npm - wasper-cli - Versions diffs - 0.1.0 → 0.3.0 - Mend

wasper-cli 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js CHANGED Viewed

@@ -21,7 +21,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "wasper-cli",
-    version: "0.1.0",
+    version: "0.3.0",
     description: "Host an MCP server + API proxy from any OpenAPI spec. Like Drizzle Studio, but for APIs.",
     type: "module",
     homepage: "https://wasper.site",
@@ -225,7 +225,7 @@ function printBanner(opts) {
   const hint = [
     `${paint.bold("r")} reload`,
     `${paint.bold("b")} background`,
-    `${paint.bold("/")} commands`,
+    `${paint.bold("/")} commands  ${paint.dim("(Tab to complete)")}`,
     `${paint.bold("q")} quit`,
     `${paint.bold("?")} help`
   ].join(`  ${dot}  `);
@@ -576,6 +576,367 @@ var init_reload = __esm(() => {
   init_ui();
 });
+// src/db/schema.ts
+var SCHEMA = `
+  CREATE TABLE IF NOT EXISTS auth_config (
+    id TEXT PRIMARY KEY DEFAULT 'default',
+    type TEXT NOT NULL DEFAULT 'none',
+    config TEXT NOT NULL DEFAULT '{}',
+    token_cache TEXT,
+    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE TABLE IF NOT EXISTS request_logs (
+    id TEXT PRIMARY KEY,
+    source TEXT NOT NULL DEFAULT 'mcp',
+    tool_name TEXT,
+    method TEXT NOT NULL,
+    url TEXT NOT NULL,
+    request_headers TEXT,
+    request_body TEXT,
+    status_code INTEGER,
+    response_headers TEXT,
+    response_body TEXT,
+    latency_ms INTEGER,
+    error TEXT,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_logs_created ON request_logs(created_at DESC);
+  CREATE TABLE IF NOT EXISTS settings (
+    key TEXT PRIMARY KEY,
+    value TEXT NOT NULL DEFAULT '{}'
+  );
+  CREATE TABLE IF NOT EXISTS intercept_rules (
+    id TEXT PRIMARY KEY,
+    enabled INTEGER NOT NULL DEFAULT 1,
+    name TEXT NOT NULL DEFAULT '',
+    sort_order INTEGER NOT NULL DEFAULT 0,
+    match_path TEXT NOT NULL DEFAULT '',
+    match_method TEXT NOT NULL DEFAULT '',
+    target_host TEXT NOT NULL DEFAULT '',
+    strip_prefix TEXT NOT NULL DEFAULT '',
+    add_prefix TEXT NOT NULL DEFAULT '',
+    add_headers TEXT NOT NULL DEFAULT '{}',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_rules_order ON intercept_rules(sort_order, created_at);
+  CREATE TABLE IF NOT EXISTS auth_profiles (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    description TEXT NOT NULL DEFAULT '',
+    type TEXT NOT NULL DEFAULT 'none',
+    config TEXT NOT NULL DEFAULT '{}',
+    token_cache TEXT,
+    is_active INTEGER NOT NULL DEFAULT 0,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE TABLE IF NOT EXISTS saved_requests (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL DEFAULT 'Untitled',
+    folder TEXT NOT NULL DEFAULT '',
+    method TEXT NOT NULL DEFAULT 'GET',
+    url TEXT NOT NULL DEFAULT '',
+    headers TEXT NOT NULL DEFAULT '[]',
+    params TEXT NOT NULL DEFAULT '[]',
+    body TEXT NOT NULL DEFAULT '',
+    body_type TEXT NOT NULL DEFAULT 'none',
+    raw_type TEXT NOT NULL DEFAULT 'text/plain',
+    form_rows TEXT NOT NULL DEFAULT '[]',
+    auth TEXT NOT NULL DEFAULT '{}',
+    notes TEXT NOT NULL DEFAULT '',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_saved_folder ON saved_requests(folder, created_at DESC);
+  CREATE TABLE IF NOT EXISTS spec_history (
+    id TEXT PRIMARY KEY,
+    url TEXT NOT NULL UNIQUE,
+    title TEXT,
+    version TEXT,
+    endpoint_count INTEGER,
+    last_used INTEGER NOT NULL DEFAULT (unixepoch()),
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_spec_history_last_used ON spec_history(last_used DESC);
+  CREATE TABLE IF NOT EXISTS workflows (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL DEFAULT 'Untitled Workflow',
+    description TEXT NOT NULL DEFAULT '',
+    steps TEXT NOT NULL DEFAULT '[]',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_workflows_updated ON workflows(updated_at DESC);
+  CREATE TABLE IF NOT EXISTS capture_bins (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL DEFAULT '',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE TABLE IF NOT EXISTS chat_memory (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    role TEXT NOT NULL,
+    content TEXT NOT NULL,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_memory_created ON chat_memory(created_at DESC);
+`;
+// src/db/index.ts
+import { Database } from "bun:sqlite";
+import { join as join3 } from "path";
+import { mkdirSync, existsSync } from "fs";
+import { homedir as homedir3 } from "os";
+import { randomUUID } from "crypto";
+function resolveDataDir() {
+  if (process.env.WASPER_DATA_DIR ?? process.env.OPENAPI_AGENT_DATA_DIR) {
+    return process.env.WASPER_DATA_DIR ?? process.env.OPENAPI_AGENT_DATA_DIR;
+  }
+  try {
+    const legacy = join3(import.meta.dir, "../../data");
+    if (!Bun.main.includes("$bunfs") && (existsSync(join3(legacy, "wasper.db")) || existsSync(join3(legacy, "openapi-agent.db"))))
+      return legacy;
+  } catch {}
+  const oldDir = join3(homedir3(), ".openapi-agent", "data");
+  if (existsSync(oldDir))
+    return oldDir;
+  return join3(homedir3(), ".wasper", "data");
+}
+var DATA_DIR, DB_PATH, db, hasOldSchema, dbQueries;
+var init_db = __esm(() => {
+  DATA_DIR = resolveDataDir();
+  mkdirSync(DATA_DIR, { recursive: true });
+  DB_PATH = join3(DATA_DIR, existsSync(join3(DATA_DIR, "openapi-agent.db")) && !existsSync(join3(DATA_DIR, "wasper.db")) ? "openapi-agent.db" : "wasper.db");
+  db = new Database(DB_PATH, { create: true });
+  db.exec("PRAGMA journal_mode = WAL;");
+  db.exec("PRAGMA foreign_keys = OFF;");
+  hasOldSchema = db.query("SELECT name FROM sqlite_master WHERE type='table' AND name='specs'").get() !== null;
+  if (hasOldSchema) {
+    db.exec("DROP TABLE IF EXISTS tools; DROP TABLE IF EXISTS specs; DROP TABLE IF EXISTS auth_configs; DROP TABLE IF EXISTS request_logs;");
+  }
+  db.exec(SCHEMA);
+  dbQueries = {
+    getAuthConfig: () => db.query("SELECT * FROM auth_config WHERE id = 'default'").get(),
+    setAuthConfig: (type, config) => db.query(`INSERT INTO auth_config (id, type, config, updated_at)
+              VALUES ('default', ?, ?, unixepoch())
+              ON CONFLICT(id) DO UPDATE SET type = excluded.type, config = excluded.config, updated_at = unixepoch()`).run(type, JSON.stringify(config)),
+    updateTokenCache: (tokenCache) => db.query("UPDATE auth_config SET token_cache = ? WHERE id = 'default'").run(tokenCache ? JSON.stringify(tokenCache) : null),
+    getRecentLogs: (limit = 500) => db.query("SELECT * FROM request_logs ORDER BY created_at DESC LIMIT ?").all(limit),
+    insertLog: (data) => db.query(`INSERT INTO request_logs
+              (id, source, tool_name, method, url, request_headers, request_body,
+               status_code, response_headers, response_body, latency_ms, error)
+              VALUES ($id, $source, $tool_name, $method, $url, $request_headers, $request_body,
+               $status_code, $response_headers, $response_body, $latency_ms, $error)`).run({
+      $id: data.id,
+      $source: data.source,
+      $tool_name: data.tool_name,
+      $method: data.method,
+      $url: data.url,
+      $request_headers: data.request_headers,
+      $request_body: data.request_body,
+      $status_code: data.status_code,
+      $response_headers: data.response_headers,
+      $response_body: data.response_body,
+      $latency_ms: data.latency_ms,
+      $error: data.error
+    }),
+    clearLogs: () => db.query("DELETE FROM request_logs").run(),
+    getRules: () => db.query("SELECT * FROM intercept_rules ORDER BY sort_order, created_at").all(),
+    insertRule: (rule) => db.query(`INSERT INTO intercept_rules (id,enabled,name,sort_order,match_path,match_method,target_host,strip_prefix,add_prefix,add_headers)
+      VALUES ($id,$enabled,$name,$sort_order,$match_path,$match_method,$target_host,$strip_prefix,$add_prefix,$add_headers)`).run({
+      $id: rule.id,
+      $enabled: rule.enabled,
+      $name: rule.name,
+      $sort_order: rule.sort_order,
+      $match_path: rule.match_path,
+      $match_method: rule.match_method,
+      $target_host: rule.target_host,
+      $strip_prefix: rule.strip_prefix,
+      $add_prefix: rule.add_prefix,
+      $add_headers: rule.add_headers
+    }),
+    updateRule: (id, patch) => {
+      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
+      const params = { $id: id };
+      for (const [k, v] of Object.entries(patch))
+        params[`$${k}`] = v;
+      db.query(`UPDATE intercept_rules SET ${cols} WHERE id = $id`).run(params);
+    },
+    deleteRule: (id) => db.query("DELETE FROM intercept_rules WHERE id = ?").run(id),
+    getSettings: () => db.query("SELECT value FROM settings WHERE key='app' LIMIT 1").get() ?? null,
+    setSettings: (value) => {
+      db.run("INSERT INTO settings(key,value) VALUES('app',?) ON CONFLICT(key) DO UPDATE SET value=excluded.value", [JSON.stringify(value)]);
+    },
+    getProfiles: () => db.query("SELECT * FROM auth_profiles ORDER BY name COLLATE NOCASE").all(),
+    getActiveProfile: () => db.query("SELECT * FROM auth_profiles WHERE is_active = 1 LIMIT 1").get(),
+    insertProfile: (p) => db.query(`INSERT INTO auth_profiles (id,name,description,type,config,token_cache,is_active)
+      VALUES ($id,$name,$description,$type,$config,$token_cache,$is_active)`).run({
+      $id: p.id,
+      $name: p.name,
+      $description: p.description,
+      $type: p.type,
+      $config: p.config,
+      $token_cache: p.token_cache,
+      $is_active: p.is_active
+    }),
+    updateProfile: (id, patch) => {
+      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
+      const params = { $id: id };
+      for (const [k, v] of Object.entries(patch))
+        params[`$${k}`] = v;
+      db.query(`UPDATE auth_profiles SET ${cols} WHERE id = $id`).run(params);
+    },
+    deleteProfile: (id) => db.query("DELETE FROM auth_profiles WHERE id = ?").run(id),
+    activateProfile: (id) => {
+      const profile = db.query("SELECT * FROM auth_profiles WHERE id = ?").get(id);
+      if (!profile)
+        return;
+      db.query("UPDATE auth_profiles SET is_active = 0").run();
+      db.query("UPDATE auth_profiles SET is_active = 1 WHERE id = ?").run(id);
+      db.query(`INSERT INTO auth_config (id, type, config, updated_at) VALUES ('default', $type, $config, unixepoch())
+      ON CONFLICT(id) DO UPDATE SET type=excluded.type, config=excluded.config, updated_at=unixepoch()`).run({ $type: profile.type, $config: profile.config });
+    },
+    getSavedRequests: () => db.query("SELECT * FROM saved_requests ORDER BY folder, name COLLATE NOCASE").all(),
+    getSavedRequest: (id) => db.query("SELECT * FROM saved_requests WHERE id = ?").get(id),
+    insertSavedRequest: (r) => db.query(`INSERT INTO saved_requests
+      (id, name, folder, method, url, headers, params, body, body_type, raw_type, form_rows, auth, notes)
+      VALUES ($id,$name,$folder,$method,$url,$headers,$params,$body,$body_type,$raw_type,$form_rows,$auth,$notes)`).run({
+      $id: r.id,
+      $name: r.name,
+      $folder: r.folder,
+      $method: r.method,
+      $url: r.url,
+      $headers: r.headers,
+      $params: r.params,
+      $body: r.body,
+      $body_type: r.body_type,
+      $raw_type: r.raw_type,
+      $form_rows: r.form_rows,
+      $auth: r.auth,
+      $notes: r.notes
+    }),
+    updateSavedRequest: (id, patch) => {
+      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
+      const params = { $id: id };
+      for (const [k, v] of Object.entries(patch))
+        params[`$${k}`] = v;
+      db.query(`UPDATE saved_requests SET ${cols}, updated_at = unixepoch() WHERE id = $id`).run(params);
+    },
+    deleteSavedRequest: (id) => db.query("DELETE FROM saved_requests WHERE id = ?").run(id),
+    getSpecHistory: () => db.query("SELECT * FROM spec_history ORDER BY last_used DESC").all(),
+    getLastSpec: () => db.query("SELECT * FROM spec_history ORDER BY last_used DESC LIMIT 1").get(),
+    upsertSpec: (url, title, version, endpointCount) => {
+      const existing = db.query("SELECT id FROM spec_history WHERE url = ?").get(url);
+      if (existing) {
+        db.query("UPDATE spec_history SET title=?, version=?, endpoint_count=?, last_used=unixepoch() WHERE url=?").run(title, version, endpointCount, url);
+      } else {
+        db.query(`INSERT INTO spec_history (id, url, title, version, endpoint_count)
+        VALUES (?, ?, ?, ?, ?)`).run(randomUUID(), url, title, version, endpointCount);
+      }
+    },
+    deleteSpec: (id) => {
+      db.query("DELETE FROM spec_history WHERE id = ?").run(id);
+    },
+    getWorkflows: () => db.query("SELECT * FROM workflows ORDER BY updated_at DESC").all(),
+    getWorkflow: (id) => db.query("SELECT * FROM workflows WHERE id = ?").get(id),
+    insertWorkflow: (w) => db.query("INSERT INTO workflows (id, name, description, steps) VALUES ($id, $name, $description, $steps)").run({ $id: w.id, $name: w.name, $description: w.description, $steps: w.steps }),
+    updateWorkflow: (id, patch) => {
+      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
+      const params = { $id: id };
+      for (const [k, v] of Object.entries(patch))
+        params[`$${k}`] = v;
+      db.query(`UPDATE workflows SET ${cols}, updated_at = unixepoch() WHERE id = $id`).run(params);
+    },
+    deleteWorkflow: (id) => db.query("DELETE FROM workflows WHERE id = ?").run(id),
+    getCaptureBins: () => db.query("SELECT * FROM capture_bins ORDER BY created_at DESC").all(),
+    getCaptureBin: (id) => db.query("SELECT * FROM capture_bins WHERE id = ?").get(id),
+    insertCaptureBin: (id, name) => {
+      db.query("INSERT INTO capture_bins (id, name) VALUES (?, ?)").run(id, name);
+    },
+    deleteCaptureBin: (id) => {
+      db.query("DELETE FROM capture_bins WHERE id = ?").run(id);
+    },
+    getSetting: (key) => (db.query("SELECT value FROM settings WHERE key = ?").get(key) ?? null)?.value ?? null,
+    setSetting: (key, value) => {
+      db.run("INSERT INTO settings(key,value) VALUES(?,?) ON CONFLICT(key) DO UPDATE SET value=excluded.value", [key, value]);
+    },
+    saveMemory: (role, content) => {
+      db.query("INSERT INTO chat_memory (role, content) VALUES (?, ?)").run(role, content);
+    },
+    getMemory: (limit = 20) => {
+      const rows = db.query("SELECT role, content FROM chat_memory ORDER BY created_at DESC LIMIT ?").all(limit);
+      return rows.reverse();
+    },
+    clearMemory: () => {
+      db.query("DELETE FROM chat_memory").run();
+    },
+    trimMemory: (keepLast = 40) => {
+      db.query("DELETE FROM chat_memory WHERE id NOT IN (SELECT id FROM chat_memory ORDER BY created_at DESC LIMIT ?)").run(keepLast);
+    }
+  };
+});
+// src/commands/ls.ts
+var exports_ls = {};
+__export(exports_ls, {
+  run: () => run5
+});
+function ago(ts) {
+  const secs = Math.floor(Date.now() / 1000) - ts;
+  if (secs < 60)
+    return "just now";
+  if (secs < 3600)
+    return `${Math.floor(secs / 60)}m ago`;
+  if (secs < 86400)
+    return `${Math.floor(secs / 3600)}h ago`;
+  if (secs < 86400 * 30)
+    return `${Math.floor(secs / 86400)}d ago`;
+  return new Date(ts * 1000).toLocaleDateString();
+}
+async function run5() {
+  const history = dbQueries.getSpecHistory();
+  if (history.length === 0) {
+    console.log(`
+  No saved specs yet.
+`);
+    console.log(`  ${paint.dim("Run:")}  wasper --url <spec-url>
+`);
+    process.exit(0);
+  }
+  const COL_URL = isTTY ? 50 : 60;
+  const COL_TITLE = 28;
+  console.log();
+  if (isTTY) {
+    const header = `  ${"#".padEnd(3)}  ${"URL".padEnd(COL_URL)}  ${"Title".padEnd(COL_TITLE)}  ${"Endpoints".padEnd(10)}  Last used`;
+    console.log(paint.dim(header));
+    console.log(paint.dim("  " + "\u2500".repeat(header.length - 2)));
+  }
+  history.forEach((row, i) => {
+    const num = String(i + 1).padEnd(3);
+    const url = row.url.length > COL_URL ? row.url.slice(0, COL_URL - 1) + "\u2026" : row.url.padEnd(COL_URL);
+    const title = (row.title ?? "\u2014").slice(0, COL_TITLE).padEnd(COL_TITLE);
+    const eps = (row.endpoint_count != null ? String(row.endpoint_count) : "\u2014").padEnd(10);
+    const time = ago(row.last_used);
+    console.log(`  ${paint.cyan(num)}  ${url}  ${paint.dim(title)}  ${eps}  ${paint.dim(time)}`);
+  });
+  console.log();
+  console.log(paint.dim(`  wasper use <number>  \u2014 start server with that spec`));
+  console.log(paint.dim(`  wasper rm  <number>  \u2014 remove a spec from history`));
+  console.log();
+}
+var init_ls = __esm(() => {
+  init_db();
+  init_ui();
+});
 // ../../node_modules/js-yaml/dist/js-yaml.mjs
 var __create, __defProp2, __getOwnPropDesc, __getOwnPropNames, __getProtoOf, __hasOwnProp, __commonJSMin = (cb, mod) => () => (mod || (cb((mod = { exports: {} }).exports, mod), cb = null), mod.exports), __copyProps = (to, from, except, desc) => {
   if (from && typeof from === "object" || typeof from === "function")
@@ -3329,7 +3690,7 @@ var init_js_yaml = __esm(() => {
 });
 // src/openapi/parser.ts
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 async function fetchAndParseSpec(url, name) {
   const res = await fetch(url, { headers: { Accept: "application/json, application/yaml, text/yaml, */*" } });
   if (!res.ok)
@@ -3358,402 +3719,261 @@ function parseSpecText(text, url, name) {
     } catch {}
   }
   return {
-    id: randomUUID(),
+    id: randomUUID2(),
     name: name ?? (info.title ?? "Untitled API"),
     url: url ?? null,
     raw: JSON.stringify(raw),
     title: info.title ?? "Untitled API",
     version: info.version ?? "1.0.0",
     baseUrl,
-    operations: extractOperations(doc),
-    securitySchemes: extractSecuritySchemes(doc)
-  };
-}
-function deref(node, root, depth = 0) {
-  if (depth > 20 || node === null || typeof node !== "object")
-    return node;
-  if (Array.isArray(node))
-    return node.map((item) => deref(item, root, depth + 1));
-  const obj = node;
-  if (typeof obj["$ref"] === "string" && obj["$ref"].startsWith("#/")) {
-    return deref(resolveRef(obj["$ref"], root), root, depth + 1);
-  }
-  const result = {};
-  for (const [k, v] of Object.entries(obj)) {
-    result[k] = deref(v, root, depth + 1);
-  }
-  return result;
-}
-function resolveRef(ref, root) {
-  let current = root;
-  for (const part of ref.slice(2).split("/")) {
-    const key = part.replace(/~1/g, "/").replace(/~0/g, "~");
-    if (current && typeof current === "object" && !Array.isArray(current)) {
-      current = current[key];
-    } else
-      return;
-  }
-  return current;
-}
-function extractOperations(doc) {
-  const paths = doc.paths ?? {};
-  const ops = [];
-  let idx = 0;
-  for (const [pathStr, pathItem] of Object.entries(paths)) {
-    if (!pathItem || typeof pathItem !== "object")
-      continue;
-    const pi = pathItem;
-    const pathParams = parseParameters(pi.parameters ?? []);
-    for (const method of HTTP_METHODS) {
-      const opObj = pi[method];
-      if (!opObj)
-        continue;
-      const rawId = opObj.operationId ?? `${method}_${pathStr.replace(/[^a-zA-Z0-9]/g, "_")}_${idx++}`;
-      const operationId = rawId.replace(/[^a-zA-Z0-9_]/g, "_").replace(/^_+|_+$/g, "").replace(/_+/g, "_");
-      const opParams = parseParameters(opObj.parameters ?? []);
-      const paramMap = new Map;
-      for (const p of [...pathParams, ...opParams])
-        paramMap.set(`${p.in}:${p.name}`, p);
-      ops.push({
-        operationId,
-        method,
-        path: pathStr,
-        summary: opObj.summary,
-        description: opObj.description,
-        tags: opObj.tags ?? ["default"],
-        parameters: [...paramMap.values()],
-        requestBody: parseRequestBody(opObj.requestBody),
-        responses: parseResponses(opObj.responses ?? {}),
-        security: opObj.security
-      });
-    }
-  }
-  return ops;
-}
-function parseParameters(params) {
-  return params.flatMap((p) => {
-    if (!p || typeof p !== "object")
-      return [];
-    const param = p;
-    const name = param.name;
-    const paramIn = param.in;
-    if (!name || !paramIn || !["path", "query", "header", "cookie"].includes(paramIn))
-      return [];
-    return [{
-      name,
-      in: paramIn,
-      description: param.description,
-      required: param.required ?? paramIn === "path",
-      schema: param.schema ?? { type: "string" }
-    }];
-  });
-}
-function parseRequestBody(rb) {
-  if (!rb || typeof rb !== "object")
-    return;
-  const body = rb;
-  const content = body.content ?? {};
-  const contentType = Object.keys(content).find((ct) => ct.includes("json")) ?? Object.keys(content)[0];
-  if (!contentType)
-    return;
-  return {
-    description: body.description,
-    required: body.required ?? false,
-    contentType,
-    schema: content[contentType]?.schema ?? { type: "object" }
-  };
-}
-function parseResponses(responses) {
-  const result = {};
-  for (const [code, resp] of Object.entries(responses)) {
-    if (!resp || typeof resp !== "object")
-      continue;
-    const r = resp;
-    const content = r.content;
-    const jsonCt = content ? Object.keys(content).find((ct) => ct.includes("json")) : undefined;
-    result[code] = {
-      description: r.description,
-      contentType: jsonCt,
-      schema: jsonCt ? content?.[jsonCt]?.schema : undefined
-    };
-  }
-  return result;
-}
-function extractSecuritySchemes(doc) {
-  const schemes = doc.components?.securitySchemes;
-  if (!schemes)
-    return {};
-  const result = {};
-  for (const [name, scheme] of Object.entries(schemes)) {
-    if (!scheme || typeof scheme !== "object")
-      continue;
-    const s = scheme;
-    result[name] = {
-      type: s.type,
-      scheme: s.scheme,
-      in: s.in,
-      name: s.name,
-      flows: s.flows,
-      openIdConnectUrl: s.openIdConnectUrl
-    };
-  }
-  return result;
-}
-var HTTP_METHODS;
-var init_parser = __esm(() => {
-  init_js_yaml();
-  HTTP_METHODS = ["get", "post", "put", "patch", "delete", "head", "options", "trace"];
-});
-// src/state.ts
-function hasState() {
-  return _state !== null;
-}
-function getState() {
-  if (!_state)
-    throw new Error("No spec loaded");
-  return _state;
-}
-async function loadSpec(url) {
-  const spec = await fetchAndParseSpec(url);
-  _state = { spec, operations: spec.operations, specUrl: url };
-  return _state;
-}
-function loadSpecFromText(text, filename) {
-  const spec = parseSpecText(text, undefined, filename?.replace(/\.[^.]+$/, ""));
-  _state = { spec, operations: spec.operations };
-  return _state;
-}
-var _state = null;
-var init_state = __esm(() => {
-  init_parser();
-});
-// src/db/schema.ts
-var SCHEMA = `
-  CREATE TABLE IF NOT EXISTS auth_config (
-    id TEXT PRIMARY KEY DEFAULT 'default',
-    type TEXT NOT NULL DEFAULT 'none',
-    config TEXT NOT NULL DEFAULT '{}',
-    token_cache TEXT,
-    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
-  );
-  CREATE TABLE IF NOT EXISTS request_logs (
-    id TEXT PRIMARY KEY,
-    source TEXT NOT NULL DEFAULT 'mcp',
-    tool_name TEXT,
-    method TEXT NOT NULL,
-    url TEXT NOT NULL,
-    request_headers TEXT,
-    request_body TEXT,
-    status_code INTEGER,
-    response_headers TEXT,
-    response_body TEXT,
-    latency_ms INTEGER,
-    error TEXT,
-    created_at INTEGER NOT NULL DEFAULT (unixepoch())
-  );
-  CREATE INDEX IF NOT EXISTS idx_logs_created ON request_logs(created_at DESC);
-  CREATE TABLE IF NOT EXISTS settings (
-    key TEXT PRIMARY KEY,
-    value TEXT NOT NULL DEFAULT '{}'
-  );
-  CREATE TABLE IF NOT EXISTS intercept_rules (
-    id TEXT PRIMARY KEY,
-    enabled INTEGER NOT NULL DEFAULT 1,
-    name TEXT NOT NULL DEFAULT '',
-    sort_order INTEGER NOT NULL DEFAULT 0,
-    match_path TEXT NOT NULL DEFAULT '',
-    match_method TEXT NOT NULL DEFAULT '',
-    target_host TEXT NOT NULL DEFAULT '',
-    strip_prefix TEXT NOT NULL DEFAULT '',
-    add_prefix TEXT NOT NULL DEFAULT '',
-    add_headers TEXT NOT NULL DEFAULT '{}',
-    created_at INTEGER NOT NULL DEFAULT (unixepoch())
-  );
-  CREATE INDEX IF NOT EXISTS idx_rules_order ON intercept_rules(sort_order, created_at);
-  CREATE TABLE IF NOT EXISTS auth_profiles (
-    id TEXT PRIMARY KEY,
-    name TEXT NOT NULL,
-    description TEXT NOT NULL DEFAULT '',
-    type TEXT NOT NULL DEFAULT 'none',
-    config TEXT NOT NULL DEFAULT '{}',
-    token_cache TEXT,
-    is_active INTEGER NOT NULL DEFAULT 0,
-    created_at INTEGER NOT NULL DEFAULT (unixepoch())
-  );
-  CREATE TABLE IF NOT EXISTS saved_requests (
-    id TEXT PRIMARY KEY,
-    name TEXT NOT NULL DEFAULT 'Untitled',
-    folder TEXT NOT NULL DEFAULT '',
-    method TEXT NOT NULL DEFAULT 'GET',
-    url TEXT NOT NULL DEFAULT '',
-    headers TEXT NOT NULL DEFAULT '[]',
-    params TEXT NOT NULL DEFAULT '[]',
-    body TEXT NOT NULL DEFAULT '',
-    body_type TEXT NOT NULL DEFAULT 'none',
-    raw_type TEXT NOT NULL DEFAULT 'text/plain',
-    form_rows TEXT NOT NULL DEFAULT '[]',
-    auth TEXT NOT NULL DEFAULT '{}',
-    notes TEXT NOT NULL DEFAULT '',
-    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
-    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
-  );
-  CREATE INDEX IF NOT EXISTS idx_saved_folder ON saved_requests(folder, created_at DESC);
-`;
-// src/db/index.ts
-import { Database } from "bun:sqlite";
-import { join as join3 } from "path";
-import { mkdirSync, existsSync } from "fs";
-import { homedir as homedir3 } from "os";
-import { randomUUID as randomUUID2 } from "crypto";
-function resolveDataDir() {
-  if (process.env.WASPER_DATA_DIR ?? process.env.OPENAPI_AGENT_DATA_DIR) {
-    return process.env.WASPER_DATA_DIR ?? process.env.OPENAPI_AGENT_DATA_DIR;
+    operations: extractOperations(doc),
+    securitySchemes: extractSecuritySchemes(doc)
+  };
+}
+function deref(node, root, depth = 0) {
+  if (depth > 20 || node === null || typeof node !== "object")
+    return node;
+  if (Array.isArray(node))
+    return node.map((item) => deref(item, root, depth + 1));
+  const obj = node;
+  if (typeof obj["$ref"] === "string" && obj["$ref"].startsWith("#/")) {
+    return deref(resolveRef(obj["$ref"], root), root, depth + 1);
   }
-  try {
-    const legacy = join3(import.meta.dir, "../../data");
-    if (!Bun.main.includes("$bunfs") && (existsSync(join3(legacy, "wasper.db")) || existsSync(join3(legacy, "openapi-agent.db"))))
-      return legacy;
-  } catch {}
-  const oldDir = join3(homedir3(), ".openapi-agent", "data");
-  if (existsSync(oldDir))
-    return oldDir;
-  return join3(homedir3(), ".wasper", "data");
+  const result = {};
+  for (const [k, v] of Object.entries(obj)) {
+    result[k] = deref(v, root, depth + 1);
+  }
+  return result;
 }
-var DATA_DIR, DB_PATH, db, hasOldSchema, dbQueries;
-var init_db = __esm(() => {
-  DATA_DIR = resolveDataDir();
-  mkdirSync(DATA_DIR, { recursive: true });
-  DB_PATH = join3(DATA_DIR, existsSync(join3(DATA_DIR, "openapi-agent.db")) && !existsSync(join3(DATA_DIR, "wasper.db")) ? "openapi-agent.db" : "wasper.db");
-  db = new Database(DB_PATH, { create: true });
-  db.exec("PRAGMA journal_mode = WAL;");
-  db.exec("PRAGMA foreign_keys = OFF;");
-  hasOldSchema = db.query("SELECT name FROM sqlite_master WHERE type='table' AND name='specs'").get() !== null;
-  if (hasOldSchema) {
-    db.exec("DROP TABLE IF EXISTS tools; DROP TABLE IF EXISTS specs; DROP TABLE IF EXISTS auth_configs; DROP TABLE IF EXISTS request_logs;");
+function resolveRef(ref, root) {
+  let current = root;
+  for (const part of ref.slice(2).split("/")) {
+    const key = part.replace(/~1/g, "/").replace(/~0/g, "~");
+    if (current && typeof current === "object" && !Array.isArray(current)) {
+      current = current[key];
+    } else
+      return;
   }
-  db.exec(SCHEMA);
-  dbQueries = {
-    getAuthConfig: () => db.query("SELECT * FROM auth_config WHERE id = 'default'").get(),
-    setAuthConfig: (type, config) => db.query(`INSERT INTO auth_config (id, type, config, updated_at)
-              VALUES ('default', ?, ?, unixepoch())
-              ON CONFLICT(id) DO UPDATE SET type = excluded.type, config = excluded.config, updated_at = unixepoch()`).run(type, JSON.stringify(config)),
-    updateTokenCache: (tokenCache) => db.query("UPDATE auth_config SET token_cache = ? WHERE id = 'default'").run(tokenCache ? JSON.stringify(tokenCache) : null),
-    getRecentLogs: (limit = 500) => db.query("SELECT * FROM request_logs ORDER BY created_at DESC LIMIT ?").all(limit),
-    insertLog: (data) => db.query(`INSERT INTO request_logs
-              (id, source, tool_name, method, url, request_headers, request_body,
-               status_code, response_headers, response_body, latency_ms, error)
-              VALUES ($id, $source, $tool_name, $method, $url, $request_headers, $request_body,
-               $status_code, $response_headers, $response_body, $latency_ms, $error)`).run({
-      $id: data.id,
-      $source: data.source,
-      $tool_name: data.tool_name,
-      $method: data.method,
-      $url: data.url,
-      $request_headers: data.request_headers,
-      $request_body: data.request_body,
-      $status_code: data.status_code,
-      $response_headers: data.response_headers,
-      $response_body: data.response_body,
-      $latency_ms: data.latency_ms,
-      $error: data.error
-    }),
-    clearLogs: () => db.query("DELETE FROM request_logs").run(),
-    getRules: () => db.query("SELECT * FROM intercept_rules ORDER BY sort_order, created_at").all(),
-    insertRule: (rule) => db.query(`INSERT INTO intercept_rules (id,enabled,name,sort_order,match_path,match_method,target_host,strip_prefix,add_prefix,add_headers)
-      VALUES ($id,$enabled,$name,$sort_order,$match_path,$match_method,$target_host,$strip_prefix,$add_prefix,$add_headers)`).run({
-      $id: rule.id,
-      $enabled: rule.enabled,
-      $name: rule.name,
-      $sort_order: rule.sort_order,
-      $match_path: rule.match_path,
-      $match_method: rule.match_method,
-      $target_host: rule.target_host,
-      $strip_prefix: rule.strip_prefix,
-      $add_prefix: rule.add_prefix,
-      $add_headers: rule.add_headers
-    }),
-    updateRule: (id, patch) => {
-      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
-      const params = { $id: id };
-      for (const [k, v] of Object.entries(patch))
-        params[`$${k}`] = v;
-      db.query(`UPDATE intercept_rules SET ${cols} WHERE id = $id`).run(params);
-    },
-    deleteRule: (id) => db.query("DELETE FROM intercept_rules WHERE id = ?").run(id),
-    getSettings: () => db.query("SELECT value FROM settings WHERE key='app' LIMIT 1").get() ?? null,
-    setSettings: (value) => {
-      db.run("INSERT INTO settings(key,value) VALUES('app',?) ON CONFLICT(key) DO UPDATE SET value=excluded.value", [JSON.stringify(value)]);
-    },
-    getProfiles: () => db.query("SELECT * FROM auth_profiles ORDER BY name COLLATE NOCASE").all(),
-    getActiveProfile: () => db.query("SELECT * FROM auth_profiles WHERE is_active = 1 LIMIT 1").get(),
-    insertProfile: (p) => db.query(`INSERT INTO auth_profiles (id,name,description,type,config,token_cache,is_active)
-      VALUES ($id,$name,$description,$type,$config,$token_cache,$is_active)`).run({
-      $id: p.id,
-      $name: p.name,
-      $description: p.description,
-      $type: p.type,
-      $config: p.config,
-      $token_cache: p.token_cache,
-      $is_active: p.is_active
-    }),
-    updateProfile: (id, patch) => {
-      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
-      const params = { $id: id };
-      for (const [k, v] of Object.entries(patch))
-        params[`$${k}`] = v;
-      db.query(`UPDATE auth_profiles SET ${cols} WHERE id = $id`).run(params);
-    },
-    deleteProfile: (id) => db.query("DELETE FROM auth_profiles WHERE id = ?").run(id),
-    activateProfile: (id) => {
-      const profile = db.query("SELECT * FROM auth_profiles WHERE id = ?").get(id);
-      if (!profile)
-        return;
-      db.query("UPDATE auth_profiles SET is_active = 0").run();
-      db.query("UPDATE auth_profiles SET is_active = 1 WHERE id = ?").run(id);
-      db.query(`INSERT INTO auth_config (id, type, config, updated_at) VALUES ('default', $type, $config, unixepoch())
-      ON CONFLICT(id) DO UPDATE SET type=excluded.type, config=excluded.config, updated_at=unixepoch()`).run({ $type: profile.type, $config: profile.config });
-    },
-    getSavedRequests: () => db.query("SELECT * FROM saved_requests ORDER BY folder, name COLLATE NOCASE").all(),
-    getSavedRequest: (id) => db.query("SELECT * FROM saved_requests WHERE id = ?").get(id),
-    insertSavedRequest: (r) => db.query(`INSERT INTO saved_requests
-      (id, name, folder, method, url, headers, params, body, body_type, raw_type, form_rows, auth, notes)
-      VALUES ($id,$name,$folder,$method,$url,$headers,$params,$body,$body_type,$raw_type,$form_rows,$auth,$notes)`).run({
-      $id: r.id,
-      $name: r.name,
-      $folder: r.folder,
-      $method: r.method,
-      $url: r.url,
-      $headers: r.headers,
-      $params: r.params,
-      $body: r.body,
-      $body_type: r.body_type,
-      $raw_type: r.raw_type,
-      $form_rows: r.form_rows,
-      $auth: r.auth,
-      $notes: r.notes
-    }),
-    updateSavedRequest: (id, patch) => {
-      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
-      const params = { $id: id };
-      for (const [k, v] of Object.entries(patch))
-        params[`$${k}`] = v;
-      db.query(`UPDATE saved_requests SET ${cols}, updated_at = unixepoch() WHERE id = $id`).run(params);
-    },
-    deleteSavedRequest: (id) => db.query("DELETE FROM saved_requests WHERE id = ?").run(id),
-    getSetting: (key) => (db.query("SELECT value FROM settings WHERE key = ?").get(key) ?? null)?.value ?? null,
-    setSetting: (key, value) => {
-      db.run("INSERT INTO settings(key,value) VALUES(?,?) ON CONFLICT(key) DO UPDATE SET value=excluded.value", [key, value]);
+  return current;
+}
+function extractOperations(doc) {
+  const paths = doc.paths ?? {};
+  const ops = [];
+  let idx = 0;
+  for (const [pathStr, pathItem] of Object.entries(paths)) {
+    if (!pathItem || typeof pathItem !== "object")
+      continue;
+    const pi = pathItem;
+    const pathParams = parseParameters(pi.parameters ?? []);
+    for (const method of HTTP_METHODS) {
+      const opObj = pi[method];
+      if (!opObj)
+        continue;
+      const rawId = opObj.operationId ?? `${method}_${pathStr.replace(/[^a-zA-Z0-9]/g, "_")}_${idx++}`;
+      const operationId = rawId.replace(/[^a-zA-Z0-9_]/g, "_").replace(/^_+|_+$/g, "").replace(/_+/g, "_");
+      const opParams = parseParameters(opObj.parameters ?? []);
+      const paramMap = new Map;
+      for (const p of [...pathParams, ...opParams])
+        paramMap.set(`${p.in}:${p.name}`, p);
+      ops.push({
+        operationId,
+        method,
+        path: pathStr,
+        summary: opObj.summary,
+        description: opObj.description,
+        tags: opObj.tags ?? ["default"],
+        parameters: [...paramMap.values()],
+        requestBody: parseRequestBody(opObj.requestBody),
+        responses: parseResponses(opObj.responses ?? {}),
+        security: opObj.security
+      });
     }
+  }
+  return ops;
+}
+function parseParameters(params) {
+  return params.flatMap((p) => {
+    if (!p || typeof p !== "object")
+      return [];
+    const param = p;
+    const name = param.name;
+    const paramIn = param.in;
+    if (!name || !paramIn || !["path", "query", "header", "cookie"].includes(paramIn))
+      return [];
+    return [{
+      name,
+      in: paramIn,
+      description: param.description,
+      required: param.required ?? paramIn === "path",
+      schema: param.schema ?? { type: "string" }
+    }];
+  });
+}
+function parseRequestBody(rb) {
+  if (!rb || typeof rb !== "object")
+    return;
+  const body = rb;
+  const content = body.content ?? {};
+  const contentType = Object.keys(content).find((ct) => ct.includes("json")) ?? Object.keys(content)[0];
+  if (!contentType)
+    return;
+  return {
+    description: body.description,
+    required: body.required ?? false,
+    contentType,
+    schema: content[contentType]?.schema ?? { type: "object" }
+  };
+}
+function parseResponses(responses) {
+  const result = {};
+  for (const [code, resp] of Object.entries(responses)) {
+    if (!resp || typeof resp !== "object")
+      continue;
+    const r = resp;
+    const content = r.content;
+    const jsonCt = content ? Object.keys(content).find((ct) => ct.includes("json")) : undefined;
+    result[code] = {
+      description: r.description,
+      contentType: jsonCt,
+      schema: jsonCt ? content?.[jsonCt]?.schema : undefined
+    };
+  }
+  return result;
+}
+function extractSecuritySchemes(doc) {
+  const schemes = doc.components?.securitySchemes;
+  if (!schemes)
+    return {};
+  const result = {};
+  for (const [name, scheme] of Object.entries(schemes)) {
+    if (!scheme || typeof scheme !== "object")
+      continue;
+    const s = scheme;
+    result[name] = {
+      type: s.type,
+      scheme: s.scheme,
+      in: s.in,
+      name: s.name,
+      flows: s.flows,
+      openIdConnectUrl: s.openIdConnectUrl
+    };
+  }
+  return result;
+}
+function toEnvKey(str) {
+  return str.replace(/[^a-zA-Z0-9]+(.)/g, (_, c) => c.toUpperCase()).replace(/^[A-Z]/, (c) => c.toLowerCase()).replace(/[^a-zA-Z0-9_]/g, "") || str.replace(/[^a-zA-Z0-9_]/g, "_").toLowerCase();
+}
+function extractSuggestedVars(rawText, baseUrl) {
+  let raw;
+  try {
+    raw = rawText.trimStart().startsWith("{") ? JSON.parse(rawText) : index_vite_proxy_tmp_default.load(rawText);
+  } catch {
+    return [];
+  }
+  const vars = [];
+  const seen = new Set;
+  const add = (key, value, description, source) => {
+    const k = key.trim();
+    if (!k || seen.has(k))
+      return;
+    seen.add(k);
+    vars.push({ key: k, value, description, source });
   };
+  if (baseUrl)
+    add("baseUrl", baseUrl, "API base URL", "server");
+  const servers = raw.servers ?? [];
+  for (const server of servers.slice(0, 5)) {
+    if (!server.variables)
+      continue;
+    for (const [key, def] of Object.entries(server.variables)) {
+      add(toEnvKey(key), def.default ?? "", def.description ?? `Server variable: ${key}`, "server");
+    }
+  }
+  const components = raw.components ?? {};
+  const secSchemes = components.securitySchemes ?? {};
+  for (const [schemeName, scheme] of Object.entries(secSchemes)) {
+    if (!scheme || typeof scheme !== "object")
+      continue;
+    const type = scheme.type;
+    const slug = toEnvKey(schemeName);
+    if (type === "http") {
+      const httpScheme = (scheme.scheme ?? "").toLowerCase();
+      if (httpScheme === "bearer") {
+        add(`${slug}Token`, "", `Bearer token for ${schemeName}`, "auth");
+      } else if (httpScheme === "basic") {
+        add(`${slug}Username`, "", `Username for ${schemeName}`, "auth");
+        add(`${slug}Password`, "", `Password for ${schemeName}`, "auth");
+      }
+    } else if (type === "apiKey") {
+      const keyName = scheme.name ?? schemeName;
+      add(toEnvKey(keyName), "", `API key header/param: ${keyName}`, "auth");
+    } else if (type === "oauth2") {
+      add(`${slug}ClientId`, "", `OAuth2 client ID for ${schemeName}`, "auth");
+      add(`${slug}ClientSecret`, "", `OAuth2 client secret for ${schemeName}`, "auth");
+      add(`${slug}Token`, "", `OAuth2 access token for ${schemeName}`, "auth");
+    } else if (type === "openIdConnect") {
+      add(`${slug}Token`, "", `Access token for ${schemeName}`, "auth");
+    }
+  }
+  const paths = raw.paths ?? {};
+  const pathKeys = Object.keys(paths);
+  const paramFreq = {};
+  for (const [pathStr, pathItem] of Object.entries(paths)) {
+    if (!pathItem || typeof pathItem !== "object")
+      continue;
+    const params = pathItem.parameters ?? [];
+    const seenInPath = new Set;
+    for (const p of params) {
+      if (p.in === "path" && p.name && !seenInPath.has(p.name)) {
+        seenInPath.add(p.name);
+        paramFreq[p.name] = (paramFreq[p.name] ?? 0) + 1;
+      }
+    }
+    for (const [, param] of pathStr.matchAll(/\{([^}]+)\}/g)) {
+      if (!param)
+        continue;
+      if (!seenInPath.has(param)) {
+        seenInPath.add(param);
+        paramFreq[param] = (paramFreq[param] ?? 0) + 1;
+      }
+    }
+  }
+  const threshold = Math.max(3, Math.floor(pathKeys.length * 0.15));
+  for (const [name, count] of Object.entries(paramFreq)) {
+    if (count >= threshold) {
+      add(toEnvKey(name), "", `Common path param: {${name}}`, "path");
+    }
+  }
+  return vars;
+}
+var HTTP_METHODS;
+var init_parser = __esm(() => {
+  init_js_yaml();
+  HTTP_METHODS = ["get", "post", "put", "patch", "delete", "head", "options", "trace"];
+});
+// src/state.ts
+function hasState() {
+  return _state !== null;
+}
+function getState() {
+  if (!_state)
+    throw new Error("No spec loaded");
+  return _state;
+}
+async function loadSpec(url) {
+  const spec = await fetchAndParseSpec(url);
+  _state = { spec, operations: spec.operations, specUrl: url };
+  return _state;
+}
+function loadSpecFromText(text, filename) {
+  const spec = parseSpecText(text, undefined, filename?.replace(/\.[^.]+$/, ""));
+  _state = { spec, operations: spec.operations };
+  return _state;
+}
+var _state = null;
+var init_state = __esm(() => {
+  init_parser();
 });
 // src/logs/bus.ts
@@ -3787,6 +4007,18 @@ class LogBus {
       }
     }
   }
+  broadcastServerEvent(payload) {
+    if (this.clients.size === 0)
+      return;
+    const data = JSON.stringify({ type: "server_event", ...payload });
+    for (const ws of this.clients) {
+      try {
+        ws.send(data);
+      } catch {
+        this.clients.delete(ws);
+      }
+    }
+  }
   get clientCount() {
     return this.clients.size;
   }
@@ -4262,7 +4494,7 @@ async function executeOperation(op, baseUrl, args) {
     authedHeaders["Content-Type"] = op.requestBody.contentType;
   }
   const startTime = Date.now();
-  const logId = randomUUID2();
+  const logId = randomUUID();
   try {
     const res = await fetch(authedUrl, {
       method: op.method.toUpperCase(),
@@ -4519,7 +4751,7 @@ async function proxyHandler(req) {
   const { url: authedUrl, headers: authedHeaders } = await applyAuth(targetUrl, proxyHeaders, authConfig);
   const requestBody = req.method !== "GET" && req.method !== "HEAD" ? await req.text() : null;
   const startTime = Date.now();
-  const logId = randomUUID2();
+  const logId = randomUUID();
   try {
     const res = await fetch(authedUrl, {
       method: req.method,
@@ -4611,17 +4843,792 @@ async function proxyHandler(req) {
     });
   }
 }
-var CORS2;
-var init_handler = __esm(() => {
-  init_db();
-  init_engine();
-  init_bus();
-  init_state();
-  init_config();
-  CORS2 = {
-    "Access-Control-Allow-Origin": "*",
-    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
-    "Access-Control-Allow-Headers": "Content-Type, Authorization"
+var CORS2;
+var init_handler = __esm(() => {
+  init_db();
+  init_engine();
+  init_bus();
+  init_state();
+  init_config();
+  CORS2 = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
+    "Access-Control-Allow-Headers": "Content-Type, Authorization"
+  };
+});
+// src/proxy/capture.ts
+async function captureHandler(req) {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: CORS3 });
+  }
+  const url = new URL(req.url);
+  const binId = url.pathname.split("/").filter(Boolean)[1];
+  if (!binId)
+    return new Response("Not found", { status: 404 });
+  const bin = dbQueries.getCaptureBin(binId);
+  if (!bin) {
+    return new Response(JSON.stringify({ error: "Capture bin not found or deleted" }), {
+      status: 404,
+      headers: { "Content-Type": "application/json", ...CORS3 }
+    });
+  }
+  const body = req.method !== "GET" && req.method !== "HEAD" ? await req.text().catch(() => null) : null;
+  const reqHeaders = {};
+  for (const [k, v] of req.headers.entries()) {
+    if (!["host", "connection"].includes(k.toLowerCase()))
+      reqHeaders[k] = v;
+  }
+  const id = randomUUID();
+  const now = Date.now();
+  dbQueries.insertLog({
+    id,
+    source: "capture",
+    tool_name: binId,
+    method: req.method,
+    url: req.url,
+    request_headers: JSON.stringify(reqHeaders),
+    request_body: body,
+    status_code: 200,
+    response_headers: null,
+    response_body: null,
+    latency_ms: 0,
+    error: null
+  });
+  logBus.emit({
+    id,
+    source: "capture",
+    tool_name: binId,
+    method: req.method,
+    url: req.url,
+    request_headers: JSON.stringify(reqHeaders),
+    request_body: body,
+    status_code: 200,
+    response_headers: null,
+    response_body: null,
+    latency_ms: 0,
+    error: null,
+    created_at: now
+  });
+  return new Response(JSON.stringify({ ok: true, id, captured_at: now }), {
+    status: 200,
+    headers: { "Content-Type": "application/json", ...CORS3 }
+  });
+}
+var CORS3;
+var init_capture = __esm(() => {
+  init_db();
+  init_bus();
+  CORS3 = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD",
+    "Access-Control-Allow-Headers": "*",
+    "Access-Control-Expose-Headers": "*"
+  };
+});
+// src/workflows/engine.ts
+function interpolate(val, ctx) {
+  return val.replace(/\{\{(\w+)\}\}/g, (_, k) => ctx[k] ?? `{{${k}}}`);
+}
+function interpolateDeep(obj, ctx) {
+  if (typeof obj === "string")
+    return interpolate(obj, ctx);
+  if (Array.isArray(obj))
+    return obj.map((v) => interpolateDeep(v, ctx));
+  if (obj !== null && typeof obj === "object") {
+    const out = {};
+    for (const [k, v] of Object.entries(obj))
+      out[k] = interpolateDeep(v, ctx);
+    return out;
+  }
+  return obj;
+}
+function resolveJsonPath(data, path) {
+  if (!path || path === "$")
+    return data;
+  const normalized = path.startsWith("$.") ? path.slice(2) : path.startsWith("$[") ? path.slice(1) : path;
+  if (!normalized)
+    return data;
+  const parts = [];
+  for (const seg of normalized.split(".")) {
+    const m = seg.match(/^(\w+)\[(\d+)\]$/);
+    if (m) {
+      parts.push(m[1], parseInt(m[2], 10));
+    } else if (/^\d+$/.test(seg)) {
+      parts.push(parseInt(seg, 10));
+    } else {
+      parts.push(seg);
+    }
+  }
+  let cur = data;
+  for (const part of parts) {
+    if (cur === null || cur === undefined)
+      return;
+    cur = typeof part === "number" ? cur[part] : cur[part];
+  }
+  return cur;
+}
+async function executeStep(step, ctx) {
+  const { spec } = getState();
+  let base = spec.baseUrl;
+  if (!base?.startsWith("http") && spec.url) {
+    try {
+      base = new URL(spec.url).origin;
+    } catch {}
+  }
+  if (!base?.startsWith("http"))
+    throw new Error("Spec has no absolute server URL");
+  let urlPath = step.path;
+  for (const [k, v] of Object.entries(step.pathParams ?? {})) {
+    urlPath = urlPath.replace(`{${k}}`, encodeURIComponent(interpolate(v, ctx)));
+  }
+  urlPath = interpolate(urlPath, ctx);
+  const urlObj = new URL(`${base.replace(/\/$/, "")}${urlPath.startsWith("/") ? urlPath : `/${urlPath}`}`);
+  for (const [k, v] of Object.entries(step.queryParams ?? {})) {
+    urlObj.searchParams.set(k, interpolate(v, ctx));
+  }
+  const stepHeaders = {};
+  for (const [k, v] of Object.entries(step.headers ?? {})) {
+    stepHeaders[k] = interpolate(v, ctx);
+  }
+  const authRow = dbQueries.getAuthConfig();
+  const authConfig = authRow ? JSON.parse(authRow.config) : { type: "none" };
+  const { url: authedUrl, headers: authedHeaders } = await applyAuth(urlObj.toString(), stepHeaders, authConfig);
+  const noBodyMethod = ["GET", "HEAD", "OPTIONS"].includes(step.method.toUpperCase());
+  let bodyStr;
+  if (!noBodyMethod && step.body !== undefined && step.body !== null) {
+    const interpolated = interpolateDeep(step.body, ctx);
+    bodyStr = typeof interpolated === "string" ? interpolated : JSON.stringify(interpolated);
+    if (!authedHeaders["Content-Type"] && !authedHeaders["content-type"]) {
+      authedHeaders["Content-Type"] = "application/json";
+    }
+  }
+  const start = Date.now();
+  const res = await fetch(authedUrl, {
+    method: step.method.toUpperCase(),
+    headers: authedHeaders,
+    ...bodyStr !== undefined ? { body: bodyStr } : {},
+    signal: AbortSignal.timeout(30000)
+  });
+  const latency = Date.now() - start;
+  const responseHeaders = {};
+  res.headers.forEach((v, k) => {
+    responseHeaders[k] = v;
+  });
+  const responseText = await res.text();
+  let responseData;
+  try {
+    responseData = JSON.parse(responseText);
+  } catch {
+    responseData = responseText;
+  }
+  const extractedVars = {};
+  for (const ext of step.extract ?? []) {
+    const val = resolveJsonPath(responseData, ext.path);
+    if (val !== undefined && val !== null) {
+      extractedVars[ext.var] = typeof val === "string" ? val : JSON.stringify(val);
+    }
+  }
+  const assertions = [];
+  for (const a of step.assert ?? []) {
+    if (a.type === "status") {
+      const expected = a.statusCode ?? 200;
+      const pass2 = res.status === expected;
+      assertions.push({ pass: pass2, message: `HTTP ${res.status} ${pass2 ? "==" : "!="} ${expected}` });
+    } else if (a.type === "json") {
+      const val = resolveJsonPath(responseData, a.path ?? "$");
+      if ("eq" in a) {
+        const pass2 = JSON.stringify(val) === JSON.stringify(a.eq);
+        assertions.push({ pass: pass2, message: `${a.path} ${pass2 ? "==" : "!="} ${JSON.stringify(a.eq)}` });
+      } else if ("contains" in a && typeof val === "string") {
+        const pass2 = val.includes(a.contains);
+        assertions.push({ pass: pass2, message: `${a.path} ${pass2 ? "contains" : "doesn't contain"} "${a.contains}"` });
+      }
+    }
+  }
+  const pass = assertions.length === 0 ? res.ok : assertions.every((a) => a.pass);
+  return {
+    stepId: step.id,
+    label: step.label,
+    method: step.method,
+    resolvedPath: urlPath,
+    requestUrl: authedUrl,
+    requestHeaders: authedHeaders,
+    requestBody: bodyStr,
+    status: res.status,
+    statusText: res.statusText,
+    responseHeaders,
+    latency,
+    extractedVars,
+    assertions,
+    pass,
+    responseBody: responseText.slice(0, 1e4)
+  };
+}
+async function runWorkflow(steps, emit, signal) {
+  const ctx = {};
+  let passed = 0;
+  emit({ type: "run_start", totalSteps: steps.length });
+  for (const step of steps) {
+    if (signal?.aborted) {
+      emit({ type: "run_aborted", message: "Run cancelled" });
+      return;
+    }
+    emit({ type: "step_start", stepId: step.id, label: step.label, method: step.method, path: step.path });
+    try {
+      const result = await executeStep(step, ctx);
+      for (const [k, v] of Object.entries(result.extractedVars))
+        ctx[k] = v;
+      ctx[`${step.id}_status`] = String(result.status ?? "");
+      if (result.pass)
+        passed++;
+      emit({
+        type: "step_done",
+        stepId: result.stepId,
+        label: result.label,
+        method: result.method,
+        resolvedPath: result.resolvedPath,
+        requestUrl: result.requestUrl,
+        requestHeaders: result.requestHeaders,
+        requestBody: result.requestBody,
+        status: result.status,
+        statusText: result.statusText,
+        responseHeaders: result.responseHeaders,
+        latency: result.latency,
+        extractedVars: result.extractedVars,
+        assertions: result.assertions,
+        pass: result.pass,
+        responseBody: result.responseBody
+      });
+    } catch (e) {
+      emit({
+        type: "step_error",
+        stepId: step.id,
+        label: step.label,
+        method: step.method,
+        path: step.path,
+        error: e instanceof Error ? e.message : String(e),
+        pass: false
+      });
+    }
+  }
+  emit({ type: "run_done", totalSteps: steps.length, passedSteps: passed });
+}
+var init_engine2 = __esm(() => {
+  init_engine();
+  init_db();
+  init_state();
+});
+// src/agent/harness.ts
+function mergeSignals(a, b) {
+  if (!a && !b)
+    return new AbortController().signal;
+  if (!a)
+    return b;
+  if (!b)
+    return a;
+  const ctrl = new AbortController;
+  const abort = () => ctrl.abort();
+  a.addEventListener("abort", abort, { once: true });
+  b.addEventListener("abort", abort, { once: true });
+  return ctrl.signal;
+}
+async function fetchWithRetry(url, opts, emit, signal, maxRetries = 4) {
+  for (let attempt = 0;attempt <= maxRetries; attempt++) {
+    const stepSignal = signal;
+    let res;
+    try {
+      res = await fetch(url, { ...opts, signal: stepSignal });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      if (signal?.aborted)
+        throw e;
+      if (attempt === maxRetries)
+        throw e;
+      const isNetwork = msg.includes("ECONNREFUSED") || msg.includes("ENOTFOUND") || msg.includes("network") || msg.includes("fetch");
+      if (!isNetwork)
+        throw e;
+      const delay2 = Math.min(1000 * Math.pow(2, attempt) + Math.random() * 300, 15000);
+      emit({ type: "info", message: `Network error, retrying in ${Math.round(delay2 / 1000)}s\u2026` });
+      await new Promise((r) => setTimeout(r, delay2));
+      continue;
+    }
+    if (!RETRYABLE_STATUS.has(res.status) || attempt === maxRetries)
+      return res;
+    const retryAfter = parseInt(res.headers.get("retry-after") ?? "0", 10);
+    const delay = retryAfter > 0 ? retryAfter * 1000 : Math.min(1000 * Math.pow(2, attempt) + Math.random() * 300, 30000);
+    const label = res.status === 429 ? "Rate limited" : `Server error ${res.status}`;
+    emit({ type: "info", message: `${label} \u2014 retrying in ${Math.round(delay / 1000)}s\u2026 (attempt ${attempt + 1}/${maxRetries})` });
+    await new Promise((r) => setTimeout(r, delay));
+  }
+  return fetch(url, opts);
+}
+function trimContext(messages) {
+  if (JSON.stringify(messages).length <= MAX_CONTEXT_CHARS)
+    return { messages, trimmed: false };
+  const result = [...messages];
+  while (JSON.stringify(result).length > MAX_CONTEXT_CHARS && result.length > 2) {
+    let removed = false;
+    const toolIdx = result.findIndex((m) => m.role === "tool");
+    if (toolIdx !== -1) {
+      result.splice(toolIdx, 1);
+      if (toolIdx > 0) {
+        const prev = result[toolIdx - 1];
+        if (prev?.role === "assistant") {
+          const tc = prev.tool_calls;
+          if (Array.isArray(tc) && tc.length)
+            result.splice(toolIdx - 1, 1);
+        }
+      }
+      removed = true;
+    }
+    if (!removed) {
+      const anthropicIdx = result.findIndex((m) => {
+        if (m.role !== "user")
+          return false;
+        const c = m.content;
+        return Array.isArray(c) && c.some((b) => b.type === "tool_result");
+      });
+      if (anthropicIdx !== -1) {
+        result.splice(anthropicIdx, 1);
+        if (anthropicIdx > 0 && result[anthropicIdx - 1]?.role === "assistant") {
+          result.splice(anthropicIdx - 1, 1);
+        }
+        removed = true;
+      }
+    }
+    if (!removed)
+      break;
+  }
+  return { messages: result, trimmed: true };
+}
+async function* readSSE(body) {
+  const reader = body.getReader();
+  const decoder = new TextDecoder;
+  let buf = "";
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done)
+        break;
+      buf += decoder.decode(value, { stream: true });
+      const parts = buf.split(`
+`);
+      buf = parts.pop() ?? "";
+      for (const part of parts) {
+        let data = "";
+        for (const line of part.split(`
+`)) {
+          if (line.startsWith("data: ")) {
+            data = line.slice(6);
+            break;
+          }
+        }
+        if (!data || data === "[DONE]")
+          continue;
+        try {
+          yield JSON.parse(data);
+        } catch {}
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+function buildAnthropicTools(schemas) {
+  return schemas.map((s) => ({
+    name: s.name,
+    description: s.description,
+    input_schema: { type: "object", properties: s.params, required: s.required }
+  }));
+}
+async function streamAnthropic(cfg, system, messages, tools, emit, signal) {
+  const base = (cfg.baseUrl || "https://api.anthropic.com").replace(/\/$/, "");
+  const systemContent = cfg.enablePromptCache ? [{ type: "text", text: system, cache_control: { type: "ephemeral" } }] : system;
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/v1/messages`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "x-api-key": cfg.apiKey,
+      "anthropic-version": "2023-06-01",
+      ...cfg.enablePromptCache ? { "anthropic-beta": "prompt-caching-1-0" } : {},
+      ...cfg.extraHeaders
+    },
+    body: JSON.stringify({
+      model: cfg.model,
+      max_tokens: cfg.maxTokens,
+      temperature: cfg.temperature,
+      ...cfg.topK > 0 ? { top_k: cfg.topK } : {},
+      system: systemContent,
+      messages,
+      tools,
+      stream: true
+    })
+  }, emit, stepSignal);
+  if (!res.ok) {
+    const body = await res.text();
+    const retryable = RETRYABLE_STATUS.has(res.status);
+    throw Object.assign(new Error(`Anthropic ${res.status}: ${body}`), { retryable });
+  }
+  const result = { text: "", thinking: "", stopReason: "", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+  const blocks = [];
+  const inputAccum = {};
+  for await (const ev of readSSE(res.body)) {
+    if (signal.aborted)
+      break;
+    const evType = ev.type;
+    if (evType === "message_start") {
+      const usage = ev.message?.usage;
+      if (usage) {
+        result.usage.input = usage.input_tokens ?? 0;
+        result.usage.cacheRead = usage.cache_read_input_tokens ?? 0;
+        result.usage.cacheWrite = usage.cache_creation_input_tokens ?? 0;
+      }
+    } else if (evType === "content_block_start") {
+      const idx = ev.index;
+      const cb = ev.content_block;
+      blocks[idx] = { type: cb.type, id: cb.id, name: cb.name };
+      if (cb.type === "tool_use")
+        inputAccum[idx] = "";
+    } else if (evType === "content_block_delta") {
+      const idx = ev.index;
+      const delta = ev.delta;
+      if (delta.type === "text_delta" && delta.text) {
+        result.text += delta.text;
+        if (!blocks[idx])
+          blocks[idx] = { type: "text" };
+        blocks[idx].text = (blocks[idx].text ?? "") + delta.text;
+        emit({ type: "text_delta", text: delta.text });
+      } else if (delta.type === "thinking_delta" && delta.thinking) {
+        result.thinking += delta.thinking;
+        emit({ type: "thinking", text: delta.thinking });
+      } else if (delta.type === "input_json_delta" && delta.partial_json) {
+        inputAccum[idx] = (inputAccum[idx] ?? "") + delta.partial_json;
+      }
+    } else if (evType === "content_block_stop") {
+      const idx = ev.index;
+      if (blocks[idx]?.type === "tool_use") {
+        try {
+          blocks[idx].input = JSON.parse(inputAccum[idx] ?? "{}");
+        } catch {
+          blocks[idx].input = {};
+        }
+      }
+    } else if (evType === "message_delta") {
+      const delta = ev.delta;
+      const usage = ev.usage;
+      if (delta.stop_reason)
+        result.stopReason = delta.stop_reason;
+      if (usage?.output_tokens)
+        result.usage.output = usage.output_tokens;
+    }
+  }
+  for (const b of blocks) {
+    if (b.type === "tool_use" && b.id && b.name) {
+      result.toolUses.push({ id: b.id, name: b.name, input: b.input ?? {} });
+    }
+  }
+  result._anthropicBlocks = blocks;
+  return result;
+}
+function buildOpenAITools(schemas) {
+  return schemas.map((s) => ({
+    type: "function",
+    function: { name: s.name, description: s.description, parameters: { type: "object", properties: s.params, required: s.required } }
+  }));
+}
+async function streamOpenAI(cfg, system, messages, tools, emit, signal) {
+  const providerBases = {
+    openai: "https://api.openai.com",
+    mistral: "https://api.mistral.ai",
+    groq: "https://api.groq.com/openai",
+    "github-copilot": "https://api.githubcopilot.com"
+  };
+  const base = (cfg.baseUrl || providerBases[cfg.provider] || "https://api.openai.com").replace(/\/$/, "");
+  const providerHeaders = cfg.provider === "github-copilot" ? { "Copilot-Integration-Id": "vscode-chat", "Editor-Version": "vscode/1.85.0" } : {};
+  const authHeaders = cfg.apiKey ? { Authorization: `Bearer ${cfg.apiKey}` } : {};
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/v1/chat/completions`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", ...authHeaders, ...providerHeaders, ...cfg.extraHeaders },
+    body: JSON.stringify({
+      model: cfg.model,
+      max_tokens: cfg.maxTokens,
+      temperature: cfg.temperature,
+      messages: [{ role: "system", content: system }, ...messages],
+      tools,
+      tool_choice: "auto",
+      stream: true,
+      stream_options: { include_usage: true }
+    })
+  }, emit, stepSignal);
+  if (!res.ok) {
+    const body = await res.text();
+    const retryable = RETRYABLE_STATUS.has(res.status);
+    throw Object.assign(new Error(body), { retryable });
+  }
+  const result = { text: "", thinking: "", stopReason: "", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+  const tcAccum = {};
+  for await (const ev of readSSE(res.body)) {
+    if (signal.aborted)
+      break;
+    if (ev.object === "error") {
+      const retryable = ev.code === "1300" || ev.raw_status_code === 429 || ev.raw_status_code === 503;
+      throw Object.assign(new Error(JSON.stringify(ev)), { retryable });
+    }
+    if (ev.usage) {
+      const u = ev.usage;
+      result.usage.input = u.prompt_tokens ?? 0;
+      result.usage.output = u.completion_tokens ?? 0;
+    }
+    const choices = ev.choices;
+    const choice = choices?.[0];
+    if (!choice)
+      continue;
+    const fr = choice.finish_reason;
+    if (fr)
+      result.stopReason = fr;
+    const delta = choice.delta;
+    if (!delta)
+      continue;
+    if (typeof delta.content === "string" && delta.content) {
+      result.text += delta.content;
+      emit({ type: "text_delta", text: delta.content });
+    }
+    const tcDeltas = delta.tool_calls;
+    if (tcDeltas) {
+      for (const tc of tcDeltas) {
+        if (!tcAccum[tc.index])
+          tcAccum[tc.index] = { id: "", name: "", args: "" };
+        const e = tcAccum[tc.index];
+        if (tc.id)
+          e.id += tc.id;
+        if (tc.function?.name)
+          e.name += tc.function.name;
+        if (tc.function?.arguments)
+          e.args += tc.function.arguments;
+      }
+    }
+  }
+  for (const tc of Object.values(tcAccum)) {
+    let input = {};
+    try {
+      input = JSON.parse(tc.args);
+    } catch {}
+    result.toolUses.push({ id: tc.id, name: tc.name, input });
+  }
+  result._openaiTcAccum = tcAccum;
+  return result;
+}
+async function callOllama(cfg, system, messages, emit, signal) {
+  const base = (cfg.baseUrl || "http://localhost:11434").replace(/\/$/, "");
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/api/chat`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ model: cfg.model, messages: [{ role: "system", content: system }, ...messages], stream: false })
+  }, emit, stepSignal);
+  if (!res.ok)
+    throw new Error(`Ollama ${res.status}: ${await res.text()}`);
+  const d = await res.json();
+  const text = d.message?.content ?? "";
+  emit({ type: "text_delta", text });
+  return { text, thinking: "", stopReason: "end_turn", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+}
+async function callGemini(cfg, system, messages, emit, signal) {
+  const base = (cfg.baseUrl || "https://generativelanguage.googleapis.com").replace(/\/$/, "");
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/v1beta/models/${cfg.model}:generateContent?key=${cfg.apiKey}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      systemInstruction: { parts: [{ text: system }] },
+      contents: messages.map((m) => ({
+        role: m.role === "assistant" ? "model" : "user",
+        parts: [{ text: m.content }]
+      })),
+      generationConfig: { maxOutputTokens: cfg.maxTokens }
+    })
+  }, emit, stepSignal);
+  if (!res.ok)
+    throw new Error(`Gemini ${res.status}: ${await res.text()}`);
+  const d = await res.json();
+  const text = d.candidates?.[0]?.content?.parts?.[0]?.text ?? "";
+  emit({ type: "text_delta", text });
+  return { text, thinking: "", stopReason: "end_turn", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+}
+async function runAgentLoop(config2, system, initialMessages, toolSchemas, executeTool, emit, signal = new AbortController().signal, toolCache = new Map) {
+  const cfg = { ...DEFAULTS, ...config2 };
+  const isAnthropic = cfg.provider === "anthropic";
+  const isOllama = cfg.provider === "ollama";
+  const isGemini = cfg.provider === "gemini";
+  const anthropicTools = buildAnthropicTools(toolSchemas);
+  const openaiTools = buildOpenAITools(toolSchemas);
+  const messages = [...initialMessages];
+  const allToolCalls = [];
+  const totalTokens = { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 };
+  let totalToolsUsed = 0;
+  let consecutiveErrors = 0;
+  const endpointErrors = {};
+  for (let iter = 0;iter < cfg.maxIterations; iter++) {
+    if (signal.aborted) {
+      return { content: "", toolCalls: allToolCalls, stopReason: "cancelled", tokens: totalTokens };
+    }
+    const { messages: trimmed, trimmed: didTrim } = trimContext(messages);
+    if (didTrim) {
+      emit({ type: "info", message: "Context trimmed to fit within limits." });
+      messages.splice(0, messages.length, ...trimmed);
+    }
+    let turn;
+    try {
+      if (isAnthropic) {
+        turn = await streamAnthropic(cfg, system, messages, anthropicTools, emit, signal);
+      } else if (isOllama) {
+        turn = await callOllama(cfg, system, messages, emit, signal);
+      } else if (isGemini) {
+        turn = await callGemini(cfg, system, messages, emit, signal);
+      } else {
+        turn = await streamOpenAI(cfg, system, messages, openaiTools, emit, signal);
+      }
+    } catch (e) {
+      if (signal.aborted) {
+        return { content: "", toolCalls: allToolCalls, stopReason: "cancelled", tokens: totalTokens };
+      }
+      const msg = e instanceof Error ? e.message : String(e);
+      const retryable = e.retryable ?? false;
+      emit({ type: "error", message: msg, retryable });
+      throw e;
+    }
+    totalTokens.input += turn.usage.input;
+    totalTokens.output += turn.usage.output;
+    totalTokens.cacheRead += turn.usage.cacheRead;
+    totalTokens.cacheWrite += turn.usage.cacheWrite;
+    if (turn.usage.input || turn.usage.output) {
+      emit({ type: "token_usage", ...turn.usage });
+    }
+    const wantsTools = isAnthropic ? turn.stopReason === "tool_use" : turn.stopReason === "tool_calls";
+    if (!wantsTools || turn.toolUses.length === 0) {
+      return { content: turn.text, toolCalls: allToolCalls, stopReason: "end_turn", tokens: totalTokens };
+    }
+    if (totalToolsUsed >= cfg.maxTotalTools) {
+      return {
+        content: `Agent stopped: reached ${cfg.maxTotalTools} tool calls. Break your request into smaller steps.`,
+        toolCalls: allToolCalls,
+        stopReason: "max_tools",
+        tokens: totalTokens
+      };
+    }
+    const dedupeKey = (name, input) => `${name}:${JSON.stringify(input)}`;
+    const turnResults = [];
+    const executeOne = async (use) => {
+      totalToolsUsed++;
+      const key = dedupeKey(use.name, use.input);
+      const cachedResult = toolCache.get(key);
+      const isCached = !!cachedResult;
+      emit({ type: "tool_start", id: use.id, tool: use.name, input: use.input, cached: isCached });
+      let result;
+      let ms = 0;
+      if (isCached) {
+        result = cachedResult;
+      } else {
+        const t0 = Date.now();
+        result = await executeTool(use.name, use.input);
+        ms = Date.now() - t0;
+        if (!result.isError && use.name !== "execute_api_request" && use.name !== "fetch_url") {
+          toolCache.set(key, result);
+        }
+      }
+      emit({ type: "tool_done", id: use.id, tool: use.name, output: result.text, isError: result.isError, ms, cached: isCached });
+      return { id: use.id, name: use.name, text: result.text, isError: result.isError, ms, cached: isCached };
+    };
+    const toolUses = turn.toolUses;
+    if (cfg.parallelTools && toolUses.length > 1) {
+      const pure = toolUses.filter((u) => u.name !== "execute_api_request" && u.name !== "fetch_url");
+      const sideEffect = toolUses.filter((u) => u.name === "execute_api_request" || u.name === "fetch_url");
+      const pureResults = await Promise.all(pure.map((u) => executeOne(u)));
+      const sideEffectResults = [];
+      for (const u of sideEffect)
+        sideEffectResults.push(await executeOne(u));
+      const resultMap = new Map([...pureResults, ...sideEffectResults].map((r) => [r.id, r]));
+      for (const u of toolUses) {
+        const r = resultMap.get(u.id);
+        if (r)
+          turnResults.push(r);
+      }
+    } else {
+      for (const u of toolUses)
+        turnResults.push(await executeOne(u));
+    }
+    for (const r of turnResults) {
+      allToolCalls.push({ id: r.id, tool: r.name, input: turn.toolUses.find((u) => u.id === r.id)?.input ?? {}, output: r.text, isError: r.isError, ms: r.ms, cached: r.cached });
+      if (r.isError) {
+        consecutiveErrors++;
+        if (r.name === "execute_api_request") {
+          const eid = String(turn.toolUses.find((u) => u.id === r.id)?.input?.operationId ?? r.id);
+          endpointErrors[eid] = (endpointErrors[eid] ?? 0) + 1;
+          if (endpointErrors[eid] >= cfg.maxEndpointErrors) {
+            return {
+              content: `Endpoint "${eid}" failed ${cfg.maxEndpointErrors} times. Last error: ${r.text}`,
+              toolCalls: allToolCalls,
+              stopReason: "max_endpoint_errors",
+              tokens: totalTokens
+            };
+          }
+        }
+        if (consecutiveErrors >= cfg.maxConsecutiveErrors) {
+          return {
+            content: `Stopped after ${cfg.maxConsecutiveErrors} consecutive errors. Last: ${r.text}`,
+            toolCalls: allToolCalls,
+            stopReason: "max_errors",
+            tokens: totalTokens
+          };
+        }
+      } else {
+        consecutiveErrors = 0;
+      }
+    }
+    if (isAnthropic) {
+      const blocks = turn._anthropicBlocks ?? [];
+      messages.push({ role: "assistant", content: blocks });
+      messages.push({
+        role: "user",
+        content: turnResults.map((r) => ({ type: "tool_result", tool_use_id: r.id, content: r.text }))
+      });
+    } else {
+      const tc = turn._openaiTcAccum ?? {};
+      messages.push({
+        role: "assistant",
+        content: turn.text || null,
+        tool_calls: Object.values(tc).map((t) => ({ id: t.id, type: "function", function: { name: t.name, arguments: t.args } }))
+      });
+      for (const r of turnResults) {
+        messages.push({ role: "tool", tool_call_id: r.id, content: r.text });
+      }
+    }
+  }
+  return { content: "(max iterations reached)", toolCalls: allToolCalls, stopReason: "max_iterations", tokens: totalTokens };
+}
+var RETRYABLE_STATUS, MAX_CONTEXT_CHARS = 300000, DEFAULTS;
+var init_harness = __esm(() => {
+  RETRYABLE_STATUS = new Set([429, 500, 502, 503, 504]);
+  DEFAULTS = {
+    apiKey: "",
+    baseUrl: "",
+    extraHeaders: {},
+    maxTokens: 4096,
+    temperature: 1,
+    topK: 0,
+    maxIterations: 40,
+    maxTotalTools: 40,
+    maxConsecutiveErrors: 5,
+    maxEndpointErrors: 3,
+    stepTimeoutMs: 60000,
+    parallelTools: true,
+    enablePromptCache: true
   };
 });
@@ -4630,7 +5637,7 @@ import dns from "dns/promises";
 function json(data, status = 200) {
   return new Response(JSON.stringify(data), {
     status,
-    headers: { "Content-Type": "application/json", ...CORS3 }
+    headers: { "Content-Type": "application/json", ...CORS4 }
   });
 }
 function notFound(msg = "Not found") {
@@ -4641,7 +5648,7 @@ function badRequest(msg) {
 }
 async function apiRouter(req) {
   if (req.method === "OPTIONS")
-    return new Response(null, { status: 204, headers: CORS3 });
+    return new Response(null, { status: 204, headers: CORS4 });
   const { pathname: path, searchParams } = new URL(req.url);
   const method = req.method;
   if (path === "/api/status" && method === "GET")
@@ -4688,6 +5695,12 @@ async function apiRouter(req) {
     return handleDeleteRule(path);
   if (path === "/api/ai/chat" && method === "POST")
     return handleAiChat(req);
+  if (path === "/api/ai/memory" && method === "GET")
+    return json({ memory: dbQueries.getMemory(40) });
+  if (path === "/api/ai/memory" && method === "DELETE") {
+    dbQueries.clearMemory();
+    return json({ success: true });
+  }
   if (path === "/api/debug/dns" && method === "GET")
     return handleDnsQuery(searchParams);
   if (path === "/api/debug/ping" && method === "GET")
@@ -4708,6 +5721,24 @@ async function apiRouter(req) {
     return handleUpdateSaved(req, path);
   if (path.startsWith("/api/saved/") && method === "DELETE")
     return handleDeleteSaved(path);
+  if (path === "/api/workflows" && method === "GET")
+    return handleGetWorkflows();
+  if (path === "/api/workflows" && method === "POST")
+    return handleCreateWorkflow(req);
+  if (path === "/api/workflows/generate" && method === "POST")
+    return handleGenerateWorkflow(req);
+  if (path.startsWith("/api/workflows/") && path.endsWith("/run") && method === "POST")
+    return handleRunWorkflow(path);
+  if (path.startsWith("/api/workflows/") && method === "PUT")
+    return handleUpdateWorkflow(req, path);
+  if (path.startsWith("/api/workflows/") && method === "DELETE")
+    return handleDeleteWorkflow(path);
+  if (path === "/api/capture/bins" && method === "GET")
+    return handleGetCaptureBins();
+  if (path === "/api/capture/bins" && method === "POST")
+    return handleCreateCaptureBin(req);
+  if (path.startsWith("/api/capture/bins/") && method === "DELETE")
+    return handleDeleteCaptureBin(path);
   return notFound("API route not found");
 }
 function handleStatus() {
@@ -4749,8 +5780,14 @@ async function handleSetFeatures(req) {
       patch[key] = body[key];
   }
   setFeatures(patch);
+  persistAndBroadcastFeatures();
   return json(getFeatures());
 }
+function persistAndBroadcastFeatures() {
+  const f = getFeatures();
+  dbQueries.setSetting("features", JSON.stringify({ mcp: f.mcp, proxy: f.proxy, ai: f.ai }));
+  logBus.broadcastServerEvent({ kind: "features", data: f });
+}
 function handleServerInfo() {
   const state = hasState() ? getState() : null;
   return json({
@@ -4800,10 +5837,12 @@ async function handleSpecUpload(req) {
     return badRequest("Empty spec content");
   try {
     const state = loadSpecFromText(content, filename);
+    const suggestedVars = extractSuggestedVars(content, state.spec.baseUrl);
     return json({
       ok: true,
       spec: { title: state.spec.title, version: state.spec.version, baseUrl: state.spec.baseUrl },
-      endpointCount: state.operations.length
+      endpointCount: state.operations.length,
+      suggestedVars
     });
   } catch (e) {
     return json({ error: e instanceof Error ? e.message : String(e) }, 400);
@@ -4820,10 +5859,12 @@ async function handleSpecReloadUrl(req) {
     return badRequest("Missing url field");
   try {
     const state = await loadSpec(body.url);
+    const suggestedVars = extractSuggestedVars(state.spec.raw, state.spec.baseUrl);
     return json({
       ok: true,
       spec: { title: state.spec.title, version: state.spec.version, baseUrl: state.spec.baseUrl },
-      endpointCount: state.operations.length
+      endpointCount: state.operations.length,
+      suggestedVars
     });
   } catch (e) {
     return json({ error: e instanceof Error ? e.message : String(e) }, 400);
@@ -4885,39 +5926,54 @@ async function handleSetSettings(req) {
   dbQueries.setSettings(body);
   return json(body);
 }
-async function executeTool(name, args) {
+async function executeTool(name, args, cache = new Map) {
   const { operations, spec } = getState();
   if (name === "search_endpoints") {
+    const cacheKey2 = `search:${String(args.query ?? "").toLowerCase()}`;
+    const hit = cache.get(cacheKey2);
+    if (hit)
+      return hit;
     const q = String(args.query ?? "").toLowerCase();
     const terms = q.split(/\s+/).filter(Boolean);
     const matches = operations.filter((op) => {
       const hay = [op.operationId, op.path, op.method, ...op.tags ?? [], op.summary ?? "", op.description ?? ""].join(" ").toLowerCase();
       return terms.every((t) => hay.includes(t));
     }).slice(0, 30).map((op) => ({ operationId: op.operationId, method: op.method.toUpperCase(), path: op.path, summary: op.summary ?? null, tags: op.tags }));
-    if (!matches.length)
-      return { text: `No endpoints found matching "${args.query}". Total: ${operations.length}.`, isError: false };
-    return { text: JSON.stringify({ count: matches.length, total: operations.length, endpoints: matches }, null, 2), isError: false };
+    const text = !matches.length ? `No endpoints found matching "${args.query}". Total: ${operations.length}.` : JSON.stringify({ count: matches.length, total: operations.length, endpoints: matches }, null, 2);
+    const result = { text, isError: false };
+    cache.set(cacheKey2, result);
+    return result;
   }
   if (name === "get_endpoint_schema") {
+    const cacheKey2 = `schema:${String(args.operationId ?? "")}`;
+    const hit = cache.get(cacheKey2);
+    if (hit)
+      return hit;
     const op = operations.find((o) => o.operationId === args.operationId);
     if (!op)
       return { text: `Endpoint not found: "${args.operationId}"`, isError: true };
-    return {
-      text: JSON.stringify({
-        operationId: op.operationId,
-        method: op.method.toUpperCase(),
-        path: op.path,
-        summary: op.summary ?? null,
-        description: op.description ?? null,
-        tags: op.tags,
-        parameters: op.parameters,
-        requestBody: op.requestBody ?? null,
-        responses: op.responses
-      }, null, 2),
-      isError: false
-    };
+    const text = JSON.stringify({
+      operationId: op.operationId,
+      method: op.method.toUpperCase(),
+      path: op.path,
+      summary: op.summary ?? null,
+      description: op.description ?? null,
+      tags: op.tags,
+      parameters: op.parameters,
+      requestBody: op.requestBody ?? null,
+      responses: op.responses
+    }, null, 2);
+    const result = { text, isError: false };
+    cache.set(cacheKey2, result);
+    return result;
   }
   if (name === "execute_api_request") {
+    const now = Date.now();
+    const gap = now - _lastApiCallMs;
+    if (gap < MIN_API_CALL_INTERVAL_MS) {
+      await new Promise((r) => setTimeout(r, MIN_API_CALL_INTERVAL_MS - gap));
+    }
+    _lastApiCallMs = Date.now();
     const op = operations.find((o) => o.operationId === args.operationId);
     if (!op)
       return { text: `Endpoint not found: "${args.operationId}"`, isError: true };
@@ -4948,20 +6004,81 @@ async function executeTool(name, args) {
     const bodyStr = reqBody !== undefined ? typeof reqBody === "string" ? reqBody : JSON.stringify(reqBody) : null;
     if (bodyStr !== null && op.requestBody?.contentType)
       authedHeaders["Content-Type"] = op.requestBody.contentType;
+    const logId = randomUUID();
     try {
       const start = Date.now();
       const res = await fetch(authedUrl, { method: op.method.toUpperCase(), headers: authedHeaders, body: bodyStr ?? undefined });
-      const text = await res.text();
+      const responseText = await res.text();
       const latency = Date.now() - start;
-      let pretty = text;
+      const resHeaders = Object.fromEntries(res.headers.entries());
+      dbQueries.insertLog({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: JSON.stringify(authedHeaders),
+        request_body: bodyStr,
+        status_code: res.status,
+        response_headers: JSON.stringify(resHeaders),
+        response_body: responseText.slice(0, 8192),
+        latency_ms: latency,
+        error: null
+      });
+      logBus.emit({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: JSON.stringify(authedHeaders),
+        request_body: bodyStr,
+        status_code: res.status,
+        response_headers: JSON.stringify(resHeaders),
+        response_body: responseText.slice(0, 2048),
+        latency_ms: latency,
+        error: null,
+        created_at: Date.now()
+      });
+      let pretty = responseText;
       try {
-        pretty = JSON.stringify(JSON.parse(text), null, 2);
+        pretty = JSON.stringify(JSON.parse(responseText), null, 2);
       } catch {}
       return { text: `HTTP ${res.status} (${latency}ms)
 ${pretty}`, isError: !res.ok };
     } catch (e) {
-      return { text: `Network error: ${e instanceof Error ? e.message : String(e)}`, isError: true };
+      const errMsg = e instanceof Error ? e.message : String(e);
+      dbQueries.insertLog({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: JSON.stringify(authedHeaders),
+        request_body: bodyStr,
+        status_code: null,
+        response_headers: null,
+        response_body: null,
+        latency_ms: null,
+        error: errMsg
+      });
+      logBus.emit({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: null,
+        request_body: bodyStr,
+        status_code: null,
+        response_headers: null,
+        response_body: null,
+        latency_ms: null,
+        error: errMsg,
+        created_at: Date.now()
+      });
+      return { text: `Network error: ${errMsg}`, isError: true };
     }
   }
   if (name === "fetch_url") {
@@ -5111,10 +6228,25 @@ ${stripped}`, isError: !res.ok };
   }
   if (name === "save_auth_token") {
     const profileName = String(args.name ?? "AI Login").trim();
+    const tokenType = String(args.token_type ?? "bearer");
+    if (tokenType === "basic" || args.username && args.password) {
+      const username = String(args.username ?? "").trim();
+      const password = String(args.password ?? "").trim();
+      if (!username || !password)
+        return { text: "Error: username and password are required for basic auth", isError: true };
+      const authConfig2 = { type: "basic", username, password };
+      const profileId2 = randomUUID();
+      try {
+        dbQueries.insertProfile({ id: profileId2, name: profileName, description: "Saved by AI", type: "basic", config: JSON.stringify(authConfig2), token_cache: null, is_active: 0 });
+        dbQueries.activateProfile(profileId2);
+        return { text: JSON.stringify({ success: true, message: `Saved and activated basic auth profile "${profileName}"`, id: profileId2 }), isError: false };
+      } catch (e) {
+        return { text: `Error saving profile: ${e instanceof Error ? e.message : String(e)}`, isError: true };
+      }
+    }
     const token = String(args.token ?? "").trim();
     if (!token)
-      return { text: "Error: token is required", isError: true };
-    const tokenType = String(args.token_type ?? "bearer");
+      return { text: "Error: token is required for bearer/apikey auth", isError: true };
     const headerName = String(args.header_name ?? "X-Api-Key");
     let authConfig;
     let type;
@@ -5128,7 +6260,7 @@ ${stripped}`, isError: !res.ok };
       authConfig = { type: "bearer", token };
       type = "bearer";
     }
-    const profileId = randomUUID2();
+    const profileId = randomUUID();
     try {
       dbQueries.insertProfile({ id: profileId, name: profileName, description: "Saved by AI", type, config: JSON.stringify(authConfig), token_cache: null, is_active: 0 });
       dbQueries.activateProfile(profileId);
@@ -5139,274 +6271,6 @@ ${stripped}`, isError: !res.ok };
   }
   return { text: `Unknown tool: ${name}`, isError: true };
 }
-async function fetchWithRetry(url, opts, emit, maxRetries = 3) {
-  for (let attempt = 0;attempt <= maxRetries; attempt++) {
-    const res = await fetch(url, opts);
-    if (res.status !== 429 || attempt === maxRetries)
-      return res;
-    const retryAfter = parseInt(res.headers.get("retry-after") ?? "0", 10);
-    const delay = retryAfter > 0 ? retryAfter * 1000 : Math.min(1000 * Math.pow(2, attempt) + Math.random() * 500, 30000);
-    emit({ type: "info", message: `Rate limited \u2014 retrying in ${Math.round(delay / 1000)}s\u2026 (attempt ${attempt + 1}/${maxRetries})` });
-    await new Promise((r) => setTimeout(r, delay));
-  }
-  return fetch(url, opts);
-}
-async function anthropicAgentLoop(apiKey, model, system, initialMessages, emit) {
-  const msgs = [...initialMessages];
-  const toolCalls = [];
-  let totalTools = 0;
-  let consecutiveErrors = 0;
-  const endpointErrors = {};
-  for (let iter = 0;iter < 40; iter++) {
-    const res = await fetchWithRetry("https://api.anthropic.com/v1/messages", {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "x-api-key": apiKey, "anthropic-version": "2023-06-01" },
-      body: JSON.stringify({ model, max_tokens: 4096, system, messages: msgs, tools: ANTHROPIC_TOOLS, stream: true })
-    }, emit);
-    if (!res.ok)
-      throw new Error(`Anthropic error: ${await res.text()}`);
-    let fullText = "";
-    let stopReason = "";
-    const contentBlocks = [];
-    const inputAccum = {};
-    const reader = res.body.getReader();
-    const decoder = new TextDecoder;
-    let buf = "";
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done)
-        break;
-      buf += decoder.decode(value, { stream: true });
-      const parts = buf.split(`
-`);
-      buf = parts.pop() ?? "";
-      for (const part of parts) {
-        let dataLine = "";
-        for (const line of part.split(`
-`)) {
-          if (line.startsWith("data: ")) {
-            dataLine = line.slice(6);
-            break;
-          }
-        }
-        if (!dataLine || dataLine === "[DONE]")
-          continue;
-        let ev;
-        try {
-          ev = JSON.parse(dataLine);
-        } catch {
-          continue;
-        }
-        const type = ev.type;
-        if (type === "content_block_start") {
-          const idx = ev.index;
-          const cb = ev.content_block;
-          contentBlocks[idx] = { type: cb.type, id: cb.id, name: cb.name };
-          if (cb.type === "tool_use")
-            inputAccum[idx] = "";
-        } else if (type === "content_block_delta") {
-          const idx = ev.index;
-          const delta = ev.delta;
-          if (delta.type === "text_delta" && delta.text) {
-            fullText += delta.text;
-            if (!contentBlocks[idx])
-              contentBlocks[idx] = { type: "text", text: "" };
-            contentBlocks[idx].text = (contentBlocks[idx].text ?? "") + delta.text;
-            emit({ type: "text_delta", text: delta.text });
-          } else if (delta.type === "input_json_delta" && delta.partial_json) {
-            inputAccum[idx] = (inputAccum[idx] ?? "") + delta.partial_json;
-          }
-        } else if (type === "content_block_stop") {
-          const idx = ev.index;
-          if (contentBlocks[idx]?.type === "tool_use") {
-            try {
-              contentBlocks[idx].input = JSON.parse(inputAccum[idx] ?? "{}");
-            } catch {
-              contentBlocks[idx].input = {};
-            }
-          }
-        } else if (type === "message_delta") {
-          const delta = ev.delta;
-          if (delta.stop_reason)
-            stopReason = delta.stop_reason;
-        }
-      }
-    }
-    if (stopReason !== "tool_use")
-      return { content: fullText, toolCalls };
-    if (totalTools >= MAX_TOTAL_TOOLS) {
-      return { content: `Agent stopped: reached ${MAX_TOTAL_TOOLS} tool calls. Please break your request into smaller steps.`, toolCalls };
-    }
-    msgs.push({ role: "assistant", content: contentBlocks });
-    const toolResults = [];
-    for (const block of contentBlocks) {
-      if (block.type !== "tool_use" || !block.id || !block.name)
-        continue;
-      totalTools++;
-      emit({ type: "tool_start", tool: block.name, input: block.input ?? {} });
-      const result = await executeTool(block.name, block.input ?? {});
-      emit({ type: "tool_done", tool: block.name, input: block.input ?? {}, output: result.text, isError: result.isError });
-      toolCalls.push({ tool: block.name, input: block.input ?? {}, output: result.text, isError: result.isError });
-      if (result.isError) {
-        consecutiveErrors++;
-        if (block.name === "execute_api_request" && block.input?.operationId) {
-          const eid = String(block.input.operationId);
-          endpointErrors[eid] = (endpointErrors[eid] ?? 0) + 1;
-          if (endpointErrors[eid] >= MAX_SAME_ENDPOINT_ERRORS) {
-            const stopContent = result.text + `
-[AGENT LOOP STOPPED: endpoint "${eid}" failed ${MAX_SAME_ENDPOINT_ERRORS} times \u2014 stopping to avoid loop]`;
-            toolResults.push({ type: "tool_result", tool_use_id: block.id, content: stopContent });
-            msgs.push({ role: "user", content: toolResults });
-            return { content: `Endpoint "${eid}" failed ${MAX_SAME_ENDPOINT_ERRORS} times. Last error: ${result.text}`, toolCalls };
-          }
-        }
-        if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-          const stopMsg = `Stopped after ${MAX_CONSECUTIVE_ERRORS} consecutive errors. Last: ${result.text}`;
-          const stopContent = result.text + `
-[AGENT LOOP STOPPED: ${stopMsg}]`;
-          toolResults.push({ type: "tool_result", tool_use_id: block.id, content: stopContent });
-          msgs.push({ role: "user", content: toolResults });
-          return { content: stopMsg, toolCalls };
-        }
-      } else {
-        consecutiveErrors = 0;
-      }
-      toolResults.push({ type: "tool_result", tool_use_id: block.id, content: result.text });
-    }
-    if (!toolResults.length)
-      return { content: fullText, toolCalls };
-    msgs.push({ role: "user", content: toolResults });
-  }
-  return { content: "(max iterations reached)", toolCalls };
-}
-async function openaiCompatibleLoop(base, apiKey, model, extraHeaders, system, initialMessages, emit) {
-  const msgs = [{ role: "system", content: system }, ...initialMessages];
-  const toolCalls = [];
-  const authHeaders = {};
-  if (apiKey)
-    authHeaders["Authorization"] = `Bearer ${apiKey}`;
-  let totalTools = 0;
-  let consecutiveErrors = 0;
-  const endpointErrors = {};
-  for (let iter = 0;iter < 40; iter++) {
-    const res = await fetchWithRetry(`${base}/v1/chat/completions`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", ...authHeaders, ...extraHeaders },
-      body: JSON.stringify({ model, messages: msgs, tools: OPENAI_TOOLS, tool_choice: "auto", stream: true })
-    }, emit);
-    if (!res.ok)
-      throw new Error(await res.text());
-    let fullContent = "";
-    let finishReason = "";
-    const tcAccum = {};
-    const reader = res.body.getReader();
-    const dec = new TextDecoder;
-    let buf = "";
-    outer:
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done)
-          break;
-        buf += dec.decode(value, { stream: true });
-        const parts = buf.split(`
-`);
-        buf = parts.pop() ?? "";
-        for (const part of parts) {
-          let data = "";
-          for (const line of part.split(`
-`)) {
-            if (line.startsWith("data: ")) {
-              data = line.slice(6);
-              break;
-            }
-          }
-          if (!data)
-            continue;
-          if (data === "[DONE]")
-            break outer;
-          let ev;
-          try {
-            ev = JSON.parse(data);
-          } catch {
-            continue;
-          }
-          if (ev.object === "error")
-            throw new Error(JSON.stringify(ev));
-          const choices = ev.choices;
-          const choice = choices?.[0];
-          if (!choice)
-            continue;
-          const fr = choice.finish_reason;
-          if (fr)
-            finishReason = fr;
-          const delta = choice.delta;
-          if (!delta)
-            continue;
-          if (typeof delta.content === "string" && delta.content) {
-            fullContent += delta.content;
-            emit({ type: "text_delta", text: delta.content });
-          }
-          const tcDeltas = delta.tool_calls;
-          if (tcDeltas) {
-            for (const tc of tcDeltas) {
-              if (!tcAccum[tc.index])
-                tcAccum[tc.index] = { id: "", name: "", args: "" };
-              const entry = tcAccum[tc.index];
-              if (tc.id)
-                entry.id += tc.id;
-              if (tc.function?.name)
-                entry.name += tc.function.name;
-              if (tc.function?.arguments)
-                entry.args += tc.function.arguments;
-            }
-          }
-        }
-      }
-    if (finishReason !== "tool_calls")
-      return { content: fullContent, toolCalls };
-    if (totalTools >= MAX_TOTAL_TOOLS) {
-      return { content: `Agent stopped: reached ${MAX_TOTAL_TOOLS} tool calls. Please break your request into smaller steps.`, toolCalls };
-    }
-    const msgToolCalls = Object.values(tcAccum).map((tc) => ({
-      id: tc.id,
-      type: "function",
-      function: { name: tc.name, arguments: tc.args }
-    }));
-    msgs.push({ role: "assistant", content: fullContent || null, tool_calls: msgToolCalls });
-    for (const tc of Object.values(tcAccum)) {
-      let args = {};
-      try {
-        args = JSON.parse(tc.args);
-      } catch {}
-      totalTools++;
-      emit({ type: "tool_start", tool: tc.name, input: args });
-      const result = await executeTool(tc.name, args);
-      emit({ type: "tool_done", tool: tc.name, input: args, output: result.text, isError: result.isError });
-      toolCalls.push({ tool: tc.name, input: args, output: result.text, isError: result.isError });
-      msgs.push({ role: "tool", tool_call_id: tc.id, content: result.text });
-      if (result.isError) {
-        consecutiveErrors++;
-        if (tc.name === "execute_api_request" && args.operationId) {
-          const eid = String(args.operationId);
-          endpointErrors[eid] = (endpointErrors[eid] ?? 0) + 1;
-          if (endpointErrors[eid] >= MAX_SAME_ENDPOINT_ERRORS) {
-            return { content: `Endpoint "${eid}" failed ${MAX_SAME_ENDPOINT_ERRORS} times. Last error: ${result.text}`, toolCalls };
-          }
-        }
-        if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-          return { content: `Stopped after ${MAX_CONSECUTIVE_ERRORS} consecutive errors. Last: ${result.text}`, toolCalls };
-        }
-      } else {
-        consecutiveErrors = 0;
-      }
-    }
-  }
-  return { content: "(max iterations reached)", toolCalls };
-}
 async function handleAiChat(req) {
   let body;
   try {
@@ -5417,39 +6281,58 @@ async function handleAiChat(req) {
   const settingsRow = dbQueries.getSettings();
   const settings = settingsRow ? JSON.parse(settingsRow.value) : {};
   const ai = settings.ai ?? {};
+  const provider = ai.provider ?? "anthropic";
+  const providerDefaults = PROVIDER_DEFAULTS[provider] ?? { model: "" };
+  const requiresKey = provider !== "ollama" && provider !== "custom";
+  if (requiresKey && !ai.apiKey) {
+    return json({ error: "No AI API key configured. Go to Settings \u2192 AI Provider to add one." }, 400);
+  }
+  if (!hasState())
+    return json({ error: "No spec loaded." }, 400);
   const { spec, operations } = getState();
   const preview = operations.slice(0, 40).map((op) => `- ${op.method.toUpperCase()} ${op.path}${op.summary ? `: ${op.summary}` : ""}`).join(`
 `);
   const activeAuth = dbQueries.getActiveProfile();
-  const authLine = activeAuth ? `Active auth: "${activeAuth.name}" (${activeAuth.type})` : "No active auth profile. If the API requires auth, call list_auth_profiles first, then set_active_auth, or login and call save_auth_token.";
+  const authLine = activeAuth ? `Active auth: "${activeAuth.name}" (${activeAuth.type})` : "No active auth profile. Call list_auth_profiles, then set_active_auth or save_auth_token.";
+  const memory = dbQueries.getMemory(20);
+  const memorySection = memory.length ? `
+## Memory from previous sessions
+${memory.map((m) => `${m.role === "user" ? "User" : "Assistant"}: ${m.content.slice(0, 300)}${m.content.length > 300 ? "\u2026" : ""}`).join(`
+`)}
+` : "";
   const system = `You are an AI assistant for the "${spec.title}" API (v${spec.version}). Base URL: ${spec.baseUrl}.
 Total endpoints: ${operations.length}. Sample:
 ${preview}${operations.length > 40 ? `
 ... and ${operations.length - 40} more` : ""}
 ${authLine}
+${memorySection}
+Tools:
+- search_endpoints / get_endpoint_schema \u2014 explore API structure (results cached; never repeat the same query)
+- execute_api_request \u2014 call an endpoint
+- list_auth_profiles / set_active_auth / save_auth_token \u2014 manage credentials
+  \u2022 save_auth_token supports token_type="basic" with username+password for HTTP Basic auth
+- fetch_url \u2014 external docs
+- dns_lookup \u2014 connectivity diagnostics
+- get_recent_logs \u2014 proxy traffic history
+- run_security_check \u2014 static security analysis
-Tools available:
-- search_endpoints / get_endpoint_schema: explore API structure
-- execute_api_request: call an endpoint
-- list_auth_profiles: list all saved auth profiles (name, type, active)
-- set_active_auth(name): switch to a saved profile before making requests
-- save_auth_token(name, token): IMMEDIATELY call this after a successful login that returns a token \u2014 saves the token as a named profile and activates it so subsequent requests are authenticated
-- fetch_url: fetch external docs
-- dns_lookup: DNS resolution / connectivity
-- get_recent_logs: recent request/response traffic
-- run_security_check: security analysis on an endpoint
+Auth workflow: 401/403 \u2192 list_auth_profiles \u2192 set_active_auth OR find login endpoint \u2192 save_auth_token \u2192 retry.
-Authentication workflow: if requests return 401/403, call list_auth_profiles first. If a profile exists, call set_active_auth. If none, find and call the login endpoint, extract the token from the response, then call save_auth_token immediately. After saving, retry the original request.
+Rules:
+- Never repeat a search you already ran \u2014 results are cached.
+- Diagnose errors before retrying. Three failures on the same endpoint stops the agent.
+- Do not fire rapid successive API requests.
-IMPORTANT: if an endpoint returns an error, diagnose it (check the schema, check auth) and fix the root cause before retrying. If the same endpoint fails 3 times the agent will be forcibly stopped. Do not retry without changing something.
+Be concise. Format code and JSON in fenced blocks.${ai.customInstructions ? `
-Be concise and practical. Format code and JSON in code blocks.`;
-  const provider = ai.provider ?? "anthropic";
-  const requiresKey = provider !== "ollama" && provider !== "custom";
-  if (requiresKey && !ai.apiKey) {
-    return json({ error: "No AI API key configured. Go to Settings \u2192 AI Provider to add one." }, 400);
-  }
+---
+## Custom instructions
+${ai.customInstructions}` : ""}${body.extra_context ? `
+---
+## Context
+${body.extra_context}` : ""}`;
   const { readable, writable } = new TransformStream;
   const writer = writable.getWriter();
   const enc = new TextEncoder;
@@ -5459,62 +6342,39 @@ Be concise and practical. Format code and JSON in code blocks.`;
 `)).catch(() => {});
   };
   const msgs = body.messages;
+  const toolCache = new Map;
+  const abortCtrl = new AbortController;
+  const lastUserMsg = [...msgs].reverse().find((m) => m.role === "user");
+  const userMemoryContent = typeof lastUserMsg?.content === "string" ? lastUserMsg.content : null;
   (async () => {
     try {
-      let result;
-      if (provider === "anthropic") {
-        result = await anthropicAgentLoop(ai.apiKey, ai.model || "claude-haiku-4-5-20251001", system, msgs, emit);
-      } else if (provider === "openai") {
-        const base = (ai.baseUrl || "https://api.openai.com").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "gpt-4o-mini", {}, system, msgs, emit);
-      } else if (provider === "mistral") {
-        const base = (ai.baseUrl || "https://api.mistral.ai").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "mistral-small-latest", {}, system, msgs, emit);
-      } else if (provider === "github-copilot") {
-        const base = (ai.baseUrl || "https://api.githubcopilot.com").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "gpt-4o", {
-          "Copilot-Integration-Id": "vscode-chat",
-          "Editor-Version": "vscode/1.85.0"
-        }, system, msgs, emit);
-      } else if (provider === "groq") {
-        const base = (ai.baseUrl || "https://api.groq.com/openai").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "llama-3.1-70b-versatile", {}, system, msgs, emit);
-      } else if (provider === "custom") {
-        if (!ai.baseUrl) {
-          emit({ type: "error", message: "Custom provider requires a Base URL." });
-          await writer.close();
-          return;
-        }
-        result = await openaiCompatibleLoop(ai.baseUrl.replace(/\/$/, ""), ai.apiKey, ai.model || "", {}, system, msgs, emit);
-      } else if (provider === "ollama") {
-        const base = (ai.baseUrl || "http://localhost:11434").replace(/\/$/, "");
-        const res = await fetch(`${base}/api/chat`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ model: ai.model || "llama3", messages: [{ role: "system", content: system }, ...msgs], stream: false })
-        });
-        const d = await res.json();
-        result = { content: d.message.content ?? "", toolCalls: [] };
-      } else if (provider === "gemini") {
-        const model = ai.model || "gemini-1.5-flash";
-        const base = (ai.baseUrl || "https://generativelanguage.googleapis.com").replace(/\/$/, "");
-        const res = await fetch(`${base}/v1beta/models/${model}:generateContent?key=${ai.apiKey}`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({
-            systemInstruction: { parts: [{ text: system }] },
-            contents: msgs.map((m) => ({ role: m.role === "assistant" ? "model" : "user", parts: [{ text: m.content }] })),
-            generationConfig: { maxOutputTokens: 4096 }
-          })
-        });
-        const d = await res.json();
-        result = { content: d.candidates[0]?.content.parts[0]?.text ?? "", toolCalls: [] };
-      } else {
-        emit({ type: "error", message: `Unknown provider: ${provider}` });
-        await writer.close();
-        return;
+      const result = await runAgentLoop({
+        provider,
+        apiKey: ai.apiKey,
+        model: ai.model || providerDefaults.model,
+        baseUrl: ai.baseUrl || providerDefaults.baseUrl,
+        maxTokens: ai.maxTokens ?? 4096,
+        stepTimeoutMs: ai.stepTimeoutMs ?? 60000,
+        temperature: ai.temperature,
+        topK: ai.topK && ai.topK > 0 ? ai.topK : undefined,
+        parallelTools: true,
+        enablePromptCache: true
+      }, system, msgs, TOOL_SCHEMAS, (name, args) => executeTool(name, args, toolCache), emit, abortCtrl.signal, toolCache);
+      if (result.content && result.stopReason !== "max_iterations") {
+        try {
+          if (userMemoryContent)
+            dbQueries.saveMemory("user", userMemoryContent.slice(0, 1000));
+          dbQueries.saveMemory("assistant", result.content.slice(0, 1000));
+          dbQueries.trimMemory(40);
+        } catch {}
       }
-      emit({ type: "done", content: result.content, toolCalls: result.toolCalls });
+      emit({
+        type: "done",
+        content: result.content,
+        toolCalls: result.toolCalls,
+        stopReason: result.stopReason,
+        tokens: result.tokens
+      });
     } catch (e) {
       emit({ type: "error", message: e instanceof Error ? e.message : String(e) });
     } finally {
@@ -5524,11 +6384,7 @@ Be concise and practical. Format code and JSON in code blocks.`;
     }
   })();
   return new Response(readable, {
-    headers: {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache",
-      ...CORS3
-    }
+    headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", ...CORS4 }
   });
 }
 function handleGetProfiles() {
@@ -5542,7 +6398,7 @@ async function handleCreateProfile(req) {
     return badRequest("Invalid JSON");
   }
   const profile = {
-    id: randomUUID2(),
+    id: randomUUID(),
     name: String(body.name ?? "").trim() || "Unnamed",
     description: String(body.description ?? ""),
     type: String(body.type ?? "none"),
@@ -5595,7 +6451,7 @@ async function handleCreateRule(req) {
     return badRequest("Invalid JSON");
   }
   const rule = {
-    id: randomUUID2(),
+    id: randomUUID(),
     enabled: body.enabled ?? 1,
     name: body.name ?? "",
     sort_order: body.sort_order ?? 0,
@@ -5887,7 +6743,7 @@ async function handleCreateSaved(req) {
   }
   if (!body.name || typeof body.name !== "string")
     return badRequest("name is required");
-  const id = randomUUID2();
+  const id = randomUUID();
   dbQueries.insertSavedRequest({
     id,
     name: String(body.name),
@@ -5905,42 +6761,248 @@ async function handleCreateSaved(req) {
   });
   return json(dbQueries.getSavedRequest(id), 201);
 }
-async function handleUpdateSaved(req, path) {
-  const id = path.replace("/api/saved/", "");
-  if (!dbQueries.getSavedRequest(id))
+async function handleUpdateSaved(req, path) {
+  const id = path.replace("/api/saved/", "");
+  if (!dbQueries.getSavedRequest(id))
+    return notFound();
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const patch = {};
+  const allowed = ["name", "folder", "method", "url", "headers", "params", "body", "body_type", "raw_type", "form_rows", "auth", "notes"];
+  for (const key of allowed) {
+    if (key in body)
+      patch[key] = typeof body[key] === "string" ? String(body[key]) : JSON.stringify(body[key]);
+  }
+  if (Object.keys(patch).length)
+    dbQueries.updateSavedRequest(id, patch);
+  return json(dbQueries.getSavedRequest(id));
+}
+function handleDeleteSaved(path) {
+  const id = path.replace("/api/saved/", "");
+  if (!dbQueries.getSavedRequest(id))
+    return notFound();
+  dbQueries.deleteSavedRequest(id);
+  return json({ ok: true });
+}
+function workflowRow(row) {
+  if (!row)
+    return null;
+  let steps = [];
+  try {
+    steps = JSON.parse(row.steps);
+  } catch {}
+  return { ...row, steps };
+}
+function handleGetWorkflows() {
+  const rows = dbQueries.getWorkflows().map((r) => workflowRow(r)).filter(Boolean);
+  return json(rows);
+}
+async function handleCreateWorkflow(req) {
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const id = randomUUID();
+  dbQueries.insertWorkflow({
+    id,
+    name: String(body.name ?? "Untitled Workflow"),
+    description: String(body.description ?? ""),
+    steps: typeof body.steps === "string" ? body.steps : JSON.stringify(body.steps ?? [])
+  });
+  return json(workflowRow(dbQueries.getWorkflow(id)), 201);
+}
+async function handleUpdateWorkflow(req, path) {
+  const id = path.slice("/api/workflows/".length);
+  if (!dbQueries.getWorkflow(id))
+    return notFound();
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const patch = {};
+  if ("name" in body)
+    patch.name = String(body.name);
+  if ("description" in body)
+    patch.description = String(body.description);
+  if ("steps" in body)
+    patch.steps = typeof body.steps === "string" ? body.steps : JSON.stringify(body.steps);
+  if (Object.keys(patch).length)
+    dbQueries.updateWorkflow(id, patch);
+  return json(workflowRow(dbQueries.getWorkflow(id)));
+}
+function handleDeleteWorkflow(path) {
+  const id = path.slice("/api/workflows/".length);
+  if (!dbQueries.getWorkflow(id))
+    return notFound();
+  dbQueries.deleteWorkflow(id);
+  return json({ ok: true });
+}
+async function handleGenerateWorkflow(req) {
+  if (!hasState())
+    return badRequest("No spec loaded");
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const settingsRow = dbQueries.getSettings();
+  const settings = settingsRow ? JSON.parse(settingsRow.value) : {};
+  const ai = settings.ai ?? {};
+  const provider = ai.provider ?? "anthropic";
+  if (provider !== "ollama" && !ai.apiKey) {
+    return json({ error: "No AI API key configured. Go to Settings \u2192 AI Provider to add one." }, 400);
+  }
+  const { spec, operations } = getState();
+  const endpointList = operations.slice(0, 80).map((op) => `${op.method.toUpperCase()} ${op.path}${op.operationId ? ` [${op.operationId}]` : ""}${op.summary ? ` \u2014 ${op.summary}` : ""}`).join(`
+`);
+  const userPrompt = body.prompt?.trim() || "Generate a realistic end-to-end test workflow covering authentication and CRUD operations.";
+  const systemMsg = `You generate API test workflows as JSON for the "${spec.title}" API (base: ${spec.baseUrl}).
+Available endpoints:
+${endpointList}
+Return ONLY valid JSON (no markdown fences) matching this schema exactly:
+{
+  "name": "string",
+  "description": "string",
+  "steps": [
+    {
+      "id": "step_1",
+      "label": "Human-readable name",
+      "method": "GET|POST|PUT|PATCH|DELETE",
+      "path": "/exact/path/from/spec",
+      "operationId": "operationId or null",
+      "pathParams": {},
+      "queryParams": {},
+      "headers": {},
+      "body": null,
+      "extract": [{"var": "varName", "path": "$.field.nested"}],
+      "assert": [{"type": "status", "statusCode": 200}]
+    }
+  ]
+}
+Rules:
+- Use {{varName}} in path/headers/body values to reference vars extracted in prior steps
+- For auth: extract token after login, set headers: {"Authorization": "Bearer {{token}}"}
+- Keep 3\u20138 steps covering a realistic user journey
+- Only use paths that exist in the endpoint list above`;
+  try {
+    let text = "";
+    if (provider === "anthropic") {
+      const res = await fetch("https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: { "Content-Type": "application/json", "x-api-key": ai.apiKey, "anthropic-version": "2023-06-01" },
+        body: JSON.stringify({ model: ai.model || "claude-sonnet-4-6", max_tokens: 4096, system: systemMsg, messages: [{ role: "user", content: userPrompt }] })
+      });
+      if (!res.ok)
+        throw new Error(`Anthropic: ${await res.text()}`);
+      const d = await res.json();
+      text = d.content.find((b) => b.type === "text")?.text ?? "";
+    } else {
+      const base = (ai.baseUrl || (provider === "openai" ? "https://api.openai.com" : provider === "groq" ? "https://api.groq.com/openai" : provider === "mistral" ? "https://api.mistral.ai" : "https://api.openai.com")).replace(/\/$/, "");
+      const hdrs = { "Content-Type": "application/json" };
+      if (ai.apiKey)
+        hdrs["Authorization"] = `Bearer ${ai.apiKey}`;
+      const res = await fetch(`${base}/v1/chat/completions`, {
+        method: "POST",
+        headers: hdrs,
+        body: JSON.stringify({ model: ai.model || "gpt-4o-mini", max_tokens: 2048, response_format: { type: "json_object" }, messages: [{ role: "system", content: systemMsg }, { role: "user", content: userPrompt }] })
+      });
+      if (!res.ok)
+        throw new Error(await res.text());
+      const d = await res.json();
+      text = d.choices[0]?.message.content ?? "";
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      const m = text.match(/```(?:json)?\s*\n?([\s\S]+?)\n?```/);
+      if (m)
+        parsed = JSON.parse(m[1]);
+      else
+        throw new Error("AI response was not valid JSON");
+    }
+    return json(parsed);
+  } catch (e) {
+    return json({ error: e instanceof Error ? e.message : String(e) }, 500);
+  }
+}
+function handleRunWorkflow(path) {
+  const id = path.slice("/api/workflows/".length, -"/run".length);
+  const row = dbQueries.getWorkflow(id);
+  if (!row)
     return notFound();
-  let body;
+  if (!hasState())
+    return badRequest("No spec loaded");
+  let steps;
   try {
-    body = await req.json();
+    steps = JSON.parse(row.steps);
   } catch {
-    return badRequest("Invalid JSON");
-  }
-  const patch = {};
-  const allowed = ["name", "folder", "method", "url", "headers", "params", "body", "body_type", "raw_type", "form_rows", "auth", "notes"];
-  for (const key of allowed) {
-    if (key in body)
-      patch[key] = typeof body[key] === "string" ? String(body[key]) : JSON.stringify(body[key]);
+    return badRequest("Invalid workflow steps JSON");
   }
-  if (Object.keys(patch).length)
-    dbQueries.updateSavedRequest(id, patch);
-  return json(dbQueries.getSavedRequest(id));
+  if (!steps.length)
+    return badRequest("Workflow has no steps");
+  const { readable, writable } = new TransformStream;
+  const writer = writable.getWriter();
+  const enc = new TextEncoder;
+  const emit = (e) => {
+    writer.write(enc.encode(`data: ${JSON.stringify(e)}
+`)).catch(() => {});
+  };
+  (async () => {
+    try {
+      await runWorkflow(steps, emit);
+    } catch (e) {
+      emit({ type: "error", message: e instanceof Error ? e.message : String(e) });
+    } finally {
+      try {
+        await writer.close();
+      } catch {}
+    }
+  })();
+  return new Response(readable, {
+    headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", ...CORS4 }
+  });
 }
-function handleDeleteSaved(path) {
-  const id = path.replace("/api/saved/", "");
-  if (!dbQueries.getSavedRequest(id))
-    return notFound();
-  dbQueries.deleteSavedRequest(id);
+function handleGetCaptureBins() {
+  return json(dbQueries.getCaptureBins());
+}
+async function handleCreateCaptureBin(req) {
+  const body = await req.json().catch(() => ({}));
+  const id = randomUUID().replace(/-/g, "").slice(0, 8);
+  const name = String(body.name ?? "").trim() || "Untitled bin";
+  dbQueries.insertCaptureBin(id, name);
+  return json({ id, name, created_at: Math.floor(Date.now() / 1000) }, 201);
+}
+function handleDeleteCaptureBin(path) {
+  const id = path.replace("/api/capture/bins/", "");
+  dbQueries.deleteCaptureBin(id);
   return json({ ok: true });
 }
-var CORS3, TOOL_DEFS, ANTHROPIC_TOOLS, OPENAI_TOOLS, MAX_TOTAL_TOOLS = 40, MAX_CONSECUTIVE_ERRORS = 5, MAX_SAME_ENDPOINT_ERRORS = 3;
+var CORS4, TOOL_DEFS, _lastApiCallMs = 0, MIN_API_CALL_INTERVAL_MS = 400, TOOL_SCHEMAS, PROVIDER_DEFAULTS;
 var init_routes = __esm(() => {
   init_db();
   init_engine();
   init_bus();
   init_state();
+  init_parser();
   init_config();
   init_version();
-  CORS3 = {
+  init_engine2();
+  init_harness();
+  CORS4 = {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
     "Access-Control-Allow-Headers": "Content-Type, Authorization"
@@ -6008,38 +7070,433 @@ var init_routes = __esm(() => {
       required: ["name"]
     },
     save_auth_token: {
-      description: "Save a bearer token or API key as a named auth profile and immediately activate it. Call this right after a successful login endpoint returns a token so all subsequent API requests are authenticated.",
+      description: "Save a bearer token, API key, or basic auth credentials as a named auth profile and immediately activate it. Call this right after a successful login endpoint returns a token so all subsequent API requests are authenticated.",
       params: {
         name: { type: "string", description: 'Profile name, e.g. "user session" or the username' },
-        token: { type: "string", description: "The bearer token or API key value to save" },
-        token_type: { type: "string", enum: ["bearer", "apikey_header", "apikey_query"], description: "Token type (default: bearer)" },
-        header_name: { type: "string", description: "Header name for apikey_header type (default: X-Api-Key)" }
+        token: { type: "string", description: "The bearer token or API key value (omit for basic auth)" },
+        token_type: { type: "string", enum: ["bearer", "apikey_header", "apikey_query", "basic"], description: "Token type (default: bearer)" },
+        header_name: { type: "string", description: "Header name for apikey_header type (default: X-Api-Key)" },
+        username: { type: "string", description: "Username for basic auth" },
+        password: { type: "string", description: "Password for basic auth" }
       },
-      required: ["name", "token"]
+      required: ["name"]
     }
   };
-  ANTHROPIC_TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
+  TOOL_SCHEMAS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
     name,
     description: def.description,
-    input_schema: { type: "object", properties: def.params, required: def.required }
-  }));
-  OPENAI_TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
-    type: "function",
-    function: { name, description: def.description, parameters: { type: "object", properties: def.params, required: def.required } }
+    params: def.params,
+    required: def.required
   }));
+  PROVIDER_DEFAULTS = {
+    anthropic: { model: "claude-haiku-4-5-20251001" },
+    openai: { model: "gpt-4o-mini", baseUrl: "https://api.openai.com" },
+    mistral: { model: "mistral-small-latest", baseUrl: "https://api.mistral.ai" },
+    groq: { model: "llama-3.1-70b-versatile", baseUrl: "https://api.groq.com/openai" },
+    "github-copilot": { model: "gpt-4o", baseUrl: "https://api.githubcopilot.com" },
+    ollama: { model: "llama3", baseUrl: "http://localhost:11434" },
+    gemini: { model: "gemini-1.5-flash" },
+    custom: { model: "" }
+  };
+});
+// src/repl.ts
+function stripAnsi(s) {
+  return s.replace(/\x1B\[[0-9;]*[A-Za-z]/g, "");
+}
+function visualRows(line, cols) {
+  const len = stripAnsi(line).length;
+  if (len === 0)
+    return 1;
+  return Math.ceil(len / cols);
+}
+class Repl {
+  buf = "";
+  history = [];
+  histIdx = -1;
+  savedBuf = "";
+  running = false;
+  statusText = "";
+  promptDrawn = false;
+  drawingPrompt = false;
+  promptVisualRows = 0;
+  onCmd = null;
+  cols = process.stdout.columns || 80;
+  dynSuggestions = [];
+  constructor() {
+    if (isTTY) {
+      process.stdout.on("resize", () => {
+        this.cols = process.stdout.columns || 80;
+        if (this.running)
+          this.redraw();
+      });
+    }
+  }
+  setDynamicSuggestions(items) {
+    this.dynSuggestions = items;
+    if (this.running)
+      this.redraw();
+  }
+  setStatus(text) {
+    this.statusText = text;
+    if (this.running)
+      this.redraw();
+  }
+  print(line) {
+    process.stdout.write(line + `
+`);
+  }
+  start(onCmd) {
+    this.onCmd = onCmd;
+    this.running = true;
+    if (!isTTY || !process.stdin.setRawMode) {
+      this.startSimple(onCmd);
+      return;
+    }
+    const origWrite = process.stdout.write.bind(process.stdout);
+    const self = this;
+    const patched = function(chunk, enc, cb) {
+      if (self.drawingPrompt)
+        return origWrite(chunk, enc, cb);
+      const str = typeof chunk === "string" ? chunk : chunk instanceof Uint8Array ? new TextDecoder().decode(chunk) : String(chunk);
+      const isSpinnerWrite = str.startsWith("\r") && !str.includes(`
+`);
+      if (isSpinnerWrite || !self.promptDrawn)
+        return origWrite(chunk, enc, cb);
+      self.drawingPrompt = true;
+      for (let i = 0;i < self.promptVisualRows - 1; i++)
+        origWrite("\x1B[A");
+      origWrite("\r\x1B[J");
+      self.promptDrawn = false;
+      const r = origWrite(chunk, enc, cb);
+      if (!str.endsWith(`
+`))
+        origWrite(`
+`);
+      const lines = self.buildPromptLines();
+      self.promptVisualRows = lines.reduce((sum, l) => sum + visualRows(l, self.cols), 0);
+      origWrite(lines.join(`
+`));
+      self.promptDrawn = true;
+      self.drawingPrompt = false;
+      return r;
+    };
+    patched.__orig = origWrite;
+    process.stdout.write = patched;
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+    process.stdin.on("data", (key) => {
+      this.handleKey(key).catch(() => {});
+    });
+    this.drawPrompt();
+  }
+  stop() {
+    this.running = false;
+    if (this.promptDrawn)
+      this.clearPrompt();
+    if (process.stdout.write.__orig) {
+      process.stdout.write = process.stdout.write.__orig;
+    }
+    try {
+      process.stdin.setRawMode(false);
+      process.stdin.pause();
+    } catch {}
+  }
+  getSuggestions() {
+    if (!this.buf.startsWith("/"))
+      return [];
+    const raw = this.buf.slice(1);
+    if (!raw)
+      return BASE.slice(0, 6);
+    const parts = raw.split(" ");
+    const base = parts[0] ?? "";
+    if (raw.startsWith("auth use ") && this.dynSuggestions.length) {
+      const typed = raw.slice("auth use ".length);
+      return this.dynSuggestions.filter((s) => s.label.toLowerCase().startsWith(typed.toLowerCase()));
+    }
+    if (parts.length >= 2 && SUB[base]) {
+      return (SUB[base] ?? []).filter((s) => s.value.startsWith(raw));
+    }
+    return BASE.filter((c) => c.value.startsWith(raw));
+  }
+  getGhostText() {
+    if (!this.buf.startsWith("/"))
+      return "";
+    const suggestions = this.getSuggestions();
+    if (!suggestions.length)
+      return "";
+    const first = suggestions[0];
+    const full = "/" + first.value;
+    if (full === this.buf || !full.startsWith(this.buf))
+      return "";
+    return full.slice(this.buf.length);
+  }
+  buildPromptLines() {
+    const lines = [];
+    const suggestions = this.getSuggestions();
+    const DOT = paint.dim(" \xB7 ");
+    if (this.buf.startsWith("/") && suggestions.length > 0) {
+      const items = suggestions.slice(0, 5);
+      const row = items.map((s, i) => {
+        const label = "/" + s.label;
+        const desc = s.desc ? paint.dim("  " + s.desc) : "";
+        return i === 0 ? paint.cyan(label) + desc : paint.dim(label);
+      }).join(DOT);
+      lines.push(`  ${row}`);
+    }
+    if (this.statusText) {
+      const plain = stripAnsi(this.statusText);
+      const truncated = plain.length > this.cols - 4 ? plain.slice(0, this.cols - 7) + "\u2026" : plain;
+      lines.push(`  ${paint.dim(truncated)}`);
+    }
+    const ghost = this.getGhostText();
+    lines.push(`  ${paint.cyan("\u276F")} ${this.buf}${ghost ? paint.dim(ghost) : ""}`);
+    return lines;
+  }
+  clearPrompt() {
+    if (!this.promptDrawn)
+      return;
+    this.drawingPrompt = true;
+    for (let i = 0;i < this.promptVisualRows - 1; i++)
+      process.stdout.write("\x1B[A");
+    process.stdout.write("\r\x1B[J");
+    this.promptDrawn = false;
+    this.drawingPrompt = false;
+  }
+  drawPrompt() {
+    this.drawingPrompt = true;
+    const lines = this.buildPromptLines();
+    this.promptVisualRows = lines.reduce((sum, l) => sum + visualRows(l, this.cols), 0);
+    process.stdout.write(lines.join(`
+`));
+    this.promptDrawn = true;
+    this.drawingPrompt = false;
+  }
+  redraw() {
+    this.clearPrompt();
+    this.drawPrompt();
+  }
+  async handleKey(key) {
+    if (!this.running)
+      return;
+    if (key === "\x03" || key === "\x04") {
+      this.stop();
+      process.emit("SIGINT");
+      return;
+    }
+    if (key === "\f") {
+      this.drawingPrompt = true;
+      process.stdout.write("\x1B[2J\x1B[H");
+      this.drawingPrompt = false;
+      this.promptDrawn = false;
+      this.drawPrompt();
+      return;
+    }
+    if (key === "\x15") {
+      this.buf = "";
+      this.redraw();
+      return;
+    }
+    if (key === "\x17") {
+      this.buf = this.buf.replace(/\S+\s*$/, "");
+      this.redraw();
+      return;
+    }
+    if (key.startsWith("\x1B")) {
+      if (key === "\x1B") {
+        this.buf = "";
+        this.redraw();
+        return;
+      }
+      if (key === "\x1B[A") {
+        this.historyUp();
+        return;
+      }
+      if (key === "\x1B[B") {
+        this.historyDown();
+        return;
+      }
+      if (key === "\x1B[C") {
+        const g = this.getGhostText();
+        if (g) {
+          this.buf += g;
+          const raw = this.buf.slice(1);
+          if (SUB[raw])
+            this.buf += " ";
+          this.redraw();
+        }
+        return;
+      }
+      return;
+    }
+    if (key === "\t") {
+      const g = this.getGhostText();
+      if (g) {
+        this.buf += g;
+        const raw = this.buf.slice(1);
+        if (SUB[raw])
+          this.buf += " ";
+      } else {
+        const suggestions = this.getSuggestions();
+        if (suggestions[0] && "/" + suggestions[0].value !== this.buf) {
+          this.buf = "/" + suggestions[0].value;
+        }
+      }
+      this.redraw();
+      return;
+    }
+    if (key === "\x7F" || key === "\b") {
+      if (this.buf.length > 0) {
+        this.buf = this.buf.slice(0, -1);
+        this.redraw();
+      }
+      return;
+    }
+    if (key === "\r" || key === `
+`) {
+      await this.submit();
+      return;
+    }
+    if (this.buf === "") {
+      switch (key.toLowerCase()) {
+        case "r":
+          await this.dispatchImmediate("r");
+          return;
+        case "b":
+          await this.dispatchImmediate("b");
+          return;
+        case "s":
+          await this.dispatchImmediate("s");
+          return;
+        case "q":
+          await this.dispatchImmediate("q");
+          return;
+        case "?":
+        case "h":
+          await this.dispatchImmediate("h");
+          return;
+        case "/":
+          this.buf = "/";
+          this.redraw();
+          return;
+      }
+    }
+    const printable = key.replace(/[^\x20-\x7E]/g, "");
+    if (printable) {
+      this.buf += printable;
+      this.redraw();
+    }
+  }
+  async submit() {
+    const cmd = this.buf.trim();
+    this.buf = "";
+    this.clearPrompt();
+    process.stdout.write(`
+`);
+    this.promptDrawn = false;
+    if (cmd) {
+      this.history.unshift(cmd);
+      if (this.history.length > 200)
+        this.history.pop();
+      this.histIdx = -1;
+      this.savedBuf = "";
+      if (this.onCmd)
+        await this.onCmd(cmd);
+    }
+    this.drawPrompt();
+  }
+  async dispatchImmediate(key) {
+    this.clearPrompt();
+    process.stdout.write(`
+`);
+    this.promptDrawn = false;
+    if (this.onCmd)
+      await this.onCmd(key);
+    this.drawPrompt();
+  }
+  historyUp() {
+    if (!this.history.length)
+      return;
+    if (this.histIdx === -1)
+      this.savedBuf = this.buf;
+    this.histIdx = Math.min(this.histIdx + 1, this.history.length - 1);
+    this.buf = this.history[this.histIdx] ?? "";
+    this.redraw();
+  }
+  historyDown() {
+    if (this.histIdx === -1)
+      return;
+    this.histIdx--;
+    this.buf = this.histIdx === -1 ? this.savedBuf : this.history[this.histIdx] ?? "";
+    this.redraw();
+  }
+  startSimple(onCmd) {
+    process.stdout.write("  \u276F ");
+    process.stdin.setEncoding("utf8");
+    let line = "";
+    process.stdin.on("data", async (chunk) => {
+      for (const ch of chunk) {
+        if (ch === `
+` || ch === "\r") {
+          const cmd = line.trim();
+          line = "";
+          if (cmd)
+            await onCmd(cmd);
+          process.stdout.write("  \u276F ");
+        } else {
+          line += ch;
+        }
+      }
+    });
+  }
+}
+var BASE, SUB;
+var init_repl = __esm(() => {
+  init_ui();
+  BASE = [
+    { value: "help", label: "help", desc: "Show all commands" },
+    { value: "status", label: "status", desc: "Show server status" },
+    { value: "reload", label: "reload", desc: "Hot-reload the spec" },
+    { value: "spec", label: "spec", desc: "Load a different spec" },
+    { value: "mcp", label: "mcp", desc: "Toggle MCP endpoint" },
+    { value: "proxy", label: "proxy", desc: "Toggle HTTP proxy" },
+    { value: "ai", label: "ai", desc: "Toggle AI chat" },
+    { value: "readonly", label: "readonly", desc: "Toggle read-only mode" },
+    { value: "auth", label: "auth", desc: "Manage auth roles" },
+    { value: "token", label: "token", desc: "Manage access token" },
+    { value: "tail", label: "tail", desc: "Live request log" },
+    { value: "open", label: "open", desc: "Open studio in browser" },
+    { value: "update", label: "update", desc: "Update wasper" },
+    { value: "quit", label: "quit", desc: "Quit" }
+  ];
+  SUB = {
+    auth: [
+      { value: "auth list", label: "list", desc: "List auth profiles" },
+      { value: "auth use ", label: "use", desc: "Switch active profile" },
+      { value: "auth none", label: "none", desc: "Disable auth" }
+    ],
+    mcp: [{ value: "mcp on", label: "on", desc: "" }, { value: "mcp off", label: "off", desc: "" }],
+    proxy: [{ value: "proxy on", label: "on", desc: "" }, { value: "proxy off", label: "off", desc: "" }],
+    ai: [{ value: "ai on", label: "on", desc: "" }, { value: "ai off", label: "off", desc: "" }],
+    readonly: [{ value: "readonly on", label: "on", desc: "" }, { value: "readonly off", label: "off", desc: "" }],
+    token: [{ value: "token new", label: "new", desc: "Generate token" }, { value: "token off", label: "off", desc: "Remove token" }],
+    tail: [{ value: "tail on", label: "on", desc: "" }, { value: "tail off", label: "off", desc: "" }]
+  };
 });
 // src/commands/start.ts
 var exports_start = {};
 __export(exports_start, {
-  run: () => run5
+  run: () => run6
 });
 import { parseArgs } from "util";
 import { createInterface } from "readline";
 import { homedir as homedir4 } from "os";
 import { join as join4, dirname } from "path";
 import { mkdirSync as mkdirSync2 } from "fs";
-async function run5(overrideOpts) {
+async function run6(overrideOpts) {
   const { values } = parseArgs({
     args: process.argv.slice(2).filter((a) => a !== "start"),
     options: {
@@ -6063,18 +7520,44 @@ async function run5(overrideOpts) {
     printHelp();
     process.exit(0);
   }
-  const specUrl = overrideOpts?.url ?? (values.url ? String(values.url) : null) ?? process.env.WASPER_SPEC_URL ?? null;
+  let specUrl = overrideOpts?.url ?? (values.url ? String(values.url) : null) ?? process.env.WASPER_SPEC_URL ?? null;
   const PORT = overrideOpts?.port ?? parseInt(String(values.port ?? "3388"), 10);
   const HOST = overrideOpts?.host ?? (values.host ? String(values.host) : null) ?? process.env.WASPER_HOST ?? "0.0.0.0";
   const ORIGIN = (overrideOpts?.origin ?? (values.origin ? String(values.origin) : null) ?? process.env.WASPER_ORIGIN ?? null)?.replace(/\/$/, "") ?? null;
   const TOKEN = overrideOpts?.token ?? (values.token ? String(values.token) : null) ?? process.env.WASPER_TOKEN ?? null;
   const bgNow = overrideOpts?.daemon ?? !!(values.background || values.daemon);
   const isDaemon = overrideOpts?.isDaemon ?? !!values["_daemon"];
+  if (!specUrl && !isDaemon) {
+    const last = dbQueries.getLastSpec();
+    if (last) {
+      specUrl = last.url;
+      if (isTTY)
+        console.log(`  ${paint.dim("\u21A9")}  Resuming ${paint.cyan(last.title ?? last.url)}  ${paint.dim("(last used)")}
+`);
+    }
+  }
   setServerConfig({ port: PORT, host: HOST, origin: ORIGIN, token: TOKEN });
+  {
+    const saved = dbQueries.getSetting("features");
+    if (saved) {
+      try {
+        const obj = JSON.parse(saved);
+        const patch = {};
+        if (obj.mcp === false)
+          patch.mcp = false;
+        if (obj.proxy === false)
+          patch.proxy = false;
+        if (obj.ai === false)
+          patch.ai = false;
+        if (Object.keys(patch).length)
+          setFeatures(patch);
+      } catch {}
+    }
+  }
   setFeatures({
-    mcp: !values["no-mcp"],
-    proxy: !values["no-proxy"],
-    ai: !values["no-ai"],
+    ...values["no-mcp"] ? { mcp: false } : {},
+    ...values["no-proxy"] ? { proxy: false } : {},
+    ...values["no-ai"] ? { ai: false } : {},
     readonly: !!values.readonly
   });
   if (bgNow) {
@@ -6101,6 +7584,7 @@ async function run5(overrideOpts) {
       specVersion = state.spec.version;
       endpointCount = state.operations.length;
       spinner.stop();
+      dbQueries.upsertSpec(specUrl, specTitle ?? null, specVersion ?? null, endpointCount);
     } catch (e) {
       spinner.stop("\u2717", `Failed to load spec: ${e instanceof Error ? e.message : String(e)}`, "red");
     }
@@ -6123,6 +7607,8 @@ async function run5(overrideOpts) {
         if (req.method === "OPTIONS") {
           return new Response(null, { status: 204, headers: CORS_HEADERS });
         }
+        if (pathname.startsWith("/c/"))
+          return captureHandler(req);
         if (!isAuthorized(req)) {
           return new Response(JSON.stringify({ error: "Unauthorized: pass Authorization: Bearer <token> or ?token=" }), {
             status: 401,
@@ -6213,127 +7699,129 @@ async function run5(overrideOpts) {
 function attachKeyboard(opts) {
   const ctx = { specUrl: opts.specUrl, PORT: opts.PORT, tailOff: null };
   let isReloading = false;
-  let cmdBuf = null;
-  process.stdin.setRawMode(true);
-  process.stdin.resume();
-  process.stdin.setEncoding("utf8");
-  const spinner = new Spinner;
+  const repl = new Repl;
+  const buildStatus = () => {
+    const state = hasState() ? getState() : null;
+    const f = getFeatures();
+    const cfg = getServerConfig();
+    const active = dbQueries.getActiveProfile();
+    const parts = [];
+    if (state) {
+      parts.push(`${state.spec.title} v${state.spec.version} \xB7 ${state.operations.length} ep`);
+    } else {
+      parts.push("no spec");
+    }
+    parts.push(`:${ctx.PORT}`);
+    const flags = [];
+    if (!f.mcp)
+      flags.push("mcp:off");
+    if (!f.proxy)
+      flags.push("proxy:off");
+    if (!f.ai)
+      flags.push("ai:off");
+    if (f.readonly)
+      flags.push("readonly:on");
+    if (flags.length)
+      parts.push(flags.join(" "));
+    parts.push(`auth:${active ? active.name : "none"}`);
+    if (cfg.token)
+      parts.push("token:set");
+    if (ctx.tailOff)
+      parts.push("tail:on");
+    return parts.join("  \xB7  ");
+  };
+  const refreshStatus = () => repl.setStatus(buildStatus());
+  const refreshAuthSuggestions = () => {
+    const profiles = dbQueries.getProfiles();
+    repl.setDynamicSuggestions(profiles.map((p) => ({
+      value: `auth use ${p.name}`,
+      label: p.name,
+      desc: p.type
+    })));
+  };
   const reload = async () => {
     if (isReloading)
       return;
-    process.stdout.write(`
-`);
     if (!ctx.specUrl) {
-      console.log(`  ${paint.yellow("\u25CB")}  No spec URL \u2014 use /spec <url> or start with --url <url>`);
-      console.log();
+      console.log(`
+  ${paint.yellow("\u25CB")}  No spec URL \u2014 use /spec <url>
+`);
       return;
     }
     isReloading = true;
-    spinner.start(`Reloading spec\u2026`);
+    let fi = 0;
+    const base = buildStatus();
+    const spinTimer = setInterval(() => {
+      repl.setStatus(`${SPIN_FRAMES[fi++ % SPIN_FRAMES.length]}  Reloading\u2026  \xB7  ${base}`);
+    }, 80);
     try {
       const state = await loadSpec(ctx.specUrl);
-      spinner.stop("\u2713", `${paint.bold(state.spec.title)}  ${paint.dim("v" + state.spec.version)}  ${paint.dim("\xB7")}  ${paint.green(state.operations.length + " endpoints")}`, "green");
+      clearInterval(spinTimer);
+      dbQueries.upsertSpec(ctx.specUrl, state.spec.title, state.spec.version, state.operations.length);
+      console.log(`  ${paint.green("\u2713")}  ${paint.bold(state.spec.title)}  ${paint.dim("v" + state.spec.version)}  \xB7  ${paint.green(state.operations.length + " endpoints")}
+`);
     } catch (e) {
-      spinner.stop("\u2717", `Reload failed: ${e instanceof Error ? e.message : String(e)}`, "red");
+      clearInterval(spinTimer);
+      console.log(`  ${paint.red("\u2717")}  Reload failed: ${e instanceof Error ? e.message : String(e)}
+`);
     } finally {
       isReloading = false;
+      refreshStatus();
     }
-    console.log();
   };
-  const printPrompt = () => process.stdout.write(`\r\x1B[K  ${paint.cyan("\u276F")} ${cmdBuf}`);
-  process.stdin.on("data", async (chunk) => {
-    if (chunk.startsWith("\x1B") && chunk.length > 1)
-      return;
-    for (const key of chunk)
-      await handleKey(key);
-  });
-  const handleKey = async (key) => {
-    if (key === "\x03") {
-      if (cmdBuf !== null) {
-        cmdBuf = null;
-        process.stdout.write("\r\x1B[K");
-        return;
-      }
-      process.emit("SIGINT");
-      return;
-    }
-    if (cmdBuf !== null) {
-      if (key === "\x1B") {
-        cmdBuf = null;
-        process.stdout.write("\r\x1B[K");
-        return;
-      }
-      if (key === "\x7F" || key === "\b") {
-        cmdBuf = cmdBuf.slice(0, -1);
-        if (!cmdBuf) {
-          cmdBuf = null;
-          process.stdout.write("\r\x1B[K");
+  const handler = async (input) => {
+    const cmd = input.trim();
+    if (cmd.length === 1) {
+      switch (cmd.toLowerCase()) {
+        case "r":
+          await reload();
           return;
-        }
-        printPrompt();
-        return;
-      }
-      if (key === "\r" || key === `
-`) {
-        const cmd = cmdBuf;
-        cmdBuf = null;
-        process.stdout.write("\r\x1B[K");
-        await runSlashCommand(cmd, ctx, reload);
-        return;
-      }
-      const printable = key.replace(/[^\x20-\x7E]/g, "");
-      if (printable) {
-        cmdBuf += printable;
-        printPrompt();
-      }
-      return;
-    }
-    if (key === "/") {
-      cmdBuf = "/";
-      printPrompt();
-      return;
-    }
-    switch (key.toLowerCase()) {
-      case "r":
-        await reload();
-        break;
-      case "b": {
-        process.stdin.setRawMode(false);
-        process.stdin.pause();
-        process.on("SIGHUP", () => {});
-        console.log(`
-  ${paint.green("\u2713")}  Detached  ${paint.dim(`PID ${process.pid}`)}`);
-        console.log(`  ${paint.dim("\u279C")}  ${paint.dim("wasper status")}  ${paint.dim("\xB7")}  ${paint.dim("wasper stop")}
+        case "s":
+          printInlineStatus(ctx);
+          return;
+        case "q":
+          process.emit("SIGINT");
+          return;
+        case "h":
+        case "?":
+          printInteractiveHelp();
+          return;
+        case "b": {
+          repl.stop();
+          process.on("SIGHUP", () => {});
+          console.log(`
+  ${paint.green("\u2713")}  Detached  ${paint.dim("PID " + process.pid)}`);
+          console.log(`  ${paint.dim("\u279C")}  ${paint.dim("wasper status")}  ${paint.dim("\xB7")}  ${paint.dim("wasper stop")}
 `);
-        break;
+          return;
+        }
       }
-      case "s":
-        printInlineStatus(ctx);
-        break;
-      case "?":
-      case "h":
-        printInteractiveHelp();
-        break;
-      case "q":
-        process.emit("SIGINT");
-        break;
     }
+    const slashCmd = cmd.startsWith("/") ? cmd : `/${cmd}`;
+    await runSlashCommand(slashCmd, ctx, reload);
+    refreshStatus();
+    refreshAuthSuggestions();
   };
+  refreshAuthSuggestions();
+  repl.setStatus(buildStatus());
+  repl.start(handler);
 }
 function printInlineStatus(ctx) {
   const state = hasState() ? getState() : null;
   const f = getFeatures();
   const cfg = getServerConfig();
-  const flag = (on) => on ? paint.green("on") : paint.red("off");
+  const on = (v) => v ? paint.green("on") : paint.dim("off");
+  const dot = paint.dim("\xB7");
   console.log(`
-  ${paint.dim("\u25CF")}  ${paint.bold("OpenAPI Agent")}  PID ${process.pid}  port ${ctx.PORT}`);
+  ${paint.green("\u25CF")}  ${paint.bold("wasper")}  ${paint.dim("PID " + process.pid)}  ${dot}  ${paint.dim(":" + ctx.PORT)}`);
   if (state) {
-    console.log(`     ${paint.bold(state.spec.title)} v${state.spec.version} \xB7 ${state.operations.length} endpoints`);
+    console.log(`     ${paint.bold(state.spec.title)}  ${paint.dim("v" + state.spec.version)}  ${dot}  ${paint.green(state.operations.length + " endpoints")}`);
+  } else {
+    console.log(`     ${paint.dim("no spec loaded")}`);
   }
-  console.log(`     mcp ${flag(f.mcp)}  ${paint.dim("\xB7")}  proxy ${flag(f.proxy)}  ${paint.dim("\xB7")}  ai ${flag(f.ai)}  ${paint.dim("\xB7")}  readonly ${flag(f.readonly)}  ${paint.dim("\xB7")}  token ${cfg.token ? paint.green("set") : paint.dim("none")}`);
+  console.log(`     mcp ${on(f.mcp)}  ${dot}  proxy ${on(f.proxy)}  ${dot}  ai ${on(f.ai)}  ${dot}  readonly ${on(f.readonly)}  ${dot}  token ${cfg.token ? paint.green("set") : paint.dim("none")}`);
   const active = dbQueries.getActiveProfile();
-  if (active)
-    console.log(`     auth role: ${paint.bold(active.name)} ${paint.dim(`(${active.type})`)}`);
+  console.log(`     auth ${active ? paint.bold(active.name) + "  " + paint.dim("(" + active.type + ")") : paint.dim("none")}`);
   console.log();
 }
 async function runSlashCommand(input, ctx, reload) {
@@ -6345,6 +7833,7 @@ async function runSlashCommand(input, ctx, reload) {
     const cur = getFeatures()[name];
     const next = arg === "on" ? true : arg === "off" ? false : !cur;
     setFeatures({ [name]: next });
+    persistAndBroadcastFeatures();
     console.log(`  ${next ? paint.green("\u2713") : paint.yellow("\u25CB")}  ${label} ${next ? paint.green("enabled") : paint.yellow("disabled")}
 `);
   };
@@ -6489,40 +7978,48 @@ async function runSlashCommand(input, ctx, reload) {
   }
 }
 function printInteractiveHelp() {
+  const k = (s) => paint.bold(s);
+  const d = (s) => paint.dim(s);
+  const hr = d("\u2500".repeat(50));
   console.log(`
-  ${paint.bold("Keys")}
-  ${paint.dim("\u2500".repeat(46))}
-  ${paint.bold("r")}   Hot-reload OpenAPI spec from URL
-  ${paint.bold("s")}   Print current status
-  ${paint.bold("b")}   Detach to background (survive terminal close)
-  ${paint.bold("q")}   Quit gracefully
-  ${paint.bold("/")}   Type a slash command  ${paint.dim("(Esc cancels)")}
+  ${paint.bold("Keys")}  ${d("(when input is empty)")}
+  ${hr}
+  ${k("r")}   Hot-reload spec          ${k("b")}   Detach to background
+  ${k("s")}   Print status             ${k("q")}   Quit
+  ${k("/")}   Start a command          ${k("?")}   This help
+  ${d("\u2191 / \u2193")} cycle command history  \xB7  ${d("\u2192 or Tab")} accept autocomplete
+  ${d("Ctrl+L")} clear screen  \xB7  ${d("Ctrl+U")} clear input  \xB7  ${d("Esc")} cancel
   ${paint.bold("Slash commands")}
-  ${paint.dim("\u2500".repeat(46))}
-  ${paint.bold("/mcp")} ${paint.dim("[on|off]")}        Toggle the MCP endpoint
-  ${paint.bold("/proxy")} ${paint.dim("[on|off]")}      Toggle the HTTP proxy
-  ${paint.bold("/ai")} ${paint.dim("[on|off]")}         Toggle the AI chat endpoint
-  ${paint.bold("/readonly")} ${paint.dim("[on|off]")}   Block non-GET upstream requests
-  ${paint.bold("/auth")}                List auth roles
-  ${paint.bold("/auth use")} ${paint.dim("<name>")}     Switch active auth role
-  ${paint.bold("/auth none")}           Disable auth
-  ${paint.bold("/token")} ${paint.dim("[new|off|<v>]")} Show / rotate / set the access token
-  ${paint.bold("/spec")} ${paint.dim("<url>")}          Load a different OpenAPI spec
-  ${paint.bold("/tail")} ${paint.dim("[on|off]")}       Live request log in this terminal
-  ${paint.bold("/open")}                Open the studio in a browser
-  ${paint.bold("/status")} ${paint.dim("\xB7")} ${paint.bold("/reload")} ${paint.dim("\xB7")} ${paint.bold("/help")} ${paint.dim("\xB7")} ${paint.bold("/quit")}
+  ${hr}
+  ${k("/spec")} ${d("<url>")}          Load a different OpenAPI spec
+  ${k("/mcp")} ${d("[on|off]")}        Toggle the MCP endpoint
+  ${k("/proxy")} ${d("[on|off]")}      Toggle the HTTP proxy
+  ${k("/ai")} ${d("[on|off]")}         Toggle the AI chat endpoint
+  ${k("/readonly")} ${d("[on|off]")}   Block non-GET upstream requests
+  ${k("/auth")}                List saved auth profiles
+  ${k("/auth use")} ${d("<name>")}     Switch active auth profile
+  ${k("/auth none")}           Disable auth
+  ${k("/token")} ${d("[new|off|<v>]")} Show / rotate / set the access token
+  ${k("/tail")} ${d("[on|off]")}       Live request log in this terminal
+  ${k("/open")}                Open the studio in a browser
+  ${k("/update")}              Update wasper to the latest version
+  ${k("/status")}  ${k("/reload")}  ${k("/help")}  ${k("/quit")}
 `);
 }
 function printHelp() {
   console.log(`
 Usage: wasper [start] [options]
-  openapi-agent [--url <spec-url>] [--port <port>]   Start in foreground
+  wasper [--url <spec-url>] [--port <port>]    Start in foreground (auto-resumes last spec)
   wasper start --background                   Start in background
   wasper stop                                 Stop background server
   wasper status                               Show server status
   wasper reload                               Hot-reload the spec
+  wasper ls                                   List saved specs (history)
+  wasper use <number|url>                     Start with a saved spec
+  wasper rm  <number|url>                     Remove a spec from history
 Options:
   --url, -u        OpenAPI spec URL or local path
@@ -6641,9 +8138,11 @@ async function runFirstTimeSetup(port, origin) {
   ${paint.dim("Skip future prompts: set WASPER_NO_FIRST_RUN=1")}
 `);
 }
+var SPIN_FRAMES;
 var init_start = __esm(() => {
   init_server();
   init_handler();
+  init_capture();
   init_routes();
   init_bus();
   init_db();
@@ -6652,6 +8151,101 @@ var init_start = __esm(() => {
   init_config();
   init_update();
   init_ui();
+  init_repl();
+  init_routes();
+  SPIN_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
+});
+// src/commands/use.ts
+var exports_use = {};
+__export(exports_use, {
+  run: () => run7
+});
+async function run7() {
+  const args = process.argv.slice(2).filter((a) => !a.startsWith("-"));
+  const target = args[1];
+  if (!target) {
+    console.error(`
+  Usage: wasper use <number|url>
+`);
+    process.exit(1);
+  }
+  const history = dbQueries.getSpecHistory();
+  let url = null;
+  const num = parseInt(target, 10);
+  if (!isNaN(num) && num >= 1 && num <= history.length) {
+    url = history[num - 1]?.url ?? null;
+  } else if (target.startsWith("http")) {
+    url = target;
+  } else {
+    const match = history.find((r) => r.title?.toLowerCase().includes(target.toLowerCase()));
+    if (match)
+      url = match.url;
+  }
+  if (!url) {
+    console.error(`
+  ${paint.red("\u2717")}  Spec not found: ${target}
+`);
+    console.error(`  Run ${paint.cyan("wasper ls")} to see saved specs.
+`);
+    process.exit(1);
+  }
+  console.log(`
+  ${paint.dim("\u2192")}  Starting with ${paint.cyan(url)}
+`);
+  const { run: startRun } = await Promise.resolve().then(() => (init_start(), exports_start));
+  await startRun({ url });
+}
+var init_use = __esm(() => {
+  init_db();
+  init_ui();
+});
+// src/commands/rm.ts
+var exports_rm = {};
+__export(exports_rm, {
+  run: () => run8
+});
+async function run8() {
+  const args = process.argv.slice(2).filter((a) => !a.startsWith("-"));
+  const target = args[1];
+  if (!target) {
+    console.error(`
+  Usage: wasper rm <number|url>
+`);
+    process.exit(1);
+  }
+  const history = dbQueries.getSpecHistory();
+  let id = null;
+  let label = null;
+  const num = parseInt(target, 10);
+  if (!isNaN(num) && num >= 1 && num <= history.length) {
+    const row = history[num - 1];
+    if (row) {
+      id = row.id;
+      label = row.title ?? row.url;
+    }
+  } else {
+    const match = history.find((r) => r.url === target || r.title?.toLowerCase().includes(target.toLowerCase()));
+    if (match) {
+      id = match.id;
+      label = match.title ?? match.url;
+    }
+  }
+  if (!id) {
+    console.error(`
+  ${paint.red("\u2717")}  Spec not found: ${target}
+`);
+    process.exit(1);
+  }
+  dbQueries.deleteSpec(id);
+  console.log(`
+  ${paint.green("\u2713")}  Removed ${paint.dim(label ?? id)}
+`);
+}
+var init_rm = __esm(() => {
+  init_db();
+  init_ui();
 });
 // cli.ts
@@ -6675,6 +8269,17 @@ switch (subcommand) {
   case "reload":
     await Promise.resolve().then(() => (init_reload(), exports_reload)).then((m) => m.run());
     break;
+  case "ls":
+  case "list":
+    await Promise.resolve().then(() => (init_ls(), exports_ls)).then((m) => m.run());
+    break;
+  case "use":
+    await Promise.resolve().then(() => (init_use(), exports_use)).then((m) => m.run());
+    break;
+  case "rm":
+  case "remove":
+    await Promise.resolve().then(() => (init_rm(), exports_rm)).then((m) => m.run());
+    break;
   case "start":
   default:
     await Promise.resolve().then(() => (init_start(), exports_start)).then((m) => m.run());