@apify/mcpc 0.2.3 → 0.2.6

package/CHANGELOG.md

@@ -7,18 +7,71 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.6] - 2026-04-15
+
+### Added
+
+- New `tasks-result <taskId>` command that fetches the final `CallToolResult` payload of an async task via the MCP `tasks/result` method. Blocks until the task reaches a terminal state, then prints the payload using the same renderer as `tools-call` (`--json` returns the raw result).
+
+### Fixed
+
+- `tools-get` "Call example" now wraps JSON values (arrays, objects, strings) in single quotes so they can be copy-pasted into a shell verbatim without being mangled by word-splitting (e.g., `outputFormats:='["markdown"]'` instead of `outputFormats:=["markdown"]`)
+
+## [0.2.5] - 2026-04-15
+
+### Added
+
+- `mcpc connect <config-file>` connects all servers defined in a config file at once, auto-generating session names from entry names (e.g., `mcpc connect ~/.vscode/mcp.json`)
+- `connect` auto-generates a session name when `@session` is omitted (e.g., `mcpc connect mcp.apify.com` creates `@apify`), reusing an existing session when auth settings match
+- `--max-chars <n>` global option to truncate output to a given number of characters (ignored in `--json` mode)
+- "Did you mean?" suggestions for unknown commands, including reversed names (e.g., `list-tools` → `tools-list`)
+- `mcpc login --client-metadata-url <https-url>` flag adds support for [OAuth Client ID Metadata Documents (CIMD)](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00). When the authorization server advertises `client_id_metadata_document_supported: true`, mcpc uses the URL as the `client_id`; otherwise it falls back to Dynamic Client Registration.
+
+### Changed
+
+- Session info JSON output (`mcpc @session --json`, `mcpc connect --json`) returns `toolNames` (array of strings) instead of full `tools` objects
+- `--schema` and `--schema-mode` options scoped to `tools-get` and `tools-call` only (removed from `prompts-get`)
+
+### Fixed
+
+- `connect` now verifies the server responds before reporting success; shows a warning with the actual error when the server is unreachable
+- HTTP 404 during initial connect no longer misclassified as "session expired"; error messages now include the actual HTTP error and server URL
+- `mcpc login --json` now writes interactive prompts to stderr, so stdout contains only the final JSON result and is safe to pipe to `jq` or redirect to a file
+
+## [0.2.4] - 2026-04-07
+
+### Security
+
+- Fixed XSS vulnerability in OAuth callback server: error messages from query parameters are now HTML-escaped before rendering
+- Replaced `exec()` with `execFile()` in browser opening to prevent potential shell injection via crafted OAuth authorization URLs
+- Added Host header validation to OAuth callback server to mitigate DNS rebinding attacks
+- Set restrictive directory permissions (`0o700`) on `~/.mcpc/` and subdirectories to prevent local privilege escalation on shared systems
+
+### Fixed
+
+- Bridge ignores stored OAuth access token when no refresh token is provided; servers that don't issue refresh tokens now work correctly by using the access token as a static Bearer header
+- Session incorrectly marked as `unauthorized` when access token expires but refresh token is still valid; bridge now attempts token refresh before giving up
+- "ESC to detach" hint now shows immediately in the spinner when using `--task`, instead of waiting for the server to return a task ID
+
 ## [0.2.3] - 2026-03-31
 
 ## [0.2.2] - 2026-03-31
 
 ## [0.2.1] - 2026-03-30
+
 ### Added
+
 - Secure x402 wallet storage using OS keychain integration with fallback to `wallets.json` for compatibility
 - QR code display for wallet address in `x402 init`, `x402 import`, and `x402 info` commands, allowing users to scan and fund the wallet directly from the terminal
 
 ### Changed
 
-- Release process migrated from local `scripts/publish.sh` to GitHub Actions; `npm run release` now triggers the CI workflow instead of running locally
+- Auto-reconnect crashed and unauthorized bridge processes in the background when enumerating sessions (`mcpc` or `mcpc grep`), with a 10-second cooldown between reconnection attempts. Unauthorized sessions benefit from OAuth tokens refreshed by other sessions sharing the same profile.
+
+### Fixed
+
+- Fixed expired sessions falsely showing as `live` after auto-reconnect — the bridge now detects when the server did not resume the original MCP session (including when no session ID is returned) and marks the session as `expired`
+- Bridge sends first keepalive ping 5 seconds after startup (instead of waiting the full 30-second interval) to detect stale sessions earlier
 
 ## [0.2.0] - 2026-03-24
 
@@ -182,7 +235,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Interactive shell mode
 - JSON output mode for scripting
 
-[Unreleased]: https://github.com/apify/mcpc/compare/v0.2.3...HEAD
+[Unreleased]: https://github.com/apify/mcpc/compare/v0.2.6...HEAD
+[0.2.6]: https://github.com/apify/mcpc/compare/v0.2.5...v0.2.6
+[0.2.5]: https://github.com/apify/mcpc/compare/v0.2.4...v0.2.5
+[0.2.4]: https://github.com/apify/mcpc/compare/v0.2.3...v0.2.4
 [0.2.3]: https://github.com/apify/mcpc/compare/v0.2.2...v0.2.3
 [0.2.2]: https://github.com/apify/mcpc/compare/v0.2.1...v0.2.2
 [0.2.1]: https://github.com/apify/mcpc/compare/v0.2.0...v0.2.1

package/README.md

@@ -251,7 +251,7 @@ By default, `grep` searches only tools. Use `--resources` or `--prompts` to sear
 (combine with `--tools` to include tools too). Sessions that are crashed or unavailable are shown
 with their status rather than silently skipped.
 
-The `grep` command is useful for **dynamic tool discovery**, 
+The `grep` command is useful for **dynamic tool discovery**,
 also called [Tool search tool](https://www.anthropic.com/engineering/advanced-tool-use) by Anthropic
 or [Dynamic context discovery](https://cursor.com/blog/dynamic-context-discovery) by Cursor.
 Rather than loading all tools into AI agent's context, the agent can use `grep` to discover the right tool
@@ -310,13 +310,15 @@ Still, sessions can fail due to network disconnects, bridge process crash, or se
 
 **Session states:**
 
-| State                 | Meaning                                                                                           |
-| --------------------- | ------------------------------------------------------------------------------------------------- |
-| 🟢 **`live`**         | Bridge process running and server responding                                                      |
-| 🟡 **`disconnected`** | Bridge process running but server unreachable; auto-recovers when server responds                 |
-| 🟡 **`crashed`**      | Bridge process crashed or was killed; auto-restarts on next use                                   |
-| 🔴 **`unauthorized`** | Server rejected authentication (401/403) or token refresh failed; requires `login` then `restart` |
-| 🔴 **`expired`**      | Server rejected session ID (404); requires `restart`                                              |
+| State                | Meaning                                                                                            |
+| -------------------- | -------------------------------------------------------------------------------------------------- |
+| 🟢**`live`**         | Bridge process running and server responding                                                       |
+| 🟡**`connecting`**   | Initial bridge startup in progress (`mcpc connect`)                                                |
+| 🟡**`reconnecting`** | Bridge crashed or lost auth; auto-reconnecting in the background                                   |
+| 🟡**`disconnected`** | Bridge process running but server unreachable; auto-recovers when server responds                  |
+| 🟡**`crashed`**      | Bridge process crashed or was killed; auto-reconnects in the background                            |
+| 🔴**`unauthorized`** | Server rejected authentication (401/403) or token refresh failed; auto-reconnects or needs `login` |
+| 🔴**`expired`**      | Server rejected session ID (404); requires `restart`                                               |
 
 Here's how `mcpc` handles various bridge process and server connection states:
 
@@ -326,14 +328,17 @@ Here's how `mcpc` handles various bridge process and server connection states:
     The bridge will keep trying to reconnect in the background and will return to 🟢 **`live`** once the server responds again.
   - If **server rejects authentication** (HTTP 401 or 403) or token refresh fails,
     the session is marked 🔴 **`unauthorized`**.
-    You need to re-authenticate with `mcpc login <server>` and then `mcpc @my-session restart`.
+    `mcpc` will auto-reconnect in the background if another session sharing the same OAuth profile has refreshed the tokens.
+    Otherwise, re-authenticate with `mcpc login <server>` and then `mcpc @my-session restart`.
   - If **server rejects the session ID** (HTTP 404), indicating the MCP session is no longer valid,
     the session is marked 🔴 **`expired`**.
     You need to restart the session with `mcpc @my-session restart` to establish a new connection.
-- If the **bridge process crashes**, `mcpc` will mark the session as 🟡 **`crashed`** on first use.
-  Next time you run `mcpc @my-session ...`, it will attempt to restart the bridge process.
-  - If bridge **restart succeeds**, everything starts again (see above).
-  - If bridge **restart fails**, `mcpc @my-session ...` returns error, and session remains marked 🟡 **`crashed`**.
+- If the **bridge process crashes**, `mcpc` will mark the session as 🟡 **`crashed`**
+  and auto-reconnect the bridge in the background. You can also trigger reconnection manually
+  by running any `mcpc @my-session ...` command.
+  - If reconnection **succeeds** and the server resumes the MCP session, the session returns to 🟢 **`live`**.
+  - If the server issues a **new session ID** instead of resuming, the session is marked 🔴 **`expired`**.
+  - If reconnection **fails**, the session remains 🟡 **`crashed`** and retries after a 10-second cooldown.
 
 Note that `mcpc` never automatically removes sessions from the list.
 Instead, it keeps them flagged as 🟡 **`crashed`**, 🔴 **`unauthorized`**, or 🔴 **`expired`**,
@@ -383,9 +388,12 @@ mcpc @apify tools-list
 
 ### OAuth profiles
 
-For OAuth-enabled remote MCP servers, `mcpc` implements the full OAuth 2.1 flow with PKCE,
-including `WWW-Authenticate` header discovery, server metadata discovery, client ID metadata documents,
-dynamic client registration, and automatic token refresh.
+For OAuth-enabled remote MCP servers, `mcpc` implements the full OAuth 2.1 flow with PKCE as
+mandated by the [MCP authorization spec](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization):
+`WWW-Authenticate` 401 challenges, Protected Resource Metadata and authorization server metadata
+discovery, all three [client registration approaches](#client-registration-approaches),
+[resource indicators (RFC 8707)](https://www.rfc-editor.org/rfc/rfc8707), and automatic
+refresh-token rotation.
 
 The OAuth authentication **always** needs to be initiated by the user calling the `login` command,
 which opens a web browser with login screen. `mcpc` never opens the web browser on its own.
@@ -428,6 +436,34 @@ mcpc logout mcp.apify.com
 mcpc logout mcp.apify.com --profile work
 ```
 
+### Client registration approaches
+
+When logging in, `mcpc` supports all three OAuth client registration approaches defined in the
+[MCP authorization spec](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-registration-approaches),
+picking the one the authorization server advertises in its OAuth metadata:
+
+| **Approach**                            | **`mcpc login` flags**                         |
+|:----------------------------------------| :--------------------------------------------- |
+| **Pre-registration**                    | `--client-id` (and optional `--client-secret`) |
+| **Client ID Metadata Documents (CIMD)** | `--client-metadata-url <https-url>`            |
+| **Dynamic Client Registration (DCR)**   | _(default, no flags needed)_                   |
+
+```bash
+# Pre-registered OAuth client (public or confidential)
+mcpc login mcp.example.com --client-id <id> [--client-secret <secret>]
+
+# Client ID Metadata Documents (CIMD): URL points to a JSON document served over HTTPS.
+# Used only if the authorization server advertises client_id_metadata_document_supported: true;
+# otherwise mcpc falls back to Dynamic Client Registration.
+mcpc login mcp.example.com --client-metadata-url https://example.com/mcpc-client.json
+
+# Dynamic Client Registration (DCR): default when the server has a registration_endpoint.
+mcpc login mcp.apify.com
+```
+
+See the [MCP authorization spec](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-registration-approaches)
+for details on each approach and the format of Client ID Metadata Documents.
+
 ### Authentication precedence
 
 When multiple authentication methods are available, `mcpc` uses this precedence order:
@@ -455,6 +491,11 @@ exclusive. Providing both will result in a clear error. Use one or the other.
    - If authentication fails (expired/invalid) → Fail with an error
 2. **Profile doesn't exist**: Fail with an error
 
+**When `--x402` is specified (without `--profile`):**
+
+- OAuth profile auto-detection is skipped, since x402 serves as the payment/auth mechanism
+- If you also pass `--profile`, the specified profile is still used alongside x402
+
 **When `--no-profile` is specified:**
 
 - Skip all OAuth profile detection and connect anonymously
@@ -495,6 +536,9 @@ mcpc connect mcp.apify.com @apify-personal
 # Explicit bearer token - skips profile auto-detection:
 mcpc connect mcp.apify.com @apify --header "Authorization: Bearer ${APIFY_TOKEN}"
 
+# x402 payment - skips default profile auto-detection:
+mcpc connect mcp.apify.com @apify --x402
+
 # Anonymous - skips default profile even if it exists:
 mcpc connect mcp.apify.com @apify-anon --no-profile
 ```
@@ -617,12 +661,15 @@ For a complete example script, see [`docs/examples/company-lookup.sh`](./docs/ex
 
 ### Schema validation
 
-Validate tool/prompt schemas using the `--schema` option to detect breaking changes early:
+The `tools-get` and `tools-call` commands support `--schema` to validate a tool's schema against an expected snapshot. This helps detect breaking changes early in scripts and CI:
 
 ```bash
 # Save expected schema
 mcpc --json @apify tools-get search-actors > expected.json
 
+# Validate without calling (read-only check)
+mcpc @apify tools-get search-actors --schema expected.json
+
 # Validate before calling (fails if schema changed incompatibly)
 mcpc @apify tools-call search-actors --schema expected.json keywords:="test"
 ```
@@ -725,10 +772,10 @@ mcpc x402 sign <base64-payment-required> --amount 1.00 --expiry 3600 --json
 
 **Options:**
 
-| Option              | Description                                                      |
-| ------------------- | ---------------------------------------------------------------- |
-| `--amount <usd>`    | Override the payment amount in USD (e.g. `0.50` for $0.50)       |
-| `--expiry <seconds>`| Override the payment expiry in seconds from now (e.g. `3600`)    |
+| Option               | Description                                                   |
+| -------------------- | ------------------------------------------------------------- |
+| `--amount <usd>`     | Override the payment amount in USD (e.g. `0.50` for $0.50)    |
+| `--expiry <seconds>` | Override the payment expiry in seconds from now (e.g. `3600`) |
 
 The command outputs the signed `PAYMENT-SIGNATURE` header value and an MCP config snippet
 that can be used directly with other MCP clients.
@@ -799,7 +846,7 @@ The bridge process manages the full MCP session lifecycle:
 | 🔔 [**Notifications**](#list-change-notifications) | ✅ Supported                      |
 | 📄 [**Pagination**](#pagination)                   | ✅ Supported                      |
 | 🏓 [**Ping**](#ping)                               | ✅ Supported                      |
-| ⏳ [**Async tasks**](#async-tasks)                  | ✅ Supported                      |
+| ⏳ [**Async tasks**](#async-tasks)                 | ✅ Supported                      |
 | 📁 **Roots**                                       | 🚧 Planned                        |
 | ❓ **Elicitation**                                 | 🚧 Planned                        |
 | 🔤 **Completion**                                  | 🚧 Planned                        |
@@ -969,6 +1016,9 @@ mcpc @apify tasks-list
 # Check task status
 mcpc @apify tasks-get <taskId>
 
+# Get the task result (blocks until the task reaches a terminal state)
+mcpc @apify tasks-result <taskId>
+
 # Cancel a running task
 mcpc @apify tasks-cancel <taskId>
 ```
@@ -976,6 +1026,8 @@ mcpc @apify tasks-cancel <taskId>
 With `--task`, the CLI shows a progress spinner with elapsed time, server status messages,
 and progress notifications. Press **ESC** during execution to detach and get the task ID
 for later retrieval. With `--detach`, the task starts and returns the task ID immediately.
+Use `tasks-result <taskId>` to fetch the final `CallToolResult` payload once the task
+completes.
 
 `tools-list` and `tools-get` show task support annotations per tool:
 `[task:optional]`, `[task:required]`, or `[task:forbidden]`.
@@ -1205,19 +1257,19 @@ See [CONTRIBUTING](./CONTRIBUTING.md) for development setup, architecture overvi
 <!-- Stars, contributors, commits, and activity as of March 2026. -->
 
 | Tool                                                                    | Lang   | Stars | Contrib / Commits | Active | Tools | Resources | Prompts | Tasks | Code mode | Sessions | OAuth | Stdio | HTTP | Tool search | x402 | LLM |
-| ----------------------------------------------------------------------- | ------ | ----: | -----------------: | ------ | ----- | --------- | ------- | ----- | --------- | -------- | ----- | ----- | ---- | ----------- | ---- | --- |
-| **[apify/mcpc](https://github.com/apify/mcpc)**                         | TS     |  ~420 |           7 / ~510 | ✅     | ✅    | ✅        | ✅      | ✅    | ✅        | ✅       | ✅    | ✅    | ✅   | ✅          | ✅   | —   |
-| [steipete/mcporter](https://github.com/steipete/mcporter)               | TS     | ~3.5k |          24 / ~570 | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | ✅    | ✅    | ✅   | —           | —    | —   |
-| [IBM/mcp-cli](https://github.com/IBM/mcp-cli)                           | Python | ~1.9k |          22 / ~790 | ✅     | ✅    | ✅        | ✅      | —     | ✅        | ✅       | ✅    | ✅    | ✅   | —           | —    | ✅  |
-| [knowsuchagency/mcp2cli](https://github.com/knowsuchagency/mcp2cli)     | Python | ~1.8k |           5 / ~76  | ✅     | ✅    | ✅        | ✅      | —     | ✅        | ✅       | ✅    | ✅    | ✅   | ✅          | —    | —   |
-| [f/mcptools](https://github.com/f/mcptools)                             | Go     | ~1.5k |          15 / ~170 | ⚠️     | ✅    | ✅        | ✅      | —     | ✅        | —        | —     | ✅    | ✅   | —           | —    | —   |
-| [philschmid/mcp-cli](https://github.com/philschmid/mcp-cli)             | TS     | ~1.1k |           2 / ~30  | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | —     | ✅    | ✅   | ✅          | —    | —   |
-| [adhikasp/mcp-client-cli](https://github.com/adhikasp/mcp-client-cli)   | Python |  ~670 |          6 / ~110  | ⚠️     | ✅    | ✅        | ✅      | —     | —         | —        | —     | ✅    | —    | —           | —    | ✅  |
-| [thellimist/clihub](https://github.com/thellimist/clihub)               | Go     |  ~640 |           1 / ~60  | ✅     | ✅    | —         | —       | —     | —         | —        | ✅    | ✅    | ✅   | ✅          | —    | —   |
-| [wong2/mcp-cli](https://github.com/wong2/mcp-cli)                       | JS     |  ~430 |           4 / ~63  | ⚠️     | ✅    | ✅        | ✅      | —     | —         | —        | ✅    | —     | ✅   | —           | —    | —   |
-| [mcpshim/mcpshim](https://github.com/mcpshim/mcpshim)                   | Go     |   ~54 |           1 / ~13  | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | ✅    | —     | ✅   | ✅          | —    | —   |
-| [evantahler/mcpx](https://github.com/evantahler/mcpx)                   | TS     |   ~28 |           1 / ~64  | ✅     | ✅    | ✅        | ✅      | ✅    | ✅        | —        | ✅    | ✅    | ✅   | ✅          | —    | —   |
-| [EstebanForge/mcp-cli-ent](https://github.com/EstebanForge/mcp-cli-ent) | Go     |   ~15 |          ~2 / ~46  | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | —     | ✅    | ✅   | ✅          | —    | —   |
+| ----------------------------------------------------------------------- | ------ | ----: | ----------------: | ------ | ----- | --------- | ------- | ----- | --------- | -------- | ----- | ----- | ---- | ----------- | ---- | --- |
+| **[apify/mcpc](https://github.com/apify/mcpc)**                         | TS     |  ~420 |          7 / ~510 | ✅     | ✅    | ✅        | ✅      | ✅    | ✅        | ✅       | ✅    | ✅    | ✅   | ✅          | ✅   | —   |
+| [steipete/mcporter](https://github.com/steipete/mcporter)               | TS     | ~3.5k |         24 / ~570 | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | ✅    | ✅    | ✅   | —           | —    | —   |
+| [IBM/mcp-cli](https://github.com/IBM/mcp-cli)                           | Python | ~1.9k |         22 / ~790 | ✅     | ✅    | ✅        | ✅      | —     | ✅        | ✅       | ✅    | ✅    | ✅   | —           | —    | ✅  |
+| [knowsuchagency/mcp2cli](https://github.com/knowsuchagency/mcp2cli)     | Python | ~1.8k |           5 / ~76 | ✅     | ✅    | ✅        | ✅      | —     | ✅        | ✅       | ✅    | ✅    | ✅   | ✅          | —    | —   |
+| [f/mcptools](https://github.com/f/mcptools)                             | Go     | ~1.5k |         15 / ~170 | ⚠️     | ✅    | ✅        | ✅      | —     | ✅        | —        | —     | ✅    | ✅   | —           | —    | —   |
+| [philschmid/mcp-cli](https://github.com/philschmid/mcp-cli)             | TS     | ~1.1k |           2 / ~30 | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | —     | ✅    | ✅   | ✅          | —    | —   |
+| [adhikasp/mcp-client-cli](https://github.com/adhikasp/mcp-client-cli)   | Python |  ~670 |          6 / ~110 | ⚠️     | ✅    | ✅        | ✅      | —     | —         | —        | —     | ✅    | —    | —           | —    | ✅  |
+| [thellimist/clihub](https://github.com/thellimist/clihub)               | Go     |  ~640 |           1 / ~60 | ✅     | ✅    | —         | —       | —     | —         | —        | ✅    | ✅    | ✅   | ✅          | —    | —   |
+| [wong2/mcp-cli](https://github.com/wong2/mcp-cli)                       | JS     |  ~430 |           4 / ~63 | ⚠️     | ✅    | ✅        | ✅      | —     | —         | —        | ✅    | —     | ✅   | —           | —    | —   |
+| [mcpshim/mcpshim](https://github.com/mcpshim/mcpshim)                   | Go     |   ~54 |           1 / ~13 | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | ✅    | —     | ✅   | ✅          | —    | —   |
+| [evantahler/mcpx](https://github.com/evantahler/mcpx)                   | TS     |   ~28 |           1 / ~64 | ✅     | ✅    | ✅        | ✅      | ✅    | ✅        | —        | ✅    | ✅    | ✅   | ✅          | —    | —   |
+| [EstebanForge/mcp-cli-ent](https://github.com/EstebanForge/mcp-cli-ent) | Go     |   ~15 |          ~2 / ~46 | ✅     | ✅    | —         | —       | —     | ✅        | ✅       | —     | ✅    | ✅   | ✅          | —    | —   |
 
 **Legend:** ✅ = supported, ⚠️ = stale (no commits in 3+ months), **Contrib / Commits** = contributors / total commits, **Tasks** = [async tasks](https://modelcontextprotocol.io/specification/latest/server/utilities/tasks), **x402** = [x402 payment protocol](https://www.x402.org/) support, **LLM** = requires/uses an LLM.
 

package/dist/bridge/index.js

@@ -6,7 +6,7 @@ import { createMcpClient } from '../core/index.js';
 import { KEEPALIVE_INTERVAL_MS } from '../lib/types.js';
 import { createLogger, setVerbose, initFileLogger, closeFileLogger } from '../lib/index.js';
 import { fileExists, getBridgesDir, getSocketPath, ensureDir, cleanupOrphanedLogFiles, isSessionExpiredError, } from '../lib/index.js';
-import { ClientError, NetworkError, AuthError, isAuthenticationError } from '../lib/index.js';
+import { ClientError, ServerError, NetworkError, AuthError, isAuthenticationError, } from '../lib/index.js';
 import { getSession, loadSessions, updateSession } from '../lib/sessions.js';
 import { OAuthTokenManager } from '../lib/auth/oauth-token-manager.js';
 import { OAuthProvider } from '../lib/auth/oauth-provider.js';
@@ -45,7 +45,7 @@ class BridgeProcess {
     mcpClientReadyRejecter;
     constructor(options) {
         this.options = options;
-        this.socketPath = getSocketPath(options.sessionName);
+        this.socketPath = getSocketPath(options.sessionName, process.pid);
         this.mcpClientReady = new Promise((resolve, reject) => {
             this.mcpClientReadyResolver = resolve;
             this.mcpClientReadyRejecter = reject;
@@ -58,6 +58,7 @@ class BridgeProcess {
         logger.info(`Received auth credentials for profile: ${credentials.profileName}`);
         logger.debug(`  serverUrl: ${credentials.serverUrl}`);
         logger.debug(`  refreshToken: ${credentials.refreshToken ? 'present' : 'MISSING'}`);
+        logger.debug(`  accessToken: ${credentials.accessToken ? 'present' : 'MISSING'}`);
         logger.debug(`  clientId: ${credentials.clientId ? 'present' : 'MISSING'}`);
         logger.debug(`  headers: ${credentials.headers ? Object.keys(credentials.headers).length : 0}`);
         if (credentials.refreshToken && credentials.clientId) {
@@ -119,8 +120,18 @@ class BridgeProcess {
         else if (credentials.refreshToken && !credentials.clientId) {
             logger.warn('Refresh token provided but client ID is missing - token refresh will not work');
         }
+        else if (credentials.accessToken && !credentials.refreshToken) {
+            this.headers = {
+                ...this.headers,
+                Authorization: `Bearer ${credentials.accessToken}`,
+            };
+            logger.debug('Using OAuth access token as static Bearer header (no refresh token available)');
+        }
         if (credentials.headers) {
-            this.headers = credentials.headers;
+            this.headers = {
+                ...this.headers,
+                ...credentials.headers,
+            };
             logger.debug(`Stored headers "${Object.keys(this.headers).join(', ')}" in memory`);
         }
         if (this.authCredentialsResolver) {
@@ -237,7 +248,9 @@ class BridgeProcess {
                     classifiedError = new AuthError(errorMsg);
                 }
                 this.mcpClientReadyRejecter(classifiedError);
-                if (isSessionExpiredError(errorMsg)) {
+                if (isSessionExpiredError(errorMsg, {
+                    hadActiveSession: !!this.options.mcpSessionId,
+                })) {
                     logger.warn('Session rejected by server (expired session ID), marking as expired');
                     try {
                         await updateSession(this.options.sessionName, { status: 'expired' });
@@ -406,8 +419,20 @@ class BridgeProcess {
         });
         const serverDetails = await this.client.getServerDetails();
         const newMcpSessionId = this.client.getMcpSessionId();
+        if (this.options.mcpSessionId && newMcpSessionId !== this.options.mcpSessionId) {
+            logger.warn(`Server did not resume MCP session ` +
+                `(expected ${this.options.mcpSessionId}, got ${newMcpSessionId ?? 'none'}). Marking as expired.`);
+            throw new Error(`Session expired: server did not resume MCP session ` +
+                `(expected ${this.options.mcpSessionId}, got ${newMcpSessionId ?? 'none'})`);
+        }
+        if (this.options.mcpSessionId) {
+            logger.info('Verifying resumed session with ping...');
+            await this.client.ping();
+            logger.info('Session verification ping succeeded');
+        }
         const sessionUpdate = {
             lastSeenAt: new Date().toISOString(),
+            status: 'active',
         };
         if (serverDetails.protocolVersion) {
             sessionUpdate.protocolVersion = serverDetails.protocolVersion;
@@ -422,6 +447,10 @@ class BridgeProcess {
         await updateSession(this.options.sessionName, sessionUpdate);
         if (serverDetails.capabilities?.tools) {
             await this.client.listAllTools({ refreshCache: true }).catch((err) => {
+                const errMsg = err.message || '';
+                if (isSessionExpiredError(errMsg) || isAuthenticationError(errMsg)) {
+                    throw err;
+                }
                 logger.warn('Failed to pre-populate tools cache:', err);
             });
         }
@@ -456,6 +485,13 @@ class BridgeProcess {
     }
     startKeepalive() {
         logger.debug(`Starting keepalive ping every ${KEEPALIVE_INTERVAL_MS / 1000}s`);
+        const earlyPing = setTimeout(() => {
+            this.sendKeepalivePing().catch(async (error) => {
+                logger.error('Initial keepalive ping failed:', error);
+                await this.handlePossibleExpiration(error);
+            });
+        }, 5_000);
+        earlyPing.unref();
         this.keepaliveInterval = setInterval(() => {
             this.sendKeepalivePing().catch(async (error) => {
                 logger.error('Keepalive ping failed:', error);
@@ -484,12 +520,29 @@ class BridgeProcess {
         }
     }
     async handlePossibleExpiration(error) {
+        if (error instanceof ServerError) {
+            const originalError = error.details?.originalError;
+            if (originalError && originalError.name === 'McpError') {
+                return;
+            }
+        }
         let status = null;
-        if (isSessionExpiredError(error.message)) {
+        if (isSessionExpiredError(error.message, { hadActiveSession: true })) {
             logger.warn('Session appears to be expired, marking as expired and shutting down');
             status = 'expired';
         }
         else if (isAuthenticationError(error.message)) {
+            if (this.tokenManager) {
+                try {
+                    logger.info('Authentication error detected, attempting token refresh before giving up...');
+                    await this.tokenManager.refreshAccessToken();
+                    logger.info('Token refresh succeeded — session will recover on next request');
+                    return;
+                }
+                catch (refreshError) {
+                    logger.warn('Token refresh also failed, marking session as unauthorized:', refreshError);
+                }
+            }
             logger.warn('Authentication rejected, marking session as unauthorized and shutting down');
             status = 'unauthorized';
         }
@@ -802,6 +855,11 @@ class BridgeProcess {
                     result = await this.client.getTask(params.taskId);
                     break;
                 }
+                case 'getTaskResult': {
+                    const params = message.params;
+                    result = await this.client.getTaskResult(params.taskId);
+                    break;
+                }
                 case 'cancelTask': {
                     const params = message.params;
                     result = await this.client.cancelTask(params.taskId);