@context-engine-bridge/context-engine-mcp-bridge 0.0.13 → 0.0.15

package/AGENTS.md

@@ -0,0 +1,18 @@
+<!-- Parent: ../AGENTS.md -->
+# MCP Bridge CLI (ctxce)
+
+Node package that exposes indexer+memory as a single MCP server (stdio + HTTP). Optional OAuth/PKCE.
+
+## WHERE TO LOOK
+
+| Task | Location | Notes |
+|------|----------|-------|
+| CLI entry | `ctx-mcp-bridge/bin/ctxce.js` | wrapper -> src/cli |
+| CLI logic | `ctx-mcp-bridge/src/cli.js` | command parsing |
+| MCP proxy | `ctx-mcp-bridge/src/mcpServer.js` | forwards tools |
+| OAuth/PKCE | `ctx-mcp-bridge/src/oauthHandler.js` | auth flow |
+| Path mapping | `ctx-mcp-bridge/src/resultPathMapping.js` | local <-> remote |
+
+## KNOWN TODO
+
+- PKCE verifier validation is still TODO in `ctx-mcp-bridge/src/oauthHandler.js`.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@context-engine-bridge/context-engine-mcp-bridge",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "description": "Context Engine MCP bridge (http/stdio proxy combining indexer + memory servers)",
   "bin": {
     "ctxce": "bin/ctxce.js",

package/src/authConfig.js

@@ -11,7 +11,7 @@ function getConfigPath() {
   return path.join(dir, CONFIG_BASENAME);
 }
 
-function readConfig() {
+export function readConfig() {
   try {
     const cfgPath = getConfigPath();
     const raw = fs.readFileSync(cfgPath, "utf8");

package/src/mcpServer.js

@@ -9,7 +9,7 @@ import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
-import { loadAnyAuthEntry, loadAuthEntry } from "./authConfig.js";
+import { loadAnyAuthEntry, loadAuthEntry, readConfig, saveAuthEntry } from "./authConfig.js";
 import { maybeRemapToolArgs, maybeRemapToolResult } from "./resultPathMapping.js";
 import * as oauthHandler from "./oauthHandler.js";
 
@@ -63,11 +63,7 @@ async function listMemoryTools(client) {
     return [];
   }
   try {
-    const remote = await withTimeout(
-      client.listTools(),
-      5000,
-      "memory tools/list",
-    );
+    const remote = await client.listTools();
     return Array.isArray(remote?.tools) ? remote.tools.slice() : [];
   } catch (err) {
     debugLog("[ctxce] Error calling memory tools/list: " + String(err));
@@ -113,15 +109,15 @@ function getBridgeToolTimeoutMs() {
   try {
     const raw = process.env.CTXCE_TOOL_TIMEOUT_MSEC;
     if (!raw) {
-      return 300000;
+      return 600000; // 10 minutes default for remote operations
     }
     const parsed = Number.parseInt(String(raw), 10);
     if (!Number.isFinite(parsed) || parsed <= 0) {
-      return 300000;
+      return 600000;
     }
     return parsed;
   } catch {
-    return 300000;
+    return 600000;
   }
 }
 
@@ -130,7 +126,7 @@ function selectClientForTool(name, indexerClient, memoryClient) {
     return indexerClient;
   }
   const lowered = name.toLowerCase();
-  if (memoryClient && (lowered.startsWith("memory.") || lowered.startsWith("mcp_memory_") || lowered.includes("memory"))) {
+  if (memoryClient && (lowered.startsWith("memory.") || lowered.startsWith("mcp_memory_"))) {
     return memoryClient;
   }
   return indexerClient;
@@ -155,11 +151,34 @@ function isSessionError(error) {
   }
 }
 
+/**
+ * Detect actual backend auth rejection (from mcp_auth.py ValidationError).
+ * These indicate the session is truly invalid on the backend, not just
+ * an MCP SDK transport issue that can be fixed by reinit.
+ */
+function isAuthRejectionError(error) {
+  try {
+    const msg =
+      (error && typeof error.message === "string" && error.message) ||
+      (typeof error === "string" ? error : String(error || ""));
+    if (!msg) {
+      return false;
+    }
+    return (
+      msg.includes("Invalid or expired session") ||
+      msg.includes("Missing session for authorized operation") ||
+      msg.includes("Not authenticated")
+    );
+  } catch {
+    return false;
+  }
+}
+
 function getBridgeRetryAttempts() {
   try {
     const raw = process.env.CTXCE_TOOL_RETRY_ATTEMPTS;
     if (!raw) {
-      return 2;
+      return 3; // 3 attempts for better reliability on remote
     }
     const parsed = Number.parseInt(String(raw), 10);
     if (!Number.isFinite(parsed) || parsed <= 0) {
@@ -167,7 +186,7 @@ function getBridgeRetryAttempts() {
     }
     return parsed;
   } catch {
-    return 2;
+    return 3;
   }
 }
 
@@ -175,7 +194,7 @@ function getBridgeRetryDelayMs() {
   try {
     const raw = process.env.CTXCE_TOOL_RETRY_DELAY_MSEC;
     if (!raw) {
-      return 200;
+      return 1000; // 1 second delay between retries for remote
     }
     const parsed = Number.parseInt(String(raw), 10);
     if (!Number.isFinite(parsed) || parsed < 0) {
@@ -183,7 +202,7 @@ function getBridgeRetryDelayMs() {
     }
     return parsed;
   } catch {
-    return 200;
+    return 1000;
   }
 }
 
@@ -255,6 +274,15 @@ const ADMIN_SESSION_COOKIE_NAME = "ctxce_session";
 const SLUGGED_REPO_RE = /.+-[0-9a-f]{16}(?:_old)?$/i;
 const BRIDGE_STATE_TOKEN = (process.env.CTXCE_BRIDGE_STATE_TOKEN || "").trim();
 
+function getHostname(candidate) {
+  try {
+    const url = new URL(candidate);
+    return url.hostname;
+  } catch {
+    return "";
+  }
+}
+
 function normalizeBackendUrl(candidate) {
   const trimmed = (candidate || "").trim();
   if (!trimmed) {
@@ -271,11 +299,35 @@ function normalizeBackendUrl(candidate) {
   return trimmed.replace(/\/+$/, "");
 }
 
-function resolveAuthBackendContext() {
+function resolveAuthBackendContext(indexerUrl, memoryUrl) {
   const envBackend = normalizeBackendUrl(process.env.CTXCE_AUTH_BACKEND_URL || "");
   if (envBackend) {
     return { backendUrl: envBackend, source: "CTXCE_AUTH_BACKEND_URL" };
   }
+
+  // If no env override, try to find a saved session.
+  // We prefer one that matches the host of indexer or memory URL if they look like backend roots.
+  const targetHosts = new Set();
+  const ih = getHostname(indexerUrl);
+  if (ih) {
+    targetHosts.add(ih);
+  }
+  const mh = getHostname(memoryUrl);
+  if (mh) {
+    targetHosts.add(mh);
+  }
+
+  if (targetHosts.size > 0) {
+    const all = readConfig();
+    const backends = Object.keys(all);
+    for (const backendUrl of backends) {
+      const bh = getHostname(backendUrl);
+      if (bh && targetHosts.has(bh)) {
+        return { backendUrl, source: "auth_entry_host_match" };
+      }
+    }
+  }
+
   try {
     const any = loadAnyAuthEntry();
     const stored = normalizeBackendUrl(any?.backendUrl || "");
@@ -288,32 +340,22 @@ function resolveAuthBackendContext() {
   return { backendUrl: "", source: "" };
 }
 
-const {
-  backendUrl: AUTH_BACKEND_URL,
-  source: AUTH_BACKEND_SOURCE,
-} = resolveAuthBackendContext();
-const UPLOAD_SERVICE_URL = AUTH_BACKEND_URL;
-const UPLOAD_AUTH_BACKEND = AUTH_BACKEND_URL;
-
-if (UPLOAD_SERVICE_URL) {
-  debugLog(`[ctxce] Upload/auth backend resolved from ${AUTH_BACKEND_SOURCE}: ${UPLOAD_SERVICE_URL}`);
-} else {
-  debugLog("[ctxce] No auth backend detected; bridge/state overrides disabled.");
-}
-
 async function fetchBridgeCollectionState({
   workspace,
   collection,
   sessionId,
   repoName,
   bridgeStateToken,
+  backendHint,
+  uploadServiceUrl,
 }) {
   try {
-    if (!UPLOAD_SERVICE_URL) {
+    if (!uploadServiceUrl) {
       debugLog("[ctxce] Skipping bridge/state fetch: no upload endpoint configured.");
       return null;
     }
-    const url = new URL("/bridge/state", UPLOAD_SERVICE_URL);
+    const url = new URL("/bridge/state", uploadServiceUrl);
+    // ...
     if (collection && collection.trim()) {
       url.searchParams.set("collection", collection.trim());
     } else if (workspace && workspace.trim()) {
@@ -341,8 +383,18 @@ async function fetchBridgeCollectionState({
     if (!resp.ok) {
       if (resp.status === 401 || resp.status === 403) {
         debugLog(
-          `[ctxce] /bridge/state responded ${resp.status}; missing or invalid token/session, falling back to ctx_config defaults.`,
+          `[ctxce] /bridge/state responded ${resp.status}; missing or invalid token/session, marking local session as expired.`,
         );
+        if (backendHint) {
+          try {
+            const entry = loadAuthEntry(backendHint);
+            if (entry) {
+              saveAuthEntry(backendHint, { ...entry, expiresAt: 1 });
+            }
+          } catch {
+            // ignore failures
+          }
+        }
         return null;
       }
       throw new Error(`bridge/state responded ${resp.status}`);
@@ -389,9 +441,23 @@ async function createBridgeServer(options) {
   // future this can be made user-aware (e.g. from auth), but for now we
   // keep it deterministic per workspace to help the indexer reuse
   // session-scoped defaults.
+  const {
+    backendUrl: authBackendUrl,
+    source: authBackendSource,
+  } = resolveAuthBackendContext(indexerUrl, memoryUrl);
+
+  const uploadServiceUrl = authBackendUrl;
+  const uploadAuthBackend = authBackendUrl;
+
+  if (uploadServiceUrl) {
+    debugLog(`[ctxce] Upload/auth backend resolved from ${authBackendSource}: ${uploadServiceUrl}`);
+  } else {
+    debugLog("[ctxce] No auth backend detected; bridge/state overrides disabled.");
+  }
+
   const explicitSession = process.env.CTXCE_SESSION_ID || "";
   const authBackendEnv = (process.env.CTXCE_AUTH_BACKEND_URL || "").trim();
-  let backendHint = authBackendEnv || UPLOAD_AUTH_BACKEND || "";
+  let backendHint = authBackendEnv || uploadAuthBackend || "";
   let sessionId = explicitSession;
 
   function sessionFromEntry(entry) {
@@ -446,7 +512,7 @@ async function createBridgeServer(options) {
     if (explicit) {
       return explicit;
     }
-    return findSavedSession([backendHint, UPLOAD_AUTH_BACKEND, authBackendEnv]);
+    return findSavedSession([backendHint, uploadAuthBackend, authBackendEnv]);
   }
 
   if (!sessionId) {
@@ -473,6 +539,8 @@ async function createBridgeServer(options) {
       sessionId,
       repoName,
       bridgeStateToken: BRIDGE_STATE_TOKEN,
+      backendHint,
+      uploadServiceUrl,
     });
     if (state) {
       const serving = state.serving_collection || state.active_collection;
@@ -502,10 +570,23 @@ async function createBridgeServer(options) {
     }
 
     if (forceRecreate) {
-      try {
-        debugLog("[ctxce] Reinitializing remote MCP clients after session error.");
-      } catch {
-        // ignore logging failures
+      debugLog("[ctxce] Reinitializing remote MCP clients after session error.");
+      
+      if (indexerClient) {
+        try {
+          await indexerClient.close();
+        } catch {
+          // ignore close errors
+        }
+        indexerClient = null;
+      }
+      if (memoryClient) {
+        try {
+          await memoryClient.close();
+        } catch {
+          // ignore close errors
+        }
+        memoryClient = null;
       }
     }
 
@@ -592,11 +673,7 @@ async function createBridgeServer(options) {
       if (!indexerClient) {
         throw new Error("Indexer MCP client not initialized");
       }
-      remote = await withTimeout(
-        indexerClient.listTools(),
-        10000,
-        "indexer tools/list",
-      );
+      remote = await indexerClient.listTools();
     } catch (err) {
       debugLog("[ctxce] Error calling remote tools/list: " + String(err));
       const memoryToolsFallback = await listMemoryTools(memoryClient);
@@ -695,20 +772,38 @@ async function createBridgeServer(options) {
         if (isSessionError(err) && !sessionRetried) {
           debugLog(
             "[ctxce] tools/call: detected remote MCP session error; reinitializing clients and retrying once: " +
-              String(err),
+            String(err),
           );
           await initializeRemoteClients(true);
           sessionRetried = true;
           continue;
         }
 
+        // Backend auth rejection (mcp_auth.py ValidationError) - expire local auth
+        if (isAuthRejectionError(err)) {
+          debugLog(
+            "[ctxce] tools/call: backend auth rejection; marking local session as expired: " +
+            String(err),
+          );
+          if (backendHint) {
+            try {
+              const entry = loadAuthEntry(backendHint);
+              if (entry) {
+                saveAuthEntry(backendHint, { ...entry, expiresAt: 1 });
+              }
+            } catch {
+              // ignore failures
+            }
+          }
+        }
+
         if (!isTransientToolError(err) || attempt === maxAttempts - 1) {
           throw err;
         }
 
         debugLog(
           `[ctxce] tools/call: transient error (attempt ${attempt + 1}/${maxAttempts}), retrying: ` +
-            String(err),
+          String(err),
         );
         // Loop will retry
       }
@@ -830,11 +925,28 @@ export async function runHttpMcpServer(options) {
           return;
         }
 
+        const MAX_BODY_SIZE = 10 * 1024 * 1024; // 10MB
         let body = "";
+        let bodyLimitExceeded = false;
         req.on("data", (chunk) => {
+          if (bodyLimitExceeded) return;
           body += chunk;
+          if (body.length > MAX_BODY_SIZE) {
+            bodyLimitExceeded = true;
+            req.destroy();
+            res.statusCode = 413;
+            res.setHeader("Content-Type", "application/json");
+            res.end(
+              JSON.stringify({
+                jsonrpc: "2.0",
+                error: { code: -32000, message: "Request body too large" },
+                id: null,
+              }),
+            );
+          }
         });
         req.on("end", async () => {
+          if (bodyLimitExceeded) return;
           let parsed;
           try {
             parsed = body ? JSON.parse(body) : {};
@@ -902,6 +1014,25 @@ export async function runHttpMcpServer(options) {
   httpServer.listen(port, '127.0.0.1', () => {
     debugLog(`[ctxce] HTTP MCP bridge listening on 127.0.0.1:${port}`);
   });
+
+  let shuttingDown = false;
+  const shutdown = (signal) => {
+    if (shuttingDown) return;
+    shuttingDown = true;
+    debugLog(`[ctxce] Received ${signal}; closing HTTP server (waiting for in-flight requests).`);
+    httpServer.close(() => {
+      debugLog("[ctxce] HTTP server closed.");
+      process.exit(0);
+    });
+    const SHUTDOWN_TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes for long MCP calls
+    setTimeout(() => {
+      debugLog("[ctxce] Forcing exit after shutdown timeout.");
+      process.exit(1);
+    }, SHUTDOWN_TIMEOUT_MS).unref();
+  };
+
+  process.on("SIGTERM", () => shutdown("SIGTERM"));
+  process.on("SIGINT", () => shutdown("SIGINT"));
 }
 
 function loadConfig(startDir) {

package/src/oauthHandler.js

@@ -16,24 +16,97 @@ const pendingCodes = new Map();
 // Maps client_id to client info
 const registeredClients = new Map();
 
+// ============================================================================
+// Storage Limits and Cleanup Configuration
+// ============================================================================
+
+const MAX_TOKEN_STORE_SIZE = 10000;
+const MAX_PENDING_CODES_SIZE = 1000;
+const MAX_REGISTERED_CLIENTS_SIZE = 1000;
+const TOKEN_EXPIRY_MS = 86400000; // 24 hours
+const CODE_EXPIRY_MS = 600000; // 10 minutes
+const CLIENT_EXPIRY_MS = 7 * 86400000; // 7 days
+const CLEANUP_INTERVAL_MS = 300000; // 5 minutes
+
+// Cleanup interval reference (for cleanup on shutdown if needed)
+let cleanupIntervalId = null;
+
 // ============================================================================
 // OAuth Utilities
 // ============================================================================
 
-/**
- * Clean up expired tokens from tokenStore
- * Called periodically to prevent unbounded memory growth
- */
 function cleanupExpiredTokens() {
   const now = Date.now();
-  const expiryMs = 86400000; // 24 hours
   for (const [token, data] of tokenStore.entries()) {
-    if (now - data.createdAt > expiryMs) {
+    if (now - data.createdAt > TOKEN_EXPIRY_MS) {
       tokenStore.delete(token);
     }
   }
 }
 
+function cleanupExpiredCodes() {
+  const now = Date.now();
+  for (const [code, data] of pendingCodes.entries()) {
+    if (now - data.createdAt > CODE_EXPIRY_MS) {
+      pendingCodes.delete(code);
+    }
+  }
+}
+
+function cleanupExpiredClients() {
+  const now = Date.now();
+  for (const [clientId, data] of registeredClients.entries()) {
+    if (now - data.createdAt > CLIENT_EXPIRY_MS) {
+      registeredClients.delete(clientId);
+    }
+  }
+}
+
+function enforceStorageLimits() {
+  if (tokenStore.size > MAX_TOKEN_STORE_SIZE) {
+    const entries = [...tokenStore.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);
+    const toRemove = entries.slice(0, tokenStore.size - MAX_TOKEN_STORE_SIZE);
+    for (const [key] of toRemove) {
+      tokenStore.delete(key);
+    }
+  }
+  if (pendingCodes.size > MAX_PENDING_CODES_SIZE) {
+    const entries = [...pendingCodes.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);
+    const toRemove = entries.slice(0, pendingCodes.size - MAX_PENDING_CODES_SIZE);
+    for (const [key] of toRemove) {
+      pendingCodes.delete(key);
+    }
+  }
+  if (registeredClients.size > MAX_REGISTERED_CLIENTS_SIZE) {
+    const entries = [...registeredClients.entries()].sort((a, b) => a[1].createdAt - b[1].createdAt);
+    const toRemove = entries.slice(0, registeredClients.size - MAX_REGISTERED_CLIENTS_SIZE);
+    for (const [key] of toRemove) {
+      registeredClients.delete(key);
+    }
+  }
+}
+
+function runPeriodicCleanup() {
+  cleanupExpiredTokens();
+  cleanupExpiredCodes();
+  cleanupExpiredClients();
+  enforceStorageLimits();
+}
+
+export function startCleanupInterval() {
+  if (!cleanupIntervalId) {
+    cleanupIntervalId = setInterval(runPeriodicCleanup, CLEANUP_INTERVAL_MS);
+    cleanupIntervalId.unref?.();
+  }
+}
+
+export function stopCleanupInterval() {
+  if (cleanupIntervalId) {
+    clearInterval(cleanupIntervalId);
+    cleanupIntervalId = null;
+  }
+}
+
 function generateToken() {
   return randomBytes(32).toString("hex");
 }
@@ -545,20 +618,14 @@ export function handleOAuthToken(req, res) {
   });
 }
 
-/**
- * Validate Bearer token and return session info
- * @param {string} token - Bearer token
- * @returns {{sessionId: string, backendUrl: string} | null}
- */
 export function validateBearerToken(token) {
   const tokenData = tokenStore.get(token);
   if (!tokenData) {
     return null;
   }
 
-  // Check token age (24 hour expiry)
   const tokenAge = Date.now() - tokenData.createdAt;
-  if (tokenAge > 86400000) {
+  if (tokenAge > TOKEN_EXPIRY_MS) {
     tokenStore.delete(token);
     return null;
   }
@@ -583,3 +650,5 @@ export function isOAuthEndpoint(pathname) {
     pathname === "/oauth/token"
   );
 }
+
+startCleanupInterval();

package/src/resultPathMapping.js

@@ -326,6 +326,8 @@ function remapHitPaths(hit, workspaceRoot) {
       out.path = finalRelPath;
     }
   }
+  // Strip internal container_path before returning to client.
+  delete out.container_path;
   return out;
 }