ofw-mcp 2.3.0 → 2.3.2

package/dist/bundle.js

@@ -10342,10 +10342,10 @@ var require_websocket_server = __commonJS({
             process.nextTick(emitClose, this);
           }
         } else {
-          const server2 = this._server;
+          const server = this._server;
           this._removeListeners();
           this._removeListeners = this._server = null;
-          server2.close(() => {
+          server.close(() => {
             emitClose(this);
           });
         }
@@ -10530,17 +10530,17 @@ var require_websocket_server = __commonJS({
       }
     };
     module.exports = WebSocketServer2;
-    function addListeners(server2, map2) {
-      for (const event of Object.keys(map2)) server2.on(event, map2[event]);
+    function addListeners(server, map2) {
+      for (const event of Object.keys(map2)) server.on(event, map2[event]);
       return function removeListeners() {
         for (const event of Object.keys(map2)) {
-          server2.removeListener(event, map2[event]);
+          server.removeListener(event, map2[event]);
         }
       };
     }
-    function emitClose(server2) {
-      server2._state = CLOSED;
-      server2.emit("close");
+    function emitClose(server) {
+      server._state = CLOSED;
+      server.emit("close");
     }
     function socketOnError() {
       this.destroy();
@@ -10559,11 +10559,11 @@ var require_websocket_server = __commonJS({
 ` + Object.keys(headers).map((h) => `${h}: ${headers[h]}`).join("\r\n") + "\r\n\r\n" + message
       );
     }
-    function abortHandshakeOrEmitwsClientError(server2, req, socket, code, message, headers) {
-      if (server2.listenerCount("wsClientError")) {
+    function abortHandshakeOrEmitwsClientError(server, req, socket, code, message, headers) {
+      if (server.listenerCount("wsClientError")) {
         const err = new Error(message);
         Error.captureStackTrace(err, abortHandshakeOrEmitwsClientError);
-        server2.emit("wsClientError", err, socket, req);
+        server.emit("wsClientError", err, socket, req);
       } else {
         abortHandshake(socket, code, message, headers);
       }
@@ -32189,11 +32189,11 @@ var Protocol = class {
    *
    * The Protocol object assumes ownership of the Transport, replacing any callbacks that have already been set, and expects that it is the only user of the Transport instance going forward.
    */
-  async connect(transport2) {
+  async connect(transport) {
     if (this._transport) {
       throw new Error("Already connected to a transport. Call close() before connecting to a new transport, or use a separate Protocol instance per connection.");
     }
-    this._transport = transport2;
+    this._transport = transport;
     const _onclose = this.transport?.onclose;
     this._transport.onclose = () => {
       _onclose?.();
@@ -33783,8 +33783,8 @@ var McpServer = class {
    *
    * The `server` object assumes ownership of the Transport, replacing any callbacks that have already been set, and expects that it is the only user of the Transport instance going forward.
    */
-  async connect(transport2) {
-    return await this.server.connect(transport2);
+  async connect(transport) {
+    return await this.server.connect(transport);
   }
   /**
    * Closes the connection.
@@ -34634,8 +34634,247 @@ var StdioServerTransport = class {
   }
 };
 
+// node_modules/@chrischall/mcp-utils/dist/server/index.js
+async function createMcpServer(opts) {
+  const server = new McpServer({ name: opts.name, version: opts.version });
+  if (opts.banner !== void 0) {
+    console.error(opts.banner);
+  }
+  const deps = opts.deps;
+  for (const register of opts.tools) {
+    await register(server, deps);
+  }
+  return server;
+}
+function withGracefulShutdown(server, opts = {}) {
+  const shouldExit = opts.exit ?? true;
+  let shuttingDown = false;
+  const handler = (signal) => {
+    if (shuttingDown)
+      return;
+    shuttingDown = true;
+    void (async () => {
+      try {
+        if (opts.onSignal)
+          await opts.onSignal(signal);
+        await server.close();
+      } catch (err) {
+        console.error(`[mcp-utils] error during graceful shutdown on ${signal}: ${err instanceof Error ? err.message : String(err)}`);
+      } finally {
+        if (shouldExit)
+          process.exit(0);
+      }
+    })();
+  };
+  process.on("SIGINT", () => handler("SIGINT"));
+  process.on("SIGTERM", () => handler("SIGTERM"));
+}
+async function runMcp(opts) {
+  const server = await createMcpServer(opts);
+  const shutdown = opts.shutdown ?? true;
+  if (shutdown !== false) {
+    withGracefulShutdown(server, shutdown === true ? {} : shutdown);
+  }
+  const spec = opts.transport ?? "stdio";
+  const transport = spec === "stdio" ? new StdioServerTransport() : spec;
+  await server.connect(transport);
+  return server;
+}
+
+// node_modules/@chrischall/mcp-utils/dist/errors/index.js
+var API_KEY_RE = new RegExp([
+  "sk-[A-Za-z0-9_-]{20,}(?![A-Za-z0-9_-])",
+  // OpenAI / Anthropic (incl. sk-ant-…)
+  "gh[pousr]_[A-Za-z0-9]{36,}\\b",
+  // GitHub ghp_/gho_/ghu_/ghs_/ghr_
+  "xox[baprs]-[A-Za-z0-9-]{10,}(?![A-Za-z0-9-])",
+  // Slack
+  "AIza[0-9A-Za-z_-]{35}(?![0-9A-Za-z_-])",
+  // Google API key (39 chars total)
+  "AKIA[0-9A-Z]{16}\\b",
+  // AWS access key id (20 chars total)
+  "whsec_[A-Za-z0-9]{16,}\\b"
+  // webhook signing secret (Stripe-style)
+].map((p) => `\\b${p}`).join("|"), "g");
+
+// node_modules/@chrischall/mcp-utils/dist/response/index.js
+function textResult(data) {
+  return {
+    content: [{ type: "text", text: JSON.stringify(data, null, 2) }]
+  };
+}
+function rawTextResult(text) {
+  return { content: [{ type: "text", text }] };
+}
+
+// node_modules/@chrischall/mcp-utils/dist/config/index.js
+import { homedir } from "node:os";
+import { isAbsolute, join, resolve } from "node:path";
+var PLACEHOLDER_RE = /^\$\{[^}]*\}$/;
+function readEnvVar(key, opts = {}) {
+  const env = opts.env ?? process.env;
+  const raw = env[key];
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    if (trimmed.length > 0 && trimmed !== "undefined" && trimmed !== "null" && !PLACEHOLDER_RE.test(trimmed)) {
+      return trimmed;
+    }
+  }
+  return opts.default;
+}
+var TRUE_TOKENS = /* @__PURE__ */ new Set(["1", "true", "yes", "on"]);
+var FALSE_TOKENS = /* @__PURE__ */ new Set(["0", "false", "no", "off"]);
+function parseBoolEnv(key, opts = {}) {
+  const fallback = opts.default ?? false;
+  const raw = readEnvVar(key, { env: opts.env });
+  if (raw === void 0)
+    return fallback;
+  const token = raw.toLowerCase();
+  if (TRUE_TOKENS.has(token))
+    return true;
+  if (FALSE_TOKENS.has(token))
+    return false;
+  return fallback;
+}
+function expandPath(p) {
+  let expanded = p;
+  if (p === "~") {
+    expanded = homedir();
+  } else if (p.startsWith("~/")) {
+    expanded = join(homedir(), p.slice(2));
+  }
+  return isAbsolute(expanded) ? expanded : resolve(expanded);
+}
+async function loadDotenvSafely(opts = {}) {
+  try {
+    const mod = await import(
+      /* @vite-ignore */
+      "dotenv"
+    );
+    const result = mod.config({
+      ...opts.path !== void 0 ? { path: opts.path } : {},
+      override: opts.override ?? false,
+      quiet: true
+    });
+    return result.error === void 0;
+  } catch {
+    return false;
+  }
+}
+
+// node_modules/@chrischall/mcp-utils/dist/fs/index.js
+import { openAsBlob } from "node:fs";
+async function fileBlob(path, opts = {}) {
+  let blob;
+  try {
+    blob = await openAsBlob(path, opts.type !== void 0 ? { type: opts.type } : void 0);
+  } catch {
+    throw new Error(`Cannot read file for upload: ${path}`);
+  }
+  if (opts.maxBytes !== void 0 && blob.size > opts.maxBytes) {
+    throw new Error(`${opts.label ?? "File"} is ${blob.size} bytes, over the ${opts.maxBytes}-byte limit: ${path}`);
+  }
+  return blob;
+}
+
+// node_modules/@chrischall/mcp-utils/dist/zod/index.js
+var PositiveInt = external_exports.number().int().positive();
+var NonNegInt = external_exports.number().int().nonnegative();
+var NonEmptyString = external_exports.string().min(1);
+var IsoDate = external_exports.iso.date();
+var IsoTime = external_exports.string().regex(/^([01]?\d|2[0-3]):[0-5]\d$/, "must be HH:MM (24h), e.g. 19:30");
+var NumericIdString = external_exports.string().regex(/^\d+$/, "must be a numeric id (digits only)").describe("A numeric id string (digits only), safe to interpolate into a URL path.");
+var SafePathSegment = external_exports.string().min(1).regex(/^[^/?#\s]+$/, 'must not contain "/", "?", "#", or whitespace').refine((v) => !v.includes(".."), 'must not contain ".."').describe('A single URL path segment, safe to interpolate: no "/", "..", "?", "#", or whitespace.');
+var schemaOrigin = external_exports.string().optional().describe("Portal origin (e.g. https://<vendor>.example.co) selecting which active session to use. Optional when only one session is active.");
+var schemaConfirm = external_exports.boolean().optional().describe("Must be true to proceed. Without this, the tool returns a preview.");
+var paginationSchema = {
+  offset: NonNegInt.default(0).describe("Number of items to skip (0-based)."),
+  limit: external_exports.number().int().min(1).max(200).default(50).describe("Maximum number of items to return (1-200).")
+};
+var pageSchema = {
+  page_num: PositiveInt.default(1).describe("1-based page number."),
+  page_size: external_exports.number().int().min(1).max(200).default(50).describe("Number of items per page (1-200).")
+};
+
+// node_modules/@chrischall/mcp-utils/dist/session/index.js
+var TOKEN_REFRESH_SKEW_MS = 5 * 60 * 1e3;
+var TokenManager = class {
+  accessToken;
+  refreshToken;
+  expiresAt;
+  refreshFn;
+  skewMs;
+  inFlight;
+  constructor(opts) {
+    this.accessToken = opts.initial.accessToken;
+    this.refreshToken = opts.initial.refreshToken;
+    this.expiresAt = opts.initial.expiresAt;
+    this.refreshFn = opts.refresh;
+    this.skewMs = opts.skewMs ?? TOKEN_REFRESH_SKEW_MS;
+  }
+  /** Whether the token is within the skew window of (or past) expiry. */
+  needsRefresh() {
+    return Date.now() >= this.expiresAt - this.skewMs;
+  }
+  /**
+   * Single-flight refresh. Concurrent callers share one in-flight promise; it is
+   * cleared on settle (success or failure) so a subsequent refresh can proceed.
+   */
+  refreshNow() {
+    if (!this.inFlight) {
+      const rt = this.refreshToken;
+      if (rt === void 0) {
+        return Promise.reject(new Error("TokenManager: cannot refresh \u2014 no refresh token is available."));
+      }
+      this.inFlight = (async () => {
+        const tok = await this.refreshFn(rt);
+        this.accessToken = tok.accessToken;
+        if (tok.refreshToken !== void 0 && tok.refreshToken !== "") {
+          this.refreshToken = tok.refreshToken;
+        }
+        this.expiresAt = tok.expiresAt;
+      })().finally(() => {
+        this.inFlight = void 0;
+      });
+    }
+    return this.inFlight;
+  }
+  /** Get a valid access token, refreshing proactively inside the skew window. */
+  async getAccessToken() {
+    if (this.needsRefresh())
+      await this.refreshNow();
+    return this.accessToken;
+  }
+  /** Current absolute expiry (epoch ms). */
+  getExpiresAt() {
+    return this.expiresAt;
+  }
+  /**
+   * Run an authenticated request with reactive 401-replay. `call` receives a
+   * valid access token and returns a `Response`. On `401`, the token is
+   * refreshed once and `call` is invoked again exactly once.
+   *
+   * Guarded against double-refresh: if a concurrent caller already rotated the
+   * token while this request was in flight (single-flight settled and cleared),
+   * a late `401` from a request sent under the OLD token does NOT trigger a
+   * second refresh — under refresh-token rotation that would consume and
+   * invalidate the freshly-issued refresh token. It just replays with the
+   * current token.
+   */
+  async withAuth(call) {
+    const usedToken = await this.getAccessToken();
+    let res = await call(usedToken);
+    if (res.status === 401) {
+      if (this.accessToken === usedToken)
+        await this.refreshNow();
+      res = await call(this.accessToken);
+    }
+    return res;
+  }
+};
+
 // src/client.ts
-import { dirname, join as join3 } from "path";
+import { dirname, join as join4 } from "path";
 import { fileURLToPath } from "url";
 
 // node_modules/@fetchproxy/protocol/dist/frames.js
@@ -34647,7 +34886,9 @@ var KNOWN_CAPABILITIES = /* @__PURE__ */ new Set([
   "read_local_storage",
   "read_session_storage",
   "capture_request_header",
-  "read_indexed_db"
+  "capture_redirect",
+  "read_indexed_db",
+  "download"
 ]);
 
 // node_modules/@fetchproxy/protocol/dist/mcp-id.js
@@ -34794,6 +35035,16 @@ function assertScopeKeyArray(value, label) {
     seen.add(k);
   }
 }
+var CAPTURE_PATH_RE = /^\/[A-Za-z0-9._~%\-/]*\*?$/;
+function hostMatchesAnyDomain(host, domains) {
+  const h = host.toLowerCase();
+  for (const d of domains) {
+    const dom = d.toLowerCase();
+    if (h === dom || h.endsWith("." + dom))
+      return true;
+  }
+  return false;
+}
 function assertCaptureHeadersArray(value, label) {
   if (!Array.isArray(value)) {
     throw new ProtocolError(`${label}: expected array, got ${typeof value}`);
@@ -34802,14 +35053,25 @@ function assertCaptureHeadersArray(value, label) {
   for (let i = 0; i < value.length; i++) {
     const entry = value[i];
     assertObject(entry, `${label}[${i}]`);
-    if (entry.urlPattern === void 0) {
-      throw new ProtocolError(`${label}[${i}].urlPattern: missing`);
+    if (entry.host === void 0) {
+      throw new ProtocolError(`${label}[${i}].host: missing`);
     }
     if (entry.headerName === void 0) {
       throw new ProtocolError(`${label}[${i}].headerName: missing`);
     }
-    if (typeof entry.urlPattern !== "string") {
-      throw new ProtocolError(`${label}[${i}].urlPattern: expected string, got ${typeof entry.urlPattern}`);
+    if (typeof entry.host !== "string") {
+      throw new ProtocolError(`${label}[${i}].host: expected string, got ${typeof entry.host}`);
+    }
+    if (!HOSTNAME_RE.test(entry.host)) {
+      throw new ProtocolError(`${label}[${i}].host: invalid hostname ${JSON.stringify(entry.host)}`);
+    }
+    if (entry.path !== void 0) {
+      if (typeof entry.path !== "string") {
+        throw new ProtocolError(`${label}[${i}].path: expected string, got ${typeof entry.path}`);
+      }
+      if (!CAPTURE_PATH_RE.test(entry.path)) {
+        throw new ProtocolError(`${label}[${i}].path: must start with '/' ${JSON.stringify(entry.path)}`);
+      }
     }
     if (typeof entry.headerName !== "string") {
       throw new ProtocolError(`${label}[${i}].headerName: expected string, got ${typeof entry.headerName}`);
@@ -34817,19 +35079,29 @@ function assertCaptureHeadersArray(value, label) {
     if (!HEADER_NAME_RE.test(entry.headerName)) {
       throw new ProtocolError(`${label}[${i}].headerName: invalid name ${JSON.stringify(entry.headerName)}`);
     }
-    assertCaptureUrlPattern(entry.urlPattern, `${label}[${i}].urlPattern`);
-    const key = `${entry.urlPattern}\0${entry.headerName}`;
+    const normalizedPath = entry.path ?? "/*";
+    const key = `${entry.host}\0${normalizedPath}\0${entry.headerName}`;
     if (seen.has(key)) {
-      throw new ProtocolError(`${label}: duplicate ${JSON.stringify({ urlPattern: entry.urlPattern, headerName: entry.headerName })}`);
+      throw new ProtocolError(`${label}: duplicate ${JSON.stringify({ host: entry.host, path: normalizedPath, headerName: entry.headerName })}`);
     }
     seen.add(key);
     for (const k of Object.keys(entry)) {
-      if (k !== "urlPattern" && k !== "headerName") {
+      if (k !== "host" && k !== "path" && k !== "headerName") {
         throw new ProtocolError(`${label}[${i}]: unexpected field ${JSON.stringify(k)}`);
       }
     }
   }
 }
+function validateCaptureHeaderDecls(value, domains, label = "captureHeaders") {
+  assertCaptureHeadersArray(value, label);
+  const arr = value;
+  for (let i = 0; i < arr.length; i++) {
+    const host = arr[i].host;
+    if (!hostMatchesAnyDomain(host, domains)) {
+      throw new ProtocolError(`${label}[${i}].host: ${JSON.stringify(host)} is not a declared domain or subdomain of [${domains.join(", ")}]`);
+    }
+  }
+}
 function assertStoragePointersArray(value, label, declaredKeys) {
   if (!Array.isArray(value)) {
     throw new ProtocolError(`${label}: expected array, got ${typeof value}`);
@@ -34917,23 +35189,6 @@ function assertIndexedDbScopesArray(value, label) {
     }
   }
 }
-function assertCaptureUrlPattern(pattern, label) {
-  if (!pattern.startsWith("https://")) {
-    throw new ProtocolError(`${label}: must start with https:// (got ${JSON.stringify(pattern)})`);
-  }
-  const afterScheme = pattern.slice("https://".length);
-  const slash = afterScheme.indexOf("/");
-  const host = slash === -1 ? afterScheme : afterScheme.slice(0, slash);
-  if (host.length === 0) {
-    throw new ProtocolError(`${label}: missing host (got ${JSON.stringify(pattern)})`);
-  }
-  if (host.includes("*")) {
-    throw new ProtocolError(`${label}: wildcards not permitted in host (got ${JSON.stringify(pattern)})`);
-  }
-  if (!HOSTNAME_RE.test(host)) {
-    throw new ProtocolError(`${label}: invalid host ${JSON.stringify(host)} in ${JSON.stringify(pattern)}`);
-  }
-}
 function validateFrame(raw) {
   assertObject(raw, "frame");
   const t = raw.type;
@@ -34998,7 +35253,7 @@ function validateHello(raw) {
       assertScopeKeyArray(raw.sessionStorageKeys, "hello.sessionStorageKeys");
     }
     if (raw.captureHeaders !== void 0) {
-      assertCaptureHeadersArray(raw.captureHeaders, "hello.captureHeaders");
+      validateCaptureHeaderDecls(raw.captureHeaders, raw.domains, "hello.captureHeaders");
     }
     if (raw.indexedDbScopes !== void 0) {
       assertIndexedDbScopesArray(raw.indexedDbScopes, "hello.indexedDbScopes");
@@ -35166,24 +35421,58 @@ function validateInnerRequest(raw) {
   }
   if (raw.op === "capture_request_header") {
     assertObject(raw.init, "inner.init");
-    if (raw.init.urlPattern === void 0) {
-      throw new ProtocolError("inner.init.urlPattern: missing");
+    if (raw.init.host === void 0) {
+      throw new ProtocolError("inner.init.host: missing");
     }
     if (raw.init.headerName === void 0) {
       throw new ProtocolError("inner.init.headerName: missing");
     }
-    assertString(raw.init.urlPattern, "inner.init.urlPattern");
+    assertString(raw.init.host, "inner.init.host");
+    if (!HOSTNAME_RE.test(raw.init.host)) {
+      throw new ProtocolError(`inner.init.host: invalid hostname ${JSON.stringify(raw.init.host)}`);
+    }
+    if (raw.init.path !== void 0) {
+      assertString(raw.init.path, "inner.init.path");
+      if (!CAPTURE_PATH_RE.test(raw.init.path)) {
+        throw new ProtocolError(`inner.init.path: must start with '/' ${JSON.stringify(raw.init.path)}`);
+      }
+    }
     assertString(raw.init.headerName, "inner.init.headerName");
     if (raw.init.timeoutMs !== void 0) {
       assertPositiveInt(raw.init.timeoutMs, "inner.init.timeoutMs");
     }
     for (const k of Object.keys(raw.init)) {
-      if (k !== "urlPattern" && k !== "headerName" && k !== "timeoutMs") {
+      if (k !== "host" && k !== "path" && k !== "headerName" && k !== "timeoutMs") {
         throw new ProtocolError(`inner.init: unexpected field ${JSON.stringify(k)} on capture_request_header`);
       }
     }
     return raw;
   }
+  if (raw.op === "capture_redirect") {
+    assertObject(raw.init, "inner.init");
+    if (raw.init.host === void 0) {
+      throw new ProtocolError("inner.init.host: missing");
+    }
+    assertString(raw.init.host, "inner.init.host");
+    if (!HOSTNAME_RE.test(raw.init.host)) {
+      throw new ProtocolError(`inner.init.host: invalid hostname ${JSON.stringify(raw.init.host)}`);
+    }
+    if (raw.init.path !== void 0) {
+      assertString(raw.init.path, "inner.init.path");
+      if (!CAPTURE_PATH_RE.test(raw.init.path)) {
+        throw new ProtocolError(`inner.init.path: must start with '/' ${JSON.stringify(raw.init.path)}`);
+      }
+    }
+    if (raw.init.timeoutMs !== void 0) {
+      assertPositiveInt(raw.init.timeoutMs, "inner.init.timeoutMs");
+    }
+    for (const k of Object.keys(raw.init)) {
+      if (k !== "host" && k !== "path" && k !== "timeoutMs") {
+        throw new ProtocolError(`inner.init: unexpected field ${JSON.stringify(k)} on capture_redirect`);
+      }
+    }
+    return raw;
+  }
   if (raw.op === "read_indexed_db") {
     assertObject(raw.init, "inner.init");
     if (raw.init.origin === void 0)
@@ -35209,7 +35498,32 @@ function validateInnerRequest(raw) {
     }
     return raw;
   }
-  throw new ProtocolError(`inner.op: must be one of "fetch", "read_cookies", "read_local_storage", "read_session_storage", "capture_request_header", "read_indexed_db"; got ${JSON.stringify(raw.op)}`);
+  if (raw.op === "download") {
+    assertObject(raw.init, "inner.init");
+    if (raw.init.url === void 0) {
+      throw new ProtocolError("inner.init.url: missing");
+    }
+    assertHttpUrl(raw.init.url, "inner.init.url");
+    if (raw.init.filename !== void 0) {
+      assertString(raw.init.filename, "inner.init.filename");
+      if (/^([/\\]|[A-Za-z]:)/.test(raw.init.filename)) {
+        throw new ProtocolError(`inner.init.filename: must be relative ${JSON.stringify(raw.init.filename)}`);
+      }
+      if (raw.init.filename.split(/[/\\]/).includes("..")) {
+        throw new ProtocolError(`inner.init.filename: must not contain '..' ${JSON.stringify(raw.init.filename)}`);
+      }
+    }
+    if (raw.init.timeoutMs !== void 0) {
+      assertPositiveInt(raw.init.timeoutMs, "inner.init.timeoutMs");
+    }
+    for (const k of Object.keys(raw.init)) {
+      if (k !== "url" && k !== "filename" && k !== "timeoutMs") {
+        throw new ProtocolError(`inner.init: unexpected field ${JSON.stringify(k)} on download`);
+      }
+    }
+    return raw;
+  }
+  throw new ProtocolError(`inner.op: must be one of "fetch", "read_cookies", "read_local_storage", "read_session_storage", "capture_request_header", "capture_redirect", "read_indexed_db", "download"; got ${JSON.stringify(raw.op)}`);
 }
 function assertNonEmptyKeyArray(value, label) {
   if (!Array.isArray(value)) {
@@ -35280,6 +35594,13 @@ function validateInnerResponse(raw) {
       assertString(raw.value, "inner.value");
       return raw;
     }
+    if (op === "capture_redirect") {
+      if (raw.value === void 0) {
+        throw new ProtocolError("inner.value: missing on capture_redirect response");
+      }
+      assertString(raw.value, "inner.value");
+      return raw;
+    }
     if (op === "read_indexed_db") {
       if (raw.values === void 0) {
         throw new ProtocolError("inner.values: missing on read_indexed_db response");
@@ -35287,6 +35608,25 @@ function validateInnerResponse(raw) {
       assertObject(raw.values, "inner.values");
       return raw;
     }
+    if (op === "download") {
+      assertObject(raw.value, "inner.value");
+      assertString(raw.value.path, "inner.value.path");
+      if (typeof raw.value.bytes !== "number" || !Number.isInteger(raw.value.bytes) || raw.value.bytes < 0) {
+        throw new ProtocolError("inner.value.bytes: expected non-negative integer");
+      }
+      if (raw.value.mime !== void 0) {
+        assertString(raw.value.mime, "inner.value.mime");
+      }
+      if (raw.value.finalUrl !== void 0) {
+        assertString(raw.value.finalUrl, "inner.value.finalUrl");
+      }
+      for (const k of Object.keys(raw.value)) {
+        if (k !== "path" && k !== "bytes" && k !== "mime" && k !== "finalUrl") {
+          throw new ProtocolError(`inner.value: unexpected field ${JSON.stringify(k)} on download response`);
+        }
+      }
+      return raw;
+    }
     throw new ProtocolError(`inner.op: unknown success-response op ${JSON.stringify(raw.op)}`);
   }
   if (raw.ok === false) {
@@ -35494,13 +35834,13 @@ async function openEncryptedFrame(sessionKey, frame) {
 // node_modules/@fetchproxy/server/dist/election.js
 import { createServer, Server as HttpServer } from "node:http";
 async function electRole(opts) {
-  const server2 = createServer();
+  const server = createServer();
   return new Promise((resolve2, reject) => {
     const onError = (e) => {
-      server2.removeListener("listening", onListening);
+      server.removeListener("listening", onListening);
       if (e.code === "EADDRINUSE") {
         try {
-          server2.close();
+          server.close();
         } catch {
         }
         resolve2({ role: "peer" });
@@ -35509,12 +35849,12 @@ async function electRole(opts) {
       }
     };
     const onListening = () => {
-      server2.removeListener("error", onError);
-      resolve2({ role: "host", server: server2 });
+      server.removeListener("error", onError);
+      resolve2({ role: "host", server });
     };
-    server2.once("error", onError);
-    server2.once("listening", onListening);
-    server2.listen(opts.port, opts.host);
+    server.once("error", onError);
+    server.once("listening", onListening);
+    server.listen(opts.port, opts.host);
   });
 }
 
@@ -35558,7 +35898,8 @@ async function buildServerHello(opts) {
   }
   if (opts.captureHeaders && opts.captureHeaders.length > 0) {
     hello.captureHeaders = opts.captureHeaders.map((d) => ({
-      urlPattern: d.urlPattern,
+      host: d.host,
+      ...d.path !== void 0 ? { path: d.path } : {},
       headerName: d.headerName
     }));
   }
@@ -35796,7 +36137,9 @@ async function startHost(opts) {
         } catch {
         }
       }
-      wss.close(() => resolve2());
+      wss.close(() => {
+        opts.httpServer.close(() => resolve2());
+      });
     }),
     sendOwnInner: async (inner) => {
       const session = await ownSessionReady;
@@ -35846,6 +36189,7 @@ async function startPeer(opts) {
   const innerListeners = [];
   const renegotiateListeners = [];
   const pendingPairListeners = [];
+  const closeListeners = [];
   let session = null;
   let pendingPairCode = null;
   let resolveFirstReady;
@@ -35895,6 +36239,7 @@ async function startPeer(opts) {
   ws.on("message", onMessage);
   ws.once("close", () => {
     rejectFirstReady(new Error("peer WS closed before ready"));
+    closeListeners.forEach((cb) => cb());
   });
   sessionPromise.catch(() => {
   });
@@ -35917,6 +36262,9 @@ async function startPeer(opts) {
       pendingPairListeners.push(cb);
     },
     pendingPairCode: () => pendingPairCode,
+    onClose: (cb) => {
+      closeListeners.push(cb);
+    },
     close: () => ws.close()
   };
   return handle;
@@ -35924,19 +36272,19 @@ async function startPeer(opts) {
 
 // node_modules/@fetchproxy/server/dist/identity.js
 import { readFile, writeFile, mkdir, chmod } from "node:fs/promises";
-import { join } from "node:path";
-import { homedir } from "node:os";
+import { join as join2 } from "node:path";
+import { homedir as homedir2 } from "node:os";
 var SAFE_PLAIN = /^[A-Za-z0-9._-]+$/;
 var SAFE_SCOPED = /^@[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/;
 function defaultIdentityDir() {
-  return join(homedir(), ".fetchproxy", "identity");
+  return join2(homedir2(), ".fetchproxy", "identity");
 }
 async function loadOrCreateIdentity(serverName, dir = defaultIdentityDir()) {
   if (!serverName || serverName === ".." || serverName.includes("..") || !SAFE_PLAIN.test(serverName) && !SAFE_SCOPED.test(serverName)) {
     throw new Error(`unsafe serverName for identity file: ${JSON.stringify(serverName)}`);
   }
   const safeFile = serverName.replace(/\//g, "_");
-  const path = join(dir, `${safeFile}.json`);
+  const path = join2(dir, `${safeFile}.json`);
   await mkdir(dir, { recursive: true, mode: 448 });
   try {
     const raw = await readFile(path, "utf8");
@@ -36118,6 +36466,12 @@ var FetchproxyServer = class {
   opts;
   hostHandle = null;
   peerHandle = null;
+  // 0.13.0+: true from the start of `close()` until the next `doConnect()`.
+  // Distinguishes an intentional shutdown (whose WS close we must ignore)
+  // from the host process dying (which strands a peer and must trigger
+  // re-election). The WS `close` event fires asynchronously, so this stays
+  // latched across `close()` rather than being reset in its tail.
+  closing = false;
   nextRequestId = 1;
   // 0.8.0+: process-wide freshness counters surfaced via bridgeHealth().
   // Replaces the local copies every downstream MCP was rolling on top
@@ -36143,8 +36497,12 @@ var FetchproxyServer = class {
   pendingStorage = /* @__PURE__ */ new Map();
   // 0.3.0+: capture-header awaiters resolve a single string.
   pendingCapture = /* @__PURE__ */ new Map();
+  // capture_redirect awaiters resolve the captured redirect URL string.
+  pendingRedirect = /* @__PURE__ */ new Map();
   // 0.4.0+: read_indexed_db awaiters resolve a JSON-typed values map.
   pendingIdb = /* @__PURE__ */ new Map();
+  // download awaiters resolve the saved-file metadata (path + size + mime).
+  pendingDownload = /* @__PURE__ */ new Map();
   mcpId = null;
   identity = null;
   // 0.5.3+: in-flight role-election / handle-start promise. Set the
@@ -36190,6 +36548,14 @@ var FetchproxyServer = class {
       }
       capabilities = [...opts.capabilities];
     }
+    if (opts.captureHeaders !== void 0) {
+      try {
+        validateCaptureHeaderDecls(opts.captureHeaders, opts.domains);
+      } catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        throw new Error("FetchproxyServer: invalid captureHeaders \u2014 " + message);
+      }
+    }
     this.opts = {
       port: opts.port ?? 37149,
       host: opts.host ?? "127.0.0.1",
@@ -36201,7 +36567,8 @@ var FetchproxyServer = class {
       localStorageKeys: [...opts.localStorageKeys ?? []],
       sessionStorageKeys: [...opts.sessionStorageKeys ?? []],
       captureHeaders: (opts.captureHeaders ?? []).map((d) => ({
-        urlPattern: d.urlPattern,
+        host: d.host,
+        ...d.path !== void 0 ? { path: d.path } : {},
         headerName: d.headerName
       })),
       indexedDbScopes: (opts.indexedDbScopes ?? []).map((d) => ({
@@ -36319,6 +36686,7 @@ var FetchproxyServer = class {
   async doConnect() {
     const identity = this.identity;
     const mcpId = this.mcpId;
+    this.closing = false;
     const el = await electRole({ host: this.opts.host, port: this.opts.port });
     if (el.role === "host") {
       this.role = "host";
@@ -36378,6 +36746,14 @@ var FetchproxyServer = class {
         const cb = this.opts.onPairCode;
         this.peerHandle.onPendingPair((code) => cb(code));
       }
+      this.peerHandle.onClose(() => {
+        if (this.closing || this.peerHandle === null)
+          return;
+        this.stopKeepalive();
+        this.rejectAllPending();
+        this.peerHandle = null;
+        this.role = null;
+      });
     }
   }
   pairingErrorMessage(code) {
@@ -36952,12 +37328,12 @@ var FetchproxyServer = class {
   /**
    * 0.3.0+: snapshot the next outgoing request's named header. Single-
    * shot: the extension registers a one-time `webRequest` listener
-   * filtered on `urlPattern`, captures the named header on the first
-   * match, removes itself, and resolves with the value. Times out
-   * after `timeoutMs` (default 30s on the extension).
+   * filtered on `https://${host}${path ?? '/*'}`, captures the named
+   * header on the first match, removes itself, and resolves with the
+   * value. Times out after `timeoutMs` (default 30s on the extension).
    *
-   * `(urlPattern, headerName)` must exactly match a declared entry in
-   * `FetchproxyServerOpts.captureHeaders`.
+   * `(host, path?, headerName)` must match a declared entry in
+   * `FetchproxyServerOpts.captureHeaders` (omitted path ≡ `/*`).
    */
   async captureRequestHeader(opts) {
     if (!this.opts.capabilities.includes("capture_request_header")) {
@@ -36966,24 +37342,25 @@ var FetchproxyServer = class {
     await this.ensureConnected();
     this.throwIfPendingPair();
     const decls = this.opts.captureHeaders;
+    const normPath = (p) => p ?? "/*";
     let resolved;
-    if (opts?.urlPattern !== void 0 && opts?.headerName !== void 0) {
-      const found = decls.find((d) => d.urlPattern === opts.urlPattern && d.headerName === opts.headerName);
+    if (opts?.host !== void 0 && opts?.headerName !== void 0) {
+      const found = decls.find((d) => d.host === opts.host && normPath(d.path) === normPath(opts.path) && d.headerName === opts.headerName);
       if (!found) {
-        throw new Error(`FetchproxyServer.captureRequestHeader: (urlPattern=${JSON.stringify(opts.urlPattern)}, headerName=${JSON.stringify(opts.headerName)}) not declared in captureHeaders`);
+        throw new Error(`FetchproxyServer.captureRequestHeader: (host=${JSON.stringify(opts.host)}, path=${JSON.stringify(normPath(opts.path))}, headerName=${JSON.stringify(opts.headerName)}) not declared in captureHeaders`);
       }
       resolved = found;
-    } else if (opts?.urlPattern === void 0 && opts?.headerName === void 0) {
+    } else if (opts?.host === void 0 && opts?.headerName === void 0) {
       if (decls.length === 0) {
-        throw new Error("FetchproxyServer.captureRequestHeader: no captureHeaders declared on this server \u2014 declare at least one entry in FetchproxyServerOpts.captureHeaders, or pass {urlPattern, headerName} explicitly");
+        throw new Error("FetchproxyServer.captureRequestHeader: no captureHeaders declared on this server \u2014 declare at least one entry in FetchproxyServerOpts.captureHeaders, or pass {host, headerName} explicitly");
       }
       if (decls.length > 1) {
-        const list = decls.map((d) => `${JSON.stringify(d.urlPattern)}/${JSON.stringify(d.headerName)}`).join(", ");
-        throw new Error(`FetchproxyServer.captureRequestHeader: multiple captureHeaders declared (${decls.length}: ${list}); pass {urlPattern, headerName} to disambiguate`);
+        const list = decls.map((d) => `${JSON.stringify(d.host)}${JSON.stringify(normPath(d.path))}/${JSON.stringify(d.headerName)}`).join(", ");
+        throw new Error(`FetchproxyServer.captureRequestHeader: multiple captureHeaders declared (${decls.length}: ${list}); pass {host, headerName} to disambiguate`);
       }
       resolved = decls[0];
     } else {
-      throw new Error("FetchproxyServer.captureRequestHeader: pass both urlPattern AND headerName, or neither (which defaults to the single declared entry)");
+      throw new Error("FetchproxyServer.captureRequestHeader: pass both host AND headerName, or neither (which defaults to the single declared entry)");
     }
     const callOpts = { ...resolved, ...opts?.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {} };
     try {
@@ -37017,7 +37394,7 @@ var FetchproxyServer = class {
             originalError: retryErr.message,
             retryAttempted: true,
             op: "capture_request_header",
-            url: resolved.urlPattern,
+            url: `https://${resolved.host}${resolved.path ?? "/*"}`,
             role: this.role,
             port: this.opts.port
           });
@@ -37028,7 +37405,7 @@ var FetchproxyServer = class {
         originalError: err.message,
         retryAttempted: false,
         op: "capture_request_header",
-        url: resolved.urlPattern,
+        url: `https://${resolved.host}${resolved.path ?? "/*"}`,
         role: this.role,
         port: this.opts.port
       });
@@ -37041,7 +37418,8 @@ var FetchproxyServer = class {
       id,
       op: "capture_request_header",
       init: {
-        urlPattern: opts.urlPattern,
+        host: opts.host,
+        ...opts.path !== void 0 ? { path: opts.path } : {},
         headerName: opts.headerName,
         ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {}
       }
@@ -37056,6 +37434,181 @@ var FetchproxyServer = class {
     }
     return pending;
   }
+  /**
+   * Snapshot the redirect target URL of the next request the browser
+   * makes to `(host, path?)`. Single-shot: the extension registers a
+   * one-time `chrome.webRequest.onBeforeRedirect` listener filtered on
+   * `https://${host}${path ?? '/*'}`, captures `details.redirectUrl` on
+   * the first match, removes itself, and resolves with the URL. Times out
+   * after `timeoutMs` (default 30s on the extension).
+   *
+   * Use case: a Cloudflare-walled endpoint that 302-redirects cross-origin
+   * to a presigned URL — a page-level fetch sees only an opaque redirect,
+   * but `onBeforeRedirect` exposes the target. Capture is limited to the
+   * MCP's own declared `domains`; no per-entry declared scope is required.
+   */
+  async captureRedirect(opts) {
+    if (!this.opts.capabilities.includes("capture_redirect")) {
+      throw new Error('FetchproxyServer.captureRedirect(): MCP did not declare "capture_redirect" in capabilities');
+    }
+    await this.ensureConnected();
+    this.throwIfPendingPair();
+    try {
+      const result = await this._captureRedirectOnce(opts);
+      this.recordSuccess();
+      return result;
+    } catch (err) {
+      const swDown = err instanceof FetchproxyProtocolError && classifyFetchError(err.message) === "content_script_unreachable";
+      if (!swDown) {
+        this.recordFailure(`capture_redirect: ${err.message ?? String(err)}`);
+        throw err;
+      }
+      this.lastEvictionDetectedAt = Date.now();
+      const reviveMs = this.opts.bridgeReviveDelayMs ?? 0;
+      if (reviveMs > 0) {
+        this.lazyReviveAttempts += 1;
+        await new Promise((r) => setTimeout(r, reviveMs));
+        try {
+          const result = await this._captureRedirectOnce(opts);
+          this.lazyReviveSuccesses += 1;
+          this.recordSuccess();
+          return result;
+        } catch (retryErr) {
+          const stillDown = retryErr instanceof FetchproxyProtocolError && classifyFetchError(retryErr.message) === "content_script_unreachable";
+          if (!stillDown) {
+            this.recordFailure(`capture_redirect: ${retryErr.message ?? String(retryErr)}`);
+            throw retryErr;
+          }
+          this.recordFailure(`capture_redirect bridge-down: ${retryErr.message}`);
+          throw new FetchproxyBridgeDownError({
+            originalError: retryErr.message,
+            retryAttempted: true,
+            op: "capture_redirect",
+            url: `https://${opts.host}${opts.path ?? "/*"}`,
+            role: this.role,
+            port: this.opts.port
+          });
+        }
+      }
+      this.recordFailure(`capture_redirect bridge-down: ${err.message}`);
+      throw new FetchproxyBridgeDownError({
+        originalError: err.message,
+        retryAttempted: false,
+        op: "capture_redirect",
+        url: `https://${opts.host}${opts.path ?? "/*"}`,
+        role: this.role,
+        port: this.opts.port
+      });
+    }
+  }
+  async _captureRedirectOnce(opts) {
+    const id = this.nextRequestId++;
+    const inner = {
+      type: "request",
+      id,
+      op: "capture_redirect",
+      init: {
+        host: opts.host,
+        ...opts.path !== void 0 ? { path: opts.path } : {},
+        ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {}
+      }
+    };
+    const pending = new Promise((resolve2, reject) => {
+      this.pendingRedirect.set(id, { resolve: resolve2, reject });
+    });
+    if (this.hostHandle) {
+      await this.hostHandle.sendOwnInner(inner);
+    } else if (this.peerHandle) {
+      await this.peerHandle.sendInner(inner);
+    }
+    return pending;
+  }
+  /**
+   * Download `url` through the BROWSER's own network stack via
+   * `chrome.downloads` (real cookies + TLS/JA3 fingerprint). Unlike a
+   * page-level `fetch()` (cors mode), this clears a Cloudflare bot-challenge
+   * on the endpoint and follows the cross-origin redirect to the final file.
+   * Resolves the saved local file path + size; the bridge is loopback-only /
+   * single-host, so the MCP reads the bytes from the same disk. Requires
+   * `'download'` in capabilities and the `url` host to be a declared `domain`.
+   */
+  async download(opts) {
+    if (!this.opts.capabilities.includes("download")) {
+      throw new Error('FetchproxyServer.download(): MCP did not declare "download" in capabilities');
+    }
+    assertUrlInDomains("download url", opts.url, this.opts.domains);
+    await this.ensureConnected();
+    this.throwIfPendingPair();
+    try {
+      const result = await this._downloadOnce(opts);
+      this.recordSuccess();
+      return result;
+    } catch (err) {
+      const swDown = err instanceof FetchproxyProtocolError && classifyFetchError(err.message) === "content_script_unreachable";
+      if (!swDown) {
+        this.recordFailure(`download: ${err.message ?? String(err)}`);
+        throw err;
+      }
+      this.lastEvictionDetectedAt = Date.now();
+      const reviveMs = this.opts.bridgeReviveDelayMs ?? 0;
+      if (reviveMs > 0) {
+        this.lazyReviveAttempts += 1;
+        await new Promise((r) => setTimeout(r, reviveMs));
+        try {
+          const result = await this._downloadOnce(opts);
+          this.lazyReviveSuccesses += 1;
+          this.recordSuccess();
+          return result;
+        } catch (retryErr) {
+          const stillDown = retryErr instanceof FetchproxyProtocolError && classifyFetchError(retryErr.message) === "content_script_unreachable";
+          if (!stillDown) {
+            this.recordFailure(`download: ${retryErr.message ?? String(retryErr)}`);
+            throw retryErr;
+          }
+          this.recordFailure(`download bridge-down: ${retryErr.message}`);
+          throw new FetchproxyBridgeDownError({
+            originalError: retryErr.message,
+            retryAttempted: true,
+            op: "download",
+            url: opts.url,
+            role: this.role,
+            port: this.opts.port
+          });
+        }
+      }
+      this.recordFailure(`download bridge-down: ${err.message}`);
+      throw new FetchproxyBridgeDownError({
+        originalError: err.message,
+        retryAttempted: false,
+        op: "download",
+        url: opts.url,
+        role: this.role,
+        port: this.opts.port
+      });
+    }
+  }
+  async _downloadOnce(opts) {
+    const id = this.nextRequestId++;
+    const inner = {
+      type: "request",
+      id,
+      op: "download",
+      init: {
+        url: opts.url,
+        ...opts.filename !== void 0 ? { filename: opts.filename } : {},
+        ...opts.timeoutMs !== void 0 ? { timeoutMs: opts.timeoutMs } : {}
+      }
+    };
+    const pending = new Promise((resolve2, reject) => {
+      this.pendingDownload.set(id, { resolve: resolve2, reject });
+    });
+    if (this.hostHandle) {
+      await this.hostHandle.sendOwnInner(inner);
+    } else if (this.peerHandle) {
+      await this.peerHandle.sendInner(inner);
+    }
+    return pending;
+  }
   /**
    * 0.4.0+: read declared IndexedDB keys from the user's signed-in
    * tab. Requires `'read_indexed_db'` in capabilities AND the
@@ -37203,6 +37756,20 @@ var FetchproxyServer = class {
       }
       return;
     }
+    const redirectCb = this.pendingRedirect.get(inner.id);
+    if (redirectCb) {
+      this.pendingRedirect.delete(inner.id);
+      if (inner.ok) {
+        if (inner.op === "capture_redirect" && typeof inner.value === "string") {
+          redirectCb.resolve(inner.value);
+        } else {
+          redirectCb.reject(new FetchproxyProtocolError(`unexpected ${String(inner.op)} response on capture_redirect awaiter`));
+        }
+      } else {
+        redirectCb.reject(new FetchproxyProtocolError(inner.error));
+      }
+      return;
+    }
     const idbCb = this.pendingIdb.get(inner.id);
     if (idbCb) {
       this.pendingIdb.delete(inner.id);
@@ -37217,6 +37784,20 @@ var FetchproxyServer = class {
       }
       return;
     }
+    const downloadCb = this.pendingDownload.get(inner.id);
+    if (downloadCb) {
+      this.pendingDownload.delete(inner.id);
+      if (inner.ok) {
+        if (inner.op === "download" && inner.value && typeof inner.value === "object") {
+          downloadCb.resolve({ ...inner.value });
+        } else {
+          downloadCb.reject(new FetchproxyProtocolError(`unexpected ${String(inner.op)} response on download awaiter`));
+        }
+      } else {
+        downloadCb.reject(new FetchproxyProtocolError(inner.error));
+      }
+      return;
+    }
     const cookiesCb = this.pendingReadCookies.get(inner.id);
     if (cookiesCb) {
       this.pendingReadCookies.delete(inner.id);
@@ -37259,9 +37840,15 @@ var FetchproxyServer = class {
     for (const { reject } of this.pendingCapture.values())
       reject(err);
     this.pendingCapture.clear();
+    for (const { reject } of this.pendingRedirect.values())
+      reject(err);
+    this.pendingRedirect.clear();
     for (const { reject } of this.pendingIdb.values())
       reject(err);
     this.pendingIdb.clear();
+    for (const { reject } of this.pendingDownload.values())
+      reject(err);
+    this.pendingDownload.clear();
   }
   /**
    * 0.5.2+: read the current pair-pending pair code from whichever handle
@@ -37296,6 +37883,7 @@ var FetchproxyServer = class {
    * twice in a row.
    */
   async close() {
+    this.closing = true;
     this.stopKeepalive();
     this.rejectAllPending();
     if (this.connectingPromise) {
@@ -37343,7 +37931,7 @@ async function bootstrap(opts) {
   const sessionStorageKeys = new Set(opts.declare.sessionStorage);
   for (const p of sessionStoragePointers)
     sessionStorageKeys.add(p.storageKey);
-  const server2 = factory({
+  const server = factory({
     serverName: opts.serverName,
     version: opts.version,
     domains: [...opts.domains],
@@ -37378,10 +37966,10 @@ async function bootstrap(opts) {
   if (opts.storageSubdomain !== void 0)
     storageDomainOpts.subdomain = opts.storageSubdomain;
   try {
-    await server2.listen();
+    await server.listen();
     const cookies = {};
     if (opts.declare.cookies.length > 0) {
-      const joined = await server2.readCookies({
+      const joined = await server.readCookies({
         keys: opts.declare.cookies,
         ...storageDomainOpts
       });
@@ -37401,7 +37989,7 @@ async function bootstrap(opts) {
       for (const p of localStoragePointers) {
         pointers[p.outputKey] = { storageKey: p.storageKey, jsonPointer: p.jsonPointer };
       }
-      localStorage = await server2.readLocalStorage({
+      localStorage = await server.readLocalStorage({
         keys: allKeys,
         ...storageDomainOpts,
         ...localStoragePointers.length > 0 ? { pointers } : {}
@@ -37414,7 +38002,7 @@ async function bootstrap(opts) {
       for (const p of sessionStoragePointers) {
         pointers[p.outputKey] = { storageKey: p.storageKey, jsonPointer: p.jsonPointer };
       }
-      sessionStorage = await server2.readSessionStorage({
+      sessionStorage = await server.readSessionStorage({
         keys: allKeys,
         ...storageDomainOpts,
         ...sessionStoragePointers.length > 0 ? { pointers } : {}
@@ -37423,21 +38011,17 @@ async function bootstrap(opts) {
     const capturedHeaders = {};
     for (const h of opts.declare.captureHeaders) {
       if (opts.onWaiting) {
-        try {
-          const url2 = new URL(h.urlPattern.replace(/\*+/g, "placeholder"));
-          opts.onWaiting(`waiting for next request to ${url2.host} to capture ${h.headerName} \u2014 interact with the page in your browser`);
-        } catch {
-          opts.onWaiting(`waiting to capture ${h.headerName} \u2014 interact with the page in your browser`);
-        }
+        opts.onWaiting(`waiting for next request to ${h.host} to capture ${h.headerName} \u2014 interact with the page in your browser`);
       }
-      capturedHeaders[h.headerName] = await server2.captureRequestHeader({
-        urlPattern: h.urlPattern,
+      capturedHeaders[h.headerName] = await server.captureRequestHeader({
+        host: h.host,
+        ...h.path !== void 0 ? { path: h.path } : {},
         headerName: h.headerName
       });
     }
     const indexedDbBucket = {};
     for (const d of indexedDb) {
-      const values = await server2.readIndexedDb({
+      const values = await server.readIndexedDb({
         database: d.database,
         store: d.store,
         keys: [...d.keys],
@@ -37454,7 +38038,7 @@ async function bootstrap(opts) {
     };
   } finally {
     try {
-      await server2.close();
+      await server.close();
     } catch {
     }
   }
@@ -37519,8 +38103,8 @@ async function loginWithPassword(username, password) {
 
 // src/config.ts
 import { createHash } from "node:crypto";
-import { homedir as homedir2 } from "node:os";
-import { join as join2 } from "node:path";
+import { homedir as homedir3 } from "node:os";
+import { join as join3 } from "node:path";
 function readCacheIdentity() {
   const explicit = process.env.OFW_CACHE_IDENTITY;
   if (typeof explicit === "string" && explicit.trim().length > 0) return explicit.trim();
@@ -37531,31 +38115,29 @@ function readCacheIdentity() {
 function getCacheDir() {
   const override = process.env.OFW_CACHE_DIR;
   if (override && override.trim().length > 0) return override.trim();
-  return join2(homedir2(), ".cache", "ofw-mcp");
+  return join3(homedir3(), ".cache", "ofw-mcp");
 }
 function getCacheDbPath() {
   const identity = readCacheIdentity();
   const hash2 = createHash("sha256").update(identity).digest("hex").slice(0, 16);
-  return join2(getCacheDir(), `${hash2}.db`);
+  return join3(getCacheDir(), `${hash2}.db`);
 }
 function getAttachmentsDir() {
   const override = process.env.OFW_ATTACHMENTS_DIR;
   if (override && override.trim().length > 0) return override.trim();
-  return join2(homedir2(), "Downloads", "ofw-mcp");
+  return join3(homedir3(), "Downloads", "ofw-mcp");
 }
-function parseBoolEnv(name) {
-  const raw = process.env[name];
-  if (typeof raw !== "string") return false;
-  return ["1", "true", "yes", "on"].includes(raw.trim().toLowerCase());
+function parseBoolEnv2(name) {
+  return parseBoolEnv(name);
 }
 function getDefaultInlineAttachments() {
-  return parseBoolEnv("OFW_INLINE_ATTACHMENTS");
+  return parseBoolEnv2("OFW_INLINE_ATTACHMENTS");
 }
 
 // package.json
 var package_default = {
   name: "ofw-mcp",
-  version: "2.3.0",
+  version: "2.3.2",
   mcpName: "io.github.chrischall/ofw-mcp",
   description: "OurFamilyWizard MCP server for Claude \u2014 developed and maintained by AI (Claude Code)",
   author: "Claude Code (AI) <https://www.anthropic.com/claude>",
@@ -37579,11 +38161,12 @@ var package_default = {
     bundle: `esbuild src/index.ts --bundle --platform=node --format=esm --external:dotenv --banner:js='import { createRequire as __createRequire } from "module"; const require = __createRequire(import.meta.url);' --outfile=dist/bundle.js`,
     dev: "node --env-file=.env dist/index.js",
     test: "vitest run",
+    "test:coverage": "vitest run --coverage",
     "test:watch": "vitest"
   },
   dependencies: {
-    "@fetchproxy/bootstrap": "^0.11.0",
-    "@fetchproxy/server": "^0.11.0",
+    "@chrischall/mcp-utils": "^0.9.0",
+    "@fetchproxy/bootstrap": "^1.3.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     dotenv: "^17.4.2",
     zod: "^4.4.3"
@@ -37599,16 +38182,10 @@ var package_default = {
 
 // src/auth.ts
 function readEnv(key) {
-  const raw = process.env[key];
-  if (typeof raw !== "string") return void 0;
-  const trimmed = raw.trim();
-  if (trimmed.length === 0) return void 0;
-  if (trimmed === "undefined" || trimmed === "null") return void 0;
-  if (/^\$\{[^}]*\}$/.test(trimmed)) return void 0;
-  return trimmed;
+  return readEnvVar(key);
 }
 function fetchproxyDisabled() {
-  return parseBoolEnv("OFW_DISABLE_FETCHPROXY");
+  return parseBoolEnv2("OFW_DISABLE_FETCHPROXY");
 }
 async function resolveAuth() {
   const username = readEnv("OFW_USERNAME");
@@ -37668,12 +38245,8 @@ async function resolveAuth() {
 }
 
 // src/client.ts
-try {
-  const { config: config2 } = await import("dotenv");
-  const __dirname = dirname(fileURLToPath(import.meta.url));
-  config2({ path: join3(__dirname, "..", ".env"), override: false, quiet: true });
-} catch {
-}
+var __dirname = dirname(fileURLToPath(import.meta.url));
+await loadDotenvSafely({ path: join4(__dirname, "..", ".env") });
 function parseContentDispositionFilename(cd) {
   const extMatch = /filename\*=(?:UTF-8'')?([^;]+)/i.exec(cd);
   if (extMatch) {
@@ -37688,7 +38261,7 @@ function parseContentDispositionFilename(cd) {
   return m ? m[1] : null;
 }
 function debugLogEnabled() {
-  return parseBoolEnv("OFW_DEBUG_LOG");
+  return parseBoolEnv2("OFW_DEBUG_LOG");
 }
 function redactHeaders(h) {
   const out = { ...h };
@@ -37702,12 +38275,39 @@ function getRequestTimeoutMs() {
   const n = Number(raw.trim());
   return Number.isFinite(n) && n > 0 ? n : DEFAULT_REQUEST_TIMEOUT_MS;
 }
+var OFW_REFRESH_SENTINEL = "ofw";
 var OFWClient = class {
-  token = null;
-  tokenExpiry = null;
+  // Bearer-token lifecycle is delegated to the shared, race-safe TokenManager
+  // (proactive refresh inside the skew window, single-flight refresh so a burst
+  // of concurrent callers coalesces onto ONE `resolveAuth()`, and a 401-replay
+  // guarded against double-refresh). It is created lazily, seeded with an
+  // already-expired placeholder token so the first request drives the refresh
+  // callback — i.e. the original "log in on first request" behavior.
+  tokenManager;
+  getTokenManager() {
+    if (!this.tokenManager) {
+      this.tokenManager = new TokenManager({
+        initial: { accessToken: "", refreshToken: OFW_REFRESH_SENTINEL, expiresAt: 0 },
+        skewMs: OFW_TOKEN_EXPIRY_SKEW_MS,
+        // Map OFW's mint/refresh onto the refresh callback. `resolveAuth()`
+        // returns a token and a best-effort expiry; when the fetchproxy path
+        // can't supply one we fall back to the same 6h estimate the password
+        // path uses (the 401-replay covers a wrong guess). We re-arm the
+        // sentinel so the manager can refresh again later.
+        refresh: async () => {
+          const { token, expiresAt } = await resolveAuth();
+          return {
+            accessToken: token,
+            refreshToken: OFW_REFRESH_SENTINEL,
+            expiresAt: (expiresAt ?? new Date(Date.now() + OFW_TOKEN_TTL_MS)).getTime()
+          };
+        }
+      });
+    }
+    return this.tokenManager;
+  }
   async request(method, path, body) {
-    await this.ensureAuthenticated();
-    const response = await this.fetchWithRetry(method, path, body, "application/json", false);
+    const response = await this.fetchAuthed(method, path, body, "application/json");
     const text = await response.text();
     if (debugLogEnabled()) {
       console.error(`[ofw-debug] response body: ${text || "<empty>"}`);
@@ -37716,23 +38316,45 @@ var OFWClient = class {
   }
   /** Like `request`, but returns the raw bytes plus Content-Type/-Disposition metadata. */
   async requestBinary(method, path) {
-    await this.ensureAuthenticated();
-    const response = await this.fetchWithRetry(method, path, void 0, "application/octet-stream", false);
+    const response = await this.fetchAuthed(method, path, void 0, "application/octet-stream");
     return {
       body: Buffer.from(await response.arrayBuffer()),
       contentType: response.headers.get("content-type"),
       suggestedFileName: parseContentDispositionFilename(response.headers.get("content-disposition") ?? "")
     };
   }
-  // Single fetch+retry scaffold for both JSON and binary callers. Handles
-  // 401 (re-auth and replay once), 429 (wait 2s and replay once), and
-  // turns any other non-2xx into a thrown Error.
-  async fetchWithRetry(method, path, body, accept, isRetry) {
+  // Authenticated fetch for both JSON and binary callers. Auth (proactive
+  // refresh inside the skew window + one 401-replay, guarded against a
+  // double-refresh under concurrency) is delegated to the shared TokenManager's
+  // `withAuth`. The 429 wait-and-replay and the non-2xx → throw remain here.
+  async fetchAuthed(method, path, body, accept) {
+    let attempt = 0;
+    let response = await this.getTokenManager().withAuth(
+      (token) => this.fetchOnce(method, path, body, accept, token, attempt++ > 0)
+    );
+    if (response.status === 429) {
+      await new Promise((r) => setTimeout(r, 2e3));
+      response = await this.getTokenManager().withAuth(
+        (token) => this.fetchOnce(method, path, body, accept, token, true)
+      );
+      if (response.status === 429) throw new Error("Rate limited by OFW API");
+    }
+    if (!response.ok) {
+      throw new Error(`OFW API error: ${response.status} ${response.statusText} for ${method} ${path}`);
+    }
+    return response;
+  }
+  // A single OFW API fetch with the bearer token supplied by `withAuth`.
+  // Carries the per-request timeout (AbortController + setTimeout so vitest
+  // fake timers can drive it and we attach a clear error message) and the
+  // OFW_DEBUG_LOG instrumentation. Returns the raw Response — 401/429/non-2xx
+  // handling lives in the callers (`withAuth` and `fetchAuthed`).
+  async fetchOnce(method, path, body, accept, token, isRetry = false) {
     const isFormData = body instanceof FormData;
     const headers = {
       ...OFW_PROTOCOL_HEADERS,
       Accept: accept,
-      Authorization: `Bearer ${this.token}`
+      Authorization: `Bearer ${token}`
     };
     if (body !== void 0 && !isFormData) headers["Content-Type"] = "application/json";
     const url2 = `${BASE_URL}${path}`;
@@ -37774,56 +38396,14 @@ var OFWClient = class {
     if (debugLogEnabled()) {
       console.error(`[ofw-debug] \u2190 ${response.status} ${response.statusText} (${Date.now() - startedAt}ms)`);
     }
-    if (response.status === 401 && !isRetry) {
-      this.token = null;
-      this.tokenExpiry = null;
-      await this.ensureAuthenticated();
-      return this.fetchWithRetry(method, path, body, accept, true);
-    }
-    if (response.status === 429) {
-      if (!isRetry) {
-        await new Promise((r) => setTimeout(r, 2e3));
-        return this.fetchWithRetry(method, path, body, accept, true);
-      }
-      throw new Error("Rate limited by OFW API");
-    }
-    if (!response.ok) {
-      throw new Error(`OFW API error: ${response.status} ${response.statusText} for ${method} ${path}`);
-    }
     return response;
   }
-  async ensureAuthenticated() {
-    if (!this.isTokenExpiredSoon()) return;
-    await this.login();
-  }
-  // Auth resolution is delegated to `./auth.ts`. This client doesn't care
-  // whether the token came from a password POST or from a one-shot
-  // fetchproxy session-snapshot — it just consumes the result.
-  //
-  // If `expiresAt` is missing (the fetchproxy path on a tab whose
-  // browser didn't persist tokenExpiry), we fall back to the same 6h
-  // estimate the password path uses. The 401-replay path covers us if
-  // the estimate is wrong.
-  async login() {
-    const { token, expiresAt } = await resolveAuth();
-    this.token = token;
-    this.tokenExpiry = expiresAt ?? new Date(Date.now() + OFW_TOKEN_TTL_MS);
-  }
-  isTokenExpiredSoon() {
-    if (!this.token || !this.tokenExpiry) return true;
-    return this.tokenExpiry.getTime() - Date.now() < OFW_TOKEN_EXPIRY_SKEW_MS;
-  }
 };
 var client = new OFWClient();
 
 // src/tools/_shared.ts
-import { isAbsolute, join as join4, resolve } from "node:path";
-function jsonResponse(payload) {
-  return { content: [{ type: "text", text: JSON.stringify(payload, null, 2) }] };
-}
-function textResponse(text) {
-  return { content: [{ type: "text", text }] };
-}
+var jsonResponse = textResult;
+var textResponse = rawTextResult;
 function mapRecipients(items) {
   return (items ?? []).map((r) => ({
     userId: r.user?.id ?? 0,
@@ -37831,10 +38411,7 @@ function mapRecipients(items) {
     viewedAt: r.viewed?.dateTime ?? null
   }));
 }
-function expandPath(p) {
-  const expanded = p.startsWith("~/") ? join4(process.env.HOME ?? "", p.slice(2)) : p;
-  return isAbsolute(expanded) ? expanded : resolve(expanded);
-}
+var expandPath2 = expandPath;
 async function postMessageAndRefetch(client2, payload) {
   const raw = await client2.request(
     "POST",
@@ -37848,15 +38425,15 @@ async function postMessageAndRefetch(client2, payload) {
 }
 
 // src/tools/user.ts
-function registerUserTools(server2, client2) {
-  server2.registerTool("ofw_get_profile", {
+function registerUserTools(server, client2) {
+  server.registerTool("ofw_get_profile", {
     description: "Get current user and co-parent profile information from OurFamilyWizard",
     annotations: { readOnlyHint: true }
   }, async () => {
     const data = await client2.request("GET", "/pub/v2/profiles");
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_get_notifications", {
+  server.registerTool("ofw_get_notifications", {
     description: "Get OurFamilyWizard dashboard summary: unread message count, upcoming events, outstanding expenses. Note: updates your last-seen status.",
     annotations: { readOnlyHint: false }
   }, async () => {
@@ -37867,7 +38444,7 @@ function registerUserTools(server2, client2) {
 
 // src/cache.ts
 import { DatabaseSync } from "node:sqlite";
-import { mkdirSync } from "node:fs";
+import { mkdirSync, chmodSync, existsSync } from "node:fs";
 import { dirname as dirname2 } from "node:path";
 var instance = null;
 var SCHEMA_V1 = `
@@ -37930,14 +38507,23 @@ function migrate(db) {
     "INSERT INTO meta(key, value) VALUES(?, ?) ON CONFLICT(key) DO UPDATE SET value=excluded.value"
   ).run("schema_version", "2");
 }
+function enforceCachePermissions(dbPath) {
+  chmodSync(dirname2(dbPath), 448);
+  chmodSync(dbPath, 384);
+  for (const sibling of [`${dbPath}-wal`, `${dbPath}-shm`]) {
+    if (existsSync(sibling)) chmodSync(sibling, 384);
+  }
+}
 function openCache() {
   if (instance) return instance;
   const path = getCacheDbPath();
   mkdirSync(dirname2(path), { recursive: true });
   const db = new DatabaseSync(path);
+  enforceCachePermissions(path);
   db.exec("PRAGMA journal_mode = WAL");
   db.exec("PRAGMA foreign_keys = ON");
   migrate(db);
+  enforceCachePermissions(path);
   instance = { db };
   return instance;
 }
@@ -38397,15 +38983,15 @@ function listDataHintsAtFiles(listData) {
   if (Array.isArray(ld.files)) return ld.files.length > 0;
   return false;
 }
-function registerMessageTools(server2, client2) {
-  server2.registerTool("ofw_list_message_folders", {
+function registerMessageTools(server, client2) {
+  server.registerTool("ofw_list_message_folders", {
     description: "List OurFamilyWizard message folders (inbox, sent, etc.) and their unread counts. Returns folder IDs needed to call ofw_list_messages. Does NOT return message content.",
     annotations: { readOnlyHint: true }
   }, async () => {
     const data = await client2.request("GET", "/pub/v1/messageFolders?includeFolderCounts=true");
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_list_messages", {
+  server.registerTool("ofw_list_messages", {
     description: "List messages from the local OurFamilyWizard cache. Supports filtering by folder, date range, and a substring query on subject+body. Pagination is offset-based but if you know what you want (a date range, a topic), prefer the filters over walking pages \u2014 the cache may have 1000+ messages. Call ofw_sync_messages first if the cache is empty or stale.",
     annotations: { readOnlyHint: true },
     inputSchema: {
@@ -38441,7 +39027,7 @@ function registerMessageTools(server2, client2) {
     }
     return jsonResponse(payload);
   });
-  server2.registerTool("ofw_get_message", {
+  server.registerTool("ofw_get_message", {
     description: 'Get a single OurFamilyWizard message OR draft by ID. Reads from local cache when available; otherwise fetches from OFW (which will mark unread inbox messages as read on OFW). For ids that match a draft (in the drafts cache), the response carries folder="drafts" and the body/subject/recipients reflect the drafts cache (which ofw_sync_messages keeps fresh) \u2014 drafts have no `fromUser`, and `sentAt`/`fetchedBodyAt` mirror the draft\'s `modifiedAt`. For inbox/sent messages, folder is "inbox" or "sent" as before.',
     annotations: { readOnlyHint: false },
     inputSchema: {
@@ -38506,7 +39092,7 @@ function registerMessageTools(server2, client2) {
     const attachments = listAttachmentsForMessage(detail.id);
     return jsonResponse({ ...row, attachments });
   });
-  server2.registerTool("ofw_send_message", {
+  server.registerTool("ofw_send_message", {
     description: "Send a message via OurFamilyWizard. To send an existing draft, pass messageId \u2014 subject/body/recipientIds become optional overrides (missing fields default to the draft's cached values) and the draft is deleted after sending. To send a fresh message, supply subject/body/recipientIds directly. draftId is the legacy spelling of messageId and works the same way. If replyToId is provided, the cache may rewrite it to the latest reply in the same thread (a note is included in the response when this happens). Attach files by passing their fileIds (from ofw_upload_attachment) in myFileIDs. After sending, the tool re-fetches the message from OFW to populate the local cache and link attachments to the new message id.",
     annotations: { destructiveHint: true },
     inputSchema: {
@@ -38616,7 +39202,7 @@ function registerMessageTools(server2, client2) {
 
 ${text}` : text);
   });
-  server2.registerTool("ofw_list_drafts", {
+  server.registerTool("ofw_list_drafts", {
     description: "List draft messages from the local OurFamilyWizard cache. Call ofw_sync_messages first if the cache is empty.",
     annotations: { readOnlyHint: true },
     inputSchema: {
@@ -38630,7 +39216,7 @@ ${text}` : text);
     const payload = drafts.length === 0 ? { drafts: [], note: "Cache empty. Call ofw_sync_messages to populate." } : { drafts };
     return jsonResponse(payload);
   });
-  server2.registerTool("ofw_save_draft", {
+  server.registerTool("ofw_save_draft", {
     description: "Save a message as a draft in OurFamilyWizard. Recipients are optional. Pass messageId to replace an existing draft \u2014 note that under the hood this creates a NEW draft and deletes the old one (OFW's update-in-place endpoint silently no-ops while echoing the posted body, so we don't use it); the response.id will be the NEW id, not the messageId you passed, and the change is documented in a transparency NOTE in the response. If replyToId is provided, the cache may rewrite it to the latest reply in the thread (note included in response). Attach files by passing their fileIds (from ofw_upload_attachment) in myFileIDs. After saving, the tool re-fetches the draft from OFW to populate the local cache from authoritative server state.",
     annotations: { readOnlyHint: false },
     inputSchema: {
@@ -38692,7 +39278,7 @@ ${text}` : text);
 
 ${text}` : text);
   });
-  server2.registerTool("ofw_delete_draft", {
+  server.registerTool("ofw_delete_draft", {
     description: "Delete a draft message from OurFamilyWizard. Also removes the draft from the local cache.",
     annotations: { destructiveHint: true },
     inputSchema: {
@@ -38703,7 +39289,7 @@ ${text}` : text);
     deleteDraft(args.messageId);
     return data ? jsonResponse(data) : textResponse("Draft deleted.");
   });
-  server2.registerTool("ofw_get_unread_sent", {
+  server.registerTool("ofw_get_unread_sent", {
     description: "List sent messages that have not been read by one or more recipients. Reads from local cache; call ofw_sync_messages first if cache is stale.",
     annotations: { readOnlyHint: true },
     inputSchema: {
@@ -38729,7 +39315,7 @@ ${text}` : text);
     }
     return jsonResponse(unread);
   });
-  server2.registerTool("ofw_upload_attachment", {
+  server.registerTool("ofw_upload_attachment", {
     description: `Upload a local file to OurFamilyWizard's "My Files" so it can be attached to a message. Returns the fileId \u2014 pass that to ofw_send_message or ofw_save_draft in myFileIDs to attach it. The file is uploaded as PRIVATE (visible only to you) by default; pass shareClass:"SHARED" to share with co-parents directly via the My Files area.`,
     annotations: { destructiveHint: false },
     inputSchema: {
@@ -38739,14 +39325,13 @@ ${text}` : text);
       description: external_exports.string().describe("Description shown in OFW My Files (default: filename)").optional()
     }
   }, async (args) => {
-    const abs = expandPath(args.path);
+    const abs = expandPath2(args.path);
     const stat = statSync(abs);
     if (!stat.isFile()) throw new Error(`Not a file: ${abs}`);
-    const buf = readFileSync(abs);
     const fileName = basename(abs);
     const mime = mimeFromName(fileName);
     const form = new FormData();
-    form.append("file", new Blob([new Uint8Array(buf)], { type: mime }), fileName);
+    form.append("file", await fileBlob(abs, { type: mime }), fileName);
     form.append("source", "message");
     form.append("description", args.description ?? fileName);
     form.append("label", args.label ?? fileName);
@@ -38758,7 +39343,7 @@ ${text}` : text);
       fileName: meta3.fileName ?? fileName,
       label: meta3.label ?? args.label ?? fileName,
       mimeType: meta3.fileType ?? mime,
-      sizeBytes: typeof meta3.sizeInBytes === "number" ? meta3.sizeInBytes : buf.length,
+      sizeBytes: typeof meta3.sizeInBytes === "number" ? meta3.sizeInBytes : stat.size,
       metadata: meta3,
       messageId: 0
     });
@@ -38766,12 +39351,12 @@ ${text}` : text);
       fileId: meta3.fileId,
       fileName: meta3.fileName ?? fileName,
       mimeType: meta3.fileType ?? mime,
-      sizeBytes: meta3.sizeInBytes ?? buf.length,
+      sizeBytes: meta3.sizeInBytes ?? stat.size,
       shareClass: meta3.shareClass ?? args.shareClass ?? "PRIVATE",
       note: "Pass this fileId to ofw_send_message or ofw_save_draft in myFileIDs to attach it."
     });
   });
-  server2.registerTool("ofw_download_attachment", {
+  server.registerTool("ofw_download_attachment", {
     description: 'Download an OFW message attachment by fileId. By default, bytes are saved to disk (~/Downloads/ofw-mcp/) and the response carries the absolute path, mime type, and size for the caller to read back. Pass inline:true to skip disk entirely and return the bytes as MCP content blocks \u2014 images come back as ImageContent (the model sees them directly); other files come back as an EmbeddedResource blob. Use inline for small files where you want the model to read content immediately and the host is sandboxed; use disk for large files or when you want a persistent local copy. The default for `inline` can be flipped server-side via the OFW_INLINE_ATTACHMENTS env var (set to "true" to make inline the default). fileId comes from attachments[].fileId on ofw_get_message. Override disk destination with OFW_ATTACHMENTS_DIR or saveTo. Re-downloading to the same path is a no-op (disk mode only).',
     annotations: { readOnlyHint: false },
     inputSchema: {
@@ -38825,7 +39410,7 @@ ${text}` : text);
     let dest;
     if (args.saveTo) {
       const isDirArg = args.saveTo.endsWith("/") || args.saveTo.endsWith("\\");
-      const abs = expandPath(args.saveTo);
+      const abs = expandPath2(args.saveTo);
       dest = isDirArg ? join5(abs, `${fileId}-${cached2.fileName}`) : abs;
     } else {
       dest = join5(getAttachmentsDir(), `${fileId}-${cached2.fileName}`);
@@ -38852,7 +39437,7 @@ ${text}` : text);
       fileName: response.suggestedFileName ?? cached2.fileName
     });
   });
-  server2.registerTool("ofw_sync_messages", {
+  server.registerTool("ofw_sync_messages", {
     description: "Sync messages from OurFamilyWizard into the local cache. Returns counts per folder and a list of unread inbox messages whose bodies were NOT fetched (to avoid mark-as-read on OFW). Call ofw_get_message(id) on those to read them. Pass deep:true to walk all OFW pages instead of stopping at the first all-cached page (use to backfill suspected gaps).",
     annotations: { readOnlyHint: false },
     inputSchema: {
@@ -38876,8 +39461,8 @@ async function deleteOFWMessages(client2, ids) {
 }
 
 // src/tools/calendar.ts
-function registerCalendarTools(server2, client2) {
-  server2.registerTool("ofw_list_events", {
+function registerCalendarTools(server, client2) {
+  server.registerTool("ofw_list_events", {
     description: "List OurFamilyWizard calendar events in a date range",
     annotations: { readOnlyHint: true },
     inputSchema: {
@@ -38893,7 +39478,7 @@ function registerCalendarTools(server2, client2) {
     );
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_create_event", {
+  server.registerTool("ofw_create_event", {
     description: "Create a calendar event in OurFamilyWizard",
     annotations: { destructiveHint: false },
     inputSchema: {
@@ -38913,7 +39498,7 @@ function registerCalendarTools(server2, client2) {
     const data = await client2.request("POST", "/pub/v1/calendar/events", args);
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_update_event", {
+  server.registerTool("ofw_update_event", {
     description: "Update an existing OurFamilyWizard calendar event",
     annotations: { destructiveHint: true },
     inputSchema: {
@@ -38931,7 +39516,7 @@ function registerCalendarTools(server2, client2) {
     const data = await client2.request("PUT", `/pub/v1/calendar/events/${encodeURIComponent(eventId)}`, updateData);
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_delete_event", {
+  server.registerTool("ofw_delete_event", {
     description: "Delete an OurFamilyWizard calendar event",
     annotations: { destructiveHint: true },
     inputSchema: {
@@ -38944,15 +39529,15 @@ function registerCalendarTools(server2, client2) {
 }
 
 // src/tools/expenses.ts
-function registerExpenseTools(server2, client2) {
-  server2.registerTool("ofw_get_expense_totals", {
+function registerExpenseTools(server, client2) {
+  server.registerTool("ofw_get_expense_totals", {
     description: "Get OurFamilyWizard expense summary totals (owed/paid)",
     annotations: { readOnlyHint: true }
   }, async () => {
     const data = await client2.request("GET", "/pub/v2/expense/expenses/totals");
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_list_expenses", {
+  server.registerTool("ofw_list_expenses", {
     description: "List OurFamilyWizard expenses with pagination",
     annotations: { readOnlyHint: true },
     inputSchema: {
@@ -38965,7 +39550,7 @@ function registerExpenseTools(server2, client2) {
     const data = await client2.request("GET", `/pub/v2/expense/expenses?start=${start}&max=${max}`);
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_create_expense", {
+  server.registerTool("ofw_create_expense", {
     description: "Log a new expense in OurFamilyWizard",
     annotations: { destructiveHint: false },
     inputSchema: {
@@ -38979,8 +39564,8 @@ function registerExpenseTools(server2, client2) {
 }
 
 // src/tools/journal.ts
-function registerJournalTools(server2, client2) {
-  server2.registerTool("ofw_list_journal_entries", {
+function registerJournalTools(server, client2) {
+  server.registerTool("ofw_list_journal_entries", {
     description: "List OurFamilyWizard journal entries",
     annotations: { readOnlyHint: true },
     inputSchema: {
@@ -38993,7 +39578,7 @@ function registerJournalTools(server2, client2) {
     const data = await client2.request("GET", `/pub/v1/journals?start=${start}&max=${max}`);
     return jsonResponse(data);
   });
-  server2.registerTool("ofw_create_journal_entry", {
+  server.registerTool("ofw_create_journal_entry", {
     description: "Create a new journal entry in OurFamilyWizard",
     annotations: { destructiveHint: false },
     inputSchema: {
@@ -39017,12 +39602,17 @@ process.emit = function(event, ...args) {
   }
   return originalEmit(event, ...args);
 };
-var server = new McpServer({ name: "ofw", version: "2.3.0" });
-registerUserTools(server, client);
-registerMessageTools(server, client);
-registerCalendarTools(server, client);
-registerExpenseTools(server, client);
-registerJournalTools(server, client);
-console.error("[ofw-mcp] This project was developed and is maintained by AI (Claude Sonnet 4.6). Use at your own discretion.");
-var transport = new StdioServerTransport();
-await server.connect(transport);
+await runMcp({
+  name: "ofw",
+  version: "2.3.2",
+  // x-release-please-version
+  deps: client,
+  tools: [
+    registerUserTools,
+    registerMessageTools,
+    registerCalendarTools,
+    registerExpenseTools,
+    registerJournalTools
+  ],
+  banner: "[ofw-mcp] This project was developed and is maintained by AI (Claude Sonnet 4.6). Use at your own discretion."
+});