npm - dynmcp - Versions diffs - 0.4.1 → 0.5.0 - Mend

dynmcp 0.4.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -23,13 +23,13 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 // src/cli.ts
-var import_node_process7 = __toESM(require("process"), 1);
+var import_node_process12 = __toESM(require("process"), 1);
 var import_commander = require("commander");
 // package.json
 var package_default = {
   name: "dynmcp",
-  version: "0.4.1",
+  version: "0.5.0",
   description: "Dynamic MCP context management tool for AI MCP-enabled agents and clients.",
   author: "Brandon Burrus <brandon@burrus.io>",
   license: "MIT",
@@ -91,6 +91,7 @@ var package_default = {
   },
   dependencies: {
     "@modelcontextprotocol/sdk": "^1.29.0",
+    "@napi-rs/keyring": "^1.3.0",
     boxen: "^8.0.1",
     chalk: "^5.6.2",
     commander: "^14.0.3",
@@ -120,9 +121,330 @@ var package_default = {
 var import_figlet = __toESM(require("figlet"), 1);
 var import_chalk = __toESM(require("chalk"), 1);
-// src/proxy/index.ts
-var import_node_process6 = __toESM(require("process"), 1);
-var import_stdio3 = require("@modelcontextprotocol/sdk/client/stdio.js");
+// src/auth/errors.ts
+var AuthRequiredError = class extends Error {
+  mcpName;
+  constructor(mcpName2) {
+    super(
+      `Upstream MCP "${mcpName2}" requires authorization. Run \`dynmcp login ${mcpName2}\` from your terminal, then retry.`
+    );
+    this.name = "AuthRequiredError";
+    this.mcpName = mcpName2;
+  }
+};
+function isAuthRequiredError(error) {
+  let current = error;
+  for (let depth = 0; depth < 8 && current !== null && current !== void 0; depth += 1) {
+    if (current instanceof AuthRequiredError) return true;
+    if (current instanceof Error && current.name === "AuthRequiredError") return true;
+    if (current instanceof Error) {
+      current = current.cause;
+      continue;
+    }
+    return false;
+  }
+  return false;
+}
+// src/auth/keychain-store.ts
+var import_keyring = require("@napi-rs/keyring");
+// src/auth/types.ts
+var KEYCHAIN_BLOB_VERSION = 1;
+// src/auth/keychain-store.ts
+var KEYCHAIN_SERVICE = "dynmcp";
+function buildKeychainAccount(mcpName2, serverUrl) {
+  const origin = new URL(serverUrl).origin;
+  return `${mcpName2}:${origin}`;
+}
+var KeychainStore = class {
+  constructor(mcpName2, serverUrl, service = KEYCHAIN_SERVICE) {
+    this.mcpName = mcpName2;
+    this.serverUrl = serverUrl;
+    this.entry = new import_keyring.Entry(service, buildKeychainAccount(mcpName2, serverUrl));
+  }
+  mcpName;
+  serverUrl;
+  entry;
+  /**
+   * Returns the parsed blob or `undefined` if no entry exists. Entries written under
+   * a different {@link KeychainBlob.version} are treated as absent — the caller must
+   * re-authenticate. Malformed JSON also returns `undefined` (corrupt entries are not
+   * surfaced as errors; recovery is the same: re-auth).
+   */
+  get() {
+    const raw = this.entry.getPassword();
+    if (raw === null) return void 0;
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return void 0;
+    }
+    if (!isCurrentVersionBlob(parsed)) {
+      return void 0;
+    }
+    return parsed;
+  }
+  /**
+   * Persists the blob atomically. Caller must construct a complete {@link
+   * KeychainBlob} — partial updates are not supported. To mutate, call {@link get},
+   * spread, and pass the result back to {@link set}.
+   */
+  set(blob) {
+    const stamped = { ...blob, version: KEYCHAIN_BLOB_VERSION };
+    this.entry.setPassword(JSON.stringify(stamped));
+  }
+  /**
+   * Deletes the entry. Returns `true` if an entry was present and removed, `false`
+   * if there was nothing to delete. Idempotent: callers should treat both outcomes
+   * as success (a no-op delete is not an error).
+   */
+  delete() {
+    return this.entry.deletePassword();
+  }
+};
+function isCurrentVersionBlob(value) {
+  return typeof value === "object" && value !== null && "version" in value && value.version === KEYCHAIN_BLOB_VERSION;
+}
+// src/auth/oauth-provider.ts
+var import_node_crypto = require("crypto");
+var CLIENT_NAME = "dynmcp";
+var SOFTWARE_ID = "dynmcp";
+var REFRESH_SLACK_SECONDS = 30;
+var BaseOAuthProvider = class {
+  constructor(mcpName2, keychain, configAuth) {
+    this.mcpName = mcpName2;
+    this.keychain = keychain;
+    this.configAuth = configAuth;
+  }
+  mcpName;
+  keychain;
+  configAuth;
+  clientInformation() {
+    if (this.configAuth !== void 0) {
+      const info2 = { client_id: this.configAuth.client_id };
+      if (this.configAuth.client_secret !== void 0) {
+        info2.client_secret = this.configAuth.client_secret;
+      }
+      return info2;
+    }
+    const blob = this.keychain.get();
+    if (blob?.dcr === void 0) return void 0;
+    const info = { client_id: blob.dcr.client_id };
+    if (blob.dcr.client_secret !== void 0) {
+      info.client_secret = blob.dcr.client_secret;
+    }
+    return info;
+  }
+  tokens() {
+    const blob = this.keychain.get();
+    if (blob === void 0) return void 0;
+    const remaining = Math.max(
+      0,
+      blob.expires_at - Math.floor(Date.now() / 1e3) - REFRESH_SLACK_SECONDS
+    );
+    const tokens = {
+      access_token: blob.access_token,
+      token_type: blob.token_type,
+      expires_in: remaining
+    };
+    if (blob.refresh_token !== void 0) tokens.refresh_token = blob.refresh_token;
+    if (blob.scope_granted !== void 0) tokens.scope = blob.scope_granted;
+    return tokens;
+  }
+  /**
+   * Builds the {@link OAuthDiscoveryState} the SDK can use to skip rediscovery,
+   * reconstructed from the cached keychain blob. Returns `undefined` when there is
+   * no cached blob (e.g. fresh login flow before saveTokens fires).
+   */
+  buildDiscoveryStateFromBlob(blob) {
+    if (blob === void 0) return void 0;
+    return {
+      authorizationServerUrl: blob.authorization_server.issuer,
+      authorizationServerMetadata: {
+        issuer: blob.authorization_server.issuer,
+        authorization_endpoint: blob.authorization_server.authorization_endpoint,
+        token_endpoint: blob.authorization_server.token_endpoint,
+        ...blob.authorization_server.registration_endpoint !== void 0 ? { registration_endpoint: blob.authorization_server.registration_endpoint } : {},
+        response_types_supported: ["code"]
+      },
+      resourceMetadata: {
+        resource: blob.resource_metadata.resource,
+        authorization_servers: blob.resource_metadata.authorization_servers
+      }
+    };
+  }
+};
+var ProxyOAuthProvider = class extends BaseOAuthProvider {
+  get redirectUrl() {
+    return void 0;
+  }
+  get clientMetadata() {
+    return {
+      client_name: CLIENT_NAME,
+      software_id: SOFTWARE_ID,
+      redirect_uris: [],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: this.configAuth?.client_secret !== void 0 ? "client_secret_basic" : "none",
+      ...this.configAuth?.scope !== void 0 ? { scope: this.configAuth.scope } : {}
+    };
+  }
+  saveTokens(tokens) {
+    const existing = this.keychain.get();
+    if (existing === void 0) {
+      throw new AuthRequiredError(this.mcpName);
+    }
+    const expiresAt = tokens.expires_in !== void 0 ? Math.floor(Date.now() / 1e3) + tokens.expires_in : existing.expires_at;
+    const updated = {
+      ...existing,
+      access_token: tokens.access_token,
+      token_type: tokens.token_type ?? "Bearer",
+      expires_at: expiresAt,
+      refresh_token: tokens.refresh_token ?? existing.refresh_token,
+      ...tokens.scope !== void 0 ? { scope_granted: tokens.scope } : {}
+    };
+    this.keychain.set(updated);
+  }
+  redirectToAuthorization(_url) {
+    throw new AuthRequiredError(this.mcpName);
+  }
+  saveCodeVerifier(_verifier) {
+    throw new AuthRequiredError(this.mcpName);
+  }
+  codeVerifier() {
+    throw new AuthRequiredError(this.mcpName);
+  }
+  discoveryState() {
+    return this.buildDiscoveryStateFromBlob(this.keychain.get());
+  }
+  invalidateCredentials(_scope) {
+    this.keychain.delete();
+  }
+};
+var LoginOAuthProvider = class extends BaseOAuthProvider {
+  redirectUriString;
+  pending = {};
+  callbacks;
+  constructor(opts) {
+    super(opts.mcpName, opts.keychain, opts.configAuth);
+    this.redirectUriString = opts.redirectUri;
+    this.callbacks = opts.callbacks;
+  }
+  get redirectUrl() {
+    return this.redirectUriString;
+  }
+  get clientMetadata() {
+    return {
+      client_name: CLIENT_NAME,
+      software_id: SOFTWARE_ID,
+      redirect_uris: [this.redirectUriString],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: this.configAuth?.client_secret !== void 0 ? "client_secret_basic" : "none",
+      ...this.configAuth?.scope !== void 0 ? { scope: this.configAuth.scope } : {}
+    };
+  }
+  state() {
+    if (this.pending.state !== void 0) return this.pending.state;
+    const generated = (0, import_node_crypto.randomBytes)(32).toString("base64url");
+    this.pending.state = generated;
+    return generated;
+  }
+  /** The state value generated for this flow, for the callback handler to verify. */
+  get currentState() {
+    return this.pending.state;
+  }
+  clientInformation() {
+    if (this.pending.dcr !== void 0) {
+      const info = { client_id: this.pending.dcr.client_id };
+      if (this.pending.dcr.client_secret !== void 0) {
+        info.client_secret = this.pending.dcr.client_secret;
+      }
+      return info;
+    }
+    return super.clientInformation();
+  }
+  saveClientInformation(info) {
+    this.pending.dcr = info;
+  }
+  saveTokens(tokens) {
+    const discovery = this.pending.discovery ?? this.buildDiscoveryStateFromBlob(this.keychain.get());
+    if (discovery === void 0) {
+      throw new Error(
+        `Cannot persist tokens for "${this.mcpName}": no discovery state captured during the flow.`
+      );
+    }
+    if (discovery.authorizationServerMetadata === void 0) {
+      throw new Error(
+        `Cannot persist tokens for "${this.mcpName}": authorization server metadata not available.`
+      );
+    }
+    if (discovery.resourceMetadata === void 0) {
+      throw new Error(
+        `Cannot persist tokens for "${this.mcpName}": protected resource metadata not available.`
+      );
+    }
+    const expiresAt = tokens.expires_in !== void 0 ? Math.floor(Date.now() / 1e3) + tokens.expires_in : Math.floor(Date.now() / 1e3) + 3600;
+    const authorizationServer = {
+      issuer: discovery.authorizationServerMetadata.issuer ?? discovery.authorizationServerUrl,
+      authorization_endpoint: discovery.authorizationServerMetadata.authorization_endpoint,
+      token_endpoint: discovery.authorizationServerMetadata.token_endpoint,
+      ...discovery.authorizationServerMetadata.registration_endpoint !== void 0 ? { registration_endpoint: discovery.authorizationServerMetadata.registration_endpoint } : {}
+    };
+    const resourceMetadata = {
+      resource: discovery.resourceMetadata.resource,
+      authorization_servers: discovery.resourceMetadata.authorization_servers ?? []
+    };
+    const blob = {
+      version: KEYCHAIN_BLOB_VERSION,
+      access_token: tokens.access_token,
+      token_type: tokens.token_type ?? "Bearer",
+      expires_at: expiresAt,
+      ...tokens.refresh_token !== void 0 ? { refresh_token: tokens.refresh_token } : {},
+      ...tokens.scope !== void 0 ? { scope_granted: tokens.scope } : {},
+      authorization_server: authorizationServer,
+      resource_metadata: resourceMetadata,
+      ...this.pending.dcr !== void 0 ? {
+        dcr: {
+          client_id: this.pending.dcr.client_id,
+          ...this.pending.dcr.client_secret !== void 0 ? { client_secret: this.pending.dcr.client_secret } : {}
+        }
+      } : {}
+    };
+    this.keychain.set(blob);
+  }
+  async redirectToAuthorization(url) {
+    await this.callbacks.onAuthorizationUrl(url);
+  }
+  saveCodeVerifier(verifier) {
+    this.pending.codeVerifier = verifier;
+  }
+  codeVerifier() {
+    if (this.pending.codeVerifier === void 0) {
+      throw new Error("Code verifier requested before it was saved.");
+    }
+    return this.pending.codeVerifier;
+  }
+  saveDiscoveryState(state) {
+    this.pending.discovery = state;
+  }
+  /**
+   * Force a fresh RFC 9728 + RFC 8414 discovery for every login flow. We intentionally
+   * do NOT pre-seed from the keychain on login — if endpoints changed since the last
+   * login, we want to pick them up now and persist the new snapshot.
+   */
+  discoveryState() {
+    return void 0;
+  }
+};
+// src/auth/login.ts
+var import_node_process4 = __toESM(require("process"), 1);
+var import_auth = require("@modelcontextprotocol/sdk/client/auth.js");
 // src/config/schema.ts
 var import_zod = require("zod");
@@ -144,17 +466,26 @@ var stdioTransport = import_zod.z.object({
 var httpUrl = import_zod.z.string().url().refine((u) => u.startsWith("http://") || u.startsWith("https://"), {
   message: "URL must use http:// or https:// scheme"
 });
+var authConfig = import_zod.z.object({
+  client_id: import_zod.z.string().min(1, { message: "auth.client_id must be a non-empty string" }).refine((value) => value.trim().length > 0, {
+    message: "auth.client_id must not be whitespace-only"
+  }),
+  client_secret: import_zod.z.string().min(1).optional(),
+  scope: import_zod.z.string().min(1).optional()
+}).strict().optional();
 var streamableHttpTransport = import_zod.z.object({
   transport: import_zod.z.literal("streamable-http"),
   description,
   url: httpUrl,
-  headers: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional()
+  headers: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional(),
+  auth: authConfig
 }).strict();
 var sseTransport = import_zod.z.object({
   transport: import_zod.z.literal("sse"),
   description,
   url: httpUrl,
-  headers: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional()
+  headers: import_zod.z.record(import_zod.z.string(), import_zod.z.string()).optional(),
+  auth: authConfig
 }).strict();
 var transportConfig = import_zod.z.discriminatedUnion("transport", [
   stdioTransport,
@@ -230,9 +561,9 @@ function filterDefined(env) {
 var TOP_LEVEL_PASSTHROUGH_KEYS = /* @__PURE__ */ new Set(["$schema", "env"]);
 var MissingEnvVarsError = class extends Error {
   constructor(missingVars) {
-    const list = missingVars.join(", ");
+    const list2 = missingVars.join(", ");
     const plural = missingVars.length === 1 ? "" : "s";
-    super(`Missing required environment variable${plural}: ${list}`);
+    super(`Missing required environment variable${plural}: ${list2}`);
     this.missingVars = missingVars;
     this.name = "MissingEnvVarsError";
   }
@@ -381,17 +712,1104 @@ function readEnvMode(content) {
   if (typeof value === "string" && VALID_ENV_MODES.includes(value)) {
     return value;
   }
-  return DEFAULT_ENV_MODE;
-}
-function isYamlFile(filePath) {
-  return filePath.endsWith(".yml") || filePath.endsWith(".yaml");
+  return DEFAULT_ENV_MODE;
+}
+function isYamlFile(filePath) {
+  return filePath.endsWith(".yml") || filePath.endsWith(".yaml");
+}
+// src/config/json-schema.ts
+var import_zod2 = require("zod");
+// src/auth/browser.ts
+var import_node_child_process = require("child_process");
+var import_node_process3 = __toESM(require("process"), 1);
+async function openUrl(url) {
+  const { command, args } = openerForPlatform(url);
+  return new Promise((resolve3, reject) => {
+    const child = (0, import_node_child_process.spawn)(command, args, {
+      stdio: "ignore",
+      detached: true
+    });
+    child.once("error", reject);
+    child.once("spawn", () => {
+      child.unref();
+      resolve3();
+    });
+  });
+}
+function openerForPlatform(url) {
+  switch (import_node_process3.default.platform) {
+    case "darwin":
+      return { command: "open", args: [url] };
+    case "win32":
+      return { command: "cmd", args: ["/c", "start", '""', url] };
+    default:
+      return { command: "xdg-open", args: [url] };
+  }
+}
+// src/auth/callback-server.ts
+var import_node_http = require("http");
+var CallbackTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super(`Timed out after ${timeoutMs}ms waiting for the OAuth callback.`);
+    this.name = "CallbackTimeoutError";
+  }
+};
+var CallbackOAuthError = class extends Error {
+  constructor(oauthError, oauthErrorDescription) {
+    super(
+      oauthErrorDescription ? `OAuth error from authorization server: ${oauthError} \u2014 ${oauthErrorDescription}` : `OAuth error from authorization server: ${oauthError}`
+    );
+    this.oauthError = oauthError;
+    this.oauthErrorDescription = oauthErrorDescription;
+    this.name = "CallbackOAuthError";
+  }
+  oauthError;
+  oauthErrorDescription;
+};
+var SUCCESS_HTML = `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <title>dynmcp \u2014 authorization complete</title>
+    <style>
+      body { font-family: -apple-system, BlinkMacSystemFont, sans-serif; padding: 4rem; max-width: 36rem; margin: 0 auto; color: #222; }
+      code { background: #f4f4f4; padding: 0.1rem 0.3rem; border-radius: 3px; }
+    </style>
+  </head>
+  <body>
+    <h1>Authorization complete</h1>
+    <p>You may close this tab and return to your terminal.</p>
+    <p><small>Issued by <code>dynmcp</code>.</small></p>
+  </body>
+</html>
+`;
+var ERROR_HTML_PREFIX = `<!DOCTYPE html>
+<html lang="en">
+  <head><meta charset="utf-8" /><title>dynmcp \u2014 authorization failed</title></head>
+  <body style="font-family: -apple-system, BlinkMacSystemFont, sans-serif; padding: 4rem; max-width: 36rem; margin: 0 auto;">
+    <h1>Authorization failed</h1>
+    <p>`;
+var ERROR_HTML_SUFFIX = `</p>
+    <p>Return to your terminal for details.</p>
+  </body>
+</html>
+`;
+var CallbackServer = class _CallbackServer {
+  server = null;
+  boundPort = null;
+  pending = null;
+  /** The redirect path served. Must match the redirect URI registered with the OAuth client. */
+  static CALLBACK_PATH = "/callback";
+  /** Begins listening on `127.0.0.1` at an OS-assigned port. */
+  async start() {
+    if (this.server !== null) {
+      throw new Error("CallbackServer is already started.");
+    }
+    const server = (0, import_node_http.createServer)((req, res) => this.handleRequest(req, res));
+    await new Promise((resolve3, reject) => {
+      const onError = (err) => {
+        server.removeListener("listening", onListening);
+        reject(err);
+      };
+      const onListening = () => {
+        server.removeListener("error", onError);
+        resolve3();
+      };
+      server.once("error", onError);
+      server.once("listening", onListening);
+      server.listen({ port: 0, host: "127.0.0.1" });
+    });
+    const address = server.address();
+    if (address === null || typeof address === "string") {
+      server.close();
+      throw new Error("Failed to determine bound port for callback server.");
+    }
+    this.boundPort = address.port;
+    this.server = server;
+  }
+  /** The port the OS assigned. Available after {@link start} resolves. */
+  get port() {
+    if (this.boundPort === null) {
+      throw new Error("CallbackServer is not started.");
+    }
+    return this.boundPort;
+  }
+  /** The full redirect URI to register with the authorization server. */
+  get redirectUri() {
+    return `http://127.0.0.1:${this.port}${_CallbackServer.CALLBACK_PATH}`;
+  }
+  /**
+   * Resolves with the captured `code` and `state` once a valid callback is received,
+   * or rejects with {@link CallbackTimeoutError} / {@link CallbackOAuthError} on the
+   * documented failure paths. Only one callback is accepted; subsequent requests to
+   * `/callback` after the first valid hit return `400`.
+   */
+  awaitCallback(timeoutMs) {
+    if (this.server === null) {
+      return Promise.reject(new Error("CallbackServer is not started."));
+    }
+    if (this.pending !== null) {
+      return Promise.reject(new Error("awaitCallback already in progress."));
+    }
+    return new Promise((resolve3, reject) => {
+      const timer = setTimeout(() => {
+        this.pending = null;
+        reject(new CallbackTimeoutError(timeoutMs));
+      }, timeoutMs);
+      this.pending = { resolve: resolve3, reject, timer };
+    });
+  }
+  /** Closes the listening socket. Safe to call multiple times. */
+  async stop() {
+    if (this.pending !== null) {
+      clearTimeout(this.pending.timer);
+      this.pending = null;
+    }
+    if (this.server === null) return;
+    await new Promise((resolve3) => {
+      this.server.close(() => resolve3());
+    });
+    this.server = null;
+    this.boundPort = null;
+  }
+  handleRequest(req, res) {
+    if (req.method !== "GET") {
+      res.writeHead(405, { "content-type": "text/plain", allow: "GET" });
+      res.end("Method Not Allowed");
+      return;
+    }
+    const url = new URL(req.url ?? "/", `http://127.0.0.1:${this.boundPort ?? 0}`);
+    if (url.pathname !== _CallbackServer.CALLBACK_PATH) {
+      res.writeHead(404, { "content-type": "text/plain" });
+      res.end("Not Found");
+      return;
+    }
+    if (this.pending === null) {
+      res.writeHead(400, { "content-type": "text/plain" });
+      res.end("No callback expected.");
+      return;
+    }
+    const oauthError = url.searchParams.get("error");
+    if (oauthError !== null) {
+      const errorDescription = url.searchParams.get("error_description") ?? void 0;
+      this.respondError(res, oauthError, errorDescription);
+      const { reject, timer: timer2 } = this.pending;
+      clearTimeout(timer2);
+      this.pending = null;
+      reject(new CallbackOAuthError(oauthError, errorDescription));
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    if (code === null || state === null) {
+      this.respondError(res, "invalid_callback", "Missing code or state parameter.");
+      const { reject, timer: timer2 } = this.pending;
+      clearTimeout(timer2);
+      this.pending = null;
+      reject(new Error("Callback missing code or state parameter."));
+      return;
+    }
+    res.writeHead(200, { "content-type": "text/html; charset=utf-8" });
+    res.end(SUCCESS_HTML);
+    const { resolve: resolve3, timer } = this.pending;
+    clearTimeout(timer);
+    this.pending = null;
+    resolve3({ code, state });
+  }
+  respondError(res, errorCode, description2) {
+    res.writeHead(400, { "content-type": "text/html; charset=utf-8" });
+    res.end(
+      ERROR_HTML_PREFIX + escapeHtml(description2 ?? `OAuth error: ${errorCode}`) + ERROR_HTML_SUFFIX
+    );
+  }
+};
+function escapeHtml(value) {
+  return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+// src/auth/login.ts
+var CALLBACK_TIMEOUT_MS = 6e4;
+async function login(options) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const entry = resolveOAuthCapableEntry(config, options.mcpName);
+  const writeStatus = options.writeStatus ?? defaultStatusWriter;
+  const openInBrowser = options.openInBrowser ?? openUrl;
+  writeStatus(`Probing ${entry.url} for OAuth challenge...
+`);
+  const resourceMetadataUrl = await probeFor401ResourceMetadata(entry.url);
+  if (resourceMetadataUrl === void 0) {
+    throw new Error(
+      `Upstream "${options.mcpName}" did not return a 401 challenge with a WWW-Authenticate \`resource_metadata\` URL. The server does not appear to require OAuth; no credentials stored.`
+    );
+  }
+  const keychain = new KeychainStore(options.mcpName, entry.url);
+  const callbackServer = new CallbackServer();
+  await callbackServer.start();
+  writeStatus(`Callback server listening on ${callbackServer.redirectUri}
+`);
+  try {
+    const provider = new LoginOAuthProvider({
+      mcpName: options.mcpName,
+      keychain,
+      configAuth: configAuthFromEntry(entry),
+      redirectUri: callbackServer.redirectUri,
+      callbacks: {
+        onAuthorizationUrl: async (url) => {
+          writeStatus(`Opening browser for authorization: ${url.toString()}
+`);
+          try {
+            await openInBrowser(url.toString());
+          } catch (error) {
+            const reason = error instanceof Error ? error.message : String(error);
+            writeStatus(
+              `Failed to launch browser (${reason}). Open this URL manually:
+  ${url.toString()}
+`
+            );
+          }
+        }
+      }
+    });
+    const firstResult = await (0, import_auth.auth)(provider, {
+      serverUrl: entry.url,
+      resourceMetadataUrl,
+      ...entry.auth?.scope !== void 0 ? { scope: entry.auth.scope } : {}
+    });
+    if (firstResult === "AUTHORIZED") {
+      writeStatus(`Already authorized for "${options.mcpName}"; no changes made.
+`);
+      return;
+    }
+    writeStatus(`Waiting for browser callback (timeout ${CALLBACK_TIMEOUT_MS / 1e3}s)...
+`);
+    const { code, state: receivedState } = await callbackServer.awaitCallback(CALLBACK_TIMEOUT_MS);
+    const expectedState = provider.currentState;
+    if (expectedState === void 0 || receivedState !== expectedState) {
+      throw new Error(
+        "OAuth state mismatch on callback. Possible CSRF attempt or stale browser tab; not exchanging the authorization code."
+      );
+    }
+    const secondResult = await (0, import_auth.auth)(provider, {
+      serverUrl: entry.url,
+      authorizationCode: code,
+      resourceMetadataUrl,
+      ...entry.auth?.scope !== void 0 ? { scope: entry.auth.scope } : {}
+    });
+    if (secondResult !== "AUTHORIZED") {
+      throw new Error(`Token exchange did not return AUTHORIZED (got ${secondResult}).`);
+    }
+    writeStatus(`Successfully authenticated "${options.mcpName}".
+`);
+  } finally {
+    await callbackServer.stop();
+  }
+}
+function resolveOAuthCapableEntry(config, mcpName2) {
+  const entry = config.mcp[mcpName2];
+  if (entry === void 0) {
+    const available = Object.keys(config.mcp).sort().join(", ");
+    throw new Error(`Unknown MCP "${mcpName2}". Configured MCPs: ${available || "(none)"}.`);
+  }
+  if (entry.transport !== "streamable-http" && entry.transport !== "sse") {
+    throw new Error(
+      `MCP "${mcpName2}" uses the "${entry.transport}" transport; OAuth is only supported for streamable-http and sse upstreams.`
+    );
+  }
+  return entry;
+}
+function configAuthFromEntry(entry) {
+  if (entry.auth === void 0) return void 0;
+  const overrides = { client_id: entry.auth.client_id };
+  if (entry.auth.client_secret !== void 0) overrides.client_secret = entry.auth.client_secret;
+  if (entry.auth.scope !== void 0) overrides.scope = entry.auth.scope;
+  return overrides;
+}
+async function probeFor401ResourceMetadata(serverUrl) {
+  let response;
+  try {
+    response = await fetch(serverUrl, { method: "GET", redirect: "manual" });
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to reach ${serverUrl}: ${reason}`);
+  }
+  if (response.status !== 401) {
+    return void 0;
+  }
+  const { resourceMetadataUrl } = (0, import_auth.extractWWWAuthenticateParams)(response);
+  return resourceMetadataUrl;
+}
+function defaultStatusWriter(message) {
+  import_node_process4.default.stderr.write(message);
+}
+// src/auth/logout.ts
+var import_node_process5 = __toESM(require("process"), 1);
+async function logout(options) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const entry = resolveOAuthCapableEntry2(config, options.mcpName);
+  const writeStatus = options.writeStatus ?? defaultStatusWriter2;
+  const keychain = new KeychainStore(options.mcpName, entry.url);
+  const removed = keychain.delete();
+  if (removed) {
+    writeStatus(`Removed keychain credentials for "${options.mcpName}".
+`);
+  } else {
+    writeStatus(
+      `No keychain credentials were stored for "${options.mcpName}"; nothing to remove.
+`
+    );
+  }
+}
+function resolveOAuthCapableEntry2(config, mcpName2) {
+  const entry = config.mcp[mcpName2];
+  if (entry === void 0) {
+    const available = Object.keys(config.mcp).sort().join(", ");
+    throw new Error(`Unknown MCP "${mcpName2}". Configured MCPs: ${available || "(none)"}.`);
+  }
+  if (entry.transport !== "streamable-http" && entry.transport !== "sse") {
+    throw new Error(
+      `MCP "${mcpName2}" uses the "${entry.transport}" transport; OAuth is only supported for streamable-http and sse upstreams.`
+    );
+  }
+  return entry;
+}
+function defaultStatusWriter2(message) {
+  import_node_process5.default.stderr.write(message);
+}
+// src/diagnostics/list.ts
+var import_node_process6 = __toESM(require("process"), 1);
+// src/diagnostics/format.ts
+function renderTable(headers, rows) {
+  const allRows = [headers, ...rows];
+  const widths = headers.map(
+    (_, colIdx) => Math.max(...allRows.map((row) => (row[colIdx] ?? "").length))
+  );
+  return allRows.map(
+    (row) => row.map((cell, i) => {
+      if (i === headers.length - 1) return cell;
+      return cell.padEnd(widths[i] ?? 0);
+    }).join("  ").trimEnd()
+  ).join("\n");
+}
+function truncate(value, max) {
+  if (value.length <= max) return value;
+  if (max <= 3) return value.slice(0, max);
+  return `${value.slice(0, max - 3)}...`;
+}
+function humanizeDuration(seconds) {
+  if (seconds < 0) return "expired";
+  if (seconds < 60) return `${Math.floor(seconds)}s`;
+  const totalMinutes = Math.floor(seconds / 60);
+  if (totalMinutes < 60) return `${totalMinutes}m`;
+  const totalHours = Math.floor(totalMinutes / 60);
+  const remainingMinutes = totalMinutes % 60;
+  if (totalHours < 24) {
+    return remainingMinutes > 0 ? `${totalHours}h ${remainingMinutes}m` : `${totalHours}h`;
+  }
+  const totalDays = Math.floor(totalHours / 24);
+  const remainingHours = totalHours % 24;
+  return remainingHours > 0 ? `${totalDays}d ${remainingHours}h` : `${totalDays}d`;
+}
+// src/diagnostics/list.ts
+var ENDPOINT_MAX_WIDTH = 48;
+async function list(options = {}) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const write = options.write ?? ((chunk) => void import_node_process6.default.stdout.write(chunk));
+  const now = options.now ?? (() => Math.floor(Date.now() / 1e3));
+  const entries = buildEntries(config, now);
+  if (options.json === true) {
+    write(`${JSON.stringify(entries, null, 2)}
+`);
+    return;
+  }
+  if (entries.length === 0) {
+    write("No upstream MCPs configured.\n");
+    return;
+  }
+  const headers = ["NAME", "TRANSPORT", "MODE", "ENDPOINT", "AUTH"];
+  const rows = entries.map((entry) => [
+    entry.name,
+    entry.transport,
+    entry.mode,
+    truncate(entry.endpoint, ENDPOINT_MAX_WIDTH),
+    formatAuthStatus(entry.auth)
+  ]);
+  write(`${renderTable(headers, rows)}
+`);
+}
+function buildEntries(config, now) {
+  return Object.entries(config.mcp).map(([name, entry]) => {
+    const mode = entry.description !== void 0 ? "lazy" : "eager";
+    if (entry.transport === "stdio") {
+      const command = entry.command;
+      const args = (entry.args ?? []).join(" ");
+      const endpoint = args.length > 0 ? `${command} ${args}` : command;
+      const built2 = {
+        name,
+        transport: "stdio",
+        mode,
+        endpoint,
+        auth: { kind: "n/a" }
+      };
+      if (entry.description !== void 0) built2.description = entry.description;
+      return built2;
+    }
+    const hasAuthHeader = hasBearerAuthHeader(entry.headers);
+    const keychain = new KeychainStore(name, entry.url);
+    const blob = keychain.get();
+    let auth2;
+    if (blob !== void 0) {
+      const expiresInSeconds = blob.expires_at - now();
+      auth2 = {
+        kind: "oauth",
+        status: "logged_in",
+        expiresInSeconds,
+        expiresAt: blob.expires_at
+      };
+      if (hasAuthHeader) auth2.alsoHeader = true;
+    } else if (hasAuthHeader) {
+      auth2 = { kind: "header" };
+    } else {
+      auth2 = { kind: "oauth", status: "not_logged_in" };
+    }
+    const built = {
+      name,
+      transport: entry.transport,
+      mode,
+      endpoint: entry.url,
+      auth: auth2
+    };
+    if (entry.description !== void 0) built.description = entry.description;
+    return built;
+  });
+}
+function hasBearerAuthHeader(headers) {
+  if (headers === void 0) return false;
+  for (const key of Object.keys(headers)) {
+    if (key.toLowerCase() === "authorization") return true;
+  }
+  return false;
+}
+function formatAuthStatus(auth2) {
+  switch (auth2.kind) {
+    case "n/a":
+      return "n/a";
+    case "header":
+      return "header";
+    case "oauth": {
+      if (auth2.status === "not_logged_in") return "oauth: not logged in";
+      const duration = humanizeDuration(auth2.expiresInSeconds ?? 0);
+      const base = `oauth: logged in (expires in ${duration})`;
+      return auth2.alsoHeader === true ? `${base} (header also set)` : base;
+    }
+  }
+}
+// src/diagnostics/test.ts
+var import_node_process8 = __toESM(require("process"), 1);
+// src/proxy/transport-factory.ts
+var import_stdio = require("@modelcontextprotocol/sdk/client/stdio.js");
+var import_streamableHttp = require("@modelcontextprotocol/sdk/client/streamableHttp.js");
+var import_sse = require("@modelcontextprotocol/sdk/client/sse.js");
+function createTransport(mcpName2, config) {
+  switch (config.transport) {
+    case "stdio":
+      return new import_stdio.StdioClientTransport({
+        command: config.command,
+        args: config.args,
+        env: config.env
+      });
+    case "streamable-http":
+      return new import_streamableHttp.StreamableHTTPClientTransport(new URL(config.url), {
+        ...config.headers !== void 0 ? { requestInit: { headers: config.headers } } : {},
+        authProvider: buildOAuthProvider(mcpName2, config)
+      });
+    case "sse":
+      return new import_sse.SSEClientTransport(new URL(config.url), {
+        ...config.headers !== void 0 ? { requestInit: { headers: config.headers } } : {},
+        authProvider: buildOAuthProvider(mcpName2, config)
+      });
+    default: {
+      const _exhaustive = config;
+      return _exhaustive;
+    }
+  }
+}
+function buildOAuthProvider(mcpName2, config) {
+  const keychain = new KeychainStore(mcpName2, config.url);
+  return new ProxyOAuthProvider(mcpName2, keychain, config.auth);
+}
+// src/proxy/upstream-client.ts
+var import_node_process7 = __toESM(require("process"), 1);
+var import_client = require("@modelcontextprotocol/sdk/client/index.js");
+var import_types4 = require("@modelcontextprotocol/sdk/types.js");
+var UpstreamClient = class {
+  transport;
+  onTransportError;
+  notificationHandlers;
+  serverRequestHandlers;
+  client = null;
+  constructor({
+    name,
+    transport,
+    onTransportError,
+    notifications,
+    serverRequests
+  }) {
+    this.transport = transport;
+    this.notificationHandlers = notifications ?? {};
+    this.serverRequestHandlers = serverRequests ?? {};
+    this.onTransportError = onTransportError ?? ((error) => {
+      import_node_process7.default.stderr.write(`[${name}] Upstream MCP transport error: ${error.message}
+`);
+    });
+  }
+  async connect() {
+    this.transport.onerror = this.onTransportError;
+    this.client = new import_client.Client(
+      { name: "dynamic-discovery-mcp", version: "1.0.0" },
+      {
+        capabilities: {
+          // Declare every client-side capability the proxy may relay on behalf of the host.
+          // Actual reachability of each feature depends on what the host supports — if the
+          // host does not support sampling, for instance, the host call returns an error
+          // which we forward back to the upstream verbatim.
+          sampling: {},
+          elicitation: {},
+          roots: { listChanged: true }
+        }
+      }
+    );
+    this.registerServerRequestHandlers(this.client);
+    if (this.notificationHandlers.onToolsListChanged !== void 0) {
+      this.client.setNotificationHandler(import_types4.ToolListChangedNotificationSchema, async () => {
+        await this.notificationHandlers.onToolsListChanged?.();
+      });
+    }
+    if (this.notificationHandlers.onResourcesListChanged !== void 0) {
+      this.client.setNotificationHandler(import_types4.ResourceListChangedNotificationSchema, async () => {
+        await this.notificationHandlers.onResourcesListChanged?.();
+      });
+    }
+    if (this.notificationHandlers.onResourceUpdated !== void 0) {
+      this.client.setNotificationHandler(import_types4.ResourceUpdatedNotificationSchema, async (notification) => {
+        await this.notificationHandlers.onResourceUpdated?.({ uri: notification.params.uri });
+      });
+    }
+    if (this.notificationHandlers.onPromptsListChanged !== void 0) {
+      this.client.setNotificationHandler(import_types4.PromptListChangedNotificationSchema, async () => {
+        await this.notificationHandlers.onPromptsListChanged?.();
+      });
+    }
+    if (this.notificationHandlers.onLogMessage !== void 0) {
+      this.client.setNotificationHandler(import_types4.LoggingMessageNotificationSchema, async (notification) => {
+        await this.notificationHandlers.onLogMessage?.(notification.params);
+      });
+    }
+    await this.client.connect(this.transport);
+  }
+  async setLoggingLevel(level, options) {
+    const client = this.requireClient();
+    await client.setLoggingLevel(level, options);
+  }
+  async listPrompts(options) {
+    const client = this.requireClient();
+    const result = await client.listPrompts(void 0, options);
+    return result.prompts;
+  }
+  async getPrompt(name, args, options) {
+    const client = this.requireClient();
+    const params = { name };
+    if (args !== void 0) {
+      params.arguments = args;
+    }
+    return client.getPrompt(params, options);
+  }
+  async complete(params, options) {
+    const client = this.requireClient();
+    return client.complete(params, options);
+  }
+  /**
+   * Returns the capabilities advertised by the upstream server during initialize.
+   * Returns `undefined` if the client is not connected, or if the SDK has not yet
+   * recorded the server's capabilities (e.g. during a partially-completed handshake).
+   */
+  getCapabilities() {
+    return this.client?.getServerCapabilities();
+  }
+  async listTools(options) {
+    const client = this.requireClient();
+    const result = await client.listTools(void 0, options);
+    return result.tools.map((tool) => {
+      const upstreamTool = {
+        name: tool.name,
+        description: tool.description ?? "",
+        inputSchema: tool.inputSchema
+      };
+      if (tool.outputSchema !== void 0) {
+        upstreamTool.outputSchema = tool.outputSchema;
+      }
+      if (tool.annotations !== void 0) {
+        upstreamTool.annotations = {
+          title: tool.annotations.title,
+          readOnlyHint: tool.annotations.readOnlyHint,
+          destructiveHint: tool.annotations.destructiveHint,
+          idempotentHint: tool.annotations.idempotentHint,
+          openWorldHint: tool.annotations.openWorldHint
+        };
+      }
+      return upstreamTool;
+    });
+  }
+  async callTool(name, input, options) {
+    const client = this.requireClient();
+    const result = await client.callTool({ name, arguments: input }, void 0, options);
+    return result;
+  }
+  async listResources(options) {
+    const client = this.requireClient();
+    const result = await client.listResources(void 0, options);
+    return result.resources;
+  }
+  async listResourceTemplates(options) {
+    const client = this.requireClient();
+    const result = await client.listResourceTemplates(void 0, options);
+    return result.resourceTemplates;
+  }
+  async readResource(uri, options) {
+    const client = this.requireClient();
+    return client.readResource({ uri }, options);
+  }
+  async subscribeResource(uri, options) {
+    const client = this.requireClient();
+    await client.subscribeResource({ uri }, options);
+  }
+  async unsubscribeResource(uri, options) {
+    const client = this.requireClient();
+    await client.unsubscribeResource({ uri }, options);
+  }
+  async disconnect() {
+    if (this.client === null) {
+      return;
+    }
+    await this.client.close();
+    this.client = null;
+  }
+  /**
+   * Sends `notifications/roots/list_changed` to the upstream, letting it know that
+   * the host's set of filesystem roots has changed.
+   */
+  async sendRootsListChanged() {
+    const client = this.requireClient();
+    await client.sendRootsListChanged();
+  }
+  registerServerRequestHandlers(client) {
+    if (this.serverRequestHandlers.onCreateMessage !== void 0) {
+      client.setRequestHandler(
+        import_types4.CreateMessageRequestSchema,
+        async (request, extra) => {
+          return this.serverRequestHandlers.onCreateMessage(request.params, {
+            signal: extra.signal
+          });
+        }
+      );
+    }
+    if (this.serverRequestHandlers.onElicitInput !== void 0) {
+      client.setRequestHandler(
+        import_types4.ElicitRequestSchema,
+        async (request, extra) => {
+          return this.serverRequestHandlers.onElicitInput(request.params, {
+            signal: extra.signal
+          });
+        }
+      );
+    }
+    if (this.serverRequestHandlers.onListRoots !== void 0) {
+      client.setRequestHandler(
+        import_types4.ListRootsRequestSchema,
+        async (request, extra) => {
+          return this.serverRequestHandlers.onListRoots(request.params, {
+            signal: extra.signal
+          });
+        }
+      );
+    }
+  }
+  requireClient() {
+    if (this.client === null) {
+      throw new Error("Client is not connected. Call connect() first.");
+    }
+    return this.client;
+  }
+};
+// src/diagnostics/test.ts
+var DESCRIPTION_MAX_LENGTH = 100;
+var DEFAULT_TIMEOUT_MS = 15e3;
+async function test(options = {}) {
+  const config = loadConfig({
+    configPath: options.configPath,
+    envFilePath: options.envFilePath
+  });
+  const write = options.write ?? ((chunk) => void import_node_process8.default.stdout.write(chunk));
+  const now = options.now ?? (() => Math.floor(Date.now() / 1e3));
+  const timeoutMs = options.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+  if (options.mcpName !== void 0) {
+    return runSingle(config, options.mcpName, {
+      write,
+      now,
+      timeoutMs,
+      json: options.json === true
+    });
+  }
+  return runAll(config, { write, now, timeoutMs, json: options.json === true });
+}
+async function runSingle(config, mcpName2, options) {
+  const entry = config.mcp[mcpName2];
+  if (entry === void 0) {
+    const available = Object.keys(config.mcp).sort().join(", ");
+    throw new Error(`Unknown MCP "${mcpName2}". Configured MCPs: ${available || "(none)"}.`);
+  }
+  if (!options.json) {
+    options.write(`Testing "${mcpName2}" (${entry.transport}, ${endpointForEntry(entry)})
+`);
+  }
+  const result = await probeOne(mcpName2, entry, options.timeoutMs, options.now);
+  if (options.json) {
+    options.write(`${JSON.stringify(result, null, 2)}
+`);
+  } else {
+    for (const step of result.steps) {
+      options.write(`  [${step.status}] ${step.label}
+`);
+      if (step.error !== void 0) {
+        options.write(`    -> ${step.error}
+`);
+      }
+    }
+    renderDiscoveredSurface(options.write, result);
+    options.write(`Result: ${result.result}
+`);
+  }
+  return result.result === "PASS" ? 0 : 1;
+}
+async function runAll(config, options) {
+  const names = Object.keys(config.mcp);
+  const total = names.length;
+  if (!options.json) {
+    options.write(`Testing all configured upstreams (${total})...
+`);
+  }
+  const results = [];
+  for (let index = 0; index < names.length; index += 1) {
+    const name = names[index];
+    const entry = config.mcp[name];
+    if (!options.json) {
+      options.write(`[${index + 1}/${total}] ${name} (${entry.transport}) ... `);
+    }
+    const result = await probeOne(name, entry, options.timeoutMs, options.now);
+    results.push(result);
+    if (!options.json) {
+      if (result.result === "PASS") {
+        const counts = `${result.tools?.length ?? 0} tools, ${(result.resources?.length ?? 0) + (result.resource_templates?.length ?? 0)} resources, ${result.prompts?.length ?? 0} prompts`;
+        options.write(`PASS (${counts})
+`);
+      } else {
+        options.write(`FAIL (${result.fail_reason ?? "unknown"})
+`);
+      }
+    }
+  }
+  const passed = results.filter((r) => r.result === "PASS").length;
+  const failed = results.length - passed;
+  if (options.json) {
+    const payload = { summary: { passed, failed }, results };
+    options.write(`${JSON.stringify(payload, null, 2)}
+`);
+  } else {
+    options.write(`
+Summary: ${passed} passed, ${failed} failed
+`);
+  }
+  return failed === 0 ? 0 : 1;
+}
+async function probeOne(mcpName2, entry, timeoutMs, now) {
+  const result = {
+    name: mcpName2,
+    result: "PASS",
+    transport: entry.transport,
+    endpoint: endpointForEntry(entry),
+    auth: deriveAuthSummary(mcpName2, entry, now),
+    steps: []
+  };
+  if (entry.transport !== "stdio") {
+    result.steps.push({ label: authStepLabel(result.auth), status: "ok" });
+  }
+  const clientHolder = { value: null };
+  let timeoutHandle;
+  const run = (async () => {
+    const transport = createTransport(mcpName2, entry);
+    const client = new UpstreamClient({
+      name: mcpName2,
+      transport,
+      onTransportError: () => {
+      }
+    });
+    clientHolder.value = client;
+    await client.connect();
+    result.steps.push({ label: "Connected and initialized", status: "ok" });
+    const caps = client.getCapabilities();
+    result.capabilities = caps;
+    result.steps.push({
+      label: `Capabilities: ${describeCapabilities(caps)}`,
+      status: "ok"
+    });
+    const tools = await client.listTools();
+    result.tools = tools.map((tool) => ({
+      name: tool.name,
+      description: tool.description
+    }));
+    result.steps.push({
+      label: `tools/list returned ${tools.length} tool${tools.length === 1 ? "" : "s"}`,
+      status: "ok"
+    });
+    let resources = [];
+    let templates = [];
+    if (caps?.resources !== void 0) {
+      try {
+        resources = await client.listResources();
+        templates = await client.listResourceTemplates();
+        result.resources = resources.map((r) => {
+          const out = {
+            uri: r.uri,
+            name: r.name
+          };
+          if (r.description !== void 0) out.description = r.description;
+          return out;
+        });
+        result.resource_templates = templates.map((t) => {
+          const out = {
+            uriTemplate: t.uriTemplate,
+            name: t.name
+          };
+          if (t.description !== void 0) out.description = t.description;
+          return out;
+        });
+        result.steps.push({
+          label: `resources/list returned ${resources.length} resource${resources.length === 1 ? "" : "s"}, ${templates.length} template${templates.length === 1 ? "" : "s"}`,
+          status: "ok"
+        });
+      } catch (error) {
+        result.steps.push({
+          label: "resources/list",
+          status: "fail",
+          error: errorMessage(error)
+        });
+      }
+    }
+    let prompts = [];
+    if (caps?.prompts !== void 0) {
+      try {
+        prompts = await client.listPrompts();
+        result.prompts = prompts.map((p) => {
+          const out = { name: p.name };
+          if (p.description !== void 0) out.description = p.description;
+          return out;
+        });
+        result.steps.push({
+          label: `prompts/list returned ${prompts.length} prompt${prompts.length === 1 ? "" : "s"}`,
+          status: "ok"
+        });
+      } catch (error) {
+        result.steps.push({
+          label: "prompts/list",
+          status: "fail",
+          error: errorMessage(error)
+        });
+      }
+    }
+  })();
+  const timeout = new Promise((_, reject) => {
+    timeoutHandle = setTimeout(() => {
+      reject(new TestTimeoutError(timeoutMs));
+    }, timeoutMs);
+  });
+  try {
+    await Promise.race([run, timeout]);
+  } catch (error) {
+    result.result = "FAIL";
+    result.fail_reason = failReason(error, mcpName2);
+    result.steps.push({
+      label: `aborted: ${result.fail_reason}`,
+      status: "fail",
+      error: errorMessage(error)
+    });
+  } finally {
+    if (timeoutHandle !== void 0) clearTimeout(timeoutHandle);
+    const connected = clientHolder.value;
+    if (connected !== null) {
+      try {
+        await connected.disconnect();
+      } catch {
+      }
+    }
+  }
+  if (result.result === "PASS" && result.steps.some((s) => s.status === "fail")) {
+    result.result = "FAIL";
+    const failed = result.steps.find((s) => s.status === "fail");
+    result.fail_reason = failed?.error ?? failed?.label ?? "unknown";
+  }
+  return result;
+}
+var TestTimeoutError = class extends Error {
+  constructor(timeoutMs) {
+    super(`Test timed out after ${timeoutMs}ms`);
+    this.name = "TestTimeoutError";
+  }
+};
+function endpointForEntry(entry) {
+  if (entry.transport === "stdio") {
+    const args = (entry.args ?? []).join(" ");
+    return args.length > 0 ? `${entry.command} ${args}` : entry.command;
+  }
+  return entry.url;
+}
+function deriveAuthSummary(mcpName2, entry, now) {
+  if (entry.transport === "stdio") return { kind: "n/a" };
+  const keychain = new KeychainStore(mcpName2, entry.url);
+  const blob = keychain.get();
+  if (blob !== void 0) {
+    return {
+      kind: "oauth",
+      status: "valid",
+      expiresInSeconds: blob.expires_at - now()
+    };
+  }
+  const hasHeader = entry.headers !== void 0 && Object.keys(entry.headers).some((k) => k.toLowerCase() === "authorization");
+  if (hasHeader) return { kind: "header" };
+  return { kind: "oauth", status: "missing" };
+}
+function authStepLabel(auth2) {
+  switch (auth2.kind) {
+    case "n/a":
+      return "(no auth applicable)";
+    case "header":
+      return "Static Authorization header present";
+    case "oauth":
+      if (auth2.status === "missing") return "No cached OAuth token";
+      return `OAuth token present (expires in ${humanizeDuration(auth2.expiresInSeconds ?? 0)})`;
+  }
+}
+function describeCapabilities(caps) {
+  if (caps === void 0) return "(none advertised)";
+  const parts = [];
+  for (const [name, value] of Object.entries(caps)) {
+    if (value === void 0 || value === null) continue;
+    if (typeof value === "object" && Object.keys(value).length > 0) {
+      const flags = Object.entries(value).filter(([, v]) => v === true).map(([k]) => k).join(",");
+      parts.push(flags.length > 0 ? `${name}(${flags})` : name);
+    } else {
+      parts.push(name);
+    }
+  }
+  return parts.length > 0 ? parts.join(", ") : "(none advertised)";
+}
+function failReason(error, mcpName2) {
+  if (isAuthRequiredError(error)) {
+    return `auth required: run \`dynmcp login ${mcpName2}\``;
+  }
+  if (error instanceof TestTimeoutError) return error.message;
+  if (error instanceof Error) return error.message.split("\n")[0] ?? "unknown error";
+  return String(error);
+}
+function errorMessage(error) {
+  if (error instanceof Error) return error.message;
+  return String(error);
+}
+function renderDiscoveredSurface(write, result) {
+  if (result.result !== "PASS") return;
+  const sections = [
+    [
+      `Tools (${result.tools?.length ?? 0})`,
+      result.tools && result.tools.length > 0 ? () => {
+        const sorted = [...result.tools ?? []].sort((a, b) => a.name.localeCompare(b.name));
+        for (const tool of sorted) {
+          write(`  - ${tool.name}: ${truncate(tool.description, DESCRIPTION_MAX_LENGTH)}
+`);
+        }
+      } : void 0
+    ],
+    [
+      `Resources (${result.resources?.length ?? 0})`,
+      result.resources && result.resources.length > 0 ? () => {
+        const sorted = [...result.resources ?? []].sort((a, b) => a.uri.localeCompare(b.uri));
+        for (const r of sorted) {
+          const tail = r.description ?? r.name;
+          write(`  - ${r.uri}: ${truncate(tail, DESCRIPTION_MAX_LENGTH)}
+`);
+        }
+      } : void 0
+    ],
+    [
+      `Resource templates (${result.resource_templates?.length ?? 0})`,
+      result.resource_templates && result.resource_templates.length > 0 ? () => {
+        const sorted = [...result.resource_templates ?? []].sort(
+          (a, b) => a.uriTemplate.localeCompare(b.uriTemplate)
+        );
+        for (const t of sorted) {
+          const tail = t.description ?? t.name;
+          write(`  - ${t.uriTemplate}: ${truncate(tail, DESCRIPTION_MAX_LENGTH)}
+`);
+        }
+      } : void 0
+    ],
+    [
+      `Prompts (${result.prompts?.length ?? 0})`,
+      result.prompts && result.prompts.length > 0 ? () => {
+        const sorted = [...result.prompts ?? []].sort((a, b) => a.name.localeCompare(b.name));
+        for (const p of sorted) {
+          const tail = p.description ?? "";
+          write(
+            `  - ${p.name}${tail.length > 0 ? `: ${truncate(tail, DESCRIPTION_MAX_LENGTH)}` : ""}
+`
+          );
+        }
+      } : void 0
+    ]
+  ];
+  for (const [header, render] of sections) {
+    if (render === void 0) continue;
+    write(`
+${header}:
+`);
+    render();
+  }
 }
-// src/config/json-schema.ts
-var import_zod2 = require("zod");
+// src/proxy/index.ts
+var import_node_process11 = __toESM(require("process"), 1);
+var import_stdio3 = require("@modelcontextprotocol/sdk/client/stdio.js");
 // src/proxy/orchestrator.ts
-var import_node_process4 = __toESM(require("process"), 1);
+var import_node_process9 = __toESM(require("process"), 1);
 // src/proxy/capability-aggregator.ts
 function aggregateCapabilities(upstreams) {
@@ -891,210 +2309,6 @@ function buildAnnotationLines(tool) {
   return lines;
 }
-// src/proxy/upstream-client.ts
-var import_node_process3 = __toESM(require("process"), 1);
-var import_client = require("@modelcontextprotocol/sdk/client/index.js");
-var import_types = require("@modelcontextprotocol/sdk/types.js");
-var UpstreamClient = class {
-  transport;
-  onTransportError;
-  notificationHandlers;
-  serverRequestHandlers;
-  client = null;
-  constructor({
-    name,
-    transport,
-    onTransportError,
-    notifications,
-    serverRequests
-  }) {
-    this.transport = transport;
-    this.notificationHandlers = notifications ?? {};
-    this.serverRequestHandlers = serverRequests ?? {};
-    this.onTransportError = onTransportError ?? ((error) => {
-      import_node_process3.default.stderr.write(`[${name}] Upstream MCP transport error: ${error.message}
-`);
-    });
-  }
-  async connect() {
-    this.transport.onerror = this.onTransportError;
-    this.client = new import_client.Client(
-      { name: "dynamic-discovery-mcp", version: "1.0.0" },
-      {
-        capabilities: {
-          // Declare every client-side capability the proxy may relay on behalf of the host.
-          // Actual reachability of each feature depends on what the host supports — if the
-          // host does not support sampling, for instance, the host call returns an error
-          // which we forward back to the upstream verbatim.
-          sampling: {},
-          elicitation: {},
-          roots: { listChanged: true }
-        }
-      }
-    );
-    this.registerServerRequestHandlers(this.client);
-    if (this.notificationHandlers.onToolsListChanged !== void 0) {
-      this.client.setNotificationHandler(import_types.ToolListChangedNotificationSchema, async () => {
-        await this.notificationHandlers.onToolsListChanged?.();
-      });
-    }
-    if (this.notificationHandlers.onResourcesListChanged !== void 0) {
-      this.client.setNotificationHandler(import_types.ResourceListChangedNotificationSchema, async () => {
-        await this.notificationHandlers.onResourcesListChanged?.();
-      });
-    }
-    if (this.notificationHandlers.onResourceUpdated !== void 0) {
-      this.client.setNotificationHandler(import_types.ResourceUpdatedNotificationSchema, async (notification) => {
-        await this.notificationHandlers.onResourceUpdated?.({ uri: notification.params.uri });
-      });
-    }
-    if (this.notificationHandlers.onPromptsListChanged !== void 0) {
-      this.client.setNotificationHandler(import_types.PromptListChangedNotificationSchema, async () => {
-        await this.notificationHandlers.onPromptsListChanged?.();
-      });
-    }
-    if (this.notificationHandlers.onLogMessage !== void 0) {
-      this.client.setNotificationHandler(import_types.LoggingMessageNotificationSchema, async (notification) => {
-        await this.notificationHandlers.onLogMessage?.(notification.params);
-      });
-    }
-    await this.client.connect(this.transport);
-  }
-  async setLoggingLevel(level, options) {
-    const client = this.requireClient();
-    await client.setLoggingLevel(level, options);
-  }
-  async listPrompts(options) {
-    const client = this.requireClient();
-    const result = await client.listPrompts(void 0, options);
-    return result.prompts;
-  }
-  async getPrompt(name, args, options) {
-    const client = this.requireClient();
-    const params = { name };
-    if (args !== void 0) {
-      params.arguments = args;
-    }
-    return client.getPrompt(params, options);
-  }
-  async complete(params, options) {
-    const client = this.requireClient();
-    return client.complete(params, options);
-  }
-  /**
-   * Returns the capabilities advertised by the upstream server during initialize.
-   * Returns `undefined` if the client is not connected, or if the SDK has not yet
-   * recorded the server's capabilities (e.g. during a partially-completed handshake).
-   */
-  getCapabilities() {
-    return this.client?.getServerCapabilities();
-  }
-  async listTools(options) {
-    const client = this.requireClient();
-    const result = await client.listTools(void 0, options);
-    return result.tools.map((tool) => {
-      const upstreamTool = {
-        name: tool.name,
-        description: tool.description ?? "",
-        inputSchema: tool.inputSchema
-      };
-      if (tool.outputSchema !== void 0) {
-        upstreamTool.outputSchema = tool.outputSchema;
-      }
-      if (tool.annotations !== void 0) {
-        upstreamTool.annotations = {
-          title: tool.annotations.title,
-          readOnlyHint: tool.annotations.readOnlyHint,
-          destructiveHint: tool.annotations.destructiveHint,
-          idempotentHint: tool.annotations.idempotentHint,
-          openWorldHint: tool.annotations.openWorldHint
-        };
-      }
-      return upstreamTool;
-    });
-  }
-  async callTool(name, input, options) {
-    const client = this.requireClient();
-    const result = await client.callTool({ name, arguments: input }, void 0, options);
-    return result;
-  }
-  async listResources(options) {
-    const client = this.requireClient();
-    const result = await client.listResources(void 0, options);
-    return result.resources;
-  }
-  async listResourceTemplates(options) {
-    const client = this.requireClient();
-    const result = await client.listResourceTemplates(void 0, options);
-    return result.resourceTemplates;
-  }
-  async readResource(uri, options) {
-    const client = this.requireClient();
-    return client.readResource({ uri }, options);
-  }
-  async subscribeResource(uri, options) {
-    const client = this.requireClient();
-    await client.subscribeResource({ uri }, options);
-  }
-  async unsubscribeResource(uri, options) {
-    const client = this.requireClient();
-    await client.unsubscribeResource({ uri }, options);
-  }
-  async disconnect() {
-    if (this.client === null) {
-      return;
-    }
-    await this.client.close();
-    this.client = null;
-  }
-  /**
-   * Sends `notifications/roots/list_changed` to the upstream, letting it know that
-   * the host's set of filesystem roots has changed.
-   */
-  async sendRootsListChanged() {
-    const client = this.requireClient();
-    await client.sendRootsListChanged();
-  }
-  registerServerRequestHandlers(client) {
-    if (this.serverRequestHandlers.onCreateMessage !== void 0) {
-      client.setRequestHandler(
-        import_types.CreateMessageRequestSchema,
-        async (request, extra) => {
-          return this.serverRequestHandlers.onCreateMessage(request.params, {
-            signal: extra.signal
-          });
-        }
-      );
-    }
-    if (this.serverRequestHandlers.onElicitInput !== void 0) {
-      client.setRequestHandler(
-        import_types.ElicitRequestSchema,
-        async (request, extra) => {
-          return this.serverRequestHandlers.onElicitInput(request.params, {
-            signal: extra.signal
-          });
-        }
-      );
-    }
-    if (this.serverRequestHandlers.onListRoots !== void 0) {
-      client.setRequestHandler(
-        import_types.ListRootsRequestSchema,
-        async (request, extra) => {
-          return this.serverRequestHandlers.onListRoots(request.params, {
-            signal: extra.signal
-          });
-        }
-      );
-    }
-  }
-  requireClient() {
-    if (this.client === null) {
-      throw new Error("Client is not connected. Call connect() first.");
-    }
-    return this.client;
-  }
-};
 // src/proxy/upstream-registry.ts
 var UpstreamRegistry = class {
   clients = /* @__PURE__ */ new Map();
@@ -1346,6 +2560,9 @@ var Orchestrator = class {
       }
     } catch (error) {
       await this.registry.deleteOne(mcpName2);
+      if (isAuthRequiredError(error)) {
+        throw error;
+      }
       const failures = this.lazyRegistry.recordFailure(mcpName2);
       if (failures >= MAX_LOAD_ATTEMPTS) {
         this.lazyRegistry.take(mcpName2);
@@ -1592,7 +2809,7 @@ var Orchestrator = class {
       targets.push(
         action(client).catch((error) => {
           const message = error instanceof Error ? error.message : String(error);
-          import_node_process4.default.stderr.write(`dynmcp: ${label} failed for "${mcpName2}": ${message}
+          import_node_process9.default.stderr.write(`dynmcp: ${label} failed for "${mcpName2}": ${message}
 `);
         })
       );
@@ -1617,13 +2834,13 @@ function splitNamespacedName(namespacedName, knownMcpNames) {
 }
 function logCollisions(resourceRouter, promptRouter) {
   for (const collision of resourceRouter.collisions()) {
-    import_node_process4.default.stderr.write(
+    import_node_process9.default.stderr.write(
       `dynmcp: resource URI collision: "${collision.uri}" is provided by "${collision.chosen}" and "${collision.shadowed}"; routing to "${collision.chosen}".
 `
     );
   }
   for (const collision of promptRouter.collisions()) {
-    import_node_process4.default.stderr.write(
+    import_node_process9.default.stderr.write(
       `dynmcp: prompt name collision: "${collision.name}" is provided by "${collision.chosen}" and "${collision.shadowed}"; routing to "${collision.chosen}".
 `
     );
@@ -1631,10 +2848,10 @@ function logCollisions(resourceRouter, promptRouter) {
 }
 // src/proxy/server.ts
-var import_node_process5 = __toESM(require("process"), 1);
+var import_node_process10 = __toESM(require("process"), 1);
 var import_server = require("@modelcontextprotocol/sdk/server/index.js");
-var import_stdio = require("@modelcontextprotocol/sdk/server/stdio.js");
-var import_types2 = require("@modelcontextprotocol/sdk/types.js");
+var import_stdio2 = require("@modelcontextprotocol/sdk/server/stdio.js");
+var import_types5 = require("@modelcontextprotocol/sdk/types.js");
 var import_zod3 = require("zod");
 var DISCOVER_TOOL_NAME = "discover_tool";
 var USE_TOOL_NAME = "use_tool";
@@ -1726,7 +2943,7 @@ var ProxyServer = class {
     }
     if (this.onRootsListChangedCallback !== void 0) {
       const callback = this.onRootsListChangedCallback;
-      server.setNotificationHandler(import_types2.RootsListChangedNotificationSchema, async () => {
+      server.setNotificationHandler(import_types5.RootsListChangedNotificationSchema, async () => {
         await callback();
       });
     }
@@ -1764,8 +2981,8 @@ var ProxyServer = class {
   }
   async start() {
     const server = this.buildServer();
-    const transport = new import_stdio.StdioServerTransport();
-    import_node_process5.default.stderr.write("Starting dynamic-discovery-mcp server over stdio\n");
+    const transport = new import_stdio2.StdioServerTransport();
+    import_node_process10.default.stderr.write("Starting dynamic-discovery-mcp server over stdio\n");
     await server.connect(transport);
   }
   /**
@@ -1832,7 +3049,7 @@ var ProxyServer = class {
     return options;
   }
   registerToolHandlers(server) {
-    server.setRequestHandler(import_types2.ListToolsRequestSchema, async () => {
+    server.setRequestHandler(import_types5.ListToolsRequestSchema, async () => {
       const tools = [
         {
           name: DISCOVER_TOOL_NAME,
@@ -1855,7 +3072,7 @@ var ProxyServer = class {
       return { tools };
     });
     server.setRequestHandler(
-      import_types2.CallToolRequestSchema,
+      import_types5.CallToolRequestSchema,
       async (request, extra) => {
         const { name, arguments: rawArgs } = request.params;
         const catalog = this.catalog();
@@ -1906,28 +3123,28 @@ var ProxyServer = class {
   }
   registerResourceHandlers(server, callbacks) {
     server.setRequestHandler(
-      import_types2.ListResourcesRequestSchema,
+      import_types5.ListResourcesRequestSchema,
       async () => ({
         resources: callbacks.listResources()
       })
     );
     server.setRequestHandler(
-      import_types2.ListResourceTemplatesRequestSchema,
+      import_types5.ListResourceTemplatesRequestSchema,
       async () => ({
         resourceTemplates: callbacks.listResourceTemplates()
       })
     );
     server.setRequestHandler(
-      import_types2.ReadResourceRequestSchema,
+      import_types5.ReadResourceRequestSchema,
       async (request, extra) => {
         return callbacks.readResource(request.params.uri, this.buildCallOptions(request, extra));
       }
     );
-    server.setRequestHandler(import_types2.SubscribeRequestSchema, async (request, extra) => {
+    server.setRequestHandler(import_types5.SubscribeRequestSchema, async (request, extra) => {
       await callbacks.subscribeResource(request.params.uri, this.buildCallOptions(request, extra));
       return {};
     });
-    server.setRequestHandler(import_types2.UnsubscribeRequestSchema, async (request, extra) => {
+    server.setRequestHandler(import_types5.UnsubscribeRequestSchema, async (request, extra) => {
       await callbacks.unsubscribeResource(
         request.params.uri,
         this.buildCallOptions(request, extra)
@@ -1937,13 +3154,13 @@ var ProxyServer = class {
   }
   registerPromptHandlers(server, callbacks) {
     server.setRequestHandler(
-      import_types2.ListPromptsRequestSchema,
+      import_types5.ListPromptsRequestSchema,
       async () => ({
         prompts: callbacks.listPrompts()
       })
     );
     server.setRequestHandler(
-      import_types2.GetPromptRequestSchema,
+      import_types5.GetPromptRequestSchema,
       async (request, extra) => {
         return callbacks.getPrompt(
           request.params.name,
@@ -1955,14 +3172,14 @@ var ProxyServer = class {
   }
   registerCompletionHandler(server, callback) {
     server.setRequestHandler(
-      import_types2.CompleteRequestSchema,
+      import_types5.CompleteRequestSchema,
       async (request, extra) => {
         return callback(request.params, this.buildCallOptions(request, extra));
       }
     );
   }
   registerLoggingHandler(server, callback) {
-    server.setRequestHandler(import_types2.SetLevelRequestSchema, async (request, extra) => {
+    server.setRequestHandler(import_types5.SetLevelRequestSchema, async (request, extra) => {
       await callback(request.params.level, this.buildCallOptions(request, extra));
       return {};
     });
@@ -1978,35 +3195,6 @@ var ProxyServer = class {
   }
 };
-// src/proxy/transport-factory.ts
-var import_stdio2 = require("@modelcontextprotocol/sdk/client/stdio.js");
-var import_streamableHttp = require("@modelcontextprotocol/sdk/client/streamableHttp.js");
-var import_sse = require("@modelcontextprotocol/sdk/client/sse.js");
-function createTransport(config) {
-  switch (config.transport) {
-    case "stdio":
-      return new import_stdio2.StdioClientTransport({
-        command: config.command,
-        args: config.args,
-        env: config.env
-      });
-    case "streamable-http":
-      return new import_streamableHttp.StreamableHTTPClientTransport(
-        new URL(config.url),
-        config.headers ? { requestInit: { headers: config.headers } } : void 0
-      );
-    case "sse":
-      return new import_sse.SSEClientTransport(
-        new URL(config.url),
-        config.headers ? { requestInit: { headers: config.headers } } : void 0
-      );
-    default: {
-      const _exhaustive = config;
-      return _exhaustive;
-    }
-  }
-}
 // src/proxy/index.ts
 var SINGLE_MCP_NAME = "__default__";
 async function startProxy(command, args) {
@@ -2024,7 +3212,7 @@ async function startProxyFromConfig(options = {}) {
   const eagerMcps = /* @__PURE__ */ new Map();
   const lazyMcps = /* @__PURE__ */ new Map();
   for (const [name, entry] of Object.entries(config.mcp)) {
-    const transport = createTransport(entry);
+    const transport = createTransport(name, entry);
     if (entry.description !== void 0) {
       lazyMcps.set(name, { transport, description: entry.description });
     } else {
@@ -2046,7 +3234,7 @@ function buildOrchestrator(params) {
     lazyMcps: params.lazyMcps,
     namespaced: params.namespaced,
     onTransportError: (mcpName2, error) => {
-      import_node_process6.default.stderr.write(
+      import_node_process11.default.stderr.write(
         `${params.transportErrorPrefix(mcpName2)} transport error: ${error.message}
 `
       );
@@ -2060,19 +3248,19 @@ async function runProxy(orchestrator) {
     if (isShuttingDown) return;
     isShuttingDown = true;
     orchestrator.disconnectAll().catch((error) => {
-      import_node_process6.default.stderr.write(
+      import_node_process11.default.stderr.write(
         `dynmcp: error during disconnect: ${error instanceof Error ? error.message : String(error)}
 `
       );
-    }).finally(() => import_node_process6.default.exit(exitCode));
+    }).finally(() => import_node_process11.default.exit(exitCode));
   };
   activeShutdown.shutdown = shutdown;
   try {
     await orchestrator.connect();
   } catch (error) {
-    import_node_process6.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+    import_node_process11.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
 `);
-    import_node_process6.default.exit(1);
+    import_node_process11.default.exit(1);
     return;
   }
   const proxyServer = new ProxyServer({
@@ -2109,10 +3297,10 @@ async function runProxy(orchestrator) {
     onElicitInput: (params, options) => proxyServer.forwardElicitInput(params, options),
     onListRoots: (params, options) => proxyServer.forwardListRoots(params, options)
   });
-  import_node_process6.default.on("SIGINT", () => shutdown(0));
-  import_node_process6.default.on("SIGTERM", () => shutdown(0));
-  import_node_process6.default.stdin.on("end", () => shutdown(0));
-  import_node_process6.default.stdin.on("close", () => shutdown(0));
+  import_node_process11.default.on("SIGINT", () => shutdown(0));
+  import_node_process11.default.on("SIGTERM", () => shutdown(0));
+  import_node_process11.default.stdin.on("end", () => shutdown(0));
+  import_node_process11.default.stdin.on("close", () => shutdown(0));
   try {
     await proxyServer.start();
   } catch (error) {
@@ -2131,41 +3319,98 @@ var cliBanner = import_chalk.default.bold.magentaBright(
 );
 var cli = new import_commander.Command(package_default.name).description(package_default.description).version(package_default.version).addHelpText("beforeAll", cliBanner).addHelpText(
   "after",
-  "\nExamples:\n  dynmcp -- npx -y chrome-devtools-mcp@latest\n  dynmcp --config ./mcp.json\n"
+  "\nExamples:\n  dynmcp -- npx -y chrome-devtools-mcp@latest\n  dynmcp --config ./mcp.json\n  dynmcp ls\n  dynmcp test github\n  dynmcp login github\n  dynmcp logout github\n"
 ).option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").allowExcessArguments(true).passThroughOptions(true).action(async (_options, cmd) => {
-  const separatorIndex = import_node_process7.default.argv.indexOf("--");
+  const separatorIndex = import_node_process12.default.argv.indexOf("--");
   const configPath = cmd.opts().config;
   const envFilePath = cmd.opts().env;
   if (separatorIndex !== -1) {
-    const [command, ...args] = import_node_process7.default.argv.slice(separatorIndex + 1);
+    const [command, ...args] = import_node_process12.default.argv.slice(separatorIndex + 1);
     if (command === void 0) {
-      import_node_process7.default.stderr.write(
+      import_node_process12.default.stderr.write(
         "dynmcp: no upstream command provided after --.\nUsage: dynmcp -- <command> [args...]\n"
       );
-      import_node_process7.default.exit(1);
+      import_node_process12.default.exit(1);
     }
     try {
       await startProxy(command, args);
     } catch (error) {
-      import_node_process7.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+      import_node_process12.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
 `);
-      import_node_process7.default.exit(1);
+      import_node_process12.default.exit(1);
     }
     return;
   }
   try {
     await startProxyFromConfig({ configPath, envFilePath });
   } catch (error) {
-    import_node_process7.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+    import_node_process12.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+    import_node_process12.default.exit(1);
+  }
+});
+cli.command("login <name>").description("Run the OAuth authorization-code flow for an upstream MCP and store tokens.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").action(async (name, options) => {
+  try {
+    await login({
+      mcpName: name,
+      ...options.config !== void 0 ? { configPath: options.config } : {},
+      ...options.env !== void 0 ? { envFilePath: options.env } : {}
+    });
+  } catch (error) {
+    import_node_process12.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+    import_node_process12.default.exit(1);
+  }
+});
+cli.command("logout <name>").description("Delete the OAuth keychain entry for an upstream MCP.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").action(async (name, options) => {
+  try {
+    await logout({
+      mcpName: name,
+      ...options.config !== void 0 ? { configPath: options.config } : {},
+      ...options.env !== void 0 ? { envFilePath: options.env } : {}
+    });
+  } catch (error) {
+    import_node_process12.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+    import_node_process12.default.exit(1);
+  }
+});
+cli.command("ls").description("List configured upstream MCPs with transport, mode, endpoint, and auth status.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").option("--json", "Emit JSON instead of the aligned text table").action(async (options) => {
+  try {
+    await list({
+      ...options.config !== void 0 ? { configPath: options.config } : {},
+      ...options.env !== void 0 ? { envFilePath: options.env } : {},
+      ...options.json === true ? { json: true } : {}
+    });
+  } catch (error) {
+    import_node_process12.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
 `);
-    import_node_process7.default.exit(1);
+    import_node_process12.default.exit(1);
   }
 });
+cli.command("test [name]").description("Probe one or all configured upstream MCPs and print their discovered catalogs.").option("-c, --config <path>", "Path to config file (JSON or YAML)").option("-e, --env <path>", "Path to a .env file for environment variable interpolation").option("--json", "Emit JSON instead of the formatted text output").option("--timeout <ms>", "Per-MCP timeout in milliseconds (default: 15000)", (v) => Number(v)).action(
+  async (name, options) => {
+    try {
+      const exitCode = await test({
+        ...name !== void 0 ? { mcpName: name } : {},
+        ...options.config !== void 0 ? { configPath: options.config } : {},
+        ...options.env !== void 0 ? { envFilePath: options.env } : {},
+        ...options.json === true ? { json: true } : {},
+        ...options.timeout !== void 0 && !Number.isNaN(options.timeout) ? { timeoutMs: options.timeout } : {}
+      });
+      if (exitCode !== 0) import_node_process12.default.exit(exitCode);
+    } catch (error) {
+      import_node_process12.default.stderr.write(`dynmcp: ${error instanceof Error ? error.message : String(error)}
+`);
+      import_node_process12.default.exit(1);
+    }
+  }
+);
 // src/index.ts
-var import_node_process8 = __toESM(require("process"), 1);
+var import_node_process13 = __toESM(require("process"), 1);
 async function main() {
-  cli.parse(import_node_process8.default.argv);
+  cli.parse(import_node_process13.default.argv);
 }
 main();
 //# sourceMappingURL=index.cjs.map