24 changed files with 759 additions and 3446 deletions
--- a/.forgejo/workflows/release.yml
+++ b/.forgejo/workflows/release.yml
@ -12,8 +12,6 @@ jobs:
    env:
      BINARY_NAME: email-mcp
      BUILD_PATH: build/email-mcp-linux-amd64
      CHECKSUM_PATH: build/email-mcp-linux-amd64.sha256
      MANIFEST_PATH: mcp.toml
    steps:
      - name: Checkout
@ -29,14 +27,6 @@ jobs:
      - name: Build linux amd64 binary
        run: make build GOOS=linux GOARCH=amd64
      - name: Generate binary checksum
        run: |
          set -euo pipefail
          asset_name="$(basename "${BUILD_PATH}")"
          checksum_value="$(sha256sum "${BUILD_PATH}" | cut -d' ' -f1)"
          printf '%s  %s\n' "${checksum_value}" "${asset_name}" > "${CHECKSUM_PATH}"
      - name: Generate release notes
        id: release_notes
        env:
@ -147,57 +137,3 @@ jobs:
            cat asset.json >&2
            exit 1
          fi
      - name: Upload manifest asset
        env:
          REPOSITORY: ${{ github.repository }}
          API_URL: ${{ github.api_url }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          RELEASE_ID: ${{ steps.release.outputs.release_id }}
        run: |
          set -euo pipefail
          owner="${REPOSITORY%%/*}"
          repo="${REPOSITORY#*/}"
          asset_name="$(basename "${MANIFEST_PATH}")"
          upload_url="${API_URL}/repos/${owner}/${repo}/releases/${RELEASE_ID}/assets?name=${asset_name}"
          http_code="$(curl -sS -o asset.json -w '%{http_code}' \
            -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"${MANIFEST_PATH}" \
            "${upload_url}")"
          if [ "${http_code}" -lt 200 ] || [ "${http_code}" -ge 300 ]; then
            echo "asset upload failed with status ${http_code}" >&2
            cat asset.json >&2
            exit 1
          fi
      - name: Upload checksum asset
        env:
          REPOSITORY: ${{ github.repository }}
          API_URL: ${{ github.api_url }}
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          RELEASE_ID: ${{ steps.release.outputs.release_id }}
        run: |
          set -euo pipefail
          owner="${REPOSITORY%%/*}"
          repo="${REPOSITORY#*/}"
          asset_name="$(basename "${CHECKSUM_PATH}")"
          upload_url="${API_URL}/repos/${owner}/${repo}/releases/${RELEASE_ID}/assets?name=${asset_name}"
          http_code="$(curl -sS -o asset.json -w '%{http_code}' \
            -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/octet-stream" \
            --data-binary @"${CHECKSUM_PATH}" \
            "${upload_url}")"
          if [ "${http_code}" -lt 200 ] || [ "${http_code}" -ge 300 ]; then
            echo "asset upload failed with status ${http_code}" >&2
            cat asset.json >&2
            exit 1
          fi
--- a/13
+++ b/13
@ -1,7 +1,6 @@
 BINARY_NAME := email-mcp
 BUILD_DIR   := build
 GOCACHE     ?= /tmp/$(BINARY_NAME)-gocache
 VERSION     ?= $(shell git describe --tags --always --dirty 2>/dev/null || echo dev)
 GOOS   ?= $(shell go env GOOS)
 GOARCH ?= $(shell go env GOARCH)
@ -14,20 +13,12 @@ endif
 OUTPUT := $(BUILD_DIR)/$(BINARY_NAME)-$(GOOS)-$(GOARCH)$(EXT)
-.PHONY: build test generate generate-check
+.PHONY: build test
 build:
 	@mkdir -p $(BUILD_DIR) $(GOCACHE)
-	GOCACHE=$(GOCACHE) GOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags "-X main.version=$(VERSION)" -o $(OUTPUT) ./cmd/email-mcp
+	GOCACHE=$(GOCACHE) GOOS=$(GOOS) GOARCH=$(GOARCH) go build -o $(OUTPUT) ./cmd/email-mcp
 test:
 	@mkdir -p $(GOCACHE)
 	GOCACHE=$(GOCACHE) go test ./...
 generate:
 	@mkdir -p $(GOCACHE)
 	GOCACHE=$(GOCACHE) go run forge.lclr.dev/AI/mcp-framework/cmd/mcp-framework generate
 generate-check:
 	@mkdir -p $(GOCACHE)
 	GOCACHE=$(GOCACHE) go run forge.lclr.dev/AI/mcp-framework/cmd/mcp-framework generate --check
--- a/README.md
+++ b/README.md
@ -1,173 +1,72 @@
 # email-mcp
-Serveur MCP local pour lire une boîte mail via IMAP. Le serveur parle le protocole MCP standard sur `stdio`, avec des messages **JSON-RPC 2.0** (`initialize`, `notifications/initialized`, `tools/list`, `tools/call`).
+Serveur MCP local pour lire une boîte mail via IMAP. Le serveur parle le protocole MCP standard sur `stdio`, avec des messages **JSON-RPC 2.0** (`initialize`, `notifications/initialized`, `tools/list`, `tools/call`). Le projet expose trois outils :
-Le binaire s’appuie maintenant sur [`mcp-framework`](../mcp-framework) pour :
+- **`list_mailboxes`** — lister les boîtes IMAP visibles
 - **`list_messages`** — lister les messages récents d'une boîte
 - **`get_message`** — récupérer un message par UID IMAP
- la gestion de profils CLI
+Le stockage des credentials repose sur **KDE Wallet** via **D-Bus**. La V1 cible Linux avec session KDE Wallet disponible.
 - le stockage JSON de configuration dans `os.UserConfigDir()`
 - le stockage du mot de passe dans Bitwarden via `bw`
 - le manifeste `mcp.toml`
 - les helpers Go générés depuis `mcp.toml` (`mcpgen/`)
 - l’auto-update via `email-mcp update`
-## Commandes
+## Sommaire
- `email-mcp setup` : configure (ou met à jour) un profil IMAP
+- [Prérequis](#prérequis)
- `email-mcp config show` : affiche la configuration IMAP résolue et la provenance
+- [Configuration](#configuration)
- `email-mcp config test` : lance les checks de configuration/connectivité (équivalent de `doctor`)
+  - [Étape 1 : enregistrer les credentials](#étape-1--enregistrer-les-credentials)
- `email-mcp config delete` : supprime un profil local et son mot de passe stocké
+  - [Étape 2 : lancer le serveur MCP](#étape-2--lancer-le-serveur-mcp)
- `email-mcp mcp` : lance le serveur MCP sur `stdin/stdout`
+- [Installation](#installation)
- `email-mcp doctor` : diagnostique la configuration locale, Bitwarden, le manifeste et l’accès IMAP
+  - [Claude Code CLI](#claude-code-cli)
- `email-mcp update` : met à jour le binaire courant depuis la dernière release
+  - [Configuration JSON manuelle](#configuration-json-manuelle)
- `email-mcp version` : affiche la version du binaire
+- [Compiler depuis les sources](#compiler-depuis-les-sources)
 - [Outils](#outils)
  - [list_mailboxes](#list_mailboxes)
  - [list_messages](#list_messages)
  - [get_message](#get_message)
-La commande `email-mcp help` (ou `-h` / `--help`) affiche l’aide globale.
+## Prérequis
-## Outils MCP
+- Linux
-
+- une session D-Bus utilisateur active
- `list_mailboxes` : lister les boîtes IMAP visibles
+- KDE Wallet accessible sur cette session
- `list_messages` : lister les messages récents d’une boîte
+- Go 1.25+
- `get_message` : récupérer un message par UID IMAP
+- un compte IMAP fonctionnel
 ## Configuration
-La configuration est séparée en deux parties :
+### Étape 1 : enregistrer les credentials
- `host` et `username` sont stockés dans `config.json`
+Le setup est interactif :
 - `password` est stocké dans Bitwarden via le CLI `bw`
 Le profil actif est résolu dans cet ordre :
 1. `--profile`
 2. `EMAIL_MCP_PROFILE`
 3. `current_profile` dans `config.json`
 4. `[profiles].default` dans `mcp.toml`
 5. `default`
 Les credentials IMAP sont résolus ensuite via les champs `[[config.fields]]` du manifeste et les helpers générés par le framework :
 1. `host` : `EMAIL_MCP_HOST` puis `config.json`
 2. `username` : `EMAIL_MCP_USERNAME` puis `config.json`
 3. `password` : `EMAIL_MCP_PASSWORD` puis secret Bitwarden `imap-password/<profile>`
 ### Configurer un profil
 ```sh
 ./email-mcp setup
 ```
 Pour un profil nommé :
 ```sh
 ./email-mcp setup --profile work
 ```
 Le binaire demande ensuite :
-1. l’hôte IMAP
+1. l'hôte IMAP
-2. le nom d’utilisateur
+2. le nom d'utilisateur
 3. le mot de passe
-Si un mot de passe existe déjà dans Bitwarden, laisser le champ vide le conserve.
+Les credentials sont stockés dans KDE Wallet sous le profil `default`.
-Le backend de secrets déclaré dans `mcp.toml` est `bitwarden-cli`. Le CLI `bw` doit être installé, connecté et déverrouillé avec `BW_SESSION` disponible dans l’environnement. `EMAIL_MCP_PASSWORD` reste accepté pour fournir le mot de passe sans lire Bitwarden.
+Si KDE Wallet n'est pas disponible, le setup échoue explicitement et n'écrit rien ailleurs.
-### Lancer le serveur MCP
+### Étape 2 : lancer le serveur MCP
 Le serveur MCP s'exécute sur `stdin/stdout` avec le handshake MCP standard :
 ```sh
 ./email-mcp mcp
 ```
-Pour un profil nommé :
+Si aucun credential n'a été configuré, le serveur renvoie l'erreur :
 ```sh
 ./email-mcp mcp --profile work
 ```
 Si aucun credential n’a été configuré pour le profil résolu, le serveur renvoie l’erreur :
 ```text
 credentials not configured; run `email-mcp setup`
 ```
 ### Inspecter la configuration résolue
 ```sh
 ./email-mcp config show
 ./email-mcp config show --profile work
 ```
 ### Tester la configuration résolue
 ```sh
 ./email-mcp config test
 ./email-mcp config test --profile work
 ```
 ## Auto-update
 `email-mcp update` lit `mcp.toml` depuis le répertoire du binaire courant, puis remonte les répertoires parents. Si aucun manifeste n’est trouvé, la commande échoue.
 ```sh
 ./email-mcp update
 ```
 Le manifeste de ce repo utilise le driver Gitea du framework :
 ```toml
 binary_name = "email-mcp"
 [update]
 source_name = "email-mcp releases"
 driver = "gitea"
 repository = "AI/email-mcp"
 base_url = "https://gitea.lclr.dev"
 asset_name_template = "{binary}-{os}-{arch}{ext}"
 checksum_asset_name = "{asset}.sha256"
 checksum_required = true
 token_env_names = ["GITEA_TOKEN"]
 ```
 ## Diagnostic
 `email-mcp doctor` vérifie :
 - la lisibilité du fichier de configuration
 - le profil IMAP résolu
 - la disponibilité du backend Bitwarden
 - la présence du mot de passe stocké
 - la validité du manifeste `mcp.toml`
 - la connectivité IMAP avec les credentials résolus
 ```sh
 ./email-mcp doctor
 ./email-mcp doctor --profile work
 ```
 La commande retourne un code de sortie non nul si au moins un check échoue.
 Pour l’update, la validation du manifeste accepte :
 - soit `update.latest_release_url`
 - soit un couple driver/référentiel (`update.driver`, `update.repository`) avec les champs requis (ex. `update.base_url` pour Gitea)
 ## Installation
 ### Installateur interactif
 Le repo inclut un assistant interactif `install.sh` :
 ```sh
 ./install.sh
 ```
 Tu peux aussi l’exécuter directement depuis la branche `main` :
 ```sh
 curl -fsSL https://gitea.lclr.dev/AI/email-mcp/raw/branch/main/install.sh | bash
 ```
 ### Claude Code CLI
 Ajoute le serveur MCP en pointant vers le binaire et la sous-commande `mcp` :
@ -176,7 +75,7 @@ Ajoute le serveur MCP en pointant vers le binaire et la sous-commande `mcp` :
 claude mcp add email-mcp -- /absolute/path/to/bin/email-mcp mcp
 ```
-La configuration se fait une fois séparément via `email-mcp setup`.
+Le `setup` doit être exécuté une fois séparément avant d'utiliser le serveur.
 ### Configuration JSON manuelle
@ -197,11 +96,14 @@ Ajoute le bloc suivant à ta configuration MCP (`~/.claude.json` côté utilisat
 Une release est générée automatiquement quand tu pousses un tag `v*` sur le repo Gitea.
-Les assets publiés sont :
+Exemple pour démarrer en `v1.0` :
- `build/email-mcp-linux-amd64`
+```sh
- `build/email-mcp-linux-amd64.sha256`
+git tag v1.0
- `mcp.toml`
+git push origin v1.0
 ```
 Le workflow build alors `email-mcp` pour `linux/amd64` et joint le binaire `build/email-mcp-linux-amd64` comme asset de la release.
 ## Compiler depuis les sources
@ -209,7 +111,7 @@ Les assets publiés sont :
 make build
 ```
-Le binaire est généré dans `build/email-mcp-<goos>-<goarch>` avec une version injectée depuis `git describe`.
+Le binaire est généré dans `build/email-mcp-<goos>-<goarch>`.
 Pour cross-compiler :
@ -223,9 +125,34 @@ Pour lancer les tests :
 make test
 ```
-Pour régénérer la glue framework après une modification de `mcp.toml` :
+## Outils
-```sh
+### list_mailboxes
-make generate
+
-make generate-check
+Liste les boîtes IMAP visibles pour le compte configuré. Aucun paramètre.
-```
+
 ### list_messages
 Liste les messages récents d'une boîte.
 | Paramètre | Type | Description |
 |---|---|---|
 | `mailbox` | string | **Requis.** Nom de la boîte IMAP |
 | `limit` | number | Nombre maximum de messages à retourner. Par défaut : `20` |
 Retourne des résumés de messages avec un `uid` IMAP stable, le sujet et l'expéditeur.
 ### get_message
 Récupère un message précis à partir de sa boîte et de son UID IMAP.
 | Paramètre | Type | Description |
 |---|---|---|
 | `mailbox` | string | **Requis.** Nom de la boîte IMAP |
 | `uid` | number | **Requis.** UID IMAP du message |
 Retourne :
 - les métadonnées du message
 - les headers dans l'ordre d'origine
 - un body texte décodé de manière conservative pour les contenus MIME courants
--- a/cmd/email-mcp/main.go
+++ b/cmd/email-mcp/main.go
@ -6,9 +6,7 @@ import (
 	"email-mcp/internal/cli"
 )
 var version = "dev"
 func main() {
-	app := cli.BuildApp(version)
+	app := cli.BuildApp()
 	os.Exit(cli.Execute(app, os.Args[1:], os.Stderr))
 }
--- a/go.mod
+++ b/go.mod
@ -3,22 +3,12 @@ module email-mcp
 go 1.25.0
 require (
 	forge.lclr.dev/AI/mcp-framework v1.13.0
 	github.com/emersion/go-imap/v2 v2.0.0-beta.8
 	github.com/emersion/go-message v0.18.2
 	github.com/godbus/dbus/v5 v5.2.2
 )
 require (
-	github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
+	github.com/emersion/go-message v0.18.2 // indirect
 	github.com/99designs/keyring v1.2.2 // indirect
 	github.com/BurntSushi/toml v1.6.0 // indirect
 	github.com/danieljoos/wincred v1.1.2 // indirect
 	github.com/dvsekhvalnov/jose2go v1.5.0 // indirect
 	github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 // indirect
-	github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
+	golang.org/x/sys v0.27.0 // indirect
 	github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect
 	github.com/mtibben/percent v0.2.1 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/term v0.40.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,50 +1,11 @@
 forge.lclr.dev/AI/mcp-framework v1.9.0 h1:8i2CHQlQo/mRG1BE2UArHptAa/HC7AOhZBIqz8md8Vk=
 forge.lclr.dev/AI/mcp-framework v1.9.0/go.mod h1:2xzmFEHGLQzT5PORq35j10pRhsOm0CDwivUZTHvxgh4=
 forge.lclr.dev/AI/mcp-framework v1.10.0 h1:RrTy7K/hSruaVS9Z/oaRpkLs2U5WGs4H3tox7PiErak=
 forge.lclr.dev/AI/mcp-framework v1.10.0/go.mod h1:2xzmFEHGLQzT5PORq35j10pRhsOm0CDwivUZTHvxgh4=
 forge.lclr.dev/AI/mcp-framework v1.12.0 h1:pu1cfWcL62BF+f7DBe4IbkigHLcK6YOJ3vEBz1495AY=
 forge.lclr.dev/AI/mcp-framework v1.12.0/go.mod h1:2xzmFEHGLQzT5PORq35j10pRhsOm0CDwivUZTHvxgh4=
 forge.lclr.dev/AI/mcp-framework v1.13.0 h1:YfC/AqdzTHGRgtZxMl7CfDN+duFezyQ4nkX9uTD+HX0=
 forge.lclr.dev/AI/mcp-framework v1.13.0/go.mod h1:2xzmFEHGLQzT5PORq35j10pRhsOm0CDwivUZTHvxgh4=
 github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 h1:/vQbFIOMbk2FiG/kXiLl8BRyzTWDw7gX/Hz7Dd5eDMs=
 github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4/go.mod h1:hN7oaIRCjzsZ2dE+yG5k+rsdt3qcwykqK6HVGcKwsw4=
 github.com/99designs/keyring v1.2.2 h1:pZd3neh/EmUzWONb35LxQfvuY7kiSXAq3HQd97+XBn0=
 github.com/99designs/keyring v1.2.2/go.mod h1:wes/FrByc8j7lFOAGLGSNEg8f/PaI3cgTBqhFkHUrPk=
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuAyr0=
 github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dvsekhvalnov/jose2go v1.5.0 h1:3j8ya4Z4kMCwT5nXIKFSV84YS+HdqSSO0VsTQxaLAeM=
 github.com/dvsekhvalnov/jose2go v1.5.0/go.mod h1:QsHjhyTlD/lAVqn/NSbVZmSCGeDehTB/mPZadG+mhXU=
 github.com/emersion/go-imap/v2 v2.0.0-beta.8 h1:5IXZK1E33DyeP526320J3RS7eFlCYGFgtbrfapqDPug=
 github.com/emersion/go-imap/v2 v2.0.0-beta.8/go.mod h1:dhoFe2Q0PwLrMD7oZw8ODuaD0vLYPe5uj2wcOMnvh48=
 github.com/emersion/go-message v0.18.2 h1:rl55SQdjd9oJcIoQNhubD2Acs1E6IzlZISRTK7x/Lpg=
 github.com/emersion/go-message v0.18.2/go.mod h1:XpJyL70LwRvq2a8rVbHXikPgKj8+aI0kGdHlg16ibYA=
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6 h1:oP4q0fw+fOSWn3DfFi4EXdT+B+gTtzx8GC9xsc26Znk=
 github.com/emersion/go-sasl v0.0.0-20241020182733-b788ff22d5a6/go.mod h1:iL2twTeMvZnrg54ZoPDNfJaJaqy0xIQFuBdrLsmspwQ=
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 h1:ZpnhV/YsD2/4cESfV5+Hoeu/iUR3ruzNvZ+yQfO03a0=
 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2/go.mod h1:bBOAhwG1umN6/6ZUMtDFBMQR8jRg9O75tm9K00oMsK4=
 github.com/godbus/dbus/v5 v5.2.2 h1:TUR3TgtSVDmjiXOgAAyaZbYmIeP3DPkld3jgKGV8mXQ=
 github.com/godbus/dbus/v5 v5.2.2/go.mod h1:3AAv2+hPq5rdnr5txxxRwiGjPXamgoIHgz9FPBfOp3c=
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c h1:6rhixN/i8ZofjG1Y75iExal34USq5p+wiN1tpie8IrU=
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c/go.mod h1:NMPJylDgVpX0MLRlPy15sqSwOFv/U1GZ2m21JhFfek0=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mtibben/percent v0.2.1 h1:5gssi8Nqo8QU/r2pynCm+hBQHpkB/uNK7BJCFogWdzs=
 github.com/mtibben/percent v0.2.1/go.mod h1:KG9uO+SZkUp+VkRHsCdYQV3XSZrrSpR3O9ibNBTZrns=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As=
 github.com/stretchr/objx v0.3.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@ -60,17 +21,14 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210819135213-f52c844e1c1c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
 golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@ -81,9 +39,3 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b h1:QRR6H1YWRnHb4Y/HeNFCTJLFVxaq6wH4YuVdsUOr75U=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/install.sh
+++ b/install.sh
@ -1,625 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 BINARY_NAME="email-mcp"
 DEFAULT_PROFILE="default"
 PROFILE_ENV="EMAIL_MCP_PROFILE"
 RELEASE_BASE_URL="https://forge.lclr.dev"
 RELEASE_REPOSITORY="AI/email-mcp"
 INSTALLED_BINARY_PATH=""
 PREFILL_SERVER_NAME=""
 PREFILL_PROFILE_VALUE=""
 PREFILL_COMMAND_PATH=""
 if [ -t 2 ] && [ -z "${NO_COLOR:-}" ]; then
 	C_RESET="$(printf '\033[0m')"
 	C_BOLD="$(printf '\033[1m')"
 	C_DIM="$(printf '\033[2m')"
 	C_RED="$(printf '\033[31m')"
 	C_GREEN="$(printf '\033[32m')"
 	C_YELLOW="$(printf '\033[33m')"
 	C_BLUE="$(printf '\033[34m')"
 	C_MAGENTA="$(printf '\033[35m')"
 	C_CYAN="$(printf '\033[36m')"
 else
 	C_RESET=""
 	C_BOLD=""
 	C_DIM=""
 	C_RED=""
 	C_GREEN=""
 	C_YELLOW=""
 	C_BLUE=""
 	C_MAGENTA=""
 	C_CYAN=""
 fi
 ui_line() {
 	printf "%b%s%b\n" "$C_DIM" "------------------------------------------------------------" "$C_RESET" >&2
 }
 ui_title() {
 	printf "\n%b%s%b\n" "$C_BOLD$C_CYAN" "$1" "$C_RESET" >&2
 }
 ui_info() {
 	printf "%b[info]%b %s\n" "$C_BLUE" "$C_RESET" "$1" >&2
 }
 ui_success() {
 	printf "%b[ok]%b %s\n" "$C_GREEN" "$C_RESET" "$1" >&2
 }
 ui_warn() {
 	printf "%b[warn]%b %s\n" "$C_YELLOW" "$C_RESET" "$1" >&2
 }
 ui_error() {
 	printf "%b[error]%b %s\n" "$C_RED" "$C_RESET" "$1" >&2
 }
 prompt() {
 	local label="$1"
 	local default_value="$2"
 	local answer=""
 	if [ -n "$default_value" ]; then
 		printf "%b%s%b [%s]: " "$C_BOLD" "$label" "$C_RESET" "$default_value" >&2
 	else
 		printf "%b%s%b: " "$C_BOLD" "$label" "$C_RESET" >&2
 	fi
 	if [ -t 2 ] && [ -r /dev/tty ]; then
 		if ! IFS= read -r answer < /dev/tty 2>/dev/null; then
 			IFS= read -r answer || answer=""
 		fi
 	else
 		IFS= read -r answer || answer=""
 	fi
 	if [ -z "$answer" ]; then
 		printf "%s" "$default_value"
 		return
 	fi
 	printf "%s" "$answer"
 }
 tty_prompt_available() {
 	[ -t 2 ] && [ -r /dev/tty ] && [ -w /dev/tty ]
 }
 menu_select() {
 	local title="$1"
 	shift
 	local options=("$@")
 	local count="${#options[@]}"
 	local index=0
 	local key=""
 	local i=0
 	local rows=$((count + 3))
 	local rendered=0
 	if [ "$count" -eq 0 ]; then
 		return 1
 	fi
 	if ! tty_prompt_available; then
 		ui_title "$title"
 		i=0
 		while [ "$i" -lt "$count" ]; do
 			printf "  %d) %s\n" "$((i + 1))" "${options[$i]}" >&2
 			i=$((i + 1))
 		done
 		while true; do
 			local raw_choice
 			raw_choice="$(prompt "Choix" "1")"
 			case "$raw_choice" in
 				''|*[!0-9]*)
 					ui_warn "Choix invalide: $raw_choice"
 					;;
 				*)
 					if [ "$raw_choice" -ge 1 ] && [ "$raw_choice" -le "$count" ]; then
 						printf "%s" "${options[$((raw_choice - 1))]}"
 						return 0
 					fi
 					ui_warn "Choix invalide: $raw_choice"
 					;;
 			esac
 		done
 	fi
 	while true; do
 		if [ "$rendered" -eq 1 ]; then
 			printf "\033[%dA\033[J" "$rows" >&2 2>/dev/null || true
 		fi
 		ui_title "$title"
 		i=0
 		while [ "$i" -lt "$count" ]; do
 			if [ "$i" -eq "$index" ]; then
 				printf "  %b› %s%b\n" "$C_BOLD$C_CYAN" "${options[$i]}" "$C_RESET" >&2
 			else
 				printf "    %s\n" "${options[$i]}" >&2
 			fi
 			i=$((i + 1))
 		done
 		printf "%bUtilise ↑/↓ puis Entrée.%b\n" "$C_DIM" "$C_RESET" >&2
 		rendered=1
 		if ! IFS= read -rsn1 key < /dev/tty; then
 			continue
 		fi
 		case "$key" in
 			"")
 				printf "%s" "${options[$index]}"
 				return 0
 				;;
 			$'\x1b')
 				if IFS= read -rsn2 key < /dev/tty; then
 					case "$key" in
 						"[A")
 							if [ "$index" -eq 0 ]; then
 								index=$((count - 1))
 							else
 								index=$((index - 1))
 							fi
 							;;
 						"[B")
 							if [ "$index" -eq $((count - 1)) ]; then
 								index=0
 							else
 								index=$((index + 1))
 							fi
 							;;
 					esac
 				fi
 				;;
 		esac
 	done
 }
 sanitize_server_name() {
 	local raw="$1"
 	local sanitized
 	sanitized="$(printf "%s" "$raw" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9_-]/-/g; s/--*/-/g; s/^-*//; s/-*$//')"
 	if [ -z "$sanitized" ]; then
 		sanitized="$BINARY_NAME"
 	fi
 	printf "%s" "$sanitized"
 }
 toml_escape() {
 	printf "%s" "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
 }
 go_bin_dir() {
 	local gobin
 	gobin="$(go env GOBIN 2>/dev/null || true)"
 	if [ -n "$gobin" ]; then
 		printf "%s\n" "$gobin"
 		return
 	fi
 	go env GOPATH 2>/dev/null | awk '{print $1 "/bin"}'
 }
 resolve_binary_path() {
 	if [ -n "$INSTALLED_BINARY_PATH" ] && [ -x "$INSTALLED_BINARY_PATH" ]; then
 		printf "%s\n" "$INSTALLED_BINARY_PATH"
 		return
 	fi
 	if command -v "$BINARY_NAME" >/dev/null 2>&1; then
 		command -v "$BINARY_NAME"
 		return
 	fi
 	if command -v go >/dev/null 2>&1; then
 		local bin_dir
 		bin_dir="$(go_bin_dir)"
 		if [ -n "$bin_dir" ] && [ -x "$bin_dir/$BINARY_NAME" ]; then
 			printf "%s\n" "$bin_dir/$BINARY_NAME"
 			return
 		fi
 	fi
 	printf "%s\n" "$HOME/.local/bin/$BINARY_NAME"
 }
 ensure_cli() {
 	local cli_name="$1"
 	if command -v "$cli_name" >/dev/null 2>&1; then
 		return
 	fi
 	ui_error "Commande introuvable: $cli_name"
 	exit 1
 }
 detect_os() {
 	case "$(uname -s | tr '[:upper:]' '[:lower:]')" in
 		linux) printf "linux" ;;
 		darwin) printf "darwin" ;;
 		*)
 			ui_error "OS non supporte: $(uname -s)"
 			exit 1
 			;;
 	esac
 }
 detect_arch() {
 	case "$(uname -m)" in
 		x86_64|amd64) printf "amd64" ;;
 		aarch64|arm64) printf "arm64" ;;
 		*)
 			ui_error "Architecture non supportee: $(uname -m)"
 			exit 1
 			;;
 	esac
 }
 release_api_url() {
 	printf "%s/api/v1/repos/%s/releases/latest\n" "${RELEASE_BASE_URL%/}" "$RELEASE_REPOSITORY"
 }
 extract_asset_url() {
 	local json="$1"
 	local asset_name="$2"
 	printf "%s\n" "$json" \
 		| grep -o '"browser_download_url":"[^"]*"' \
 		| sed 's/"browser_download_url":"//;s/"$//' \
 		| sed 's#\\/#/#g' \
 		| grep "/${asset_name}$" \
 		| head -n 1
 }
 verify_checksum() {
 	local binary_path="$1"
 	local checksum_path="$2"
 	if command -v sha256sum >/dev/null 2>&1; then
 		( cd "$(dirname "$binary_path")" && sha256sum -c "$(basename "$checksum_path")" )
 		return
 	fi
 	if command -v shasum >/dev/null 2>&1; then
 		local expected
 		local actual
 		expected="$(awk '{print $1}' "$checksum_path")"
 		actual="$(shasum -a 256 "$binary_path" | awk '{print $1}')"
 		if [ "$expected" != "$actual" ]; then
 			ui_error "Checksum invalide pour $binary_path"
 			exit 1
 		fi
 		return
 	fi
 	ui_warn "Aucun utilitaire checksum trouve (sha256sum/shasum), verification ignoree."
 }
 download_latest_release_binary() {
 	if ! command -v curl >/dev/null 2>&1; then
 		ui_error "curl est requis pour telecharger la release."
 		exit 1
 	fi
 	local os_name
 	local arch_name
 	local ext=""
 	os_name="$(detect_os)"
 	arch_name="$(detect_arch)"
 	if [ "$os_name" = "windows" ]; then
 		ext=".exe"
 	fi
 	local asset_name
 	local checksum_name
 	asset_name="${BINARY_NAME}-${os_name}-${arch_name}${ext}"
 	checksum_name="${asset_name}.sha256"
 	ui_info "Recuperation de la derniere release..."
 	local release_json
 	release_json="$(curl -fsSL "$(release_api_url)")"
 	local asset_url
 	asset_url="$(extract_asset_url "$release_json" "$asset_name")"
 	if [ -z "$asset_url" ]; then
 		ui_error "Asset introuvable dans la derniere release: $asset_name"
 		exit 1
 	fi
 	local checksum_url
 	checksum_url="$(extract_asset_url "$release_json" "$checksum_name" || true)"
 	local tmp_dir
 	tmp_dir="$(mktemp -d)"
 	trap 'if [ -n "${tmp_dir:-}" ] && [ -d "${tmp_dir:-}" ]; then rm -rf "${tmp_dir}"; fi' EXIT INT TERM
 	curl -fsSL "$asset_url" -o "$tmp_dir/$asset_name"
 	chmod +x "$tmp_dir/$asset_name"
 	if [ -n "$checksum_url" ]; then
 		curl -fsSL "$checksum_url" -o "$tmp_dir/$checksum_name"
 		verify_checksum "$tmp_dir/$asset_name" "$tmp_dir/$checksum_name"
 	fi
 	local target_dir
 	target_dir="$(prompt "Repertoire d'installation" "$HOME/.local/bin")"
 	mkdir -p "$target_dir"
 	install -m 0755 "$tmp_dir/$asset_name" "$target_dir/$BINARY_NAME"
 	INSTALLED_BINARY_PATH="$target_dir/$BINARY_NAME"
 	ui_success "Binaire installe: $INSTALLED_BINARY_PATH"
 	ui_info "Ajoute ce dossier au PATH si necessaire."
 }
 install_binary() {
 	if command -v "$BINARY_NAME" >/dev/null 2>&1; then
 		INSTALLED_BINARY_PATH="$(command -v "$BINARY_NAME")"
 		ui_success "Binaire detecte: $INSTALLED_BINARY_PATH"
 		local reinstall
 		reinstall="$(prompt "Forcer une reinstall depuis la derniere release ? (y/N)" "N")"
 		case "$reinstall" in
 			y|Y|yes|YES)
 				download_latest_release_binary
 				return
 				;;
 			*)
 				return
 				;;
 		esac
 	fi
 	download_latest_release_binary
 }
 run_setup_wizard() {
 	install_binary
 	local profile
 	profile="$(prompt "Profil a configurer (${PROFILE_ENV})" "$DEFAULT_PROFILE")"
 	local binary_path
 	binary_path="$(resolve_binary_path)"
 	if [ ! -x "$binary_path" ]; then
 		ui_error "Binaire introuvable/executable: $binary_path"
 		exit 1
 	fi
 	ui_info "Déverrouillage Bitwarden avant le setup..."
 	if [ -t 2 ] && [ -r /dev/tty ] && [ -w /dev/tty ]; then
 		env "${PROFILE_ENV}=${profile}" "$binary_path" login < /dev/tty > /dev/tty
 	else
 		env "${PROFILE_ENV}=${profile}" "$binary_path" login
 	fi
 	ui_info "Lancement de $BINARY_NAME setup"
 	if [ -t 2 ] && [ -r /dev/tty ] && [ -w /dev/tty ]; then
 		env "${PROFILE_ENV}=${profile}" "$binary_path" setup < /dev/tty > /dev/tty
 	else
 		env "${PROFILE_ENV}=${profile}" "$binary_path" setup
 	fi
 	ui_success "Setup termine pour le profil \"$profile\"."
 	PREFILL_SERVER_NAME="$(sanitize_server_name "$BINARY_NAME")"
 	PREFILL_PROFILE_VALUE="$profile"
 	PREFILL_COMMAND_PATH="$binary_path"
 }
 collect_server_inputs() {
 	local default_name
 	default_name="$(sanitize_server_name "${PREFILL_SERVER_NAME:-$BINARY_NAME}")"
 	SERVER_NAME="$(prompt "Nom du serveur MCP" "$default_name")"
 	SERVER_NAME="$(sanitize_server_name "$SERVER_NAME")"
 	PROFILE_VALUE="$(prompt "Valeur de ${PROFILE_ENV}" "${PREFILL_PROFILE_VALUE:-$DEFAULT_PROFILE}")"
 	local default_command
 	if [ -n "${PREFILL_COMMAND_PATH:-}" ]; then
 		default_command="$PREFILL_COMMAND_PATH"
 	else
 		default_command="$(resolve_binary_path)"
 	fi
 	COMMAND_PATH="$(prompt "Chemin du binaire serveur MCP" "$default_command")"
 }
 choose_scope() {
 	local selected
 	selected="$(menu_select "Scope de configuration" "global (user)" "project (projet courant)")"
 	case "$selected" in
 		"global (user)")
 			printf "global"
 			;;
 		*)
 			printf "project"
 			;;
 	esac
 }
 apply_claude_mcp() {
 	ensure_cli "claude"
 	collect_server_inputs
 	local scope_choice
 	scope_choice="$(choose_scope)"
 	local claude_scope
 	if [ "$scope_choice" = "global" ]; then
 		claude_scope="user"
 	else
 		claude_scope="project"
 	fi
 	ui_info "Application de la configuration Claude ($claude_scope)..."
 	claude mcp remove --scope "$claude_scope" "$SERVER_NAME" >/dev/null 2>&1 || true
 	claude mcp add \
 		--transport stdio \
 		--scope "$claude_scope" \
 		"$SERVER_NAME" \
 		--env "${PROFILE_ENV}=${PROFILE_VALUE}" \
 		-- "$COMMAND_PATH" mcp
 	ui_success "Serveur \"$SERVER_NAME\" configure dans Claude ($claude_scope)."
 }
 rewrite_codex_project_config() {
 	local project_dir="$1"
 	local config_file="$project_dir/.codex/config.toml"
 	local section_prefix="[mcp_servers.${SERVER_NAME}"
 	mkdir -p "$project_dir/.codex"
 	touch "$config_file"
 	local tmp_file
 	tmp_file="$(mktemp)"
 	awk -v prefix="$section_prefix" '
 	function is_target(line, p, next_char) {
 		if (index(line, p) != 1) {
 			return 0
 		}
 		next_char = substr(line, length(p) + 1, 1)
 		return next_char == "]" || next_char == "."
 	}
 	/^\[.*\]$/ {
 		if (is_target($0, prefix)) {
 			skip = 1
 			next
 		}
 		if (skip == 1) {
 			skip = 0
 		}
 	}
 	{
 		if (skip != 1) {
 			print $0
 		}
 	}
 	' "$config_file" > "$tmp_file"
 	mv "$tmp_file" "$config_file"
 	{
 		printf "\n[mcp_servers.%s]\n" "$SERVER_NAME"
 		printf "command = \"%s\"\n" "$(toml_escape "$COMMAND_PATH")"
 		printf "args = [\"mcp\"]\n\n"
 		printf "[mcp_servers.%s.env]\n" "$SERVER_NAME"
 		printf "%s = \"%s\"\n" "$PROFILE_ENV" "$(toml_escape "$PROFILE_VALUE")"
 	} >> "$config_file"
 }
 apply_codex_mcp() {
 	ensure_cli "codex"
 	collect_server_inputs
 	local scope_choice
 	scope_choice="$(choose_scope)"
 	if [ "$scope_choice" = "global" ]; then
 		ui_info "Application via codex mcp add (scope global)..."
 		codex mcp remove "$SERVER_NAME" >/dev/null 2>&1 || true
 		codex mcp add \
 			"$SERVER_NAME" \
 			--env "${PROFILE_ENV}=${PROFILE_VALUE}" \
 			-- "$COMMAND_PATH" mcp
 		ui_success "Serveur \"$SERVER_NAME\" configure dans le scope global Codex."
 		return
 	fi
 	local default_project_dir
 	default_project_dir="$(pwd)"
 	local project_dir
 	project_dir="$(prompt "Dossier projet cible pour .codex/config.toml" "$default_project_dir")"
 	rewrite_codex_project_config "$project_dir"
 	ui_success "Configuration projet ecrite dans $project_dir/.codex/config.toml"
 }
 print_mcp_json() {
 	collect_server_inputs
 	cat <<JSON
 {
  "mcpServers": {
    "${SERVER_NAME}": {
      "command": "${COMMAND_PATH}",
      "args": ["mcp"],
      "env": {
        "${PROFILE_ENV}": "${PROFILE_VALUE}"
      }
    }
  }
 }
 JSON
 }
 print_header() {
 	ui_line
 	printf "%bMCP Install Wizard%b for %b%s%b\n" "$C_BOLD$C_MAGENTA" "$C_RESET" "$C_BOLD" "$BINARY_NAME" "$C_RESET" >&2
 	printf "%bRelease repo:%b %s\n" "$C_DIM" "$C_RESET" "$RELEASE_REPOSITORY" >&2
 	ui_line
 	printf "%bSelectionne une action dans le menu interactif.%b\n" "$C_DIM" "$C_RESET" >&2
 }
 post_setup_configure_mcp() {
 	ui_title "Configuration MCP apres setup"
 	local next_action
 	next_action="$(menu_select \
 		"Configurer le MCP maintenant ?" \
 		"Configurer Claude Code (apply direct)" \
 		"Configurer Codex (apply direct)" \
 		"Generer JSON MCP manuel" \
 		"Terminer sans config MCP")"
 	printf "\n" >&2
 	case "$next_action" in
 		"Configurer Claude Code (apply direct)")
 			apply_claude_mcp
 			;;
 		"Configurer Codex (apply direct)")
 			apply_codex_mcp
 			;;
 		"Generer JSON MCP manuel")
 			ui_info "JSON MCP genere sur stdout."
 			print_mcp_json
 			;;
 		*)
 			ui_info "Setup termine sans configuration MCP additionnelle."
 			;;
 	esac
 }
 main() {
 	print_header
 	local action
 	action="$(menu_select \
 		"Choisis une action" \
 		"Installer/mettre a jour le binaire + setup" \
 		"Configurer Claude Code (apply direct)" \
 		"Configurer Codex (apply direct)" \
 		"Generer JSON MCP manuel" \
 		"Quitter")"
 	printf "\n" >&2
 	case "$action" in
 		"Installer/mettre a jour le binaire + setup")
 			run_setup_wizard
 			post_setup_configure_mcp
 			;;
 		"Configurer Claude Code (apply direct)")
 			apply_claude_mcp
 			;;
 		"Configurer Codex (apply direct)")
 			apply_codex_mcp
 			;;
 		"Generer JSON MCP manuel")
 			ui_info "JSON MCP genere sur stdout."
 			print_mcp_json
 			;;
 		*)
 			ui_warn "Annule."
 			;;
 	esac
 }
 main "$@"
--- a/internal/cli/app.go
+++ b/internal/cli/app.go
@ -3,680 +3,83 @@ package cli
 import (
 	"context"
 	"errors"
 	"flag"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"sort"
 	"strings"
 	"email-mcp/mcpgen"
 	frameworkbootstrap "forge.lclr.dev/AI/mcp-framework/bootstrap"
 	frameworkcli "forge.lclr.dev/AI/mcp-framework/cli"
 	frameworkconfig "forge.lclr.dev/AI/mcp-framework/config"
 	frameworkmanifest "forge.lclr.dev/AI/mcp-framework/manifest"
 	frameworksecretstore "forge.lclr.dev/AI/mcp-framework/secretstore"
 	frameworkupdate "forge.lclr.dev/AI/mcp-framework/update"
 	"email-mcp/internal/mcpserver"
 	"email-mcp/internal/secretstore"
-)
+	"email-mcp/internal/secretstore/kwallet"
 const (
 	binaryName        = mcpgen.BinaryName
 	defaultProfileEnv = "EMAIL_MCP_PROFILE"
 	hostEnv           = "EMAIL_MCP_HOST"
 	usernameEnv       = "EMAIL_MCP_USERNAME"
 	passwordEnv       = "EMAIL_MCP_PASSWORD"
 	fallbackProfile   = "default"
 )
 type MCPRunner interface {
 	Run(ctx context.Context) error
 }
 type ConfigPrompter interface {
 	PromptCredential(ctx context.Context, existing secretstore.Credential, hasStoredPassword bool) (secretstore.Credential, error)
 }
 type profileConfigStore interface {
 	LoadDefault() (frameworkconfig.FileConfig[ProfileConfig], string, error)
 	SaveDefault(frameworkconfig.FileConfig[ProfileConfig]) (string, error)
 }
 type secretStore = frameworksecretstore.Store
 type manifestLoader func(startDir string) (frameworkmanifest.File, string, error)
 type executableResolver func() (string, error)
 type ProfileConfig struct {
 	Host     string `json:"host"`
 	Username string `json:"username"`
 }
 type App struct {
-	prompter          ConfigPrompter
+	prompter SetupPrompter
-	configStore       profileConfigStore
+	store    secretstore.Store
-	openSecretStore   func() (secretStore, error)
+	runner   MCPRunner
-	newMailService    func() mcpserver.MailService
+	stderr   io.Writer
 	newRunner         func(secretstore.Credential, mcpserver.MailService, io.Reader, io.Writer, io.Writer) MCPRunner
 	loadManifest      manifestLoader
 	resolveExecutable executableResolver
 	stdin             io.Reader
 	stdout            io.Writer
 	stderr            io.Writer
 	version           string
 }
 func NewApp() *App {
-	return BuildApp("dev")
+	return BuildApp()
 }
-func NewAppWithDependencies(
+func NewAppWithDependencies(prompter SetupPrompter, store secretstore.Store, runner MCPRunner, stderr io.Writer) *App {
 	prompter ConfigPrompter,
 	configStore profileConfigStore,
 	openSecretStore func() (secretStore, error),
 	newMailService func() mcpserver.MailService,
 	newRunner func(secretstore.Credential, mcpserver.MailService, io.Reader, io.Writer, io.Writer) MCPRunner,
 	loadManifest manifestLoader,
 	resolveExecutable executableResolver,
 	stdin io.Reader,
 	stdout io.Writer,
 	stderr io.Writer,
 	version string,
 ) *App {
 	if stdin == nil {
 		stdin = strings.NewReader("")
 	}
 	if stdout == nil {
 		stdout = io.Discard
 	}
 	if stderr == nil {
 		stderr = io.Discard
 	}
 	if version == "" {
 		version = "dev"
 	}
 	return &App{
-		prompter:          prompter,
+		prompter: prompter,
-		configStore:       configStore,
+		store:    store,
-		openSecretStore:   openSecretStore,
+		runner:   runner,
-		newMailService:    newMailService,
+		stderr:   stderr,
 		newRunner:         newRunner,
 		loadManifest:      loadManifest,
 		resolveExecutable: resolveExecutable,
 		stdin:             stdin,
 		stdout:            stdout,
 		stderr:            stderr,
 		version:           version,
 	}
 }
 func (a *App) Run(args []string) error {
-	if args == nil {
+	if len(args) == 0 {
-		args = []string{}
+		return fmt.Errorf("usage: email-mcp <setup|mcp>")
 	}
 	switch args[0] {
 	case "setup":
 		return a.runSetup(context.Background())
 	case "mcp":
 		return a.runMCP(context.Background())
 	default:
 		return fmt.Errorf("unknown command: %s", args[0])
 	}
 	return a.runBootstrap(context.Background(), args)
 }
-func (a *App) runBootstrap(ctx context.Context, args []string) error {
+func (a *App) runSetup(ctx context.Context) error {
 	metadata := a.runtimeMetadata()
 	return frameworkbootstrap.Run(ctx, frameworkbootstrap.Options{
 		BinaryName:        metadata.BinaryName,
 		Description:       metadata.Description,
 		Version:           a.version,
 		EnableDoctorAlias: true,
 		Args:              args,
 		Stdin:             a.stdin,
 		Stdout:            a.stdout,
 		Stderr:            a.stderr,
 		Hooks: frameworkbootstrap.Hooks{
 			Setup: func(ctx context.Context, inv frameworkbootstrap.Invocation) error {
 				return a.runConfig(ctx, frameworkbootstrap.CommandSetup, inv.Args)
 			},
 			Login: frameworkbootstrap.BitwardenLoginHandler(metadata.BinaryName),
 			MCP: func(ctx context.Context, inv frameworkbootstrap.Invocation) error {
 				return a.runMCP(ctx, inv.Args)
 			},
 			ConfigShow: func(ctx context.Context, inv frameworkbootstrap.Invocation) error {
 				return a.runConfigShow(ctx, inv.Args)
 			},
 			ConfigTest: func(ctx context.Context, inv frameworkbootstrap.Invocation) error {
 				return a.runDoctor(ctx, inv.Args)
 			},
 			ConfigDelete: func(ctx context.Context, inv frameworkbootstrap.Invocation) error {
 				return a.runConfigDelete(ctx, inv.Args)
 			},
 			Update: func(ctx context.Context, inv frameworkbootstrap.Invocation) error {
 				return a.runUpdate(ctx, inv.Args)
 			},
 		},
 	})
 }
 func (a *App) runConfig(ctx context.Context, command string, args []string) error {
 	if a.prompter == nil {
-		return fmt.Errorf("config prompter is not configured")
+		return fmt.Errorf("setup prompter is not configured")
 	}
-	if a.configStore == nil {
+	if a.store == nil {
 		return fmt.Errorf("config store is not configured")
 	}
 	if a.openSecretStore == nil {
 		return fmt.Errorf("secret store is not configured")
 	}
-	profileFlag, err := parseProfileArgs(command, args)
+	cred, err := a.prompter.PromptSetup(ctx)
 	if err != nil {
 		return err
 	}
 	cfg, _, err := a.configStore.LoadDefault()
 	if err != nil {
 		return err
 	}
 	profileName := a.resolveProfileName(profileFlag, cfg.CurrentProfile)
 	profile := cfg.Profiles[profileName]
 	secrets, err := a.openSecretStore()
 	if err != nil {
 		return mapAppError(err)
 	}
 	storedPassword, hasStoredPassword, err := loadStoredPassword(secrets, profileName)
 	if err != nil {
 		return mapAppError(err)
 	}
 	cred, err := a.prompter.PromptCredential(ctx, secretstore.Credential{
 		Host:     profile.Host,
 		Username: profile.Username,
 		Password: storedPassword,
 	}, hasStoredPassword)
 	if err != nil {
 		return err
 	}
 	if err := cred.Validate(); err != nil {
 		return err
 	}
-
+	if err := a.store.Save(ctx, secretstore.DefaultAccountKey, cred); err != nil {
 	if shouldPersistPassword(hasStoredPassword, storedPassword, cred.Password) {
 		if err := secrets.SetSecret(passwordSecretName(profileName), "IMAP password", cred.Password); err != nil {
 			switch {
 			case errors.Is(err, frameworksecretstore.ErrReadOnly):
 				if strings.TrimSpace(os.Getenv(passwordEnv)) == "" {
 					return newUserFacingError(
 						fmt.Sprintf("secret backend is read-only; set %s and rerun `email-mcp setup`", passwordEnv),
 						err,
 					)
 				}
 				if _, writeErr := fmt.Fprintf(a.stdout, "secret backend is read-only; password is provided via %s\n", passwordEnv); writeErr != nil {
 					return writeErr
 				}
 			default:
 				return mapAppError(err)
 			}
 		}
 	}
 	if cfg.Profiles == nil {
 		cfg.Profiles = map[string]ProfileConfig{}
 	}
 	cfg.CurrentProfile = profileName
 	cfg.Profiles[profileName] = ProfileConfig{
 		Host:     cred.Host,
 		Username: cred.Username,
 	}
 	configPath, err := a.configStore.SaveDefault(cfg)
 	if err != nil {
 		return err
 	}
 	fmt.Fprintf(a.stdout, "profile %q saved to %s\n", profileName, configPath)
 	return nil
 }
 func (a *App) runConfigShow(ctx context.Context, args []string) error {
 	if a.configStore == nil {
 		return fmt.Errorf("config store is not configured")
 	}
 	if a.openSecretStore == nil {
 		return fmt.Errorf("secret store is not configured")
 	}
 	profileFlag, err := parseProfileArgs("config show", args)
 	if err != nil {
 		return err
 	}
 	cfg, _, err := a.configStore.LoadDefault()
 	if err != nil {
 		return err
 	}
 	profileName := a.resolveProfileName(profileFlag, cfg.CurrentProfile)
 	profile := cfg.Profiles[profileName]
 	secrets, err := a.openSecretStore()
 	if err != nil {
 		return mapAppError(err)
 	}
 	resolution, err := resolveCredentialFields(profile, secrets, mcpgen.ResolveFieldSpecs(profileName))
 	if err != nil {
 		var missingErr *frameworkcli.MissingRequiredValuesError
 		if !errors.As(err, &missingErr) {
 			return mapAppError(err)
 		}
 	}
 	host, _ := resolution.Get("host")
 	username, _ := resolution.Get("username")
 	password, _ := resolution.Get("password")
 	if _, err := fmt.Fprintf(a.stdout, "profile: %s\n", profileName); err != nil {
 		return err
 	}
 	if _, err := fmt.Fprintf(a.stdout, "host: %s (%s)\n", renderVisibleField(host), renderSource(host)); err != nil {
 		return err
 	}
 	if _, err := fmt.Fprintf(a.stdout, "username: %s (%s)\n", renderVisibleField(username), renderSource(username)); err != nil {
 		return err
 	}
 	if _, err := fmt.Fprintf(a.stdout, "password: %s (%s)\n", renderSecretField(password), renderSource(password)); err != nil {
 		return err
 	}
 	return nil
 }
-func (a *App) runConfigDelete(_ context.Context, args []string) error {
+func (a *App) runMCP(ctx context.Context) error {
-	if a.configStore == nil {
+	if a.runner == nil {
 		return fmt.Errorf("config store is not configured")
 	}
 	if a.openSecretStore == nil {
 		return fmt.Errorf("secret store is not configured")
 	}
 	profileFlag, err := parseProfileArgs("config delete", args)
 	if err != nil {
 		return err
 	}
 	cfg, _, err := a.configStore.LoadDefault()
 	if err != nil {
 		return err
 	}
 	profileName := a.resolveProfileName(profileFlag, cfg.CurrentProfile)
 	secrets, err := a.openSecretStore()
 	if err != nil {
 		return mapAppError(err)
 	}
 	if err := secrets.DeleteSecret(passwordSecretName(profileName)); err != nil {
 		switch {
 		case errors.Is(err, frameworksecretstore.ErrNotFound):
 		case errors.Is(err, frameworksecretstore.ErrReadOnly):
 			if _, writeErr := fmt.Fprintf(a.stdout, "secret backend is read-only; %s cannot be deleted automatically\n", passwordEnv); writeErr != nil {
 				return writeErr
 			}
 		default:
 			return mapAppError(err)
 		}
 	}
 	if cfg.Profiles != nil {
 		delete(cfg.Profiles, profileName)
 	}
 	if strings.TrimSpace(cfg.CurrentProfile) == profileName {
 		cfg.CurrentProfile = nextCurrentProfile(cfg.Profiles, a.runtimeMetadata().DefaultProfile)
 	}
 	configPath, err := a.configStore.SaveDefault(cfg)
 	if err != nil {
 		return err
 	}
 	if _, err := fmt.Fprintf(a.stdout, "profile %q deleted from %s\n", profileName, configPath); err != nil {
 		return err
 	}
 	if cfg.CurrentProfile != "" {
 		if _, err := fmt.Fprintf(a.stdout, "current profile: %s\n", cfg.CurrentProfile); err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (a *App) runMCP(ctx context.Context, args []string) error {
 	if a.newRunner == nil {
 		return fmt.Errorf("mcp runner is not configured")
 	}
-	if a.newMailService == nil {
+	return mapAppError(a.runner.Run(ctx))
 		return fmt.Errorf("mail service is not configured")
 	}
 	profileFlag, err := parseProfileArgs("mcp", args)
 	if err != nil {
 		return err
 	}
 	cred, err := a.loadCredential(profileFlag)
 	if err != nil {
 		return mapAppError(err)
 	}
 	runner := a.newRunner(cred, a.newMailService(), a.stdin, a.stdout, a.stderr)
 	if runner == nil {
 		return fmt.Errorf("mcp runner is not configured")
 	}
 	return mapAppError(runner.Run(ctx))
 }
 func (a *App) runUpdate(ctx context.Context, args []string) error {
 	if a.loadManifest == nil {
 		return fmt.Errorf("manifest loader is not configured")
 	}
 	if a.resolveExecutable == nil {
 		return fmt.Errorf("executable resolver is not configured")
 	}
 	if err := parseUpdateArgs(args); err != nil {
 		return err
 	}
 	executablePath, err := a.resolveExecutable()
 	if err != nil {
 		return fmt.Errorf("resolve executable path: %w", err)
 	}
 	options, err := mcpgen.UpdateOptionsFrom(filepath.Dir(executablePath), a.version, a.stdout)
 	if err != nil {
 		return err
 	}
 	options.ExecutablePath = executablePath
 	return frameworkupdate.Run(ctx, options)
 }
 func (a *App) loadManifestForExecutable(executablePath string) (frameworkmanifest.File, error) {
 	searchDirs := []string{filepath.Dir(executablePath), "."}
 	var firstErr error
 	for _, dir := range searchDirs {
 		file, _, err := a.loadManifest(dir)
 		if err == nil {
 			return file, nil
 		}
 		if firstErr == nil {
 			firstErr = err
 		}
 	}
 	return frameworkmanifest.File{}, fmt.Errorf("load manifest: %w", firstErr)
 }
 func (a *App) loadCredential(profileFlag string) (secretstore.Credential, error) {
 	if a.configStore == nil {
 		return secretstore.Credential{}, fmt.Errorf("config store is not configured")
 	}
 	if a.openSecretStore == nil {
 		return secretstore.Credential{}, fmt.Errorf("secret store is not configured")
 	}
 	cfg, _, err := a.configStore.LoadDefault()
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
 	profileName := a.resolveProfileName(profileFlag, cfg.CurrentProfile)
 	profile := cfg.Profiles[profileName]
 	secrets, err := a.openSecretStore()
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
 	resolution, err := resolveCredentialFields(profile, secrets, mcpgen.ResolveFieldSpecs(profileName))
 	if err != nil {
 		var missingErr *frameworkcli.MissingRequiredValuesError
 		if errors.As(err, &missingErr) {
 			return secretstore.Credential{}, fmt.Errorf(
 				"%w: profile %q is incomplete (missing: %s)",
 				mcpserver.ErrCredentialsNotConfigured,
 				profileName,
 				strings.Join(missingErr.Fields, ", "),
 			)
 		}
 		return secretstore.Credential{}, err
 	}
 	cred, err := credentialFromResolution(resolution)
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
 	if err := cred.Validate(); err != nil {
 		return secretstore.Credential{}, fmt.Errorf("%w: profile %q is incomplete", mcpserver.ErrCredentialsNotConfigured, profileName)
 	}
 	return cred, nil
 }
 func profileFieldSpecs(profileName string) []frameworkcli.FieldSpec {
 	specs := mcpgen.ResolveFieldSpecs(profileName)
 	profileSpecs := make([]frameworkcli.FieldSpec, 0, len(specs))
 	for _, spec := range specs {
 		if spec.Name == "host" || spec.Name == "username" {
 			profileSpecs = append(profileSpecs, spec)
 		}
 	}
 	return profileSpecs
 }
 func passwordOnlyFieldSpecs(profileName string) []frameworkcli.FieldSpec {
 	for _, spec := range mcpgen.ResolveFieldSpecs(profileName) {
 		if spec.Name == "password" {
 			return []frameworkcli.FieldSpec{spec}
 		}
 	}
 	return nil
 }
 func resolveCredentialFields(profile ProfileConfig, store secretStore, fields []frameworkcli.FieldSpec) (frameworkcli.Resolution, error) {
 	configValues := map[string]string{
 		"host":     profile.Host,
 		"username": profile.Username,
 	}
 	return frameworkcli.ResolveFields(frameworkcli.ResolveOptions{
 		Fields: fields,
 		Lookup: frameworkcli.ResolveLookup(frameworkcli.ResolveLookupOptions{
 			Env:    frameworkcli.EnvLookup(os.LookupEnv),
 			Config: frameworkcli.ConfigMap(configValues),
 			Secret: frameworkcli.SecretStore(store),
 		}),
 	})
 }
 func credentialFromResolution(resolution frameworkcli.Resolution) (secretstore.Credential, error) {
 	host, ok := resolution.Get("host")
 	if !ok {
 		return secretstore.Credential{}, fmt.Errorf("resolve credential: host field is missing from resolution")
 	}
 	username, ok := resolution.Get("username")
 	if !ok {
 		return secretstore.Credential{}, fmt.Errorf("resolve credential: username field is missing from resolution")
 	}
 	password, ok := resolution.Get("password")
 	if !ok {
 		return secretstore.Credential{}, fmt.Errorf("resolve credential: password field is missing from resolution")
 	}
 	return secretstore.Credential{
 		Host:     host.Value,
 		Username: username.Value,
 		Password: password.Value,
 	}, nil
 }
 func loadStoredPassword(store secretStore, profileName string) (string, bool, error) {
 	password, err := store.GetSecret(passwordSecretName(profileName))
 	if err != nil {
 		if errors.Is(err, frameworksecretstore.ErrNotFound) {
 			return "", false, nil
 		}
 		return "", false, err
 	}
 	return password, true, nil
 }
 func passwordSecretName(profileName string) string {
 	for _, spec := range mcpgen.ResolveFieldSpecs(profileName) {
 		if spec.Name == "password" && strings.TrimSpace(spec.SecretKey) != "" {
 			return spec.SecretKey
 		}
 	}
 	return "imap-password/" + strings.TrimSpace(profileName)
 }
 func shouldPersistPassword(hasStoredPassword bool, storedPassword, newPassword string) bool {
 	if !hasStoredPassword {
 		return true
 	}
 	return storedPassword != newPassword
 }
 func parseProfileArgs(command string, args []string) (string, error) {
 	flagSet := flag.NewFlagSet(command, flag.ContinueOnError)
 	flagSet.SetOutput(io.Discard)
 	profile := flagSet.String("profile", "", "")
 	if err := flagSet.Parse(args); err != nil {
 		return "", fmt.Errorf("usage: email-mcp %s [--profile NAME]", command)
 	}
 	if flagSet.NArg() != 0 {
 		return "", fmt.Errorf("usage: email-mcp %s [--profile NAME]", command)
 	}
 	return strings.TrimSpace(*profile), nil
 }
 func parseUpdateArgs(args []string) error {
 	flagSet := flag.NewFlagSet("update", flag.ContinueOnError)
 	flagSet.SetOutput(io.Discard)
 	if err := flagSet.Parse(args); err != nil {
 		return fmt.Errorf("usage: email-mcp update")
 	}
 	if flagSet.NArg() != 0 {
 		return fmt.Errorf("usage: email-mcp update")
 	}
 	return nil
 }
 type runtimeMetadata struct {
 	BinaryName     string
 	Description    string
 	DefaultProfile string
 }
 func (a *App) runtimeMetadata() runtimeMetadata {
 	metadata := runtimeMetadata{
 		BinaryName:     mcpgen.BinaryName,
 		Description:    mcpgen.DefaultDescription,
 		DefaultProfile: fallbackProfile,
 	}
 	if a.loadManifest == nil {
 		return metadata
 	}
 	file, err := a.loadRuntimeManifest()
 	if err != nil {
 		return metadata
 	}
 	bootstrap := file.BootstrapInfo()
 	if bootstrap.BinaryName != "" {
 		metadata.BinaryName = bootstrap.BinaryName
 	}
 	if bootstrap.Description != "" {
 		metadata.Description = bootstrap.Description
 	}
 	if bootstrap.DefaultProfile != "" {
 		metadata.DefaultProfile = bootstrap.DefaultProfile
 	}
 	return metadata
 }
 func (a *App) loadRuntimeManifest() (frameworkmanifest.File, error) {
 	if a.loadManifest == nil {
 		return frameworkmanifest.File{}, fmt.Errorf("manifest loader is not configured")
 	}
 	if a.resolveExecutable != nil {
 		executablePath, err := a.resolveExecutable()
 		if err == nil {
 			file, loadErr := a.loadManifestForExecutable(executablePath)
 			if loadErr == nil {
 				return file, nil
 			}
 		}
 	}
 	file, _, err := a.loadManifest(".")
 	if err != nil {
 		return frameworkmanifest.File{}, err
 	}
 	return file, nil
 }
 func (a *App) resolveProfileName(profileFlag, currentProfile string) string {
 	resolvedCurrent := strings.TrimSpace(currentProfile)
 	if resolvedCurrent == "" {
 		resolvedCurrent = strings.TrimSpace(a.runtimeMetadata().DefaultProfile)
 	}
 	return frameworkcli.ResolveProfileName(profileFlag, os.Getenv(defaultProfileEnv), resolvedCurrent)
 }
 func nextCurrentProfile(profiles map[string]ProfileConfig, preferred string) string {
 	if len(profiles) == 0 {
 		return ""
 	}
 	normalizedPreferred := strings.TrimSpace(preferred)
 	if normalizedPreferred != "" {
 		if _, ok := profiles[normalizedPreferred]; ok {
 			return normalizedPreferred
 		}
 	}
 	if _, ok := profiles[fallbackProfile]; ok {
 		return fallbackProfile
 	}
 	names := make([]string, 0, len(profiles))
 	for name := range profiles {
 		if trimmed := strings.TrimSpace(name); trimmed != "" {
 			names = append(names, trimmed)
 		}
 	}
 	if len(names) == 0 {
 		return ""
 	}
 	sort.Strings(names)
 	return names[0]
 }
 func mapAppError(err error) error {
@ -687,36 +90,19 @@ func mapAppError(err error) error {
 	switch {
 	case errors.Is(err, mcpserver.ErrCredentialsNotConfigured):
 		return newUserFacingError("credentials not configured; run `email-mcp setup`", err)
-	case errors.Is(err, frameworksecretstore.ErrBackendUnavailable):
+	case errors.Is(err, kwallet.ErrKWalletUnavailable):
-		return newUserFacingError(strings.TrimSpace(err.Error()), err)
+		return newUserFacingError("kwallet is not available; make sure KDE Wallet is installed and your session D-Bus is running", err)
-	case errors.Is(err, frameworksecretstore.ErrReadOnly):
+	case errors.Is(err, kwallet.ErrKWalletDisabled):
-		return newUserFacingError("secret backend is read-only", err)
+		return newUserFacingError("kwallet is disabled in this KDE session", err)
 	case errors.Is(err, kwallet.ErrKWalletOpenFailed):
 		return newUserFacingError("kwallet could not be opened; unlock the wallet and try again", err)
 	case errors.Is(err, kwallet.ErrCredentialNotFound):
 		return newUserFacingError("credentials not configured; run `email-mcp setup`", err)
 	default:
 		return err
 	}
 }
 func renderSource(field frameworkcli.ResolvedField) string {
 	if !field.Found {
 		return "missing"
 	}
 	return string(field.Source)
 }
 func renderVisibleField(field frameworkcli.ResolvedField) string {
 	if !field.Found || strings.TrimSpace(field.Value) == "" {
 		return "<missing>"
 	}
 	return field.Value
 }
 func renderSecretField(field frameworkcli.ResolvedField) string {
 	if !field.Found || strings.TrimSpace(field.Value) == "" {
 		return "<missing>"
 	}
 	return "<set>"
 }
 type userFacingError struct {
 	message string
 	err     error
--- a/internal/cli/app_task6_test.go
+++ b/internal/cli/app_task6_test.go
@ -0,0 +1,77 @@
 package cli
 import (
 	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"strings"
 	"testing"
 	"email-mcp/internal/secretstore"
 	"email-mcp/internal/secretstore/kwallet"
 )
 type errorStoreStub struct {
 	err error
 }
 func (s errorStoreStub) Save(context.Context, string, secretstore.Credential) error {
 	return s.err
 }
 func (s errorStoreStub) Load(context.Context, string) (secretstore.Credential, error) {
 	return secretstore.Credential{}, s.err
 }
 func TestAppRunSetupMapsUnavailableWalletError(t *testing.T) {
 	app := NewAppWithDependencies(&promptStub{
 		credential: secretstore.Credential{
 			Host:     "imap.example.com",
 			Username: "alice",
 			Password: "secret",
 		},
 	}, errorStoreStub{
 		err: fmt.Errorf("%w: session bus missing", kwallet.ErrKWalletUnavailable),
 	}, nil, &bytes.Buffer{})
 	err := app.Run([]string{"setup"})
 	if err == nil {
 		t.Fatal("expected setup to fail")
 	}
 	if !strings.Contains(strings.ToLower(err.Error()), "kwallet is not available") {
 		t.Fatalf("expected mapped kwallet error, got %v", err)
 	}
 }
 func TestMapAppErrorMapsMissingCredentialError(t *testing.T) {
 	err := mapAppError(fmt.Errorf("%w: missing entry", kwallet.ErrCredentialNotFound))
 	if err == nil {
 		t.Fatal("expected mapped error")
 	}
 	if !strings.Contains(err.Error(), "run `email-mcp setup`") {
 		t.Fatalf("expected setup guidance, got %v", err)
 	}
 	if !errors.Is(err, kwallet.ErrCredentialNotFound) {
 		t.Fatalf("expected typed error to be preserved, got %v", err)
 	}
 }
 func TestMapAppErrorPreservesUnavailableTypedError(t *testing.T) {
 	err := mapAppError(fmt.Errorf("%w: session bus missing", kwallet.ErrKWalletUnavailable))
 	if err == nil {
 		t.Fatal("expected mapped error")
 	}
 	if !errors.Is(err, kwallet.ErrKWalletUnavailable) {
 		t.Fatalf("expected typed error to be preserved, got %v", err)
 	}
 }
 func TestMapAppErrorLeavesUnknownErrorsUntouched(t *testing.T) {
 	wantErr := errors.New("boom")
 	err := mapAppError(wantErr)
 	if !errors.Is(err, wantErr) {
 		t.Fatalf("expected original error, got %v", err)
 	}
 }
--- a/internal/cli/app_task9_test.go
+++ b/internal/cli/app_task9_test.go
@ -0,0 +1,17 @@
 package cli
 import (
 	"testing"
 	"email-mcp/internal/mcpserver"
 )
 func TestMapAppErrorMapsMCPMissingCredentialError(t *testing.T) {
 	err := mapAppError(mcpserver.ErrCredentialsNotConfigured)
 	if err == nil {
 		t.Fatal("expected mapped error")
 	}
 	if err.Error() != "credentials not configured; run `email-mcp setup`" {
 		t.Fatalf("unexpected error: %v", err)
 	}
 }
--- a/internal/cli/app_test.go
+++ b/internal/cli/app_test.go
--- a/internal/cli/doctor.go
+++ b/internal/cli/doctor.go
@ -1,131 +0,0 @@
 package cli
 import (
 	"context"
 	"fmt"
 	"os"
 	"time"
 	"email-mcp/mcpgen"
 	frameworkcli "forge.lclr.dev/AI/mcp-framework/cli"
 	frameworkconfig "forge.lclr.dev/AI/mcp-framework/config"
 )
 func (a *App) runDoctor(ctx context.Context, args []string) error {
 	profileFlag, err := parseProfileArgs("doctor", args)
 	if err != nil {
 		return err
 	}
 	if a.configStore == nil {
 		return fmt.Errorf("config store is not configured")
 	}
 	if a.openSecretStore == nil {
 		return fmt.Errorf("secret store is not configured")
 	}
 	if a.newMailService == nil {
 		return fmt.Errorf("mail service is not configured")
 	}
 	report := frameworkcli.RunDoctor(ctx, frameworkcli.DoctorOptions{
 		ConfigCheck:       frameworkcli.NewConfigCheck(frameworkconfig.NewStore[ProfileConfig](mcpgen.BinaryName)),
 		SecretStoreCheck:  frameworkcli.SecretStoreAvailabilityCheck(a.openSecretStore),
 		ConnectivityCheck: a.doctorConnectivityCheck(profileFlag),
 		ExtraChecks: []frameworkcli.DoctorCheck{
 			a.doctorRequiredProfileFieldsCheck(profileFlag),
 		},
 	})
 	if err := frameworkcli.RenderDoctorReport(a.stdout, report); err != nil {
 		return err
 	}
 	if report.HasFailures() {
 		return fmt.Errorf("doctor checks failed")
 	}
 	return nil
 }
 func (a *App) doctorRequiredProfileFieldsCheck(profileFlag string) frameworkcli.DoctorCheck {
 	var (
 		profileValues map[string]string
 		loadErr       error
 	)
 	check := frameworkcli.RequiredResolvedFieldsCheck(frameworkcli.ResolveOptions{
 		Fields: profileFieldSpecs(a.resolveDoctorProfileName(profileFlag)),
 		Lookup: frameworkcli.ResolveLookup(frameworkcli.ResolveLookupOptions{
 			Env: frameworkcli.EnvLookup(os.LookupEnv),
 			Config: func(key string) (string, bool, error) {
 				if loadErr != nil {
 					return "", false, loadErr
 				}
 				if profileValues == nil {
 					cfg, _, err := a.configStore.LoadDefault()
 					if err != nil {
 						loadErr = err
 						return "", false, loadErr
 					}
 					profileName := a.resolveProfileName(profileFlag, cfg.CurrentProfile)
 					profile := cfg.Profiles[profileName]
 					profileValues = map[string]string{
 						"host":     profile.Host,
 						"username": profile.Username,
 					}
 				}
 				return frameworkcli.MapLookup(profileValues)(key)
 			},
 		}),
 	})
 	return func(ctx context.Context) frameworkcli.DoctorResult {
 		result := check(ctx)
 		result.Name = "profile"
 		return result
 	}
 }
 func (a *App) doctorConnectivityCheck(profileFlag string) frameworkcli.DoctorCheck {
 	return func(parent context.Context) frameworkcli.DoctorResult {
 		ctx, cancel := context.WithTimeout(parent, 35*time.Second)
 		defer cancel()
 		cred, err := a.loadCredential(profileFlag)
 		if err != nil {
 			return frameworkcli.DoctorResult{
 				Name:    "connectivity",
 				Status:  frameworkcli.DoctorStatusFail,
 				Summary: "cannot load IMAP credentials",
 				Detail:  err.Error(),
 			}
 		}
 		if _, err := a.newMailService().ListMailboxes(ctx, cred); err != nil {
 			return frameworkcli.DoctorResult{
 				Name:    "connectivity",
 				Status:  frameworkcli.DoctorStatusFail,
 				Summary: "IMAP server is unreachable or rejected authentication",
 				Detail:  err.Error(),
 			}
 		}
 		return frameworkcli.DoctorResult{
 			Name:    "connectivity",
 			Status:  frameworkcli.DoctorStatusOK,
 			Summary: "IMAP server is reachable",
 		}
 	}
 }
 func (a *App) resolveDoctorProfileName(profileFlag string) string {
 	if a.configStore == nil {
 		return a.resolveProfileName(profileFlag, "")
 	}
 	cfg, _, err := a.configStore.LoadDefault()
 	if err != nil {
 		return a.resolveProfileName(profileFlag, "")
 	}
 	return a.resolveProfileName(profileFlag, cfg.CurrentProfile)
 }
--- a/internal/cli/integration_test.go
+++ b/internal/cli/integration_test.go
@ -0,0 +1,94 @@
 package cli
 import (
 	"bytes"
 	"context"
 	"testing"
 	"email-mcp/internal/imapclient"
 	"email-mcp/internal/mcpserver"
 	"email-mcp/internal/secretstore"
 	"email-mcp/internal/secretstore/kwallet"
 )
 type entrypointPromptStub struct {
 	credential secretstore.Credential
 }
 func (p *entrypointPromptStub) PromptSetup(context.Context) (secretstore.Credential, error) {
 	return p.credential, nil
 }
 type entrypointStoreStub struct {
 	saveErr error
 	loadErr error
 }
 func (s *entrypointStoreStub) Save(context.Context, string, secretstore.Credential) error {
 	return s.saveErr
 }
 func (s *entrypointStoreStub) Load(context.Context, string) (secretstore.Credential, error) {
 	return secretstore.Credential{}, s.loadErr
 }
 type entrypointMailServiceStub struct{}
 func (entrypointMailServiceStub) ListMailboxes(context.Context, secretstore.Credential) ([]imapclient.Mailbox, error) {
 	return nil, nil
 }
 func (entrypointMailServiceStub) ListMessages(context.Context, secretstore.Credential, string, int) ([]imapclient.MessageSummary, error) {
 	return nil, nil
 }
 func (entrypointMailServiceStub) GetMessage(context.Context, secretstore.Credential, string, uint32) (imapclient.Message, error) {
 	return imapclient.Message{}, nil
 }
 func TestExecuteSetupWritesWalletGuidanceAndReturnsExitCodeOne(t *testing.T) {
 	app := NewAppWithDependencies(
 		&entrypointPromptStub{
 			credential: secretstore.Credential{
 				Host:     "imap.example.com",
 				Username: "alice",
 				Password: "secret",
 			},
 		},
 		&entrypointStoreStub{saveErr: kwallet.ErrKWalletUnavailable},
 		nil,
 		nil,
 	)
 	stderr := &bytes.Buffer{}
 	if code := Execute(app, []string{"setup"}, stderr); code != 1 {
 		t.Fatalf("expected exit code 1, got %d", code)
 	}
 	if got := stderr.String(); got != "kwallet is not available; make sure KDE Wallet is installed and your session D-Bus is running\n" {
 		t.Fatalf("unexpected stderr: %q", got)
 	}
 }
 func TestExecuteMCPReturnsMissingCredentialErrorOnToolCall(t *testing.T) {
 	store := &entrypointStoreStub{loadErr: kwallet.ErrCredentialNotFound}
 	mail := entrypointMailServiceStub{}
 	input := bytes.NewBufferString(
 		"{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\",\"params\":{\"protocolVersion\":\"2024-11-05\",\"capabilities\":{},\"clientInfo\":{\"name\":\"test\",\"version\":\"1.0.0\"}}}\n" +
 			"{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\"}\n" +
 			"{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/call\",\"params\":{\"name\":\"list_mailboxes\"}}\n",
 	)
 	output := &bytes.Buffer{}
 	runner := mcpserver.NewRunner(mcpserver.New(store, mail), input, output, &bytes.Buffer{})
 	app := NewAppWithDependencies(nil, store, runner, nil)
 	stderr := &bytes.Buffer{}
 	if code := Execute(app, []string{"mcp"}, stderr); code != 0 {
 		t.Fatalf("expected exit code 0, got %d; stderr: %s", code, stderr.String())
 	}
 	// Verify the credential error appears in the tool call response
 	got := output.String()
 	if !bytes.Contains([]byte(got), []byte("credentials not configured")) {
 		t.Fatalf("expected credential error in output, got %q", got)
 	}
 }
--- a/internal/cli/setup.go
+++ b/internal/cli/setup.go
@ -7,20 +7,40 @@ import (
 	"io"
 	"os"
 	"strings"
-
+	"syscall"
-	"email-mcp/mcpgen"
+	"unsafe"
 	frameworkcli "forge.lclr.dev/AI/mcp-framework/cli"
 	"email-mcp/internal/secretstore"
 )
-type InteractiveConfigPrompter struct {
+type SetupPrompter interface {
-	reader    *bufio.Reader
+	PromptSetup(ctx context.Context) (secretstore.Credential, error)
 	stdinFile *os.File
 	output    io.Writer
 }
-func NewInteractiveConfigPrompter(input io.Reader, output io.Writer) *InteractiveConfigPrompter {
+type PasswordReader interface {
 	ReadPassword(prompt string) (string, error)
 }
 type InteractiveSetupPrompter struct {
 	input          *bufio.Reader
 	rawInput       io.Reader
 	output         io.Writer
 	passwordReader PasswordReader
 }
 type terminalPasswordReader struct {
 	input                io.Reader
 	output               io.Writer
 	isTerminal           func(io.Reader) bool
 	readHiddenPassword   func(*os.File) ([]byte, error)
 	readFallbackPassword func(string) (string, error)
 }
 func NewInteractiveSetupPrompter(input io.Reader, output io.Writer) *InteractiveSetupPrompter {
 	return NewInteractiveSetupPrompterWithPasswordReader(input, output, nil)
 }
 func NewInteractiveSetupPrompterWithPasswordReader(input io.Reader, output io.Writer, passwordReader PasswordReader) *InteractiveSetupPrompter {
 	if input == nil {
 		input = strings.NewReader("")
 	}
@ -28,33 +48,29 @@ func NewInteractiveConfigPrompter(input io.Reader, output io.Writer) *Interactiv
 		output = io.Discard
 	}
-	prompter := &InteractiveConfigPrompter{
+	prompter := &InteractiveSetupPrompter{
-		reader: bufio.NewReader(input),
+		input:    bufio.NewReader(input),
-		output: output,
+		rawInput: input,
 		output:   output,
 	}
-	if file, ok := input.(*os.File); ok {
+	if passwordReader == nil {
-		prompter.stdinFile = file
+		passwordReader = newTerminalPasswordReader(input, output, prompter.prompt)
 	}
 	prompter.passwordReader = passwordReader
 	return prompter
 }
-func (p *InteractiveConfigPrompter) PromptCredential(_ context.Context, existing secretstore.Credential, hasStoredPassword bool) (secretstore.Credential, error) {
+func (p *InteractiveSetupPrompter) PromptSetup(context.Context) (secretstore.Credential, error) {
-	if p.stdinFile != nil {
+	host, err := p.prompt("IMAP host: ")
 		return p.promptCredentialWithSetupEngine(existing, hasStoredPassword)
 	}
 	host, err := frameworkcli.PromptLine(p.reader, p.output, "IMAP host", existing.Host)
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
-
+	username, err := p.prompt("Username: ")
 	username, err := frameworkcli.PromptLine(p.reader, p.output, "Username", existing.Username)
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
-
+	password, err := p.passwordReader.ReadPassword("Password: ")
 	password, err := p.promptPassword(existing.Password, hasStoredPassword)
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
@ -67,80 +83,101 @@ func (p *InteractiveConfigPrompter) PromptCredential(_ context.Context, existing
 	if err := cred.Validate(); err != nil {
 		return secretstore.Credential{}, err
 	}
 	return cred, nil
 }
-func (p *InteractiveConfigPrompter) promptCredentialWithSetupEngine(existing secretstore.Credential, hasStoredPassword bool) (secretstore.Credential, error) {
+func (p *InteractiveSetupPrompter) prompt(label string) (string, error) {
-	password := ""
+	if _, err := fmt.Fprint(p.output, label); err != nil {
 	if hasStoredPassword {
 		password = existing.Password
 	}
 	fields := mcpgen.SetupFields(map[string]string{"password": password})
 	for i := range fields {
 		switch fields[i].Name {
 		case "host":
 			fields[i].Default = existing.Host
 		case "username":
 			fields[i].Default = existing.Username
 		}
 	}
 	result, err := frameworkcli.RunSetup(frameworkcli.SetupOptions{
 		Stdin:  p.stdinFile,
 		Stdout: p.output,
 		Fields: fields,
 	})
 	if err != nil {
 		return secretstore.Credential{}, err
 	}
 	host, ok := result.Get("host")
 	if !ok {
 		return secretstore.Credential{}, fmt.Errorf("setup result is missing host")
 	}
 	username, ok := result.Get("username")
 	if !ok {
 		return secretstore.Credential{}, fmt.Errorf("setup result is missing username")
 	}
 	secret, ok := result.Get("password")
 	if !ok {
 		return secretstore.Credential{}, fmt.Errorf("setup result is missing password")
 	}
 	cred := secretstore.Credential{
 		Host:     host.String,
 		Username: username.String,
 		Password: secret.String,
 	}
 	if err := cred.Validate(); err != nil {
 		return secretstore.Credential{}, err
 	}
 	return cred, nil
 }
 func (p *InteractiveConfigPrompter) promptPassword(storedPassword string, hasStoredPassword bool) (string, error) {
 	if p.stdinFile != nil {
 		return frameworkcli.PromptSecret(p.stdinFile, p.output, "Password", hasStoredPassword, storedPassword)
 	}
 	if hasStoredPassword {
 		fmt.Fprint(p.output, "Password [stored, leave blank to keep]: ")
 	} else {
 		fmt.Fprint(p.output, "Password: ")
 	}
 	line, err := p.reader.ReadString('\n')
 	if err != nil && err != io.EOF {
 		return "", err
 	}
-	password := strings.TrimSpace(line)
+	value, err := p.input.ReadString('\n')
-	if password == "" && hasStoredPassword {
+	if err != nil && err != io.EOF {
-		return storedPassword, nil
+		return "", err
 	}
 	return strings.TrimSpace(value), nil
 }
 func newTerminalPasswordReader(input io.Reader, output io.Writer, fallback func(string) (string, error)) PasswordReader {
 	return terminalPasswordReader{
 		input:                input,
 		output:               output,
 		isTerminal:           isTerminalReader,
 		readHiddenPassword:   readHiddenPassword,
 		readFallbackPassword: fallback,
 	}
 }
 func (r terminalPasswordReader) ReadPassword(prompt string) (string, error) {
 	if r.isTerminal != nil && r.isTerminal(r.input) {
 		file, ok := r.input.(*os.File)
 		if ok {
 			if _, err := fmt.Fprint(r.output, prompt); err != nil {
 				return "", err
 			}
 			password, err := r.readHiddenPassword(file)
 			if _, printErr := fmt.Fprintln(r.output); err == nil && printErr != nil {
 				return "", printErr
 			}
 			if err != nil {
 				return "", err
 			}
 			return strings.TrimSpace(string(password)), nil
 		}
 	}
-	return password, nil
+	return r.readFallbackPassword(prompt)
 }
 func isTerminalReader(reader io.Reader) bool {
 	file, ok := reader.(*os.File)
 	if !ok {
 		return false
 	}
 	return isTerminalFile(file)
 }
 func isTerminalFile(file *os.File) bool {
 	_, err := getTermios(file.Fd())
 	return err == nil
 }
 func readHiddenPassword(file *os.File) ([]byte, error) {
 	state, err := getTermios(file.Fd())
 	if err != nil {
 		return nil, err
 	}
 	next := *state
 	next.Lflag &^= syscall.ECHO
 	if err := setTermios(file.Fd(), &next); err != nil {
 		return nil, err
 	}
 	defer func() {
 		_ = setTermios(file.Fd(), state)
 	}()
 	reader := bufio.NewReader(file)
 	value, err := reader.ReadBytes('\n')
 	if err != nil && err != io.EOF {
 		return nil, err
 	}
 	return []byte(strings.TrimRight(string(value), "\r\n")), nil
 }
 func getTermios(fd uintptr) (*syscall.Termios, error) {
 	state := &syscall.Termios{}
 	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TCGETS), uintptr(unsafe.Pointer(state)))
 	if errno != 0 {
 		return nil, errno
 	}
 	return state, nil
 }
 func setTermios(fd uintptr, state *syscall.Termios) error {
 	_, _, errno := syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TCSETS), uintptr(unsafe.Pointer(state)))
 	if errno != 0 {
 		return errno
 	}
 	return nil
 }
--- a/internal/cli/setup_test.go
+++ b/internal/cli/setup_test.go
@ -3,21 +3,21 @@ package cli
 import (
 	"bytes"
 	"context"
 	"errors"
 	"io"
 	"os"
 	"strings"
 	"testing"
 	"email-mcp/internal/secretstore"
 )
-func TestInteractiveConfigPrompterPromptCredentialCollectsValues(t *testing.T) {
+func TestInteractiveSetupPrompterPromptSetupCollectsCredential(t *testing.T) {
-	input := strings.NewReader("imap.example.com\nalice\nsecret\n")
+	input := strings.NewReader(" imap.example.com \n alice \n secret \n")
 	output := &bytes.Buffer{}
-	prompter := NewInteractiveConfigPrompter(input, output)
+	prompter := NewInteractiveSetupPrompter(input, output)
-	cred, err := prompter.PromptCredential(context.Background(), secretstore.Credential{}, false)
+	cred, err := prompter.PromptSetup(context.Background())
 	if err != nil {
-		t.Fatalf("PromptCredential returned error: %v", err)
+		t.Fatalf("PromptSetup returned error: %v", err)
 	}
 	if cred.Host != "imap.example.com" || cred.Username != "alice" || cred.Password != "secret" {
@ -28,85 +28,122 @@ func TestInteractiveConfigPrompterPromptCredentialCollectsValues(t *testing.T) {
 	}
 }
-func TestInteractiveConfigPrompterPromptCredentialKeepsStoredPassword(t *testing.T) {
+func TestInteractiveSetupPrompterPromptSetupUsesPasswordReader(t *testing.T) {
 	input := strings.NewReader("imap.example.com\nalice\n\n")
 	output := &bytes.Buffer{}
-	prompter := NewInteractiveConfigPrompter(input, output)
+	passwordReader := &passwordReaderStub{password: "secret"}
 	prompter := NewInteractiveSetupPrompterWithPasswordReader(
 		strings.NewReader("imap.example.com\nalice\n"),
 		output,
 		passwordReader,
 	)
-	cred, err := prompter.PromptCredential(context.Background(), secretstore.Credential{
+	cred, err := prompter.PromptSetup(context.Background())
 		Host:     "imap.example.com",
 		Username: "alice",
 		Password: "stored-secret",
 	}, true)
 	if err != nil {
-		t.Fatalf("PromptCredential returned error: %v", err)
+		t.Fatalf("PromptSetup returned error: %v", err)
 	}
-	if cred.Password != "stored-secret" {
+	if cred.Password != "secret" {
-		t.Fatalf("expected stored password to be preserved, got %q", cred.Password)
+		t.Fatalf("expected password from password reader, got %#v", cred)
 	}
-	if got := output.String(); !strings.Contains(got, "Password [stored, leave blank to keep]: ") {
+	if passwordReader.prompt != "Password: " {
-		t.Fatalf("unexpected prompts: %q", got)
+		t.Fatalf("unexpected password prompt %q", passwordReader.prompt)
 	}
 }
-func TestInteractiveConfigPrompterPromptCredentialUsesSetupEngineWithFileInput(t *testing.T) {
+func TestInteractiveSetupPrompterPromptSetupRejectsMissingFields(t *testing.T) {
-	input := setupInputFile(t, "imap.example.com\nalice\nsecret\n")
+	input := strings.NewReader("imap.example.com\nalice\n   \n")
-	output := &bytes.Buffer{}
+	prompter := NewInteractiveSetupPrompter(input, &bytes.Buffer{})
 	prompter := NewInteractiveConfigPrompter(input, output)
-	cred, err := prompter.PromptCredential(context.Background(), secretstore.Credential{}, false)
+	_, err := prompter.PromptSetup(context.Background())
-	if err != nil {
+	if err == nil {
-		t.Fatalf("PromptCredential returned error: %v", err)
+		t.Fatal("expected validation error")
 	}
-
+	if !strings.Contains(err.Error(), "password is required") {
-	if cred.Host != "imap.example.com" || cred.Username != "alice" || cred.Password != "secret" {
+		t.Fatalf("expected password validation error, got %v", err)
 		t.Fatalf("unexpected credential: %#v", cred)
 	}
 	if got := output.String(); got != "IMAP host: Username: Password: " {
 		t.Fatalf("unexpected prompts: %q", got)
 	}
 }
-func TestInteractiveConfigPrompterPromptCredentialKeepsStoredPasswordWithSetupEngine(t *testing.T) {
+func TestTerminalPasswordReaderReadPasswordUsesHiddenInputForTTY(t *testing.T) {
-	input := setupInputFile(t, "imap.example.com\nalice\n\n")
+	hiddenCalls := 0
-	output := &bytes.Buffer{}
+	fallbackCalls := 0
-	prompter := NewInteractiveConfigPrompter(input, output)
+	reader := terminalPasswordReader{
 		input:  os.Stdin,
 		output: &bytes.Buffer{},
 		isTerminal: func(io.Reader) bool {
 			return true
 		},
 		readHiddenPassword: func(file *os.File) ([]byte, error) {
 			hiddenCalls++
 			if file != os.Stdin {
 				t.Fatalf("expected os.Stdin, got %v", file)
 			}
 			return []byte("secret"), nil
 		},
 		readFallbackPassword: func(string) (string, error) {
 			fallbackCalls++
 			return "", nil
 		},
 	}
-	cred, err := prompter.PromptCredential(context.Background(), secretstore.Credential{
+	password, err := reader.ReadPassword("Password: ")
 		Host:     "imap.example.com",
 		Username: "alice",
 		Password: "stored-secret",
 	}, true)
 	if err != nil {
-		t.Fatalf("PromptCredential returned error: %v", err)
+		t.Fatalf("ReadPassword returned error: %v", err)
 	}
-	if cred.Password != "stored-secret" {
+	if password != "secret" {
-		t.Fatalf("expected stored password to be preserved, got %q", cred.Password)
+		t.Fatalf("expected hidden password, got %q", password)
 	}
-	if got := output.String(); !strings.Contains(got, "Password [stored, leave blank to keep]: ") {
+	if hiddenCalls != 1 {
-		t.Fatalf("unexpected prompts: %q", got)
+		t.Fatalf("expected hidden reader to be called once, got %d", hiddenCalls)
 	}
 	if fallbackCalls != 0 {
 		t.Fatalf("expected fallback reader not to be called, got %d", fallbackCalls)
 	}
 }
-func setupInputFile(t *testing.T, content string) *os.File {
+func TestTerminalPasswordReaderReadPasswordFallsBackWhenInputIsNotTTY(t *testing.T) {
-	t.Helper()
+	hiddenCalls := 0
 	reader := terminalPasswordReader{
 		input:  strings.NewReader("ignored\n"),
 		output: &bytes.Buffer{},
 		isTerminal: func(io.Reader) bool {
 			return false
 		},
 		readHiddenPassword: func(*os.File) ([]byte, error) {
 			hiddenCalls++
 			return nil, errors.New("should not be called")
 		},
 		readFallbackPassword: func(prompt string) (string, error) {
 			if prompt != "Password: " {
 				t.Fatalf("unexpected prompt %q", prompt)
 			}
 			return "secret", nil
 		},
 	}
-	input, err := os.CreateTemp(t.TempDir(), "setup-input-*.txt")
+	password, err := reader.ReadPassword("Password: ")
 	if err != nil {
-		t.Fatalf("CreateTemp returned error: %v", err)
+		t.Fatalf("ReadPassword returned error: %v", err)
 	}
 	t.Cleanup(func() {
 		_ = input.Close()
 	})
 	if _, err := input.WriteString(content); err != nil {
 		t.Fatalf("WriteString returned error: %v", err)
 	}
 	if _, err := input.Seek(0, 0); err != nil {
 		t.Fatalf("Seek returned error: %v", err)
 	}
-	return input
+	if password != "secret" {
 		t.Fatalf("expected fallback password, got %q", password)
 	}
 	if hiddenCalls != 0 {
 		t.Fatalf("expected hidden reader not to be called, got %d", hiddenCalls)
 	}
 }
 type passwordReaderStub struct {
 	password string
 	err      error
 	prompt   string
 }
 func (p *passwordReaderStub) ReadPassword(prompt string) (string, error) {
 	p.prompt = prompt
 	if p.err != nil {
 		return "", p.err
 	}
 	return p.password, nil
 }
--- a/internal/cli/wire.go
+++ b/internal/cli/wire.go
@ -1,85 +1,50 @@
 package cli
 import (
 	"context"
 	"io"
 	"os"
 	"strings"
 	"email-mcp/mcpgen"
 	frameworkconfig "forge.lclr.dev/AI/mcp-framework/config"
 	frameworksecretstore "forge.lclr.dev/AI/mcp-framework/secretstore"
 	"email-mcp/internal/imapclient"
 	"email-mcp/internal/mcpserver"
 	"email-mcp/internal/secretstore"
 	"email-mcp/internal/secretstore/kwallet"
 )
 type runtimeFactories struct {
-	newPrompter       func(io.Reader, io.Writer) ConfigPrompter
+	newPrompter     func(io.Reader, io.Writer) SetupPrompter
-	newConfigStore    func() profileConfigStore
+	newWalletClient func() kwallet.Client
-	openSecretStore   func() (secretStore, error)
+	newStore        func(kwallet.Client) secretstore.Store
-	newMailService    func() mcpserver.MailService
+	newMailService  func() mcpserver.MailService
-	newRunner         func(secretstore.Credential, mcpserver.MailService, io.Reader, io.Writer, io.Writer) MCPRunner
+	newRunner       func(secretstore.Store, mcpserver.MailService, io.Reader, io.Writer, io.Writer) MCPRunner
 	loadManifest      manifestLoader
 	resolveExecutable executableResolver
 }
-func BuildApp(version string) *App {
+func BuildApp() *App {
-	return buildApp(os.Stdin, os.Stdout, os.Stderr, version, runtimeFactories{})
+	return buildApp(os.Stdin, os.Stdout, os.Stderr, runtimeFactories{})
 }
-func buildApp(stdin io.Reader, stdout io.Writer, stderr io.Writer, version string, factories runtimeFactories) *App {
+func buildApp(stdin io.Reader, stdout io.Writer, stderr io.Writer, factories runtimeFactories) *App {
 	factories = factories.withDefaults()
-	return NewAppWithDependencies(
+	prompter := factories.newPrompter(stdin, stderr)
-		factories.newPrompter(stdin, stderr),
+	store := factories.newStore(factories.newWalletClient())
-		factories.newConfigStore(),
+	mailService := factories.newMailService()
-		factories.openSecretStore,
+	runner := factories.newRunner(store, mailService, stdin, stdout, stderr)
-		factories.newMailService,
+
-		factories.newRunner,
+	return NewAppWithDependencies(prompter, store, runner, stderr)
 		factories.loadManifest,
 		factories.resolveExecutable,
 		stdin,
 		stdout,
 		stderr,
 		version,
 	)
 }
 func (f runtimeFactories) withDefaults() runtimeFactories {
 	useGeneratedManifest := f.loadManifest == nil
 	if f.newPrompter == nil {
-		f.newPrompter = func(input io.Reader, output io.Writer) ConfigPrompter {
+		f.newPrompter = func(input io.Reader, output io.Writer) SetupPrompter {
-			return NewInteractiveConfigPrompter(input, output)
+			return NewInteractiveSetupPrompter(input, output)
 		}
 	}
-	if f.newConfigStore == nil {
+	if f.newWalletClient == nil {
-		f.newConfigStore = func() profileConfigStore {
+		f.newWalletClient = kwallet.NewDefaultWalletClient
 			return frameworkconfig.NewStore[ProfileConfig](mcpgen.BinaryName)
 		}
 	}
-	if f.loadManifest == nil {
+	if f.newStore == nil {
-		f.loadManifest = mcpgen.LoadManifest
+		f.newStore = func(client kwallet.Client) secretstore.Store {
-	}
+			return kwallet.NewStore(client)
 	if f.resolveExecutable == nil {
 		f.resolveExecutable = os.Executable
 	}
 	if f.openSecretStore == nil {
 		f.openSecretStore = func() (secretStore, error) {
 			if useGeneratedManifest {
 				return mcpgen.OpenSecretStore(mcpgen.SecretStoreOptions{
 					ExecutableResolver: frameworksecretstore.ExecutableResolver(f.resolveExecutable),
 					LookupEnv:          profilePasswordLookupEnv,
 				})
 			}
 			return frameworksecretstore.OpenFromManifest(frameworksecretstore.OpenFromManifestOptions{
 				ServiceName:        mcpgen.BinaryName,
 				ManifestLoader:     frameworksecretstore.ManifestLoader(f.loadManifest),
 				ExecutableResolver: frameworksecretstore.ExecutableResolver(f.resolveExecutable),
 				LookupEnv:          profilePasswordLookupEnv,
 			})
 		}
 	}
 	if f.newMailService == nil {
@ -88,30 +53,10 @@ func (f runtimeFactories) withDefaults() runtimeFactories {
 		}
 	}
 	if f.newRunner == nil {
-		f.newRunner = func(cred secretstore.Credential, mail mcpserver.MailService, input io.Reader, output io.Writer, errOut io.Writer) MCPRunner {
+		f.newRunner = func(store secretstore.Store, mail mcpserver.MailService, input io.Reader, output io.Writer, errOut io.Writer) MCPRunner {
-			return mcpserver.NewRunner(mcpserver.New(staticCredentialStore{credential: cred}, mail), input, output, errOut)
+			return mcpserver.NewRunner(mcpserver.New(store, mail), input, output, errOut)
 		}
 	}
 	return f
 }
 func profilePasswordLookupEnv(name string) (string, bool) {
 	trimmedName := strings.TrimSpace(name)
 	if strings.HasPrefix(trimmedName, "imap-password/") {
 		return os.LookupEnv(passwordEnv)
 	}
 	return os.LookupEnv(trimmedName)
 }
 type staticCredentialStore struct {
 	credential secretstore.Credential
 }
 func (s staticCredentialStore) Save(_ context.Context, _ string, _ secretstore.Credential) error {
 	return nil
 }
 func (s staticCredentialStore) Load(_ context.Context, _ string) (secretstore.Credential, error) {
 	return s.credential, nil
 }
--- a/internal/cli/wire_test.go
+++ b/internal/cli/wire_test.go
@ -1,82 +1,160 @@
 package cli
 import (
 	"bytes"
 	"context"
 	"io"
 	"strings"
 	"testing"
-	frameworkmanifest "forge.lclr.dev/AI/mcp-framework/manifest"
+	"email-mcp/internal/imapclient"
 	"email-mcp/internal/mcpserver"
 	"email-mcp/internal/secretstore"
 	"email-mcp/internal/secretstore/kwallet"
 )
 type walletClientStub struct{}
 func (walletClientStub) IsAvailable(context.Context) error {
 	return nil
 }
 func (walletClientStub) Open(context.Context) error {
 	return nil
 }
 func (walletClientStub) WriteEntry(context.Context, string, []byte) error {
 	return nil
 }
 func (walletClientStub) ReadEntry(context.Context, string) ([]byte, error) {
 	return nil, nil
 }
 type wireStoreStub struct {
 	saved      secretstore.Credential
 	savedKey   string
 	saveCalled bool
 }
 func (s *wireStoreStub) Save(_ context.Context, key string, cred secretstore.Credential) error {
 	s.saveCalled = true
 	s.savedKey = key
 	s.saved = cred
 	return nil
 }
 func (s *wireStoreStub) Load(context.Context, string) (secretstore.Credential, error) {
 	return secretstore.Credential{}, nil
 }
 type wireMailServiceStub struct{}
 func (wireMailServiceStub) ListMailboxes(context.Context, secretstore.Credential) ([]imapclient.Mailbox, error) {
 	return nil, nil
 }
 func (wireMailServiceStub) ListMessages(context.Context, secretstore.Credential, string, int) ([]imapclient.MessageSummary, error) {
 	return nil, nil
 }
 func (wireMailServiceStub) GetMessage(context.Context, secretstore.Credential, string, uint32) (imapclient.Message, error) {
 	return imapclient.Message{}, nil
 }
 func TestBuildAppWiresSetupAndMCPCommands(t *testing.T) {
 	stdin := strings.NewReader("unused")
 	stdout := &bytes.Buffer{}
 	stderr := &bytes.Buffer{}
 	prompter := &promptStub{
 		credential: secretstore.Credential{
 			Host:     "imap.example.com",
 			Username: "alice",
 			Password: "secret",
 		},
 	}
 	store := &wireStoreStub{}
 	mail := wireMailServiceStub{}
 	runner := &runnerStub{}
 	walletClient := &walletClientStub{}
 	var gotStoreClient kwallet.Client
 	var gotRunnerStore secretstore.Store
 	var gotRunnerMail mcpserver.MailService
 	app := buildApp(stdin, stdout, stderr, runtimeFactories{
 		newPrompter: func(in io.Reader, errOut io.Writer) SetupPrompter {
 			if in != stdin {
 				t.Fatalf("expected stdin to be forwarded to prompter")
 			}
 			if errOut != stderr {
 				t.Fatalf("expected stderr to be forwarded to prompter")
 			}
 			return prompter
 		},
 		newWalletClient: func() kwallet.Client {
 			return walletClient
 		},
 		newStore: func(client kwallet.Client) secretstore.Store {
 			gotStoreClient = client
 			return store
 		},
 		newMailService: func() mcpserver.MailService {
 			return mail
 		},
 		newRunner: func(store secretstore.Store, mail mcpserver.MailService, in io.Reader, out io.Writer, errOut io.Writer) MCPRunner {
 			gotRunnerStore = store
 			gotRunnerMail = mail
 			if in != stdin {
 				t.Fatalf("expected stdin to be forwarded to runner")
 			}
 			if out != stdout {
 				t.Fatalf("expected stdout to be forwarded to runner")
 			}
 			if errOut != stderr {
 				t.Fatalf("expected stderr to be forwarded to runner")
 			}
 			return runner
 		},
 	})
 	if err := app.Run([]string{"setup"}); err != nil {
 		t.Fatalf("setup returned error: %v", err)
 	}
 	if !prompter.called {
 		t.Fatal("expected setup prompter to be called")
 	}
 	if !store.saveCalled {
 		t.Fatal("expected store Save to be called")
 	}
 	if store.savedKey != secretstore.DefaultAccountKey {
 		t.Fatalf("expected setup to save %q, got %q", secretstore.DefaultAccountKey, store.savedKey)
 	}
 	if store.saved.Host != "imap.example.com" || store.saved.Username != "alice" || store.saved.Password != "secret" {
 		t.Fatalf("unexpected saved credential: %#v", store.saved)
 	}
 	if err := app.Run([]string{"mcp"}); err != nil {
 		t.Fatalf("mcp returned error: %v", err)
 	}
 	if !runner.called {
 		t.Fatal("expected MCP runner to be called")
 	}
 	if gotStoreClient != walletClient {
 		t.Fatal("expected wallet client to be passed to the store factory")
 	}
 	if gotRunnerStore != store {
 		t.Fatal("expected runner to receive the assembled store")
 	}
 	if gotRunnerMail != mail {
 		t.Fatal("expected runner to receive the assembled mail service")
 	}
 }
 func TestBuildAppReturnsConfiguredApp(t *testing.T) {
-	app := BuildApp("dev")
+	app := BuildApp()
 	if app == nil {
 		t.Fatal("expected app instance")
 	}
 	if app.prompter == nil {
 		t.Fatal("expected config prompter to be configured")
 	}
 	if app.configStore == nil {
 		t.Fatal("expected config store to be configured")
 	}
 	if app.openSecretStore == nil {
 		t.Fatal("expected secret store opener to be configured")
 	}
 	if app.newMailService == nil {
 		t.Fatal("expected mail service factory to be configured")
 	}
 	if app.newRunner == nil {
 		t.Fatal("expected runner factory to be configured")
 	}
 	if app.loadManifest == nil {
 		t.Fatal("expected manifest loader to be configured")
 	}
 }
 func TestBuildAppOpenSecretStoreMapsProfilePasswordToEnvironment(t *testing.T) {
 	t.Setenv(passwordEnv, "env-secret")
 	app := buildApp(nil, nil, nil, "dev", runtimeFactories{
 		loadManifest: func(string) (frameworkmanifest.File, string, error) {
 			return frameworkmanifest.File{
 				SecretStore: frameworkmanifest.SecretStore{
 					BackendPolicy: "env-only",
 				},
 			}, "/tmp/mcp.toml", nil
 		},
 		resolveExecutable: func() (string, error) { return "/tmp/bin/email-mcp", nil },
 	})
 	store, err := app.openSecretStore()
 	if err != nil {
 		t.Fatalf("openSecretStore returned error: %v", err)
 	}
 	value, err := store.GetSecret("imap-password/work")
 	if err != nil {
 		t.Fatalf("GetSecret returned error: %v", err)
 	}
 	if value != "env-secret" {
 		t.Fatalf("GetSecret = %q, want %q", value, "env-secret")
 	}
 }
 func TestBuildAppOpenSecretStoreReturnsErrorOnInvalidManifestPolicy(t *testing.T) {
 	app := buildApp(nil, nil, nil, "dev", runtimeFactories{
 		loadManifest: func(string) (frameworkmanifest.File, string, error) {
 			return frameworkmanifest.File{
 				SecretStore: frameworkmanifest.SecretStore{
 					BackendPolicy: "invalid-policy",
 				},
 			}, "/tmp/mcp.toml", nil
 		},
 		resolveExecutable: func() (string, error) { return "/tmp/bin/email-mcp", nil },
 	})
 	_, err := app.openSecretStore()
 	if err == nil {
 		t.Fatal("expected invalid secret store policy error")
 	}
 	if !strings.Contains(err.Error(), "invalid secret_store.backend_policy") {
 		t.Fatalf("unexpected error: %v", err)
 	}
 }
--- a/mcp.toml
+++ b/mcp.toml
@ -1,60 +0,0 @@
 binary_name = "email-mcp"
 docs_url = "https://forge.lclr.dev/AI/email-mcp"
 [update]
 source_name = "email-mcp releases"
 driver = "gitea"
 repository = "AI/email-mcp"
 base_url = "https://forge.lclr.dev"
 asset_name_template = "{binary}-{os}-{arch}{ext}"
 checksum_asset_name = "{asset}.sha256"
 checksum_required = true
 token_env_names = ["GITEA_TOKEN"]
 [environment]
 known = [
  "EMAIL_MCP_PROFILE",
  "EMAIL_MCP_HOST",
  "EMAIL_MCP_USERNAME",
  "EMAIL_MCP_PASSWORD",
  "BW_SESSION",
  "MCP_FRAMEWORK_BITWARDEN_CACHE",
  "MCP_FRAMEWORK_BITWARDEN_DEBUG",
 ]
 [secret_store]
 backend_policy = "bitwarden-cli"
 [profiles]
 default = "default"
 known = ["default"]
 [bootstrap]
 description = "Local MCP server to read an IMAP mailbox."
 [[config.fields]]
 name = "host"
 env = "EMAIL_MCP_HOST"
 config_key = "host"
 type = "string"
 label = "IMAP host"
 required = true
 sources = ["env", "config"]
 [[config.fields]]
 name = "username"
 env = "EMAIL_MCP_USERNAME"
 config_key = "username"
 type = "string"
 label = "Username"
 required = true
 sources = ["env", "config"]
 [[config.fields]]
 name = "password"
 env = "EMAIL_MCP_PASSWORD"
 secret_key_template = "imap-password/{profile}"
 type = "secret"
 label = "Password"
 required = true
 sources = ["env", "secret"]
--- a/mcpgen/config.go
+++ b/mcpgen/config.go
@ -1,63 +0,0 @@
 // Code generated by mcp-framework generate. DO NOT EDIT.
 package mcpgen
 import (
 	"flag"
 	"strings"
 	fwcli "forge.lclr.dev/AI/mcp-framework/cli"
 )
 type ConfigFlags struct {
 	values map[string]*string
 }
 func AddConfigFlags(fs *flag.FlagSet) ConfigFlags {
 	if fs == nil {
 		fs = flag.CommandLine
 	}
 	flags := ConfigFlags{
 		values: make(map[string]*string),
 	}
 	return flags
 }
 func ConfigFlagValues(flags ConfigFlags) map[string]string {
 	values := make(map[string]string)
 	for name, value := range flags.values {
 		if value == nil {
 			continue
 		}
 		if trimmed := strings.TrimSpace(*value); trimmed != "" {
 			values[name] = trimmed
 		}
 	}
 	return values
 }
 func ResolveFieldSpecs(profile string) []fwcli.FieldSpec {
 	return []fwcli.FieldSpec{
 		{Name: "host", Required: true, DefaultValue: "", Sources: []fwcli.ValueSource{fwcli.SourceEnv, fwcli.SourceConfig}, FlagKey: "", EnvKey: "EMAIL_MCP_HOST", ConfigKey: "host", SecretKey: replaceProfile("", profile)},
 		{Name: "username", Required: true, DefaultValue: "", Sources: []fwcli.ValueSource{fwcli.SourceEnv, fwcli.SourceConfig}, FlagKey: "", EnvKey: "EMAIL_MCP_USERNAME", ConfigKey: "username", SecretKey: replaceProfile("", profile)},
 		{Name: "password", Required: true, DefaultValue: "", Sources: []fwcli.ValueSource{fwcli.SourceEnv, fwcli.SourceSecret}, FlagKey: "", EnvKey: "EMAIL_MCP_PASSWORD", ConfigKey: "", SecretKey: replaceProfile("imap-password/{profile}", profile)},
 	}
 }
 func SetupFields(existing map[string]string) []fwcli.SetupField {
 	if existing == nil {
 		existing = map[string]string{}
 	}
 	return []fwcli.SetupField{
 		{Name: "host", Label: "IMAP host", Type: fwcli.SetupFieldString, Required: true, Default: "", ExistingSecret: existing["host"]},
 		{Name: "username", Label: "Username", Type: fwcli.SetupFieldString, Required: true, Default: "", ExistingSecret: existing["username"]},
 		{Name: "password", Label: "Password", Type: fwcli.SetupFieldSecret, Required: true, Default: "", ExistingSecret: existing["password"]},
 	}
 }
 func replaceProfile(value, profile string) string {
 	return strings.ReplaceAll(value, "{profile}", strings.TrimSpace(profile))
 }
--- a/mcpgen/generated_test.go
+++ b/mcpgen/generated_test.go
@ -1,71 +0,0 @@
 package mcpgen
 import (
 	"os"
 	"testing"
 	fwmanifest "forge.lclr.dev/AI/mcp-framework/manifest"
 )
 func TestGeneratedManifestFallsBackToEmbeddedRootManifest(t *testing.T) {
 	previousDir, err := os.Getwd()
 	if err != nil {
 		t.Fatalf("Getwd returned error: %v", err)
 	}
 	if err := os.Chdir(t.TempDir()); err != nil {
 		t.Fatalf("Chdir temp dir returned error: %v", err)
 	}
 	t.Cleanup(func() {
 		if err := os.Chdir(previousDir); err != nil {
 			t.Fatalf("restore working directory: %v", err)
 		}
 	})
 	manifestFile, source, err := LoadManifest(".")
 	if err != nil {
 		t.Fatalf("LoadManifest returned error: %v", err)
 	}
 	if source != fwmanifest.EmbeddedSource {
 		t.Fatalf("source = %q, want %q", source, fwmanifest.EmbeddedSource)
 	}
 	if manifestFile.BinaryName != "email-mcp" {
 		t.Fatalf("BinaryName = %q, want email-mcp", manifestFile.BinaryName)
 	}
 	if len(manifestFile.Config.Fields) != 3 {
 		t.Fatalf("config fields = %d, want 3", len(manifestFile.Config.Fields))
 	}
 	if manifestFile.SecretStore.BackendPolicy != "bitwarden-cli" {
 		t.Fatalf("secret store backend policy = %q, want bitwarden-cli", manifestFile.SecretStore.BackendPolicy)
 	}
 }
 func TestGeneratedConfigHelpersExposeIMAPResolutionFields(t *testing.T) {
 	specs := ResolveFieldSpecs("work")
 	if len(specs) != 3 {
 		t.Fatalf("ResolveFieldSpecs returned %d fields, want 3", len(specs))
 	}
 	if specs[0].Name != "host" || specs[0].EnvKey != "EMAIL_MCP_HOST" || specs[0].ConfigKey != "host" {
 		t.Fatalf("host spec = %+v", specs[0])
 	}
 	if specs[1].Name != "username" || specs[1].EnvKey != "EMAIL_MCP_USERNAME" || specs[1].ConfigKey != "username" {
 		t.Fatalf("username spec = %+v", specs[1])
 	}
 	if specs[2].Name != "password" || specs[2].EnvKey != "EMAIL_MCP_PASSWORD" || specs[2].SecretKey != "imap-password/work" {
 		t.Fatalf("password spec = %+v", specs[2])
 	}
 }
 func TestGeneratedManifestPrefersRootFileWhenPresent(t *testing.T) {
 	manifestFile, source, err := LoadManifest(".")
 	if err != nil {
 		t.Fatalf("LoadManifest returned error: %v", err)
 	}
 	if source == fwmanifest.EmbeddedSource {
 		t.Fatalf("source = %q, want root manifest path", source)
 	}
 	if manifestFile.BinaryName != "email-mcp" {
 		t.Fatalf("BinaryName = %q, want email-mcp", manifestFile.BinaryName)
 	}
 }
--- a/mcpgen/manifest.go
+++ b/mcpgen/manifest.go
@ -1,11 +0,0 @@
 // Code generated by mcp-framework generate. DO NOT EDIT.
 package mcpgen
 import fwmanifest "forge.lclr.dev/AI/mcp-framework/manifest"
 const embeddedManifest = "binary_name = \"email-mcp\"\ndocs_url = \"https://gitea.lclr.dev/AI/email-mcp\"\n\n[update]\nsource_name = \"email-mcp releases\"\ndriver = \"gitea\"\nrepository = \"AI/email-mcp\"\nbase_url = \"https://gitea.lclr.dev\"\nasset_name_template = \"{binary}-{os}-{arch}{ext}\"\nchecksum_asset_name = \"{asset}.sha256\"\nchecksum_required = true\ntoken_env_names = [\"GITEA_TOKEN\"]\n\n[environment]\nknown = [\n  \"EMAIL_MCP_PROFILE\",\n  \"EMAIL_MCP_HOST\",\n  \"EMAIL_MCP_USERNAME\",\n  \"EMAIL_MCP_PASSWORD\",\n  \"BW_SESSION\",\n  \"MCP_FRAMEWORK_BITWARDEN_CACHE\",\n  \"MCP_FRAMEWORK_BITWARDEN_DEBUG\",\n]\n\n[secret_store]\nbackend_policy = \"bitwarden-cli\"\n\n[profiles]\ndefault = \"default\"\nknown = [\"default\"]\n\n[bootstrap]\ndescription = \"Local MCP server to read an IMAP mailbox.\"\n\n[[config.fields]]\nname = \"host\"\nenv = \"EMAIL_MCP_HOST\"\nconfig_key = \"host\"\ntype = \"string\"\nlabel = \"IMAP host\"\nrequired = true\nsources = [\"env\", \"config\"]\n\n[[config.fields]]\nname = \"username\"\nenv = \"EMAIL_MCP_USERNAME\"\nconfig_key = \"username\"\ntype = \"string\"\nlabel = \"Username\"\nrequired = true\nsources = [\"env\", \"config\"]\n\n[[config.fields]]\nname = \"password\"\nenv = \"EMAIL_MCP_PASSWORD\"\nsecret_key_template = \"imap-password/{profile}\"\ntype = \"secret\"\nlabel = \"Password\"\nrequired = true\nsources = [\"env\", \"secret\"]\n"
 func LoadManifest(startDir string) (fwmanifest.File, string, error) {
 	return fwmanifest.LoadDefaultOrEmbedded(startDir, embeddedManifest)
 }
--- a/mcpgen/metadata.go
+++ b/mcpgen/metadata.go
@ -1,27 +0,0 @@
 // Code generated by mcp-framework generate. DO NOT EDIT.
 package mcpgen
 import fwmanifest "forge.lclr.dev/AI/mcp-framework/manifest"
 const BinaryName = "email-mcp"
 const DefaultDescription = "Local MCP server to read an IMAP mailbox."
 const DocsURL = "https://gitea.lclr.dev/AI/email-mcp"
 func BootstrapInfo(startDir string) (fwmanifest.BootstrapMetadata, string, error) {
 	manifestFile, source, err := LoadManifest(startDir)
 	if err != nil {
 		return fwmanifest.BootstrapMetadata{}, "", err
 	}
 	return manifestFile.BootstrapInfo(), source, nil
 }
 func ScaffoldInfo(startDir string) (fwmanifest.ScaffoldMetadata, string, error) {
 	manifestFile, source, err := LoadManifest(startDir)
 	if err != nil {
 		return fwmanifest.ScaffoldMetadata{}, "", err
 	}
 	return manifestFile.ScaffoldInfo(), source, nil
 }
--- a/mcpgen/secretstore.go
+++ b/mcpgen/secretstore.go
@ -1,91 +0,0 @@
 // Code generated by mcp-framework generate. DO NOT EDIT.
 package mcpgen
 import (
 	"os"
 	"path/filepath"
 	"strings"
 	fwsecretstore "forge.lclr.dev/AI/mcp-framework/secretstore"
 )
 type SecretStoreOptions struct {
 	ServiceName           string
 	LookupEnv             func(string) (string, bool)
 	KWalletAppID          string
 	KWalletFolder         string
 	BitwardenCommand      string
 	BitwardenDebug        bool
 	DisableBitwardenCache bool
 	Shell                 string
 	ExecutableResolver    fwsecretstore.ExecutableResolver
 }
 func OpenSecretStore(options SecretStoreOptions) (fwsecretstore.Store, error) {
 	return fwsecretstore.OpenFromManifest(secretStoreOpenOptions(options))
 }
 func DescribeSecretRuntime(options SecretStoreOptions) (fwsecretstore.RuntimeDescription, error) {
 	return fwsecretstore.DescribeRuntime(secretStoreDescribeOptions(options))
 }
 func PreflightSecretStore(options SecretStoreOptions) (fwsecretstore.PreflightReport, error) {
 	return fwsecretstore.PreflightFromManifest(secretStoreDescribeOptions(options))
 }
 func secretStoreOpenOptions(options SecretStoreOptions) fwsecretstore.OpenFromManifestOptions {
 	return fwsecretstore.OpenFromManifestOptions{
 		ServiceName:           secretStoreServiceName(options),
 		LookupEnv:             options.LookupEnv,
 		KWalletAppID:          options.KWalletAppID,
 		KWalletFolder:         options.KWalletFolder,
 		BitwardenCommand:      options.BitwardenCommand,
 		BitwardenDebug:        options.BitwardenDebug,
 		DisableBitwardenCache: options.DisableBitwardenCache,
 		Shell:                 options.Shell,
 		ManifestLoader:        LoadManifest,
 		ExecutableResolver:    options.ExecutableResolver,
 	}
 }
 func secretStoreDescribeOptions(options SecretStoreOptions) fwsecretstore.DescribeRuntimeOptions {
 	return fwsecretstore.DescribeRuntimeOptions{
 		ServiceName:           secretStoreServiceName(options),
 		LookupEnv:             options.LookupEnv,
 		KWalletAppID:          options.KWalletAppID,
 		KWalletFolder:         options.KWalletFolder,
 		BitwardenCommand:      options.BitwardenCommand,
 		BitwardenDebug:        options.BitwardenDebug,
 		DisableBitwardenCache: options.DisableBitwardenCache,
 		Shell:                 options.Shell,
 		ManifestLoader:        LoadManifest,
 		ExecutableResolver:    options.ExecutableResolver,
 	}
 }
 func secretStoreServiceName(options SecretStoreOptions) string {
 	serviceName := strings.TrimSpace(options.ServiceName)
 	if serviceName != "" {
 		return serviceName
 	}
 	startDir := "."
 	executableResolver := options.ExecutableResolver
 	if executableResolver == nil {
 		executableResolver = os.Executable
 	}
 	if executablePath, err := executableResolver(); err == nil {
 		if dir := strings.TrimSpace(filepath.Dir(strings.TrimSpace(executablePath))); dir != "" {
 			startDir = dir
 		}
 	}
 	if manifestFile, _, err := LoadManifest(startDir); err == nil {
 		if binaryName := strings.TrimSpace(manifestFile.BinaryName); binaryName != "" {
 			return binaryName
 		}
 	}
 	return BinaryName
 }
--- a/mcpgen/update.go
+++ b/mcpgen/update.go
@ -1,59 +0,0 @@
 // Code generated by mcp-framework generate. DO NOT EDIT.
 package mcpgen
 import (
 	"context"
 	"flag"
 	"fmt"
 	"io"
 	"strings"
 	fwupdate "forge.lclr.dev/AI/mcp-framework/update"
 )
 func UpdateOptions(version string, stdout io.Writer) (fwupdate.Options, error) {
 	return UpdateOptionsFrom(".", version, stdout)
 }
 func UpdateOptionsFrom(startDir string, version string, stdout io.Writer) (fwupdate.Options, error) {
 	manifestFile, _, err := LoadManifest(startDir)
 	if err != nil {
 		return fwupdate.Options{}, err
 	}
 	binaryName := strings.TrimSpace(manifestFile.BinaryName)
 	if binaryName == "" {
 		binaryName = BinaryName
 	}
 	return fwupdate.Options{
 		CurrentVersion: version,
 		Stdout:         stdout,
 		BinaryName:     binaryName,
 		ReleaseSource:  manifestFile.Update.ReleaseSource(),
 	}, nil
 }
 func RunUpdate(ctx context.Context, args []string, version string, stdout io.Writer) error {
 	return RunUpdateFrom(ctx, args, ".", version, stdout)
 }
 func RunUpdateFrom(ctx context.Context, args []string, startDir string, version string, stdout io.Writer) error {
 	fs := flag.NewFlagSet("update", flag.ContinueOnError)
 	fs.SetOutput(io.Discard)
 	if err := fs.Parse(args); err != nil {
 		return err
 	}
 	if fs.NArg() != 0 {
 		return fmt.Errorf("update does not accept positional arguments: %s", strings.Join(fs.Args(), ", "))
 	}
 	options, err := UpdateOptionsFrom(startDir, version, stdout)
 	if err != nil {
 		return err
 	}
 	return fwupdate.Run(ctx, options)
 }