npm - wasper-cli - Versions diffs - 0.1.0 → 0.3.0 - Mend

wasper-cli 0.1.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.js CHANGED Viewed

@@ -2938,6 +2938,92 @@ function extractSecuritySchemes(doc) {
   }
   return result;
 }
+function toEnvKey(str) {
+  return str.replace(/[^a-zA-Z0-9]+(.)/g, (_, c) => c.toUpperCase()).replace(/^[A-Z]/, (c) => c.toLowerCase()).replace(/[^a-zA-Z0-9_]/g, "") || str.replace(/[^a-zA-Z0-9_]/g, "_").toLowerCase();
+}
+function extractSuggestedVars(rawText, baseUrl) {
+  let raw;
+  try {
+    raw = rawText.trimStart().startsWith("{") ? JSON.parse(rawText) : index_vite_proxy_tmp_default.load(rawText);
+  } catch {
+    return [];
+  }
+  const vars = [];
+  const seen = new Set;
+  const add = (key, value, description, source) => {
+    const k = key.trim();
+    if (!k || seen.has(k))
+      return;
+    seen.add(k);
+    vars.push({ key: k, value, description, source });
+  };
+  if (baseUrl)
+    add("baseUrl", baseUrl, "API base URL", "server");
+  const servers = raw.servers ?? [];
+  for (const server of servers.slice(0, 5)) {
+    if (!server.variables)
+      continue;
+    for (const [key, def] of Object.entries(server.variables)) {
+      add(toEnvKey(key), def.default ?? "", def.description ?? `Server variable: ${key}`, "server");
+    }
+  }
+  const components = raw.components ?? {};
+  const secSchemes = components.securitySchemes ?? {};
+  for (const [schemeName, scheme] of Object.entries(secSchemes)) {
+    if (!scheme || typeof scheme !== "object")
+      continue;
+    const type = scheme.type;
+    const slug = toEnvKey(schemeName);
+    if (type === "http") {
+      const httpScheme = (scheme.scheme ?? "").toLowerCase();
+      if (httpScheme === "bearer") {
+        add(`${slug}Token`, "", `Bearer token for ${schemeName}`, "auth");
+      } else if (httpScheme === "basic") {
+        add(`${slug}Username`, "", `Username for ${schemeName}`, "auth");
+        add(`${slug}Password`, "", `Password for ${schemeName}`, "auth");
+      }
+    } else if (type === "apiKey") {
+      const keyName = scheme.name ?? schemeName;
+      add(toEnvKey(keyName), "", `API key header/param: ${keyName}`, "auth");
+    } else if (type === "oauth2") {
+      add(`${slug}ClientId`, "", `OAuth2 client ID for ${schemeName}`, "auth");
+      add(`${slug}ClientSecret`, "", `OAuth2 client secret for ${schemeName}`, "auth");
+      add(`${slug}Token`, "", `OAuth2 access token for ${schemeName}`, "auth");
+    } else if (type === "openIdConnect") {
+      add(`${slug}Token`, "", `Access token for ${schemeName}`, "auth");
+    }
+  }
+  const paths = raw.paths ?? {};
+  const pathKeys = Object.keys(paths);
+  const paramFreq = {};
+  for (const [pathStr, pathItem] of Object.entries(paths)) {
+    if (!pathItem || typeof pathItem !== "object")
+      continue;
+    const params = pathItem.parameters ?? [];
+    const seenInPath = new Set;
+    for (const p of params) {
+      if (p.in === "path" && p.name && !seenInPath.has(p.name)) {
+        seenInPath.add(p.name);
+        paramFreq[p.name] = (paramFreq[p.name] ?? 0) + 1;
+      }
+    }
+    for (const [, param] of pathStr.matchAll(/\{([^}]+)\}/g)) {
+      if (!param)
+        continue;
+      if (!seenInPath.has(param)) {
+        seenInPath.add(param);
+        paramFreq[param] = (paramFreq[param] ?? 0) + 1;
+      }
+    }
+  }
+  const threshold = Math.max(3, Math.floor(pathKeys.length * 0.15));
+  for (const [name, count] of Object.entries(paramFreq)) {
+    if (count >= threshold) {
+      add(toEnvKey(name), "", `Common path param: {${name}}`, "path");
+    }
+  }
+  return vars;
+}
 var HTTP_METHODS;
 var init_parser = __esm(() => {
   init_js_yaml();
@@ -3045,6 +3131,41 @@ var SCHEMA = `
     updated_at INTEGER NOT NULL DEFAULT (unixepoch())
   );
   CREATE INDEX IF NOT EXISTS idx_saved_folder ON saved_requests(folder, created_at DESC);
+  CREATE TABLE IF NOT EXISTS spec_history (
+    id TEXT PRIMARY KEY,
+    url TEXT NOT NULL UNIQUE,
+    title TEXT,
+    version TEXT,
+    endpoint_count INTEGER,
+    last_used INTEGER NOT NULL DEFAULT (unixepoch()),
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_spec_history_last_used ON spec_history(last_used DESC);
+  CREATE TABLE IF NOT EXISTS workflows (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL DEFAULT 'Untitled Workflow',
+    description TEXT NOT NULL DEFAULT '',
+    steps TEXT NOT NULL DEFAULT '[]',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch()),
+    updated_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_workflows_updated ON workflows(updated_at DESC);
+  CREATE TABLE IF NOT EXISTS capture_bins (
+    id TEXT PRIMARY KEY,
+    name TEXT NOT NULL DEFAULT '',
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE TABLE IF NOT EXISTS chat_memory (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    role TEXT NOT NULL,
+    content TEXT NOT NULL,
+    created_at INTEGER NOT NULL DEFAULT (unixepoch())
+  );
+  CREATE INDEX IF NOT EXISTS idx_memory_created ON chat_memory(created_at DESC);
 `;
 // src/db/index.ts
@@ -3188,9 +3309,55 @@ var init_db = __esm(() => {
       db.query(`UPDATE saved_requests SET ${cols}, updated_at = unixepoch() WHERE id = $id`).run(params);
     },
     deleteSavedRequest: (id) => db.query("DELETE FROM saved_requests WHERE id = ?").run(id),
+    getSpecHistory: () => db.query("SELECT * FROM spec_history ORDER BY last_used DESC").all(),
+    getLastSpec: () => db.query("SELECT * FROM spec_history ORDER BY last_used DESC LIMIT 1").get(),
+    upsertSpec: (url, title, version, endpointCount) => {
+      const existing = db.query("SELECT id FROM spec_history WHERE url = ?").get(url);
+      if (existing) {
+        db.query("UPDATE spec_history SET title=?, version=?, endpoint_count=?, last_used=unixepoch() WHERE url=?").run(title, version, endpointCount, url);
+      } else {
+        db.query(`INSERT INTO spec_history (id, url, title, version, endpoint_count)
+        VALUES (?, ?, ?, ?, ?)`).run(randomUUID2(), url, title, version, endpointCount);
+      }
+    },
+    deleteSpec: (id) => {
+      db.query("DELETE FROM spec_history WHERE id = ?").run(id);
+    },
+    getWorkflows: () => db.query("SELECT * FROM workflows ORDER BY updated_at DESC").all(),
+    getWorkflow: (id) => db.query("SELECT * FROM workflows WHERE id = ?").get(id),
+    insertWorkflow: (w) => db.query("INSERT INTO workflows (id, name, description, steps) VALUES ($id, $name, $description, $steps)").run({ $id: w.id, $name: w.name, $description: w.description, $steps: w.steps }),
+    updateWorkflow: (id, patch) => {
+      const cols = Object.keys(patch).map((k) => `${k} = $${k}`).join(", ");
+      const params = { $id: id };
+      for (const [k, v] of Object.entries(patch))
+        params[`$${k}`] = v;
+      db.query(`UPDATE workflows SET ${cols}, updated_at = unixepoch() WHERE id = $id`).run(params);
+    },
+    deleteWorkflow: (id) => db.query("DELETE FROM workflows WHERE id = ?").run(id),
+    getCaptureBins: () => db.query("SELECT * FROM capture_bins ORDER BY created_at DESC").all(),
+    getCaptureBin: (id) => db.query("SELECT * FROM capture_bins WHERE id = ?").get(id),
+    insertCaptureBin: (id, name) => {
+      db.query("INSERT INTO capture_bins (id, name) VALUES (?, ?)").run(id, name);
+    },
+    deleteCaptureBin: (id) => {
+      db.query("DELETE FROM capture_bins WHERE id = ?").run(id);
+    },
     getSetting: (key) => (db.query("SELECT value FROM settings WHERE key = ?").get(key) ?? null)?.value ?? null,
     setSetting: (key, value) => {
       db.run("INSERT INTO settings(key,value) VALUES(?,?) ON CONFLICT(key) DO UPDATE SET value=excluded.value", [key, value]);
+    },
+    saveMemory: (role, content) => {
+      db.query("INSERT INTO chat_memory (role, content) VALUES (?, ?)").run(role, content);
+    },
+    getMemory: (limit = 20) => {
+      const rows = db.query("SELECT role, content FROM chat_memory ORDER BY created_at DESC LIMIT ?").all(limit);
+      return rows.reverse();
+    },
+    clearMemory: () => {
+      db.query("DELETE FROM chat_memory").run();
+    },
+    trimMemory: (keepLast = 40) => {
+      db.query("DELETE FROM chat_memory WHERE id NOT IN (SELECT id FROM chat_memory ORDER BY created_at DESC LIMIT ?)").run(keepLast);
     }
   };
 });
@@ -3226,6 +3393,18 @@ class LogBus {
       }
     }
   }
+  broadcastServerEvent(payload) {
+    if (this.clients.size === 0)
+      return;
+    const data = JSON.stringify({ type: "server_event", ...payload });
+    for (const ws of this.clients) {
+      try {
+        ws.send(data);
+      } catch {
+        this.clients.delete(ws);
+      }
+    }
+  }
   get clientCount() {
     return this.clients.size;
   }
@@ -3428,7 +3607,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "wasper-cli",
-    version: "0.1.0",
+    version: "0.3.0",
     description: "Host an MCP server + API proxy from any OpenAPI spec. Like Drizzle Studio, but for APIs.",
     type: "module",
     homepage: "https://wasper.site",
@@ -4156,160 +4335,965 @@ var init_handler = __esm(() => {
   };
 });
-// src/api/routes.ts
-import dns from "dns/promises";
-function json(data, status = 200) {
-  return new Response(JSON.stringify(data), {
-    status,
+// src/proxy/capture.ts
+async function captureHandler(req) {
+  if (req.method === "OPTIONS") {
+    return new Response(null, { status: 204, headers: CORS3 });
+  }
+  const url = new URL(req.url);
+  const binId = url.pathname.split("/").filter(Boolean)[1];
+  if (!binId)
+    return new Response("Not found", { status: 404 });
+  const bin = dbQueries.getCaptureBin(binId);
+  if (!bin) {
+    return new Response(JSON.stringify({ error: "Capture bin not found or deleted" }), {
+      status: 404,
+      headers: { "Content-Type": "application/json", ...CORS3 }
+    });
+  }
+  const body = req.method !== "GET" && req.method !== "HEAD" ? await req.text().catch(() => null) : null;
+  const reqHeaders = {};
+  for (const [k, v] of req.headers.entries()) {
+    if (!["host", "connection"].includes(k.toLowerCase()))
+      reqHeaders[k] = v;
+  }
+  const id = randomUUID2();
+  const now = Date.now();
+  dbQueries.insertLog({
+    id,
+    source: "capture",
+    tool_name: binId,
+    method: req.method,
+    url: req.url,
+    request_headers: JSON.stringify(reqHeaders),
+    request_body: body,
+    status_code: 200,
+    response_headers: null,
+    response_body: null,
+    latency_ms: 0,
+    error: null
+  });
+  logBus.emit({
+    id,
+    source: "capture",
+    tool_name: binId,
+    method: req.method,
+    url: req.url,
+    request_headers: JSON.stringify(reqHeaders),
+    request_body: body,
+    status_code: 200,
+    response_headers: null,
+    response_body: null,
+    latency_ms: 0,
+    error: null,
+    created_at: now
+  });
+  return new Response(JSON.stringify({ ok: true, id, captured_at: now }), {
+    status: 200,
     headers: { "Content-Type": "application/json", ...CORS3 }
   });
 }
-function notFound(msg = "Not found") {
-  return json({ error: msg }, 404);
-}
-function badRequest(msg) {
-  return json({ error: msg }, 400);
-}
-async function apiRouter(req) {
-  if (req.method === "OPTIONS")
-    return new Response(null, { status: 204, headers: CORS3 });
-  const { pathname: path, searchParams } = new URL(req.url);
-  const method = req.method;
-  if (path === "/api/status" && method === "GET")
-    return handleStatus();
-  if (path === "/api/logs" && method === "GET")
-    return handleGetLogs(searchParams);
-  if (path === "/api/logs" && method === "DELETE")
-    return handleClearLogs();
-  if (path === "/api/auth/profiles" && method === "GET")
-    return handleGetProfiles();
-  if (path === "/api/auth/profiles" && method === "POST")
-    return handleCreateProfile(req);
-  if (path.startsWith("/api/auth/profiles/") && method === "PUT")
-    return handleUpdateProfile(req, path);
-  if (path.startsWith("/api/auth/profiles/") && method === "DELETE")
-    return handleDeleteProfile(path);
-  if (path.match(/^\/api\/auth\/profiles\/[^/]+\/activate$/) && method === "POST")
-    return handleActivateProfile(path);
-  if (path === "/api/auth" && method === "GET")
-    return handleGetAuth();
-  if (path === "/api/auth" && method === "PUT")
-    return handleSetAuth(req);
-  if (path === "/api/auth/test" && method === "POST")
-    return handleTestAuth();
-  if (path === "/api/explorer/request" && method === "POST")
-    return handleExplorerRequest(req);
-  if (path === "/api/spec/endpoints" && method === "GET")
-    return handleGetEndpoints();
-  if (path === "/api/settings" && method === "GET")
-    return handleGetSettings();
-  if (path === "/api/settings" && method === "PUT")
-    return handleSetSettings(req);
-  if (path === "/api/spec/upload" && method === "POST")
-    return handleSpecUpload(req);
-  if (path === "/api/spec/reload-url" && method === "POST")
-    return handleSpecReloadUrl(req);
-  if (path === "/api/intercept" && method === "GET")
-    return handleGetRules();
-  if (path === "/api/intercept" && method === "POST")
-    return handleCreateRule(req);
-  if (path.startsWith("/api/intercept/") && method === "PUT")
-    return handleUpdateRule(req, path);
-  if (path.startsWith("/api/intercept/") && method === "DELETE")
-    return handleDeleteRule(path);
-  if (path === "/api/ai/chat" && method === "POST")
-    return handleAiChat(req);
-  if (path === "/api/debug/dns" && method === "GET")
-    return handleDnsQuery(searchParams);
-  if (path === "/api/debug/ping" && method === "GET")
-    return handlePing(searchParams);
-  if (path === "/api/reload" && method === "POST")
-    return handleReload();
-  if (path === "/api/server-info" && method === "GET")
-    return handleServerInfo();
-  if (path === "/api/features" && method === "GET")
-    return json(getFeatures());
-  if (path === "/api/features" && method === "PUT")
-    return handleSetFeatures(req);
-  if (path === "/api/saved" && method === "GET")
-    return handleGetSaved();
-  if (path === "/api/saved" && method === "POST")
-    return handleCreateSaved(req);
-  if (path.startsWith("/api/saved/") && method === "PUT")
-    return handleUpdateSaved(req, path);
-  if (path.startsWith("/api/saved/") && method === "DELETE")
-    return handleDeleteSaved(path);
-  return notFound("API route not found");
+var CORS3;
+var init_capture = __esm(() => {
+  init_db();
+  init_bus();
+  CORS3 = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD",
+    "Access-Control-Allow-Headers": "*",
+    "Access-Control-Expose-Headers": "*"
+  };
+});
+// src/workflows/engine.ts
+function interpolate(val, ctx) {
+  return val.replace(/\{\{(\w+)\}\}/g, (_, k) => ctx[k] ?? `{{${k}}}`);
 }
-function handleStatus() {
-  if (!hasState()) {
-    return json({ ok: true, version: VERSION, spec: null, endpointCount: 0, wsClients: logBus.clientCount });
+function interpolateDeep(obj, ctx) {
+  if (typeof obj === "string")
+    return interpolate(obj, ctx);
+  if (Array.isArray(obj))
+    return obj.map((v) => interpolateDeep(v, ctx));
+  if (obj !== null && typeof obj === "object") {
+    const out = {};
+    for (const [k, v] of Object.entries(obj))
+      out[k] = interpolateDeep(v, ctx);
+    return out;
   }
-  const { spec, operations } = getState();
-  return json({
-    ok: true,
-    version: VERSION,
-    spec: { title: spec.title, version: spec.version, baseUrl: spec.baseUrl, url: spec.url },
-    endpointCount: operations.length,
-    wsClients: logBus.clientCount
-  });
+  return obj;
 }
-async function handleReload() {
-  if (!hasState())
-    return badRequest("No spec loaded");
-  const { specUrl } = getState();
-  if (!specUrl)
-    return json({ error: "Spec was uploaded manually \u2014 cannot reload from URL" }, 400);
-  try {
-    const s = await loadSpec(specUrl);
-    return json({ ok: true, spec: s.spec.title, version: s.spec.version, endpoints: s.operations.length });
-  } catch (e) {
-    return json({ error: e instanceof Error ? e.message : String(e) }, 500);
+function resolveJsonPath(data, path) {
+  if (!path || path === "$")
+    return data;
+  const normalized = path.startsWith("$.") ? path.slice(2) : path.startsWith("$[") ? path.slice(1) : path;
+  if (!normalized)
+    return data;
+  const parts = [];
+  for (const seg of normalized.split(".")) {
+    const m = seg.match(/^(\w+)\[(\d+)\]$/);
+    if (m) {
+      parts.push(m[1], parseInt(m[2], 10));
+    } else if (/^\d+$/.test(seg)) {
+      parts.push(parseInt(seg, 10));
+    } else {
+      parts.push(seg);
+    }
+  }
+  let cur = data;
+  for (const part of parts) {
+    if (cur === null || cur === undefined)
+      return;
+    cur = typeof part === "number" ? cur[part] : cur[part];
   }
+  return cur;
 }
-async function handleSetFeatures(req) {
-  let body;
+async function executeStep(step, ctx) {
+  const { spec } = getState();
+  let base = spec.baseUrl;
+  if (!base?.startsWith("http") && spec.url) {
+    try {
+      base = new URL(spec.url).origin;
+    } catch {}
+  }
+  if (!base?.startsWith("http"))
+    throw new Error("Spec has no absolute server URL");
+  let urlPath = step.path;
+  for (const [k, v] of Object.entries(step.pathParams ?? {})) {
+    urlPath = urlPath.replace(`{${k}}`, encodeURIComponent(interpolate(v, ctx)));
+  }
+  urlPath = interpolate(urlPath, ctx);
+  const urlObj = new URL(`${base.replace(/\/$/, "")}${urlPath.startsWith("/") ? urlPath : `/${urlPath}`}`);
+  for (const [k, v] of Object.entries(step.queryParams ?? {})) {
+    urlObj.searchParams.set(k, interpolate(v, ctx));
+  }
+  const stepHeaders = {};
+  for (const [k, v] of Object.entries(step.headers ?? {})) {
+    stepHeaders[k] = interpolate(v, ctx);
+  }
+  const authRow = dbQueries.getAuthConfig();
+  const authConfig = authRow ? JSON.parse(authRow.config) : { type: "none" };
+  const { url: authedUrl, headers: authedHeaders } = await applyAuth(urlObj.toString(), stepHeaders, authConfig);
+  const noBodyMethod = ["GET", "HEAD", "OPTIONS"].includes(step.method.toUpperCase());
+  let bodyStr;
+  if (!noBodyMethod && step.body !== undefined && step.body !== null) {
+    const interpolated = interpolateDeep(step.body, ctx);
+    bodyStr = typeof interpolated === "string" ? interpolated : JSON.stringify(interpolated);
+    if (!authedHeaders["Content-Type"] && !authedHeaders["content-type"]) {
+      authedHeaders["Content-Type"] = "application/json";
+    }
+  }
+  const start = Date.now();
+  const res = await fetch(authedUrl, {
+    method: step.method.toUpperCase(),
+    headers: authedHeaders,
+    ...bodyStr !== undefined ? { body: bodyStr } : {},
+    signal: AbortSignal.timeout(30000)
+  });
+  const latency = Date.now() - start;
+  const responseHeaders = {};
+  res.headers.forEach((v, k) => {
+    responseHeaders[k] = v;
+  });
+  const responseText = await res.text();
+  let responseData;
   try {
-    body = await req.json();
+    responseData = JSON.parse(responseText);
   } catch {
-    return badRequest("Invalid JSON");
+    responseData = responseText;
   }
-  const patch = {};
-  for (const key of ["mcp", "proxy", "ai", "readonly"]) {
-    if (typeof body[key] === "boolean")
-      patch[key] = body[key];
+  const extractedVars = {};
+  for (const ext of step.extract ?? []) {
+    const val = resolveJsonPath(responseData, ext.path);
+    if (val !== undefined && val !== null) {
+      extractedVars[ext.var] = typeof val === "string" ? val : JSON.stringify(val);
+    }
   }
-  setFeatures(patch);
-  return json(getFeatures());
-}
-function handleServerInfo() {
-  const state = hasState() ? getState() : null;
-  return json({
-    pid: process.pid,
-    port: parseInt(process.env._OA_PORT ?? "3388", 10),
-    startedAt: parseInt(process.env._OA_STARTED ?? "0", 10),
-    features: getFeatures(),
-    spec: state ? {
-      title: state.spec.title,
-      version: state.spec.version,
-      endpointCount: state.operations.length,
-      specUrl: state.specUrl ?? null
-    } : null
-  });
+  const assertions = [];
+  for (const a of step.assert ?? []) {
+    if (a.type === "status") {
+      const expected = a.statusCode ?? 200;
+      const pass2 = res.status === expected;
+      assertions.push({ pass: pass2, message: `HTTP ${res.status} ${pass2 ? "==" : "!="} ${expected}` });
+    } else if (a.type === "json") {
+      const val = resolveJsonPath(responseData, a.path ?? "$");
+      if ("eq" in a) {
+        const pass2 = JSON.stringify(val) === JSON.stringify(a.eq);
+        assertions.push({ pass: pass2, message: `${a.path} ${pass2 ? "==" : "!="} ${JSON.stringify(a.eq)}` });
+      } else if ("contains" in a && typeof val === "string") {
+        const pass2 = val.includes(a.contains);
+        assertions.push({ pass: pass2, message: `${a.path} ${pass2 ? "contains" : "doesn't contain"} "${a.contains}"` });
+      }
+    }
+  }
+  const pass = assertions.length === 0 ? res.ok : assertions.every((a) => a.pass);
+  return {
+    stepId: step.id,
+    label: step.label,
+    method: step.method,
+    resolvedPath: urlPath,
+    requestUrl: authedUrl,
+    requestHeaders: authedHeaders,
+    requestBody: bodyStr,
+    status: res.status,
+    statusText: res.statusText,
+    responseHeaders,
+    latency,
+    extractedVars,
+    assertions,
+    pass,
+    responseBody: responseText.slice(0, 1e4)
+  };
 }
-async function handleSpecUpload(req) {
-  let content;
-  let filename = "spec";
-  const ct = req.headers.get("content-type") ?? "";
-  if (ct.includes("multipart/form-data")) {
-    let form;
+async function runWorkflow(steps, emit, signal) {
+  const ctx = {};
+  let passed = 0;
+  emit({ type: "run_start", totalSteps: steps.length });
+  for (const step of steps) {
+    if (signal?.aborted) {
+      emit({ type: "run_aborted", message: "Run cancelled" });
+      return;
+    }
+    emit({ type: "step_start", stepId: step.id, label: step.label, method: step.method, path: step.path });
     try {
-      form = await req.formData();
-    } catch {
-      return badRequest("Invalid form data");
+      const result = await executeStep(step, ctx);
+      for (const [k, v] of Object.entries(result.extractedVars))
+        ctx[k] = v;
+      ctx[`${step.id}_status`] = String(result.status ?? "");
+      if (result.pass)
+        passed++;
+      emit({
+        type: "step_done",
+        stepId: result.stepId,
+        label: result.label,
+        method: result.method,
+        resolvedPath: result.resolvedPath,
+        requestUrl: result.requestUrl,
+        requestHeaders: result.requestHeaders,
+        requestBody: result.requestBody,
+        status: result.status,
+        statusText: result.statusText,
+        responseHeaders: result.responseHeaders,
+        latency: result.latency,
+        extractedVars: result.extractedVars,
+        assertions: result.assertions,
+        pass: result.pass,
+        responseBody: result.responseBody
+      });
+    } catch (e) {
+      emit({
+        type: "step_error",
+        stepId: step.id,
+        label: step.label,
+        method: step.method,
+        path: step.path,
+        error: e instanceof Error ? e.message : String(e),
+        pass: false
+      });
     }
-    const file = form.get("file");
-    if (!file || typeof file === "string")
+  }
+  emit({ type: "run_done", totalSteps: steps.length, passedSteps: passed });
+}
+var init_engine2 = __esm(() => {
+  init_engine();
+  init_db();
+  init_state();
+});
+// src/agent/harness.ts
+function mergeSignals(a, b) {
+  if (!a && !b)
+    return new AbortController().signal;
+  if (!a)
+    return b;
+  if (!b)
+    return a;
+  const ctrl = new AbortController;
+  const abort = () => ctrl.abort();
+  a.addEventListener("abort", abort, { once: true });
+  b.addEventListener("abort", abort, { once: true });
+  return ctrl.signal;
+}
+async function fetchWithRetry(url, opts, emit, signal, maxRetries = 4) {
+  for (let attempt = 0;attempt <= maxRetries; attempt++) {
+    const stepSignal = signal;
+    let res;
+    try {
+      res = await fetch(url, { ...opts, signal: stepSignal });
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      if (signal?.aborted)
+        throw e;
+      if (attempt === maxRetries)
+        throw e;
+      const isNetwork = msg.includes("ECONNREFUSED") || msg.includes("ENOTFOUND") || msg.includes("network") || msg.includes("fetch");
+      if (!isNetwork)
+        throw e;
+      const delay2 = Math.min(1000 * Math.pow(2, attempt) + Math.random() * 300, 15000);
+      emit({ type: "info", message: `Network error, retrying in ${Math.round(delay2 / 1000)}s\u2026` });
+      await new Promise((r) => setTimeout(r, delay2));
+      continue;
+    }
+    if (!RETRYABLE_STATUS.has(res.status) || attempt === maxRetries)
+      return res;
+    const retryAfter = parseInt(res.headers.get("retry-after") ?? "0", 10);
+    const delay = retryAfter > 0 ? retryAfter * 1000 : Math.min(1000 * Math.pow(2, attempt) + Math.random() * 300, 30000);
+    const label = res.status === 429 ? "Rate limited" : `Server error ${res.status}`;
+    emit({ type: "info", message: `${label} \u2014 retrying in ${Math.round(delay / 1000)}s\u2026 (attempt ${attempt + 1}/${maxRetries})` });
+    await new Promise((r) => setTimeout(r, delay));
+  }
+  return fetch(url, opts);
+}
+function trimContext(messages) {
+  if (JSON.stringify(messages).length <= MAX_CONTEXT_CHARS)
+    return { messages, trimmed: false };
+  const result = [...messages];
+  while (JSON.stringify(result).length > MAX_CONTEXT_CHARS && result.length > 2) {
+    let removed = false;
+    const toolIdx = result.findIndex((m) => m.role === "tool");
+    if (toolIdx !== -1) {
+      result.splice(toolIdx, 1);
+      if (toolIdx > 0) {
+        const prev = result[toolIdx - 1];
+        if (prev?.role === "assistant") {
+          const tc = prev.tool_calls;
+          if (Array.isArray(tc) && tc.length)
+            result.splice(toolIdx - 1, 1);
+        }
+      }
+      removed = true;
+    }
+    if (!removed) {
+      const anthropicIdx = result.findIndex((m) => {
+        if (m.role !== "user")
+          return false;
+        const c = m.content;
+        return Array.isArray(c) && c.some((b) => b.type === "tool_result");
+      });
+      if (anthropicIdx !== -1) {
+        result.splice(anthropicIdx, 1);
+        if (anthropicIdx > 0 && result[anthropicIdx - 1]?.role === "assistant") {
+          result.splice(anthropicIdx - 1, 1);
+        }
+        removed = true;
+      }
+    }
+    if (!removed)
+      break;
+  }
+  return { messages: result, trimmed: true };
+}
+async function* readSSE(body) {
+  const reader = body.getReader();
+  const decoder = new TextDecoder;
+  let buf = "";
+  try {
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done)
+        break;
+      buf += decoder.decode(value, { stream: true });
+      const parts = buf.split(`
+`);
+      buf = parts.pop() ?? "";
+      for (const part of parts) {
+        let data = "";
+        for (const line of part.split(`
+`)) {
+          if (line.startsWith("data: ")) {
+            data = line.slice(6);
+            break;
+          }
+        }
+        if (!data || data === "[DONE]")
+          continue;
+        try {
+          yield JSON.parse(data);
+        } catch {}
+      }
+    }
+  } finally {
+    reader.releaseLock();
+  }
+}
+function buildAnthropicTools(schemas) {
+  return schemas.map((s) => ({
+    name: s.name,
+    description: s.description,
+    input_schema: { type: "object", properties: s.params, required: s.required }
+  }));
+}
+async function streamAnthropic(cfg, system, messages, tools, emit, signal) {
+  const base = (cfg.baseUrl || "https://api.anthropic.com").replace(/\/$/, "");
+  const systemContent = cfg.enablePromptCache ? [{ type: "text", text: system, cache_control: { type: "ephemeral" } }] : system;
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/v1/messages`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      "x-api-key": cfg.apiKey,
+      "anthropic-version": "2023-06-01",
+      ...cfg.enablePromptCache ? { "anthropic-beta": "prompt-caching-1-0" } : {},
+      ...cfg.extraHeaders
+    },
+    body: JSON.stringify({
+      model: cfg.model,
+      max_tokens: cfg.maxTokens,
+      temperature: cfg.temperature,
+      ...cfg.topK > 0 ? { top_k: cfg.topK } : {},
+      system: systemContent,
+      messages,
+      tools,
+      stream: true
+    })
+  }, emit, stepSignal);
+  if (!res.ok) {
+    const body = await res.text();
+    const retryable = RETRYABLE_STATUS.has(res.status);
+    throw Object.assign(new Error(`Anthropic ${res.status}: ${body}`), { retryable });
+  }
+  const result = { text: "", thinking: "", stopReason: "", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+  const blocks = [];
+  const inputAccum = {};
+  for await (const ev of readSSE(res.body)) {
+    if (signal.aborted)
+      break;
+    const evType = ev.type;
+    if (evType === "message_start") {
+      const usage = ev.message?.usage;
+      if (usage) {
+        result.usage.input = usage.input_tokens ?? 0;
+        result.usage.cacheRead = usage.cache_read_input_tokens ?? 0;
+        result.usage.cacheWrite = usage.cache_creation_input_tokens ?? 0;
+      }
+    } else if (evType === "content_block_start") {
+      const idx = ev.index;
+      const cb = ev.content_block;
+      blocks[idx] = { type: cb.type, id: cb.id, name: cb.name };
+      if (cb.type === "tool_use")
+        inputAccum[idx] = "";
+    } else if (evType === "content_block_delta") {
+      const idx = ev.index;
+      const delta = ev.delta;
+      if (delta.type === "text_delta" && delta.text) {
+        result.text += delta.text;
+        if (!blocks[idx])
+          blocks[idx] = { type: "text" };
+        blocks[idx].text = (blocks[idx].text ?? "") + delta.text;
+        emit({ type: "text_delta", text: delta.text });
+      } else if (delta.type === "thinking_delta" && delta.thinking) {
+        result.thinking += delta.thinking;
+        emit({ type: "thinking", text: delta.thinking });
+      } else if (delta.type === "input_json_delta" && delta.partial_json) {
+        inputAccum[idx] = (inputAccum[idx] ?? "") + delta.partial_json;
+      }
+    } else if (evType === "content_block_stop") {
+      const idx = ev.index;
+      if (blocks[idx]?.type === "tool_use") {
+        try {
+          blocks[idx].input = JSON.parse(inputAccum[idx] ?? "{}");
+        } catch {
+          blocks[idx].input = {};
+        }
+      }
+    } else if (evType === "message_delta") {
+      const delta = ev.delta;
+      const usage = ev.usage;
+      if (delta.stop_reason)
+        result.stopReason = delta.stop_reason;
+      if (usage?.output_tokens)
+        result.usage.output = usage.output_tokens;
+    }
+  }
+  for (const b of blocks) {
+    if (b.type === "tool_use" && b.id && b.name) {
+      result.toolUses.push({ id: b.id, name: b.name, input: b.input ?? {} });
+    }
+  }
+  result._anthropicBlocks = blocks;
+  return result;
+}
+function buildOpenAITools(schemas) {
+  return schemas.map((s) => ({
+    type: "function",
+    function: { name: s.name, description: s.description, parameters: { type: "object", properties: s.params, required: s.required } }
+  }));
+}
+async function streamOpenAI(cfg, system, messages, tools, emit, signal) {
+  const providerBases = {
+    openai: "https://api.openai.com",
+    mistral: "https://api.mistral.ai",
+    groq: "https://api.groq.com/openai",
+    "github-copilot": "https://api.githubcopilot.com"
+  };
+  const base = (cfg.baseUrl || providerBases[cfg.provider] || "https://api.openai.com").replace(/\/$/, "");
+  const providerHeaders = cfg.provider === "github-copilot" ? { "Copilot-Integration-Id": "vscode-chat", "Editor-Version": "vscode/1.85.0" } : {};
+  const authHeaders = cfg.apiKey ? { Authorization: `Bearer ${cfg.apiKey}` } : {};
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/v1/chat/completions`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json", ...authHeaders, ...providerHeaders, ...cfg.extraHeaders },
+    body: JSON.stringify({
+      model: cfg.model,
+      max_tokens: cfg.maxTokens,
+      temperature: cfg.temperature,
+      messages: [{ role: "system", content: system }, ...messages],
+      tools,
+      tool_choice: "auto",
+      stream: true,
+      stream_options: { include_usage: true }
+    })
+  }, emit, stepSignal);
+  if (!res.ok) {
+    const body = await res.text();
+    const retryable = RETRYABLE_STATUS.has(res.status);
+    throw Object.assign(new Error(body), { retryable });
+  }
+  const result = { text: "", thinking: "", stopReason: "", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+  const tcAccum = {};
+  for await (const ev of readSSE(res.body)) {
+    if (signal.aborted)
+      break;
+    if (ev.object === "error") {
+      const retryable = ev.code === "1300" || ev.raw_status_code === 429 || ev.raw_status_code === 503;
+      throw Object.assign(new Error(JSON.stringify(ev)), { retryable });
+    }
+    if (ev.usage) {
+      const u = ev.usage;
+      result.usage.input = u.prompt_tokens ?? 0;
+      result.usage.output = u.completion_tokens ?? 0;
+    }
+    const choices = ev.choices;
+    const choice = choices?.[0];
+    if (!choice)
+      continue;
+    const fr = choice.finish_reason;
+    if (fr)
+      result.stopReason = fr;
+    const delta = choice.delta;
+    if (!delta)
+      continue;
+    if (typeof delta.content === "string" && delta.content) {
+      result.text += delta.content;
+      emit({ type: "text_delta", text: delta.content });
+    }
+    const tcDeltas = delta.tool_calls;
+    if (tcDeltas) {
+      for (const tc of tcDeltas) {
+        if (!tcAccum[tc.index])
+          tcAccum[tc.index] = { id: "", name: "", args: "" };
+        const e = tcAccum[tc.index];
+        if (tc.id)
+          e.id += tc.id;
+        if (tc.function?.name)
+          e.name += tc.function.name;
+        if (tc.function?.arguments)
+          e.args += tc.function.arguments;
+      }
+    }
+  }
+  for (const tc of Object.values(tcAccum)) {
+    let input = {};
+    try {
+      input = JSON.parse(tc.args);
+    } catch {}
+    result.toolUses.push({ id: tc.id, name: tc.name, input });
+  }
+  result._openaiTcAccum = tcAccum;
+  return result;
+}
+async function callOllama(cfg, system, messages, emit, signal) {
+  const base = (cfg.baseUrl || "http://localhost:11434").replace(/\/$/, "");
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/api/chat`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ model: cfg.model, messages: [{ role: "system", content: system }, ...messages], stream: false })
+  }, emit, stepSignal);
+  if (!res.ok)
+    throw new Error(`Ollama ${res.status}: ${await res.text()}`);
+  const d = await res.json();
+  const text = d.message?.content ?? "";
+  emit({ type: "text_delta", text });
+  return { text, thinking: "", stopReason: "end_turn", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+}
+async function callGemini(cfg, system, messages, emit, signal) {
+  const base = (cfg.baseUrl || "https://generativelanguage.googleapis.com").replace(/\/$/, "");
+  const stepSignal = mergeSignals(signal, AbortSignal.timeout(cfg.stepTimeoutMs));
+  const res = await fetchWithRetry(`${base}/v1beta/models/${cfg.model}:generateContent?key=${cfg.apiKey}`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      systemInstruction: { parts: [{ text: system }] },
+      contents: messages.map((m) => ({
+        role: m.role === "assistant" ? "model" : "user",
+        parts: [{ text: m.content }]
+      })),
+      generationConfig: { maxOutputTokens: cfg.maxTokens }
+    })
+  }, emit, stepSignal);
+  if (!res.ok)
+    throw new Error(`Gemini ${res.status}: ${await res.text()}`);
+  const d = await res.json();
+  const text = d.candidates?.[0]?.content?.parts?.[0]?.text ?? "";
+  emit({ type: "text_delta", text });
+  return { text, thinking: "", stopReason: "end_turn", toolUses: [], usage: { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 } };
+}
+async function runAgentLoop(config2, system, initialMessages, toolSchemas, executeTool, emit, signal = new AbortController().signal, toolCache = new Map) {
+  const cfg = { ...DEFAULTS, ...config2 };
+  const isAnthropic = cfg.provider === "anthropic";
+  const isOllama = cfg.provider === "ollama";
+  const isGemini = cfg.provider === "gemini";
+  const anthropicTools = buildAnthropicTools(toolSchemas);
+  const openaiTools = buildOpenAITools(toolSchemas);
+  const messages = [...initialMessages];
+  const allToolCalls = [];
+  const totalTokens = { input: 0, output: 0, cacheRead: 0, cacheWrite: 0 };
+  let totalToolsUsed = 0;
+  let consecutiveErrors = 0;
+  const endpointErrors = {};
+  for (let iter = 0;iter < cfg.maxIterations; iter++) {
+    if (signal.aborted) {
+      return { content: "", toolCalls: allToolCalls, stopReason: "cancelled", tokens: totalTokens };
+    }
+    const { messages: trimmed, trimmed: didTrim } = trimContext(messages);
+    if (didTrim) {
+      emit({ type: "info", message: "Context trimmed to fit within limits." });
+      messages.splice(0, messages.length, ...trimmed);
+    }
+    let turn;
+    try {
+      if (isAnthropic) {
+        turn = await streamAnthropic(cfg, system, messages, anthropicTools, emit, signal);
+      } else if (isOllama) {
+        turn = await callOllama(cfg, system, messages, emit, signal);
+      } else if (isGemini) {
+        turn = await callGemini(cfg, system, messages, emit, signal);
+      } else {
+        turn = await streamOpenAI(cfg, system, messages, openaiTools, emit, signal);
+      }
+    } catch (e) {
+      if (signal.aborted) {
+        return { content: "", toolCalls: allToolCalls, stopReason: "cancelled", tokens: totalTokens };
+      }
+      const msg = e instanceof Error ? e.message : String(e);
+      const retryable = e.retryable ?? false;
+      emit({ type: "error", message: msg, retryable });
+      throw e;
+    }
+    totalTokens.input += turn.usage.input;
+    totalTokens.output += turn.usage.output;
+    totalTokens.cacheRead += turn.usage.cacheRead;
+    totalTokens.cacheWrite += turn.usage.cacheWrite;
+    if (turn.usage.input || turn.usage.output) {
+      emit({ type: "token_usage", ...turn.usage });
+    }
+    const wantsTools = isAnthropic ? turn.stopReason === "tool_use" : turn.stopReason === "tool_calls";
+    if (!wantsTools || turn.toolUses.length === 0) {
+      return { content: turn.text, toolCalls: allToolCalls, stopReason: "end_turn", tokens: totalTokens };
+    }
+    if (totalToolsUsed >= cfg.maxTotalTools) {
+      return {
+        content: `Agent stopped: reached ${cfg.maxTotalTools} tool calls. Break your request into smaller steps.`,
+        toolCalls: allToolCalls,
+        stopReason: "max_tools",
+        tokens: totalTokens
+      };
+    }
+    const dedupeKey = (name, input) => `${name}:${JSON.stringify(input)}`;
+    const turnResults = [];
+    const executeOne = async (use) => {
+      totalToolsUsed++;
+      const key = dedupeKey(use.name, use.input);
+      const cachedResult = toolCache.get(key);
+      const isCached = !!cachedResult;
+      emit({ type: "tool_start", id: use.id, tool: use.name, input: use.input, cached: isCached });
+      let result;
+      let ms = 0;
+      if (isCached) {
+        result = cachedResult;
+      } else {
+        const t0 = Date.now();
+        result = await executeTool(use.name, use.input);
+        ms = Date.now() - t0;
+        if (!result.isError && use.name !== "execute_api_request" && use.name !== "fetch_url") {
+          toolCache.set(key, result);
+        }
+      }
+      emit({ type: "tool_done", id: use.id, tool: use.name, output: result.text, isError: result.isError, ms, cached: isCached });
+      return { id: use.id, name: use.name, text: result.text, isError: result.isError, ms, cached: isCached };
+    };
+    const toolUses = turn.toolUses;
+    if (cfg.parallelTools && toolUses.length > 1) {
+      const pure = toolUses.filter((u) => u.name !== "execute_api_request" && u.name !== "fetch_url");
+      const sideEffect = toolUses.filter((u) => u.name === "execute_api_request" || u.name === "fetch_url");
+      const pureResults = await Promise.all(pure.map((u) => executeOne(u)));
+      const sideEffectResults = [];
+      for (const u of sideEffect)
+        sideEffectResults.push(await executeOne(u));
+      const resultMap = new Map([...pureResults, ...sideEffectResults].map((r) => [r.id, r]));
+      for (const u of toolUses) {
+        const r = resultMap.get(u.id);
+        if (r)
+          turnResults.push(r);
+      }
+    } else {
+      for (const u of toolUses)
+        turnResults.push(await executeOne(u));
+    }
+    for (const r of turnResults) {
+      allToolCalls.push({ id: r.id, tool: r.name, input: turn.toolUses.find((u) => u.id === r.id)?.input ?? {}, output: r.text, isError: r.isError, ms: r.ms, cached: r.cached });
+      if (r.isError) {
+        consecutiveErrors++;
+        if (r.name === "execute_api_request") {
+          const eid = String(turn.toolUses.find((u) => u.id === r.id)?.input?.operationId ?? r.id);
+          endpointErrors[eid] = (endpointErrors[eid] ?? 0) + 1;
+          if (endpointErrors[eid] >= cfg.maxEndpointErrors) {
+            return {
+              content: `Endpoint "${eid}" failed ${cfg.maxEndpointErrors} times. Last error: ${r.text}`,
+              toolCalls: allToolCalls,
+              stopReason: "max_endpoint_errors",
+              tokens: totalTokens
+            };
+          }
+        }
+        if (consecutiveErrors >= cfg.maxConsecutiveErrors) {
+          return {
+            content: `Stopped after ${cfg.maxConsecutiveErrors} consecutive errors. Last: ${r.text}`,
+            toolCalls: allToolCalls,
+            stopReason: "max_errors",
+            tokens: totalTokens
+          };
+        }
+      } else {
+        consecutiveErrors = 0;
+      }
+    }
+    if (isAnthropic) {
+      const blocks = turn._anthropicBlocks ?? [];
+      messages.push({ role: "assistant", content: blocks });
+      messages.push({
+        role: "user",
+        content: turnResults.map((r) => ({ type: "tool_result", tool_use_id: r.id, content: r.text }))
+      });
+    } else {
+      const tc = turn._openaiTcAccum ?? {};
+      messages.push({
+        role: "assistant",
+        content: turn.text || null,
+        tool_calls: Object.values(tc).map((t) => ({ id: t.id, type: "function", function: { name: t.name, arguments: t.args } }))
+      });
+      for (const r of turnResults) {
+        messages.push({ role: "tool", tool_call_id: r.id, content: r.text });
+      }
+    }
+  }
+  return { content: "(max iterations reached)", toolCalls: allToolCalls, stopReason: "max_iterations", tokens: totalTokens };
+}
+var RETRYABLE_STATUS, MAX_CONTEXT_CHARS = 300000, DEFAULTS;
+var init_harness = __esm(() => {
+  RETRYABLE_STATUS = new Set([429, 500, 502, 503, 504]);
+  DEFAULTS = {
+    apiKey: "",
+    baseUrl: "",
+    extraHeaders: {},
+    maxTokens: 4096,
+    temperature: 1,
+    topK: 0,
+    maxIterations: 40,
+    maxTotalTools: 40,
+    maxConsecutiveErrors: 5,
+    maxEndpointErrors: 3,
+    stepTimeoutMs: 60000,
+    parallelTools: true,
+    enablePromptCache: true
+  };
+});
+// src/api/routes.ts
+import dns from "dns/promises";
+function json(data, status = 200) {
+  return new Response(JSON.stringify(data), {
+    status,
+    headers: { "Content-Type": "application/json", ...CORS4 }
+  });
+}
+function notFound(msg = "Not found") {
+  return json({ error: msg }, 404);
+}
+function badRequest(msg) {
+  return json({ error: msg }, 400);
+}
+async function apiRouter(req) {
+  if (req.method === "OPTIONS")
+    return new Response(null, { status: 204, headers: CORS4 });
+  const { pathname: path, searchParams } = new URL(req.url);
+  const method = req.method;
+  if (path === "/api/status" && method === "GET")
+    return handleStatus();
+  if (path === "/api/logs" && method === "GET")
+    return handleGetLogs(searchParams);
+  if (path === "/api/logs" && method === "DELETE")
+    return handleClearLogs();
+  if (path === "/api/auth/profiles" && method === "GET")
+    return handleGetProfiles();
+  if (path === "/api/auth/profiles" && method === "POST")
+    return handleCreateProfile(req);
+  if (path.startsWith("/api/auth/profiles/") && method === "PUT")
+    return handleUpdateProfile(req, path);
+  if (path.startsWith("/api/auth/profiles/") && method === "DELETE")
+    return handleDeleteProfile(path);
+  if (path.match(/^\/api\/auth\/profiles\/[^/]+\/activate$/) && method === "POST")
+    return handleActivateProfile(path);
+  if (path === "/api/auth" && method === "GET")
+    return handleGetAuth();
+  if (path === "/api/auth" && method === "PUT")
+    return handleSetAuth(req);
+  if (path === "/api/auth/test" && method === "POST")
+    return handleTestAuth();
+  if (path === "/api/explorer/request" && method === "POST")
+    return handleExplorerRequest(req);
+  if (path === "/api/spec/endpoints" && method === "GET")
+    return handleGetEndpoints();
+  if (path === "/api/settings" && method === "GET")
+    return handleGetSettings();
+  if (path === "/api/settings" && method === "PUT")
+    return handleSetSettings(req);
+  if (path === "/api/spec/upload" && method === "POST")
+    return handleSpecUpload(req);
+  if (path === "/api/spec/reload-url" && method === "POST")
+    return handleSpecReloadUrl(req);
+  if (path === "/api/intercept" && method === "GET")
+    return handleGetRules();
+  if (path === "/api/intercept" && method === "POST")
+    return handleCreateRule(req);
+  if (path.startsWith("/api/intercept/") && method === "PUT")
+    return handleUpdateRule(req, path);
+  if (path.startsWith("/api/intercept/") && method === "DELETE")
+    return handleDeleteRule(path);
+  if (path === "/api/ai/chat" && method === "POST")
+    return handleAiChat(req);
+  if (path === "/api/ai/memory" && method === "GET")
+    return json({ memory: dbQueries.getMemory(40) });
+  if (path === "/api/ai/memory" && method === "DELETE") {
+    dbQueries.clearMemory();
+    return json({ success: true });
+  }
+  if (path === "/api/debug/dns" && method === "GET")
+    return handleDnsQuery(searchParams);
+  if (path === "/api/debug/ping" && method === "GET")
+    return handlePing(searchParams);
+  if (path === "/api/reload" && method === "POST")
+    return handleReload();
+  if (path === "/api/server-info" && method === "GET")
+    return handleServerInfo();
+  if (path === "/api/features" && method === "GET")
+    return json(getFeatures());
+  if (path === "/api/features" && method === "PUT")
+    return handleSetFeatures(req);
+  if (path === "/api/saved" && method === "GET")
+    return handleGetSaved();
+  if (path === "/api/saved" && method === "POST")
+    return handleCreateSaved(req);
+  if (path.startsWith("/api/saved/") && method === "PUT")
+    return handleUpdateSaved(req, path);
+  if (path.startsWith("/api/saved/") && method === "DELETE")
+    return handleDeleteSaved(path);
+  if (path === "/api/workflows" && method === "GET")
+    return handleGetWorkflows();
+  if (path === "/api/workflows" && method === "POST")
+    return handleCreateWorkflow(req);
+  if (path === "/api/workflows/generate" && method === "POST")
+    return handleGenerateWorkflow(req);
+  if (path.startsWith("/api/workflows/") && path.endsWith("/run") && method === "POST")
+    return handleRunWorkflow(path);
+  if (path.startsWith("/api/workflows/") && method === "PUT")
+    return handleUpdateWorkflow(req, path);
+  if (path.startsWith("/api/workflows/") && method === "DELETE")
+    return handleDeleteWorkflow(path);
+  if (path === "/api/capture/bins" && method === "GET")
+    return handleGetCaptureBins();
+  if (path === "/api/capture/bins" && method === "POST")
+    return handleCreateCaptureBin(req);
+  if (path.startsWith("/api/capture/bins/") && method === "DELETE")
+    return handleDeleteCaptureBin(path);
+  return notFound("API route not found");
+}
+function handleStatus() {
+  if (!hasState()) {
+    return json({ ok: true, version: VERSION, spec: null, endpointCount: 0, wsClients: logBus.clientCount });
+  }
+  const { spec, operations } = getState();
+  return json({
+    ok: true,
+    version: VERSION,
+    spec: { title: spec.title, version: spec.version, baseUrl: spec.baseUrl, url: spec.url },
+    endpointCount: operations.length,
+    wsClients: logBus.clientCount
+  });
+}
+async function handleReload() {
+  if (!hasState())
+    return badRequest("No spec loaded");
+  const { specUrl } = getState();
+  if (!specUrl)
+    return json({ error: "Spec was uploaded manually \u2014 cannot reload from URL" }, 400);
+  try {
+    const s = await loadSpec(specUrl);
+    return json({ ok: true, spec: s.spec.title, version: s.spec.version, endpoints: s.operations.length });
+  } catch (e) {
+    return json({ error: e instanceof Error ? e.message : String(e) }, 500);
+  }
+}
+async function handleSetFeatures(req) {
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const patch = {};
+  for (const key of ["mcp", "proxy", "ai", "readonly"]) {
+    if (typeof body[key] === "boolean")
+      patch[key] = body[key];
+  }
+  setFeatures(patch);
+  persistAndBroadcastFeatures();
+  return json(getFeatures());
+}
+function persistAndBroadcastFeatures() {
+  const f = getFeatures();
+  dbQueries.setSetting("features", JSON.stringify({ mcp: f.mcp, proxy: f.proxy, ai: f.ai }));
+  logBus.broadcastServerEvent({ kind: "features", data: f });
+}
+function handleServerInfo() {
+  const state = hasState() ? getState() : null;
+  return json({
+    pid: process.pid,
+    port: parseInt(process.env._OA_PORT ?? "3388", 10),
+    startedAt: parseInt(process.env._OA_STARTED ?? "0", 10),
+    features: getFeatures(),
+    spec: state ? {
+      title: state.spec.title,
+      version: state.spec.version,
+      endpointCount: state.operations.length,
+      specUrl: state.specUrl ?? null
+    } : null
+  });
+}
+async function handleSpecUpload(req) {
+  let content;
+  let filename = "spec";
+  const ct = req.headers.get("content-type") ?? "";
+  if (ct.includes("multipart/form-data")) {
+    let form;
+    try {
+      form = await req.formData();
+    } catch {
+      return badRequest("Invalid form data");
+    }
+    const file = form.get("file");
+    if (!file || typeof file === "string")
       return badRequest("No file in form data");
     filename = file.name ?? "spec";
     content = await file.text();
@@ -4331,10 +5315,12 @@ async function handleSpecUpload(req) {
     return badRequest("Empty spec content");
   try {
     const state = loadSpecFromText(content, filename);
+    const suggestedVars = extractSuggestedVars(content, state.spec.baseUrl);
     return json({
       ok: true,
       spec: { title: state.spec.title, version: state.spec.version, baseUrl: state.spec.baseUrl },
-      endpointCount: state.operations.length
+      endpointCount: state.operations.length,
+      suggestedVars
     });
   } catch (e) {
     return json({ error: e instanceof Error ? e.message : String(e) }, 400);
@@ -4351,10 +5337,12 @@ async function handleSpecReloadUrl(req) {
     return badRequest("Missing url field");
   try {
     const state = await loadSpec(body.url);
+    const suggestedVars = extractSuggestedVars(state.spec.raw, state.spec.baseUrl);
     return json({
       ok: true,
       spec: { title: state.spec.title, version: state.spec.version, baseUrl: state.spec.baseUrl },
-      endpointCount: state.operations.length
+      endpointCount: state.operations.length,
+      suggestedVars
     });
   } catch (e) {
     return json({ error: e instanceof Error ? e.message : String(e) }, 400);
@@ -4416,39 +5404,54 @@ async function handleSetSettings(req) {
   dbQueries.setSettings(body);
   return json(body);
 }
-async function executeTool(name, args) {
+async function executeTool(name, args, cache = new Map) {
   const { operations, spec } = getState();
   if (name === "search_endpoints") {
+    const cacheKey2 = `search:${String(args.query ?? "").toLowerCase()}`;
+    const hit = cache.get(cacheKey2);
+    if (hit)
+      return hit;
     const q = String(args.query ?? "").toLowerCase();
     const terms = q.split(/\s+/).filter(Boolean);
     const matches = operations.filter((op) => {
       const hay = [op.operationId, op.path, op.method, ...op.tags ?? [], op.summary ?? "", op.description ?? ""].join(" ").toLowerCase();
       return terms.every((t) => hay.includes(t));
     }).slice(0, 30).map((op) => ({ operationId: op.operationId, method: op.method.toUpperCase(), path: op.path, summary: op.summary ?? null, tags: op.tags }));
-    if (!matches.length)
-      return { text: `No endpoints found matching "${args.query}". Total: ${operations.length}.`, isError: false };
-    return { text: JSON.stringify({ count: matches.length, total: operations.length, endpoints: matches }, null, 2), isError: false };
+    const text = !matches.length ? `No endpoints found matching "${args.query}". Total: ${operations.length}.` : JSON.stringify({ count: matches.length, total: operations.length, endpoints: matches }, null, 2);
+    const result = { text, isError: false };
+    cache.set(cacheKey2, result);
+    return result;
   }
   if (name === "get_endpoint_schema") {
+    const cacheKey2 = `schema:${String(args.operationId ?? "")}`;
+    const hit = cache.get(cacheKey2);
+    if (hit)
+      return hit;
     const op = operations.find((o) => o.operationId === args.operationId);
     if (!op)
       return { text: `Endpoint not found: "${args.operationId}"`, isError: true };
-    return {
-      text: JSON.stringify({
-        operationId: op.operationId,
-        method: op.method.toUpperCase(),
-        path: op.path,
-        summary: op.summary ?? null,
-        description: op.description ?? null,
-        tags: op.tags,
-        parameters: op.parameters,
-        requestBody: op.requestBody ?? null,
-        responses: op.responses
-      }, null, 2),
-      isError: false
-    };
+    const text = JSON.stringify({
+      operationId: op.operationId,
+      method: op.method.toUpperCase(),
+      path: op.path,
+      summary: op.summary ?? null,
+      description: op.description ?? null,
+      tags: op.tags,
+      parameters: op.parameters,
+      requestBody: op.requestBody ?? null,
+      responses: op.responses
+    }, null, 2);
+    const result = { text, isError: false };
+    cache.set(cacheKey2, result);
+    return result;
   }
   if (name === "execute_api_request") {
+    const now = Date.now();
+    const gap = now - _lastApiCallMs;
+    if (gap < MIN_API_CALL_INTERVAL_MS) {
+      await new Promise((r) => setTimeout(r, MIN_API_CALL_INTERVAL_MS - gap));
+    }
+    _lastApiCallMs = Date.now();
     const op = operations.find((o) => o.operationId === args.operationId);
     if (!op)
       return { text: `Endpoint not found: "${args.operationId}"`, isError: true };
@@ -4479,20 +5482,81 @@ async function executeTool(name, args) {
     const bodyStr = reqBody !== undefined ? typeof reqBody === "string" ? reqBody : JSON.stringify(reqBody) : null;
     if (bodyStr !== null && op.requestBody?.contentType)
       authedHeaders["Content-Type"] = op.requestBody.contentType;
+    const logId = randomUUID2();
     try {
       const start = Date.now();
       const res = await fetch(authedUrl, { method: op.method.toUpperCase(), headers: authedHeaders, body: bodyStr ?? undefined });
-      const text = await res.text();
+      const responseText = await res.text();
       const latency = Date.now() - start;
-      let pretty = text;
+      const resHeaders = Object.fromEntries(res.headers.entries());
+      dbQueries.insertLog({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: JSON.stringify(authedHeaders),
+        request_body: bodyStr,
+        status_code: res.status,
+        response_headers: JSON.stringify(resHeaders),
+        response_body: responseText.slice(0, 8192),
+        latency_ms: latency,
+        error: null
+      });
+      logBus.emit({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: JSON.stringify(authedHeaders),
+        request_body: bodyStr,
+        status_code: res.status,
+        response_headers: JSON.stringify(resHeaders),
+        response_body: responseText.slice(0, 2048),
+        latency_ms: latency,
+        error: null,
+        created_at: Date.now()
+      });
+      let pretty = responseText;
       try {
-        pretty = JSON.stringify(JSON.parse(text), null, 2);
+        pretty = JSON.stringify(JSON.parse(responseText), null, 2);
       } catch {}
       return { text: `HTTP ${res.status} (${latency}ms)
 ${pretty}`, isError: !res.ok };
     } catch (e) {
-      return { text: `Network error: ${e instanceof Error ? e.message : String(e)}`, isError: true };
+      const errMsg = e instanceof Error ? e.message : String(e);
+      dbQueries.insertLog({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: JSON.stringify(authedHeaders),
+        request_body: bodyStr,
+        status_code: null,
+        response_headers: null,
+        response_body: null,
+        latency_ms: null,
+        error: errMsg
+      });
+      logBus.emit({
+        id: logId,
+        source: "ai",
+        tool_name: String(args.operationId ?? op.operationId),
+        method: op.method.toUpperCase(),
+        url: authedUrl,
+        request_headers: null,
+        request_body: bodyStr,
+        status_code: null,
+        response_headers: null,
+        response_body: null,
+        latency_ms: null,
+        error: errMsg,
+        created_at: Date.now()
+      });
+      return { text: `Network error: ${errMsg}`, isError: true };
     }
   }
   if (name === "fetch_url") {
@@ -4642,10 +5706,25 @@ ${stripped}`, isError: !res.ok };
   }
   if (name === "save_auth_token") {
     const profileName = String(args.name ?? "AI Login").trim();
+    const tokenType = String(args.token_type ?? "bearer");
+    if (tokenType === "basic" || args.username && args.password) {
+      const username = String(args.username ?? "").trim();
+      const password = String(args.password ?? "").trim();
+      if (!username || !password)
+        return { text: "Error: username and password are required for basic auth", isError: true };
+      const authConfig2 = { type: "basic", username, password };
+      const profileId2 = randomUUID2();
+      try {
+        dbQueries.insertProfile({ id: profileId2, name: profileName, description: "Saved by AI", type: "basic", config: JSON.stringify(authConfig2), token_cache: null, is_active: 0 });
+        dbQueries.activateProfile(profileId2);
+        return { text: JSON.stringify({ success: true, message: `Saved and activated basic auth profile "${profileName}"`, id: profileId2 }), isError: false };
+      } catch (e) {
+        return { text: `Error saving profile: ${e instanceof Error ? e.message : String(e)}`, isError: true };
+      }
+    }
     const token = String(args.token ?? "").trim();
     if (!token)
-      return { text: "Error: token is required", isError: true };
-    const tokenType = String(args.token_type ?? "bearer");
+      return { text: "Error: token is required for bearer/apikey auth", isError: true };
     const headerName = String(args.header_name ?? "X-Api-Key");
     let authConfig;
     let type;
@@ -4670,274 +5749,6 @@ ${stripped}`, isError: !res.ok };
   }
   return { text: `Unknown tool: ${name}`, isError: true };
 }
-async function fetchWithRetry(url, opts, emit, maxRetries = 3) {
-  for (let attempt = 0;attempt <= maxRetries; attempt++) {
-    const res = await fetch(url, opts);
-    if (res.status !== 429 || attempt === maxRetries)
-      return res;
-    const retryAfter = parseInt(res.headers.get("retry-after") ?? "0", 10);
-    const delay = retryAfter > 0 ? retryAfter * 1000 : Math.min(1000 * Math.pow(2, attempt) + Math.random() * 500, 30000);
-    emit({ type: "info", message: `Rate limited \u2014 retrying in ${Math.round(delay / 1000)}s\u2026 (attempt ${attempt + 1}/${maxRetries})` });
-    await new Promise((r) => setTimeout(r, delay));
-  }
-  return fetch(url, opts);
-}
-async function anthropicAgentLoop(apiKey, model, system, initialMessages, emit) {
-  const msgs = [...initialMessages];
-  const toolCalls = [];
-  let totalTools = 0;
-  let consecutiveErrors = 0;
-  const endpointErrors = {};
-  for (let iter = 0;iter < 40; iter++) {
-    const res = await fetchWithRetry("https://api.anthropic.com/v1/messages", {
-      method: "POST",
-      headers: { "Content-Type": "application/json", "x-api-key": apiKey, "anthropic-version": "2023-06-01" },
-      body: JSON.stringify({ model, max_tokens: 4096, system, messages: msgs, tools: ANTHROPIC_TOOLS, stream: true })
-    }, emit);
-    if (!res.ok)
-      throw new Error(`Anthropic error: ${await res.text()}`);
-    let fullText = "";
-    let stopReason = "";
-    const contentBlocks = [];
-    const inputAccum = {};
-    const reader = res.body.getReader();
-    const decoder = new TextDecoder;
-    let buf = "";
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done)
-        break;
-      buf += decoder.decode(value, { stream: true });
-      const parts = buf.split(`
-`);
-      buf = parts.pop() ?? "";
-      for (const part of parts) {
-        let dataLine = "";
-        for (const line of part.split(`
-`)) {
-          if (line.startsWith("data: ")) {
-            dataLine = line.slice(6);
-            break;
-          }
-        }
-        if (!dataLine || dataLine === "[DONE]")
-          continue;
-        let ev;
-        try {
-          ev = JSON.parse(dataLine);
-        } catch {
-          continue;
-        }
-        const type = ev.type;
-        if (type === "content_block_start") {
-          const idx = ev.index;
-          const cb = ev.content_block;
-          contentBlocks[idx] = { type: cb.type, id: cb.id, name: cb.name };
-          if (cb.type === "tool_use")
-            inputAccum[idx] = "";
-        } else if (type === "content_block_delta") {
-          const idx = ev.index;
-          const delta = ev.delta;
-          if (delta.type === "text_delta" && delta.text) {
-            fullText += delta.text;
-            if (!contentBlocks[idx])
-              contentBlocks[idx] = { type: "text", text: "" };
-            contentBlocks[idx].text = (contentBlocks[idx].text ?? "") + delta.text;
-            emit({ type: "text_delta", text: delta.text });
-          } else if (delta.type === "input_json_delta" && delta.partial_json) {
-            inputAccum[idx] = (inputAccum[idx] ?? "") + delta.partial_json;
-          }
-        } else if (type === "content_block_stop") {
-          const idx = ev.index;
-          if (contentBlocks[idx]?.type === "tool_use") {
-            try {
-              contentBlocks[idx].input = JSON.parse(inputAccum[idx] ?? "{}");
-            } catch {
-              contentBlocks[idx].input = {};
-            }
-          }
-        } else if (type === "message_delta") {
-          const delta = ev.delta;
-          if (delta.stop_reason)
-            stopReason = delta.stop_reason;
-        }
-      }
-    }
-    if (stopReason !== "tool_use")
-      return { content: fullText, toolCalls };
-    if (totalTools >= MAX_TOTAL_TOOLS) {
-      return { content: `Agent stopped: reached ${MAX_TOTAL_TOOLS} tool calls. Please break your request into smaller steps.`, toolCalls };
-    }
-    msgs.push({ role: "assistant", content: contentBlocks });
-    const toolResults = [];
-    for (const block of contentBlocks) {
-      if (block.type !== "tool_use" || !block.id || !block.name)
-        continue;
-      totalTools++;
-      emit({ type: "tool_start", tool: block.name, input: block.input ?? {} });
-      const result = await executeTool(block.name, block.input ?? {});
-      emit({ type: "tool_done", tool: block.name, input: block.input ?? {}, output: result.text, isError: result.isError });
-      toolCalls.push({ tool: block.name, input: block.input ?? {}, output: result.text, isError: result.isError });
-      if (result.isError) {
-        consecutiveErrors++;
-        if (block.name === "execute_api_request" && block.input?.operationId) {
-          const eid = String(block.input.operationId);
-          endpointErrors[eid] = (endpointErrors[eid] ?? 0) + 1;
-          if (endpointErrors[eid] >= MAX_SAME_ENDPOINT_ERRORS) {
-            const stopContent = result.text + `
-[AGENT LOOP STOPPED: endpoint "${eid}" failed ${MAX_SAME_ENDPOINT_ERRORS} times \u2014 stopping to avoid loop]`;
-            toolResults.push({ type: "tool_result", tool_use_id: block.id, content: stopContent });
-            msgs.push({ role: "user", content: toolResults });
-            return { content: `Endpoint "${eid}" failed ${MAX_SAME_ENDPOINT_ERRORS} times. Last error: ${result.text}`, toolCalls };
-          }
-        }
-        if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-          const stopMsg = `Stopped after ${MAX_CONSECUTIVE_ERRORS} consecutive errors. Last: ${result.text}`;
-          const stopContent = result.text + `
-[AGENT LOOP STOPPED: ${stopMsg}]`;
-          toolResults.push({ type: "tool_result", tool_use_id: block.id, content: stopContent });
-          msgs.push({ role: "user", content: toolResults });
-          return { content: stopMsg, toolCalls };
-        }
-      } else {
-        consecutiveErrors = 0;
-      }
-      toolResults.push({ type: "tool_result", tool_use_id: block.id, content: result.text });
-    }
-    if (!toolResults.length)
-      return { content: fullText, toolCalls };
-    msgs.push({ role: "user", content: toolResults });
-  }
-  return { content: "(max iterations reached)", toolCalls };
-}
-async function openaiCompatibleLoop(base, apiKey, model, extraHeaders, system, initialMessages, emit) {
-  const msgs = [{ role: "system", content: system }, ...initialMessages];
-  const toolCalls = [];
-  const authHeaders = {};
-  if (apiKey)
-    authHeaders["Authorization"] = `Bearer ${apiKey}`;
-  let totalTools = 0;
-  let consecutiveErrors = 0;
-  const endpointErrors = {};
-  for (let iter = 0;iter < 40; iter++) {
-    const res = await fetchWithRetry(`${base}/v1/chat/completions`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", ...authHeaders, ...extraHeaders },
-      body: JSON.stringify({ model, messages: msgs, tools: OPENAI_TOOLS, tool_choice: "auto", stream: true })
-    }, emit);
-    if (!res.ok)
-      throw new Error(await res.text());
-    let fullContent = "";
-    let finishReason = "";
-    const tcAccum = {};
-    const reader = res.body.getReader();
-    const dec = new TextDecoder;
-    let buf = "";
-    outer:
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done)
-          break;
-        buf += dec.decode(value, { stream: true });
-        const parts = buf.split(`
-`);
-        buf = parts.pop() ?? "";
-        for (const part of parts) {
-          let data = "";
-          for (const line of part.split(`
-`)) {
-            if (line.startsWith("data: ")) {
-              data = line.slice(6);
-              break;
-            }
-          }
-          if (!data)
-            continue;
-          if (data === "[DONE]")
-            break outer;
-          let ev;
-          try {
-            ev = JSON.parse(data);
-          } catch {
-            continue;
-          }
-          if (ev.object === "error")
-            throw new Error(JSON.stringify(ev));
-          const choices = ev.choices;
-          const choice = choices?.[0];
-          if (!choice)
-            continue;
-          const fr = choice.finish_reason;
-          if (fr)
-            finishReason = fr;
-          const delta = choice.delta;
-          if (!delta)
-            continue;
-          if (typeof delta.content === "string" && delta.content) {
-            fullContent += delta.content;
-            emit({ type: "text_delta", text: delta.content });
-          }
-          const tcDeltas = delta.tool_calls;
-          if (tcDeltas) {
-            for (const tc of tcDeltas) {
-              if (!tcAccum[tc.index])
-                tcAccum[tc.index] = { id: "", name: "", args: "" };
-              const entry = tcAccum[tc.index];
-              if (tc.id)
-                entry.id += tc.id;
-              if (tc.function?.name)
-                entry.name += tc.function.name;
-              if (tc.function?.arguments)
-                entry.args += tc.function.arguments;
-            }
-          }
-        }
-      }
-    if (finishReason !== "tool_calls")
-      return { content: fullContent, toolCalls };
-    if (totalTools >= MAX_TOTAL_TOOLS) {
-      return { content: `Agent stopped: reached ${MAX_TOTAL_TOOLS} tool calls. Please break your request into smaller steps.`, toolCalls };
-    }
-    const msgToolCalls = Object.values(tcAccum).map((tc) => ({
-      id: tc.id,
-      type: "function",
-      function: { name: tc.name, arguments: tc.args }
-    }));
-    msgs.push({ role: "assistant", content: fullContent || null, tool_calls: msgToolCalls });
-    for (const tc of Object.values(tcAccum)) {
-      let args = {};
-      try {
-        args = JSON.parse(tc.args);
-      } catch {}
-      totalTools++;
-      emit({ type: "tool_start", tool: tc.name, input: args });
-      const result = await executeTool(tc.name, args);
-      emit({ type: "tool_done", tool: tc.name, input: args, output: result.text, isError: result.isError });
-      toolCalls.push({ tool: tc.name, input: args, output: result.text, isError: result.isError });
-      msgs.push({ role: "tool", tool_call_id: tc.id, content: result.text });
-      if (result.isError) {
-        consecutiveErrors++;
-        if (tc.name === "execute_api_request" && args.operationId) {
-          const eid = String(args.operationId);
-          endpointErrors[eid] = (endpointErrors[eid] ?? 0) + 1;
-          if (endpointErrors[eid] >= MAX_SAME_ENDPOINT_ERRORS) {
-            return { content: `Endpoint "${eid}" failed ${MAX_SAME_ENDPOINT_ERRORS} times. Last error: ${result.text}`, toolCalls };
-          }
-        }
-        if (consecutiveErrors >= MAX_CONSECUTIVE_ERRORS) {
-          return { content: `Stopped after ${MAX_CONSECUTIVE_ERRORS} consecutive errors. Last: ${result.text}`, toolCalls };
-        }
-      } else {
-        consecutiveErrors = 0;
-      }
-    }
-  }
-  return { content: "(max iterations reached)", toolCalls };
-}
 async function handleAiChat(req) {
   let body;
   try {
@@ -4948,39 +5759,58 @@ async function handleAiChat(req) {
   const settingsRow = dbQueries.getSettings();
   const settings = settingsRow ? JSON.parse(settingsRow.value) : {};
   const ai = settings.ai ?? {};
+  const provider = ai.provider ?? "anthropic";
+  const providerDefaults = PROVIDER_DEFAULTS[provider] ?? { model: "" };
+  const requiresKey = provider !== "ollama" && provider !== "custom";
+  if (requiresKey && !ai.apiKey) {
+    return json({ error: "No AI API key configured. Go to Settings \u2192 AI Provider to add one." }, 400);
+  }
+  if (!hasState())
+    return json({ error: "No spec loaded." }, 400);
   const { spec, operations } = getState();
   const preview = operations.slice(0, 40).map((op) => `- ${op.method.toUpperCase()} ${op.path}${op.summary ? `: ${op.summary}` : ""}`).join(`
 `);
   const activeAuth = dbQueries.getActiveProfile();
-  const authLine = activeAuth ? `Active auth: "${activeAuth.name}" (${activeAuth.type})` : "No active auth profile. If the API requires auth, call list_auth_profiles first, then set_active_auth, or login and call save_auth_token.";
+  const authLine = activeAuth ? `Active auth: "${activeAuth.name}" (${activeAuth.type})` : "No active auth profile. Call list_auth_profiles, then set_active_auth or save_auth_token.";
+  const memory = dbQueries.getMemory(20);
+  const memorySection = memory.length ? `
+## Memory from previous sessions
+${memory.map((m) => `${m.role === "user" ? "User" : "Assistant"}: ${m.content.slice(0, 300)}${m.content.length > 300 ? "\u2026" : ""}`).join(`
+`)}
+` : "";
   const system = `You are an AI assistant for the "${spec.title}" API (v${spec.version}). Base URL: ${spec.baseUrl}.
 Total endpoints: ${operations.length}. Sample:
 ${preview}${operations.length > 40 ? `
 ... and ${operations.length - 40} more` : ""}
 ${authLine}
+${memorySection}
+Tools:
+- search_endpoints / get_endpoint_schema \u2014 explore API structure (results cached; never repeat the same query)
+- execute_api_request \u2014 call an endpoint
+- list_auth_profiles / set_active_auth / save_auth_token \u2014 manage credentials
+  \u2022 save_auth_token supports token_type="basic" with username+password for HTTP Basic auth
+- fetch_url \u2014 external docs
+- dns_lookup \u2014 connectivity diagnostics
+- get_recent_logs \u2014 proxy traffic history
+- run_security_check \u2014 static security analysis
-Tools available:
-- search_endpoints / get_endpoint_schema: explore API structure
-- execute_api_request: call an endpoint
-- list_auth_profiles: list all saved auth profiles (name, type, active)
-- set_active_auth(name): switch to a saved profile before making requests
-- save_auth_token(name, token): IMMEDIATELY call this after a successful login that returns a token \u2014 saves the token as a named profile and activates it so subsequent requests are authenticated
-- fetch_url: fetch external docs
-- dns_lookup: DNS resolution / connectivity
-- get_recent_logs: recent request/response traffic
-- run_security_check: security analysis on an endpoint
+Auth workflow: 401/403 \u2192 list_auth_profiles \u2192 set_active_auth OR find login endpoint \u2192 save_auth_token \u2192 retry.
-Authentication workflow: if requests return 401/403, call list_auth_profiles first. If a profile exists, call set_active_auth. If none, find and call the login endpoint, extract the token from the response, then call save_auth_token immediately. After saving, retry the original request.
+Rules:
+- Never repeat a search you already ran \u2014 results are cached.
+- Diagnose errors before retrying. Three failures on the same endpoint stops the agent.
+- Do not fire rapid successive API requests.
-IMPORTANT: if an endpoint returns an error, diagnose it (check the schema, check auth) and fix the root cause before retrying. If the same endpoint fails 3 times the agent will be forcibly stopped. Do not retry without changing something.
+Be concise. Format code and JSON in fenced blocks.${ai.customInstructions ? `
-Be concise and practical. Format code and JSON in code blocks.`;
-  const provider = ai.provider ?? "anthropic";
-  const requiresKey = provider !== "ollama" && provider !== "custom";
-  if (requiresKey && !ai.apiKey) {
-    return json({ error: "No AI API key configured. Go to Settings \u2192 AI Provider to add one." }, 400);
-  }
+---
+## Custom instructions
+${ai.customInstructions}` : ""}${body.extra_context ? `
+---
+## Context
+${body.extra_context}` : ""}`;
   const { readable, writable } = new TransformStream;
   const writer = writable.getWriter();
   const enc = new TextEncoder;
@@ -4990,62 +5820,39 @@ Be concise and practical. Format code and JSON in code blocks.`;
 `)).catch(() => {});
   };
   const msgs = body.messages;
+  const toolCache = new Map;
+  const abortCtrl = new AbortController;
+  const lastUserMsg = [...msgs].reverse().find((m) => m.role === "user");
+  const userMemoryContent = typeof lastUserMsg?.content === "string" ? lastUserMsg.content : null;
   (async () => {
     try {
-      let result;
-      if (provider === "anthropic") {
-        result = await anthropicAgentLoop(ai.apiKey, ai.model || "claude-haiku-4-5-20251001", system, msgs, emit);
-      } else if (provider === "openai") {
-        const base = (ai.baseUrl || "https://api.openai.com").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "gpt-4o-mini", {}, system, msgs, emit);
-      } else if (provider === "mistral") {
-        const base = (ai.baseUrl || "https://api.mistral.ai").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "mistral-small-latest", {}, system, msgs, emit);
-      } else if (provider === "github-copilot") {
-        const base = (ai.baseUrl || "https://api.githubcopilot.com").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "gpt-4o", {
-          "Copilot-Integration-Id": "vscode-chat",
-          "Editor-Version": "vscode/1.85.0"
-        }, system, msgs, emit);
-      } else if (provider === "groq") {
-        const base = (ai.baseUrl || "https://api.groq.com/openai").replace(/\/$/, "");
-        result = await openaiCompatibleLoop(base, ai.apiKey, ai.model || "llama-3.1-70b-versatile", {}, system, msgs, emit);
-      } else if (provider === "custom") {
-        if (!ai.baseUrl) {
-          emit({ type: "error", message: "Custom provider requires a Base URL." });
-          await writer.close();
-          return;
-        }
-        result = await openaiCompatibleLoop(ai.baseUrl.replace(/\/$/, ""), ai.apiKey, ai.model || "", {}, system, msgs, emit);
-      } else if (provider === "ollama") {
-        const base = (ai.baseUrl || "http://localhost:11434").replace(/\/$/, "");
-        const res = await fetch(`${base}/api/chat`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({ model: ai.model || "llama3", messages: [{ role: "system", content: system }, ...msgs], stream: false })
-        });
-        const d = await res.json();
-        result = { content: d.message.content ?? "", toolCalls: [] };
-      } else if (provider === "gemini") {
-        const model = ai.model || "gemini-1.5-flash";
-        const base = (ai.baseUrl || "https://generativelanguage.googleapis.com").replace(/\/$/, "");
-        const res = await fetch(`${base}/v1beta/models/${model}:generateContent?key=${ai.apiKey}`, {
-          method: "POST",
-          headers: { "Content-Type": "application/json" },
-          body: JSON.stringify({
-            systemInstruction: { parts: [{ text: system }] },
-            contents: msgs.map((m) => ({ role: m.role === "assistant" ? "model" : "user", parts: [{ text: m.content }] })),
-            generationConfig: { maxOutputTokens: 4096 }
-          })
-        });
-        const d = await res.json();
-        result = { content: d.candidates[0]?.content.parts[0]?.text ?? "", toolCalls: [] };
-      } else {
-        emit({ type: "error", message: `Unknown provider: ${provider}` });
-        await writer.close();
-        return;
+      const result = await runAgentLoop({
+        provider,
+        apiKey: ai.apiKey,
+        model: ai.model || providerDefaults.model,
+        baseUrl: ai.baseUrl || providerDefaults.baseUrl,
+        maxTokens: ai.maxTokens ?? 4096,
+        stepTimeoutMs: ai.stepTimeoutMs ?? 60000,
+        temperature: ai.temperature,
+        topK: ai.topK && ai.topK > 0 ? ai.topK : undefined,
+        parallelTools: true,
+        enablePromptCache: true
+      }, system, msgs, TOOL_SCHEMAS, (name, args) => executeTool(name, args, toolCache), emit, abortCtrl.signal, toolCache);
+      if (result.content && result.stopReason !== "max_iterations") {
+        try {
+          if (userMemoryContent)
+            dbQueries.saveMemory("user", userMemoryContent.slice(0, 1000));
+          dbQueries.saveMemory("assistant", result.content.slice(0, 1000));
+          dbQueries.trimMemory(40);
+        } catch {}
       }
-      emit({ type: "done", content: result.content, toolCalls: result.toolCalls });
+      emit({
+        type: "done",
+        content: result.content,
+        toolCalls: result.toolCalls,
+        stopReason: result.stopReason,
+        tokens: result.tokens
+      });
     } catch (e) {
       emit({ type: "error", message: e instanceof Error ? e.message : String(e) });
     } finally {
@@ -5055,11 +5862,7 @@ Be concise and practical. Format code and JSON in code blocks.`;
     }
   })();
   return new Response(readable, {
-    headers: {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache",
-      ...CORS3
-    }
+    headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", ...CORS4 }
   });
 }
 function handleGetProfiles() {
@@ -5406,72 +6209,278 @@ async function handlePing(params) {
   }
   return json({ host, port, resolvedIp, checks, timestamp: new Date().toISOString() });
 }
-function handleGetSaved() {
-  return json(dbQueries.getSavedRequests());
+function handleGetSaved() {
+  return json(dbQueries.getSavedRequests());
+}
+async function handleCreateSaved(req) {
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  if (!body.name || typeof body.name !== "string")
+    return badRequest("name is required");
+  const id = randomUUID2();
+  dbQueries.insertSavedRequest({
+    id,
+    name: String(body.name),
+    folder: String(body.folder ?? ""),
+    method: String(body.method ?? "GET"),
+    url: String(body.url ?? ""),
+    headers: typeof body.headers === "string" ? body.headers : JSON.stringify(body.headers ?? []),
+    params: typeof body.params === "string" ? body.params : JSON.stringify(body.params ?? []),
+    body: String(body.body ?? ""),
+    body_type: String(body.body_type ?? "none"),
+    raw_type: String(body.raw_type ?? "text/plain"),
+    form_rows: typeof body.form_rows === "string" ? body.form_rows : JSON.stringify(body.form_rows ?? []),
+    auth: typeof body.auth === "string" ? body.auth : JSON.stringify(body.auth ?? {}),
+    notes: String(body.notes ?? "")
+  });
+  return json(dbQueries.getSavedRequest(id), 201);
+}
+async function handleUpdateSaved(req, path) {
+  const id = path.replace("/api/saved/", "");
+  if (!dbQueries.getSavedRequest(id))
+    return notFound();
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const patch = {};
+  const allowed = ["name", "folder", "method", "url", "headers", "params", "body", "body_type", "raw_type", "form_rows", "auth", "notes"];
+  for (const key of allowed) {
+    if (key in body)
+      patch[key] = typeof body[key] === "string" ? String(body[key]) : JSON.stringify(body[key]);
+  }
+  if (Object.keys(patch).length)
+    dbQueries.updateSavedRequest(id, patch);
+  return json(dbQueries.getSavedRequest(id));
+}
+function handleDeleteSaved(path) {
+  const id = path.replace("/api/saved/", "");
+  if (!dbQueries.getSavedRequest(id))
+    return notFound();
+  dbQueries.deleteSavedRequest(id);
+  return json({ ok: true });
+}
+function workflowRow(row) {
+  if (!row)
+    return null;
+  let steps = [];
+  try {
+    steps = JSON.parse(row.steps);
+  } catch {}
+  return { ...row, steps };
+}
+function handleGetWorkflows() {
+  const rows = dbQueries.getWorkflows().map((r) => workflowRow(r)).filter(Boolean);
+  return json(rows);
+}
+async function handleCreateWorkflow(req) {
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const id = randomUUID2();
+  dbQueries.insertWorkflow({
+    id,
+    name: String(body.name ?? "Untitled Workflow"),
+    description: String(body.description ?? ""),
+    steps: typeof body.steps === "string" ? body.steps : JSON.stringify(body.steps ?? [])
+  });
+  return json(workflowRow(dbQueries.getWorkflow(id)), 201);
+}
+async function handleUpdateWorkflow(req, path) {
+  const id = path.slice("/api/workflows/".length);
+  if (!dbQueries.getWorkflow(id))
+    return notFound();
+  let body;
+  try {
+    body = await req.json();
+  } catch {
+    return badRequest("Invalid JSON");
+  }
+  const patch = {};
+  if ("name" in body)
+    patch.name = String(body.name);
+  if ("description" in body)
+    patch.description = String(body.description);
+  if ("steps" in body)
+    patch.steps = typeof body.steps === "string" ? body.steps : JSON.stringify(body.steps);
+  if (Object.keys(patch).length)
+    dbQueries.updateWorkflow(id, patch);
+  return json(workflowRow(dbQueries.getWorkflow(id)));
+}
+function handleDeleteWorkflow(path) {
+  const id = path.slice("/api/workflows/".length);
+  if (!dbQueries.getWorkflow(id))
+    return notFound();
+  dbQueries.deleteWorkflow(id);
+  return json({ ok: true });
 }
-async function handleCreateSaved(req) {
+async function handleGenerateWorkflow(req) {
+  if (!hasState())
+    return badRequest("No spec loaded");
   let body;
   try {
     body = await req.json();
   } catch {
     return badRequest("Invalid JSON");
   }
-  if (!body.name || typeof body.name !== "string")
-    return badRequest("name is required");
-  const id = randomUUID2();
-  dbQueries.insertSavedRequest({
-    id,
-    name: String(body.name),
-    folder: String(body.folder ?? ""),
-    method: String(body.method ?? "GET"),
-    url: String(body.url ?? ""),
-    headers: typeof body.headers === "string" ? body.headers : JSON.stringify(body.headers ?? []),
-    params: typeof body.params === "string" ? body.params : JSON.stringify(body.params ?? []),
-    body: String(body.body ?? ""),
-    body_type: String(body.body_type ?? "none"),
-    raw_type: String(body.raw_type ?? "text/plain"),
-    form_rows: typeof body.form_rows === "string" ? body.form_rows : JSON.stringify(body.form_rows ?? []),
-    auth: typeof body.auth === "string" ? body.auth : JSON.stringify(body.auth ?? {}),
-    notes: String(body.notes ?? "")
-  });
-  return json(dbQueries.getSavedRequest(id), 201);
+  const settingsRow = dbQueries.getSettings();
+  const settings = settingsRow ? JSON.parse(settingsRow.value) : {};
+  const ai = settings.ai ?? {};
+  const provider = ai.provider ?? "anthropic";
+  if (provider !== "ollama" && !ai.apiKey) {
+    return json({ error: "No AI API key configured. Go to Settings \u2192 AI Provider to add one." }, 400);
+  }
+  const { spec, operations } = getState();
+  const endpointList = operations.slice(0, 80).map((op) => `${op.method.toUpperCase()} ${op.path}${op.operationId ? ` [${op.operationId}]` : ""}${op.summary ? ` \u2014 ${op.summary}` : ""}`).join(`
+`);
+  const userPrompt = body.prompt?.trim() || "Generate a realistic end-to-end test workflow covering authentication and CRUD operations.";
+  const systemMsg = `You generate API test workflows as JSON for the "${spec.title}" API (base: ${spec.baseUrl}).
+Available endpoints:
+${endpointList}
+Return ONLY valid JSON (no markdown fences) matching this schema exactly:
+{
+  "name": "string",
+  "description": "string",
+  "steps": [
+    {
+      "id": "step_1",
+      "label": "Human-readable name",
+      "method": "GET|POST|PUT|PATCH|DELETE",
+      "path": "/exact/path/from/spec",
+      "operationId": "operationId or null",
+      "pathParams": {},
+      "queryParams": {},
+      "headers": {},
+      "body": null,
+      "extract": [{"var": "varName", "path": "$.field.nested"}],
+      "assert": [{"type": "status", "statusCode": 200}]
+    }
+  ]
 }
-async function handleUpdateSaved(req, path) {
-  const id = path.replace("/api/saved/", "");
-  if (!dbQueries.getSavedRequest(id))
+Rules:
+- Use {{varName}} in path/headers/body values to reference vars extracted in prior steps
+- For auth: extract token after login, set headers: {"Authorization": "Bearer {{token}}"}
+- Keep 3\u20138 steps covering a realistic user journey
+- Only use paths that exist in the endpoint list above`;
+  try {
+    let text = "";
+    if (provider === "anthropic") {
+      const res = await fetch("https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: { "Content-Type": "application/json", "x-api-key": ai.apiKey, "anthropic-version": "2023-06-01" },
+        body: JSON.stringify({ model: ai.model || "claude-sonnet-4-6", max_tokens: 4096, system: systemMsg, messages: [{ role: "user", content: userPrompt }] })
+      });
+      if (!res.ok)
+        throw new Error(`Anthropic: ${await res.text()}`);
+      const d = await res.json();
+      text = d.content.find((b) => b.type === "text")?.text ?? "";
+    } else {
+      const base = (ai.baseUrl || (provider === "openai" ? "https://api.openai.com" : provider === "groq" ? "https://api.groq.com/openai" : provider === "mistral" ? "https://api.mistral.ai" : "https://api.openai.com")).replace(/\/$/, "");
+      const hdrs = { "Content-Type": "application/json" };
+      if (ai.apiKey)
+        hdrs["Authorization"] = `Bearer ${ai.apiKey}`;
+      const res = await fetch(`${base}/v1/chat/completions`, {
+        method: "POST",
+        headers: hdrs,
+        body: JSON.stringify({ model: ai.model || "gpt-4o-mini", max_tokens: 2048, response_format: { type: "json_object" }, messages: [{ role: "system", content: systemMsg }, { role: "user", content: userPrompt }] })
+      });
+      if (!res.ok)
+        throw new Error(await res.text());
+      const d = await res.json();
+      text = d.choices[0]?.message.content ?? "";
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      const m = text.match(/```(?:json)?\s*\n?([\s\S]+?)\n?```/);
+      if (m)
+        parsed = JSON.parse(m[1]);
+      else
+        throw new Error("AI response was not valid JSON");
+    }
+    return json(parsed);
+  } catch (e) {
+    return json({ error: e instanceof Error ? e.message : String(e) }, 500);
+  }
+}
+function handleRunWorkflow(path) {
+  const id = path.slice("/api/workflows/".length, -"/run".length);
+  const row = dbQueries.getWorkflow(id);
+  if (!row)
     return notFound();
-  let body;
+  if (!hasState())
+    return badRequest("No spec loaded");
+  let steps;
   try {
-    body = await req.json();
+    steps = JSON.parse(row.steps);
   } catch {
-    return badRequest("Invalid JSON");
-  }
-  const patch = {};
-  const allowed = ["name", "folder", "method", "url", "headers", "params", "body", "body_type", "raw_type", "form_rows", "auth", "notes"];
-  for (const key of allowed) {
-    if (key in body)
-      patch[key] = typeof body[key] === "string" ? String(body[key]) : JSON.stringify(body[key]);
+    return badRequest("Invalid workflow steps JSON");
   }
-  if (Object.keys(patch).length)
-    dbQueries.updateSavedRequest(id, patch);
-  return json(dbQueries.getSavedRequest(id));
+  if (!steps.length)
+    return badRequest("Workflow has no steps");
+  const { readable, writable } = new TransformStream;
+  const writer = writable.getWriter();
+  const enc = new TextEncoder;
+  const emit = (e) => {
+    writer.write(enc.encode(`data: ${JSON.stringify(e)}
+`)).catch(() => {});
+  };
+  (async () => {
+    try {
+      await runWorkflow(steps, emit);
+    } catch (e) {
+      emit({ type: "error", message: e instanceof Error ? e.message : String(e) });
+    } finally {
+      try {
+        await writer.close();
+      } catch {}
+    }
+  })();
+  return new Response(readable, {
+    headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache", ...CORS4 }
+  });
 }
-function handleDeleteSaved(path) {
-  const id = path.replace("/api/saved/", "");
-  if (!dbQueries.getSavedRequest(id))
-    return notFound();
-  dbQueries.deleteSavedRequest(id);
+function handleGetCaptureBins() {
+  return json(dbQueries.getCaptureBins());
+}
+async function handleCreateCaptureBin(req) {
+  const body = await req.json().catch(() => ({}));
+  const id = randomUUID2().replace(/-/g, "").slice(0, 8);
+  const name = String(body.name ?? "").trim() || "Untitled bin";
+  dbQueries.insertCaptureBin(id, name);
+  return json({ id, name, created_at: Math.floor(Date.now() / 1000) }, 201);
+}
+function handleDeleteCaptureBin(path) {
+  const id = path.replace("/api/capture/bins/", "");
+  dbQueries.deleteCaptureBin(id);
   return json({ ok: true });
 }
-var CORS3, TOOL_DEFS, ANTHROPIC_TOOLS, OPENAI_TOOLS, MAX_TOTAL_TOOLS = 40, MAX_CONSECUTIVE_ERRORS = 5, MAX_SAME_ENDPOINT_ERRORS = 3;
+var CORS4, TOOL_DEFS, _lastApiCallMs = 0, MIN_API_CALL_INTERVAL_MS = 400, TOOL_SCHEMAS, PROVIDER_DEFAULTS;
 var init_routes = __esm(() => {
   init_db();
   init_engine();
   init_bus();
   init_state();
+  init_parser();
   init_config();
   init_version();
-  CORS3 = {
+  init_engine2();
+  init_harness();
+  CORS4 = {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
     "Access-Control-Allow-Headers": "Content-Type, Authorization"
@@ -5539,25 +6548,34 @@ var init_routes = __esm(() => {
       required: ["name"]
     },
     save_auth_token: {
-      description: "Save a bearer token or API key as a named auth profile and immediately activate it. Call this right after a successful login endpoint returns a token so all subsequent API requests are authenticated.",
+      description: "Save a bearer token, API key, or basic auth credentials as a named auth profile and immediately activate it. Call this right after a successful login endpoint returns a token so all subsequent API requests are authenticated.",
       params: {
         name: { type: "string", description: 'Profile name, e.g. "user session" or the username' },
-        token: { type: "string", description: "The bearer token or API key value to save" },
-        token_type: { type: "string", enum: ["bearer", "apikey_header", "apikey_query"], description: "Token type (default: bearer)" },
-        header_name: { type: "string", description: "Header name for apikey_header type (default: X-Api-Key)" }
+        token: { type: "string", description: "The bearer token or API key value (omit for basic auth)" },
+        token_type: { type: "string", enum: ["bearer", "apikey_header", "apikey_query", "basic"], description: "Token type (default: bearer)" },
+        header_name: { type: "string", description: "Header name for apikey_header type (default: X-Api-Key)" },
+        username: { type: "string", description: "Username for basic auth" },
+        password: { type: "string", description: "Password for basic auth" }
       },
-      required: ["name", "token"]
+      required: ["name"]
     }
   };
-  ANTHROPIC_TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
+  TOOL_SCHEMAS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
     name,
     description: def.description,
-    input_schema: { type: "object", properties: def.params, required: def.required }
-  }));
-  OPENAI_TOOLS = Object.entries(TOOL_DEFS).map(([name, def]) => ({
-    type: "function",
-    function: { name, description: def.description, parameters: { type: "object", properties: def.params, required: def.required } }
+    params: def.params,
+    required: def.required
   }));
+  PROVIDER_DEFAULTS = {
+    anthropic: { model: "claude-haiku-4-5-20251001" },
+    openai: { model: "gpt-4o-mini", baseUrl: "https://api.openai.com" },
+    mistral: { model: "mistral-small-latest", baseUrl: "https://api.mistral.ai" },
+    groq: { model: "llama-3.1-70b-versatile", baseUrl: "https://api.groq.com/openai" },
+    "github-copilot": { model: "gpt-4o", baseUrl: "https://api.githubcopilot.com" },
+    ollama: { model: "llama3", baseUrl: "http://localhost:11434" },
+    gemini: { model: "gemini-1.5-flash" },
+    custom: { model: "" }
+  };
 });
 // src/daemon.ts
@@ -5677,7 +6695,7 @@ function printBanner(opts) {
   const hint = [
     `${paint.bold("r")} reload`,
     `${paint.bold("b")} background`,
-    `${paint.bold("/")} commands`,
+    `${paint.bold("/")} commands  ${paint.dim("(Tab to complete)")}`,
     `${paint.bold("q")} quit`,
     `${paint.bold("?")} help`
   ].join(`  ${dot}  `);
@@ -5908,6 +6926,392 @@ var init_update = __esm(() => {
   CHECK_INTERVAL = 24 * 60 * 60 * 1000;
 });
+// src/repl.ts
+function stripAnsi(s) {
+  return s.replace(/\x1B\[[0-9;]*[A-Za-z]/g, "");
+}
+function visualRows(line, cols) {
+  const len = stripAnsi(line).length;
+  if (len === 0)
+    return 1;
+  return Math.ceil(len / cols);
+}
+class Repl {
+  buf = "";
+  history = [];
+  histIdx = -1;
+  savedBuf = "";
+  running = false;
+  statusText = "";
+  promptDrawn = false;
+  drawingPrompt = false;
+  promptVisualRows = 0;
+  onCmd = null;
+  cols = process.stdout.columns || 80;
+  dynSuggestions = [];
+  constructor() {
+    if (isTTY) {
+      process.stdout.on("resize", () => {
+        this.cols = process.stdout.columns || 80;
+        if (this.running)
+          this.redraw();
+      });
+    }
+  }
+  setDynamicSuggestions(items) {
+    this.dynSuggestions = items;
+    if (this.running)
+      this.redraw();
+  }
+  setStatus(text) {
+    this.statusText = text;
+    if (this.running)
+      this.redraw();
+  }
+  print(line) {
+    process.stdout.write(line + `
+`);
+  }
+  start(onCmd) {
+    this.onCmd = onCmd;
+    this.running = true;
+    if (!isTTY || !process.stdin.setRawMode) {
+      this.startSimple(onCmd);
+      return;
+    }
+    const origWrite = process.stdout.write.bind(process.stdout);
+    const self = this;
+    const patched = function(chunk, enc, cb) {
+      if (self.drawingPrompt)
+        return origWrite(chunk, enc, cb);
+      const str = typeof chunk === "string" ? chunk : chunk instanceof Uint8Array ? new TextDecoder().decode(chunk) : String(chunk);
+      const isSpinnerWrite = str.startsWith("\r") && !str.includes(`
+`);
+      if (isSpinnerWrite || !self.promptDrawn)
+        return origWrite(chunk, enc, cb);
+      self.drawingPrompt = true;
+      for (let i = 0;i < self.promptVisualRows - 1; i++)
+        origWrite("\x1B[A");
+      origWrite("\r\x1B[J");
+      self.promptDrawn = false;
+      const r = origWrite(chunk, enc, cb);
+      if (!str.endsWith(`
+`))
+        origWrite(`
+`);
+      const lines = self.buildPromptLines();
+      self.promptVisualRows = lines.reduce((sum, l) => sum + visualRows(l, self.cols), 0);
+      origWrite(lines.join(`
+`));
+      self.promptDrawn = true;
+      self.drawingPrompt = false;
+      return r;
+    };
+    patched.__orig = origWrite;
+    process.stdout.write = patched;
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+    process.stdin.on("data", (key) => {
+      this.handleKey(key).catch(() => {});
+    });
+    this.drawPrompt();
+  }
+  stop() {
+    this.running = false;
+    if (this.promptDrawn)
+      this.clearPrompt();
+    if (process.stdout.write.__orig) {
+      process.stdout.write = process.stdout.write.__orig;
+    }
+    try {
+      process.stdin.setRawMode(false);
+      process.stdin.pause();
+    } catch {}
+  }
+  getSuggestions() {
+    if (!this.buf.startsWith("/"))
+      return [];
+    const raw = this.buf.slice(1);
+    if (!raw)
+      return BASE.slice(0, 6);
+    const parts = raw.split(" ");
+    const base = parts[0] ?? "";
+    if (raw.startsWith("auth use ") && this.dynSuggestions.length) {
+      const typed = raw.slice("auth use ".length);
+      return this.dynSuggestions.filter((s) => s.label.toLowerCase().startsWith(typed.toLowerCase()));
+    }
+    if (parts.length >= 2 && SUB[base]) {
+      return (SUB[base] ?? []).filter((s) => s.value.startsWith(raw));
+    }
+    return BASE.filter((c) => c.value.startsWith(raw));
+  }
+  getGhostText() {
+    if (!this.buf.startsWith("/"))
+      return "";
+    const suggestions = this.getSuggestions();
+    if (!suggestions.length)
+      return "";
+    const first = suggestions[0];
+    const full = "/" + first.value;
+    if (full === this.buf || !full.startsWith(this.buf))
+      return "";
+    return full.slice(this.buf.length);
+  }
+  buildPromptLines() {
+    const lines = [];
+    const suggestions = this.getSuggestions();
+    const DOT = paint.dim(" \xB7 ");
+    if (this.buf.startsWith("/") && suggestions.length > 0) {
+      const items = suggestions.slice(0, 5);
+      const row = items.map((s, i) => {
+        const label = "/" + s.label;
+        const desc = s.desc ? paint.dim("  " + s.desc) : "";
+        return i === 0 ? paint.cyan(label) + desc : paint.dim(label);
+      }).join(DOT);
+      lines.push(`  ${row}`);
+    }
+    if (this.statusText) {
+      const plain = stripAnsi(this.statusText);
+      const truncated = plain.length > this.cols - 4 ? plain.slice(0, this.cols - 7) + "\u2026" : plain;
+      lines.push(`  ${paint.dim(truncated)}`);
+    }
+    const ghost = this.getGhostText();
+    lines.push(`  ${paint.cyan("\u276F")} ${this.buf}${ghost ? paint.dim(ghost) : ""}`);
+    return lines;
+  }
+  clearPrompt() {
+    if (!this.promptDrawn)
+      return;
+    this.drawingPrompt = true;
+    for (let i = 0;i < this.promptVisualRows - 1; i++)
+      process.stdout.write("\x1B[A");
+    process.stdout.write("\r\x1B[J");
+    this.promptDrawn = false;
+    this.drawingPrompt = false;
+  }
+  drawPrompt() {
+    this.drawingPrompt = true;
+    const lines = this.buildPromptLines();
+    this.promptVisualRows = lines.reduce((sum, l) => sum + visualRows(l, this.cols), 0);
+    process.stdout.write(lines.join(`
+`));
+    this.promptDrawn = true;
+    this.drawingPrompt = false;
+  }
+  redraw() {
+    this.clearPrompt();
+    this.drawPrompt();
+  }
+  async handleKey(key) {
+    if (!this.running)
+      return;
+    if (key === "\x03" || key === "\x04") {
+      this.stop();
+      process.emit("SIGINT");
+      return;
+    }
+    if (key === "\f") {
+      this.drawingPrompt = true;
+      process.stdout.write("\x1B[2J\x1B[H");
+      this.drawingPrompt = false;
+      this.promptDrawn = false;
+      this.drawPrompt();
+      return;
+    }
+    if (key === "\x15") {
+      this.buf = "";
+      this.redraw();
+      return;
+    }
+    if (key === "\x17") {
+      this.buf = this.buf.replace(/\S+\s*$/, "");
+      this.redraw();
+      return;
+    }
+    if (key.startsWith("\x1B")) {
+      if (key === "\x1B") {
+        this.buf = "";
+        this.redraw();
+        return;
+      }
+      if (key === "\x1B[A") {
+        this.historyUp();
+        return;
+      }
+      if (key === "\x1B[B") {
+        this.historyDown();
+        return;
+      }
+      if (key === "\x1B[C") {
+        const g = this.getGhostText();
+        if (g) {
+          this.buf += g;
+          const raw = this.buf.slice(1);
+          if (SUB[raw])
+            this.buf += " ";
+          this.redraw();
+        }
+        return;
+      }
+      return;
+    }
+    if (key === "\t") {
+      const g = this.getGhostText();
+      if (g) {
+        this.buf += g;
+        const raw = this.buf.slice(1);
+        if (SUB[raw])
+          this.buf += " ";
+      } else {
+        const suggestions = this.getSuggestions();
+        if (suggestions[0] && "/" + suggestions[0].value !== this.buf) {
+          this.buf = "/" + suggestions[0].value;
+        }
+      }
+      this.redraw();
+      return;
+    }
+    if (key === "\x7F" || key === "\b") {
+      if (this.buf.length > 0) {
+        this.buf = this.buf.slice(0, -1);
+        this.redraw();
+      }
+      return;
+    }
+    if (key === "\r" || key === `
+`) {
+      await this.submit();
+      return;
+    }
+    if (this.buf === "") {
+      switch (key.toLowerCase()) {
+        case "r":
+          await this.dispatchImmediate("r");
+          return;
+        case "b":
+          await this.dispatchImmediate("b");
+          return;
+        case "s":
+          await this.dispatchImmediate("s");
+          return;
+        case "q":
+          await this.dispatchImmediate("q");
+          return;
+        case "?":
+        case "h":
+          await this.dispatchImmediate("h");
+          return;
+        case "/":
+          this.buf = "/";
+          this.redraw();
+          return;
+      }
+    }
+    const printable = key.replace(/[^\x20-\x7E]/g, "");
+    if (printable) {
+      this.buf += printable;
+      this.redraw();
+    }
+  }
+  async submit() {
+    const cmd = this.buf.trim();
+    this.buf = "";
+    this.clearPrompt();
+    process.stdout.write(`
+`);
+    this.promptDrawn = false;
+    if (cmd) {
+      this.history.unshift(cmd);
+      if (this.history.length > 200)
+        this.history.pop();
+      this.histIdx = -1;
+      this.savedBuf = "";
+      if (this.onCmd)
+        await this.onCmd(cmd);
+    }
+    this.drawPrompt();
+  }
+  async dispatchImmediate(key) {
+    this.clearPrompt();
+    process.stdout.write(`
+`);
+    this.promptDrawn = false;
+    if (this.onCmd)
+      await this.onCmd(key);
+    this.drawPrompt();
+  }
+  historyUp() {
+    if (!this.history.length)
+      return;
+    if (this.histIdx === -1)
+      this.savedBuf = this.buf;
+    this.histIdx = Math.min(this.histIdx + 1, this.history.length - 1);
+    this.buf = this.history[this.histIdx] ?? "";
+    this.redraw();
+  }
+  historyDown() {
+    if (this.histIdx === -1)
+      return;
+    this.histIdx--;
+    this.buf = this.histIdx === -1 ? this.savedBuf : this.history[this.histIdx] ?? "";
+    this.redraw();
+  }
+  startSimple(onCmd) {
+    process.stdout.write("  \u276F ");
+    process.stdin.setEncoding("utf8");
+    let line = "";
+    process.stdin.on("data", async (chunk) => {
+      for (const ch of chunk) {
+        if (ch === `
+` || ch === "\r") {
+          const cmd = line.trim();
+          line = "";
+          if (cmd)
+            await onCmd(cmd);
+          process.stdout.write("  \u276F ");
+        } else {
+          line += ch;
+        }
+      }
+    });
+  }
+}
+var BASE, SUB;
+var init_repl = __esm(() => {
+  init_ui();
+  BASE = [
+    { value: "help", label: "help", desc: "Show all commands" },
+    { value: "status", label: "status", desc: "Show server status" },
+    { value: "reload", label: "reload", desc: "Hot-reload the spec" },
+    { value: "spec", label: "spec", desc: "Load a different spec" },
+    { value: "mcp", label: "mcp", desc: "Toggle MCP endpoint" },
+    { value: "proxy", label: "proxy", desc: "Toggle HTTP proxy" },
+    { value: "ai", label: "ai", desc: "Toggle AI chat" },
+    { value: "readonly", label: "readonly", desc: "Toggle read-only mode" },
+    { value: "auth", label: "auth", desc: "Manage auth roles" },
+    { value: "token", label: "token", desc: "Manage access token" },
+    { value: "tail", label: "tail", desc: "Live request log" },
+    { value: "open", label: "open", desc: "Open studio in browser" },
+    { value: "update", label: "update", desc: "Update wasper" },
+    { value: "quit", label: "quit", desc: "Quit" }
+  ];
+  SUB = {
+    auth: [
+      { value: "auth list", label: "list", desc: "List auth profiles" },
+      { value: "auth use ", label: "use", desc: "Switch active profile" },
+      { value: "auth none", label: "none", desc: "Disable auth" }
+    ],
+    mcp: [{ value: "mcp on", label: "on", desc: "" }, { value: "mcp off", label: "off", desc: "" }],
+    proxy: [{ value: "proxy on", label: "on", desc: "" }, { value: "proxy off", label: "off", desc: "" }],
+    ai: [{ value: "ai on", label: "on", desc: "" }, { value: "ai off", label: "off", desc: "" }],
+    readonly: [{ value: "readonly on", label: "on", desc: "" }, { value: "readonly off", label: "off", desc: "" }],
+    token: [{ value: "token new", label: "new", desc: "Generate token" }, { value: "token off", label: "off", desc: "Remove token" }],
+    tail: [{ value: "tail on", label: "on", desc: "" }, { value: "tail off", label: "off", desc: "" }]
+  };
+});
 // src/commands/start.ts
 var exports_start = {};
 __export(exports_start, {
@@ -5942,18 +7346,44 @@ async function run2(overrideOpts) {
     printHelp();
     process.exit(0);
   }
-  const specUrl = overrideOpts?.url ?? (values.url ? String(values.url) : null) ?? process.env.WASPER_SPEC_URL ?? null;
+  let specUrl = overrideOpts?.url ?? (values.url ? String(values.url) : null) ?? process.env.WASPER_SPEC_URL ?? null;
   const PORT = overrideOpts?.port ?? parseInt(String(values.port ?? "3388"), 10);
   const HOST = overrideOpts?.host ?? (values.host ? String(values.host) : null) ?? process.env.WASPER_HOST ?? "0.0.0.0";
   const ORIGIN = (overrideOpts?.origin ?? (values.origin ? String(values.origin) : null) ?? process.env.WASPER_ORIGIN ?? null)?.replace(/\/$/, "") ?? null;
   const TOKEN = overrideOpts?.token ?? (values.token ? String(values.token) : null) ?? process.env.WASPER_TOKEN ?? null;
   const bgNow = overrideOpts?.daemon ?? !!(values.background || values.daemon);
   const isDaemon = overrideOpts?.isDaemon ?? !!values["_daemon"];
+  if (!specUrl && !isDaemon) {
+    const last = dbQueries.getLastSpec();
+    if (last) {
+      specUrl = last.url;
+      if (isTTY)
+        console.log(`  ${paint.dim("\u21A9")}  Resuming ${paint.cyan(last.title ?? last.url)}  ${paint.dim("(last used)")}
+`);
+    }
+  }
   setServerConfig({ port: PORT, host: HOST, origin: ORIGIN, token: TOKEN });
+  {
+    const saved = dbQueries.getSetting("features");
+    if (saved) {
+      try {
+        const obj = JSON.parse(saved);
+        const patch = {};
+        if (obj.mcp === false)
+          patch.mcp = false;
+        if (obj.proxy === false)
+          patch.proxy = false;
+        if (obj.ai === false)
+          patch.ai = false;
+        if (Object.keys(patch).length)
+          setFeatures(patch);
+      } catch {}
+    }
+  }
   setFeatures({
-    mcp: !values["no-mcp"],
-    proxy: !values["no-proxy"],
-    ai: !values["no-ai"],
+    ...values["no-mcp"] ? { mcp: false } : {},
+    ...values["no-proxy"] ? { proxy: false } : {},
+    ...values["no-ai"] ? { ai: false } : {},
     readonly: !!values.readonly
   });
   if (bgNow) {
@@ -5980,6 +7410,7 @@ async function run2(overrideOpts) {
       specVersion = state.spec.version;
       endpointCount = state.operations.length;
       spinner.stop();
+      dbQueries.upsertSpec(specUrl, specTitle ?? null, specVersion ?? null, endpointCount);
     } catch (e) {
       spinner.stop("\u2717", `Failed to load spec: ${e instanceof Error ? e.message : String(e)}`, "red");
     }
@@ -6002,6 +7433,8 @@ async function run2(overrideOpts) {
         if (req.method === "OPTIONS") {
           return new Response(null, { status: 204, headers: CORS_HEADERS });
         }
+        if (pathname.startsWith("/c/"))
+          return captureHandler(req);
         if (!isAuthorized(req)) {
           return new Response(JSON.stringify({ error: "Unauthorized: pass Authorization: Bearer <token> or ?token=" }), {
             status: 401,
@@ -6092,127 +7525,129 @@ async function run2(overrideOpts) {
 function attachKeyboard(opts) {
   const ctx = { specUrl: opts.specUrl, PORT: opts.PORT, tailOff: null };
   let isReloading = false;
-  let cmdBuf = null;
-  process.stdin.setRawMode(true);
-  process.stdin.resume();
-  process.stdin.setEncoding("utf8");
-  const spinner = new Spinner;
+  const repl = new Repl;
+  const buildStatus = () => {
+    const state = hasState() ? getState() : null;
+    const f = getFeatures();
+    const cfg = getServerConfig();
+    const active = dbQueries.getActiveProfile();
+    const parts = [];
+    if (state) {
+      parts.push(`${state.spec.title} v${state.spec.version} \xB7 ${state.operations.length} ep`);
+    } else {
+      parts.push("no spec");
+    }
+    parts.push(`:${ctx.PORT}`);
+    const flags = [];
+    if (!f.mcp)
+      flags.push("mcp:off");
+    if (!f.proxy)
+      flags.push("proxy:off");
+    if (!f.ai)
+      flags.push("ai:off");
+    if (f.readonly)
+      flags.push("readonly:on");
+    if (flags.length)
+      parts.push(flags.join(" "));
+    parts.push(`auth:${active ? active.name : "none"}`);
+    if (cfg.token)
+      parts.push("token:set");
+    if (ctx.tailOff)
+      parts.push("tail:on");
+    return parts.join("  \xB7  ");
+  };
+  const refreshStatus = () => repl.setStatus(buildStatus());
+  const refreshAuthSuggestions = () => {
+    const profiles = dbQueries.getProfiles();
+    repl.setDynamicSuggestions(profiles.map((p) => ({
+      value: `auth use ${p.name}`,
+      label: p.name,
+      desc: p.type
+    })));
+  };
   const reload = async () => {
     if (isReloading)
       return;
-    process.stdout.write(`
-`);
     if (!ctx.specUrl) {
-      console.log(`  ${paint.yellow("\u25CB")}  No spec URL \u2014 use /spec <url> or start with --url <url>`);
-      console.log();
+      console.log(`
+  ${paint.yellow("\u25CB")}  No spec URL \u2014 use /spec <url>
+`);
       return;
     }
     isReloading = true;
-    spinner.start(`Reloading spec\u2026`);
+    let fi = 0;
+    const base = buildStatus();
+    const spinTimer = setInterval(() => {
+      repl.setStatus(`${SPIN_FRAMES[fi++ % SPIN_FRAMES.length]}  Reloading\u2026  \xB7  ${base}`);
+    }, 80);
     try {
       const state = await loadSpec(ctx.specUrl);
-      spinner.stop("\u2713", `${paint.bold(state.spec.title)}  ${paint.dim("v" + state.spec.version)}  ${paint.dim("\xB7")}  ${paint.green(state.operations.length + " endpoints")}`, "green");
+      clearInterval(spinTimer);
+      dbQueries.upsertSpec(ctx.specUrl, state.spec.title, state.spec.version, state.operations.length);
+      console.log(`  ${paint.green("\u2713")}  ${paint.bold(state.spec.title)}  ${paint.dim("v" + state.spec.version)}  \xB7  ${paint.green(state.operations.length + " endpoints")}
+`);
     } catch (e) {
-      spinner.stop("\u2717", `Reload failed: ${e instanceof Error ? e.message : String(e)}`, "red");
+      clearInterval(spinTimer);
+      console.log(`  ${paint.red("\u2717")}  Reload failed: ${e instanceof Error ? e.message : String(e)}
+`);
     } finally {
       isReloading = false;
+      refreshStatus();
     }
-    console.log();
   };
-  const printPrompt = () => process.stdout.write(`\r\x1B[K  ${paint.cyan("\u276F")} ${cmdBuf}`);
-  process.stdin.on("data", async (chunk) => {
-    if (chunk.startsWith("\x1B") && chunk.length > 1)
-      return;
-    for (const key of chunk)
-      await handleKey(key);
-  });
-  const handleKey = async (key) => {
-    if (key === "\x03") {
-      if (cmdBuf !== null) {
-        cmdBuf = null;
-        process.stdout.write("\r\x1B[K");
-        return;
-      }
-      process.emit("SIGINT");
-      return;
-    }
-    if (cmdBuf !== null) {
-      if (key === "\x1B") {
-        cmdBuf = null;
-        process.stdout.write("\r\x1B[K");
-        return;
-      }
-      if (key === "\x7F" || key === "\b") {
-        cmdBuf = cmdBuf.slice(0, -1);
-        if (!cmdBuf) {
-          cmdBuf = null;
-          process.stdout.write("\r\x1B[K");
+  const handler = async (input) => {
+    const cmd = input.trim();
+    if (cmd.length === 1) {
+      switch (cmd.toLowerCase()) {
+        case "r":
+          await reload();
           return;
-        }
-        printPrompt();
-        return;
-      }
-      if (key === "\r" || key === `
-`) {
-        const cmd = cmdBuf;
-        cmdBuf = null;
-        process.stdout.write("\r\x1B[K");
-        await runSlashCommand(cmd, ctx, reload);
-        return;
-      }
-      const printable = key.replace(/[^\x20-\x7E]/g, "");
-      if (printable) {
-        cmdBuf += printable;
-        printPrompt();
-      }
-      return;
-    }
-    if (key === "/") {
-      cmdBuf = "/";
-      printPrompt();
-      return;
-    }
-    switch (key.toLowerCase()) {
-      case "r":
-        await reload();
-        break;
-      case "b": {
-        process.stdin.setRawMode(false);
-        process.stdin.pause();
-        process.on("SIGHUP", () => {});
-        console.log(`
-  ${paint.green("\u2713")}  Detached  ${paint.dim(`PID ${process.pid}`)}`);
-        console.log(`  ${paint.dim("\u279C")}  ${paint.dim("wasper status")}  ${paint.dim("\xB7")}  ${paint.dim("wasper stop")}
+        case "s":
+          printInlineStatus(ctx);
+          return;
+        case "q":
+          process.emit("SIGINT");
+          return;
+        case "h":
+        case "?":
+          printInteractiveHelp();
+          return;
+        case "b": {
+          repl.stop();
+          process.on("SIGHUP", () => {});
+          console.log(`
+  ${paint.green("\u2713")}  Detached  ${paint.dim("PID " + process.pid)}`);
+          console.log(`  ${paint.dim("\u279C")}  ${paint.dim("wasper status")}  ${paint.dim("\xB7")}  ${paint.dim("wasper stop")}
 `);
-        break;
+          return;
+        }
       }
-      case "s":
-        printInlineStatus(ctx);
-        break;
-      case "?":
-      case "h":
-        printInteractiveHelp();
-        break;
-      case "q":
-        process.emit("SIGINT");
-        break;
     }
+    const slashCmd = cmd.startsWith("/") ? cmd : `/${cmd}`;
+    await runSlashCommand(slashCmd, ctx, reload);
+    refreshStatus();
+    refreshAuthSuggestions();
   };
+  refreshAuthSuggestions();
+  repl.setStatus(buildStatus());
+  repl.start(handler);
 }
 function printInlineStatus(ctx) {
   const state = hasState() ? getState() : null;
   const f = getFeatures();
   const cfg = getServerConfig();
-  const flag = (on) => on ? paint.green("on") : paint.red("off");
+  const on = (v) => v ? paint.green("on") : paint.dim("off");
+  const dot = paint.dim("\xB7");
   console.log(`
-  ${paint.dim("\u25CF")}  ${paint.bold("OpenAPI Agent")}  PID ${process.pid}  port ${ctx.PORT}`);
+  ${paint.green("\u25CF")}  ${paint.bold("wasper")}  ${paint.dim("PID " + process.pid)}  ${dot}  ${paint.dim(":" + ctx.PORT)}`);
   if (state) {
-    console.log(`     ${paint.bold(state.spec.title)} v${state.spec.version} \xB7 ${state.operations.length} endpoints`);
+    console.log(`     ${paint.bold(state.spec.title)}  ${paint.dim("v" + state.spec.version)}  ${dot}  ${paint.green(state.operations.length + " endpoints")}`);
+  } else {
+    console.log(`     ${paint.dim("no spec loaded")}`);
   }
-  console.log(`     mcp ${flag(f.mcp)}  ${paint.dim("\xB7")}  proxy ${flag(f.proxy)}  ${paint.dim("\xB7")}  ai ${flag(f.ai)}  ${paint.dim("\xB7")}  readonly ${flag(f.readonly)}  ${paint.dim("\xB7")}  token ${cfg.token ? paint.green("set") : paint.dim("none")}`);
+  console.log(`     mcp ${on(f.mcp)}  ${dot}  proxy ${on(f.proxy)}  ${dot}  ai ${on(f.ai)}  ${dot}  readonly ${on(f.readonly)}  ${dot}  token ${cfg.token ? paint.green("set") : paint.dim("none")}`);
   const active = dbQueries.getActiveProfile();
-  if (active)
-    console.log(`     auth role: ${paint.bold(active.name)} ${paint.dim(`(${active.type})`)}`);
+  console.log(`     auth ${active ? paint.bold(active.name) + "  " + paint.dim("(" + active.type + ")") : paint.dim("none")}`);
   console.log();
 }
 async function runSlashCommand(input, ctx, reload) {
@@ -6224,6 +7659,7 @@ async function runSlashCommand(input, ctx, reload) {
     const cur = getFeatures()[name];
     const next = arg === "on" ? true : arg === "off" ? false : !cur;
     setFeatures({ [name]: next });
+    persistAndBroadcastFeatures();
     console.log(`  ${next ? paint.green("\u2713") : paint.yellow("\u25CB")}  ${label} ${next ? paint.green("enabled") : paint.yellow("disabled")}
 `);
   };
@@ -6368,40 +7804,48 @@ async function runSlashCommand(input, ctx, reload) {
   }
 }
 function printInteractiveHelp() {
+  const k = (s) => paint.bold(s);
+  const d = (s) => paint.dim(s);
+  const hr = d("\u2500".repeat(50));
   console.log(`
-  ${paint.bold("Keys")}
-  ${paint.dim("\u2500".repeat(46))}
-  ${paint.bold("r")}   Hot-reload OpenAPI spec from URL
-  ${paint.bold("s")}   Print current status
-  ${paint.bold("b")}   Detach to background (survive terminal close)
-  ${paint.bold("q")}   Quit gracefully
-  ${paint.bold("/")}   Type a slash command  ${paint.dim("(Esc cancels)")}
+  ${paint.bold("Keys")}  ${d("(when input is empty)")}
+  ${hr}
+  ${k("r")}   Hot-reload spec          ${k("b")}   Detach to background
+  ${k("s")}   Print status             ${k("q")}   Quit
+  ${k("/")}   Start a command          ${k("?")}   This help
+  ${d("\u2191 / \u2193")} cycle command history  \xB7  ${d("\u2192 or Tab")} accept autocomplete
+  ${d("Ctrl+L")} clear screen  \xB7  ${d("Ctrl+U")} clear input  \xB7  ${d("Esc")} cancel
   ${paint.bold("Slash commands")}
-  ${paint.dim("\u2500".repeat(46))}
-  ${paint.bold("/mcp")} ${paint.dim("[on|off]")}        Toggle the MCP endpoint
-  ${paint.bold("/proxy")} ${paint.dim("[on|off]")}      Toggle the HTTP proxy
-  ${paint.bold("/ai")} ${paint.dim("[on|off]")}         Toggle the AI chat endpoint
-  ${paint.bold("/readonly")} ${paint.dim("[on|off]")}   Block non-GET upstream requests
-  ${paint.bold("/auth")}                List auth roles
-  ${paint.bold("/auth use")} ${paint.dim("<name>")}     Switch active auth role
-  ${paint.bold("/auth none")}           Disable auth
-  ${paint.bold("/token")} ${paint.dim("[new|off|<v>]")} Show / rotate / set the access token
-  ${paint.bold("/spec")} ${paint.dim("<url>")}          Load a different OpenAPI spec
-  ${paint.bold("/tail")} ${paint.dim("[on|off]")}       Live request log in this terminal
-  ${paint.bold("/open")}                Open the studio in a browser
-  ${paint.bold("/status")} ${paint.dim("\xB7")} ${paint.bold("/reload")} ${paint.dim("\xB7")} ${paint.bold("/help")} ${paint.dim("\xB7")} ${paint.bold("/quit")}
+  ${hr}
+  ${k("/spec")} ${d("<url>")}          Load a different OpenAPI spec
+  ${k("/mcp")} ${d("[on|off]")}        Toggle the MCP endpoint
+  ${k("/proxy")} ${d("[on|off]")}      Toggle the HTTP proxy
+  ${k("/ai")} ${d("[on|off]")}         Toggle the AI chat endpoint
+  ${k("/readonly")} ${d("[on|off]")}   Block non-GET upstream requests
+  ${k("/auth")}                List saved auth profiles
+  ${k("/auth use")} ${d("<name>")}     Switch active auth profile
+  ${k("/auth none")}           Disable auth
+  ${k("/token")} ${d("[new|off|<v>]")} Show / rotate / set the access token
+  ${k("/tail")} ${d("[on|off]")}       Live request log in this terminal
+  ${k("/open")}                Open the studio in a browser
+  ${k("/update")}              Update wasper to the latest version
+  ${k("/status")}  ${k("/reload")}  ${k("/help")}  ${k("/quit")}
 `);
 }
 function printHelp() {
   console.log(`
 Usage: wasper [start] [options]
-  openapi-agent [--url <spec-url>] [--port <port>]   Start in foreground
+  wasper [--url <spec-url>] [--port <port>]    Start in foreground (auto-resumes last spec)
   wasper start --background                   Start in background
   wasper stop                                 Stop background server
   wasper status                               Show server status
   wasper reload                               Hot-reload the spec
+  wasper ls                                   List saved specs (history)
+  wasper use <number|url>                     Start with a saved spec
+  wasper rm  <number|url>                     Remove a spec from history
 Options:
   --url, -u        OpenAPI spec URL or local path
@@ -6520,9 +7964,11 @@ async function runFirstTimeSetup(port, origin) {
   ${paint.dim("Skip future prompts: set WASPER_NO_FIRST_RUN=1")}
 `);
 }
+var SPIN_FRAMES;
 var init_start = __esm(() => {
   init_server();
   init_handler();
+  init_capture();
   init_routes();
   init_bus();
   init_db();
@@ -6531,6 +7977,9 @@ var init_start = __esm(() => {
   init_config();
   init_update();
   init_ui();
+  init_repl();
+  init_routes();
+  SPIN_FRAMES = ["\u280B", "\u2819", "\u2839", "\u2838", "\u283C", "\u2834", "\u2826", "\u2827", "\u2807", "\u280F"];
 });
 // index.ts