@modeltoolsprotocol/mtpcli 0.2.3 → 0.3.0

package/dist/index.js

@@ -7341,6 +7341,31 @@ var init_search2 = __esm(() => {
 });
 
 // src/auth.ts
+var exports_auth = {};
+__export(exports_auth, {
+  storeToken: () => storeToken,
+  runToken: () => runToken,
+  runStatus: () => runStatus,
+  runRefresh: () => runRefresh,
+  runLogout: () => runLogout,
+  runLogin: () => runLogin,
+  runEnv: () => runEnv,
+  refreshAccessToken: () => refreshAccessToken,
+  oauth2Login: () => oauth2Login,
+  login: () => login,
+  loadToken: () => loadToken,
+  isTokenExpired: () => isTokenExpired,
+  getProvider: () => getProvider,
+  getEnvExport: () => getEnvExport,
+  getEnvDict: () => getEnvDict,
+  getAuthConfig: () => getAuthConfig,
+  generatePkce: () => generatePkce,
+  exchangeCode: () => exchangeCode,
+  ensureValidToken: () => ensureValidToken,
+  deleteToken: () => deleteToken,
+  authStatus: () => authStatus,
+  apiKeyLogin: () => apiKeyLogin
+});
 import { createHash, randomBytes } from "node:crypto";
 import {
   chmodSync,
@@ -7350,8 +7375,10 @@ import {
   unlinkSync,
   writeFileSync as writeFileSync2
 } from "node:fs";
+import { createServer } from "node:http";
 import { homedir as homedir2 } from "node:os";
 import { dirname, join as join2 } from "node:path";
+import { createInterface } from "node:readline";
 function tokensDir(baseDir) {
   return join2(baseDir ?? join2(homedir2(), ".mtpcli"), "tokens");
 }
@@ -7371,6 +7398,13 @@ function loadToken(toolName, providerId, baseDir) {
     return null;
   return JSON.parse(readFileSync2(path2, "utf-8"));
 }
+function deleteToken(toolName, providerId, baseDir) {
+  const path2 = tokenPath(toolName, providerId, baseDir);
+  if (!existsSync2(path2))
+    return false;
+  unlinkSync(path2);
+  return true;
+}
 function isTokenExpired(token) {
   if (!token.expires_at)
     return false;
@@ -7378,12 +7412,66 @@ function isTokenExpired(token) {
   const buffer = 5 * 60 * 1000;
   return exp.getTime() - buffer < Date.now();
 }
+async function getAuthConfig(toolName) {
+  const schema = await getToolSchema2(toolName);
+  return schema?.auth ?? null;
+}
+function getProvider(auth, providerId) {
+  if (providerId)
+    return auth.providers.find((p) => p.id === providerId);
+  return auth.providers[0];
+}
 function generatePkce() {
   const bytes = randomBytes(64);
   const verifier = bytes.toString("base64url").slice(0, 128);
   const challenge = createHash("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
+function waitForCallback(port, timeoutSecs) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      server.close();
+      reject(new Error("OAuth callback timed out"));
+    }, timeoutSecs * 1000);
+    const server = createServer((req, res) => {
+      const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
+      const code = url.searchParams.get("code");
+      const error = url.searchParams.get("error");
+      if (code) {
+        const html = "<html><body><h2>Authentication successful!</h2>" + "<p>You can close this tab and return to your terminal.</p>" + "<script>window.close()</script></body></html>";
+        res.writeHead(200, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        clearTimeout(timer);
+        server.close();
+        resolve({ code });
+        return;
+      }
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? "Unknown error";
+        const html = `<html><body><h2>Authentication failed</h2><p>${desc}</p></body></html>`;
+        res.writeHead(400, {
+          "Content-Type": "text/html",
+          "Content-Length": Buffer.byteLength(html).toString()
+        });
+        res.end(html);
+        clearTimeout(timer);
+        server.close();
+        resolve({ error });
+        return;
+      }
+      res.writeHead(404);
+      res.end();
+    });
+    server.listen(port, "127.0.0.1", () => {});
+    server.on("error", (e) => {
+      clearTimeout(timer);
+      reject(new Error(`failed to bind callback server: ${e.message}`));
+    });
+  });
+}
 async function exchangeCode(tokenUrl, code, clientId, redirectUri, codeVerifier, resource) {
   const params = new URLSearchParams({
     grant_type: "authorization_code",
@@ -7449,6 +7537,112 @@ function parseTokenResponse(text) {
     created_at: new Date().toISOString()
   };
 }
+async function oauth2Login(toolName, provider, port) {
+  if (!provider.authorizationUrl)
+    throw new Error("provider missing authorizationUrl");
+  if (!provider.tokenUrl)
+    throw new Error("provider missing tokenUrl");
+  if (!provider.clientId)
+    throw new Error("provider missing clientId");
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const state = randomBytes(32).toString("base64url");
+  const params = new URLSearchParams({
+    client_id: provider.clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    state
+  });
+  if (provider.scopes?.length) {
+    params.set("scope", provider.scopes.join(" "));
+  }
+  let codeVerifier;
+  if (provider.type === "oauth2-pkce") {
+    const pkce = generatePkce();
+    codeVerifier = pkce.verifier;
+    params.set("code_challenge", pkce.challenge);
+    params.set("code_challenge_method", "S256");
+  }
+  const fullUrl = `${provider.authorizationUrl}?${params.toString()}`;
+  const display = provider.displayName ?? provider.id;
+  process.stderr.write(`Opening browser for ${display} login...
+`);
+  process.stderr.write(`If the browser doesn't open, visit:
+${fullUrl}
+
+`);
+  open_default(fullUrl).catch(() => {});
+  process.stderr.write(`Waiting for authentication callback on port ${port}...
+`);
+  const result = await waitForCallback(port, 120);
+  if (result.error)
+    throw new Error(`OAuth error: ${result.error}`);
+  if (!result.code)
+    throw new Error("no authorization code received (timed out?)");
+  process.stderr.write(`Exchanging authorization code for tokens...
+`);
+  const token = await exchangeCode(provider.tokenUrl, result.code, provider.clientId, redirectUri, codeVerifier);
+  token.provider_id = provider.id;
+  storeToken(toolName, provider.id, token);
+  process.stderr.write(`Authenticated with ${display}
+`);
+  return token;
+}
+function apiKeyLogin(toolName, provider, tokenValue) {
+  return new Promise((resolve, reject) => {
+    const finish = (value) => {
+      if (!value) {
+        reject(new Error("no token provided"));
+        return;
+      }
+      const token = {
+        access_token: value,
+        token_type: provider.type,
+        refresh_token: undefined,
+        expires_at: undefined,
+        scopes: undefined,
+        provider_id: provider.id,
+        created_at: new Date().toISOString()
+      };
+      storeToken(toolName, provider.id, token);
+      const display = provider.displayName ?? provider.id;
+      process.stderr.write(`Token stored for ${display}
+`);
+      resolve(token);
+    };
+    if (tokenValue) {
+      finish(tokenValue);
+      return;
+    }
+    if (provider.registrationUrl) {
+      process.stderr.write(`Get your API key at: ${provider.registrationUrl}
+`);
+    }
+    if (provider.instructions) {
+      process.stderr.write(`${provider.instructions}
+`);
+    }
+    process.stderr.write("Enter your token/API key: ");
+    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    rl.question("", (answer) => {
+      rl.close();
+      finish(answer.trim());
+    });
+  });
+}
+async function login(toolName, provider, token, port = 8914) {
+  switch (provider.type) {
+    case "oauth2":
+    case "oauth2-pkce":
+      if (token)
+        return apiKeyLogin(toolName, provider, token);
+      return oauth2Login(toolName, provider, port);
+    case "api-key":
+    case "bearer":
+      return apiKeyLogin(toolName, provider, token);
+    default:
+      throw new Error(`unknown auth type: ${provider.type}`);
+  }
+}
 async function ensureValidToken(toolName, auth) {
   const provider = auth.providers[0];
   if (!provider)
@@ -7482,7 +7676,121 @@ async function getEnvDict(toolName, auth) {
     return {};
   return { [auth.envVar]: token };
 }
+async function getEnvExport(toolName, auth) {
+  const env = await getEnvDict(toolName, auth);
+  if (Object.keys(env).length === 0) {
+    return "# No token available. Run: mtpcli auth login <tool>";
+  }
+  return Object.entries(env).map(([key, value]) => {
+    const escaped = value.replace(/'/g, "'\\''");
+    return `export ${key}='${escaped}'`;
+  }).join(`
+`);
+}
+async function authStatus(toolName, auth) {
+  const providers = [];
+  for (const provider of auth.providers) {
+    const token = loadToken(toolName, provider.id);
+    const status = {
+      id: provider.id,
+      type: provider.type,
+      display_name: provider.displayName ?? provider.id,
+      authenticated: token !== null
+    };
+    if (token) {
+      status.expired = isTokenExpired(token);
+      status.has_refresh = !!token.refresh_token;
+      if (token.expires_at)
+        status.expires_at = token.expires_at;
+      if (token.scopes)
+        status.scopes = token.scopes;
+    }
+    providers.push(status);
+  }
+  return {
+    tool: toolName,
+    env_var: auth.envVar,
+    required: auth.required,
+    providers
+  };
+}
+async function runLogin(toolName, providerId, token) {
+  const auth = await getAuthConfig(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const provider = getProvider(auth, providerId);
+  if (!provider)
+    throw new Error("no matching auth provider found");
+  await login(toolName, provider, token, 8914);
+}
+async function runLogout(toolName) {
+  const auth = await getAuthConfig(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  let deleted = false;
+  for (const provider of auth.providers) {
+    if (deleteToken(toolName, provider.id)) {
+      const display = provider.displayName ?? provider.id;
+      process.stderr.write(`Logged out from ${display}
+`);
+      deleted = true;
+    }
+  }
+  if (!deleted)
+    process.stderr.write(`No tokens found for '${toolName}'
+`);
+}
+async function runStatus(toolName) {
+  const auth = await getAuthConfig(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const status = await authStatus(toolName, auth);
+  console.log(JSON.stringify(status, null, 2));
+}
+async function runToken(toolName) {
+  const auth = await getAuthConfig(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const t = await ensureValidToken(toolName, auth);
+  if (!t)
+    throw new Error(`no valid token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
+  console.log(t);
+}
+async function runEnv(toolName) {
+  const auth = await getAuthConfig(toolName);
+  if (!auth)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  console.log(await getEnvExport(toolName, auth));
+}
+async function runRefresh(toolName) {
+  const authConfig = await getAuthConfig(toolName);
+  if (!authConfig)
+    throw new Error(`tool '${toolName}' does not declare auth`);
+  const provider = authConfig.providers[0];
+  if (!provider)
+    throw new Error("no auth provider configured");
+  const token = loadToken(toolName, provider.id);
+  if (!token) {
+    throw new Error(`no stored token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${toolName}' has no refresh_token (provider type: ${provider.type})`);
+  }
+  if (!provider.tokenUrl || !provider.clientId) {
+    throw new Error("provider missing tokenUrl or clientId for refresh");
+  }
+  const newToken = await refreshAccessToken(provider.tokenUrl, token.refresh_token, provider.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = provider.id;
+  storeToken(toolName, provider.id, newToken);
+  const display = provider.displayName ?? provider.id;
+  process.stderr.write(`Token refreshed for ${display}
+`);
+}
 var init_auth = __esm(() => {
+  init_open();
   init_search2();
 });
 
@@ -7495,6 +7803,10 @@ __export(exports_mcp_oauth, {
   promptForClientId: () => promptForClientId,
   parseWwwAuthenticate: () => parseWwwAuthenticate,
   mcpOAuthFlow: () => mcpOAuthFlow,
+  mcpAuthToken: () => mcpAuthToken,
+  mcpAuthStatus: () => mcpAuthStatus,
+  mcpAuthRefresh: () => mcpAuthRefresh,
+  mcpAuthLogout: () => mcpAuthLogout,
   loadOrRefreshMcpToken: () => loadOrRefreshMcpToken,
   loadClientRegistration: () => loadClientRegistration,
   fetchResourceMetadata: () => fetchResourceMetadata,
@@ -7508,10 +7820,10 @@ import {
   writeFileSync as writeFileSync3,
   chmodSync as chmodSync2
 } from "node:fs";
-import { createServer } from "node:http";
+import { createServer as createServer2 } from "node:http";
 import { homedir as homedir3 } from "node:os";
 import { dirname as dirname2, join as join3 } from "node:path";
-import { createInterface } from "node:readline";
+import { createInterface as createInterface2 } from "node:readline";
 function serverStorageKey(url) {
   const u = new URL(url);
   return `mcp_${u.host}`;
@@ -7612,7 +7924,7 @@ function promptForClientId(serverUrl) {
 No dynamic registration available for ${serverUrl}.
 ` + `You need to register a client manually and provide the client_id.
 ` + `Enter client_id: `);
-    const rl = createInterface({ input: process.stdin, output: process.stderr });
+    const rl = createInterface2({ input: process.stdin, output: process.stderr });
     rl.question("", (answer) => {
       rl.close();
       const trimmed = answer.trim();
@@ -7660,7 +7972,7 @@ function startCallbackServer() {
       codeResolve = res;
       codeReject = rej;
     });
-    const server = createServer((req, res) => {
+    const server = createServer2((req, res) => {
       const url = new URL(req.url ?? "/", `http://127.0.0.1`);
       const code = url.searchParams.get("code");
       const error = url.searchParams.get("error");
@@ -7792,6 +8104,58 @@ ${authUrl}
 `);
   return token.access_token;
 }
+function mcpAuthStatus(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  const reg = loadClientRegistration(origin);
+  const result = {
+    url: serverUrl,
+    authenticated: token !== null
+  };
+  if (token) {
+    result.expired = isTokenExpired(token);
+    result.has_refresh = !!token.refresh_token;
+    if (token.expires_at)
+      result.expires_at = token.expires_at;
+    if (token.scopes)
+      result.scopes = token.scopes;
+  }
+  if (reg) {
+    result.client_id = reg.client.clientId;
+  }
+  return result;
+}
+function mcpAuthLogout(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  return deleteToken(storageKey, "mcp-oauth");
+}
+async function mcpAuthToken(serverUrl) {
+  return loadOrRefreshMcpToken(serverUrl);
+}
+async function mcpAuthRefresh(serverUrl) {
+  const storageKey = serverStorageKey(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token) {
+    throw new Error(`no stored token for '${serverUrl}'. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${serverUrl}' has no refresh_token`);
+  }
+  const cached = loadClientRegistration(origin);
+  if (!cached) {
+    throw new Error(`no cached client registration for ${origin}. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", newToken);
+  process.stderr.write(`Token refreshed for ${serverUrl}
+`);
+}
 async function loadOrRefreshMcpToken(serverUrl) {
   const storageKey = serverStorageKey(serverUrl);
   const token = loadToken(storageKey, "mcp-oauth");
@@ -7826,30 +8190,30 @@ var init_mcp_oauth = __esm(() => {
 });
 
 // src/auth.ts
-var exports_auth = {};
-__export(exports_auth, {
+var exports_auth2 = {};
+__export(exports_auth2, {
   storeToken: () => storeToken2,
-  runToken: () => runToken,
-  runStatus: () => runStatus,
-  runRefresh: () => runRefresh,
-  runLogout: () => runLogout,
-  runLogin: () => runLogin,
-  runEnv: () => runEnv,
+  runToken: () => runToken2,
+  runStatus: () => runStatus2,
+  runRefresh: () => runRefresh2,
+  runLogout: () => runLogout2,
+  runLogin: () => runLogin2,
+  runEnv: () => runEnv2,
   refreshAccessToken: () => refreshAccessToken2,
-  oauth2Login: () => oauth2Login,
-  login: () => login,
+  oauth2Login: () => oauth2Login2,
+  login: () => login2,
   loadToken: () => loadToken2,
   isTokenExpired: () => isTokenExpired2,
-  getProvider: () => getProvider,
-  getEnvExport: () => getEnvExport,
+  getProvider: () => getProvider2,
+  getEnvExport: () => getEnvExport2,
   getEnvDict: () => getEnvDict2,
-  getAuthConfig: () => getAuthConfig,
+  getAuthConfig: () => getAuthConfig2,
   generatePkce: () => generatePkce2,
   exchangeCode: () => exchangeCode2,
   ensureValidToken: () => ensureValidToken2,
-  deleteToken: () => deleteToken,
-  authStatus: () => authStatus,
-  apiKeyLogin: () => apiKeyLogin
+  deleteToken: () => deleteToken2,
+  authStatus: () => authStatus2,
+  apiKeyLogin: () => apiKeyLogin2
 });
 import { createHash as createHash2, randomBytes as randomBytes3 } from "node:crypto";
 import {
@@ -7860,10 +8224,10 @@ import {
   unlinkSync as unlinkSync2,
   writeFileSync as writeFileSync4
 } from "node:fs";
-import { createServer as createServer2 } from "node:http";
+import { createServer as createServer3 } from "node:http";
 import { homedir as homedir4 } from "node:os";
 import { dirname as dirname3, join as join4 } from "node:path";
-import { createInterface as createInterface2 } from "node:readline";
+import { createInterface as createInterface3 } from "node:readline";
 function tokensDir2(baseDir) {
   return join4(baseDir ?? join4(homedir4(), ".mtpcli"), "tokens");
 }
@@ -7883,7 +8247,7 @@ function loadToken2(toolName, providerId, baseDir) {
     return null;
   return JSON.parse(readFileSync4(path2, "utf-8"));
 }
-function deleteToken(toolName, providerId, baseDir) {
+function deleteToken2(toolName, providerId, baseDir) {
   const path2 = tokenPath2(toolName, providerId, baseDir);
   if (!existsSync4(path2))
     return false;
@@ -7897,11 +8261,11 @@ function isTokenExpired2(token) {
   const buffer = 5 * 60 * 1000;
   return exp.getTime() - buffer < Date.now();
 }
-async function getAuthConfig(toolName) {
+async function getAuthConfig2(toolName) {
   const schema = await getToolSchema2(toolName);
   return schema?.auth ?? null;
 }
-function getProvider(auth, providerId) {
+function getProvider2(auth, providerId) {
   if (providerId)
     return auth.providers.find((p) => p.id === providerId);
   return auth.providers[0];
@@ -7912,13 +8276,13 @@ function generatePkce2() {
   const challenge = createHash2("sha256").update(verifier).digest("base64url");
   return { verifier, challenge };
 }
-function waitForCallback(port, timeoutSecs) {
+function waitForCallback2(port, timeoutSecs) {
   return new Promise((resolve, reject) => {
     const timer = setTimeout(() => {
       server.close();
       reject(new Error("OAuth callback timed out"));
     }, timeoutSecs * 1000);
-    const server = createServer2((req, res) => {
+    const server = createServer3((req, res) => {
       const url = new URL(req.url ?? "/", `http://127.0.0.1:${port}`);
       const code = url.searchParams.get("code");
       const error = url.searchParams.get("error");
@@ -8022,7 +8386,7 @@ function parseTokenResponse2(text) {
     created_at: new Date().toISOString()
   };
 }
-async function oauth2Login(toolName, provider, port) {
+async function oauth2Login2(toolName, provider, port) {
   if (!provider.authorizationUrl)
     throw new Error("provider missing authorizationUrl");
   if (!provider.tokenUrl)
@@ -8058,7 +8422,7 @@ ${fullUrl}
   open_default(fullUrl).catch(() => {});
   process.stderr.write(`Waiting for authentication callback on port ${port}...
 `);
-  const result = await waitForCallback(port, 120);
+  const result = await waitForCallback2(port, 120);
   if (result.error)
     throw new Error(`OAuth error: ${result.error}`);
   if (!result.code)
@@ -8072,7 +8436,7 @@ ${fullUrl}
 `);
   return token;
 }
-function apiKeyLogin(toolName, provider, tokenValue) {
+function apiKeyLogin2(toolName, provider, tokenValue) {
   return new Promise((resolve, reject) => {
     const finish = (value) => {
       if (!value) {
@@ -8107,23 +8471,23 @@ function apiKeyLogin(toolName, provider, tokenValue) {
 `);
     }
     process.stderr.write("Enter your token/API key: ");
-    const rl = createInterface2({ input: process.stdin, output: process.stderr });
+    const rl = createInterface3({ input: process.stdin, output: process.stderr });
     rl.question("", (answer) => {
       rl.close();
       finish(answer.trim());
     });
   });
 }
-async function login(toolName, provider, token, port = 8914) {
+async function login2(toolName, provider, token, port = 8914) {
   switch (provider.type) {
     case "oauth2":
     case "oauth2-pkce":
       if (token)
-        return apiKeyLogin(toolName, provider, token);
-      return oauth2Login(toolName, provider, port);
+        return apiKeyLogin2(toolName, provider, token);
+      return oauth2Login2(toolName, provider, port);
     case "api-key":
     case "bearer":
-      return apiKeyLogin(toolName, provider, token);
+      return apiKeyLogin2(toolName, provider, token);
     default:
       throw new Error(`unknown auth type: ${provider.type}`);
   }
@@ -8161,7 +8525,7 @@ async function getEnvDict2(toolName, auth) {
     return {};
   return { [auth.envVar]: token };
 }
-async function getEnvExport(toolName, auth) {
+async function getEnvExport2(toolName, auth) {
   const env = await getEnvDict2(toolName, auth);
   if (Object.keys(env).length === 0) {
     return "# No token available. Run: mtpcli auth login <tool>";
@@ -8172,7 +8536,7 @@ async function getEnvExport(toolName, auth) {
   }).join(`
 `);
 }
-async function authStatus(toolName, auth) {
+async function authStatus2(toolName, auth) {
   const providers = [];
   for (const provider of auth.providers) {
     const token = loadToken2(toolName, provider.id);
@@ -8199,22 +8563,22 @@ async function authStatus(toolName, auth) {
     providers
   };
 }
-async function runLogin(toolName, providerId, token) {
-  const auth = await getAuthConfig(toolName);
+async function runLogin2(toolName, providerId, token) {
+  const auth = await getAuthConfig2(toolName);
   if (!auth)
     throw new Error(`tool '${toolName}' does not declare auth`);
-  const provider = getProvider(auth, providerId);
+  const provider = getProvider2(auth, providerId);
   if (!provider)
     throw new Error("no matching auth provider found");
-  await login(toolName, provider, token, 8914);
+  await login2(toolName, provider, token, 8914);
 }
-async function runLogout(toolName) {
-  const auth = await getAuthConfig(toolName);
+async function runLogout2(toolName) {
+  const auth = await getAuthConfig2(toolName);
   if (!auth)
     throw new Error(`tool '${toolName}' does not declare auth`);
   let deleted = false;
   for (const provider of auth.providers) {
-    if (deleteToken(toolName, provider.id)) {
+    if (deleteToken2(toolName, provider.id)) {
       const display = provider.displayName ?? provider.id;
       process.stderr.write(`Logged out from ${display}
 `);
@@ -8225,15 +8589,15 @@ async function runLogout(toolName) {
     process.stderr.write(`No tokens found for '${toolName}'
 `);
 }
-async function runStatus(toolName) {
-  const auth = await getAuthConfig(toolName);
+async function runStatus2(toolName) {
+  const auth = await getAuthConfig2(toolName);
   if (!auth)
     throw new Error(`tool '${toolName}' does not declare auth`);
-  const status = await authStatus(toolName, auth);
+  const status = await authStatus2(toolName, auth);
   console.log(JSON.stringify(status, null, 2));
 }
-async function runToken(toolName) {
-  const auth = await getAuthConfig(toolName);
+async function runToken2(toolName) {
+  const auth = await getAuthConfig2(toolName);
   if (!auth)
     throw new Error(`tool '${toolName}' does not declare auth`);
   const t = await ensureValidToken2(toolName, auth);
@@ -8241,14 +8605,14 @@ async function runToken(toolName) {
     throw new Error(`no valid token for '${toolName}'. Run: mtpcli auth login ${toolName}`);
   console.log(t);
 }
-async function runEnv(toolName) {
-  const auth = await getAuthConfig(toolName);
+async function runEnv2(toolName) {
+  const auth = await getAuthConfig2(toolName);
   if (!auth)
     throw new Error(`tool '${toolName}' does not declare auth`);
-  console.log(await getEnvExport(toolName, auth));
+  console.log(await getEnvExport2(toolName, auth));
 }
-async function runRefresh(toolName) {
-  const authConfig = await getAuthConfig(toolName);
+async function runRefresh2(toolName) {
+  const authConfig = await getAuthConfig2(toolName);
   if (!authConfig)
     throw new Error(`tool '${toolName}' does not declare auth`);
   const provider = authConfig.providers[0];
@@ -8340,7 +8704,7 @@ __export(exports_serve, {
   argToJsonSchema: () => argToJsonSchema
 });
 import { execFile as execFile9, spawn } from "node:child_process";
-import { createInterface as createInterface3 } from "node:readline";
+import { createInterface as createInterface4 } from "node:readline";
 import { promisify as promisify9 } from "node:util";
 function argToJsonSchema(arg) {
   const schema = {};
@@ -8563,7 +8927,7 @@ async function run(toolNames) {
     schemas: allSchemas,
     authConfigs: allAuth
   };
-  const rl = createInterface3({ input: process.stdin, crlfDelay: Infinity });
+  const rl = createInterface4({ input: process.stdin, crlfDelay: Infinity });
   for await (const line of rl) {
     const trimmed = line.trim();
     if (!trimmed)
@@ -8602,6 +8966,10 @@ __export(exports_mcp_oauth2, {
   promptForClientId: () => promptForClientId2,
   parseWwwAuthenticate: () => parseWwwAuthenticate2,
   mcpOAuthFlow: () => mcpOAuthFlow2,
+  mcpAuthToken: () => mcpAuthToken2,
+  mcpAuthStatus: () => mcpAuthStatus2,
+  mcpAuthRefresh: () => mcpAuthRefresh2,
+  mcpAuthLogout: () => mcpAuthLogout2,
   loadOrRefreshMcpToken: () => loadOrRefreshMcpToken2,
   loadClientRegistration: () => loadClientRegistration2,
   fetchResourceMetadata: () => fetchResourceMetadata2,
@@ -8615,10 +8983,10 @@ import {
   writeFileSync as writeFileSync5,
   chmodSync as chmodSync4
 } from "node:fs";
-import { createServer as createServer3 } from "node:http";
+import { createServer as createServer4 } from "node:http";
 import { homedir as homedir5 } from "node:os";
 import { dirname as dirname4, join as join5 } from "node:path";
-import { createInterface as createInterface4 } from "node:readline";
+import { createInterface as createInterface5 } from "node:readline";
 function serverStorageKey2(url) {
   const u = new URL(url);
   return `mcp_${u.host}`;
@@ -8719,7 +9087,7 @@ function promptForClientId2(serverUrl) {
 No dynamic registration available for ${serverUrl}.
 ` + `You need to register a client manually and provide the client_id.
 ` + `Enter client_id: `);
-    const rl = createInterface4({ input: process.stdin, output: process.stderr });
+    const rl = createInterface5({ input: process.stdin, output: process.stderr });
     rl.question("", (answer) => {
       rl.close();
       const trimmed = answer.trim();
@@ -8767,7 +9135,7 @@ function startCallbackServer2() {
       codeResolve = res;
       codeReject = rej;
     });
-    const server = createServer3((req, res) => {
+    const server = createServer4((req, res) => {
       const url = new URL(req.url ?? "/", `http://127.0.0.1`);
       const code = url.searchParams.get("code");
       const error = url.searchParams.get("error");
@@ -8899,6 +9267,58 @@ ${authUrl}
 `);
   return token.access_token;
 }
+function mcpAuthStatus2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  const reg = loadClientRegistration2(origin);
+  const result = {
+    url: serverUrl,
+    authenticated: token !== null
+  };
+  if (token) {
+    result.expired = isTokenExpired(token);
+    result.has_refresh = !!token.refresh_token;
+    if (token.expires_at)
+      result.expires_at = token.expires_at;
+    if (token.scopes)
+      result.scopes = token.scopes;
+  }
+  if (reg) {
+    result.client_id = reg.client.clientId;
+  }
+  return result;
+}
+function mcpAuthLogout2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  return deleteToken(storageKey, "mcp-oauth");
+}
+async function mcpAuthToken2(serverUrl) {
+  return loadOrRefreshMcpToken2(serverUrl);
+}
+async function mcpAuthRefresh2(serverUrl) {
+  const storageKey = serverStorageKey2(serverUrl);
+  const origin = new URL(serverUrl).origin;
+  const token = loadToken(storageKey, "mcp-oauth");
+  if (!token) {
+    throw new Error(`no stored token for '${serverUrl}'. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  if (!token.refresh_token) {
+    throw new Error(`token for '${serverUrl}' has no refresh_token`);
+  }
+  const cached = loadClientRegistration2(origin);
+  if (!cached) {
+    throw new Error(`no cached client registration for ${origin}. Run: mtpcli auth login --url ${serverUrl}`);
+  }
+  const newToken = await refreshAccessToken(cached.metadata.token_endpoint, token.refresh_token, cached.client.clientId);
+  if (!newToken.refresh_token) {
+    newToken.refresh_token = token.refresh_token;
+  }
+  newToken.provider_id = "mcp-oauth";
+  storeToken(storageKey, "mcp-oauth", newToken);
+  process.stderr.write(`Token refreshed for ${serverUrl}
+`);
+}
 async function loadOrRefreshMcpToken2(serverUrl) {
   const storageKey = serverStorageKey2(serverUrl);
   const token = loadToken(storageKey, "mcp-oauth");
@@ -8944,7 +9364,7 @@ __export(exports_wrap, {
   HttpMcpClient: () => HttpMcpClient
 });
 import { spawn as spawn2 } from "node:child_process";
-import { createInterface as createInterface5 } from "node:readline";
+import { createInterface as createInterface6 } from "node:readline";
 function jsonSchemaToArg(name, prop, required) {
   let argType = "string";
   let values;
@@ -9096,7 +9516,7 @@ class McpClient {
     if (!child.stdout || !child.stdin) {
       throw new Error("failed to start MCP server");
     }
-    const rl = createInterface5({ input: child.stdout, crlfDelay: Infinity });
+    const rl = createInterface6({ input: child.stdout, crlfDelay: Infinity });
     const client = new McpClient(child, rl);
     client.sendRequest("initialize", {
       protocolVersion: "2024-11-05",
@@ -9226,6 +9646,16 @@ class HttpMcpClient {
       throw new Error(`HTTP 401 from ${this.url} (OAuth already attempted, not retrying)`);
     }
     this.oauthAttempted = true;
+    try {
+      const { mcpAuthRefresh: mcpAuthRefresh3, serverStorageKey: serverStorageKey3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
+      const { loadToken: loadToken3 } = await Promise.resolve().then(() => (init_auth(), exports_auth));
+      await mcpAuthRefresh3(this.url);
+      const token = loadToken3(serverStorageKey3(this.url), "mcp-oauth");
+      if (token) {
+        this.accessToken = token.access_token;
+        return;
+      }
+    } catch {}
     const wwwAuth = resp.headers.get("www-authenticate") ?? "";
     const { mcpOAuthFlow: mcpOAuthFlow3 } = await Promise.resolve().then(() => (init_mcp_oauth2(), exports_mcp_oauth2));
     this.accessToken = await mcpOAuthFlow3(this.url, wwwAuth, this.clientId);
@@ -10134,7 +10564,7 @@ function cleanJson(obj) {
 }
 
 // src/index.ts
-var VERSION3 = "0.2.3";
+var VERSION3 = "0.3.0";
 function selfDescribe() {
   const schema = {
     name: "mtpcli",
@@ -10234,11 +10664,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth logout gh-tool" }]
+        examples: [
+          { command: "mtpcli auth logout gh-tool" },
+          {
+            description: "Logout from HTTP MCP server",
+            command: "mtpcli auth logout --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "auth status",
@@ -10247,11 +10687,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth status gh-tool" }]
+        examples: [
+          { command: "mtpcli auth status gh-tool" },
+          {
+            description: "Status for HTTP MCP server",
+            command: "mtpcli auth status --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "auth token",
@@ -10260,11 +10710,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth token gh-tool" }]
+        examples: [
+          { command: "mtpcli auth token gh-tool" },
+          {
+            description: "Token for HTTP MCP server",
+            command: "mtpcli auth token --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "auth env",
@@ -10286,11 +10746,21 @@ function selfDescribe() {
           {
             name: "tool",
             type: "string",
-            required: true,
-            description: "Tool name"
+            description: "Tool name (required unless --url is used)"
+          },
+          {
+            name: "--url",
+            type: "string",
+            description: "HTTP MCP server URL"
           }
         ],
-        examples: [{ command: "mtpcli auth refresh gh-tool" }]
+        examples: [
+          { command: "mtpcli auth refresh gh-tool" },
+          {
+            description: "Refresh token for HTTP MCP server",
+            command: "mtpcli auth refresh --url https://mcp.example.com/v1/mcp"
+          }
+        ]
       },
       {
         name: "serve",
@@ -10489,28 +10959,79 @@ authCmd.command("login").description("Log in to a tool").argument("[tool]", "Too
 `);
     process.exit(1);
   }
-  const { runLogin: runLogin2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
-  await runLogin2(tool, opts.provider, opts.token);
+  const { runLogin: runLogin3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runLogin3(tool, opts.provider, opts.token);
 });
-authCmd.command("logout").description("Log out from a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runLogout: runLogout2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
-  await runLogout2(tool);
+authCmd.command("logout").description("Log out from a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthLogout: mcpAuthLogout3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    const deleted = mcpAuthLogout3(opts.url);
+    if (deleted) {
+      process.stderr.write(`Logged out from ${opts.url}
+`);
+    } else {
+      process.stderr.write(`No tokens found for ${opts.url}
+`);
+    }
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runLogout: runLogout3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runLogout3(tool);
 });
-authCmd.command("status").description("Show auth status for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runStatus: runStatus2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
-  await runStatus2(tool);
+authCmd.command("status").description("Show auth status for a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthStatus: mcpAuthStatus3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    console.log(JSON.stringify(mcpAuthStatus3(opts.url), null, 2));
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runStatus: runStatus3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runStatus3(tool);
 });
-authCmd.command("token").description("Print the access token for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runToken: runToken2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
-  await runToken2(tool);
+authCmd.command("token").description("Print the access token for a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthToken: mcpAuthToken3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    const t = await mcpAuthToken3(opts.url);
+    if (!t) {
+      throw new Error(`no valid token for '${opts.url}'. Run: mtpcli auth login --url ${opts.url}`);
+    }
+    console.log(t);
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runToken: runToken3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runToken3(tool);
 });
 authCmd.command("env").description("Print shell export statement for eval").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runEnv: runEnv2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
-  await runEnv2(tool);
+  const { runEnv: runEnv3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runEnv3(tool);
 });
-authCmd.command("refresh").description("Force-refresh the stored OAuth token for a tool").argument("<tool>", "Tool name").action(async (tool) => {
-  const { runRefresh: runRefresh2 } = await Promise.resolve().then(() => (init_auth2(), exports_auth));
-  await runRefresh2(tool);
+authCmd.command("refresh").description("Force-refresh the stored OAuth token for a tool").argument("[tool]", "Tool name").option("--url <url>", "HTTP MCP server URL").action(async (tool, opts) => {
+  if (opts.url) {
+    const { mcpAuthRefresh: mcpAuthRefresh3 } = await Promise.resolve().then(() => (init_mcp_oauth(), exports_mcp_oauth));
+    await mcpAuthRefresh3(opts.url);
+    return;
+  }
+  if (!tool) {
+    process.stderr.write(`error: tool name is required (or use --url)
+`);
+    process.exit(1);
+  }
+  const { runRefresh: runRefresh3 } = await Promise.resolve().then(() => (init_auth2(), exports_auth2));
+  await runRefresh3(tool);
 });
 program2.command("serve").description("Serve CLI tools as an MCP server (cli2mcp bridge)").requiredOption("--tool <names...>", "Tool(s) to serve").addHelpText("after", `
 This command is meant to be used as an MCP server, not run directly.
@@ -10551,7 +11072,7 @@ Multiple tools can be combined into a single MCP server:
   const { run: run5 } = await Promise.resolve().then(() => (init_serve(), exports_serve));
   await run5(opts.tool);
 });
-program2.command("wrap").description("Wrap an MCP server as a CLI tool (mcp2cli bridge)").option("--server <cmd>", "MCP server command to run (stdio transport)").option("--url <url>", "MCP server URL (Streamable HTTP transport)").option("-H, --header <header...>", "HTTP header(s) for --url (e.g. 'Authorization: Bearer tok')").option("--client-id <id>", "Pre-registered OAuth client ID (for --url)").option("--describe", "Output --describe JSON instead of invoking", false).argument("[tool_name]", "Tool name to invoke").argument("[args...]", "Arguments for the tool (after --)").action(async (toolName, args, opts) => {
+program2.command("wrap").description("Wrap an MCP server as a CLI tool (mcp2cli bridge)").option("--server <cmd>", "MCP server command to run (stdio transport)").option("--url <url>", "MCP server URL (Streamable HTTP / SSE transport)").option("-H, --header <header...>", "HTTP header(s) for --url (e.g. 'Authorization: Bearer tok')").option("--client-id <id>", "Pre-registered OAuth client ID (for --url)").option("--describe", "Output --describe JSON instead of invoking", false).argument("[tool_name]", "Tool name to invoke").argument("[args...]", "Arguments for the tool (after --)").action(async (toolName, args, opts) => {
   if (opts.server && opts.url) {
     process.stderr.write(`error: --server and --url are mutually exclusive
 `);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@modeltoolsprotocol/mtpcli",
-  "version": "0.2.3",
+  "version": "0.3.0",
   "license": "Apache-2.0",
   "type": "module",
   "bin": {