@toolrelay/cli 1.0.0

package/dist/index.js

@@ -0,0 +1,2774 @@
+#!/usr/bin/env node
+import { AuthType, SLUG_REGEX, SLUG_MESSAGE, mcpAnnotationsSchema, PermissionLevel, HttpMethod, TOOL_NAME_REGEX, TOOL_NAME_MESSAGE, buildBackendRequest } from './chunk-7AYNBNB4.js';
+import { readFileSync, writeFileSync, appendFileSync, existsSync, readdirSync, mkdirSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join, resolve } from 'path';
+import { Command } from 'commander';
+import { z } from 'zod';
+import { createServer } from 'http';
+import crypto, { randomUUID } from 'crypto';
+import { exec } from 'child_process';
+import { createInterface, emitKeypressEvents } from 'readline';
+
+var parameterMappingSchema = z.object({
+  name: z.string().min(1),
+  type: z.enum(["string", "number", "boolean", "object", "array"]),
+  required: z.boolean(),
+  description: z.string().optional(),
+  target: z.enum(["path", "query", "body", "header"]),
+  backend_key: z.string().optional(),
+  default_value: z.unknown().optional()
+});
+var appConfigSchema = z.object({
+  name: z.string().min(1),
+  description: z.string().max(500).optional(),
+  slug: z.string().regex(SLUG_REGEX, SLUG_MESSAGE).optional(),
+  base_url: z.string().url(),
+  auth_type: z.nativeEnum(AuthType),
+  auth_config: z.record(z.unknown()).optional(),
+  global_headers: z.record(z.string(), z.string()).optional()
+});
+var toolConfigSchema = z.object({
+  name: z.string().min(1).regex(TOOL_NAME_REGEX, TOOL_NAME_MESSAGE),
+  description: z.string().optional(),
+  http_method: z.nativeEnum(HttpMethod),
+  endpoint_path: z.string().min(1),
+  parameter_mapping: z.array(parameterMappingSchema).default([]),
+  permission_level: z.nativeEnum(PermissionLevel).optional(),
+  headers_template: z.record(z.string()).optional(),
+  request_schema: z.record(z.unknown()).optional(),
+  response_schema: z.record(z.unknown()).optional(),
+  mcp_annotations: mcpAnnotationsSchema.optional()
+});
+var cliConfigSchema = z.object({
+  app: appConfigSchema,
+  tools: z.array(toolConfigSchema).min(1, "At least one tool is required")
+});
+var ENV_VAR_PATTERN = /\$\{([^}]+)\}/g;
+function interpolateEnvVars(value, missing) {
+  if (typeof value === "string") {
+    return value.replace(ENV_VAR_PATTERN, (_match, varName) => {
+      const envVal = process.env[varName];
+      if (envVal === void 0) {
+        missing.add(varName);
+        return "";
+      }
+      return envVal;
+    });
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => interpolateEnvVars(item, missing));
+  }
+  if (value !== null && typeof value === "object") {
+    const result = {};
+    for (const [key, val] of Object.entries(value)) {
+      result[key] = interpolateEnvVars(val, missing);
+    }
+    return result;
+  }
+  return value;
+}
+function loadConfig(filePath) {
+  let raw;
+  try {
+    raw = readFileSync(filePath, "utf-8");
+  } catch (err) {
+    return {
+      success: false,
+      errors: [{ path: filePath, message: `Cannot read file: ${err.message}` }]
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    return {
+      success: false,
+      errors: [{ path: filePath, message: `Invalid JSON: ${err.message}` }]
+    };
+  }
+  const missingEnvVars = /* @__PURE__ */ new Set();
+  parsed = interpolateEnvVars(parsed, missingEnvVars);
+  if (missingEnvVars.size > 0) {
+    const vars = [...missingEnvVars].join(", ");
+    return {
+      success: false,
+      errors: [{ path: filePath, message: `Missing environment variables: ${vars}` }]
+    };
+  }
+  const result = cliConfigSchema.safeParse(parsed);
+  if (!result.success) {
+    const errors = result.error.issues.map((issue) => ({
+      path: issue.path.join("."),
+      message: issue.message
+    }));
+    return { success: false, errors };
+  }
+  const config = result.data;
+  new Set(config.tools.map((t) => t.name));
+  const crossErrors = [];
+  for (const tool of config.tools) {
+    const pathParams = tool.parameter_mapping.filter((p) => p.target === "path");
+    for (const param of pathParams) {
+      const key = param.backend_key ?? param.name;
+      if (!tool.endpoint_path.includes(`{${key}}`)) {
+        crossErrors.push({
+          path: `tools[name="${tool.name}"].parameter_mapping[name="${param.name}"]`,
+          message: `Path parameter "${key}" has no matching {${key}} placeholder in endpoint_path "${tool.endpoint_path}"`
+        });
+      }
+    }
+    const placeholderRegex = /\{([^}]+)\}/g;
+    let match;
+    while ((match = placeholderRegex.exec(tool.endpoint_path)) !== null) {
+      const placeholder = match[1];
+      const hasParam = pathParams.some((p) => (p.backend_key ?? p.name) === placeholder);
+      if (!hasParam) {
+        crossErrors.push({
+          path: `tools[name="${tool.name}"].endpoint_path`,
+          message: `Placeholder {${placeholder}} in endpoint has no matching path parameter mapping`
+        });
+      }
+    }
+  }
+  if (crossErrors.length > 0) {
+    return { success: false, config, errors: crossErrors };
+  }
+  return { success: true, config, errors: [] };
+}
+var RESET = "\x1B[0m";
+var BOLD = "\x1B[1m";
+var DIM = "\x1B[2m";
+var RED = "\x1B[31m";
+var GREEN = "\x1B[32m";
+var YELLOW = "\x1B[33m";
+var BLUE = "\x1B[34m";
+var MAGENTA = "\x1B[35m";
+var CYAN = "\x1B[36m";
+var WHITE = "\x1B[37m";
+var BG_RED = "\x1B[41m";
+var BG_GREEN = "\x1B[42m";
+var BG_YELLOW = "\x1B[43m";
+var AuditLogger = class {
+  entries = [];
+  outputPath;
+  verbose;
+  constructor(options = {}) {
+    this.outputPath = options.outputPath;
+    this.verbose = options.verbose ?? false;
+    if (this.outputPath) {
+      writeFileSync(this.outputPath, "");
+    }
+  }
+  /**
+   * Create a new audit entry builder for an invocation.
+   */
+  startInvocation(toolName, toolMethod, toolEndpoint) {
+    return new AuditEntryBuilder(this, toolName, toolMethod, toolEndpoint);
+  }
+  /**
+   * Called by AuditEntryBuilder when an invocation is complete.
+   * Stores the entry, prints it, and optionally writes to file.
+   */
+  recordEntry(entry) {
+    this.entries.push(entry);
+    this.printEntry(entry);
+    if (this.outputPath) {
+      appendFileSync(this.outputPath, JSON.stringify(entry) + "\n");
+    }
+  }
+  /**
+   * Print a final summary of all recorded invocations.
+   */
+  printSummary() {
+    const summary = this.buildSummary();
+    this.renderSummary(summary);
+    return summary;
+  }
+  getEntries() {
+    return this.entries;
+  }
+  // ─── Terminal rendering ─────────────────────────────────────────────────
+  printEntry(entry) {
+    const statusColor = entry.success ? GREEN : RED;
+    const statusIcon = entry.success ? "\u2713" : "\u2717";
+    const statusBg = entry.success ? BG_GREEN : BG_RED;
+    const border = "\u2500".repeat(68);
+    const topBorder = `\u250C${border}`;
+    const midBorder = `\u251C${border}`;
+    const botBorder = `\u2514${border}`;
+    console.log("");
+    console.log(`${statusColor}${topBorder}${RESET}`);
+    console.log(`${statusColor}\u2502${RESET} ${statusBg}${BOLD}${WHITE} ${statusIcon} ${RESET} ${BOLD}${entry.tool_name}${RESET}  ${DIM}${entry.invocation_id}${RESET}`);
+    console.log(`${statusColor}\u2502${RESET}   ${DIM}${entry.timestamp}${RESET}  ${DIM}\u2022${RESET}  ${BOLD}${entry.total_time_ms}ms${RESET}`);
+    console.log(`${statusColor}${midBorder}${RESET}`);
+    console.log(`${statusColor}\u2502${RESET} ${CYAN}${BOLD}INPUT${RESET}`);
+    console.log(`${statusColor}\u2502${RESET}   ${this.formatJson(entry.raw_input, 4)}`);
+    if (entry.parameter_resolutions.length > 0) {
+      console.log(`${statusColor}${midBorder}${RESET}`);
+      console.log(`${statusColor}\u2502${RESET} ${MAGENTA}${BOLD}PARAMETER RESOLUTION${RESET}`);
+      for (const p of entry.parameter_resolutions) {
+        const sourceTag = p.source === "default" ? ` ${YELLOW}(default)${RESET}` : p.source === "missing" ? ` ${RED}(missing)${RESET}` : "";
+        const reqTag = p.required ? ` ${DIM}required${RESET}` : "";
+        const keyInfo = p.backend_key !== p.name ? ` ${DIM}\u2192 ${p.backend_key}${RESET}` : "";
+        console.log(`${statusColor}\u2502${RESET}   ${DIM}\u2022${RESET} ${BOLD}${p.name}${RESET}${keyInfo} \u2192 ${BLUE}${p.target}${RESET}  ${DIM}=${RESET} ${this.formatValue(p.value)}${sourceTag}${reqTag}`);
+      }
+    }
+    if (entry.input_validation) {
+      this.renderValidation(statusColor, "INPUT VALIDATION", entry.input_validation);
+    }
+    console.log(`${statusColor}${midBorder}${RESET}`);
+    console.log(`${statusColor}\u2502${RESET} ${BLUE}${BOLD}REQUEST${RESET}`);
+    console.log(`${statusColor}\u2502${RESET}   ${BOLD}${entry.request_method}${RESET} ${entry.request_url}`);
+    console.log(`${statusColor}\u2502${RESET}   ${DIM}Headers:${RESET}`);
+    for (const [key, value] of Object.entries(entry.request_headers)) {
+      const masked = this.maybeMask(key, value);
+      console.log(`${statusColor}\u2502${RESET}     ${DIM}${key}:${RESET} ${masked}`);
+    }
+    if (entry.request_body !== void 0) {
+      console.log(`${statusColor}\u2502${RESET}   ${DIM}Body:${RESET}`);
+      console.log(`${statusColor}\u2502${RESET}     ${this.formatJson(entry.request_body, 6)}`);
+    }
+    if (entry.response_status !== void 0) {
+      console.log(`${statusColor}${midBorder}${RESET}`);
+      console.log(`${statusColor}\u2502${RESET} ${this.statusColor(entry.response_status)}${BOLD}RESPONSE${RESET}  ${this.statusBadge(entry.response_status, entry.response_status_text)}`);
+      console.log(`${statusColor}\u2502${RESET}   ${DIM}Size:${RESET} ${entry.response_body_size_bytes ?? 0} bytes  ${DIM}\u2022${RESET}  ${DIM}Time:${RESET} ${entry.total_time_ms}ms`);
+      if (this.verbose && entry.response_headers) {
+        console.log(`${statusColor}\u2502${RESET}   ${DIM}Headers:${RESET}`);
+        for (const [key, value] of Object.entries(entry.response_headers)) {
+          console.log(`${statusColor}\u2502${RESET}     ${DIM}${key}:${RESET} ${value}`);
+        }
+      }
+      if (entry.response_body !== void 0) {
+        console.log(`${statusColor}\u2502${RESET}   ${DIM}Body:${RESET}`);
+        console.log(`${statusColor}\u2502${RESET}     ${this.formatJson(entry.response_body, 6)}`);
+      } else if (entry.response_body_raw !== void 0) {
+        console.log(`${statusColor}\u2502${RESET}   ${DIM}Body (raw):${RESET}`);
+        const truncated = entry.response_body_raw.length > 2e3 ? entry.response_body_raw.slice(0, 2e3) + `
+${DIM}... truncated (${entry.response_body_raw.length} bytes total)${RESET}` : entry.response_body_raw;
+        console.log(`${statusColor}\u2502${RESET}     ${truncated}`);
+      }
+    }
+    if (entry.response_validation) {
+      this.renderValidation(statusColor, "RESPONSE VALIDATION", entry.response_validation);
+    }
+    if (entry.error) {
+      console.log(`${statusColor}${midBorder}${RESET}`);
+      console.log(`${statusColor}\u2502${RESET} ${BG_RED}${WHITE}${BOLD} ERROR ${RESET}  ${DIM}phase:${RESET} ${entry.error.phase}`);
+      console.log(`${statusColor}\u2502${RESET}   ${RED}${entry.error.message}${RESET}`);
+      if (entry.error.details) {
+        console.log(`${statusColor}\u2502${RESET}   ${DIM}${entry.error.details}${RESET}`);
+      }
+    }
+    if (entry.diagnostics.length > 0) {
+      console.log(`${statusColor}${midBorder}${RESET}`);
+      console.log(`${statusColor}\u2502${RESET} ${YELLOW}${BOLD}DIAGNOSTICS${RESET}`);
+      for (const diag of entry.diagnostics) {
+        console.log(`${statusColor}\u2502${RESET}   ${YELLOW}\u26A0${RESET}  ${diag}`);
+      }
+    }
+    console.log(`${statusColor}${botBorder}${RESET}`);
+  }
+  renderValidation(statusColor, label, validation) {
+    const icon = validation.valid ? `${GREEN}\u2713${RESET}` : `${RED}\u2717${RESET}`;
+    console.log(`${statusColor}\u2502${RESET}`);
+    console.log(`${statusColor}\u2502${RESET} ${icon} ${DIM}${label}${RESET}`);
+    if (!validation.valid) {
+      for (const err of validation.errors) {
+        console.log(`${statusColor}\u2502${RESET}   ${RED}\u2022 ${err}${RESET}`);
+      }
+    }
+  }
+  renderSummary(summary) {
+    const border = "\u2550".repeat(68);
+    console.log("");
+    console.log(`${BOLD}\u2554${border}\u2557${RESET}`);
+    console.log(`${BOLD}\u2551${RESET}  ${BOLD}AUDIT SUMMARY${RESET}${" ".repeat(55)}${BOLD}\u2551${RESET}`);
+    console.log(`${BOLD}\u2560${border}\u2563${RESET}`);
+    const passRate = summary.total_calls > 0 ? Math.round(summary.passed / summary.total_calls * 100) : 0;
+    const passColor = passRate === 100 ? GREEN : passRate >= 50 ? YELLOW : RED;
+    console.log(`${BOLD}\u2551${RESET}  Total calls:   ${BOLD}${summary.total_calls}${RESET}${" ".repeat(52 - String(summary.total_calls).length)}${BOLD}\u2551${RESET}`);
+    console.log(`${BOLD}\u2551${RESET}  ${GREEN}Passed:${RESET}        ${BOLD}${summary.passed}${RESET}${" ".repeat(52 - String(summary.passed).length)}${BOLD}\u2551${RESET}`);
+    console.log(`${BOLD}\u2551${RESET}  ${RED}Failed:${RESET}        ${BOLD}${summary.failed}${RESET}${" ".repeat(52 - String(summary.failed).length)}${BOLD}\u2551${RESET}`);
+    console.log(`${BOLD}\u2551${RESET}  Pass rate:     ${passColor}${BOLD}${passRate}%${RESET}${" ".repeat(52 - String(passRate).length - 1)}${BOLD}\u2551${RESET}`);
+    console.log(`${BOLD}\u2551${RESET}  Avg latency:   ${BOLD}${summary.avg_response_time_ms}ms${RESET}${" ".repeat(50 - String(summary.avg_response_time_ms).length)}${BOLD}\u2551${RESET}`);
+    if (Object.keys(summary.errors_by_phase).length > 0) {
+      console.log(`${BOLD}\u2560${border}\u2563${RESET}`);
+      console.log(`${BOLD}\u2551${RESET}  ${RED}${BOLD}Errors by phase:${RESET}${" ".repeat(52)}${BOLD}\u2551${RESET}`);
+      for (const [phase, count] of Object.entries(summary.errors_by_phase)) {
+        const padLen = 52 - phase.length - String(count).length - 2;
+        console.log(`${BOLD}\u2551${RESET}    ${phase}: ${RED}${count}${RESET}${" ".repeat(Math.max(0, padLen))}${BOLD}\u2551${RESET}`);
+      }
+    }
+    console.log(`${BOLD}\u255A${border}\u255D${RESET}`);
+    if (this.outputPath) {
+      console.log(`
+${DIM}Full audit log written to: ${this.outputPath}${RESET}`);
+    }
+  }
+  buildSummary() {
+    const total = this.entries.length;
+    const passed = this.entries.filter((e) => e.success).length;
+    const failed = total - passed;
+    const avgTime = total > 0 ? Math.round(this.entries.reduce((sum, e) => sum + e.total_time_ms, 0) / total) : 0;
+    const errorsByPhase = {};
+    for (const entry of this.entries) {
+      if (entry.error) {
+        errorsByPhase[entry.error.phase] = (errorsByPhase[entry.error.phase] ?? 0) + 1;
+      }
+    }
+    return {
+      total_calls: total,
+      passed,
+      failed,
+      avg_response_time_ms: avgTime,
+      errors_by_phase: errorsByPhase,
+      entries: this.entries
+    };
+  }
+  // ─── Formatting helpers ─────────────────────────────────────────────────
+  formatJson(value, indent) {
+    const indentStr = " ".repeat(indent);
+    const raw = JSON.stringify(value, null, 2);
+    return raw.split("\n").join(`
+${indentStr}`);
+  }
+  formatValue(value) {
+    if (value === void 0) return `${DIM}undefined${RESET}`;
+    if (value === null) return `${DIM}null${RESET}`;
+    if (typeof value === "string") return `${GREEN}"${value}"${RESET}`;
+    if (typeof value === "number") return `${CYAN}${value}${RESET}`;
+    if (typeof value === "boolean") return `${YELLOW}${value}${RESET}`;
+    return this.formatJson(value, 0);
+  }
+  maybeMask(headerName, value) {
+    const sensitive = ["authorization", "x-api-key", "cookie", "x-toolrelay-verify"];
+    if (sensitive.includes(headerName.toLowerCase())) {
+      if (value.length <= 12) return `${DIM}***masked***${RESET}`;
+      return `${value.slice(0, 12)}${DIM}...masked${RESET}`;
+    }
+    return value;
+  }
+  statusColor(status) {
+    if (status >= 200 && status < 300) return GREEN;
+    if (status >= 300 && status < 400) return YELLOW;
+    if (status >= 400 && status < 500) return RED;
+    return RED;
+  }
+  statusBadge(status, statusText) {
+    const text = statusText ?? "";
+    if (status >= 200 && status < 300) return `${BG_GREEN}${WHITE}${BOLD} ${status} ${text} ${RESET}`;
+    if (status >= 300 && status < 400) return `${BG_YELLOW}${WHITE}${BOLD} ${status} ${text} ${RESET}`;
+    return `${BG_RED}${WHITE}${BOLD} ${status} ${text} ${RESET}`;
+  }
+};
+var AuditEntryBuilder = class {
+  logger;
+  entry;
+  startTime;
+  constructor(logger, toolName, toolMethod, toolEndpoint) {
+    this.logger = logger;
+    this.startTime = performance.now();
+    this.entry = {
+      invocation_id: randomUUID().slice(0, 8),
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      tool_name: toolName,
+      tool_method: toolMethod,
+      tool_endpoint: toolEndpoint,
+      raw_input: {},
+      parameter_resolutions: [],
+      request_url: "",
+      request_method: toolMethod,
+      request_headers: {},
+      request_body: void 0,
+      total_time_ms: 0,
+      success: false,
+      diagnostics: []
+    };
+  }
+  setInput(input) {
+    this.entry.raw_input = input;
+    return this;
+  }
+  /**
+   * Record how each parameter was resolved — the mapping from input to request.
+   */
+  recordParameterResolutions(mappings, input) {
+    this.entry.parameter_resolutions = mappings.map((m) => {
+      const hasValue = m.name in input;
+      const hasDefault = m.default_value !== void 0;
+      let source;
+      let value;
+      if (hasValue) {
+        source = "input";
+        value = input[m.name];
+      } else if (hasDefault) {
+        source = "default";
+        value = m.default_value;
+      } else {
+        source = "missing";
+        value = void 0;
+      }
+      return {
+        name: m.name,
+        target: m.target,
+        backend_key: m.backend_key ?? m.name,
+        value,
+        source,
+        required: m.required
+      };
+    });
+    return this;
+  }
+  setRequest(url, method, headers, body) {
+    this.entry.request_url = url;
+    this.entry.request_method = method;
+    this.entry.request_headers = { ...headers };
+    this.entry.request_body = body;
+    return this;
+  }
+  setResponse(status, statusText, headers, body, bodyRaw) {
+    this.entry.response_status = status;
+    this.entry.response_status_text = statusText;
+    this.entry.response_headers = headers;
+    this.entry.response_body = body;
+    this.entry.response_body_raw = bodyRaw;
+    this.entry.response_body_size_bytes = Buffer.byteLength(bodyRaw, "utf-8");
+    return this;
+  }
+  setInputValidation(result) {
+    this.entry.input_validation = result;
+    return this;
+  }
+  setResponseValidation(result) {
+    this.entry.response_validation = result;
+    return this;
+  }
+  setError(error) {
+    this.entry.error = error;
+    this.entry.success = false;
+    return this;
+  }
+  addDiagnostic(message) {
+    this.entry.diagnostics.push(message);
+    return this;
+  }
+  /**
+   * Finalize the entry, record timing, and send to the logger.
+   */
+  finish(success) {
+    this.entry.total_time_ms = Math.round(performance.now() - this.startTime);
+    if (success !== void 0) {
+      this.entry.success = success;
+    } else {
+      this.entry.success = !this.entry.error && this.entry.response_status !== void 0 && this.entry.response_status >= 200 && this.entry.response_status < 400;
+    }
+    this.autoDiagnose();
+    this.logger.recordEntry(this.entry);
+    return this.entry;
+  }
+  // ─── Auto-diagnosis ───────────────────────────────────────────────────
+  autoDiagnose() {
+    for (const p of this.entry.parameter_resolutions) {
+      if (p.required && p.source === "missing") {
+        this.entry.diagnostics.push(
+          `Required parameter "${p.name}" was not provided and has no default value`
+        );
+      }
+    }
+    if (this.entry.total_time_ms > 5e3) {
+      this.entry.diagnostics.push(
+        `Response took ${this.entry.total_time_ms}ms \u2014 consider backend optimization or check network`
+      );
+    }
+    if (this.entry.response_body_size_bytes && this.entry.response_body_size_bytes > 1e6) {
+      this.entry.diagnostics.push(
+        `Response body is ${(this.entry.response_body_size_bytes / 1e6).toFixed(1)}MB \u2014 large responses increase latency for AI agents`
+      );
+    }
+    if (this.entry.response_headers && !this.entry.response_headers["content-type"]?.includes("application/json") && this.entry.response_status !== void 0 && this.entry.response_status < 300) {
+      this.entry.diagnostics.push(
+        `Response Content-Type is "${this.entry.response_headers["content-type"] ?? "missing"}" \u2014 MCP tools work best with JSON responses`
+      );
+    }
+    if (this.entry.response_status === 401 || this.entry.response_status === 403) {
+      this.entry.diagnostics.push(
+        "Authentication rejected by backend \u2014 verify auth_config credentials are correct"
+      );
+    }
+    if (this.entry.response_status === 404) {
+      this.entry.diagnostics.push(
+        `Backend returned 404 for ${this.entry.request_method} ${this.entry.request_url} \u2014 verify endpoint_path is correct`
+      );
+    }
+    if (this.entry.response_status === 405) {
+      this.entry.diagnostics.push(
+        `Backend returned 405 Method Not Allowed \u2014 the endpoint may not accept ${this.entry.request_method} requests`
+      );
+    }
+    if (this.entry.response_status === 422 || this.entry.response_status === 400) {
+      this.entry.diagnostics.push(
+        "Backend rejected the request body \u2014 check parameter_mapping targets and backend_key values match what the backend expects"
+      );
+    }
+    if (this.entry.request_url.includes("{") && this.entry.request_url.includes("}")) {
+      const unresolved = this.entry.request_url.match(/\{[^}]+\}/g);
+      if (unresolved) {
+        this.entry.diagnostics.push(
+          `URL contains unresolved placeholders: ${unresolved.join(", ")} \u2014 add path parameter mappings for these`
+        );
+      }
+    }
+    if (this.entry.error?.phase === "network") {
+      if (this.entry.error.message.includes("ECONNREFUSED")) {
+        this.entry.diagnostics.push(
+          "Connection refused \u2014 is the backend server running?"
+        );
+      }
+      if (this.entry.error.message.includes("ENOTFOUND")) {
+        this.entry.diagnostics.push(
+          "DNS resolution failed \u2014 check base_url hostname"
+        );
+      }
+    }
+    if (this.entry.error?.phase === "timeout") {
+      this.entry.diagnostics.push(
+        "Request timed out \u2014 backend may be overloaded or endpoint may be hanging"
+      );
+    }
+  }
+};
+var BOLD2 = "\x1B[1m";
+var DIM2 = "\x1B[2m";
+var RESET2 = "\x1B[0m";
+var RED2 = "\x1B[31m";
+var GREEN2 = "\x1B[32m";
+var YELLOW2 = "\x1B[33m";
+function generateCodeVerifier() {
+  return crypto.randomBytes(32).toString("base64url");
+}
+function generateCodeChallenge(verifier) {
+  return crypto.createHash("sha256").update(verifier).digest("base64url");
+}
+var REFRESH_BUFFER_MS = 6e4;
+var OAuthTokenStore = class {
+  tokens = null;
+  isAuthenticated() {
+    if (!this.tokens) return false;
+    if (this.tokens.expires_at === 0) return true;
+    return Date.now() < this.tokens.expires_at;
+  }
+  needsRefresh() {
+    if (!this.tokens) return false;
+    if (this.tokens.expires_at === 0) return false;
+    return Date.now() >= this.tokens.expires_at - REFRESH_BUFFER_MS;
+  }
+  getTokens() {
+    return this.tokens;
+  }
+  setTokens(tokens) {
+    this.tokens = tokens;
+  }
+  clear() {
+    this.tokens = null;
+  }
+};
+function openBrowser(url) {
+  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? 'start ""' : "xdg-open";
+  exec(`${cmd} "${url}"`, (err) => {
+    if (err) {
+      console.log(`${YELLOW2}${BOLD2}[OAuth]${RESET2} Could not open browser automatically.`);
+      console.log(`${YELLOW2}${BOLD2}[OAuth]${RESET2} Open this URL in your browser:
+`);
+      console.log(`  ${url}
+`);
+    }
+  });
+}
+var SUCCESS_HTML = `<!DOCTYPE html>
+<html><head><title>ToolRelay \u2014 OAuth Complete</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#f9fafb}
+.card{text-align:center;padding:2rem 3rem;border-radius:12px;background:#fff;box-shadow:0 2px 8px rgba(0,0,0,.08)}
+h1{color:#16a34a;margin:0 0 .5rem}p{color:#6b7280;margin:0}</style></head>
+<body><div class="card"><h1>Authenticated</h1><p>You can close this tab and return to the terminal.</p></div></body></html>`;
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+var ERROR_HTML = (msg) => `<!DOCTYPE html>
+<html><head><title>ToolRelay \u2014 OAuth Error</title>
+<style>body{font-family:system-ui,sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#f9fafb}
+.card{text-align:center;padding:2rem 3rem;border-radius:12px;background:#fff;box-shadow:0 2px 8px rgba(0,0,0,.08)}
+h1{color:#dc2626;margin:0 0 .5rem}p{color:#6b7280;margin:0}</style></head>
+<body><div class="card"><h1>Authentication Failed</h1><p>${escapeHtml(msg)}</p></div></body></html>`;
+async function exchangeCodeForTokens(config, code, redirectUri, codeVerifier) {
+  const body = new URLSearchParams({
+    grant_type: "authorization_code",
+    code,
+    redirect_uri: redirectUri
+  });
+  if (config.client_id) body.set("client_id", config.client_id);
+  if (config.client_secret) body.set("client_secret", config.client_secret);
+  if (codeVerifier) body.set("code_verifier", codeVerifier);
+  const res = await fetch(config.token_url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Token exchange failed (${res.status}): ${text}`);
+  }
+  const data = await res.json();
+  const access_token = data.access_token;
+  if (!access_token) {
+    throw new Error("Token response missing access_token");
+  }
+  const expires_in = data.expires_in;
+  return {
+    access_token,
+    refresh_token: data.refresh_token ?? void 0,
+    expires_at: expires_in ? Date.now() + expires_in * 1e3 : 0
+  };
+}
+async function refreshAccessToken(config, refreshToken) {
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: refreshToken
+  });
+  if (config.client_id) body.set("client_id", config.client_id);
+  if (config.client_secret) body.set("client_secret", config.client_secret);
+  const res = await fetch(config.token_url, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: body.toString()
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Token refresh failed (${res.status}): ${text}`);
+  }
+  const data = await res.json();
+  const access_token = data.access_token;
+  if (!access_token) {
+    throw new Error("Refresh response missing access_token");
+  }
+  const expires_in = data.expires_in;
+  return {
+    access_token,
+    // Some providers return a new refresh token; keep the old one if not
+    refresh_token: data.refresh_token ?? refreshToken,
+    expires_at: expires_in ? Date.now() + expires_in * 1e3 : 0
+  };
+}
+var FLOW_TIMEOUT_MS = 3e5;
+async function startOAuthFlow(store, config, callbackPort) {
+  const usePkce = config.use_pkce !== false;
+  const codeVerifier = usePkce ? generateCodeVerifier() : null;
+  const codeChallenge = codeVerifier ? generateCodeChallenge(codeVerifier) : null;
+  const state = crypto.randomBytes(16).toString("hex");
+  return new Promise((resolve2, reject) => {
+    const callbackServer = createServer(async (req, res) => {
+      const url = new URL(req.url ?? "/", `http://localhost`);
+      if (url.pathname !== "/callback") {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+      const returnedState = url.searchParams.get("state");
+      if (returnedState !== state) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML("Invalid state parameter \u2014 possible CSRF attack."));
+        cleanup();
+        reject(new Error("OAuth state mismatch"));
+        return;
+      }
+      const error = url.searchParams.get("error");
+      if (error) {
+        const desc = url.searchParams.get("error_description") ?? error;
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML(desc));
+        cleanup();
+        reject(new Error(`OAuth error: ${desc}`));
+        return;
+      }
+      const code = url.searchParams.get("code");
+      if (!code) {
+        res.writeHead(400, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML("Missing authorization code."));
+        cleanup();
+        reject(new Error("Missing authorization code"));
+        return;
+      }
+      const redirectUri = `http://localhost:${callbackServer.address().port}/callback`;
+      try {
+        const tokens = await exchangeCodeForTokens(config, code, redirectUri, codeVerifier);
+        store.setTokens(tokens);
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(SUCCESS_HTML);
+        cleanup();
+        resolve2();
+      } catch (err) {
+        const msg = err.message;
+        res.writeHead(500, { "Content-Type": "text/html" });
+        res.end(ERROR_HTML(msg));
+        cleanup();
+        reject(err);
+      }
+    });
+    const timer = setTimeout(() => {
+      cleanup();
+      reject(new Error("OAuth flow timed out \u2014 no callback received within 5 minutes"));
+    }, FLOW_TIMEOUT_MS);
+    function cleanup() {
+      clearTimeout(timer);
+      callbackServer.close();
+    }
+    callbackServer.listen(0, "127.0.0.1", () => {
+      const actualPort = callbackServer.address().port;
+      const redirectUri = `http://localhost:${actualPort}/callback`;
+      const params = new URLSearchParams({
+        response_type: "code",
+        redirect_uri: redirectUri,
+        state
+      });
+      if (config.client_id) params.set("client_id", config.client_id);
+      if (config.scopes) params.set("scope", config.scopes);
+      if (codeChallenge) {
+        params.set("code_challenge", codeChallenge);
+        params.set("code_challenge_method", "S256");
+      }
+      const authorizeUrl = `${config.authorize_url}?${params.toString()}`;
+      console.log(`${YELLOW2}${BOLD2}[OAuth]${RESET2} Opening browser for authorization...`);
+      console.log(`${DIM2}  Callback listening on http://localhost:${actualPort}/callback${RESET2}`);
+      openBrowser(authorizeUrl);
+    });
+  });
+}
+var refreshPromise = null;
+async function getAccessToken(store, config) {
+  const tokens = store.getTokens();
+  if (!tokens) return null;
+  if (store.isAuthenticated() && !store.needsRefresh()) {
+    return tokens.access_token;
+  }
+  if (!tokens.refresh_token) {
+    if (!store.isAuthenticated()) {
+      store.clear();
+      return null;
+    }
+    return tokens.access_token;
+  }
+  if (refreshPromise) {
+    return refreshPromise;
+  }
+  refreshPromise = (async () => {
+    try {
+      console.log(`${DIM2}[OAuth] Refreshing access token...${RESET2}`);
+      const newTokens = await refreshAccessToken(config, tokens.refresh_token);
+      store.setTokens(newTokens);
+      console.log(`${GREEN2}${BOLD2}[OAuth]${RESET2} Token refreshed successfully`);
+      return newTokens.access_token;
+    } catch (err) {
+      console.error(`${RED2}${BOLD2}[OAuth]${RESET2} Token refresh failed: ${err.message}`);
+      store.clear();
+      return null;
+    } finally {
+      refreshPromise = null;
+    }
+  })();
+  return refreshPromise;
+}
+var STORE_DIR_NAME = ".toolrelay";
+var SESSIONS_DIR_NAME = "sessions";
+function getSessionsDir() {
+  const cwd = process.cwd();
+  return join(cwd, STORE_DIR_NAME, SESSIONS_DIR_NAME);
+}
+function ensureSessionsDir() {
+  const dir = getSessionsDir();
+  mkdirSync(dir, { recursive: true });
+  const storeDir = resolve(dir, "..");
+  const gitignorePath = join(storeDir, ".gitignore");
+  if (!existsSync(gitignorePath)) {
+    writeFileSync(gitignorePath, "*\n");
+  }
+  return dir;
+}
+function createSession(opts) {
+  return {
+    id: randomUUID().slice(0, 12),
+    type: opts.type,
+    app_name: opts.appName,
+    started_at: (/* @__PURE__ */ new Date()).toISOString(),
+    finished_at: null,
+    config_path: opts.configPath,
+    base_url: opts.baseUrl,
+    tools: opts.tools,
+    timeline: [],
+    audit_entries: [],
+    summary: null
+  };
+}
+function addTimelineEntry(session, entry) {
+  const lastEntry = session.timeline[session.timeline.length - 1];
+  let gap = null;
+  if (lastEntry) {
+    gap = new Date(entry.timestamp).getTime() - new Date(lastEntry.timestamp).getTime();
+  }
+  session.timeline.push({
+    ...entry,
+    seq: session.timeline.length + 1,
+    gap_since_last_ms: gap
+  });
+}
+function finalizeSession(session, auditEntries, summary) {
+  session.finished_at = (/* @__PURE__ */ new Date()).toISOString();
+  session.audit_entries = [...auditEntries];
+  session.summary = {
+    total_calls: summary.total_calls,
+    passed: summary.passed,
+    failed: summary.failed,
+    avg_response_time_ms: summary.avg_response_time_ms,
+    errors_by_phase: summary.errors_by_phase
+  };
+}
+function saveSession(session) {
+  const dir = ensureSessionsDir();
+  const dateSlug = session.started_at.replace(/[:.]/g, "-").slice(0, 19);
+  const filename = `${dateSlug}_${session.id}.json`;
+  const filepath = join(dir, filename);
+  writeFileSync(filepath, JSON.stringify(session, null, 2) + "\n");
+  return filepath;
+}
+function loadSession(filepath) {
+  const raw = readFileSync(filepath, "utf-8");
+  return JSON.parse(raw);
+}
+function listSessions() {
+  const dir = getSessionsDir();
+  if (!existsSync(dir)) return [];
+  const files = readdirSync(dir).filter((f) => f.endsWith(".json")).sort().reverse();
+  const sessions2 = [];
+  for (const file of files) {
+    const filepath = join(dir, file);
+    try {
+      const session = loadSession(filepath);
+      sessions2.push({ path: filepath, session });
+    } catch {
+    }
+  }
+  return sessions2;
+}
+
+// src/mcp-server.ts
+var MCP_PROTOCOL_VERSION = "2025-03-26";
+var BOLD3 = "\x1B[1m";
+var DIM3 = "\x1B[2m";
+var RESET3 = "\x1B[0m";
+var RED3 = "\x1B[31m";
+var GREEN3 = "\x1B[32m";
+var YELLOW3 = "\x1B[33m";
+var CYAN2 = "\x1B[36m";
+var MAGENTA2 = "\x1B[35m";
+var WHITE2 = "\x1B[37m";
+var BG_BLUE = "\x1B[44m";
+function jsonRpcError(id, code, message) {
+  return { jsonrpc: "2.0", id, error: { code, message } };
+}
+function jsonRpcResult(id, result) {
+  return { jsonrpc: "2.0", id, result };
+}
+var PARSE_ERROR = -32700;
+var INVALID_REQUEST = -32600;
+var METHOD_NOT_FOUND = -32601;
+var INVALID_PARAMS = -32602;
+var INTERNAL_ERROR = -32603;
+var sessions = /* @__PURE__ */ new Map();
+function createSession2() {
+  const id = crypto.randomBytes(16).toString("hex");
+  const session = { id, initialized: false, createdAt: Date.now() };
+  sessions.set(id, session);
+  return session;
+}
+var callTimeline = [];
+var lastCallTime = null;
+var activeStoredSession = null;
+function recordTimelineEntry(entry) {
+  const now = Date.now();
+  const gap = lastCallTime !== null ? now - lastCallTime : null;
+  callTimeline.push({
+    ...entry,
+    seq: callTimeline.length + 1,
+    gap_since_last_ms: gap
+  });
+  lastCallTime = now;
+  if (activeStoredSession) {
+    addTimelineEntry(activeStoredSession, entry);
+  }
+}
+function printTimeline() {
+  if (callTimeline.length === 0) {
+    console.log(`
+${DIM3}No tool calls were made during this session.${RESET3}`);
+    return;
+  }
+  const border = "\u2550".repeat(68);
+  console.log("");
+  console.log(`${BOLD3}\u2554${border}\u2557${RESET3}`);
+  console.log(`${BOLD3}\u2551${RESET3}  ${BG_BLUE}${WHITE2}${BOLD3} CALL TIMELINE ${RESET3}${" ".repeat(53)}${BOLD3}\u2551${RESET3}`);
+  console.log(`${BOLD3}\u2560${border}\u2563${RESET3}`);
+  for (const entry of callTimeline) {
+    const icon = entry.success ? `${GREEN3}\u2713${RESET3}` : `${RED3}\u2717${RESET3}`;
+    const gapStr = entry.gap_since_last_ms !== null ? `${DIM3}+${formatDuration(entry.gap_since_last_ms)} gap${RESET3}  ` : "";
+    const statusStr = entry.status !== null ? `${entry.status}` : "ERR";
+    const statusColor = entry.success ? GREEN3 : RED3;
+    console.log(`${BOLD3}\u2551${RESET3}  ${DIM3}#${entry.seq}${RESET3} ${icon} ${BOLD3}${entry.tool_name}${RESET3}`);
+    console.log(`${BOLD3}\u2551${RESET3}     ${gapStr}${statusColor}${statusStr}${RESET3} in ${BOLD3}${entry.elapsed_ms}ms${RESET3}  ${DIM3}${entry.timestamp}${RESET3}`);
+    const argKeys = Object.keys(entry.arguments);
+    if (argKeys.length > 0) {
+      const argStr = argKeys.map((k) => {
+        const v = entry.arguments[k];
+        const display = typeof v === "string" ? v.length > 30 ? `"${v.slice(0, 30)}..."` : `"${v}"` : JSON.stringify(v);
+        return `${k}=${display}`;
+      }).join(", ");
+      console.log(`${BOLD3}\u2551${RESET3}     ${DIM3}args: ${argStr}${RESET3}`);
+    }
+    if (entry.error) {
+      console.log(`${BOLD3}\u2551${RESET3}     ${RED3}${entry.error}${RESET3}`);
+    }
+    console.log(`${BOLD3}\u2551${RESET3}`);
+  }
+  const totalTime = callTimeline.reduce((s, e) => s + e.elapsed_ms, 0);
+  const successCount = callTimeline.filter((e) => e.success).length;
+  const failCount = callTimeline.length - successCount;
+  const avgGap = callTimeline.filter((e) => e.gap_since_last_ms !== null).reduce((s, e) => s + e.gap_since_last_ms, 0);
+  const gapCount = callTimeline.filter((e) => e.gap_since_last_ms !== null).length;
+  const toolFreq = {};
+  for (const e of callTimeline) {
+    toolFreq[e.tool_name] = (toolFreq[e.tool_name] ?? 0) + 1;
+  }
+  console.log(`${BOLD3}\u2560${border}\u2563${RESET3}`);
+  console.log(`${BOLD3}\u2551${RESET3}  ${BOLD3}Total calls:${RESET3}     ${callTimeline.length} (${GREEN3}${successCount} passed${RESET3}, ${failCount > 0 ? RED3 : DIM3}${failCount} failed${RESET3})`);
+  console.log(`${BOLD3}\u2551${RESET3}  ${BOLD3}Total time:${RESET3}      ${formatDuration(totalTime)} (execution only)`);
+  if (gapCount > 0) {
+    console.log(`${BOLD3}\u2551${RESET3}  ${BOLD3}Avg AI think:${RESET3}    ${formatDuration(Math.round(avgGap / gapCount))} between calls`);
+  }
+  console.log(`${BOLD3}\u2551${RESET3}  ${BOLD3}Tools used:${RESET3}`);
+  for (const [tool, count] of Object.entries(toolFreq).sort((a, b) => b[1] - a[1])) {
+    console.log(`${BOLD3}\u2551${RESET3}    ${DIM3}-${RESET3} ${tool}: ${BOLD3}${count}x${RESET3}`);
+  }
+  console.log(`${BOLD3}\u255A${border}\u255D${RESET3}`);
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  if (ms < 6e4) return `${(ms / 1e3).toFixed(1)}s`;
+  return `${Math.floor(ms / 6e4)}m${Math.round(ms % 6e4 / 1e3)}s`;
+}
+function paramTypeToSchema(param) {
+  const schema = {};
+  switch (param.type) {
+    case "string":
+      schema.type = "string";
+      break;
+    case "number":
+      schema.type = "number";
+      break;
+    case "boolean":
+      schema.type = "boolean";
+      break;
+    case "object":
+      schema.type = "object";
+      schema.additionalProperties = true;
+      break;
+    case "array":
+      schema.type = "array";
+      schema.items = { type: "string" };
+      break;
+    default:
+      schema.type = "string";
+      break;
+  }
+  if (param.description) schema.description = param.description;
+  return schema;
+}
+function buildInputSchema(toolConfig) {
+  if (toolConfig.request_schema && Object.keys(toolConfig.request_schema).length > 0) {
+    return toolConfig.request_schema;
+  }
+  const properties = {};
+  const required = [];
+  for (const param of toolConfig.parameter_mapping) {
+    properties[param.name] = paramTypeToSchema(param);
+    if (param.required) required.push(param.name);
+  }
+  const schema = { type: "object", properties };
+  if (required.length > 0) schema.required = required;
+  return schema;
+}
+function toApp(config, baseUrlOverride) {
+  return {
+    id: "local-mcp",
+    user_id: "local-mcp",
+    name: config.app.name,
+    slug: config.app.name.toLowerCase().replace(/[^a-z0-9]+/g, "-"),
+    description: "",
+    base_url: baseUrlOverride ?? config.app.base_url,
+    auth_type: config.app.auth_type,
+    auth_config: config.app.auth_config ?? {},
+    is_published: true,
+    auto_approve_keys: false,
+    default_key_tier: "free",
+    enable_cli_access: true,
+    global_headers: config.app.global_headers,
+    x402_enabled: false,
+    x402_bazaar_listed: false,
+    created_at: /* @__PURE__ */ new Date(),
+    updated_at: /* @__PURE__ */ new Date()
+  };
+}
+function toTool(toolConfig) {
+  return {
+    id: `local-${toolConfig.name}`,
+    app_id: "local-mcp",
+    name: toolConfig.name,
+    slug: toolConfig.name.toLowerCase().replace(/[^a-z0-9]+/g, "-"),
+    description: toolConfig.description ?? "",
+    http_method: toolConfig.http_method,
+    endpoint_path: toolConfig.endpoint_path,
+    request_schema: toolConfig.request_schema ?? {},
+    response_schema: toolConfig.response_schema,
+    parameter_mapping: toolConfig.parameter_mapping,
+    headers_template: toolConfig.headers_template,
+    permission_level: toolConfig.permission_level ?? "read",
+    mcp_annotations: toolConfig.mcp_annotations,
+    cache_ttl_seconds: 0,
+    sort_order: 0,
+    is_active: true,
+    created_at: /* @__PURE__ */ new Date(),
+    updated_at: /* @__PURE__ */ new Date()
+  };
+}
+async function executeToolCall(app, tool, toolConfig, args, logger, timeout, consumerToken) {
+  const audit = logger.startInvocation(tool.name, tool.http_method, tool.endpoint_path);
+  audit.setInput(args);
+  audit.recordParameterResolutions(tool.parameter_mapping, args);
+  const startTime = performance.now();
+  let request;
+  try {
+    request = buildBackendRequest(tool, app, args, consumerToken);
+  } catch (err) {
+    audit.setError({
+      phase: "request_build",
+      message: err.message,
+      details: "buildBackendRequest() threw \u2014 check parameter_mapping and auth_config"
+    });
+    audit.finish(false);
+    const elapsed2 = Math.round(performance.now() - startTime);
+    return { isError: true, text: err.message, status: null, elapsedMs: elapsed2, errorMessage: err.message };
+  }
+  audit.setRequest(request.url, request.method, request.headers, request.body);
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  let response;
+  try {
+    response = await fetch(request.url, {
+      method: request.method,
+      headers: request.headers,
+      body: request.body !== void 0 ? JSON.stringify(request.body) : void 0,
+      signal: controller.signal,
+      redirect: "follow"
+    });
+  } catch (err) {
+    clearTimeout(timeoutId);
+    const error = err;
+    if (error.name === "AbortError") {
+      audit.setError({ phase: "timeout", message: `Request timed out after ${timeout}ms` });
+    } else {
+      audit.setError({ phase: "network", message: error.message });
+    }
+    audit.finish(false);
+    const elapsed2 = Math.round(performance.now() - startTime);
+    return { isError: true, text: error.message, status: null, elapsedMs: elapsed2, errorMessage: error.message };
+  } finally {
+    clearTimeout(timeoutId);
+  }
+  let responseBodyRaw;
+  try {
+    responseBodyRaw = await response.text();
+  } catch (err) {
+    audit.setError({ phase: "response_parse", message: `Failed to read response: ${err.message}` });
+    audit.finish(false);
+    const elapsed2 = Math.round(performance.now() - startTime);
+    return { isError: true, text: err.message, status: response.status, elapsedMs: elapsed2, errorMessage: err.message };
+  }
+  let responseBody;
+  const contentType = response.headers.get("content-type") ?? "";
+  if (contentType.includes("application/json")) {
+    try {
+      responseBody = JSON.parse(responseBodyRaw);
+    } catch {
+      audit.addDiagnostic("Response has Content-Type application/json but body is not valid JSON");
+    }
+  }
+  const responseHeaders = {};
+  response.headers.forEach((value, key) => {
+    responseHeaders[key] = value;
+  });
+  audit.setResponse(
+    response.status,
+    response.statusText,
+    responseHeaders,
+    responseBody ?? responseBodyRaw,
+    responseBodyRaw
+  );
+  if (toolConfig.response_schema && Object.keys(toolConfig.response_schema).length > 0 && responseBody !== void 0) {
+    const errors = [];
+    const schema = toolConfig.response_schema;
+    if (schema["type"] === "object" && typeof responseBody === "object" && responseBody !== null) {
+      const required = schema["required"];
+      if (required) {
+        for (const field of required) {
+          if (!(field in responseBody)) {
+            errors.push(`Missing required field: "${field}"`);
+          }
+        }
+      }
+    }
+    audit.setResponseValidation({ valid: errors.length === 0, errors });
+  }
+  const isSuccess = response.status >= 200 && response.status < 400;
+  audit.finish(isSuccess);
+  const elapsed = Math.round(performance.now() - startTime);
+  if (!isSuccess) {
+    const truncated = responseBodyRaw.length > 500 ? responseBodyRaw.slice(0, 500) + "..." : responseBodyRaw;
+    return { isError: true, text: `Backend returned ${response.status}: ${truncated}`, status: response.status, elapsedMs: elapsed, errorMessage: `Backend returned ${response.status}` };
+  }
+  if (responseBody !== void 0) {
+    return { isError: false, text: JSON.stringify(responseBody, null, 2), status: response.status, elapsedMs: elapsed, errorMessage: null };
+  }
+  return { isError: false, text: responseBodyRaw, status: response.status, elapsedMs: elapsed, errorMessage: null };
+}
+function handleInitialize(rpc, config) {
+  return jsonRpcResult(rpc.id ?? null, {
+    protocolVersion: MCP_PROTOCOL_VERSION,
+    capabilities: {
+      tools: { listChanged: false }
+    },
+    serverInfo: {
+      name: `${config.app.name} (local)`,
+      version: "0.1.0"
+    }
+  });
+}
+function inferAnnotations(toolConfig) {
+  const method = toolConfig.http_method;
+  const isReadOnly = (toolConfig.permission_level ?? "read") === "read" /* read */ || method === "GET" /* GET */;
+  return {
+    readOnlyHint: isReadOnly,
+    destructiveHint: method === "DELETE" /* DELETE */,
+    idempotentHint: method === "GET" /* GET */ || method === "PUT" /* PUT */,
+    openWorldHint: true
+  };
+}
+function handleToolsList(rpc, config) {
+  const appSlug = config.app.name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+  const mcpTools = config.tools.map((toolConfig) => {
+    const toolSlug = toolConfig.name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+    return {
+      name: `${appSlug}_${toolSlug}`,
+      description: toolConfig.description ?? toolConfig.name,
+      inputSchema: buildInputSchema(toolConfig),
+      annotations: toolConfig.mcp_annotations ?? inferAnnotations(toolConfig)
+    };
+  });
+  return jsonRpcResult(rpc.id ?? null, { tools: mcpTools });
+}
+async function handleToolsCall(rpc, config, app, logger, timeout, sessionId, oauthStore, oauthConfig) {
+  const params = rpc.params ?? {};
+  const toolName = params.name;
+  const args = params.arguments ?? {};
+  if (!toolName) {
+    return jsonRpcError(rpc.id ?? null, INVALID_PARAMS, "Missing required parameter: name");
+  }
+  const appSlug = config.app.name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+  const prefix = `${appSlug}_`;
+  const lookupSlug = toolName.startsWith(prefix) ? toolName.slice(prefix.length) : toolName;
+  const toolConfig = config.tools.find((t) => {
+    const slug = t.name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+    return slug === lookupSlug || t.name === lookupSlug;
+  });
+  if (!toolConfig) {
+    return jsonRpcError(rpc.id ?? null, INVALID_PARAMS, `Tool not found: ${toolName}`);
+  }
+  let consumerToken;
+  if (oauthStore && oauthConfig) {
+    const token = await getAccessToken(oauthStore, oauthConfig);
+    if (token) {
+      consumerToken = token;
+    } else {
+      return jsonRpcError(
+        rpc.id ?? null,
+        INVALID_REQUEST,
+        "OAuth2 authentication required. Visit /oauth/start to authenticate."
+      );
+    }
+  }
+  const tool = toTool(toolConfig);
+  const result = await executeToolCall(app, tool, toolConfig, args, logger, timeout, consumerToken);
+  recordTimelineEntry({
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    session_id: sessionId,
+    tool_name: toolName,
+    arguments: args,
+    success: !result.isError,
+    status: result.status,
+    elapsed_ms: result.elapsedMs,
+    error: result.errorMessage
+  });
+  return jsonRpcResult(rpc.id ?? null, {
+    content: [{ type: "text", text: result.text }],
+    isError: result.isError
+  });
+}
+function readBody(req) {
+  return new Promise((resolve2, reject) => {
+    const chunks = [];
+    req.on("data", (chunk) => chunks.push(chunk));
+    req.on("end", () => resolve2(Buffer.concat(chunks).toString("utf-8")));
+    req.on("error", reject);
+  });
+}
+function sendSseEvent(res, event, data) {
+  res.write(`event: ${event}
+data: ${JSON.stringify(data)}
+
+`);
+}
+function startMcpServer(config, options) {
+  const app = toApp(config, options.baseUrl);
+  const logger = new AuditLogger({
+    outputPath: void 0,
+    verbose: options.verbose
+  });
+  const appSlug = config.app.name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+  const storedSession = createSession({
+    type: "serve",
+    appName: config.app.name,
+    configPath: options.configPath ?? "unknown",
+    baseUrl: options.baseUrl ?? config.app.base_url,
+    tools: config.tools.map(
+      (t) => `${appSlug}_${t.name.toLowerCase().replace(/[^a-z0-9]+/g, "-")}`
+    )
+  });
+  activeStoredSession = storedSession;
+  const timeout = 3e4;
+  let callCount = 0;
+  let oauthTokenStore = null;
+  let oauthConfig = null;
+  if (config.app.auth_type === "oauth2" /* oauth2 */ && config.app.auth_config) {
+    const ac = config.app.auth_config;
+    if (ac.authorize_url && ac.token_url) {
+      oauthConfig = {
+        authorize_url: ac.authorize_url,
+        token_url: ac.token_url,
+        client_id: ac.client_id ?? "",
+        client_secret: ac.client_secret ?? "",
+        scopes: ac.scopes ?? "",
+        use_pkce: ac.use_pkce !== false
+        // default true
+      };
+      oauthTokenStore = new OAuthTokenStore();
+    }
+  }
+  const server = createServer(async (req, res) => {
+    res.setHeader("Access-Control-Allow-Origin", "*");
+    res.setHeader("Access-Control-Allow-Methods", "GET, POST, DELETE, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, Mcp-Session-Id, Accept");
+    res.setHeader("Access-Control-Expose-Headers", "Mcp-Session-Id");
+    if (req.method === "OPTIONS") {
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    const url = new URL(req.url ?? "/", `http://localhost:${options.port}`);
+    if (req.method === "GET" && url.pathname === "/health") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        status: "ok",
+        tools: config.tools.length,
+        calls: callCount,
+        oauth: oauthTokenStore ? { enabled: true, authenticated: oauthTokenStore.isAuthenticated() } : { enabled: false }
+      }));
+      return;
+    }
+    if (req.method === "GET" && url.pathname === "/timeline") {
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ calls: callTimeline }, null, 2));
+      return;
+    }
+    if (req.method === "GET" && url.pathname === "/mcp") {
+      const sessionId = req.headers["mcp-session-id"];
+      if (!sessionId || !sessions.has(sessionId)) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "Missing or invalid Mcp-Session-Id" }));
+        return;
+      }
+      res.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        "Connection": "keep-alive",
+        "Mcp-Session-Id": sessionId
+      });
+      const keepAlive = setInterval(() => {
+        res.write(": keep-alive\n\n");
+      }, 3e4);
+      req.on("close", () => {
+        clearInterval(keepAlive);
+      });
+      return;
+    }
+    if (req.method === "DELETE" && url.pathname === "/mcp") {
+      const sessionId = req.headers["mcp-session-id"];
+      if (sessionId) sessions.delete(sessionId);
+      res.writeHead(204);
+      res.end();
+      return;
+    }
+    if (req.method === "POST" && url.pathname === "/mcp") {
+      let body;
+      try {
+        body = await readBody(req);
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(jsonRpcError(null, PARSE_ERROR, "Failed to read request body")));
+        return;
+      }
+      let rpc;
+      try {
+        const parsed = JSON.parse(body);
+        if (!parsed || parsed.jsonrpc !== "2.0" || !parsed.method) {
+          throw new Error("Invalid JSON-RPC");
+        }
+        rpc = parsed;
+      } catch {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify(jsonRpcError(null, PARSE_ERROR, "Invalid JSON-RPC 2.0 request")));
+        return;
+      }
+      const isNotification = rpc.id === void 0 || rpc.id === null;
+      let session;
+      const sessionId = req.headers["mcp-session-id"];
+      if (rpc.method === "initialize") {
+        session = createSession2();
+      } else if (sessionId) {
+        session = sessions.get(sessionId);
+        if (!session) {
+          res.writeHead(400, { "Content-Type": "application/json" });
+          res.end(JSON.stringify(jsonRpcError(rpc.id ?? null, INVALID_REQUEST, "Invalid or expired session")));
+          return;
+        }
+      }
+      if (isNotification) {
+        if (rpc.method === "notifications/initialized" && session) {
+          session.initialized = true;
+        }
+        res.writeHead(202);
+        res.end();
+        return;
+      }
+      const acceptHeader = req.headers["accept"] ?? "";
+      const wantsSse = acceptHeader.includes("text/event-stream");
+      let response;
+      try {
+        switch (rpc.method) {
+          case "initialize":
+            response = handleInitialize(rpc, config);
+            console.log(`${CYAN2}${BOLD3}[MCP]${RESET3} Session initialized: ${session?.id ?? "unknown"}`);
+            break;
+          case "tools/list":
+            response = handleToolsList(rpc, config);
+            console.log(`${MAGENTA2}${BOLD3}[MCP]${RESET3} tools/list \u2014 returned ${config.tools.length} tool(s)`);
+            break;
+          case "tools/call": {
+            callCount++;
+            const toolName = (rpc.params ?? {}).name;
+            console.log(`
+${YELLOW3}${BOLD3}[MCP]${RESET3} tools/call #${callCount} \u2014 ${toolName ?? "unknown"}`);
+            if (wantsSse) {
+              const sseHeaders = {
+                "Content-Type": "text/event-stream",
+                "Cache-Control": "no-cache",
+                "Connection": "keep-alive"
+              };
+              if (session) sseHeaders["Mcp-Session-Id"] = session.id;
+              res.writeHead(200, sseHeaders);
+              sendSseEvent(res, "message", {
+                jsonrpc: "2.0",
+                method: "notifications/progress",
+                params: { progressToken: rpc.id, progress: 0, total: 1 }
+              });
+              const toolResponse = await handleToolsCall(rpc, config, app, logger, timeout, session?.id ?? null, oauthTokenStore, oauthConfig);
+              sendSseEvent(res, "message", toolResponse);
+              res.end();
+              return;
+            }
+            response = await handleToolsCall(rpc, config, app, logger, timeout, session?.id ?? null, oauthTokenStore, oauthConfig);
+            break;
+          }
+          case "ping":
+            response = jsonRpcResult(rpc.id ?? null, {});
+            break;
+          default:
+            response = jsonRpcError(rpc.id ?? null, METHOD_NOT_FOUND, `Method not found: ${rpc.method}`);
+            break;
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : "Internal error";
+        response = jsonRpcError(rpc.id ?? null, INTERNAL_ERROR, message);
+      }
+      if (session) {
+        res.setHeader("Mcp-Session-Id", session.id);
+      }
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(response));
+      return;
+    }
+    if (req.method === "GET" && url.pathname === "/oauth/start") {
+      if (!oauthTokenStore || !oauthConfig) {
+        res.writeHead(400, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: "This app does not use OAuth2 authentication" }));
+        return;
+      }
+      if (oauthTokenStore.isAuthenticated() && !oauthTokenStore.needsRefresh()) {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ status: "already_authenticated" }));
+        return;
+      }
+      try {
+        await startOAuthFlow(oauthTokenStore, oauthConfig);
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ status: "authenticated" }));
+        console.log(`${GREEN3}${BOLD3}[OAuth]${RESET3} Successfully authenticated with upstream provider`);
+      } catch (err) {
+        res.writeHead(500, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ error: err.message }));
+        console.error(`${RED3}${BOLD3}[OAuth]${RESET3} Authentication failed: ${err.message}`);
+      }
+      return;
+    }
+    if (req.method === "GET" && url.pathname === "/oauth/status") {
+      if (!oauthTokenStore) {
+        res.writeHead(200, { "Content-Type": "application/json" });
+        res.end(JSON.stringify({ oauth_enabled: false }));
+        return;
+      }
+      const tokens = oauthTokenStore.getTokens();
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({
+        oauth_enabled: true,
+        authenticated: oauthTokenStore.isAuthenticated(),
+        expires_at: tokens?.expires_at ?? null,
+        has_refresh_token: !!tokens?.refresh_token
+      }));
+      return;
+    }
+    res.writeHead(404, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Not found. MCP endpoint is POST /mcp" }));
+  });
+  server.listen(options.port, "127.0.0.1", () => {
+    const appSlug2 = config.app.name.toLowerCase().replace(/[^a-z0-9]+/g, "-");
+    const toolSlugs = config.tools.map(
+      (t) => `${appSlug2}_${t.name.toLowerCase().replace(/[^a-z0-9]+/g, "-")}`
+    );
+    console.log("");
+    console.log(`${GREEN3}${BOLD3}ToolRelay MCP Server running${RESET3}`);
+    console.log(`${DIM3}${"\u2500".repeat(60)}${RESET3}`);
+    console.log(`  ${BOLD3}MCP endpoint:${RESET3}  http://localhost:${options.port}/mcp`);
+    console.log(`  ${BOLD3}Health check:${RESET3}  http://localhost:${options.port}/health`);
+    console.log(`  ${BOLD3}Timeline:${RESET3}      http://localhost:${options.port}/timeline`);
+    console.log(`  ${BOLD3}Backend:${RESET3}       ${app.base_url}`);
+    console.log(`  ${BOLD3}Auth:${RESET3}          ${app.auth_type}`);
+    if (oauthTokenStore) {
+      console.log(`  ${BOLD3}OAuth start:${RESET3}   http://localhost:${options.port}/oauth/start`);
+      console.log(`  ${BOLD3}OAuth status:${RESET3}  http://localhost:${options.port}/oauth/status`);
+    }
+    console.log(`  ${BOLD3}Tools (${config.tools.length}):${RESET3}`);
+    for (const slug of toolSlugs) {
+      console.log(`    ${DIM3}-${RESET3} ${slug}`);
+    }
+    console.log(`${DIM3}${"\u2500".repeat(60)}${RESET3}`);
+    console.log("");
+    console.log(`${BOLD3}Claude Desktop config:${RESET3}`);
+    console.log(`  Add to ~/Library/Application Support/Claude/claude_desktop_config.json:`);
+    console.log("");
+    console.log(`  ${DIM3}{${RESET3}`);
+    console.log(`  ${DIM3}  "mcpServers": {${RESET3}`);
+    console.log(`  ${DIM3}    "${appSlug2}-local": {${RESET3}`);
+    console.log(`  ${DIM3}      "url": "http://localhost:${options.port}/mcp"${RESET3}`);
+    console.log(`  ${DIM3}    }${RESET3}`);
+    console.log(`  ${DIM3}  }${RESET3}`);
+    console.log(`  ${DIM3}}${RESET3}`);
+    console.log("");
+    console.log(`${DIM3}Every tools/call will produce a full audit trace below.${RESET3}`);
+    console.log(`${DIM3}Press Ctrl+C to stop.${RESET3}`);
+    console.log("");
+    if (oauthTokenStore && oauthConfig && process.stdout.isTTY) {
+      console.log(`${YELLOW3}${BOLD3}[OAuth]${RESET3} This app requires OAuth2 authentication.`);
+      console.log(`${DIM3}Starting OAuth flow \u2014 your browser will open...${RESET3}
+`);
+      startOAuthFlow(oauthTokenStore, oauthConfig).then(() => {
+        console.log(`${GREEN3}${BOLD3}[OAuth]${RESET3} Authenticated successfully. Tool calls will use your OAuth token.
+`);
+      }).catch((err) => {
+        console.error(`${RED3}${BOLD3}[OAuth]${RESET3} Auto-authentication failed: ${err.message}`);
+        console.error(`${DIM3}You can retry by visiting: http://localhost:${options.port}/oauth/start${RESET3}
+`);
+      });
+    } else if (oauthTokenStore && oauthConfig) {
+      console.log(`${YELLOW3}${BOLD3}[OAuth]${RESET3} This app requires OAuth2 authentication.`);
+      console.log(`${DIM3}Visit http://localhost:${options.port}/oauth/start to authenticate.${RESET3}
+`);
+    }
+  });
+  const shutdown = () => {
+    console.log(`
+${DIM3}Shutting down...${RESET3}`);
+    printTimeline();
+    const summary = logger.printSummary();
+    finalizeSession(storedSession, logger.getEntries(), summary);
+    const sessionPath = saveSession(storedSession);
+    console.log(`
+${DIM3}Session saved: ${sessionPath}${RESET3}`);
+    console.log(`${DIM3}View all sessions: npx @toolrelay/cli ui${RESET3}`);
+    activeStoredSession = null;
+    server.close();
+    process.exit(summary.failed > 0 ? 1 : 0);
+  };
+  process.on("SIGINT", shutdown);
+  process.on("SIGTERM", shutdown);
+}
+
+// src/ui-html.ts
+function buildHtml(sessionsJson) {
+  return HTML_TEMPLATE.replace("{{SESSIONS_JSON}}", sessionsJson);
+}
+var HTML_TEMPLATE = (
+  /* html */
+  `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>ToolRelay \u2014 Session Viewer</title>
+<style>
+  :root {
+    --bg: #0f1117;
+    --surface: #1a1d27;
+    --surface-2: #242837;
+    --border: #2e3348;
+    --text: #e1e4ed;
+    --text-dim: #8b8fa7;
+    --accent: #6c8aff;
+    --accent-dim: #3d5199;
+    --green: #34d399;
+    --green-bg: rgba(52, 211, 153, 0.1);
+    --red: #f87171;
+    --red-bg: rgba(248, 113, 113, 0.1);
+    --yellow: #fbbf24;
+    --yellow-bg: rgba(251, 191, 36, 0.1);
+    --mono: 'SF Mono', 'Cascadia Code', 'Fira Code', 'JetBrains Mono', monospace;
+    --sans: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+  }
+
+  * { margin: 0; padding: 0; box-sizing: border-box; }
+
+  body {
+    font-family: var(--sans);
+    background: var(--bg);
+    color: var(--text);
+    line-height: 1.5;
+    min-height: 100vh;
+  }
+
+  /* \u2500\u2500 Header \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .header {
+    border-bottom: 1px solid var(--border);
+    padding: 16px 24px;
+    display: flex;
+    align-items: center;
+    gap: 12px;
+    background: var(--surface);
+  }
+  .header h1 {
+    font-size: 16px;
+    font-weight: 600;
+    letter-spacing: -0.01em;
+  }
+  .header .subtitle {
+    color: var(--text-dim);
+    font-size: 13px;
+  }
+  .header .count-badge {
+    background: var(--accent-dim);
+    color: var(--accent);
+    font-size: 11px;
+    font-weight: 600;
+    padding: 2px 8px;
+    border-radius: 10px;
+    margin-left: auto;
+  }
+
+  /* \u2500\u2500 Layout \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .layout {
+    display: flex;
+    height: calc(100vh - 53px);
+  }
+  .sidebar {
+    width: 340px;
+    min-width: 340px;
+    border-right: 1px solid var(--border);
+    overflow-y: auto;
+    background: var(--surface);
+  }
+  .main {
+    flex: 1;
+    overflow-y: auto;
+    padding: 24px;
+  }
+
+  /* \u2500\u2500 Session list \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .session-item {
+    padding: 12px 16px;
+    border-bottom: 1px solid var(--border);
+    cursor: pointer;
+    transition: background 0.15s;
+  }
+  .session-item:hover { background: var(--surface-2); }
+  .session-item.active {
+    background: var(--surface-2);
+    border-left: 3px solid var(--accent);
+    padding-left: 13px;
+  }
+  .session-item .row {
+    display: flex;
+    align-items: center;
+    gap: 8px;
+    margin-bottom: 4px;
+  }
+  .session-item .app-name {
+    font-weight: 600;
+    font-size: 14px;
+  }
+  .session-item .type-badge {
+    font-size: 10px;
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+    font-weight: 700;
+    padding: 1px 6px;
+    border-radius: 3px;
+  }
+  .type-badge.serve { background: rgba(108, 138, 255, 0.15); color: var(--accent); }
+  .type-badge.test { background: var(--yellow-bg); color: var(--yellow); }
+  .session-item .meta {
+    font-size: 12px;
+    color: var(--text-dim);
+    display: flex;
+    gap: 12px;
+  }
+  .session-item .stats {
+    display: flex;
+    gap: 10px;
+    margin-top: 6px;
+    font-size: 12px;
+    font-family: var(--mono);
+  }
+  .stat-pass { color: var(--green); }
+  .stat-fail { color: var(--red); }
+  .stat-time { color: var(--text-dim); }
+
+  /* \u2500\u2500 Empty states \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .empty-state {
+    text-align: center;
+    padding: 80px 24px;
+    color: var(--text-dim);
+  }
+  .empty-state h2 { font-size: 18px; margin-bottom: 8px; color: var(--text); }
+  .empty-state p { font-size: 14px; max-width: 400px; margin: 0 auto; }
+  .empty-state code {
+    display: inline-block;
+    margin-top: 16px;
+    background: var(--surface-2);
+    padding: 8px 16px;
+    border-radius: 6px;
+    font-family: var(--mono);
+    font-size: 13px;
+    color: var(--accent);
+  }
+
+  /* \u2500\u2500 Session detail \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .detail-header {
+    margin-bottom: 24px;
+    padding-bottom: 16px;
+    border-bottom: 1px solid var(--border);
+  }
+  .detail-header h2 {
+    font-size: 20px;
+    font-weight: 600;
+    margin-bottom: 4px;
+  }
+  .detail-header .detail-meta {
+    font-size: 13px;
+    color: var(--text-dim);
+    display: flex;
+    flex-wrap: wrap;
+    gap: 16px;
+  }
+
+  /* \u2500\u2500 Summary cards \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .summary-cards {
+    display: grid;
+    grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+    gap: 12px;
+    margin-bottom: 24px;
+  }
+  .card {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    padding: 14px 16px;
+  }
+  .card .card-label {
+    font-size: 11px;
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+    color: var(--text-dim);
+    margin-bottom: 4px;
+  }
+  .card .card-value {
+    font-size: 24px;
+    font-weight: 700;
+    font-family: var(--mono);
+  }
+  .card .card-value.green { color: var(--green); }
+  .card .card-value.red { color: var(--red); }
+  .card .card-value.accent { color: var(--accent); }
+
+  /* \u2500\u2500 Tabs \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .tabs {
+    display: flex;
+    gap: 0;
+    border-bottom: 1px solid var(--border);
+    margin-bottom: 20px;
+  }
+  .tab {
+    padding: 8px 16px;
+    font-size: 13px;
+    font-weight: 500;
+    cursor: pointer;
+    color: var(--text-dim);
+    border-bottom: 2px solid transparent;
+    transition: all 0.15s;
+    background: none;
+    border-top: none;
+    border-left: none;
+    border-right: none;
+  }
+  .tab:hover { color: var(--text); }
+  .tab.active {
+    color: var(--accent);
+    border-bottom-color: var(--accent);
+  }
+
+  /* \u2500\u2500 Timeline \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .timeline { list-style: none; }
+  .timeline-entry {
+    display: flex;
+    gap: 12px;
+    padding: 10px 0;
+    border-bottom: 1px solid var(--border);
+    cursor: pointer;
+    transition: background 0.15s;
+    border-radius: 4px;
+    padding-left: 8px;
+    padding-right: 8px;
+  }
+  .timeline-entry:hover { background: var(--surface-2); }
+  .timeline-entry.active { background: var(--surface-2); }
+  .timeline-entry .seq {
+    font-family: var(--mono);
+    font-size: 11px;
+    color: var(--text-dim);
+    min-width: 28px;
+    text-align: right;
+    padding-top: 2px;
+  }
+  .timeline-entry .icon {
+    font-size: 14px;
+    padding-top: 1px;
+  }
+  .timeline-entry .icon.pass { color: var(--green); }
+  .timeline-entry .icon.fail { color: var(--red); }
+  .timeline-entry .content { flex: 1; min-width: 0; }
+  .timeline-entry .tool-name {
+    font-weight: 600;
+    font-size: 13px;
+  }
+  .timeline-entry .entry-meta {
+    font-size: 12px;
+    color: var(--text-dim);
+    display: flex;
+    gap: 10px;
+    margin-top: 2px;
+  }
+  .timeline-entry .gap-badge {
+    font-size: 10px;
+    background: var(--surface-2);
+    padding: 1px 6px;
+    border-radius: 3px;
+    color: var(--text-dim);
+  }
+  .timeline-entry .status-badge {
+    font-family: var(--mono);
+    font-size: 11px;
+    font-weight: 600;
+    padding: 1px 6px;
+    border-radius: 3px;
+  }
+  .status-badge.s2xx { background: var(--green-bg); color: var(--green); }
+  .status-badge.s4xx { background: var(--red-bg); color: var(--red); }
+  .status-badge.s5xx { background: var(--red-bg); color: var(--red); }
+  .status-badge.serr { background: var(--red-bg); color: var(--red); }
+  .timeline-entry .timing {
+    font-family: var(--mono);
+    font-size: 11px;
+    color: var(--text-dim);
+    min-width: 60px;
+    text-align: right;
+    padding-top: 2px;
+  }
+
+  /* \u2500\u2500 Call detail panel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .call-detail {
+    background: var(--surface);
+    border: 1px solid var(--border);
+    border-radius: 8px;
+    margin-top: 20px;
+  }
+  .call-detail-header {
+    padding: 14px 16px;
+    border-bottom: 1px solid var(--border);
+    display: flex;
+    align-items: center;
+    gap: 8px;
+  }
+  .call-detail-header h3 {
+    font-size: 14px;
+    font-weight: 600;
+  }
+  .call-detail-section {
+    padding: 14px 16px;
+    border-bottom: 1px solid var(--border);
+  }
+  .call-detail-section:last-child { border-bottom: none; }
+  .call-detail-section h4 {
+    font-size: 11px;
+    text-transform: uppercase;
+    letter-spacing: 0.05em;
+    color: var(--text-dim);
+    margin-bottom: 8px;
+  }
+  pre.code-block {
+    background: var(--bg);
+    border-radius: 6px;
+    padding: 12px;
+    font-family: var(--mono);
+    font-size: 12px;
+    line-height: 1.6;
+    overflow-x: auto;
+    white-space: pre-wrap;
+    word-break: break-all;
+    color: var(--text);
+  }
+  .param-table {
+    width: 100%;
+    font-size: 13px;
+    border-collapse: collapse;
+  }
+  .param-table th {
+    text-align: left;
+    font-weight: 500;
+    color: var(--text-dim);
+    padding: 4px 8px 4px 0;
+    font-size: 11px;
+    text-transform: uppercase;
+    letter-spacing: 0.04em;
+  }
+  .param-table td {
+    padding: 4px 8px 4px 0;
+    font-family: var(--mono);
+    font-size: 12px;
+  }
+  .param-table tr { border-bottom: 1px solid var(--border); }
+  .param-table tr:last-child { border-bottom: none; }
+
+  /* \u2500\u2500 Diagnostics \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  .diagnostic {
+    padding: 8px 12px;
+    background: var(--yellow-bg);
+    border-radius: 6px;
+    font-size: 13px;
+    margin-bottom: 6px;
+    color: var(--yellow);
+  }
+  .error-block {
+    padding: 8px 12px;
+    background: var(--red-bg);
+    border-radius: 6px;
+    font-size: 13px;
+    color: var(--red);
+  }
+
+  /* \u2500\u2500 Scrollbar \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+  ::-webkit-scrollbar { width: 6px; height: 6px; }
+  ::-webkit-scrollbar-track { background: transparent; }
+  ::-webkit-scrollbar-thumb { background: var(--border); border-radius: 3px; }
+  ::-webkit-scrollbar-thumb:hover { background: var(--text-dim); }
+</style>
+</head>
+<body>
+
+<div class="header">
+  <h1>ToolRelay</h1>
+  <span class="subtitle">Session Viewer</span>
+  <span class="count-badge" id="session-count"></span>
+</div>
+
+<div class="layout">
+  <div class="sidebar" id="sidebar"></div>
+  <div class="main" id="main">
+    <div class="empty-state">
+      <h2>No sessions yet</h2>
+      <p>Run the MCP server or test suite to generate session data.</p>
+      <code>npx @toolrelay/cli serve toolrelay.json</code>
+    </div>
+  </div>
+</div>
+
+<script>
+const SESSIONS = {{SESSIONS_JSON}};
+
+let activeSessionIdx = null;
+let activeTab = 'timeline';
+let activeCallIdx = null;
+
+// \u2500\u2500 Render sidebar \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+function renderSidebar() {
+  const el = document.getElementById('sidebar');
+  document.getElementById('session-count').textContent = SESSIONS.length + ' session' + (SESSIONS.length !== 1 ? 's' : '');
+
+  if (SESSIONS.length === 0) {
+    el.innerHTML = '<div class="empty-state"><p>No sessions found</p></div>';
+    return;
+  }
+
+  el.innerHTML = SESSIONS.map((s, i) => {
+    const date = new Date(s.started_at);
+    const timeStr = date.toLocaleDateString() + ' ' + date.toLocaleTimeString();
+    const passed = s.summary?.passed ?? 0;
+    const failed = s.summary?.failed ?? 0;
+    const avgMs = s.summary?.avg_response_time_ms ?? 0;
+    const active = i === activeSessionIdx ? ' active' : '';
+    return '<div class="session-item' + active + '" onclick="selectSession(' + i + ')">' +
+      '<div class="row">' +
+        '<span class="app-name">' + esc(s.app_name) + '</span>' +
+        '<span class="type-badge ' + s.type + '">' + s.type + '</span>' +
+      '</div>' +
+      '<div class="meta">' +
+        '<span>' + timeStr + '</span>' +
+        '<span>' + s.timeline.length + ' calls</span>' +
+      '</div>' +
+      '<div class="stats">' +
+        (passed > 0 ? '<span class="stat-pass">' + passed + ' passed</span>' : '') +
+        (failed > 0 ? '<span class="stat-fail">' + failed + ' failed</span>' : '') +
+        '<span class="stat-time">' + avgMs + 'ms avg</span>' +
+      '</div>' +
+    '</div>';
+  }).join('');
+}
+
+// \u2500\u2500 Render main panel \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+function selectSession(idx) {
+  activeSessionIdx = idx;
+  activeCallIdx = null;
+  renderSidebar();
+  renderMain();
+}
+
+function renderMain() {
+  const el = document.getElementById('main');
+  if (activeSessionIdx === null) {
+    el.innerHTML = '<div class="empty-state"><h2>Select a session</h2><p>Click a session from the left panel to view its details.</p></div>';
+    return;
+  }
+
+  const s = SESSIONS[activeSessionIdx];
+  const date = new Date(s.started_at);
+  const endDate = s.finished_at ? new Date(s.finished_at) : null;
+  const duration = endDate ? formatMs(endDate.getTime() - date.getTime()) : 'running';
+
+  let html = '<div class="detail-header">' +
+    '<h2>' + esc(s.app_name) + '</h2>' +
+    '<div class="detail-meta">' +
+      '<span>Started: ' + date.toLocaleString() + '</span>' +
+      '<span>Duration: ' + duration + '</span>' +
+      '<span>Base URL: ' + esc(s.base_url) + '</span>' +
+      '<span>Config: ' + esc(s.config_path) + '</span>' +
+    '</div>' +
+  '</div>';
+
+  // Summary cards
+  const summary = s.summary;
+  if (summary) {
+    html += '<div class="summary-cards">' +
+      card('Total Calls', summary.total_calls, 'accent') +
+      card('Passed', summary.passed, 'green') +
+      card('Failed', summary.failed, summary.failed > 0 ? 'red' : '') +
+      card('Avg Latency', summary.avg_response_time_ms + 'ms', '') +
+    '</div>';
+  }
+
+  // Tabs
+  html += '<div class="tabs">' +
+    tabBtn('timeline', 'Timeline (' + s.timeline.length + ')') +
+    tabBtn('audit', 'Audit Log (' + s.audit_entries.length + ')') +
+    tabBtn('tools', 'Tools (' + s.tools.length + ')') +
+  '</div>';
+
+  // Tab content
+  if (activeTab === 'timeline') {
+    html += renderTimeline(s);
+  } else if (activeTab === 'audit') {
+    html += renderAuditLog(s);
+  } else if (activeTab === 'tools') {
+    html += renderTools(s);
+  }
+
+  el.innerHTML = html;
+}
+
+function renderTimeline(s) {
+  if (s.timeline.length === 0) {
+    return '<div class="empty-state"><p>No tool calls recorded in this session.</p></div>';
+  }
+
+  let html = '<ul class="timeline">';
+  for (let i = 0; i < s.timeline.length; i++) {
+    const t = s.timeline[i];
+    const isActive = i === activeCallIdx ? ' active' : '';
+    const iconClass = t.success ? 'pass' : 'fail';
+    const icon = t.success ? '\\u2713' : '\\u2717';
+    const statusClass = t.status === null ? 'serr' : t.status < 300 ? 's2xx' : t.status < 500 ? 's4xx' : 's5xx';
+    const statusText = t.status !== null ? t.status : 'ERR';
+    const gap = t.gap_since_last_ms !== null ? '<span class="gap-badge">+' + formatMs(t.gap_since_last_ms) + ' gap</span>' : '';
+
+    html += '<li class="timeline-entry' + isActive + '" onclick="selectCall(' + i + ')">' +
+      '<span class="seq">#' + t.seq + '</span>' +
+      '<span class="icon ' + iconClass + '">' + icon + '</span>' +
+      '<div class="content">' +
+        '<div class="tool-name">' + esc(t.tool_name) + '</div>' +
+        '<div class="entry-meta">' +
+          '<span class="status-badge ' + statusClass + '">' + statusText + '</span>' +
+          gap +
+          (t.error ? '<span style="color:var(--red);font-size:12px">' + esc(t.error) + '</span>' : '') +
+        '</div>' +
+      '</div>' +
+      '<span class="timing">' + t.elapsed_ms + 'ms</span>' +
+    '</li>';
+  }
+  html += '</ul>';
+
+  // Call detail panel
+  if (activeCallIdx !== null && s.audit_entries[activeCallIdx]) {
+    html += renderCallDetail(s.audit_entries[activeCallIdx], s.timeline[activeCallIdx]);
+  }
+
+  return html;
+}
+
+function renderCallDetail(audit, timeline) {
+  let html = '<div class="call-detail">';
+
+  // Header
+  html += '<div class="call-detail-header">' +
+    '<h3>' + esc(audit.tool_name) + '</h3>' +
+    '<span class="status-badge ' + (audit.success ? 's2xx' : 's4xx') + '">' + (audit.success ? 'PASS' : 'FAIL') + '</span>' +
+    '<span style="color:var(--text-dim);font-size:12px;margin-left:auto">' + audit.total_time_ms + 'ms</span>' +
+  '</div>';
+
+  // Input
+  html += '<div class="call-detail-section"><h4>Input Arguments</h4>' +
+    '<pre class="code-block">' + esc(JSON.stringify(audit.raw_input, null, 2)) + '</pre></div>';
+
+  // Parameter resolution
+  if (audit.parameter_resolutions && audit.parameter_resolutions.length > 0) {
+    html += '<div class="call-detail-section"><h4>Parameter Resolution</h4><table class="param-table">' +
+      '<tr><th>Name</th><th>Target</th><th>Backend Key</th><th>Value</th><th>Source</th></tr>';
+    for (const p of audit.parameter_resolutions) {
+      const sourceColor = p.source === 'missing' ? 'var(--red)' : p.source === 'default' ? 'var(--yellow)' : 'var(--green)';
+      html += '<tr><td>' + esc(p.name) + '</td><td>' + p.target + '</td><td>' + esc(p.backend_key) + '</td>' +
+        '<td>' + esc(JSON.stringify(p.value)) + '</td><td style="color:' + sourceColor + '">' + p.source + '</td></tr>';
+    }
+    html += '</table></div>';
+  }
+
+  // Request
+  html += '<div class="call-detail-section"><h4>Request</h4>' +
+    '<pre class="code-block">' + esc(audit.request_method + ' ' + audit.request_url) + '</pre>';
+  if (audit.request_body !== undefined) {
+    html += '<pre class="code-block" style="margin-top:8px">' + esc(JSON.stringify(audit.request_body, null, 2)) + '</pre>';
+  }
+  html += '</div>';
+
+  // Response
+  if (audit.response_status !== undefined) {
+    html += '<div class="call-detail-section"><h4>Response ' + audit.response_status + ' ' + (audit.response_status_text || '') + '</h4>';
+    if (audit.response_body !== undefined) {
+      const bodyStr = typeof audit.response_body === 'string'
+        ? audit.response_body
+        : JSON.stringify(audit.response_body, null, 2);
+      const truncated = bodyStr.length > 5000 ? bodyStr.slice(0, 5000) + '\\n... truncated' : bodyStr;
+      html += '<pre class="code-block">' + esc(truncated) + '</pre>';
+    }
+    html += '</div>';
+  }
+
+  // Diagnostics
+  if (audit.diagnostics && audit.diagnostics.length > 0) {
+    html += '<div class="call-detail-section"><h4>Diagnostics</h4>';
+    for (const d of audit.diagnostics) {
+      html += '<div class="diagnostic">' + esc(d) + '</div>';
+    }
+    html += '</div>';
+  }
+
+  // Error
+  if (audit.error) {
+    html += '<div class="call-detail-section"><h4>Error</h4>' +
+      '<div class="error-block"><strong>Phase:</strong> ' + esc(audit.error.phase) +
+      '<br>' + esc(audit.error.message) +
+      (audit.error.details ? '<br><span style="opacity:0.7">' + esc(audit.error.details) + '</span>' : '') +
+    '</div></div>';
+  }
+
+  html += '</div>';
+  return html;
+}
+
+function renderAuditLog(s) {
+  if (s.audit_entries.length === 0) {
+    return '<div class="empty-state"><p>No audit entries recorded.</p></div>';
+  }
+
+  let html = '<div style="font-family:var(--mono);font-size:12px">';
+  for (const entry of s.audit_entries) {
+    const icon = entry.success ? '<span style="color:var(--green)">\\u2713</span>' : '<span style="color:var(--red)">\\u2717</span>';
+    const status = entry.response_status ?? 'ERR';
+    html += '<div style="padding:8px 0;border-bottom:1px solid var(--border)">' +
+      icon + ' <strong>' + esc(entry.tool_name) + '</strong> ' +
+      '<span style="color:var(--text-dim)">' + entry.request_method + ' ' + esc(entry.request_url) + '</span> ' +
+      '<span style="color:' + (entry.success ? 'var(--green)' : 'var(--red)') + '">' + status + '</span> ' +
+      '<span style="color:var(--text-dim)">' + entry.total_time_ms + 'ms</span>' +
+    '</div>';
+  }
+  html += '</div>';
+  return html;
+}
+
+function renderTools(s) {
+  let html = '<div>';
+  for (const tool of s.tools) {
+    const callCount = s.timeline.filter(t => t.tool_name === tool).length;
+    const failCount = s.timeline.filter(t => t.tool_name === tool && !t.success).length;
+    html += '<div style="padding:10px 0;border-bottom:1px solid var(--border);display:flex;align-items:center;gap:12px">' +
+      '<span style="font-weight:600;font-size:14px">' + esc(tool) + '</span>' +
+      '<span style="font-family:var(--mono);font-size:12px;color:var(--text-dim)">' + callCount + ' calls</span>' +
+      (failCount > 0 ? '<span style="font-family:var(--mono);font-size:12px;color:var(--red)">' + failCount + ' failed</span>' : '') +
+    '</div>';
+  }
+  html += '</div>';
+  return html;
+}
+
+// \u2500\u2500 Actions \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+function selectCall(idx) {
+  activeCallIdx = activeCallIdx === idx ? null : idx;
+  renderMain();
+}
+
+function switchTab(tab) {
+  activeTab = tab;
+  activeCallIdx = null;
+  renderMain();
+}
+
+// \u2500\u2500 Helpers \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+function card(label, value, colorClass) {
+  return '<div class="card"><div class="card-label">' + label + '</div>' +
+    '<div class="card-value ' + colorClass + '">' + value + '</div></div>';
+}
+
+function tabBtn(id, label) {
+  return '<button class="tab' + (activeTab === id ? ' active' : '') + '" onclick="switchTab(\\'' + id + '\\')">' + label + '</button>';
+}
+
+function formatMs(ms) {
+  if (ms < 1000) return ms + 'ms';
+  if (ms < 60000) return (ms / 1000).toFixed(1) + 's';
+  return Math.floor(ms / 60000) + 'm' + Math.round((ms % 60000) / 1000) + 's';
+}
+
+function esc(str) {
+  if (str === null || str === undefined) return '';
+  return String(str).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
+
+// \u2500\u2500 Init \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+renderSidebar();
+if (SESSIONS.length > 0) {
+  selectSession(0);
+} else {
+  renderMain();
+}
+</script>
+</body>
+</html>`
+);
+
+// src/ui-server.ts
+var BOLD4 = "\x1B[1m";
+var DIM4 = "\x1B[2m";
+var RESET4 = "\x1B[0m";
+var GREEN4 = "\x1B[32m";
+var CYAN3 = "\x1B[36m";
+function startUiServer(options) {
+  const server = createServer((req, res) => {
+    const url = new URL(req.url ?? "/", `http://localhost:${options.port}`);
+    if (req.method === "GET" && url.pathname === "/api/sessions") {
+      const sessions2 = listSessions().map((s) => s.session);
+      res.writeHead(200, { "Content-Type": "application/json" });
+      res.end(JSON.stringify(sessions2));
+      return;
+    }
+    if (req.method === "GET" && (url.pathname === "/" || url.pathname === "/index.html")) {
+      const sessions2 = listSessions().map((s) => s.session);
+      const html = buildHtml(JSON.stringify(sessions2));
+      res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+      res.end(html);
+      return;
+    }
+    res.writeHead(404, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: "Not found" }));
+  });
+  server.listen(options.port, "127.0.0.1", () => {
+    const sessionsDir = getSessionsDir();
+    const sessionCount = listSessions().length;
+    console.log("");
+    console.log(`${GREEN4}${BOLD4}ToolRelay Session Viewer${RESET4}`);
+    console.log(`${DIM4}${"\u2500".repeat(50)}${RESET4}`);
+    console.log(`  ${BOLD4}UI:${RESET4}        ${CYAN3}http://localhost:${options.port}${RESET4}`);
+    console.log(`  ${BOLD4}API:${RESET4}       http://localhost:${options.port}/api/sessions`);
+    console.log(`  ${BOLD4}Sessions:${RESET4}  ${sessionCount} found in ${sessionsDir}`);
+    console.log(`${DIM4}${"\u2500".repeat(50)}${RESET4}`);
+    console.log(`${DIM4}Press Ctrl+C to stop.${RESET4}`);
+    console.log("");
+    if (options.open) {
+      openBrowser2(`http://localhost:${options.port}`);
+    }
+  });
+  process.on("SIGINT", () => {
+    server.close();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    server.close();
+    process.exit(0);
+  });
+}
+function openBrowser2(url) {
+  const platform = process.platform;
+  const cmd = platform === "darwin" ? "open" : platform === "win32" ? "start" : "xdg-open";
+  exec(`${cmd} ${url}`, () => {
+  });
+}
+var BOLD5 = "\x1B[1m";
+var DIM5 = "\x1B[2m";
+var CYAN4 = "\x1B[36m";
+var GREEN5 = "\x1B[32m";
+var RESET5 = "\x1B[0m";
+var HIDE_CURSOR = "\x1B[?25l";
+var SHOW_CURSOR = "\x1B[?25h";
+var rl;
+var usingInjectedRl = false;
+function initReadline(injectedRl) {
+  {
+    rl = createInterface({
+      input: process.stdin,
+      output: process.stdout
+    });
+    usingInjectedRl = false;
+  }
+}
+function closeReadline() {
+  rl.close();
+}
+function ask(question, defaultValue) {
+  const suffix = defaultValue ? ` ${DIM5}(${defaultValue})${RESET5}` : "";
+  return new Promise((resolve2) => {
+    rl.question(`  ${question}${suffix}: `, (answer) => {
+      resolve2(answer.trim() || defaultValue || "");
+    });
+  });
+}
+function askSelectInteractive(question, choices, defaultIdx = 0) {
+  return new Promise((resolve2) => {
+    let selected = defaultIdx;
+    function render() {
+      process.stdout.write(`\x1B[${choices.length}A`);
+      for (let i = 0; i < choices.length; i++) {
+        const isSelected = i === selected;
+        const marker = isSelected ? `${GREEN5}${BOLD5}> ${RESET5}${GREEN5}${choices[i]}${RESET5}` : `  ${DIM5}${choices[i]}${RESET5}`;
+        process.stdout.write(`\x1B[2K  ${marker}
+`);
+      }
+    }
+    console.log(`  ${question}`);
+    process.stdout.write(HIDE_CURSOR);
+    for (let i = 0; i < choices.length; i++) {
+      const isSelected = i === selected;
+      const marker = isSelected ? `${GREEN5}${BOLD5}> ${RESET5}${GREEN5}${choices[i]}${RESET5}` : `  ${DIM5}${choices[i]}${RESET5}`;
+      process.stdout.write(`  ${marker}
+`);
+    }
+    rl.close();
+    const stdin = process.stdin;
+    emitKeypressEvents(stdin);
+    if (stdin.isTTY) stdin.setRawMode(true);
+    stdin.resume();
+    function onKeypress(_ch, key) {
+      if (!key) return;
+      if (key.ctrl && key.name === "c") {
+        process.stdout.write(SHOW_CURSOR);
+        if (stdin.isTTY) stdin.setRawMode(false);
+        stdin.removeListener("keypress", onKeypress);
+        stdin.pause();
+        process.exit(0);
+      }
+      if (key.name === "up" || key.name === "k") {
+        selected = (selected - 1 + choices.length) % choices.length;
+        render();
+      } else if (key.name === "down" || key.name === "j") {
+        selected = (selected + 1) % choices.length;
+        render();
+      } else if (key.name === "return") {
+        process.stdout.write(SHOW_CURSOR);
+        if (stdin.isTTY) stdin.setRawMode(false);
+        stdin.removeListener("keypress", onKeypress);
+        stdin.pause();
+        rl = createInterface({
+          input: process.stdin,
+          output: process.stdout
+        });
+        resolve2(choices[selected]);
+      }
+    }
+    stdin.on("keypress", onKeypress);
+  });
+}
+function askSelectFallback(question, choices, defaultIdx = 0) {
+  console.log(`  ${question}`);
+  for (let i = 0; i < choices.length; i++) {
+    const marker = i === defaultIdx ? `${GREEN5}>${RESET5}` : " ";
+    console.log(`  ${marker} ${CYAN4}${i + 1}${RESET5}) ${choices[i]}`);
+  }
+  return new Promise((resolve2) => {
+    rl.question(`  ${DIM5}Pick [1-${choices.length}]${RESET5} (${defaultIdx + 1}): `, (answer) => {
+      const idx = answer.trim() ? parseInt(answer.trim(), 10) - 1 : defaultIdx;
+      resolve2(choices[idx >= 0 && idx < choices.length ? idx : defaultIdx]);
+    });
+  });
+}
+function askSelect(question, choices, defaultIdx = 0) {
+  if (!usingInjectedRl && process.stdin.isTTY) {
+    return askSelectInteractive(question, choices, defaultIdx);
+  }
+  return askSelectFallback(question, choices, defaultIdx);
+}
+function askConfirm(question, defaultYes = true) {
+  const hint = defaultYes ? "Y/n" : "y/N";
+  return new Promise((resolve2) => {
+    rl.question(`  ${question} ${DIM5}(${hint})${RESET5}: `, (answer) => {
+      const a = answer.trim().toLowerCase();
+      if (a === "") resolve2(defaultYes);
+      else resolve2(a === "y" || a === "yes");
+    });
+  });
+}
+function toSlug(name) {
+  return name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
+}
+async function promptApp() {
+  console.log(`
+${BOLD5}App configuration${RESET5}`);
+  console.log(`${DIM5}Tell us about your backend API.${RESET5}
+`);
+  const name = await ask("App name", "My API");
+  const description = await ask("Description (what does your API do?)");
+  const defaultSlug = toSlug(name);
+  const slug = await ask("Slug (URL-safe identifier)", defaultSlug);
+  const base_url = await ask("Base URL (your production API)", "https://api.example.com");
+  console.log(`  ${DIM5}Tip: For local testing, keep your production URL here and use${RESET5}`);
+  console.log(`  ${DIM5}${CYAN4}toolrelay serve config.json --base-url http://localhost:3000${RESET5}${DIM5} to override at runtime.${RESET5}`);
+  const authTypes = Object.values(AuthType);
+  const authLabels = {
+    none: "none \u2014 No authentication",
+    static_token: "static_token \u2014 Bearer token in Authorization header",
+    api_key_relay: "api_key_relay \u2014 Consumer API keys relayed to backend",
+    custom_header: "custom_header \u2014 Custom header with a static value",
+    oauth2: "oauth2 \u2014 OAuth 2.0 flow (authorize + token URLs)"
+  };
+  const authChoices = authTypes.map((t) => authLabels[t] ?? t);
+  const authChoice = await askSelect("Authentication type?", authChoices, 0);
+  const auth_type = authTypes[authChoices.indexOf(authChoice)];
+  const auth_config = await promptAuthConfig(auth_type);
+  let global_headers;
+  const wantHeaders = await askConfirm("Add global headers (sent on every backend request)?", false);
+  if (wantHeaders) {
+    global_headers = {};
+    let more = true;
+    while (more) {
+      const headerName = await ask("Header name");
+      const headerValue = await ask("Header value");
+      if (headerName) global_headers[headerName] = headerValue;
+      more = await askConfirm("Add another header?", false);
+    }
+  }
+  return {
+    name,
+    description: description || void 0,
+    slug: slug || void 0,
+    base_url,
+    auth_type,
+    auth_config,
+    global_headers
+  };
+}
+async function promptAuthConfig(authType) {
+  if (authType === "none" /* none */) return {};
+  console.log(`
+  ${DIM5}Configuring ${authType} credentials...${RESET5}`);
+  if (authType === "static_token" /* static_token */) {
+    const token = await ask("Bearer token");
+    return { token };
+  }
+  if (authType === "custom_header" /* custom_header */) {
+    const header_name = await ask("Header name", "X-API-Key");
+    const header_value = await ask("Header value");
+    return { headers: { [header_name]: header_value } };
+  }
+  if (authType === "api_key_relay" /* api_key_relay */) {
+    const header_name = await ask("Header name for relayed key", "X-API-Key");
+    return { header_name };
+  }
+  if (authType === "oauth2" /* oauth2 */) {
+    const authorize_url = await ask("OAuth authorize URL");
+    const token_url = await ask("OAuth token URL");
+    const client_id = await ask("Client ID (leave blank for public client PKCE)", "");
+    const client_secret = client_id ? await ask("Client secret") : "";
+    const scopes = await ask("Scopes (comma-separated, optional)", "");
+    const config = {
+      authorize_url,
+      token_url,
+      scopes: scopes ? scopes.split(",").map((s) => s.trim()).join(" ") : "",
+      use_pkce: true
+    };
+    if (client_id) config.client_id = client_id;
+    if (client_secret) config.client_secret = client_secret;
+    return config;
+  }
+  return {};
+}
+async function promptTool() {
+  console.log(`
+${BOLD5}New tool${RESET5}`);
+  const name = await ask("Tool name (snake_case, e.g. get_users)", "get_resource");
+  const description = await ask("Description", "");
+  const methodChoices = Object.values(HttpMethod);
+  const http_method = await askSelect("HTTP method?", methodChoices, 0);
+  const endpoint_path = await ask(
+    "Endpoint path",
+    "/api/resource"
+  );
+  const placeholders = [...endpoint_path.matchAll(/\{([^}]+)\}/g)].map((m) => m[1]);
+  const parameter_mapping = [];
+  if (placeholders.length > 0) {
+    console.log(`
+  ${DIM5}Detected path parameters: ${placeholders.map((p) => `{${p}}`).join(", ")}${RESET5}`);
+    for (const ph of placeholders) {
+      parameter_mapping.push({
+        name: ph,
+        type: "string",
+        required: true,
+        description: `The ${ph}`,
+        target: "path"
+      });
+    }
+  }
+  const wantParams = await askConfirm("Add query/body/header parameters?", false);
+  if (wantParams) {
+    let more = true;
+    while (more) {
+      const param = await promptParameter(http_method);
+      parameter_mapping.push(param);
+      more = await askConfirm("Add another parameter?", false);
+    }
+  }
+  const permChoices = [
+    "read \u2014 Read-only access",
+    "write \u2014 Can modify data",
+    "admin \u2014 Full access"
+  ];
+  const permChoice = await askSelect("Permission level?", permChoices, 0);
+  const permValues = Object.values(PermissionLevel);
+  const permission_level = permValues[permChoices.indexOf(permChoice)];
+  return {
+    name,
+    description: description || void 0,
+    http_method,
+    endpoint_path,
+    parameter_mapping,
+    permission_level
+  };
+}
+async function promptParameter(method) {
+  console.log("");
+  const name = await ask("Parameter name");
+  const typeChoices = ["string", "number", "boolean", "object", "array"];
+  const type = await askSelect("Type?", typeChoices, 0);
+  const targetDefault = method === "GET" || method === "DELETE" ? "query" : "body";
+  const targetChoices = ["path", "query", "body", "header"];
+  const target = await askSelect("Maps to?", targetChoices, targetChoices.indexOf(targetDefault));
+  const required = await askConfirm("Required?", true);
+  const description = await ask("Description", "");
+  const backend_key = await ask("Backend key (leave blank if same as name)", "");
+  const default_value = await ask("Default value (leave blank for none)", "");
+  const param = {
+    name,
+    type,
+    required,
+    description: description || void 0,
+    target
+  };
+  if (backend_key) param.backend_key = backend_key;
+  if (default_value) param.default_value = default_value;
+  return param;
+}
+async function runWizard(injectedRl) {
+  console.log(`
+${BOLD5}${GREEN5}ToolRelay Init${RESET5}`);
+  console.log(`${DIM5}Set up your API config \u2014 this generates a toolrelay.json you can`);
+  console.log(`use with ${CYAN4}validate${RESET5}${DIM5}, ${CYAN4}test${RESET5}${DIM5}, ${CYAN4}serve${RESET5}${DIM5}, and later import into ToolRelay Cloud.${RESET5}
+`);
+  initReadline();
+  try {
+    const app = await promptApp();
+    console.log(`
+${BOLD5}Tools${RESET5}`);
+    console.log(`${DIM5}Define the HTTP endpoints you want to expose as AI-callable tools.${RESET5}`);
+    const tools = [];
+    let addMore = true;
+    while (addMore) {
+      const tool = await promptTool();
+      tools.push(tool);
+      console.log(`  ${GREEN5}\u2713${RESET5} Added tool: ${BOLD5}${tool.name}${RESET5} (${tool.http_method} ${tool.endpoint_path})`);
+      addMore = await askConfirm("Add another tool?", false);
+    }
+    return {
+      app,
+      tools
+    };
+  } finally {
+    closeReadline();
+  }
+}
+function buildTemplate() {
+  return {
+    app: {
+      name: "My API",
+      description: "A sample API for getting started with ToolRelay",
+      slug: "my-api",
+      base_url: "https://api.example.com",
+      auth_type: "none" /* none */,
+      auth_config: {}
+    },
+    tools: [
+      {
+        name: "get_users",
+        description: "List all users",
+        http_method: "GET" /* GET */,
+        endpoint_path: "/api/users",
+        parameter_mapping: [],
+        permission_level: "read" /* read */
+      },
+      {
+        name: "get_user",
+        description: "Get a user by ID",
+        http_method: "GET" /* GET */,
+        endpoint_path: "/api/users/{id}",
+        parameter_mapping: [
+          {
+            name: "id",
+            type: "string",
+            required: true,
+            description: "The user ID",
+            target: "path"
+          }
+        ],
+        permission_level: "read" /* read */
+      }
+    ]
+  };
+}
+
+// src/index.ts
+var __dirname$1 = dirname(fileURLToPath(import.meta.url));
+var pkg = JSON.parse(readFileSync(join(__dirname$1, "..", "package.json"), "utf-8"));
+var program = new Command();
+program.name("toolrelay").description("CLI for ToolRelay \u2014 validate configs, serve local MCP servers, and publish to the cloud").version(pkg.version);
+program.command("validate").description("Validate a toolrelay.json config file (no HTTP calls)").argument("<config>", "Path to toolrelay config JSON file").action((configPath) => {
+  const result = loadConfig(configPath);
+  if (!result.success) {
+    console.error("\nConfig validation failed:\n");
+    for (const err of result.errors) {
+      console.error(`  \u2717 ${err.path ? `[${err.path}] ` : ""}${err.message}`);
+    }
+    process.exit(1);
+  }
+  console.log(`
+\u2713 Config is valid: ${result.config.tools.length} tool(s) defined
+`);
+});
+program.command("init").description("Interactive wizard to generate a toolrelay.json config file").option("-o, --output <path>", "Output file path (default: <slug>.toolrelay.json)").option("-y, --yes", "Skip prompts and generate a starter template", false).action(async (opts) => {
+  const { writeFileSync: writeFileSync3, existsSync: existsSync3 } = await import('fs');
+  let config;
+  if (opts.yes) {
+    config = buildTemplate();
+  } else {
+    config = await runWizard();
+  }
+  const outputPath = opts.output ?? `${config.app.slug ?? "toolrelay"}.toolrelay.json`;
+  if (existsSync3(outputPath)) {
+    console.error(`Error: ${outputPath} already exists. Remove it first or use -o to specify a different path.`);
+    process.exit(1);
+  }
+  writeFileSync3(outputPath, JSON.stringify(config, null, 2) + "\n");
+  console.log(`
+\u2713 Created ${outputPath} (${config.tools.length} tool(s))`);
+  console.log(`
+Next steps:`);
+  console.log(`  npx @toolrelay/cli validate ${outputPath}   ${"\x1B[2m"}# Check config${"\x1B[0m"}`);
+  console.log(`  npx @toolrelay/cli serve ${outputPath}      ${"\x1B[2m"}# Start MCP server${"\x1B[0m"}`);
+  console.log(`  npx @toolrelay/cli publish ${outputPath}    ${"\x1B[2m"}# Deploy to ToolRelay${"\x1B[0m"}`);
+  console.log(`
+${"\x1B[2m"}Local testing? Override base_url at runtime:${"\x1B[0m"}`);
+  console.log(`  npx @toolrelay/cli serve ${outputPath} --base-url http://localhost:3000`);
+  console.log("");
+});
+program.command("serve").description("Start a local MCP Streamable HTTP server \u2014 connect Claude Desktop or any MCP client and get audit traces on every tool call").argument("<config>", "Path to toolrelay config JSON file").option("--base-url <url>", "Override base_url from config").option("-p, --port <number>", "Port to listen on", "8787").option("-v, --verbose", "Show response headers and extra detail", false).action((configPath, opts) => {
+  const result = loadConfig(configPath);
+  if (!result.success) {
+    console.error("\nConfig validation failed:\n");
+    for (const err of result.errors) {
+      console.error(`  \u2717 ${err.path ? `[${err.path}] ` : ""}${err.message}`);
+    }
+    process.exit(1);
+  }
+  startMcpServer(result.config, {
+    baseUrl: opts.baseUrl,
+    port: parseInt(opts.port, 10),
+    verbose: opts.verbose,
+    configPath
+  });
+});
+program.command("publish").description("Deploy your toolrelay.json config to ToolRelay \u2014 creates or updates the app and tools").argument("<config>", "Path to toolrelay config JSON file").option("--dry-run", "Show what would change without making any changes", false).option("--prune", "Delete remote tools that are not in the config file", false).action(async (configPath, opts) => {
+  const result = loadConfig(configPath);
+  if (!result.success) {
+    console.error("\nConfig validation failed:\n");
+    for (const err of result.errors) {
+      console.error(`  \u2717 ${err.path ? `[${err.path}] ` : ""}${err.message}`);
+    }
+    process.exit(1);
+  }
+  const { publish } = await import('./publish-RSJ4I6HJ.js');
+  const publishResult = await publish(result.config, {
+    dryRun: opts.dryRun,
+    prune: opts.prune
+  });
+  process.exit(publishResult.success ? 0 : 1);
+});
+program.command("login").description("Authenticate with ToolRelay \u2014 opens a browser to log in").action(async () => {
+  const { loginFlow } = await import('./auth-flow-VQXXGXIV.js');
+  try {
+    await loginFlow();
+  } catch (err) {
+    console.error(`
+Login failed: ${err.message}
+`);
+    process.exit(1);
+  }
+});
+program.command("logout").description("Remove stored credentials").action(async () => {
+  const { clearCredentials } = await import('./credentials-KWHZKJ5O.js');
+  if (clearCredentials()) {
+    console.log("\n\u2713 Logged out. Credentials removed from ~/.toolrelay/credentials.json\n");
+  } else {
+    console.log("\nNo stored credentials found.\n");
+  }
+});
+program.command("whoami").description("Show the currently authenticated user").action(async () => {
+  const { resolveAuth } = await import('./credentials-KWHZKJ5O.js');
+  const { ToolRelayApiClient } = await import('./api-client-7MTO2YNV.js');
+  const auth = resolveAuth();
+  if (!auth) {
+    console.error("\nNot authenticated. Run `toolrelay login` or set TOOLRELAY_DEPLOY_TOKEN.\n");
+    process.exit(1);
+  }
+  try {
+    const client = new ToolRelayApiClient(auth);
+    const user = await client.whoami();
+    console.log(`
+  Email: ${user.email}`);
+    console.log(`  Name:  ${user.name}`);
+    console.log(`  Tier:  ${user.tier}`);
+    console.log(`  Auth:  ${auth.source === "env" ? "TOOLRELAY_DEPLOY_TOKEN" : "~/.toolrelay/credentials.json"}`);
+    console.log(`  API:   ${auth.api_url}
+`);
+  } catch (err) {
+    const apiErr = err;
+    if (apiErr.status === 401) {
+      console.error("\nToken is invalid or expired. Run `toolrelay login` to re-authenticate.\n");
+    } else {
+      console.error(`
+Failed to verify credentials: ${apiErr.message ?? err}
+`);
+    }
+    process.exit(1);
+  }
+});
+program.command("ui").description("Open a local web UI to browse past session logs \u2014 like Playwright's HTML reporter for MCP tool calls").option("-p, --port <number>", "Port to listen on", "8788").option("--no-open", "Don't auto-open the browser").action((opts) => {
+  startUiServer({
+    port: parseInt(opts.port, 10),
+    open: opts.open
+  });
+});
+program.parse();
+//# sourceMappingURL=index.js.map
+//# sourceMappingURL=index.js.map