@schoolai/shipyard 3.7.0 → 3.8.0-rc.20260529.0

package/dist/chunk-HQ43PHOH.js

@@ -0,0 +1,1203 @@
+#!/usr/bin/env node
+import {
+  logger
+} from "./chunk-ZAOPND5G.js";
+import {
+  external_exports
+} from "./chunk-CNR7O5YH.js";
+
+// src/shared/capabilities/mcp-servers.ts
+import { readFile as readFile2, stat } from "fs/promises";
+import { homedir as homedir2 } from "os";
+import { basename, join as join2, resolve } from "path";
+import { parse as parseToml } from "toml";
+
+// src/shared/mcp/claude-code-credentials.ts
+import { execFile as execFileCb } from "child_process";
+import { readFile } from "fs/promises";
+import { homedir } from "os";
+import { join } from "path";
+import { promisify } from "util";
+
+// src/shared/mcp/schemas.ts
+import {
+  OAuthMetadataSchema,
+  OAuthProtectedResourceMetadataSchema,
+  OpenIdProviderDiscoveryMetadataSchema
+} from "@modelcontextprotocol/sdk/shared/auth.js";
+var AuthorizationServerMetadataSchema = external_exports.union([
+  OAuthMetadataSchema,
+  OpenIdProviderDiscoveryMetadataSchema
+]);
+var DiscoveryStateSchema = external_exports.object({
+  authorizationServerUrl: external_exports.string(),
+  authorizationServerMetadata: AuthorizationServerMetadataSchema.optional(),
+  resourceMetadata: OAuthProtectedResourceMetadataSchema.optional(),
+  resourceMetadataUrl: external_exports.string().optional()
+}).passthrough();
+
+// src/shared/mcp/claude-code-credentials.ts
+var execFile = promisify(execFileCb);
+var ClaudeCodeOAuthEntrySchema = external_exports.object({
+  serverName: external_exports.string().nullable().optional(),
+  serverUrl: external_exports.string().nullable().optional(),
+  clientId: external_exports.string().nullable().optional(),
+  clientSecret: external_exports.string().nullable().optional(),
+  accessToken: external_exports.string().nullable().optional(),
+  refreshToken: external_exports.string().nullable().optional(),
+  expiresAt: external_exports.number().nullable().optional(),
+  discoveryState: DiscoveryStateSchema.nullable().optional()
+}).passthrough();
+var CredentialsFileSchema = external_exports.object({
+  mcpOAuth: external_exports.record(external_exports.string(), external_exports.unknown()).optional()
+}).passthrough();
+var CREDENTIALS_PATH = join(homedir(), ".claude", ".credentials.json");
+var KEYCHAIN_SERVICE = "Claude Code-credentials";
+var PluginMcpJsonSchema = external_exports.record(
+  external_exports.string(),
+  external_exports.object({
+    url: external_exports.string().optional(),
+    oauth: external_exports.object({ clientId: external_exports.string(), callbackPort: external_exports.number().optional() }).optional()
+  }).passthrough()
+);
+async function extractClientIdsFromPlugin(installPath, result) {
+  const raw = await readFile(join(installPath, ".mcp.json"), "utf-8");
+  const json = JSON.parse(raw);
+  const outer = external_exports.record(external_exports.string(), external_exports.unknown()).safeParse(json);
+  if (!outer.success) return;
+  const servers = outer.data.mcpServers ?? outer.data;
+  const validated = PluginMcpJsonSchema.safeParse(servers);
+  if (!validated.success) return;
+  for (const config of Object.values(validated.data)) {
+    if (config.url && config.oauth?.clientId) {
+      result.set(config.url, config.oauth.clientId);
+    }
+  }
+}
+async function readPluginClientIds() {
+  const result = /* @__PURE__ */ new Map();
+  try {
+    const installedPath = join(homedir(), ".claude", "plugins", "installed_plugins.json");
+    const InstalledPluginsSchema = external_exports.object({
+      plugins: external_exports.record(external_exports.string(), external_exports.array(external_exports.object({ installPath: external_exports.string().optional() }))).optional()
+    });
+    const parsed = InstalledPluginsSchema.safeParse(
+      JSON.parse(await readFile(installedPath, "utf-8"))
+    );
+    if (!parsed.success || !parsed.data.plugins) return result;
+    for (const installs of Object.values(parsed.data.plugins)) {
+      const installPath = installs?.[0]?.installPath;
+      if (!installPath) continue;
+      await extractClientIdsFromPlugin(installPath, result).catch(() => {
+      });
+    }
+  } catch {
+  }
+  return result;
+}
+async function readKeychainCredentials() {
+  if (process.platform !== "darwin") return null;
+  try {
+    const { stdout } = await execFile(
+      "security",
+      ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-w"],
+      { timeout: 5e3 }
+    );
+    const result = external_exports.record(external_exports.string(), external_exports.unknown()).safeParse(JSON.parse(stdout.trim()));
+    return result.success ? result.data : null;
+  } catch {
+    return null;
+  }
+}
+function scanEntries(mcpOAuth, serverUrl) {
+  let bestWithToken = null;
+  let clientId;
+  let clientSecret;
+  let discoveryState;
+  for (const value of Object.values(mcpOAuth)) {
+    const entryResult = ClaudeCodeOAuthEntrySchema.safeParse(value);
+    if (!entryResult.success) continue;
+    const entry = entryResult.data;
+    if (entry.serverUrl !== serverUrl) continue;
+    if (entry.clientId && !clientId) {
+      clientId = entry.clientId;
+      clientSecret = entry.clientSecret || void 0;
+    }
+    if (entry.discoveryState && !discoveryState) {
+      discoveryState = entry.discoveryState;
+    }
+    if (entry.accessToken && !bestWithToken) {
+      bestWithToken = entry;
+    }
+  }
+  return { bestWithToken, clientId, clientSecret, discoveryState };
+}
+function findMatchingEntry(credentialsData, serverName, serverUrl) {
+  const fileResult = CredentialsFileSchema.safeParse(credentialsData);
+  if (!fileResult.success) return null;
+  const mcpOAuth = fileResult.data.mcpOAuth;
+  if (!mcpOAuth) return null;
+  const { bestWithToken, clientId, clientSecret, discoveryState } = scanEntries(
+    mcpOAuth,
+    serverUrl
+  );
+  if (!bestWithToken && !clientId) return null;
+  return {
+    serverName: bestWithToken?.serverName ?? serverName,
+    serverUrl,
+    clientId: bestWithToken?.clientId || clientId,
+    clientSecret: bestWithToken?.clientSecret || clientSecret || void 0,
+    accessToken: bestWithToken?.accessToken || void 0,
+    refreshToken: bestWithToken?.refreshToken || void 0,
+    expiresAt: bestWithToken?.expiresAt ?? void 0,
+    discoveryState: bestWithToken?.discoveryState ?? discoveryState ?? void 0
+  };
+}
+async function readClaudeCodeCredentials(serverName, serverUrl) {
+  if (!serverUrl) return null;
+  try {
+    const keychainData = await readKeychainCredentials();
+    if (keychainData) {
+      const entry = findMatchingEntry(keychainData, serverName, serverUrl);
+      if (entry) {
+        logger.debug({ serverUrl }, "Found Claude Code credentials in macOS Keychain");
+        return entry;
+      }
+    }
+  } catch (err) {
+    logger.debug({ err }, "Failed to read Claude Code credentials from Keychain");
+  }
+  try {
+    const raw = await readFile(CREDENTIALS_PATH, "utf-8");
+    const fileResult = CredentialsFileSchema.safeParse(JSON.parse(raw));
+    if (fileResult.success) {
+      const entry = findMatchingEntry(fileResult.data, serverName, serverUrl);
+      if (entry) {
+        logger.debug({ serverUrl }, "Found Claude Code credentials in legacy file");
+        return entry;
+      }
+    }
+    return null;
+  } catch (err) {
+    logger.debug({ err }, "Failed to read Claude Code credentials from file");
+    return null;
+  }
+}
+
+// src/shared/mcp/resolve-servers.ts
+var ENV_VAR_PATTERN = /\$\{([^}]+)\}/g;
+var VAULT_REF_PATTERN = /^\$\{vault:([^}]+)\}$/;
+function interpolateEnvVars(headers) {
+  const result = {};
+  for (const [key, value] of Object.entries(headers)) {
+    result[key] = value.replace(
+      ENV_VAR_PATTERN,
+      (_, varName) => process.env[varName] ?? ""
+    );
+  }
+  return result;
+}
+function resolveHeaders(server) {
+  if (!server.headers) return void 0;
+  return interpolateEnvVars(server.headers);
+}
+function isMcpServerCompatibleWithRuntime(server, runtimeId) {
+  if (!runtimeId) return true;
+  return server.runtimeId === void 0 || server.runtimeId === runtimeId;
+}
+function resolveVaultRefEnvValue(key, value, store, log) {
+  const match = VAULT_REF_PATTERN.exec(value);
+  if (!match) return void 0;
+  const vaultKey = match[1] ?? "";
+  const token = store.getTokenSync(vaultKey);
+  if (token && !store.isExpired(token)) {
+    log?.({
+      event: "vault_ref_resolved",
+      envKey: key,
+      vaultKey,
+      tokenType: token.tokenType,
+      hasExpiry: token.expiresAt !== void 0
+    });
+    return token.accessToken;
+  }
+  log?.({
+    event: "vault_ref_unresolved",
+    envKey: key,
+    vaultKey,
+    tokenFound: token !== null,
+    tokenExpired: token ? store.isExpired(token) : false
+  });
+  return value;
+}
+function resolveStdioEnv(env, store, log) {
+  if (!env) return void 0;
+  if (!store) return env;
+  const result = {};
+  let changed = false;
+  for (const [key, value] of Object.entries(env)) {
+    const vaultResolved = resolveVaultRefEnvValue(key, value, store, log);
+    if (vaultResolved !== void 0) {
+      result[key] = vaultResolved;
+      if (vaultResolved !== value) {
+        changed = true;
+      }
+      continue;
+    }
+    const interpolated = value.replace(
+      ENV_VAR_PATTERN,
+      (_, varName) => process.env[varName] ?? ""
+    );
+    result[key] = interpolated;
+    if (interpolated !== value) {
+      changed = true;
+    }
+  }
+  return changed ? result : env;
+}
+function toResolvedMcpServerConfig(server, mcpTokenStore) {
+  if (server.type === "http" && server.url) {
+    return {
+      type: "http",
+      url: server.url,
+      headers: resolveHeaders(server)
+    };
+  }
+  if (server.type === "sse" && server.url) {
+    return {
+      type: "sse",
+      url: server.url,
+      headers: resolveHeaders(server)
+    };
+  }
+  if (server.command) {
+    return {
+      command: server.command,
+      args: server.args ?? void 0,
+      env: resolveStdioEnv(server.env, mcpTokenStore)
+    };
+  }
+  return null;
+}
+function resolveEnabledMcpServers(overrides, available, mcpTokenStore, runtimeId) {
+  if (!overrides || !available) return void 0;
+  const enabledNames = new Set(overrides.filter((o) => o.enabled).map((o) => o.name));
+  if (enabledNames.size === 0) return {};
+  const result = {};
+  for (const server of available) {
+    if (!isMcpServerCompatibleWithRuntime(server, runtimeId)) continue;
+    if (!enabledNames.has(server.name)) continue;
+    const config = toResolvedMcpServerConfig(server, mcpTokenStore);
+    if (config) result[server.name] = config;
+  }
+  return result;
+}
+
+// src/shared/auth/anthropic-credentials.ts
+import { execFile as execFileCb2 } from "child_process";
+import { promisify as promisify2 } from "util";
+var execFile2 = promisify2(execFileCb2);
+var defaultLog = (entry) => logger.debug(entry, entry.event);
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+async function readKeychainEntry(service) {
+  if (process.platform !== "darwin") return null;
+  try {
+    const { stdout } = await execFile2("security", ["find-generic-password", "-s", service, "-w"], {
+      timeout: 5e3
+    });
+    const value = stdout.trim();
+    return value || null;
+  } catch {
+    return null;
+  }
+}
+async function readKeychainOAuthToken(log = defaultLog) {
+  if (process.platform !== "darwin") {
+    log({ event: "anthropic_keychain_read_skipped", reason: "non_darwin" });
+    return null;
+  }
+  const raw = await readKeychainEntry("Claude Code-credentials");
+  if (!raw) {
+    log({ event: "anthropic_keychain_oauth_missing", reason: "no_credentials_entry" });
+    return null;
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    log({ event: "anthropic_keychain_oauth_corrupt", reason: "json_parse_error" });
+    return null;
+  }
+  if (!isRecord(parsed)) {
+    log({ event: "anthropic_keychain_oauth_corrupt", reason: "json_parse_error" });
+    return null;
+  }
+  const oauth = parsed.claudeAiOauth;
+  if (!isRecord(oauth)) {
+    log({ event: "anthropic_keychain_oauth_missing", reason: "no_oauth_field" });
+    return null;
+  }
+  const token = oauth.accessToken;
+  if (typeof token !== "string" || token.length === 0) {
+    log({ event: "anthropic_keychain_oauth_missing", reason: "no_oauth_field" });
+    return null;
+  }
+  return token;
+}
+
+// src/shared/capabilities/runtime/catalog.ts
+var CLAUDE_CODE_RUNTIME_ID = "claude-code";
+var CODEX_RUNTIME_ID = "codex";
+var CURSOR_RUNTIME_ID = "cursor";
+var CLAUDE_RUNTIME = {
+  runtimeId: CLAUDE_CODE_RUNTIME_ID,
+  providerId: "anthropic",
+  displayName: "Claude Code",
+  buildInstallCommand(platform) {
+    if (platform === "win32") {
+      return {
+        command: "powershell",
+        args: ["-Command", "irm https://claude.ai/install.ps1 | iex"]
+      };
+    }
+    return {
+      command: "bash",
+      args: ["-c", "curl -fsSL https://claude.ai/install.sh | bash"]
+    };
+  }
+};
+var CODEX_RUNTIME = {
+  runtimeId: CODEX_RUNTIME_ID,
+  providerId: "openai",
+  displayName: "Codex",
+  buildInstallCommand(platform) {
+    return {
+      command: platform === "win32" ? "npm.cmd" : "npm",
+      args: ["install", "-g", "@openai/codex"]
+    };
+  }
+};
+var CURSOR_RUNTIME = {
+  runtimeId: CURSOR_RUNTIME_ID,
+  providerId: "cursor",
+  displayName: "Cursor",
+  buildInstallCommand() {
+    return null;
+  }
+};
+var RUNTIME_DESCRIPTORS = /* @__PURE__ */ new Map([
+  [CLAUDE_RUNTIME.runtimeId, CLAUDE_RUNTIME],
+  [CODEX_RUNTIME.runtimeId, CODEX_RUNTIME],
+  [CURSOR_RUNTIME.runtimeId, CURSOR_RUNTIME]
+]);
+function getRuntimeDescriptor(runtimeId) {
+  return RUNTIME_DESCRIPTORS.get(runtimeId) ?? null;
+}
+function getRuntimeDisplayName(runtimeId) {
+  const known = getRuntimeDescriptor(runtimeId);
+  if (known) return known.displayName;
+  return runtimeId.split(/[-_]/).map((word) => word.charAt(0).toUpperCase() + word.slice(1)).join(" ");
+}
+
+// src/shared/capabilities/account-integrations.ts
+var CLAUDEAI_INTEGRATIONS_URL = "https://api.anthropic.com/v1/mcp_servers?limit=1000";
+var ERROR_BODY_MAX_CHARS = 256;
+function parseClaudeAiServers(data, log) {
+  if (typeof data !== "object" || data === null) return [];
+  const obj = data;
+  if (!Array.isArray(obj.data)) return [];
+  const results = [];
+  let legacyNameCount = 0;
+  for (const entry of obj.data) {
+    if (typeof entry !== "object" || entry === null) continue;
+    const rec = entry;
+    if (typeof rec.url !== "string") continue;
+    if (typeof rec.display_name === "string") {
+      results.push({ name: rec.display_name, url: rec.url });
+    } else if (typeof rec.name === "string") {
+      legacyNameCount += 1;
+      results.push({ name: rec.name, url: rec.url });
+    }
+  }
+  if (legacyNameCount > 0 && log) {
+    log({
+      event: "claudeai_integrations_legacy_name_fallback",
+      count: legacyNameCount
+    });
+  }
+  return results;
+}
+function classifyHttpStatus(status) {
+  if (status >= 400 && status < 500) return "http_4xx";
+  if (status >= 500 && status < 600) return "http_5xx";
+  return "http_other";
+}
+function classifyException(err) {
+  if (err instanceof Error) {
+    if (err.name === "AbortError") return "timeout";
+    if (err.name === "SyntaxError") return "parse";
+  }
+  return "network";
+}
+async function readErrorBody(response) {
+  try {
+    const text = await response.text();
+    if (text.length === 0) return null;
+    return text.length <= ERROR_BODY_MAX_CHARS ? text : text.slice(0, ERROR_BODY_MAX_CHARS);
+  } catch {
+    return null;
+  }
+}
+async function fetchClaudeAiIntegrations(log) {
+  const url = CLAUDEAI_INTEGRATIONS_URL;
+  try {
+    const token = await readKeychainOAuthToken(log);
+    if (!token) {
+      log({ event: "claudeai_integrations_skipped", reason: "no_oauth_token" });
+      return [];
+    }
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), 5e3);
+    try {
+      const response = await fetch(url, {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          "anthropic-version": "2023-06-01",
+          "anthropic-beta": "mcp-servers-2025-12-04"
+        },
+        signal: controller.signal
+      });
+      if (!response.ok) {
+        const errorBody = await readErrorBody(response);
+        log({
+          event: "claudeai_integrations_fetch_failed",
+          url,
+          status: response.status,
+          errorClass: classifyHttpStatus(response.status),
+          errorBody
+        });
+        return [];
+      }
+      const body = await response.json();
+      const servers = parseClaudeAiServers(body, log);
+      return servers.map((s) => ({
+        name: s.name,
+        type: "http",
+        runtimeId: CLAUDE_CODE_RUNTIME_ID,
+        url: s.url,
+        enabled: true,
+        source: "claudeai",
+        authStatus: "unknown"
+      }));
+    } finally {
+      clearTimeout(timeout);
+    }
+  } catch (err) {
+    log({
+      event: "claudeai_integrations_fetch_failed",
+      url,
+      status: null,
+      errorClass: classifyException(err),
+      errorBody: null,
+      error: err instanceof Error ? err.message : String(err)
+    });
+    return [];
+  }
+}
+
+// src/shared/capabilities/mcp-servers.ts
+var MCPStdioEntrySchema = external_exports.object({
+  type: external_exports.literal("stdio").optional(),
+  command: external_exports.string(),
+  args: external_exports.array(external_exports.string()).optional(),
+  env: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  enabled: external_exports.boolean().optional()
+}).passthrough();
+var MCPOAuthConfigSchema = external_exports.object({
+  clientId: external_exports.string().optional(),
+  callbackPort: external_exports.number().optional()
+}).passthrough();
+var MCPHttpEntrySchema = external_exports.object({
+  type: external_exports.literal("http"),
+  url: external_exports.string(),
+  headers: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  oauth: MCPOAuthConfigSchema.optional(),
+  enabled: external_exports.boolean().optional()
+}).passthrough();
+var MCPSSEEntrySchema = external_exports.object({
+  type: external_exports.literal("sse"),
+  url: external_exports.string(),
+  headers: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  enabled: external_exports.boolean().optional()
+}).passthrough();
+var MCPServerEntrySchema = external_exports.union([MCPStdioEntrySchema, MCPHttpEntrySchema, MCPSSEEntrySchema]);
+var CodexEnvVarSchema = external_exports.union([
+  external_exports.string(),
+  external_exports.object({
+    name: external_exports.string(),
+    source: external_exports.string().optional()
+  }).passthrough()
+]);
+var CodexMCPStdioEntrySchema = external_exports.object({
+  command: external_exports.string(),
+  args: external_exports.array(external_exports.string()).optional(),
+  env: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  env_vars: external_exports.array(CodexEnvVarSchema).optional(),
+  enabled: external_exports.boolean().optional()
+}).passthrough();
+var CodexMCPHttpEntrySchema = external_exports.object({
+  url: external_exports.string(),
+  http_headers: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  env_http_headers: external_exports.record(external_exports.string(), external_exports.string()).optional(),
+  bearer_token_env_var: external_exports.string().optional(),
+  enabled: external_exports.boolean().optional()
+}).passthrough();
+function shouldFetchClaudeAiIntegrations(preferredAuth) {
+  if (preferredAuth == null) return true;
+  return preferredAuth === "claude-ai";
+}
+var SECRET_PATTERNS = /^(sk-|ghp_|gho_|glpat-|xoxb-|xoxp-|Bearer\s|token\s)/i;
+var SECRET_FLAGS = /* @__PURE__ */ new Set(["--api-key", "--token", "--secret", "--password", "--key", "-k"]);
+function redactArgs(args) {
+  return args.map((arg, i) => {
+    if (SECRET_PATTERNS.test(arg)) return "***";
+    const prevArg = i > 0 ? args[i - 1] : void 0;
+    if (prevArg && SECRET_FLAGS.has(prevArg)) return "***";
+    const eqIdx = arg.indexOf("=");
+    if (eqIdx > 0 && SECRET_FLAGS.has(arg.slice(0, eqIdx))) {
+      return `${arg.slice(0, eqIdx + 1)}***`;
+    }
+    return arg;
+  });
+}
+function redactEnv(env) {
+  const result = {};
+  for (const key of Object.keys(env)) {
+    result[key] = "***";
+  }
+  return result;
+}
+function isHttpEntry(data) {
+  return "type" in data && data.type === "http";
+}
+function isSSEEntry(data) {
+  return "type" in data && data.type === "sse";
+}
+function entryToServerInfo(name, data, source, metadata = {}) {
+  if (isHttpEntry(data)) {
+    return {
+      name,
+      type: "http",
+      runtimeId: metadata.runtimeId,
+      url: data.url,
+      headers: data.headers,
+      oauth: data.oauth,
+      enabled: data.enabled ?? true,
+      source,
+      sourceLabel: metadata.sourceLabel,
+      sourcePath: metadata.sourcePath,
+      authStatus: "unknown"
+    };
+  }
+  if (isSSEEntry(data)) {
+    return {
+      name,
+      type: "sse",
+      runtimeId: metadata.runtimeId,
+      url: data.url,
+      headers: data.headers,
+      enabled: data.enabled ?? true,
+      source,
+      sourceLabel: metadata.sourceLabel,
+      sourcePath: metadata.sourcePath,
+      authStatus: "unknown"
+    };
+  }
+  return {
+    name,
+    type: "stdio",
+    runtimeId: metadata.runtimeId,
+    command: data.command,
+    args: data.args,
+    env: data.env,
+    enabled: data.enabled ?? true,
+    source,
+    sourceLabel: metadata.sourceLabel,
+    sourcePath: metadata.sourcePath,
+    authStatus: "unknown"
+  };
+}
+function codexEnvVarsToPlaceholders(envVars) {
+  if (!envVars || envVars.length === 0) return void 0;
+  const result = {};
+  for (const envVar of envVars) {
+    const name = typeof envVar === "string" ? envVar : envVar.name;
+    result[name] = `\${${name}}`;
+  }
+  return result;
+}
+function codexHttpHeadersToPlaceholders(envHeaders) {
+  if (!envHeaders) return void 0;
+  const result = {};
+  for (const [header, envVar] of Object.entries(envHeaders)) {
+    result[header] = `\${${envVar}}`;
+  }
+  return result;
+}
+function codexEntryToServerInfo(name, data, source, metadata) {
+  if (isCodexStdioEntry(data)) {
+    return {
+      name,
+      type: "stdio",
+      runtimeId: metadata.runtimeId,
+      command: data.command,
+      args: data.args,
+      env: {
+        ...data.env ?? {},
+        ...codexEnvVarsToPlaceholders(data.env_vars) ?? {}
+      },
+      enabled: data.enabled ?? true,
+      source,
+      sourceLabel: metadata.sourceLabel,
+      sourcePath: metadata.sourcePath,
+      authStatus: "unknown"
+    };
+  }
+  const headers = {
+    ...data.http_headers ?? {},
+    ...codexHttpHeadersToPlaceholders(data.env_http_headers) ?? {}
+  };
+  if (data.bearer_token_env_var) {
+    headers.Authorization = `Bearer \${${data.bearer_token_env_var}}`;
+  }
+  return {
+    name,
+    type: "http",
+    runtimeId: metadata.runtimeId,
+    url: data.url,
+    headers,
+    enabled: data.enabled ?? true,
+    source,
+    sourceLabel: metadata.sourceLabel,
+    sourcePath: metadata.sourcePath,
+    authStatus: "unknown"
+  };
+}
+function isCodexStdioEntry(data) {
+  return isObjectRecord(data) && typeof data.command === "string";
+}
+function isObjectRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function parseTomlRecord(raw) {
+  const parsed = parseToml(raw);
+  return isObjectRecord(parsed) ? parsed : {};
+}
+var WARN_THROTTLE_MS = 6e4;
+var validationCache = /* @__PURE__ */ new Map();
+var lastWarnAtByPath = /* @__PURE__ */ new Map();
+function resetMCPConfigCaches() {
+  validationCache.clear();
+  lastWarnAtByPath.clear();
+}
+function validateJsonEntries(entries, source, metadata) {
+  const servers = [];
+  const invalid = [];
+  for (const [name, value] of Object.entries(entries)) {
+    if (name === "mcpServers") continue;
+    if (typeof value !== "object" || value === null || Array.isArray(value)) continue;
+    const result = MCPServerEntrySchema.safeParse(value);
+    if (!result.success) {
+      invalid.push({ name, error: result.error.message });
+      continue;
+    }
+    servers.push(entryToServerInfo(name, result.data, source, metadata));
+  }
+  return { servers, invalid };
+}
+function validateCodexEntries(entries, source, metadata) {
+  const servers = [];
+  const invalid = [];
+  for (const [name, value] of Object.entries(entries)) {
+    if (!isObjectRecord(value)) continue;
+    const result = "command" in value ? CodexMCPStdioEntrySchema.safeParse(value) : "url" in value ? CodexMCPHttpEntrySchema.safeParse(value) : { success: false, error: { message: "invalid transport" } };
+    if (!result.success) {
+      invalid.push({ name, error: result.error.message });
+      continue;
+    }
+    servers.push(codexEntryToServerInfo(name, result.data, source, metadata));
+  }
+  return { servers, invalid };
+}
+function emitAggregateInvalid(filePath, source, invalid, log, now) {
+  const payload = {
+    event: "config_entry_invalid",
+    source,
+    filePath,
+    invalidCount: invalid.length,
+    errors: invalid.slice(0, 3)
+  };
+  const last = lastWarnAtByPath.get(filePath) ?? 0;
+  if (now - last >= WARN_THROTTLE_MS) {
+    log(payload);
+    lastWarnAtByPath.set(filePath, now);
+    return;
+  }
+  logger.debug(payload, payload.event);
+}
+async function readCachedMcpConfig(filePath, source, log, parse, now = Date.now) {
+  let mtime;
+  try {
+    const st = await stat(filePath);
+    mtime = st.mtimeMs;
+  } catch {
+    return [];
+  }
+  const cached = validationCache.get(filePath);
+  if (cached && cached.mtime === mtime) {
+    return cached.result;
+  }
+  let servers = [];
+  try {
+    const raw = await readFile2(filePath, "utf-8");
+    const parsed = parse(raw);
+    servers = parsed.servers;
+    if (parsed.invalid.length > 0) {
+      emitAggregateInvalid(filePath, source, parsed.invalid, log, now());
+    }
+  } catch {
+    servers = [];
+  }
+  validationCache.set(filePath, { mtime, result: servers });
+  return servers;
+}
+async function readMCPConfig(filePath, source, log, metadataOrNow = {}, now = Date.now) {
+  const metadata = typeof metadataOrNow === "function" ? {} : metadataOrNow;
+  const effectiveNow = typeof metadataOrNow === "function" ? metadataOrNow : now;
+  return readCachedMcpConfig(
+    filePath,
+    source,
+    log,
+    (raw) => {
+      const json = JSON.parse(raw);
+      const fileName = basename(filePath);
+      const isSettingsFile = fileName === "settings.json" || fileName === "settings.local.json";
+      let entries;
+      if (isObjectRecord(json.mcpServers)) {
+        entries = json.mcpServers;
+      } else if (isSettingsFile) {
+        entries = null;
+      } else {
+        entries = json;
+      }
+      return entries === null ? { servers: [], invalid: [] } : validateJsonEntries(entries, source, metadata);
+    },
+    effectiveNow
+  );
+}
+async function readCodexMCPConfig(filePath, source, log, metadata, now = Date.now) {
+  return readCachedMcpConfig(
+    filePath,
+    source,
+    log,
+    (raw) => {
+      const parsed = parseTomlRecord(raw);
+      return isObjectRecord(parsed.mcp_servers) ? validateCodexEntries(parsed.mcp_servers, source, metadata) : { servers: [], invalid: [] };
+    },
+    now
+  );
+}
+async function readPluginMCPServers(log) {
+  const servers = [];
+  try {
+    const settingsPath = join2(homedir2(), ".claude", "settings.json");
+    const settingsRaw = await readFile2(settingsPath, "utf-8");
+    const settings = JSON.parse(settingsRaw);
+    if (!settings.enabledPlugins) return [];
+    const installedPath = join2(homedir2(), ".claude", "plugins", "installed_plugins.json");
+    const installedRaw = await readFile2(installedPath, "utf-8");
+    const installed = JSON.parse(installedRaw);
+    if (!installed.plugins) return [];
+    for (const [pluginId, enabled] of Object.entries(settings.enabledPlugins)) {
+      if (!enabled) continue;
+      const installs = installed.plugins[pluginId];
+      if (!installs || installs.length === 0) continue;
+      const installPath = installs[0]?.installPath;
+      if (!installPath) continue;
+      const mcpJsonPath = join2(installPath, ".mcp.json");
+      const pluginServers = await readMCPConfig(mcpJsonPath, "plugin", log, {
+        sourceLabel: "Plugin",
+        sourcePath: "~/.claude/plugins/"
+      });
+      servers.push(...pluginServers);
+    }
+  } catch {
+  }
+  return servers;
+}
+var CodexMarketplaceEntrySchema = external_exports.object({
+  source: external_exports.string(),
+  source_type: external_exports.string().optional()
+});
+var CodexMarketplacesSchema = external_exports.record(external_exports.string(), CodexMarketplaceEntrySchema.passthrough());
+var CodexPluginEntrySchema = external_exports.object({
+  enabled: external_exports.boolean().optional()
+});
+var CodexPluginsSchema = external_exports.record(external_exports.string(), CodexPluginEntrySchema.passthrough());
+var CodexConfigTomlSchema = external_exports.object({
+  mcp_servers: external_exports.record(external_exports.string(), external_exports.unknown()).optional(),
+  marketplaces: CodexMarketplacesSchema.optional(),
+  plugins: CodexPluginsSchema.optional()
+});
+var MarketplaceJsonPluginSourceSchema = external_exports.object({
+  source: external_exports.string(),
+  path: external_exports.string()
+});
+var MarketplaceJsonPluginSchema = external_exports.object({
+  name: external_exports.string(),
+  source: MarketplaceJsonPluginSourceSchema.optional()
+});
+var MarketplaceJsonSchema = external_exports.object({
+  name: external_exports.string().optional(),
+  plugins: external_exports.array(MarketplaceJsonPluginSchema)
+});
+var CodexPluginManifestSchema = external_exports.object({
+  mcpServers: external_exports.string().optional(),
+  skills: external_exports.string().optional()
+});
+var CodexPluginMcpServersFileSchema = external_exports.object({
+  mcpServers: external_exports.record(external_exports.string(), external_exports.unknown()).optional()
+});
+async function readCodexTomlConfig(configPath) {
+  try {
+    const raw = await readFile2(configPath, "utf-8");
+    const parsed = parseTomlRecord(raw);
+    const result = CodexConfigTomlSchema.safeParse(parsed);
+    return result.success ? result.data : null;
+  } catch {
+    return null;
+  }
+}
+async function readMarketplaceJson(marketplaceSourceDir) {
+  const candidates = [
+    join2(marketplaceSourceDir, ".agents", "plugins", "marketplace.json"),
+    join2(marketplaceSourceDir, "marketplace.json")
+  ];
+  for (const candidate of candidates) {
+    try {
+      const raw = await readFile2(candidate, "utf-8");
+      const parsed = JSON.parse(raw);
+      const result = MarketplaceJsonSchema.safeParse(parsed);
+      if (result.success) return result.data;
+    } catch {
+    }
+  }
+  return null;
+}
+async function readCodexPluginManifestMcps(pluginRoot, pluginId, marketplaceName, log) {
+  const manifestPath = join2(pluginRoot, ".codex-plugin", "plugin.json");
+  try {
+    const raw = await readFile2(manifestPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    const manifestResult = CodexPluginManifestSchema.safeParse(parsed);
+    if (!manifestResult.success) {
+      log({
+        event: "codex_plugin_manifest_invalid",
+        pluginId,
+        marketplaceName,
+        error: manifestResult.error.message
+      });
+      return [];
+    }
+    const manifest = manifestResult.data;
+    if (!manifest.mcpServers) return [];
+    const mcpFilePath = resolve(pluginRoot, manifest.mcpServers);
+    try {
+      const mcpRaw = await readFile2(mcpFilePath, "utf-8");
+      const mcpParsed = JSON.parse(mcpRaw);
+      const mcpResult = CodexPluginMcpServersFileSchema.safeParse(mcpParsed);
+      if (!mcpResult.success || !mcpResult.data.mcpServers) return [];
+      const sourceLabel = `Codex Plugin (${pluginId})`;
+      const sourcePath = `~/.codex/plugins/${pluginId}`;
+      const { servers, invalid } = validateCodexEntries(mcpResult.data.mcpServers, "plugin", {
+        runtimeId: CODEX_RUNTIME_ID,
+        sourceLabel,
+        sourcePath
+      });
+      if (invalid.length > 0) {
+        log({
+          event: "codex_plugin_mcp_entries_invalid",
+          pluginId,
+          marketplaceName,
+          invalidCount: invalid.length,
+          errors: invalid.slice(0, 3)
+        });
+      }
+      return servers;
+    } catch {
+      log({ event: "codex_plugin_mcp_file_unreadable", pluginId, marketplaceName, mcpFilePath });
+      return [];
+    }
+  } catch {
+    return [];
+  }
+}
+async function detectCodexPluginMcps(codexHome, configToml, log) {
+  const marketplaces = configToml.marketplaces;
+  if (!marketplaces || Object.keys(marketplaces).length === 0) return [];
+  const pluginEnabledMap = configToml.plugins ?? {};
+  const allServers = [];
+  await Promise.all(
+    Object.entries(marketplaces).map(async ([marketplaceName, marketplaceEntry]) => {
+      if (marketplaceEntry.source_type && marketplaceEntry.source_type !== "local") return;
+      const marketplaceSourceDir = marketplaceEntry.source;
+      if (!marketplaceSourceDir) return;
+      const marketplaceJson = await readMarketplaceJson(marketplaceSourceDir);
+      if (!marketplaceJson) {
+        log({ event: "codex_marketplace_json_missing", marketplaceName, marketplaceSourceDir });
+        return;
+      }
+      await Promise.all(
+        marketplaceJson.plugins.map(async (plugin) => {
+          if (!plugin.source || plugin.source.source !== "local") return;
+          const pluginId = `${plugin.name}@${marketplaceName}`;
+          const pluginEnabledEntry = pluginEnabledMap[pluginId];
+          if (pluginEnabledEntry?.enabled === false) return;
+          const pluginRoot = resolve(marketplaceSourceDir, plugin.source.path);
+          const servers = await readCodexPluginManifestMcps(
+            pluginRoot,
+            pluginId,
+            marketplaceName,
+            log
+          );
+          allServers.push(...servers);
+        })
+      );
+    })
+  );
+  if (allServers.length > 0) {
+    log({ event: "codex_plugin_mcps_detected", count: allServers.length, codexHome });
+  }
+  return allServers;
+}
+function pushCandidates(target, servers, priority) {
+  for (const server of servers) {
+    target.push({ server, priority });
+  }
+}
+async function resolveClaudeCodeAuthStatuses(servers) {
+  for (const server of servers.values()) {
+    if (server.authStatus !== "unknown") continue;
+    if (server.type === "stdio") continue;
+    const ccCreds = await readClaudeCodeCredentials(server.name, server.url ?? "");
+    if (ccCreds?.accessToken && ccCreds.expiresAt && ccCreds.expiresAt > Date.now()) {
+      server.authStatus = "authenticated";
+    }
+  }
+}
+function resolveStdioAuthStatus(server, tokens, tokenStore) {
+  if (!server.env) return;
+  for (const value of Object.values(server.env)) {
+    const match = VAULT_REF_PATTERN.exec(value);
+    if (!match) continue;
+    const vaultKey = match[1] ?? "";
+    const token = tokens[vaultKey];
+    if (token) {
+      server.authStatus = tokenStore.isExpired(token) ? "unauthenticated" : "authenticated";
+      return;
+    }
+  }
+}
+async function resolveAuthStatuses(servers, tokenStore) {
+  const tokens = await tokenStore.getAllTokens();
+  for (const server of servers.values()) {
+    if (server.type === "stdio") {
+      resolveStdioAuthStatus(server, tokens, tokenStore);
+      continue;
+    }
+    const token = tokens[server.name];
+    if (token) {
+      server.authStatus = tokenStore.isExpired(token) ? "unauthenticated" : "authenticated";
+    }
+  }
+  await resolveClaudeCodeAuthStatuses(servers);
+}
+async function detectMCPServers(environments, tokenStore, log, lastKnown, activeRuntimeId, preferredAuth, changedCwd) {
+  try {
+    return await detectMCPServersInner(
+      environments,
+      tokenStore,
+      log,
+      activeRuntimeId,
+      preferredAuth,
+      changedCwd,
+      lastKnown
+    );
+  } catch (err) {
+    const { logger: logger2 } = await import("./logger-QHPTO22N.js");
+    if (lastKnown && lastKnown.length > 0) {
+      logger2.warn(
+        { err, lastKnownCount: lastKnown.length },
+        "detectMCPServers threw \u2014 preserving lastKnown"
+      );
+      return lastKnown;
+    }
+    logger2.debug({ err }, "detectMCPServers threw with no lastKnown \u2014 returning []");
+    return [];
+  }
+}
+function runtimeScopeLabel(runtimeId, scope) {
+  return `${getRuntimeDisplayName(runtimeId)} ${scope}`;
+}
+var SOURCE_PRIORITY_FOR_LASTKNOWN = {
+  claudeai: 10,
+  plugin: 20,
+  user: 30,
+  project: 50,
+  local: 60,
+  "mcp-json": 70
+};
+function seedLastKnownCandidates(target, lastKnown) {
+  if (!lastKnown) return;
+  for (const server of lastKnown) {
+    target.push({ server, priority: SOURCE_PRIORITY_FOR_LASTKNOWN[server.source] });
+  }
+}
+function readEnvProjectMcpFiles(env, log) {
+  const projectPath = join2(env.path, ".claude", "settings.json");
+  const localPath = join2(env.path, ".claude", "settings.local.json");
+  const codexProjectPath = join2(env.path, ".codex", "config.toml");
+  const mcpJsonPath = join2(env.path, ".mcp.json");
+  return Promise.all([
+    readMCPConfig(projectPath, "project", log, {
+      runtimeId: CLAUDE_CODE_RUNTIME_ID,
+      sourceLabel: runtimeScopeLabel(CLAUDE_CODE_RUNTIME_ID, "Project"),
+      sourcePath: ".claude/settings.json"
+    }),
+    readMCPConfig(localPath, "local", log, {
+      runtimeId: CLAUDE_CODE_RUNTIME_ID,
+      sourceLabel: runtimeScopeLabel(CLAUDE_CODE_RUNTIME_ID, "Local"),
+      sourcePath: ".claude/settings.local.json"
+    }),
+    readCodexMCPConfig(codexProjectPath, "project", log, {
+      runtimeId: CODEX_RUNTIME_ID,
+      sourceLabel: "Codex Project",
+      sourcePath: ".codex/config.toml"
+    }),
+    readMCPConfig(mcpJsonPath, "mcp-json", log, {
+      sourceLabel: "Project",
+      sourcePath: ".mcp.json"
+    })
+  ]);
+}
+async function detectMCPServersInner(environments, tokenStore, log, activeRuntimeId, preferredAuth, changedCwd, lastKnown) {
+  const allCandidates = [];
+  if (changedCwd) seedLastKnownCandidates(allCandidates, lastKnown);
+  const userSettingsPath = join2(homedir2(), ".claude", "settings.json");
+  const userLocalSettingsPath = join2(homedir2(), ".claude", "settings.local.json");
+  const userCodexConfigPath = join2(homedir2(), ".codex", "config.toml");
+  const userMcpJsonPath = join2(homedir2(), ".mcp.json");
+  const userClaudeJsonPath = join2(homedir2(), ".claude.json");
+  const codexHome = join2(homedir2(), ".codex");
+  const fetchClaudeAi = shouldFetchClaudeAiIntegrations(preferredAuth);
+  const claudeAiPromise = fetchClaudeAi ? fetchClaudeAiIntegrations(log) : Promise.resolve([]);
+  if (!fetchClaudeAi) {
+    log({ event: "claudeai_integrations_skipped_by_method", method: preferredAuth ?? null });
+  }
+  const codexUserConfig = await readCodexTomlConfig(userCodexConfigPath);
+  const [
+    userServers,
+    userLocalServers,
+    userClaudeJsonServers,
+    userCodexServers,
+    userMcpJsonServers,
+    pluginServers,
+    codexPluginServers,
+    claudeAiServers
+  ] = await Promise.all([
+    readMCPConfig(userSettingsPath, "user", log, {
+      runtimeId: CLAUDE_CODE_RUNTIME_ID,
+      sourceLabel: runtimeScopeLabel(CLAUDE_CODE_RUNTIME_ID, "User"),
+      sourcePath: "~/.claude/settings.json"
+    }),
+    readMCPConfig(userLocalSettingsPath, "user", log, {
+      runtimeId: CLAUDE_CODE_RUNTIME_ID,
+      sourceLabel: runtimeScopeLabel(CLAUDE_CODE_RUNTIME_ID, "Local"),
+      sourcePath: "~/.claude/settings.local.json"
+    }),
+    readMCPConfig(userClaudeJsonPath, "user", log, {
+      runtimeId: CLAUDE_CODE_RUNTIME_ID,
+      sourceLabel: runtimeScopeLabel(CLAUDE_CODE_RUNTIME_ID, "User"),
+      sourcePath: "~/.claude.json"
+    }),
+    readCodexMCPConfig(userCodexConfigPath, "user", log, {
+      runtimeId: "codex",
+      sourceLabel: "Codex User",
+      sourcePath: "~/.codex/config.toml"
+    }),
+    readMCPConfig(userMcpJsonPath, "user", log, {
+      sourceLabel: "User",
+      sourcePath: "~/.mcp.json"
+    }),
+    readPluginMCPServers(log),
+    codexUserConfig ? detectCodexPluginMcps(codexHome, codexUserConfig, log) : Promise.resolve([]),
+    claudeAiPromise
+  ]);
+  pushCandidates(allCandidates, claudeAiServers, 10);
+  pushCandidates(allCandidates, pluginServers, 20);
+  pushCandidates(allCandidates, codexPluginServers, 25);
+  pushCandidates(allCandidates, userServers, 30);
+  pushCandidates(allCandidates, userLocalServers, 31);
+  pushCandidates(allCandidates, userClaudeJsonServers, 32);
+  pushCandidates(allCandidates, userCodexServers, 33);
+  pushCandidates(allCandidates, userMcpJsonServers, 40);
+  const envsToScan = changedCwd ? environments.filter((env) => env.path === changedCwd) : environments;
+  const envResults = await Promise.all(envsToScan.map((env) => readEnvProjectMcpFiles(env, log)));
+  for (const [projectServers, localServers, codexProjectServers, mcpJsonServers] of envResults) {
+    pushCandidates(allCandidates, projectServers, 50);
+    pushCandidates(allCandidates, localServers, 60);
+    pushCandidates(allCandidates, codexProjectServers, 65);
+    pushCandidates(allCandidates, mcpJsonServers, 70);
+  }
+  const deduped = /* @__PURE__ */ new Map();
+  for (const candidate of allCandidates) {
+    if (activeRuntimeId && candidate.server.runtimeId && candidate.server.runtimeId !== activeRuntimeId) {
+      continue;
+    }
+    const existing = deduped.get(candidate.server.name);
+    if (!existing || candidate.priority >= existing.priority) {
+      deduped.set(candidate.server.name, candidate);
+    }
+  }
+  if (tokenStore) {
+    await resolveAuthStatuses(
+      new Map([...deduped.entries()].map(([name, candidate]) => [name, candidate.server])),
+      tokenStore
+    );
+  }
+  return [...deduped.values()].map((candidate) => candidate.server);
+}
+
+export {
+  DiscoveryStateSchema,
+  readPluginClientIds,
+  readClaudeCodeCredentials,
+  isMcpServerCompatibleWithRuntime,
+  resolveStdioEnv,
+  resolveEnabledMcpServers,
+  readKeychainOAuthToken,
+  CLAUDE_CODE_RUNTIME_ID,
+  CODEX_RUNTIME_ID,
+  CURSOR_RUNTIME_ID,
+  getRuntimeDescriptor,
+  getRuntimeDisplayName,
+  shouldFetchClaudeAiIntegrations,
+  redactArgs,
+  redactEnv,
+  resetMCPConfigCaches,
+  readMCPConfig,
+  detectCodexPluginMcps,
+  detectMCPServers
+};
+//# sourceMappingURL=chunk-HQ43PHOH.js.map