@danielblomma/cortex-mcp 1.7.1 → 2.0.2

package/scaffold/mcp/src/server.ts

@@ -4,9 +4,35 @@ import { z } from "zod";
 import { reloadContextGraph } from "./graph.js";
 import { runContextRules } from "./rules.js";
 import { runContextImpact, runContextRelated, runContextSearch } from "./search.js";
+import {
+  getToolCallHook,
+  getToolEventHook,
+  getSessionEndHook,
+  getSessionEventHook,
+  loadPlugins,
+} from "./plugin.js";
 
 type ToolPayload = Record<string, unknown>;
 
+const ESTIMATED_TOKENS_SAVED_PER_RESULT = 400;
+const MAX_SESSION_CALLS = 1000;
+const SHUTDOWN_TIMEOUT_MS = 3000;
+
+type SessionCall = {
+  tool: string;
+  query?: string;
+  resultCount: number;
+  time: string;
+  outcome?: "success" | "error";
+  duration_ms?: number;
+  error?: string;
+};
+
+const sessionCalls: SessionCall[] = [];
+const sessionStartedAt = Date.now();
+let successfulToolCalls = 0;
+let failedToolCalls = 0;
+
 const SearchInput = z.object({
   query: z.string().min(1),
   top_k: z.number().int().positive().max(20).default(5),
@@ -123,6 +149,115 @@ function buildToolResult(data: ToolPayload) {
   };
 }
 
+function extractQuery(input: unknown): string | undefined {
+  if (input && typeof input === "object" && "query" in input) {
+    const q = (input as { query?: unknown }).query;
+    if (typeof q === "string") return q;
+  }
+  return undefined;
+}
+
+function notifyToolStart(toolName: string, input: unknown): string {
+  const timestamp = new Date().toISOString();
+  const eventHook = getToolEventHook();
+  if (eventHook) {
+    const query = extractQuery(input);
+    void eventHook({
+      phase: "start",
+      tool: toolName,
+      timestamp,
+      input: (input ?? {}) as Record<string, unknown>,
+      query,
+      query_length: query?.length,
+    });
+  }
+  return timestamp;
+}
+
+function notifyToolCall(toolName: string, input: unknown, result: ToolPayload, durationMs: number, startedAtIso: string): void {
+  const resultCount = Array.isArray((result as { results?: unknown }).results)
+    ? ((result as { results: unknown[] }).results).length
+    : 0;
+  const query = extractQuery(input);
+  if (sessionCalls.length < MAX_SESSION_CALLS) {
+    sessionCalls.push({
+      tool: toolName,
+      query,
+      resultCount,
+      time: startedAtIso,
+      outcome: "success",
+      duration_ms: durationMs,
+    });
+  }
+  successfulToolCalls++;
+
+  const eventHook = getToolEventHook();
+  const hook = getToolCallHook();
+  if (!eventHook && hook) {
+    hook(toolName, resultCount, resultCount * ESTIMATED_TOKENS_SAVED_PER_RESULT);
+  }
+  if (eventHook) {
+    void eventHook({
+      phase: "success",
+      tool: toolName,
+      timestamp: new Date().toISOString(),
+      input: (input ?? {}) as Record<string, unknown>,
+      query,
+      query_length: query?.length,
+      result_count: resultCount,
+      estimated_tokens_saved: resultCount * ESTIMATED_TOKENS_SAVED_PER_RESULT,
+      duration_ms: durationMs,
+    });
+  }
+}
+
+function notifyToolError(toolName: string, input: unknown, error: unknown, durationMs: number, startedAtIso: string): void {
+  const query = extractQuery(input);
+  if (sessionCalls.length < MAX_SESSION_CALLS) {
+    sessionCalls.push({
+      tool: toolName,
+      query,
+      resultCount: 0,
+      time: startedAtIso,
+      outcome: "error",
+      duration_ms: durationMs,
+      error: error instanceof Error ? error.message : String(error),
+    });
+  }
+  failedToolCalls++;
+
+  const eventHook = getToolEventHook();
+  if (eventHook) {
+    void eventHook({
+      phase: "error",
+      tool: toolName,
+      timestamp: new Date().toISOString(),
+      input: (input ?? {}) as Record<string, unknown>,
+      query,
+      query_length: query?.length,
+      duration_ms: durationMs,
+      error: error instanceof Error ? error.message : String(error),
+    });
+  }
+}
+
+async function executeInstrumentedTool(
+  toolName: string,
+  input: unknown,
+  run: () => Promise<ToolPayload>
+) {
+  const startedAt = Date.now();
+  const startedAtIso = notifyToolStart(toolName, input);
+  try {
+    const result = await run();
+    notifyToolCall(toolName, input, result, Date.now() - startedAt, startedAtIso);
+    return buildToolResult(result);
+  } catch (error) {
+    notifyToolError(toolName, input, error, Date.now() - startedAt, startedAtIso);
+    throw error;
+  }
+}
+
 function registerTools(server: McpServer): void {
   server.registerTool(
     "context.search",
@@ -130,7 +265,11 @@ function registerTools(server: McpServer): void {
       description: "Search ranked context documents and code using semantic, graph and trust weighting.",
       inputSchema: SearchInput
     },
-    async (input) => buildToolResult(await runContextSearch(SearchInput.parse(input ?? {})))
+    async (input) => executeInstrumentedTool(
+      "context.search",
+      input,
+      async () => runContextSearch(SearchInput.parse(input ?? {}))
+    )
   );
 
   server.registerTool(
@@ -139,7 +278,11 @@ function registerTools(server: McpServer): void {
       description: "Return related entities and graph edges for a context entity id.",
       inputSchema: RelatedInput
     },
-    async (input) => buildToolResult(await runContextRelated(RelatedInput.parse(input ?? {})))
+    async (input) => executeInstrumentedTool(
+      "context.get_related",
+      input,
+      async () => runContextRelated(RelatedInput.parse(input ?? {}))
+    )
   );
 
   server.registerTool(
@@ -148,7 +291,11 @@ function registerTools(server: McpServer): void {
       description: "Traverse likely impact paths across config, code and SQL starting from an entity id or query.",
       inputSchema: ImpactInput
     },
-    async (input) => buildToolResult(await runContextImpact(ImpactInput.parse(input ?? {})))
+    async (input) => executeInstrumentedTool(
+      "context.impact",
+      input,
+      async () => runContextImpact(ImpactInput.parse(input ?? {}))
+    )
   );
 
   server.registerTool(
@@ -157,7 +304,11 @@ function registerTools(server: McpServer): void {
       description: "List indexed rules filtered by scope and active status.",
       inputSchema: RulesInput.optional()
     },
-    async (input) => buildToolResult(await runContextRules(RulesInput.parse(input ?? {})))
+    async (input) => executeInstrumentedTool(
+      "context.get_rules",
+      input,
+      async () => runContextRules(RulesInput.parse(input ?? {}))
+    )
   );
 
   server.registerTool(
@@ -166,13 +317,50 @@ function registerTools(server: McpServer): void {
       description: "Reload RyuGraph connection after graph updates or maintenance.",
       inputSchema: ReloadInput.optional()
     },
-    async (input) => {
+    async (input) => executeInstrumentedTool("context.reload", input, async () => {
       const parsed = ReloadInput.parse(input ?? {});
-      return buildToolResult(await reloadContextGraph(parsed.force));
-    }
+      return reloadContextGraph(parsed.force);
+    })
   );
 }
 
+let shutdownCalled = false;
+
+async function onShutdown(): Promise<void> {
+  if (shutdownCalled) return;
+  shutdownCalled = true;
+  const sessionEventHook = getSessionEventHook();
+  if (sessionEventHook) {
+    try {
+      await Promise.race([
+        Promise.resolve(sessionEventHook({
+          phase: "end",
+          timestamp: new Date().toISOString(),
+          duration_ms: Date.now() - sessionStartedAt,
+          tool_calls: sessionCalls.length,
+          successful_tool_calls: successfulToolCalls,
+          failed_tool_calls: failedToolCalls,
+          calls: [...sessionCalls],
+        })),
+        new Promise<never>((_, reject) => setTimeout(() => reject(new Error("session event hook timeout")), SHUTDOWN_TIMEOUT_MS))
+      ]);
+    } catch {
+      // Best effort — don't block shutdown
+    }
+  }
+  const hook = getSessionEndHook();
+  if (hook) {
+    try {
+      await Promise.race([
+        hook([...sessionCalls]),
+        new Promise<never>((_, reject) => setTimeout(() => reject(new Error("shutdown hook timeout")), SHUTDOWN_TIMEOUT_MS))
+      ]);
+    } catch {
+      // Best effort — don't block shutdown
+    }
+  }
+}
+
 async function main(): Promise<void> {
   const server = new McpServer({
     name: "cortex-context",
@@ -180,8 +368,31 @@ async function main(): Promise<void> {
   });
 
   registerTools(server);
+
+  // v2.0.0: load enterprise plugin in-process if .context/enterprise.yml
+  // is present and license validates. Community-mode is a no-op.
+  await loadPlugins(server);
+
+  // Notify session start to enterprise (if active).
+  const sessionEventHook = getSessionEventHook();
+  if (sessionEventHook) {
+    void sessionEventHook({
+      phase: "start",
+      timestamp: new Date(sessionStartedAt).toISOString(),
+    });
+  }
+
   const transport = new StdioServerTransport();
   await server.connect(transport);
+
+  const cleanup = () => {
+    void onShutdown().finally(() => process.exit(0));
+  };
+  process.on("SIGINT", cleanup);
+  process.on("SIGTERM", cleanup);
+  process.on("beforeExit", () => {
+    void onShutdown();
+  });
 }
 
 main().catch((error) => {

package/scaffold/mcp/tests/copilot-shim.test.mjs

@@ -0,0 +1,146 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import {
+  installCopilotShim,
+  uninstallCopilotShim,
+  buildCopilotShim,
+  isCortexShim,
+  SHIM_MARKER,
+} from "../dist/cli/run.js";
+
+function makeWorkspace() {
+  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-shim-"));
+  const realDir = path.join(dir, "real-bin");
+  const shimDir = path.join(dir, "shim-bin");
+  fs.mkdirSync(realDir, { recursive: true });
+  fs.mkdirSync(shimDir, { recursive: true });
+  const realCopilot = path.join(realDir, "copilot");
+  fs.writeFileSync(realCopilot, "#!/bin/sh\necho real copilot\n", { mode: 0o755 });
+  return {
+    dir,
+    realDir,
+    shimDir,
+    realCopilot,
+    shimPath: path.join(shimDir, "copilot"),
+    searchPath: `${realDir}:${shimDir}`,
+  };
+}
+
+test("buildCopilotShim: contains SHIM_MARKER and exec line", () => {
+  const shim = buildCopilotShim("/usr/bin/copilot");
+  assert.ok(shim.startsWith("#!/bin/sh"));
+  assert.match(shim, new RegExp(SHIM_MARKER));
+  assert.match(shim, /Real binary captured at install time: \/usr\/bin\/copilot/);
+  assert.match(shim, /exec "\$CORTEX" run copilot "\$@"/);
+});
+
+test("installCopilotShim: writes shim, finds real binary, makes shim executable", () => {
+  const ws = makeWorkspace();
+  try {
+    const result = installCopilotShim({
+      shimPath: ws.shimPath,
+      searchPath: ws.searchPath,
+    });
+    assert.equal(result.ok, true, result.message);
+    assert.equal(result.realBinary, ws.realCopilot);
+    assert.equal(result.shimPath, ws.shimPath);
+    assert.equal(isCortexShim(ws.shimPath), true);
+    const stat = fs.statSync(ws.shimPath);
+    assert.equal(stat.mode & 0o111, 0o111, "shim should be executable");
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});
+
+test("installCopilotShim: errors when real binary missing", () => {
+  const ws = makeWorkspace();
+  try {
+    fs.unlinkSync(ws.realCopilot);
+    const result = installCopilotShim({
+      shimPath: ws.shimPath,
+      searchPath: ws.searchPath,
+    });
+    assert.equal(result.ok, false);
+    assert.match(result.message, /not found in PATH/);
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});
+
+test("installCopilotShim: refuses to overwrite a non-shim file at shim path", () => {
+  const ws = makeWorkspace();
+  try {
+    fs.writeFileSync(ws.shimPath, "#!/bin/sh\necho not a cortex shim\n", { mode: 0o755 });
+    const result = installCopilotShim({
+      shimPath: ws.shimPath,
+      searchPath: ws.searchPath,
+    });
+    assert.equal(result.ok, false);
+    assert.match(result.message, /not a cortex shim/);
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});
+
+test("installCopilotShim: skips a previously-installed shim during PATH search and replaces it cleanly", () => {
+  const ws = makeWorkspace();
+  try {
+    // First install — shim goes to shimDir.
+    const first = installCopilotShim({
+      shimPath: ws.shimPath,
+      searchPath: ws.searchPath,
+    });
+    assert.equal(first.ok, true);
+    // Second install — searchPath now lists shimDir before realDir; install must
+    // still find the real binary by skipping its own shim.
+    const second = installCopilotShim({
+      shimPath: ws.shimPath,
+      searchPath: `${ws.shimDir}:${ws.realDir}`,
+    });
+    assert.equal(second.ok, true, second.message);
+    assert.equal(second.realBinary, ws.realCopilot);
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});
+
+test("uninstallCopilotShim: removes a cortex shim", () => {
+  const ws = makeWorkspace();
+  try {
+    installCopilotShim({ shimPath: ws.shimPath, searchPath: ws.searchPath });
+    assert.equal(fs.existsSync(ws.shimPath), true);
+    const result = uninstallCopilotShim(ws.shimPath);
+    assert.equal(result.ok, true, result.message);
+    assert.equal(fs.existsSync(ws.shimPath), false);
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});
+
+test("uninstallCopilotShim: refuses to delete a file that is no longer a cortex shim", () => {
+  const ws = makeWorkspace();
+  try {
+    fs.writeFileSync(ws.shimPath, "#!/bin/sh\necho not a shim anymore\n", { mode: 0o755 });
+    const result = uninstallCopilotShim(ws.shimPath);
+    assert.equal(result.ok, false);
+    assert.match(result.message, /no longer a cortex shim/);
+    assert.equal(fs.existsSync(ws.shimPath), true, "should not delete user file");
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});
+
+test("uninstallCopilotShim: missing file is a no-op success", () => {
+  const ws = makeWorkspace();
+  try {
+    const result = uninstallCopilotShim(ws.shimPath);
+    assert.equal(result.ok, true);
+    assert.match(result.message, /already absent/);
+  } finally {
+    fs.rmSync(ws.dir, { recursive: true, force: true });
+  }
+});

package/scaffold/mcp/tests/daemon-client.test.mjs

@@ -0,0 +1,32 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+
+import { isProcessAlive } from "../dist/daemon/client.js";
+
+test("isProcessAlive: treats EPERM from signal 0 as alive", () => {
+  const originalKill = process.kill;
+  process.kill = () => {
+    const err = new Error("operation not permitted");
+    err.code = "EPERM";
+    throw err;
+  };
+  try {
+    assert.equal(isProcessAlive(12345), true);
+  } finally {
+    process.kill = originalKill;
+  }
+});
+
+test("isProcessAlive: returns false for ESRCH", () => {
+  const originalKill = process.kill;
+  process.kill = () => {
+    const err = new Error("no such process");
+    err.code = "ESRCH";
+    throw err;
+  };
+  try {
+    assert.equal(isProcessAlive(12345), false);
+  } finally {
+    process.kill = originalKill;
+  }
+});

package/scaffold/mcp/tests/egress-proxy.test.mjs

@@ -0,0 +1,239 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import net from "node:net";
+
+import { parseSni, startEgressProxy } from "../dist/daemon/egress-proxy.js";
+
+function makeProject() {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-egress-"));
+  fs.mkdirSync(path.join(root, ".context"), { recursive: true });
+  return root;
+}
+
+/**
+ * Hand-craft a minimal TLS 1.2 ClientHello with a server_name extension
+ * for the given hostname. Enough for the SNI parser to find it.
+ */
+function buildClientHello(serverName) {
+  const nameBuf = Buffer.from(serverName, "ascii");
+  const sniListInner = Buffer.concat([
+    Buffer.from([0x00]),
+    Buffer.from([(nameBuf.length >> 8) & 0xff, nameBuf.length & 0xff]),
+    nameBuf,
+  ]);
+  const sniList = Buffer.concat([
+    Buffer.from([(sniListInner.length >> 8) & 0xff, sniListInner.length & 0xff]),
+    sniListInner,
+  ]);
+  const sniExt = Buffer.concat([
+    Buffer.from([0x00, 0x00]),
+    Buffer.from([(sniList.length >> 8) & 0xff, sniList.length & 0xff]),
+    sniList,
+  ]);
+  const extensions = Buffer.concat([
+    Buffer.from([(sniExt.length >> 8) & 0xff, sniExt.length & 0xff]),
+    sniExt,
+  ]);
+
+  const random = Buffer.alloc(32);
+  const sessionId = Buffer.from([0x00]);
+  const cipherSuites = Buffer.from([0x00, 0x02, 0xc0, 0x2f]);
+  const compMethods = Buffer.from([0x01, 0x00]);
+
+  const clientHelloBody = Buffer.concat([
+    Buffer.from([0x03, 0x03]),
+    random,
+    sessionId,
+    cipherSuites,
+    compMethods,
+    extensions,
+  ]);
+  const handshake = Buffer.concat([
+    Buffer.from([0x01, (clientHelloBody.length >> 16) & 0xff, (clientHelloBody.length >> 8) & 0xff, clientHelloBody.length & 0xff]),
+    clientHelloBody,
+  ]);
+  const record = Buffer.concat([
+    Buffer.from([0x16, 0x03, 0x01, (handshake.length >> 8) & 0xff, handshake.length & 0xff]),
+    handshake,
+  ]);
+  return record;
+}
+
+test("parseSni: extracts hostname from a well-formed ClientHello", () => {
+  const buf = buildClientHello("api.githubcopilot.com");
+  assert.equal(parseSni(buf), "api.githubcopilot.com");
+});
+
+test("parseSni: returns null for too-short buffer", () => {
+  assert.equal(parseSni(Buffer.from([0x16, 0x03])), null);
+});
+
+test("parseSni: returns null for non-TLS bytes", () => {
+  assert.equal(parseSni(Buffer.from("GET / HTTP/1.1\r\n\r\n", "ascii")), null);
+});
+
+test("parseSni: returns null when no SNI extension is present", () => {
+  // ClientHello without extensions at all (extensions_length = 0).
+  const random = Buffer.alloc(32);
+  const sessionId = Buffer.from([0x00]);
+  const cipherSuites = Buffer.from([0x00, 0x02, 0xc0, 0x2f]);
+  const compMethods = Buffer.from([0x01, 0x00]);
+  const extensions = Buffer.from([0x00, 0x00]);
+  const body = Buffer.concat([
+    Buffer.from([0x03, 0x03]),
+    random,
+    sessionId,
+    cipherSuites,
+    compMethods,
+    extensions,
+  ]);
+  const handshake = Buffer.concat([
+    Buffer.from([0x01, 0x00, (body.length >> 8) & 0xff, body.length & 0xff]),
+    body,
+  ]);
+  const record = Buffer.concat([
+    Buffer.from([0x16, 0x03, 0x01, (handshake.length >> 8) & 0xff, handshake.length & 0xff]),
+    handshake,
+  ]);
+  assert.equal(parseSni(record), null);
+});
+
+function startEchoServer() {
+  return new Promise((resolve) => {
+    const server = net.createServer((sock) => {
+      sock.on("data", (chunk) => sock.write(chunk));
+    });
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      resolve({ server, port: addr.port });
+    });
+  });
+}
+
+test("egress proxy: CONNECT establishes tunnel and emits event with destination + SNI", async () => {
+  const echo = await startEchoServer();
+  const cwd = makeProject();
+  const proxy = await startEgressProxy({ cwd, port: 0, hostId: "test-host" });
+  try {
+    await new Promise((resolve, reject) => {
+      const client = net.connect(proxy.port, "127.0.0.1", () => {
+        client.write(`CONNECT 127.0.0.1:${echo.port} HTTP/1.1\r\nHost: 127.0.0.1:${echo.port}\r\n\r\n`);
+      });
+      let phase = "wait-200";
+      let pending = "";
+      client.on("data", (chunk) => {
+        if (phase === "wait-200") {
+          pending += chunk.toString();
+          if (pending.includes("\r\n\r\n")) {
+            assert.match(pending, /HTTP\/1\.1 200/);
+            phase = "tls";
+            client.write(buildClientHello("api.githubcopilot.com"));
+            return;
+          }
+        }
+        if (phase === "tls") {
+          client.end();
+          resolve();
+        }
+      });
+      client.on("error", reject);
+    });
+
+    // Give the proxy a moment to flush the audit event.
+    await new Promise((r) => setTimeout(r, 100));
+
+    const date = new Date().toISOString().slice(0, 10);
+    const auditFile = path.join(cwd, ".context", "audit", `host-events-${date}.jsonl`);
+    assert.equal(fs.existsSync(auditFile), true, "audit file should exist");
+    const events = fs
+      .readFileSync(auditFile, "utf8")
+      .trim()
+      .split("\n")
+      .map((l) => JSON.parse(l));
+    const egress = events.find((e) => e.event_type === "egress_connection");
+    assert.ok(egress, "egress_connection event should be emitted");
+    assert.equal(egress.protocol, "https");
+    assert.equal(egress.destination.host, "127.0.0.1");
+    assert.equal(egress.destination.port, echo.port);
+    assert.equal(egress.sni, "api.githubcopilot.com");
+    assert.ok(egress.bytes_client_to_server > 0);
+    assert.ok(egress.bytes_server_to_client > 0);
+  } finally {
+    await proxy.stop();
+    await new Promise((r) => echo.server.close(r));
+    fs.rmSync(cwd, { recursive: true, force: true });
+  }
+});
+
+test("egress proxy: HTTP request also logs destination", async () => {
+  const echo = await startEchoServer();
+  const cwd = makeProject();
+  const proxy = await startEgressProxy({ cwd, port: 0, hostId: "test-host" });
+  try {
+    await new Promise((resolve, reject) => {
+      const client = net.connect(proxy.port, "127.0.0.1", () => {
+        client.write(
+          `GET http://127.0.0.1:${echo.port}/health HTTP/1.1\r\nHost: 127.0.0.1:${echo.port}\r\n\r\n`,
+        );
+      });
+      client.on("data", () => {
+        client.end();
+        resolve();
+      });
+      client.on("error", reject);
+    });
+
+    await new Promise((r) => setTimeout(r, 100));
+
+    const date = new Date().toISOString().slice(0, 10);
+    const auditFile = path.join(cwd, ".context", "audit", `host-events-${date}.jsonl`);
+    const events = fs
+      .readFileSync(auditFile, "utf8")
+      .trim()
+      .split("\n")
+      .map((l) => JSON.parse(l));
+    const egress = events.find((e) => e.event_type === "egress_connection");
+    assert.ok(egress);
+    assert.equal(egress.protocol, "http");
+    assert.equal(egress.destination.host, "127.0.0.1");
+    assert.equal(egress.destination.port, echo.port);
+    assert.equal(egress.sni, "127.0.0.1");
+  } finally {
+    await proxy.stop();
+    await new Promise((r) => echo.server.close(r));
+    fs.rmSync(cwd, { recursive: true, force: true });
+  }
+});
+
+test("egress proxy: malformed first line returns 400 and closes", async () => {
+  const cwd = makeProject();
+  const proxy = await startEgressProxy({ cwd, port: 0, hostId: "test-host" });
+  try {
+    const got = await new Promise((resolve) => {
+      const client = net.connect(proxy.port, "127.0.0.1", () => {
+        client.write("garbage line\r\n\r\n");
+      });
+      let buf = "";
+      client.on("data", (chunk) => {
+        buf += chunk.toString();
+      });
+      client.on("close", () => resolve(buf));
+    });
+    assert.match(got, /400/);
+  } finally {
+    await proxy.stop();
+    fs.rmSync(cwd, { recursive: true, force: true });
+  }
+});
+
+test("egress proxy: stop() closes the server", async () => {
+  const cwd = makeProject();
+  const proxy = await startEgressProxy({ cwd, port: 0, hostId: "test-host" });
+  assert.equal(proxy.isRunning(), true);
+  await proxy.stop();
+  assert.equal(proxy.isRunning(), false);
+  fs.rmSync(cwd, { recursive: true, force: true });
+});