perplexity-user-mcp 0.8.36

package/dist/chunk-S5VD7WTU.mjs

@@ -0,0 +1,2540 @@
+import {
+  appendAuditEntry,
+  getAuditLogPath,
+  readAuditTail
+} from "./chunk-PE23RMXY.mjs";
+import {
+  ensureToken,
+  getTokenPath,
+  rotateToken
+} from "./chunk-HTUAQRKH.mjs";
+import {
+  hydrateCloudHistoryEntry,
+  syncCloudHistory
+} from "./chunk-Q2VY4R5F.mjs";
+import {
+  PerplexityClient,
+  exportThreadViaImpit,
+  readCachedAccountInfoFromDisk,
+  retrieveThreadViaImpit
+} from "./chunk-H4BUAPPO.mjs";
+import {
+  append,
+  findPendingByThread,
+  get,
+  getAttachmentsDir,
+  getHistoryDir,
+  list,
+  update
+} from "./chunk-OF4DMAPJ.mjs";
+import {
+  safeAtomicWriteFileSync
+} from "./chunk-MTDFKNXX.mjs";
+import {
+  getConfigDir
+} from "./chunk-XKSWCEGI.mjs";
+
+// src/daemon/server.ts
+import { createServer } from "http";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { mcpAuthRouter } from "@modelcontextprotocol/sdk/server/auth/router.js";
+import helmet from "helmet";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import express from "express";
+
+// src/prompts.ts
+import { z } from "zod";
+function registerPrompts(server) {
+  server.registerPrompt(
+    "perplexity.researchPlan",
+    {
+      title: "Perplexity Research Plan",
+      description: "Generate a prompt that routes to the deep research tool.",
+      argsSchema: {
+        topic: z.string()
+      }
+    },
+    ({ topic }) => ({
+      description: `Deep research prompt for ${topic}`,
+      messages: [
+        {
+          role: "user",
+          content: {
+            type: "text",
+            text: `Use perplexity_research to produce a sourced research brief about "${topic}". Emphasize citations, key findings, and next questions.`
+          }
+        }
+      ]
+    })
+  );
+  server.registerPrompt(
+    "perplexity.reasoningPlan",
+    {
+      title: "Perplexity Reasoning Plan",
+      description: "Generate a prompt that routes to the reasoning tool.",
+      argsSchema: {
+        question: z.string()
+      }
+    },
+    ({ question }) => ({
+      description: `Reasoning prompt for ${question}`,
+      messages: [
+        {
+          role: "user",
+          content: {
+            type: "text",
+            text: `Use perplexity_reason on the following question and provide the reasoning trace plus a concise final answer: ${question}`
+          }
+        }
+      ]
+    })
+  );
+}
+
+// src/resources.ts
+import { ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
+function registerResources(server, getAccountSnapshot) {
+  if (getAccountSnapshot) {
+    server.registerResource(
+      "perplexity.account",
+      "perplexity://account/status",
+      {
+        title: "Perplexity Account Status",
+        description: "Cached account metadata loaded from the shared Perplexity browser profile.",
+        mimeType: "application/json"
+      },
+      async (uri) => ({
+        contents: [
+          {
+            uri: uri.toString(),
+            mimeType: "application/json",
+            text: JSON.stringify(getAccountSnapshot(), null, 2)
+          }
+        ]
+      })
+    );
+  }
+  server.registerResource(
+    "perplexity.history",
+    "perplexity://history/recent",
+    {
+      title: "Perplexity Query History",
+      description: `Recent tool invocations recorded in ${getHistoryDir()}.`,
+      mimeType: "application/json"
+    },
+    async (uri) => ({
+      contents: [
+        {
+          uri: uri.toString(),
+          mimeType: "application/json",
+          text: JSON.stringify(list(), null, 2)
+        }
+      ]
+    })
+  );
+  server.registerResource(
+    "perplexity.history.entry",
+    new ResourceTemplate("perplexity://history/{id}.md", {
+      list: async () => ({
+        resources: list({ limit: Infinity }).map((item) => ({
+          uri: `perplexity://history/${item.id}.md`,
+          name: item.query.slice(0, 80) || item.id,
+          description: item.tool,
+          mimeType: "text/markdown"
+        }))
+      })
+    }),
+    {
+      title: "Perplexity History Entry",
+      description: "Raw markdown for a single saved history entry.",
+      mimeType: "text/markdown"
+    },
+    async (uri, variables) => {
+      const entry = get(String(variables.id ?? ""));
+      if (!entry) {
+        return { contents: [] };
+      }
+      return {
+        contents: [
+          {
+            uri: uri.toString(),
+            mimeType: "text/markdown",
+            text: entry.body
+          }
+        ]
+      };
+    }
+  );
+}
+
+// src/tool-config.ts
+import { readFileSync, writeFileSync, existsSync, mkdirSync, watchFile } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var CONFIG_DIR = process.env.PERPLEXITY_CONFIG_DIR || join(homedir(), ".perplexity-mcp");
+var TOOL_CONFIG_PATH = join(CONFIG_DIR, "tools-config.json");
+var CATEGORIES = {
+  read: [
+    "perplexity_search",
+    "perplexity_reason",
+    "perplexity_research",
+    "perplexity_ask",
+    "perplexity_models",
+    "perplexity_retrieve",
+    "perplexity_list_researches",
+    "perplexity_get_research",
+    "perplexity_doctor"
+  ],
+  write: [
+    "perplexity_compute",
+    "perplexity_login",
+    "perplexity_export",
+    "perplexity_sync_cloud",
+    "perplexity_hydrate_cloud_entry"
+  ]
+};
+var PROFILES = {
+  "read-only": ["read"],
+  full: ["read", "write"]
+};
+function loadToolConfig() {
+  if (!existsSync(TOOL_CONFIG_PATH)) return { profile: "full" };
+  try {
+    return JSON.parse(readFileSync(TOOL_CONFIG_PATH, "utf-8"));
+  } catch {
+    return { profile: "full" };
+  }
+}
+function getEnabledTools(config) {
+  if (config.profile === "custom" && config.customEnabled) return new Set(config.customEnabled);
+  const cats = PROFILES[config.profile] ?? PROFILES.full;
+  const enabled = /* @__PURE__ */ new Set();
+  for (const cat of cats) for (const tool of CATEGORIES[cat] ?? []) enabled.add(tool);
+  return enabled;
+}
+function saveToolConfig(config) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(TOOL_CONFIG_PATH, JSON.stringify(config, null, 2));
+}
+function watchToolConfig(onChange) {
+  if (!existsSync(TOOL_CONFIG_PATH)) return;
+  watchFile(TOOL_CONFIG_PATH, { interval: 2e3 }, () => onChange(loadToolConfig()));
+}
+
+// src/tools.ts
+import { mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
+import { dirname, join as join2 } from "path";
+import { z as z2 } from "zod";
+
+// src/format.ts
+function getThreadSlug(result) {
+  const slug = result?.followUp?.threadUrlSlug ?? null;
+  if (slug) return slug;
+  if (!result?.threadUrl) return null;
+  const match = result.threadUrl.match(/\/search\/([^/?#]+)/);
+  return match?.[1] ?? null;
+}
+function formatResponse(result) {
+  const parts = [];
+  if (result.answer) {
+    parts.push(result.answer);
+  }
+  if (result.reasoning) {
+    parts.push(`
+
+---
+**Reasoning:**
+${result.reasoning}`);
+  }
+  if (result.sources.length > 0) {
+    parts.push("\n\n---\n**Sources:**");
+    for (const [index, source] of result.sources.slice(0, 15).entries()) {
+      parts.push(`${index + 1}. [${source.title}](${source.url})`);
+    }
+  }
+  if (result.media.length > 0) {
+    parts.push("\n\n**Media:**");
+    for (const item of result.media.slice(0, 10)) {
+      parts.push(`- [${item.name || "Media"}](${item.url})`);
+    }
+  }
+  if (result.files?.length) {
+    parts.push("\n\n**Generated Files:**");
+    for (const file of result.files) {
+      if (file.localPath) {
+        parts.push(`- **${file.filename}** (${file.assetType}) -> \`${file.localPath}\``);
+      } else if (file.url) {
+        parts.push(`- **${file.filename}** (${file.assetType}) -> [Download](${file.url})`);
+      }
+    }
+  }
+  if (result.suggestedFollowups.length > 0) {
+    parts.push("\n\n**Suggested follow-ups:**");
+    for (const followUp of result.suggestedFollowups.slice(0, 5)) {
+      parts.push(`- ${followUp}`);
+    }
+  }
+  if (result.threadUrl) {
+    parts.push(`
+
+**Full thread:** ${result.threadUrl}`);
+  }
+  return parts.join("\n");
+}
+function buildAnswerPreview(result, error) {
+  if (error) {
+    return error.slice(0, 220);
+  }
+  const answer = result?.answer ?? "";
+  return answer.replace(/\s+/g, " ").trim().slice(0, 220);
+}
+function buildHistoryEntry(options) {
+  return {
+    tool: options.tool,
+    query: options.query,
+    model: options.model,
+    mode: options.mode,
+    language: options.language,
+    answerPreview: buildAnswerPreview(options.result ?? null, options.error),
+    sourceCount: options.result?.sources.length ?? 0,
+    threadUrl: options.result?.threadUrl,
+    error: options.error
+  };
+}
+function buildHistoryBody(result, error) {
+  if (error && !result) {
+    return `# Request failed
+
+${error}`;
+  }
+  if (!result) {
+    return error ? `# Request failed
+
+${error}` : "";
+  }
+  return formatResponse(result);
+}
+function buildStoredHistoryEntry(options) {
+  const base = buildHistoryEntry(options);
+  const createdAt = options.createdAt ?? (/* @__PURE__ */ new Date()).toISOString();
+  const status = options.status ?? (options.error ? "failed" : "completed");
+  const sources = (options.result?.sources ?? []).map((source, index) => ({
+    n: index + 1,
+    title: source.title,
+    url: source.url,
+    ...source.snippet ? { snippet: source.snippet } : {}
+  }));
+  return {
+    ...base,
+    createdAt,
+    body: buildHistoryBody(options.result, options.error),
+    ...status ? { status } : {},
+    ...options.completedAt ? { completedAt: options.completedAt } : status === "completed" ? { completedAt: createdAt } : {},
+    ...options.tier ? { tier: options.tier } : {},
+    ...getThreadSlug(options.result) !== null ? { threadSlug: getThreadSlug(options.result) } : {},
+    ...options.result?.followUp?.backendUuid ? { backendUuid: options.result.followUp.backendUuid } : {},
+    ...options.result?.followUp?.readWriteToken !== void 0 ? { readWriteToken: options.result.followUp.readWriteToken } : {},
+    ...sources.length > 0 ? { sources } : {}
+  };
+}
+
+// src/tools.ts
+function success(text) {
+  return { content: [{ type: "text", text }] };
+}
+function failure(message) {
+  return {
+    content: [{ type: "text", text: `Error: ${message}` }],
+    isError: true
+  };
+}
+function getClientTier(client) {
+  return client.accountInfo.isMax ? "Max" : client.accountInfo.isPro ? "Pro" : client.accountInfo.isEnterprise ? "Enterprise" : client.authenticated ? "Authenticated" : "Anonymous";
+}
+function recordToolRun(options) {
+  try {
+    append(buildStoredHistoryEntry(options));
+  } catch {
+  }
+}
+function isResearchTool(tool) {
+  return tool === "perplexity_compute" || tool === "perplexity_research";
+}
+function buildModelsResponseFromAccountInfo(info, userId, authenticated) {
+  const tier = info.isMax ? "Max" : info.isPro ? "Pro" : info.isEnterprise ? "Enterprise" : authenticated ? "Authenticated" : "Anonymous";
+  const lines = [
+    `**Account tier:** ${tier}`,
+    `**User ID:** ${userId || "anonymous"}`,
+    `**Computer mode:** ${info.canUseComputer ? "Available" : "Not available"}`
+  ];
+  if (info.modelsConfig) {
+    const groups = {};
+    for (const entry of info.modelsConfig.config) {
+      const mode = info.modelsConfig.models[entry.non_reasoning_model || entry.reasoning_model || ""]?.mode || "other";
+      if (!groups[mode]) {
+        groups[mode] = [];
+      }
+      groups[mode].push(entry);
+    }
+    for (const [mode, entries] of Object.entries(groups)) {
+      lines.push("");
+      lines.push(`## ${mode}`);
+      for (const entry of entries) {
+        const tierBadge = entry.subscription_tier === "max" ? " [MAX]" : entry.subscription_tier === "pro" ? " [PRO]" : "";
+        const models = [entry.non_reasoning_model, entry.reasoning_model].filter(Boolean).map((value) => `\`${value}\``).join(", ");
+        lines.push(`- **${entry.label}**${tierBadge}: ${models}`);
+        lines.push(`  ${entry.description}`);
+      }
+    }
+    lines.push("");
+    lines.push("## Default Models");
+    for (const [mode, modelId] of Object.entries(info.modelsConfig.default_models)) {
+      lines.push(`- **${mode}**: \`${modelId}\``);
+    }
+  }
+  if (info.rateLimits) {
+    lines.push("");
+    lines.push("## Rate Limits");
+    for (const [mode, state] of Object.entries(info.rateLimits.modes)) {
+      const remaining = state.remaining_detail.kind === "exact" && typeof state.remaining_detail.remaining === "number" ? ` (${state.remaining_detail.remaining} remaining)` : "";
+      lines.push(`- **${mode}**: ${state.available ? "available" : "unavailable"}${remaining}`);
+    }
+  }
+  return lines.join("\n");
+}
+function buildModelsResponse(client) {
+  return buildModelsResponseFromAccountInfo(client.accountInfo, client.userId, client.authenticated);
+}
+function registerTools(server, getClient, enabledTools, hooks = {}) {
+  function registerDaemonTool(name, config, handler) {
+    const runWithAudit = async (extra, invoke) => {
+      const startedAt = Date.now();
+      try {
+        const result = await invoke();
+        hooks.onToolSettled?.({
+          tool: name,
+          clientId: getClientId(extra),
+          source: getRequestSource(extra),
+          durationMs: Date.now() - startedAt,
+          ok: !Boolean(result?.isError),
+          ...result?.isError ? { error: extractToolError(result) } : {}
+        });
+        return result;
+      } catch (error) {
+        hooks.onToolSettled?.({
+          tool: name,
+          clientId: getClientId(extra),
+          source: getRequestSource(extra),
+          durationMs: Date.now() - startedAt,
+          ok: false,
+          error: error instanceof Error ? error.message : String(error)
+        });
+        throw error;
+      }
+    };
+    if (config.inputSchema) {
+      server.registerTool(
+        name,
+        config,
+        async (args, extra) => runWithAudit(extra, () => handler(args, extra))
+      );
+      return;
+    }
+    server.registerTool(
+      name,
+      config,
+      async (extra) => runWithAudit(extra, () => handler(extra))
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_search")) {
+    registerDaemonTool(
+      "perplexity_search",
+      {
+        title: "Perplexity Search",
+        description: "Search the web using Perplexity AI with automatic anonymous or authenticated defaults.",
+        inputSchema: {
+          query: z2.string().describe("The search query or question to ask."),
+          sources: z2.array(z2.enum(["web", "scholar", "social"])).optional(),
+          language: z2.string().optional()
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ query, sources, language }) => {
+        try {
+          const client = await getClient();
+          const model = process.env.PERPLEXITY_SEARCH_MODEL || (client.authenticated ? "pplx_pro" : "turbo");
+          const mode = client.authenticated ? "copilot" : "concise";
+          const result = await client.search({
+            query,
+            modelPreference: model,
+            mode,
+            sources: sources ?? ["web"],
+            language: language ?? "en-US"
+          });
+          recordToolRun({
+            tool: "perplexity_search",
+            query,
+            model,
+            mode,
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            result
+          });
+          return success(formatResponse(result));
+        } catch (error) {
+          const message = error.message;
+          recordToolRun({
+            tool: "perplexity_search",
+            query,
+            model: process.env.PERPLEXITY_SEARCH_MODEL || null,
+            mode: null,
+            language: language ?? "en-US",
+            status: "failed",
+            error: message
+          });
+          return failure(message);
+        }
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_reason")) {
+    registerDaemonTool(
+      "perplexity_reason",
+      {
+        title: "Perplexity Reason",
+        description: "Use a reasoning model for multi-step analysis and explanation.",
+        inputSchema: {
+          query: z2.string(),
+          sources: z2.array(z2.enum(["web", "scholar", "social"])).optional(),
+          language: z2.string().optional(),
+          model: z2.string().optional()
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ query, sources, language, model }) => {
+        const client = await getClient();
+        if (!client.authenticated) {
+          return failure("perplexity_reason requires an authenticated Pro account.");
+        }
+        try {
+          const resolvedModel = model || process.env.PERPLEXITY_REASON_MODEL || "claude46sonnetthinking";
+          const result = await client.search({
+            query,
+            modelPreference: resolvedModel,
+            mode: "copilot",
+            sources: sources ?? ["web"],
+            language: language ?? "en-US"
+          });
+          recordToolRun({
+            tool: "perplexity_reason",
+            query,
+            model: resolvedModel,
+            mode: "copilot",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            result
+          });
+          return success(formatResponse(result));
+        } catch (error) {
+          const message = error.message;
+          recordToolRun({
+            tool: "perplexity_reason",
+            query,
+            model: model ?? process.env.PERPLEXITY_REASON_MODEL ?? null,
+            mode: "copilot",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            status: "failed",
+            error: message
+          });
+          return failure(message);
+        }
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_research")) {
+    registerDaemonTool(
+      "perplexity_research",
+      {
+        title: "Perplexity Research",
+        description: "Run a deep research task with the long-form research model.",
+        inputSchema: {
+          query: z2.string(),
+          sources: z2.array(z2.enum(["web", "scholar", "social"])).optional(),
+          language: z2.string().optional()
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ query, sources, language }) => {
+        const client = await getClient();
+        if (!client.authenticated) {
+          return failure("perplexity_research requires an authenticated Pro account.");
+        }
+        try {
+          const model = process.env.PERPLEXITY_RESEARCH_MODEL || "pplx_alpha";
+          console.error("[perplexity-mcp] Starting deep research...");
+          const result = await client.search({
+            query,
+            modelPreference: model,
+            mode: "copilot",
+            sources: sources ?? ["web"],
+            language: language ?? "en-US"
+          });
+          console.error("[perplexity-mcp] Research complete.");
+          recordToolRun({
+            tool: "perplexity_research",
+            query,
+            model,
+            mode: "copilot",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            result
+          });
+          return success(formatResponse(result));
+        } catch (error) {
+          const message = error.message;
+          recordToolRun({
+            tool: "perplexity_research",
+            query,
+            model: process.env.PERPLEXITY_RESEARCH_MODEL ?? "pplx_alpha",
+            mode: "copilot",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            status: "failed",
+            error: message
+          });
+          return failure(message);
+        }
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_ask")) {
+    registerDaemonTool(
+      "perplexity_ask",
+      {
+        title: "Perplexity Ask",
+        description: "Query Perplexity with explicit control over model, mode, and follow-up context.",
+        inputSchema: {
+          query: z2.string(),
+          model: z2.string().optional(),
+          mode: z2.enum(["concise", "copilot"]).optional(),
+          sources: z2.array(z2.enum(["web", "scholar", "social"])).optional(),
+          language: z2.string().optional(),
+          follow_up_context: z2.string().optional()
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ query, model, mode, sources, language, follow_up_context }) => {
+        const client = await getClient();
+        let followUp;
+        if (follow_up_context) {
+          try {
+            followUp = JSON.parse(follow_up_context);
+          } catch {
+            return failure("follow_up_context must be valid JSON.");
+          }
+        }
+        try {
+          const resolvedModel = model ?? process.env.PERPLEXITY_SEARCH_MODEL ?? "pplx_pro";
+          const resolvedMode = mode ?? "copilot";
+          const result = await client.search({
+            query,
+            modelPreference: resolvedModel,
+            mode: resolvedMode,
+            sources: sources ?? ["web"],
+            language: language ?? "en-US",
+            followUp
+          });
+          recordToolRun({
+            tool: "perplexity_ask",
+            query,
+            model: resolvedModel,
+            mode: resolvedMode,
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            result
+          });
+          let response = formatResponse(result);
+          if (result.followUp) {
+            response += `
+
+---
+**Follow-up context:**
+\`\`\`json
+${JSON.stringify(result.followUp, null, 2)}
+\`\`\``;
+          }
+          return success(response);
+        } catch (error) {
+          const message = error.message;
+          recordToolRun({
+            tool: "perplexity_ask",
+            query,
+            model: model ?? process.env.PERPLEXITY_SEARCH_MODEL ?? null,
+            mode: mode ?? "copilot",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            status: "failed",
+            error: message
+          });
+          return failure(message);
+        }
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_models")) {
+    registerDaemonTool(
+      "perplexity_models",
+      {
+        title: "Perplexity Models",
+        description: "List available models and current account capabilities.",
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async () => {
+        const cached = readCachedAccountInfoFromDisk();
+        if (cached?.modelsConfig) {
+          return success(buildModelsResponseFromAccountInfo(cached, null, true));
+        }
+        const client = await getClient();
+        return success(buildModelsResponse(client));
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_compute")) {
+    registerDaemonTool(
+      "perplexity_compute",
+      {
+        title: "Perplexity Compute",
+        description: "Run a task using Perplexity Computer mode (ASI).",
+        inputSchema: {
+          query: z2.string(),
+          model: z2.string().optional(),
+          language: z2.string().optional()
+        }
+      },
+      async ({ query, model, language }) => {
+        const client = await getClient();
+        if (!client.authenticated) {
+          return failure("perplexity_compute requires an authenticated account.");
+        }
+        if (!client.accountInfo.canUseComputer) {
+          return failure("Computer mode is not available on this account.");
+        }
+        try {
+          const defaultModel = client.accountInfo.modelsConfig?.default_models?.asi || "pplx_asi";
+          const resolvedModel = model || process.env.PERPLEXITY_COMPUTE_MODEL || defaultModel;
+          console.error("[perplexity-mcp] Starting ASI compute task...");
+          const result = await client.computeASI({
+            query,
+            modelPreference: resolvedModel,
+            language: language ?? "en-US"
+          });
+          console.error("[perplexity-mcp] Compute task complete.");
+          const isTimeout = result.answer.startsWith("ASI task timed out");
+          const saved = append(buildStoredHistoryEntry({
+            query,
+            tool: "perplexity_compute",
+            model: resolvedModel,
+            mode: "asi",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            result,
+            status: isTimeout ? "pending" : "completed",
+            ...isTimeout ? { error: result.answer } : {}
+          }));
+          let response = formatResponse(result);
+          if (isTimeout) {
+            response += `
+
+---
+**Research saved** (id: \`${saved.id}\`). Use \`perplexity_retrieve\` with this id to fetch results once complete.`;
+          } else {
+            response += `
+
+---
+**Research saved** (id: \`${saved.id}\`).`;
+          }
+          return success(response);
+        } catch (error) {
+          const message = error.message;
+          recordToolRun({
+            tool: "perplexity_compute",
+            query,
+            model: model ?? process.env.PERPLEXITY_COMPUTE_MODEL ?? null,
+            mode: "asi",
+            language: language ?? "en-US",
+            tier: getClientTier(client),
+            status: "failed",
+            error: message
+          });
+          return failure(message);
+        }
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_retrieve")) {
+    registerDaemonTool(
+      "perplexity_retrieve",
+      {
+        title: "Perplexity Retrieve",
+        description: "Retrieve results from a previously timed-out or pending research/compute task.",
+        inputSchema: {
+          research_id: z2.string().optional().describe("ID of a saved research"),
+          thread_slug: z2.string().optional().describe("Perplexity thread slug from the URL")
+        }
+      },
+      async ({ research_id, thread_slug }) => {
+        let threadSlug = thread_slug ?? null;
+        let backendUuid = null;
+        let readWriteToken = null;
+        let savedId = null;
+        if (research_id) {
+          const saved = get(research_id);
+          if (!saved) return failure(`Research '${research_id}' not found.`);
+          threadSlug = saved.threadSlug ?? null;
+          backendUuid = saved.backendUuid ?? null;
+          readWriteToken = saved.readWriteToken ?? null;
+          savedId = saved.id;
+        } else if (thread_slug) {
+          const pending = findPendingByThread(thread_slug);
+          if (pending) {
+            backendUuid = pending.backendUuid ?? null;
+            readWriteToken = pending.readWriteToken ?? null;
+            savedId = pending.id;
+          }
+        }
+        if (!threadSlug && !backendUuid) {
+          return failure("Provide either research_id or thread_slug.");
+        }
+        try {
+          const fast = await retrieveThreadViaImpit({
+            threadSlug: threadSlug ?? "",
+            backendUuid,
+            readWriteToken
+          });
+          if (fast) {
+            if (savedId) {
+              const isStillRunning = fast.answer.includes("still running");
+              const existing = get(savedId);
+              if (existing) {
+                update(savedId, buildStoredHistoryEntry({
+                  tool: existing.tool,
+                  query: existing.query,
+                  model: existing.model,
+                  mode: existing.mode,
+                  language: existing.language,
+                  tier: existing.tier,
+                  createdAt: existing.createdAt,
+                  status: isStillRunning ? "pending" : "completed",
+                  completedAt: isStillRunning ? existing.completedAt : (/* @__PURE__ */ new Date()).toISOString(),
+                  result: fast,
+                  ...isStillRunning ? { error: fast.answer } : {}
+                }));
+              }
+            }
+            return success(formatResponse(fast));
+          }
+        } catch (err) {
+          console.error(`[perplexity-mcp] retrieve impit fast path threw: ${err.message}; falling back to browser.`);
+        }
+        const client = await getClient();
+        try {
+          const result = await client.retrieveThread({
+            threadSlug,
+            backendUuid,
+            readWriteToken
+          });
+          if (savedId) {
+            const isStillRunning = result.answer.includes("still running");
+            const existing = get(savedId);
+            if (existing) {
+              update(savedId, buildStoredHistoryEntry({
+                tool: existing.tool,
+                query: existing.query,
+                model: existing.model,
+                mode: existing.mode,
+                language: existing.language,
+                tier: existing.tier,
+                createdAt: existing.createdAt,
+                status: isStillRunning ? "pending" : "completed",
+                completedAt: isStillRunning ? existing.completedAt : (/* @__PURE__ */ new Date()).toISOString(),
+                result,
+                ...isStillRunning ? { error: result.answer } : {}
+              }));
+            }
+          }
+          return success(formatResponse(result));
+        } catch (error) {
+          return failure(error.message);
+        }
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_export")) {
+    registerDaemonTool(
+      "perplexity_export",
+      {
+        title: "Perplexity Export",
+        description: "Export a saved history entry using Perplexity's native export endpoint when available, with local markdown fallback.",
+        inputSchema: {
+          history_id: z2.string().describe("Saved history entry id"),
+          format: z2.enum(["pdf", "markdown", "docx"]).describe("Export format")
+        }
+      },
+      async ({ history_id, format }) => {
+        const entry = get(history_id);
+        if (!entry) {
+          return failure(`History entry '${history_id}' not found.`);
+        }
+        const attachmentsDir = getAttachmentsDir(history_id) ?? entry.attachmentsDir;
+        mkdirSync2(attachmentsDir, { recursive: true });
+        if (format === "markdown") {
+          const savedPath2 = join2(attachmentsDir, entry.mdPath.split(/[\\/]/).pop() || `${entry.id}.md`);
+          writeFileSync2(savedPath2, readFileSync2(entry.mdPath, "utf8"), "utf8");
+          return success(`Saved markdown export to \`${savedPath2}\`.`);
+        }
+        if (!entry.threadSlug) {
+          return failure("This entry cannot be exported natively because it has no Perplexity thread slug.");
+        }
+        try {
+          const fast = await exportThreadViaImpit({ threadSlug: entry.threadSlug, format });
+          if (fast) {
+            const savedPath2 = join2(attachmentsDir, fast.filename);
+            mkdirSync2(dirname(savedPath2), { recursive: true });
+            writeFileSync2(savedPath2, fast.buffer);
+            return success(`Saved ${format} export to \`${savedPath2}\` (${fast.buffer.length} bytes).`);
+          }
+        } catch (err) {
+          console.error(`[perplexity-mcp] export impit fast path threw: ${err.message}; falling back to browser.`);
+        }
+        const client = await getClient();
+        const exported = await client.exportThread({ threadSlug: entry.threadSlug, format });
+        const savedPath = join2(attachmentsDir, exported.filename);
+        mkdirSync2(dirname(savedPath), { recursive: true });
+        writeFileSync2(savedPath, exported.buffer);
+        return success(`Saved ${format} export to \`${savedPath}\` (${exported.buffer.length} bytes).`);
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_sync_cloud")) {
+    registerDaemonTool(
+      "perplexity_sync_cloud",
+      {
+        title: "Perplexity Sync Cloud",
+        description: "Sync Perplexity cloud history into the local history store using the daemon singleton client.",
+        inputSchema: {
+          page_size: z2.number().int().positive().optional().describe("Optional page size for cloud thread pagination.")
+        }
+      },
+      async ({ page_size }, extra) => {
+        const clientId = getClientId(extra);
+        const source = getRequestSource(extra);
+        const result = await syncCloudHistory({
+          getClient,
+          pageSize: page_size,
+          onProgress: (progress) => {
+            hooks.onToolProgress?.({
+              tool: "perplexity_sync_cloud",
+              clientId,
+              source,
+              progress: { ...progress }
+            });
+          }
+        });
+        return success(
+          `Cloud sync complete: fetched=${result.fetched} inserted=${result.inserted} updated=${result.updated} skipped=${result.skipped}`
+        );
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_hydrate_cloud_entry")) {
+    registerDaemonTool(
+      "perplexity_hydrate_cloud_entry",
+      {
+        title: "Perplexity Hydrate Cloud Entry",
+        description: "Hydrate a single cloud-backed history entry using the daemon singleton client.",
+        inputSchema: {
+          history_id: z2.string().describe("Cloud-backed history entry id to hydrate.")
+        }
+      },
+      async ({ history_id }) => {
+        const result = await hydrateCloudHistoryEntry(history_id, { getClient });
+        return success(`Cloud hydrate ${result.action}: ${result.id ?? history_id}`);
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_list_researches")) {
+    registerDaemonTool(
+      "perplexity_list_researches",
+      {
+        title: "Perplexity List Researches",
+        description: "List saved researches with their status. Pending ones can be retrieved with perplexity_retrieve.",
+        inputSchema: {
+          status: z2.enum(["completed", "pending", "failed"]).optional(),
+          limit: z2.number().optional().describe("Max results (default 20)")
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ status, limit }) => {
+        const researches = list({
+          status,
+          limit: limit ?? 20,
+          tools: ["perplexity_compute", "perplexity_research"]
+        }).filter((entry) => isResearchTool(entry.tool));
+        if (researches.length === 0) {
+          return success("No saved researches found.");
+        }
+        const lines = [`**Saved Researches** (${researches.length}):
+`];
+        for (const r of researches) {
+          const statusIcon = r.status === "completed" ? "\u2705" : r.status === "pending" ? "\u23F3" : "\u274C";
+          const preview = r.answerPreview || r.error || "(no content)";
+          lines.push(`${statusIcon} **${r.query.slice(0, 80)}**`);
+          lines.push(`   ID: \`${r.id}\` | Tool: ${r.tool} | ${r.createdAt}`);
+          lines.push(`   ${preview}`);
+          if (r.threadUrl) lines.push(`   Thread: ${r.threadUrl}`);
+          lines.push("");
+        }
+        return success(lines.join("\n"));
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_get_research")) {
+    registerDaemonTool(
+      "perplexity_get_research",
+      {
+        title: "Perplexity Get Research",
+        description: "Get the full content of a saved research by ID, including answer, sources, and files.",
+        inputSchema: {
+          research_id: z2.string().describe("ID of the saved research")
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ research_id }) => {
+        const research = get(research_id);
+        if (!research) return failure(`Research '${research_id}' not found.`);
+        const parts = [
+          `# Research: ${research.query}`,
+          `**Status:** ${research.status || "completed"} | **Tool:** ${research.tool} | **Model:** ${research.model || "default"}`,
+          `**Created:** ${research.createdAt}${research.completedAt ? ` | **Completed:** ${research.completedAt}` : ""}`
+        ];
+        if (research.threadUrl) parts.push(`**Thread:** ${research.threadUrl}`);
+        if (research.body) parts.push("", "---", "", research.body);
+        if (research.sources?.length) {
+          parts.push("", "**Sources:**");
+          for (const [i, s] of research.sources.slice(0, 15).entries()) {
+            parts.push(`${i + 1}. [${s.title}](${s.url})`);
+          }
+        }
+        if (research.attachments?.length) {
+          parts.push("", "**Files:**");
+          for (const file of research.attachments) {
+            parts.push(`- **${file.filename}** -> \`${file.relPath}\``);
+          }
+        }
+        if (research.error) parts.push("", `**Error:** ${research.error}`);
+        if (research.status === "pending") {
+          parts.push("", `---
+*This research is still pending. Use \`perplexity_retrieve\` with id \`${research.id}\` to fetch updated results.*`);
+        }
+        return success(parts.join("\n"));
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_login")) {
+    registerDaemonTool(
+      "perplexity_login",
+      {
+        title: "Perplexity Login",
+        description: "Returns instructions for completing Perplexity login. Login is interactive (email + OTP) and must be initiated from the IDE extension dashboard or the CLI \u2014 an MCP tool call cannot prompt for the OTP."
+      },
+      async () => {
+        const message = [
+          "**Perplexity login is interactive \u2014 run it from the dashboard or CLI:**",
+          "",
+          "1. **IDE / Extension:** open the Perplexity dashboard and click *Login*. Enter your email; the OTP prompt appears in the dashboard.",
+          "2. **CLI:** `npx perplexity-user-mcp login --mode auto --email YOUR_EMAIL@example.com` \u2014 the OTP is read from your terminal.",
+          "",
+          "Both paths share the same vault, so once you're logged in via either, all MCP tools (search, reason, research, sync, hydrate, etc.) work immediately. Speed Boost (impit) is used automatically when installed."
+        ].join("\n");
+        return {
+          content: [{ type: "text", text: message }],
+          isError: false
+        };
+      }
+    );
+  }
+  if (!enabledTools || enabledTools.has("perplexity_doctor")) {
+    registerDaemonTool(
+      "perplexity_doctor",
+      {
+        title: "Perplexity Doctor",
+        description: "Run diagnostic checks against your Perplexity MCP install. Returns a Markdown report across ten categories; pass probe:true for a live search probe.",
+        inputSchema: {
+          probe: z2.boolean().optional(),
+          profile: z2.string().optional()
+        },
+        annotations: {
+          readOnlyHint: true
+        }
+      },
+      async ({ probe, profile }) => {
+        const { runAll, formatReportMarkdown } = await import("./doctor.mjs");
+        const report = await runAll({ probe: !!probe, profile });
+        return success(formatReportMarkdown(report));
+      }
+    );
+  }
+}
+function getClientId(extra) {
+  return typeof extra?.authInfo?.clientId === "string" && extra.authInfo.clientId.length > 0 ? extra.authInfo.clientId : "daemon-client";
+}
+function getRequestSource(extra) {
+  return extra?.authInfo?.extra?.source === "tunnel" ? "tunnel" : "loopback";
+}
+function extractToolError(result) {
+  const firstText = result?.content?.find?.((item) => item?.type === "text" && typeof item.text === "string");
+  return typeof firstText?.text === "string" ? firstText.text : "Tool returned an error result.";
+}
+
+// src/package-version.ts
+import { readFileSync as readFileSync3 } from "fs";
+var cachedPackageVersion = null;
+function getPackageVersion() {
+  if (cachedPackageVersion) {
+    return cachedPackageVersion;
+  }
+  const moduleUrl = typeof import.meta.url === "string" && import.meta.url.length > 0 ? import.meta.url : null;
+  if (moduleUrl) {
+    for (const relativePath of ["./package.json", "../package.json", "../../package.json"]) {
+      try {
+        const pkg = JSON.parse(readFileSync3(new URL(relativePath, moduleUrl), "utf8"));
+        if (pkg.name === "perplexity-user-mcp" && typeof pkg.version === "string" && pkg.version.length > 0) {
+          cachedPackageVersion = pkg.version;
+          return cachedPackageVersion;
+        }
+      } catch {
+      }
+    }
+  }
+  cachedPackageVersion = typeof process.env.npm_package_version === "string" && process.env.npm_package_version.length > 0 ? process.env.npm_package_version : "0.0.0";
+  return cachedPackageVersion;
+}
+
+// src/daemon/oauth-provider.ts
+import crypto from "crypto";
+import { existsSync as existsSync3, mkdirSync as mkdirSync4, readFileSync as readFileSync5, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname3, join as join4 } from "path";
+
+// src/daemon/oauth-consent-cache.ts
+import { chmodSync, existsSync as existsSync2, mkdirSync as mkdirSync3, readFileSync as readFileSync4 } from "fs";
+import { spawnSync } from "child_process";
+import { dirname as dirname2, join as join3 } from "path";
+function getConsentCachePath(configDir = getConfigDir()) {
+  return join3(configDir, "oauth-consent.json");
+}
+function resolvePath(options) {
+  return options.cachePath ?? getConsentCachePath();
+}
+function resolveNow(options) {
+  return (options.now ?? Date.now)();
+}
+function load(cachePath) {
+  if (!existsSync2(cachePath)) return [];
+  try {
+    const raw = JSON.parse(readFileSync4(cachePath, "utf8"));
+    if (!Array.isArray(raw)) return [];
+    return raw.filter(
+      (e) => e && typeof e === "object" && typeof e.clientId === "string" && typeof e.redirectUri === "string" && typeof e.approvedAt === "string" && typeof e.expiresAt === "number"
+    ).map((e) => ({
+      // Normalize legacy entries (pre-H12 cache files) that lack `resource`.
+      // Absent → undefined (unbound); a non-string → coerce to undefined
+      // so a corrupt record can't accidentally match a bound resource.
+      clientId: e.clientId,
+      redirectUri: e.redirectUri,
+      approvedAt: e.approvedAt,
+      expiresAt: e.expiresAt,
+      resource: typeof e.resource === "string" ? e.resource : void 0
+    }));
+  } catch {
+    return [];
+  }
+}
+function keyMatches(entry, clientId, redirectUri, resource) {
+  return entry.clientId === clientId && entry.redirectUri === redirectUri && entry.resource === resource;
+}
+function persist(cachePath, entries) {
+  mkdirSync3(dirname2(cachePath), { recursive: true });
+  safeAtomicWriteFileSync(cachePath, JSON.stringify(entries, null, 2) + "\n", { encoding: "utf8", mode: 384 });
+  applyPrivatePermissions(cachePath);
+}
+function record(clientId, redirectUri, ttlMs, options = {}) {
+  const cachePath = resolvePath(options);
+  const now = resolveNow(options);
+  const entry = {
+    clientId,
+    redirectUri,
+    approvedAt: new Date(now).toISOString(),
+    expiresAt: now + ttlMs,
+    ...options.resource !== void 0 ? { resource: options.resource } : {}
+  };
+  const all = load(cachePath).filter((e) => !keyMatches(e, clientId, redirectUri, options.resource)).filter((e) => e.expiresAt > now);
+  all.push(entry);
+  persist(cachePath, all);
+  return entry;
+}
+function check(clientId, redirectUri, options = {}) {
+  const cachePath = resolvePath(options);
+  const now = resolveNow(options);
+  const all = load(cachePath);
+  const live = all.filter((e) => e.expiresAt > now);
+  if (live.length !== all.length) {
+    persist(cachePath, live);
+  }
+  return live.some((e) => keyMatches(e, clientId, redirectUri, options.resource));
+}
+function list2(options = {}) {
+  const cachePath = resolvePath(options);
+  const now = resolveNow(options);
+  const all = load(cachePath);
+  const live = all.filter((e) => e.expiresAt > now);
+  if (live.length !== all.length) {
+    persist(cachePath, live);
+  }
+  return live.slice().sort((a, b) => b.expiresAt - a.expiresAt);
+}
+function revoke(options = {}) {
+  const cachePath = resolvePath(options);
+  const now = resolveNow(options);
+  const all = load(cachePath).filter((e) => e.expiresAt > now);
+  const kept = all.filter((e) => {
+    if (!options.clientId) return false;
+    if (e.clientId !== options.clientId) return true;
+    if (options.redirectUri !== void 0 && e.redirectUri !== options.redirectUri) return true;
+    if (options.resource !== void 0 && e.resource !== options.resource) return true;
+    return false;
+  });
+  const removed = all.length - kept.length;
+  if (removed > 0) {
+    persist(cachePath, kept);
+  }
+  return removed;
+}
+function applyPrivatePermissions(cachePath) {
+  if (process.platform === "win32") {
+    restrictWindowsAcl(cachePath);
+    return;
+  }
+  chmodSync(cachePath, 384);
+}
+function restrictWindowsAcl(cachePath) {
+  const username = getWindowsUserName();
+  const grantTarget = `${username}:(R,W)`;
+  const result = spawnSync("icacls", [cachePath, "/inheritance:r", "/grant:r", grantTarget], {
+    encoding: "utf8",
+    windowsHide: true
+  });
+  if (result.status !== 0) {
+    return;
+  }
+}
+function getWindowsUserName() {
+  const username = process.env.USERNAME;
+  const domain = process.env.USERDOMAIN;
+  if (domain && username) return `${domain}\\${username}`;
+  if (username) return username;
+  return "";
+}
+
+// src/daemon/oauth-provider.ts
+var CODE_TTL_MS = 2 * 6e4;
+var TOKEN_TTL_MS = 60 * 6e4;
+var STATIC_CLIENT_ID = "local-static";
+function normalizeResource(input) {
+  if (input === void 0 || input === null) return void 0;
+  if (typeof input === "string" && input.length > 0) return input;
+  if (input instanceof URL) return input.toString().replace(/\/$/, "");
+  return void 0;
+}
+var PerplexityOAuthProvider = class {
+  constructor(options) {
+    this.options = options;
+    this.clientsPath = join4(options.configDir, "oauth-clients.json");
+    this.consentCachePath = join4(options.configDir, "oauth-consent.json");
+    this.loadClients();
+  }
+  codes = /* @__PURE__ */ new Map();
+  tokens = /* @__PURE__ */ new Map();
+  clients = /* @__PURE__ */ new Map();
+  clientsPath;
+  consentCachePath;
+  get clientsStore() {
+    return {
+      getClient: (id) => this.clients.get(id),
+      registerClient: async (client) => {
+        const full = {
+          ...client,
+          client_id: `pplx-${crypto.randomBytes(12).toString("base64url")}`,
+          client_id_issued_at: Math.floor(Date.now() / 1e3)
+        };
+        this.clients.set(full.client_id, full);
+        this.persistClients();
+        return full;
+      }
+    };
+  }
+  async authorize(client, params, res) {
+    const ttlMs = this.options.getConsentCacheTtlMs?.() ?? 0;
+    const resource = normalizeResource(params.resource);
+    const cacheHit = ttlMs > 0 && check(client.client_id, params.redirectUri, {
+      cachePath: this.consentCachePath,
+      resource
+    });
+    if (cacheHit) {
+      console.error(`[trace] oauth consent cache hit clientId=${client.client_id} redirectUri=${params.redirectUri} resource=${resource ?? "<unbound>"}`);
+      try {
+        this.options.onConsentCacheHit?.({
+          clientId: client.client_id,
+          redirectUri: params.redirectUri,
+          res
+        });
+      } catch {
+      }
+      return this.issueAuthorizationCode(client, params, res);
+    }
+    const consentId = crypto.randomBytes(8).toString("base64url");
+    try {
+      const approved = await this.options.requestConsent({
+        clientId: client.client_id,
+        clientName: client.client_name ?? client.client_id,
+        redirectUri: params.redirectUri,
+        consentId,
+        resource
+      });
+      if (!approved) {
+        return redirectTo(res, params.redirectUri, { error: "access_denied", state: params.state });
+      }
+      if (ttlMs > 0) {
+        try {
+          record(client.client_id, params.redirectUri, ttlMs, {
+            cachePath: this.consentCachePath,
+            resource
+          });
+        } catch {
+        }
+      }
+      return this.issueAuthorizationCode(client, params, res);
+    } catch (err) {
+      return redirectTo(res, params.redirectUri, {
+        error: "server_error",
+        error_description: err instanceof Error ? err.message : String(err),
+        state: params.state
+      });
+    }
+  }
+  issueAuthorizationCode(client, params, res) {
+    const code = `pplx_ac_${crypto.randomBytes(24).toString("base64url")}`;
+    const resource = normalizeResource(params.resource);
+    this.codes.set(code, {
+      clientId: client.client_id,
+      redirectUri: params.redirectUri,
+      codeChallenge: params.codeChallenge,
+      scopes: params.scopes ?? [],
+      exp: Date.now() + CODE_TTL_MS,
+      resource
+    });
+    const stored = this.clients.get(client.client_id);
+    if (stored) {
+      stored.consent_last_approved_at = (/* @__PURE__ */ new Date()).toISOString();
+      this.persistClients();
+    }
+    return redirectTo(res, params.redirectUri, { code, state: params.state });
+  }
+  async challengeForAuthorizationCode(_client, authorizationCode) {
+    const entry = this.codes.get(authorizationCode);
+    if (!entry) throw new Error("Invalid authorization code.");
+    if (entry.exp < Date.now()) {
+      this.codes.delete(authorizationCode);
+      throw new Error("Authorization code expired.");
+    }
+    return entry.codeChallenge;
+  }
+  async exchangeAuthorizationCode(client, authorizationCode, codeVerifier, redirectUri, resource) {
+    const entry = this.codes.get(authorizationCode);
+    if (!entry) throw new Error("Invalid authorization code.");
+    if (entry.clientId !== client.client_id) throw new Error("Authorization code does not belong to this client.");
+    if (entry.exp < Date.now()) {
+      this.codes.delete(authorizationCode);
+      throw new Error("Authorization code expired.");
+    }
+    if (redirectUri && entry.redirectUri !== redirectUri) {
+      throw new Error("redirect_uri does not match the code's registered redirect.");
+    }
+    const requestedResource = normalizeResource(resource);
+    if (entry.resource && requestedResource && entry.resource !== requestedResource) {
+      throw new Error("Token exchange resource does not match authorized resource.");
+    }
+    void codeVerifier;
+    this.codes.delete(authorizationCode);
+    const tokens = this.issueTokenPair(client.client_id, entry.scopes, entry.resource ?? requestedResource);
+    const stored = this.clients.get(client.client_id);
+    if (stored) {
+      stored.last_used_at = (/* @__PURE__ */ new Date()).toISOString();
+      this.persistClients();
+    }
+    return tokens;
+  }
+  async exchangeRefreshToken(client, refreshToken, scopes, resource) {
+    let matched = null;
+    for (const [at, rec] of this.tokens.entries()) {
+      if (rec.refreshToken === refreshToken && rec.clientId === client.client_id) {
+        matched = [at, rec];
+        break;
+      }
+    }
+    if (!matched) throw new Error("Invalid refresh token.");
+    const requestedResource = normalizeResource(resource);
+    if (matched[1].resource && requestedResource && matched[1].resource !== requestedResource) {
+      throw new Error("Refresh resource does not match token's bound resource.");
+    }
+    const effectiveResource = matched[1].resource ?? requestedResource;
+    this.tokens.delete(matched[0]);
+    const tokens = this.issueTokenPair(client.client_id, scopes ?? matched[1].scopes, effectiveResource);
+    const stored = this.clients.get(client.client_id);
+    if (stored) {
+      stored.last_used_at = (/* @__PURE__ */ new Date()).toISOString();
+      this.persistClients();
+    }
+    return tokens;
+  }
+  async verifyAccessToken(token, source = "loopback", expectedResource) {
+    if (token === this.options.getStaticBearer()) {
+      if (source === "tunnel") throw new Error("static bearer not valid on tunnel");
+      return {
+        token,
+        clientId: STATIC_CLIENT_ID,
+        scopes: ["local"],
+        expiresAt: Math.floor((Date.now() + TOKEN_TTL_MS) / 1e3)
+      };
+    }
+    const rec = this.tokens.get(token);
+    if (!rec) throw new Error("Invalid access token.");
+    if (rec.exp < Date.now()) {
+      this.tokens.delete(token);
+      throw new Error("Access token expired.");
+    }
+    if (rec.resource && expectedResource && rec.resource !== expectedResource) {
+      throw new Error(`Access token resource mismatch: token bound to ${rec.resource}, request expects ${expectedResource}.`);
+    }
+    if (!rec.resource && source === "tunnel") {
+      throw new Error("resource binding required over tunnel");
+    }
+    return {
+      token,
+      clientId: rec.clientId,
+      scopes: rec.scopes,
+      expiresAt: Math.floor(rec.exp / 1e3),
+      extra: {
+        ...rec.resource ? { resource: rec.resource } : { unboundResource: true }
+      }
+    };
+  }
+  async revokeToken(_client, request) {
+    const target = request.token;
+    if (!target) return;
+    if (this.tokens.delete(target)) return;
+    for (const [at, rec] of this.tokens.entries()) {
+      if (rec.refreshToken === target) {
+        this.tokens.delete(at);
+        return;
+      }
+    }
+  }
+  listClients() {
+    const now = Date.now();
+    return [...this.clients.values()].map((c) => ({
+      clientId: c.client_id,
+      clientName: c.client_name,
+      registeredAt: c.client_id_issued_at ?? 0,
+      lastUsedAt: c.last_used_at,
+      consentLastApprovedAt: c.consent_last_approved_at,
+      activeTokens: [...this.tokens.values()].filter((t) => t.clientId === c.client_id && t.exp >= now).length
+    }));
+  }
+  revokeClient(clientId) {
+    if (!this.clients.has(clientId)) return false;
+    this.clients.delete(clientId);
+    for (const [at, rec] of this.tokens.entries()) {
+      if (rec.clientId === clientId) {
+        this.tokens.delete(at);
+      }
+    }
+    this.persistClients();
+    try {
+      revoke({ cachePath: this.consentCachePath, clientId });
+    } catch {
+    }
+    return true;
+  }
+  /**
+   * Revoke every registered OAuth client and invalidate all outstanding
+   * access/refresh tokens. Returns the count of clients that were removed.
+   * Cached consents for every revoked client are also purged so a
+   * future registration with a colliding id cannot silently inherit them.
+   */
+  revokeAllClients() {
+    const ids = [...this.clients.keys()];
+    if (ids.length === 0) return 0;
+    this.clients.clear();
+    this.tokens.clear();
+    this.persistClients();
+    for (const id of ids) {
+      try {
+        revoke({ cachePath: this.consentCachePath, clientId: id });
+      } catch {
+      }
+    }
+    return ids.length;
+  }
+  listConsents() {
+    return list2({ cachePath: this.consentCachePath });
+  }
+  revokeConsent(clientId, redirectUri) {
+    return revoke({ cachePath: this.consentCachePath, clientId, redirectUri });
+  }
+  issueTokenPair(clientId, scopes, resource) {
+    const accessToken = `pplx_at_${crypto.randomBytes(24).toString("base64url")}`;
+    const refreshToken = `pplx_rt_${crypto.randomBytes(24).toString("base64url")}`;
+    const exp = Date.now() + TOKEN_TTL_MS;
+    this.tokens.set(accessToken, {
+      clientId,
+      scopes,
+      exp,
+      refreshToken,
+      resource
+    });
+    return {
+      access_token: accessToken,
+      token_type: "Bearer",
+      expires_in: Math.floor(TOKEN_TTL_MS / 1e3),
+      refresh_token: refreshToken,
+      scope: scopes.join(" ") || void 0
+    };
+  }
+  loadClients() {
+    if (!existsSync3(this.clientsPath)) return;
+    try {
+      const raw = JSON.parse(readFileSync5(this.clientsPath, "utf8"));
+      for (const c of raw) {
+        if (c && typeof c.client_id === "string") {
+          this.clients.set(c.client_id, c);
+        }
+      }
+    } catch {
+    }
+  }
+  persistClients() {
+    try {
+      mkdirSync4(dirname3(this.clientsPath), { recursive: true });
+      writeFileSync3(this.clientsPath, JSON.stringify([...this.clients.values()], null, 2), { mode: 384 });
+    } catch {
+    }
+  }
+};
+function redirectTo(res, redirectUri, params) {
+  const url = new URL(redirectUri);
+  for (const [key, value] of Object.entries(params)) {
+    if (typeof value === "string" && value.length > 0) {
+      url.searchParams.set(key, value);
+    }
+  }
+  res.redirect(url.toString());
+}
+var ConsentCoordinator = class {
+  pending = /* @__PURE__ */ new Map();
+  request(options) {
+    return new Promise((resolve) => {
+      const timer = setTimeout(() => {
+        this.pending.delete(options.id);
+        resolve(false);
+      }, options.timeoutMs);
+      this.pending.set(options.id, {
+        resolve,
+        timer,
+        info: {
+          clientId: options.clientId,
+          clientName: options.clientName,
+          redirectUri: options.redirectUri,
+          ...options.resource !== void 0 ? { resource: options.resource } : {}
+        }
+      });
+      options.onRequest();
+    });
+  }
+  resolve(id, approved) {
+    const pending = this.pending.get(id);
+    if (!pending) return false;
+    clearTimeout(pending.timer);
+    pending.resolve(approved);
+    this.pending.delete(id);
+    return true;
+  }
+  list() {
+    return [...this.pending.entries()].map(([id, p]) => ({
+      id,
+      clientId: p.info.clientId,
+      clientName: p.info.clientName,
+      redirectUri: p.info.redirectUri,
+      ...p.info.resource !== void 0 ? { resource: p.info.resource } : {}
+    }));
+  }
+};
+
+// src/daemon/public-pages.ts
+var HOMEPAGE_HTML = `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width,initial-scale=1">
+  <meta name="robots" content="noindex,nofollow">
+  <title>Perplexity MCP Server</title>
+  <style>
+    :root { color-scheme: light dark; }
+    html, body { height: 100%; margin: 0; }
+    body {
+      display: flex; align-items: center; justify-content: center;
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif;
+      background: radial-gradient(ellipse at top, #1a1333 0%, #0a0a1a 60%, #000 100%);
+      color: #e7e5f7;
+    }
+    .card {
+      max-width: 520px; padding: 40px; border-radius: 16px;
+      background: rgba(30, 20, 60, 0.55); backdrop-filter: blur(12px);
+      border: 1px solid rgba(200, 180, 255, 0.18);
+      box-shadow: 0 20px 60px rgba(0, 0, 0, 0.4);
+    }
+    h1 { margin: 0 0 8px; font-size: 22px; font-weight: 600; letter-spacing: -0.02em; }
+    .eyebrow { font-size: 11px; text-transform: uppercase; letter-spacing: 0.12em; color: #a69ac2; margin-bottom: 18px; }
+    p { font-size: 14px; line-height: 1.55; color: #cfc8e6; margin: 10px 0; }
+    code { background: rgba(255,255,255,0.08); padding: 2px 6px; border-radius: 4px; font-size: 0.9em; }
+    .muted { font-size: 12px; color: #8e83a8; margin-top: 20px; }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <div class="eyebrow">Perplexity MCP</div>
+    <h1>This endpoint hosts a Model Context Protocol server.</h1>
+    <p>It's a personal tool run locally and optionally exposed through a Cloudflare Quick Tunnel. It's not a public service and there's nothing to see here as an anonymous visitor.</p>
+    <p>If you reached this URL by mistake, you can close this tab. If you're trying to integrate an MCP client, see the project documentation for the correct client configuration (the <code>/mcp</code> endpoint speaks the MCP Streamable HTTP transport).</p>
+    <p class="muted">No requests to this origin are logged beyond the request method, path, status, and a coarse timestamp.</p>
+  </div>
+</body>
+</html>
+`;
+var ROBOTS_TXT = `User-agent: *
+Disallow: /
+`;
+function getHomepageHtml() {
+  return HOMEPAGE_HTML;
+}
+function getRobotsTxt() {
+  return ROBOTS_TXT;
+}
+
+// src/daemon/security.ts
+import { setTimeout as delay } from "timers/promises";
+var DEFAULT_UA_BLOCKLIST = [
+  /\bmasscan\b/i,
+  /\bnmap\b/i,
+  /\bzgrab\b/i,
+  /\bzmap\b/i,
+  /\bsqlmap\b/i,
+  /\bnikto\b/i,
+  /\bgobuster\b/i,
+  /\bdirbuster\b/i,
+  /\bwpscan\b/i,
+  /\bhydra\b/i,
+  /\bcensys\b/i,
+  /\bShodan\b/i
+];
+function createSecurity(options = {}) {
+  const ratelimitRpm = parseRpmEnv() ?? options.ratelimitRpm ?? 60;
+  const tripwireWindowMs = options.tripwireWindowMs ?? 6e4;
+  const tripwireThreshold = options.tripwireThreshold ?? 20;
+  const slow401Ms = options.slow401Ms ?? 150;
+  const uaBlocklist = options.uaBlocklist ?? DEFAULT_UA_BLOCKLIST;
+  const bearerBuckets = /* @__PURE__ */ new Map();
+  const tripwireEvents = [];
+  let rateLimitedBearers = 0;
+  let blockedUas = 0;
+  let tripwireLatched = false;
+  const middleware = (req, res, next) => {
+    const ip = pickClientIp(req);
+    const ua = typeof req.headers?.["user-agent"] === "string" ? req.headers["user-agent"] : "";
+    const bearer = extractBearer(req.headers?.authorization);
+    const existing = req._pplx ?? {};
+    const source = existing.source === "tunnel" || existing.source === "loopback" ? existing.source : isLoopbackRequest(req, ip) ? "loopback" : "tunnel";
+    req._pplx = {
+      ...existing,
+      ip,
+      userAgent: ua,
+      source,
+      bearer,
+      startedAt: Date.now()
+    };
+    if (source === "tunnel" && ua && uaBlocklist.some((re) => re.test(ua))) {
+      blockedUas += 1;
+      res.status(403).json({ error: "Forbidden (user-agent blocklist)" });
+      return;
+    }
+    if (source === "tunnel" && bearer) {
+      const now = Date.now();
+      const bucket = bearerBuckets.get(bearer) ?? [];
+      const cutoff = now - 6e4;
+      const fresh = bucket.filter((ts) => ts >= cutoff);
+      if (fresh.length >= ratelimitRpm) {
+        rateLimitedBearers += 1;
+        res.setHeader("Retry-After", "60");
+        res.status(429).json({ error: "Too Many Requests" });
+        return;
+      }
+      fresh.push(now);
+      bearerBuckets.set(bearer, fresh);
+    }
+    const originalStatus = res.status.bind(res);
+    let slowPending = false;
+    res.status = (code) => {
+      if (code === 401 && source === "tunnel") {
+        slowPending = true;
+        record401({ source, ip });
+      }
+      return originalStatus(code);
+    };
+    if (slow401Ms > 0) {
+      const originalEnd = res.end.bind(res);
+      res.end = (...args) => {
+        if (slowPending) {
+          void delay(slow401Ms).then(() => originalEnd(...args));
+          return res;
+        }
+        return originalEnd(...args);
+      };
+    }
+    next();
+  };
+  const record401 = (info) => {
+    if (info.source !== "tunnel") {
+      return;
+    }
+    const now = Date.now();
+    tripwireEvents.push(now);
+    const cutoff = now - tripwireWindowMs;
+    while (tripwireEvents.length > 0 && tripwireEvents[0] < cutoff) {
+      tripwireEvents.shift();
+    }
+    if (!tripwireLatched && tripwireEvents.length >= tripwireThreshold) {
+      tripwireLatched = true;
+      const failures = tripwireEvents.length;
+      tripwireEvents.length = 0;
+      queueMicrotask(() => {
+        void options.onTripwireTriggered?.({
+          source: info.source,
+          failures,
+          windowMs: tripwireWindowMs,
+          ip: info.ip
+        });
+      });
+    }
+  };
+  const snapshot = () => ({
+    tripwireFailures: tripwireEvents.length,
+    tripwireWindowMs,
+    tripwireThreshold,
+    rateLimitedBearers,
+    blockedUas
+  });
+  return { middleware, record401, snapshot };
+}
+function pickClientIp(req) {
+  const xff = typeof req.headers?.["x-forwarded-for"] === "string" ? req.headers["x-forwarded-for"] : null;
+  if (xff) {
+    return xff.split(",")[0].trim();
+  }
+  const cfip = typeof req.headers?.["cf-connecting-ip"] === "string" ? req.headers["cf-connecting-ip"] : null;
+  if (cfip) return cfip;
+  return req.ip ?? req.connection?.remoteAddress ?? req.socket?.remoteAddress ?? null;
+}
+function isLoopbackRequest(req, ip) {
+  if (req.headers?.["x-perplexity-source"] === "loopback") return true;
+  if (ip === "127.0.0.1" || ip === "::1" || ip === "::ffff:127.0.0.1") {
+    if (req.headers?.["cf-connecting-ip"]) return false;
+    return true;
+  }
+  return false;
+}
+function extractBearer(header) {
+  if (typeof header !== "string") return null;
+  const match = header.match(/^Bearer\s+(.+)$/i);
+  return match?.[1] ?? null;
+}
+function parseRpmEnv() {
+  const raw = process.env.PERPLEXITY_DAEMON_RATELIMIT_RPM;
+  if (!raw) return null;
+  const n = Number.parseInt(raw, 10);
+  return Number.isFinite(n) && n > 0 ? n : null;
+}
+
+// src/daemon/server.ts
+async function startDaemonServer(options = {}) {
+  const host = options.host ?? "127.0.0.1";
+  const requestedPort = options.port ?? 0;
+  const version = options.version ?? getPackageVersion();
+  const auditPath = getAuditLogPath(options.configDir);
+  const tokenPath = getTokenPath(options.configDir);
+  const initialToken = options.bearerToken ? {
+    bearerToken: options.bearerToken,
+    version: 1,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+    rotatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  } : ensureToken({ tokenPath });
+  let currentToken = initialToken;
+  let closed = false;
+  let client;
+  let clientInitPromise = null;
+  const consentCoordinator = new ConsentCoordinator();
+  const oauthProvider = new PerplexityOAuthProvider({
+    configDir: options.configDir ?? ".",
+    getStaticBearer: () => currentToken.bearerToken,
+    getConsentCacheTtlMs: () => {
+      const raw = Number(process.env.PERPLEXITY_OAUTH_CONSENT_TTL_HOURS);
+      const hours = Number.isFinite(raw) && raw >= 0 ? raw : 24;
+      return Math.floor(hours * 60 * 6e4);
+    },
+    onConsentCacheHit: ({ res }) => {
+      const req = res.req;
+      if (req) {
+        req._pplx = req._pplx ?? {};
+        req._pplx.authOverride = "oauth-cached";
+      }
+    },
+    requestConsent: ({ clientId, clientName, redirectUri, consentId, resource }) => {
+      return consentCoordinator.request({
+        id: consentId,
+        clientId,
+        clientName,
+        redirectUri,
+        resource,
+        timeoutMs: 2 * 6e4,
+        onRequest: () => {
+          void options.onOAuthConsentRequest?.({ consentId, clientId, clientName, redirectUri, resource });
+          publishEvent("daemon:oauth-consent-request", { consentId, clientId, clientName, redirectUri, resource });
+        }
+      });
+    }
+  });
+  let httpServer;
+  const startedAt = Date.now();
+  const heartbeatMap = /* @__PURE__ */ new Map();
+  const sseClients = /* @__PURE__ */ new Set();
+  const activeMcpClosers = /* @__PURE__ */ new Set();
+  const expressFactory = express;
+  const app = expressFactory();
+  const getClient = async () => {
+    if (!client) {
+      client = options.createClient ? options.createClient() : new PerplexityClient();
+    }
+    if (!clientInitPromise) {
+      const pending = client.init();
+      pending.catch(() => {
+        client = void 0;
+        clientInitPromise = null;
+      });
+      clientInitPromise = pending;
+    }
+    await clientInitPromise;
+    return client;
+  };
+  app.set?.("trust proxy", 1);
+  app.use((req, _res, next) => {
+    req._pplx = req._pplx ?? {};
+    req._pplx.source = computeRequestSource(req);
+    const declared = req.headers?.["x-perplexity-source"];
+    if (typeof declared === "string") req._pplx.declaredSource = declared;
+    next();
+  });
+  app.use((req, res, next) => {
+    if (req._pplx?.source !== "tunnel") {
+      next();
+      return;
+    }
+    const path = typeof req.originalUrl === "string" ? req.originalUrl : req.url ?? "";
+    if (!pathIsTunnelAllowed(path)) {
+      res.status(404).end();
+      return;
+    }
+    next();
+  });
+  app.use(
+    helmet({
+      contentSecurityPolicy: false,
+      // SDK's OAuth handlers + our homepage serve inline styles; CSP would need a full policy pass
+      crossOriginEmbedderPolicy: false,
+      crossOriginOpenerPolicy: false,
+      crossOriginResourcePolicy: false,
+      // Tunnel front (Cloudflare / ngrok) supplies TLS; our origin is HTTP.
+      // HSTS from the origin would be inaccurate; let the edge control it.
+      hsts: false
+    })
+  );
+  app.use(expressFactory.json({ limit: "1mb" }));
+  const security = createSecurity({
+    onTripwireTriggered: async (info) => {
+      console.error(`[trace] 401-burst tripwire fired: ${info.failures} failures in ${info.windowMs}ms`);
+      try {
+        publishEvent("daemon:tunnel-auto-disabled", {
+          failures: info.failures,
+          windowMs: info.windowMs,
+          ip: info.ip ?? null
+        });
+      } catch {
+      }
+      await options.onTunnelAutoDisable?.({ failures: info.failures, windowMs: info.windowMs });
+    }
+  });
+  app.use((req, res, next) => {
+    const startedAtReq = Date.now();
+    const ctx = req._pplx ?? {};
+    res.on("finish", () => {
+      const durationMs = Date.now() - startedAtReq;
+      const rawPath = typeof req.originalUrl === "string" && req.originalUrl.length > 0 ? req.originalUrl : typeof req.path === "string" ? req.path : req.url ?? "";
+      const path = rawPath.split("?")[0] ?? rawPath;
+      const status = res.statusCode;
+      const hasAuth = typeof req.headers?.authorization === "string";
+      console.error(`[trace] http ${req.method} ${path} auth=${hasAuth ? "yes" : "no"} status=${status} dur=${durationMs}ms ip=${ctx.ip ?? "?"} ua=${(ctx.userAgent ?? "").slice(0, 40)}`);
+      if (path.startsWith("/daemon") || path.startsWith("/mcp") || path.startsWith("/authorize") || path.startsWith("/token") || path.startsWith("/register")) {
+        try {
+          const latestCtx = req._pplx ?? ctx;
+          const authTag = latestCtx.authOverride ?? (hasAuth ? "bearer" : "none");
+          appendAuditEntry(
+            {
+              timestamp: new Date(startedAtReq).toISOString(),
+              clientId: ctx.bearer ? "bearer-client" : "anon",
+              tool: `http:${req.method} ${path}`,
+              durationMs,
+              source: ctx.source ?? (hasAuth ? "loopback" : "tunnel"),
+              ok: status >= 200 && status < 400,
+              ip: ctx.ip ?? void 0,
+              userAgent: ctx.userAgent || void 0,
+              path,
+              httpStatus: status,
+              auth: authTag
+            },
+            { auditPath }
+          );
+        } catch {
+        }
+      }
+    });
+    next();
+  });
+  app.use(security.middleware);
+  const requireBearer = (req, res, next) => {
+    const header = readAuthorizationHeader(req.headers?.authorization);
+    if (header !== currentToken.bearerToken) {
+      res.status(401).json({ error: "Unauthorized" });
+      return;
+    }
+    const computedSource = req._pplx?.source === "tunnel" ? "tunnel" : "loopback";
+    req.auth = {
+      token: currentToken.bearerToken,
+      clientId: readSingleHeader(req.headers?.["x-perplexity-client-id"]) ?? "daemon-client",
+      scopes: [],
+      extra: {
+        source: computedSource
+      }
+    };
+    next();
+  };
+  const getHealth = () => ({
+    ok: true,
+    pid: process.pid,
+    uuid: options.uuid ?? null,
+    version,
+    port: getBoundPort(httpServer),
+    uptimeMs: Date.now() - startedAt,
+    startedAt: new Date(startedAt).toISOString(),
+    heartbeatCount: heartbeatMap.size,
+    tunnel: options.getTunnelState?.() ?? {
+      status: "disabled",
+      url: null,
+      pid: null,
+      error: null
+    }
+  });
+  const publishEvent = (event, payload) => {
+    const frame = `event: ${event}
+data: ${JSON.stringify(payload)}
+
+`;
+    for (const response of sseClients) {
+      response.write(frame);
+    }
+  };
+  const oauthIssuer = new URL("http://localhost");
+  app.get("/.well-known/oauth-authorization-server", (req, res) => {
+    const issuer = resolveIssuer(req, oauthIssuer);
+    const body = {
+      issuer: issuer.href.replace(/\/$/, ""),
+      authorization_endpoint: new URL("/authorize", issuer).href,
+      token_endpoint: new URL("/token", issuer).href,
+      registration_endpoint: new URL("/register", issuer).href,
+      revocation_endpoint: new URL("/revoke", issuer).href,
+      response_types_supported: ["code"],
+      grant_types_supported: ["authorization_code", "refresh_token"],
+      code_challenge_methods_supported: ["S256"],
+      token_endpoint_auth_methods_supported: ["none"]
+    };
+    res.setHeader("Cache-Control", "no-store");
+    res.json(body);
+  });
+  app.get("/.well-known/oauth-protected-resource", (req, res) => {
+    const issuer = resolveIssuer(req, oauthIssuer);
+    const resource = resolveRequestResource(req, oauthIssuer);
+    res.json({
+      resource,
+      authorization_servers: [issuer.href.replace(/\/$/, "")],
+      scopes_supported: ["mcp"],
+      resource_name: "Perplexity MCP"
+    });
+  });
+  const oauthPathRe = /^\/(authorize|register|token|revoke)\b/;
+  const oauthIpHits = /* @__PURE__ */ new Map();
+  app.use((req, res, next) => {
+    if (!oauthPathRe.test(req.path ?? "")) {
+      next();
+      return;
+    }
+    const ctx = req._pplx ?? {};
+    if (ctx.source === "loopback") {
+      next();
+      return;
+    }
+    const key = ctx.ip ?? "?";
+    const now = Date.now();
+    const bucket = (oauthIpHits.get(key) ?? []).filter((ts) => ts >= now - 6e4);
+    bucket.push(now);
+    oauthIpHits.set(key, bucket);
+    if (bucket.length > 30) {
+      res.setHeader("Retry-After", "60");
+      res.status(429).json({ error: "Too Many Requests" });
+      return;
+    }
+    next();
+  });
+  try {
+    app.use(
+      mcpAuthRouter({
+        provider: oauthProvider,
+        issuerUrl: oauthIssuer
+      })
+    );
+  } catch (err) {
+    console.error("[trace] mcpAuthRouter mount failed:", err instanceof Error ? err.message : String(err));
+  }
+  app.post("/daemon/oauth-consent", requireBearer, (req, res) => {
+    const consentId = typeof req.body?.consentId === "string" ? req.body.consentId : null;
+    const approved = req.body?.approved === true;
+    if (!consentId) {
+      res.status(400).json({ error: "consentId required" });
+      return;
+    }
+    const resolved = consentCoordinator.resolve(consentId, approved);
+    res.json({ ok: resolved });
+  });
+  app.get("/daemon/oauth-consents", requireBearer, (_req, res) => {
+    res.json({ consents: oauthProvider.listConsents() });
+  });
+  app.delete("/daemon/oauth-consents", requireBearer, (req, res) => {
+    const clientId = typeof req.body?.clientId === "string" ? req.body.clientId : void 0;
+    const redirectUri = typeof req.body?.redirectUri === "string" ? req.body.redirectUri : void 0;
+    const removed = oauthProvider.revokeConsent(clientId, redirectUri);
+    res.json({ ok: true, removed });
+  });
+  app.get("/daemon/oauth-clients", requireBearer, (_req, res) => {
+    res.json({ clients: oauthProvider.listClients() });
+  });
+  app.delete("/daemon/oauth-clients", requireBearer, (req, res) => {
+    const clientId = typeof req.query?.clientId === "string" && req.query.clientId.length > 0 ? req.query.clientId : typeof req.body?.clientId === "string" && req.body.clientId.length > 0 ? req.body.clientId : void 0;
+    if (clientId) {
+      const ok = oauthProvider.revokeClient(clientId);
+      res.json({ ok, removed: ok ? 1 : 0 });
+      return;
+    }
+    const removed = oauthProvider.revokeAllClients();
+    res.json({ ok: true, removed });
+  });
+  const looksLikeMcpClient = (req) => {
+    const accept = String(req.headers?.accept ?? "").toLowerCase();
+    const contentType = String(req.headers?.["content-type"] ?? "").toLowerCase();
+    if (req.method === "POST") return true;
+    if (accept.includes("text/event-stream")) return true;
+    if (accept.includes("application/json") && !accept.includes("text/html")) return true;
+    if (contentType.includes("application/json")) return true;
+    return false;
+  };
+  app.all("/", (req, res, next) => {
+    if (looksLikeMcpClient(req)) {
+      return next();
+    }
+    if (req.method !== "GET") {
+      res.status(405).setHeader("Allow", "GET").end();
+      return;
+    }
+    res.setHeader("Content-Type", "text/html; charset=utf-8");
+    res.setHeader("Cache-Control", "public, max-age=3600");
+    res.setHeader("X-Robots-Tag", "noindex, nofollow");
+    res.status(200).end(getHomepageHtml());
+  });
+  app.get("/robots.txt", (_req, res) => {
+    res.setHeader("Content-Type", "text/plain; charset=utf-8");
+    res.setHeader("Cache-Control", "public, max-age=86400");
+    res.status(200).end(getRobotsTxt());
+  });
+  app.get("/favicon.ico", (_req, res) => {
+    res.status(204).end();
+  });
+  app.get("/daemon/events", requireBearer, (req, res) => {
+    res.setHeader("Content-Type", "text/event-stream");
+    res.setHeader("Cache-Control", "no-cache");
+    res.setHeader("Connection", "keep-alive");
+    res.flushHeaders?.();
+    res.write(`event: daemon:ready
+data: ${JSON.stringify(getHealth())}
+
+`);
+    sseClients.add(res);
+    req.on("close", () => {
+      sseClients.delete(res);
+    });
+  });
+  app.get("/daemon/health", requireBearer, (_req, res) => {
+    res.json(getHealth());
+  });
+  app.post("/daemon/heartbeat", requireBearer, (req, res) => {
+    const clientId = typeof req.body?.clientId === "string" && req.body.clientId.length > 0 ? req.body.clientId : req.auth?.clientId ?? "daemon-client";
+    heartbeatMap.set(clientId, Date.now());
+    res.json({ ok: true, clientId });
+  });
+  app.post("/daemon/rotate-token", requireBearer, async (_req, res, next) => {
+    try {
+      currentToken = rotateToken({ tokenPath });
+      await options.onTokenRotated?.(currentToken);
+      publishEvent("daemon:token-rotated", {
+        rotatedAt: currentToken.rotatedAt,
+        version: currentToken.version
+      });
+      res.json({
+        ok: true,
+        rotatedAt: currentToken.rotatedAt,
+        version: currentToken.version
+      });
+    } catch (error) {
+      next(error);
+    }
+  });
+  app.post("/daemon/shutdown", requireBearer, (req, res, next) => {
+    res.json({ ok: true });
+    setImmediate(() => {
+      close().catch(next);
+    });
+  });
+  app.post("/daemon/enable-tunnel", requireBearer, async (_req, res, next) => {
+    try {
+      await options.onEnableTunnel?.();
+      res.json({ ok: true, tunnel: getHealth().tunnel });
+    } catch (error) {
+      next(error);
+    }
+  });
+  app.post("/daemon/disable-tunnel", requireBearer, async (_req, res, next) => {
+    try {
+      await options.onDisableTunnel?.();
+      res.json({ ok: true, tunnel: getHealth().tunnel });
+    } catch (error) {
+      next(error);
+    }
+  });
+  const requireMcpAuth = async (req, res, next) => {
+    const sendUnauthorized = (error, description) => {
+      const issuer = resolveIssuer(req, oauthIssuer);
+      const prm = new URL("/.well-known/oauth-protected-resource", issuer).href;
+      res.setHeader(
+        "WWW-Authenticate",
+        `Bearer error="${error}", error_description="${description}", resource_metadata="${prm}"`
+      );
+      res.status(401).json({ error, error_description: description });
+    };
+    try {
+      const authHeader = typeof req.headers?.authorization === "string" ? req.headers.authorization : null;
+      if (!authHeader) {
+        return sendUnauthorized("invalid_token", "Missing Authorization header");
+      }
+      const [type, token] = authHeader.split(/\s+/, 2);
+      if (!token || type.toLowerCase() !== "bearer") {
+        return sendUnauthorized("invalid_token", "Expected 'Bearer TOKEN'");
+      }
+      const source = req._pplx?.source === "tunnel" ? "tunnel" : "loopback";
+      const expectedResource = resolveRequestResource(req, oauthIssuer);
+      const info = await oauthProvider.verifyAccessToken(token, source, expectedResource);
+      if (typeof info.expiresAt === "number" && info.expiresAt < Date.now() / 1e3) {
+        return sendUnauthorized("invalid_token", "Token expired");
+      }
+      req.auth = info;
+      next();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Invalid token";
+      sendUnauthorized("invalid_token", message);
+    }
+  };
+  const promoteCallerClientId = (req, _res, next) => {
+    try {
+      const auth = req.auth;
+      if (auth && auth.clientId === "local-static") {
+        const header = req.headers?.["x-perplexity-client-id"];
+        const caller = typeof header === "string" ? header : Array.isArray(header) ? header[0] : void 0;
+        if (caller && caller.length > 0) {
+          auth.clientId = caller;
+        }
+      }
+    } catch {
+    }
+    next();
+  };
+  app.all(["/mcp", "/"], requireMcpAuth, promoteCallerClientId, async (req, res, next) => {
+    try {
+      const mcpServer = new McpServer({
+        name: "perplexity",
+        version
+      });
+      const transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: void 0
+      });
+      registerResources(mcpServer);
+      registerPrompts(mcpServer);
+      registerTools(mcpServer, getClient, getEnabledTools(loadToolConfig()), {
+        onToolSettled: (event) => {
+          appendAuditEntry({
+            timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+            clientId: event.clientId,
+            tool: event.tool,
+            durationMs: event.durationMs,
+            source: event.source,
+            ok: event.ok,
+            ...event.error ? { error: event.error } : {}
+          }, { auditPath });
+        },
+        onToolProgress: (event) => {
+          publishEvent("daemon:tool-progress", { ...event });
+        }
+      });
+      await mcpServer.connect(transport);
+      let cleanedUp = false;
+      const cleanup = async () => {
+        if (cleanedUp) {
+          return;
+        }
+        cleanedUp = true;
+        activeMcpClosers.delete(cleanup);
+        await mcpServer.close().catch(() => void 0);
+      };
+      activeMcpClosers.add(cleanup);
+      res.on("close", () => {
+        void cleanup();
+      });
+      await transport.handleRequest(req, res, req.body);
+    } catch (error) {
+      next(error);
+    }
+  });
+  app.use((error, _req, res, _next) => {
+    res.status(500).json({ error: error instanceof Error ? error.message : String(error) });
+  });
+  httpServer = createServer(app);
+  try {
+    await listenAvoidingBlockedPorts(httpServer, requestedPort, host);
+  } catch (error) {
+    try {
+      httpServer.close();
+    } catch {
+    }
+    httpServer = void 0;
+    throw error;
+  }
+  const runShutdownStep = async (label, fn) => {
+    try {
+      await fn();
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error(`[trace] daemon shutdown step '${label}' failed: ${message}`);
+    }
+  };
+  const close = async () => {
+    if (closed) {
+      return;
+    }
+    closed = true;
+    await runShutdownStep("sse-clients", () => {
+      for (const response of sseClients) {
+        try {
+          response.end();
+        } catch {
+        }
+      }
+      sseClients.clear();
+    });
+    for (const cleanup of Array.from(activeMcpClosers)) {
+      await runShutdownStep("mcp-cleanup", () => cleanup());
+    }
+    await runShutdownStep("client-shutdown", () => client?.shutdown?.() ?? void 0);
+    await runShutdownStep("on-shutdown", () => options.onShutdown?.() ?? void 0);
+    if (httpServer) {
+      await runShutdownStep(
+        "http-close",
+        () => new Promise((resolve, reject) => {
+          httpServer.close((error) => {
+            if (error) {
+              reject(error);
+              return;
+            }
+            resolve();
+          });
+        })
+      );
+    }
+  };
+  return {
+    host,
+    port: getBoundPort(httpServer),
+    url: `http://${host}:${getBoundPort(httpServer)}`,
+    // Live getter: must reflect the CURRENT token after rotation.
+    // A plain snapshot here causes the launcher's syncLockfile to write
+    // the stale pre-rotation bearer back into the lockfile on every
+    // publishTunnelState, breaking auth for probes.
+    get bearerToken() {
+      return currentToken.bearerToken;
+    },
+    auditPath,
+    tokenPath,
+    close,
+    publishEvent,
+    getHealth,
+    readAuditTail: (limit = 50) => readAuditTail(limit, { auditPath }),
+    listOAuthClients: () => oauthProvider.listClients(),
+    revokeOAuthClient: (clientId) => oauthProvider.revokeClient(clientId),
+    revokeAllOAuthClients: () => oauthProvider.revokeAllClients(),
+    resolveOAuthConsent: (consentId, approved) => consentCoordinator.resolve(consentId, approved),
+    listOAuthConsents: () => oauthProvider.listConsents(),
+    revokeOAuthConsents: (filter) => oauthProvider.revokeConsent(filter?.clientId, filter?.redirectUri)
+  };
+}
+function computeRequestSource(req) {
+  if (req.headers?.["x-forwarded-for"]) return "tunnel";
+  if (req.headers?.["cf-connecting-ip"]) return "tunnel";
+  const ip = req.ip ?? req.socket?.remoteAddress ?? "";
+  if (ip && ip !== "127.0.0.1" && ip !== "::1" && ip !== "::ffff:127.0.0.1") return "tunnel";
+  return "loopback";
+}
+var TUNNEL_ALLOWLIST = [
+  /^\/mcp(\/|$|\?)/,
+  /^\/$/,
+  /^\/authorize(\/|$|\?)/,
+  /^\/token(\/|$|\?)/,
+  /^\/register(\/|$|\?)/,
+  /^\/revoke(\/|$|\?)/,
+  /^\/\.well-known\/(oauth-authorization-server|oauth-protected-resource)(\/|$|\?)/,
+  /^\/robots\.txt$/,
+  /^\/favicon\.ico$/
+];
+function pathIsTunnelAllowed(path) {
+  const bare = path.split("?")[0] ?? path;
+  return TUNNEL_ALLOWLIST.some((re) => re.test(bare));
+}
+function resolveIssuer(req, fallback) {
+  const forwardedHostRaw = typeof req.headers?.["x-forwarded-host"] === "string" ? req.headers["x-forwarded-host"] : null;
+  const forwardedHost = forwardedHostRaw ? forwardedHostRaw.split(",")[0].trim() : null;
+  const host = forwardedHost ?? (typeof req.headers?.host === "string" ? req.headers.host : null);
+  const forwardedProto = typeof req.headers?.["x-forwarded-proto"] === "string" ? req.headers["x-forwarded-proto"] : null;
+  const cfConnecting = req.headers?.["cf-connecting-ip"];
+  if (host) {
+    const proto = forwardedProto ?? (cfConnecting ? "https" : "http");
+    try {
+      return new URL(`${proto}://${host}`);
+    } catch {
+    }
+  }
+  return fallback;
+}
+function resolveRequestResource(req, fallback = new URL("http://localhost")) {
+  const issuer = resolveIssuer(req, fallback);
+  return new URL("/mcp", issuer).toString().replace(/\/$/, "");
+}
+function readAuthorizationHeader(value) {
+  const header = readSingleHeader(value);
+  if (!header) {
+    return null;
+  }
+  const match = header.match(/^Bearer\s+(.+)$/i);
+  return match?.[1] ?? null;
+}
+function readSingleHeader(value) {
+  if (Array.isArray(value)) {
+    return value[0] ?? null;
+  }
+  return typeof value === "string" ? value : null;
+}
+function getBoundPort(server) {
+  const address = server?.address();
+  if (!address || typeof address === "string") {
+    throw new Error("Daemon server is not listening on a TCP port.");
+  }
+  return address.port;
+}
+var FETCH_BLOCKED_PORTS = /* @__PURE__ */ new Set([
+  1,
+  7,
+  9,
+  11,
+  13,
+  15,
+  17,
+  19,
+  20,
+  21,
+  22,
+  23,
+  25,
+  37,
+  42,
+  43,
+  53,
+  69,
+  77,
+  79,
+  87,
+  95,
+  101,
+  102,
+  103,
+  104,
+  109,
+  110,
+  111,
+  113,
+  115,
+  117,
+  119,
+  123,
+  135,
+  137,
+  139,
+  143,
+  161,
+  179,
+  389,
+  427,
+  465,
+  512,
+  513,
+  514,
+  515,
+  526,
+  530,
+  531,
+  532,
+  540,
+  548,
+  554,
+  556,
+  563,
+  587,
+  601,
+  636,
+  989,
+  990,
+  993,
+  995,
+  1719,
+  1720,
+  1723,
+  2049,
+  3659,
+  4045,
+  4190,
+  5060,
+  5061,
+  6e3,
+  6566,
+  6665,
+  6666,
+  6667,
+  6668,
+  6669,
+  6679,
+  6697,
+  10080
+]);
+async function listenAvoidingBlockedPorts(server, requestedPort, host) {
+  const maxAttempts = requestedPort === 0 ? 5 : 1;
+  for (let attempt = 0; attempt < maxAttempts; attempt++) {
+    await new Promise((resolve, reject) => {
+      const onError = (error) => {
+        server.removeListener("listening", onListening);
+        reject(error);
+      };
+      const onListening = () => {
+        server.removeListener("error", onError);
+        resolve();
+      };
+      server.once("error", onError);
+      server.once("listening", onListening);
+      server.listen(requestedPort, host);
+    });
+    const boundPort = getBoundPort(server);
+    if (!FETCH_BLOCKED_PORTS.has(boundPort)) {
+      return;
+    }
+    await new Promise((resolve) => server.close(() => resolve()));
+  }
+}
+
+export {
+  formatResponse,
+  buildAnswerPreview,
+  buildHistoryEntry,
+  buildHistoryBody,
+  buildStoredHistoryEntry,
+  registerTools,
+  registerPrompts,
+  registerResources,
+  loadToolConfig,
+  getEnabledTools,
+  saveToolConfig,
+  watchToolConfig,
+  getPackageVersion,
+  startDaemonServer,
+  resolveRequestResource
+};