@aiwerk/mcp-bridge 2.1.4 → 2.5.0

package/README.md

@@ -17,7 +17,7 @@ Most AI agents connect to MCP servers one-by-one. With 10+ servers, that's 10+ c
 - **Intent routing**: say what you need in plain language, the bridge finds the right tool
 - **Schema compression**: tool descriptions compressed ~57%, full schema on demand
 - **Security layer**: trust levels, tool deny/allow lists, result size limits
-- **HTTP auth**: bearer token, custom headers, and **OAuth2 Client Credentials** with automatic token management
+- **HTTP auth**: bearer token, custom headers, **OAuth2 Client Credentials**, and **OAuth2 Authorization Code + PKCE** (interactive browser login)
 - **Result caching**: LRU cache with per-tool TTL overrides
 - **Batch calls**: parallel multi-tool execution via `action=batch`
 - **Multi-server resolution**: automatic tool disambiguation when multiple servers provide the same tool
@@ -67,7 +67,7 @@ Add to `~/Library/Application Support/Claude/claude_desktop_config.json`:
 
 ## Recipe Spec v2
 
-Bundled servers now ship with `recipe.json` using **Universal Recipe Spec v2.0**.
+Bundled servers now ship with `recipe.json` using **Universal Recipe Spec v2.1** (15 servers with rich metadata: category, subcategory, origin, countries, audience, sideEffects).
 During install, MCP Bridge prefers `recipe.json` when present and falls back to legacy `config.json` (v1) for backwards compatibility.
 
 - Spec: [`docs/universal-recipe-spec.md`](docs/universal-recipe-spec.md)
@@ -398,6 +398,37 @@ SSE and streamable-HTTP transports support three auth methods:
 
 OAuth2 features: automatic token acquisition, caching with expiry-aware refresh, single-attempt 401 retry, env var substitution in credentials.
 
+**OAuth2 Authorization Code + PKCE** (interactive browser login):
+
+For MCP servers behind enterprise SSO or user-level OAuth2 that require browser-based login:
+
+```json
+{
+  "auth": {
+    "type": "oauth2",
+    "grantType": "authorization_code",
+    "authorizationUrl": "https://auth.example.com/authorize",
+    "tokenUrl": "https://auth.example.com/oauth/token",
+    "clientId": "optional-public-client-id",
+    "scopes": ["read", "write"]
+  }
+}
+```
+
+Then authenticate via CLI:
+
+```bash
+mcp-bridge auth login my-server    # Opens browser, completes OAuth2 flow
+mcp-bridge auth status             # Check token status for all servers
+mcp-bridge auth logout my-server   # Remove stored token
+```
+
+Features:
+- **PKCE (RFC 7636)** — mandatory S256 code challenge, no `clientSecret` needed for public clients
+- **Persistent tokens** — stored in `~/.mcp-bridge/tokens/` (chmod 600), survive bridge restarts
+- **Automatic refresh** — tokens refreshed transparently via `refresh_token` grant
+- **Actionable errors** — expired tokens return error with exact CLI command to re-authenticate
+
 ### Environment variables
 
 Secrets go in `~/.mcp-bridge/.env` (chmod 600 on init):
@@ -427,6 +458,10 @@ mcp-bridge servers                # List configured servers
 mcp-bridge search <query>         # Search catalog by keyword
 mcp-bridge update [--check]       # Check for / install updates
 mcp-bridge --version              # Print version
+
+mcp-bridge auth login <server>    # OAuth2 browser login (Authorization Code + PKCE)
+mcp-bridge auth logout <server>   # Remove stored token
+mcp-bridge auth status            # Show auth status for all servers
 ```
 
 ## Server Catalog
@@ -517,6 +552,8 @@ For production deployments with high security requirements, consider adding an e
 | ✅ | HTTP auth (bearer, headers) | 2.0.0 |
 | ✅ | Configurable retries + graceful shutdown | 2.0.0 |
 | ✅ | OAuth2 Client Credentials | 2.1.0 |
+| ✅ | OAuth2 Authorization Code + PKCE | 2.5.0 |
+| 🔜 | OAuth2 Device Code flow (headless) | planned |
 | 🔜 | Hosted bridge (bridge.aiwerk.ch) | planned |
 | 🔜 | Remote catalog integration | planned |
 | 🔜 | OpenTelemetry / Prometheus metrics | planned |

package/dist/src/index.d.ts

@@ -13,7 +13,7 @@ export type { ToolResolutionResult, ToolResolutionCandidate } from "./tool-resol
 export { convertJsonSchemaToTypeBox, createToolParameters, setTypeBoxLoader, setSchemaLogger } from "./schema-convert.js";
 export { initializeProtocol, fetchToolsList, PACKAGE_VERSION } from "./protocol.js";
 export { loadConfig, parseEnvFile, initConfigDir, getConfigDir } from "./config.js";
-export type { Logger, McpServerConfig, McpClientConfig, HttpAuthConfig, RetryConfig, McpTool, McpRequest, McpCallRequest, McpResponse, JsonRpcMessage, McpTransport, McpServerConnection, BridgeConfig, } from "./types.js";
+export type { Logger, McpServerConfig, McpClientConfig, HttpAuthConfig, RetryConfig, McpTool, McpRequest, McpCallRequest, McpResponse, JsonRpcMessage, McpTransport, McpServerConnection, BridgeConfig, RequestIdState, RequestIdGenerator, } from "./types.js";
 export { nextRequestId } from "./types.js";
 export { pickRegisteredToolName } from "./tool-naming.js";
 export { StandaloneServer } from "./standalone-server.js";

package/dist/src/mcp-router.d.ts

@@ -93,9 +93,9 @@ export type RouterDispatchResponse = {
     code?: number;
 };
 export interface RouterTransportRefs {
-    sse: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager) => McpTransport;
-    stdio: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>) => McpTransport;
-    streamableHttp: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager) => McpTransport;
+    sse: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: () => number) => McpTransport;
+    stdio: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, requestIdGenerator?: () => number) => McpTransport;
+    streamableHttp: new (config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: () => number) => McpTransport;
 }
 export declare class McpRouter {
     private readonly servers;
@@ -103,12 +103,14 @@ export declare class McpRouter {
     private readonly logger;
     private readonly transportRefs;
     private readonly idleTimeoutMs;
+    private readonly connectErrorCooldownMs;
     private readonly maxConcurrent;
     private readonly resultCache;
     private readonly maxBatchSize;
     private readonly states;
     private readonly toolResolver;
     private readonly tokenManager;
+    private readonly requestIdState;
     private intentRouter;
     private promotion;
     constructor(servers: Record<string, McpServerConfig>, clientConfig: McpClientConfig, logger: Logger, transportRefs?: Partial<RouterTransportRefs>);
@@ -134,6 +136,7 @@ export declare class McpRouter {
     private enforceMaxConcurrent;
     private disconnectServer;
     private markUsed;
+    private nextRequestId;
     private createTransport;
     private extractRequiredParams;
     private error;

package/dist/src/mcp-router.js

@@ -1,3 +1,4 @@
+import { nextRequestId, } from "./types.js";
 import { SseTransport } from "./transport-sse.js";
 import { StdioTransport } from "./transport-stdio.js";
 import { StreamableHttpTransport } from "./transport-streamable-http.js";
@@ -11,6 +12,7 @@ import { ResultCache, createResultCacheKey } from "./result-cache.js";
 import { ToolResolver } from "./tool-resolution.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 const DEFAULT_IDLE_TIMEOUT_MS = 10 * 60 * 1000;
+const DEFAULT_CONNECT_ERROR_COOLDOWN_MS = 10 * 1000;
 const DEFAULT_MAX_CONCURRENT = 5;
 const DEFAULT_MAX_BATCH_SIZE = 10;
 const DEFAULT_SHUTDOWN_TIMEOUT_MS = 5000;
@@ -20,12 +22,14 @@ export class McpRouter {
     logger;
     transportRefs;
     idleTimeoutMs;
+    connectErrorCooldownMs;
     maxConcurrent;
     resultCache;
     maxBatchSize;
     states = new Map();
     toolResolver;
     tokenManager;
+    requestIdState = { value: 0 };
     intentRouter = null;
     promotion = null;
     constructor(servers, clientConfig, logger, transportRefs) {
@@ -38,6 +42,7 @@ export class McpRouter {
             streamableHttp: transportRefs?.streamableHttp ?? StreamableHttpTransport
         };
         this.idleTimeoutMs = clientConfig.routerIdleTimeoutMs ?? DEFAULT_IDLE_TIMEOUT_MS;
+        this.connectErrorCooldownMs = clientConfig.routerConnectErrorCooldownMs ?? DEFAULT_CONNECT_ERROR_COOLDOWN_MS;
         this.maxConcurrent = clientConfig.routerMaxConcurrent ?? DEFAULT_MAX_CONCURRENT;
         this.resultCache = clientConfig.resultCache?.enabled
             ? new ResultCache({
@@ -505,20 +510,39 @@ export class McpRouter {
             };
             this.states.set(server, state);
         }
+        const lastConnectError = state.lastConnectError;
+        if (lastConnectError) {
+            const withinCooldown = Date.now() - lastConnectError.timestamp < this.connectErrorCooldownMs;
+            if (withinCooldown) {
+                throw lastConnectError.error;
+            }
+            state.lastConnectError = undefined;
+        }
         if (state.initPromise) {
             await state.initPromise;
             return state;
         }
         state.initPromise = (async () => {
-            if (!state.transport.isConnected()) {
-                await state.transport.connect();
+            try {
+                if (!state.transport.isConnected()) {
+                    await state.transport.connect();
+                }
+                if (!state.initialized) {
+                    await initializeProtocol(state.transport, PACKAGE_VERSION);
+                    state.initialized = true;
+                }
+                state.lastConnectError = undefined;
+                this.markUsed(server);
+                await this.enforceMaxConcurrent(server);
             }
-            if (!state.initialized) {
-                await initializeProtocol(state.transport, PACKAGE_VERSION);
-                state.initialized = true;
+            catch (error) {
+                const normalizedError = error instanceof Error ? error : new Error(String(error));
+                state.lastConnectError = {
+                    error: normalizedError,
+                    timestamp: Date.now()
+                };
+                throw normalizedError;
             }
-            this.markUsed(server);
-            await this.enforceMaxConcurrent(server);
         })();
         try {
             await state.initPromise;
@@ -581,6 +605,9 @@ export class McpRouter {
             state.idleTimer.unref();
         }
     }
+    nextRequestId() {
+        return nextRequestId(this.requestIdState);
+    }
     createTransport(serverName, serverConfig) {
         const onReconnected = async () => {
             const state = this.states.get(serverName);
@@ -594,13 +621,13 @@ export class McpRouter {
             this.resultCache?.invalidate(`${serverName}:`);
         };
         if (serverConfig.transport === "sse") {
-            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager);
+            return new this.transportRefs.sse(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
         }
         if (serverConfig.transport === "stdio") {
-            return new this.transportRefs.stdio(serverConfig, this.clientConfig, this.logger, onReconnected);
+            return new this.transportRefs.stdio(serverConfig, this.clientConfig, this.logger, onReconnected, () => this.nextRequestId());
         }
         if (serverConfig.transport === "streamable-http") {
-            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager);
+            return new this.transportRefs.streamableHttp(serverConfig, this.clientConfig, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
         }
         throw new Error(`Unsupported transport: ${serverConfig.transport}`);
     }

package/dist/src/security.js

@@ -3,28 +3,29 @@
  *
  * Pipeline order: truncate → sanitize → trust-tag
  */
-// Prompt injection patterns to strip (case-insensitive)
-const INJECTION_PATTERNS = [
-    /ignore\s+(all\s+)?previous\s+instructions/gi,
-    /ignore\s+(all\s+)?prior\s+instructions/gi,
-    /disregard\s+(all\s+)?previous\s+instructions/gi,
-    /you\s+are\s+now\b/gi,
-    /^system\s*:/gim,
-    /\bact\s+as\s+(a|an)\s+/gi,
-    /pretend\s+you\s+are\b/gi,
-    /from\s+now\s+on\s+you\s+are\b/gi,
-    /new\s+instructions\s*:/gi,
-    /override\s+(all\s+)?instructions/gi,
+// Prompt injection pattern sources to strip (compiled per call to avoid RegExp state leakage)
+const INJECTION_PATTERN_SOURCES = [
+    "ignore\\s+(all\\s+)?previous\\s+instructions",
+    "ignore\\s+(all\\s+)?prior\\s+instructions",
+    "disregard\\s+(all\\s+)?previous\\s+instructions",
+    "you\\s+are\\s+now\\b",
+    "\\bact\\s+as\\s+(a|an)\\s+",
+    "pretend\\s+you\\s+are\\b",
+    "from\\s+now\\s+on\\s+you\\s+are\\b",
+    "new\\s+instructions\\s*:",
+    "override\\s+(all\\s+)?instructions",
 ];
+const INJECTION_PATTERN_MULTILINE_SOURCES = ["^system\\s*:"];
 function stripHtmlTags(text) {
     return text.replace(/<[^>]*>/g, "");
 }
 function stripInjectionPatterns(text) {
     let result = text;
-    for (const pattern of INJECTION_PATTERNS) {
-        // Reset lastIndex for global regexes
-        pattern.lastIndex = 0;
-        result = result.replace(pattern, "");
+    for (const source of INJECTION_PATTERN_SOURCES) {
+        result = result.replace(new RegExp(source, "gi"), "");
+    }
+    for (const source of INJECTION_PATTERN_MULTILINE_SOURCES) {
+        result = result.replace(new RegExp(source, "gim"), "");
     }
     return result;
 }

package/dist/src/standalone-server.d.ts

@@ -11,6 +11,7 @@ export declare class StandaloneServer {
     private initialized;
     private lspMode;
     private readonly tokenManager;
+    private readonly requestIdState;
     private directTools;
     private directConnections;
     constructor(config: BridgeConfig, logger: Logger);
@@ -29,6 +30,7 @@ export declare class StandaloneServer {
     /** Connect to all backend servers and discover their tools (direct mode). */
     private discoverDirectTools;
     private _doDiscovery;
+    private nextRequestId;
     private createTransport;
     /** Graceful shutdown: disconnect all backend servers. */
     shutdown(): Promise<void>;

package/dist/src/standalone-server.js

@@ -1,6 +1,7 @@
 import { McpRouter } from "./mcp-router.js";
 import { fetchToolsList, initializeProtocol, PACKAGE_VERSION } from "./protocol.js";
 import { pickRegisteredToolName } from "./tool-naming.js";
+import { nextRequestId, } from "./types.js";
 import { SseTransport } from "./transport-sse.js";
 import { StdioTransport } from "./transport-stdio.js";
 import { StreamableHttpTransport } from "./transport-streamable-http.js";
@@ -17,6 +18,7 @@ export class StandaloneServer {
     initialized = false;
     lspMode = false;
     tokenManager;
+    requestIdState = { value: 0 };
     // Direct mode state
     directTools = [];
     directConnections = new Map();
@@ -36,25 +38,24 @@ export class StandaloneServer {
     async startStdio() {
         const stdin = process.stdin;
         const stdout = process.stdout;
-        stdin.setEncoding("utf8");
-        let buffer = "";
+        let buffer = Buffer.alloc(0);
         // LSP framing state
         let lspContentLength = -1; // -1 means not in LSP mode for current message
         let lspHeadersDone = false;
         stdin.on("data", (chunk) => {
-            buffer += chunk;
+            const chunkBuffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, "utf8");
+            buffer = Buffer.concat([buffer, chunkBuffer]);
             // Process buffer in a loop — it may contain multiple messages
             let progress = true;
             while (progress) {
                 progress = false;
                 // If we're reading an LSP body, check if we have enough bytes
                 if (lspContentLength >= 0 && lspHeadersDone) {
-                    const bufferBytes = Buffer.byteLength(buffer, "utf8");
-                    if (bufferBytes >= lspContentLength) {
+                    if (buffer.length >= lspContentLength) {
                         // Extract exactly lspContentLength bytes (LSP spec defines Content-Length in bytes)
-                        const bodyBuffer = Buffer.from(buffer, "utf8").slice(0, lspContentLength);
+                        const bodyBuffer = buffer.subarray(0, lspContentLength);
                         const body = bodyBuffer.toString("utf8");
-                        buffer = buffer.substring(body.length);
+                        buffer = buffer.subarray(lspContentLength);
                         lspContentLength = -1;
                         lspHeadersDone = false;
                         const trimmed = body.trim();
@@ -68,15 +69,16 @@ export class StandaloneServer {
                     break;
                 }
                 // Look for complete lines to detect framing
-                const newlineIdx = buffer.indexOf("\n");
+                const newlineIdx = buffer.indexOf(0x0a);
                 if (newlineIdx === -1)
                     break;
-                const line = buffer.slice(0, newlineIdx);
+                const lineBuffer = buffer.subarray(0, newlineIdx);
+                const line = lineBuffer.toString("utf8").replace(/\r$/, "");
                 const trimmed = line.trim();
                 // LSP header detection
                 if (lspContentLength >= 0 && !lspHeadersDone) {
                     // We're reading LSP headers — consume until empty line
-                    buffer = buffer.slice(newlineIdx + 1);
+                    buffer = buffer.subarray(newlineIdx + 1);
                     progress = true;
                     if (trimmed === "") {
                         // End of headers — next read the body
@@ -93,13 +95,13 @@ export class StandaloneServer {
                     if (!isNaN(length) && length > 0) {
                         lspContentLength = length;
                         lspHeadersDone = false;
-                        buffer = buffer.slice(newlineIdx + 1);
+                        buffer = buffer.subarray(newlineIdx + 1);
                         progress = true;
                         continue;
                     }
                 }
                 // Newline-delimited JSON: consume the line
-                buffer = buffer.slice(newlineIdx + 1);
+                buffer = buffer.subarray(newlineIdx + 1);
                 progress = true;
                 if (!trimmed || !trimmed.startsWith("{"))
                     continue;
@@ -396,6 +398,9 @@ export class StandaloneServer {
             }
         }
     }
+    nextRequestId() {
+        return nextRequestId(this.requestIdState);
+    }
     createTransport(serverName, serverConfig) {
         const onReconnected = async () => {
             this.logger.info(`[mcp-bridge] ${serverName} reconnected, refreshing tools`);
@@ -403,11 +408,11 @@ export class StandaloneServer {
         };
         switch (serverConfig.transport) {
             case "sse":
-                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager);
+                return new SseTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
             case "stdio":
-                return new StdioTransport(serverConfig, this.config, this.logger, onReconnected);
+                return new StdioTransport(serverConfig, this.config, this.logger, onReconnected, () => this.nextRequestId());
             case "streamable-http":
-                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager);
+                return new StreamableHttpTransport(serverConfig, this.config, this.logger, onReconnected, this.tokenManager, () => this.nextRequestId());
             default:
                 throw new Error(`Unsupported transport: ${serverConfig.transport}`);
         }

package/dist/src/transport-base.d.ts

@@ -1,4 +1,4 @@
-import { McpTransport, McpRequest, McpResponse, McpServerConfig, McpClientConfig, Logger, JsonRpcMessage } from "./types.js";
+import { McpTransport, McpRequest, McpResponse, McpServerConfig, McpClientConfig, Logger, JsonRpcMessage, RequestIdGenerator } from "./types.js";
 import type { OAuth2Config, OAuth2TokenManager } from "./oauth2-token-manager.js";
 export type PendingRequest = {
     resolve: (value: McpResponse) => void;
@@ -22,12 +22,15 @@ export declare abstract class BaseTransport implements McpTransport {
     protected reconnectTimer: NodeJS.Timeout | null;
     protected onReconnected?: () => Promise<void>;
     protected backoffDelay: number;
-    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>);
+    private readonly requestIdState;
+    private readonly requestIdGenerator;
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, requestIdGenerator?: RequestIdGenerator);
     abstract connect(): Promise<void>;
     abstract disconnect(): Promise<void>;
     abstract sendRequest(request: McpRequest): Promise<McpResponse>;
     abstract sendNotification(notification: any): Promise<void>;
     isConnected(): boolean;
+    protected nextRequestId(): number;
     /** Human-readable transport name for log messages (e.g. "stdio", "SSE", "streamable-http"). */
     protected abstract get transportName(): string;
     /**

package/dist/src/transport-base.js

@@ -1,3 +1,4 @@
+import { nextRequestId } from "./types.js";
 import { loadOpenClawDotEnvFallback } from "./config.js";
 /**
  * Base class for all MCP transports. Provides shared logic for:
@@ -16,15 +17,21 @@ export class BaseTransport {
     reconnectTimer = null;
     onReconnected;
     backoffDelay = 0;
-    constructor(config, clientConfig, logger, onReconnected) {
+    requestIdState = { value: 0 };
+    requestIdGenerator;
+    constructor(config, clientConfig, logger, onReconnected, requestIdGenerator) {
         this.config = config;
         this.clientConfig = clientConfig;
         this.logger = logger;
         this.onReconnected = onReconnected;
+        this.requestIdGenerator = requestIdGenerator ?? (() => nextRequestId(this.requestIdState));
     }
     isConnected() {
         return this.connected;
     }
+    nextRequestId() {
+        return this.requestIdGenerator();
+    }
     /**
      * Route an incoming JSON-RPC message to the appropriate handler:
      * - notifications/tools/list_changed -> trigger tool refresh
@@ -130,7 +137,7 @@ export function resolveEnvVars(value, contextDescription, extraEnv, envFallback)
                 return fallbackVal;
             }
         }
-        if (resolved === undefined) {
+        if (resolved === undefined || resolved === "") {
             throw new Error(`[mcp-bridge] Missing required environment variable "${varName}" while resolving ${contextDescription}`);
         }
         return resolved;

package/dist/src/transport-sse.d.ts

@@ -1,4 +1,4 @@
-import { Logger, McpClientConfig, McpRequest, McpResponse, McpServerConfig } from "./types.js";
+import { Logger, McpClientConfig, McpRequest, McpResponse, McpServerConfig, RequestIdGenerator } from "./types.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 import { BaseTransport } from "./transport-base.js";
 export declare class SseTransport extends BaseTransport {
@@ -8,7 +8,7 @@ export declare class SseTransport extends BaseTransport {
     private pendingRequestControllers;
     private readonly tokenManager;
     protected get transportName(): string;
-    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager);
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: RequestIdGenerator);
     connect(): Promise<void>;
     private _onEndpointReceived;
     private getBaseHeaders;

package/dist/src/transport-sse.js

@@ -1,4 +1,3 @@
-import { nextRequestId } from "./types.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 import { BaseTransport, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export class SseTransport extends BaseTransport {
@@ -8,8 +7,8 @@ export class SseTransport extends BaseTransport {
     pendingRequestControllers = new Map();
     tokenManager;
     get transportName() { return "SSE"; }
-    constructor(config, clientConfig, logger, onReconnected, tokenManager) {
-        super(config, clientConfig, logger, onReconnected);
+    constructor(config, clientConfig, logger, onReconnected, tokenManager, requestIdGenerator) {
+        super(config, clientConfig, logger, onReconnected, requestIdGenerator);
         this.tokenManager = tokenManager ?? new OAuth2TokenManager(logger);
     }
     async connect() {
@@ -193,7 +192,7 @@ export class SseTransport extends BaseTransport {
         if (!this.connected || !this.endpointUrl) {
             throw new Error("SSE transport not connected or no endpoint URL");
         }
-        const id = nextRequestId();
+        const id = this.nextRequestId();
         const requestWithId = { ...request, id };
         return new Promise((resolve, reject) => {
             const requestTimeout = this.clientConfig.requestTimeoutMs || 60000;

package/dist/src/transport-stdio.js

@@ -1,5 +1,4 @@
 import { spawn } from "child_process";
-import { nextRequestId } from "./types.js";
 import { BaseTransport, resolveEnvRecord, resolveArgs } from "./transport-base.js";
 export class StdioTransport extends BaseTransport {
     process = null;
@@ -130,8 +129,15 @@ export class StdioTransport extends BaseTransport {
             this.process.once("error", onProcessError);
             this.process.once("exit", onProcessExit);
             timeout = setTimeout(() => {
-                this.logger.warn(`[mcp-bridge] Stdio startup stdout readiness timed out after ${connectionTimeout}ms; continuing`);
-                settleResolve();
+                const timeoutError = new Error(`Stdio process startup timeout: no data received within ${connectionTimeout}ms`);
+                this.logger.warn(`[mcp-bridge] ${timeoutError.message}; terminating unresponsive process`);
+                try {
+                    this.process?.kill("SIGTERM");
+                }
+                catch {
+                    // Ignore kill errors and reject with timeout
+                }
+                settleReject(timeoutError);
             }, connectionTimeout);
         });
     }
@@ -156,7 +162,7 @@ export class StdioTransport extends BaseTransport {
         if (!this.connected || !this.process?.stdin) {
             throw new Error("Stdio transport not connected");
         }
-        const id = nextRequestId();
+        const id = this.nextRequestId();
         const requestWithId = { ...request, id };
         return new Promise((resolve, reject) => {
             const requestTimeout = this.clientConfig.requestTimeoutMs || 60000;

package/dist/src/transport-streamable-http.d.ts

@@ -1,4 +1,4 @@
-import { Logger, McpClientConfig, McpRequest, McpResponse, McpServerConfig } from "./types.js";
+import { Logger, McpClientConfig, McpRequest, McpResponse, McpServerConfig, RequestIdGenerator } from "./types.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 import { BaseTransport } from "./transport-base.js";
 export declare class StreamableHttpTransport extends BaseTransport {
@@ -7,7 +7,7 @@ export declare class StreamableHttpTransport extends BaseTransport {
     private pendingRequestControllers;
     private readonly tokenManager;
     protected get transportName(): string;
-    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager);
+    constructor(config: McpServerConfig, clientConfig: McpClientConfig, logger: Logger, onReconnected?: () => Promise<void>, tokenManager?: OAuth2TokenManager, requestIdGenerator?: RequestIdGenerator);
     connect(): Promise<void>;
     private getBaseHeaders;
     private refreshResolvedHeaders;

package/dist/src/transport-streamable-http.js

@@ -1,4 +1,3 @@
-import { nextRequestId } from "./types.js";
 import { OAuth2TokenManager } from "./oauth2-token-manager.js";
 import { BaseTransport, resolveOAuth2Config, resolveServerHeaders, resolveServerHeadersAsync, warnIfNonTlsRemoteUrl, } from "./transport-base.js";
 export class StreamableHttpTransport extends BaseTransport {
@@ -7,8 +6,8 @@ export class StreamableHttpTransport extends BaseTransport {
     pendingRequestControllers = new Map();
     tokenManager;
     get transportName() { return "streamable-http"; }
-    constructor(config, clientConfig, logger, onReconnected, tokenManager) {
-        super(config, clientConfig, logger, onReconnected);
+    constructor(config, clientConfig, logger, onReconnected, tokenManager, requestIdGenerator) {
+        super(config, clientConfig, logger, onReconnected, requestIdGenerator);
         this.tokenManager = tokenManager ?? new OAuth2TokenManager(logger);
     }
     async connect() {
@@ -68,7 +67,7 @@ export class StreamableHttpTransport extends BaseTransport {
         if (!this.connected || !this.config.url) {
             throw new Error("Streamable HTTP transport not connected");
         }
-        const id = nextRequestId();
+        const id = this.nextRequestId();
         const requestWithId = { ...request, id };
         return new Promise((resolve, reject) => {
             const requestTimeout = this.clientConfig.requestTimeoutMs || 60000;

package/dist/src/types.d.ts

@@ -52,6 +52,7 @@ export interface McpClientConfig {
     requestTimeoutMs?: number;
     shutdownTimeoutMs?: number;
     routerIdleTimeoutMs?: number;
+    routerConnectErrorCooldownMs?: number;
     routerMaxConcurrent?: number;
     maxBatchSize?: number;
     schemaCompression?: {
@@ -108,7 +109,11 @@ export interface McpRequest {
 export interface McpCallRequest extends McpRequest {
     id: number;
 }
-export declare function nextRequestId(): number;
+export interface RequestIdState {
+    value: number;
+}
+export type RequestIdGenerator = () => number;
+export declare function nextRequestId(state: RequestIdState): number;
 export interface McpResponse {
     jsonrpc: "2.0";
     id: number;

package/dist/src/types.js

@@ -1,8 +1,7 @@
-let globalRequestId = 0;
-export function nextRequestId() {
-    globalRequestId++;
-    if (globalRequestId >= Number.MAX_SAFE_INTEGER) {
-        globalRequestId = 1;
+export function nextRequestId(state) {
+    state.value++;
+    if (state.value >= Number.MAX_SAFE_INTEGER) {
+        state.value = 1;
     }
-    return globalRequestId;
+    return state.value;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aiwerk/mcp-bridge",
-  "version": "2.1.4",
+  "version": "2.5.0",
   "description": "Standalone MCP server that multiplexes multiple MCP servers into one interface",
   "type": "module",
   "main": "./dist/src/index.js",
@@ -26,7 +26,7 @@
   "homepage": "https://github.com/AIWerk/mcp-bridge#readme",
   "repository": {
     "type": "git",
-    "url": "https://github.com/AIWerk/mcp-bridge"
+    "url": "git+https://github.com/AIWerk/mcp-bridge.git"
   },
   "keywords": [
     "mcp",