@agiflowai/one-mcp 0.3.13 → 0.3.15

package/dist/{http-_ThlSpST.mjs → src-CH93aUm2.mjs}

@@ -12,10 +12,12 @@ import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js"
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { Liquid } from "liquidjs";
-import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
-import express from "express";
+import { once } from "node:events";
+import { promisify } from "node:util";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import express from "express";
+import { SSEServerTransport } from "@modelcontextprotocol/sdk/server/sse.js";
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 
 //#region src/utils/mcpConfigSchema.ts
 /**
@@ -1137,7 +1139,7 @@ const DEFAULT_SERVER_ID = "unknown";
 function isYamlPath(filePath) {
 	return filePath.endsWith(".yaml") || filePath.endsWith(".yml");
 }
-function toErrorMessage(error) {
+function toErrorMessage$3(error) {
 	return error instanceof Error ? error.message : String(error);
 }
 function sanitizeConfigPathForFilename(configFilePath) {
@@ -1328,7 +1330,7 @@ var DefinitionsCacheService = class {
 			} catch (error) {
 				failures.push({
 					serverName: client.serverName,
-					error: toErrorMessage(error)
+					error: toErrorMessage$3(error)
 				});
 				return null;
 			}
@@ -1366,7 +1368,7 @@ var DefinitionsCacheService = class {
 				arguments: prompt.arguments?.map((arg) => ({ ...arg }))
 			}));
 		} catch (error) {
-			console.error(`${LOG_PREFIX_SKILL_DETECTION} Failed to list prompts from ${client.serverName}: ${toErrorMessage(error)}`);
+			console.error(`${LOG_PREFIX_SKILL_DETECTION} Failed to list prompts from ${client.serverName}: ${toErrorMessage$3(error)}`);
 			return [];
 		}
 	}
@@ -1379,7 +1381,7 @@ var DefinitionsCacheService = class {
 				mimeType: resource.mimeType
 			}));
 		} catch (error) {
-			console.error(`${LOG_PREFIX_CAPABILITY_DISCOVERY} Failed to list resources from ${client.serverName}: ${toErrorMessage(error)}`);
+			console.error(`${LOG_PREFIX_CAPABILITY_DISCOVERY} Failed to list resources from ${client.serverName}: ${toErrorMessage$3(error)}`);
 			return [];
 		}
 	}
@@ -1408,7 +1410,7 @@ var DefinitionsCacheService = class {
 					autoDetected: true
 				};
 			} catch (error) {
-				console.error(`${LOG_PREFIX_SKILL_DETECTION} Failed to fetch prompt '${prompt.name}' from ${client.serverName}: ${toErrorMessage(error)}`);
+				console.error(`${LOG_PREFIX_SKILL_DETECTION} Failed to fetch prompt '${prompt.name}' from ${client.serverName}: ${toErrorMessage$3(error)}`);
 				return null;
 			}
 		}));
@@ -2777,7 +2779,7 @@ IMPORTANT: Only use tools discovered from describe_tools with id="${this.serverI
 
 //#endregion
 //#region package.json
-var version = "0.3.12";
+var version = "0.3.14";
 
 //#endregion
 //#region src/server/index.ts
@@ -3097,28 +3099,341 @@ async function createServer(options) {
 }
 
 //#endregion
-//#region src/transports/stdio.ts
+//#region src/types/index.ts
 /**
-* Stdio transport handler for MCP server
-* Used for command-line and direct integrations
+* Transport mode constants
 */
-var StdioTransportHandler = class {
-	server;
-	transport = null;
-	constructor(server) {
-		this.server = server;
+const TRANSPORT_MODE = {
+	STDIO: "stdio",
+	HTTP: "http",
+	SSE: "sse"
+};
+
+//#endregion
+//#region src/transports/http.ts
+/**
+* HTTP Transport Handler
+*
+* DESIGN PATTERNS:
+* - Transport handler pattern implementing TransportHandler interface
+* - Session management for stateful connections
+* - Streamable HTTP protocol (2025-03-26) with resumability support
+* - Factory pattern for creating MCP server instances per session
+*
+* CODING STANDARDS:
+* - Use async/await for all asynchronous operations
+* - Implement proper session lifecycle management
+* - Handle errors gracefully with appropriate HTTP status codes
+* - Provide health check endpoint for monitoring
+* - Clean up resources on shutdown
+*
+* AVOID:
+* - Sharing MCP server instances across sessions (use factory pattern)
+* - Forgetting to clean up sessions on disconnect
+* - Missing error handling for request processing
+* - Hardcoded configuration (use TransportConfig)
+*/
+/**
+* HTTP session manager
+*/
+var HttpFullSessionManager = class {
+	sessions = /* @__PURE__ */ new Map();
+	getSession(sessionId) {
+		return this.sessions.get(sessionId);
+	}
+	setSession(sessionId, transport, server) {
+		this.sessions.set(sessionId, {
+			transport,
+			server
+		});
+	}
+	async deleteSession(sessionId) {
+		const session = this.sessions.get(sessionId);
+		if (session) try {
+			await session.server.close();
+		} catch (error) {
+			throw new Error(`Failed to close MCP server for session '${sessionId}': ${toErrorMessage$2(error)}`);
+		}
+		this.sessions.delete(sessionId);
+	}
+	hasSession(sessionId) {
+		return this.sessions.has(sessionId);
+	}
+	async clear() {
+		try {
+			await Promise.all(Array.from(this.sessions.values()).map(async (session) => {
+				await session.server.close();
+			}));
+		} catch (error) {
+			throw new Error(`Failed to clear sessions: ${toErrorMessage$2(error)}`);
+		}
+		this.sessions.clear();
+	}
+};
+function toErrorMessage$2(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+const ADMIN_RATE_LIMIT_WINDOW_MS = 6e4;
+const ADMIN_RATE_LIMIT_MAX_REQUESTS = 5;
+/**
+* Simple in-memory rate limiter for the admin shutdown endpoint.
+* Tracks request timestamps per IP within a sliding window.
+*/
+var AdminRateLimiter = class {
+	requests = /* @__PURE__ */ new Map();
+	isAllowed(ip) {
+		const now = Date.now();
+		const windowStart = now - ADMIN_RATE_LIMIT_WINDOW_MS;
+		const timestamps = (this.requests.get(ip) ?? []).filter((t) => t > windowStart);
+		if (timestamps.length >= ADMIN_RATE_LIMIT_MAX_REQUESTS) {
+			this.requests.set(ip, timestamps);
+			return false;
+		}
+		timestamps.push(now);
+		this.requests.set(ip, timestamps);
+		return true;
+	}
+};
+/**
+* HTTP transport handler using Streamable HTTP (protocol version 2025-03-26)
+* Provides stateful session management with resumability support
+*/
+var HttpTransportHandler = class {
+	serverFactory;
+	app;
+	server = null;
+	sessionManager;
+	config;
+	adminOptions;
+	adminRateLimiter = new AdminRateLimiter();
+	constructor(serverFactory, config, adminOptions) {
+		this.serverFactory = serverFactory;
+		this.app = express();
+		this.sessionManager = new HttpFullSessionManager();
+		this.config = {
+			mode: config.mode,
+			port: config.port ?? 3e3,
+			host: config.host ?? "localhost"
+		};
+		this.adminOptions = adminOptions;
+		this.setupMiddleware();
+		this.setupRoutes();
+	}
+	setupMiddleware() {
+		this.app.use(express.json());
+	}
+	setupRoutes() {
+		this.app.post("/mcp", async (req, res) => {
+			try {
+				await this.handlePostRequest(req, res);
+			} catch (error) {
+				console.error(`Failed to handle MCP POST request: ${toErrorMessage$2(error)}`);
+				res.status(500).json({
+					jsonrpc: "2.0",
+					error: {
+						code: -32603,
+						message: "Failed to handle MCP POST request."
+					},
+					id: null
+				});
+			}
+		});
+		this.app.get("/mcp", async (req, res) => {
+			try {
+				await this.handleGetRequest(req, res);
+			} catch (error) {
+				console.error(`Failed to handle MCP GET request: ${toErrorMessage$2(error)}`);
+				res.status(500).send("Failed to handle MCP GET request.");
+			}
+		});
+		this.app.delete("/mcp", async (req, res) => {
+			try {
+				await this.handleDeleteRequest(req, res);
+			} catch (error) {
+				console.error(`Failed to handle MCP DELETE request: ${toErrorMessage$2(error)}`);
+				res.status(500).send("Failed to handle MCP DELETE request.");
+			}
+		});
+		this.app.get("/health", (_req, res) => {
+			const payload = {
+				status: "ok",
+				transport: "http",
+				serverId: this.adminOptions?.serverId
+			};
+			res.json(payload);
+		});
+		this.app.post("/admin/shutdown", async (req, res) => {
+			try {
+				const clientIp = req.ip ?? req.socket.remoteAddress ?? "unknown";
+				if (!this.adminRateLimiter.isAllowed(clientIp)) {
+					const payload = {
+						ok: false,
+						message: "Too many shutdown requests. Try again later.",
+						serverId: this.adminOptions?.serverId
+					};
+					res.status(429).json(payload);
+					return;
+				}
+				await this.handleAdminShutdownRequest(req, res);
+			} catch (error) {
+				console.error(`Failed to process shutdown request: ${toErrorMessage$2(error)}`);
+				const payload = {
+					ok: false,
+					message: "Failed to process shutdown request.",
+					serverId: this.adminOptions?.serverId
+				};
+				res.status(500).json(payload);
+			}
+		});
+	}
+	isAuthorizedShutdownRequest(req) {
+		const expectedToken = this.adminOptions?.shutdownToken;
+		if (!expectedToken) return false;
+		const authHeader = req.headers.authorization;
+		if (typeof authHeader === "string" && authHeader.startsWith("Bearer ")) return authHeader.slice(7) === expectedToken;
+		const tokenHeader = req.headers["x-one-mcp-shutdown-token"];
+		return typeof tokenHeader === "string" && tokenHeader === expectedToken;
+	}
+	async handleAdminShutdownRequest(req, res) {
+		try {
+			if (!this.adminOptions?.onShutdownRequested) {
+				const payload$1 = {
+					ok: false,
+					message: "Shutdown endpoint is not enabled for this server instance.",
+					serverId: this.adminOptions?.serverId
+				};
+				res.status(404).json(payload$1);
+				return;
+			}
+			if (!this.isAuthorizedShutdownRequest(req)) {
+				const payload$1 = {
+					ok: false,
+					message: "Unauthorized shutdown request: invalid or missing shutdown token.",
+					serverId: this.adminOptions?.serverId
+				};
+				res.status(401).json(payload$1);
+				return;
+			}
+			const payload = {
+				ok: true,
+				message: "Shutdown request accepted. Stopping server gracefully.",
+				serverId: this.adminOptions?.serverId
+			};
+			res.json(payload);
+			await this.adminOptions.onShutdownRequested();
+		} catch (error) {
+			throw new Error(`Failed to handle admin shutdown request: ${toErrorMessage$2(error)}`);
+		}
+	}
+	async handlePostRequest(req, res) {
+		const sessionId = req.headers["mcp-session-id"];
+		let transport;
+		if (sessionId && this.sessionManager.hasSession(sessionId)) transport = this.sessionManager.getSession(sessionId).transport;
+		else if (!sessionId && isInitializeRequest(req.body)) {
+			const mcpServer = await this.serverFactory();
+			transport = new StreamableHTTPServerTransport({
+				sessionIdGenerator: () => randomUUID(),
+				enableJsonResponse: true,
+				onsessioninitialized: (initializedSessionId) => {
+					this.sessionManager.setSession(initializedSessionId, transport, mcpServer);
+				}
+			});
+			transport.onclose = async () => {
+				if (transport.sessionId) try {
+					await this.sessionManager.deleteSession(transport.sessionId);
+				} catch (error) {
+					console.error(`Failed to clean up session '${transport.sessionId}': ${toErrorMessage$2(error)}`);
+				}
+			};
+			try {
+				await mcpServer.connect(transport);
+			} catch (error) {
+				throw new Error(`Failed to connect MCP server transport for initialization request: ${toErrorMessage$2(error)}`);
+			}
+		} else {
+			res.status(400).json({
+				jsonrpc: "2.0",
+				error: {
+					code: -32e3,
+					message: sessionId === void 0 ? "Bad Request: missing session ID and request body is not an initialize request." : `Bad Request: unknown session ID '${sessionId}'.`
+				},
+				id: null
+			});
+			return;
+		}
+		try {
+			await transport.handleRequest(req, res, req.body);
+		} catch (error) {
+			throw new Error(`Failed handling MCP transport request: ${toErrorMessage$2(error)}`);
+		}
+	}
+	async handleGetRequest(req, res) {
+		const sessionId = req.headers["mcp-session-id"];
+		if (!sessionId || !this.sessionManager.hasSession(sessionId)) {
+			res.status(400).send("Invalid or missing session ID");
+			return;
+		}
+		const session = this.sessionManager.getSession(sessionId);
+		try {
+			await session.transport.handleRequest(req, res);
+		} catch (error) {
+			throw new Error(`Failed handling MCP GET request for session '${sessionId}': ${toErrorMessage$2(error)}`);
+		}
+	}
+	async handleDeleteRequest(req, res) {
+		const sessionId = req.headers["mcp-session-id"];
+		if (!sessionId || !this.sessionManager.hasSession(sessionId)) {
+			res.status(400).send("Invalid or missing session ID");
+			return;
+		}
+		const session = this.sessionManager.getSession(sessionId);
+		try {
+			await session.transport.handleRequest(req, res);
+		} catch (error) {
+			throw new Error(`Failed handling MCP DELETE request for session '${sessionId}': ${toErrorMessage$2(error)}`);
+		}
+		await this.sessionManager.deleteSession(sessionId);
 	}
 	async start() {
-		this.transport = new StdioServerTransport();
-		await this.server.connect(this.transport);
-		console.error("@agiflowai/one-mcp MCP server started on stdio");
+		try {
+			const server = this.app.listen(this.config.port, this.config.host);
+			this.server = server;
+			const listeningPromise = (async () => {
+				await once(server, "listening");
+			})();
+			const errorPromise = (async () => {
+				const [error] = await once(server, "error");
+				throw error instanceof Error ? error : new Error(String(error));
+			})();
+			await Promise.race([listeningPromise, errorPromise]);
+			console.error(`@agiflowai/one-mcp MCP server started on http://${this.config.host}:${this.config.port}/mcp`);
+			console.error(`Health check: http://${this.config.host}:${this.config.port}/health`);
+		} catch (error) {
+			this.server = null;
+			throw new Error(`Failed to start HTTP transport: ${toErrorMessage$2(error)}`);
+		}
 	}
 	async stop() {
-		if (this.transport) {
-			await this.transport.close();
-			this.transport = null;
+		if (!this.server) return;
+		try {
+			await this.sessionManager.clear();
+		} catch (error) {
+			throw new Error(`Failed to clear sessions during HTTP transport stop: ${toErrorMessage$2(error)}`);
+		}
+		const closeServer = promisify(this.server.close.bind(this.server));
+		try {
+			await closeServer();
+			this.server = null;
+		} catch (error) {
+			throw new Error(`Failed to stop HTTP transport: ${toErrorMessage$2(error)}`);
 		}
 	}
+	getPort() {
+		return this.config.port;
+	}
+	getHost() {
+		return this.config.host;
+	}
 };
 
 //#endregion
@@ -3264,182 +3579,505 @@ var SseTransportHandler = class {
 };
 
 //#endregion
-//#region src/transports/http.ts
+//#region src/transports/stdio.ts
 /**
-* HTTP Transport Handler
+* Stdio transport handler for MCP server
+* Used for command-line and direct integrations
+*/
+var StdioTransportHandler = class {
+	server;
+	transport = null;
+	constructor(server) {
+		this.server = server;
+	}
+	async start() {
+		this.transport = new StdioServerTransport();
+		await this.server.connect(this.transport);
+		console.error("@agiflowai/one-mcp MCP server started on stdio");
+	}
+	async stop() {
+		if (this.transport) {
+			await this.transport.close();
+			this.transport = null;
+		}
+	}
+};
+
+//#endregion
+//#region src/transports/stdio-http.ts
+/**
+* STDIO-HTTP Proxy Transport
 *
 * DESIGN PATTERNS:
 * - Transport handler pattern implementing TransportHandler interface
-* - Session management for stateful connections
-* - Streamable HTTP protocol (2025-03-26) with resumability support
-* - Factory pattern for creating MCP server instances per session
+* - STDIO transport with MCP request forwarding to HTTP backend
+* - Graceful cleanup with error isolation
 *
 * CODING STANDARDS:
-* - Use async/await for all asynchronous operations
-* - Implement proper session lifecycle management
-* - Handle errors gracefully with appropriate HTTP status codes
-* - Provide health check endpoint for monitoring
-* - Clean up resources on shutdown
+* - Use StdioServerTransport for stdio communication
+* - Reuse a single StreamableHTTP client connection
+* - Wrap async operations with try-catch and descriptive errors
 *
 * AVOID:
-* - Sharing MCP server instances across sessions (use factory pattern)
-* - Forgetting to clean up sessions on disconnect
-* - Missing error handling for request processing
-* - Hardcoded configuration (use TransportConfig)
+* - Starting HTTP server lifecycle in this transport entry point
+* - Recreating HTTP client per request
+* - Swallowing cleanup failures silently
 */
 /**
-* HTTP session manager
+* Transport that serves MCP over stdio and forwards MCP requests to an HTTP endpoint.
 */
-var HttpFullSessionManager = class {
-	sessions = /* @__PURE__ */ new Map();
-	getSession(sessionId) {
-		return this.sessions.get(sessionId);
-	}
-	setSession(sessionId, transport, server) {
-		this.sessions.set(sessionId, {
-			transport,
-			server
-		});
+var StdioHttpTransportHandler = class {
+	endpoint;
+	stdioProxyServer = null;
+	stdioTransport = null;
+	httpClient = null;
+	constructor(config) {
+		this.endpoint = config.endpoint;
 	}
-	deleteSession(sessionId) {
-		const session = this.sessions.get(sessionId);
-		if (session) session.server.close();
-		this.sessions.delete(sessionId);
+	async start() {
+		try {
+			const httpClientTransport = new StreamableHTTPClientTransport(this.endpoint);
+			const client = new Client({
+				name: "@agiflowai/one-mcp-stdio-http-proxy",
+				version: "0.1.0"
+			}, { capabilities: {} });
+			await client.connect(httpClientTransport);
+			this.httpClient = client;
+			this.stdioProxyServer = this.createProxyServer(client);
+			this.stdioTransport = new StdioServerTransport();
+			await this.stdioProxyServer.connect(this.stdioTransport);
+			console.error(`@agiflowai/one-mcp MCP stdio proxy connected to ${this.endpoint.toString()}`);
+		} catch (error) {
+			await this.stop();
+			throw new Error(`Failed to start stdio-http proxy transport: ${error instanceof Error ? error.message : String(error)}`);
+		}
 	}
-	hasSession(sessionId) {
-		return this.sessions.has(sessionId);
+	async stop() {
+		const stdioTransport = this.stdioTransport;
+		const stdioProxyServer = this.stdioProxyServer;
+		const httpClient = this.httpClient;
+		this.stdioTransport = null;
+		this.stdioProxyServer = null;
+		this.httpClient = null;
+		const cleanupErrors = [];
+		await Promise.all([
+			(async () => {
+				try {
+					if (stdioTransport) await stdioTransport.close();
+				} catch (error) {
+					cleanupErrors.push(`failed closing stdio transport: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			})(),
+			(async () => {
+				try {
+					if (stdioProxyServer) await stdioProxyServer.close();
+				} catch (error) {
+					cleanupErrors.push(`failed closing stdio proxy server: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			})(),
+			(async () => {
+				try {
+					if (httpClient) await httpClient.close();
+				} catch (error) {
+					cleanupErrors.push(`failed closing http client: ${error instanceof Error ? error.message : String(error)}`);
+				}
+			})()
+		]);
+		if (cleanupErrors.length > 0) throw new Error(`Failed to stop stdio-http proxy transport: ${cleanupErrors.join("; ")}`);
 	}
-	clear() {
-		for (const session of this.sessions.values()) session.server.close();
-		this.sessions.clear();
+	createProxyServer(client) {
+		const proxyServer = new Server({
+			name: "@agiflowai/one-mcp-stdio-http-proxy",
+			version: "0.1.0"
+		}, { capabilities: {
+			tools: {},
+			resources: {},
+			prompts: {}
+		} });
+		proxyServer.setRequestHandler(ListToolsRequestSchema, async () => {
+			try {
+				return await client.listTools();
+			} catch (error) {
+				throw new Error(`Failed forwarding tools/list to HTTP backend: ${error instanceof Error ? error.message : String(error)}`);
+			}
+		});
+		proxyServer.setRequestHandler(CallToolRequestSchema, async (request) => {
+			try {
+				return await client.callTool({
+					name: request.params.name,
+					arguments: request.params.arguments
+				});
+			} catch (error) {
+				throw new Error(`Failed forwarding tools/call (${request.params.name}) to HTTP backend: ${error instanceof Error ? error.message : String(error)}`);
+			}
+		});
+		proxyServer.setRequestHandler(ListResourcesRequestSchema, async () => {
+			try {
+				return await client.listResources();
+			} catch (error) {
+				throw new Error(`Failed forwarding resources/list to HTTP backend: ${error instanceof Error ? error.message : String(error)}`);
+			}
+		});
+		proxyServer.setRequestHandler(ReadResourceRequestSchema, async (request) => {
+			try {
+				return await client.readResource({ uri: request.params.uri });
+			} catch (error) {
+				throw new Error(`Failed forwarding resources/read (${request.params.uri}) to HTTP backend: ${error instanceof Error ? error.message : String(error)}`);
+			}
+		});
+		proxyServer.setRequestHandler(ListPromptsRequestSchema, async () => {
+			try {
+				return await client.listPrompts();
+			} catch (error) {
+				throw new Error(`Failed forwarding prompts/list to HTTP backend: ${error instanceof Error ? error.message : String(error)}`);
+			}
+		});
+		proxyServer.setRequestHandler(GetPromptRequestSchema, async (request) => {
+			try {
+				return await client.getPrompt({
+					name: request.params.name,
+					arguments: request.params.arguments
+				});
+			} catch (error) {
+				throw new Error(`Failed forwarding prompts/get (${request.params.name}) to HTTP backend: ${error instanceof Error ? error.message : String(error)}`);
+			}
+		});
+		return proxyServer;
 	}
 };
+
+//#endregion
+//#region src/services/RuntimeStateService.ts
 /**
-* HTTP transport handler using Streamable HTTP (protocol version 2025-03-26)
-* Provides stateful session management with resumability support
+* RuntimeStateService
+*
+* Persists runtime metadata for HTTP one-mcp instances so external commands
+* (for example `one-mcp stop`) can discover and target the correct server.
 */
-var HttpTransportHandler = class {
-	serverFactory;
-	app;
-	server = null;
-	sessionManager;
-	config;
-	constructor(serverFactory, config) {
-		this.serverFactory = typeof serverFactory === "function" ? serverFactory : () => serverFactory;
-		this.app = express();
-		this.sessionManager = new HttpFullSessionManager();
-		this.config = {
-			mode: config.mode,
-			port: config.port ?? 3e3,
-			host: config.host ?? "localhost"
-		};
-		this.setupMiddleware();
-		this.setupRoutes();
+const RUNTIME_DIR_NAME = "runtimes";
+const RUNTIME_FILE_SUFFIX = ".runtime.json";
+function isObject(value) {
+	return typeof value === "object" && value !== null;
+}
+function isRuntimeStateRecord(value) {
+	if (!isObject(value)) return false;
+	return typeof value.serverId === "string" && typeof value.host === "string" && typeof value.port === "number" && value.transport === "http" && typeof value.shutdownToken === "string" && typeof value.startedAt === "string" && typeof value.pid === "number" && (value.configPath === void 0 || typeof value.configPath === "string");
+}
+function toErrorMessage$1(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+/**
+* Runtime state persistence implementation.
+*/
+var RuntimeStateService = class RuntimeStateService {
+	runtimeDir;
+	constructor(runtimeDir) {
+		this.runtimeDir = runtimeDir ?? RuntimeStateService.getDefaultRuntimeDir();
 	}
-	setupMiddleware() {
-		this.app.use(express.json());
+	/**
+	* Resolve default runtime directory under the user's home cache path.
+	* @returns Absolute runtime directory path
+	*/
+	static getDefaultRuntimeDir() {
+		return join(homedir(), ".aicode-toolkit", "one-mcp", RUNTIME_DIR_NAME);
 	}
-	setupRoutes() {
-		this.app.post("/mcp", async (req, res) => {
-			await this.handlePostRequest(req, res);
-		});
-		this.app.get("/mcp", async (req, res) => {
-			await this.handleGetRequest(req, res);
-		});
-		this.app.delete("/mcp", async (req, res) => {
-			await this.handleDeleteRequest(req, res);
-		});
-		this.app.get("/health", (_req, res) => {
-			res.json({
-				status: "ok",
-				transport: "http"
-			});
-		});
+	/**
+	* Build runtime state file path for a given server ID.
+	* @param serverId - Target one-mcp server identifier
+	* @returns Absolute runtime file path
+	*/
+	getRecordPath(serverId) {
+		return join(this.runtimeDir, `${serverId}${RUNTIME_FILE_SUFFIX}`);
 	}
-	async handlePostRequest(req, res) {
-		const sessionId = req.headers["mcp-session-id"];
-		let transport;
-		if (sessionId && this.sessionManager.hasSession(sessionId)) transport = this.sessionManager.getSession(sessionId).transport;
-		else if (!sessionId && isInitializeRequest(req.body)) {
-			const mcpServer = this.serverFactory();
-			transport = new StreamableHTTPServerTransport({
-				sessionIdGenerator: () => randomUUID(),
-				enableJsonResponse: true,
-				onsessioninitialized: (sessionId$1) => {
-					this.sessionManager.setSession(sessionId$1, transport, mcpServer);
+	/**
+	* Persist a runtime state record.
+	* @param record - Runtime metadata to persist
+	* @returns Promise that resolves when write completes
+	*/
+	async write(record) {
+		await mkdir(this.runtimeDir, { recursive: true });
+		await writeFile(this.getRecordPath(record.serverId), JSON.stringify(record, null, 2), "utf-8");
+	}
+	/**
+	* Read a runtime state record by server ID.
+	* @param serverId - Target one-mcp server identifier
+	* @returns Matching runtime record, or null when no record exists
+	*/
+	async read(serverId) {
+		const filePath = this.getRecordPath(serverId);
+		try {
+			const content = await readFile(filePath, "utf-8");
+			const parsed = JSON.parse(content);
+			return isRuntimeStateRecord(parsed) ? parsed : null;
+		} catch (error) {
+			if (isObject(error) && "code" in error && error.code === "ENOENT") return null;
+			throw new Error(`Failed to read runtime state for server '${serverId}' from '${filePath}': ${toErrorMessage$1(error)}`);
+		}
+	}
+	/**
+	* List all persisted runtime records.
+	* @returns Array of runtime records
+	*/
+	async list() {
+		try {
+			const files = (await readdir(this.runtimeDir, { withFileTypes: true })).filter((entry) => entry.isFile() && entry.name.endsWith(RUNTIME_FILE_SUFFIX));
+			return (await Promise.all(files.map(async (file) => {
+				try {
+					const content = await readFile(join(this.runtimeDir, file.name), "utf-8");
+					const parsed = JSON.parse(content);
+					return isRuntimeStateRecord(parsed) ? parsed : null;
+				} catch {
+					return null;
 				}
-			});
-			transport.onclose = () => {
-				if (transport.sessionId) this.sessionManager.deleteSession(transport.sessionId);
-			};
-			await mcpServer.connect(transport);
-		} else {
-			res.status(400).json({
-				jsonrpc: "2.0",
-				error: {
-					code: -32e3,
-					message: "Bad Request: No valid session ID provided"
-				},
-				id: null
-			});
-			return;
+			}))).filter((record) => record !== null);
+		} catch (error) {
+			if (isObject(error) && "code" in error && error.code === "ENOENT") return [];
+			throw new Error(`Failed to list runtime states from '${this.runtimeDir}': ${toErrorMessage$1(error)}`);
 		}
-		await transport.handleRequest(req, res, req.body);
 	}
-	async handleGetRequest(req, res) {
-		const sessionId = req.headers["mcp-session-id"];
-		if (!sessionId || !this.sessionManager.hasSession(sessionId)) {
-			res.status(400).send("Invalid or missing session ID");
-			return;
+	/**
+	* Remove a runtime state record by server ID.
+	* @param serverId - Target one-mcp server identifier
+	* @returns Promise that resolves when delete completes
+	*/
+	async remove(serverId) {
+		await rm(this.getRecordPath(serverId), { force: true });
+	}
+};
+
+//#endregion
+//#region src/services/StopServerService/constants.ts
+/**
+* StopServerService constants.
+*/
+/** Maximum time in milliseconds to wait for a shutdown to complete. */
+const DEFAULT_STOP_TIMEOUT_MS = 5e3;
+/** Minimum timeout in milliseconds for individual health check requests. */
+const HEALTH_REQUEST_TIMEOUT_FLOOR_MS = 250;
+/** Delay in milliseconds between shutdown polling attempts. */
+const SHUTDOWN_POLL_INTERVAL_MS = 200;
+/** Path for the runtime health check endpoint. */
+const HEALTH_CHECK_PATH = "/health";
+/** Path for the authenticated admin shutdown endpoint. */
+const ADMIN_SHUTDOWN_PATH = "/admin/shutdown";
+/** HTTP GET method identifier. */
+const HTTP_METHOD_GET = "GET";
+/** HTTP POST method identifier. */
+const HTTP_METHOD_POST = "POST";
+/** HTTP header name for bearer token authorization. */
+const AUTHORIZATION_HEADER_NAME = "Authorization";
+/** Prefix for bearer token values in the Authorization header. */
+const BEARER_TOKEN_PREFIX = "Bearer ";
+/** HTTP protocol scheme prefix for URL construction. */
+const HTTP_PROTOCOL = "http://";
+/** Separator between host and port in URL construction. */
+const URL_PORT_SEPARATOR = ":";
+/** Loopback hostname. */
+const LOOPBACK_HOST_LOCALHOST = "localhost";
+/** IPv4 loopback address. */
+const LOOPBACK_HOST_IPV4 = "127.0.0.1";
+/** IPv6 loopback address. */
+const LOOPBACK_HOST_IPV6 = "::1";
+/** Hosts that are safe to send admin requests to (loopback only). */
+const ALLOWED_HOSTS = new Set([
+	LOOPBACK_HOST_LOCALHOST,
+	LOOPBACK_HOST_IPV4,
+	LOOPBACK_HOST_IPV6
+]);
+/** Expected status value in a healthy runtime response. */
+const HEALTH_STATUS_OK = "ok";
+/** Expected transport value in a healthy runtime response. */
+const HEALTH_TRANSPORT_HTTP = "http";
+/** Property key for status field in health responses. */
+const KEY_STATUS = "status";
+/** Property key for transport field in health responses. */
+const KEY_TRANSPORT = "transport";
+/** Property key for serverId field in runtime responses. */
+const KEY_SERVER_ID = "serverId";
+/** Property key for ok field in shutdown responses. */
+const KEY_OK = "ok";
+/** Property key for message field in shutdown responses. */
+const KEY_MESSAGE = "message";
+
+//#endregion
+//#region src/services/StopServerService/types.ts
+/**
+* Safely cast a non-null object to a string-keyed record for property access.
+* @param value - Object value already verified as non-null
+* @returns The same value typed as a record
+*/
+function toRecord(value) {
+	return value;
+}
+/**
+* Type guard for health responses.
+* @param value - Candidate payload to validate
+* @returns True when payload matches health response shape
+*/
+function isHealthResponse(value) {
+	if (typeof value !== "object" || value === null) return false;
+	const record = toRecord(value);
+	return KEY_STATUS in record && record[KEY_STATUS] === HEALTH_STATUS_OK && KEY_TRANSPORT in record && record[KEY_TRANSPORT] === HEALTH_TRANSPORT_HTTP && (!(KEY_SERVER_ID in record) || record[KEY_SERVER_ID] === void 0 || typeof record[KEY_SERVER_ID] === "string");
+}
+/**
+* Type guard for shutdown responses.
+* @param value - Candidate payload to validate
+* @returns True when payload matches shutdown response shape
+*/
+function isShutdownResponse(value) {
+	if (typeof value !== "object" || value === null) return false;
+	const record = toRecord(value);
+	return KEY_OK in record && typeof record[KEY_OK] === "boolean" && KEY_MESSAGE in record && typeof record[KEY_MESSAGE] === "string" && (!(KEY_SERVER_ID in record) || record[KEY_SERVER_ID] === void 0 || typeof record[KEY_SERVER_ID] === "string");
+}
+
+//#endregion
+//#region src/services/StopServerService/StopServerService.ts
+/**
+* Format runtime endpoint URL after validating the host is a loopback address.
+* Rejects non-loopback hosts to prevent SSRF via tampered runtime state files.
+* @param runtime - Runtime record to format
+* @param path - Request path to append
+* @returns Full runtime URL
+*/
+function buildRuntimeUrl(runtime, path) {
+	if (!ALLOWED_HOSTS.has(runtime.host)) throw new Error(`Refusing to connect to non-loopback host '${runtime.host}'. Only ${Array.from(ALLOWED_HOSTS).join(", ")} are allowed.`);
+	return `${HTTP_PROTOCOL}${runtime.host}${URL_PORT_SEPARATOR}${runtime.port}${path}`;
+}
+function toErrorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
+}
+function sleep(delayMs) {
+	return new Promise((resolve$1) => {
+		setTimeout(resolve$1, delayMs);
+	});
+}
+/**
+* Service for resolving runtime targets and stopping them safely.
+*/
+var StopServerService = class {
+	runtimeStateService;
+	constructor(runtimeStateService = new RuntimeStateService()) {
+		this.runtimeStateService = runtimeStateService;
+	}
+	/**
+	* Resolve a target runtime and stop it cooperatively.
+	* @param request - Stop request options
+	* @returns Stop result payload
+	*/
+	async stop(request) {
+		const timeoutMs = request.timeoutMs ?? DEFAULT_STOP_TIMEOUT_MS;
+		const runtime = await this.resolveRuntime(request);
+		const health = await this.fetchHealth(runtime, timeoutMs);
+		if (!health.reachable) {
+			await this.runtimeStateService.remove(runtime.serverId);
+			throw new Error(`Runtime '${runtime.serverId}' is not reachable at http://${runtime.host}:${runtime.port}. Removed stale runtime record.`);
 		}
-		await this.sessionManager.getSession(sessionId).transport.handleRequest(req, res);
+		if (!request.force && health.payload?.serverId && health.payload.serverId !== runtime.serverId) throw new Error(`Refusing to stop runtime at http://${runtime.host}:${runtime.port}: expected server ID '${runtime.serverId}' but health endpoint reported '${health.payload.serverId}'. Use --force to override.`);
+		const shutdownToken = request.token ?? runtime.shutdownToken;
+		if (!shutdownToken) throw new Error(`No shutdown token available for runtime '${runtime.serverId}'.`);
+		const shutdownResponse = await this.requestShutdown(runtime, shutdownToken, timeoutMs);
+		await this.waitForShutdown(runtime, timeoutMs);
+		await this.runtimeStateService.remove(runtime.serverId);
+		return {
+			ok: true,
+			serverId: runtime.serverId,
+			host: runtime.host,
+			port: runtime.port,
+			message: shutdownResponse.message
+		};
 	}
-	async handleDeleteRequest(req, res) {
-		const sessionId = req.headers["mcp-session-id"];
-		if (!sessionId || !this.sessionManager.hasSession(sessionId)) {
-			res.status(400).send("Invalid or missing session ID");
-			return;
+	/**
+	* Resolve a runtime record from explicit ID or a unique host/port pair.
+	* @param request - Stop request options
+	* @returns Matching runtime record
+	*/
+	async resolveRuntime(request) {
+		if (request.serverId) {
+			const runtime = await this.runtimeStateService.read(request.serverId);
+			if (!runtime) throw new Error(`No runtime record found for server ID '${request.serverId}'. Start the server with 'one-mcp mcp-serve --type http' first.`);
+			return runtime;
 		}
-		await this.sessionManager.getSession(sessionId).transport.handleRequest(req, res);
-		this.sessionManager.deleteSession(sessionId);
+		if (request.host === void 0 || request.port === void 0) throw new Error("Provide --id or both --host and --port to select a runtime.");
+		const matches = (await this.runtimeStateService.list()).filter((runtime) => runtime.host === request.host && runtime.port === request.port);
+		if (matches.length === 0) throw new Error(`No runtime record found for http://${request.host}:${request.port}. Start the server with 'one-mcp mcp-serve --type http' first.`);
+		if (matches.length > 1) throw new Error(`Multiple runtime records match http://${request.host}:${request.port}. Retry with --id to avoid stopping the wrong server.`);
+		return matches[0];
 	}
-	async start() {
-		return new Promise((resolve$1, reject) => {
-			try {
-				this.server = this.app.listen(this.config.port, this.config.host, () => {
-					console.error(`@agiflowai/one-mcp MCP server started on http://${this.config.host}:${this.config.port}/mcp`);
-					console.error(`Health check: http://${this.config.host}:${this.config.port}/health`);
-					resolve$1();
-				});
-				this.server.on("error", (error) => {
-					reject(error);
-				});
-			} catch (error) {
-				reject(error);
-			}
-		});
+	/**
+	* Read the runtime health payload.
+	* @param runtime - Runtime to query
+	* @param timeoutMs - Request timeout in milliseconds
+	* @returns Reachability status and optional payload
+	*/
+	async fetchHealth(runtime, timeoutMs) {
+		try {
+			const response = await this.fetchWithTimeout(buildRuntimeUrl(runtime, HEALTH_CHECK_PATH), { method: HTTP_METHOD_GET }, timeoutMs);
+			if (!response.ok) return { reachable: false };
+			const payload = await response.json();
+			if (!isHealthResponse(payload)) throw new Error("Received invalid health response payload.");
+			return {
+				reachable: true,
+				payload
+			};
+		} catch {
+			return { reachable: false };
+		}
 	}
-	async stop() {
-		return new Promise((resolve$1, reject) => {
-			if (this.server) {
-				this.sessionManager.clear();
-				this.server.close((err) => {
-					if (err) reject(err);
-					else {
-						this.server = null;
-						resolve$1();
-					}
-				});
-			} else resolve$1();
-		});
+	/**
+	* Send authenticated shutdown request to the admin endpoint.
+	* @param runtime - Runtime to stop
+	* @param shutdownToken - Bearer token for the admin endpoint
+	* @param timeoutMs - Request timeout in milliseconds
+	* @returns Parsed shutdown response payload
+	*/
+	async requestShutdown(runtime, shutdownToken, timeoutMs) {
+		const response = await this.fetchWithTimeout(buildRuntimeUrl(runtime, ADMIN_SHUTDOWN_PATH), {
+			method: HTTP_METHOD_POST,
+			headers: { [AUTHORIZATION_HEADER_NAME]: `${BEARER_TOKEN_PREFIX}${shutdownToken}` }
+		}, timeoutMs);
+		const payload = await response.json();
+		if (!isShutdownResponse(payload)) throw new Error("Received invalid shutdown response payload.");
+		if (!response.ok || !payload.ok) throw new Error(payload.message);
+		return payload;
 	}
-	getPort() {
-		return this.config.port;
+	/**
+	* Poll until the target runtime is no longer reachable.
+	* @param runtime - Runtime expected to stop
+	* @param timeoutMs - Maximum wait time in milliseconds
+	* @returns Promise that resolves when shutdown is observed
+	*/
+	async waitForShutdown(runtime, timeoutMs) {
+		const deadline = Date.now() + timeoutMs;
+		while (Date.now() < deadline) {
+			if (!(await this.fetchHealth(runtime, Math.max(HEALTH_REQUEST_TIMEOUT_FLOOR_MS, deadline - Date.now()))).reachable) return;
+			await sleep(SHUTDOWN_POLL_INTERVAL_MS);
+		}
+		throw new Error(`Timed out waiting for runtime '${runtime.serverId}' to stop at http://${runtime.host}:${runtime.port}.`);
 	}
-	getHost() {
-		return this.config.host;
+	/**
+	* Perform a fetch with an abort timeout.
+	* @param url - Target URL
+	* @param init - Fetch options
+	* @param timeoutMs - Timeout in milliseconds
+	* @returns Fetch response
+	*/
+	async fetchWithTimeout(url, init, timeoutMs) {
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => {
+			controller.abort();
+		}, timeoutMs);
+		try {
+			return await fetch(url, {
+				...init,
+				signal: controller.signal
+			});
+		} catch (error) {
+			throw new Error(`Request to '${url}' failed: ${toErrorMessage(error)}`);
+		} finally {
+			clearTimeout(timeoutId);
+		}
 	}
 };
 
 //#endregion
-export { version as a, DescribeToolsTool as c, DefinitionsCacheService as d, generateServerId as f, createServer as i, SkillService as l, ConfigFetcherService as m, SseTransportHandler as n, UseToolTool as o, findConfigFile as p, StdioTransportHandler as r, SearchListToolsTool as s, HttpTransportHandler as t, McpClientManagerService as u };
+export { findConfigFile as _, SseTransportHandler as a, createServer as c, SearchListToolsTool as d, DescribeToolsTool as f, generateServerId as g, DefinitionsCacheService as h, StdioTransportHandler as i, version as l, McpClientManagerService as m, RuntimeStateService as n, HttpTransportHandler as o, SkillService as p, StdioHttpTransportHandler as r, TRANSPORT_MODE as s, StopServerService as t, UseToolTool as u, ConfigFetcherService as v };