caplets 0.15.0 → 0.17.0

package/dist/index.js

@@ -9,441 +9,25 @@ import { homedir, tmpdir } from "node:os";
 import { PassThrough } from "node:stream";
 import { createServer } from "node:http";
 import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
+import { Buffer as Buffer$1 } from "node:buffer";
 import { createInterface } from "node:readline/promises";
 import { createServer as createServer$1 } from "http";
 import { Http2ServerRequest, constants as constants$1 } from "http2";
 import { Readable } from "stream";
 import crypto$1 from "crypto";
-//#region ../core/dist/generated-tool-input-schema.js
-const operations = [
-	"get_caplet",
-	"check_backend",
-	"list_tools",
-	"search_tools",
-	"get_tool",
-	"call_tool"
-];
-const generatedToolInputDescriptions = {
-	operation: "Wrapper operation: get_caplet, check_backend, list_tools, search_tools, get_tool, or call_tool.",
-	query: "Required for search_tools only.",
-	limit: "Optional search_tools result limit.",
-	tool: "Exact downstream tool name for get_tool or call_tool.",
-	arguments: "Required JSON object for call_tool arguments/downstream inputs.",
-	fields: "Optional call_tool structured output paths when outputSchema allows it."
+//#region \0rolldown/runtime.js
+var __defProp$1 = Object.defineProperty;
+var __exportAll$1 = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp$1(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp$1(target, Symbol.toStringTag, { value: "Module" });
+	return target;
 };
-function generatedToolInputJsonSchema() {
-	return {
-		type: "object",
-		properties: {
-			operation: {
-				type: "string",
-				enum: operations,
-				description: generatedToolInputDescriptions.operation
-			},
-			query: {
-				type: "string",
-				description: generatedToolInputDescriptions.query
-			},
-			limit: {
-				type: "integer",
-				minimum: 1,
-				description: generatedToolInputDescriptions.limit
-			},
-			tool: {
-				type: "string",
-				description: generatedToolInputDescriptions.tool
-			},
-			arguments: {
-				type: "object",
-				description: generatedToolInputDescriptions.arguments
-			},
-			fields: {
-				type: "array",
-				items: {
-					type: "string",
-					minLength: 1
-				},
-				minItems: 1,
-				description: generatedToolInputDescriptions.fields
-			}
-		},
-		required: ["operation"],
-		additionalProperties: false
-	};
-}
 //#endregion
-//#region ../core/dist/engine-Brwid_mq.js
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports);
-var __copyProps = (to, from, except, desc) => {
-	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
-		key = keys[i];
-		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
-			get: ((k) => from[k]).bind(null, key),
-			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-		});
-	}
-	return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
-var CapletsError = class extends Error {
-	code;
-	details;
-	constructor(code, message, details) {
-		super(message);
-		this.name = "CapletsError";
-		this.code = code;
-		this.details = details;
-	}
-};
-const SECRET_KEY_PATTERN = /(token|secret|authorization|auth|api[-_]?key|password|credential|clientsecret|client_secret|code|refresh)/i;
-const SECRET_VALUE_PATTERN = /(bearer\s+)[a-z0-9._~+/=-]+|([?&](?:access_token|refresh_token|token|code)=)[^&\s]+/gi;
-function redactSecrets(value) {
-	if (typeof value === "string") return value.replace(SECRET_VALUE_PATTERN, "$1$2[REDACTED]");
-	if (Array.isArray(value)) return value.map((item) => redactSecrets(item));
-	if (value && typeof value === "object") {
-		const redacted = {};
-		for (const [key, nested] of Object.entries(value)) redacted[key] = SECRET_KEY_PATTERN.test(key) ? "[REDACTED]" : redactSecrets(nested);
-		return redacted;
-	}
-	return value;
-}
-function toSafeError(error, fallback = "INTERNAL_ERROR") {
-	if (error instanceof CapletsError) return {
-		code: error.code,
-		message: String(redactSecrets(error.message)),
-		...error.details === void 0 ? {} : { details: redactSecrets(error.details) }
-	};
-	if (error instanceof Error) return {
-		code: fallback,
-		message: String(redactSecrets(error.message))
-	};
-	return {
-		code: fallback,
-		message: String(redactSecrets(error))
-	};
-}
-function errorResult(error, fallback) {
-	const safe = toSafeError(error, fallback);
-	return {
-		isError: true,
-		content: [{
-			type: "text",
-			text: `${safe.code}: ${safe.message}`
-		}],
-		structuredContent: { error: safe }
-	};
-}
-function textContent(text) {
-	return text ? [{
-		type: "text",
-		text
-	}] : [];
-}
-function compactJsonText(value, maxLength = 600) {
-	return compactText(JSON.stringify(value) ?? String(value), maxLength);
-}
-function compactText(value, maxLength = 600) {
-	const collapsed = value.replace(/\s+/gu, " ").trim();
-	return collapsed.length > maxLength ? `${collapsed.slice(0, maxLength - 1).trimEnd()}…` : collapsed;
-}
-function resultKeys(value) {
-	if (!value || typeof value !== "object" || Array.isArray(value)) return "scalar result";
-	const keys = Object.keys(value).filter((key) => key !== "elapsedMs");
-	return keys.length > 0 ? `structured keys: ${keys.join(", ")}` : "empty structured result";
-}
-function statusSummary(value) {
-	if (!value || typeof value !== "object" || Array.isArray(value)) return compactJsonText(value);
-	const record = value;
-	return [
-		typeof record.status === "number" ? `status ${record.status}` : void 0,
-		typeof record.statusText === "string" && record.statusText ? record.statusText : void 0,
-		typeof record.exitCode === "number" ? `exit ${record.exitCode}` : void 0,
-		"body" in record ? "body" : void 0,
-		"json" in record ? "json" : void 0,
-		typeof record.stdout === "string" && record.stdout ? "stdout" : void 0,
-		typeof record.stderr === "string" && record.stderr ? "stderr" : void 0
-	].filter((part) => Boolean(part)).join("; ") || resultKeys(record);
-}
-function compactStructuredContent(value) {
-	return textContent(statusSummary(value));
-}
-function searchToolList(tools, query, limit, compact) {
-	const tokens = query.toLocaleLowerCase().split(/\s+/).filter(Boolean);
-	return tools.filter((tool) => {
-		const haystack = `${tool.name}\n${tool.description ?? ""}`.toLocaleLowerCase();
-		return tokens.some((token) => haystack.includes(token));
-	}).sort((left, right) => left.name.localeCompare(right.name)).slice(0, limit).map(compact);
-}
-const DEFAULT_INPUT_SCHEMA$1 = {
-	type: "object",
-	additionalProperties: true
-};
-var CliToolsManager = class {
-	registry;
-	constructor(registry) {
-		this.registry = registry;
-	}
-	updateRegistry(registry) {
-		this.registry = registry;
-	}
-	invalidate(_serverId) {}
-	async checkTools(config) {
-		const startedAt = Date.now();
-		try {
-			for (const action of actionsFor(config)) {
-				const cwdTemplate = action.cwd ?? config.cwd;
-				if (cwdTemplate && !cwdTemplate.includes("$input")) {
-					if (!existsSync(interpolateRequiredString(cwdTemplate, {}, "cwd"))) throw new CapletsError("CONFIG_INVALID", `CLI cwd does not exist for ${config.server}/${action.name}`);
-				}
-				if (!action.command.includes("$input")) resolveCommandPath(action.command);
-			}
-			this.registry.setStatus(config.server, "available");
-			return {
-				id: config.server,
-				status: "available",
-				toolCount: Object.keys(config.actions).length,
-				elapsedMs: Date.now() - startedAt
-			};
-		} catch (error) {
-			const safe = toSafeError(error, "SERVER_UNAVAILABLE");
-			this.registry.setStatus(config.server, "unavailable", safe);
-			return {
-				id: config.server,
-				status: "unavailable",
-				elapsedMs: Date.now() - startedAt,
-				error: safe
-			};
-		}
-	}
-	async listTools(config) {
-		return actionsFor(config).map((action) => this.toTool(action));
-	}
-	async getTool(config, toolName) {
-		return this.toTool(getAction(config, toolName));
-	}
-	async callTool(config, toolName, args) {
-		const action = getAction(config, toolName);
-		validateInput(action, args);
-		const execution = resolveExecution(config, action, args);
-		const startedAt = Date.now();
-		const controller = new AbortController();
-		const timeout = setTimeout(() => controller.abort(), execution.timeoutMs);
-		try {
-			const result = await spawnCommand(execution, controller.signal, () => Date.now() - startedAt);
-			const structured = parseStructuredResult(action, result, result.exitCode !== 0);
-			return {
-				content: compactStructuredContent(structured),
-				structuredContent: structured,
-				isError: result.exitCode !== 0
-			};
-		} catch (error) {
-			if (isAbortError$1(error)) throw new CapletsError("TOOL_CALL_TIMEOUT", `CLI tool timed out for ${config.server}/${toolName}`);
-			if (error instanceof CapletsError) throw error;
-			throw new CapletsError("DOWNSTREAM_TOOL_ERROR", `CLI tool failed for ${config.server}/${toolName}`, toSafeError(error));
-		} finally {
-			clearTimeout(timeout);
-		}
-	}
-	compact(config, tool) {
-		return {
-			id: config.server,
-			tool: tool.name,
-			...tool.description ? { description: tool.description } : {},
-			hasInputSchema: Boolean(tool.inputSchema),
-			hasOutputSchema: Boolean(tool.outputSchema)
-		};
-	}
-	search(config, tools, query, limit) {
-		return searchToolList(tools, query, limit, (tool) => this.compact(config, tool));
-	}
-	toTool(action) {
-		return {
-			name: action.name,
-			...action.description ? { description: action.description } : {},
-			inputSchema: action.inputSchema ?? DEFAULT_INPUT_SCHEMA$1,
-			...action.outputSchema ? { outputSchema: action.outputSchema } : {},
-			...action.annotations ? { annotations: action.annotations } : {}
-		};
-	}
-};
-function actionsFor(config) {
-	return Object.entries(config.actions).map(([name, action]) => ({
-		name,
-		...action
-	})).sort((left, right) => left.name.localeCompare(right.name));
-}
-function getAction(config, toolName) {
-	const actions = actionsFor(config);
-	const action = actions.find((candidate) => candidate.name === toolName);
-	if (!action) throw new CapletsError("TOOL_NOT_FOUND", `Tool ${toolName} was not found on ${config.server}`, {
-		server: config.server,
-		tool: toolName,
-		suggestions: actions.map((candidate) => candidate.name).filter((name) => name.toLocaleLowerCase().includes(toolName.toLocaleLowerCase()[0] ?? "")).slice(0, 5)
-	});
-	return action;
-}
-function resolveExecution(config, action, input) {
-	const cwd = interpolateString(action.cwd ?? config.cwd, input, "cwd");
-	if (cwd && !existsSync(cwd)) throw new CapletsError("CONFIG_INVALID", `CLI cwd does not exist for ${config.server}/${action.name}`);
-	const env = {
-		...process.env,
-		...resolveEnv(config.env, input),
-		...resolveEnv(action.env, input)
-	};
-	return {
-		command: interpolateString(action.command, input, "command") ?? action.command,
-		args: (action.args ?? []).map((arg, index) => interpolateRequiredString(arg, input, `args.${index}`)),
-		...cwd ? { cwd } : {},
-		env,
-		timeoutMs: action.timeoutMs ?? config.timeoutMs,
-		maxOutputBytes: action.maxOutputBytes ?? config.maxOutputBytes
-	};
-}
-function resolveEnv(env, input) {
-	if (!env) return {};
-	return Object.fromEntries(Object.entries(env).map(([key, value]) => [key, interpolateRequiredString(value, input, `env.${key}`)]));
-}
-function interpolateString(value, input, field) {
-	return value === void 0 ? void 0 : interpolateRequiredString(value, input, field);
-}
-function interpolateRequiredString(value, input, field) {
-	return value.replace(/\$input(?:\.([A-Za-z0-9_.-]+))?/g, (_match, path) => {
-		if (!path) throw new CapletsError("REQUEST_INVALID", `CLI ${field} cannot interpolate $input directly`);
-		const selected = valueAtPath$1(input, path);
-		if (selected === void 0 || selected === null) throw new CapletsError("REQUEST_INVALID", `CLI ${field} references missing input ${path}`);
-		if (typeof selected !== "string" && typeof selected !== "number" && typeof selected !== "boolean") throw new CapletsError("REQUEST_INVALID", `CLI ${field} input ${path} must be a string, number, or boolean`);
-		return String(selected);
-	});
-}
-function valueAtPath$1(input, path) {
-	let current = input;
-	for (const segment of path.split(".")) {
-		if (!current || typeof current !== "object" || Array.isArray(current)) return;
-		current = current[segment];
-	}
-	return current;
-}
-function validateInput(action, input) {
-	const schema = action.inputSchema;
-	if (!schema) return;
-	const required = Array.isArray(schema.required) ? schema.required : [];
-	for (const key of required) if (typeof key === "string" && (input[key] === void 0 || input[key] === null)) throw new CapletsError("REQUEST_INVALID", `CLI tool ${action.name} requires input ${key}`);
-	const properties = isPlainObject$7(schema.properties) ? schema.properties : {};
-	for (const [key, property] of Object.entries(properties)) {
-		if (input[key] === void 0 || !isPlainObject$7(property) || typeof property.type !== "string") continue;
-		if (!matchesJsonType(input[key], property.type)) throw new CapletsError("REQUEST_INVALID", `CLI tool ${action.name} input ${key} must be ${property.type}`);
-	}
-}
-function matchesJsonType(value, type) {
-	switch (type) {
-		case "string": return typeof value === "string";
-		case "number":
-		case "integer": return typeof value === "number" && (type === "number" || Number.isInteger(value));
-		case "boolean": return typeof value === "boolean";
-		case "object": return isPlainObject$7(value);
-		case "array": return Array.isArray(value);
-		case "null": return value === null;
-		default: return true;
-	}
-}
-function spawnCommand(execution, signal, elapsedMs) {
-	return new Promise((resolve, reject) => {
-		let stdout = "";
-		let stderr = "";
-		let outputBytes = 0;
-		const child = spawn(execution.command, execution.args, {
-			cwd: execution.cwd,
-			env: execution.env,
-			shell: false,
-			signal,
-			windowsHide: true
-		});
-		child.on("error", reject);
-		const append = (stream, chunk) => {
-			outputBytes += chunk.byteLength;
-			if (outputBytes > execution.maxOutputBytes) {
-				child.kill();
-				reject(new CapletsError("DOWNSTREAM_TOOL_ERROR", "CLI tool output exceeded byte limit"));
-				return;
-			}
-			if (stream === "stdout") stdout += chunk.toString("utf8");
-			else stderr += chunk.toString("utf8");
-		};
-		child.stdout?.on("data", (chunk) => append("stdout", chunk));
-		child.stderr?.on("data", (chunk) => append("stderr", chunk));
-		child.on("close", (exitCode, childSignal) => {
-			resolve({
-				exitCode,
-				signal: childSignal,
-				stdout,
-				stderr,
-				elapsedMs: elapsedMs()
-			});
-		});
-	});
-}
-function parseStructuredResult(action, result, tolerateInvalidJson = false) {
-	const structured = {
-		exitCode: result.exitCode,
-		stdout: result.stdout,
-		stderr: result.stderr,
-		elapsedMs: result.elapsedMs,
-		...result.signal ? { signal: result.signal } : {}
-	};
-	if (action.output?.type === "json" && result.stdout.trim()) try {
-		structured.json = JSON.parse(result.stdout);
-	} catch (error) {
-		if (tolerateInvalidJson) {
-			structured.jsonParseError = toSafeError(error);
-			return structured;
-		}
-		throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", `CLI tool ${action.name} stdout was not valid JSON`, toSafeError(error));
-	}
-	return structured;
-}
-function resolveCommandPath(command) {
-	if (isAbsolute(command) || /[\\/]/.test(command)) {
-		assertExecutable(command);
-		return command;
-	}
-	for (const directory of (process.env.PATH ?? "").split(delimiter)) {
-		if (!directory) continue;
-		const candidate = join(directory, command);
-		if (isExecutable(candidate)) return candidate;
-		if (process.platform === "win32") for (const ext of (process.env.PATHEXT ?? ".EXE;.CMD;.BAT").split(";")) {
-			const windowsCandidate = join(directory, `${command}${ext.toLowerCase()}`);
-			if (isExecutable(windowsCandidate)) return windowsCandidate;
-		}
-	}
-	throw new CapletsError("SERVER_UNAVAILABLE", `CLI command ${command} was not found on PATH`);
-}
-function assertExecutable(path) {
-	if (!isExecutable(path)) throw new CapletsError("SERVER_UNAVAILABLE", `CLI command ${path} is not executable`);
-}
-function isExecutable(path) {
-	try {
-		accessSync(path, constants.X_OK);
-		return true;
-	} catch {
-		return false;
-	}
-}
-function isAbortError$1(error) {
-	return error instanceof Error && error.name === "AbortError";
-}
-function isPlainObject$7(value) {
-	return value !== null && typeof value === "object" && !Array.isArray(value);
-}
+//#region ../core/dist/generated-tool-input-schema-B6rce396.js
 var _a$1;
 /** A special constant with type `never` */
 const NEVER = /* @__PURE__ */ Object.freeze({ status: "aborted" });
@@ -587,7 +171,7 @@ const allowsEval = /* @__PURE__ */ cached(() => {
 		return false;
 	}
 });
-function isPlainObject$6(o) {
+function isPlainObject$8(o) {
 	if (isObject(o) === false) return false;
 	const ctor = o.constructor;
 	if (ctor === void 0) return true;
@@ -598,7 +182,7 @@ function isPlainObject$6(o) {
 	return true;
 }
 function shallowClone(o) {
-	if (isPlainObject$6(o)) return { ...o };
+	if (isPlainObject$8(o)) return { ...o };
 	if (Array.isArray(o)) return [...o];
 	if (o instanceof Map) return new Map(o);
 	if (o instanceof Set) return new Set(o);
@@ -681,7 +265,7 @@ function omit(schema, mask) {
 	}));
 }
 function extend(schema, shape) {
-	if (!isPlainObject$6(shape)) throw new Error("Invalid input to extend: expected a plain object");
+	if (!isPlainObject$8(shape)) throw new Error("Invalid input to extend: expected a plain object");
 	const checks = schema._zod.def.checks;
 	if (checks && checks.length > 0) {
 		const existingShape = schema._zod.def.shape;
@@ -697,7 +281,7 @@ function extend(schema, shape) {
 	} }));
 }
 function safeExtend(schema, shape) {
-	if (!isPlainObject$6(shape)) throw new Error("Invalid input to safeExtend: expected a plain object");
+	if (!isPlainObject$8(shape)) throw new Error("Invalid input to safeExtend: expected a plain object");
 	return clone(schema, mergeDefs(schema._zod.def, { get shape() {
 		const _shape = {
 			...schema._zod.def.shape,
@@ -888,7 +472,7 @@ const _parse = (_Err) => (schema, value, _ctx, _params) => {
 	}
 	return result.value;
 };
-const parse$3 = /* @__PURE__ */ _parse($ZodRealError);
+const parse$1 = /* @__PURE__ */ _parse($ZodRealError);
 const _parseAsync = (_Err) => async (schema, value, _ctx, params) => {
 	const ctx = _ctx ? {
 		..._ctx,
@@ -925,7 +509,7 @@ const _safeParse = (_Err) => (schema, value, _ctx) => {
 		data: result.value
 	};
 };
-const safeParse$2 = /* @__PURE__ */ _safeParse($ZodRealError);
+const safeParse$1 = /* @__PURE__ */ _safeParse($ZodRealError);
 const _safeParseAsync = (_Err) => async (schema, value, _ctx) => {
 	const ctx = _ctx ? {
 		..._ctx,
@@ -944,7 +528,7 @@ const _safeParseAsync = (_Err) => async (schema, value, _ctx) => {
 		data: result.value
 	};
 };
-const safeParseAsync$2 = /* @__PURE__ */ _safeParseAsync($ZodRealError);
+const safeParseAsync$1 = /* @__PURE__ */ _safeParseAsync($ZodRealError);
 const _encode = (_Err) => (schema, value, _ctx) => {
 	const ctx = _ctx ? {
 		..._ctx,
@@ -1043,7 +627,7 @@ const string$1 = (params) => {
 	return new RegExp(`^${regex}$`);
 };
 const integer = /^-?\d+$/;
-const number$2 = /^-?\d+(?:\.\d+)?$/;
+const number$1 = /^-?\d+(?:\.\d+)?$/;
 const boolean$1 = /^(?:true|false)$/i;
 const _null$2 = /^null$/i;
 const lowercase = /^[^A-Z]*$/;
@@ -1517,10 +1101,10 @@ const $ZodType = /* @__PURE__ */ $constructor("$ZodType", (inst, def) => {
 	defineLazy(inst, "~standard", () => ({
 		validate: (value) => {
 			try {
-				const r = safeParse$2(inst, value);
+				const r = safeParse$1(inst, value);
 				return r.success ? { value: r.data } : { issues: r.error?.issues };
 			} catch (_) {
-				return safeParseAsync$2(inst, value).then((r) => r.success ? { value: r.data } : { issues: r.error?.issues });
+				return safeParseAsync$1(inst, value).then((r) => r.success ? { value: r.data } : { issues: r.error?.issues });
 			}
 		},
 		vendor: "zod",
@@ -1810,7 +1394,7 @@ const $ZodJWT = /* @__PURE__ */ $constructor("$ZodJWT", (inst, def) => {
 });
 const $ZodNumber = /* @__PURE__ */ $constructor("$ZodNumber", (inst, def) => {
 	$ZodType.init(inst, def);
-	inst._zod.pattern = inst._zod.bag.pattern ?? number$2;
+	inst._zod.pattern = inst._zod.bag.pattern ?? number$1;
 	inst._zod.parse = (payload, _ctx) => {
 		if (def.coerce) try {
 			payload.value = Number(payload.value);
@@ -2297,7 +1881,7 @@ function mergeValues$1(a, b) {
 		valid: true,
 		data: a
 	};
-	if (isPlainObject$6(a) && isPlainObject$6(b)) {
+	if (isPlainObject$8(a) && isPlainObject$8(b)) {
 		const bKeys = Object.keys(b);
 		const sharedKeys = Object.keys(a).filter((key) => bKeys.indexOf(key) !== -1);
 		const newObj = {
@@ -2373,7 +1957,7 @@ const $ZodRecord = /* @__PURE__ */ $constructor("$ZodRecord", (inst, def) => {
 	$ZodType.init(inst, def);
 	inst._zod.parse = (payload, ctx) => {
 		const input = payload.value;
-		if (!isPlainObject$6(input)) {
+		if (!isPlainObject$8(input)) {
 			payload.issues.push({
 				expected: "record",
 				code: "invalid_type",
@@ -2440,7 +2024,7 @@ const $ZodRecord = /* @__PURE__ */ $constructor("$ZodRecord", (inst, def) => {
 					issues: []
 				}, ctx);
 				if (keyResult instanceof Promise) throw new Error("Async schemas not supported in object keys currently");
-				if (typeof key === "string" && number$2.test(key) && keyResult.issues.length) {
+				if (typeof key === "string" && number$1.test(key) && keyResult.issues.length) {
 					const retryResult = def.keyType._zod.run({
 						value: Number(key),
 						issues: []
@@ -4115,8 +3699,8 @@ const initializer = (inst, issues) => {
 const ZodRealError = /* @__PURE__ */ $constructor("ZodError", initializer, { Parent: Error });
 const parse$2 = /* @__PURE__ */ _parse(ZodRealError);
 const parseAsync = /* @__PURE__ */ _parseAsync(ZodRealError);
-const safeParse$1 = /* @__PURE__ */ _safeParse(ZodRealError);
-const safeParseAsync$1 = /* @__PURE__ */ _safeParseAsync(ZodRealError);
+const safeParse$2 = /* @__PURE__ */ _safeParse(ZodRealError);
+const safeParseAsync$2 = /* @__PURE__ */ _safeParseAsync(ZodRealError);
 const encode = /* @__PURE__ */ _encode(ZodRealError);
 const decode = /* @__PURE__ */ _decode(ZodRealError);
 const encodeAsync = /* @__PURE__ */ _encodeAsync(ZodRealError);
@@ -4172,9 +3756,9 @@ const ZodType$1 = /* @__PURE__ */ $constructor("ZodType", (inst, def) => {
 	inst.type = def.type;
 	Object.defineProperty(inst, "_def", { value: def });
 	inst.parse = (data, params) => parse$2(inst, data, params, { callee: inst.parse });
-	inst.safeParse = (data, params) => safeParse$1(inst, data, params);
+	inst.safeParse = (data, params) => safeParse$2(inst, data, params);
 	inst.parseAsync = async (data, params) => parseAsync(inst, data, params, { callee: inst.parseAsync });
-	inst.safeParseAsync = async (data, params) => safeParseAsync$1(inst, data, params);
+	inst.safeParseAsync = async (data, params) => safeParseAsync$2(inst, data, params);
 	inst.spa = inst.safeParseAsync;
 	inst.encode = (data, params) => encode(inst, data, params);
 	inst.decode = (data, params) => decode(inst, data, params);
@@ -4523,7 +4107,7 @@ const ZodNumber$1 = /* @__PURE__ */ $constructor("ZodNumber", (inst, def) => {
 	inst.isFinite = true;
 	inst.format = bag.format ?? null;
 });
-function number$1(params) {
+function number$2(params) {
 	return /* @__PURE__ */ _number(ZodNumber$1, params);
 }
 const ZodNumberFormat = /* @__PURE__ */ $constructor("ZodNumberFormat", (inst, def) => {
@@ -4969,6 +4553,571 @@ function preprocess(fn, schema) {
 		out: schema
 	});
 }
+const operations = [
+	"get_caplet",
+	"check_backend",
+	"list_tools",
+	"search_tools",
+	"get_tool",
+	"call_tool"
+];
+const mcpOperations = [
+	...operations,
+	"list_resources",
+	"search_resources",
+	"list_resource_templates",
+	"read_resource",
+	"list_prompts",
+	"search_prompts",
+	"get_prompt",
+	"complete"
+];
+const generatedToolInputDescriptions = {
+	operation: "Wrapper operation: get_caplet, check_backend, list_tools, search_tools, get_tool, call_tool. MCP Caplets also expose resources, prompts, and completions.",
+	query: "Required for search operations only.",
+	limit: "Optional list/search result limit.",
+	tool: "Exact downstream tool name for get_tool or call_tool.",
+	arguments: "JSON object for call_tool arguments/downstream inputs or get_prompt arguments.",
+	fields: "Optional call_tool structured output paths when outputSchema allows it.",
+	uri: "Exact downstream resource URI for read_resource.",
+	prompt: "Exact downstream prompt name for get_prompt.",
+	ref: "Completion target reference for complete.",
+	argument: "Completion argument object for complete."
+};
+const completionRefSchema = union([object$1({
+	type: literal("prompt"),
+	name: string().min(1)
+}).strict(), object$1({
+	type: literal("resourceTemplate"),
+	uri: string().min(1)
+}).strict()]);
+const completionArgumentSchema = object$1({
+	name: string().min(1),
+	value: string()
+}).strict();
+const baseShape = {
+	query: string().optional().describe(generatedToolInputDescriptions.query),
+	limit: number$2().int().positive().optional().describe(generatedToolInputDescriptions.limit),
+	tool: string().optional().describe(generatedToolInputDescriptions.tool),
+	arguments: object$1({}).catchall(any()).optional().describe(generatedToolInputDescriptions.arguments),
+	fields: array(string().min(1)).min(1).optional().describe(generatedToolInputDescriptions.fields)
+};
+function generatedToolInputSchemaForCaplet(caplet) {
+	return object$1({
+		operation: (caplet.backend === "mcp" ? _enum(mcpOperations) : _enum(operations)).describe(generatedToolInputDescriptions.operation),
+		...baseShape,
+		...caplet.backend === "mcp" ? {
+			uri: string().optional().describe(generatedToolInputDescriptions.uri),
+			prompt: string().optional().describe(generatedToolInputDescriptions.prompt),
+			ref: completionRefSchema.optional().describe(generatedToolInputDescriptions.ref),
+			argument: completionArgumentSchema.optional().describe(generatedToolInputDescriptions.argument)
+		} : {}
+	}).strict();
+}
+object$1({
+	operation: _enum(operations).describe(generatedToolInputDescriptions.operation),
+	...baseShape
+}).strict();
+function generatedToolInputJsonSchemaForCaplet(caplet) {
+	const mcp = caplet.backend === "mcp";
+	return {
+		type: "object",
+		properties: {
+			operation: {
+				type: "string",
+				enum: mcp ? mcpOperations : operations,
+				description: generatedToolInputDescriptions.operation
+			},
+			query: {
+				type: "string",
+				description: generatedToolInputDescriptions.query
+			},
+			limit: {
+				type: "integer",
+				minimum: 1,
+				description: generatedToolInputDescriptions.limit
+			},
+			tool: {
+				type: "string",
+				description: generatedToolInputDescriptions.tool
+			},
+			arguments: {
+				type: "object",
+				description: generatedToolInputDescriptions.arguments
+			},
+			fields: {
+				type: "array",
+				items: {
+					type: "string",
+					minLength: 1
+				},
+				minItems: 1,
+				description: generatedToolInputDescriptions.fields
+			},
+			...mcp ? {
+				uri: {
+					type: "string",
+					description: generatedToolInputDescriptions.uri
+				},
+				prompt: {
+					type: "string",
+					description: generatedToolInputDescriptions.prompt
+				},
+				ref: {
+					oneOf: [{
+						type: "object",
+						properties: {
+							type: { const: "prompt" },
+							name: {
+								type: "string",
+								minLength: 1
+							}
+						},
+						required: ["type", "name"],
+						additionalProperties: false
+					}, {
+						type: "object",
+						properties: {
+							type: { const: "resourceTemplate" },
+							uri: {
+								type: "string",
+								minLength: 1
+							}
+						},
+						required: ["type", "uri"],
+						additionalProperties: false
+					}],
+					description: generatedToolInputDescriptions.ref
+				},
+				argument: {
+					type: "object",
+					properties: {
+						name: {
+							type: "string",
+							minLength: 1
+						},
+						value: { type: "string" }
+					},
+					required: ["name", "value"],
+					additionalProperties: false,
+					description: generatedToolInputDescriptions.argument
+				}
+			} : {}
+		},
+		required: ["operation"],
+		additionalProperties: false
+	};
+}
+function generatedToolInputJsonSchema() {
+	return generatedToolInputJsonSchemaForCaplet({ backend: "tool" });
+}
+//#endregion
+//#region ../core/dist/options-DM1cMRcp.js
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports);
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+var __copyProps = (to, from, except, desc) => {
+	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
+		key = keys[i];
+		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
+			get: ((k) => from[k]).bind(null, key),
+			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+		});
+	}
+	return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
+	value: mod,
+	enumerable: true
+}) : target, mod));
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+const CAPLETS_ERROR_CODES = [
+	"CONFIG_NOT_FOUND",
+	"CONFIG_EXISTS",
+	"CONFIG_INVALID",
+	"REQUEST_INVALID",
+	"SERVER_NOT_FOUND",
+	"SERVER_UNAVAILABLE",
+	"SERVER_START_TIMEOUT",
+	"UNKNOWN_OPERATION",
+	"TOOL_NOT_FOUND",
+	"TOOL_CALL_TIMEOUT",
+	"AUTH_REQUIRED",
+	"AUTH_FAILED",
+	"AUTH_REFRESH_FAILED",
+	"DOWNSTREAM_PROTOCOL_ERROR",
+	"DOWNSTREAM_TOOL_ERROR",
+	"UNSUPPORTED_OPERATION",
+	"UNSUPPORTED_CAPABILITY",
+	"PROMPT_NOT_FOUND",
+	"DOWNSTREAM_RESOURCE_ERROR",
+	"DOWNSTREAM_PROMPT_ERROR",
+	"DOWNSTREAM_COMPLETION_ERROR",
+	"UNSUPPORTED_TRANSPORT",
+	"INTERNAL_ERROR"
+];
+var CapletsError = class extends Error {
+	code;
+	details;
+	constructor(code, message, details) {
+		super(message);
+		this.name = "CapletsError";
+		this.code = code;
+		this.details = details;
+	}
+};
+const SECRET_KEY_PATTERN = /(token|secret|authorization|auth|api[-_]?key|password|credential|clientsecret|client_secret|code|refresh)/i;
+const SECRET_VALUE_PATTERN = /(bearer\s+)[a-z0-9._~+/=-]+|([?&](?:access_token|refresh_token|token|code)=)[^&\s]+/gi;
+function redactSecrets(value) {
+	if (typeof value === "string") return value.replace(SECRET_VALUE_PATTERN, "$1$2[REDACTED]");
+	if (Array.isArray(value)) return value.map((item) => redactSecrets(item));
+	if (value && typeof value === "object") {
+		const redacted = {};
+		for (const [key, nested] of Object.entries(value)) redacted[key] = SECRET_KEY_PATTERN.test(key) ? "[REDACTED]" : redactSecrets(nested);
+		return redacted;
+	}
+	return value;
+}
+function toSafeError(error, fallback = "INTERNAL_ERROR") {
+	if (error instanceof CapletsError) return {
+		code: error.code,
+		message: String(redactSecrets(error.message)),
+		...error.details === void 0 ? {} : { details: redactSecrets(error.details) }
+	};
+	if (error instanceof Error) return {
+		code: fallback,
+		message: String(redactSecrets(error.message))
+	};
+	return {
+		code: fallback,
+		message: String(redactSecrets(error))
+	};
+}
+function errorResult(error, fallback) {
+	const safe = toSafeError(error, fallback);
+	return {
+		isError: true,
+		content: [{
+			type: "text",
+			text: `${safe.code}: ${safe.message}`
+		}],
+		structuredContent: { error: safe }
+	};
+}
+function textContent(text) {
+	return text ? [{
+		type: "text",
+		text
+	}] : [];
+}
+function compactJsonText(value, maxLength = 600) {
+	return compactText(JSON.stringify(value) ?? String(value), maxLength);
+}
+function compactText(value, maxLength = 600) {
+	const collapsed = value.replace(/\s+/gu, " ").trim();
+	return collapsed.length > maxLength ? `${collapsed.slice(0, maxLength - 1).trimEnd()}…` : collapsed;
+}
+function resultKeys(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return "scalar result";
+	const keys = Object.keys(value).filter((key) => key !== "elapsedMs");
+	return keys.length > 0 ? `structured keys: ${keys.join(", ")}` : "empty structured result";
+}
+function statusSummary(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return compactJsonText(value);
+	const record = value;
+	return [
+		typeof record.status === "number" ? `status ${record.status}` : void 0,
+		typeof record.statusText === "string" && record.statusText ? record.statusText : void 0,
+		typeof record.exitCode === "number" ? `exit ${record.exitCode}` : void 0,
+		"body" in record ? "body" : void 0,
+		"json" in record ? "json" : void 0,
+		typeof record.stdout === "string" && record.stdout ? "stdout" : void 0,
+		typeof record.stderr === "string" && record.stderr ? "stderr" : void 0
+	].filter((part) => Boolean(part)).join("; ") || resultKeys(record);
+}
+function compactStructuredContent(value) {
+	return textContent(statusSummary(value));
+}
+function searchToolList(tools, query, limit, compact) {
+	const tokens = query.toLocaleLowerCase().split(/\s+/).filter(Boolean);
+	return tools.filter((tool) => {
+		const haystack = `${tool.name}\n${tool.description ?? ""}`.toLocaleLowerCase();
+		return tokens.some((token) => haystack.includes(token));
+	}).sort((left, right) => left.name.localeCompare(right.name)).slice(0, limit).map(compact);
+}
+const DEFAULT_INPUT_SCHEMA$1 = {
+	type: "object",
+	additionalProperties: true
+};
+var CliToolsManager = class {
+	registry;
+	constructor(registry) {
+		this.registry = registry;
+	}
+	updateRegistry(registry) {
+		this.registry = registry;
+	}
+	invalidate(_serverId) {}
+	async checkTools(config) {
+		const startedAt = Date.now();
+		try {
+			for (const action of actionsFor(config)) {
+				const cwdTemplate = action.cwd ?? config.cwd;
+				if (cwdTemplate && !cwdTemplate.includes("$input")) {
+					if (!existsSync(interpolateRequiredString(cwdTemplate, {}, "cwd"))) throw new CapletsError("CONFIG_INVALID", `CLI cwd does not exist for ${config.server}/${action.name}`);
+				}
+				if (!action.command.includes("$input")) resolveCommandPath(action.command);
+			}
+			this.registry.setStatus(config.server, "available");
+			return {
+				id: config.server,
+				status: "available",
+				toolCount: Object.keys(config.actions).length,
+				elapsedMs: Date.now() - startedAt
+			};
+		} catch (error) {
+			const safe = toSafeError(error, "SERVER_UNAVAILABLE");
+			this.registry.setStatus(config.server, "unavailable", safe);
+			return {
+				id: config.server,
+				status: "unavailable",
+				elapsedMs: Date.now() - startedAt,
+				error: safe
+			};
+		}
+	}
+	async listTools(config) {
+		return actionsFor(config).map((action) => this.toTool(action));
+	}
+	async getTool(config, toolName) {
+		return this.toTool(getAction(config, toolName));
+	}
+	async callTool(config, toolName, args) {
+		const action = getAction(config, toolName);
+		validateInput(action, args);
+		const execution = resolveExecution(config, action, args);
+		const startedAt = Date.now();
+		const controller = new AbortController();
+		const timeout = setTimeout(() => controller.abort(), execution.timeoutMs);
+		try {
+			const result = await spawnCommand(execution, controller.signal, () => Date.now() - startedAt);
+			const structured = parseStructuredResult(action, result, result.exitCode !== 0);
+			return {
+				content: compactStructuredContent(structured),
+				structuredContent: structured,
+				isError: result.exitCode !== 0
+			};
+		} catch (error) {
+			if (isAbortError$1(error)) throw new CapletsError("TOOL_CALL_TIMEOUT", `CLI tool timed out for ${config.server}/${toolName}`);
+			if (error instanceof CapletsError) throw error;
+			throw new CapletsError("DOWNSTREAM_TOOL_ERROR", `CLI tool failed for ${config.server}/${toolName}`, toSafeError(error));
+		} finally {
+			clearTimeout(timeout);
+		}
+	}
+	compact(config, tool) {
+		return {
+			id: config.server,
+			tool: tool.name,
+			...tool.description ? { description: tool.description } : {},
+			hasInputSchema: Boolean(tool.inputSchema),
+			hasOutputSchema: Boolean(tool.outputSchema)
+		};
+	}
+	search(config, tools, query, limit) {
+		return searchToolList(tools, query, limit, (tool) => this.compact(config, tool));
+	}
+	toTool(action) {
+		return {
+			name: action.name,
+			...action.description ? { description: action.description } : {},
+			inputSchema: action.inputSchema ?? DEFAULT_INPUT_SCHEMA$1,
+			...action.outputSchema ? { outputSchema: action.outputSchema } : {},
+			...action.annotations ? { annotations: action.annotations } : {}
+		};
+	}
+};
+function actionsFor(config) {
+	return Object.entries(config.actions).map(([name, action]) => ({
+		name,
+		...action
+	})).sort((left, right) => left.name.localeCompare(right.name));
+}
+function getAction(config, toolName) {
+	const actions = actionsFor(config);
+	const action = actions.find((candidate) => candidate.name === toolName);
+	if (!action) throw new CapletsError("TOOL_NOT_FOUND", `Tool ${toolName} was not found on ${config.server}`, {
+		server: config.server,
+		tool: toolName,
+		suggestions: actions.map((candidate) => candidate.name).filter((name) => name.toLocaleLowerCase().includes(toolName.toLocaleLowerCase()[0] ?? "")).slice(0, 5)
+	});
+	return action;
+}
+function resolveExecution(config, action, input) {
+	const cwd = interpolateString(action.cwd ?? config.cwd, input, "cwd");
+	if (cwd && !existsSync(cwd)) throw new CapletsError("CONFIG_INVALID", `CLI cwd does not exist for ${config.server}/${action.name}`);
+	const env = {
+		...process.env,
+		...resolveEnv(config.env, input),
+		...resolveEnv(action.env, input)
+	};
+	return {
+		command: interpolateString(action.command, input, "command") ?? action.command,
+		args: (action.args ?? []).map((arg, index) => interpolateRequiredString(arg, input, `args.${index}`)),
+		...cwd ? { cwd } : {},
+		env,
+		timeoutMs: action.timeoutMs ?? config.timeoutMs,
+		maxOutputBytes: action.maxOutputBytes ?? config.maxOutputBytes
+	};
+}
+function resolveEnv(env, input) {
+	if (!env) return {};
+	return Object.fromEntries(Object.entries(env).map(([key, value]) => [key, interpolateRequiredString(value, input, `env.${key}`)]));
+}
+function interpolateString(value, input, field) {
+	return value === void 0 ? void 0 : interpolateRequiredString(value, input, field);
+}
+function interpolateRequiredString(value, input, field) {
+	return value.replace(/\$input(?:\.([A-Za-z0-9_.-]+))?/g, (_match, path) => {
+		if (!path) throw new CapletsError("REQUEST_INVALID", `CLI ${field} cannot interpolate $input directly`);
+		const selected = valueAtPath$1(input, path);
+		if (selected === void 0 || selected === null) throw new CapletsError("REQUEST_INVALID", `CLI ${field} references missing input ${path}`);
+		if (typeof selected !== "string" && typeof selected !== "number" && typeof selected !== "boolean") throw new CapletsError("REQUEST_INVALID", `CLI ${field} input ${path} must be a string, number, or boolean`);
+		return String(selected);
+	});
+}
+function valueAtPath$1(input, path) {
+	let current = input;
+	for (const segment of path.split(".")) {
+		if (!current || typeof current !== "object" || Array.isArray(current)) return;
+		current = current[segment];
+	}
+	return current;
+}
+function validateInput(action, input) {
+	const schema = action.inputSchema;
+	if (!schema) return;
+	const required = Array.isArray(schema.required) ? schema.required : [];
+	for (const key of required) if (typeof key === "string" && (input[key] === void 0 || input[key] === null)) throw new CapletsError("REQUEST_INVALID", `CLI tool ${action.name} requires input ${key}`);
+	const properties = isPlainObject$6(schema.properties) ? schema.properties : {};
+	for (const [key, property] of Object.entries(properties)) {
+		if (input[key] === void 0 || !isPlainObject$6(property) || typeof property.type !== "string") continue;
+		if (!matchesJsonType(input[key], property.type)) throw new CapletsError("REQUEST_INVALID", `CLI tool ${action.name} input ${key} must be ${property.type}`);
+	}
+}
+function matchesJsonType(value, type) {
+	switch (type) {
+		case "string": return typeof value === "string";
+		case "number":
+		case "integer": return typeof value === "number" && (type === "number" || Number.isInteger(value));
+		case "boolean": return typeof value === "boolean";
+		case "object": return isPlainObject$6(value);
+		case "array": return Array.isArray(value);
+		case "null": return value === null;
+		default: return true;
+	}
+}
+function spawnCommand(execution, signal, elapsedMs) {
+	return new Promise((resolve, reject) => {
+		let stdout = "";
+		let stderr = "";
+		let outputBytes = 0;
+		const child = spawn(execution.command, execution.args, {
+			cwd: execution.cwd,
+			env: execution.env,
+			shell: false,
+			signal,
+			windowsHide: true
+		});
+		child.on("error", reject);
+		const append = (stream, chunk) => {
+			outputBytes += chunk.byteLength;
+			if (outputBytes > execution.maxOutputBytes) {
+				child.kill();
+				reject(new CapletsError("DOWNSTREAM_TOOL_ERROR", "CLI tool output exceeded byte limit"));
+				return;
+			}
+			if (stream === "stdout") stdout += chunk.toString("utf8");
+			else stderr += chunk.toString("utf8");
+		};
+		child.stdout?.on("data", (chunk) => append("stdout", chunk));
+		child.stderr?.on("data", (chunk) => append("stderr", chunk));
+		child.on("close", (exitCode, childSignal) => {
+			resolve({
+				exitCode,
+				signal: childSignal,
+				stdout,
+				stderr,
+				elapsedMs: elapsedMs()
+			});
+		});
+	});
+}
+function parseStructuredResult(action, result, tolerateInvalidJson = false) {
+	const structured = {
+		exitCode: result.exitCode,
+		stdout: result.stdout,
+		stderr: result.stderr,
+		elapsedMs: result.elapsedMs,
+		...result.signal ? { signal: result.signal } : {}
+	};
+	if (action.output?.type === "json" && result.stdout.trim()) try {
+		structured.json = JSON.parse(result.stdout);
+	} catch (error) {
+		if (tolerateInvalidJson) {
+			structured.jsonParseError = toSafeError(error);
+			return structured;
+		}
+		throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", `CLI tool ${action.name} stdout was not valid JSON`, toSafeError(error));
+	}
+	return structured;
+}
+function resolveCommandPath(command) {
+	if (isAbsolute(command) || /[\\/]/.test(command)) {
+		assertExecutable(command);
+		return command;
+	}
+	for (const directory of (process.env.PATH ?? "").split(delimiter)) {
+		if (!directory) continue;
+		const candidate = join(directory, command);
+		if (isExecutable(candidate)) return candidate;
+		if (process.platform === "win32") for (const ext of (process.env.PATHEXT ?? ".EXE;.CMD;.BAT").split(";")) {
+			const windowsCandidate = join(directory, `${command}${ext.toLowerCase()}`);
+			if (isExecutable(windowsCandidate)) return windowsCandidate;
+		}
+	}
+	throw new CapletsError("SERVER_UNAVAILABLE", `CLI command ${command} was not found on PATH`);
+}
+function assertExecutable(path) {
+	if (!isExecutable(path)) throw new CapletsError("SERVER_UNAVAILABLE", `CLI command ${path} is not executable`);
+}
+function isExecutable(path) {
+	try {
+		accessSync(path, constants.X_OK);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function isAbortError$1(error) {
+	return error instanceof Error && error.name === "AbortError";
+}
+function isPlainObject$6(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
 /** @deprecated Use the raw string literal codes instead, e.g. "invalid_type". */
 const ZodIssueCode$1 = {
 	invalid_type: "invalid_type",
@@ -12489,9 +12638,9 @@ const capletMcpServerSchema = object$1({
 	cwd: string().min(1).optional().describe("Working directory for stdio servers."),
 	url: string().min(1).optional().describe("Remote MCP server URL for http or sse transport."),
 	auth: capletRemoteAuthSchema.optional(),
-	startupTimeoutMs: number$1().int().positive().optional().describe("Timeout in milliseconds for starting or checking a downstream server."),
-	callTimeoutMs: number$1().int().positive().optional().describe("Timeout in milliseconds for downstream tool calls."),
-	toolCacheTtlMs: number$1().int().nonnegative().optional().describe("Milliseconds downstream tool metadata stays fresh. Set 0 to refresh every time."),
+	startupTimeoutMs: number$2().int().positive().optional().describe("Timeout in milliseconds for starting or checking a downstream server."),
+	callTimeoutMs: number$2().int().positive().optional().describe("Timeout in milliseconds for downstream tool calls."),
+	toolCacheTtlMs: number$2().int().nonnegative().optional().describe("Milliseconds downstream tool metadata stays fresh. Set 0 to refresh every time."),
 	disabled: boolean().optional().describe("When true, omit this Caplet from discovery and do not start its MCP server.")
 }).strict().superRefine((server, ctx) => {
 	const effectiveTransport = server.transport ?? (server.command ? "stdio" : void 0);
@@ -12546,8 +12695,8 @@ const capletOpenApiEndpointSchema = object$1({
 	specUrl: string().min(1).optional().describe("Remote OpenAPI specification URL."),
 	baseUrl: string().min(1).optional().describe("Override base URL for OpenAPI requests."),
 	auth: capletEndpointAuthSchema.describe("Explicit OpenAPI request auth config. Use {\"type\":\"none\"} for public APIs."),
-	requestTimeoutMs: number$1().int().positive().optional().describe("Timeout in milliseconds for OpenAPI HTTP requests."),
-	operationCacheTtlMs: number$1().int().nonnegative().optional().describe("Milliseconds OpenAPI operation metadata stays fresh. Set 0 to refresh every time."),
+	requestTimeoutMs: number$2().int().positive().optional().describe("Timeout in milliseconds for OpenAPI HTTP requests."),
+	operationCacheTtlMs: number$2().int().nonnegative().optional().describe("Milliseconds OpenAPI operation metadata stays fresh. Set 0 to refresh every time."),
 	disabled: boolean().optional().describe("When true, omit this Caplet from discovery.")
 }).strict().superRefine((endpoint, ctx) => {
 	if (Boolean(endpoint.specPath) === Boolean(endpoint.specUrl)) ctx.addIssue({
@@ -12584,9 +12733,9 @@ const capletGraphQlEndpointSchema = object$1({
 	introspection: literal(true).optional().describe("Load schema through endpoint introspection."),
 	operations: record(string().regex(SERVER_ID_PATTERN), capletGraphQlOperationSchema).optional().describe("Configured GraphQL operations keyed by stable tool name."),
 	auth: capletEndpointAuthSchema.describe("Explicit GraphQL request auth config. Use {\"type\":\"none\"} for public APIs."),
-	requestTimeoutMs: number$1().int().positive().optional().describe("Timeout in milliseconds for GraphQL HTTP requests."),
-	operationCacheTtlMs: number$1().int().nonnegative().optional().describe("Milliseconds GraphQL operation metadata stays fresh. Set 0 to refresh every time."),
-	selectionDepth: number$1().int().positive().max(5).optional().describe("Maximum depth for auto-generated GraphQL selection sets."),
+	requestTimeoutMs: number$2().int().positive().optional().describe("Timeout in milliseconds for GraphQL HTTP requests."),
+	operationCacheTtlMs: number$2().int().nonnegative().optional().describe("Milliseconds GraphQL operation metadata stays fresh. Set 0 to refresh every time."),
+	selectionDepth: number$2().int().positive().max(5).optional().describe("Maximum depth for auto-generated GraphQL selection sets."),
 	disabled: boolean().optional().describe("When true, omit this Caplet from discovery.")
 }).strict().superRefine((endpoint, ctx) => {
 	if (Number(Boolean(endpoint.schemaPath)) + Number(Boolean(endpoint.schemaUrl)) + Number(endpoint.introspection === true) !== 1) ctx.addIssue({
@@ -12607,7 +12756,7 @@ const capletGraphQlEndpointSchema = object$1({
 });
 const httpScalarMappingSchema$1 = record(string(), union([
 	string(),
-	number$1(),
+	number$2(),
 	boolean()
 ]));
 const capletHttpActionSchema = object$1({
@@ -12635,8 +12784,8 @@ const capletHttpApiSchema = object$1({
 	baseUrl: string().min(1).regex(HTTP_BASE_URL_PATTERN, "HTTP API baseUrl must not include credentials, query, or fragment").describe("Base URL for HTTP action requests."),
 	auth: capletEndpointAuthSchema.describe("Explicit HTTP API request auth config. Use {\"type\":\"none\"} for public APIs."),
 	actions: record(string().regex(SERVER_ID_PATTERN), capletHttpActionSchema).refine((actions) => Object.keys(actions).length > 0, "HTTP API must define at least one action").describe("Configured HTTP actions keyed by stable tool name."),
-	requestTimeoutMs: number$1().int().positive().optional().describe("Timeout in milliseconds for HTTP action requests."),
-	maxResponseBytes: number$1().int().positive().optional().describe("Maximum HTTP action response body bytes to read."),
+	requestTimeoutMs: number$2().int().positive().optional().describe("Timeout in milliseconds for HTTP action requests."),
+	maxResponseBytes: number$2().int().positive().optional().describe("Maximum HTTP action response body bytes to read."),
 	disabled: boolean().optional().describe("When true, omit this Caplet from discovery.")
 }).strict().superRefine((api, ctx) => {
 	if (api.baseUrl && !hasEnvReference$1(api.baseUrl) && !isAllowedHttpBaseUrl(api.baseUrl)) ctx.addIssue({
@@ -12666,8 +12815,8 @@ const capletCliToolActionSchema = object$1({
 	args: array(string()).optional().describe("Arguments passed to the command."),
 	env: record(string(), string()).optional().describe("Additional environment variables."),
 	cwd: string().min(1).optional().describe("Working directory for this action."),
-	timeoutMs: number$1().int().positive().optional(),
-	maxOutputBytes: number$1().int().positive().optional(),
+	timeoutMs: number$2().int().positive().optional(),
+	maxOutputBytes: number$2().int().positive().optional(),
 	output: capletCliToolOutputSchema.optional(),
 	annotations: capletCliToolAnnotationsSchema.optional()
 }).strict();
@@ -12675,16 +12824,16 @@ const capletCliToolsSchema = object$1({
 	actions: record(string().regex(SERVER_ID_PATTERN), capletCliToolActionSchema).refine((actions) => Object.keys(actions).length > 0, "CLI tools backend must define at least one action").describe("Configured CLI actions keyed by stable tool name."),
 	cwd: string().min(1).optional().describe("Default working directory for CLI actions."),
 	env: record(string(), string()).optional().describe("Default environment variables."),
-	timeoutMs: number$1().int().positive().optional(),
-	maxOutputBytes: number$1().int().positive().optional(),
+	timeoutMs: number$2().int().positive().optional(),
+	maxOutputBytes: number$2().int().positive().optional(),
 	disabled: boolean().optional().describe("When true, omit this Caplet from discovery.")
 }).strict();
 const capletSetSchema = object$1({
 	configPath: string().min(1).optional().describe("Child Caplets config.json path."),
 	capletsRoot: string().min(1).optional().describe("Child Markdown Caplets root directory."),
-	defaultSearchLimit: number$1().int().positive().optional(),
-	maxSearchLimit: number$1().int().positive().max(50).optional(),
-	toolCacheTtlMs: number$1().int().nonnegative().optional(),
+	defaultSearchLimit: number$2().int().positive().optional(),
+	maxSearchLimit: number$2().int().positive().max(50).optional(),
+	toolCacheTtlMs: number$2().int().nonnegative().optional(),
 	disabled: boolean().optional().describe("When true, omit this Caplet from discovery.")
 }).strict().superRefine((set, ctx) => {
 	if (!set.configPath && !set.capletsRoot) ctx.addIssue({
@@ -12922,14 +13071,24 @@ function defaultStateBaseDir(env = process.env, home = homedir(), platform = pro
 	if (platform === "win32") return env.LOCALAPPDATA && win32.isAbsolute(env.LOCALAPPDATA) ? env.LOCALAPPDATA : win32.join(home, "AppData", "Local");
 	return env.XDG_STATE_HOME && posix.isAbsolute(env.XDG_STATE_HOME) ? env.XDG_STATE_HOME : posix.join(home, ".local", "state");
 }
+function defaultCacheBaseDir(env = process.env, home = homedir(), platform = process.platform) {
+	if (platform === "win32") return env.LOCALAPPDATA && win32.isAbsolute(env.LOCALAPPDATA) ? env.LOCALAPPDATA : win32.join(home, "AppData", "Local");
+	if (platform === "darwin") return posix.join(home, "Library", "Caches");
+	return env.XDG_CACHE_HOME && posix.isAbsolute(env.XDG_CACHE_HOME) ? env.XDG_CACHE_HOME : posix.join(home, ".cache");
+}
 function defaultConfigPath(env = process.env, home = homedir(), platform = process.platform) {
 	return (platform === "win32" ? win32.join : posix.join)(defaultConfigBaseDir(env, home, platform), "caplets", "config.json");
 }
 function defaultAuthDir(env = process.env, home = homedir(), platform = process.platform) {
 	return (platform === "win32" ? win32.join : posix.join)(defaultStateBaseDir(env, home, platform), "caplets", "auth");
 }
+function defaultCompletionCacheDir(env = process.env, home = homedir(), platform = process.platform) {
+	const pathJoin = platform === "win32" ? win32.join : posix.join;
+	return platform === "win32" ? pathJoin(defaultCacheBaseDir(env, home, platform), "caplets", "cache", "completions") : pathJoin(defaultCacheBaseDir(env, home, platform), "caplets", "completions");
+}
 const DEFAULT_CONFIG_PATH = defaultConfigPath();
 const DEFAULT_AUTH_DIR = defaultAuthDir();
+const DEFAULT_COMPLETION_CACHE_DIR = defaultCompletionCacheDir();
 const PROJECT_CONFIG_FILE = join(".caplets", "config.json");
 function resolveConfigPath(path) {
 	return path ?? DEFAULT_CONFIG_PATH;
@@ -13042,9 +13201,9 @@ const publicServerSchema = object$1({
 	url: string().url().optional().describe("Remote MCP server URL for http or sse transport."),
 	auth: remoteAuthSchema.optional(),
 	tags: array(string().trim().min(1).max(80)).optional(),
-	startupTimeoutMs: number$1().int().positive().default(1e4).describe("Timeout in milliseconds for starting or checking a downstream server."),
-	callTimeoutMs: number$1().int().positive().default(6e4).describe("Timeout in milliseconds for downstream tool calls."),
-	toolCacheTtlMs: number$1().int().nonnegative().default(3e4).describe("Milliseconds downstream tool metadata stays fresh. Set 0 to refresh every time."),
+	startupTimeoutMs: number$2().int().positive().default(1e4).describe("Timeout in milliseconds for starting or checking a downstream server."),
+	callTimeoutMs: number$2().int().positive().default(6e4).describe("Timeout in milliseconds for downstream tool calls."),
+	toolCacheTtlMs: number$2().int().nonnegative().default(3e4).describe("Milliseconds downstream tool metadata stays fresh. Set 0 to refresh every time."),
 	disabled: boolean().default(false).describe("When true, omit this server from Caplets discovery and do not start it.")
 }).strict();
 const normalizedServerSchema = publicServerSchema.extend({ body: string().optional() });
@@ -13056,8 +13215,8 @@ const publicOpenApiEndpointSchema = object$1({
 	baseUrl: string().url().optional().describe("Override base URL for OpenAPI requests."),
 	auth: openApiAuthSchema.describe("Explicit OpenAPI request auth config. Use {\"type\":\"none\"} for public APIs."),
 	tags: array(string().trim().min(1).max(80)).optional(),
-	requestTimeoutMs: number$1().int().positive().default(6e4).describe("Timeout in milliseconds for OpenAPI HTTP requests."),
-	operationCacheTtlMs: number$1().int().nonnegative().default(3e4).describe("Milliseconds OpenAPI operation metadata stays fresh. Set 0 to refresh every time."),
+	requestTimeoutMs: number$2().int().positive().default(6e4).describe("Timeout in milliseconds for OpenAPI HTTP requests."),
+	operationCacheTtlMs: number$2().int().nonnegative().default(3e4).describe("Milliseconds OpenAPI operation metadata stays fresh. Set 0 to refresh every time."),
 	disabled: boolean().default(false).describe("When true, omit this OpenAPI Caplet from discovery.")
 }).strict();
 const normalizedOpenApiEndpointSchema = publicOpenApiEndpointSchema.extend({ body: string().optional() });
@@ -13082,9 +13241,9 @@ const publicGraphQlEndpointSchema = object$1({
 	operations: record(string().regex(SERVER_ID_PATTERN), graphQlOperationSchema).optional().describe("Configured GraphQL operations keyed by stable tool name."),
 	auth: openApiAuthSchema.describe("Explicit GraphQL request auth config. Use {\"type\":\"none\"} for public APIs."),
 	tags: array(string().trim().min(1).max(80)).optional(),
-	requestTimeoutMs: number$1().int().positive().default(6e4).describe("Timeout in milliseconds for GraphQL HTTP requests."),
-	operationCacheTtlMs: number$1().int().nonnegative().default(3e4).describe("Milliseconds GraphQL operation metadata stays fresh. Set 0 to refresh every time."),
-	selectionDepth: number$1().int().positive().max(5).default(2).describe("Maximum depth for auto-generated GraphQL selection sets."),
+	requestTimeoutMs: number$2().int().positive().default(6e4).describe("Timeout in milliseconds for GraphQL HTTP requests."),
+	operationCacheTtlMs: number$2().int().nonnegative().default(3e4).describe("Milliseconds GraphQL operation metadata stays fresh. Set 0 to refresh every time."),
+	selectionDepth: number$2().int().positive().max(5).default(2).describe("Maximum depth for auto-generated GraphQL selection sets."),
 	disabled: boolean().default(false).describe("When true, omit this GraphQL Caplet.")
 }).strict().superRefine((endpoint, ctx) => {
 	if (Number(Boolean(endpoint.schemaPath)) + Number(Boolean(endpoint.schemaUrl)) + Number(endpoint.introspection === true) !== 1) ctx.addIssue({
@@ -13095,7 +13254,7 @@ const publicGraphQlEndpointSchema = object$1({
 const normalizedGraphQlEndpointSchema = publicGraphQlEndpointSchema.extend({ body: string().optional() });
 const httpScalarMappingSchema = record(string(), union([
 	string(),
-	number$1(),
+	number$2(),
 	boolean()
 ]));
 const httpActionSchema = object$1({
@@ -13127,8 +13286,8 @@ const publicHttpApiSchema = object$1({
 	auth: openApiAuthSchema.describe("Explicit HTTP API request auth config. Use {\"type\":\"none\"} for public APIs."),
 	actions: record(string().regex(SERVER_ID_PATTERN), httpActionSchema).refine((actions) => Object.keys(actions).length > 0, "HTTP API must define at least one action").describe("Configured HTTP actions keyed by stable tool name."),
 	tags: array(string().trim().min(1).max(80)).optional(),
-	requestTimeoutMs: number$1().int().positive().default(6e4).describe("Timeout in milliseconds for HTTP action requests."),
-	maxResponseBytes: number$1().int().positive().default(2e5).describe("Maximum HTTP action response body bytes to read."),
+	requestTimeoutMs: number$2().int().positive().default(6e4).describe("Timeout in milliseconds for HTTP action requests."),
+	maxResponseBytes: number$2().int().positive().default(2e5).describe("Maximum HTTP action response body bytes to read."),
 	disabled: boolean().default(false).describe("When true, omit this HTTP API Caplet.")
 }).strict();
 const normalizedHttpApiSchema = publicHttpApiSchema.extend({ body: string().optional() });
@@ -13147,8 +13306,8 @@ const cliToolActionSchema = object$1({
 	args: array(string()).optional().describe("Arguments passed to the command."),
 	env: record(string(), string()).optional().describe("Additional environment variables for the command."),
 	cwd: string().min(1).optional().describe("Working directory for this action."),
-	timeoutMs: number$1().int().positive().optional().describe("Command timeout in milliseconds."),
-	maxOutputBytes: number$1().int().positive().optional().describe("Maximum combined stdout and stderr bytes to keep."),
+	timeoutMs: number$2().int().positive().optional().describe("Command timeout in milliseconds."),
+	maxOutputBytes: number$2().int().positive().optional().describe("Maximum combined stdout and stderr bytes to keep."),
 	output: cliToolOutputSchema.optional(),
 	annotations: cliToolAnnotationsSchema.optional()
 }).strict();
@@ -13159,8 +13318,8 @@ const publicCliToolsSchema = object$1({
 	cwd: string().min(1).optional().describe("Default working directory for CLI actions."),
 	env: record(string(), string()).optional().describe("Default environment variables for CLI actions."),
 	tags: array(string().trim().min(1).max(80)).optional(),
-	timeoutMs: number$1().int().positive().default(6e4).describe("Default timeout in milliseconds for CLI actions."),
-	maxOutputBytes: number$1().int().positive().default(2e5).describe("Default maximum combined stdout and stderr bytes to keep."),
+	timeoutMs: number$2().int().positive().default(6e4).describe("Default timeout in milliseconds for CLI actions."),
+	maxOutputBytes: number$2().int().positive().default(2e5).describe("Default maximum combined stdout and stderr bytes to keep."),
 	disabled: boolean().default(false).describe("When true, omit this CLI tools Caplet.")
 }).strict();
 const normalizedCliToolsSchema = publicCliToolsSchema.extend({ body: string().optional() });
@@ -13169,9 +13328,9 @@ const publicCapletSetSchema = object$1({
 	description: string().describe("Capability description shown before child Caplets are disclosed.").refine((value) => value.trim().length >= 10, "description must contain at least 10 non-whitespace characters").refine((value) => value.length <= 1500, "description must be at most 1500 characters"),
 	configPath: string().min(1).optional().describe("Child Caplets config.json path."),
 	capletsRoot: string().min(1).optional().describe("Child Markdown Caplets root directory."),
-	defaultSearchLimit: number$1().int().positive().default(20).describe("Default maximum number of child Caplet search results."),
-	maxSearchLimit: number$1().int().positive().max(50).default(50).describe("Maximum accepted child Caplet search result limit."),
-	toolCacheTtlMs: number$1().int().nonnegative().default(3e4).describe("Milliseconds child Caplet metadata stays fresh. Set 0 to refresh every time."),
+	defaultSearchLimit: number$2().int().positive().default(20).describe("Default maximum number of child Caplet search results."),
+	maxSearchLimit: number$2().int().positive().max(50).default(50).describe("Maximum accepted child Caplet search result limit."),
+	toolCacheTtlMs: number$2().int().nonnegative().default(3e4).describe("Milliseconds child Caplet metadata stays fresh. Set 0 to refresh every time."),
 	tags: array(string().trim().min(1).max(80)).optional(),
 	disabled: boolean().default(false).describe("When true, omit this Caplet set.")
 }).strict().superRefine((set, ctx) => {
@@ -13190,8 +13349,19 @@ function configSchemaFor(serverValueSchema, openApiEndpointValueSchema, graphQlE
 	return object$1({
 		$schema: string().url().optional().describe("Optional JSON Schema URL for editor validation."),
 		version: literal(1).default(1).describe("Caplets config schema version."),
-		defaultSearchLimit: number$1().int().positive().default(20).describe("Default maximum number of same-server search results."),
-		maxSearchLimit: number$1().int().positive().max(50).default(50).describe("Maximum accepted search_tools limit."),
+		defaultSearchLimit: number$2().int().positive().default(20).describe("Default maximum number of same-server search results."),
+		maxSearchLimit: number$2().int().positive().max(50).default(50).describe("Maximum accepted search_tools limit."),
+		completion: object$1({
+			discoveryTimeoutMs: number$2().int().positive().default(750),
+			overallTimeoutMs: number$2().int().positive().default(1500),
+			cacheTtlMs: number$2().int().nonnegative().default(3e5),
+			negativeCacheTtlMs: number$2().int().nonnegative().default(3e4)
+		}).strict().default({
+			discoveryTimeoutMs: 750,
+			overallTimeoutMs: 1500,
+			cacheTtlMs: 3e5,
+			negativeCacheTtlMs: 3e4
+		}).describe("Shell completion discovery timeout and cache settings."),
 		mcpServers: record(string().regex(SERVER_ID_PATTERN), serverValueSchema).default({}).describe("Downstream MCP servers keyed by stable server ID."),
 		openapiEndpoints: record(string().regex(SERVER_ID_PATTERN), openApiEndpointValueSchema).default({}).describe("OpenAPI endpoints keyed by stable Caplet ID."),
 		graphqlEndpoints: record(string().regex(SERVER_ID_PATTERN), graphQlEndpointValueSchema).default({}).describe("GraphQL endpoints keyed by stable Caplet ID."),
@@ -13442,7 +13612,7 @@ function loadConfigWithSources(path = resolveConfigPath(), projectPath = resolve
 	const userConfig = hasUserConfig ? readPublicConfigInput(path) : void 0;
 	const userCaplets = loadCapletFilesWithPaths(resolveCapletsRoot(path));
 	const projectConfig = hasProjectConfig ? rejectProjectConfigExecutableBackendMaps(readPublicConfigInput(projectPath), projectPath) : void 0;
-	const projectCapletsRoot = resolveProjectCapletsRootForConfigPath(projectPath);
+	const projectCapletsRoot = resolveProjectCapletsRootForConfigPath$1(projectPath);
 	const projectCaplets = projectCapletsRoot ? loadCapletFilesWithPaths(projectCapletsRoot) : void 0;
 	if (!hasUserConfig && !hasProjectConfig && !userCaplets && !projectCaplets) throw new CapletsError("CONFIG_NOT_FOUND", `Caplets config not found at ${path} or ${projectPath}`);
 	try {
@@ -13496,7 +13666,7 @@ function loadIsolatedConfig(options) {
 	if (Object.keys(config.mcpServers).length === 0 && Object.keys(config.openapiEndpoints).length === 0 && Object.keys(config.graphqlEndpoints).length === 0 && Object.keys(config.httpApis).length === 0 && Object.keys(config.cliTools).length === 0 && Object.keys(config.capletSets).length === 0) throw new CapletsError("CONFIG_INVALID", "Nested Caplet set must define at least one Caplet");
 	return config;
 }
-function resolveProjectCapletsRootForConfigPath(projectPath) {
+function resolveProjectCapletsRootForConfigPath$1(projectPath) {
 	const root = dirname(projectPath);
 	return basename(root) === ".caplets" && basename(projectPath) === "config.json" ? root : void 0;
 }
@@ -13706,7 +13876,8 @@ function parseConfig(input) {
 		version: parsed.data.version,
 		options: {
 			defaultSearchLimit: parsed.data.defaultSearchLimit,
-			maxSearchLimit: parsed.data.maxSearchLimit
+			maxSearchLimit: parsed.data.maxSearchLimit,
+			completion: parsed.data.completion
 		},
 		mcpServers: servers,
 		openapiEndpoints,
@@ -17286,10 +17457,10 @@ const ZodMiniType = /* @__PURE__ */ $constructor("ZodMiniType", (inst, def) => {
 	$ZodType.init(inst, def);
 	inst.def = def;
 	inst.type = def.type;
-	inst.parse = (data, params) => parse$3(inst, data, params, { callee: inst.parse });
-	inst.safeParse = (data, params) => safeParse$2(inst, data, params);
+	inst.parse = (data, params) => parse$1(inst, data, params, { callee: inst.parse });
+	inst.safeParse = (data, params) => safeParse$1(inst, data, params);
 	inst.parseAsync = async (data, params) => parseAsync$1(inst, data, params, { callee: inst.parseAsync });
-	inst.safeParseAsync = async (data, params) => safeParseAsync$2(inst, data, params);
+	inst.safeParseAsync = async (data, params) => safeParseAsync$1(inst, data, params);
 	inst.check = (...checks) => {
 		return inst.clone({
 			...def,
@@ -17335,11 +17506,11 @@ function objectFromShape(shape) {
 	throw new Error("Mixed Zod versions detected in object shape.");
 }
 function safeParse(schema, data) {
-	if (isZ4Schema(schema)) return safeParse$2(schema, data);
+	if (isZ4Schema(schema)) return safeParse$1(schema, data);
 	return schema.safeParse(data);
 }
 async function safeParseAsync(schema, data) {
-	if (isZ4Schema(schema)) return await safeParseAsync$2(schema, data);
+	if (isZ4Schema(schema)) return await safeParseAsync$1(schema, data);
 	return await schema.safeParseAsync(data);
 }
 function getObjectShape(schema) {
@@ -17453,7 +17624,7 @@ const AssertObjectSchema = custom((v) => v !== null && (typeof v === "object" ||
 /**
 * A progress token, used to associate progress notifications with the original request.
 */
-const ProgressTokenSchema = union([string(), number$1().int()]);
+const ProgressTokenSchema = union([string(), number$2().int()]);
 /**
 * An opaque token used to represent a cursor for pagination.
 */
@@ -17462,13 +17633,13 @@ looseObject({
 	/**
 	* Requested duration in milliseconds to retain task from creation.
 	*/
-	ttl: number$1().optional(),
+	ttl: number$2().optional(),
 	/**
 	* Time in milliseconds to wait between task status requests.
 	*/
-	pollInterval: number$1().optional()
+	pollInterval: number$2().optional()
 });
-const TaskMetadataSchema = object$1({ ttl: number$1().optional() });
+const TaskMetadataSchema = object$1({ ttl: number$2().optional() });
 /**
 * Metadata for associating messages with a task.
 * Include this in the `_meta` field under the key `io.modelcontextprotocol/related-task`.
@@ -17535,7 +17706,7 @@ _meta: RequestMetaSchema.optional() });
 /**
 * A uniquely identifying ID for a request in JSON-RPC.
 */
-const RequestIdSchema = union([string(), number$1().int()]);
+const RequestIdSchema = union([string(), number$2().int()]);
 /**
 * A request that expects a response.
 */
@@ -17592,7 +17763,7 @@ const JSONRPCErrorResponseSchema = object$1({
 		/**
 		* The error type that occurred.
 		*/
-		code: number$1().int(),
+		code: number$2().int(),
 		/**
 		* A short description of the error. The message SHOULD be limited to a concise single sentence.
 		*/
@@ -17928,11 +18099,11 @@ const ProgressSchema = object$1({
 	/**
 	* The progress thus far. This should increase every time progress is made, even if the total is unknown.
 	*/
-	progress: number$1(),
+	progress: number$2(),
 	/**
 	* Total number of items to process (or total progress required), if known.
 	*/
-	total: optional(number$1()),
+	total: optional(number$2()),
 	/**
 	* An optional message describing the current progress.
 	*/
@@ -17988,7 +18159,7 @@ const TaskSchema = object$1({
 	* Time in milliseconds to keep task results available after completion.
 	* If null, the task has unlimited lifetime until manually cleaned up.
 	*/
-	ttl: union([number$1(), _null()]),
+	ttl: union([number$2(), _null()]),
 	/**
 	* ISO 8601 timestamp when the task was created.
 	*/
@@ -17997,7 +18168,7 @@ const TaskSchema = object$1({
 	* ISO 8601 timestamp when the task was last updated.
 	*/
 	lastUpdatedAt: string(),
-	pollInterval: optional(number$1()),
+	pollInterval: optional(number$2()),
 	/**
 	* Optional diagnostic message for failed tasks or other status information.
 	*/
@@ -18112,7 +18283,7 @@ const AnnotationsSchema = object$1({
 	/**
 	* Importance hint for the resource, from 0 (least) to 1 (most).
 	*/
-	priority: number$1().min(0).max(1).optional(),
+	priority: number$2().min(0).max(1).optional(),
 	/**
 	* ISO 8601 timestamp for the most recent modification.
 	*/
@@ -18143,7 +18314,7 @@ const ResourceSchema = object$1({
 	*
 	* This can be used by Hosts to display file sizes and estimate context window usage.
 	*/
-	size: optional(number$1()),
+	size: optional(number$2()),
 	/**
 	* Optional annotations for the client.
 	*/
@@ -18670,7 +18841,7 @@ const ListChangedOptionsBaseSchema = object$1({
 	*
 	* @default 300
 	*/
-	debounceMs: number$1().int().nonnegative().default(300)
+	debounceMs: number$2().int().nonnegative().default(300)
 });
 /**
 * The severity of a log message.
@@ -18739,15 +18910,15 @@ name: string().optional() })).optional(),
 	/**
 	* How much to prioritize cost when selecting a model.
 	*/
-	costPriority: number$1().min(0).max(1).optional(),
+	costPriority: number$2().min(0).max(1).optional(),
 	/**
 	* How much to prioritize sampling speed (latency) when selecting a model.
 	*/
-	speedPriority: number$1().min(0).max(1).optional(),
+	speedPriority: number$2().min(0).max(1).optional(),
 	/**
 	* How much to prioritize intelligence and capabilities when selecting a model.
 	*/
-	intelligencePriority: number$1().min(0).max(1).optional()
+	intelligencePriority: number$2().min(0).max(1).optional()
 });
 /**
 * Controls tool usage behavior in sampling requests.
@@ -18837,13 +19008,13 @@ const CreateMessageRequestParamsSchema = TaskAugmentedRequestParamsSchema.extend
 		"thisServer",
 		"allServers"
 	]).optional(),
-	temperature: number$1().optional(),
+	temperature: number$2().optional(),
 	/**
 	* The requested maximum number of tokens to sample (to prevent runaway completions).
 	*
 	* The client MAY choose to sample fewer tokens than the requested maximum.
 	*/
-	maxTokens: number$1().int(),
+	maxTokens: number$2().int(),
 	stopSequences: array(string()).optional(),
 	/**
 	* Optional metadata to pass through to the LLM provider. The format of this metadata is provider-specific.
@@ -18947,8 +19118,8 @@ const StringSchemaSchema = object$1({
 	type: literal("string"),
 	title: string().optional(),
 	description: string().optional(),
-	minLength: number$1().optional(),
-	maxLength: number$1().optional(),
+	minLength: number$2().optional(),
+	maxLength: number$2().optional(),
 	format: _enum([
 		"email",
 		"uri",
@@ -18964,9 +19135,9 @@ const NumberSchemaSchema = object$1({
 	type: _enum(["number", "integer"]),
 	title: string().optional(),
 	description: string().optional(),
-	minimum: number$1().optional(),
-	maximum: number$1().optional(),
-	default: number$1().optional()
+	minimum: number$2().optional(),
+	maximum: number$2().optional(),
+	default: number$2().optional()
 });
 /**
 * Schema for single-selection enumeration without display titles for options.
@@ -19009,8 +19180,8 @@ const PrimitiveSchemaDefinitionSchema = union([
 			type: literal("array"),
 			title: string().optional(),
 			description: string().optional(),
-			minItems: number$1().optional(),
-			maxItems: number$1().optional(),
+			minItems: number$2().optional(),
+			maxItems: number$2().optional(),
 			items: object$1({
 				type: literal("string"),
 				enum: array(string())
@@ -19020,8 +19191,8 @@ const PrimitiveSchemaDefinitionSchema = union([
 			type: literal("array"),
 			title: string().optional(),
 			description: string().optional(),
-			minItems: number$1().optional(),
-			maxItems: number$1().optional(),
+			minItems: number$2().optional(),
+			maxItems: number$2().optional(),
 			items: object$1({ anyOf: array(object$1({
 				const: string(),
 				title: string()
@@ -19126,7 +19297,7 @@ const ElicitResultSchema = ResultSchema.extend({
 	*/
 	content: preprocess((val) => val === null ? void 0 : val, record(string(), union([
 		string(),
-		number$1(),
+		number$2(),
 		boolean(),
 		array(string())
 	])).optional())
@@ -19199,7 +19370,7 @@ const CompleteResultSchema = ResultSchema.extend({ completion: looseObject({
 	/**
 	* The total number of completion options available. This can exceed the number of values actually sent in the response.
 	*/
-	total: optional(number$1().int()),
+	total: optional(number$2().int()),
 	/**
 	* Indicates whether there are additional completion options beyond those provided in the current response, even if the exact total is unknown.
 	*/
@@ -28871,8 +29042,8 @@ const OAuthClientMetadataSchema = object$1({
 const OAuthClientInformationSchema = object$1({
 	client_id: string(),
 	client_secret: string().optional(),
-	client_id_issued_at: number$1().optional(),
-	client_secret_expires_at: number$1().optional()
+	client_id_issued_at: number$2().optional(),
+	client_secret_expires_at: number$2().optional()
 }).strip();
 /**
 * RFC 7591 OAuth 2.0 Dynamic Client Registration full response (client information plus metadata)
@@ -30743,8 +30914,45 @@ var FileOAuthProvider = class {
 		headers.set("content-type", "application/x-www-form-urlencoded");
 	};
 };
-async function runOAuthFlow(server, options = {}) {
+async function startOAuthFlow(server, options) {
 	if (server.transport === "stdio" || !server.url || server.auth?.type !== "oauth2" && server.auth?.type !== "oidc") throw new CapletsError("REQUEST_INVALID", `${server.server} is not a configured OAuth remote server`);
+	let redirectUrl;
+	const provider = new FileOAuthProvider(server, options.redirectUri, (url) => {
+		redirectUrl = url;
+		options.print?.(`Open this URL to authorize ${server.server}:\n${url.toString()}`);
+	}, options.authDir);
+	const scope = scopesFor(server.auth);
+	try {
+		if (await auth(provider, {
+			serverUrl: server.url,
+			...scope ? { scope } : {}
+		}) === "AUTHORIZED") return {
+			authorizationUrl: "",
+			complete: async () => {}
+		};
+	} catch (error) {
+		throw normalizeMcpOAuthError(server, error);
+	}
+	if (!redirectUrl) throw new CapletsError("AUTH_FAILED", "OAuth authorization URL was not provided");
+	return {
+		authorizationUrl: redirectUrl.toString(),
+		complete: async (callbackUrl) => {
+			assertNoOAuthCallbackError(server, callbackUrl);
+			const completion = extractCompletion(callbackUrl);
+			if (completion.state !== provider.state()) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+			try {
+				await auth(provider, {
+					serverUrl: server.url,
+					authorizationCode: completion.code,
+					...scope ? { scope } : {}
+				});
+			} catch (error) {
+				throw normalizeMcpOAuthError(server, error);
+			}
+		}
+	};
+}
+async function runOAuthFlow(server, options = {}) {
 	let callbackCode;
 	let callbackState;
 	const callback = await createLoopbackCallback((url) => {
@@ -30752,37 +30960,43 @@ async function runOAuthFlow(server, options = {}) {
 		callbackCode = url.searchParams.get("code") ?? void 0;
 		callbackState = url.searchParams.get("state") ?? void 0;
 	});
-	let redirectUrl;
-	const provider = new FileOAuthProvider(server, callback.redirectUri, (url) => {
-		redirectUrl = url;
-		options.print?.(`Open this URL to authorize ${server.server}:\n${url.toString()}`);
-	}, options.authDir);
 	try {
-		const scope = scopesFor(server.auth);
-		const first = await auth(provider, {
-			serverUrl: server.url,
-			...scope ? { scope } : {}
+		const started = await startOAuthFlow(server, {
+			redirectUri: callback.redirectUri,
+			...options.authDir ? { authDir: options.authDir } : {},
+			...options.print ? { print: options.print } : {}
 		});
-		if (first === "AUTHORIZED") return first;
-		if (!options.noOpen && redirectUrl) await (options.open ? options.open(redirectUrl.toString()) : openBrowser(redirectUrl.toString()));
+		if (!started.authorizationUrl) return "AUTHORIZED";
+		if (!options.noOpen) await (options.open ? options.open(started.authorizationUrl) : openBrowser$1(started.authorizationUrl));
 		const manualInput = options.manualInput ?? (options.noOpen ? await options.readManualInput?.() : void 0);
 		const completion = manualInput ? extractCompletion(manualInput) : await callback.waitForCode(() => callbackCode ? {
 			code: callbackCode,
 			...callbackState ? { state: callbackState } : {}
 		} : void 0);
-		const expectedState = provider.state();
-		if (completion.state !== expectedState) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
-		return await auth(provider, {
-			serverUrl: server.url,
-			authorizationCode: completion.code,
-			...scope ? { scope } : {}
-		});
+		await started.complete(completion.state ? `${callback.redirectUri}?code=${encodeURIComponent(completion.code)}&state=${encodeURIComponent(completion.state)}` : `${callback.redirectUri}?code=${encodeURIComponent(completion.code)}`);
+		return "AUTHORIZED";
 	} catch (error) {
 		throw normalizeMcpOAuthError(server, error);
 	} finally {
 		await callback.close();
 	}
 }
+function assertNoOAuthCallbackError(target, callbackUrl) {
+	let url;
+	try {
+		url = new URL(callbackUrl);
+	} catch {
+		return;
+	}
+	const error = url.searchParams.get("error");
+	if (!error) return;
+	const description = url.searchParams.get("error_description");
+	throw new CapletsError("AUTH_FAILED", description ? `OAuth provider returned an error: ${description}` : "OAuth provider returned an error", redactSecrets({
+		server: target.server,
+		error,
+		error_description: description ?? void 0
+	}));
+}
 function normalizeMcpOAuthError(server, error) {
 	if ((server.auth?.type === "oauth2" || server.auth?.type === "oidc") && !server.auth.clientId && !server.auth.clientMetadataUrl && error instanceof Error && error.message.includes("does not support dynamic client registration")) return new CapletsError("AUTH_FAILED", "OAuth is not available for this server without a host-specific OAuth app or PAT auth", {
 		server: server.server,
@@ -30790,6 +31004,75 @@ function normalizeMcpOAuthError(server, error) {
 	});
 	return error;
 }
+async function startGenericOAuthFlow(target, options) {
+	if (target.auth?.type !== "oauth2" && target.auth?.type !== "oidc") throw new CapletsError("REQUEST_INVALID", `${target.server} is not configured for OAuth`);
+	const authConfig = target.auth;
+	const redirectUri = authConfig.redirectUri ?? options.redirectUri;
+	const verifier = base64url(randomBytes(32));
+	const state = base64url(randomBytes(24));
+	const allowLoopbackHttp = isLoopbackDevelopmentTarget(target, authConfig);
+	const metadata = await discoverAuthorizationServer(target, authConfig, allowLoopbackHttp);
+	const authorizationEndpoint = authConfig.authorizationUrl ?? metadata.authorization_endpoint;
+	const tokenEndpoint = authConfig.tokenUrl ?? metadata.token_endpoint;
+	if (!authorizationEndpoint || !tokenEndpoint) throw new CapletsError("AUTH_FAILED", "OAuth metadata is missing endpoints", { server: target.server });
+	assertAllowedAuthUrl(authorizationEndpoint, "authorization endpoint", allowLoopbackHttp);
+	assertAllowedAuthUrl(tokenEndpoint, "token endpoint", allowLoopbackHttp);
+	const client = await resolveGenericClient(target, authConfig, metadata, redirectUri, allowLoopbackHttp);
+	const scope = scopesFor(authConfig);
+	const authorizationUrl = new URL(authorizationEndpoint);
+	authorizationUrl.searchParams.set("response_type", "code");
+	authorizationUrl.searchParams.set("client_id", client.clientId);
+	authorizationUrl.searchParams.set("redirect_uri", redirectUri);
+	authorizationUrl.searchParams.set("code_challenge", pkceChallenge(verifier));
+	authorizationUrl.searchParams.set("code_challenge_method", "S256");
+	authorizationUrl.searchParams.set("state", state);
+	if (scope) authorizationUrl.searchParams.set("scope", scope);
+	options.print?.(`Open this URL to authorize ${target.server}:\n${authorizationUrl.toString()}`);
+	return {
+		authorizationUrl: authorizationUrl.toString(),
+		complete: async (callbackUrl) => {
+			assertNoOAuthCallbackError(target, callbackUrl);
+			const completion = extractCompletion(callbackUrl);
+			if (completion.state !== state) throw new CapletsError("AUTH_FAILED", "OAuth callback state did not match");
+			const params = new URLSearchParams({
+				grant_type: "authorization_code",
+				code: completion.code,
+				redirect_uri: redirectUri,
+				client_id: client.clientId,
+				code_verifier: verifier
+			});
+			if (client.clientSecret) params.set("client_secret", client.clientSecret);
+			const tokenResponse = await fetchJson(tokenEndpoint, target.requestTimeoutMs, {
+				method: "POST",
+				headers: { "content-type": "application/x-www-form-urlencoded" },
+				body: params.toString()
+			}, allowLoopbackHttp);
+			const idToken = asString(tokenResponse.id_token);
+			const idClaims = parseJwtPayload(idToken);
+			validateOidcToken(authConfig, metadata, idToken, idClaims, client.clientId);
+			writeTokenBundle(stripUndefined({
+				server: target.server,
+				authType: authConfig.type,
+				accessToken: requireString(tokenResponse.access_token, "access_token"),
+				refreshToken: asString(tokenResponse.refresh_token),
+				tokenType: asString(tokenResponse.token_type),
+				expiresAt: typeof tokenResponse.expires_in === "number" ? new Date(Date.now() + tokenResponse.expires_in * 1e3).toISOString() : void 0,
+				scope: asString(tokenResponse.scope) ?? scope,
+				idToken,
+				issuer: asString(idClaims?.iss) ?? metadata.issuer ?? authConfig.issuer,
+				subject: asString(idClaims?.sub),
+				clientId: client.clientId,
+				clientSecret: client.clientSecret,
+				protectedResourceOrigin: protectedResourceOrigin(target, authConfig),
+				metadata: redactSecrets({
+					protectedResource: target.url ?? target.baseUrl ?? target.specUrl,
+					authorizationServer: metadata,
+					dynamicClient: client.dynamic ? { client_id: client.clientId } : void 0
+				})
+			}), options.authDir);
+		}
+	};
+}
 async function runGenericOAuthFlow(target, options = {}) {
 	if (target.auth?.type !== "oauth2" && target.auth?.type !== "oidc") throw new CapletsError("REQUEST_INVALID", `${target.server} is not configured for OAuth`);
 	const authConfig = target.auth;
@@ -30822,7 +31105,7 @@ async function runGenericOAuthFlow(target, options = {}) {
 		authorizationUrl.searchParams.set("state", state);
 		if (scope) authorizationUrl.searchParams.set("scope", scope);
 		options.print?.(`Open this URL to authorize ${target.server}:\n${authorizationUrl.toString()}`);
-		if (!options.noOpen) await (options.open ? options.open(authorizationUrl.toString()) : openBrowser(authorizationUrl.toString()));
+		if (!options.noOpen) await (options.open ? options.open(authorizationUrl.toString()) : openBrowser$1(authorizationUrl.toString()));
 		const manualInput = options.manualInput ?? (options.noOpen ? await options.readManualInput?.() : void 0);
 		const completion = manualInput ? extractCompletion(manualInput) : await callback.waitForCode(() => callbackCode ? {
 			code: callbackCode,
@@ -30925,7 +31208,7 @@ async function createLoopbackCallback(onCallback) {
 		close: () => new Promise((resolve) => server.close(() => resolve()))
 	};
 }
-async function openBrowser(url) {
+async function openBrowser$1(url) {
 	const { spawn } = await import("node:child_process");
 	spawn(process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open", process.platform === "win32" ? [
 		"/c",
@@ -31135,14 +31418,28 @@ var DownstreamManager = class {
 	async checkServer(server) {
 		const startedAt = Date.now();
 		try {
+			const capabilities = (await this.connect(server)).client.getServerCapabilities() ?? {};
 			const tools = await this.refreshTools(server, true);
 			this.registry.setStatus(server.server, "available");
-			return {
+			const result = {
 				id: server.server,
 				status: "available",
+				capabilities: {
+					tools: Boolean(capabilities.tools),
+					resources: Boolean(capabilities.resources),
+					resourceTemplates: Boolean(capabilities.resources),
+					prompts: Boolean(capabilities.prompts),
+					completions: Boolean(capabilities.completions)
+				},
 				toolCount: tools.length,
 				elapsedMs: Date.now() - startedAt
 			};
+			if (capabilities.resources) Object.assign(result, {
+				resourceCount: (await this.listResources(server, true)).length,
+				resourceTemplateCount: (await this.listResourceTemplates(server, true)).length
+			});
+			if (capabilities.prompts) Object.assign(result, { promptCount: (await this.listPrompts(server, true)).length });
+			return result;
 		} catch (error) {
 			const safe = toSafeError(error, "SERVER_UNAVAILABLE");
 			this.registry.setStatus(server.server, "unavailable", safe);
@@ -31184,6 +31481,86 @@ var DownstreamManager = class {
 			throw new CapletsError("DOWNSTREAM_TOOL_ERROR", `Downstream tool failed for ${server.server}/${toolName}`, toSafeError(error));
 		}
 	}
+	async listResources(server, force = false) {
+		const connection = await this.assertCapability(server, "resources");
+		if (!force && connection.resources && this.isCacheFresh(connection.resourcesFetchedAt, server.toolCacheTtlMs)) return connection.resources;
+		const resources = [];
+		let cursor;
+		do {
+			const result = await connection.client.listResources(cursor ? { cursor } : void 0, { timeout: server.startupTimeoutMs });
+			resources.push(...result.resources ?? []);
+			cursor = result.nextCursor;
+		} while (cursor);
+		connection.resources = resources;
+		connection.resourcesFetchedAt = Date.now();
+		return resources;
+	}
+	async listResourceTemplates(server, force = false) {
+		const connection = await this.assertCapability(server, "resources");
+		if (!force && connection.resourceTemplates && this.isCacheFresh(connection.resourceTemplatesFetchedAt, server.toolCacheTtlMs)) return connection.resourceTemplates;
+		const resourceTemplates = [];
+		let cursor;
+		do {
+			const result = await connection.client.listResourceTemplates(cursor ? { cursor } : void 0, { timeout: server.startupTimeoutMs });
+			resourceTemplates.push(...result.resourceTemplates ?? []);
+			cursor = result.nextCursor;
+		} while (cursor);
+		connection.resourceTemplates = resourceTemplates;
+		connection.resourceTemplatesFetchedAt = Date.now();
+		return resourceTemplates;
+	}
+	async readResource(server, uri) {
+		const connection = await this.assertCapability(server, "resources");
+		try {
+			return await connection.client.readResource({ uri }, { timeout: server.callTimeoutMs });
+		} catch (error) {
+			throw new CapletsError("DOWNSTREAM_RESOURCE_ERROR", `Downstream resource read failed for ${server.server}/${uri}`, toSafeError(error));
+		}
+	}
+	async listPrompts(server, force = false) {
+		const connection = await this.assertCapability(server, "prompts");
+		if (!force && connection.prompts && this.isCacheFresh(connection.promptsFetchedAt, server.toolCacheTtlMs)) return connection.prompts;
+		const prompts = [];
+		let cursor;
+		do {
+			const result = await connection.client.listPrompts(cursor ? { cursor } : void 0, { timeout: server.startupTimeoutMs });
+			prompts.push(...result.prompts ?? []);
+			cursor = result.nextCursor;
+		} while (cursor);
+		connection.prompts = prompts;
+		connection.promptsFetchedAt = Date.now();
+		return prompts;
+	}
+	async getPrompt(server, promptName, args) {
+		if (!(await this.listPrompts(server)).some((prompt) => prompt.name === promptName)) throw new CapletsError("PROMPT_NOT_FOUND", `Prompt ${promptName} was not found on ${server.server}`);
+		const connection = await this.connect(server);
+		try {
+			return await connection.client.getPrompt({
+				name: promptName,
+				arguments: stringifyPromptArgs(args)
+			}, { timeout: server.callTimeoutMs });
+		} catch (error) {
+			throw new CapletsError("DOWNSTREAM_PROMPT_ERROR", `Downstream prompt failed for ${server.server}/${promptName}`, toSafeError(error));
+		}
+	}
+	async complete(server, request) {
+		const connection = await this.assertCapability(server, "completions");
+		const params = {
+			ref: request.ref.type === "prompt" ? {
+				type: "ref/prompt",
+				name: request.ref.name
+			} : {
+				type: "ref/resource",
+				uri: request.ref.uri
+			},
+			argument: request.argument
+		};
+		try {
+			return await connection.client.complete(params, { timeout: server.callTimeoutMs });
+		} catch (error) {
+			throw new CapletsError("DOWNSTREAM_COMPLETION_ERROR", `Downstream completion failed for ${server.server}`, toSafeError(error));
+		}
+	}
 	compact(server, tool) {
 		return {
 			id: server.server,
@@ -31193,9 +31570,75 @@ var DownstreamManager = class {
 			hasOutputSchema: Boolean(tool.outputSchema)
 		};
 	}
+	compactResource(server, resource) {
+		return {
+			id: server.server,
+			kind: "resource",
+			uri: resource.uri,
+			...resource.name ? { name: resource.name } : {},
+			...resource.description ? { description: resource.description } : {},
+			...resource.mimeType ? { mimeType: resource.mimeType } : {},
+			...typeof resource.size === "number" ? { size: resource.size } : {}
+		};
+	}
+	compactResourceTemplate(server, template) {
+		return {
+			id: server.server,
+			kind: "resourceTemplate",
+			uriTemplate: template.uriTemplate,
+			...template.name ? { name: template.name } : {},
+			...template.description ? { description: template.description } : {},
+			...template.mimeType ? { mimeType: template.mimeType } : {}
+		};
+	}
+	compactPrompt(server, prompt) {
+		return {
+			id: server.server,
+			prompt: prompt.name,
+			...prompt.description ? { description: prompt.description } : {},
+			...prompt.arguments ? { arguments: prompt.arguments } : {}
+		};
+	}
+	searchResources(server, resources, query, limit) {
+		const lower = query.toLocaleLowerCase();
+		return resources.map((resource) => this.compactResource(server, resource)).filter((resource) => [
+			resource.uri,
+			resource.name,
+			resource.description,
+			resource.mimeType
+		].some((value) => value?.toLocaleLowerCase().includes(lower))).slice(0, limit);
+	}
+	searchResourceTemplates(server, templates, query, limit) {
+		const lower = query.toLocaleLowerCase();
+		return templates.map((template) => this.compactResourceTemplate(server, template)).filter((template) => [
+			template.uriTemplate,
+			template.name,
+			template.description,
+			template.mimeType
+		].some((value) => value?.toLocaleLowerCase().includes(lower))).slice(0, limit);
+	}
+	searchPrompts(server, prompts, query, limit) {
+		const lower = query.toLocaleLowerCase();
+		return prompts.map((prompt) => this.compactPrompt(server, prompt)).filter((prompt) => [
+			prompt.prompt,
+			prompt.description,
+			...(prompt.arguments ?? []).flatMap((arg) => [arg.name, arg.description])
+		].some((value) => value?.toLocaleLowerCase().includes(lower))).slice(0, limit);
+	}
 	search(server, tools, query, limit) {
 		return searchToolList(tools, query, limit, (tool) => this.compact(server, tool));
 	}
+	async assertCapability(server, capability) {
+		const connection = await this.connect(server);
+		if (!connection.client.getServerCapabilities()?.[capability]) throw new CapletsError("UNSUPPORTED_CAPABILITY", `${server.server} does not advertise MCP ${capability}`, {
+			server: server.server,
+			capability
+		});
+		return connection;
+	}
+	isCacheFresh(fetchedAt, ttlMs) {
+		return fetchedAt !== void 0 && ttlMs > 0 && Date.now() - fetchedAt <= ttlMs;
+	}
 	async refreshTools(server, force) {
 		const connection = await this.connect(server);
 		const now = Date.now();
@@ -31239,6 +31682,20 @@ var DownstreamManager = class {
 				transport,
 				configFingerprint: expectedFingerprint
 			};
+			client.setNotificationHandler(ToolListChangedNotificationSchema, () => {
+				connection.tools = void 0;
+				connection.toolsFetchedAt = void 0;
+			});
+			client.setNotificationHandler(ResourceListChangedNotificationSchema, () => {
+				connection.resources = void 0;
+				connection.resourcesFetchedAt = void 0;
+				connection.resourceTemplates = void 0;
+				connection.resourceTemplatesFetchedAt = void 0;
+			});
+			client.setNotificationHandler(PromptListChangedNotificationSchema, () => {
+				connection.prompts = void 0;
+				connection.promptsFetchedAt = void 0;
+			});
 			pendingConnection = connection;
 			this.connecting.set(server.server, connection);
 			transport.onclose = () => {
@@ -31369,6 +31826,18 @@ function nearbyToolNames(tools, needle) {
 function isTimeoutLike(error) {
 	return error instanceof Error && /timeout|timed out|aborted/i.test(error.message);
 }
+function stringifyPromptArgs(args) {
+	const stringified = {};
+	for (const [key, value] of Object.entries(args)) {
+		if (typeof value === "string") {
+			stringified[key] = value;
+			continue;
+		}
+		const serialized = JSON.stringify(value);
+		if (typeof serialized === "string") stringified[key] = serialized;
+	}
+	return stringified;
+}
 function isAuthRemediationError(error) {
 	return error instanceof CapletsError && (error.code === "AUTH_REQUIRED" || error.code === "AUTH_FAILED");
 }
@@ -56230,7 +56699,7 @@ function capabilityDescription(server) {
 	return [
 		`${server.name} Caplet.`,
 		server.description,
-		"Use get_caplet for details when needed; use search_tools or list_tools to discover downstream operations."
+		server.backend === "mcp" ? "Use get_caplet for details when needed; use tools for actions, resources for readable context, prompts for reusable workflows, and complete for prompt/resource-template arguments." : "Use get_caplet for details when needed; use search_tools or list_tools to discover downstream operations."
 	].filter(Boolean).join(" ");
 }
 var ServerRegistry = class {
@@ -56446,17 +56915,9 @@ function cloneJsonValue(value) {
 function throwInvalid(message) {
 	throw new CapletsError("REQUEST_INVALID", message);
 }
-const generatedToolInputSchema = object$1({
-	operation: _enum(operations).describe(generatedToolInputDescriptions.operation),
-	query: string().optional().describe(generatedToolInputDescriptions.query),
-	limit: number$1().int().positive().optional().describe(generatedToolInputDescriptions.limit),
-	tool: string().optional().describe(generatedToolInputDescriptions.tool),
-	arguments: record(string(), unknown()).optional().describe(generatedToolInputDescriptions.arguments),
-	fields: array(string().min(1)).min(1).optional().describe(generatedToolInputDescriptions.fields)
-}).strict();
 async function handleServerTool(server, request, registry, downstream, openapi, graphql, http, cli, caplets) {
 	const startedAt = Date.now();
-	const parsed = validateOperationRequest(request, registry.config.options.maxSearchLimit);
+	const parsed = validateOperationRequest(request, registry.config.options.maxSearchLimit, server.backend);
 	switch (parsed.operation) {
 		case "get_caplet": return jsonResult(registry.detail(server), metadataFor(server, "get_caplet", void 0, startedAt));
 		case "check_backend": return jsonResult(await backendFor(server, downstream, openapi, graphql, http, cli, caplets).check(server), metadataFor(server, "check_backend", void 0, startedAt));
@@ -56497,11 +56958,75 @@ async function handleServerTool(server, request, registry, downstream, openapi,
 			validateFieldSelection(tool.outputSchema, parsed.fields);
 			return annotateCallToolResult(projectCallToolResult(await backend.callTool(server, parsed.tool, parsed.arguments), tool.outputSchema, parsed.fields), metadataFor(server, "call_tool", parsed.tool, startedAt));
 		}
+		case "list_resources": {
+			const backend = mcpBackendFor(server, downstream);
+			const resources = await backend.listResources(server);
+			const templates = await backend.listResourceTemplates(server);
+			const limit = parsed.limit ?? resources.length + templates.length;
+			return jsonResult({
+				id: server.server,
+				name: server.name,
+				resources: resources.slice(0, limit).map((resource) => backend.compactResource(server, resource)),
+				resourceTemplates: templates.slice(0, Math.max(0, limit - resources.length)).map((template) => backend.compactResourceTemplate(server, template))
+			}, metadataFor(server, "list_resources", void 0, startedAt));
+		}
+		case "search_resources": {
+			const backend = mcpBackendFor(server, downstream);
+			const resources = await backend.listResources(server);
+			const templates = await backend.listResourceTemplates(server);
+			const limit = parsed.limit ?? registry.config.options.defaultSearchLimit;
+			const resourceMatches = backend.searchResources(server, resources, parsed.query, limit);
+			const templateMatches = backend.searchResourceTemplates(server, templates, parsed.query, Math.max(0, limit - resourceMatches.length));
+			return jsonResult({
+				id: server.server,
+				name: server.name,
+				query: parsed.query,
+				matches: [...resourceMatches, ...templateMatches]
+			}, metadataFor(server, "search_resources", void 0, startedAt));
+		}
+		case "list_resource_templates": {
+			const backend = mcpBackendFor(server, downstream);
+			const templates = await backend.listResourceTemplates(server);
+			const limit = parsed.limit ?? templates.length;
+			return jsonResult({
+				id: server.server,
+				name: server.name,
+				resourceTemplates: templates.slice(0, limit).map((template) => backend.compactResourceTemplate(server, template))
+			}, metadataFor(server, "list_resource_templates", void 0, startedAt));
+		}
+		case "read_resource": return annotateMcpResult(await mcpBackendFor(server, downstream).readResource(server, parsed.uri), metadataFor(server, "read_resource", { uri: parsed.uri }, startedAt));
+		case "list_prompts": {
+			const backend = mcpBackendFor(server, downstream);
+			const prompts = await backend.listPrompts(server);
+			const limit = parsed.limit ?? prompts.length;
+			return jsonResult({
+				id: server.server,
+				name: server.name,
+				prompts: prompts.slice(0, limit).map((prompt) => backend.compactPrompt(server, prompt))
+			}, metadataFor(server, "list_prompts", void 0, startedAt));
+		}
+		case "search_prompts": {
+			const backend = mcpBackendFor(server, downstream);
+			const prompts = await backend.listPrompts(server);
+			const limit = parsed.limit ?? registry.config.options.defaultSearchLimit;
+			return jsonResult({
+				id: server.server,
+				name: server.name,
+				query: parsed.query,
+				prompts: backend.searchPrompts(server, prompts, parsed.query, limit)
+			}, metadataFor(server, "search_prompts", void 0, startedAt));
+		}
+		case "get_prompt": return annotateMcpResult(await mcpBackendFor(server, downstream).getPrompt(server, parsed.prompt, parsed.arguments), metadataFor(server, "get_prompt", { prompt: parsed.prompt }, startedAt));
+		case "complete": return annotateMcpResult(await mcpBackendFor(server, downstream).complete(server, {
+			ref: parsed.ref,
+			argument: parsed.argument
+		}), metadataFor(server, "complete", void 0, startedAt));
 	}
 }
-function validateOperationRequest(request, maxSearchLimit) {
-	if (request && typeof request === "object" && "operation" in request && typeof request.operation === "string" && !operations.includes(request.operation)) throw new CapletsError("UNKNOWN_OPERATION", `Unknown operation: ${request.operation}`);
-	const result = generatedToolInputSchema.safeParse(request);
+function validateOperationRequest(request, maxSearchLimit, backend = "tool") {
+	const result = generatedToolInputSchemaForCaplet({ backend }).safeParse(request);
+	if (request && typeof request === "object" && "operation" in request && typeof request.operation === "string" && !mcpOperations.includes(request.operation)) throw new CapletsError("UNKNOWN_OPERATION", `Unknown operation: ${request.operation}`);
+	if (request && typeof request === "object" && "operation" in request && typeof request.operation === "string" && backend !== "mcp" && mcpOperations.includes(request.operation) && !operations.includes(request.operation)) throw new CapletsError("UNSUPPORTED_OPERATION", `${request.operation} is only available for MCP-backed Caplets`);
 	if (!result.success) throw new CapletsError("REQUEST_INVALID", "Generated server tool request is invalid", result.error.issues);
 	const value = result.data;
 	const keys = Object.keys(value).sort();
@@ -56548,7 +57073,7 @@ function validateOperationRequest(request, maxSearchLimit) {
 				"fields"
 			]);
 			if (!value.tool) throw new CapletsError("REQUEST_INVALID", "call_tool requires tool");
-			if (!isPlainObject$8(value.arguments)) throw new CapletsError("REQUEST_INVALID", "call_tool.arguments must be a JSON object");
+			if (!isPlainObject$7(value.arguments)) throw new CapletsError("REQUEST_INVALID", "call_tool.arguments must be a JSON object");
 			return value.fields === void 0 ? {
 				operation: "call_tool",
 				tool: value.tool,
@@ -56559,23 +57084,82 @@ function validateOperationRequest(request, maxSearchLimit) {
 				arguments: value.arguments,
 				fields: value.fields
 			};
+		case "list_resources":
+		case "list_resource_templates":
+		case "list_prompts":
+			allowed(["limit"]);
+			if (value.limit !== void 0 && value.limit > maxSearchLimit) throw new CapletsError("REQUEST_INVALID", `${value.operation} limit must be <= ${maxSearchLimit}`);
+			return value.limit === void 0 ? { operation: value.operation } : {
+				operation: value.operation,
+				limit: value.limit
+			};
+		case "search_resources":
+		case "search_prompts":
+			allowed(["query", "limit"]);
+			if (!value.query) throw new CapletsError("REQUEST_INVALID", `${value.operation} requires query`);
+			if (value.limit !== void 0 && value.limit > maxSearchLimit) throw new CapletsError("REQUEST_INVALID", `${value.operation} limit must be <= ${maxSearchLimit}`);
+			return value.limit === void 0 ? {
+				operation: value.operation,
+				query: value.query
+			} : {
+				operation: value.operation,
+				query: value.query,
+				limit: value.limit
+			};
+		case "read_resource":
+			allowed(["uri"]);
+			if (!value.uri) throw new CapletsError("REQUEST_INVALID", "read_resource requires uri");
+			return {
+				operation: "read_resource",
+				uri: value.uri
+			};
+		case "get_prompt":
+			allowed(["prompt", "arguments"]);
+			if (!value.prompt) throw new CapletsError("REQUEST_INVALID", "get_prompt requires prompt");
+			if (value.arguments !== void 0 && !isPlainObject$7(value.arguments)) throw new CapletsError("REQUEST_INVALID", "get_prompt.arguments must be a JSON object");
+			return {
+				operation: "get_prompt",
+				prompt: value.prompt,
+				arguments: value.arguments ?? {}
+			};
+		case "complete":
+			allowed(["ref", "argument"]);
+			if (!value.ref) throw new CapletsError("REQUEST_INVALID", "complete requires ref");
+			if (!value.argument) throw new CapletsError("REQUEST_INVALID", "complete requires argument");
+			return {
+				operation: "complete",
+				ref: value.ref,
+				argument: value.argument
+			};
 	}
-	return assertNever(value.operation);
+	throw new CapletsError("INTERNAL_ERROR", "Unhandled operation");
 }
-function assertNever(value) {
-	throw new CapletsError("INTERNAL_ERROR", `Unhandled operation: ${String(value)}`);
+function mcpBackendFor(server, downstream) {
+	if (server.backend !== "mcp") throw new CapletsError("UNSUPPORTED_OPERATION", "MCP resource, prompt, and completion operations require an MCP-backed Caplet");
+	return downstream;
 }
-function metadataFor(server, operation, tool, startedAt) {
+function metadataFor(server, operation, target, startedAt) {
+	const targetFields = typeof target === "string" ? { tool: target } : target ?? {};
 	return {
 		id: server.server,
 		name: server.name,
 		backend: server.backend,
 		operation,
-		...tool === void 0 ? {} : { tool },
+		...targetFields,
 		status: "ok",
 		...startedAt === void 0 ? {} : { elapsedMs: Date.now() - startedAt }
 	};
 }
+function annotateMcpResult(result, metadata) {
+	const existingMeta = result._meta;
+	return {
+		...result,
+		_meta: {
+			...isPlainObject$7(existingMeta) ? existingMeta : {},
+			caplets: metadata
+		}
+	};
+}
 function jsonResult(value, metadata) {
 	return {
 		content: [{
@@ -56599,7 +57183,7 @@ function annotateCallToolResult(result, metadata) {
 	return {
 		...result,
 		_meta: {
-			...isPlainObject$8(existingMeta) ? existingMeta : {},
+			...isPlainObject$7(existingMeta) ? existingMeta : {},
 			caplets: annotatedMetadata
 		}
 	};
@@ -56607,7 +57191,7 @@ function annotateCallToolResult(result, metadata) {
 function projectCallToolResult(result, outputSchema, fields) {
 	if (result.isError === true) return result;
 	const structuredContent = result.structuredContent;
-	if (!isPlainObject$8(structuredContent)) throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "Field selection requires the downstream tool to return object structuredContent");
+	if (!isPlainObject$7(structuredContent)) throw new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "Field selection requires the downstream tool to return object structuredContent");
 	const projected = projectStructuredContent(structuredContent, outputSchema, fields);
 	return {
 		...result,
@@ -56616,11 +57200,11 @@ function projectCallToolResult(result, outputSchema, fields) {
 	};
 }
 function extractArtifacts(result) {
-	if (!isPlainObject$8(result) || !Array.isArray(result.content)) return [];
+	if (!isPlainObject$7(result) || !Array.isArray(result.content)) return [];
 	const artifacts = [];
 	const seen = /* @__PURE__ */ new Set();
 	for (const item of result.content) {
-		if (!isPlainObject$8(item) || item.type !== "text" || typeof item.text !== "string") continue;
+		if (!isPlainObject$7(item) || item.type !== "text" || typeof item.text !== "string") continue;
 		const text = item.text;
 		for (const link of parseMarkdownLinks(text)) {
 			const label = link.label;
@@ -56735,7 +57319,7 @@ function artifactKindFromText(text) {
 	if (/network[-_ ]?(?:log)?|har\b/.test(text)) return "network-log";
 	return "file";
 }
-function isPlainObject$8(value) {
+function isPlainObject$7(value) {
 	return Boolean(value) && typeof value === "object" && !Array.isArray(value);
 }
 function backendFor(server, downstream, openapi, graphql, http, cli, caplets) {
@@ -57043,6 +57627,38 @@ var CapletsEngine = class {
 			return errorResult(error);
 		}
 	}
+	async completeCliWords(words) {
+		const { completeCliWords } = await Promise.resolve().then(() => completion_CxGG6ae3_exports).then((n) => n.r);
+		return await completeCliWords(words, {
+			config: this.registry.config,
+			managers: {
+				listTools: async (server) => this.listCompletionTools(server),
+				listPrompts: async (server) => {
+					if (server.backend !== "mcp") return [];
+					return (await this.downstream.listPrompts(server)).map((prompt) => ({
+						name: prompt.name,
+						...prompt.description ? { description: prompt.description } : {}
+					}));
+				},
+				listResources: async (server) => {
+					if (server.backend !== "mcp") return [];
+					return (await this.downstream.listResources(server)).map((resource) => ({
+						uri: resource.uri,
+						...resource.name ? { name: resource.name } : {},
+						...resource.description ? { description: resource.description } : {}
+					}));
+				},
+				listResourceTemplates: async (server) => {
+					if (server.backend !== "mcp") return [];
+					return (await this.downstream.listResourceTemplates(server)).map((template) => ({
+						uriTemplate: template.uriTemplate,
+						...template.name ? { name: template.name } : {},
+						...template.description ? { description: template.description } : {}
+					}));
+				}
+			}
+		});
+	}
 	async close() {
 		this.closed = true;
 		try {
@@ -57062,6 +57678,12 @@ var CapletsEngine = class {
 			this.reloadListeners.clear();
 		}
 	}
+	async listCompletionTools(server) {
+		return (server.backend === "mcp" ? await this.downstream.listTools(server) : server.backend === "openapi" ? await this.openapi.listTools(server) : server.backend === "graphql" ? await this.graphql.listTools(server) : server.backend === "http" ? await this.http.listTools(server) : server.backend === "cli" ? await this.cli.listTools(server) : await this.capletSets.listTools(server)).map((tool) => ({
+			name: tool.name,
+			...tool.description ? { description: tool.description } : {}
+		}));
+	}
 	async reloadOnce() {
 		if (this.closed) return false;
 		let nextConfig;
@@ -57259,6 +57881,649 @@ function isDirectory(path) {
 		return false;
 	}
 }
+const DEFAULT_SERVER_USER = "caplets";
+function resolveCapletsMode(input = {}, env = process.env) {
+	const mode = parseCapletsMode(input.mode ?? env.CAPLETS_MODE ?? "auto");
+	if (mode === "local") return { mode: "local" };
+	const rawUrl = nonEmpty$1(input.serverUrl, "serverUrl") ?? nonEmpty$1(env.CAPLETS_SERVER_URL, "CAPLETS_SERVER_URL");
+	if (mode === "remote") {
+		if (rawUrl === void 0) throw new CapletsError("REQUEST_INVALID", "CAPLETS_MODE=remote requires CAPLETS_SERVER_URL or serverUrl.");
+		return { mode: "remote" };
+	}
+	return rawUrl === void 0 ? { mode: "local" } : { mode: "remote" };
+}
+function resolveCapletsServer(input = {}, env = process.env) {
+	const rawUrl = nonEmpty$1(input.url, "url") ?? nonEmpty$1(env.CAPLETS_SERVER_URL, "CAPLETS_SERVER_URL");
+	if (rawUrl === void 0) throw new CapletsError("REQUEST_INVALID", "CAPLETS_SERVER_URL or url is required.");
+	const baseUrl = parseServerBaseUrl(rawUrl);
+	const userWasExplicit = input.user !== void 0 || hasEnv$1(env.CAPLETS_SERVER_USER);
+	const user = nonEmpty$1(input.user, "user") ?? nonEmpty$1(env.CAPLETS_SERVER_USER, "CAPLETS_SERVER_USER") ?? DEFAULT_SERVER_USER;
+	const password = nonEmpty$1(input.password, "password") ?? nonEmpty$1(env.CAPLETS_SERVER_PASSWORD, "CAPLETS_SERVER_PASSWORD");
+	if (userWasExplicit && password === void 0) throw new CapletsError("REQUEST_INVALID", "Caplets server Basic Auth requires a password; set CAPLETS_SERVER_PASSWORD or password.");
+	const auth = password === void 0 ? {
+		enabled: false,
+		user
+	} : {
+		enabled: true,
+		user,
+		password
+	};
+	const requestInit = auth.enabled ? { headers: { Authorization: basicAuthHeader(auth.user, auth.password) } } : {};
+	return {
+		baseUrl,
+		mcpUrl: mcpUrlForBase(baseUrl),
+		controlUrl: controlUrlForBase(baseUrl),
+		healthUrl: healthUrlForBase(baseUrl),
+		auth,
+		requestInit,
+		...input.fetch ? { fetch: input.fetch } : {}
+	};
+}
+function mcpUrlForBase(baseUrl) {
+	return appendBasePath(baseUrl, "mcp");
+}
+function controlUrlForBase(baseUrl) {
+	return appendBasePath(baseUrl, "control");
+}
+function healthUrlForBase(baseUrl) {
+	return appendBasePath(baseUrl, "healthz");
+}
+function appendBasePath(baseUrl, path) {
+	const url = new URL(baseUrl.href);
+	url.pathname = `${url.pathname === "/" ? "" : url.pathname}/${path}`;
+	return url;
+}
+function parseServerBaseUrl(value) {
+	let url;
+	try {
+		url = new URL(value);
+	} catch {
+		throw new CapletsError("REQUEST_INVALID", "Invalid Caplets server URL.");
+	}
+	if (url.username !== "" || url.password !== "" || url.search !== "" || url.hash !== "") throw new CapletsError("REQUEST_INVALID", "Caplets server URL must not include username, password, query string, or fragment.");
+	if (url.protocol !== "https:" && !(url.protocol === "http:" && isLoopbackHost$1(url.hostname))) throw new CapletsError("REQUEST_INVALID", "Caplets server URL must use https except loopback development URLs.");
+	url.pathname = url.pathname === "/" ? "/" : url.pathname.replace(/\/+$/u, "");
+	return url;
+}
+function isLoopbackHost$1(host) {
+	const normalized = host.toLocaleLowerCase();
+	return normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1" || normalized === "[::1]";
+}
+function parseCapletsMode(value) {
+	if (value === "auto" || value === "local" || value === "remote") return value;
+	throw new CapletsError("REQUEST_INVALID", `Expected CAPLETS_MODE to be auto, local, or remote, got ${value}`);
+}
+function basicAuthHeader(user, password) {
+	return `Basic ${Buffer$1.from(`${user}:${password}`).toString("base64")}`;
+}
+function nonEmpty$1(value, label) {
+	if (value === void 0) return;
+	const trimmed = value.trim();
+	if (!trimmed) throw new CapletsError("REQUEST_INVALID", `${label} must not be empty`);
+	return trimmed;
+}
+function hasEnv$1(value) {
+	return value !== void 0 && value.trim() !== "";
+}
+//#endregion
+//#region ../core/dist/completion-CxGG6ae3.js
+var completion_CxGG6ae3_exports = /* @__PURE__ */ __exportAll$1({
+	a: () => formatCapletList,
+	c: () => resolveCliConfigPaths,
+	i: () => trailingSpaceCompletionToken,
+	l: () => cliCommands,
+	n: () => completionScript,
+	o: () => formatConfigPaths,
+	r: () => completion_exports,
+	s: () => listCaplets,
+	t: () => completeCliWords,
+	u: () => completionShells
+});
+const completionShells = [
+	"bash",
+	"zsh",
+	"fish",
+	"powershell",
+	"cmd"
+];
+const cliCommands = {
+	completion: "completion",
+	completeHidden: "__complete",
+	serve: "serve",
+	init: "init",
+	list: "list",
+	install: "install",
+	add: "add",
+	getCaplet: "get-caplet",
+	checkBackend: "check-backend",
+	listTools: "list-tools",
+	searchTools: "search-tools",
+	getTool: "get-tool",
+	callTool: "call-tool",
+	listResources: "list-resources",
+	searchResources: "search-resources",
+	listResourceTemplates: "list-resource-templates",
+	readResource: "read-resource",
+	listPrompts: "list-prompts",
+	searchPrompts: "search-prompts",
+	getPrompt: "get-prompt",
+	complete: "complete",
+	config: "config",
+	auth: "auth"
+};
+const topLevelCommandNames = [
+	cliCommands.serve,
+	cliCommands.init,
+	cliCommands.list,
+	cliCommands.install,
+	cliCommands.add,
+	cliCommands.getCaplet,
+	cliCommands.checkBackend,
+	cliCommands.listTools,
+	cliCommands.searchTools,
+	cliCommands.getTool,
+	cliCommands.callTool,
+	cliCommands.listResources,
+	cliCommands.searchResources,
+	cliCommands.listResourceTemplates,
+	cliCommands.readResource,
+	cliCommands.listPrompts,
+	cliCommands.searchPrompts,
+	cliCommands.getPrompt,
+	cliCommands.complete,
+	cliCommands.config,
+	cliCommands.auth,
+	cliCommands.completion
+];
+const cliSubcommands = {
+	[cliCommands.add]: [
+		"cli",
+		"mcp",
+		"openapi",
+		"graphql",
+		"http"
+	],
+	[cliCommands.auth]: [
+		"login",
+		"logout",
+		"list"
+	],
+	[cliCommands.completion]: [...completionShells],
+	[cliCommands.config]: ["path", "paths"]
+};
+const capletIdCommands = new Set([
+	cliCommands.getCaplet,
+	cliCommands.checkBackend,
+	cliCommands.listTools,
+	cliCommands.searchTools,
+	cliCommands.listResources,
+	cliCommands.searchResources,
+	cliCommands.listResourceTemplates,
+	cliCommands.readResource,
+	cliCommands.listPrompts,
+	cliCommands.searchPrompts,
+	cliCommands.complete
+]);
+const qualifiedToolCommands = new Set([cliCommands.getTool, cliCommands.callTool]);
+const qualifiedPromptCommands = new Set([cliCommands.getPrompt]);
+function listCaplets(configWithSources, options) {
+	const { config, sources, shadows } = configWithSources;
+	return allCaplets(config).filter((server) => options.includeDisabled || !server.disabled).map((server) => ({
+		server: server.server,
+		backend: server.backend,
+		name: server.name,
+		description: server.description,
+		disabled: server.disabled,
+		status: initialServerStatus(server),
+		source: sources[server.server]?.kind ?? "unknown",
+		path: sources[server.server]?.path ?? null,
+		shadows: shadows[server.server] ?? []
+	})).sort((left, right) => left.server.localeCompare(right.server));
+}
+function initialServerStatus(server) {
+	return server.disabled ? "disabled" : "not_started";
+}
+function allCaplets(config) {
+	return [
+		...Object.values(config.mcpServers),
+		...Object.values(config.openapiEndpoints),
+		...Object.values(config.graphqlEndpoints),
+		...Object.values(config.httpApis),
+		...Object.values(config.cliTools)
+	];
+}
+function formatCapletList(rows, format = "plain") {
+	return format === "markdown" ? formatCapletListMarkdown(rows) : formatCapletListPlain(rows);
+}
+function formatCapletListMarkdown(rows) {
+	if (rows.length === 0) return "## Configured Caplets\n\nNo configured Caplets found.\n";
+	const heading = [
+		"## Configured Caplets",
+		"",
+		`${rows.length} ${rows.length === 1 ? "Caplet" : "Caplets"} shown.`,
+		""
+	];
+	const entries = rows.flatMap((row) => [
+		`- \`${row.server}\` — ${row.name}`,
+		`  - Backend: ${row.backend}`,
+		`  - Status: ${row.status}`,
+		`  - Source: ${row.source}`,
+		...row.disabled ? ["  - Disabled: true"] : [],
+		...row.path ? [`  - Path: ${row.path}`] : []
+	]);
+	const warnings = rows.flatMap((row) => row.shadows.map((shadow) => `Warning: ${formatSourceKind(row.source)} Caplet ${row.server} shadows ${formatSourceKind(shadow.kind)} Caplet at ${shadow.path}`));
+	if (warnings.length === 0) return `${[...heading, ...entries].join("\n")}\n`;
+	return `${[
+		...heading,
+		...entries,
+		"",
+		"Warnings:",
+		...warnings.map((warning) => `- ${warning}`)
+	].join("\n")}\n`;
+}
+function formatCapletListPlain(rows) {
+	if (rows.length === 0) return "No configured Caplets found.\n";
+	const entries = rows.map((row) => [
+		row.server,
+		`  Name: ${row.name}`,
+		`  Backend: ${row.backend}`,
+		`  Status: ${row.status}`,
+		`  Source: ${row.source}`,
+		...row.disabled ? ["  Disabled: true"] : [],
+		...row.path ? [`  Path: ${row.path}`] : []
+	].join("\n")).join("\n\n");
+	const warnings = rows.flatMap((row) => row.shadows.map((shadow) => `Warning: ${formatSourceKind(row.source)} Caplet ${row.server} shadows ${formatSourceKind(shadow.kind)} Caplet at ${shadow.path}`));
+	if (warnings.length === 0) return `Configured Caplets (${rows.length})\n\n${entries}\n`;
+	return `Configured Caplets (${rows.length})\n\n${entries}\n\n${warnings.join("\n")}\n`;
+}
+function formatSourceKind(kind) {
+	if (kind.startsWith("project")) return "project";
+	if (kind.startsWith("global")) return "global";
+	return kind;
+}
+function resolveCliConfigPaths(envConfigPath, authDir) {
+	const configPath = resolveConfigPath(envConfigPath);
+	const effectiveAuthDir = authDir ?? DEFAULT_AUTH_DIR;
+	return {
+		userConfig: configPath,
+		projectConfig: resolveProjectConfigPath(),
+		userRoot: resolveCapletsRoot(configPath),
+		stateRoot: dirname(effectiveAuthDir),
+		projectRoot: resolveProjectCapletsRoot(),
+		authDir: effectiveAuthDir,
+		envConfig: envConfigPath ?? null
+	};
+}
+function formatConfigPaths(paths, format = "plain") {
+	if (format === "markdown") return formatConfigPathsMarkdown(paths);
+	return formatConfigPathsPlain(paths);
+}
+function formatConfigPathsMarkdown(paths) {
+	return [
+		"## Caplets paths",
+		"",
+		`- User config: ${paths.userConfig}`,
+		`- Project config: ${paths.projectConfig}`,
+		`- User Caplets root: ${paths.userRoot}`,
+		`- State root: ${paths.stateRoot}`,
+		`- Project Caplets root: ${paths.projectRoot}`,
+		`- Auth directory: ${paths.authDir}`,
+		`- CAPLETS_CONFIG: ${paths.envConfig ?? "unset"}`
+	].join("\n") + "\n";
+}
+function formatConfigPathsPlain(paths) {
+	return [
+		"Caplets paths",
+		"",
+		`User config: ${paths.userConfig}`,
+		`Project config: ${paths.projectConfig}`,
+		`User root: ${paths.userRoot}`,
+		`State root: ${paths.stateRoot}`,
+		`Project root: ${paths.projectRoot}`,
+		`Auth directory: ${paths.authDir}`,
+		`CAPLETS_CONFIG: ${paths.envConfig ?? "unset"}`
+	].join("\n") + "\n";
+}
+function completionCacheKey(input) {
+	return createHash("sha256").update(JSON.stringify(input)).digest("hex");
+}
+function readCompletionCacheEntry(cacheDir, key, now = Date.now()) {
+	try {
+		const parsed = JSON.parse(readFileSync(cachePath(cacheDir, key), "utf8"));
+		if (parsed.status === "positive" && Array.isArray(parsed.candidates)) return {
+			...parsed,
+			fresh: now <= parsed.expiresAt
+		};
+		if (parsed.status === "negative" && typeof parsed.reason === "string") return {
+			...parsed,
+			fresh: now <= parsed.expiresAt
+		};
+	} catch {
+		return;
+	}
+}
+function writeCompletionCacheEntry(cacheDir, key, entry) {
+	mkdirSync(cacheDir, { recursive: true });
+	const path = cachePath(cacheDir, key);
+	const tempPath = `${path}.${process.pid}.tmp`;
+	writeFileSync(tempPath, JSON.stringify(entry), { mode: 384 });
+	renameSync(tempPath, path);
+}
+function cachePath(cacheDir, key) {
+	return join(cacheDir, `${key}.json`);
+}
+async function discoverCompletionCandidates(serverId, kind, options) {
+	const server = enabledServer(serverId, options.config);
+	if (!server) return [];
+	const completion = options.completion ?? options.config.options.completion;
+	const now = options.now ?? Date.now();
+	const configCandidates = configDefinedCandidates(serverId, kind, options.config);
+	const cacheDir = options.cacheDir ?? DEFAULT_COMPLETION_CACHE_DIR;
+	const key = completionCacheKey({
+		server: server.server,
+		backend: server.backend,
+		kind,
+		fingerprint: completionFingerprint(server, kind, completion)
+	});
+	const cached = readCompletionCacheEntry(cacheDir, key, now);
+	if (cached?.status === "positive" && cached.fresh) return cached.candidates;
+	if (cached?.status === "negative" && cached.fresh) return cached.candidates ?? configCandidates;
+	try {
+		const live = await withTimeout(liveCandidates(server, kind, options.managers), Math.min(completion.discoveryTimeoutMs, completion.overallTimeoutMs));
+		const candidates = dedupeCandidates([...configCandidates, ...live]);
+		writeCompletionCacheEntry(cacheDir, key, {
+			status: "positive",
+			fetchedAt: now,
+			expiresAt: now + completion.cacheTtlMs,
+			candidates
+		});
+		return candidates;
+	} catch (error) {
+		writeCompletionCacheEntry(cacheDir, key, {
+			status: "negative",
+			fetchedAt: now,
+			expiresAt: now + completion.negativeCacheTtlMs,
+			reason: negativeReason(error),
+			...cached?.status === "positive" ? { candidates: cached.candidates } : {}
+		});
+		if (cached?.status === "positive") return cached.candidates;
+		return configCandidates;
+	}
+}
+function configDefinedCandidates(serverId, kind, config) {
+	if (kind !== "tools") return [];
+	const cli = config.cliTools[serverId];
+	if (cli && !cli.disabled) return Object.keys(cli.actions).map((name) => ({ value: `${serverId}.${name}` }));
+	const http = config.httpApis[serverId];
+	if (http && !http.disabled) return Object.keys(http.actions).map((name) => ({ value: `${serverId}.${name}` }));
+	const graphql = config.graphqlEndpoints[serverId];
+	if (graphql && !graphql.disabled && graphql.operations) return Object.keys(graphql.operations).map((name) => ({ value: `${serverId}.${name}` }));
+	return [];
+}
+async function liveCandidates(server, kind, managers) {
+	if (kind === "tools" && managers?.listTools) return (await managers.listTools(server)).map((tool) => ({
+		value: `${server.server}.${tool.name}`,
+		description: tool.description
+	}));
+	if (kind === "tools") return [];
+	if (server.backend !== "mcp") return [];
+	if (kind === "prompts" && managers?.listPrompts) return (await managers.listPrompts(server)).map((prompt) => ({
+		value: `${server.server}.${prompt.name}`,
+		description: prompt.description
+	}));
+	if (kind === "resources" && managers?.listResources) return (await managers.listResources(server)).map((resource) => ({
+		value: resource.uri,
+		label: resource.name,
+		description: resource.description
+	}));
+	if (kind === "resourceTemplates" && managers?.listResourceTemplates) return (await managers.listResourceTemplates(server)).map((template) => ({
+		value: template.uriTemplate,
+		label: template.name,
+		description: template.description
+	}));
+	throw new CapletsError("UNSUPPORTED_CAPABILITY", `Completion discovery is unsupported for ${kind}`);
+}
+function completionFingerprint(server, kind, completion) {
+	return JSON.stringify({
+		kind,
+		completion: {
+			discoveryTimeoutMs: completion.discoveryTimeoutMs,
+			cacheTtlMs: completion.cacheTtlMs,
+			negativeCacheTtlMs: completion.negativeCacheTtlMs
+		},
+		server: secretFreeServerShape(server)
+	});
+}
+function secretFreeServerShape(server) {
+	const base = {
+		server: server.server,
+		backend: server.backend,
+		name: server.name,
+		description: server.description,
+		tags: server.tags,
+		disabled: server.disabled
+	};
+	switch (server.backend) {
+		case "mcp": return {
+			...base,
+			transport: server.transport,
+			command: server.command,
+			args: server.args,
+			cwd: server.cwd,
+			url: server.url,
+			authType: server.auth?.type,
+			startupTimeoutMs: server.startupTimeoutMs,
+			callTimeoutMs: server.callTimeoutMs
+		};
+		case "openapi": return {
+			...base,
+			specPath: server.specPath,
+			specUrl: server.specUrl,
+			baseUrl: server.baseUrl,
+			authType: server.auth.type,
+			requestTimeoutMs: server.requestTimeoutMs
+		};
+		case "graphql": return {
+			...base,
+			endpointUrl: server.endpointUrl,
+			schemaPath: server.schemaPath,
+			schemaUrl: server.schemaUrl,
+			authType: server.auth.type,
+			operationNames: server.operations ? Object.keys(server.operations) : void 0
+		};
+		case "http": return {
+			...base,
+			baseUrl: server.baseUrl,
+			authType: server.auth.type,
+			actions: Object.fromEntries(Object.entries(server.actions).map(([name, action]) => [name, {
+				method: action.method,
+				path: action.path
+			}])),
+			requestTimeoutMs: server.requestTimeoutMs
+		};
+		case "cli": return {
+			...base,
+			cwd: server.cwd,
+			actions: Object.fromEntries(Object.entries(server.actions).map(([name, action]) => [name, {
+				command: action.command,
+				args: action.args,
+				cwd: action.cwd
+			}])),
+			timeoutMs: server.timeoutMs,
+			maxOutputBytes: server.maxOutputBytes
+		};
+		case "caplets": return {
+			...base,
+			configPath: server.configPath,
+			capletsRoot: server.capletsRoot,
+			defaultSearchLimit: server.defaultSearchLimit,
+			maxSearchLimit: server.maxSearchLimit
+		};
+	}
+}
+function negativeReason(error) {
+	if (error instanceof CapletsError) {
+		if (error.code === "AUTH_REQUIRED" || error.code === "AUTH_FAILED" || error.code === "AUTH_REFRESH_FAILED") return "auth_required";
+		if (error.code === "SERVER_UNAVAILABLE" || error.code === "SERVER_START_TIMEOUT") return "unavailable";
+		if (error.code === "UNSUPPORTED_CAPABILITY" || error.code === "UNSUPPORTED_OPERATION") return "unsupported";
+		if (error.code === "TOOL_CALL_TIMEOUT" || error.code === "DOWNSTREAM_COMPLETION_ERROR") return "timeout";
+	}
+	return error instanceof Error && error.message.includes("timeout") ? "timeout" : "error";
+}
+async function withTimeout(promise, timeoutMs) {
+	let timeout;
+	try {
+		return await Promise.race([promise, new Promise((_, reject) => {
+			timeout = setTimeout(() => reject(/* @__PURE__ */ new Error("completion discovery timeout")), timeoutMs);
+		})]);
+	} finally {
+		if (timeout) clearTimeout(timeout);
+	}
+}
+function enabledServer(serverId, config) {
+	const server = config.mcpServers[serverId] ?? config.openapiEndpoints[serverId] ?? config.graphqlEndpoints[serverId] ?? config.httpApis[serverId] ?? config.cliTools[serverId] ?? config.capletSets[serverId];
+	return server && !server.disabled ? server : void 0;
+}
+function dedupeCandidates(candidates) {
+	const seen = /* @__PURE__ */ new Set();
+	return candidates.filter((candidate) => {
+		if (seen.has(candidate.value)) return false;
+		seen.add(candidate.value);
+		return true;
+	});
+}
+var completion_exports = /* @__PURE__ */ __exportAll({
+	completeCliWords: () => completeCliWords,
+	completionScript: () => completionScript,
+	trailingSpaceCompletionToken: () => trailingSpaceCompletionToken
+});
+const trailingSpaceCompletionToken = "__CAPLETS_TRAILING_SPACE__";
+const optionValueSuggestions = {
+	"*": { "--format": [
+		"markdown",
+		"md",
+		"plain",
+		"json"
+	] },
+	serve: { "--transport": ["stdio", "http"] },
+	"add:mcp": { "--transport": ["http", "sse"] },
+	"add:cli": { "--include": [
+		"git",
+		"gh",
+		"package"
+	] }
+};
+function completionScript(shell) {
+	switch (shell) {
+		case "bash": return bashCompletionScript();
+		case "zsh": return zshCompletionScript();
+		case "fish": return fishCompletionScript();
+		case "powershell": return powershellCompletionScript();
+		case "cmd": return cmdCompletionScript();
+		default: throw new CapletsError("REQUEST_INVALID", "completion shell must be bash, zsh, fish, powershell, or cmd");
+	}
+}
+async function completeCliWords(words, options = {}) {
+	try {
+		const normalized = words.length === 0 ? [""] : words;
+		const current = normalized.at(-1) ?? "";
+		const previous = normalized.at(-2);
+		const command = normalized[0] ?? "";
+		const subcommand = normalized[1] ?? "";
+		if (command === cliCommands.complete && previous === "--prompt" && subcommand) return prefixFilter((await discoverCompletionCandidates(subcommand, "prompts", discoveryOptions(options))).map((candidate) => candidate.value.replace(`${subcommand}.`, "")), current);
+		if (command === cliCommands.complete && previous === "--resource-template" && subcommand) return prefixFilter((await discoverCompletionCandidates(subcommand, "resourceTemplates", discoveryOptions(options))).map((candidate) => candidate.value), current);
+		const optionValues = suggestionsForOptionValue(command, subcommand, previous);
+		if (optionValues) return prefixFilter(optionValues, current);
+		if (normalized.length === 1) return prefixFilter([...topLevelCommandNames], current);
+		if (normalized.length === 2 && command in cliSubcommands) return prefixFilter(cliSubcommands[command], current);
+		if (normalized.length === 2 && capletIdCommands.has(command)) return prefixFilter(promptResourceCommands.has(command) ? configuredCapletIds(options, { backend: "mcp" }) : configuredCapletIds(options), current);
+		if (normalized.length === 2 && (qualifiedToolCommands.has(command) || qualifiedPromptCommands.has(command))) {
+			if (current.includes(".")) return prefixFilter((await discoverCompletionCandidates(current.slice(0, current.indexOf(".")), qualifiedToolCommands.has(command) ? "tools" : "prompts", discoveryOptions(options))).map((candidate) => candidate.value), current);
+			return prefixFilter(configuredCapletIds(options, qualifiedPromptCommands.has(command) ? { backend: "mcp" } : void 0).map((id) => `${id}.`), current);
+		}
+		if (command === cliCommands.readResource && normalized.length === 3) return prefixFilter((await discoverCompletionCandidates(subcommand, "resources", discoveryOptions(options))).map((candidate) => candidate.value), current);
+		if (command === cliCommands.auth && ["login", "logout"].includes(subcommand) && normalized.length === 3) return prefixFilter(configuredCapletIds(options), current);
+		return [];
+	} catch {
+		return [];
+	}
+}
+function suggestionsForOptionValue(command, subcommand, previous) {
+	if (!previous) return void 0;
+	return optionValueSuggestions[`${command}:${subcommand}`]?.[previous] ?? optionValueSuggestions[command]?.[previous] ?? optionValueSuggestions["*"]?.[previous];
+}
+const promptResourceCommands = new Set([
+	cliCommands.getPrompt,
+	cliCommands.readResource,
+	cliCommands.complete
+]);
+function configuredCapletIds(options, filter = {}) {
+	return listCaplets(options.config ? {
+		config: options.config,
+		sources: {},
+		shadows: {}
+	} : loadConfigWithSources(options.configPath, options.projectConfigPath), { includeDisabled: false }).filter((row) => !filter.backend || row.backend === filter.backend).map((row) => row.server);
+}
+function discoveryOptions(options) {
+	return {
+		config: options.config ?? loadConfigWithSources(options.configPath, options.projectConfigPath).config,
+		completion: options.completion,
+		cacheDir: options.cacheDir,
+		managers: options.managers
+	};
+}
+function prefixFilter(values, prefix) {
+	return values.filter((value) => value.startsWith(prefix));
+}
+function bashCompletionScript() {
+	return `# caplets bash completion
+_caplets_completions() {
+  local IFS=$'\n'
+  COMPREPLY=( $(caplets __complete --shell bash -- "\${COMP_WORDS[@]:1}" 2>/dev/null) )
+}
+complete -o default -F _caplets_completions caplets
+`;
+}
+function zshCompletionScript() {
+	return `#compdef caplets
+_caplets() {
+  local -a suggestions
+  suggestions=("\${(@f)$(caplets __complete --shell zsh -- "\${words[@]:1}" 2>/dev/null)}")
+  compadd -- $suggestions
+}
+_caplets "$@"
+`;
+}
+function fishCompletionScript() {
+	return `# caplets fish completion
+function __caplets_complete
+  set -l tokens (commandline -opc)
+  set -l current (commandline -ct)
+  caplets __complete --shell fish -- $tokens[2..-1] $current 2>/dev/null
+end
+complete -c caplets -f -a '(__caplets_complete)'
+`;
+}
+function powershellCompletionScript() {
+	return `# caplets PowerShell completion
+Register-ArgumentCompleter -Native -CommandName caplets -ScriptBlock {
+  param($wordToComplete, $commandAst, $cursorPosition)
+  $tokens = @($commandAst.CommandElements | Select-Object -Skip 1 | ForEach-Object { $_.ToString() })
+  if ($tokens.Count -eq 0 -or $commandAst.Extent.Text.EndsWith(' ')) { $tokens += '${trailingSpaceCompletionToken}' }
+  caplets __complete --shell powershell -- @tokens 2>$null | ForEach-Object {
+    [System.Management.Automation.CompletionResult]::new($_, $_, 'ParameterValue', $_)
+  }
+}
+`;
+}
+function cmdCompletionScript() {
+	return `@echo off
+REM caplets cmd completion helper
+REM cmd.exe has no native programmable completion API. This doskey macro prints suggestions for the current words.
+doskey caplets-complete=caplets __complete --shell cmd -- $* 2^>nul
+REM Usage: caplets-complete get-caplet 
+`;
+}
 //#endregion
 //#region ../core/dist/index.js
 /**
@@ -58557,7 +59822,7 @@ const EMPTY_COMPLETION_RESULT = { completion: {
 	values: [],
 	hasMore: false
 } };
-var version$1 = "0.16.0";
+var version$1 = "0.18.0";
 var CapletsMcpSession = class {
 	engine;
 	server;
@@ -58599,6 +59864,7 @@ var CapletsMcpSession = class {
 			if (!previousCaplet || serializeCaplet(previousCaplet) !== serializeCaplet(caplet)) tool.update({
 				title: caplet.name,
 				description: capabilityDescription(caplet),
+				paramsSchema: generatedToolInputSchemaForCaplet(caplet).shape,
 				callback: async (request) => this.handleTool(serverId, request),
 				enabled: true
 			});
@@ -58612,7 +59878,7 @@ var CapletsMcpSession = class {
 		return this.server.registerTool(caplet.server, {
 			title: caplet.name,
 			description: capabilityDescription(caplet),
-			inputSchema: generatedToolInputSchema
+			inputSchema: generatedToolInputSchemaForCaplet(caplet).shape
 		}, async (request) => this.handleTool(caplet.server, request));
 	}
 	async handleTool(serverId, request) {
@@ -62090,49 +63356,56 @@ async function loginAuth(serverId, options) {
 	}
 }
 function logoutAuth(serverId, options) {
-	assertLoginTarget(findAuthTarget(serverId, loadConfig(options.configPath)), serverId);
-	if (deleteTokenBundle(serverId, options.authDir)) options.writeOut(`Deleted OAuth credentials for \`${serverId}\`.\n`);
+	if (logoutAuthResult(serverId, options).deleted) options.writeOut(`Deleted OAuth credentials for \`${serverId}\`.\n`);
 	else options.writeOut(`No OAuth credentials found for \`${serverId}\`.\n`);
 }
+function logoutAuthResult(serverId, options) {
+	assertLoginTarget(findAuthTarget(serverId, loadConfig(options.configPath)), serverId);
+	return {
+		server: serverId,
+		deleted: deleteTokenBundle(serverId, options.authDir)
+	};
+}
 function listAuth(options) {
-	const servers = authTargets(loadConfig(options.configPath)).sort((left, right) => left.server.localeCompare(right.server));
+	const rows = listAuthRows(options);
 	const format = options.format ?? "plain";
 	if (format === "json") {
-		const rows = servers.map((server) => {
-			const bundle = readTokenBundle(server.server, options.authDir);
-			const status = !bundle ? "missing" : isTokenBundleExpired(bundle) ? "expired" : "authenticated";
-			return {
-				server: server.server,
-				status,
-				...bundle?.expiresAt ? { expiresAt: bundle.expiresAt } : {},
-				...bundle?.scope ? { scope: bundle.scope } : {}
-			};
-		});
 		options.writeOut(`${JSON.stringify(rows, null, 2)}\n`);
 		return;
 	}
-	if (servers.length === 0) {
-		options.writeOut(format === "markdown" ? "## OAuth credentials\n\nNo configured remote OAuth servers found.\n" : "No configured remote OAuth servers found.\n");
-		return;
-	}
-	if (format === "markdown") options.writeOut("## OAuth credentials\n\n");
-	else options.writeOut("OAuth credentials\n\n");
-	for (const server of servers) {
+	options.writeOut(formatAuthRows(rows, format));
+}
+function listAuthRows(options) {
+	return authTargets(loadConfig(options.configPath)).sort((left, right) => left.server.localeCompare(right.server)).map((server) => {
 		const bundle = readTokenBundle(server.server, options.authDir);
 		const status = !bundle ? "missing" : isTokenBundleExpired(bundle) ? "expired" : "authenticated";
-		const details = [bundle?.expiresAt ? `expires ${bundle.expiresAt}` : void 0, bundle?.scope ? `scope ${bundle.scope}` : void 0].filter(Boolean).join("; ");
+		return {
+			server: server.server,
+			status,
+			...bundle?.expiresAt ? { expiresAt: bundle.expiresAt } : {},
+			...bundle?.scope ? { scope: bundle.scope } : {}
+		};
+	});
+}
+function formatAuthRows(rows, format) {
+	if (rows.length === 0) return format === "markdown" ? "## OAuth credentials\n\nNo configured remote OAuth servers found.\n" : "No configured remote OAuth servers found.\n";
+	let output = "";
+	if (format === "markdown") output += "## OAuth credentials\n\n";
+	else output += "OAuth credentials\n\n";
+	for (const row of rows) {
+		const details = [row.expiresAt ? `expires ${row.expiresAt}` : void 0, row.scope ? `scope ${row.scope}` : void 0].filter(Boolean).join("; ");
 		if (format === "markdown") {
-			options.writeOut(`- \`${server.server}\` — ${status}${details ? ` (${details})` : ""}\n`);
+			output += `- \`${row.server}\` — ${row.status}${details ? ` (${details})` : ""}\n`;
 			continue;
 		}
-		options.writeOut([
-			server.server,
-			`  Status: ${status}`,
-			...bundle?.expiresAt ? [`  Expires: ${bundle.expiresAt}`] : [],
-			...bundle?.scope ? [`  Scope: ${bundle.scope}`] : []
-		].join("\n"));
-		options.writeOut("\n\n");
+		output += [
+			row.server,
+			`  Status: ${row.status}`,
+			...row.expiresAt ? [`  Expires: ${row.expiresAt}`] : [],
+			...row.scope ? [`  Scope: ${row.scope}`] : []
+		].join("\n") + "\n\n";
 	}
+	return output;
 }
 function findAuthTarget(serverId, config = loadConfig()) {
 	return authTargets(config).find((server) => server.server === serverId);
@@ -62201,124 +63474,6 @@ function starterConfig() {
 		} }
 	}, null, 2);
 }
-function listCaplets(configWithSources, options) {
-	const { config, sources, shadows } = configWithSources;
-	return allCaplets(config).filter((server) => options.includeDisabled || !server.disabled).map((server) => ({
-		server: server.server,
-		backend: server.backend,
-		name: server.name,
-		description: server.description,
-		disabled: server.disabled,
-		status: initialServerStatus(server),
-		source: sources[server.server]?.kind ?? "unknown",
-		path: sources[server.server]?.path ?? null,
-		shadows: shadows[server.server] ?? []
-	})).sort((left, right) => left.server.localeCompare(right.server));
-}
-function initialServerStatus(server) {
-	return server.disabled ? "disabled" : "not_started";
-}
-function allCaplets(config) {
-	return [
-		...Object.values(config.mcpServers),
-		...Object.values(config.openapiEndpoints),
-		...Object.values(config.graphqlEndpoints),
-		...Object.values(config.httpApis),
-		...Object.values(config.cliTools)
-	];
-}
-function formatCapletList(rows, format = "plain") {
-	return format === "markdown" ? formatCapletListMarkdown(rows) : formatCapletListPlain(rows);
-}
-function formatCapletListMarkdown(rows) {
-	if (rows.length === 0) return "## Configured Caplets\n\nNo configured Caplets found.\n";
-	const heading = [
-		"## Configured Caplets",
-		"",
-		`${rows.length} ${rows.length === 1 ? "Caplet" : "Caplets"} shown.`,
-		""
-	];
-	const entries = rows.flatMap((row) => [
-		`- \`${row.server}\` — ${row.name}`,
-		`  - Backend: ${row.backend}`,
-		`  - Status: ${row.status}`,
-		`  - Source: ${row.source}`,
-		...row.disabled ? ["  - Disabled: true"] : [],
-		...row.path ? [`  - Path: ${row.path}`] : []
-	]);
-	const warnings = rows.flatMap((row) => row.shadows.map((shadow) => `Warning: ${formatSourceKind(row.source)} Caplet ${row.server} shadows ${formatSourceKind(shadow.kind)} Caplet at ${shadow.path}`));
-	if (warnings.length === 0) return `${[...heading, ...entries].join("\n")}\n`;
-	return `${[
-		...heading,
-		...entries,
-		"",
-		"Warnings:",
-		...warnings.map((warning) => `- ${warning}`)
-	].join("\n")}\n`;
-}
-function formatCapletListPlain(rows) {
-	if (rows.length === 0) return "No configured Caplets found.\n";
-	const entries = rows.map((row) => [
-		row.server,
-		`  Name: ${row.name}`,
-		`  Backend: ${row.backend}`,
-		`  Status: ${row.status}`,
-		`  Source: ${row.source}`,
-		...row.disabled ? ["  Disabled: true"] : [],
-		...row.path ? [`  Path: ${row.path}`] : []
-	].join("\n")).join("\n\n");
-	const warnings = rows.flatMap((row) => row.shadows.map((shadow) => `Warning: ${formatSourceKind(row.source)} Caplet ${row.server} shadows ${formatSourceKind(shadow.kind)} Caplet at ${shadow.path}`));
-	if (warnings.length === 0) return `Configured Caplets (${rows.length})\n\n${entries}\n`;
-	return `Configured Caplets (${rows.length})\n\n${entries}\n\n${warnings.join("\n")}\n`;
-}
-function formatSourceKind(kind) {
-	if (kind.startsWith("project")) return "project";
-	if (kind.startsWith("global")) return "global";
-	return kind;
-}
-function resolveCliConfigPaths(envConfigPath, authDir) {
-	const configPath = resolveConfigPath(envConfigPath);
-	const effectiveAuthDir = authDir ?? DEFAULT_AUTH_DIR;
-	return {
-		userConfig: configPath,
-		projectConfig: resolveProjectConfigPath(),
-		userRoot: resolveCapletsRoot(configPath),
-		stateRoot: dirname(effectiveAuthDir),
-		projectRoot: resolveProjectCapletsRoot(),
-		authDir: effectiveAuthDir,
-		envConfig: envConfigPath ?? null
-	};
-}
-function formatConfigPaths(paths, format = "plain") {
-	if (format === "markdown") return formatConfigPathsMarkdown(paths);
-	return formatConfigPathsPlain(paths);
-}
-function formatConfigPathsMarkdown(paths) {
-	return [
-		"## Caplets paths",
-		"",
-		`- User config: ${paths.userConfig}`,
-		`- Project config: ${paths.projectConfig}`,
-		`- User Caplets root: ${paths.userRoot}`,
-		`- State root: ${paths.stateRoot}`,
-		`- Project Caplets root: ${paths.projectRoot}`,
-		`- Auth directory: ${paths.authDir}`,
-		`- CAPLETS_CONFIG: ${paths.envConfig ?? "unset"}`
-	].join("\n") + "\n";
-}
-function formatConfigPathsPlain(paths) {
-	return [
-		"Caplets paths",
-		"",
-		`User config: ${paths.userConfig}`,
-		`Project config: ${paths.projectConfig}`,
-		`User root: ${paths.userRoot}`,
-		`State root: ${paths.stateRoot}`,
-		`Project root: ${paths.projectRoot}`,
-		`Auth directory: ${paths.authDir}`,
-		`CAPLETS_CONFIG: ${paths.envConfig ?? "unset"}`
-	].join("\n") + "\n";
-}
 function installCaplets(repo, options = {}) {
 	const source = resolveInstallSource(repo);
 	try {
@@ -62552,6 +63707,94 @@ function nearestExistingParent(path) {
 	if (parent === path) return parent;
 	return nearestExistingParent(parent);
 }
+var RemoteControlClient = class {
+	#baseUrl;
+	#requestInit;
+	#fetch;
+	constructor(options) {
+		this.#baseUrl = options.baseUrl;
+		this.#requestInit = options.requestInit;
+		this.#fetch = options.fetch ?? fetch;
+	}
+	async request(command, args) {
+		const controlUrl = controlUrlForBase(this.#baseUrl);
+		let response;
+		try {
+			response = await this.#fetch(controlUrl, {
+				...this.#requestInit,
+				method: "POST",
+				headers: mergeJsonHeaders(this.#requestInit.headers),
+				body: JSON.stringify({
+					command,
+					arguments: args
+				})
+			});
+		} catch (error) {
+			throw new CapletsError("SERVER_UNAVAILABLE", `Could not connect to Caplets server at ${safeBaseUrl(this.#baseUrl)}.`, toSafeError(error, "SERVER_UNAVAILABLE"));
+		}
+		if (response.status === 401 || response.status === 403) throw new CapletsError("AUTH_FAILED", "Caplets server authentication failed. Check CAPLETS_SERVER_USER and CAPLETS_SERVER_PASSWORD.");
+		if (!response.ok) throw new CapletsError("SERVER_UNAVAILABLE", `Caplets server at ${safeBaseUrl(this.#baseUrl)} returned HTTP ${response.status}.`);
+		const payload = await parseRemoteCliResponse(response);
+		if (!payload.ok) throw new CapletsError(payload.error.code, redactRemoteMessage(payload.error.message), payload.error.nextAction === void 0 ? void 0 : { nextAction: payload.error.nextAction });
+		return payload.result;
+	}
+};
+function mergeJsonHeaders(headers) {
+	const merged = new Headers(headers);
+	merged.set("content-type", "application/json");
+	return merged;
+}
+function safeBaseUrl(baseUrl) {
+	const safe = new URL(baseUrl.href);
+	safe.username = "";
+	safe.password = "";
+	safe.search = "";
+	safe.hash = "";
+	return safe.toString();
+}
+async function parseRemoteCliResponse(response) {
+	let payload;
+	try {
+		payload = await response.json();
+	} catch (error) {
+		throw invalidRemoteControlResponse(error);
+	}
+	if (!isRecord(payload)) throw invalidRemoteControlResponse();
+	if (payload.ok === true) {
+		if (!("result" in payload)) throw invalidRemoteControlResponse();
+		return {
+			ok: true,
+			result: payload.result
+		};
+	}
+	if (payload.ok === false) {
+		const error = payload.error;
+		if (!isRecord(error) || typeof error.code !== "string" || typeof error.message !== "string") throw invalidRemoteControlResponse();
+		if ("nextAction" in error && error.nextAction !== void 0 && typeof error.nextAction !== "string") throw invalidRemoteControlResponse();
+		const errorResponse = {
+			ok: false,
+			error: {
+				code: isCapletsErrorCode(error.code) ? error.code : "DOWNSTREAM_TOOL_ERROR",
+				message: error.message
+			}
+		};
+		if (typeof error.nextAction === "string") errorResponse.error.nextAction = error.nextAction;
+		return errorResponse;
+	}
+	throw invalidRemoteControlResponse();
+}
+function invalidRemoteControlResponse(cause) {
+	return new CapletsError("DOWNSTREAM_PROTOCOL_ERROR", "Caplets server returned an invalid remote control response.", cause === void 0 ? void 0 : toSafeError(cause, "DOWNSTREAM_PROTOCOL_ERROR"));
+}
+function isRecord(value) {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function isCapletsErrorCode(value) {
+	return CAPLETS_ERROR_CODES.includes(value);
+}
+function redactRemoteMessage(message) {
+	return String(redactSecrets(message)).replace(/\b(authorization\s*:\s*(?:basic|bearer)\s+)[^\s,;]+/giu, "$1[REDACTED]").replace(/\b((?:access_)?token=)[^\s,;]+/giu, "$1[REDACTED]").replace(/\b((?:token|secret|authorization|auth|api[-_]?key|password|credential|clientsecret|client_secret|code|refresh(?:_token)?)\s*[=:]\s*)[^\s,;]+/giu, "$1[REDACTED]");
+}
 var compose = (middleware, onError, onNotFound) => {
 	return (context, next) => {
 		let index = -1;
@@ -65421,29 +66664,367 @@ var logger = (fn = console.log) => {
 		await log(fn, "-->", method, path, c.res.status, time(start));
 	};
 };
+const ENGINE_COMMANDS = new Set([
+	"get_caplet",
+	"check_backend",
+	"list_tools",
+	"search_tools",
+	"get_tool",
+	"call_tool",
+	"list_resources",
+	"search_resources",
+	"list_resource_templates",
+	"read_resource",
+	"list_prompts",
+	"search_prompts",
+	"get_prompt",
+	"complete"
+]);
+async function dispatchRemoteCliRequest(request, context) {
+	try {
+		return {
+			ok: true,
+			result: await dispatch(request, context)
+		};
+	} catch (error) {
+		const safe = toSafeError(error);
+		const action = nextAction(safe.details);
+		return {
+			ok: false,
+			error: {
+				code: safe.code,
+				message: redactControlErrorMessage(safe.message),
+				...action ? { nextAction: action } : {}
+			}
+		};
+	}
+}
+async function dispatch(request, context) {
+	assertObject(request, "remote control request");
+	assertObject(request.arguments, "remote control request arguments");
+	if (request.command === "list") return listCaplets(loadConfigWithSources(context.configPath, context.projectConfigPath), { includeDisabled: optionalBoolean(request.arguments, "includeDisabled") ?? false });
+	if (ENGINE_COMMANDS.has(request.command)) {
+		const caplet = requiredString(request.arguments, "caplet");
+		const toolRequest = requiredEngineRequest(request.arguments, request.command);
+		const engine = new CapletsEngine(context);
+		try {
+			return await engine.execute(caplet, toolRequest);
+		} finally {
+			await engine.close();
+		}
+	}
+	if (request.command === "init") return {
+		remote: true,
+		path: initConfig({
+			...optionalProp("path", context.configPath),
+			...optionalProp("force", optionalBoolean(request.arguments, "force"))
+		})
+	};
+	if (request.command === "add") return dispatchAdd(request.arguments, context);
+	if (request.command === "install") return {
+		remote: true,
+		...installCaplets(requiredString(request.arguments, "repo"), {
+			...optionalProp("capletIds", optionalStringArray(request.arguments, "capletIds")),
+			destinationRoot: context.projectCapletsRoot,
+			...optionalProp("force", optionalBoolean(request.arguments, "force"))
+		})
+	};
+	if (request.command === "complete_cli") {
+		const shell = optionalString(request.arguments, "shell") ?? "bash";
+		if (!completionShells.includes(shell)) return [];
+		const engine = new CapletsEngine(context);
+		try {
+			return await engine.completeCliWords(optionalStringArray(request.arguments, "words") ?? [""]);
+		} finally {
+			await engine.close();
+		}
+	}
+	if (request.command === "auth_list") return listAuthRows({
+		...optionalProp("configPath", context.configPath),
+		...optionalProp("authDir", context.authDir)
+	});
+	if (request.command === "auth_logout") return logoutAuthResult(requiredString(request.arguments, "server"), {
+		...optionalProp("configPath", context.configPath),
+		...optionalProp("authDir", context.authDir)
+	});
+	if (request.command === "auth_login_start") return startRemoteAuthLogin(requiredString(request.arguments, "server"), context);
+	if (request.command === "auth_login_complete") return completeRemoteAuthLogin(requiredString(request.arguments, "flowId"), requiredString(request.arguments, "callbackUrl"), context);
+	throw new CapletsError("UNKNOWN_OPERATION", `Unsupported remote control command ${request.command}`);
+}
+async function startRemoteAuthLogin(serverId, context) {
+	if (!context.authFlowStore || !context.controlCallbackBaseUrl) throw new CapletsError("REQUEST_INVALID", "Remote auth login is not available on this server");
+	const config = loadConfigWithSources(context.configPath, context.projectConfigPath).config;
+	const target = findAuthTarget(serverId, config);
+	assertLoginTarget(target, serverId);
+	const flowId = randomUUID();
+	const baseUrl = context.controlCallbackBaseUrl.endsWith("/") ? context.controlCallbackBaseUrl : `${context.controlCallbackBaseUrl}/`;
+	const redirectUri = new URL(`auth/callback/${flowId}`, baseUrl).toString();
+	const started = target.backend === "mcp" ? await startOAuthFlow(target, {
+		redirectUri,
+		...optionalProp("authDir", context.authDir)
+	}) : await startGenericOAuthFlow(target, {
+		redirectUri,
+		...optionalProp("authDir", context.authDir)
+	});
+	if (!started.authorizationUrl) return {
+		server: serverId,
+		authenticated: true
+	};
+	const flow = context.authFlowStore.create({
+		server: serverId,
+		authorizationUrl: started.authorizationUrl,
+		complete: started.complete
+	}, flowId);
+	return {
+		server: serverId,
+		flowId: flow.id,
+		authorizationUrl: flow.authorizationUrl
+	};
+}
+async function completeRemoteAuthLogin(flowId, callbackUrl, context) {
+	const flow = context.authFlowStore?.get(flowId);
+	if (!flow) throw new CapletsError("REQUEST_INVALID", `Unknown auth flow ${flowId}`);
+	context.authFlowStore?.delete(flowId);
+	await flow.complete(callbackUrl);
+	return {
+		server: flow.server,
+		authenticated: true
+	};
+}
+function dispatchAdd(args, context) {
+	const kind = requiredString(args, "kind");
+	const id = requiredString(args, "id");
+	const options = remoteAddOptions$1(kind, optionalObject(args, "options"));
+	switch (kind) {
+		case "cli": return {
+			remote: true,
+			label: "CLI",
+			...addCliCaplet(id, {
+				...options,
+				destinationRoot: context.projectCapletsRoot,
+				print: false
+			})
+		};
+		case "mcp": return {
+			remote: true,
+			label: "MCP",
+			...addMcpCaplet(id, {
+				...options,
+				destinationRoot: context.projectCapletsRoot,
+				print: false
+			})
+		};
+		case "openapi": return {
+			remote: true,
+			label: "OpenAPI",
+			...addOpenApiCaplet(id, {
+				...options,
+				destinationRoot: context.projectCapletsRoot,
+				print: false
+			})
+		};
+		case "graphql": return {
+			remote: true,
+			label: "GraphQL",
+			...addGraphqlCaplet(id, {
+				...options,
+				destinationRoot: context.projectCapletsRoot,
+				print: false
+			})
+		};
+		case "http": return {
+			remote: true,
+			label: "HTTP",
+			...addHttpCaplet(id, {
+				...options,
+				destinationRoot: context.projectCapletsRoot,
+				print: false
+			})
+		};
+		default: throw new CapletsError("REQUEST_INVALID", "add.kind must be cli, mcp, openapi, graphql, or http");
+	}
+}
+function optionalProp(key, value) {
+	return value === void 0 ? {} : { [key]: value };
+}
+function assertObject(value, label) {
+	if (value === null || typeof value !== "object" || Array.isArray(value)) throw new CapletsError("REQUEST_INVALID", `${label} must be an object`);
+}
+function requiredString(args, key) {
+	const value = args[key];
+	if (typeof value !== "string" || value.length === 0) throw new CapletsError("REQUEST_INVALID", `${key} must be a non-empty string`);
+	return value;
+}
+function optionalString(args, key) {
+	const value = args[key];
+	if (value === void 0) return;
+	if (typeof value !== "string") throw new CapletsError("REQUEST_INVALID", `${key} must be a string`);
+	return value;
+}
+function optionalObject(args, key) {
+	const value = args[key];
+	if (value === void 0) return {};
+	assertObject(value, key);
+	return value;
+}
+function requiredEngineRequest(args, command) {
+	const toolRequest = optionalObject(args, "request");
+	if (typeof toolRequest.operation !== "string") throw new CapletsError("REQUEST_INVALID", "request.operation must be a string");
+	if (toolRequest.operation !== command) throw new CapletsError("REQUEST_INVALID", `request.operation must match remote command ${command}`);
+	return toolRequest;
+}
+function remoteAddOptions$1(kind, options) {
+	rejectServerOwnedAddOptions(options);
+	switch (kind) {
+		case "cli": return pickOptions(options, {
+			repo: "string",
+			include: "string",
+			command: "string",
+			force: "boolean"
+		});
+		case "mcp": return pickOptions(options, {
+			command: "string",
+			arg: "string-array",
+			cwd: "string",
+			env: "string-array",
+			url: "string",
+			transport: "string",
+			tokenEnv: "string",
+			force: "boolean"
+		});
+		case "openapi": return pickOptions(options, {
+			spec: "string",
+			baseUrl: "string",
+			tokenEnv: "string",
+			force: "boolean"
+		});
+		case "graphql": return pickOptions(options, {
+			endpointUrl: "string",
+			schema: "string",
+			introspection: "boolean",
+			tokenEnv: "string",
+			force: "boolean"
+		});
+		case "http": return pickOptions(options, {
+			baseUrl: "string",
+			action: "string-array",
+			tokenEnv: "string",
+			force: "boolean"
+		});
+		default: return options;
+	}
+}
+function pickOptions(options, schema) {
+	const next = {};
+	for (const [key, type] of Object.entries(schema)) {
+		const value = options[key];
+		if (value === void 0) continue;
+		validateOptionType(key, value, type);
+		next[key] = value;
+	}
+	return next;
+}
+function rejectServerOwnedAddOptions(options) {
+	if ("output" in options) throw new CapletsError("REQUEST_INVALID", "Remote add output is not supported remotely; the server owns destinationRoot and output path selection");
+	for (const key of ["destinationRoot", "print"]) if (key in options) throw new CapletsError("REQUEST_INVALID", `Remote add ${key} is not supported remotely; the server owns destinationRoot and print behavior`);
+}
+function validateOptionType(key, value, type) {
+	if (type === "string" && typeof value !== "string") throw new CapletsError("REQUEST_INVALID", `add.options.${key} must be a string`);
+	if (type === "boolean" && typeof value !== "boolean") throw new CapletsError("REQUEST_INVALID", `add.options.${key} must be a boolean`);
+	if (type === "string-array") {
+		if (!Array.isArray(value) || !value.every((item) => typeof item === "string")) throw new CapletsError("REQUEST_INVALID", `add.options.${key} must be an array of strings`);
+	}
+}
+function optionalBoolean(args, key) {
+	const value = args[key];
+	if (value === void 0) return;
+	if (typeof value !== "boolean") throw new CapletsError("REQUEST_INVALID", `${key} must be a boolean`);
+	return value;
+}
+function optionalStringArray(args, key) {
+	const value = args[key];
+	if (value === void 0) return;
+	if (!Array.isArray(value) || !value.every((item) => typeof item === "string")) throw new CapletsError("REQUEST_INVALID", `${key} must be an array of strings`);
+	return value;
+}
+function nextAction(details) {
+	if (details && typeof details === "object" && "nextAction" in details) {
+		const value = details.nextAction;
+		return typeof value === "string" ? value : void 0;
+	}
+}
+function redactControlErrorMessage(message) {
+	return message.replace(/(["'])(authorization|(?:access[_-]?)?token|refresh(?:[_-]?token)?|password|client[_-]?secret|clientsecret|api[-_]?key|apikey|secret|credential|code)\1\s*:\s*(["'])(?:\\.|[^\\])*?\3/giu, "$1$2$1:$3[REDACTED]$3").replace(/\b(authorization\s*:\s*(?:basic|bearer)\s+)[^\s,;]+/giu, "$1[REDACTED]").replace(/\b((?:access[_-]?)?token|refresh(?:[_-]?token)?|password|client[_-]?secret|clientsecret|api[-_]?key|apikey|secret|credential|code)(\s*[=:]\s*)[^\s,;]+/giu, "$1$2[REDACTED]");
+}
+const DEFAULT_AUTH_FLOW_TTL_MS = 600 * 1e3;
+var RemoteAuthFlowStore = class {
+	options;
+	flows = /* @__PURE__ */ new Map();
+	constructor(options = {}) {
+		this.options = options;
+	}
+	create(flow, id = randomUUID()) {
+		this.pruneExpired();
+		const created = {
+			id,
+			createdAt: this.now(),
+			...flow
+		};
+		this.flows.set(created.id, created);
+		return { ...created };
+	}
+	get(id) {
+		this.pruneExpired();
+		const flow = this.flows.get(id);
+		if (flow && this.isExpired(flow)) {
+			this.flows.delete(id);
+			return;
+		}
+		return flow;
+	}
+	delete(id) {
+		this.flows.delete(id);
+	}
+	pruneExpired() {
+		for (const [id, flow] of this.flows) if (this.isExpired(flow)) this.flows.delete(id);
+	}
+	isExpired(flow) {
+		return this.now() - flow.createdAt > (this.options.ttlMs ?? DEFAULT_AUTH_FLOW_TTL_MS);
+	}
+	now() {
+		return this.options.now?.() ?? Date.now();
+	}
+};
 function createHttpServeApp(options, engine, io = {}) {
 	const app = new Hono();
 	const sessions = /* @__PURE__ */ new Map();
 	const writeErr = io.writeErr ?? process.stderr.write.bind(process.stderr);
+	const paths = servicePaths(options.path);
+	const authFlowStore = io.authFlowStore ?? new RemoteAuthFlowStore();
 	app.use("*", logger((message, ...rest) => {
 		writeErr(`${[message, ...rest].join(" ")}\n`);
 	}));
-	app.get("/", (c) => c.json({
+	app.get(paths.base, (c) => c.json({
 		name: "caplets",
 		transport: "http",
-		mcp: options.path,
-		health: "/healthz",
+		base: paths.base,
+		mcp: paths.mcp,
+		control: paths.control,
+		health: paths.health,
 		auth: {
 			type: "basic",
 			enabled: options.auth.enabled
 		}
 	}));
-	app.get("/healthz", (c) => c.json({
+	app.get(paths.health, (c) => c.json({
 		status: "ok",
 		transport: "http",
-		mcpPath: options.path
+		base: paths.base,
+		mcpPath: paths.mcp,
+		controlPath: paths.control,
+		healthPath: paths.health
 	}));
-	app.all(options.path, basicAuth(options.auth), async (c) => {
+	app.all(paths.mcp, basicAuth(options.auth), async (c) => {
 		const sessionId = c.req.header("mcp-session-id");
 		if (sessionId) {
 			const existing = sessions.get(sessionId);
@@ -65474,6 +67055,36 @@ function createHttpServeApp(options, engine, io = {}) {
 		sessions.set(nextSessionId, session);
 		return session.transport.handleRequest(c);
 	});
+	app.post(paths.control, basicAuth(options.auth), async (c) => {
+		let request;
+		try {
+			const parsed = await c.req.json();
+			if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) throw new CapletsError("REQUEST_INVALID", "Control request JSON must be an object");
+			request = parsed;
+		} catch (error) {
+			const safe = toSafeError(error instanceof CapletsError ? error : new CapletsError("REQUEST_INVALID", "Control request body must be valid JSON", error), "REQUEST_INVALID");
+			return c.json({
+				ok: false,
+				error: {
+					code: safe.code,
+					message: safe.message
+				}
+			});
+		}
+		return c.json(await dispatchRemoteCliRequest(request, controlContext(io, writeErr, authFlowStore, c.req.url, paths.control, options.trustProxy, (name) => c.req.header(name))));
+	});
+	app.get(routePath(paths.control, "auth/callback/:flowId"), async (c) => {
+		const flowId = c.req.param("flowId");
+		const result = await dispatchRemoteCliRequest({
+			command: "auth_login_complete",
+			arguments: {
+				flowId,
+				callbackUrl: c.req.url
+			}
+		}, controlContext(io, writeErr, authFlowStore, c.req.url, paths.control, options.trustProxy, (name) => c.req.header(name)));
+		if (!result.ok) writeErr(`Caplets authentication failed for flow ${flowId}: ${result.error.message}\n`);
+		return result.ok ? c.text("Caplets authentication complete. You can return to your terminal.") : c.text("Caplets authentication failed. Check server logs for details.", 400);
+	});
 	app.notFound((c) => c.json({ error: "not_found" }, 404));
 	app.closeCapletsSessions = async () => {
 		await Promise.allSettled([...sessions.values()].map(async (session) => {
@@ -65484,19 +67095,66 @@ function createHttpServeApp(options, engine, io = {}) {
 	if (options.warnUnauthenticatedNetwork) writeErr(`Warning: Caplets MCP HTTP server is listening on ${options.host} without authentication.\n`);
 	return app;
 }
+function controlContext(io, writeErr, authFlowStore, requestUrl, controlPath, trustProxy, header) {
+	return {
+		...io.control,
+		projectCapletsRoot: io.control?.projectCapletsRoot ?? resolveProjectCapletsRoot(),
+		authFlowStore,
+		controlCallbackBaseUrl: new URL(controlPath, publicRequestOrigin(requestUrl, trustProxy, header)).toString(),
+		writeErr
+	};
+}
+function publicRequestOrigin(requestUrl, trustProxy, header) {
+	const url = new URL(requestUrl);
+	if (!trustProxy) return `${url.protocol.slice(0, -1)}://${header("host") ?? url.host}`;
+	const forwardedProto = firstForwardedValue(header("x-forwarded-proto"));
+	const forwardedHost = firstForwardedValue(header("x-forwarded-host"));
+	return `${forwardedProto === "http" || forwardedProto === "https" ? forwardedProto : url.protocol.slice(0, -1)}://${forwardedHost ?? header("host") ?? url.host}`;
+}
+function firstForwardedValue(value) {
+	return value?.split(",", 1)[0]?.trim() || void 0;
+}
 async function serveHttp(options, engineOptions = {}, writeErr = (value) => process.stderr.write(value)) {
 	const engine = new CapletsEngine(engineOptions);
-	const app = createHttpServeApp(options, engine, { writeErr });
+	const app = createHttpServeApp(options, engine, {
+		writeErr,
+		control: {
+			...engineOptions,
+			projectCapletsRoot: projectCapletsRootForEngineOptions(engineOptions)
+		}
+	});
+	const paths = servicePaths(options.path);
+	const origin = `http://${formatHost(options.host)}:${options.port}`;
+	const baseUrl = `${origin}${paths.base === "/" ? "" : paths.base}`;
 	installHttpSignalHandlers(serve({
 		fetch: app.fetch,
 		hostname: options.host,
 		port: options.port
 	}, () => {
-		writeErr(`Caplets MCP HTTP server listening on http://${formatHost(options.host)}:${options.port}${options.path}\n`);
-		writeErr(`Health check: http://${formatHost(options.host)}:${options.port}/healthz\n`);
+		writeErr(`Caplets HTTP service listening on ${baseUrl}\n`);
+		writeErr(`MCP endpoint: ${origin}${paths.mcp}\n`);
+		writeErr(`Control endpoint: ${origin}${paths.control}\n`);
+		writeErr(`Health check: ${origin}${paths.health}\n`);
 		writeErr(`Basic Auth: ${options.auth.enabled ? `enabled (user: ${options.auth.user})` : "disabled"}\n`);
 	}), app, engine, writeErr);
 }
+function projectCapletsRootForEngineOptions(engineOptions) {
+	return engineOptions.projectConfigPath ? resolveProjectCapletsRootForConfigPath(engineOptions.projectConfigPath) : resolveProjectCapletsRoot();
+}
+function resolveProjectCapletsRootForConfigPath(projectConfigPath) {
+	return dirname(projectConfigPath);
+}
+function routePath(base, path) {
+	return base === "/" ? `/${path}` : `${base}/${path}`;
+}
+function servicePaths(base) {
+	return {
+		base,
+		mcp: routePath(base, "mcp"),
+		control: routePath(base, "control"),
+		health: routePath(base, "healthz")
+	};
+}
 async function createHttpSession(engine, sessionId, options, onClose) {
 	const transport = new StreamableHTTPTransport({
 		sessionIdGenerator: () => sessionId,
@@ -65574,7 +67232,8 @@ const HTTP_ONLY_OPTIONS = [
 	"path",
 	"user",
 	"password",
-	"allowUnauthenticatedHttp"
+	"allowUnauthenticatedHttp",
+	"trustProxy"
 ];
 function resolveServeOptions(raw, env = process.env) {
 	const transport = parseTransport(raw.transport ?? "stdio");
@@ -65583,9 +67242,10 @@ function resolveServeOptions(raw, env = process.env) {
 		if (invalid.length > 0) throw new CapletsError("REQUEST_INVALID", `${invalid.map((key) => `--${key}`).join(", ")} ${invalid.length === 1 ? "is" : "are"} only valid with --transport http`);
 		return { transport };
 	}
-	const host = nonEmpty(raw.host, "--host") ?? "127.0.0.1";
-	const port = parsePort(raw.port ?? 5387);
-	const path = normalizeHttpPath(raw.path ?? "/mcp");
+	const serverUrl = env.CAPLETS_SERVER_URL ? parseServeServerUrl(nonEmpty(env.CAPLETS_SERVER_URL, "CAPLETS_SERVER_URL")) : void 0;
+	const host = nonEmpty(raw.host, "--host") ?? serverUrlHost(serverUrl) ?? "127.0.0.1";
+	const port = parsePort(raw.port ?? (serverUrl?.port ? Number(serverUrl.port) : 5387));
+	const path = normalizeHttpPath(raw.path ?? serverUrl?.pathname ?? "/");
 	const userWasExplicit = raw.user !== void 0 || hasEnv(env.CAPLETS_SERVER_USER);
 	const user = nonEmpty(raw.user, "--user") ?? nonEmpty(env.CAPLETS_SERVER_USER, "CAPLETS_SERVER_USER") ?? "caplets";
 	const password = nonEmpty(raw.password, "--password") ?? nonEmpty(env.CAPLETS_SERVER_PASSWORD, "CAPLETS_SERVER_PASSWORD");
@@ -65607,13 +67267,22 @@ function resolveServeOptions(raw, env = process.env) {
 		path,
 		auth,
 		warnUnauthenticatedNetwork: !loopback && !auth.enabled,
-		loopback
+		loopback,
+		trustProxy: raw.trustProxy === true
 	};
 }
 function isLoopbackHost(host) {
 	const normalized = host.toLocaleLowerCase();
 	return normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1";
 }
+function parseServeServerUrl(value) {
+	try {
+		return parseServerBaseUrl(value);
+	} catch (error) {
+		if (error instanceof CapletsError && error.message.includes("must use https except loopback development URLs")) throw new CapletsError("REQUEST_INVALID", "CAPLETS_SERVER_URL must use https except loopback development URLs; use --host, --port, and --path separately for non-loopback HTTP bind addresses.");
+		throw error;
+	}
+}
 function parseTransport(value) {
 	if (value === "stdio" || value === "http") return value;
 	throw new CapletsError("REQUEST_INVALID", `Expected --transport to be stdio or http, got ${value}`);
@@ -65628,6 +67297,9 @@ function normalizeHttpPath(value) {
 	if (value.includes("?") || value.includes("#")) throw new CapletsError("REQUEST_INVALID", "HTTP --path must not include a query string or fragment");
 	return value === "/" ? value : value.replace(/\/+$/u, "");
 }
+function serverUrlHost(url) {
+	return url?.hostname.replace(/^\[(.*)\]$/u, "$1");
+}
 function nonEmpty(value, label) {
 	if (value === void 0) return;
 	const trimmed = value.trim();
@@ -65751,9 +67423,14 @@ async function runCli(args, io = {}) {
 		throw error;
 	}
 }
+function normalizeCompletionWords(words) {
+	return words.map((word) => word === "__CAPLETS_TRAILING_SPACE__" ? "" : word);
+}
 function createProgram(io = {}) {
 	const writeOut = io.writeOut ?? ((value) => process.stdout.write(value));
 	const writeErr = io.writeErr ?? ((value) => process.stderr.write(value));
+	const env = io.env ?? process.env;
+	const currentConfigPath = () => envConfigPath(env);
 	const setExitCode = io.setExitCode ?? ((code) => {
 		process.exitCode = code;
 	});
@@ -65763,42 +67440,98 @@ function createProgram(io = {}) {
 		writeErr,
 		outputError: (value, write) => write(value)
 	});
-	program.command("serve").description("Serve configured Caplets as an MCP server.").option("--transport <transport>", "server transport: stdio or http").option("--host <host>", "HTTP bind host").option("--port <port>", "HTTP bind port").option("--path <path>", "HTTP MCP endpoint path").option("--user <user>", "HTTP Basic Auth username").option("--password <password>", "HTTP Basic Auth password").option("--allow-unauthenticated-http", "allow unauthenticated HTTP serving on non-loopback hosts").action(async (options) => {
+	program.command(cliCommands.completion).description("Print a shell completion script.").argument("<shell>", "completion shell: bash, zsh, fish, powershell, or cmd").action((shell) => {
+		if (!completionShells.includes(shell)) throw new CapletsError("REQUEST_INVALID", "completion shell must be bash, zsh, fish, powershell, or cmd");
+		writeOut(completionScript(shell));
+	});
+	program.command(cliCommands.completeHidden, { hidden: true }).description("Internal shell completion endpoint.").option("--shell <shell>", "completion shell").allowUnknownOption(true).argument("[words...]", "words to complete").action(async (words, options) => {
+		const shell = completionShells.includes(options.shell) ? options.shell : "bash";
+		const remote = remoteClientForCli(io);
+		const configPath = currentConfigPath();
+		const completionWords = normalizeCompletionWords(words);
+		let suggestions = [];
+		try {
+			suggestions = remote ? await remote.request("complete_cli", {
+				shell,
+				words: completionWords
+			}) : await completeCliWords(completionWords, configPath ? { configPath } : {});
+		} catch {
+			suggestions = [];
+		}
+		if (suggestions.length > 0) writeOut(`${suggestions.join("\n")}\n`);
+	});
+	program.command(cliCommands.serve).description("Serve configured Caplets as an MCP server.").option("--transport <transport>", "server transport: stdio or http").option("--host <host>", "HTTP bind host").option("--port <port>", "HTTP bind port").option("--path <path>", "HTTP service base path").option("--user <user>", "HTTP Basic Auth username").option("--password <password>", "HTTP Basic Auth password").option("--allow-unauthenticated-http", "allow unauthenticated HTTP serving on non-loopback hosts").option("--trust-proxy", "trust X-Forwarded-* headers from a reverse proxy").action(async (options) => {
 		const resolved = resolveServeOptions(options);
-		const configPath = envConfigPath();
+		const configPath = currentConfigPath();
 		await (io.serve ?? ((serveOptions) => serveResolvedCaplets(serveOptions, {
 			...configPath ? { configPath } : {},
 			...io.authDir ? { authDir: io.authDir } : {}
 		}, writeErr)))(resolved);
 	});
-	program.command("init").description("Create a starter Caplets config file.").option("--force", "overwrite an existing config file").action((options) => {
-		const configPath = envConfigPath();
+	program.command(cliCommands.init).description("Create a starter Caplets config file.").option("--force", "overwrite an existing config file").action(async (options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeOut(`Created remote Caplets config at ${(await remote.request("init", { force: Boolean(options.force) })).path}\n`);
+			return;
+		}
+		const configPath = currentConfigPath();
 		writeOut(`Created Caplets config at ${initConfig({
 			...configPath ? { path: configPath } : {},
 			force: Boolean(options.force)
 		})}\n`);
 	});
-	program.command("list").description("List configured Caplets.").option("--all", "include disabled Caplets").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action((options) => {
-		const rows = listCaplets(loadConfigWithSources(envConfigPath()), { includeDisabled: Boolean(options.all) });
+	program.command(cliCommands.list).description("List configured Caplets.").option("--all", "include disabled Caplets").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action(async (options) => {
+		const includeDisabled = Boolean(options.all);
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			const rows = await remote.request("list", { includeDisabled });
+			if (options.json || options.format === "json") {
+				writeOut(`${JSON.stringify(rows, null, 2)}\n`);
+				return;
+			}
+			writeOut(formatCapletList(rows, options.format ?? "plain"));
+			return;
+		}
+		const rows = listCaplets(loadConfigWithSources(currentConfigPath()), { includeDisabled });
 		if (options.json || options.format === "json") {
 			writeOut(`${JSON.stringify(rows, null, 2)}\n`);
 			return;
 		}
 		writeOut(formatCapletList(rows, options.format ?? "plain"));
 	});
-	program.command("install").description("Install Caplets from a repo's caplets directory.").argument("<repo>", "local repo path, Git URL, or GitHub owner/repo").argument("[caplets...]", "optional Caplet IDs to install").option("-g, --global", "install to the user Caplets root").option("--force", "overwrite installed Caplets").action((repo, capletIds, options) => {
+	program.command(cliCommands.install).description("Install Caplets from a repo's caplets directory.").argument("<repo>", "local repo path, Git URL, or GitHub owner/repo").argument("[caplets...]", "optional Caplet IDs to install").option("-g, --global", "install to the user Caplets root").option("--force", "overwrite installed Caplets").action(async (repo, capletIds, options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			if (options.global) writeErr("Warning: --global is not supported in remote mode; the server controls the installation destination.\n");
+			const result = await remote.request("install", {
+				repo,
+				capletIds,
+				force: Boolean(options.force)
+			});
+			for (const caplet of result.installed) writeOut(`Installed ${caplet.id} to remote ${caplet.destination}\n`);
+			return;
+		}
 		const result = installCaplets(repo, {
 			capletIds,
 			force: Boolean(options.force),
-			destinationRoot: options.global ? resolveCapletsRoot(resolveConfigPath(envConfigPath())) : resolveProjectCapletsRoot()
+			destinationRoot: options.global ? resolveCapletsRoot(resolveConfigPath(currentConfigPath())) : resolveProjectCapletsRoot()
 		});
 		for (const caplet of result.installed) writeOut(`Installed ${caplet.id} to ${caplet.destination}\n`);
 	});
-	const add = program.command("add").description("Add generated Caplet files.");
-	add.command("cli").description("Add a CLI tools Caplet.").argument("<id>", "Caplet ID/display seed").option("--repo <path>", "repository path to inspect").option("--include <items>", "comma-separated generators to include: git,gh,package").option("--command <name>", "single CLI command template to generate").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action((id, options) => {
+	const add = program.command(cliCommands.add).description("Add generated Caplet files.");
+	add.command("cli").description("Add a CLI tools Caplet.").argument("<id>", "Caplet ID/display seed").option("--repo <path>", "repository path to inspect").option("--include <items>", "comma-separated generators to include: git,gh,package").option("--command <name>", "single CLI command template to generate").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeAddResult(writeOut, "CLI", await remote.request("add", {
+				kind: "cli",
+				id,
+				options: remoteAddOptions(options)
+			}));
+			return;
+		}
 		const result = addCliCaplet(id, {
 			...options,
-			destinationRoot: options.global ? resolveCapletsRoot(resolveConfigPath(envConfigPath())) : resolveProjectCapletsRoot()
+			destinationRoot: options.global ? resolveCapletsRoot(resolveConfigPath(currentConfigPath())) : resolveProjectCapletsRoot()
 		});
 		if (result.path) {
 			writeOut(`Wrote CLI Caplet to ${result.path}\n`);
@@ -65806,58 +67539,100 @@ function createProgram(io = {}) {
 		}
 		writeOut(result.text);
 	});
-	add.command("mcp").description("Add an MCP backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--command <name>", "stdio command").option("--arg <value>", "stdio command argument", collect, []).option("--cwd <path>", "stdio working directory").option("--env <KEY=VALUE>", "stdio environment variable", collect, []).option("--url <url>", "remote MCP server URL").option("--transport <transport>", "remote transport: http or sse").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action((id, options) => {
+	add.command("mcp").description("Add an MCP backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--command <name>", "stdio command").option("--arg <value>", "stdio command argument", collect, []).option("--cwd <path>", "stdio working directory").option("--env <KEY=VALUE>", "stdio environment variable", collect, []).option("--url <url>", "remote MCP server URL").option("--transport <transport>", "remote transport: http or sse").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeAddResult(writeOut, "MCP", await remote.request("add", {
+				kind: "mcp",
+				id,
+				options: remoteAddOptions(options)
+			}));
+			return;
+		}
 		writeAddResult(writeOut, "MCP", addMcpCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options)
+			destinationRoot: addDestinationRoot(options, currentConfigPath())
 		}));
 	});
-	add.command("openapi").description("Add an OpenAPI backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--spec <path-or-url>", "OpenAPI spec path or URL").option("--base-url <url>", "request base URL override").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action((id, options) => {
+	add.command("openapi").description("Add an OpenAPI backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--spec <path-or-url>", "OpenAPI spec path or URL").option("--base-url <url>", "request base URL override").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeAddResult(writeOut, "OpenAPI", await remote.request("add", {
+				kind: "openapi",
+				id,
+				options: remoteAddOptions(options)
+			}));
+			return;
+		}
 		writeAddResult(writeOut, "OpenAPI", addOpenApiCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options)
+			destinationRoot: addDestinationRoot(options, currentConfigPath())
 		}));
 	});
-	add.command("graphql").description("Add a GraphQL backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--endpoint-url <url>", "GraphQL endpoint URL").option("--schema <path-or-url>", "GraphQL schema path or URL").option("--introspection", "load schema through endpoint introspection").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action((id, options) => {
+	add.command("graphql").description("Add a GraphQL backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--endpoint-url <url>", "GraphQL endpoint URL").option("--schema <path-or-url>", "GraphQL schema path or URL").option("--introspection", "load schema through endpoint introspection").option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeAddResult(writeOut, "GraphQL", await remote.request("add", {
+				kind: "graphql",
+				id,
+				options: remoteAddOptions(options)
+			}));
+			return;
+		}
 		writeAddResult(writeOut, "GraphQL", addGraphqlCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options)
+			destinationRoot: addDestinationRoot(options, currentConfigPath())
 		}));
 	});
-	add.command("http").description("Add an HTTP actions backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--base-url <url>", "HTTP API base URL").option("--action <name:METHOD:/path>", "HTTP action", collect, []).option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action((id, options) => {
+	add.command("http").description("Add an HTTP actions backend Caplet.").argument("<id>", "Caplet ID/display seed").option("--base-url <url>", "HTTP API base URL").option("--action <name:METHOD:/path>", "HTTP action", collect, []).option("--token-env <ENV>", "bearer token environment variable reference").option("-g, --global", "write to the user Caplets root").option("--print", "print generated Caplet text without writing a file").option("--output <path>", "output path").option("--force", "overwrite an existing destination file").action(async (id, options) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeAddResult(writeOut, "HTTP", await remote.request("add", {
+				kind: "http",
+				id,
+				options: remoteAddOptions(options)
+			}));
+			return;
+		}
 		writeAddResult(writeOut, "HTTP", addHttpCaplet(id, {
 			...options,
-			destinationRoot: addDestinationRoot(options)
+			destinationRoot: addDestinationRoot(options, currentConfigPath())
 		}));
 	});
-	program.command("get-caplet").description("Print a configured Caplet card.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
+	program.command(cliCommands.getCaplet).description("Print a configured Caplet card.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
 		await executeOperation(caplet, { operation: "get_caplet" }, {
 			writeOut,
 			writeErr,
 			setExitCode,
 			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
 			format: options.format
 		});
 	});
-	program.command("check-backend").description("Check backend availability for a configured Caplet.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
+	program.command(cliCommands.checkBackend).description("Check backend availability for a configured Caplet.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
 		await executeOperation(caplet, { operation: "check_backend" }, {
 			writeOut,
 			writeErr,
 			setExitCode,
 			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
 			format: options.format
 		});
 	});
-	program.command("list-tools").description("List downstream tools for a configured Caplet.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
+	program.command(cliCommands.listTools).description("List downstream tools for a configured Caplet.").argument("<caplet>", "configured Caplet ID").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => {
 		await executeOperation(caplet, { operation: "list_tools" }, {
 			writeOut,
 			writeErr,
 			setExitCode,
 			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
 			format: options.format
 		});
 	});
-	program.command("search-tools").description("Search downstream tools for a configured Caplet.").argument("<caplet>", "configured Caplet ID").argument("<query>", "search query").option("--limit <n>", "maximum number of tools to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, query, options) => {
+	program.command(cliCommands.searchTools).description("Search downstream tools for a configured Caplet.").argument("<caplet>", "configured Caplet ID").argument("<query>", "search query").option("--limit <n>", "maximum number of tools to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, query, options) => {
 		await executeOperation(caplet, options.limit === void 0 ? {
 			operation: "search_tools",
 			query
@@ -65870,10 +67645,12 @@ function createProgram(io = {}) {
 			writeErr,
 			setExitCode,
 			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
 			format: options.format
 		});
 	});
-	program.command("get-tool").description("Print one downstream tool schema.").argument("<caplet.tool>", "qualified target, split on the first dot").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (target, options) => {
+	program.command(cliCommands.getTool).description("Print one downstream tool schema.").argument("<caplet.tool>", "qualified target, split on the first dot").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (target, options) => {
 		const { caplet, tool } = parseQualifiedTarget(target);
 		await executeOperation(caplet, {
 			operation: "get_tool",
@@ -65883,10 +67660,12 @@ function createProgram(io = {}) {
 			writeErr,
 			setExitCode,
 			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
 			format: options.format
 		});
 	});
-	program.command("call-tool").description("Call one downstream tool.").argument("<caplet.tool>", "qualified target, split on the first dot").option("--args <json-object>", "JSON object of downstream tool arguments").option("--field <path>", "project a field from structured output", collect, []).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (target, options) => {
+	program.command(cliCommands.callTool).description("Call one downstream tool.").argument("<caplet.tool>", "qualified target, split on the first dot").option("--args <json-object>", "JSON object of downstream tool arguments").option("--field <path>", "project a field from structured output", collect, []).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (target, options) => {
 		const { caplet, tool } = parseQualifiedTarget(target);
 		await executeOperation(caplet, {
 			operation: "call_tool",
@@ -65898,24 +67677,150 @@ function createProgram(io = {}) {
 			writeErr,
 			setExitCode,
 			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
 			format: options.format
 		});
 	});
-	const config = program.command("config").description("Inspect Caplets config locations.");
+	program.command(cliCommands.listResources).description("List MCP resources for a configured MCP Caplet.").argument("<caplet>").option("--limit <n>", "maximum number of resources to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => executeOperation(caplet, options.limit === void 0 ? { operation: "list_resources" } : {
+		operation: "list_resources",
+		limit: options.limit
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	program.command(cliCommands.searchResources).description("Search MCP resources and resource templates for a configured MCP Caplet.").argument("<caplet>").argument("<query>").option("--limit <n>", "maximum number of matches to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, query, options) => executeOperation(caplet, options.limit === void 0 ? {
+		operation: "search_resources",
+		query
+	} : {
+		operation: "search_resources",
+		query,
+		limit: options.limit
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	program.command(cliCommands.listResourceTemplates).description("List MCP resource templates for a configured MCP Caplet.").argument("<caplet>").option("--limit <n>", "maximum number of templates to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => executeOperation(caplet, options.limit === void 0 ? { operation: "list_resource_templates" } : {
+		operation: "list_resource_templates",
+		limit: options.limit
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	program.command(cliCommands.readResource).description("Read one MCP resource by URI.").argument("<caplet>").argument("<uri>").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, uri, options) => executeOperation(caplet, {
+		operation: "read_resource",
+		uri
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	program.command(cliCommands.listPrompts).description("List MCP prompts for a configured MCP Caplet.").argument("<caplet>").option("--limit <n>", "maximum number of prompts to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => executeOperation(caplet, options.limit === void 0 ? { operation: "list_prompts" } : {
+		operation: "list_prompts",
+		limit: options.limit
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	program.command(cliCommands.searchPrompts).description("Search MCP prompts for a configured MCP Caplet.").argument("<caplet>").argument("<query>").option("--limit <n>", "maximum number of prompts to return", parsePositiveInteger).option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, query, options) => executeOperation(caplet, options.limit === void 0 ? {
+		operation: "search_prompts",
+		query
+	} : {
+		operation: "search_prompts",
+		query,
+		limit: options.limit
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	program.command(cliCommands.getPrompt).description("Get one MCP prompt by name.").argument("<caplet.prompt>", "qualified target, split on the first dot").option("--args <json-object>", "JSON object of prompt arguments").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (target, options) => {
+		const { caplet, tool: prompt } = parseQualifiedTarget(target);
+		await executeOperation(caplet, {
+			operation: "get_prompt",
+			prompt,
+			arguments: parseJsonObjectOption(options.args, "get-prompt --args")
+		}, {
+			writeOut,
+			writeErr,
+			setExitCode,
+			authDir: io.authDir,
+			env,
+			remote: remoteClientForCli(io),
+			format: options.format
+		});
+	});
+	program.command(cliCommands.complete).description("Complete an MCP prompt or resource-template argument.").argument("<caplet>").requiredOption("--argument <name>", "argument name").option("--value <value>", "argument prefix", "").option("--prompt <name>", "prompt name to complete").option("--resource-template <uri-template>", "resource template URI to complete").option("--format <format>", "output format: markdown, md, plain, or json", parseOutputFormat).action(async (caplet, options) => executeOperation(caplet, {
+		operation: "complete",
+		ref: completionRefFromOptions(options),
+		argument: {
+			name: options.argument,
+			value: options.value
+		}
+	}, {
+		writeOut,
+		writeErr,
+		setExitCode,
+		authDir: io.authDir,
+		env,
+		remote: remoteClientForCli(io),
+		format: options.format
+	}));
+	const config = program.command(cliCommands.config).description("Inspect Caplets config locations.");
 	config.command("path").description("Print the effective user config path.").action(() => {
-		writeOut(`${resolveConfigPath(envConfigPath())}\n`);
+		writeOut(`${resolveConfigPath(currentConfigPath())}\n`);
 	});
 	config.command("paths").description("Print resolved Caplets config, root, and auth paths.").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action((options) => {
-		const paths = resolveCliConfigPaths(envConfigPath(), io.authDir);
+		const paths = resolveCliConfigPaths(currentConfigPath(), io.authDir);
 		if (options.json || options.format === "json") {
 			writeOut(`${JSON.stringify(paths, null, 2)}\n`);
 			return;
 		}
 		writeOut(formatConfigPaths(paths, options.format ?? "plain"));
 	});
-	const auth = program.command("auth").description("Manage OAuth credentials for remote servers.");
+	const auth = program.command(cliCommands.auth).description("Manage OAuth credentials for remote servers.");
 	auth.command("login").description("Authenticate a configured remote OAuth server.").argument("<server>", "configured server ID").option("--no-open", "print the authorization URL without opening a browser").action(async (serverId, options) => {
-		const configPath = envConfigPath();
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			const started = await remote.request("auth_login_start", { server: serverId });
+			if (started.authorizationUrl) {
+				writeOut(`Open this URL to authorize ${serverId}:\n${started.authorizationUrl}\n`);
+				if (options.open !== false) await openBrowser(started.authorizationUrl);
+				writeOut("Complete authentication in your browser. The server callback will store credentials.\n");
+				return;
+			}
+			if (started.authenticated) writeOut(`Authenticated \`${serverId}\`.\n`);
+			return;
+		}
+		const configPath = currentConfigPath();
 		await loginAuth(serverId, {
 			noOpen: options.open === false,
 			writeOut,
@@ -65924,27 +67829,86 @@ function createProgram(io = {}) {
 			...io.authDir ? { authDir: io.authDir } : {}
 		});
 	});
-	auth.command("logout").description("Delete stored OAuth credentials for a server.").argument("<server>", "configured server ID").action((serverId) => {
-		const configPath = envConfigPath();
+	auth.command("logout").description("Delete stored OAuth credentials for a server.").argument("<server>", "configured server ID").action(async (serverId) => {
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			writeOut((await remote.request("auth_logout", { server: serverId })).deleted ? `Deleted remote OAuth credentials for \`${serverId}\`.\n` : `No remote OAuth credentials found for \`${serverId}\`.\n`);
+			return;
+		}
+		const configPath = currentConfigPath();
 		logoutAuth(serverId, {
 			writeOut,
 			...configPath ? { configPath } : {},
 			...io.authDir ? { authDir: io.authDir } : {}
 		});
 	});
-	auth.command("list").description("List servers with stored OAuth credentials.").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action((options) => {
-		const configPath = envConfigPath();
+	auth.command("list").description("List servers with stored OAuth credentials.").option("--json", "print JSON output").option("--format <format>", "output format: plain, markdown, md, or json", parseOutputFormat).action(async (options) => {
+		const configPath = currentConfigPath();
+		const format = options.json || options.format === "json" ? "json" : options.format ?? "plain";
+		const remote = remoteClientForCli(io);
+		if (remote) {
+			const rows = await remote.request("auth_list", {});
+			if (format === "json") {
+				writeOut(`${JSON.stringify(rows, null, 2)}\n`);
+				return;
+			}
+			writeOut(formatAuthRows(rows, format));
+			return;
+		}
 		listAuth({
 			writeOut,
-			format: options.json || options.format === "json" ? "json" : options.format ?? "plain",
+			format,
 			...configPath ? { configPath } : {},
 			...io.authDir ? { authDir: io.authDir } : {}
 		});
 	});
 	return program;
 }
-function envConfigPath() {
-	return process.env.CAPLETS_CONFIG?.trim() || void 0;
+function envConfigPath(env) {
+	return env.CAPLETS_CONFIG?.trim() || void 0;
+}
+function remoteClientForCli(io) {
+	const env = io.env ?? process.env;
+	if (resolveCapletsMode({}, env).mode !== "remote") return;
+	return new RemoteControlClient(resolveCapletsServer(io.fetch ? { fetch: io.fetch } : {}, env));
+}
+async function openBrowser(url) {
+	const { spawn } = await import("node:child_process");
+	spawn(process.platform === "darwin" ? "open" : process.platform === "win32" ? "cmd" : "xdg-open", process.platform === "win32" ? [
+		"/c",
+		"start",
+		"",
+		url
+	] : [url], {
+		stdio: "ignore",
+		detached: true
+	}).unref();
+}
+function remoteCommandForOperation(operation) {
+	switch (operation) {
+		case "get_caplet":
+		case "check_backend":
+		case "list_tools":
+		case "search_tools":
+		case "get_tool":
+		case "call_tool":
+		case "list_resources":
+		case "search_resources":
+		case "list_resource_templates":
+		case "read_resource":
+		case "list_prompts":
+		case "search_prompts":
+		case "get_prompt":
+		case "complete": return operation;
+		default: return;
+	}
+}
+function remoteAddOptions(options) {
+	const { output, print, global, destinationRoot, ...remoteOptions } = options;
+	if (global) throw new CapletsError("REQUEST_INVALID", "--global is not supported in remote mode; the server controls the add destination.");
+	if (print) throw new CapletsError("REQUEST_INVALID", "--print is not supported in remote mode; the server controls add output.");
+	if (output !== void 0) throw new CapletsError("REQUEST_INVALID", "--output is not supported in remote mode; the server controls the add destination.");
+	return remoteOptions;
 }
 function collect(value, previous) {
 	previous.push(value);
@@ -65983,11 +67947,48 @@ function parseCallToolArgs(value) {
 	if (!isPlainObject(parsed)) throw new CapletsError("REQUEST_INVALID", "call-tool --args must be a JSON object");
 	return parsed;
 }
+function parseJsonObjectOption(value, label) {
+	if (value === void 0) return {};
+	let parsed;
+	try {
+		parsed = JSON.parse(value);
+	} catch (error) {
+		throw new CapletsError("REQUEST_INVALID", `${label} must be valid JSON`, error);
+	}
+	if (!isPlainObject(parsed)) throw new CapletsError("REQUEST_INVALID", `${label} must be a JSON object`);
+	return parsed;
+}
+function completionRefFromOptions(options) {
+	if (options.prompt && options.resourceTemplate) throw new CapletsError("REQUEST_INVALID", "complete accepts either --prompt or --resource-template, not both");
+	if (options.prompt) return {
+		type: "prompt",
+		name: options.prompt
+	};
+	if (options.resourceTemplate) return {
+		type: "resourceTemplate",
+		uri: options.resourceTemplate
+	};
+	throw new CapletsError("REQUEST_INVALID", "complete requires --prompt or --resource-template");
+}
 function isPlainObject(value) {
 	return value !== null && typeof value === "object" && !Array.isArray(value);
 }
 async function executeOperation(caplet, request, io) {
-	const configPath = envConfigPath();
+	const command = remoteCommandForOperation(request.operation);
+	if (io.remote && command) {
+		const result = await io.remote.request(command, {
+			caplet,
+			request
+		});
+		const output = cliOutputForOperation(result, {
+			...request,
+			caplet
+		}, io.format ?? "markdown");
+		io.writeOut(typeof output === "string" ? `${output}\n` : `${JSON.stringify(output, null, 2)}\n`);
+		if (isPlainObject(result) && result.isError === true) io.setExitCode(1);
+		return;
+	}
+	const configPath = envConfigPath(io.env ?? process.env);
 	const engine = new CapletsEngine({
 		...configPath ? { configPath } : {},
 		...io.authDir ? { authDir: io.authDir } : {},
@@ -66099,6 +68100,55 @@ function markdownSummaryForOperation(result, request) {
 			"",
 			"Use `--format json` to inspect the full structured result."
 		].filter((line) => line !== void 0).join("\n");
+		case "list_resources":
+		case "search_resources": {
+			const resources = Array.isArray(payload.resources) ? payload.resources : [];
+			const templates = Array.isArray(payload.resourceTemplates) ? payload.resourceTemplates : [];
+			const matches = Array.isArray(payload.matches) ? payload.matches : [...resources, ...templates];
+			return [
+				`## MCP resources for \`${id}\``,
+				"",
+				`${matches.length} item${matches.length === 1 ? "" : "s"} found.`,
+				"",
+				...formatResourceLines(matches, "markdown")
+			].join("\n");
+		}
+		case "list_resource_templates": {
+			const templates = Array.isArray(payload.resourceTemplates) ? payload.resourceTemplates : [];
+			return [
+				`## MCP resource templates for \`${id}\``,
+				"",
+				...formatResourceLines(templates, "markdown")
+			].join("\n");
+		}
+		case "read_resource": return [
+			`## Resource \`${String(request.uri ?? "")}\``,
+			"",
+			summarizeResourceRead(payload),
+			"",
+			"Use `--format json` to inspect all contents."
+		].join("\n");
+		case "list_prompts":
+		case "search_prompts": {
+			const prompts = Array.isArray(payload.prompts) ? payload.prompts : [];
+			return [
+				`## MCP prompts for \`${id}\``,
+				"",
+				...formatPromptLines(prompts, "markdown")
+			].join("\n");
+		}
+		case "get_prompt": return [
+			`## Prompt \`${String(request.caplet)}.${String(request.prompt)}\``,
+			"",
+			summarizePromptResult(payload),
+			"",
+			"Use `--format json` to inspect all messages."
+		].join("\n");
+		case "complete": return [
+			`## Completion for \`${id}\``,
+			"",
+			summarizeCompletionResult(payload)
+		].join("\n");
 		default: return JSON.stringify(payload, null, 2);
 	}
 }
@@ -66155,6 +68205,33 @@ function plainSummaryForOperation(result, request) {
 			`Result: ${summarizeCallResult(payload)}`,
 			"Use --format json to inspect the full structured result."
 		].filter((line) => Boolean(line)).join("\n");
+		case "list_resources":
+		case "search_resources": {
+			const resources = Array.isArray(payload.resources) ? payload.resources : [];
+			const templates = Array.isArray(payload.resourceTemplates) ? payload.resourceTemplates : [];
+			const matches = Array.isArray(payload.matches) ? payload.matches : [...resources, ...templates];
+			return [`MCP resources for ${id} (${matches.length}):`, ...formatResourceLines(matches, "plain")].join("\n");
+		}
+		case "list_resource_templates": {
+			const templates = Array.isArray(payload.resourceTemplates) ? payload.resourceTemplates : [];
+			return [`MCP resource templates for ${id}:`, ...formatResourceLines(templates, "plain")].join("\n");
+		}
+		case "read_resource": return [
+			`Resource ${String(request.uri ?? "")}`,
+			summarizeResourceRead(payload),
+			"Use --format json to inspect all contents."
+		].join("\n");
+		case "list_prompts":
+		case "search_prompts": {
+			const prompts = Array.isArray(payload.prompts) ? payload.prompts : [];
+			return [`MCP prompts for ${id}:`, ...formatPromptLines(prompts, "plain")].join("\n");
+		}
+		case "get_prompt": return [
+			`Prompt ${String(request.caplet)}.${String(request.prompt)}`,
+			summarizePromptResult(payload),
+			"Use --format json to inspect all messages."
+		].join("\n");
+		case "complete": return [`Completion for ${id}`, summarizeCompletionResult(payload)].join("\n");
 		default: return JSON.stringify(payload, null, 2);
 	}
 }
@@ -66171,6 +68248,44 @@ function formatToolLines(tools, format) {
 		return `- ${displayName}${flags ? ` (${flags})` : ""}${tool.description ? ` — ${compactDescription(String(tool.description))}` : ""}`;
 	});
 }
+function formatResourceLines(resources, format) {
+	if (resources.length === 0) return ["- none"];
+	return resources.map((resource) => {
+		if (!isPlainObject(resource)) return `- ${String(resource)}`;
+		const name = String(resource.uri ?? resource.uriTemplate ?? "unknown");
+		const displayName = format === "markdown" ? `\`${name}\`` : name;
+		const label = typeof resource.name === "string" ? ` (${resource.name})` : "";
+		return `- ${typeof resource.kind === "string" ? `${resource.kind}: ` : ""}${displayName}${label}${resource.description ? ` — ${compactDescription(String(resource.description))}` : ""}`;
+	});
+}
+function formatPromptLines(prompts, format) {
+	if (prompts.length === 0) return ["- none"];
+	return prompts.map((prompt) => {
+		if (!isPlainObject(prompt)) return `- ${String(prompt)}`;
+		const name = String(prompt.prompt ?? prompt.name ?? "unknown");
+		return `- ${format === "markdown" ? `\`${name}\`` : name}${Array.isArray(prompt.arguments) ? ` (${prompt.arguments.length} args)` : ""}${prompt.description ? ` — ${compactDescription(String(prompt.description))}` : ""}`;
+	});
+}
+function summarizeResourceRead(payload) {
+	const contents = Array.isArray(payload.contents) ? payload.contents : [];
+	if (contents.length === 0) return "No contents returned.";
+	const first = contents.find(isPlainObject);
+	if (!first) return `${contents.length} content item${contents.length === 1 ? "" : "s"} returned.`;
+	return previewValue(typeof first.text === "string" ? first.text : first.blob) ?? `${contents.length} content item${contents.length === 1 ? "" : "s"} returned.`;
+}
+function summarizePromptResult(payload) {
+	const messages = Array.isArray(payload.messages) ? payload.messages : [];
+	if (messages.length === 0) return "No messages returned.";
+	const first = messages.find(isPlainObject);
+	if (!first) return `${messages.length} message${messages.length === 1 ? "" : "s"} returned.`;
+	return previewValue((isPlainObject(first.content) ? first.content : void 0)?.text ?? first.content) ?? `${messages.length} message${messages.length === 1 ? "" : "s"} returned.`;
+}
+function summarizeCompletionResult(payload) {
+	const completion = isPlainObject(payload.completion) ? payload.completion : void 0;
+	const values = Array.isArray(completion?.values) ? completion.values : [];
+	if (values.length > 0) return values.map((value) => `- ${String(value)}`).join("\n");
+	return previewValue(payload) ?? "No completions returned.";
+}
 function compactDescription(value) {
 	const firstParagraph = value.trim().split(/\n\s*\n/u)[0] ?? "";
 	const collapsed = (firstParagraph.match(/^.*?(?:[.!?](?=\s|$)|$)/u)?.[0] ?? firstParagraph).replace(/\s+/gu, " ").trim();
@@ -66233,19 +68348,19 @@ function schemaSummary(schema) {
 		required.length > 0 ? `required ${required.join(", ")}` : "no required fields"
 	].filter((part) => Boolean(part)).join("; ");
 }
-function addDestinationRoot(options) {
-	return options.global ? resolveCapletsRoot(resolveConfigPath(envConfigPath())) : resolveProjectCapletsRoot();
+function addDestinationRoot(options, configPath) {
+	return options.global ? resolveCapletsRoot(resolveConfigPath(configPath)) : resolveProjectCapletsRoot();
 }
 function writeAddResult(writeOut, label, result) {
 	if (result.path) {
-		writeOut(`Wrote ${label} Caplet to ${result.path}\n`);
+		writeOut(`Wrote ${result.remote ? "remote " : ""}${label} Caplet to ${result.path}\n`);
 		return;
 	}
 	writeOut(result.text);
 }
 //#endregion
 //#region package.json
-var version = "0.15.0";
+var version = "0.17.0";
 //#endregion
 //#region src/index.ts
 async function main() {