@modeltoolsprotocol/mtpcli 0.2.2 → 0.3.0

package/dist/index.js

@@ -7350,6 +7350,7 @@ __export(exports_auth, {
   runLogout: () => runLogout,
   runLogin: () => runLogin,
   runEnv: () => runEnv,
+  refreshAccessToken: () => refreshAccessToken,
   oauth2Login: () => oauth2Login,
   login: () => login,
   loadToken: () => loadToken,
@@ -7358,6 +7359,8 @@ __export(exports_auth, {
   getEnvExport: () => getEnvExport,
   getEnvDict: () => getEnvDict,
   getAuthConfig: () => getAuthConfig,
+  generatePkce: () => generatePkce,
+  exchangeCode: () => exchangeCode,
   ensureValidToken: () => ensureValidToken,
   deleteToken: () => deleteToken,
   authStatus: () => authStatus,
@@ -7469,7 +7472,7 @@ function waitForCallback(port, timeoutSecs) {
     });
   });
 }
-async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier) {
+async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier, resource) {
   const params = new URLSearchParams({
     grant_type: "authorization_code",
     code,
@@ -7478,6 +7481,8 @@ async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier)
   });
   if (codeVerifier)
     params.set("code_verifier", codeVerifier);
+  if (resource)
+    params.set("resource", resource);
   const resp = await fetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -7489,12 +7494,14 @@ async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier)
   const text = await resp.text();
   return parseTokenResponse(text);
 }
-async function refreshAccessToken(tokenUrl, refreshToken, clientId) {
+async function refreshAccessToken(tokenUrl, refreshToken, clientId, resource) {
   const params = new URLSearchParams({
     grant_type: "refresh_token",
     refresh_token: refreshToken,
     client_id: clientId
   });
+  if (resource)
+    params.set("resource", resource);
   const resp = await fetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -7787,35 +7794,465 @@ var init_auth = __esm(() => {
   init_search2();
 });
 
-// src/auth.ts
+// src/mcp-oauth.ts
+var exports_mcp_oauth = {};
+__export(exports_mcp_oauth, {
+  storeClientRegistration: () => storeClientRegistration,
+  serverStorageKey: () => serverStorageKey,
+  registerClient: () => registerClient,
+  promptForClientId: () => promptForClientId,
+  parseWwwAuthenticate: () => parseWwwAuthenticate,
+  mcpOAuthFlow: () => mcpOAuthFlow,
+  mcpAuthToken: () => mcpAuthToken,
+  mcpAuthStatus: () => mcpAuthStatus,
+  mcpAuthRefresh: () => mcpAuthRefresh,
+  mcpAuthLogout: () => mcpAuthLogout,
+  loadOrRefreshMcpToken: () => loadOrRefreshMcpToken,
+  loadClientRegistration: () => loadClientRegistration,
+  fetchResourceMetadata: () => fetchResourceMetadata,
+  fetchAuthServerMetadata: () => fetchAuthServerMetadata
+});
+import { randomBytes as randomBytes2 } from "node:crypto";
 import {
-  chmodSync as chmodSync2,
   existsSync as existsSync3,
   mkdirSync as mkdirSync3,
   readFileSync as readFileSync3,
-  unlinkSync as unlinkSync2,
-  writeFileSync as writeFileSync3
+  writeFileSync as writeFileSync3,
+  chmodSync as chmodSync2
 } from "node:fs";
+import { createServer as createServer2 } from "node:http";
 import { homedir as homedir3 } from "node:os";
 import { dirname as dirname2, join as join3 } from "node:path";
+import { createInterface as createInterface2 } from "node:readline";
+function serverStorageKey(url) {
+  const u = new URL(url);
+  return `mcp_${u.host}`;
+}
+function parseWwwAuthenticate(header) {
+  const result = {};
+  const params = header.replace(/^Bearer\s+/i, "");
+  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
+  let match;
+  while ((match = re.exec(params)) !== null) {
+    const key = match[1];
+    const val = match[2] ?? match[3];
+    if (key === "resource_metadata")
+      result.resourceMetadata = val;
+    if (key === "scope")
+      result.scope = val;
+  }
+  return result;
+}
+async function fetchResourceMetadata(url) {
+  const resp = await fetch(url);
+  if (!resp.ok) {
+    throw new Error(`failed to fetch resource metadata from ${url}: ${resp.status}`);
+  }
+  return resp.json();
+}
+async function fetchAuthServerMetadata(serverUrl, wwwAuth) {
+  if (wwwAuth) {
+    const parsed = parseWwwAuthenticate(wwwAuth);
+    if (parsed.resourceMetadata) {
+      try {
+        const resource = await fetchResourceMetadata(parsed.resourceMetadata);
+        if (resource.authorization_servers?.length) {
+          const asUrl = resource.authorization_servers[0];
+          const wellKnown = `${asUrl}/.well-known/oauth-authorization-server`;
+          const resp = await fetch(wellKnown);
+          if (resp.ok) {
+            return resp.json();
+          }
+        }
+      } catch {}
+    }
+  }
+  const origin = new URL(serverUrl).origin;
+  const oauthUrl = `${origin}/.well-known/oauth-authorization-server`;
+  try {
+    const resp = await fetch(oauthUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  const oidcUrl = `${origin}/.well-known/openid-configuration`;
+  try {
+    const resp = await fetch(oidcUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  throw new Error(`could not discover OAuth authorization server for ${serverUrl}`);
+}
+async function registerClient(metadata, redirectUri) {
+  if (!metadata.registration_endpoint) {
+    throw new Error("no registration_endpoint in auth server metadata");
+  }
+  const body = {
+    client_name: "mtpcli",
+    redirect_uris: [redirectUri],
+    grant_types: ["authorization_code"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none"
+  };
+  const resp = await fetch(metadata.registration_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`dynamic client registration failed (${resp.status}): ${text}`);
+  }
+  const result = await resp.json();
+  const clientId = result.client_id;
+  if (!clientId)
+    throw new Error("no client_id in registration response");
+  return {
+    clientId,
+    clientSecret: result.client_secret,
+    redirectUri,
+    registeredAt: Date.now()
+  };
+}
+function promptForClientId(serverUrl) {
+  return new Promise((resolve, reject) => {
+    process.stderr.write(`
+No dynamic registration available for ${serverUrl}.
+` + `You need to register a client manually and provide the client_id.
+` + `Enter client_id: `);
+    const rl = createInterface2({ input: process.stdin, output: process.stderr });
+    rl.question("", (answer) => {
+      rl.close();
+      const trimmed = answer.trim();
+      if (!trimmed) {
+        reject(new Error("no client_id provided"));
+        return;
+      }
+      resolve(trimmed);
+    });
+  });
+}
+function clientStorePath() {
+  return join3(homedir3(), ".mtpcli", "mcp-oauth-clients.json");
+}
+function loadClientStore() {
+  const path2 = clientStorePath();
+  if (!existsSync3(path2))
+    return {};
+  try {
+    return JSON.parse(readFileSync3(path2, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveClientStore(store) {
+  const path2 = clientStorePath();
+  mkdirSync3(dirname2(path2), { recursive: true });
+  writeFileSync3(path2, JSON.stringify(store, null, 2));
+  chmodSync2(path2, 384);
+}
+function loadClientRegistration(origin) {
+  const store = loadClientStore();
+  return store[origin] ?? null;
+}
+function storeClientRegistration(origin, client, metadata) {
+  const store = loadClientStore();
+  store[origin] = { client, metadata };
+  saveClientStore(store);
+}
+function startCallbackServer() {
+  return new Promise((resolve, reject) => {
+    let codeResolve;
+    let codeReject;
+    const codePromise = new Promise((res, rej) => {
+      codeResolve = res;
+      codeReject = rej;
+    });
+    const server = createServer2((req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (code) {
+        const html = "<html><body><h2>Authentication successful!</h2>" + "<p>You can close this tab and return to your terminal.</p>" + "<script>window.close()</script></body></html>";
+        res.writeHead(200, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeResolve(code);
+        return;
+      }
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Unknown error";
+        const html = `<html><body><h2>Authentication failed</h2><p>${desc}</p></body></html>`;
+        res.writeHead(400, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeReject(new Error(`OAuth error: ${error} - ${desc}`));
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("failed to get callback server address"));
+        return;
+      }
+      resolve({
+        port: addr.port,
+        waitForCode: () => {
+          const timer = setTimeout(() => {
+            server.close();
+            codeReject(new Error("OAuth callback timed out (120s)"));
+          }, 120000);
+          return codePromise.finally(() => clearTimeout(timer));
+        },
+        server
+      });
+    });
+    server.on("error", (e) => {
+      reject(new Error(`failed to bind callback server: ${e.message}`));
+    });
+  });
+}
+async function mcpOAuthFlow(serverUrl, wwwAuth, clientId) {
+  const origin = new URL(serverUrl).origin;
+  const storageKey = serverStorageKey(serverUrl);
+  const wwwParsed = parseWwwAuthenticate(wwwAuth);
+  process.stderr.write(`Discovering OAuth authorization server...
+`);
+  const metadata = await fetchAuthServerMetadata(serverUrl, wwwAuth);
+  const challengeMethods = metadata.code_challenge_methods_supported;
+  if (challengeMethods && !challengeMethods.includes("S256")) {
+    throw new Error("authorization server does not support S256 PKCE (required)");
+  }
+  const callback = await startCallbackServer();
+  const redirectUri = `http://127.0.0.1:${callback.port}/callback`;
+  let resolvedClientId = clientId;
+  let registration;
+  if (!resolvedClientId) {
+    const cached = loadClientRegistration(origin);
+    if (cached) {
+      resolvedClientId = cached.client.clientId;
+      registration = cached.client;
+      process.stderr.write(`Using cached client registration for ${origin}
+`);
+    }
+  }
+  if (!resolvedClientId) {
+    if (metadata.registration_endpoint) {
+      process.stderr.write(`Registering client dynamically...
+`);
+      registration = await registerClient(metadata, redirectUri);
+      resolvedClientId = registration.clientId;
+      storeClientRegistration(origin, registration, metadata);
+    } else {
+      callback.server.close();
+      resolvedClientId = await promptForClientId(serverUrl);
+      const newCallback = await startCallbackServer();
+      return doOAuthLogin(metadata, resolvedClientId, `http://127.0.0.1:${newCallback.port}/callback`, newCallback, wwwParsed.scope, storageKey, origin);
+    }
+  }
+  return doOAuthLogin(metadata, resolvedClientId, redirectUri, callback, wwwParsed.scope, storageKey, origin);
+}
+async function doOAuthLogin(metadata, clientId, redirectUri, callback, scope, storageKey, origin) {
+  const state = randomBytes2(32).toString("base64url");
+  const pkce = generatePkce();
+  const scopes = scope ?? metadata.scopes_supported?.join(" ") ?? undefined;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    state,
+    code_challenge: pkce.challenge,
+    code_challenge_method: "S256"
+  });
+  if (scopes)
+    params.set("scope", scopes);
+  const authUrl = `${metadata.authorization_endpoint}?${params.toString()}`;
+  process.stderr.write(`Opening browser for OAuth login...
+`);
+  process.stderr.write(`If the browser doesn't open, visit:
+${authUrl}
+
+`);
+  open_default(authUrl).catch(() => {});
+  process.stderr.write(`Waiting for authentication callback on port ${callback.port}...
+`);
+  const code = await callback.waitForCode();
+  process.stderr.write(`Exchanging authorization code for tokens...
+`);
+  const token = await exchangeCode(metadata.token_endpoint, code, clientId, redirectUri, pkce.verifier);
+  token.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", token);
+  storeClientRegistration(origin, {
+    clientId,
+    redirectUri,
+    registeredAt: Date.now()
+  }, metadata);
+  process.stderr.write(`Authenticated with ${origin}
+`);
+  return token.access_token;
+}
+function mcpAuthStatus(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  const reg = loadClientRegistration(origin);
+  const result = {
+    url: serverUrl,
+    authenticated: token !== null
+  };
+  if (token) {
+    result.expired = isTokenExpired(token);
+    result.has_refresh = !!token.refresh_token;
+    if (token.expires_at)
+      result.expires_at = token.expires_at;
+    if (token.scopes)
+      result.scopes = token.scopes;
+  }
+  if (reg) {
+    result.client_id = reg.client.clientId;
+  }
+  return result;
+}
+function mcpAuthLogout(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  return deleteToken(storageKey, "mcp-oauth");
+}
+async function mcpAuthToken(serverUrl) {
+  return loadOrRefreshMcpToken(serverUrl);
+}
+async function mcpAuthRefresh(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token) {
+    throw new Error(`no stored token for '${serverUrl}'. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${serverUrl}' has no refresh_token`);
+  }
+  const cached = loadClientRegistration(origin);
+  if (!cached) {
+    throw new Error(`no cached client registration for ${origin}. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", newToken);
+  process.stderr.write(`Token refreshed for ${serverUrl}
+`);
+}
+async function loadOrRefreshMcpToken(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token)
+    return null;
+  if (!isTokenExpired(token)) {
+    return token.access_token;
+  }
+  if (token.refresh_token) {
+    const origin = new URL(serverUrl).origin;
+    const cached = loadClientRegistration(origin);
+    if (cached) {
+      try {
+        const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+        if (!newToken.refresh_token) {
+          newToken.refresh_token = token.refresh_token;
+        }
+        newToken.provider_id = "mcp-oauth";
+        storeToken(storageKey, "mcp-oauth", newToken);
+        return newToken.access_token;
+      } catch (e) {
+        process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
+`);
+      }
+    }
+  }
+  return null;
+}
+var init_mcp_oauth = __esm(() => {
+  init_open();
+  init_auth();
+});
+
+// src/auth.ts
+var exports_auth2 = {};
+__export(exports_auth2, {
+  storeToken: () => storeToken2,
+  runToken: () => runToken2,
+  runStatus: () => runStatus2,
+  runRefresh: () => runRefresh2,
+  runLogout: () => runLogout2,
+  runLogin: () => runLogin2,
+  runEnv: () => runEnv2,
+  refreshAccessToken: () => refreshAccessToken2,
+  oauth2Login: () => oauth2Login2,
+  login: () => login2,
+  loadToken: () => loadToken2,
+  isTokenExpired: () => isTokenExpired2,
+  getProvider: () => getProvider2,
+  getEnvExport: () => getEnvExport2,
+  getEnvDict: () => getEnvDict2,
+  getAuthConfig: () => getAuthConfig2,
+  generatePkce: () => generatePkce2,
+  exchangeCode: () => exchangeCode2,
+  ensureValidToken: () => ensureValidToken2,
+  deleteToken: () => deleteToken2,
+  authStatus: () => authStatus2,
+  apiKeyLogin: () => apiKeyLogin2
+});
+import { createHash as createHash2, randomBytes as randomBytes3 } from "node:crypto";
+import {
+  chmodSync as chmodSync3,
+  existsSync as existsSync4,
+  mkdirSync as mkdirSync4,
+  readFileSync as readFileSync4,
+  unlinkSync as unlinkSync2,
+  writeFileSync as writeFileSync4
+} from "node:fs";
+import { createServer as createServer3 } from "node:http";
+import { homedir as homedir4 } from "node:os";
+import { dirname as dirname3, join as join4 } from "node:path";
+import { createInterface as createInterface3 } from "node:readline";
 function tokensDir2(baseDir) {
-  return join3(baseDir ?? join3(homedir3(), ".mtpcli"), "tokens");
+  return join4(baseDir ?? join4(homedir4(), ".mtpcli"), "tokens");
 }
 function tokenPath2(toolName, providerId, baseDir) {
-  return join3(tokensDir2(baseDir), toolName, `${providerId}.json`);
+  return join4(tokensDir2(baseDir), toolName, `${providerId}.json`);
 }
 function storeToken2(toolName, providerId, token, baseDir) {
   const path2 = tokenPath2(toolName, providerId, baseDir);
-  mkdirSync3(dirname2(path2), { recursive: true });
-  writeFileSync3(path2, JSON.stringify(token, null, 2));
-  chmodSync2(path2, 384);
+  mkdirSync4(dirname3(path2), { recursive: true });
+  writeFileSync4(path2, JSON.stringify(token, null, 2));
+  chmodSync3(path2, 384);
   return path2;
 }
 function loadToken2(toolName, providerId, baseDir) {
   const path2 = tokenPath2(toolName, providerId, baseDir);
-  if (!existsSync3(path2))
+  if (!existsSync4(path2))
     return null;
-  return JSON.parse(readFileSync3(path2, "utf-8"));
+  return JSON.parse(readFileSync4(path2, "utf-8"));
+}
+function deleteToken2(toolName, providerId, baseDir) {
+  const path2 = tokenPath2(toolName, providerId, baseDir);
+  if (!existsSync4(path2))
+    return false;
+  unlinkSync2(path2);
+  return true;
 }
 function isTokenExpired2(token) {
   if (!token.expires_at)
@@ -7824,12 +8261,96 @@ function isTokenExpired2(token) {
   const buffer = 5 * 60 * 1000;
   return exp.getTime() - buffer < Date.now();
 }
-async function refreshAccessToken2(tokenUrl, refreshToken, clientId) {
+async function getAuthConfig2(toolName) {
+  const schema = await getToolSchema2(toolName);
+  return schema?.auth ?? null;
+}
+function getProvider2(auth, providerId) {
+  if (providerId)
+    return auth.providers.find((p) => p.id === providerId);
+  return auth.providers[0];
+}
+function generatePkce2() {
+  const bytes = randomBytes3(64);
+  const verifier = bytes.toString("base64url").slice(0, 128);
+  const challenge = createHash2("sha256").update(verifier).digest("base64url");
+  return { verifier, challenge };
+}
+function waitForCallback2(port, timeoutSecs) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      server.close();
+      reject(new Error("OAuth callback timed out"));
+    }, timeoutSecs * 1000);
+    const server = createServer3((req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (code) {
+        const html = "<html><body><h2>Authentication successful!</h2>" + "<p>You can close this tab and return to your terminal.</p>" + "<script>window.close()</script></body></html>";
+        res.writeHead(200, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        clearTimeout(timer);
+        server.close();
+        resolve({ code });
+        return;
+      }
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Unknown error";
+        const html = `<html><body><h2>Authentication failed</h2><p>${desc}</p></body></html>`;
+        res.writeHead(400, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        clearTimeout(timer);
+        server.close();
+        resolve({ error });
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(port, "127.0.0.1", () => {});
+    server.on("error", (e) => {
+      clearTimeout(timer);
+      reject(new Error(`failed to bind callback server: ${e.message}`));
+    });
+  });
+}
+async function exchangeCode2(tokenUrl, code, clientId, redirectUri, codeVerifier, resource) {
+  const params = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    client_id: clientId,
+    redirect_uri: redirectUri
+  });
+  if (codeVerifier)
+    params.set("code_verifier", codeVerifier);
+  if (resource)
+    params.set("resource", resource);
+  const resp = await fetch(tokenUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/x-www-form-urlencoded",
+      Accept: "application/json"
+    },
+    body: params.toString()
+  });
+  const text = await resp.text();
+  return parseTokenResponse2(text);
+}
+async function refreshAccessToken2(tokenUrl, refreshToken, clientId, resource) {
   const params = new URLSearchParams({
     grant_type: "refresh_token",
     refresh_token: refreshToken,
     client_id: clientId
   });
+  if (resource)
+    params.set("resource", resource);
   const resp = await fetch(tokenUrl, {
     method: "POST",
     headers: {
@@ -7865,6 +8386,112 @@ function parseTokenResponse2(text) {
     created_at: new Date().toISOString()
   };
 }
+async function oauth2Login2(toolName, provider, port) {
+  if (!provider.authorizationUrl)
+    throw new Error("provider missing authorizationUrl");
+  if (!provider.tokenUrl)
+    throw new Error("provider missing tokenUrl");
+  if (!provider.clientId)
+    throw new Error("provider missing clientId");
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const state = randomBytes3(32).toString("base64url");
+  const params = new URLSearchParams({
+    client_id: provider.clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    state
+  });
+  if (provider.scopes?.length) {
+    params.set("scope", provider.scopes.join(" "));
+  }
+  let codeVerifier;
+  if (provider.type === "oauth2-pkce") {
+    const pkce = generatePkce2();
+    codeVerifier = pkce.verifier;
+    params.set("code_challenge", pkce.challenge);
+    params.set("code_challenge_method", "S256");
+  }
+  const fullUrl = `${provider.authorizationUrl}?${params.toString()}`;
+  const display = provider.displayName ?? provider.id;
+  process.stderr.write(`Opening browser for ${display} login...
+`);
+  process.stderr.write(`If the browser doesn't open, visit:
+${fullUrl}
+
+`);
+  open_default(fullUrl).catch(() => {});
+  process.stderr.write(`Waiting for authentication callback on port ${port}...
+`);
+  const result = await waitForCallback2(port, 120);
+  if (result.error)
+    throw new Error(`OAuth error: ${result.error}`);
+  if (!result.code)
+    throw new Error("no authorization code received (timed out?)");
+  process.stderr.write(`Exchanging authorization code for tokens...
+`);
+  const token = await exchangeCode2(provider.tokenUrl, result.code, provider.clientId, redirectUri, codeVerifier);
+  token.provider_id = provider.id;
+  storeToken2(toolName, provider.id, token);
+  process.stderr.write(`Authenticated with ${display}
+`);
+  return token;
+}
+function apiKeyLogin2(toolName, provider, tokenValue) {
+  return new Promise((resolve, reject) => {
+    const finish = (value) => {
+      if (!value) {
+        reject(new Error("no token provided"));
+        return;
+      }
+      const token = {
+        access_token: value,
+        token_type: provider.type,
+        refresh_token: undefined,
+        expires_at: undefined,
+        scopes: undefined,
+        provider_id: provider.id,
+        created_at: new Date().toISOString()
+      };
+      storeToken2(toolName, provider.id, token);
+      const display = provider.displayName ?? provider.id;
+      process.stderr.write(`Token stored for ${display}
+`);
+      resolve(token);
+    };
+    if (tokenValue) {
+      finish(tokenValue);
+      return;
+    }
+    if (provider.registrationUrl) {
+      process.stderr.write(`Get your API key at: ${provider.registrationUrl}
+`);
+    }
+    if (provider.instructions) {
+      process.stderr.write(`${provider.instructions}
+`);
+    }
+    process.stderr.write("Enter your token/API key: ");
+    const rl = createInterface3({ input: process.stdin, output: process.stderr });
+    rl.question("", (answer) => {
+      rl.close();
+      finish(answer.trim());
+    });
+  });
+}
+async function login2(toolName, provider, token, port = 8914) {
+  switch (provider.type) {
+    case "oauth2":
+    case "oauth2-pkce":
+      if (token)
+        return apiKeyLogin2(toolName, provider, token);
+      return oauth2Login2(toolName, provider, port);
+    case "api-key":
+    case "bearer":
+      return apiKeyLogin2(toolName, provider, token);
+    default:
+      throw new Error(`unknown auth type: ${provider.type}`);
+  }
+}
 async function ensureValidToken2(toolName, auth) {
   const provider = auth.providers[0];
   if (!provider)
@@ -7898,7 +8525,121 @@ async function getEnvDict2(toolName, auth) {
     return {};
   return { [auth.envVar]: token };
 }
+async function getEnvExport2(toolName, auth) {
+  const env = await getEnvDict2(toolName, auth);
+  if (Object.keys(env).length === 0) {
+    return "# No token available. Run: mtpcli auth login <tool>";
+  }
+  return Object.entries(env).map(([key, value]) => {
+    const escaped = value.replace(/'/g, "'\\''");
+    return `export ${key}='${escaped}'`;
+  }).join(`
+`);
+}
+async function authStatus2(toolName, auth) {
+  const providers = [];
+  for (const provider of auth.providers) {
+    const token = loadToken2(toolName, provider.id);
+    const status = {
+      id: provider.id,
+      type: provider.type,
+      display_name: provider.displayName ?? provider.id,
+      authenticated: token !== null
+    };
+    if (token) {
+      status.expired = isTokenExpired2(token);
+      status.has_refresh = !!token.refresh_token;
+      if (token.expires_at)
+        status.expires_at = token.expires_at;
+      if (token.scopes)
+        status.scopes = token.scopes;
+    }
+    providers.push(status);
+  }
+  return {
+    tool: toolName,
+    env_var: auth.envVar,
+    required: auth.required,
+    providers
+  };
+}
+async function runLogin2(toolName, providerId, token) {
+  const auth = await getAuthConfig2(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const provider = getProvider2(auth, providerId);
+  if (!provider)
+    throw new Error("no matching auth provider found");
+  await login2(toolName, provider, token, 8914);
+}
+async function runLogout2(toolName) {
+  const auth = await getAuthConfig2(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  let deleted = false;
+  for (const provider of auth.providers) {
+    if (deleteToken2(toolName, provider.id)) {
+      const display = provider.displayName ?? provider.id;
+      process.stderr.write(`Logged out from ${display}
+`);
+      deleted = true;
+    }
+  }
+  if (!deleted)
+    process.stderr.write(`No tokens found for '${toolName}'
+`);
+}
+async function runStatus2(toolName) {
+  const auth = await getAuthConfig2(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const status = await authStatus2(toolName, auth);
+  console.log(JSON.stringify(status, null, 2));
+}
+async function runToken2(toolName) {
+  const auth = await getAuthConfig2(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const t = await ensureValidToken2(toolName, auth);
+  if (!t)
+    throw new Error(`no valid token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
+  console.log(t);
+}
+async function runEnv2(toolName) {
+  const auth = await getAuthConfig2(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  console.log(await getEnvExport2(toolName, auth));
+}
+async function runRefresh2(toolName) {
+  const authConfig = await getAuthConfig2(toolName);
+  if (!authConfig)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const provider = authConfig.providers[0];
+  if (!provider)
+    throw new Error("no auth provider configured");
+  const token = loadToken2(toolName, provider.id);
+  if (!token) {
+    throw new Error(`no stored token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${toolName}' has no refresh_token (provider type: ${provider.type})`);
+  }
+  if (!provider.tokenUrl || !provider.clientId) {
+    throw new Error("provider missing tokenUrl or clientId for refresh");
+  }
+  const newToken = await refreshAccessToken2(provider.tokenUrl, token.refresh_token, provider.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = provider.id;
+  storeToken2(toolName, provider.id, newToken);
+  const display = provider.displayName ?? provider.id;
+  process.stderr.write(`Token refreshed for ${display}
+`);
+}
 var init_auth2 = __esm(() => {
+  init_open();
   init_search2();
 });
 
@@ -7963,7 +8704,7 @@ __export(exports_serve, {
   argToJsonSchema: () => argToJsonSchema
 });
 import { execFile as execFile9, spawn } from "node:child_process";
-import { createInterface as createInterface2 } from "node:readline";
+import { createInterface as createInterface4 } from "node:readline";
 import { promisify as promisify9 } from "node:util";
 function argToJsonSchema(arg) {
   const schema = {};
@@ -8139,81 +8880,476 @@ async function handleRequest(state, req) {
       let authEnv;
       const authConfig = state.authConfigs.get(entry.cliTool);
       if (authConfig) {
-        const env = await getEnvDict2(entry.cliTool, authConfig);
+        const env = await getEnvDict(entry.cliTool, authConfig);
         if (Object.keys(env).length > 0)
           authEnv = env;
       }
       const result = await invokeCliTool(entry.cliTool, entry.cmdName, arguments_, entry.cmd, authEnv);
       return jsonRpcSuccess(id, result);
     }
-    default:
-      if (id !== undefined) {
-        return jsonRpcError(id, -32601, `Method not found: ${req.method}`);
-      }
-      return null;
+    default:
+      if (id !== undefined) {
+        return jsonRpcError(id, -32601, `Method not found: ${req.method}`);
+      }
+      return null;
+  }
+}
+async function run(toolNames) {
+  const allTools = [];
+  const allSchemas = new Map;
+  const allAuth = new Map;
+  for (const name of toolNames) {
+    const schema = await getToolSchema2(name);
+    if (!schema)
+      throw new Error(`could not get --describe from '${name}'`);
+    if (schema.auth)
+      allAuth.set(name, schema.auth);
+    for (const cmd of schema.commands) {
+      const mcpTool = commandToMcpTool(schema.name, cmd);
+      allSchemas.set(mcpTool.name, {
+        cliTool: name,
+        cmdName: cmd.name,
+        cmd
+      });
+      allTools.push(mcpTool);
+    }
+  }
+  if (allTools.length === 0)
+    throw new Error("no tools loaded");
+  process.stderr.write(`mtpcli serve: serving ${allTools.length} tool(s) from ${toolNames.length} CLI tool(s)
+`);
+  for (const t of allTools) {
+    process.stderr.write(`  - ${t.name}: ${t.description}
+`);
+  }
+  const state = {
+    tools: allTools,
+    schemas: allSchemas,
+    authConfigs: allAuth
+  };
+  const rl = createInterface4({ input: process.stdin, crlfDelay: Infinity });
+  for await (const line of rl) {
+    const trimmed = line.trim();
+    if (!trimmed)
+      continue;
+    let req;
+    try {
+      req = JsonRpcRequestSchema2.parse(JSON.parse(trimmed));
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      process.stderr.write(`error reading request: ${msg}
+`);
+      writeResponse(process.stdout, jsonRpcError(null, -32700, `Parse error: ${msg}`));
+      continue;
+    }
+    const resp = await handleRequest(state, req);
+    if (resp) {
+      writeResponse(process.stdout, resp);
+    }
+  }
+}
+var execFileAsync7, VERSION = "0.1.0";
+var init_serve = __esm(() => {
+  init_auth();
+  init_mcp();
+  init_models();
+  init_search2();
+  execFileAsync7 = promisify9(execFile9);
+});
+
+// src/mcp-oauth.ts
+var exports_mcp_oauth2 = {};
+__export(exports_mcp_oauth2, {
+  storeClientRegistration: () => storeClientRegistration2,
+  serverStorageKey: () => serverStorageKey2,
+  registerClient: () => registerClient2,
+  promptForClientId: () => promptForClientId2,
+  parseWwwAuthenticate: () => parseWwwAuthenticate2,
+  mcpOAuthFlow: () => mcpOAuthFlow2,
+  mcpAuthToken: () => mcpAuthToken2,
+  mcpAuthStatus: () => mcpAuthStatus2,
+  mcpAuthRefresh: () => mcpAuthRefresh2,
+  mcpAuthLogout: () => mcpAuthLogout2,
+  loadOrRefreshMcpToken: () => loadOrRefreshMcpToken2,
+  loadClientRegistration: () => loadClientRegistration2,
+  fetchResourceMetadata: () => fetchResourceMetadata2,
+  fetchAuthServerMetadata: () => fetchAuthServerMetadata2
+});
+import { randomBytes as randomBytes4 } from "node:crypto";
+import {
+  existsSync as existsSync5,
+  mkdirSync as mkdirSync5,
+  readFileSync as readFileSync5,
+  writeFileSync as writeFileSync5,
+  chmodSync as chmodSync4
+} from "node:fs";
+import { createServer as createServer4 } from "node:http";
+import { homedir as homedir5 } from "node:os";
+import { dirname as dirname4, join as join5 } from "node:path";
+import { createInterface as createInterface5 } from "node:readline";
+function serverStorageKey2(url) {
+  const u = new URL(url);
+  return `mcp_${u.host}`;
+}
+function parseWwwAuthenticate2(header) {
+  const result = {};
+  const params = header.replace(/^Bearer\s+/i, "");
+  const re = /(\w+)=(?:"([^"]*)"|(\S+))/g;
+  let match;
+  while ((match = re.exec(params)) !== null) {
+    const key = match[1];
+    const val = match[2] ?? match[3];
+    if (key === "resource_metadata")
+      result.resourceMetadata = val;
+    if (key === "scope")
+      result.scope = val;
+  }
+  return result;
+}
+async function fetchResourceMetadata2(url) {
+  const resp = await fetch(url);
+  if (!resp.ok) {
+    throw new Error(`failed to fetch resource metadata from ${url}: ${resp.status}`);
+  }
+  return resp.json();
+}
+async function fetchAuthServerMetadata2(serverUrl, wwwAuth) {
+  if (wwwAuth) {
+    const parsed = parseWwwAuthenticate2(wwwAuth);
+    if (parsed.resourceMetadata) {
+      try {
+        const resource = await fetchResourceMetadata2(parsed.resourceMetadata);
+        if (resource.authorization_servers?.length) {
+          const asUrl = resource.authorization_servers[0];
+          const wellKnown = `${asUrl}/.well-known/oauth-authorization-server`;
+          const resp = await fetch(wellKnown);
+          if (resp.ok) {
+            return resp.json();
+          }
+        }
+      } catch {}
+    }
+  }
+  const origin = new URL(serverUrl).origin;
+  const oauthUrl = `${origin}/.well-known/oauth-authorization-server`;
+  try {
+    const resp = await fetch(oauthUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  const oidcUrl = `${origin}/.well-known/openid-configuration`;
+  try {
+    const resp = await fetch(oidcUrl);
+    if (resp.ok) {
+      return resp.json();
+    }
+  } catch {}
+  throw new Error(`could not discover OAuth authorization server for ${serverUrl}`);
+}
+async function registerClient2(metadata, redirectUri) {
+  if (!metadata.registration_endpoint) {
+    throw new Error("no registration_endpoint in auth server metadata");
+  }
+  const body = {
+    client_name: "mtpcli",
+    redirect_uris: [redirectUri],
+    grant_types: ["authorization_code"],
+    response_types: ["code"],
+    token_endpoint_auth_method: "none"
+  };
+  const resp = await fetch(metadata.registration_endpoint, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Accept: "application/json"
+    },
+    body: JSON.stringify(body)
+  });
+  if (!resp.ok) {
+    const text = await resp.text();
+    throw new Error(`dynamic client registration failed (${resp.status}): ${text}`);
+  }
+  const result = await resp.json();
+  const clientId = result.client_id;
+  if (!clientId)
+    throw new Error("no client_id in registration response");
+  return {
+    clientId,
+    clientSecret: result.client_secret,
+    redirectUri,
+    registeredAt: Date.now()
+  };
+}
+function promptForClientId2(serverUrl) {
+  return new Promise((resolve, reject) => {
+    process.stderr.write(`
+No dynamic registration available for ${serverUrl}.
+` + `You need to register a client manually and provide the client_id.
+` + `Enter client_id: `);
+    const rl = createInterface5({ input: process.stdin, output: process.stderr });
+    rl.question("", (answer) => {
+      rl.close();
+      const trimmed = answer.trim();
+      if (!trimmed) {
+        reject(new Error("no client_id provided"));
+        return;
+      }
+      resolve(trimmed);
+    });
+  });
+}
+function clientStorePath2() {
+  return join5(homedir5(), ".mtpcli", "mcp-oauth-clients.json");
+}
+function loadClientStore2() {
+  const path2 = clientStorePath2();
+  if (!existsSync5(path2))
+    return {};
+  try {
+    return JSON.parse(readFileSync5(path2, "utf-8"));
+  } catch {
+    return {};
+  }
+}
+function saveClientStore2(store) {
+  const path2 = clientStorePath2();
+  mkdirSync5(dirname4(path2), { recursive: true });
+  writeFileSync5(path2, JSON.stringify(store, null, 2));
+  chmodSync4(path2, 384);
+}
+function loadClientRegistration2(origin) {
+  const store = loadClientStore2();
+  return store[origin] ?? null;
+}
+function storeClientRegistration2(origin, client, metadata) {
+  const store = loadClientStore2();
+  store[origin] = { client, metadata };
+  saveClientStore2(store);
+}
+function startCallbackServer2() {
+  return new Promise((resolve, reject) => {
+    let codeResolve;
+    let codeReject;
+    const codePromise = new Promise((res, rej) => {
+      codeResolve = res;
+      codeReject = rej;
+    });
+    const server = createServer4((req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (code) {
+        const html = "<html><body><h2>Authentication successful!</h2>" + "<p>You can close this tab and return to your terminal.</p>" + "<script>window.close()</script></body></html>";
+        res.writeHead(200, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeResolve(code);
+        return;
+      }
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Unknown error";
+        const html = `<html><body><h2>Authentication failed</h2><p>${desc}</p></body></html>`;
+        res.writeHead(400, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        server.close();
+        codeReject(new Error(`OAuth error: ${error} - ${desc}`));
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      if (!addr || typeof addr === "string") {
+        reject(new Error("failed to get callback server address"));
+        return;
+      }
+      resolve({
+        port: addr.port,
+        waitForCode: () => {
+          const timer = setTimeout(() => {
+            server.close();
+            codeReject(new Error("OAuth callback timed out (120s)"));
+          }, 120000);
+          return codePromise.finally(() => clearTimeout(timer));
+        },
+        server
+      });
+    });
+    server.on("error", (e) => {
+      reject(new Error(`failed to bind callback server: ${e.message}`));
+    });
+  });
+}
+async function mcpOAuthFlow2(serverUrl, wwwAuth, clientId) {
+  const origin = new URL(serverUrl).origin;
+  const storageKey = serverStorageKey2(serverUrl);
+  const wwwParsed = parseWwwAuthenticate2(wwwAuth);
+  process.stderr.write(`Discovering OAuth authorization server...
+`);
+  const metadata = await fetchAuthServerMetadata2(serverUrl, wwwAuth);
+  const challengeMethods = metadata.code_challenge_methods_supported;
+  if (challengeMethods && !challengeMethods.includes("S256")) {
+    throw new Error("authorization server does not support S256 PKCE (required)");
+  }
+  const callback = await startCallbackServer2();
+  const redirectUri = `http://127.0.0.1:${callback.port}/callback`;
+  let resolvedClientId = clientId;
+  let registration;
+  if (!resolvedClientId) {
+    const cached = loadClientRegistration2(origin);
+    if (cached) {
+      resolvedClientId = cached.client.clientId;
+      registration = cached.client;
+      process.stderr.write(`Using cached client registration for ${origin}
+`);
+    }
   }
-}
-async function run(toolNames) {
-  const allTools = [];
-  const allSchemas = new Map;
-  const allAuth = new Map;
-  for (const name of toolNames) {
-    const schema = await getToolSchema2(name);
-    if (!schema)
-      throw new Error(`could not get --describe from '${name}'`);
-    if (schema.auth)
-      allAuth.set(name, schema.auth);
-    for (const cmd of schema.commands) {
-      const mcpTool = commandToMcpTool(schema.name, cmd);
-      allSchemas.set(mcpTool.name, {
-        cliTool: name,
-        cmdName: cmd.name,
-        cmd
-      });
-      allTools.push(mcpTool);
+  if (!resolvedClientId) {
+    if (metadata.registration_endpoint) {
+      process.stderr.write(`Registering client dynamically...
+`);
+      registration = await registerClient2(metadata, redirectUri);
+      resolvedClientId = registration.clientId;
+      storeClientRegistration2(origin, registration, metadata);
+    } else {
+      callback.server.close();
+      resolvedClientId = await promptForClientId2(serverUrl);
+      const newCallback = await startCallbackServer2();
+      return doOAuthLogin2(metadata, resolvedClientId, `http://127.0.0.1:${newCallback.port}/callback`, newCallback, wwwParsed.scope, storageKey, origin);
     }
   }
-  if (allTools.length === 0)
-    throw new Error("no tools loaded");
-  process.stderr.write(`mtpcli serve: serving ${allTools.length} tool(s) from ${toolNames.length} CLI tool(s)
+  return doOAuthLogin2(metadata, resolvedClientId, redirectUri, callback, wwwParsed.scope, storageKey, origin);
+}
+async function doOAuthLogin2(metadata, clientId, redirectUri, callback, scope, storageKey, origin) {
+  const state = randomBytes4(32).toString("base64url");
+  const pkce = generatePkce();
+  const scopes = scope ?? metadata.scopes_supported?.join(" ") ?? undefined;
+  const params = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    state,
+    code_challenge: pkce.challenge,
+    code_challenge_method: "S256"
+  });
+  if (scopes)
+    params.set("scope", scopes);
+  const authUrl = `${metadata.authorization_endpoint}?${params.toString()}`;
+  process.stderr.write(`Opening browser for OAuth login...
 `);
-  for (const t of allTools) {
-    process.stderr.write(`  - ${t.name}: ${t.description}
+  process.stderr.write(`If the browser doesn't open, visit:
+${authUrl}
+
 `);
-  }
-  const state = {
-    tools: allTools,
-    schemas: allSchemas,
-    authConfigs: allAuth
+  open_default(authUrl).catch(() => {});
+  process.stderr.write(`Waiting for authentication callback on port ${callback.port}...
+`);
+  const code = await callback.waitForCode();
+  process.stderr.write(`Exchanging authorization code for tokens...
+`);
+  const token = await exchangeCode(metadata.token_endpoint, code, clientId, redirectUri, pkce.verifier);
+  token.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", token);
+  storeClientRegistration2(origin, {
+    clientId,
+    redirectUri,
+    registeredAt: Date.now()
+  }, metadata);
+  process.stderr.write(`Authenticated with ${origin}
+`);
+  return token.access_token;
+}
+function mcpAuthStatus2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  const reg = loadClientRegistration2(origin);
+  const result = {
+    url: serverUrl,
+    authenticated: token !== null
   };
-  const rl = createInterface2({ input: process.stdin, crlfDelay: Infinity });
-  for await (const line of rl) {
-    const trimmed = line.trim();
-    if (!trimmed)
-      continue;
-    let req;
-    try {
-      req = JsonRpcRequestSchema2.parse(JSON.parse(trimmed));
-    } catch (e) {
-      const msg = e instanceof Error ? e.message : String(e);
-      process.stderr.write(`error reading request: ${msg}
+  if (token) {
+    result.expired = isTokenExpired(token);
+    result.has_refresh = !!token.refresh_token;
+    if (token.expires_at)
+      result.expires_at = token.expires_at;
+    if (token.scopes)
+      result.scopes = token.scopes;
+  }
+  if (reg) {
+    result.client_id = reg.client.clientId;
+  }
+  return result;
+}
+function mcpAuthLogout2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  return deleteToken(storageKey, "mcp-oauth");
+}
+async function mcpAuthToken2(serverUrl) {
+  return loadOrRefreshMcpToken2(serverUrl);
+}
+async function mcpAuthRefresh2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token) {
+    throw new Error(`no stored token for '${serverUrl}'. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${serverUrl}' has no refresh_token`);
+  }
+  const cached = loadClientRegistration2(origin);
+  if (!cached) {
+    throw new Error(`no cached client registration for ${origin}. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", newToken);
+  process.stderr.write(`Token refreshed for ${serverUrl}
 `);
-      writeResponse(process.stdout, jsonRpcError(null, -32700, `Parse error: ${msg}`));
-      continue;
-    }
-    const resp = await handleRequest(state, req);
-    if (resp) {
-      writeResponse(process.stdout, resp);
+}
+async function loadOrRefreshMcpToken2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token)
+    return null;
+  if (!isTokenExpired(token)) {
+    return token.access_token;
+  }
+  if (token.refresh_token) {
+    const origin = new URL(serverUrl).origin;
+    const cached = loadClientRegistration2(origin);
+    if (cached) {
+      try {
+        const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+        if (!newToken.refresh_token) {
+          newToken.refresh_token = token.refresh_token;
+        }
+        newToken.provider_id = "mcp-oauth";
+        storeToken(storageKey, "mcp-oauth", newToken);
+        return newToken.access_token;
+      } catch (e) {
+        process.stderr.write(`warning: token refresh failed: ${e instanceof Error ? e.message : e}
+`);
+      }
     }
   }
+  return null;
 }
-var execFileAsync7, VERSION = "0.1.0";
-var init_serve = __esm(() => {
-  init_auth2();
-  init_mcp();
-  init_models();
-  init_search2();
-  execFileAsync7 = promisify9(execFile9);
+var init_mcp_oauth2 = __esm(() => {
+  init_open();
+  init_auth();
 });
 
 // src/wrap.ts
@@ -8221,12 +9357,14 @@ var exports_wrap = {};
 __export(exports_wrap, {
   run: () => run2,
   parseToolArgs: () => parseToolArgs,
+  parseHeaders: () => parseHeaders,
   mcpToolToCommand: () => mcpToolToCommand,
   jsonSchemaToArg: () => jsonSchemaToArg,
-  McpClient: () => McpClient
+  McpClient: () => McpClient,
+  HttpMcpClient: () => HttpMcpClient
 });
 import { spawn as spawn2 } from "node:child_process";
-import { createInterface as createInterface3 } from "node:readline";
+import { createInterface as createInterface6 } from "node:readline";
 function jsonSchemaToArg(name, prop, required) {
   let argType = "string";
   let values;
@@ -8378,7 +9516,7 @@ class McpClient {
     if (!child.stdout || !child.stdin) {
       throw new Error("failed to start MCP server");
     }
-    const rl = createInterface3({ input: child.stdout, crlfDelay: Infinity });
+    const rl = createInterface6({ input: child.stdout, crlfDelay: Infinity });
     const client = new McpClient(child, rl);
     client.sendRequest("initialize", {
       protocolVersion: "2024-11-05",
@@ -8417,11 +9555,229 @@ class McpClient {
     this.child.kill();
   }
 }
-async function run2(serverCmd, describeMode, toolName, toolArgs = []) {
-  const client = await McpClient.start(serverCmd);
+
+class HttpMcpClient {
+  url;
+  sessionId;
+  protocolVersion;
+  extraHeaders;
+  nextId = 0;
+  accessToken;
+  clientId;
+  oauthAttempted = false;
+  constructor(url, extraHeaders, clientId) {
+    this.url = url;
+    this.extraHeaders = extraHeaders;
+    this.clientId = clientId;
+  }
+  static async start(url, extraHeaders = {}, clientId) {
+    const client = new HttpMcpClient(url, extraHeaders, clientId);
+    if (!extraHeaders["Authorization"] && !extraHeaders["authorization"]) {
+      const { loadOrRefreshMcpToken: loadOrRefreshMcpToken3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
+      const token = await loadOrRefreshMcpToken3(url);
+      if (token) {
+        client.accessToken = token;
+      }
+    }
+    const initResult = await client.sendRequest("initialize", {
+      protocolVersion: "2025-11-25",
+      capabilities: {},
+      clientInfo: { name: "mtpcli-wrap", version: VERSION2 }
+    });
+    client.protocolVersion = initResult.protocolVersion ?? "2025-11-25";
+    await client.sendNotification("notifications/initialized", {});
+    return client;
+  }
+  buildHeaders() {
+    const headers = {
+      "Content-Type": "application/json",
+      Accept: "application/json, text/event-stream"
+    };
+    if (this.accessToken && !this.extraHeaders["Authorization"] && !this.extraHeaders["authorization"]) {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    Object.assign(headers, this.extraHeaders);
+    if (this.sessionId) {
+      headers["MCP-Session-Id"] = this.sessionId;
+    }
+    if (this.protocolVersion) {
+      headers["MCP-Protocol-Version"] = this.protocolVersion;
+    }
+    return headers;
+  }
+  parseJsonRpcResponse(json) {
+    if (json.error) {
+      const err = json.error;
+      throw new Error(`MCP error: ${err.message} (${err.code})`);
+    }
+    return json.result ?? {};
+  }
+  async readSseResponse(resp, requestId) {
+    const sid = resp.headers.get("mcp-session-id");
+    if (sid)
+      this.sessionId = sid;
+    const text = await resp.text();
+    const events = text.split(/\n\n+/);
+    for (const event of events) {
+      const dataLines = [];
+      for (const line of event.split(`
+`)) {
+        if (line.startsWith("data:")) {
+          dataLines.push(line.slice(5).trimStart());
+        }
+      }
+      if (dataLines.length === 0)
+        continue;
+      let json;
+      try {
+        json = JSON.parse(dataLines.join(`
+`));
+      } catch {
+        continue;
+      }
+      if (json.id === requestId) {
+        return this.parseJsonRpcResponse(json);
+      }
+    }
+    throw new Error("SSE stream ended without a response matching request ID " + requestId);
+  }
+  async handleOAuth(resp) {
+    if (this.oauthAttempted) {
+      throw new Error(`HTTP 401 from ${this.url} (OAuth already attempted, not retrying)`);
+    }
+    this.oauthAttempted = true;
+    try {
+      const { mcpAuthRefresh: mcpAuthRefresh3, serverStorageKey: serverStorageKey3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
+      const { loadToken: loadToken3 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+      await mcpAuthRefresh3(this.url);
+      const token = loadToken3(serverStorageKey3(this.url), "mcp-oauth");
+      if (token) {
+        this.accessToken = token.access_token;
+        return;
+      }
+    } catch {}
+    const wwwAuth = resp.headers.get("www-authenticate") ?? "";
+    const { mcpOAuthFlow: mcpOAuthFlow3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
+    this.accessToken = await mcpOAuthFlow3(this.url, wwwAuth, this.clientId);
+  }
+  async sendRequest(method, params) {
+    this.nextId++;
+    const body = {
+      jsonrpc: "2.0",
+      id: this.nextId,
+      method,
+      params
+    };
+    const resp = await fetch(this.url, {
+      method: "POST",
+      headers: this.buildHeaders(),
+      body: JSON.stringify(body)
+    });
+    if (resp.status === 401) {
+      await this.handleOAuth(resp);
+      const retryResp = await fetch(this.url, {
+        method: "POST",
+        headers: this.buildHeaders(),
+        body: JSON.stringify(body)
+      });
+      if (!retryResp.ok) {
+        throw new Error(`HTTP ${retryResp.status} ${retryResp.statusText} from ${this.url}`);
+      }
+      const ct2 = retryResp.headers.get("content-type") ?? "";
+      if (ct2.includes("text/event-stream")) {
+        return this.readSseResponse(retryResp, this.nextId);
+      }
+      const sid2 = retryResp.headers.get("mcp-session-id");
+      if (sid2)
+        this.sessionId = sid2;
+      const json2 = await retryResp.json();
+      return this.parseJsonRpcResponse(json2);
+    }
+    if (!resp.ok) {
+      throw new Error(`HTTP ${resp.status} ${resp.statusText} from ${this.url}`);
+    }
+    const ct = resp.headers.get("content-type") ?? "";
+    if (ct.includes("text/event-stream")) {
+      return this.readSseResponse(resp, this.nextId);
+    }
+    const sid = resp.headers.get("mcp-session-id");
+    if (sid) {
+      this.sessionId = sid;
+    }
+    const json = await resp.json();
+    return this.parseJsonRpcResponse(json);
+  }
+  async sendNotification(method, params) {
+    const body = {
+      jsonrpc: "2.0",
+      method,
+      params
+    };
+    const resp = await fetch(this.url, {
+      method: "POST",
+      headers: this.buildHeaders(),
+      body: JSON.stringify(body)
+    });
+    if (resp.status === 401) {
+      await this.handleOAuth(resp);
+      const retryResp = await fetch(this.url, {
+        method: "POST",
+        headers: this.buildHeaders(),
+        body: JSON.stringify(body)
+      });
+      if (!retryResp.ok) {
+        throw new Error(`HTTP ${retryResp.status} ${retryResp.statusText} from ${this.url}`);
+      }
+      const sid2 = retryResp.headers.get("mcp-session-id");
+      if (sid2)
+        this.sessionId = sid2;
+      return;
+    }
+    if (!resp.ok) {
+      throw new Error(`HTTP ${resp.status} ${resp.statusText} from ${this.url}`);
+    }
+    const sid = resp.headers.get("mcp-session-id");
+    if (sid) {
+      this.sessionId = sid;
+    }
+  }
+  async listTools() {
+    const result = await this.sendRequest("tools/list", {});
+    return result.tools ?? [];
+  }
+  async callTool(name, arguments_) {
+    return this.sendRequest("tools/call", { name, arguments: arguments_ });
+  }
+  stop() {}
+}
+function parseHeaders(raw) {
+  const headers = {};
+  for (const h of raw) {
+    const idx = h.indexOf(":");
+    if (idx === -1) {
+      throw new Error(`invalid header (missing ':'): ${h}`);
+    }
+    headers[h.slice(0, idx).trim()] = h.slice(idx + 1).trim();
+  }
+  return headers;
+}
+async function run2(serverCmd, serverUrl, describeMode, toolName, toolArgs = [], rawHeaders = [], clientId) {
+  let client;
+  let serverName;
+  if (serverUrl) {
+    const headers = parseHeaders(rawHeaders);
+    client = await HttpMcpClient.start(serverUrl, headers, clientId);
+    try {
+      serverName = new URL(serverUrl).hostname;
+    } catch {
+      serverName = serverUrl;
+    }
+  } else {
+    client = await McpClient.start(serverCmd);
+    serverName = serverCmd.split("/").pop()?.split(/\s/)[0] ?? serverCmd;
+  }
   try {
     const mcpTools = await client.listTools();
-    const serverName = serverCmd.split("/").pop()?.split(/\s/)[0] ?? serverCmd;
     const commands = mcpTools.map(mcpToolToCommand);
     const schema = {
       name: serverName,
@@ -9208,7 +10564,7 @@ function cleanJson(obj) {
 }
 
 // src/index.ts
-var VERSION3 = "0.2.2";
+var VERSION3 = "0.3.0";
 function selfDescribe() {
   const schema = {
     name: "mtpcli",
@@ -9266,8 +10622,7 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
           },
           {
             name: "--provider",
@@ -9278,6 +10633,16 @@ function selfDescribe() {
             name: "--token",
             type: "string",
             description: "API key or bearer token"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL (triggers OAuth discovery and login)"
+          },
+          {
+            name: "--client-id",
+            type: "string",
+            description: "Pre-registered OAuth client ID (for --url)"
           }
         ],
         examples: [
@@ -9285,6 +10650,10 @@ function selfDescribe() {
           {
             description: "API key login",
             command: "mtpcli auth login my-tool --token sk-xxx"
+          },
+          {
+            description: "Login to HTTP MCP server",
+            command: "mtpcli auth login --url https://mcp.example.com/v1/mcp"
           }
         ]
       },
@@ -9295,11 +10664,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth logout gh-tool" }]
+        examples: [
+          { command: "mtpcli auth logout gh-tool" },
+          {
+            description: "Logout from HTTP MCP server",
+            command: "mtpcli auth logout --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "auth status",
@@ -9308,11 +10687,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth status gh-tool" }]
+        examples: [
+          { command: "mtpcli auth status gh-tool" },
+          {
+            description: "Status for HTTP MCP server",
+            command: "mtpcli auth status --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "auth token",
@@ -9321,11 +10710,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth token gh-tool" }]
+        examples: [
+          { command: "mtpcli auth token gh-tool" },
+          {
+            description: "Token for HTTP MCP server",
+            command: "mtpcli auth token --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "auth env",
@@ -9347,11 +10746,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth refresh gh-tool" }]
+        examples: [
+          { command: "mtpcli auth refresh gh-tool" },
+          {
+            description: "Refresh token for HTTP MCP server",
+            command: "mtpcli auth refresh --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "serve",
@@ -9382,8 +10791,22 @@ function selfDescribe() {
           {
             name: "--server",
             type: "string",
-            required: true,
-            description: "MCP server command"
+            description: "MCP server command (stdio transport)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "MCP server URL (Streamable HTTP transport). Mutually exclusive with --server."
+          },
+          {
+            name: "--header",
+            type: "array",
+            description: "HTTP header(s) for --url, e.g. 'Authorization: Bearer tok'. Repeatable."
+          },
+          {
+            name: "--client-id",
+            type: "string",
+            description: "Pre-registered OAuth client ID (for servers without dynamic registration)"
           },
           {
             name: "--describe",
@@ -9398,12 +10821,20 @@ function selfDescribe() {
         ],
         examples: [
           {
-            description: "Describe an MCP server",
+            description: "Describe a stdio MCP server",
             command: 'mtpcli wrap --server "npx @mcp/server-github" --describe'
           },
           {
-            description: "Call a tool",
+            description: "Call a tool on a stdio server",
             command: 'mtpcli wrap --server "npx @mcp/server-github" search_repos -- --query mtpcli'
+          },
+          {
+            description: "Describe an HTTP MCP server",
+            command: "mtpcli wrap --url http://localhost:3000/mcp --describe"
+          },
+          {
+            description: "Call a tool on an HTTP server",
+            command: "mtpcli wrap --url http://localhost:3000/mcp search_repos -- --query mtpcli"
           }
         ]
       },
@@ -9517,29 +10948,90 @@ program2.command("search").description("Search across --describe-compatible tool
   }
 });
 var authCmd = program2.command("auth").description("Manage authentication for tools");
-authCmd.command("login").description("Log in to a tool").argument("<tool>", "Tool name").option("--provider <id>", "Specific provider ID").option("--token <value>", "API key / bearer token (skip OAuth flow)").action(async (tool, opts) => {
-  const { runLogin: runLogin2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
-  await runLogin2(tool, opts.provider, opts.token);
+authCmd.command("login").description("Log in to a tool").argument("[tool]", "Tool name").option("--provider <id>", "Specific provider ID").option("--token <value>", "API key / bearer token (skip OAuth flow)").option("--url <url>", "HTTP MCP server URL (triggers OAuth discovery)").option("--client-id <id>", "Pre-registered OAuth client ID (for --url)").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpOAuthFlow: mcpOAuthFlow3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    await mcpOAuthFlow3(opts.url, "", opts.clientId);
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runLogin: runLogin3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runLogin3(tool, opts.provider, opts.token);
 });
-authCmd.command("logout").description("Log out from a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runLogout: runLogout2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
-  await runLogout2(tool);
+authCmd.command("logout").description("Log out from a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthLogout: mcpAuthLogout3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    const deleted = mcpAuthLogout3(opts.url);
+    if (deleted) {
+      process.stderr.write(`Logged out from ${opts.url}
+`);
+    } else {
+      process.stderr.write(`No tokens found for ${opts.url}
+`);
+    }
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runLogout: runLogout3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runLogout3(tool);
 });
-authCmd.command("status").description("Show auth status for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runStatus: runStatus2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
-  await runStatus2(tool);
+authCmd.command("status").description("Show auth status for a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthStatus: mcpAuthStatus3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    console.log(JSON.stringify(mcpAuthStatus3(opts.url), null, 2));
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runStatus: runStatus3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runStatus3(tool);
 });
-authCmd.command("token").description("Print the access token for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runToken: runToken2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
-  await runToken2(tool);
+authCmd.command("token").description("Print the access token for a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthToken: mcpAuthToken3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    const t = await mcpAuthToken3(opts.url);
+    if (!t) {
+      throw new Error(`no valid token for '${opts.url}'. Run: mtpcli auth login --url ${opts.url}`);
+    }
+    console.log(t);
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runToken: runToken3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runToken3(tool);
 });
 authCmd.command("env").description("Print shell export statement for eval").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runEnv: runEnv2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
-  await runEnv2(tool);
+  const { runEnv: runEnv3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runEnv3(tool);
 });
-authCmd.command("refresh").description("Force-refresh the stored OAuth token for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runRefresh: runRefresh2 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
-  await runRefresh2(tool);
+authCmd.command("refresh").description("Force-refresh the stored OAuth token for a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthRefresh: mcpAuthRefresh3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    await mcpAuthRefresh3(opts.url);
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runRefresh: runRefresh3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runRefresh3(tool);
 });
 program2.command("serve").description("Serve CLI tools as an MCP server (cli2mcp bridge)").requiredOption("--tool <names...>", "Tool(s) to serve").addHelpText("after", `
 This command is meant to be used as an MCP server, not run directly.
@@ -9580,9 +11072,29 @@ Multiple tools can be combined into a single MCP server:
   const { run: run5 } = await Promise.resolve().then(() => (init_serve(), exports_serve));
   await run5(opts.tool);
 });
-program2.command("wrap").description("Wrap an MCP server as a CLI tool (mcp2cli bridge)").requiredOption("--server <cmd>", "MCP server command to run").option("--describe", "Output --describe JSON instead of invoking", false).argument("[tool_name]", "Tool name to invoke").argument("[args...]", "Arguments for the tool (after --)").action(async (toolName, args, opts) => {
+program2.command("wrap").description("Wrap an MCP server as a CLI tool (mcp2cli bridge)").option("--server <cmd>", "MCP server command to run (stdio transport)").option("--url <url>", "MCP server URL (Streamable HTTP / SSE transport)").option("-H, --header <header...>", "HTTP header(s) for --url (e.g. 'Authorization: Bearer tok')").option("--client-id <id>", "Pre-registered OAuth client ID (for --url)").option("--describe", "Output --describe JSON instead of invoking", false).argument("[tool_name]", "Tool name to invoke").argument("[args...]", "Arguments for the tool (after --)").action(async (toolName, args, opts) => {
+  if (opts.server && opts.url) {
+    process.stderr.write(`error: --server and --url are mutually exclusive
+`);
+    process.exit(1);
+  }
+  if (!opts.server && !opts.url) {
+    process.stderr.write(`error: one of --server or --url is required
+`);
+    process.exit(1);
+  }
+  if (opts.header && !opts.url) {
+    process.stderr.write(`error: --header requires --url
+`);
+    process.exit(1);
+  }
+  if (opts.clientId && !opts.url) {
+    process.stderr.write(`error: --client-id requires --url
+`);
+    process.exit(1);
+  }
   const { run: run5 } = await Promise.resolve().then(() => (init_wrap(), exports_wrap));
-  await run5(opts.server, opts.describe, toolName, args);
+  await run5(opts.server, opts.url, opts.describe, toolName, args, opts.header ?? [], opts.clientId);
 });
 program2.command("validate").description("Validate a tool's --describe output against the MTP spec").argument("[tool]", "Tool name to validate").option("--json", "Output as JSON", false).option("--stdin", "Read JSON from stdin", false).option("--skip-help", "Skip --help cross-reference", false).action(async (tool, opts) => {
   const { run: run5 } = await Promise.resolve().then(() => (init_validate(), exports_validate));