@stackable-labs/mcp-app-extension 0.24.0 → 1.1.0

package/dist/index.js

@@ -1,9 +1,18 @@
 #!/usr/bin/env node
-import { STANDALONE_CLIENT, MCP_AUTH_FILE, getToken, STANDALONE_CLIENT_AUTH_FILE } from './chunk-DCPV7HMV.js';
 import { StdioServerTransport } from '@modelcontextprotocol/sdk/server/stdio.js';
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { IDENTITY_EVENT, ACTIVITY_EVENT, SURFACE_TARGET, PERMISSIONS, CAPABILITY_PERMISSION_MAP, ALLOWED_ICONS, UI_TAGS, UI_TAG_ATTRIBUTES, tagToComponentName } from '@stackable-labs/sdk-extension-contracts';
+import { IDENTITY_EVENT, ACTIVITY_EVENT, SURFACE_TARGET, TEMPLATE_FLAVORS, PERMISSIONS, CAPABILITY_PERMISSION_MAP, EVENT_HOOK_PERMISSION_MAP, ALLOWED_ICONS, UI_TAGS, UI_TAG_ATTRIBUTES, tagToComponentName } from '@stackable-labs/sdk-extension-contracts';
+import fs4, { readFile, mkdir, writeFile, constants } from 'fs/promises';
+import path, { join } from 'path';
+import os, { homedir } from 'os';
 import { z } from 'zod';
+import { createServer } from 'http';
+import process6 from 'process';
+import { Buffer as Buffer$1 } from 'buffer';
+import { fileURLToPath } from 'url';
+import { promisify } from 'util';
+import childProcess, { execFile } from 'child_process';
+import fs3 from 'fs';
 
 // ../../sdk/extension/ai-docs/src/generated/template-content.ts
 var PATTERN_SECTIONS = [
@@ -1572,10 +1581,10 @@ var generatePatterns = () => {
     description: "Code patterns: store navigation, API wrapper, surface composition",
     globs: ["packages/extension/src/**/*.tsx", "packages/extension/src/**/*.ts"]
   });
-  const sections = PATTERN_SECTIONS.map(({ path, title, code }) => `## ${title}
+  const sections = PATTERN_SECTIONS.map(({ path: path2, title, code }) => `## ${title}
 
 \`\`\`tsx
-// src/${path}
+// src/${path2}
 ${code}
 \`\`\``).join("\n\n");
   const body = `# Code Patterns
@@ -1595,10 +1604,10 @@ var generateRecipes = () => {
     description: "Reference code and recipes for common extension development tasks",
     globs: ["packages/extension/src/**/*.tsx", "packages/extension/src/**/*.ts", "packages/extension/public/manifest.json"]
   });
-  const references = RECIPE_SECTIONS.map(({ path, title, code }) => `## Reference: ${title}
+  const references = RECIPE_SECTIONS.map(({ path: path2, title, code }) => `## Reference: ${title}
 
 \`\`\`tsx
-// src/${path}
+// src/${path2}
 ${code}
 \`\`\``).join("\n\n");
   const body = `# Recipes
@@ -1738,8 +1747,6 @@ export const Header = () => {
 - **Use ScrollArea** \u2014 wrap content surfaces in \`<ui.ScrollArea>\` for overflow handling
 `;
 };
-
-// ../../sdk/extension/ai-docs/src/cli-commands.ts
 var DLX = "pnpm --config.dlx-cache-max-age=0 dlx";
 var CLI = {
   /** Scaffold a new extension project */
@@ -1768,11 +1775,14 @@ var CLI = {
     mcp: `${DLX} @stackable-labs/cli-app-extension@latest ai mcp`
   }
 };
-var TEMPLATE_FLAVORS = [
-  { name: "minimal", label: "Minimal", description: "Bare minimum \u2014 single surface, hello-world component" },
-  { name: "starter", label: "Starter", description: "Common patterns \u2014 store, api helpers, menu (default)" },
-  { name: "kitchen-sink", label: "Kitchen Sink", description: "Everything \u2014 every component, capability, surface, and hook" }
-];
+var TEMPLATE_FLAVOR_META = {
+  minimal: { label: "Minimal", description: "Bare minimum \u2014 single surface, hello-world component" },
+  starter: { label: "Starter", description: "Common patterns \u2014 store, api helpers, menu (default)" },
+  "kitchen-sink": { label: "Kitchen Sink", description: "Everything \u2014 every component, capability, surface, and hook" }
+};
+var TEMPLATE_FLAVOR_DETAILS = TEMPLATE_FLAVORS.map(
+  (name) => ({ name, ...TEMPLATE_FLAVOR_META[name] })
+);
 
 // ../../sdk/extension/ai-docs/src/generators/quick-start.ts
 var generateQuickStart = () => {
@@ -1964,7 +1974,7 @@ var generateCliReference = () => {
     description: "CLI commands for creating, developing, and deploying Stackable extensions",
     globs: ["packages/extension/src/**/*.tsx", "packages/extension/src/**/*.ts"]
   });
-  const templateRows = TEMPLATE_FLAVORS.map((t) => `| \`${t.name}\` | ${t.description} |`).join("\n");
+  const templateRows = TEMPLATE_FLAVOR_DETAILS.map((t) => `| \`${t.name}\` | ${t.description} |`).join("\n");
   return `${fm}
 
 # CLI Reference
@@ -3382,6 +3392,7 @@ var generateValidateExtensionCommand = () => {
     description: "Validate this extension for common errors before deploying (manifest, permissions, surfaces, imports)",
     targets: ["*"]
   });
+  const eventHookBullets = Object.keys(EVENT_HOOK_PERMISSION_MAP).map((hook) => `- \`${hook}\` \u2192 needs \`${EVENT_HOOK_PERMISSION_MAP[hook]}\` permission (also check manifest \`events\` array has matching entries)`).join("\n");
   return `${fm}
 
 # Validate Extension
@@ -3417,9 +3428,7 @@ Scan all \`.tsx\` files in \`packages/extension/src/\` for capability usage:
 - \`capabilities.actions.toast\` \u2192 needs \`actions:toast\` permission
 - \`capabilities.actions.invoke\` \u2192 needs \`actions:invoke\` permission
 - \`useExtendIdentity\` \u2192 needs \`extend:identity\` permission
-- \`useIdentityEvent\` \u2192 needs \`events:identity\` permission (also check manifest \`events\` array has matching entries)
-- \`useMessagingEvent\` \u2192 needs \`events:messaging\` permission (also check manifest \`events\` array has matching entries)
-- \`useActivityEvent\` \u2192 needs \`events:activity\` permission (also check manifest \`events\` array has matching entries)
+${eventHookBullets}
 
 Report:
 - **Missing permissions:** capabilities used in code but not declared in manifest
@@ -4433,6 +4442,108 @@ pair(EXAMPLE_SNIPPETS, EXAMPLE_SNIPPETS2);
 pair(CAPABILITY_SNIPPETS, CAPABILITY_SNIPPETS2);
 pair(EVENT_SNIPPETS, EVENT_SNIPPETS2);
 
+// ../../lib/contracts/src/custom.ts
+var CUSTOM_ROLE = {
+  SUPER_ADMIN: "super_admin"
+};
+new Set(Object.values(CUSTOM_ROLE));
+
+// ../../lib/utils-js/src/crypto.ts
+var getCrypto = () => {
+  if (typeof globalThis !== "undefined" && globalThis.crypto) {
+    return globalThis.crypto;
+  }
+  throw new Error("Web Crypto API not available \u2014 requires Node.js 22+ or a modern browser");
+};
+var getSubtle = () => {
+  const crypto = getCrypto();
+  if (crypto.subtle) {
+    return crypto.subtle;
+  }
+  throw new Error("SubtleCrypto not available \u2014 requires a secure context (HTTPS) or Node.js 22+");
+};
+var encodeBytes = (bytes, encoding) => {
+  if (encoding === "hex") {
+    return [...bytes].map((b2) => b2.toString(16).padStart(2, "0")).join("");
+  }
+  const base64 = btoa(String.fromCharCode(...bytes));
+  if (encoding === "base64url") {
+    return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  }
+  return base64;
+};
+var getRandomBytes = (length, encoding = "base64") => {
+  const bytes = new Uint8Array(length);
+  getCrypto().getRandomValues(bytes);
+  return encodeBytes(bytes, encoding);
+};
+var getDigest = async (input, encoding = "hex") => {
+  const digest = await getSubtle().digest(
+    "SHA-256",
+    new TextEncoder().encode(input)
+  );
+  return encodeBytes(new Uint8Array(digest), encoding);
+};
+var getNonce = () => getRandomBytes(16, "base64url");
+var getVerifier = () => getRandomBytes(32, "base64url");
+
+// ../../lib/utils-auth/src/constants.ts
+var STANDALONE_CLIENT_DATA = {
+  CLI: { name: "@stackable-labs/cli-app-extension", authFile: "cli-auth.json" },
+  MCP: { name: "@stackable-labs/mcp-app-extension", authFile: "mcp-auth.json" }
+};
+var STANDALONE_CLIENT = Object.fromEntries(
+  Object.entries(STANDALONE_CLIENT_DATA).map(([k, v]) => [k, v.name])
+);
+var STANDALONE_CLIENT_AUTH_FILE = Object.fromEntries(
+  Object.entries(STANDALONE_CLIENT_DATA).map(([k, v]) => [k, v.authFile])
+);
+Object.values(STANDALONE_CLIENT);
+
+// ../../lib/utils-auth/src/index.ts
+var deriveClientId = async (clientName) => (await getDigest(clientName)).slice(0, 32);
+var AUTH_DIR = join(homedir(), ".stackable");
+join(AUTH_DIR, STANDALONE_CLIENT_AUTH_FILE.CLI);
+var MCP_AUTH_FILE = join(AUTH_DIR, STANDALONE_CLIENT_AUTH_FILE.MCP);
+var resolveAuthFile = (filename) => join(AUTH_DIR, filename ?? STANDALONE_CLIENT_AUTH_FILE.CLI);
+var readAuthState = async (filename) => {
+  try {
+    const content = await readFile(resolveAuthFile(filename), "utf8");
+    return JSON.parse(content);
+  } catch {
+    return null;
+  }
+};
+var writeAuthState = async (state, filename) => {
+  await mkdir(AUTH_DIR, { recursive: true, mode: 448 });
+  await writeFile(resolveAuthFile(filename), JSON.stringify(state, null, 2), { mode: 384 });
+};
+var decodeJwtPayload = (token) => {
+  try {
+    const [, payload] = token.split(".");
+    if (!payload) {
+      return null;
+    }
+    const json = Buffer.from(payload, "base64url").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
+  }
+};
+var getToken = async (filename) => {
+  const state = await readAuthState(filename);
+  if (!state) {
+    throw new Error("Not authenticated. Run `stackable-app-extension auth login` first.");
+  }
+  const payload = decodeJwtPayload(state.token);
+  if (payload?.exp && typeof payload.exp === "number") {
+    if (Date.now() >= payload.exp * 1e3) {
+      throw new Error("Session expired. Run `stackable-app-extension auth login` to re-authenticate.");
+    }
+  }
+  return state.token;
+};
+
 // package.json
 var package_default = {
   version: "0.0.0"};
@@ -4456,19 +4567,23 @@ var createMcpServer = (options = {}) => {
       return await getToken(STANDALONE_CLIENT_AUTH_FILE.MCP);
     } catch {
     }
-    const { performOAuthFlow } = await import('./auth-WHLYYSCQ.js');
+    if (!options.performOAuthFlow) {
+      throw new Error(
+        "No auth token available. Provide authContext (server) or performOAuthFlow (CLI)."
+      );
+    }
     const MCP_API_BASE_URL = process.env.MCP_API_BASE_URL ?? DEFAULT_MCP_API_BASE_URL;
-    return performOAuthFlow(`${MCP_API_BASE_URL}/.well-known/oauth-authorization-server`);
+    return options.performOAuthFlow(`${MCP_API_BASE_URL}/.well-known/oauth-authorization-server`);
   };
   const authHeaders = (token) => ({
     authorization: `Bearer ${token}`,
     "content-type": "application/json",
     "x-client-name": MCP_CLIENT_NAME
   });
-  const callApi = async (path) => {
+  const callApi = async (path2) => {
     const token = await getAuthToken();
     const ADMIN_API_BASE_URL = process.env.ADMIN_API_BASE_URL ?? DEFAULT_ADMIN_API_URL;
-    const url = `${ADMIN_API_BASE_URL}${path}`;
+    const url = `${ADMIN_API_BASE_URL}${path2}`;
     let res;
     try {
       res = await fetch(url, { headers: authHeaders(token) });
@@ -4595,12 +4710,7 @@ ${errors.map((e) => `- ${e}`).join("\n")}`);
         usedPermissions.add(permission);
       }
     }
-    const eventHookMap = {
-      useIdentityEvent: "events:identity",
-      useMessagingEvent: "events:messaging",
-      useActivityEvent: "events:activity"
-    };
-    for (const [hook, permission] of Object.entries(eventHookMap)) {
+    for (const [hook, permission] of Object.entries(EVENT_HOOK_PERMISSION_MAP)) {
       if (allSource.includes(hook)) {
         usedPermissions.add(permission);
       }
@@ -4639,8 +4749,623 @@ ${issues.map((i) => `- ${i}`).join("\n")}`);
   }, async ({ appId }) => withAuth(() => callApi(`/app-extension/${appId}/instances`)));
   return server2;
 };
+var isDockerCached;
+function hasDockerEnv() {
+  try {
+    fs3.statSync("/.dockerenv");
+    return true;
+  } catch {
+    return false;
+  }
+}
+function hasDockerCGroup() {
+  try {
+    return fs3.readFileSync("/proc/self/cgroup", "utf8").includes("docker");
+  } catch {
+    return false;
+  }
+}
+function isDocker() {
+  if (isDockerCached === void 0) {
+    isDockerCached = hasDockerEnv() || hasDockerCGroup();
+  }
+  return isDockerCached;
+}
+
+// ../../../node_modules/.pnpm/is-inside-container@1.0.0/node_modules/is-inside-container/index.js
+var cachedResult;
+var hasContainerEnv = () => {
+  try {
+    fs3.statSync("/run/.containerenv");
+    return true;
+  } catch {
+    return false;
+  }
+};
+function isInsideContainer() {
+  if (cachedResult === void 0) {
+    cachedResult = hasContainerEnv() || isDocker();
+  }
+  return cachedResult;
+}
+
+// ../../../node_modules/.pnpm/is-wsl@3.1.1/node_modules/is-wsl/index.js
+var isWsl = () => {
+  if (process6.platform !== "linux") {
+    return false;
+  }
+  if (os.release().toLowerCase().includes("microsoft")) {
+    if (isInsideContainer()) {
+      return false;
+    }
+    return true;
+  }
+  try {
+    if (fs3.readFileSync("/proc/version", "utf8").toLowerCase().includes("microsoft")) {
+      return !isInsideContainer();
+    }
+  } catch {
+  }
+  if (fs3.existsSync("/proc/sys/fs/binfmt_misc/WSLInterop") || fs3.existsSync("/run/WSL")) {
+    return !isInsideContainer();
+  }
+  return false;
+};
+var is_wsl_default = process6.env.__IS_WSL_TEST__ ? isWsl : isWsl();
+
+// ../../../node_modules/.pnpm/wsl-utils@0.1.0/node_modules/wsl-utils/index.js
+var wslDrivesMountPoint = /* @__PURE__ */ (() => {
+  const defaultMountPoint = "/mnt/";
+  let mountPoint;
+  return async function() {
+    if (mountPoint) {
+      return mountPoint;
+    }
+    const configFilePath = "/etc/wsl.conf";
+    let isConfigFileExists = false;
+    try {
+      await fs4.access(configFilePath, constants.F_OK);
+      isConfigFileExists = true;
+    } catch {
+    }
+    if (!isConfigFileExists) {
+      return defaultMountPoint;
+    }
+    const configContent = await fs4.readFile(configFilePath, { encoding: "utf8" });
+    const configMountPoint = /(?<!#.*)root\s*=\s*(?<mountPoint>.*)/g.exec(configContent);
+    if (!configMountPoint) {
+      return defaultMountPoint;
+    }
+    mountPoint = configMountPoint.groups.mountPoint.trim();
+    mountPoint = mountPoint.endsWith("/") ? mountPoint : `${mountPoint}/`;
+    return mountPoint;
+  };
+})();
+var powerShellPathFromWsl = async () => {
+  const mountPoint = await wslDrivesMountPoint();
+  return `${mountPoint}c/Windows/System32/WindowsPowerShell/v1.0/powershell.exe`;
+};
+var powerShellPath = async () => {
+  if (is_wsl_default) {
+    return powerShellPathFromWsl();
+  }
+  return `${process6.env.SYSTEMROOT || process6.env.windir || String.raw`C:\Windows`}\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`;
+};
+
+// ../../../node_modules/.pnpm/define-lazy-prop@3.0.0/node_modules/define-lazy-prop/index.js
+function defineLazyProperty(object, propertyName, valueGetter) {
+  const define = (value) => Object.defineProperty(object, propertyName, { value, enumerable: true, writable: true });
+  Object.defineProperty(object, propertyName, {
+    configurable: true,
+    enumerable: true,
+    get() {
+      const result = valueGetter();
+      define(result);
+      return result;
+    },
+    set(value) {
+      define(value);
+    }
+  });
+  return object;
+}
+var execFileAsync = promisify(execFile);
+async function defaultBrowserId() {
+  if (process6.platform !== "darwin") {
+    throw new Error("macOS only");
+  }
+  const { stdout } = await execFileAsync("defaults", ["read", "com.apple.LaunchServices/com.apple.launchservices.secure", "LSHandlers"]);
+  const match = /LSHandlerRoleAll = "(?!-)(?<id>[^"]+?)";\s+?LSHandlerURLScheme = (?:http|https);/.exec(stdout);
+  const browserId = match?.groups.id ?? "com.apple.Safari";
+  if (browserId === "com.apple.safari") {
+    return "com.apple.Safari";
+  }
+  return browserId;
+}
+var execFileAsync2 = promisify(execFile);
+async function runAppleScript(script, { humanReadableOutput = true, signal } = {}) {
+  if (process6.platform !== "darwin") {
+    throw new Error("macOS only");
+  }
+  const outputArguments = humanReadableOutput ? [] : ["-ss"];
+  const execOptions = {};
+  if (signal) {
+    execOptions.signal = signal;
+  }
+  const { stdout } = await execFileAsync2("osascript", ["-e", script, outputArguments], execOptions);
+  return stdout.trim();
+}
+
+// ../../../node_modules/.pnpm/bundle-name@4.1.0/node_modules/bundle-name/index.js
+async function bundleName(bundleId) {
+  return runAppleScript(`tell application "Finder" to set app_path to application file id "${bundleId}" as string
+tell application "System Events" to get value of property list item "CFBundleName" of property list file (app_path & ":Contents:Info.plist")`);
+}
+var execFileAsync3 = promisify(execFile);
+var windowsBrowserProgIds = {
+  MSEdgeHTM: { name: "Edge", id: "com.microsoft.edge" },
+  // The missing `L` is correct.
+  MSEdgeBHTML: { name: "Edge Beta", id: "com.microsoft.edge.beta" },
+  MSEdgeDHTML: { name: "Edge Dev", id: "com.microsoft.edge.dev" },
+  AppXq0fevzme2pys62n3e0fbqa7peapykr8v: { name: "Edge", id: "com.microsoft.edge.old" },
+  ChromeHTML: { name: "Chrome", id: "com.google.chrome" },
+  ChromeBHTML: { name: "Chrome Beta", id: "com.google.chrome.beta" },
+  ChromeDHTML: { name: "Chrome Dev", id: "com.google.chrome.dev" },
+  ChromiumHTM: { name: "Chromium", id: "org.chromium.Chromium" },
+  BraveHTML: { name: "Brave", id: "com.brave.Browser" },
+  BraveBHTML: { name: "Brave Beta", id: "com.brave.Browser.beta" },
+  BraveDHTML: { name: "Brave Dev", id: "com.brave.Browser.dev" },
+  BraveSSHTM: { name: "Brave Nightly", id: "com.brave.Browser.nightly" },
+  FirefoxURL: { name: "Firefox", id: "org.mozilla.firefox" },
+  OperaStable: { name: "Opera", id: "com.operasoftware.Opera" },
+  VivaldiHTM: { name: "Vivaldi", id: "com.vivaldi.Vivaldi" },
+  "IE.HTTP": { name: "Internet Explorer", id: "com.microsoft.ie" }
+};
+new Map(Object.entries(windowsBrowserProgIds));
+var UnknownBrowserError = class extends Error {
+};
+async function defaultBrowser(_execFileAsync = execFileAsync3) {
+  const { stdout } = await _execFileAsync("reg", [
+    "QUERY",
+    " HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\Associations\\UrlAssociations\\http\\UserChoice",
+    "/v",
+    "ProgId"
+  ]);
+  const match = /ProgId\s*REG_SZ\s*(?<id>\S+)/.exec(stdout);
+  if (!match) {
+    throw new UnknownBrowserError(`Cannot find Windows browser in stdout: ${JSON.stringify(stdout)}`);
+  }
+  const { id } = match.groups;
+  const dotIndex = id.lastIndexOf(".");
+  const hyphenIndex = id.lastIndexOf("-");
+  const baseIdByDot = dotIndex === -1 ? void 0 : id.slice(0, dotIndex);
+  const baseIdByHyphen = hyphenIndex === -1 ? void 0 : id.slice(0, hyphenIndex);
+  return windowsBrowserProgIds[id] ?? windowsBrowserProgIds[baseIdByDot] ?? windowsBrowserProgIds[baseIdByHyphen] ?? { name: id, id };
+}
+
+// ../../../node_modules/.pnpm/default-browser@5.5.0/node_modules/default-browser/index.js
+var execFileAsync4 = promisify(execFile);
+var titleize = (string) => string.toLowerCase().replaceAll(/(?:^|\s|-)\S/g, (x) => x.toUpperCase());
+async function defaultBrowser2() {
+  if (process6.platform === "darwin") {
+    const id = await defaultBrowserId();
+    const name = await bundleName(id);
+    return { name, id };
+  }
+  if (process6.platform === "linux") {
+    const { stdout } = await execFileAsync4("xdg-mime", ["query", "default", "x-scheme-handler/http"]);
+    const id = stdout.trim();
+    const name = titleize(id.replace(/.desktop$/, "").replace("-", " "));
+    return { name, id };
+  }
+  if (process6.platform === "win32") {
+    return defaultBrowser();
+  }
+  throw new Error("Only macOS, Linux, and Windows are supported");
+}
+
+// ../../../node_modules/.pnpm/open@10.2.0/node_modules/open/index.js
+var execFile5 = promisify(childProcess.execFile);
+var __dirname$1 = path.dirname(fileURLToPath(import.meta.url));
+var localXdgOpenPath = path.join(__dirname$1, "xdg-open");
+var { platform, arch } = process6;
+async function getWindowsDefaultBrowserFromWsl() {
+  const powershellPath = await powerShellPath();
+  const rawCommand = String.raw`(Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice").ProgId`;
+  const encodedCommand = Buffer$1.from(rawCommand, "utf16le").toString("base64");
+  const { stdout } = await execFile5(
+    powershellPath,
+    [
+      "-NoProfile",
+      "-NonInteractive",
+      "-ExecutionPolicy",
+      "Bypass",
+      "-EncodedCommand",
+      encodedCommand
+    ],
+    { encoding: "utf8" }
+  );
+  const progId = stdout.trim();
+  const browserMap = {
+    ChromeHTML: "com.google.chrome",
+    BraveHTML: "com.brave.Browser",
+    MSEdgeHTM: "com.microsoft.edge",
+    FirefoxURL: "org.mozilla.firefox"
+  };
+  return browserMap[progId] ? { id: browserMap[progId] } : {};
+}
+var pTryEach = async (array, mapper) => {
+  let latestError;
+  for (const item of array) {
+    try {
+      return await mapper(item);
+    } catch (error) {
+      latestError = error;
+    }
+  }
+  throw latestError;
+};
+var baseOpen = async (options) => {
+  options = {
+    wait: false,
+    background: false,
+    newInstance: false,
+    allowNonzeroExitCode: false,
+    ...options
+  };
+  if (Array.isArray(options.app)) {
+    return pTryEach(options.app, (singleApp) => baseOpen({
+      ...options,
+      app: singleApp
+    }));
+  }
+  let { name: app, arguments: appArguments = [] } = options.app ?? {};
+  appArguments = [...appArguments];
+  if (Array.isArray(app)) {
+    return pTryEach(app, (appName) => baseOpen({
+      ...options,
+      app: {
+        name: appName,
+        arguments: appArguments
+      }
+    }));
+  }
+  if (app === "browser" || app === "browserPrivate") {
+    const ids = {
+      "com.google.chrome": "chrome",
+      "google-chrome.desktop": "chrome",
+      "com.brave.Browser": "brave",
+      "org.mozilla.firefox": "firefox",
+      "firefox.desktop": "firefox",
+      "com.microsoft.msedge": "edge",
+      "com.microsoft.edge": "edge",
+      "com.microsoft.edgemac": "edge",
+      "microsoft-edge.desktop": "edge"
+    };
+    const flags = {
+      chrome: "--incognito",
+      brave: "--incognito",
+      firefox: "--private-window",
+      edge: "--inPrivate"
+    };
+    const browser = is_wsl_default ? await getWindowsDefaultBrowserFromWsl() : await defaultBrowser2();
+    if (browser.id in ids) {
+      const browserName = ids[browser.id];
+      if (app === "browserPrivate") {
+        appArguments.push(flags[browserName]);
+      }
+      return baseOpen({
+        ...options,
+        app: {
+          name: apps[browserName],
+          arguments: appArguments
+        }
+      });
+    }
+    throw new Error(`${browser.name} is not supported as a default browser`);
+  }
+  let command;
+  const cliArguments = [];
+  const childProcessOptions = {};
+  if (platform === "darwin") {
+    command = "open";
+    if (options.wait) {
+      cliArguments.push("--wait-apps");
+    }
+    if (options.background) {
+      cliArguments.push("--background");
+    }
+    if (options.newInstance) {
+      cliArguments.push("--new");
+    }
+    if (app) {
+      cliArguments.push("-a", app);
+    }
+  } else if (platform === "win32" || is_wsl_default && !isInsideContainer() && !app) {
+    command = await powerShellPath();
+    cliArguments.push(
+      "-NoProfile",
+      "-NonInteractive",
+      "-ExecutionPolicy",
+      "Bypass",
+      "-EncodedCommand"
+    );
+    if (!is_wsl_default) {
+      childProcessOptions.windowsVerbatimArguments = true;
+    }
+    const encodedArguments = ["Start"];
+    if (options.wait) {
+      encodedArguments.push("-Wait");
+    }
+    if (app) {
+      encodedArguments.push(`"\`"${app}\`""`);
+      if (options.target) {
+        appArguments.push(options.target);
+      }
+    } else if (options.target) {
+      encodedArguments.push(`"${options.target}"`);
+    }
+    if (appArguments.length > 0) {
+      appArguments = appArguments.map((argument) => `"\`"${argument}\`""`);
+      encodedArguments.push("-ArgumentList", appArguments.join(","));
+    }
+    options.target = Buffer$1.from(encodedArguments.join(" "), "utf16le").toString("base64");
+  } else {
+    if (app) {
+      command = app;
+    } else {
+      const isBundled = !__dirname$1 || __dirname$1 === "/";
+      let exeLocalXdgOpen = false;
+      try {
+        await fs4.access(localXdgOpenPath, constants.X_OK);
+        exeLocalXdgOpen = true;
+      } catch {
+      }
+      const useSystemXdgOpen = process6.versions.electron ?? (platform === "android" || isBundled || !exeLocalXdgOpen);
+      command = useSystemXdgOpen ? "xdg-open" : localXdgOpenPath;
+    }
+    if (appArguments.length > 0) {
+      cliArguments.push(...appArguments);
+    }
+    if (!options.wait) {
+      childProcessOptions.stdio = "ignore";
+      childProcessOptions.detached = true;
+    }
+  }
+  if (platform === "darwin" && appArguments.length > 0) {
+    cliArguments.push("--args", ...appArguments);
+  }
+  if (options.target) {
+    cliArguments.push(options.target);
+  }
+  const subprocess = childProcess.spawn(command, cliArguments, childProcessOptions);
+  if (options.wait) {
+    return new Promise((resolve, reject) => {
+      subprocess.once("error", reject);
+      subprocess.once("close", (exitCode) => {
+        if (!options.allowNonzeroExitCode && exitCode > 0) {
+          reject(new Error(`Exited with code ${exitCode}`));
+          return;
+        }
+        resolve(subprocess);
+      });
+    });
+  }
+  subprocess.unref();
+  return subprocess;
+};
+var open = (target, options) => {
+  if (typeof target !== "string") {
+    throw new TypeError("Expected a `target`");
+  }
+  return baseOpen({
+    ...options,
+    target
+  });
+};
+function detectArchBinary(binary) {
+  if (typeof binary === "string" || Array.isArray(binary)) {
+    return binary;
+  }
+  const { [arch]: archBinary } = binary;
+  if (!archBinary) {
+    throw new Error(`${arch} is not supported`);
+  }
+  return archBinary;
+}
+function detectPlatformBinary({ [platform]: platformBinary }, { wsl }) {
+  if (wsl && is_wsl_default) {
+    return detectArchBinary(wsl);
+  }
+  if (!platformBinary) {
+    throw new Error(`${platform} is not supported`);
+  }
+  return detectArchBinary(platformBinary);
+}
+var apps = {};
+defineLazyProperty(apps, "chrome", () => detectPlatformBinary({
+  darwin: "google chrome",
+  win32: "chrome",
+  linux: ["google-chrome", "google-chrome-stable", "chromium"]
+}, {
+  wsl: {
+    ia32: "/mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe",
+    x64: ["/mnt/c/Program Files/Google/Chrome/Application/chrome.exe", "/mnt/c/Program Files (x86)/Google/Chrome/Application/chrome.exe"]
+  }
+}));
+defineLazyProperty(apps, "brave", () => detectPlatformBinary({
+  darwin: "brave browser",
+  win32: "brave",
+  linux: ["brave-browser", "brave"]
+}, {
+  wsl: {
+    ia32: "/mnt/c/Program Files (x86)/BraveSoftware/Brave-Browser/Application/brave.exe",
+    x64: ["/mnt/c/Program Files/BraveSoftware/Brave-Browser/Application/brave.exe", "/mnt/c/Program Files (x86)/BraveSoftware/Brave-Browser/Application/brave.exe"]
+  }
+}));
+defineLazyProperty(apps, "firefox", () => detectPlatformBinary({
+  darwin: "firefox",
+  win32: String.raw`C:\Program Files\Mozilla Firefox\firefox.exe`,
+  linux: "firefox"
+}, {
+  wsl: "/mnt/c/Program Files/Mozilla Firefox/firefox.exe"
+}));
+defineLazyProperty(apps, "edge", () => detectPlatformBinary({
+  darwin: "microsoft edge",
+  win32: "msedge",
+  linux: ["microsoft-edge", "microsoft-edge-dev"]
+}, {
+  wsl: "/mnt/c/Program Files (x86)/Microsoft/Edge/Application/msedge.exe"
+}));
+defineLazyProperty(apps, "browser", () => "browser");
+defineLazyProperty(apps, "browserPrivate", () => "browserPrivate");
+var open_default = open;
+
+// src/auth.ts
+var LOGIN_TIMEOUT_MS = 5 * 60 * 1e3;
+var generatePKCE = async () => {
+  const codeVerifier = getVerifier();
+  const codeChallenge = await getDigest(codeVerifier, "base64url");
+  return { codeVerifier, codeChallenge };
+};
+var fetchDiscovery = async (discoveryUrl) => {
+  const res = await fetch(discoveryUrl);
+  if (!res.ok) {
+    throw new Error(`Failed to fetch OAuth discovery: ${res.status} ${res.statusText}`);
+  }
+  return res.json();
+};
+var registerClient = async (registrationEndpoint) => {
+  const res = await fetch(registrationEndpoint, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({
+      client_name: STANDALONE_CLIENT.MCP,
+      redirect_uris: ["http://127.0.0.1/callback"]
+    })
+  });
+  if (!res.ok) {
+    throw new Error(`Client registration failed: ${res.status}`);
+  }
+  const data = await res.json();
+  return data.client_id;
+};
+var exchangeCodeForToken = async (tokenEndpoint, code, codeVerifier, clientId, redirectUri) => {
+  const res = await fetch(tokenEndpoint, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      code_verifier: codeVerifier,
+      client_id: clientId,
+      redirect_uri: redirectUri
+    }).toString()
+  });
+  if (!res.ok) {
+    const error = await res.json().catch(() => ({}));
+    throw new Error(error.error_description ?? error.error ?? `Token exchange failed: ${res.status}`);
+  }
+  return res.json();
+};
+var decodeJwtPayload2 = (token) => {
+  const [, payload] = token.split(".");
+  if (!payload) {
+    throw new Error("Invalid JWT format");
+  }
+  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+};
+var performOAuthFlow = async (discoveryUrl) => {
+  const discovery = await fetchDiscovery(discoveryUrl);
+  let clientId = await deriveClientId(STANDALONE_CLIENT.MCP);
+  if (discovery.registration_endpoint) {
+    clientId = await registerClient(discovery.registration_endpoint);
+  }
+  const { codeVerifier, codeChallenge } = await generatePKCE();
+  const state = getNonce();
+  let resolveCode;
+  let rejectCode;
+  const codePromise = new Promise((resolve, reject) => {
+    resolveCode = resolve;
+    rejectCode = reject;
+  });
+  let server2;
+  server2 = createServer((req, res) => {
+    const url = new URL(req.url, "http://localhost");
+    if (url.pathname === "/callback") {
+      const error = url.searchParams.get("error");
+      if (error) {
+        res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+        res.end("<html><body><h2>Authentication failed</h2><p>You can close this tab.</p></body></html>");
+        rejectCode(new Error(url.searchParams.get("error_description") ?? error));
+        return;
+      }
+      const code2 = url.searchParams.get("code");
+      const returnedState = url.searchParams.get("state");
+      if (!code2) {
+        res.writeHead(400, { "content-type": "text/plain" });
+        res.end("Missing authorization code");
+        return;
+      }
+      if (returnedState !== state) {
+        res.writeHead(400, { "content-type": "text/plain" });
+        res.end("State mismatch");
+        rejectCode(new Error("OAuth state mismatch \u2014 possible CSRF attack"));
+        return;
+      }
+      res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+      res.end("<html><body><h2>Authenticated</h2><p>You can return to your terminal.</p></body></html>");
+      resolveCode(code2);
+    } else {
+      res.writeHead(404);
+      res.end();
+    }
+  });
+  await new Promise((r) => server2.listen(0, "127.0.0.1", r));
+  const port = server2.address().port;
+  const redirectUri = `http://127.0.0.1:${port}/callback`;
+  const authUrl = new URL(discovery.authorization_endpoint);
+  authUrl.searchParams.set("client_id", clientId);
+  authUrl.searchParams.set("redirect_uri", redirectUri);
+  authUrl.searchParams.set("code_challenge", codeChallenge);
+  authUrl.searchParams.set("code_challenge_method", "S256");
+  authUrl.searchParams.set("state", state);
+  authUrl.searchParams.set("response_type", "code");
+  await open_default(authUrl.toString());
+  const timeout = setTimeout(() => {
+    server2.close();
+    rejectCode(new Error("Authentication timed out. Please try again."));
+  }, LOGIN_TIMEOUT_MS);
+  let code;
+  try {
+    code = await codePromise;
+  } catch (err) {
+    clearTimeout(timeout);
+    server2.close();
+    throw err;
+  }
+  clearTimeout(timeout);
+  server2.close();
+  const tokenResponse = await exchangeCodeForToken(
+    discovery.token_endpoint,
+    code,
+    codeVerifier,
+    clientId,
+    redirectUri
+  );
+  const payload = decodeJwtPayload2(tokenResponse.access_token);
+  await writeAuthState(
+    {
+      token: tokenResponse.access_token,
+      orgId: payload.orgId,
+      userId: payload.sub
+    },
+    STANDALONE_CLIENT_AUTH_FILE.MCP
+  );
+  return tokenResponse.access_token;
+};
 
 // src/index.ts
-var server = createMcpServer();
+var server = createMcpServer({ performOAuthFlow });
 var transport = new StdioServerTransport();
 await server.connect(transport);