dynmcp 0.4.0 → 0.5.0

package/dist/index.js

@@ -1,18 +1,18 @@
 #!/usr/bin/env node
 
 // src/cli.ts
-import process7 from "process";
+import process12 from "process";
 import { Command } from "commander";
 
 // package.json
 var package_default = {
   name: "dynmcp",
-  version: "0.4.0",
+  version: "0.5.0",
   description: "Dynamic MCP context management tool for AI MCP-enabled agents and clients.",
   author: "Brandon Burrus <brandon@burrus.io>",
   license: "MIT",
   type: "module",
-  homepage: "https://github.com/brandonburrus/dynamic-discovery-mcp#readme",
+  homepage: "https://dynamicmcp.tools",
   keywords: [
     "mcp",
     "model-context-protocol",
@@ -52,12 +52,10 @@ var package_default = {
     }
   },
   files: [
-    "dist",
-    "schema"
+    "dist"
   ],
   scripts: {
     "generate:schema": "tsx scripts/generate-schema.ts",
-    prebuild: "tsx scripts/generate-schema.ts",
     build: "tsup",
     dev: "tsx src/index.ts",
     typecheck: "tsc --noEmit",
@@ -71,6 +69,7 @@ var package_default = {
   },
   dependencies: {
     "@modelcontextprotocol/sdk": "^1.29.0",
+    "@napi-rs/keyring": "^1.3.0",
     boxen: "^8.0.1",
     chalk: "^5.6.2",
     commander: "^14.0.3",
@@ -100,9 +99,330 @@ var package_default = {
 import figlet from "figlet";
 import chalk from "chalk";
 
-// src/proxy/index.ts
-import process6 from "process";
-import { StdioClientTransport as StdioClientTransport2 } from "@modelcontextprotocol/sdk/client/stdio.js";
+// src/auth/errors.ts
+var AuthRequiredError = class extends Error {
+  mcpName;
+  constructor(mcpName2) {
+    super(
+      `Upstream MCP "${mcpName2}" requires authorization. Run \`dynmcp login ${mcpName2}\` from your terminal, then retry.`
+    );
+    this.name = "AuthRequiredError";
+    this.mcpName = mcpName2;
+  }
+};
+function isAuthRequiredError(error) {
+  let current = error;
+  for (let depth = 0; depth < 8 && current !== null && current !== void 0; depth += 1) {
+    if (current instanceof AuthRequiredError) return true;
+    if (current instanceof Error && current.name === "AuthRequiredError") return true;
+    if (current instanceof Error) {
+      current = current.cause;
+      continue;
+    }
+    return false;
+  }
+  return false;
+}
+
+// src/auth/keychain-store.ts
+import { Entry } from "@napi-rs/keyring";
+
+// src/auth/types.ts
+var KEYCHAIN_BLOB_VERSION = 1;
+
+// src/auth/keychain-store.ts
+var KEYCHAIN_SERVICE = "dynmcp";
+function buildKeychainAccount(mcpName2, serverUrl) {
+  const origin = new URL(serverUrl).origin;
+  return `${mcpName2}:${origin}`;
+}
+var KeychainStore = class {
+  constructor(mcpName2, serverUrl, service = KEYCHAIN_SERVICE) {
+    this.mcpName = mcpName2;
+    this.serverUrl = serverUrl;
+    this.entry = new Entry(service, buildKeychainAccount(mcpName2, serverUrl));
+  }
+  mcpName;
+  serverUrl;
+  entry;
+  /**
+   * Returns the parsed blob or `undefined` if no entry exists. Entries written under
+   * a different {@link KeychainBlob.version} are treated as absent — the caller must
+   * re-authenticate. Malformed JSON also returns `undefined` (corrupt entries are not
+   * surfaced as errors; recovery is the same: re-auth).
+   */
+  get() {
+    const raw = this.entry.getPassword();
+    if (raw === null) return void 0;
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return void 0;
+    }
+    if (!isCurrentVersionBlob(parsed)) {
+      return void 0;
+    }
+    return parsed;
+  }
+  /**
+   * Persists the blob atomically. Caller must construct a complete {@link
+   * KeychainBlob} — partial updates are not supported. To mutate, call {@link get},
+   * spread, and pass the result back to {@link set}.
+   */
+  set(blob) {
+    const stamped = { ...blob, version: KEYCHAIN_BLOB_VERSION };
+    this.entry.setPassword(JSON.stringify(stamped));
+  }
+  /**
+   * Deletes the entry. Returns `true` if an entry was present and removed, `false`
+   * if there was nothing to delete. Idempotent: callers should treat both outcomes
+   * as success (a no-op delete is not an error).
+   */
+  delete() {
+    return this.entry.deletePassword();
+  }
+};
+function isCurrentVersionBlob(value) {
+  return typeof value === "object" && value !== null && "version" in value && value.version === KEYCHAIN_BLOB_VERSION;
+}
+
+// src/auth/oauth-provider.ts
+import { randomBytes } from "crypto";
+var CLIENT_NAME = "dynmcp";
+var SOFTWARE_ID = "dynmcp";
+var REFRESH_SLACK_SECONDS = 30;
+var BaseOAuthProvider = class {
+  constructor(mcpName2, keychain, configAuth) {
+    this.mcpName = mcpName2;
+    this.keychain = keychain;
+    this.configAuth = configAuth;
+  }
+  mcpName;
+  keychain;
+  configAuth;
+  clientInformation() {
+    if (this.configAuth !== void 0) {
+      const info2 = { client_id: this.configAuth.client_id };
+      if (this.configAuth.client_secret !== void 0) {
+        info2.client_secret = this.configAuth.client_secret;
+      }
+      return info2;
+    }
+    const blob = this.keychain.get();
+    if (blob?.dcr === void 0) return void 0;
+    const info = { client_id: blob.dcr.client_id };
+    if (blob.dcr.client_secret !== void 0) {
+      info.client_secret = blob.dcr.client_secret;
+    }
+    return info;
+  }
+  tokens() {
+    const blob = this.keychain.get();
+    if (blob === void 0) return void 0;
+    const remaining = Math.max(
+      0,
+      blob.expires_at - Math.floor(Date.now() / 1e3) - REFRESH_SLACK_SECONDS
+    );
+    const tokens = {
+      access_token: blob.access_token,
+      token_type: blob.token_type,
+      expires_in: remaining
+    };
+    if (blob.refresh_token !== void 0) tokens.refresh_token = blob.refresh_token;
+    if (blob.scope_granted !== void 0) tokens.scope = blob.scope_granted;
+    return tokens;
+  }
+  /**
+   * Builds the {@link OAuthDiscoveryState} the SDK can use to skip rediscovery,
+   * reconstructed from the cached keychain blob. Returns `undefined` when there is
+   * no cached blob (e.g. fresh login flow before saveTokens fires).
+   */
+  buildDiscoveryStateFromBlob(blob) {
+    if (blob === void 0) return void 0;
+    return {
+      authorizationServerUrl: blob.authorization_server.issuer,
+      authorizationServerMetadata: {
+        issuer: blob.authorization_server.issuer,
+        authorization_endpoint: blob.authorization_server.authorization_endpoint,
+        token_endpoint: blob.authorization_server.token_endpoint,
+        ...blob.authorization_server.registration_endpoint !== void 0 ? { registration_endpoint: blob.authorization_server.registration_endpoint } : {},
+        response_types_supported: ["code"]
+      },
+      resourceMetadata: {
+        resource: blob.resource_metadata.resource,
+        authorization_servers: blob.resource_metadata.authorization_servers
+      }
+    };
+  }
+};
+var ProxyOAuthProvider = class extends BaseOAuthProvider {
+  get redirectUrl() {
+    return void 0;
+  }
+  get clientMetadata() {
+    return {
+      client_name: CLIENT_NAME,
+      software_id: SOFTWARE_ID,
+      redirect_uris: [],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: this.configAuth?.client_secret !== void 0 ? "client_secret_basic" : "none",
+      ...this.configAuth?.scope !== void 0 ? { scope: this.configAuth.scope } : {}
+    };
+  }
+  saveTokens(tokens) {
+    const existing = this.keychain.get();
+    if (existing === void 0) {
+      throw new AuthRequiredError(this.mcpName);
+    }
+    const expiresAt = tokens.expires_in !== void 0 ? Math.floor(Date.now() / 1e3) + tokens.expires_in : existing.expires_at;
+    const updated = {
+      ...existing,
+      access_token: tokens.access_token,
+      token_type: tokens.token_type ?? "Bearer",
+      expires_at: expiresAt,
+      refresh_token: tokens.refresh_token ?? existing.refresh_token,
+      ...tokens.scope !== void 0 ? { scope_granted: tokens.scope } : {}
+    };
+    this.keychain.set(updated);
+  }
+  redirectToAuthorization(_url) {
+    throw new AuthRequiredError(this.mcpName);
+  }
+  saveCodeVerifier(_verifier) {
+    throw new AuthRequiredError(this.mcpName);
+  }
+  codeVerifier() {
+    throw new AuthRequiredError(this.mcpName);
+  }
+  discoveryState() {
+    return this.buildDiscoveryStateFromBlob(this.keychain.get());
+  }
+  invalidateCredentials(_scope) {
+    this.keychain.delete();
+  }
+};
+var LoginOAuthProvider = class extends BaseOAuthProvider {
+  redirectUriString;
+  pending = {};
+  callbacks;
+  constructor(opts) {
+    super(opts.mcpName, opts.keychain, opts.configAuth);
+    this.redirectUriString = opts.redirectUri;
+    this.callbacks = opts.callbacks;
+  }
+  get redirectUrl() {
+    return this.redirectUriString;
+  }
+  get clientMetadata() {
+    return {
+      client_name: CLIENT_NAME,
+      software_id: SOFTWARE_ID,
+      redirect_uris: [this.redirectUriString],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: this.configAuth?.client_secret !== void 0 ? "client_secret_basic" : "none",
+      ...this.configAuth?.scope !== void 0 ? { scope: this.configAuth.scope } : {}
+    };
+  }
+  state() {
+    if (this.pending.state !== void 0) return this.pending.state;
+    const generated = randomBytes(32).toString("base64url");
+    this.pending.state = generated;
+    return generated;
+  }
+  /** The state value generated for this flow, for the callback handler to verify. */
+  get currentState() {
+    return this.pending.state;
+  }
+  clientInformation() {
+    if (this.pending.dcr !== void 0) {
+      const info = { client_id: this.pending.dcr.client_id };
+      if (this.pending.dcr.client_secret !== void 0) {
+        info.client_secret = this.pending.dcr.client_secret;
+      }
+      return info;
+    }
+    return super.clientInformation();
+  }
+  saveClientInformation(info) {
+    this.pending.dcr = info;
+  }
+  saveTokens(tokens) {
+    const discovery = this.pending.discovery ?? this.buildDiscoveryStateFromBlob(this.keychain.get());
+    if (discovery === void 0) {
+      throw new Error(
+        `Cannot persist tokens for "${this.mcpName}": no discovery state captured during the flow.`
+      );
+    }
+    if (discovery.authorizationServerMetadata === void 0) {
+      throw new Error(
+        `Cannot persist tokens for "${this.mcpName}": authorization server metadata not available.`
+      );
+    }
+    if (discovery.resourceMetadata === void 0) {
+      throw new Error(
+        `Cannot persist tokens for "${this.mcpName}": protected resource metadata not available.`
+      );
+    }
+    const expiresAt = tokens.expires_in !== void 0 ? Math.floor(Date.now() / 1e3) + tokens.expires_in : Math.floor(Date.now() / 1e3) + 3600;
+    const authorizationServer = {
+      issuer: discovery.authorizationServerMetadata.issuer ?? discovery.authorizationServerUrl,
+      authorization_endpoint: discovery.authorizationServerMetadata.authorization_endpoint,
+      token_endpoint: discovery.authorizationServerMetadata.token_endpoint,
+      ...discovery.authorizationServerMetadata.registration_endpoint !== void 0 ? { registration_endpoint: discovery.authorizationServerMetadata.registration_endpoint } : {}
+    };
+    const resourceMetadata = {
+      resource: discovery.resourceMetadata.resource,
+      authorization_servers: discovery.resourceMetadata.authorization_servers ?? []
+    };
+    const blob = {
+      version: KEYCHAIN_BLOB_VERSION,
+      access_token: tokens.access_token,
+      token_type: tokens.token_type ?? "Bearer",
+      expires_at: expiresAt,
+      ...tokens.refresh_token !== void 0 ? { refresh_token: tokens.refresh_token } : {},
+      ...tokens.scope !== void 0 ? { scope_granted: tokens.scope } : {},
+      authorization_server: authorizationServer,
+      resource_metadata: resourceMetadata,
+      ...this.pending.dcr !== void 0 ? {
+        dcr: {
+          client_id: this.pending.dcr.client_id,
+          ...this.pending.dcr.client_secret !== void 0 ? { client_secret: this.pending.dcr.client_secret } : {}
+        }
+      } : {}
+    };
+    this.keychain.set(blob);
+  }
+  async redirectToAuthorization(url) {
+    await this.callbacks.onAuthorizationUrl(url);
+  }
+  saveCodeVerifier(verifier) {
+    this.pending.codeVerifier = verifier;
+  }
+  codeVerifier() {
+    if (this.pending.codeVerifier === void 0) {
+      throw new Error("Code verifier requested before it was saved.");
+    }
+    return this.pending.codeVerifier;
+  }
+  saveDiscoveryState(state) {
+    this.pending.discovery = state;
+  }
+  /**
+   * Force a fresh RFC 9728 + RFC 8414 discovery for every login flow. We intentionally
+   * do NOT pre-seed from the keychain on login — if endpoints changed since the last
+   * login, we want to pick them up now and persist the new snapshot.
+   */
+  discoveryState() {
+    return void 0;
+  }
+};
+
+// src/auth/login.ts
+import process4 from "process";
+import { auth, extractWWWAuthenticateParams } from "@modelcontextprotocol/sdk/client/auth.js";
 
 // src/config/schema.ts
 import { z } from "zod";
@@ -124,17 +444,26 @@ var stdioTransport = z.object({
 var httpUrl = z.string().url().refine((u) => u.startsWith("http://") || u.startsWith("https://"), {
   message: "URL must use http:// or https:// scheme"
 });
+var authConfig = z.object({
+  client_id: z.string().min(1, { message: "auth.client_id must be a non-empty string" }).refine((value) => value.trim().length > 0, {
+    message: "auth.client_id must not be whitespace-only"
+  }),
+  client_secret: z.string().min(1).optional(),
+  scope: z.string().min(1).optional()
+}).strict().optional();
 var streamableHttpTransport = z.object({
   transport: z.literal("streamable-http"),
   description,
   url: httpUrl,
-  headers: z.record(z.string(), z.string()).optional()
+  headers: z.record(z.string(), z.string()).optional(),
+  auth: authConfig
 }).strict();
 var sseTransport = z.object({
   transport: z.literal("sse"),
   description,
   url: httpUrl,
-  headers: z.record(z.string(), z.string()).optional()
+  headers: z.record(z.string(), z.string()).optional(),
+  auth: authConfig
 }).strict();
 var transportConfig = z.discriminatedUnion("transport", [
   stdioTransport,
@@ -210,9 +539,9 @@ function filterDefined(env) {
 var TOP_LEVEL_PASSTHROUGH_KEYS = /* @__PURE__ */ new Set(["$schema", "env"]);
 var MissingEnvVarsError = class extends Error {
   constructor(missingVars) {
-    const list = missingVars.join(", ");
+    const list2 = missingVars.join(", ");
     const plural = missingVars.length === 1 ? "" : "s";
-    super(`Missing required environment variable${plural}: ${list}`);
+    super(`Missing required environment variable${plural}: ${list2}`);
     this.missingVars = missingVars;
     this.name = "MissingEnvVarsError";
   }
@@ -341,37 +670,1133 @@ function loadConfig(options = {}) {
     const message = parseError instanceof Error ? parseError.message : String(parseError);
     throw new Error(`Failed to parse config file (${resolvedPath}): ${message}`);
   }
-  const envMode = readEnvMode(content);
-  const loadedEnv = loadEnv({ mode: envMode, envFilePath });
-  const interpolated = loadedEnv.interpolationEnabled ? interpolateConfig(content, loadedEnv.variables) : content;
-  const result = mcpConfigSchema.safeParse(interpolated);
-  if (!result.success) {
-    const formatted = result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n");
-    throw new Error(`Invalid config file (${resolvedPath}):
-${formatted}`);
+  const envMode = readEnvMode(content);
+  const loadedEnv = loadEnv({ mode: envMode, envFilePath });
+  const interpolated = loadedEnv.interpolationEnabled ? interpolateConfig(content, loadedEnv.variables) : content;
+  const result = mcpConfigSchema.safeParse(interpolated);
+  if (!result.success) {
+    const formatted = result.error.issues.map((issue) => `  - ${issue.path.join(".")}: ${issue.message}`).join("\n");
+    throw new Error(`Invalid config file (${resolvedPath}):
+${formatted}`);
+  }
+  return result.data;
+}
+function readEnvMode(content) {
+  if (content === null || typeof content !== "object" || Array.isArray(content)) {
+    return DEFAULT_ENV_MODE;
+  }
+  const value = content.env;
+  if (value === void 0) return DEFAULT_ENV_MODE;
+  if (typeof value === "string" && VALID_ENV_MODES.includes(value)) {
+    return value;
+  }
+  return DEFAULT_ENV_MODE;
+}
+function isYamlFile(filePath) {
+  return filePath.endsWith(".yml") || filePath.endsWith(".yaml");
+}
+
+// src/config/json-schema.ts
+import { z as z2 } from "zod";
+
+// src/auth/browser.ts
+import { spawn } from "child_process";
+import process3 from "process";
+async function openUrl(url) {
+  const { command, args } = openerForPlatform(url);
+  return new Promise((resolve3, reject) => {
+    const child = spawn(command, args, {
+      stdio: "ignore",
+      detached: true
+    });
+    child.once("error", reject);
+    child.once("spawn", () => {
+      child.unref();
+      resolve3();
+    });
+  });
+}
+function openerForPlatform(url) {
+  switch (process3.platform) {
+    case "darwin":
+      return { command: "open", args: [url] };
+    case "win32":
+      return { command: "cmd", args: ["/c", "start", '""', url] };
+    default:
+      return { command: "xdg-open", args: [url] };
+  }
+}
+
+// src/auth/callback-server.ts
+import { createServer } from "http";
+var CallbackTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super(`Timed out after ${timeoutMs}ms waiting for the OAuth callback.`);
+    this.name = "CallbackTimeoutError";
+  }
+};
+var CallbackOAuthError = class extends Error {
+  constructor(oauthError, oauthErrorDescription) {
+    super(
+      oauthErrorDescription ? `OAuth error from authorization server: ${oauthError} \u2014 ${oauthErrorDescription}` : `OAuth error from authorization server: ${oauthError}`
+    );
+    this.oauthError = oauthError;
+    this.oauthErrorDescription = oauthErrorDescription;
+    this.name = "CallbackOAuthError";
+  }
+  oauthError;
+  oauthErrorDescription;
+};
+var SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>dynmcp \u2014 authorization complete</title>
+    <style>
+      body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; padding: 4rem; max-width: 36rem; margin: 0 auto; color: #222; }
+      code { background: #f4f4f4; padding: 0.1rem 0.3rem; border-radius: 3px; }
+    </style>
+  </head>
+  <body>
+    <h1>Authorization complete</h1>
+    <p>You may close this tab and return to your terminal.</p>
+    <p><small>Issued by <code>dynmcp</code>.</small></p>
+  </body>
+</html>
+`;
+var ERROR_HTML_PREFIX = `<!DOCTYPE html>
+<html lang="en">
+  <head><meta charset="utf-8" /><title>dynmcp \u2014 authorization failed</title></head>
+  <body style="font-family: -apple-system, BlinkMacSystemFont, sans-serif; padding: 4rem; max-width: 36rem; margin: 0 auto;">
+    <h1>Authorization failed</h1>
+    <p>`;
+var ERROR_HTML_SUFFIX = `</p>
+    <p>Return to your terminal for details.</p>
+  </body>
+</html>
+`;
+var CallbackServer = class _CallbackServer {
+  server = null;
+  boundPort = null;
+  pending = null;
+  /** The redirect path served. Must match the redirect URI registered with the OAuth client. */
+  static CALLBACK_PATH = "/callback";
+  /** Begins listening on `127.0.0.1` at an OS-assigned port. */
+  async start() {
+    if (this.server !== null) {
+      throw new Error("CallbackServer is already started.");
+    }
+    const server = createServer((req, res) => this.handleRequest(req, res));
+    await new Promise((resolve3, reject) => {
+      const onError = (err) => {
+        server.removeListener("listening", onListening);
+        reject(err);
+      };
+      const onListening = () => {
+        server.removeListener("error", onError);
+        resolve3();
+      };
+      server.once("error", onError);
+      server.once("listening", onListening);
+      server.listen({ port: 0, host: "127.0.0.1" });
+    });
+    const address = server.address();
+    if (address === null || typeof address === "string") {
+      server.close();
+      throw new Error("Failed to determine bound port for callback server.");
+    }
+    this.boundPort = address.port;
+    this.server = server;
+  }
+  /** The port the OS assigned. Available after {@link start} resolves. */
+  get port() {
+    if (this.boundPort === null) {
+      throw new Error("CallbackServer is not started.");
+    }
+    return this.boundPort;
+  }
+  /** The full redirect URI to register with the authorization server. */
+  get redirectUri() {
+    return `http://127.0.0.1:${this.port}${_CallbackServer.CALLBACK_PATH}`;
+  }
+  /**
+   * Resolves with the captured `code` and `state` once a valid callback is received,
+   * or rejects with {@link CallbackTimeoutError} / {@link CallbackOAuthError} on the
+   * documented failure paths. Only one callback is accepted; subsequent requests to
+   * `/callback` after the first valid hit return `400`.
+   */
+  awaitCallback(timeoutMs) {
+    if (this.server === null) {
+      return Promise.reject(new Error("CallbackServer is not started."));
+    }
+    if (this.pending !== null) {
+      return Promise.reject(new Error("awaitCallback already in progress."));
+    }
+    return new Promise((resolve3, reject) => {
+      const timer = setTimeout(() => {
+        this.pending = null;
+        reject(new CallbackTimeoutError(timeoutMs));
+      }, timeoutMs);
+      this.pending = { resolve: resolve3, reject, timer };
+    });
+  }
+  /** Closes the listening socket. Safe to call multiple times. */
+  async stop() {
+    if (this.pending !== null) {
+      clearTimeout(this.pending.timer);
+      this.pending = null;
+    }
+    if (this.server === null) return;
+    await new Promise((resolve3) => {
+      this.server.close(() => resolve3());
+    });
+    this.server = null;
+    this.boundPort = null;
+  }
+  handleRequest(req, res) {
+    if (req.method !== "GET") {
+      res.writeHead(405, { "content-type": "text/plain", allow: "GET" });
+      res.end("Method Not Allowed");
+      return;
+    }
+    const url = new URL(req.url ?? "/", `http://127.0.0.1:${this.boundPort ?? 0}`);
+    if (url.pathname !== _CallbackServer.CALLBACK_PATH) {
+      res.writeHead(404, { "content-type": "text/plain" });
+      res.end("Not Found");
+      return;
+    }
+    if (this.pending === null) {
+      res.writeHead(400, { "content-type": "text/plain" });
+      res.end("No callback expected.");
+      return;
+    }
+    const oauthError = url.searchParams.get("error");
+    if (oauthError !== null) {
+      const errorDescription = url.searchParams.get("error_description") ?? void 0;
+      this.respondError(res, oauthError, errorDescription);
+      const { reject, timer: timer2 } = this.pending;
+      clearTimeout(timer2);
+      this.pending = null;
+      reject(new CallbackOAuthError(oauthError, errorDescription));
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    if (code === null || state === null) {
+      this.respondError(res, "invalid_callback", "Missing code or state parameter.");
+      const { reject, timer: timer2 } = this.pending;
+      clearTimeout(timer2);
+      this.pending = null;
+      reject(new Error("Callback missing code or state parameter."));
+      return;
+    }
+    res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+    res.end(SUCCESS_HTML);
+    const { resolve: resolve3, timer } = this.pending;
+    clearTimeout(timer);
+    this.pending = null;
+    resolve3({ code, state });
+  }
+  respondError(res, errorCode, description2) {
+    res.writeHead(400, { "content-type": "text/html; charset=utf-8" });
+    res.end(
+      ERROR_HTML_PREFIX + escapeHtml(description2 ?? `OAuth error: ${errorCode}`) + ERROR_HTML_SUFFIX
+    );
+  }
+};
+function escapeHtml(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+
+// src/auth/login.ts
+var CALLBACK_TIMEOUT_MS = 6e4;
+async function login(options) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const entry = resolveOAuthCapableEntry(config, options.mcpName);
+  const writeStatus = options.writeStatus ?? defaultStatusWriter;
+  const openInBrowser = options.openInBrowser ?? openUrl;
+  writeStatus(`Probing ${entry.url} for OAuth challenge...
+`);
+  const resourceMetadataUrl = await probeFor401ResourceMetadata(entry.url);
+  if (resourceMetadataUrl === void 0) {
+    throw new Error(
+      `Upstream "${options.mcpName}" did not return a 401 challenge with a WWW-Authenticate \`resource_metadata\` URL. The server does not appear to require OAuth; no credentials stored.`
+    );
+  }
+  const keychain = new KeychainStore(options.mcpName, entry.url);
+  const callbackServer = new CallbackServer();
+  await callbackServer.start();
+  writeStatus(`Callback server listening on ${callbackServer.redirectUri}
+`);
+  try {
+    const provider = new LoginOAuthProvider({
+      mcpName: options.mcpName,
+      keychain,
+      configAuth: configAuthFromEntry(entry),
+      redirectUri: callbackServer.redirectUri,
+      callbacks: {
+        onAuthorizationUrl: async (url) => {
+          writeStatus(`Opening browser for authorization: ${url.toString()}
+`);
+          try {
+            await openInBrowser(url.toString());
+          } catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            writeStatus(
+              `Failed to launch browser (${reason}). Open this URL manually:
+  ${url.toString()}
+`
+            );
+          }
+        }
+      }
+    });
+    const firstResult = await auth(provider, {
+      serverUrl: entry.url,
+      resourceMetadataUrl,
+      ...entry.auth?.scope !== void 0 ? { scope: entry.auth.scope } : {}
+    });
+    if (firstResult === "AUTHORIZED") {
+      writeStatus(`Already authorized for "${options.mcpName}"; no changes made.
+`);
+      return;
+    }
+    writeStatus(`Waiting for browser callback (timeout ${CALLBACK_TIMEOUT_MS / 1e3}s)...
+`);
+    const { code, state: receivedState } = await callbackServer.awaitCallback(CALLBACK_TIMEOUT_MS);
+    const expectedState = provider.currentState;
+    if (expectedState === void 0 || receivedState !== expectedState) {
+      throw new Error(
+        "OAuth state mismatch on callback. Possible CSRF attempt or stale browser tab; not exchanging the authorization code."
+      );
+    }
+    const secondResult = await auth(provider, {
+      serverUrl: entry.url,
+      authorizationCode: code,
+      resourceMetadataUrl,
+      ...entry.auth?.scope !== void 0 ? { scope: entry.auth.scope } : {}
+    });
+    if (secondResult !== "AUTHORIZED") {
+      throw new Error(`Token exchange did not return AUTHORIZED (got ${secondResult}).`);
+    }
+    writeStatus(`Successfully authenticated "${options.mcpName}".
+`);
+  } finally {
+    await callbackServer.stop();
+  }
+}
+function resolveOAuthCapableEntry(config, mcpName2) {
+  const entry = config.mcp[mcpName2];
+  if (entry === void 0) {
+    const available = Object.keys(config.mcp).sort().join(", ");
+    throw new Error(`Unknown MCP "${mcpName2}". Configured MCPs: ${available || "(none)"}.`);
+  }
+  if (entry.transport !== "streamable-http" && entry.transport !== "sse") {
+    throw new Error(
+      `MCP "${mcpName2}" uses the "${entry.transport}" transport; OAuth is only supported for streamable-http and sse upstreams.`
+    );
+  }
+  return entry;
+}
+function configAuthFromEntry(entry) {
+  if (entry.auth === void 0) return void 0;
+  const overrides = { client_id: entry.auth.client_id };
+  if (entry.auth.client_secret !== void 0) overrides.client_secret = entry.auth.client_secret;
+  if (entry.auth.scope !== void 0) overrides.scope = entry.auth.scope;
+  return overrides;
+}
+async function probeFor401ResourceMetadata(serverUrl) {
+  let response;
+  try {
+    response = await fetch(serverUrl, { method: "GET", redirect: "manual" });
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to reach ${serverUrl}: ${reason}`);
+  }
+  if (response.status !== 401) {
+    return void 0;
+  }
+  const { resourceMetadataUrl } = extractWWWAuthenticateParams(response);
+  return resourceMetadataUrl;
+}
+function defaultStatusWriter(message) {
+  process4.stderr.write(message);
+}
+
+// src/auth/logout.ts
+import process5 from "process";
+async function logout(options) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const entry = resolveOAuthCapableEntry2(config, options.mcpName);
+  const writeStatus = options.writeStatus ?? defaultStatusWriter2;
+  const keychain = new KeychainStore(options.mcpName, entry.url);
+  const removed = keychain.delete();
+  if (removed) {
+    writeStatus(`Removed keychain credentials for "${options.mcpName}".
+`);
+  } else {
+    writeStatus(
+      `No keychain credentials were stored for "${options.mcpName}"; nothing to remove.
+`
+    );
+  }
+}
+function resolveOAuthCapableEntry2(config, mcpName2) {
+  const entry = config.mcp[mcpName2];
+  if (entry === void 0) {
+    const available = Object.keys(config.mcp).sort().join(", ");
+    throw new Error(`Unknown MCP "${mcpName2}". Configured MCPs: ${available || "(none)"}.`);
+  }
+  if (entry.transport !== "streamable-http" && entry.transport !== "sse") {
+    throw new Error(
+      `MCP "${mcpName2}" uses the "${entry.transport}" transport; OAuth is only supported for streamable-http and sse upstreams.`
+    );
+  }
+  return entry;
+}
+function defaultStatusWriter2(message) {
+  process5.stderr.write(message);
+}
+
+// src/diagnostics/list.ts
+import process6 from "process";
+
+// src/diagnostics/format.ts
+function renderTable(headers, rows) {
+  const allRows = [headers, ...rows];
+  const widths = headers.map(
+    (_, colIdx) => Math.max(...allRows.map((row) => (row[colIdx] ?? "").length))
+  );
+  return allRows.map(
+    (row) => row.map((cell, i) => {
+      if (i === headers.length - 1) return cell;
+      return cell.padEnd(widths[i] ?? 0);
+    }).join("  ").trimEnd()
+  ).join("\n");
+}
+function truncate(value, max) {
+  if (value.length <= max) return value;
+  if (max <= 3) return value.slice(0, max);
+  return `${value.slice(0, max - 3)}...`;
+}
+function humanizeDuration(seconds) {
+  if (seconds < 0) return "expired";
+  if (seconds < 60) return `${Math.floor(seconds)}s`;
+  const totalMinutes = Math.floor(seconds / 60);
+  if (totalMinutes < 60) return `${totalMinutes}m`;
+  const totalHours = Math.floor(totalMinutes / 60);
+  const remainingMinutes = totalMinutes % 60;
+  if (totalHours < 24) {
+    return remainingMinutes > 0 ? `${totalHours}h ${remainingMinutes}m` : `${totalHours}h`;
+  }
+  const totalDays = Math.floor(totalHours / 24);
+  const remainingHours = totalHours % 24;
+  return remainingHours > 0 ? `${totalDays}d ${remainingHours}h` : `${totalDays}d`;
+}
+
+// src/diagnostics/list.ts
+var ENDPOINT_MAX_WIDTH = 48;
+async function list(options = {}) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const write = options.write ?? ((chunk) => void process6.stdout.write(chunk));
+  const now = options.now ?? (() => Math.floor(Date.now() / 1e3));
+  const entries = buildEntries(config, now);
+  if (options.json === true) {
+    write(`${JSON.stringify(entries, null, 2)}
+`);
+    return;
+  }
+  if (entries.length === 0) {
+    write("No upstream MCPs configured.\n");
+    return;
+  }
+  const headers = ["NAME", "TRANSPORT", "MODE", "ENDPOINT", "AUTH"];
+  const rows = entries.map((entry) => [
+    entry.name,
+    entry.transport,
+    entry.mode,
+    truncate(entry.endpoint, ENDPOINT_MAX_WIDTH),
+    formatAuthStatus(entry.auth)
+  ]);
+  write(`${renderTable(headers, rows)}
+`);
+}
+function buildEntries(config, now) {
+  return Object.entries(config.mcp).map(([name, entry]) => {
+    const mode = entry.description !== void 0 ? "lazy" : "eager";
+    if (entry.transport === "stdio") {
+      const command = entry.command;
+      const args = (entry.args ?? []).join(" ");
+      const endpoint = args.length > 0 ? `${command} ${args}` : command;
+      const built2 = {
+        name,
+        transport: "stdio",
+        mode,
+        endpoint,
+        auth: { kind: "n/a" }
+      };
+      if (entry.description !== void 0) built2.description = entry.description;
+      return built2;
+    }
+    const hasAuthHeader = hasBearerAuthHeader(entry.headers);
+    const keychain = new KeychainStore(name, entry.url);
+    const blob = keychain.get();
+    let auth2;
+    if (blob !== void 0) {
+      const expiresInSeconds = blob.expires_at - now();
+      auth2 = {
+        kind: "oauth",
+        status: "logged_in",
+        expiresInSeconds,
+        expiresAt: blob.expires_at
+      };
+      if (hasAuthHeader) auth2.alsoHeader = true;
+    } else if (hasAuthHeader) {
+      auth2 = { kind: "header" };
+    } else {
+      auth2 = { kind: "oauth", status: "not_logged_in" };
+    }
+    const built = {
+      name,
+      transport: entry.transport,
+      mode,
+      endpoint: entry.url,
+      auth: auth2
+    };
+    if (entry.description !== void 0) built.description = entry.description;
+    return built;
+  });
+}
+function hasBearerAuthHeader(headers) {
+  if (headers === void 0) return false;
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === "authorization") return true;
+  }
+  return false;
+}
+function formatAuthStatus(auth2) {
+  switch (auth2.kind) {
+    case "n/a":
+      return "n/a";
+    case "header":
+      return "header";
+    case "oauth": {
+      if (auth2.status === "not_logged_in") return "oauth: not logged in";
+      const duration = humanizeDuration(auth2.expiresInSeconds ?? 0);
+      const base = `oauth: logged in (expires in ${duration})`;
+      return auth2.alsoHeader === true ? `${base} (header also set)` : base;
+    }
+  }
+}
+
+// src/diagnostics/test.ts
+import process8 from "process";
+
+// src/proxy/transport-factory.ts
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
+function createTransport(mcpName2, config) {
+  switch (config.transport) {
+    case "stdio":
+      return new StdioClientTransport({
+        command: config.command,
+        args: config.args,
+        env: config.env
+      });
+    case "streamable-http":
+      return new StreamableHTTPClientTransport(new URL(config.url), {
+        ...config.headers !== void 0 ? { requestInit: { headers: config.headers } } : {},
+        authProvider: buildOAuthProvider(mcpName2, config)
+      });
+    case "sse":
+      return new SSEClientTransport(new URL(config.url), {
+        ...config.headers !== void 0 ? { requestInit: { headers: config.headers } } : {},
+        authProvider: buildOAuthProvider(mcpName2, config)
+      });
+    default: {
+      const _exhaustive = config;
+      return _exhaustive;
+    }
+  }
+}
+function buildOAuthProvider(mcpName2, config) {
+  const keychain = new KeychainStore(mcpName2, config.url);
+  return new ProxyOAuthProvider(mcpName2, keychain, config.auth);
+}
+
+// src/proxy/upstream-client.ts
+import process7 from "process";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import {
+  CreateMessageRequestSchema,
+  ElicitRequestSchema,
+  ListRootsRequestSchema,
+  LoggingMessageNotificationSchema,
+  PromptListChangedNotificationSchema,
+  ResourceListChangedNotificationSchema,
+  ResourceUpdatedNotificationSchema,
+  ToolListChangedNotificationSchema
+} from "@modelcontextprotocol/sdk/types.js";
+var UpstreamClient = class {
+  transport;
+  onTransportError;
+  notificationHandlers;
+  serverRequestHandlers;
+  client = null;
+  constructor({
+    name,
+    transport,
+    onTransportError,
+    notifications,
+    serverRequests
+  }) {
+    this.transport = transport;
+    this.notificationHandlers = notifications ?? {};
+    this.serverRequestHandlers = serverRequests ?? {};
+    this.onTransportError = onTransportError ?? ((error) => {
+      process7.stderr.write(`[${name}] Upstream MCP transport error: ${error.message}
+`);
+    });
+  }
+  async connect() {
+    this.transport.onerror = this.onTransportError;
+    this.client = new Client(
+      { name: "dynamic-discovery-mcp", version: "1.0.0" },
+      {
+        capabilities: {
+          // Declare every client-side capability the proxy may relay on behalf of the host.
+          // Actual reachability of each feature depends on what the host supports — if the
+          // host does not support sampling, for instance, the host call returns an error
+          // which we forward back to the upstream verbatim.
+          sampling: {},
+          elicitation: {},
+          roots: { listChanged: true }
+        }
+      }
+    );
+    this.registerServerRequestHandlers(this.client);
+    if (this.notificationHandlers.onToolsListChanged !== void 0) {
+      this.client.setNotificationHandler(ToolListChangedNotificationSchema, async () => {
+        await this.notificationHandlers.onToolsListChanged?.();
+      });
+    }
+    if (this.notificationHandlers.onResourcesListChanged !== void 0) {
+      this.client.setNotificationHandler(ResourceListChangedNotificationSchema, async () => {
+        await this.notificationHandlers.onResourcesListChanged?.();
+      });
+    }
+    if (this.notificationHandlers.onResourceUpdated !== void 0) {
+      this.client.setNotificationHandler(ResourceUpdatedNotificationSchema, async (notification) => {
+        await this.notificationHandlers.onResourceUpdated?.({ uri: notification.params.uri });
+      });
+    }
+    if (this.notificationHandlers.onPromptsListChanged !== void 0) {
+      this.client.setNotificationHandler(PromptListChangedNotificationSchema, async () => {
+        await this.notificationHandlers.onPromptsListChanged?.();
+      });
+    }
+    if (this.notificationHandlers.onLogMessage !== void 0) {
+      this.client.setNotificationHandler(LoggingMessageNotificationSchema, async (notification) => {
+        await this.notificationHandlers.onLogMessage?.(notification.params);
+      });
+    }
+    await this.client.connect(this.transport);
+  }
+  async setLoggingLevel(level, options) {
+    const client = this.requireClient();
+    await client.setLoggingLevel(level, options);
+  }
+  async listPrompts(options) {
+    const client = this.requireClient();
+    const result = await client.listPrompts(void 0, options);
+    return result.prompts;
+  }
+  async getPrompt(name, args, options) {
+    const client = this.requireClient();
+    const params = { name };
+    if (args !== void 0) {
+      params.arguments = args;
+    }
+    return client.getPrompt(params, options);
+  }
+  async complete(params, options) {
+    const client = this.requireClient();
+    return client.complete(params, options);
+  }
+  /**
+   * Returns the capabilities advertised by the upstream server during initialize.
+   * Returns `undefined` if the client is not connected, or if the SDK has not yet
+   * recorded the server's capabilities (e.g. during a partially-completed handshake).
+   */
+  getCapabilities() {
+    return this.client?.getServerCapabilities();
+  }
+  async listTools(options) {
+    const client = this.requireClient();
+    const result = await client.listTools(void 0, options);
+    return result.tools.map((tool) => {
+      const upstreamTool = {
+        name: tool.name,
+        description: tool.description ?? "",
+        inputSchema: tool.inputSchema
+      };
+      if (tool.outputSchema !== void 0) {
+        upstreamTool.outputSchema = tool.outputSchema;
+      }
+      if (tool.annotations !== void 0) {
+        upstreamTool.annotations = {
+          title: tool.annotations.title,
+          readOnlyHint: tool.annotations.readOnlyHint,
+          destructiveHint: tool.annotations.destructiveHint,
+          idempotentHint: tool.annotations.idempotentHint,
+          openWorldHint: tool.annotations.openWorldHint
+        };
+      }
+      return upstreamTool;
+    });
+  }
+  async callTool(name, input, options) {
+    const client = this.requireClient();
+    const result = await client.callTool({ name, arguments: input }, void 0, options);
+    return result;
+  }
+  async listResources(options) {
+    const client = this.requireClient();
+    const result = await client.listResources(void 0, options);
+    return result.resources;
+  }
+  async listResourceTemplates(options) {
+    const client = this.requireClient();
+    const result = await client.listResourceTemplates(void 0, options);
+    return result.resourceTemplates;
+  }
+  async readResource(uri, options) {
+    const client = this.requireClient();
+    return client.readResource({ uri }, options);
+  }
+  async subscribeResource(uri, options) {
+    const client = this.requireClient();
+    await client.subscribeResource({ uri }, options);
+  }
+  async unsubscribeResource(uri, options) {
+    const client = this.requireClient();
+    await client.unsubscribeResource({ uri }, options);
+  }
+  async disconnect() {
+    if (this.client === null) {
+      return;
+    }
+    await this.client.close();
+    this.client = null;
+  }
+  /**
+   * Sends `notifications/roots/list_changed` to the upstream, letting it know that
+   * the host's set of filesystem roots has changed.
+   */
+  async sendRootsListChanged() {
+    const client = this.requireClient();
+    await client.sendRootsListChanged();
+  }
+  registerServerRequestHandlers(client) {
+    if (this.serverRequestHandlers.onCreateMessage !== void 0) {
+      client.setRequestHandler(
+        CreateMessageRequestSchema,
+        async (request, extra) => {
+          return this.serverRequestHandlers.onCreateMessage(request.params, {
+            signal: extra.signal
+          });
+        }
+      );
+    }
+    if (this.serverRequestHandlers.onElicitInput !== void 0) {
+      client.setRequestHandler(
+        ElicitRequestSchema,
+        async (request, extra) => {
+          return this.serverRequestHandlers.onElicitInput(request.params, {
+            signal: extra.signal
+          });
+        }
+      );
+    }
+    if (this.serverRequestHandlers.onListRoots !== void 0) {
+      client.setRequestHandler(
+        ListRootsRequestSchema,
+        async (request, extra) => {
+          return this.serverRequestHandlers.onListRoots(request.params, {
+            signal: extra.signal
+          });
+        }
+      );
+    }
+  }
+  requireClient() {
+    if (this.client === null) {
+      throw new Error("Client is not connected. Call connect() first.");
+    }
+    return this.client;
+  }
+};
+
+// src/diagnostics/test.ts
+var DESCRIPTION_MAX_LENGTH = 100;
+var DEFAULT_TIMEOUT_MS = 15e3;
+async function test(options = {}) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const write = options.write ?? ((chunk) => void process8.stdout.write(chunk));
+  const now = options.now ?? (() => Math.floor(Date.now() / 1e3));
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  if (options.mcpName !== void 0) {
+    return runSingle(config, options.mcpName, {
+      write,
+      now,
+      timeoutMs,
+      json: options.json === true
+    });
+  }
+  return runAll(config, { write, now, timeoutMs, json: options.json === true });
+}
+async function runSingle(config, mcpName2, options) {
+  const entry = config.mcp[mcpName2];
+  if (entry === void 0) {
+    const available = Object.keys(config.mcp).sort().join(", ");
+    throw new Error(`Unknown MCP "${mcpName2}". Configured MCPs: ${available || "(none)"}.`);
+  }
+  if (!options.json) {
+    options.write(`Testing "${mcpName2}" (${entry.transport}, ${endpointForEntry(entry)})
+`);
+  }
+  const result = await probeOne(mcpName2, entry, options.timeoutMs, options.now);
+  if (options.json) {
+    options.write(`${JSON.stringify(result, null, 2)}
+`);
+  } else {
+    for (const step of result.steps) {
+      options.write(`  [${step.status}] ${step.label}
+`);
+      if (step.error !== void 0) {
+        options.write(`    -> ${step.error}
+`);
+      }
+    }
+    renderDiscoveredSurface(options.write, result);
+    options.write(`Result: ${result.result}
+`);
+  }
+  return result.result === "PASS" ? 0 : 1;
+}
+async function runAll(config, options) {
+  const names = Object.keys(config.mcp);
+  const total = names.length;
+  if (!options.json) {
+    options.write(`Testing all configured upstreams (${total})...
+
+`);
+  }
+  const results = [];
+  for (let index = 0; index < names.length; index += 1) {
+    const name = names[index];
+    const entry = config.mcp[name];
+    if (!options.json) {
+      options.write(`[${index + 1}/${total}] ${name} (${entry.transport}) ... `);
+    }
+    const result = await probeOne(name, entry, options.timeoutMs, options.now);
+    results.push(result);
+    if (!options.json) {
+      if (result.result === "PASS") {
+        const counts = `${result.tools?.length ?? 0} tools, ${(result.resources?.length ?? 0) + (result.resource_templates?.length ?? 0)} resources, ${result.prompts?.length ?? 0} prompts`;
+        options.write(`PASS (${counts})
+`);
+      } else {
+        options.write(`FAIL (${result.fail_reason ?? "unknown"})
+`);
+      }
+    }
+  }
+  const passed = results.filter((r) => r.result === "PASS").length;
+  const failed = results.length - passed;
+  if (options.json) {
+    const payload = { summary: { passed, failed }, results };
+    options.write(`${JSON.stringify(payload, null, 2)}
+`);
+  } else {
+    options.write(`
+Summary: ${passed} passed, ${failed} failed
+`);
+  }
+  return failed === 0 ? 0 : 1;
+}
+async function probeOne(mcpName2, entry, timeoutMs, now) {
+  const result = {
+    name: mcpName2,
+    result: "PASS",
+    transport: entry.transport,
+    endpoint: endpointForEntry(entry),
+    auth: deriveAuthSummary(mcpName2, entry, now),
+    steps: []
+  };
+  if (entry.transport !== "stdio") {
+    result.steps.push({ label: authStepLabel(result.auth), status: "ok" });
+  }
+  const clientHolder = { value: null };
+  let timeoutHandle;
+  const run = (async () => {
+    const transport = createTransport(mcpName2, entry);
+    const client = new UpstreamClient({
+      name: mcpName2,
+      transport,
+      onTransportError: () => {
+      }
+    });
+    clientHolder.value = client;
+    await client.connect();
+    result.steps.push({ label: "Connected and initialized", status: "ok" });
+    const caps = client.getCapabilities();
+    result.capabilities = caps;
+    result.steps.push({
+      label: `Capabilities: ${describeCapabilities(caps)}`,
+      status: "ok"
+    });
+    const tools = await client.listTools();
+    result.tools = tools.map((tool) => ({
+      name: tool.name,
+      description: tool.description
+    }));
+    result.steps.push({
+      label: `tools/list returned ${tools.length} tool${tools.length === 1 ? "" : "s"}`,
+      status: "ok"
+    });
+    let resources = [];
+    let templates = [];
+    if (caps?.resources !== void 0) {
+      try {
+        resources = await client.listResources();
+        templates = await client.listResourceTemplates();
+        result.resources = resources.map((r) => {
+          const out = {
+            uri: r.uri,
+            name: r.name
+          };
+          if (r.description !== void 0) out.description = r.description;
+          return out;
+        });
+        result.resource_templates = templates.map((t) => {
+          const out = {
+            uriTemplate: t.uriTemplate,
+            name: t.name
+          };
+          if (t.description !== void 0) out.description = t.description;
+          return out;
+        });
+        result.steps.push({
+          label: `resources/list returned ${resources.length} resource${resources.length === 1 ? "" : "s"}, ${templates.length} template${templates.length === 1 ? "" : "s"}`,
+          status: "ok"
+        });
+      } catch (error) {
+        result.steps.push({
+          label: "resources/list",
+          status: "fail",
+          error: errorMessage(error)
+        });
+      }
+    }
+    let prompts = [];
+    if (caps?.prompts !== void 0) {
+      try {
+        prompts = await client.listPrompts();
+        result.prompts = prompts.map((p) => {
+          const out = { name: p.name };
+          if (p.description !== void 0) out.description = p.description;
+          return out;
+        });
+        result.steps.push({
+          label: `prompts/list returned ${prompts.length} prompt${prompts.length === 1 ? "" : "s"}`,
+          status: "ok"
+        });
+      } catch (error) {
+        result.steps.push({
+          label: "prompts/list",
+          status: "fail",
+          error: errorMessage(error)
+        });
+      }
+    }
+  })();
+  const timeout = new Promise((_, reject) => {
+    timeoutHandle = setTimeout(() => {
+      reject(new TestTimeoutError(timeoutMs));
+    }, timeoutMs);
+  });
+  try {
+    await Promise.race([run, timeout]);
+  } catch (error) {
+    result.result = "FAIL";
+    result.fail_reason = failReason(error, mcpName2);
+    result.steps.push({
+      label: `aborted: ${result.fail_reason}`,
+      status: "fail",
+      error: errorMessage(error)
+    });
+  } finally {
+    if (timeoutHandle !== void 0) clearTimeout(timeoutHandle);
+    const connected = clientHolder.value;
+    if (connected !== null) {
+      try {
+        await connected.disconnect();
+      } catch {
+      }
+    }
+  }
+  if (result.result === "PASS" && result.steps.some((s) => s.status === "fail")) {
+    result.result = "FAIL";
+    const failed = result.steps.find((s) => s.status === "fail");
+    result.fail_reason = failed?.error ?? failed?.label ?? "unknown";
+  }
+  return result;
+}
+var TestTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super(`Test timed out after ${timeoutMs}ms`);
+    this.name = "TestTimeoutError";
+  }
+};
+function endpointForEntry(entry) {
+  if (entry.transport === "stdio") {
+    const args = (entry.args ?? []).join(" ");
+    return args.length > 0 ? `${entry.command} ${args}` : entry.command;
+  }
+  return entry.url;
+}
+function deriveAuthSummary(mcpName2, entry, now) {
+  if (entry.transport === "stdio") return { kind: "n/a" };
+  const keychain = new KeychainStore(mcpName2, entry.url);
+  const blob = keychain.get();
+  if (blob !== void 0) {
+    return {
+      kind: "oauth",
+      status: "valid",
+      expiresInSeconds: blob.expires_at - now()
+    };
+  }
+  const hasHeader = entry.headers !== void 0 && Object.keys(entry.headers).some((k) => k.toLowerCase() === "authorization");
+  if (hasHeader) return { kind: "header" };
+  return { kind: "oauth", status: "missing" };
+}
+function authStepLabel(auth2) {
+  switch (auth2.kind) {
+    case "n/a":
+      return "(no auth applicable)";
+    case "header":
+      return "Static Authorization header present";
+    case "oauth":
+      if (auth2.status === "missing") return "No cached OAuth token";
+      return `OAuth token present (expires in ${humanizeDuration(auth2.expiresInSeconds ?? 0)})`;
   }
-  return result.data;
 }
-function readEnvMode(content) {
-  if (content === null || typeof content !== "object" || Array.isArray(content)) {
-    return DEFAULT_ENV_MODE;
+function describeCapabilities(caps) {
+  if (caps === void 0) return "(none advertised)";
+  const parts = [];
+  for (const [name, value] of Object.entries(caps)) {
+    if (value === void 0 || value === null) continue;
+    if (typeof value === "object" && Object.keys(value).length > 0) {
+      const flags = Object.entries(value).filter(([, v]) => v === true).map(([k]) => k).join(",");
+      parts.push(flags.length > 0 ? `${name}(${flags})` : name);
+    } else {
+      parts.push(name);
+    }
   }
-  const value = content.env;
-  if (value === void 0) return DEFAULT_ENV_MODE;
-  if (typeof value === "string" && VALID_ENV_MODES.includes(value)) {
-    return value;
+  return parts.length > 0 ? parts.join(", ") : "(none advertised)";
+}
+function failReason(error, mcpName2) {
+  if (isAuthRequiredError(error)) {
+    return `auth required: run \`dynmcp login ${mcpName2}\``;
   }
-  return DEFAULT_ENV_MODE;
+  if (error instanceof TestTimeoutError) return error.message;
+  if (error instanceof Error) return error.message.split("\n")[0] ?? "unknown error";
+  return String(error);
 }
-function isYamlFile(filePath) {
-  return filePath.endsWith(".yml") || filePath.endsWith(".yaml");
+function errorMessage(error) {
+  if (error instanceof Error) return error.message;
+  return String(error);
+}
+function renderDiscoveredSurface(write, result) {
+  if (result.result !== "PASS") return;
+  const sections = [
+    [
+      `Tools (${result.tools?.length ?? 0})`,
+      result.tools && result.tools.length > 0 ? () => {
+        const sorted = [...result.tools ?? []].sort((a, b) => a.name.localeCompare(b.name));
+        for (const tool of sorted) {
+          write(`  - ${tool.name}: ${truncate(tool.description, DESCRIPTION_MAX_LENGTH)}
+`);
+        }
+      } : void 0
+    ],
+    [
+      `Resources (${result.resources?.length ?? 0})`,
+      result.resources && result.resources.length > 0 ? () => {
+        const sorted = [...result.resources ?? []].sort((a, b) => a.uri.localeCompare(b.uri));
+        for (const r of sorted) {
+          const tail = r.description ?? r.name;
+          write(`  - ${r.uri}: ${truncate(tail, DESCRIPTION_MAX_LENGTH)}
+`);
+        }
+      } : void 0
+    ],
+    [
+      `Resource templates (${result.resource_templates?.length ?? 0})`,
+      result.resource_templates && result.resource_templates.length > 0 ? () => {
+        const sorted = [...result.resource_templates ?? []].sort(
+          (a, b) => a.uriTemplate.localeCompare(b.uriTemplate)
+        );
+        for (const t of sorted) {
+          const tail = t.description ?? t.name;
+          write(`  - ${t.uriTemplate}: ${truncate(tail, DESCRIPTION_MAX_LENGTH)}
+`);
+        }
+      } : void 0
+    ],
+    [
+      `Prompts (${result.prompts?.length ?? 0})`,
+      result.prompts && result.prompts.length > 0 ? () => {
+        const sorted = [...result.prompts ?? []].sort((a, b) => a.name.localeCompare(b.name));
+        for (const p of sorted) {
+          const tail = p.description ?? "";
+          write(
+            `  - ${p.name}${tail.length > 0 ? `: ${truncate(tail, DESCRIPTION_MAX_LENGTH)}` : ""}
+`
+          );
+        }
+      } : void 0
+    ]
+  ];
+  for (const [header, render] of sections) {
+    if (render === void 0) continue;
+    write(`
+${header}:
+`);
+    render();
+  }
 }
 
-// src/config/json-schema.ts
-import { z as z2 } from "zod";
+// src/proxy/index.ts
+import process11 from "process";
+import { StdioClientTransport as StdioClientTransport2 } from "@modelcontextprotocol/sdk/client/stdio.js";
 
 // src/proxy/orchestrator.ts
-import process4 from "process";
+import process9 from "process";
 
 // src/proxy/capability-aggregator.ts
 function aggregateCapabilities(upstreams) {
@@ -749,340 +2174,127 @@ var ToolCatalog = class _ToolCatalog {
     this.tools = tools;
     this.discoverToolDescription = description2;
   }
-  static fromFlat(upstreamTools) {
-    const toolMap = /* @__PURE__ */ new Map();
-    for (const tool of upstreamTools) {
-      toolMap.set(tool.name, tool);
-    }
-    const description2 = buildFlatDescription(upstreamTools);
-    return new _ToolCatalog(toolMap, description2);
-  }
-  static fromGrouped(groups) {
-    return _ToolCatalog.fromGroupedWithLazy(groups, /* @__PURE__ */ new Map());
-  }
-  /**
-   * Same as {@link fromGrouped} but additionally accepts a map of lazy upstream MCPs
-   * (those declared with a `description` field but not yet loaded). When the map is
-   * non-empty, the rendered `discover_tool` description includes a `<mcp_servers>`
-   * block listing them with their descriptions and an explanatory paragraph telling
-   * the agent how to call `load_mcp`. When `groups` is empty, the `<tools>` block is
-   * omitted in favor of a trailing sentence directing the agent to `load_mcp`.
-   */
-  static fromGroupedWithLazy(groups, lazyDescriptions) {
-    const toolMap = /* @__PURE__ */ new Map();
-    for (const [mcpName2, tools] of groups) {
-      for (const tool of tools) {
-        toolMap.set(`${mcpName2}/${tool.name}`, tool);
-      }
-    }
-    const description2 = buildGroupedDescription(groups, lazyDescriptions);
-    return new _ToolCatalog(toolMap, description2);
-  }
-  getToolDetails(toolName) {
-    const tool = this.tools.get(toolName);
-    if (tool === void 0) {
-      const sortedNames = [...this.tools.keys()].sort().join(", ");
-      return `Unknown tool: "${toolName}". Available tools: ${sortedNames}`;
-    }
-    return buildToolDetailsString(toolName, tool);
-  }
-};
-function buildFlatDescription(tools) {
-  const sortedTools = [...tools].sort((a, b) => a.name.localeCompare(b.name));
-  const toolLines = sortedTools.map((tool) => `- ${tool.name}: ${tool.description}`).join("\n");
-  return `${DISCOVER_TOOL_PREAMBLE}
-
-<tools>
-${toolLines}
-</tools>`;
-}
-function buildGroupedDescription(groups, lazyDescriptions) {
-  const parts = [DISCOVER_TOOL_PREAMBLE];
-  if (lazyDescriptions.size > 0) {
-    parts.push(DYNAMIC_DISCOVERY_PREAMBLE);
-    parts.push(buildMcpServersBlock(lazyDescriptions));
-  }
-  if (groups.size > 0) {
-    parts.push(buildToolsBlock(groups));
-  } else if (lazyDescriptions.size > 0) {
-    parts.push(NO_TOOLS_LOADED_FOOTER);
-  } else {
-    parts.push("<tools>\n</tools>");
-  }
-  return parts.join("\n\n");
-}
-function buildToolsBlock(groups) {
-  const sortedMcpNames = [...groups.keys()].sort();
-  const sections = sortedMcpNames.map((mcpName2) => {
-    const tools = groups.get(mcpName2);
-    const sortedTools = [...tools].sort((a, b) => a.name.localeCompare(b.name));
-    const toolLines = sortedTools.map((tool) => `- ${mcpName2}/${tool.name}: ${tool.description}`).join("\n");
-    return `${mcpName2}:
-${toolLines}`;
-  });
-  return `<tools>
-${sections.join("\n\n")}
-</tools>`;
-}
-function buildMcpServersBlock(lazyDescriptions) {
-  const lines = [...lazyDescriptions].map(([name, desc]) => `- ${name}: ${desc}`).join("\n");
-  return `<mcp_servers>
-${lines}
-</mcp_servers>`;
-}
-function buildToolDetailsString(displayName, tool) {
-  const lines = [
-    `Tool: ${displayName}`,
-    `Description: ${tool.description}`,
-    "",
-    "Input Schema:",
-    JSON.stringify(tool.inputSchema, null, 2)
-  ];
-  if (tool.outputSchema !== void 0) {
-    lines.push("", "Output Schema:", JSON.stringify(tool.outputSchema, null, 2));
-  }
-  const annotationLines = buildAnnotationLines(tool);
-  if (annotationLines.length > 0) {
-    lines.push("", "Annotations:", ...annotationLines);
-  }
-  return lines.join("\n");
-}
-function buildAnnotationLines(tool) {
-  if (tool.annotations === void 0) {
-    return [];
-  }
-  const { annotations } = tool;
-  const lines = [];
-  if (annotations.title !== void 0) {
-    lines.push(`- title: ${annotations.title}`);
-  }
-  if (annotations.readOnlyHint !== void 0) {
-    lines.push(`- readOnlyHint: ${annotations.readOnlyHint}`);
-  }
-  if (annotations.destructiveHint !== void 0) {
-    lines.push(`- destructiveHint: ${annotations.destructiveHint}`);
-  }
-  if (annotations.idempotentHint !== void 0) {
-    lines.push(`- idempotentHint: ${annotations.idempotentHint}`);
-  }
-  if (annotations.openWorldHint !== void 0) {
-    lines.push(`- openWorldHint: ${annotations.openWorldHint}`);
-  }
-  return lines;
-}
-
-// src/proxy/upstream-client.ts
-import process3 from "process";
-import { Client } from "@modelcontextprotocol/sdk/client/index.js";
-import {
-  CreateMessageRequestSchema,
-  ElicitRequestSchema,
-  ListRootsRequestSchema,
-  LoggingMessageNotificationSchema,
-  PromptListChangedNotificationSchema,
-  ResourceListChangedNotificationSchema,
-  ResourceUpdatedNotificationSchema,
-  ToolListChangedNotificationSchema
-} from "@modelcontextprotocol/sdk/types.js";
-var UpstreamClient = class {
-  transport;
-  onTransportError;
-  notificationHandlers;
-  serverRequestHandlers;
-  client = null;
-  constructor({
-    name,
-    transport,
-    onTransportError,
-    notifications,
-    serverRequests
-  }) {
-    this.transport = transport;
-    this.notificationHandlers = notifications ?? {};
-    this.serverRequestHandlers = serverRequests ?? {};
-    this.onTransportError = onTransportError ?? ((error) => {
-      process3.stderr.write(`[${name}] Upstream MCP transport error: ${error.message}
-`);
-    });
-  }
-  async connect() {
-    this.transport.onerror = this.onTransportError;
-    this.client = new Client(
-      { name: "dynamic-discovery-mcp", version: "1.0.0" },
-      {
-        capabilities: {
-          // Declare every client-side capability the proxy may relay on behalf of the host.
-          // Actual reachability of each feature depends on what the host supports — if the
-          // host does not support sampling, for instance, the host call returns an error
-          // which we forward back to the upstream verbatim.
-          sampling: {},
-          elicitation: {},
-          roots: { listChanged: true }
-        }
-      }
-    );
-    this.registerServerRequestHandlers(this.client);
-    if (this.notificationHandlers.onToolsListChanged !== void 0) {
-      this.client.setNotificationHandler(ToolListChangedNotificationSchema, async () => {
-        await this.notificationHandlers.onToolsListChanged?.();
-      });
-    }
-    if (this.notificationHandlers.onResourcesListChanged !== void 0) {
-      this.client.setNotificationHandler(ResourceListChangedNotificationSchema, async () => {
-        await this.notificationHandlers.onResourcesListChanged?.();
-      });
-    }
-    if (this.notificationHandlers.onResourceUpdated !== void 0) {
-      this.client.setNotificationHandler(ResourceUpdatedNotificationSchema, async (notification) => {
-        await this.notificationHandlers.onResourceUpdated?.({ uri: notification.params.uri });
-      });
-    }
-    if (this.notificationHandlers.onPromptsListChanged !== void 0) {
-      this.client.setNotificationHandler(PromptListChangedNotificationSchema, async () => {
-        await this.notificationHandlers.onPromptsListChanged?.();
-      });
-    }
-    if (this.notificationHandlers.onLogMessage !== void 0) {
-      this.client.setNotificationHandler(LoggingMessageNotificationSchema, async (notification) => {
-        await this.notificationHandlers.onLogMessage?.(notification.params);
-      });
-    }
-    await this.client.connect(this.transport);
-  }
-  async setLoggingLevel(level, options) {
-    const client = this.requireClient();
-    await client.setLoggingLevel(level, options);
-  }
-  async listPrompts(options) {
-    const client = this.requireClient();
-    const result = await client.listPrompts(void 0, options);
-    return result.prompts;
-  }
-  async getPrompt(name, args, options) {
-    const client = this.requireClient();
-    const params = { name };
-    if (args !== void 0) {
-      params.arguments = args;
+  static fromFlat(upstreamTools) {
+    const toolMap = /* @__PURE__ */ new Map();
+    for (const tool of upstreamTools) {
+      toolMap.set(tool.name, tool);
     }
-    return client.getPrompt(params, options);
+    const description2 = buildFlatDescription(upstreamTools);
+    return new _ToolCatalog(toolMap, description2);
   }
-  async complete(params, options) {
-    const client = this.requireClient();
-    return client.complete(params, options);
+  static fromGrouped(groups) {
+    return _ToolCatalog.fromGroupedWithLazy(groups, /* @__PURE__ */ new Map());
   }
   /**
-   * Returns the capabilities advertised by the upstream server during initialize.
-   * Returns `undefined` if the client is not connected, or if the SDK has not yet
-   * recorded the server's capabilities (e.g. during a partially-completed handshake).
+   * Same as {@link fromGrouped} but additionally accepts a map of lazy upstream MCPs
+   * (those declared with a `description` field but not yet loaded). When the map is
+   * non-empty, the rendered `discover_tool` description includes a `<mcp_servers>`
+   * block listing them with their descriptions and an explanatory paragraph telling
+   * the agent how to call `load_mcp`. When `groups` is empty, the `<tools>` block is
+   * omitted in favor of a trailing sentence directing the agent to `load_mcp`.
    */
-  getCapabilities() {
-    return this.client?.getServerCapabilities();
-  }
-  async listTools(options) {
-    const client = this.requireClient();
-    const result = await client.listTools(void 0, options);
-    return result.tools.map((tool) => {
-      const upstreamTool = {
-        name: tool.name,
-        description: tool.description ?? "",
-        inputSchema: tool.inputSchema
-      };
-      if (tool.outputSchema !== void 0) {
-        upstreamTool.outputSchema = tool.outputSchema;
-      }
-      if (tool.annotations !== void 0) {
-        upstreamTool.annotations = {
-          title: tool.annotations.title,
-          readOnlyHint: tool.annotations.readOnlyHint,
-          destructiveHint: tool.annotations.destructiveHint,
-          idempotentHint: tool.annotations.idempotentHint,
-          openWorldHint: tool.annotations.openWorldHint
-        };
+  static fromGroupedWithLazy(groups, lazyDescriptions) {
+    const toolMap = /* @__PURE__ */ new Map();
+    for (const [mcpName2, tools] of groups) {
+      for (const tool of tools) {
+        toolMap.set(`${mcpName2}/${tool.name}`, tool);
       }
-      return upstreamTool;
-    });
+    }
+    const description2 = buildGroupedDescription(groups, lazyDescriptions);
+    return new _ToolCatalog(toolMap, description2);
   }
-  async callTool(name, input, options) {
-    const client = this.requireClient();
-    const result = await client.callTool({ name, arguments: input }, void 0, options);
-    return result;
+  getToolDetails(toolName) {
+    const tool = this.tools.get(toolName);
+    if (tool === void 0) {
+      const sortedNames = [...this.tools.keys()].sort().join(", ");
+      return `Unknown tool: "${toolName}". Available tools: ${sortedNames}`;
+    }
+    return buildToolDetailsString(toolName, tool);
   }
-  async listResources(options) {
-    const client = this.requireClient();
-    const result = await client.listResources(void 0, options);
-    return result.resources;
+};
+function buildFlatDescription(tools) {
+  const sortedTools = [...tools].sort((a, b) => a.name.localeCompare(b.name));
+  const toolLines = sortedTools.map((tool) => `- ${tool.name}: ${tool.description}`).join("\n");
+  return `${DISCOVER_TOOL_PREAMBLE}
+
+<tools>
+${toolLines}
+</tools>`;
+}
+function buildGroupedDescription(groups, lazyDescriptions) {
+  const parts = [DISCOVER_TOOL_PREAMBLE];
+  if (lazyDescriptions.size > 0) {
+    parts.push(DYNAMIC_DISCOVERY_PREAMBLE);
+    parts.push(buildMcpServersBlock(lazyDescriptions));
   }
-  async listResourceTemplates(options) {
-    const client = this.requireClient();
-    const result = await client.listResourceTemplates(void 0, options);
-    return result.resourceTemplates;
+  if (groups.size > 0) {
+    parts.push(buildToolsBlock(groups));
+  } else if (lazyDescriptions.size > 0) {
+    parts.push(NO_TOOLS_LOADED_FOOTER);
+  } else {
+    parts.push("<tools>\n</tools>");
   }
-  async readResource(uri, options) {
-    const client = this.requireClient();
-    return client.readResource({ uri }, options);
+  return parts.join("\n\n");
+}
+function buildToolsBlock(groups) {
+  const sortedMcpNames = [...groups.keys()].sort();
+  const sections = sortedMcpNames.map((mcpName2) => {
+    const tools = groups.get(mcpName2);
+    const sortedTools = [...tools].sort((a, b) => a.name.localeCompare(b.name));
+    const toolLines = sortedTools.map((tool) => `- ${tool.name}: ${tool.description}`).join("\n");
+    return `${mcpName2}:
+${toolLines}`;
+  });
+  return `<tools>
+${sections.join("\n\n")}
+</tools>`;
+}
+function buildMcpServersBlock(lazyDescriptions) {
+  const lines = [...lazyDescriptions].map(([name, desc]) => `- ${name}: ${desc}`).join("\n");
+  return `<mcp_servers>
+${lines}
+</mcp_servers>`;
+}
+function buildToolDetailsString(displayName, tool) {
+  const lines = [
+    `Tool: ${displayName}`,
+    `Description: ${tool.description}`,
+    "",
+    "Input Schema:",
+    JSON.stringify(tool.inputSchema, null, 2)
+  ];
+  if (tool.outputSchema !== void 0) {
+    lines.push("", "Output Schema:", JSON.stringify(tool.outputSchema, null, 2));
   }
-  async subscribeResource(uri, options) {
-    const client = this.requireClient();
-    await client.subscribeResource({ uri }, options);
+  const annotationLines = buildAnnotationLines(tool);
+  if (annotationLines.length > 0) {
+    lines.push("", "Annotations:", ...annotationLines);
   }
-  async unsubscribeResource(uri, options) {
-    const client = this.requireClient();
-    await client.unsubscribeResource({ uri }, options);
+  return lines.join("\n");
+}
+function buildAnnotationLines(tool) {
+  if (tool.annotations === void 0) {
+    return [];
   }
-  async disconnect() {
-    if (this.client === null) {
-      return;
-    }
-    await this.client.close();
-    this.client = null;
+  const { annotations } = tool;
+  const lines = [];
+  if (annotations.title !== void 0) {
+    lines.push(`- title: ${annotations.title}`);
   }
-  /**
-   * Sends `notifications/roots/list_changed` to the upstream, letting it know that
-   * the host's set of filesystem roots has changed.
-   */
-  async sendRootsListChanged() {
-    const client = this.requireClient();
-    await client.sendRootsListChanged();
+  if (annotations.readOnlyHint !== void 0) {
+    lines.push(`- readOnlyHint: ${annotations.readOnlyHint}`);
   }
-  registerServerRequestHandlers(client) {
-    if (this.serverRequestHandlers.onCreateMessage !== void 0) {
-      client.setRequestHandler(
-        CreateMessageRequestSchema,
-        async (request, extra) => {
-          return this.serverRequestHandlers.onCreateMessage(request.params, {
-            signal: extra.signal
-          });
-        }
-      );
-    }
-    if (this.serverRequestHandlers.onElicitInput !== void 0) {
-      client.setRequestHandler(
-        ElicitRequestSchema,
-        async (request, extra) => {
-          return this.serverRequestHandlers.onElicitInput(request.params, {
-            signal: extra.signal
-          });
-        }
-      );
-    }
-    if (this.serverRequestHandlers.onListRoots !== void 0) {
-      client.setRequestHandler(
-        ListRootsRequestSchema,
-        async (request, extra) => {
-          return this.serverRequestHandlers.onListRoots(request.params, {
-            signal: extra.signal
-          });
-        }
-      );
-    }
+  if (annotations.destructiveHint !== void 0) {
+    lines.push(`- destructiveHint: ${annotations.destructiveHint}`);
   }
-  requireClient() {
-    if (this.client === null) {
-      throw new Error("Client is not connected. Call connect() first.");
-    }
-    return this.client;
+  if (annotations.idempotentHint !== void 0) {
+    lines.push(`- idempotentHint: ${annotations.idempotentHint}`);
   }
-};
+  if (annotations.openWorldHint !== void 0) {
+    lines.push(`- openWorldHint: ${annotations.openWorldHint}`);
+  }
+  return lines;
+}
 
 // src/proxy/upstream-registry.ts
 var UpstreamRegistry = class {
@@ -1335,6 +2547,9 @@ var Orchestrator = class {
       }
     } catch (error) {
       await this.registry.deleteOne(mcpName2);
+      if (isAuthRequiredError(error)) {
+        throw error;
+      }
       const failures = this.lazyRegistry.recordFailure(mcpName2);
       if (failures >= MAX_LOAD_ATTEMPTS) {
         this.lazyRegistry.take(mcpName2);
@@ -1581,7 +2796,7 @@ var Orchestrator = class {
       targets.push(
         action(client).catch((error) => {
           const message = error instanceof Error ? error.message : String(error);
-          process4.stderr.write(`dynmcp: ${label} failed for "${mcpName2}": ${message}
+          process9.stderr.write(`dynmcp: ${label} failed for "${mcpName2}": ${message}
 `);
         })
       );
@@ -1606,13 +2821,13 @@ function splitNamespacedName(namespacedName, knownMcpNames) {
 }
 function logCollisions(resourceRouter, promptRouter) {
   for (const collision of resourceRouter.collisions()) {
-    process4.stderr.write(
+    process9.stderr.write(
       `dynmcp: resource URI collision: "${collision.uri}" is provided by "${collision.chosen}" and "${collision.shadowed}"; routing to "${collision.chosen}".
 `
     );
   }
   for (const collision of promptRouter.collisions()) {
-    process4.stderr.write(
+    process9.stderr.write(
       `dynmcp: prompt name collision: "${collision.name}" is provided by "${collision.chosen}" and "${collision.shadowed}"; routing to "${collision.chosen}".
 `
     );
@@ -1620,7 +2835,7 @@ function logCollisions(resourceRouter, promptRouter) {
 }
 
 // src/proxy/server.ts
-import process5 from "process";
+import process10 from "process";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import {
@@ -1767,7 +2982,7 @@ var ProxyServer = class {
   async start() {
     const server = this.buildServer();
     const transport = new StdioServerTransport();
-    process5.stderr.write("Starting dynamic-discovery-mcp server over stdio\n");
+    process10.stderr.write("Starting dynamic-discovery-mcp server over stdio\n");
     await server.connect(transport);
   }
   /**
@@ -1980,35 +3195,6 @@ var ProxyServer = class {
   }
 };
 
-// src/proxy/transport-factory.ts
-import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
-import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
-import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
-function createTransport(config) {
-  switch (config.transport) {
-    case "stdio":
-      return new StdioClientTransport({
-        command: config.command,
-        args: config.args,
-        env: config.env
-      });
-    case "streamable-http":
-      return new StreamableHTTPClientTransport(
-        new URL(config.url),
-        config.headers ? { requestInit: { headers: config.headers } } : void 0
-      );
-    case "sse":
-      return new SSEClientTransport(
-        new URL(config.url),
-        config.headers ? { requestInit: { headers: config.headers } } : void 0
-      );
-    default: {
-      const _exhaustive = config;
-      return _exhaustive;
-    }
-  }
-}
-
 // src/proxy/index.ts
 var SINGLE_MCP_NAME = "__default__";
 async function startProxy(command, args) {
@@ -2026,7 +3212,7 @@ async function startProxyFromConfig(options = {}) {
   const eagerMcps = /* @__PURE__ */ new Map();
   const lazyMcps = /* @__PURE__ */ new Map();
   for (const [name, entry] of Object.entries(config.mcp)) {
-    const transport = createTransport(entry);
+    const transport = createTransport(name, entry);
     if (entry.description !== void 0) {
       lazyMcps.set(name, { transport, description: entry.description });
     } else {
@@ -2048,7 +3234,7 @@ function buildOrchestrator(params) {
     lazyMcps: params.lazyMcps,
     namespaced: params.namespaced,
     onTransportError: (mcpName2, error) => {
-      process6.stderr.write(
+      process11.stderr.write(
         `${params.transportErrorPrefix(mcpName2)} transport error: ${error.message}
 `
       );
@@ -2062,19 +3248,19 @@ async function runProxy(orchestrator) {
     if (isShuttingDown) return;
     isShuttingDown = true;
     orchestrator.disconnectAll().catch((error) => {
-      process6.stderr.write(
+      process11.stderr.write(
         `dynmcp: error during disconnect: ${error instanceof Error ? error.message : String(error)}
 `
       );
-    }).finally(() => process6.exit(exitCode));
+    }).finally(() => process11.exit(exitCode));
   };
   activeShutdown.shutdown = shutdown;
   try {
     await orchestrator.connect();
   } catch (error) {
-    process6.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+    process11.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
 `);
-    process6.exit(1);
+    process11.exit(1);
     return;
   }
   const proxyServer = new ProxyServer({
@@ -2111,10 +3297,10 @@ async function runProxy(orchestrator) {
     onElicitInput: (params, options) => proxyServer.forwardElicitInput(params, options),
     onListRoots: (params, options) => proxyServer.forwardListRoots(params, options)
   });
-  process6.on("SIGINT", () => shutdown(0));
-  process6.on("SIGTERM", () => shutdown(0));
-  process6.stdin.on("end", () => shutdown(0));
-  process6.stdin.on("close", () => shutdown(0));
+  process11.on("SIGINT", () => shutdown(0));
+  process11.on("SIGTERM", () => shutdown(0));
+  process11.stdin.on("end", () => shutdown(0));
+  process11.stdin.on("close", () => shutdown(0));
   try {
     await proxyServer.start();
   } catch (error) {
@@ -2133,41 +3319,98 @@ var cliBanner = chalk.bold.magentaBright(
 );
 var cli = new Command(package_default.name).description(package_default.description).version(package_default.version).addHelpText("beforeAll", cliBanner).addHelpText(
   "after",
-  "\nExamples:\n  dynmcp -- npx -y chrome-devtools-mcp@latest\n  dynmcp --config ./mcp.json\n"
+  "\nExamples:\n  dynmcp -- npx -y chrome-devtools-mcp@latest\n  dynmcp --config ./mcp.json\n  dynmcp ls\n  dynmcp test github\n  dynmcp login github\n  dynmcp logout github\n"
 ).option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").allowExcessArguments(true).passThroughOptions(true).action(async (_options, cmd) => {
-  const separatorIndex = process7.argv.indexOf("--");
+  const separatorIndex = process12.argv.indexOf("--");
   const configPath = cmd.opts().config;
   const envFilePath = cmd.opts().env;
   if (separatorIndex !== -1) {
-    const [command, ...args] = process7.argv.slice(separatorIndex + 1);
+    const [command, ...args] = process12.argv.slice(separatorIndex + 1);
     if (command === void 0) {
-      process7.stderr.write(
+      process12.stderr.write(
         "dynmcp: no upstream command provided after --.\nUsage: dynmcp -- <command> [args...]\n"
       );
-      process7.exit(1);
+      process12.exit(1);
     }
     try {
       await startProxy(command, args);
     } catch (error) {
-      process7.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+      process12.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
 `);
-      process7.exit(1);
+      process12.exit(1);
     }
     return;
   }
   try {
     await startProxyFromConfig({ configPath, envFilePath });
   } catch (error) {
-    process7.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+    process12.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+    process12.exit(1);
+  }
+});
+cli.command("login <name>").description("Run the OAuth authorization-code flow for an upstream MCP and store tokens.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").action(async (name, options) => {
+  try {
+    await login({
+      mcpName: name,
+      ...options.config !== void 0 ? { configPath: options.config } : {},
+      ...options.env !== void 0 ? { envFilePath: options.env } : {}
+    });
+  } catch (error) {
+    process12.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+    process12.exit(1);
+  }
+});
+cli.command("logout <name>").description("Delete the OAuth keychain entry for an upstream MCP.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").action(async (name, options) => {
+  try {
+    await logout({
+      mcpName: name,
+      ...options.config !== void 0 ? { configPath: options.config } : {},
+      ...options.env !== void 0 ? { envFilePath: options.env } : {}
+    });
+  } catch (error) {
+    process12.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+    process12.exit(1);
+  }
+});
+cli.command("ls").description("List configured upstream MCPs with transport, mode, endpoint, and auth status.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").option("--json", "Emit JSON instead of the aligned text table").action(async (options) => {
+  try {
+    await list({
+      ...options.config !== void 0 ? { configPath: options.config } : {},
+      ...options.env !== void 0 ? { envFilePath: options.env } : {},
+      ...options.json === true ? { json: true } : {}
+    });
+  } catch (error) {
+    process12.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
 `);
-    process7.exit(1);
+    process12.exit(1);
   }
 });
+cli.command("test [name]").description("Probe one or all configured upstream MCPs and print their discovered catalogs.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").option("--json", "Emit JSON instead of the formatted text output").option("--timeout <ms>", "Per-MCP timeout in milliseconds (default: 15000)", (v) => Number(v)).action(
+  async (name, options) => {
+    try {
+      const exitCode = await test({
+        ...name !== void 0 ? { mcpName: name } : {},
+        ...options.config !== void 0 ? { configPath: options.config } : {},
+        ...options.env !== void 0 ? { envFilePath: options.env } : {},
+        ...options.json === true ? { json: true } : {},
+        ...options.timeout !== void 0 && !Number.isNaN(options.timeout) ? { timeoutMs: options.timeout } : {}
+      });
+      if (exitCode !== 0) process12.exit(exitCode);
+    } catch (error) {
+      process12.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+      process12.exit(1);
+    }
+  }
+);
 
 // src/index.ts
-import process8 from "process";
+import process13 from "process";
 async function main() {
-  cli.parse(process8.argv);
+  cli.parse(process13.argv);
 }
 main();
 //# sourceMappingURL=index.js.map