@agiflowai/one-mcp 0.3.14 → 0.3.15

package/dist/cli.cjs

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-const require_src = require('./src-iTE9Cero.cjs');
+const require_src = require('./src-CWShQS8u.cjs');
 let node_fs_promises = require("node:fs/promises");
 let node_fs = require("node:fs");
 let node_crypto = require("node:crypto");
@@ -653,9 +653,9 @@ async function removeRuntimeRecordDuringStop(runtimeStateService, serverId) {
 		throw new Error(`Failed to remove runtime state during HTTP stop callback for '${serverId}': ${toErrorMessage$6(error)}`);
 	}
 }
-async function createStdioHttpInternalTransport(serverOptions, config, adminOptions) {
+function createStdioHttpInternalTransport(serverOptions, config, adminOptions) {
 	try {
-		return new require_src.HttpTransportHandler(await require_src.createServer(serverOptions), config, adminOptions);
+		return new require_src.HttpTransportHandler(() => require_src.createServer(serverOptions), config, adminOptions);
 	} catch (error) {
 		throw new Error(`Failed to create internal HTTP transport for stdio-http proxy: ${toErrorMessage$6(error)}`);
 	}
@@ -702,7 +702,7 @@ async function createAndStartHttpRuntime(serverOptions, config, resolvedConfigPa
 		}
 	};
 	try {
-		handler = new require_src.HttpTransportHandler(await require_src.createServer(serverOptions), config, createHttpAdminOptions(runtimeRecord.serverId, shutdownToken, stopHandler));
+		handler = new require_src.HttpTransportHandler(() => require_src.createServer(serverOptions), config, createHttpAdminOptions(runtimeRecord.serverId, shutdownToken, stopHandler));
 	} catch (error) {
 		throw new Error(`Failed to create HTTP runtime server: ${toErrorMessage$6(error)}`);
 	}
@@ -776,7 +776,7 @@ async function startStdioHttpTransport(serverOptions, config, resolvedConfigPath
 					initialProxyConnectError = error;
 				}
 				try {
-					httpHandler = await createStdioHttpInternalTransport(serverOptions, config, adminOptions);
+					httpHandler = createStdioHttpInternalTransport(serverOptions, config, adminOptions);
 					await httpHandler.start();
 					ownsInternalHttpTransport = true;
 				} catch (error) {

package/dist/cli.mjs

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { _ as findConfigFile, a as SseTransportHandler, c as createServer, d as SearchListToolsTool, g as generateServerId, h as DefinitionsCacheService, i as StdioTransportHandler, l as version, m as McpClientManagerService, n as RuntimeStateService, o as HttpTransportHandler, p as SkillService, r as StdioHttpTransportHandler, s as TRANSPORT_MODE, t as StopServerService, v as ConfigFetcherService } from "./src-D7Yq1bTx.mjs";
+import { _ as findConfigFile, a as SseTransportHandler, c as createServer, d as SearchListToolsTool, g as generateServerId, h as DefinitionsCacheService, i as StdioTransportHandler, l as version, m as McpClientManagerService, n as RuntimeStateService, o as HttpTransportHandler, p as SkillService, r as StdioHttpTransportHandler, s as TRANSPORT_MODE, t as StopServerService, v as ConfigFetcherService } from "./src-CH93aUm2.mjs";
 import { access, writeFile } from "node:fs/promises";
 import { constants } from "node:fs";
 import { randomUUID } from "node:crypto";
@@ -653,9 +653,9 @@ async function removeRuntimeRecordDuringStop(runtimeStateService, serverId) {
 		throw new Error(`Failed to remove runtime state during HTTP stop callback for '${serverId}': ${toErrorMessage$6(error)}`);
 	}
 }
-async function createStdioHttpInternalTransport(serverOptions, config, adminOptions) {
+function createStdioHttpInternalTransport(serverOptions, config, adminOptions) {
 	try {
-		return new HttpTransportHandler(await createServer(serverOptions), config, adminOptions);
+		return new HttpTransportHandler(() => createServer(serverOptions), config, adminOptions);
 	} catch (error) {
 		throw new Error(`Failed to create internal HTTP transport for stdio-http proxy: ${toErrorMessage$6(error)}`);
 	}
@@ -702,7 +702,7 @@ async function createAndStartHttpRuntime(serverOptions, config, resolvedConfigPa
 		}
 	};
 	try {
-		handler = new HttpTransportHandler(await createServer(serverOptions), config, createHttpAdminOptions(runtimeRecord.serverId, shutdownToken, stopHandler));
+		handler = new HttpTransportHandler(() => createServer(serverOptions), config, createHttpAdminOptions(runtimeRecord.serverId, shutdownToken, stopHandler));
 	} catch (error) {
 		throw new Error(`Failed to create HTTP runtime server: ${toErrorMessage$6(error)}`);
 	}
@@ -776,7 +776,7 @@ async function startStdioHttpTransport(serverOptions, config, resolvedConfigPath
 					initialProxyConnectError = error;
 				}
 				try {
-					httpHandler = await createStdioHttpInternalTransport(serverOptions, config, adminOptions);
+					httpHandler = createStdioHttpInternalTransport(serverOptions, config, adminOptions);
 					await httpHandler.start();
 					ownsInternalHttpTransport = true;
 				} catch (error) {

package/dist/index.cjs

@@ -1,4 +1,4 @@
-const require_src = require('./src-iTE9Cero.cjs');
+const require_src = require('./src-CWShQS8u.cjs');
 
 exports.ConfigFetcherService = require_src.ConfigFetcherService;
 exports.DefinitionsCacheService = require_src.DefinitionsCacheService;

package/dist/index.d.cts

@@ -440,7 +440,7 @@ declare class HttpTransportHandler implements HttpTransportHandler$1 {
   private config;
   private adminOptions?;
   private adminRateLimiter;
-  constructor(serverFactory: Server | (() => Server), config: TransportConfig, adminOptions?: HttpTransportAdminOptions);
+  constructor(serverFactory: (() => Server | Promise<Server>), config: TransportConfig, adminOptions?: HttpTransportAdminOptions);
   private setupMiddleware;
   private setupRoutes;
   private isAuthorizedShutdownRequest;
@@ -1083,7 +1083,7 @@ declare class RuntimeStateService implements RuntimeStateManager {
   remove(serverId: string): Promise<void>;
 }
 //#endregion
-//#region src/services/StopServerService.d.ts
+//#region src/services/StopServerService/types.d.ts
 /**
  * Stop request options.
  * @property serverId - Explicit one-mcp server identifier to stop
@@ -1116,6 +1116,8 @@ interface StopServerResult {
   port: number;
   message: string;
 }
+//#endregion
+//#region src/services/StopServerService/StopServerService.d.ts
 /**
  * Service for resolving runtime targets and stopping them safely.
  */

package/dist/index.d.mts

@@ -441,7 +441,7 @@ declare class HttpTransportHandler implements HttpTransportHandler$1 {
   private config;
   private adminOptions?;
   private adminRateLimiter;
-  constructor(serverFactory: Server | (() => Server), config: TransportConfig, adminOptions?: HttpTransportAdminOptions);
+  constructor(serverFactory: (() => Server | Promise<Server>), config: TransportConfig, adminOptions?: HttpTransportAdminOptions);
   private setupMiddleware;
   private setupRoutes;
   private isAuthorizedShutdownRequest;
@@ -1084,7 +1084,7 @@ declare class RuntimeStateService implements RuntimeStateManager {
   remove(serverId: string): Promise<void>;
 }
 //#endregion
-//#region src/services/StopServerService.d.ts
+//#region src/services/StopServerService/types.d.ts
 /**
  * Stop request options.
  * @property serverId - Explicit one-mcp server identifier to stop
@@ -1117,6 +1117,8 @@ interface StopServerResult {
   port: number;
   message: string;
 }
+//#endregion
+//#region src/services/StopServerService/StopServerService.d.ts
 /**
  * Service for resolving runtime targets and stopping them safely.
  */

package/dist/index.mjs

@@ -1,3 +1,3 @@
-import { _ as findConfigFile, a as SseTransportHandler, c as createServer, d as SearchListToolsTool, f as DescribeToolsTool, g as generateServerId, h as DefinitionsCacheService, i as StdioTransportHandler, m as McpClientManagerService, n as RuntimeStateService, o as HttpTransportHandler, p as SkillService, r as StdioHttpTransportHandler, s as TRANSPORT_MODE, t as StopServerService, u as UseToolTool, v as ConfigFetcherService } from "./src-D7Yq1bTx.mjs";
+import { _ as findConfigFile, a as SseTransportHandler, c as createServer, d as SearchListToolsTool, f as DescribeToolsTool, g as generateServerId, h as DefinitionsCacheService, i as StdioTransportHandler, m as McpClientManagerService, n as RuntimeStateService, o as HttpTransportHandler, p as SkillService, r as StdioHttpTransportHandler, s as TRANSPORT_MODE, t as StopServerService, u as UseToolTool, v as ConfigFetcherService } from "./src-CH93aUm2.mjs";
 
 export { ConfigFetcherService, DefinitionsCacheService, DescribeToolsTool, HttpTransportHandler, McpClientManagerService, RuntimeStateService, SearchListToolsTool, SkillService, SseTransportHandler, StdioHttpTransportHandler, StdioTransportHandler, StopServerService, TRANSPORT_MODE, UseToolTool, createServer, findConfigFile, generateServerId };

package/dist/{src-D7Yq1bTx.mjs → src-CH93aUm2.mjs}

@@ -2779,7 +2779,7 @@ IMPORTANT: Only use tools discovered from describe_tools with id="${this.serverI
 
 //#endregion
 //#region package.json
-var version = "0.3.13";
+var version = "0.3.14";
 
 //#endregion
 //#region src/server/index.ts
@@ -3147,16 +3147,26 @@ var HttpFullSessionManager = class {
 			server
 		});
 	}
-	deleteSession(sessionId) {
+	async deleteSession(sessionId) {
 		const session = this.sessions.get(sessionId);
-		if (session) session.server.close();
+		if (session) try {
+			await session.server.close();
+		} catch (error) {
+			throw new Error(`Failed to close MCP server for session '${sessionId}': ${toErrorMessage$2(error)}`);
+		}
 		this.sessions.delete(sessionId);
 	}
 	hasSession(sessionId) {
 		return this.sessions.has(sessionId);
 	}
-	clear() {
-		for (const session of this.sessions.values()) session.server.close();
+	async clear() {
+		try {
+			await Promise.all(Array.from(this.sessions.values()).map(async (session) => {
+				await session.server.close();
+			}));
+		} catch (error) {
+			throw new Error(`Failed to clear sessions: ${toErrorMessage$2(error)}`);
+		}
 		this.sessions.clear();
 	}
 };
@@ -3197,7 +3207,7 @@ var HttpTransportHandler = class {
 	adminOptions;
 	adminRateLimiter = new AdminRateLimiter();
 	constructor(serverFactory, config, adminOptions) {
-		this.serverFactory = typeof serverFactory === "function" ? serverFactory : () => serverFactory;
+		this.serverFactory = serverFactory;
 		this.app = express();
 		this.sessionManager = new HttpFullSessionManager();
 		this.config = {
@@ -3320,7 +3330,7 @@ var HttpTransportHandler = class {
 		let transport;
 		if (sessionId && this.sessionManager.hasSession(sessionId)) transport = this.sessionManager.getSession(sessionId).transport;
 		else if (!sessionId && isInitializeRequest(req.body)) {
-			const mcpServer = this.serverFactory();
+			const mcpServer = await this.serverFactory();
 			transport = new StreamableHTTPServerTransport({
 				sessionIdGenerator: () => randomUUID(),
 				enableJsonResponse: true,
@@ -3328,8 +3338,12 @@ var HttpTransportHandler = class {
 					this.sessionManager.setSession(initializedSessionId, transport, mcpServer);
 				}
 			});
-			transport.onclose = () => {
-				if (transport.sessionId) this.sessionManager.deleteSession(transport.sessionId);
+			transport.onclose = async () => {
+				if (transport.sessionId) try {
+					await this.sessionManager.deleteSession(transport.sessionId);
+				} catch (error) {
+					console.error(`Failed to clean up session '${transport.sessionId}': ${toErrorMessage$2(error)}`);
+				}
 			};
 			try {
 				await mcpServer.connect(transport);
@@ -3378,7 +3392,7 @@ var HttpTransportHandler = class {
 		} catch (error) {
 			throw new Error(`Failed handling MCP DELETE request for session '${sessionId}': ${toErrorMessage$2(error)}`);
 		}
-		this.sessionManager.deleteSession(sessionId);
+		await this.sessionManager.deleteSession(sessionId);
 	}
 	async start() {
 		try {
@@ -3401,7 +3415,11 @@ var HttpTransportHandler = class {
 	}
 	async stop() {
 		if (!this.server) return;
-		this.sessionManager.clear();
+		try {
+			await this.sessionManager.clear();
+		} catch (error) {
+			throw new Error(`Failed to clear sessions during HTTP transport stop: ${toErrorMessage$2(error)}`);
+		}
 		const closeServer = promisify(this.server.close.bind(this.server));
 		try {
 			await closeServer();
@@ -3738,11 +3756,11 @@ var StdioHttpTransportHandler = class {
 */
 const RUNTIME_DIR_NAME = "runtimes";
 const RUNTIME_FILE_SUFFIX = ".runtime.json";
-function isObject$1(value) {
+function isObject(value) {
 	return typeof value === "object" && value !== null;
 }
 function isRuntimeStateRecord(value) {
-	if (!isObject$1(value)) return false;
+	if (!isObject(value)) return false;
 	return typeof value.serverId === "string" && typeof value.host === "string" && typeof value.port === "number" && value.transport === "http" && typeof value.shutdownToken === "string" && typeof value.startedAt === "string" && typeof value.pid === "number" && (value.configPath === void 0 || typeof value.configPath === "string");
 }
 function toErrorMessage$1(error) {
@@ -3792,7 +3810,7 @@ var RuntimeStateService = class RuntimeStateService {
 			const parsed = JSON.parse(content);
 			return isRuntimeStateRecord(parsed) ? parsed : null;
 		} catch (error) {
-			if (isObject$1(error) && "code" in error && error.code === "ENOENT") return null;
+			if (isObject(error) && "code" in error && error.code === "ENOENT") return null;
 			throw new Error(`Failed to read runtime state for server '${serverId}' from '${filePath}': ${toErrorMessage$1(error)}`);
 		}
 	}
@@ -3813,7 +3831,7 @@ var RuntimeStateService = class RuntimeStateService {
 				}
 			}))).filter((record) => record !== null);
 		} catch (error) {
-			if (isObject$1(error) && "code" in error && error.code === "ENOENT") return [];
+			if (isObject(error) && "code" in error && error.code === "ENOENT") return [];
 			throw new Error(`Failed to list runtime states from '${this.runtimeDir}': ${toErrorMessage$1(error)}`);
 		}
 	}
@@ -3828,18 +3846,105 @@ var RuntimeStateService = class RuntimeStateService {
 };
 
 //#endregion
-//#region src/services/StopServerService.ts
-function toErrorMessage(error) {
-	return error instanceof Error ? error.message : String(error);
-}
-function isObject(value) {
-	return typeof value === "object" && value !== null;
+//#region src/services/StopServerService/constants.ts
+/**
+* StopServerService constants.
+*/
+/** Maximum time in milliseconds to wait for a shutdown to complete. */
+const DEFAULT_STOP_TIMEOUT_MS = 5e3;
+/** Minimum timeout in milliseconds for individual health check requests. */
+const HEALTH_REQUEST_TIMEOUT_FLOOR_MS = 250;
+/** Delay in milliseconds between shutdown polling attempts. */
+const SHUTDOWN_POLL_INTERVAL_MS = 200;
+/** Path for the runtime health check endpoint. */
+const HEALTH_CHECK_PATH = "/health";
+/** Path for the authenticated admin shutdown endpoint. */
+const ADMIN_SHUTDOWN_PATH = "/admin/shutdown";
+/** HTTP GET method identifier. */
+const HTTP_METHOD_GET = "GET";
+/** HTTP POST method identifier. */
+const HTTP_METHOD_POST = "POST";
+/** HTTP header name for bearer token authorization. */
+const AUTHORIZATION_HEADER_NAME = "Authorization";
+/** Prefix for bearer token values in the Authorization header. */
+const BEARER_TOKEN_PREFIX = "Bearer ";
+/** HTTP protocol scheme prefix for URL construction. */
+const HTTP_PROTOCOL = "http://";
+/** Separator between host and port in URL construction. */
+const URL_PORT_SEPARATOR = ":";
+/** Loopback hostname. */
+const LOOPBACK_HOST_LOCALHOST = "localhost";
+/** IPv4 loopback address. */
+const LOOPBACK_HOST_IPV4 = "127.0.0.1";
+/** IPv6 loopback address. */
+const LOOPBACK_HOST_IPV6 = "::1";
+/** Hosts that are safe to send admin requests to (loopback only). */
+const ALLOWED_HOSTS = new Set([
+	LOOPBACK_HOST_LOCALHOST,
+	LOOPBACK_HOST_IPV4,
+	LOOPBACK_HOST_IPV6
+]);
+/** Expected status value in a healthy runtime response. */
+const HEALTH_STATUS_OK = "ok";
+/** Expected transport value in a healthy runtime response. */
+const HEALTH_TRANSPORT_HTTP = "http";
+/** Property key for status field in health responses. */
+const KEY_STATUS = "status";
+/** Property key for transport field in health responses. */
+const KEY_TRANSPORT = "transport";
+/** Property key for serverId field in runtime responses. */
+const KEY_SERVER_ID = "serverId";
+/** Property key for ok field in shutdown responses. */
+const KEY_OK = "ok";
+/** Property key for message field in shutdown responses. */
+const KEY_MESSAGE = "message";
+
+//#endregion
+//#region src/services/StopServerService/types.ts
+/**
+* Safely cast a non-null object to a string-keyed record for property access.
+* @param value - Object value already verified as non-null
+* @returns The same value typed as a record
+*/
+function toRecord(value) {
+	return value;
 }
+/**
+* Type guard for health responses.
+* @param value - Candidate payload to validate
+* @returns True when payload matches health response shape
+*/
 function isHealthResponse(value) {
-	return isObject(value) && value.status === "ok" && value.transport === "http" && (value.serverId === void 0 || typeof value.serverId === "string");
+	if (typeof value !== "object" || value === null) return false;
+	const record = toRecord(value);
+	return KEY_STATUS in record && record[KEY_STATUS] === HEALTH_STATUS_OK && KEY_TRANSPORT in record && record[KEY_TRANSPORT] === HEALTH_TRANSPORT_HTTP && (!(KEY_SERVER_ID in record) || record[KEY_SERVER_ID] === void 0 || typeof record[KEY_SERVER_ID] === "string");
 }
+/**
+* Type guard for shutdown responses.
+* @param value - Candidate payload to validate
+* @returns True when payload matches shutdown response shape
+*/
 function isShutdownResponse(value) {
-	return isObject(value) && typeof value.ok === "boolean" && typeof value.message === "string" && (value.serverId === void 0 || typeof value.serverId === "string");
+	if (typeof value !== "object" || value === null) return false;
+	const record = toRecord(value);
+	return KEY_OK in record && typeof record[KEY_OK] === "boolean" && KEY_MESSAGE in record && typeof record[KEY_MESSAGE] === "string" && (!(KEY_SERVER_ID in record) || record[KEY_SERVER_ID] === void 0 || typeof record[KEY_SERVER_ID] === "string");
+}
+
+//#endregion
+//#region src/services/StopServerService/StopServerService.ts
+/**
+* Format runtime endpoint URL after validating the host is a loopback address.
+* Rejects non-loopback hosts to prevent SSRF via tampered runtime state files.
+* @param runtime - Runtime record to format
+* @param path - Request path to append
+* @returns Full runtime URL
+*/
+function buildRuntimeUrl(runtime, path) {
+	if (!ALLOWED_HOSTS.has(runtime.host)) throw new Error(`Refusing to connect to non-loopback host '${runtime.host}'. Only ${Array.from(ALLOWED_HOSTS).join(", ")} are allowed.`);
+	return `${HTTP_PROTOCOL}${runtime.host}${URL_PORT_SEPARATOR}${runtime.port}${path}`;
+}
+function toErrorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
 }
 function sleep(delayMs) {
 	return new Promise((resolve$1) => {
@@ -3860,7 +3965,7 @@ var StopServerService = class {
 	* @returns Stop result payload
 	*/
 	async stop(request) {
-		const timeoutMs = request.timeoutMs ?? 5e3;
+		const timeoutMs = request.timeoutMs ?? DEFAULT_STOP_TIMEOUT_MS;
 		const runtime = await this.resolveRuntime(request);
 		const health = await this.fetchHealth(runtime, timeoutMs);
 		if (!health.reachable) {
@@ -3906,7 +4011,7 @@ var StopServerService = class {
 	*/
 	async fetchHealth(runtime, timeoutMs) {
 		try {
-			const response = await this.fetchWithTimeout(`http://${runtime.host}:${runtime.port}/health`, { method: "GET" }, timeoutMs);
+			const response = await this.fetchWithTimeout(buildRuntimeUrl(runtime, HEALTH_CHECK_PATH), { method: HTTP_METHOD_GET }, timeoutMs);
 			if (!response.ok) return { reachable: false };
 			const payload = await response.json();
 			if (!isHealthResponse(payload)) throw new Error("Received invalid health response payload.");
@@ -3926,9 +4031,9 @@ var StopServerService = class {
 	* @returns Parsed shutdown response payload
 	*/
 	async requestShutdown(runtime, shutdownToken, timeoutMs) {
-		const response = await this.fetchWithTimeout(`http://${runtime.host}:${runtime.port}/admin/shutdown`, {
-			method: "POST",
-			headers: { Authorization: `Bearer ${shutdownToken}` }
+		const response = await this.fetchWithTimeout(buildRuntimeUrl(runtime, ADMIN_SHUTDOWN_PATH), {
+			method: HTTP_METHOD_POST,
+			headers: { [AUTHORIZATION_HEADER_NAME]: `${BEARER_TOKEN_PREFIX}${shutdownToken}` }
 		}, timeoutMs);
 		const payload = await response.json();
 		if (!isShutdownResponse(payload)) throw new Error("Received invalid shutdown response payload.");
@@ -3944,8 +4049,8 @@ var StopServerService = class {
 	async waitForShutdown(runtime, timeoutMs) {
 		const deadline = Date.now() + timeoutMs;
 		while (Date.now() < deadline) {
-			if (!(await this.fetchHealth(runtime, Math.max(250, deadline - Date.now()))).reachable) return;
-			await sleep(200);
+			if (!(await this.fetchHealth(runtime, Math.max(HEALTH_REQUEST_TIMEOUT_FLOOR_MS, deadline - Date.now()))).reachable) return;
+			await sleep(SHUTDOWN_POLL_INTERVAL_MS);
 		}
 		throw new Error(`Timed out waiting for runtime '${runtime.serverId}' to stop at http://${runtime.host}:${runtime.port}.`);
 	}

package/dist/{src-iTE9Cero.cjs → src-CWShQS8u.cjs}

@@ -2808,7 +2808,7 @@ IMPORTANT: Only use tools discovered from describe_tools with id="${this.serverI
 
 //#endregion
 //#region package.json
-var version = "0.3.13";
+var version = "0.3.14";
 
 //#endregion
 //#region src/server/index.ts
@@ -3176,16 +3176,26 @@ var HttpFullSessionManager = class {
 			server
 		});
 	}
-	deleteSession(sessionId) {
+	async deleteSession(sessionId) {
 		const session = this.sessions.get(sessionId);
-		if (session) session.server.close();
+		if (session) try {
+			await session.server.close();
+		} catch (error) {
+			throw new Error(`Failed to close MCP server for session '${sessionId}': ${toErrorMessage$2(error)}`);
+		}
 		this.sessions.delete(sessionId);
 	}
 	hasSession(sessionId) {
 		return this.sessions.has(sessionId);
 	}
-	clear() {
-		for (const session of this.sessions.values()) session.server.close();
+	async clear() {
+		try {
+			await Promise.all(Array.from(this.sessions.values()).map(async (session) => {
+				await session.server.close();
+			}));
+		} catch (error) {
+			throw new Error(`Failed to clear sessions: ${toErrorMessage$2(error)}`);
+		}
 		this.sessions.clear();
 	}
 };
@@ -3226,7 +3236,7 @@ var HttpTransportHandler = class {
 	adminOptions;
 	adminRateLimiter = new AdminRateLimiter();
 	constructor(serverFactory, config, adminOptions) {
-		this.serverFactory = typeof serverFactory === "function" ? serverFactory : () => serverFactory;
+		this.serverFactory = serverFactory;
 		this.app = (0, express.default)();
 		this.sessionManager = new HttpFullSessionManager();
 		this.config = {
@@ -3349,7 +3359,7 @@ var HttpTransportHandler = class {
 		let transport;
 		if (sessionId && this.sessionManager.hasSession(sessionId)) transport = this.sessionManager.getSession(sessionId).transport;
 		else if (!sessionId && (0, __modelcontextprotocol_sdk_types_js.isInitializeRequest)(req.body)) {
-			const mcpServer = this.serverFactory();
+			const mcpServer = await this.serverFactory();
 			transport = new __modelcontextprotocol_sdk_server_streamableHttp_js.StreamableHTTPServerTransport({
 				sessionIdGenerator: () => (0, node_crypto.randomUUID)(),
 				enableJsonResponse: true,
@@ -3357,8 +3367,12 @@ var HttpTransportHandler = class {
 					this.sessionManager.setSession(initializedSessionId, transport, mcpServer);
 				}
 			});
-			transport.onclose = () => {
-				if (transport.sessionId) this.sessionManager.deleteSession(transport.sessionId);
+			transport.onclose = async () => {
+				if (transport.sessionId) try {
+					await this.sessionManager.deleteSession(transport.sessionId);
+				} catch (error) {
+					console.error(`Failed to clean up session '${transport.sessionId}': ${toErrorMessage$2(error)}`);
+				}
 			};
 			try {
 				await mcpServer.connect(transport);
@@ -3407,7 +3421,7 @@ var HttpTransportHandler = class {
 		} catch (error) {
 			throw new Error(`Failed handling MCP DELETE request for session '${sessionId}': ${toErrorMessage$2(error)}`);
 		}
-		this.sessionManager.deleteSession(sessionId);
+		await this.sessionManager.deleteSession(sessionId);
 	}
 	async start() {
 		try {
@@ -3430,7 +3444,11 @@ var HttpTransportHandler = class {
 	}
 	async stop() {
 		if (!this.server) return;
-		this.sessionManager.clear();
+		try {
+			await this.sessionManager.clear();
+		} catch (error) {
+			throw new Error(`Failed to clear sessions during HTTP transport stop: ${toErrorMessage$2(error)}`);
+		}
 		const closeServer = (0, node_util.promisify)(this.server.close.bind(this.server));
 		try {
 			await closeServer();
@@ -3767,11 +3785,11 @@ var StdioHttpTransportHandler = class {
 */
 const RUNTIME_DIR_NAME = "runtimes";
 const RUNTIME_FILE_SUFFIX = ".runtime.json";
-function isObject$1(value) {
+function isObject(value) {
 	return typeof value === "object" && value !== null;
 }
 function isRuntimeStateRecord(value) {
-	if (!isObject$1(value)) return false;
+	if (!isObject(value)) return false;
 	return typeof value.serverId === "string" && typeof value.host === "string" && typeof value.port === "number" && value.transport === "http" && typeof value.shutdownToken === "string" && typeof value.startedAt === "string" && typeof value.pid === "number" && (value.configPath === void 0 || typeof value.configPath === "string");
 }
 function toErrorMessage$1(error) {
@@ -3821,7 +3839,7 @@ var RuntimeStateService = class RuntimeStateService {
 			const parsed = JSON.parse(content);
 			return isRuntimeStateRecord(parsed) ? parsed : null;
 		} catch (error) {
-			if (isObject$1(error) && "code" in error && error.code === "ENOENT") return null;
+			if (isObject(error) && "code" in error && error.code === "ENOENT") return null;
 			throw new Error(`Failed to read runtime state for server '${serverId}' from '${filePath}': ${toErrorMessage$1(error)}`);
 		}
 	}
@@ -3842,7 +3860,7 @@ var RuntimeStateService = class RuntimeStateService {
 				}
 			}))).filter((record) => record !== null);
 		} catch (error) {
-			if (isObject$1(error) && "code" in error && error.code === "ENOENT") return [];
+			if (isObject(error) && "code" in error && error.code === "ENOENT") return [];
 			throw new Error(`Failed to list runtime states from '${this.runtimeDir}': ${toErrorMessage$1(error)}`);
 		}
 	}
@@ -3857,18 +3875,105 @@ var RuntimeStateService = class RuntimeStateService {
 };
 
 //#endregion
-//#region src/services/StopServerService.ts
-function toErrorMessage(error) {
-	return error instanceof Error ? error.message : String(error);
-}
-function isObject(value) {
-	return typeof value === "object" && value !== null;
+//#region src/services/StopServerService/constants.ts
+/**
+* StopServerService constants.
+*/
+/** Maximum time in milliseconds to wait for a shutdown to complete. */
+const DEFAULT_STOP_TIMEOUT_MS = 5e3;
+/** Minimum timeout in milliseconds for individual health check requests. */
+const HEALTH_REQUEST_TIMEOUT_FLOOR_MS = 250;
+/** Delay in milliseconds between shutdown polling attempts. */
+const SHUTDOWN_POLL_INTERVAL_MS = 200;
+/** Path for the runtime health check endpoint. */
+const HEALTH_CHECK_PATH = "/health";
+/** Path for the authenticated admin shutdown endpoint. */
+const ADMIN_SHUTDOWN_PATH = "/admin/shutdown";
+/** HTTP GET method identifier. */
+const HTTP_METHOD_GET = "GET";
+/** HTTP POST method identifier. */
+const HTTP_METHOD_POST = "POST";
+/** HTTP header name for bearer token authorization. */
+const AUTHORIZATION_HEADER_NAME = "Authorization";
+/** Prefix for bearer token values in the Authorization header. */
+const BEARER_TOKEN_PREFIX = "Bearer ";
+/** HTTP protocol scheme prefix for URL construction. */
+const HTTP_PROTOCOL = "http://";
+/** Separator between host and port in URL construction. */
+const URL_PORT_SEPARATOR = ":";
+/** Loopback hostname. */
+const LOOPBACK_HOST_LOCALHOST = "localhost";
+/** IPv4 loopback address. */
+const LOOPBACK_HOST_IPV4 = "127.0.0.1";
+/** IPv6 loopback address. */
+const LOOPBACK_HOST_IPV6 = "::1";
+/** Hosts that are safe to send admin requests to (loopback only). */
+const ALLOWED_HOSTS = new Set([
+	LOOPBACK_HOST_LOCALHOST,
+	LOOPBACK_HOST_IPV4,
+	LOOPBACK_HOST_IPV6
+]);
+/** Expected status value in a healthy runtime response. */
+const HEALTH_STATUS_OK = "ok";
+/** Expected transport value in a healthy runtime response. */
+const HEALTH_TRANSPORT_HTTP = "http";
+/** Property key for status field in health responses. */
+const KEY_STATUS = "status";
+/** Property key for transport field in health responses. */
+const KEY_TRANSPORT = "transport";
+/** Property key for serverId field in runtime responses. */
+const KEY_SERVER_ID = "serverId";
+/** Property key for ok field in shutdown responses. */
+const KEY_OK = "ok";
+/** Property key for message field in shutdown responses. */
+const KEY_MESSAGE = "message";
+
+//#endregion
+//#region src/services/StopServerService/types.ts
+/**
+* Safely cast a non-null object to a string-keyed record for property access.
+* @param value - Object value already verified as non-null
+* @returns The same value typed as a record
+*/
+function toRecord(value) {
+	return value;
 }
+/**
+* Type guard for health responses.
+* @param value - Candidate payload to validate
+* @returns True when payload matches health response shape
+*/
 function isHealthResponse(value) {
-	return isObject(value) && value.status === "ok" && value.transport === "http" && (value.serverId === void 0 || typeof value.serverId === "string");
+	if (typeof value !== "object" || value === null) return false;
+	const record = toRecord(value);
+	return KEY_STATUS in record && record[KEY_STATUS] === HEALTH_STATUS_OK && KEY_TRANSPORT in record && record[KEY_TRANSPORT] === HEALTH_TRANSPORT_HTTP && (!(KEY_SERVER_ID in record) || record[KEY_SERVER_ID] === void 0 || typeof record[KEY_SERVER_ID] === "string");
 }
+/**
+* Type guard for shutdown responses.
+* @param value - Candidate payload to validate
+* @returns True when payload matches shutdown response shape
+*/
 function isShutdownResponse(value) {
-	return isObject(value) && typeof value.ok === "boolean" && typeof value.message === "string" && (value.serverId === void 0 || typeof value.serverId === "string");
+	if (typeof value !== "object" || value === null) return false;
+	const record = toRecord(value);
+	return KEY_OK in record && typeof record[KEY_OK] === "boolean" && KEY_MESSAGE in record && typeof record[KEY_MESSAGE] === "string" && (!(KEY_SERVER_ID in record) || record[KEY_SERVER_ID] === void 0 || typeof record[KEY_SERVER_ID] === "string");
+}
+
+//#endregion
+//#region src/services/StopServerService/StopServerService.ts
+/**
+* Format runtime endpoint URL after validating the host is a loopback address.
+* Rejects non-loopback hosts to prevent SSRF via tampered runtime state files.
+* @param runtime - Runtime record to format
+* @param path - Request path to append
+* @returns Full runtime URL
+*/
+function buildRuntimeUrl(runtime, path) {
+	if (!ALLOWED_HOSTS.has(runtime.host)) throw new Error(`Refusing to connect to non-loopback host '${runtime.host}'. Only ${Array.from(ALLOWED_HOSTS).join(", ")} are allowed.`);
+	return `${HTTP_PROTOCOL}${runtime.host}${URL_PORT_SEPARATOR}${runtime.port}${path}`;
+}
+function toErrorMessage(error) {
+	return error instanceof Error ? error.message : String(error);
 }
 function sleep(delayMs) {
 	return new Promise((resolve$2) => {
@@ -3889,7 +3994,7 @@ var StopServerService = class {
 	* @returns Stop result payload
 	*/
 	async stop(request) {
-		const timeoutMs = request.timeoutMs ?? 5e3;
+		const timeoutMs = request.timeoutMs ?? DEFAULT_STOP_TIMEOUT_MS;
 		const runtime = await this.resolveRuntime(request);
 		const health = await this.fetchHealth(runtime, timeoutMs);
 		if (!health.reachable) {
@@ -3935,7 +4040,7 @@ var StopServerService = class {
 	*/
 	async fetchHealth(runtime, timeoutMs) {
 		try {
-			const response = await this.fetchWithTimeout(`http://${runtime.host}:${runtime.port}/health`, { method: "GET" }, timeoutMs);
+			const response = await this.fetchWithTimeout(buildRuntimeUrl(runtime, HEALTH_CHECK_PATH), { method: HTTP_METHOD_GET }, timeoutMs);
 			if (!response.ok) return { reachable: false };
 			const payload = await response.json();
 			if (!isHealthResponse(payload)) throw new Error("Received invalid health response payload.");
@@ -3955,9 +4060,9 @@ var StopServerService = class {
 	* @returns Parsed shutdown response payload
 	*/
 	async requestShutdown(runtime, shutdownToken, timeoutMs) {
-		const response = await this.fetchWithTimeout(`http://${runtime.host}:${runtime.port}/admin/shutdown`, {
-			method: "POST",
-			headers: { Authorization: `Bearer ${shutdownToken}` }
+		const response = await this.fetchWithTimeout(buildRuntimeUrl(runtime, ADMIN_SHUTDOWN_PATH), {
+			method: HTTP_METHOD_POST,
+			headers: { [AUTHORIZATION_HEADER_NAME]: `${BEARER_TOKEN_PREFIX}${shutdownToken}` }
 		}, timeoutMs);
 		const payload = await response.json();
 		if (!isShutdownResponse(payload)) throw new Error("Received invalid shutdown response payload.");
@@ -3973,8 +4078,8 @@ var StopServerService = class {
 	async waitForShutdown(runtime, timeoutMs) {
 		const deadline = Date.now() + timeoutMs;
 		while (Date.now() < deadline) {
-			if (!(await this.fetchHealth(runtime, Math.max(250, deadline - Date.now()))).reachable) return;
-			await sleep(200);
+			if (!(await this.fetchHealth(runtime, Math.max(HEALTH_REQUEST_TIMEOUT_FLOOR_MS, deadline - Date.now()))).reachable) return;
+			await sleep(SHUTDOWN_POLL_INTERVAL_MS);
 		}
 		throw new Error(`Timed out waiting for runtime '${runtime.serverId}' to stop at http://${runtime.host}:${runtime.port}.`);
 	}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@agiflowai/one-mcp",
   "description": "One MCP server package",
-  "version": "0.3.14",
+  "version": "0.3.15",
   "license": "AGPL-3.0",
   "keywords": [
     "mcp",
@@ -27,7 +27,7 @@
     "js-yaml": "^4.1.0",
     "liquidjs": "^10.21.0",
     "zod": "^3.24.1",
-    "@agiflowai/aicode-utils": "1.0.19"
+    "@agiflowai/aicode-utils": "1.0.20"
   },
   "devDependencies": {
     "@types/express": "^5.0.0",