-  if (!provider)
-    return null;
-  const token = loadToken2(toolName, provider.id);
-  if (!token)
-    return null;
-  if (isTokenExpired2(token)) {
-    if (token.refresh_token && provider.tokenUrl && provider.clientId) {
-      try {
-        const newToken = await refreshAccessToken2(provider.tokenUrl, token.refresh_token, provider.clientId);
-        if (!newToken.refresh_token) {
-          newToken.refresh_token = token.refresh_token;
-        }
-        newToken.provider_id = provider.id;
-        storeToken2(toolName, provider.id, newToken);
-        return newToken.access_token;
-      } catch (e) {
-        process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
-`);
-        return null;
-      }
-    }
-    return null;
-  }
-  return token.access_token;
-}
-async function getEnvDict2(toolName, auth) {
-  const token = await ensureValidToken2(toolName, auth);
-  if (!token)
-    return {};
-  return { [auth.envVar]: token };
+async function runEnv(toolName) {
+  const auth = await getAuthConfig(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  console.log(await getEnvExport(toolName, auth));
+}
+async function runRefresh(toolName) {
+  const authConfig = await getAuthConfig(toolName);
+  if (!authConfig)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const provider = authConfig.providers[0];
+  if (!provider)
+    throw new Error("no auth provider configured");
+  const token = loadToken2(toolName, provider.id);
+  if (!token) {
+    throw new Error(`no stored token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${toolName}' has no refresh_token (provider type: ${provider.type})`);
+  }
+  if (!provider.tokenUrl || !provider.clientId) {
+    throw new Error("provider missing tokenUrl or clientId for refresh");
+  }
+  const newToken = await refreshAccessToken2(provider.tokenUrl, token.refresh_token, provider.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = provider.id;
+  storeToken2(toolName, provider.id, newToken);
+  const display = provider.displayName ?? provider.id;
+  process.stderr.write(`Token refreshed for ${display}
+`);
 }
 var init_auth2 = __esm(() => {
+  init_open();
   init_search2();
 });
 
@@ -7963,7 +8340,7 @@ __export(exports_serve, {
   argToJsonSchema: () => argToJsonSchema
 });
 import { execFile as execFile9, spawn } from "node:child_process";
-import { createInterface as createInterface2 } from "node:readline";
+import { createInterface as createInterface3 } from "node:readline";
 import { promisify as promisify9 } from "node:util";
 function argToJsonSchema(arg) {
   const schema = {};
@@ -8139,7 +8516,7 @@ async function handleRequest(state, req) {
       let authEnv;
       const authConfig = state.authConfigs.get(entry.cliTool);
       if (authConfig) {
-        const env = await getEnvDict2(entry.cliTool, authConfig);
+        const env = await getEnvDict(entry.cliTool, authConfig);
         if (Object.keys(env).length > 0)
           authEnv = env;
       }
@@ -8186,7 +8563,7 @@ async function run(toolNames) {
     schemas: allSchemas,
     authConfigs: allAuth
   };
-  const rl = createInterface2({ input: process.stdin, crlfDelay: Infinity });
+  const rl = createInterface3({ input: process.stdin, crlfDelay: Infinity });
   for await (const line of rl) {
     const trimmed = line.trim();
     if (!trimmed)
@@ -8209,24 +8586,365 @@ async function run(toolNames) {
 }
 var execFileAsync7, VERSION = "0.1.0";
 var init_serve = __esm(() => {
-  init_auth2();
+  init_auth();
   init_mcp();
   init_models();
   init_search2();
   execFileAsync7 = promisify9(execFile9);
 });
 
+// src/mcp-oauth.ts
+var exports_mcp_oauth2 = {};
+__export(exports_mcp_oauth2, {
+  storeClientRegistration: () => storeClientRegistration2,
+  serverStorageKey: () => serverStorageKey2,
+  registerClient: () => registerClient2,
+  promptForClientId: () => promptForClientId2,
+  parseWwwAuthenticate: () => parseWwwAuthenticate2,
+  mcpOAuthFlow: () => mcpOAuthFlow2,
+  loadOrRefreshMcpToken: () => loadOrRefreshMcpToken2,
+  loadClientRegistration: () => loadClientRegistration2,
+  fetchResourceMetadata: () => fetchResourceMetadata2,
+  fetchAuthServerMetadata: () => fetchAuthServerMetadata2
+});
+import { randomBytes as randomBytes4 } from "node:crypto";
+import {
+  existsSync as existsSync5,
+  mkdirSync as mkdirSync5,
+  readFileSync as readFileSync5,
+  writeFileSync as writeFileSync5,
+  chmodSync as chmodSync4
+} from "node:fs";
+import { createServer as createServer3 } from "node:http";
+import { homedir as homedir5 } from "node:os";
+import { dirname as dirname4, join as join5 } from "node:path";
+import { createInterface as createInterface4 } from "node:readline";
+function serverStorageKey2(url) {
+  const u = new URL(url);
+  return `mcp_${u.host}`;
+}
+function parseWwwAuthenticate2(header) {
+  const result = {};
+  const params = header.replace(/^Bearer\s+/i, "");
+  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
+  let match;
+  while ((match = re.exec(params)) !== null) {
+    const key = match[1];
+    const val = match[2] ?? match[3];
+    if (key === "resource_metadata")
+      result.resourceMetadata = val;
+    if (key === "scope")
+      result.scope = val;
+  }
+  return result;
+}
+async function fetchResourceMetadata2(url) {
+  const resp = await fetch(url);
+  if (!resp.ok) {
+    throw new Error(`failed to fetch resource metadata from ${url}: ${resp.status}`);
+  }
+  return resp.json();
+}
+async function fetchAuthServerMetadata2(serverUrl, wwwAuth) {
+  if (wwwAuth) {
+    const parsed = parseWwwAuthenticate2(wwwAuth);
+    if (parsed.resourceMetadata) {
+      try {
+        const resource = await fetchResourceMetadata2(parsed.resourceMetadata);
+        if (resource.authorization_servers?.length) {
+          const asUrl = resource.authorization_servers[0];
+          const wellKnown = `${asUrl}/.well-known/oauth-authorization-server`;
+          const resp = await fetch(wellKnown);
+          if (resp.ok) {
+            return resp.json();
+          }
+        }
+      } catch {}
+    }
+  }
+  const origin = new URL(serverUrl).origin;
+  const oauthUrl = `${origin}/.well-known/oauth-authorization-server`;
+  try {
+    const resp = await fetch(oauthUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  const oidcUrl = `${origin}/.well-known/openid-configuration`;
+  try {
+    const resp = await fetch(oidcUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  throw new Error(`could not discover OAuth authorization server for ${serverUrl}`);
+}
+async function registerClient2(metadata, redirectUri) {
+  if (!metadata.registration_endpoint) {
+    throw new Error("no registration_endpoint in auth server metadata");
+  }
+  const body = {
+    client_name: "mtpcli",
+    redirect_uris: [redirectUri],
+    grant_types: ["authorization_code"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none"
+  };
+  const resp = await fetch(metadata.registration_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`dynamic client registration failed (${resp.status}): ${text}`);
+  }
+  const result = await resp.json();
+  const clientId = result.client_id;
+  if (!clientId)
+    throw new Error("no client_id in registration response");
+  return {
+    clientId,
+    clientSecret: result.client_secret,
+    redirectUri,
+    registeredAt: Date.now()
+  };
+}
+function promptForClientId2(serverUrl) {
+  return new Promise((resolve, reject) => {
+    process.stderr.write(`
+No dynamic registration available for ${serverUrl}.
+` + `You need to register a client manually and provide the client_id.
+` + `Enter client_id: `);
+    const rl = createInterface4({ input: process.stdin, output: process.stderr });
+    rl.question("", (answer) => {
+      rl.close();
+      const trimmed = answer.trim();
+      if (!trimmed) {
+        reject(new Error("no client_id provided"));
+        return;
+      }
+      resolve(trimmed);
+    });
+  });
+}
+function clientStorePath2() {
+  return join5(homedir5(), ".mtpcli", "mcp-oauth-clients.json");
+}
+function loadClientStore2() {
+  const path2 = clientStorePath2();
+  if (!existsSync5(path2))
+    return {};
+  try {
+    return JSON.parse(readFileSync5(path2, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveClientStore2(store) {
+  const path2 = clientStorePath2();
+  mkdirSync5(dirname4(path2), { recursive: true });
+  writeFileSync5(path2, JSON.stringify(store, null, 2));
+  chmodSync4(path2, 384);
+}
+function loadClientRegistration2(origin) {
+  const store = loadClientStore2();
+  return store[origin] ?? null;
+}
+function storeClientRegistration2(origin, client, metadata) {
+  const store = loadClientStore2();
+  store[origin] = { client, metadata };
+  saveClientStore2(store);
+}
+function startCallbackServer2() {
+  return new Promise((resolve, reject) => {
+    let codeResolve;
+    let codeReject;
+    const codePromise = new Promise((res, rej) => {
+      codeResolve = res;
+      codeReject = rej;
+    });
+    const server = createServer3((req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (code) {
+        const html = "<html><body><h2>Authentication successful!</h2>" + "<p>You can close this tab and return to your terminal.</p>" + "<script>window.close()</script></body></html>";
+        res.writeHead(200, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeResolve(code);
+        return;
+      }
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Unknown error";
+        const html = `<html><body><h2>Authentication failed</h2><p>${desc}</p></body></html>`;
+        res.writeHead(400, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeReject(new Error(`OAuth error: ${error} - ${desc}`));
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("failed to get callback server address"));
+        return;
+      }
+      resolve({
+        port: addr.port,
+        waitForCode: () => {
+          const timer = setTimeout(() => {
+            server.close();
+            codeReject(new Error("OAuth callback timed out (120s)"));
+          }, 120000);
+          return codePromise.finally(() => clearTimeout(timer));
+        },
+        server
+      });
+    });
+    server.on("error", (e) => {
+      reject(new Error(`failed to bind callback server: ${e.message}`));
+    });
+  });
+}
+async function mcpOAuthFlow2(serverUrl, wwwAuth, clientId) {
+  const origin = new URL(serverUrl).origin;
+  const storageKey = serverStorageKey2(serverUrl);
+  const wwwParsed = parseWwwAuthenticate2(wwwAuth);
+  process.stderr.write(`Discovering OAuth authorization server...
+`);
+  const metadata = await fetchAuthServerMetadata2(serverUrl, wwwAuth);
+  const challengeMethods = metadata.code_challenge_methods_supported;
+  if (challengeMethods && !challengeMethods.includes("S256")) {
+    throw new Error("authorization server does not support S256 PKCE (required)");
+  }
+  const callback = await startCallbackServer2();
+  const redirectUri = `http://127.0.0.1:${callback.port}/callback`;
+  let resolvedClientId = clientId;
+  let registration;
+  if (!resolvedClientId) {
+    const cached = loadClientRegistration2(origin);
+    if (cached) {
+      resolvedClientId = cached.client.clientId;
+      registration = cached.client;
+      process.stderr.write(`Using cached client registration for ${origin}
+`);
+    }
+  }
+  if (!resolvedClientId) {
+    if (metadata.registration_endpoint) {
+      process.stderr.write(`Registering client dynamically...
+`);
+      registration = await registerClient2(metadata, redirectUri);
+      resolvedClientId = registration.clientId;
+      storeClientRegistration2(origin, registration, metadata);
+    } else {
+      callback.server.close();
+      resolvedClientId = await promptForClientId2(serverUrl);
+      const newCallback = await startCallbackServer2();
+      return doOAuthLogin2(metadata, resolvedClientId, `http://127.0.0.1:${newCallback.port}/callback`, newCallback, wwwParsed.scope, storageKey, origin);
+    }
+  }
+  return doOAuthLogin2(metadata, resolvedClientId, redirectUri, callback, wwwParsed.scope, storageKey, origin);
+}
+async function doOAuthLogin2(metadata, clientId, redirectUri, callback, scope, storageKey, origin) {
+  const state = randomBytes4(32).toString("base64url");
+  const pkce = generatePkce();
+  const scopes = scope ?? metadata.scopes_supported?.join(" ") ?? undefined;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    state,
+    code_challenge: pkce.challenge,
+    code_challenge_method: "S256"
+  });
+  if (scopes)
+    params.set("scope", scopes);
+  const authUrl = `${metadata.authorization_endpoint}?${params.toString()}`;
+  process.stderr.write(`Opening browser for OAuth login...
+`);
+  process.stderr.write(`If the browser doesn't open, visit:
+${authUrl}
+
+`);
+  open_default(authUrl).catch(() => {});
+  process.stderr.write(`Waiting for authentication callback on port ${callback.port}...
+`);
+  const code = await callback.waitForCode();
+  process.stderr.write(`Exchanging authorization code for tokens...
+`);
+  const token = await exchangeCode(metadata.token_endpoint, code, clientId, redirectUri, pkce.verifier);
+  token.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", token);
+  storeClientRegistration2(origin, {
+    clientId,
+    redirectUri,
+    registeredAt: Date.now()
+  }, metadata);
+  process.stderr.write(`Authenticated with ${origin}
+`);
+  return token.access_token;
+}
+async function loadOrRefreshMcpToken2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token)
+    return null;
+  if (!isTokenExpired(token)) {
+    return token.access_token;
+  }
+  if (token.refresh_token) {
+    const origin = new URL(serverUrl).origin;
+    const cached = loadClientRegistration2(origin);
+    if (cached) {
+      try {
+        const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+        if (!newToken.refresh_token) {
+          newToken.refresh_token = token.refresh_token;
+        }
+        newToken.provider_id = "mcp-oauth";
+        storeToken(storageKey, "mcp-oauth", newToken);
+        return newToken.access_token;
+      } catch (e) {
+        process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
+`);
+      }
+    }
+  }
+  return null;
+}
+var init_mcp_oauth2 = __esm(() => {
+  init_open();
+  init_auth();
+});
+
 // src/wrap.ts
 var exports_wrap = {};
 __export(exports_wrap, {
   run: () => run2,
   parseToolArgs: () => parseToolArgs,
+  parseHeaders: () => parseHeaders,
   mcpToolToCommand: () => mcpToolToCommand,
   jsonSchemaToArg: () => jsonSchemaToArg,
-  McpClient: () => McpClient
+  McpClient: () => McpClient,
+  HttpMcpClient: () => HttpMcpClient
 });
 import { spawn as spawn2 } from "node:child_process";
-import { createInterface as createInterface3 } from "node:readline";
+import { createInterface as createInterface5 } from "node:readline";
 function jsonSchemaToArg(name, prop, required) {
   let argType = "string";
   let values;
@@ -8378,7 +9096,7 @@ class McpClient {
     if (!child.stdout || !child.stdin) {
       throw new Error("failed to start MCP server");
     }
-    const rl = createInterface3({ input: child.stdout, crlfDelay: Infinity });
+    const rl = createInterface5({ input: child.stdout, crlfDelay: Infinity });
     const client = new McpClient(child, rl);
     client.sendRequest("initialize", {
       protocolVersion: "2024-11-05",
@@ -8417,11 +9135,219 @@ class McpClient {
     this.child.kill();
   }
 }
-async function run2(serverCmd, describeMode, toolName, toolArgs = []) {
-  const client = await McpClient.start(serverCmd);
+
+class HttpMcpClient {
+  url;
+  sessionId;
+  protocolVersion;
+  extraHeaders;
+  nextId = 0;
+  accessToken;
+  clientId;
+  oauthAttempted = false;
+  constructor(url, extraHeaders, clientId) {
+    this.url = url;
+    this.extraHeaders = extraHeaders;
+    this.clientId = clientId;
+  }
+  static async start(url, extraHeaders = {}, clientId) {
+    const client = new HttpMcpClient(url, extraHeaders, clientId);
+    if (!extraHeaders["Authorization"] && !extraHeaders["authorization"]) {
+      const { loadOrRefreshMcpToken: loadOrRefreshMcpToken3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
+      const token = await loadOrRefreshMcpToken3(url);
+      if (token) {
+        client.accessToken = token;
+      }
+    }
+    const initResult = await client.sendRequest("initialize", {
+      protocolVersion: "2025-11-25",
+      capabilities: {},
+      clientInfo: { name: "mtpcli-wrap", version: VERSION2 }
+    });
+    client.protocolVersion = initResult.protocolVersion ?? "2025-11-25";
+    await client.sendNotification("notifications/initialized", {});
+    return client;
+  }
+  buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json",
+      Accept: "application/json, text/event-stream"
+    };
+    if (this.accessToken && !this.extraHeaders["Authorization"] && !this.extraHeaders["authorization"]) {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    Object.assign(headers, this.extraHeaders);
+    if (this.sessionId) {
+      headers["MCP-Session-Id"] = this.sessionId;
+    }
+    if (this.protocolVersion) {
+      headers["MCP-Protocol-Version"] = this.protocolVersion;
+    }
+    return headers;
+  }
+  parseJsonRpcResponse(json) {
+    if (json.error) {
+      const err = json.error;
+      throw new Error(`MCP error: ${err.message} (${err.code})`);
+    }
+    return json.result ?? {};
+  }
+  async readSseResponse(resp, requestId) {
+    const sid = resp.headers.get("mcp-session-id");
+    if (sid)
+      this.sessionId = sid;
+    const text = await resp.text();
+    const events = text.split(/\n\n+/);
+    for (const event of events) {
+      const dataLines = [];
+      for (const line of event.split(`
+`)) {
+        if (line.startsWith("data:")) {
+          dataLines.push(line.slice(5).trimStart());
+        }
+      }
+      if (dataLines.length === 0)
+        continue;
+      let json;
+      try {
+        json = JSON.parse(dataLines.join(`
+`));
+      } catch {
+        continue;
+      }
+      if (json.id === requestId) {
+        return this.parseJsonRpcResponse(json);
+      }
+    }
+    throw new Error("SSE stream ended without a response matching request ID " + requestId);
+  }
+  async handleOAuth(resp) {
+    if (this.oauthAttempted) {
+      throw new Error(`HTTP 401 from ${this.url} (OAuth already attempted, not retrying)`);
+    }
+    this.oauthAttempted = true;
+    const wwwAuth = resp.headers.get("www-authenticate") ?? "";
+    const { mcpOAuthFlow: mcpOAuthFlow3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
+    this.accessToken = await mcpOAuthFlow3(this.url, wwwAuth, this.clientId);
+  }
+  async sendRequest(method, params) {
+    this.nextId++;
+    const body = {
+      jsonrpc: "2.0",
+      id: this.nextId,
+      method,
+      params
+    };
+    const resp = await fetch(this.url, {
+      method: "POST",
+      headers: this.buildHeaders(),
+      body: JSON.stringify(body)
+    });
+    if (resp.status === 401) {
+      await this.handleOAuth(resp);
+      const retryResp = await fetch(this.url, {
+        method: "POST",
+        headers: this.buildHeaders(),
+        body: JSON.stringify(body)
+      });
+      if (!retryResp.ok) {
+        throw new Error(`HTTP ${retryResp.status} ${retryResp.statusText} from ${this.url}`);
+      }
+      const ct2 = retryResp.headers.get("content-type") ?? "";
+      if (ct2.includes("text/event-stream")) {
+        return this.readSseResponse(retryResp, this.nextId);
+      }
+      const sid2 = retryResp.headers.get("mcp-session-id");
+      if (sid2)
+        this.sessionId = sid2;
+      const json2 = await retryResp.json();
+      return this.parseJsonRpcResponse(json2);
+    }
+    if (!resp.ok) {
+      throw new Error(`HTTP ${resp.status} ${resp.statusText} from ${this.url}`);
+    }
+    const ct = resp.headers.get("content-type") ?? "";
+    if (ct.includes("text/event-stream")) {
+      return this.readSseResponse(resp, this.nextId);
+    }
+    const sid = resp.headers.get("mcp-session-id");
+    if (sid) {
+      this.sessionId = sid;
+    }
+    const json = await resp.json();
+    return this.parseJsonRpcResponse(json);
+  }
+  async sendNotification(method, params) {
+    const body = {
+      jsonrpc: "2.0",
+      method,
+      params
+    };
+    const resp = await fetch(this.url, {
+      method: "POST",
+      headers: this.buildHeaders(),
+      body: JSON.stringify(body)
+    });
+    if (resp.status === 401) {
+      await this.handleOAuth(resp);
+      const retryResp = await fetch(this.url, {
+        method: "POST",
+        headers: this.buildHeaders(),
+        body: JSON.stringify(body)
+      });
+      if (!retryResp.ok) {
+        throw new Error(`HTTP ${retryResp.status} ${retryResp.statusText} from ${this.url}`);
+      }
+      const sid2 = retryResp.headers.get("mcp-session-id");
+      if (sid2)
+        this.sessionId = sid2;
+      return;
+    }
+    if (!resp.ok) {
+      throw new Error(`HTTP ${resp.status} ${resp.statusText} from ${this.url}`);
+    }
+    const sid = resp.headers.get("mcp-session-id");
+    if (sid) {
+      this.sessionId = sid;
+    }
+  }
+  async listTools() {
+    const result = await this.sendRequest("tools/list", {});
+    return result.tools ?? [];
+  }
+  async callTool(name, arguments_) {
+    return this.sendRequest("tools/call", { name, arguments: arguments_ });
+  }
+  stop() {}
+}
+function parseHeaders(raw) {
+  const headers = {};
+  for (const h of raw) {
+    const idx = h.indexOf(":");
+    if (idx === -1) {
+      throw new Error(`invalid header (missing ':'): ${h}`);
+    }
+    headers[h.slice(0, idx).trim()] = h.slice(idx + 1).trim();
+  }
+  return headers;
+}
+async function run2(serverCmd, serverUrl, describeMode, toolName, toolArgs = [], rawHeaders = [], clientId) {
+  let client;
+  let serverName;
+  if (serverUrl) {
+    const headers = parseHeaders(rawHeaders);
+    client = await HttpMcpClient.start(serverUrl, headers, clientId);
+    try {
+      serverName = new URL(serverUrl).hostname;
+    } catch {
+      serverName = serverUrl;
+    }
+  } else {
+    client = await McpClient.start(serverCmd);
+    serverName = serverCmd.split("/").pop()?.split(/\s/)[0] ?? serverCmd;
+  }
   try {
     const mcpTools = await client.listTools();
-    const serverName = serverCmd.split("/").pop()?.split(/\s/)[0] ?? serverCmd;
     const commands = mcpTools.map(mcpToolToCommand);
     const schema = {
       name: serverName,
@@ -9208,7 +10134,7 @@ function cleanJson(obj) {
 }
 
 // src/index.ts
-var VERSION3 = "0.2.2";
+var VERSION3 = "0.2.3";
 function selfDescribe() {
   const schema = {
     name: "mtpcli",
@@ -9266,8 +10192,7 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
           },
           {
             name: "--provider",
@@ -9278,6 +10203,16 @@ function selfDescribe() {
             name: "--token",
             type: "string",
             description: "API key or bearer token"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL (triggers OAuth discovery and login)"
+          },
+          {
+            name: "--client-id",
+            type: "string",
+            description: "Pre-registered OAuth client ID (for --url)"
           }
         ],
         examples: [
@@ -9285,6 +10220,10 @@ function selfDescribe() {
           {
             description: "API key login",
             command: "mtpcli auth login my-tool --token sk-xxx"
+          },
+          {
+            description: "Login to HTTP MCP server",
+            command: "mtpcli auth login --url https://mcp.example.com/v1/mcp"
           }
         ]
       },
@@ -9382,8 +10321,22 @@ function selfDescribe() {
           {
             name: "--server",
             type: "string",
-            required: true,
-            description: "MCP server command"
+            description: "MCP server command (stdio transport)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "MCP server URL (Streamable HTTP transport). Mutually exclusive with --server."
+          },
+          {
+            name: "--header",
+            type: "array",
+            description: "HTTP header(s) for --url, e.g. 'Authorization: Bearer tok'. Repeatable."
+          },
+          {
+            name: "--client-id",
+            type: "string",
+            description: "Pre-registered OAuth client ID (for servers without dynamic registration)"
           },
           {
             name: "--describe",
@@ -9398,12 +10351,20 @@ function selfDescribe() {
         ],
         examples: [
           {
-            description: "Describe an MCP server",
+            description: "Describe a stdio MCP server",
             command: 'mtpcli wrap --server "npx @mcp/server-github" --describe'
           },
           {
-            description: "Call a tool",
+            description: "Call a tool on a stdio server",
             command: 'mtpcli wrap --server "npx @mcp/server-github" search_repos -- --query mtpcli'
+          },
+          {
+            description: "Describe an HTTP MCP server",
+            command: "mtpcli wrap --url http://localhost:3000/mcp --describe"
+          },
+          {
+            description: "Call a tool on an HTTP server",
+            command: "mtpcli wrap --url http://localhost:3000/mcp search_repos -- --query mtpcli"
           }
         ]
       },
@@ -9517,28 +10478,38 @@ program2.command("search").description("Search across --describe-compatible tool
   }
 });
 var authCmd = program2.command("auth").description("Manage authentication for tools");
-authCmd.command("login").description("Log in to a tool").argument("<tool>", "Tool name").option("--provider <id>", "Specific provider ID").option("--token <value>", "API key / bearer token (skip OAuth flow)").action(async (tool, opts) => {
-  const { runLogin: runLogin2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+authCmd.command("login").description("Log in to a tool").argument("[tool]", "Tool name").option("--provider <id>", "Specific provider ID").option("--token <value>", "API key / bearer token (skip OAuth flow)").option("--url <url>", "HTTP MCP server URL (triggers OAuth discovery)").option("--client-id <id>", "Pre-registered OAuth client ID (for --url)").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpOAuthFlow: mcpOAuthFlow3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    await mcpOAuthFlow3(opts.url, "", opts.clientId);
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runLogin: runLogin2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
   await runLogin2(tool, opts.provider, opts.token);
 });
 authCmd.command("logout").description("Log out from a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runLogout: runLogout2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+  const { runLogout: runLogout2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
   await runLogout2(tool);
 });
 authCmd.command("status").description("Show auth status for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runStatus: runStatus2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+  const { runStatus: runStatus2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
   await runStatus2(tool);
 });
 authCmd.command("token").description("Print the access token for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runToken: runToken2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+  const { runToken: runToken2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
   await runToken2(tool);
 });
 authCmd.command("env").description("Print shell export statement for eval").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runEnv: runEnv2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+  const { runEnv: runEnv2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
   await runEnv2(tool);
 });
 authCmd.command("refresh").description("Force-refresh the stored OAuth token for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runRefresh: runRefresh2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+  const { runRefresh: runRefresh2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
   await runRefresh2(tool);
 });
 program2.command("serve").description("Serve CLI tools as an MCP server (cli2mcp bridge)").requiredOption("--tool <names...>", "Tool(s) to serve").addHelpText("after", `
@@ -9580,9 +10551,29 @@ Multiple tools can be combined into a single MCP server:
   const { run: run5 } = await Promise.resolve().then(() => (init_serve(), exports_serve));
   await run5(opts.tool);
 });
-program2.command("wrap").description("Wrap an MCP server as a CLI tool (mcp2cli bridge)").requiredOption("--server <cmd>", "MCP server command to run").option("--describe", "Output --describe JSON instead of invoking", false).argument("[tool_name]", "Tool name to invoke").argument("[args...]", "Arguments for the tool (after --)").action(async (toolName, args, opts) => {
+program2.command("wrap").description("Wrap an MCP server as a CLI tool (mcp2cli bridge)").option("--server <cmd>", "MCP server command to run (stdio transport)").option("--url <url>", "MCP server URL (Streamable HTTP transport)").option("-H, --header <header...>", "HTTP header(s) for --url (e.g. 'Authorization: Bearer tok')").option("--client-id <id>", "Pre-registered OAuth client ID (for --url)").option("--describe", "Output --describe JSON instead of invoking", false).argument("[tool_name]", "Tool name to invoke").argument("[args...]", "Arguments for the tool (after --)").action(async (toolName, args, opts) => {
+  if (opts.server && opts.url) {
+    process.stderr.write(`error: --server and --url are mutually exclusive
+`);
+    process.exit(1);
+  }
+  if (!opts.server && !opts.url) {
+    process.stderr.write(`error: one of --server or --url is required
+`);
+    process.exit(1);
+  }
+  if (opts.header && !opts.url) {
+    process.stderr.write(`error: --header requires --url
+`);
+    process.exit(1);
+  }
+  if (opts.clientId && !opts.url) {
+    process.stderr.write(`error: --client-id requires --url
+`);
+    process.exit(1);
+  }
   const { run: run5 } = await Promise.resolve().then(() => (init_wrap(), exports_wrap));
-  await run5(opts.server, opts.describe, toolName, args);
+  await run5(opts.server, opts.url, opts.describe, toolName, args, opts.header ?? [], opts.clientId);
 });
 program2.command("validate").description("Validate a tool's --describe output against the MTP spec").argument("[tool]", "Tool name to validate").option("--json", "Output as JSON", false).option("--stdin", "Read JSON from stdin", false).option("--skip-help", "Skip --help cross-reference", false).action(async (tool, opts) => {
   const { run: run5 } = await Promise.resolve().then(() => (init_validate(), exports_validate));