mcp-squared 0.3.2 → 0.3.3

package/dist/tui/config.js

@@ -0,0 +1,3521 @@
+// @bun
+var __defProp = Object.defineProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: (newValue) => all[name] = () => newValue
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+var __require = import.meta.require;
+
+// src/config/paths.ts
+import { existsSync, mkdirSync } from "fs";
+import { homedir, platform } from "os";
+import { dirname, join, resolve } from "path";
+function getEnv(key) {
+  return Bun.env[key];
+}
+function getXdgConfigHome() {
+  return getEnv("XDG_CONFIG_HOME") || join(homedir(), ".config");
+}
+function getUserConfigDir() {
+  const os = platform();
+  if (os === "win32") {
+    return join(getEnv("APPDATA") || join(homedir(), "AppData", "Roaming"), APP_NAME);
+  }
+  return join(getXdgConfigHome(), APP_NAME);
+}
+function ensureDir(dir) {
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+}
+function getUserConfigPath() {
+  return join(getUserConfigDir(), "config.toml");
+}
+function getSocketFilePath(instanceId) {
+  if (!instanceId) {
+    return join(getUserConfigDir(), SOCKET_FILENAME);
+  }
+  return join(getSocketDir(), `mcp-squared.${instanceId}.sock`);
+}
+function getDaemonDir(configHash) {
+  if (configHash) {
+    return join(getUserConfigDir(), DAEMON_DIR_NAME, configHash);
+  }
+  return join(getUserConfigDir(), DAEMON_DIR_NAME);
+}
+function getDaemonRegistryPath(configHash) {
+  return join(getDaemonDir(configHash), DAEMON_REGISTRY_FILENAME);
+}
+function getDaemonSocketPath(configHash) {
+  return join(getDaemonDir(configHash), DAEMON_SOCKET_FILENAME);
+}
+function getInstanceRegistryDir() {
+  return join(getUserConfigDir(), INSTANCE_DIR_NAME);
+}
+function getSocketDir() {
+  return join(getUserConfigDir(), SOCKET_DIR_NAME);
+}
+function ensureInstanceRegistryDir() {
+  ensureDir(getInstanceRegistryDir());
+}
+function ensureSocketDir() {
+  ensureDir(getSocketDir());
+}
+function ensureDaemonDir(configHash) {
+  const daemonDir = getDaemonDir(configHash);
+  if (!existsSync(daemonDir)) {
+    mkdirSync(daemonDir, { recursive: true, mode: 448 });
+  }
+}
+function findProjectConfig(startDir) {
+  let currentDir = resolve(startDir);
+  const root = dirname(currentDir);
+  while (currentDir !== root) {
+    const directPath = join(currentDir, CONFIG_FILENAME);
+    if (existsSync(directPath)) {
+      return directPath;
+    }
+    const hiddenDirPath = join(currentDir, CONFIG_DIR_NAME, "config.toml");
+    if (existsSync(hiddenDirPath)) {
+      return hiddenDirPath;
+    }
+    const parentDir = dirname(currentDir);
+    if (parentDir === currentDir)
+      break;
+    currentDir = parentDir;
+  }
+  return null;
+}
+function discoverConfigPath(cwd = process.cwd()) {
+  const envPath = getEnv("MCP_SQUARED_CONFIG");
+  if (envPath) {
+    const resolvedEnvPath = resolve(envPath);
+    if (existsSync(resolvedEnvPath)) {
+      return { path: resolvedEnvPath, source: "env" };
+    }
+  }
+  const projectPath = findProjectConfig(cwd);
+  if (projectPath) {
+    return { path: projectPath, source: "project" };
+  }
+  const userPath = getUserConfigPath();
+  if (existsSync(userPath)) {
+    return { path: userPath, source: "user" };
+  }
+  return null;
+}
+function getDefaultConfigPath() {
+  return {
+    path: getUserConfigPath(),
+    source: "user"
+  };
+}
+function ensureConfigDir(configPath) {
+  const dir = dirname(configPath);
+  ensureDir(dir);
+}
+var SOCKET_FILENAME = "mcp-squared.sock", INSTANCE_DIR_NAME = "instances", SOCKET_DIR_NAME = "sockets", DAEMON_DIR_NAME = "daemon", DAEMON_REGISTRY_FILENAME = "daemon.json", DAEMON_SOCKET_FILENAME = "daemon.sock", CONFIG_FILENAME = "mcp-squared.toml", CONFIG_DIR_NAME = ".mcp-squared", APP_NAME = "mcp-squared";
+var init_paths = () => {};
+
+// src/tui/config.ts
+import {
+  ASCIIFontRenderable,
+  BoxRenderable,
+  createCliRenderer,
+  InputRenderable,
+  RGBA,
+  SelectRenderable,
+  SelectRenderableEvents,
+  TextRenderable
+} from "@opentui/core";
+
+// src/config/instance-registry.ts
+init_paths();
+import {
+  existsSync as existsSync2,
+  mkdirSync as mkdirSync2,
+  readdirSync,
+  readFileSync,
+  renameSync,
+  unlinkSync,
+  writeFileSync
+} from "fs";
+import { connect } from "net";
+import { join as join2 } from "path";
+
+// src/config/pid.ts
+function isProcessRunning(pid) {
+  if (pid <= 0) {
+    return false;
+  }
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    const code = err && typeof err === "object" && "code" in err ? err.code : undefined;
+    return code !== "ESRCH";
+  }
+}
+
+// src/config/instance-registry.ts
+var ENTRY_EXTENSION = ".json";
+var DEFAULT_CONNECT_TIMEOUT_MS = 300;
+function ensureRegistryDir() {
+  const dir = getInstanceRegistryDir();
+  if (!existsSync2(dir)) {
+    mkdirSync2(dir, { recursive: true });
+  }
+  return dir;
+}
+function isTcpEndpoint(endpoint) {
+  return endpoint.startsWith("tcp://");
+}
+function parseTcpEndpoint(endpoint) {
+  let url;
+  try {
+    url = new URL(endpoint);
+  } catch {
+    throw new Error(`Invalid TCP endpoint: ${endpoint}`);
+  }
+  if (url.protocol !== "tcp:") {
+    throw new Error(`Invalid TCP endpoint protocol: ${url.protocol}`);
+  }
+  const host = url.hostname;
+  const port = Number.parseInt(url.port, 10);
+  if (!host || Number.isNaN(port)) {
+    throw new Error(`Invalid TCP endpoint: ${endpoint}`);
+  }
+  return { host, port };
+}
+function isValidEntry(data) {
+  if (!data || typeof data !== "object") {
+    return false;
+  }
+  const record = data;
+  const id = record["id"];
+  if (typeof id !== "string" || id.trim() === "") {
+    return false;
+  }
+  const pid = record["pid"];
+  if (typeof pid !== "number" || pid <= 0) {
+    return false;
+  }
+  const socketPath = record["socketPath"];
+  if (typeof socketPath !== "string" || socketPath.trim() === "") {
+    return false;
+  }
+  const startedAt = record["startedAt"];
+  if (typeof startedAt !== "number" || startedAt <= 0) {
+    return false;
+  }
+  const cwd = record["cwd"];
+  if (cwd && typeof cwd !== "string") {
+    return false;
+  }
+  const role = record["role"];
+  if (role && typeof role !== "string") {
+    return false;
+  }
+  const launcher = record["launcher"];
+  if (launcher && typeof launcher !== "string") {
+    return false;
+  }
+  const ppid = record["ppid"];
+  if (ppid && typeof ppid !== "number") {
+    return false;
+  }
+  const user = record["user"];
+  if (user && typeof user !== "string") {
+    return false;
+  }
+  const processName = record["processName"];
+  if (processName && typeof processName !== "string") {
+    return false;
+  }
+  const parentProcessName = record["parentProcessName"];
+  if (parentProcessName && typeof parentProcessName !== "string") {
+    return false;
+  }
+  const parentCommand = record["parentCommand"];
+  if (parentCommand && typeof parentCommand !== "string") {
+    return false;
+  }
+  const configPath = record["configPath"];
+  if (configPath && typeof configPath !== "string") {
+    return false;
+  }
+  const version = record["version"];
+  if (version && typeof version !== "string") {
+    return false;
+  }
+  const command = record["command"];
+  if (command && typeof command !== "string") {
+    return false;
+  }
+  return true;
+}
+function writeInstanceEntry(entry) {
+  const dir = ensureRegistryDir();
+  const entryPath = join2(dir, `${entry.id}${ENTRY_EXTENSION}`);
+  const tempPath = join2(dir, `.${entry.id}.${process.pid}.tmp`);
+  const payload = `${JSON.stringify(entry, null, 2)}
+`;
+  writeFileSync(tempPath, payload, { encoding: "utf8" });
+  renameSync(tempPath, entryPath);
+  return entryPath;
+}
+function readInstanceEntry(entryPath) {
+  if (!existsSync2(entryPath)) {
+    return null;
+  }
+  try {
+    const raw = readFileSync(entryPath, { encoding: "utf8" });
+    const data = JSON.parse(raw);
+    return isValidEntry(data) ? data : null;
+  } catch {
+    return null;
+  }
+}
+function deleteInstanceEntry(entryPath) {
+  if (!existsSync2(entryPath)) {
+    return true;
+  }
+  try {
+    unlinkSync(entryPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function listInstanceEntries(options = {}) {
+  const { pruneInvalid = false } = options;
+  const dir = getInstanceRegistryDir();
+  if (!existsSync2(dir)) {
+    return [];
+  }
+  const files = readdirSync(dir);
+  const entries = [];
+  for (const file of files) {
+    if (!file.endsWith(ENTRY_EXTENSION)) {
+      continue;
+    }
+    const entryPath = join2(dir, file);
+    const entry = readInstanceEntry(entryPath);
+    if (!entry) {
+      if (pruneInvalid) {
+        deleteInstanceEntry(entryPath);
+      }
+      continue;
+    }
+    entries.push({ ...entry, entryPath });
+  }
+  return entries;
+}
+async function canConnect(endpoint, timeoutMs) {
+  if (!isTcpEndpoint(endpoint) && !existsSync2(endpoint)) {
+    return false;
+  }
+  return new Promise((resolve2) => {
+    let socket = null;
+    try {
+      socket = isTcpEndpoint(endpoint) ? connect(parseTcpEndpoint(endpoint)) : connect(endpoint);
+    } catch {
+      resolve2(false);
+      return;
+    }
+    if (!socket) {
+      resolve2(false);
+      return;
+    }
+    const timeoutId = setTimeout(() => {
+      socket.destroy();
+      resolve2(false);
+    }, timeoutMs);
+    socket.once("connect", () => {
+      clearTimeout(timeoutId);
+      socket.destroy();
+      resolve2(true);
+    });
+    socket.once("error", () => {
+      clearTimeout(timeoutId);
+      socket.destroy();
+      resolve2(false);
+    });
+  });
+}
+async function isInstanceAlive(entry, timeoutMs) {
+  if (!isProcessRunning(entry.pid)) {
+    return false;
+  }
+  if (entry.role === "proxy") {
+    return true;
+  }
+  return canConnect(entry.socketPath, timeoutMs);
+}
+async function listActiveInstanceEntries(options = {}) {
+  const { prune = true, timeoutMs = DEFAULT_CONNECT_TIMEOUT_MS } = options;
+  const entries = listInstanceEntries({ pruneInvalid: prune });
+  const active = [];
+  for (const entry of entries) {
+    const alive = await isInstanceAlive(entry, timeoutMs);
+    if (alive) {
+      active.push(entry);
+    } else if (prune) {
+      deleteInstanceEntry(entry.entryPath);
+    }
+  }
+  active.sort((a, b) => b.startedAt - a.startedAt);
+  return active;
+}
+// src/config/load.ts
+import { parse as parseToml } from "smol-toml";
+import { ZodError } from "zod";
+
+// src/config/schema.ts
+import { z } from "zod";
+var LATEST_SCHEMA_VERSION = 1;
+var LogLevelSchema = z.enum([
+  "fatal",
+  "error",
+  "warn",
+  "info",
+  "debug",
+  "trace"
+]);
+var EnvRecordSchema = z.record(z.string(), z.string()).default({});
+var UpstreamBaseSchema = z.object({
+  label: z.string().min(1).optional(),
+  enabled: z.boolean().default(true),
+  env: EnvRecordSchema
+});
+var UpstreamStdioSchema = UpstreamBaseSchema.extend({
+  transport: z.literal("stdio"),
+  stdio: z.object({
+    command: z.string().min(1),
+    args: z.array(z.string()).default([]),
+    cwd: z.string().min(1).optional()
+  })
+});
+var OAuthConfigSchema = z.object({
+  callbackPort: z.number().int().min(1024).max(65535).default(8089),
+  clientName: z.string().default("MCP\xB2")
+});
+var UpstreamSseSchema = UpstreamBaseSchema.extend({
+  transport: z.literal("sse"),
+  sse: z.object({
+    url: z.string().url(),
+    headers: z.record(z.string(), z.string()).default({}),
+    auth: z.union([z.boolean(), OAuthConfigSchema]).optional()
+  })
+});
+var UpstreamServerSchema = z.discriminatedUnion("transport", [
+  UpstreamStdioSchema,
+  UpstreamSseSchema
+]);
+var SecurityToolsSchema = z.object({
+  allow: z.array(z.string()).default([]),
+  block: z.array(z.string()).default([]),
+  confirm: z.array(z.string()).default(["*:*"])
+});
+var SecuritySchema = z.object({
+  tools: SecurityToolsSchema.default({
+    allow: [],
+    block: [],
+    confirm: ["*:*"]
+  })
+}).default({
+  tools: { allow: [], block: [], confirm: ["*:*"] }
+});
+var SearchModeSchema = z.enum(["fast", "semantic", "hybrid"]);
+var DetailLevelSchema = z.enum(["L0", "L1", "L2"]);
+var FindToolsSchema = z.object({
+  defaultLimit: z.number().int().min(1).default(5),
+  maxLimit: z.number().int().min(1).max(200).default(50),
+  defaultMode: SearchModeSchema.default("fast"),
+  defaultDetailLevel: DetailLevelSchema.default("L1")
+});
+var IndexSchema = z.object({
+  refreshIntervalMs: z.number().int().min(1000).default(30000)
+});
+var LoggingSchema = z.object({
+  level: LogLevelSchema.default("info")
+});
+var EmbeddingsSchema = z.object({
+  enabled: z.boolean().default(false)
+});
+var SelectionCacheSchema = z.object({
+  enabled: z.boolean().default(true),
+  minCooccurrenceThreshold: z.number().int().min(1).default(2),
+  maxBundleSuggestions: z.number().int().min(0).default(3)
+});
+var OperationsSchema = z.object({
+  findTools: FindToolsSchema.default({
+    defaultLimit: 5,
+    maxLimit: 50,
+    defaultMode: "fast",
+    defaultDetailLevel: "L1"
+  }),
+  index: IndexSchema.default({ refreshIntervalMs: 30000 }),
+  logging: LoggingSchema.default({ level: "info" }),
+  embeddings: EmbeddingsSchema.default({ enabled: false }),
+  selectionCache: SelectionCacheSchema.default({
+    enabled: true,
+    minCooccurrenceThreshold: 2,
+    maxBundleSuggestions: 3
+  })
+}).default({
+  findTools: {
+    defaultLimit: 5,
+    maxLimit: 50,
+    defaultMode: "fast",
+    defaultDetailLevel: "L1"
+  },
+  index: { refreshIntervalMs: 30000 },
+  logging: { level: "info" },
+  embeddings: { enabled: false },
+  selectionCache: {
+    enabled: true,
+    minCooccurrenceThreshold: 2,
+    maxBundleSuggestions: 3
+  }
+});
+var ConfigSchema = z.object({
+  schemaVersion: z.literal(1).default(1),
+  upstreams: z.record(z.string().min(1), UpstreamServerSchema).default({}),
+  security: SecuritySchema,
+  operations: OperationsSchema
+});
+var DEFAULT_CONFIG = ConfigSchema.parse({});
+
+// src/config/migrations/index.ts
+class UnknownSchemaVersionError extends Error {
+  version;
+  latestVersion;
+  constructor(version, latestVersion) {
+    super(`Unknown schema version ${version} (latest supported: ${latestVersion}). This config may have been created by a newer version of MCP\xB2.`);
+    this.version = version;
+    this.latestVersion = latestVersion;
+    this.name = "UnknownSchemaVersionError";
+  }
+}
+function getSchemaVersion(config) {
+  const version = config["schemaVersion"];
+  if (typeof version === "number" && Number.isInteger(version)) {
+    return version;
+  }
+  return 0;
+}
+function migrateConfig(input) {
+  let config = { ...input };
+  let version = getSchemaVersion(config);
+  if (version > LATEST_SCHEMA_VERSION) {
+    throw new UnknownSchemaVersionError(version, LATEST_SCHEMA_VERSION);
+  }
+  while (version < LATEST_SCHEMA_VERSION) {
+    switch (version) {
+      case 0:
+        config = migrateV0ToV1(config);
+        version = 1;
+        break;
+      default:
+        throw new UnknownSchemaVersionError(version, LATEST_SCHEMA_VERSION);
+    }
+  }
+  config["schemaVersion"] = LATEST_SCHEMA_VERSION;
+  return config;
+}
+function migrateV0ToV1(config) {
+  return { ...config, schemaVersion: 1 };
+}
+
+// src/config/load.ts
+init_paths();
+class ConfigError extends Error {
+  cause;
+  constructor(message, cause) {
+    super(message);
+    this.name = "ConfigError";
+    this.cause = cause;
+  }
+}
+
+class ConfigNotFoundError extends ConfigError {
+  constructor() {
+    super("No configuration file found");
+    this.name = "ConfigNotFoundError";
+  }
+}
+
+class ConfigParseError extends ConfigError {
+  filePath;
+  constructor(filePath, cause) {
+    super(`Failed to parse config file: ${filePath}`, cause);
+    this.filePath = filePath;
+    this.name = "ConfigParseError";
+  }
+}
+
+class ConfigValidationError extends ConfigError {
+  filePath;
+  zodError;
+  constructor(filePath, zodError) {
+    const issues = zodError.issues.map((i) => `  - ${i.path.join(".")}: ${i.message}`).join(`
+`);
+    super(`Invalid configuration in ${filePath}:
+${issues}`, zodError);
+    this.filePath = filePath;
+    this.zodError = zodError;
+    this.name = "ConfigValidationError";
+  }
+}
+async function loadConfig(cwd) {
+  const discovered = discoverConfigPath(cwd);
+  if (!discovered) {
+    return {
+      config: DEFAULT_CONFIG,
+      path: getDefaultConfigPath().path,
+      source: "user"
+    };
+  }
+  return loadConfigFromPath(discovered.path, discovered.source);
+}
+async function loadConfigFromPath(filePath, source) {
+  const file = Bun.file(filePath);
+  const exists = await file.exists();
+  if (!exists) {
+    throw new ConfigNotFoundError;
+  }
+  let content;
+  try {
+    content = await file.text();
+  } catch (err) {
+    throw new ConfigParseError(filePath, err);
+  }
+  let rawConfig;
+  try {
+    rawConfig = parseToml(content);
+  } catch (err) {
+    throw new ConfigParseError(filePath, err);
+  }
+  const migrated = migrateConfig(rawConfig);
+  let config;
+  try {
+    config = ConfigSchema.parse(migrated);
+  } catch (err) {
+    if (err instanceof ZodError) {
+      throw new ConfigValidationError(filePath, err);
+    }
+    throw err;
+  }
+  return { config, path: filePath, source };
+}
+
+// src/config/index.ts
+init_paths();
+
+// src/config/save.ts
+init_paths();
+import { stringify as stringifyToml } from "smol-toml";
+
+class ConfigSaveError extends Error {
+  filePath;
+  constructor(filePath, cause) {
+    super(`Failed to save config file: ${filePath}`);
+    this.filePath = filePath;
+    this.name = "ConfigSaveError";
+    this.cause = cause;
+  }
+}
+async function saveConfig(filePath, config) {
+  ensureConfigDir(filePath);
+  let tomlContent;
+  try {
+    tomlContent = stringifyToml(config);
+  } catch (err) {
+    throw new ConfigSaveError(filePath, err);
+  }
+  try {
+    await Bun.write(filePath, tomlContent);
+  } catch (err) {
+    throw new ConfigSaveError(filePath, err);
+  }
+}
+// src/config/validate.ts
+var COMMANDS_REQUIRING_ARGS = new Set([
+  "npx",
+  "npm",
+  "bunx",
+  "bun",
+  "pnpx",
+  "yarn",
+  "node",
+  "deno",
+  "python",
+  "python3",
+  "uvx",
+  "uv"
+]);
+function validateStdioUpstream(name, config) {
+  const issues = [];
+  const { command, args } = config.stdio;
+  const commandBase = command.split("/").pop() ?? command;
+  if (COMMANDS_REQUIRING_ARGS.has(commandBase) && args.length === 0) {
+    issues.push({
+      severity: "error",
+      upstream: name,
+      message: `Command '${command}' requires arguments but args is empty`,
+      suggestion: `Add the package/script to run, e.g., args = ["-y", "package-name"]`
+    });
+  }
+  if ((commandBase === "bash" || commandBase === "sh") && args.length === 0) {
+    issues.push({
+      severity: "error",
+      upstream: name,
+      message: `Command '${command}' with empty args will read from stdin, not run an MCP server`,
+      suggestion: `Add a script to run, e.g., args = ["-c", "your-command"]`
+    });
+  }
+  if (commandBase === "docker" && args.length === 0) {
+    issues.push({
+      severity: "error",
+      upstream: name,
+      message: `Command 'docker' requires arguments to run a container`,
+      suggestion: `Add docker subcommand and image, e.g., args = ["run", "-i", "image-name"]`
+    });
+  }
+  return issues;
+}
+var LOCAL_HOSTNAMES = new Set(["localhost", "127.0.0.1", "::1"]);
+function validateSseUpstream(name, config) {
+  const issues = [];
+  try {
+    const parsedUrl = new URL(config.sse.url);
+    const hostname = parsedUrl.hostname.toLowerCase();
+    const isLocal = LOCAL_HOSTNAMES.has(hostname);
+    if (parsedUrl.protocol === "http:" && !isLocal) {
+      issues.push({
+        severity: "warning",
+        upstream: name,
+        message: `SSE upstream uses unencrypted HTTP URL: ${config.sse.url}`,
+        suggestion: "Use HTTPS for remote upstreams to prevent token/header exposure in transit"
+      });
+    }
+  } catch {}
+  for (const [headerName, headerValue] of Object.entries(config.sse.headers)) {
+    const isAuthorization = headerName.toLowerCase() === "authorization";
+    const isBearer = /^Bearer\s+/i.test(headerValue);
+    const usesEnvPlaceholder = /^Bearer\s+\$/i.test(headerValue.trim());
+    if (isAuthorization && isBearer && !usesEnvPlaceholder) {
+      issues.push({
+        severity: "warning",
+        upstream: name,
+        message: "Authorization header appears to contain a literal bearer token",
+        suggestion: 'Use an environment placeholder, e.g., Authorization = "Bearer $API_TOKEN"'
+      });
+    }
+  }
+  return issues;
+}
+function validateUpstreamConfig(name, config) {
+  if (config.transport === "stdio") {
+    return validateStdioUpstream(name, config);
+  }
+  return validateSseUpstream(name, config);
+}
+function validateConfig(config) {
+  const issues = [];
+  for (const [name, upstream] of Object.entries(config.upstreams)) {
+    if (!upstream.enabled)
+      continue;
+    issues.push(...validateUpstreamConfig(name, upstream));
+  }
+  return issues;
+}
+function formatValidationIssues(issues) {
+  if (issues.length === 0)
+    return "";
+  const lines = [];
+  const errors = issues.filter((i) => i.severity === "error");
+  const warnings = issues.filter((i) => i.severity === "warning");
+  if (errors.length > 0) {
+    lines.push(`
+\x1B[31mConfiguration Errors:\x1B[0m`);
+    for (const error of errors) {
+      lines.push(`  \x1B[31m\u2717\x1B[0m ${error.upstream}: ${error.message}`);
+      if (error.suggestion) {
+        lines.push(`    \x1B[90m\u2192 ${error.suggestion}\x1B[0m`);
+      }
+    }
+  }
+  if (warnings.length > 0) {
+    lines.push(`
+\x1B[33mConfiguration Warnings:\x1B[0m`);
+    for (const warning of warnings) {
+      lines.push(`  \x1B[33m\u26A0\x1B[0m ${warning.upstream}: ${warning.message}`);
+      if (warning.suggestion) {
+        lines.push(`    \x1B[90m\u2192 ${warning.suggestion}\x1B[0m`);
+      }
+    }
+  }
+  return lines.join(`
+`);
+}
+// src/upstream/cataloger.ts
+import { UnauthorizedError as UnauthorizedError2 } from "@modelcontextprotocol/sdk/client/auth.js";
+import { Client as Client2 } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { StreamableHTTPClientTransport as StreamableHTTPClientTransport2 } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+
+// src/oauth/browser.ts
+import { spawn } from "child_process";
+async function openBrowser(url) {
+  const platform2 = process.platform;
+  let command;
+  let args;
+  switch (platform2) {
+    case "darwin":
+      command = "open";
+      args = [url];
+      break;
+    case "win32":
+      command = "powershell";
+      args = [
+        "-NoProfile",
+        "-NonInteractive",
+        "-Command",
+        `Start-Process '${url.replace(/'/g, "''")}'`
+      ];
+      break;
+    default:
+      command = "xdg-open";
+      args = [url];
+      break;
+  }
+  return new Promise((resolve2) => {
+    const child = spawn(command, args, {
+      detached: true,
+      stdio: "ignore"
+    });
+    child.on("error", () => {
+      resolve2(false);
+    });
+    child.on("spawn", () => {
+      child.unref();
+      resolve2(true);
+    });
+  });
+}
+function logAuthorizationUrl(url) {
+  console.error(`
+Please open this URL in your browser to authorize:
+`);
+  console.error(`  ${url}
+`);
+  console.error(`Waiting for authorization...
+`);
+}
+// src/oauth/callback-server.ts
+import { createServer } from "http";
+function getSuccessHtml() {
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <title>Authorization Complete</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: #f5f5f5;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: white;
+      border-radius: 8px;
+      box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+    }
+    h1 { color: #22c55e; margin-bottom: 10px; }
+    p { color: #666; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Complete</h1>
+    <p>You can close this window and return to your terminal.</p>
+  </div>
+  <script>
+    // Try to close the window after a short delay
+    setTimeout(() => { window.close(); }, 2000);
+  </script>
+</body>
+</html>`;
+}
+function escapeHtml(str) {
+  return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
+}
+function getErrorHtml(error, description) {
+  const safeError = escapeHtml(error);
+  const safeDescription = description ? escapeHtml(description) : undefined;
+  return `<!DOCTYPE html>
+<html>
+<head>
+  <title>Authorization Failed</title>
+  <style>
+    body {
+      font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
+      display: flex;
+      justify-content: center;
+      align-items: center;
+      height: 100vh;
+      margin: 0;
+      background: #f5f5f5;
+    }
+    .container {
+      text-align: center;
+      padding: 40px;
+      background: white;
+      border-radius: 8px;
+      box-shadow: 0 2px 10px rgba(0,0,0,0.1);
+    }
+    h1 { color: #ef4444; margin-bottom: 10px; }
+    p { color: #666; }
+    .error { font-family: monospace; background: #fee; padding: 10px; border-radius: 4px; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>Authorization Failed</h1>
+    <p class="error">${safeError}${safeDescription ? `: ${safeDescription}` : ""}</p>
+    <p>Please close this window and try again.</p>
+  </div>
+</body>
+</html>`;
+}
+
+class OAuthCallbackServer {
+  server = null;
+  port;
+  path;
+  timeoutMs;
+  constructor(options = {}) {
+    this.port = options.port ?? 8089;
+    this.path = options.path ?? "/callback";
+    this.timeoutMs = options.timeoutMs ?? 300000;
+  }
+  async waitForCallback() {
+    return new Promise((resolve2, reject) => {
+      let resolved = false;
+      const timeoutId = setTimeout(() => {
+        fail(new Error(`OAuth callback timeout after ${this.timeoutMs}ms`));
+      }, this.timeoutMs);
+      const cleanup = () => {
+        if (timeoutId) {
+          clearTimeout(timeoutId);
+        }
+        this.stop();
+      };
+      const complete = (result) => {
+        if (resolved)
+          return;
+        resolved = true;
+        cleanup();
+        resolve2(result);
+      };
+      const fail = (error) => {
+        if (resolved)
+          return;
+        resolved = true;
+        cleanup();
+        reject(error);
+      };
+      this.server = createServer((req, res) => {
+        const url = new URL(req.url ?? "/", `http://localhost:${this.port}`);
+        if (url.pathname !== this.path) {
+          res.writeHead(404);
+          res.end("Not Found");
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const error = url.searchParams.get("error");
+        const errorDescription = url.searchParams.get("error_description");
+        const state = url.searchParams.get("state");
+        res.writeHead(200, { "Content-Type": "text/html" });
+        if (error) {
+          res.end(getErrorHtml(error, errorDescription ?? undefined));
+        } else {
+          res.end(getSuccessHtml());
+        }
+        const result = {};
+        if (code)
+          result.code = code;
+        if (error)
+          result.error = error;
+        if (errorDescription)
+          result.errorDescription = errorDescription;
+        if (state)
+          result.state = state;
+        complete(result);
+      });
+      this.server.on("error", (err) => {
+        fail(err);
+      });
+      this.server.listen(this.port, "127.0.0.1", () => {
+        const addr = this.server?.address();
+        if (addr) {}
+      });
+    });
+  }
+  stop() {
+    if (this.server) {
+      this.server.close();
+      this.server = null;
+    }
+  }
+  getCallbackUrl() {
+    return `http://127.0.0.1:${this.port}${this.path}`;
+  }
+}
+// src/oauth/preflight.ts
+import { UnauthorizedError } from "@modelcontextprotocol/sdk/client/auth.js";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+
+// src/version.ts
+import { readFileSync as readFileSync2 } from "fs";
+import { createRequire } from "module";
+function normalizeVersion(value) {
+  if (typeof value !== "string") {
+    return;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : undefined;
+}
+function readManifestFile(manifestUrl) {
+  const raw = readFileSync2(manifestUrl, "utf8");
+  return JSON.parse(raw);
+}
+function readBundledManifestFile() {
+  const require2 = createRequire(import.meta.url);
+  return require2("../package.json");
+}
+function resolveVersion(options = {}) {
+  const readManifest = options.readManifest ?? readManifestFile;
+  const manifestUrl = options.manifestUrl ?? new URL("../package.json", import.meta.url);
+  try {
+    const manifest = readManifest(manifestUrl);
+    const manifestVersion = normalizeVersion(manifest.version);
+    if (manifestVersion) {
+      return manifestVersion;
+    }
+  } catch {}
+  const envVersion = normalizeVersion((options.env ?? process.env)["npm_package_version"]);
+  if (envVersion) {
+    return envVersion;
+  }
+  const readBundledManifest = options.readBundledManifest ?? readBundledManifestFile;
+  try {
+    const bundledVersion = normalizeVersion(readBundledManifest().version);
+    if (bundledVersion) {
+      return bundledVersion;
+    }
+  } catch {}
+  return normalizeVersion(options.fallbackVersion) ?? "0.0.0";
+}
+var VERSION = resolveVersion();
+
+// src/oauth/provider.ts
+var DEFAULT_OAUTH_CALLBACK_PORT = 8089;
+var DEFAULT_OAUTH_CLIENT_NAME = "MCP\xB2";
+function isValidCallbackPort(value) {
+  return Number.isInteger(value) && value >= 1 && value <= 65535;
+}
+function isValidClientName(value) {
+  return value.trim().length > 0;
+}
+function resolveOAuthProviderOptions(authConfig) {
+  if (!authConfig || typeof authConfig !== "object") {
+    return {
+      callbackPort: DEFAULT_OAUTH_CALLBACK_PORT,
+      clientName: DEFAULT_OAUTH_CLIENT_NAME
+    };
+  }
+  const callbackPort = authConfig.callbackPort ?? DEFAULT_OAUTH_CALLBACK_PORT;
+  if (!isValidCallbackPort(callbackPort)) {
+    throw new RangeError(`Invalid OAuth callbackPort: ${callbackPort}`);
+  }
+  const clientName = authConfig.clientName ?? DEFAULT_OAUTH_CLIENT_NAME;
+  if (typeof clientName !== "string" || !isValidClientName(clientName)) {
+    throw new TypeError(`Invalid OAuth clientName: ${String(clientName)}`);
+  }
+  return {
+    callbackPort,
+    clientName
+  };
+}
+
+class McpOAuthProvider {
+  upstreamName;
+  storage;
+  callbackPort;
+  _clientName;
+  _nonInteractive;
+  _state;
+  constructor(upstreamName, storage, options = {}) {
+    this.upstreamName = upstreamName;
+    this.storage = storage;
+    this.callbackPort = options.callbackPort ?? DEFAULT_OAUTH_CALLBACK_PORT;
+    this._clientName = options.clientName ?? DEFAULT_OAUTH_CLIENT_NAME;
+    this._nonInteractive = options.nonInteractive ?? false;
+  }
+  get redirectUrl() {
+    return `http://localhost:${this.callbackPort}/callback`;
+  }
+  get clientMetadata() {
+    return {
+      client_name: this._clientName,
+      redirect_uris: [this.redirectUrl],
+      grant_types: ["authorization_code", "refresh_token"],
+      response_types: ["code"],
+      token_endpoint_auth_method: "none"
+    };
+  }
+  state() {
+    if (!this._state) {
+      const array = new Uint8Array(32);
+      crypto.getRandomValues(array);
+      this._state = Array.from(array, (b) => b.toString(16).padStart(2, "0")).join("");
+    }
+    return this._state;
+  }
+  verifyState(receivedState) {
+    return this._state === receivedState;
+  }
+  clientInformation() {
+    const data = this.storage.load(this.upstreamName);
+    return data?.clientInfo;
+  }
+  saveClientInformation(clientInfo) {
+    const data = this.storage.load(this.upstreamName) ?? {};
+    data.clientInfo = clientInfo;
+    this.storage.save(this.upstreamName, data);
+  }
+  tokens() {
+    const data = this.storage.load(this.upstreamName);
+    return data?.tokens;
+  }
+  saveTokens(tokens) {
+    const data = this.storage.load(this.upstreamName) ?? {};
+    data.tokens = tokens;
+    if (tokens.expires_in) {
+      data.expiresAt = Date.now() + tokens.expires_in * 1000;
+    }
+    this.storage.save(this.upstreamName, data);
+  }
+  async redirectToAuthorization(authorizationUrl) {
+    if (this._nonInteractive) {
+      throw new Error(`OAuth authorization required. Run: mcp-squared auth ${this.upstreamName}`);
+    }
+    const urlString = authorizationUrl.toString();
+    console.error(`
+Opening browser for authorization...`);
+    console.error(`URL: ${urlString}
+`);
+    const opened = await openBrowser(urlString);
+    if (!opened) {
+      logAuthorizationUrl(urlString);
+    }
+  }
+  saveCodeVerifier(codeVerifier) {
+    const data = this.storage.load(this.upstreamName) ?? {};
+    data.codeVerifier = codeVerifier;
+    this.storage.save(this.upstreamName, data);
+  }
+  async codeVerifier() {
+    const data = this.storage.load(this.upstreamName);
+    if (!data?.codeVerifier) {
+      throw new Error("No code verifier stored");
+    }
+    return data.codeVerifier;
+  }
+  clearCodeVerifier() {
+    const data = this.storage.load(this.upstreamName);
+    if (data) {
+      const { codeVerifier: _, ...rest } = data;
+      this.storage.save(this.upstreamName, rest);
+    }
+  }
+  invalidateCredentials(scope) {
+    const data = this.storage.load(this.upstreamName);
+    if (!data)
+      return;
+    switch (scope) {
+      case "all":
+        this.storage.delete(this.upstreamName);
+        break;
+      case "client": {
+        const { clientInfo: _, ...rest } = data;
+        this.storage.save(this.upstreamName, rest);
+        break;
+      }
+      case "tokens": {
+        const { tokens: _, expiresAt: __, ...rest } = data;
+        this.storage.save(this.upstreamName, rest);
+        break;
+      }
+      case "verifier": {
+        const { codeVerifier: _, ...rest } = data;
+        this.storage.save(this.upstreamName, rest);
+        break;
+      }
+    }
+  }
+  isInteractive() {
+    return true;
+  }
+  isNonInteractive() {
+    return this._nonInteractive;
+  }
+  isTokenExpired(bufferMs = 60000) {
+    const data = this.storage.load(this.upstreamName);
+    if (!data?.expiresAt)
+      return true;
+    return Date.now() >= data.expiresAt - bufferMs;
+  }
+  clearAll() {
+    this.storage.delete(this.upstreamName);
+    this._state = undefined;
+  }
+}
+
+// src/oauth/token-storage.ts
+import {
+  chmodSync,
+  existsSync as existsSync3,
+  mkdirSync as mkdirSync3,
+  readFileSync as readFileSync3,
+  unlinkSync as unlinkSync2,
+  writeFileSync as writeFileSync2
+} from "fs";
+import { homedir as homedir2 } from "os";
+import { join as join3 } from "path";
+function getDefaultTokenDir() {
+  const configDir = process.env["XDG_CONFIG_HOME"] || join3(homedir2(), ".config");
+  return join3(configDir, "mcp-squared", "tokens");
+}
+function sanitizeUpstreamName(name) {
+  return name.replace(/[^a-zA-Z0-9_-]/g, "_");
+}
+
+class TokenStorage {
+  baseDir;
+  constructor(baseDir) {
+    this.baseDir = baseDir ?? getDefaultTokenDir();
+    this.ensureDir();
+  }
+  ensureDir() {
+    if (!existsSync3(this.baseDir)) {
+      mkdirSync3(this.baseDir, { recursive: true, mode: 448 });
+    }
+    try {
+      chmodSync(this.baseDir, 448);
+    } catch {}
+  }
+  getFilePath(upstreamName) {
+    const safeName = sanitizeUpstreamName(upstreamName);
+    return join3(this.baseDir, `${safeName}.json`);
+  }
+  load(upstreamName) {
+    const filePath = this.getFilePath(upstreamName);
+    if (!existsSync3(filePath)) {
+      return;
+    }
+    try {
+      const content = readFileSync3(filePath, "utf-8");
+      return JSON.parse(content);
+    } catch {
+      return;
+    }
+  }
+  save(upstreamName, data) {
+    this.ensureDir();
+    const filePath = this.getFilePath(upstreamName);
+    const dataWithTimestamp = {
+      ...data,
+      updatedAt: Date.now()
+    };
+    writeFileSync2(filePath, JSON.stringify(dataWithTimestamp, null, 2), {
+      mode: 384
+    });
+    try {
+      chmodSync(filePath, 384);
+    } catch {}
+  }
+  delete(upstreamName) {
+    const filePath = this.getFilePath(upstreamName);
+    if (existsSync3(filePath)) {
+      unlinkSync2(filePath);
+    }
+  }
+  isExpired(upstreamName, bufferMs = 60000) {
+    const data = this.load(upstreamName);
+    if (!data?.tokens || !data.expiresAt) {
+      return true;
+    }
+    return Date.now() >= data.expiresAt - bufferMs;
+  }
+  updateTokens(upstreamName, tokens) {
+    const existing = this.load(upstreamName) ?? {};
+    const updatedData = {
+      ...existing,
+      tokens
+    };
+    if (tokens.expires_in) {
+      updatedData.expiresAt = Date.now() + tokens.expires_in * 1000;
+    }
+    this.save(upstreamName, updatedData);
+  }
+  saveCodeVerifier(upstreamName, codeVerifier) {
+    const existing = this.load(upstreamName) ?? {};
+    this.save(upstreamName, {
+      ...existing,
+      codeVerifier
+    });
+  }
+  getAndClearCodeVerifier(upstreamName) {
+    const data = this.load(upstreamName);
+    const verifier = data?.codeVerifier;
+    if (verifier && data) {
+      const { codeVerifier: _, ...rest } = data;
+      this.save(upstreamName, rest);
+    }
+    return verifier;
+  }
+  saveState(upstreamName, state) {
+    const existing = this.load(upstreamName) ?? {};
+    this.save(upstreamName, {
+      ...existing,
+      state
+    });
+  }
+  verifyAndClearState(upstreamName, state) {
+    const data = this.load(upstreamName);
+    const storedState = data?.state;
+    if (storedState && data) {
+      const { state: _, ...rest } = data;
+      this.save(upstreamName, rest);
+    }
+    return storedState === state;
+  }
+}
+
+// src/oauth/preflight.ts
+function getPreflightClientMetadata() {
+  return {
+    name: "mcp-squared-preflight",
+    version: VERSION
+  };
+}
+async function performPreflightAuth(config) {
+  const result = {
+    authenticated: [],
+    alreadyValid: [],
+    failed: []
+  };
+  const tokenStorage = new TokenStorage;
+  const sseUpstreams = [];
+  for (const [name, upstream] of Object.entries(config.upstreams)) {
+    if (!upstream.enabled)
+      continue;
+    if (upstream.transport !== "sse")
+      continue;
+    const sseConfig = upstream;
+    if (!sseConfig.sse.auth)
+      continue;
+    sseUpstreams.push({ name, config: sseConfig });
+  }
+  if (sseUpstreams.length === 0) {
+    return result;
+  }
+  for (const { name, config: sseConfig } of sseUpstreams) {
+    try {
+      const { callbackPort, clientName } = resolveOAuthProviderOptions(sseConfig.sse.auth);
+      const authProvider = new McpOAuthProvider(name, tokenStorage, {
+        callbackPort,
+        clientName
+      });
+      const existingTokens = authProvider.tokens();
+      if (existingTokens && !authProvider.isTokenExpired()) {
+        result.alreadyValid.push(name);
+        continue;
+      }
+      console.error(`
+[preflight] OAuth required for '${name}'`);
+      console.error(`[preflight] Server URL: ${sseConfig.sse.url}`);
+      await performInteractiveAuth(name, sseConfig, authProvider, callbackPort);
+      result.authenticated.push(name);
+      console.error(`[preflight] \u2713 Authentication successful for '${name}'`);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      result.failed.push({ name, error: message });
+      console.error(`[preflight] \u2717 Authentication failed for '${name}': ${message}`);
+    }
+  }
+  return result;
+}
+async function performInteractiveAuth(name, sseConfig, authProvider, callbackPort) {
+  const callbackServer = new OAuthCallbackServer({
+    port: callbackPort,
+    path: "/callback",
+    timeoutMs: 300000
+  });
+  console.error(`[preflight:${name}] Callback URL: ${callbackServer.getCallbackUrl()}`);
+  const transport = new StreamableHTTPClientTransport(new URL(sseConfig.sse.url), {
+    authProvider,
+    requestInit: {
+      headers: { ...sseConfig.sse.headers }
+    }
+  });
+  const client = new Client(getPreflightClientMetadata());
+  try {
+    console.error(`[preflight:${name}] Connecting to server (will trigger OAuth)...`);
+    await client.connect(transport);
+    callbackServer.stop();
+    try {
+      await client.close();
+    } catch {}
+    console.error(`[preflight:${name}] Already authenticated!`);
+    return;
+  } catch (err) {
+    if (!(err instanceof UnauthorizedError)) {
+      callbackServer.stop();
+      throw err;
+    }
+    console.error(`[preflight:${name}] Waiting for browser authorization...`);
+  }
+  try {
+    const callbackResult = await callbackServer.waitForCallback();
+    if (callbackResult.error) {
+      throw new Error(`OAuth error: ${callbackResult.error}${callbackResult.errorDescription ? `: ${callbackResult.errorDescription}` : ""}`);
+    }
+    if (!callbackResult.code) {
+      throw new Error("No authorization code received");
+    }
+    if (!callbackResult.state || !authProvider.verifyState(callbackResult.state)) {
+      throw new Error("OAuth state mismatch - possible CSRF attack");
+    }
+    console.error(`[preflight:${name}] Authorization code received, completing...`);
+    await transport.finishAuth(callbackResult.code);
+    authProvider.clearCodeVerifier();
+  } finally {
+    callbackServer.stop();
+    try {
+      await client.close();
+    } catch {}
+  }
+}
+// src/security/policy.ts
+var CONFIRMATION_TTL_MS = 5 * 60 * 1000;
+var pendingConfirmations = new Map;
+function matchesPattern(pattern, serverKey, toolName) {
+  const [patternServer, patternTool] = pattern.split(":", 2);
+  if (!patternServer || !patternTool) {
+    return false;
+  }
+  const serverMatches = patternServer === "*" || patternServer === serverKey;
+  const toolMatches = patternTool === "*" || patternTool === toolName;
+  return serverMatches && toolMatches;
+}
+function matchesAnyPattern(patterns, serverKey, toolName) {
+  return patterns.some((pattern) => matchesPattern(pattern, serverKey, toolName));
+}
+function generateToken() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+function cleanupExpiredTokens() {
+  const now = Date.now();
+  for (const [token, confirmation] of pendingConfirmations) {
+    if (now - confirmation.createdAt > CONFIRMATION_TTL_MS) {
+      pendingConfirmations.delete(token);
+    }
+  }
+}
+function validateConfirmationToken(token, serverKey, toolName) {
+  cleanupExpiredTokens();
+  const confirmation = pendingConfirmations.get(token);
+  if (!confirmation) {
+    return false;
+  }
+  if (confirmation.serverKey !== serverKey || confirmation.toolName !== toolName) {
+    return false;
+  }
+  pendingConfirmations.delete(token);
+  return true;
+}
+function createConfirmationToken(serverKey, toolName) {
+  cleanupExpiredTokens();
+  const token = generateToken();
+  pendingConfirmations.set(token, {
+    serverKey,
+    toolName,
+    createdAt: Date.now()
+  });
+  return token;
+}
+function evaluatePolicy(context, config) {
+  const { serverKey, toolName, confirmationToken } = context;
+  const { block, confirm, allow } = config.security.tools;
+  if (matchesAnyPattern(block, serverKey, toolName)) {
+    return {
+      decision: "block",
+      reason: `Tool "${toolName}" on server "${serverKey}" is blocked by security policy`
+    };
+  }
+  if (matchesAnyPattern(allow, serverKey, toolName)) {
+    return {
+      decision: "allow",
+      reason: `Tool "${toolName}" is allowed by security policy`
+    };
+  }
+  if (matchesAnyPattern(confirm, serverKey, toolName)) {
+    if (confirmationToken && validateConfirmationToken(confirmationToken, serverKey, toolName)) {
+      return {
+        decision: "allow",
+        reason: `Tool "${toolName}" confirmed with valid token`
+      };
+    }
+    const token = createConfirmationToken(serverKey, toolName);
+    return {
+      decision: "confirm",
+      reason: `Tool "${toolName}" on server "${serverKey}" requires confirmation`,
+      confirmationToken: token
+    };
+  }
+  return {
+    decision: "block",
+    reason: `Tool "${toolName}" on server "${serverKey}" is not in the allow or confirm list`
+  };
+}
+function compilePolicy(config) {
+  return {
+    blockPatterns: config.security.tools.block,
+    confirmPatterns: config.security.tools.confirm,
+    allowPatterns: config.security.tools.allow
+  };
+}
+function getToolVisibilityCompiled(serverKey, toolName, policy) {
+  return getToolVisibilityFromPatterns(serverKey, toolName, policy.blockPatterns, policy.confirmPatterns, policy.allowPatterns);
+}
+function getToolVisibilityFromPatterns(serverKey, toolName, block, confirm, allow) {
+  if (matchesAnyPattern(block, serverKey, toolName)) {
+    return { visible: false, requiresConfirmation: false };
+  }
+  if (matchesAnyPattern(allow, serverKey, toolName)) {
+    return { visible: true, requiresConfirmation: false };
+  }
+  if (matchesAnyPattern(confirm, serverKey, toolName)) {
+    return { visible: true, requiresConfirmation: true };
+  }
+  return { visible: false, requiresConfirmation: false };
+}
+// src/security/sanitize.ts
+var DEFAULT_MAX_LENGTH = 2000;
+var DEFAULT_INJECTION_PATTERNS = [
+  /ignore\s+(all\s+)?previous\s+instructions?/gi,
+  /disregard\s+(all\s+)?previous/gi,
+  /forget\s+(everything|all|what)\s+(you('ve)?|i)\s+(said|told|learned)/gi,
+  /override\s+(all\s+)?(previous\s+)?instructions?/gi,
+  /you\s+are\s+(now\s+)?(a|an|the)\s+\w+/gi,
+  /act\s+as\s+(a|an|the)?\s*\w+/gi,
+  /pretend\s+(to\s+be|you('re)?)\s+/gi,
+  /your\s+new\s+(role|persona|identity)/gi,
+  /from\s+now\s+on\s+(you|act|behave)/gi,
+  /show\s+(me\s+)?(your\s+)?(system\s+)?prompt/gi,
+  /print\s+(your\s+)?instructions/gi,
+  /reveal\s+(your\s+)?configuration/gi,
+  /what\s+(are|is)\s+your\s+(system\s+)?(prompt|instructions)/gi,
+  /repeat\s+(your\s+)?(system\s+)?prompt/gi,
+  /developer\s+mode/gi,
+  /\bdan\s+mode\b/gi,
+  /\bdeveloper\s+override\b/gi,
+  /\[system\]/gi,
+  /\[admin\]/gi,
+  /\[assistant\]/gi,
+  /\[user\]/gi,
+  /<<\s*system\s*>>/gi,
+  /<<\s*admin\s*>>/gi,
+  /base64[:\s]/gi,
+  /decode\s+this/gi,
+  /execute\s+the\s+following/gi
+];
+function sanitizeDescription(description, options = {}) {
+  if (description === undefined || description === null) {
+    return;
+  }
+  const maxLength = options.maxLength ?? DEFAULT_MAX_LENGTH;
+  const patterns = options.stripPatterns ?? DEFAULT_INJECTION_PATTERNS;
+  const normalizeWs = options.normalizeWhitespace ?? true;
+  let sanitized = description;
+  sanitized = sanitized.normalize("NFC");
+  sanitized = sanitized.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
+  for (const pattern of patterns) {
+    pattern.lastIndex = 0;
+    sanitized = sanitized.replace(pattern, "[REDACTED]");
+  }
+  if (normalizeWs) {
+    sanitized = sanitized.replace(/[ \t]+/g, " ").replace(/\n{3,}/g, `
+
+`).trim();
+  }
+  if (sanitized.length > maxLength) {
+    sanitized = `${sanitized.slice(0, maxLength - 3)}...`;
+  }
+  return sanitized;
+}
+// src/utils/tool-names.ts
+function parseQualifiedName(input) {
+  const colonIndex = input.indexOf(":");
+  if (colonIndex === -1) {
+    return {
+      serverKey: null,
+      toolName: input
+    };
+  }
+  return {
+    serverKey: input.slice(0, colonIndex),
+    toolName: input.slice(colonIndex + 1)
+  };
+}
+function formatQualifiedName(serverKey, toolName) {
+  return `${serverKey}:${toolName}`;
+}
+
+// src/utils/transport.ts
+async function safelyCloseTransport(transport, timeoutMs = 1000) {
+  const childProcess = transport?._process;
+  if (childProcess && typeof childProcess.kill === "function") {
+    try {
+      await Promise.race([
+        transport.close(),
+        new Promise((_, reject) => setTimeout(() => reject(new Error("Close timeout")), timeoutMs))
+      ]);
+    } catch (err) {
+      if (err instanceof Error && err.message !== "Close timeout") {
+        console.warn(`[mcp\xB2] Transport close warning: ${err.message}`);
+      }
+    }
+    const processStillRunning = childProcess.exitCode == null && !childProcess.killed;
+    if (processStillRunning) {
+      try {
+        childProcess.kill("SIGTERM");
+        if (typeof childProcess.once === "function") {
+          await waitForProcessExit(childProcess, 5000);
+        }
+      } catch (err) {
+        if (err instanceof Error) {
+          console.warn(`[mcp\xB2] Process cleanup warning: ${err.message}`);
+        }
+      }
+    }
+    return;
+  }
+  try {
+    await transport.close();
+  } catch (err) {
+    if (err instanceof Error) {
+      console.warn(`[mcp\xB2] Transport close warning: ${err.message}`);
+    }
+  }
+}
+async function waitForProcessExit(proc, timeoutMs) {
+  if (proc.exitCode != null) {
+    return;
+  }
+  return new Promise((resolve2) => {
+    const timeoutId = setTimeout(() => {
+      if (proc.exitCode == null) {
+        try {
+          proc.kill("SIGKILL");
+        } catch {}
+      }
+      proc.off("exit", onExit);
+      resolve2();
+    }, timeoutMs);
+    timeoutId.unref();
+    const onExit = () => {
+      clearTimeout(timeoutId);
+      proc.off("exit", onExit);
+      resolve2();
+    };
+    proc.once("exit", onExit);
+  });
+}
+
+// src/upstream/cataloger.ts
+function resolveEnvVars(env) {
+  const resolved = {};
+  for (const [key, value] of Object.entries(env)) {
+    if (value.startsWith("$")) {
+      const envKey = value.slice(1);
+      resolved[key] = process.env[envKey] ?? "";
+    } else {
+      resolved[key] = value;
+    }
+  }
+  return resolved;
+}
+
+class Cataloger {
+  connections = new Map;
+  connectTimeoutMs;
+  constructor(options = {}) {
+    this.connectTimeoutMs = options.connectTimeoutMs ?? 30000;
+  }
+  async connectAll(config) {
+    const connectPromises = [];
+    for (const [key, serverConfig] of Object.entries(config.upstreams)) {
+      if (serverConfig.enabled) {
+        connectPromises.push(this.connect(key, serverConfig));
+      }
+    }
+    await Promise.allSettled(connectPromises);
+  }
+  async connect(key, config) {
+    if (this.connections.has(key)) {
+      await this.disconnect(key);
+    }
+    const connection = {
+      key,
+      config,
+      status: "connecting",
+      error: undefined,
+      serverName: undefined,
+      serverVersion: undefined,
+      tools: [],
+      client: null,
+      transport: null,
+      authProvider: null,
+      authPending: false,
+      authStateVersion: this.getAuthStateVersion(key)
+    };
+    this.connections.set(key, connection);
+    try {
+      const client = new Client2({
+        name: "mcp-squared",
+        version: "1.0.0"
+      });
+      let transport;
+      const isStdio = config.transport === "stdio";
+      if (isStdio) {
+        transport = this.createStdioTransport(config);
+      } else {
+        const { transport: httpTransport, authProvider } = this.createHttpTransport(key, config);
+        transport = httpTransport;
+        connection.authProvider = authProvider;
+      }
+      connection.client = client;
+      connection.transport = transport;
+      const connectPromise = client.connect(transport);
+      let timeoutId;
+      const timeoutPromise = new Promise((_, reject) => {
+        timeoutId = setTimeout(() => reject(new Error("Connection timeout")), this.connectTimeoutMs);
+      });
+      try {
+        await Promise.race([connectPromise, timeoutPromise]);
+        if (isStdio && transport instanceof StdioClientTransport) {
+          const childProcess = transport._process;
+          if (childProcess && childProcess.exitCode !== null) {
+            throw new Error(`Process exited during initialization with code ${childProcess.exitCode}`);
+          }
+        }
+      } catch (err) {
+        if (err instanceof UnauthorizedError2 && connection.authProvider) {
+          if (connection.authProvider.isNonInteractive()) {
+            connection.authPending = true;
+            connection.status = "error";
+            connection.error = `OAuth authorization required. Run: mcp-squared auth ${key}`;
+            return;
+          }
+          throw err;
+        }
+        throw err;
+      } finally {
+        if (timeoutId !== undefined) {
+          clearTimeout(timeoutId);
+        }
+      }
+      const serverInfo = client.getServerVersion();
+      connection.serverName = serverInfo?.name;
+      connection.serverVersion = serverInfo?.version;
+      const { tools } = await client.listTools();
+      connection.tools = tools.map((tool) => ({
+        name: tool.name,
+        description: sanitizeDescription(tool.description),
+        inputSchema: tool.inputSchema,
+        serverKey: key
+      }));
+      connection.status = "connected";
+    } catch (err) {
+      connection.status = "error";
+      connection.error = err instanceof Error ? err.message : String(err);
+      try {
+        await this.cleanupConnection(connection);
+      } catch (_cleanupErr) {}
+    }
+  }
+  async disconnect(key) {
+    const connection = this.connections.get(key);
+    if (!connection)
+      return;
+    await this.cleanupConnection(connection);
+    connection.status = "disconnected";
+    connection.tools = [];
+    this.connections.delete(key);
+  }
+  async disconnectAll() {
+    const disconnectPromises = Array.from(this.connections.keys()).map((key) => this.disconnect(key));
+    await Promise.allSettled(disconnectPromises);
+  }
+  getAllTools() {
+    const allTools = [];
+    for (const connection of this.connections.values()) {
+      if (connection.status === "connected") {
+        allTools.push(...connection.tools);
+      }
+    }
+    return allTools;
+  }
+  getToolsForServer(key) {
+    const connection = this.connections.get(key);
+    if (!connection || connection.status !== "connected") {
+      return [];
+    }
+    return connection.tools;
+  }
+  findToolsByName(toolName) {
+    const matches = [];
+    for (const connection of this.connections.values()) {
+      if (connection.status === "connected") {
+        const tool = connection.tools.find((t) => t.name === toolName);
+        if (tool) {
+          matches.push(tool);
+        }
+      }
+    }
+    return matches;
+  }
+  findTool(name) {
+    const parsed = parseQualifiedName(name);
+    if (parsed.serverKey !== null) {
+      const connection = this.connections.get(parsed.serverKey);
+      if (!connection || connection.status !== "connected") {
+        return { tool: undefined, ambiguous: false, alternatives: [] };
+      }
+      const tool = connection.tools.find((t) => t.name === parsed.toolName);
+      return { tool, ambiguous: false, alternatives: [] };
+    }
+    const matches = this.findToolsByName(parsed.toolName);
+    if (matches.length === 0) {
+      return { tool: undefined, ambiguous: false, alternatives: [] };
+    }
+    if (matches.length === 1) {
+      return { tool: matches[0], ambiguous: false, alternatives: [] };
+    }
+    const alternatives = matches.map((t) => formatQualifiedName(t.serverKey, t.name));
+    return { tool: undefined, ambiguous: true, alternatives };
+  }
+  getStatus() {
+    const status = new Map;
+    for (const [key, connection] of this.connections) {
+      status.set(key, {
+        status: connection.status,
+        error: connection.error
+      });
+    }
+    return status;
+  }
+  getConnection(key) {
+    return this.connections.get(key);
+  }
+  hasConnections() {
+    for (const connection of this.connections.values()) {
+      if (connection.status === "connected") {
+        return true;
+      }
+    }
+    return false;
+  }
+  getConflictingTools() {
+    const toolServers = new Map;
+    const conflicts = new Map;
+    for (const connection of this.connections.values()) {
+      if (connection.status === "connected") {
+        for (const tool of connection.tools) {
+          const servers = toolServers.get(tool.name) ?? [];
+          servers.push(connection.key);
+          toolServers.set(tool.name, servers);
+        }
+      }
+    }
+    for (const [toolName, servers] of toolServers) {
+      if (servers.length > 1) {
+        conflicts.set(toolName, servers.map((serverKey) => formatQualifiedName(serverKey, toolName)));
+      }
+    }
+    return conflicts;
+  }
+  logConflicts() {
+    const conflicts = this.getConflictingTools();
+    if (conflicts.size > 0) {
+      console.warn("[mcp\xB2] Tool name conflicts detected. Use qualified names to avoid ambiguity:");
+      for (const [toolName, qualified] of conflicts) {
+        console.warn(`  - "${toolName}" available as: ${qualified.join(", ")}`);
+      }
+    }
+  }
+  async callTool(toolName, args) {
+    const result = this.findTool(toolName);
+    if (result.ambiguous) {
+      throw new Error(`Ambiguous tool name "${toolName}". Use a qualified name: ${result.alternatives.join(", ")}`);
+    }
+    if (!result.tool) {
+      throw new Error(`Tool not found: ${toolName}`);
+    }
+    const connection = this.connections.get(result.tool.serverKey);
+    if (!connection?.client || connection.status !== "connected") {
+      throw new Error(`Server not connected: ${result.tool.serverKey}`);
+    }
+    const parsed = parseQualifiedName(toolName);
+    const bareToolName = parsed.toolName;
+    const callResult = await connection.client.callTool({
+      name: bareToolName,
+      arguments: args
+    });
+    return {
+      content: callResult.content,
+      isError: callResult.isError
+    };
+  }
+  async refreshTools(key) {
+    const connection = this.connections.get(key);
+    if (!connection) {
+      return;
+    }
+    if (!connection.client || connection.status !== "connected") {
+      await this.reconnectIfAuthStateUpdated(connection);
+      return;
+    }
+    try {
+      const { tools } = await connection.client.listTools();
+      connection.tools = tools.map((tool) => ({
+        name: tool.name,
+        description: sanitizeDescription(tool.description),
+        inputSchema: tool.inputSchema,
+        serverKey: key
+      }));
+      connection.error = undefined;
+      connection.authPending = false;
+    } catch (err) {
+      if (err instanceof UnauthorizedError2 && connection.authProvider) {
+        if (connection.authProvider.isNonInteractive()) {
+          connection.authPending = true;
+          connection.status = "error";
+          connection.error = `OAuth authorization required. Run: mcp-squared auth ${key}`;
+          return;
+        }
+      }
+      connection.status = "error";
+      connection.error = err instanceof Error ? err.message : String(err);
+    }
+  }
+  async refreshAllTools() {
+    const refreshPromises = [];
+    for (const key of this.connections.keys()) {
+      refreshPromises.push(this.refreshTools(key));
+    }
+    await Promise.allSettled(refreshPromises);
+  }
+  async reconnectIfAuthStateUpdated(connection) {
+    if (!connection.authPending || !connection.authProvider) {
+      return;
+    }
+    const authStateVersion = this.getAuthStateVersion(connection.key);
+    if (authStateVersion <= connection.authStateVersion) {
+      return;
+    }
+    connection.authStateVersion = authStateVersion;
+    await this.connect(connection.key, connection.config);
+  }
+  getAuthStateVersion(key) {
+    const tokenStorage = new TokenStorage;
+    return tokenStorage.load(key)?.updatedAt ?? 0;
+  }
+  createStdioTransport(config) {
+    const resolvedEnv = resolveEnvVars(config.env);
+    const envWithDefaults = { ...process.env, ...resolvedEnv };
+    return new StdioClientTransport({
+      command: config.stdio.command,
+      args: config.stdio.args,
+      env: envWithDefaults,
+      ...config.stdio.cwd ? { cwd: config.stdio.cwd } : {},
+      stderr: "pipe"
+    });
+  }
+  createHttpTransport(key, config) {
+    const resolvedEnv = resolveEnvVars(config.env);
+    const headers = {};
+    for (const [key2, value] of Object.entries(config.sse.headers)) {
+      if (value.startsWith("$")) {
+        const envKey = value.slice(1);
+        headers[key2] = resolvedEnv[envKey] ?? process.env[envKey] ?? "";
+      } else {
+        headers[key2] = value;
+      }
+    }
+    let authProvider = null;
+    const tokenStorage = new TokenStorage;
+    const hasStoredTokens = tokenStorage.load(key)?.tokens !== undefined;
+    if (config.sse.auth || hasStoredTokens) {
+      const authOptions = typeof config.sse.auth === "object" ? config.sse.auth : {};
+      authProvider = new McpOAuthProvider(key, tokenStorage, {
+        ...authOptions,
+        nonInteractive: true
+      });
+    }
+    const transportOptions = {
+      requestInit: {
+        headers
+      }
+    };
+    if (authProvider) {
+      transportOptions.authProvider = authProvider;
+    }
+    const transport = new StreamableHTTPClientTransport2(new URL(config.sse.url), transportOptions);
+    return { transport, authProvider };
+  }
+  async cleanupConnection(connection) {
+    if (connection.transport) {
+      await safelyCloseTransport(connection.transport);
+      connection.transport = null;
+    }
+    if (connection.client) {
+      try {
+        await connection.client.close();
+      } catch {}
+      connection.client = null;
+    }
+  }
+}
+// src/upstream/client.ts
+import { UnauthorizedError as UnauthorizedError3 } from "@modelcontextprotocol/sdk/client/auth.js";
+import { Client as Client3 } from "@modelcontextprotocol/sdk/client/index.js";
+import { StdioClientTransport as StdioClientTransport2 } from "@modelcontextprotocol/sdk/client/stdio.js";
+import { StreamableHTTPClientTransport as StreamableHTTPClientTransport3 } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+function resolveEnvVars2(env) {
+  const resolved = {};
+  for (const [key, value] of Object.entries(env)) {
+    if (value.startsWith("$")) {
+      const envKey = value.slice(1);
+      resolved[key] = process.env[envKey] || "";
+    } else {
+      resolved[key] = value;
+    }
+  }
+  return resolved;
+}
+function createStdioTransport(config, log, verbose, onStderr) {
+  const fullCommand = [config.stdio.command, ...config.stdio.args].join(" ");
+  log(`Command: ${fullCommand}`);
+  if (config.stdio.cwd) {
+    log(`Working dir: ${config.stdio.cwd}`);
+  }
+  const resolvedEnv = resolveEnvVars2(config.env || {});
+  if (verbose && Object.keys(resolvedEnv).length > 0) {
+    log(`Environment: ${Object.keys(resolvedEnv).join(", ")}`);
+  }
+  const envWithDefaults = { ...process.env, ...resolvedEnv };
+  log("Creating stdio transport...");
+  const transport = new StdioClientTransport2({
+    command: config.stdio.command,
+    args: config.stdio.args,
+    env: envWithDefaults,
+    ...config.stdio.cwd ? { cwd: config.stdio.cwd } : {},
+    stderr: "pipe"
+  });
+  if (transport.stderr) {
+    transport.stderr.on("data", (chunk) => {
+      onStderr(chunk.toString());
+    });
+  }
+  return transport;
+}
+function createHttpTransport(config, log, verbose, authProvider) {
+  log(`URL: ${config.sse.url}`);
+  const headers = { ...config.sse.headers };
+  if (verbose && Object.keys(headers).length > 0) {
+    log(`Headers: ${Object.keys(headers).join(", ")}`);
+  }
+  if (authProvider) {
+    log("OAuth: dynamic client registration enabled");
+  }
+  log("Creating HTTP streaming transport...");
+  const transportOptions = {
+    requestInit: {
+      headers
+    }
+  };
+  if (authProvider) {
+    transportOptions.authProvider = authProvider;
+  }
+  const transport = new StreamableHTTPClientTransport3(new URL(config.sse.url), transportOptions);
+  return transport;
+}
+async function handleOAuthCallback(transport, provider, log, callbackServerFactory = (options) => new OAuthCallbackServer(options)) {
+  const callbackUrl = new URL(provider.redirectUrl);
+  const callbackPort = Number.parseInt(callbackUrl.port, 10);
+  if (Number.isNaN(callbackPort) || callbackPort <= 0) {
+    throw new Error(`Invalid OAuth callback URL: ${provider.redirectUrl}`);
+  }
+  const callbackServer = callbackServerFactory({
+    port: callbackPort,
+    path: callbackUrl.pathname || "/callback",
+    timeoutMs: 300000
+  });
+  log("Waiting for browser authorization...");
+  log(`Callback URL: ${callbackServer.getCallbackUrl()}`);
+  try {
+    const result = await callbackServer.waitForCallback();
+    if (result.error) {
+      throw new Error(`OAuth error: ${result.error}${result.errorDescription ? `: ${result.errorDescription}` : ""}`);
+    }
+    if (!result.code) {
+      throw new Error("No authorization code received");
+    }
+    if (!result.state || !provider.verifyState(result.state)) {
+      throw new Error("OAuth state mismatch - possible CSRF attack");
+    }
+    log("Received authorization code, exchanging for token...");
+    await transport.finishAuth(result.code);
+    provider.clearCodeVerifier();
+    log("OAuth authentication complete");
+  } finally {
+    callbackServer.stop();
+  }
+}
+async function testUpstreamConnection(name, config, options = {}) {
+  const { timeoutMs = 30000, verbose = false } = options;
+  const startTime = Date.now();
+  const log = (msg) => verbose && console.log(`  [${name}] ${msg}`);
+  let stderrOutput = "";
+  let client = null;
+  let transport = null;
+  let httpTransport = null;
+  let authProvider;
+  try {
+    client = options.clientFactory?.() ?? new Client3({
+      name: "mcp-squared-test",
+      version: "1.0.0"
+    });
+    if (!client) {
+      throw new Error("Client initialization failed");
+    }
+    if (config.transport === "stdio") {
+      const transportFactory = options.stdioTransportFactory ?? createStdioTransport;
+      transport = transportFactory(config, log, verbose, (text) => {
+        stderrOutput += text;
+        if (verbose) {
+          for (const line of text.split(`
+`).filter((l) => l.trim())) {
+            console.log(`  [${name}] stderr: ${line}`);
+          }
+        }
+      });
+    } else if (config.transport === "sse") {
+      const sseConfig = config;
+      const tokenStorage = new TokenStorage;
+      const hasStoredTokens = tokenStorage.load(name)?.tokens !== undefined;
+      if (sseConfig.sse.auth || hasStoredTokens) {
+        const authOptions = resolveOAuthProviderOptions(sseConfig.sse.auth);
+        authProvider = new McpOAuthProvider(name, tokenStorage, authOptions);
+      }
+      const httpTransportFactory = options.httpTransportFactory ?? createHttpTransport;
+      httpTransport = httpTransportFactory(sseConfig, log, verbose, authProvider);
+      transport = httpTransport;
+    } else {
+      const unknownConfig = config;
+      return {
+        success: false,
+        serverName: undefined,
+        serverVersion: undefined,
+        tools: [],
+        error: `Unknown transport type: ${unknownConfig.transport}`,
+        durationMs: Date.now() - startTime,
+        stderr: undefined
+      };
+    }
+    log(`Connecting (timeout: ${timeoutMs}ms)...`);
+    const connectStart = Date.now();
+    const connectPromise = client.connect(transport);
+    let timeoutId;
+    const timeoutPromise = new Promise((_, reject) => {
+      timeoutId = setTimeout(() => reject(new Error("Connection timeout")), timeoutMs);
+    });
+    try {
+      await Promise.race([connectPromise, timeoutPromise]);
+    } catch (err) {
+      if (err instanceof UnauthorizedError3 && authProvider && httpTransport) {
+        if (authProvider.isInteractive()) {
+          log("OAuth authorization required, opening browser...");
+          await handleOAuthCallback(httpTransport, authProvider, log, options.oauthCallbackServerFactory);
+          log("Retrying connection after OAuth...");
+          await Promise.race([client.connect(transport), timeoutPromise]);
+        } else {
+          throw err;
+        }
+      } else {
+        throw err;
+      }
+    } finally {
+      if (timeoutId !== undefined) {
+        clearTimeout(timeoutId);
+      }
+    }
+    log(`Connected in ${Date.now() - connectStart}ms`);
+    const serverInfo = client.getServerVersion();
+    if (serverInfo) {
+      log(`Server: ${serverInfo.name} v${serverInfo.version}`);
+    }
+    log("Fetching tools...");
+    const toolsStart = Date.now();
+    const { tools } = await client.listTools();
+    log(`Got ${tools.length} tools in ${Date.now() - toolsStart}ms`);
+    const toolInfos = tools.map((tool) => {
+      const info = { name: tool.name };
+      if (tool.description !== undefined) {
+        info.description = tool.description;
+      }
+      return info;
+    });
+    return {
+      success: true,
+      serverName: serverInfo?.name,
+      serverVersion: serverInfo?.version,
+      tools: toolInfos,
+      error: undefined,
+      durationMs: Date.now() - startTime,
+      stderr: stderrOutput || undefined
+    };
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    log(`Error: ${errorMessage}`);
+    return {
+      success: false,
+      serverName: undefined,
+      serverVersion: undefined,
+      tools: [],
+      error: errorMessage,
+      durationMs: Date.now() - startTime,
+      stderr: stderrOutput || undefined
+    };
+  } finally {
+    log("Cleaning up...");
+    if (transport) {
+      await safelyCloseTransport(transport);
+    }
+    if (client) {
+      try {
+        await client.close();
+      } catch {}
+    }
+    log("Done");
+  }
+}
+// src/tui/config.ts
+var PROJECT_DESCRIPTION = "Mercury Control Plane";
+async function runConfigTui() {
+  const renderer = await createCliRenderer({
+    exitOnCtrlC: false,
+    targetFps: 30
+  });
+  const { config, path } = await loadConfig().catch(() => ({
+    config: DEFAULT_CONFIG,
+    path: getDefaultConfigPath().path
+  }));
+  const state = {
+    config: structuredClone(config),
+    configPath: path,
+    isDirty: false,
+    currentScreen: "main",
+    selectedUpstream: null
+  };
+  renderer.setBackgroundColor("#0f172a");
+  const app = new ConfigTuiApp(renderer, state);
+  app.showMainMenu();
+  renderer.keyInput.on("keypress", (key) => {
+    if (key.name === "c" && key.ctrl) {
+      app.handleExit();
+    }
+  });
+}
+
+class ConfigTuiApp {
+  renderer;
+  state;
+  container = null;
+  constructor(renderer, state) {
+    this.renderer = renderer;
+    this.state = state;
+  }
+  clearScreen() {
+    if (this.container) {
+      this.renderer.root.remove(this.container.id);
+    }
+    this.container = new BoxRenderable(this.renderer, {
+      id: "config-container",
+      flexDirection: "column",
+      width: "100%",
+      height: "100%",
+      alignItems: "center",
+      justifyContent: "center",
+      padding: 2
+    });
+    this.renderer.root.add(this.container);
+  }
+  addHeader() {
+    if (!this.container)
+      return;
+    const titleRow = new BoxRenderable(this.renderer, {
+      id: "config-title-row",
+      flexDirection: "row",
+      alignItems: "flex-start",
+      marginBottom: 1
+    });
+    this.container.add(titleRow);
+    const titleMcp = new ASCIIFontRenderable(this.renderer, {
+      id: "config-title-mcp",
+      text: "MCP",
+      font: "tiny",
+      color: RGBA.fromHex("#38bdf8")
+    });
+    titleRow.add(titleMcp);
+    const titleSquared = new TextRenderable(this.renderer, {
+      id: "config-title-squared",
+      content: "\xB2",
+      fg: "#38bdf8"
+    });
+    titleRow.add(titleSquared);
+    const subtitle = new TextRenderable(this.renderer, {
+      id: "config-subtitle",
+      content: PROJECT_DESCRIPTION,
+      fg: "#94a3b8",
+      marginBottom: 1
+    });
+    this.container.add(subtitle);
+    const versionText = new TextRenderable(this.renderer, {
+      id: "config-version",
+      content: `v${VERSION}${this.state.isDirty ? " (unsaved changes)" : ""}`,
+      fg: this.state.isDirty ? "#fbbf24" : "#64748b",
+      marginBottom: 2
+    });
+    this.container.add(versionText);
+  }
+  showMainMenu() {
+    this.state.currentScreen = "main";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const upstreamCount = Object.keys(this.state.config.upstreams).length;
+    const menuBox = new BoxRenderable(this.renderer, {
+      id: "config-menu-box",
+      width: 50,
+      height: 12,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Configuration",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b"
+    });
+    this.container.add(menuBox);
+    const options = [
+      {
+        name: `Upstream Servers (${upstreamCount})`,
+        description: "Manage MCP server connections",
+        value: "upstreams"
+      },
+      {
+        name: "Security Settings",
+        description: "Configure tool access controls",
+        value: "security"
+      },
+      {
+        name: "Operations",
+        description: "Limits, logging, and performance",
+        value: "operations"
+      },
+      {
+        name: this.state.isDirty ? "Save Changes" : "Save",
+        description: this.state.isDirty ? "Write changes to config file" : "No changes to save",
+        value: "save"
+      },
+      {
+        name: "Exit",
+        description: this.state.isDirty ? "Exit (will prompt to save)" : "Exit configuration",
+        value: "exit"
+      }
+    ];
+    const menu = new SelectRenderable(this.renderer, {
+      id: "config-menu",
+      width: "100%",
+      height: "100%",
+      options,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      showDescription: true,
+      descriptionColor: "#64748b",
+      selectedDescriptionColor: "#94a3b8",
+      wrapSelection: true
+    });
+    menuBox.add(menu);
+    menu.on(SelectRenderableEvents.ITEM_SELECTED, (_index, option) => {
+      this.handleMainMenuSelection(option.value);
+    });
+    menu.focus();
+    this.addInstructions("\u2191\u2193 Navigate | Enter Select | Ctrl+C Quit");
+  }
+  handleMainMenuSelection(value) {
+    switch (value) {
+      case "upstreams":
+        this.showUpstreamsScreen();
+        break;
+      case "security":
+        this.showSecurityScreen();
+        break;
+      case "operations":
+        this.showOperationsScreen();
+        break;
+      case "save":
+        this.handleSave();
+        break;
+      case "exit":
+        this.handleExit();
+        break;
+    }
+  }
+  showUpstreamsScreen() {
+    this.state.currentScreen = "upstreams";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const menuBox = new BoxRenderable(this.renderer, {
+      id: "upstreams-box",
+      width: 60,
+      height: 14,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Upstream Servers",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b"
+    });
+    this.container.add(menuBox);
+    const upstreamEntries = Object.entries(this.state.config.upstreams);
+    const options = [
+      {
+        name: "+ Add New Upstream",
+        description: "Configure a new MCP server connection",
+        value: { action: "add" }
+      }
+    ];
+    for (const [name, upstream] of upstreamEntries) {
+      const status = upstream.enabled ? "\u2713" : "\u2717";
+      const transport = upstream.transport.toUpperCase();
+      options.push({
+        name: `${status} ${name} [${transport}]`,
+        description: this.getUpstreamDescription(upstream),
+        value: { action: "edit", name }
+      });
+    }
+    options.push({
+      name: "\u2190 Back to Main Menu",
+      description: "",
+      value: { action: "back" }
+    });
+    const menu = new SelectRenderable(this.renderer, {
+      id: "upstreams-menu",
+      width: "100%",
+      height: "100%",
+      options,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      showDescription: true,
+      descriptionColor: "#64748b",
+      selectedDescriptionColor: "#94a3b8",
+      wrapSelection: true
+    });
+    menuBox.add(menu);
+    menu.on(SelectRenderableEvents.ITEM_SELECTED, (_index, option) => {
+      const val = option.value;
+      if (val.action === "add") {
+        this.showAddUpstreamScreen();
+      } else if (val.action === "edit" && val.name) {
+        this.state.selectedUpstream = val.name;
+        this.showEditUpstreamScreen(val.name);
+      } else if (val.action === "back") {
+        this.showMainMenu();
+      }
+    });
+    menu.focus();
+    this.addInstructions("\u2191\u2193 Navigate | Enter Select | Esc Back");
+    this.renderer.keyInput.once("keypress", (key) => {
+      if (key.name === "escape") {
+        this.showMainMenu();
+      }
+    });
+  }
+  getUpstreamDescription(upstream) {
+    const envCount = Object.keys(upstream.env || {}).length;
+    const envSuffix = envCount > 0 ? ` (${envCount} env var${envCount > 1 ? "s" : ""})` : "";
+    if (upstream.transport === "stdio") {
+      return `${upstream.stdio.command} ${upstream.stdio.args.join(" ")}${envSuffix}`;
+    }
+    return `${upstream.sse.url}${envSuffix}`;
+  }
+  showAddUpstreamScreen() {
+    this.state.currentScreen = "add-upstream";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const menuBox = new BoxRenderable(this.renderer, {
+      id: "add-upstream-box",
+      width: 60,
+      height: 12,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Add Upstream Server",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(menuBox);
+    const descText = new TextRenderable(this.renderer, {
+      id: "transport-desc",
+      content: "Select transport type:",
+      fg: "#94a3b8",
+      marginBottom: 1
+    });
+    menuBox.add(descText);
+    const options = [
+      {
+        name: "Stdio (local process)",
+        description: "Launch a local command as MCP server",
+        value: "stdio"
+      },
+      {
+        name: "HTTP/SSE (remote server)",
+        description: "Connect to a remote MCP server via HTTP",
+        value: "sse"
+      },
+      {
+        name: "\u2190 Back",
+        description: "",
+        value: "back"
+      }
+    ];
+    const menu = new SelectRenderable(this.renderer, {
+      id: "transport-menu",
+      width: "100%",
+      height: "100%",
+      options,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      showDescription: true,
+      descriptionColor: "#64748b",
+      wrapSelection: true
+    });
+    menuBox.add(menu);
+    menu.on(SelectRenderableEvents.ITEM_SELECTED, (_index, option) => {
+      switch (option.value) {
+        case "stdio":
+          this.showAddStdioScreen();
+          break;
+        case "sse":
+          this.showAddSseScreen();
+          break;
+        case "back":
+          this.showUpstreamsScreen();
+          break;
+      }
+    });
+    menu.focus();
+    this.addInstructions("\u2191\u2193 Navigate | Enter Select | Esc Back");
+  }
+  showAddStdioScreen() {
+    this.state.currentScreen = "add-stdio";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const formBox = new BoxRenderable(this.renderer, {
+      id: "add-stdio-box",
+      width: 60,
+      height: 22,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Add Stdio Upstream",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(formBox);
+    const nameLabel = new TextRenderable(this.renderer, {
+      id: "name-label",
+      content: "Name (unique identifier):",
+      fg: "#94a3b8",
+      marginBottom: 0
+    });
+    formBox.add(nameLabel);
+    const nameInput = new InputRenderable(this.renderer, {
+      id: "name-input",
+      width: "100%",
+      placeholder: "e.g., github, filesystem",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        nameInput.value = (nameInput.value || "") + event.text;
+      }
+    });
+    formBox.add(nameInput);
+    const commandLabel = new TextRenderable(this.renderer, {
+      id: "command-label",
+      content: "Command (with arguments):",
+      fg: "#94a3b8"
+    });
+    formBox.add(commandLabel);
+    const commandInput = new InputRenderable(this.renderer, {
+      id: "command-input",
+      width: "100%",
+      placeholder: "e.g., npx -y @modelcontextprotocol/server-github",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        commandInput.value = (commandInput.value || "") + event.text;
+      }
+    });
+    formBox.add(commandInput);
+    const envLabel = new TextRenderable(this.renderer, {
+      id: "env-label",
+      content: "Environment variables (optional, comma-separated):",
+      fg: "#94a3b8",
+      marginBottom: 0
+    });
+    formBox.add(envLabel);
+    const envInput = new InputRenderable(this.renderer, {
+      id: "env-input",
+      width: "100%",
+      placeholder: "e.g., GITHUB_TOKEN=$GITHUB_TOKEN, API_KEY=xxx",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        envInput.value = (envInput.value || "") + event.text;
+      }
+    });
+    formBox.add(envInput);
+    const submitOptions = [
+      { name: "[ Save Upstream ]", description: "", value: "save" },
+      { name: "[ Cancel ]", description: "", value: "cancel" }
+    ];
+    const submitSelect = new SelectRenderable(this.renderer, {
+      id: "submit-select",
+      width: "100%",
+      height: 3,
+      options: submitOptions,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      wrapSelection: true
+    });
+    formBox.add(submitSelect);
+    const fields = [nameInput, commandInput, envInput, submitSelect];
+    let focusIndex = 0;
+    const focusField = (index) => {
+      focusIndex = index;
+      const field = fields[index];
+      if (field)
+        field.focus();
+    };
+    const parseEnvVars = (input) => {
+      const env = {};
+      if (!input.trim())
+        return env;
+      const pairs = input.split(",").map((s) => s.trim()).filter(Boolean);
+      for (const pair of pairs) {
+        const eqIndex = pair.indexOf("=");
+        if (eqIndex > 0) {
+          const key = pair.substring(0, eqIndex).trim();
+          const value = pair.substring(eqIndex + 1).trim();
+          if (key) {
+            env[key] = value;
+          }
+        }
+      }
+      return env;
+    };
+    const saveUpstream = () => {
+      const trimmedName = nameInput.value?.trim() || "";
+      const trimmedCommand = commandInput.value?.trim() || "";
+      if (!trimmedName) {
+        nameInput.focus();
+        return;
+      }
+      if (!trimmedCommand) {
+        commandInput.focus();
+        return;
+      }
+      const envVars = parseEnvVars(envInput.value || "");
+      const parts = trimmedCommand.split(/\s+/);
+      const command = parts[0] || "";
+      const args = parts.slice(1);
+      this.state.config.upstreams[trimmedName] = {
+        transport: "stdio",
+        enabled: true,
+        env: envVars,
+        stdio: { command, args }
+      };
+      this.state.isDirty = true;
+      cleanup();
+      this.showUpstreamsScreen();
+    };
+    submitSelect.on(SelectRenderableEvents.ITEM_SELECTED, (_i, opt) => {
+      if (opt.value === "save") {
+        saveUpstream();
+      } else {
+        cleanup();
+        this.showAddUpstreamScreen();
+      }
+    });
+    const handleKeypress = (key) => {
+      if (key.name === "escape") {
+        cleanup();
+        this.showAddUpstreamScreen();
+        return;
+      }
+      if (key.name === "tab" && !key.shift) {
+        focusField((focusIndex + 1) % fields.length);
+        return;
+      }
+      if (key.name === "tab" && key.shift) {
+        focusField((focusIndex - 1 + fields.length) % fields.length);
+        return;
+      }
+    };
+    const cleanup = () => {
+      this.renderer.keyInput.off("keypress", handleKeypress);
+    };
+    this.renderer.keyInput.on("keypress", handleKeypress);
+    focusField(0);
+    this.addInstructions("Tab: next field | Shift+Tab: prev | Esc: cancel");
+  }
+  showAddSseScreen() {
+    this.state.currentScreen = "add-sse";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const formBox = new BoxRenderable(this.renderer, {
+      id: "add-sse-box",
+      width: 60,
+      height: 26,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Add HTTP/SSE Upstream",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(formBox);
+    const nameLabel = new TextRenderable(this.renderer, {
+      id: "name-label",
+      content: "Name (unique identifier):",
+      fg: "#94a3b8",
+      marginBottom: 0
+    });
+    formBox.add(nameLabel);
+    const nameInput = new InputRenderable(this.renderer, {
+      id: "name-input",
+      width: "100%",
+      placeholder: "e.g., stripe, remote-api",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        nameInput.value = (nameInput.value || "") + event.text;
+      }
+    });
+    formBox.add(nameInput);
+    const urlLabel = new TextRenderable(this.renderer, {
+      id: "url-label",
+      content: "Server URL:",
+      fg: "#94a3b8"
+    });
+    formBox.add(urlLabel);
+    const urlInput = new InputRenderable(this.renderer, {
+      id: "url-input",
+      width: "100%",
+      placeholder: "e.g., https://api.example.com/mcp",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        urlInput.value = (urlInput.value || "") + event.text;
+      }
+    });
+    formBox.add(urlInput);
+    const headersLabel = new TextRenderable(this.renderer, {
+      id: "headers-label",
+      content: "HTTP Headers (optional, comma-separated):",
+      fg: "#94a3b8",
+      marginBottom: 0
+    });
+    formBox.add(headersLabel);
+    const headersInput = new InputRenderable(this.renderer, {
+      id: "headers-input",
+      width: "100%",
+      placeholder: "e.g., Authorization=Bearer $API_KEY",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        headersInput.value = (headersInput.value || "") + event.text;
+      }
+    });
+    formBox.add(headersInput);
+    const authLabel = new TextRenderable(this.renderer, {
+      id: "auth-label",
+      content: "OAuth Authentication:",
+      fg: "#94a3b8",
+      marginBottom: 0
+    });
+    formBox.add(authLabel);
+    const authOptions = [
+      { name: "Disabled", description: "", value: "disabled" },
+      {
+        name: "Enabled (default port 8089)",
+        description: "",
+        value: "enabled"
+      }
+    ];
+    const authSelect = new SelectRenderable(this.renderer, {
+      id: "auth-select",
+      width: "100%",
+      height: 2,
+      options: authOptions,
+      backgroundColor: "#0f172a",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      wrapSelection: true
+    });
+    formBox.add(authSelect);
+    const envLabel = new TextRenderable(this.renderer, {
+      id: "env-label",
+      content: "Environment variables (optional, comma-separated):",
+      fg: "#94a3b8",
+      marginBottom: 0,
+      marginTop: 1
+    });
+    formBox.add(envLabel);
+    const envInput = new InputRenderable(this.renderer, {
+      id: "env-input",
+      width: "100%",
+      placeholder: "e.g., API_KEY=$STRIPE_API_KEY",
+      backgroundColor: "#0f172a",
+      focusedBackgroundColor: "#1e293b",
+      textColor: "#e2e8f0",
+      marginBottom: 1,
+      onPaste: (event) => {
+        envInput.value = (envInput.value || "") + event.text;
+      }
+    });
+    formBox.add(envInput);
+    const submitOptions = [
+      { name: "[ Save Upstream ]", description: "", value: "save" },
+      { name: "[ Cancel ]", description: "", value: "cancel" }
+    ];
+    const submitSelect = new SelectRenderable(this.renderer, {
+      id: "submit-select",
+      width: "100%",
+      height: 3,
+      options: submitOptions,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      wrapSelection: true
+    });
+    formBox.add(submitSelect);
+    const fields = [
+      nameInput,
+      urlInput,
+      headersInput,
+      authSelect,
+      envInput,
+      submitSelect
+    ];
+    let focusIndex = 0;
+    let selectedAuthIndex = 0;
+    const focusField = (index) => {
+      focusIndex = index;
+      const field = fields[index];
+      if (field)
+        field.focus();
+    };
+    authSelect.on(SelectRenderableEvents.ITEM_SELECTED, (index, _opt) => {
+      selectedAuthIndex = index;
+    });
+    const parseKeyValuePairs = (input) => {
+      const result = {};
+      if (!input.trim())
+        return result;
+      const pairs = input.split(",").map((s) => s.trim()).filter(Boolean);
+      for (const pair of pairs) {
+        const eqIndex = pair.indexOf("=");
+        if (eqIndex > 0) {
+          const key = pair.substring(0, eqIndex).trim();
+          const value = pair.substring(eqIndex + 1).trim();
+          if (key) {
+            result[key] = value;
+          }
+        }
+      }
+      return result;
+    };
+    const saveUpstream = () => {
+      const trimmedName = nameInput.value?.trim() || "";
+      const trimmedUrl = urlInput.value?.trim() || "";
+      if (!trimmedName) {
+        nameInput.focus();
+        return;
+      }
+      if (!trimmedUrl) {
+        urlInput.focus();
+        return;
+      }
+      try {
+        new URL(trimmedUrl);
+      } catch {
+        urlInput.focus();
+        return;
+      }
+      const envVars = parseKeyValuePairs(envInput.value || "");
+      const headers = parseKeyValuePairs(headersInput.value || "");
+      const authEnabled = selectedAuthIndex === 1;
+      this.state.config.upstreams[trimmedName] = {
+        transport: "sse",
+        enabled: true,
+        env: envVars,
+        sse: {
+          url: trimmedUrl,
+          headers,
+          auth: authEnabled ? true : undefined
+        }
+      };
+      this.state.isDirty = true;
+      cleanup();
+      this.showUpstreamsScreen();
+    };
+    submitSelect.on(SelectRenderableEvents.ITEM_SELECTED, (_i, opt) => {
+      if (opt.value === "save") {
+        saveUpstream();
+      } else {
+        cleanup();
+        this.showAddUpstreamScreen();
+      }
+    });
+    const handleKeypress = (key) => {
+      if (key.name === "escape") {
+        cleanup();
+        this.showAddUpstreamScreen();
+        return;
+      }
+      if (key.name === "tab" && !key.shift) {
+        focusField((focusIndex + 1) % fields.length);
+        return;
+      }
+      if (key.name === "tab" && key.shift) {
+        focusField((focusIndex - 1 + fields.length) % fields.length);
+        return;
+      }
+    };
+    const cleanup = () => {
+      this.renderer.keyInput.off("keypress", handleKeypress);
+    };
+    this.renderer.keyInput.on("keypress", handleKeypress);
+    focusField(0);
+    this.addInstructions("Tab: next field | Shift+Tab: prev | Esc: cancel");
+  }
+  showEditUpstreamScreen(name) {
+    this.state.currentScreen = "edit-upstream";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const upstream = this.state.config.upstreams[name];
+    if (!upstream) {
+      this.showUpstreamsScreen();
+      return;
+    }
+    const boxHeight = upstream.transport === "sse" ? 22 : 18;
+    const menuBox = new BoxRenderable(this.renderer, {
+      id: "edit-upstream-box",
+      width: 60,
+      height: boxHeight,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: `Edit: ${name}`,
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(menuBox);
+    const transportText = new TextRenderable(this.renderer, {
+      id: "edit-transport",
+      content: `Transport: ${upstream.transport.toUpperCase()}`,
+      fg: "#94a3b8",
+      marginBottom: 0
+    });
+    menuBox.add(transportText);
+    if (upstream.transport === "stdio") {
+      const cmdText = new TextRenderable(this.renderer, {
+        id: "edit-command",
+        content: `Command: ${upstream.stdio.command} ${upstream.stdio.args.join(" ")}`,
+        fg: "#94a3b8",
+        marginBottom: 0
+      });
+      menuBox.add(cmdText);
+    } else {
+      const urlText = new TextRenderable(this.renderer, {
+        id: "edit-url",
+        content: `URL: ${upstream.sse.url}`,
+        fg: "#94a3b8",
+        marginBottom: 0
+      });
+      menuBox.add(urlText);
+      const headerCount = Object.keys(upstream.sse.headers || {}).length;
+      const headersText = new TextRenderable(this.renderer, {
+        id: "edit-headers",
+        content: `Headers: ${headerCount > 0 ? headerCount : "(none)"}`,
+        fg: "#94a3b8",
+        marginBottom: 0
+      });
+      menuBox.add(headersText);
+      const authStatus = upstream.sse.auth ? "Enabled" : "Disabled";
+      const authText = new TextRenderable(this.renderer, {
+        id: "edit-auth",
+        content: `OAuth: ${authStatus}`,
+        fg: "#94a3b8",
+        marginBottom: 0
+      });
+      menuBox.add(authText);
+    }
+    const envEntries = Object.entries(upstream.env || {});
+    const envLabel = new TextRenderable(this.renderer, {
+      id: "edit-env-label",
+      content: `Environment (${envEntries.length}):`,
+      fg: "#94a3b8",
+      marginTop: 1,
+      marginBottom: 0
+    });
+    menuBox.add(envLabel);
+    if (envEntries.length > 0) {
+      for (const [key, value] of envEntries.slice(0, 3)) {
+        const maskedValue = value.startsWith("$") ? value : "***";
+        const envText = new TextRenderable(this.renderer, {
+          id: `edit-env-${key}`,
+          content: `  ${key}=${maskedValue}`,
+          fg: "#64748b"
+        });
+        menuBox.add(envText);
+      }
+      if (envEntries.length > 3) {
+        const moreText = new TextRenderable(this.renderer, {
+          id: "edit-env-more",
+          content: `  ... and ${envEntries.length - 3} more`,
+          fg: "#64748b"
+        });
+        menuBox.add(moreText);
+      }
+    } else {
+      const noEnvText = new TextRenderable(this.renderer, {
+        id: "edit-env-none",
+        content: "  (none)",
+        fg: "#64748b"
+      });
+      menuBox.add(noEnvText);
+    }
+    const options = [
+      {
+        name: "Test Connection",
+        description: "Connect and list available tools",
+        value: "test"
+      },
+      {
+        name: upstream.enabled ? "Disable" : "Enable",
+        description: upstream.enabled ? "Stop using this upstream" : "Start using this upstream",
+        value: "toggle"
+      },
+      {
+        name: "Delete",
+        description: "Remove this upstream configuration",
+        value: "delete"
+      },
+      {
+        name: "\u2190 Back",
+        description: "",
+        value: "back"
+      }
+    ];
+    const menu = new SelectRenderable(this.renderer, {
+      id: "edit-menu",
+      width: "100%",
+      height: "100%",
+      options,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      showDescription: true,
+      descriptionColor: "#64748b",
+      wrapSelection: true
+    });
+    menuBox.add(menu);
+    menu.on(SelectRenderableEvents.ITEM_SELECTED, (_index, option) => {
+      switch (option.value) {
+        case "test":
+          this.showTestScreen(name, upstream);
+          break;
+        case "toggle":
+          upstream.enabled = !upstream.enabled;
+          this.state.isDirty = true;
+          this.showEditUpstreamScreen(name);
+          break;
+        case "delete":
+          delete this.state.config.upstreams[name];
+          this.state.isDirty = true;
+          this.showUpstreamsScreen();
+          break;
+        case "back":
+          this.showUpstreamsScreen();
+          break;
+      }
+    });
+    menu.focus();
+    this.addInstructions("\u2191\u2193 Navigate | Enter Select | Esc Back");
+  }
+  async showTestScreen(name, upstream) {
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const testBox = new BoxRenderable(this.renderer, {
+      id: "test-box",
+      width: 60,
+      height: 16,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: `Testing: ${name}`,
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(testBox);
+    const statusText = new TextRenderable(this.renderer, {
+      id: "test-status",
+      content: "Connecting...",
+      fg: "#fbbf24"
+    });
+    testBox.add(statusText);
+    this.addInstructions("Please wait...");
+    const result = await testUpstreamConnection(name, upstream);
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const resultBox = new BoxRenderable(this.renderer, {
+      id: "result-box",
+      width: 60,
+      height: 18,
+      border: true,
+      borderStyle: "single",
+      borderColor: result.success ? "#4ade80" : "#f87171",
+      title: result.success ? `\u2713 ${name} - Success` : `\u2717 ${name} - Failed`,
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(resultBox);
+    if (result.success) {
+      if (result.serverName) {
+        const serverText = new TextRenderable(this.renderer, {
+          id: "test-server",
+          content: `Server: ${result.serverName}${result.serverVersion ? ` v${result.serverVersion}` : ""}`,
+          fg: "#94a3b8"
+        });
+        resultBox.add(serverText);
+      }
+      const toolsHeader = new TextRenderable(this.renderer, {
+        id: "test-tools-header",
+        content: `Tools available: ${result.tools.length}`,
+        fg: "#e2e8f0",
+        marginTop: 1
+      });
+      resultBox.add(toolsHeader);
+      for (const tool of result.tools.slice(0, 8)) {
+        const toolText = new TextRenderable(this.renderer, {
+          id: `test-tool-${tool.name}`,
+          content: `  \u2022 ${tool.name}`,
+          fg: "#94a3b8"
+        });
+        resultBox.add(toolText);
+      }
+      if (result.tools.length > 8) {
+        const moreText = new TextRenderable(this.renderer, {
+          id: "test-tools-more",
+          content: `  ... and ${result.tools.length - 8} more`,
+          fg: "#64748b"
+        });
+        resultBox.add(moreText);
+      }
+      const timeText = new TextRenderable(this.renderer, {
+        id: "test-time",
+        content: `Time: ${result.durationMs}ms`,
+        fg: "#64748b",
+        marginTop: 1
+      });
+      resultBox.add(timeText);
+    } else {
+      const errorText = new TextRenderable(this.renderer, {
+        id: "test-error",
+        content: `Error: ${result.error}`,
+        fg: "#f87171"
+      });
+      resultBox.add(errorText);
+      const timeText = new TextRenderable(this.renderer, {
+        id: "test-time",
+        content: `Time: ${result.durationMs}ms`,
+        fg: "#64748b",
+        marginTop: 1
+      });
+      resultBox.add(timeText);
+    }
+    const backOption = [
+      { name: "\u2190 Back", description: "", value: "back" }
+    ];
+    const backMenu = new SelectRenderable(this.renderer, {
+      id: "test-back",
+      width: "100%",
+      height: 2,
+      options: backOption,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      marginTop: 1
+    });
+    resultBox.add(backMenu);
+    backMenu.on(SelectRenderableEvents.ITEM_SELECTED, () => {
+      this.showEditUpstreamScreen(name);
+    });
+    backMenu.focus();
+    this.addInstructions("Enter to go back");
+  }
+  showSecurityScreen() {
+    this.state.currentScreen = "security";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const security = this.state.config.security;
+    const infoBox = new BoxRenderable(this.renderer, {
+      id: "security-box",
+      width: 60,
+      height: 14,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Security Settings",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(infoBox);
+    const allowText = new TextRenderable(this.renderer, {
+      id: "allow-label",
+      content: `Allow patterns: ${security.tools.allow.join(", ") || "(none)"}`,
+      fg: "#4ade80",
+      marginBottom: 1
+    });
+    infoBox.add(allowText);
+    const blockText = new TextRenderable(this.renderer, {
+      id: "block-label",
+      content: `Block patterns: ${security.tools.block.join(", ") || "(none)"}`,
+      fg: "#f87171",
+      marginBottom: 1
+    });
+    infoBox.add(blockText);
+    const confirmText = new TextRenderable(this.renderer, {
+      id: "confirm-label",
+      content: `Confirm patterns: ${security.tools.confirm.join(", ") || "(none)"}`,
+      fg: "#fbbf24",
+      marginBottom: 2
+    });
+    infoBox.add(confirmText);
+    const hintText = new TextRenderable(this.renderer, {
+      id: "hint-text",
+      content: "Edit mcp-squared.toml directly for advanced security config",
+      fg: "#64748b",
+      marginBottom: 1
+    });
+    infoBox.add(hintText);
+    const backOption = [
+      { name: "\u2190 Back to Main Menu", description: "", value: "back" }
+    ];
+    const backMenu = new SelectRenderable(this.renderer, {
+      id: "security-back",
+      width: "100%",
+      height: 2,
+      options: backOption,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8"
+    });
+    infoBox.add(backMenu);
+    backMenu.on(SelectRenderableEvents.ITEM_SELECTED, () => {
+      this.showMainMenu();
+    });
+    backMenu.focus();
+    this.addInstructions("Enter to go back | Esc Back");
+    const handleEscape = (key) => {
+      if (key.name === "escape") {
+        this.renderer.keyInput.off("keypress", handleEscape);
+        this.showMainMenu();
+      }
+    };
+    this.renderer.keyInput.on("keypress", handleEscape);
+  }
+  showOperationsScreen() {
+    this.state.currentScreen = "operations";
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const ops = this.state.config.operations;
+    const infoBox = new BoxRenderable(this.renderer, {
+      id: "operations-box",
+      width: 60,
+      height: 14,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#475569",
+      title: "Operations Settings",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b",
+      flexDirection: "column",
+      padding: 1
+    });
+    this.container.add(infoBox);
+    const limitText = new TextRenderable(this.renderer, {
+      id: "limit-label",
+      content: `Default find_tools limit: ${ops.findTools.defaultLimit}`,
+      fg: "#e2e8f0",
+      marginBottom: 1
+    });
+    infoBox.add(limitText);
+    const maxLimitText = new TextRenderable(this.renderer, {
+      id: "max-limit-label",
+      content: `Max find_tools limit: ${ops.findTools.maxLimit}`,
+      fg: "#e2e8f0",
+      marginBottom: 1
+    });
+    infoBox.add(maxLimitText);
+    const refreshText = new TextRenderable(this.renderer, {
+      id: "refresh-label",
+      content: `Index refresh interval: ${ops.index.refreshIntervalMs}ms`,
+      fg: "#e2e8f0",
+      marginBottom: 1
+    });
+    infoBox.add(refreshText);
+    const logText = new TextRenderable(this.renderer, {
+      id: "log-label",
+      content: `Log level: ${ops.logging.level}`,
+      fg: "#e2e8f0",
+      marginBottom: 2
+    });
+    infoBox.add(logText);
+    const hintText = new TextRenderable(this.renderer, {
+      id: "hint-text",
+      content: "Edit mcp-squared.toml directly for advanced settings",
+      fg: "#64748b",
+      marginBottom: 1
+    });
+    infoBox.add(hintText);
+    const backOption = [
+      { name: "\u2190 Back to Main Menu", description: "", value: "back" }
+    ];
+    const backMenu = new SelectRenderable(this.renderer, {
+      id: "ops-back",
+      width: "100%",
+      height: 2,
+      options: backOption,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8"
+    });
+    infoBox.add(backMenu);
+    backMenu.on(SelectRenderableEvents.ITEM_SELECTED, () => {
+      this.showMainMenu();
+    });
+    backMenu.focus();
+    this.addInstructions("Enter to go back | Esc Back");
+    const handleEscape = (key) => {
+      if (key.name === "escape") {
+        this.renderer.keyInput.off("keypress", handleEscape);
+        this.showMainMenu();
+      }
+    };
+    this.renderer.keyInput.on("keypress", handleEscape);
+  }
+  async handleSave() {
+    if (!this.state.isDirty) {
+      this.showMainMenu();
+      return;
+    }
+    try {
+      await saveConfig(this.state.configPath, this.state.config);
+      this.state.isDirty = false;
+      this.showMainMenu();
+    } catch (err) {
+      console.error("Failed to save config:", err);
+      this.showMainMenu();
+    }
+  }
+  handleExit() {
+    if (this.state.isDirty) {
+      this.showExitConfirmation();
+    } else {
+      this.renderer.destroy();
+      process.exit(0);
+    }
+  }
+  showExitConfirmation() {
+    this.clearScreen();
+    this.addHeader();
+    if (!this.container)
+      return;
+    const confirmBox = new BoxRenderable(this.renderer, {
+      id: "confirm-box",
+      width: 50,
+      height: 8,
+      border: true,
+      borderStyle: "single",
+      borderColor: "#fbbf24",
+      title: "Unsaved Changes",
+      titleAlignment: "center",
+      backgroundColor: "#1e293b"
+    });
+    this.container.add(confirmBox);
+    const options = [
+      { name: "Save and Exit", description: "", value: "save-exit" },
+      { name: "Exit without Saving", description: "", value: "exit" },
+      { name: "Cancel", description: "", value: "cancel" }
+    ];
+    const menu = new SelectRenderable(this.renderer, {
+      id: "confirm-menu",
+      width: "100%",
+      height: "100%",
+      options,
+      backgroundColor: "transparent",
+      selectedBackgroundColor: "#334155",
+      textColor: "#e2e8f0",
+      selectedTextColor: "#38bdf8",
+      wrapSelection: true
+    });
+    confirmBox.add(menu);
+    menu.on(SelectRenderableEvents.ITEM_SELECTED, async (_index, option) => {
+      switch (option.value) {
+        case "save-exit":
+          await this.handleSave();
+          this.renderer.destroy();
+          process.exit(0);
+          break;
+        case "exit":
+          this.renderer.destroy();
+          process.exit(0);
+          break;
+        case "cancel":
+          this.showMainMenu();
+          break;
+      }
+    });
+    menu.focus();
+    this.addInstructions("\u2191\u2193 Navigate | Enter Select");
+  }
+  addInstructions(text) {
+    if (!this.container)
+      return;
+    const instructions = new TextRenderable(this.renderer, {
+      id: "config-instructions",
+      content: text,
+      fg: "#64748b",
+      marginTop: 2
+    });
+    this.container.add(instructions);
+  }
+}
+export {
+  runConfigTui
+};