@hailer/mcp 1.1.12 → 1.1.13

package/dist/mcp/UserContextCache.js

@@ -6,6 +6,7 @@ const workspace_cache_1 = require("./workspace-cache");
 const config_1 = require("../config");
 const logger_1 = require("../lib/logger");
 const index_1 = require("./utils/index");
+const index_2 = require("./utils/index");
 const logger = (0, logger_1.createLogger)({ component: 'user-context-cache' });
 /**
  * Cache for user-specific data (client connections, init data, workspace cache)
@@ -57,7 +58,7 @@ class UserContextCache {
             else {
                 // Cache expired, remove stale entry
                 this.cache.delete(apiKey);
-                logger.debug('Cache expired, refreshing user context', {
+                logger.info('Cache expired, refreshing user context', {
                     apiKey: apiKey.substring(0, 8) + '...',
                     ageMinutes: Math.round(age / (1000 * 60))
                 });
@@ -66,7 +67,7 @@ class UserContextCache {
         else if (forceRefresh && this.cache.has(apiKey)) {
             // Force refresh requested, clear existing cache
             this.cache.delete(apiKey);
-            logger.debug('Force refresh requested, clearing cached user context', {
+            logger.info('Force refresh requested, clearing cached user context', {
                 apiKey: apiKey.substring(0, 8) + '...'
             });
         }
@@ -105,29 +106,57 @@ class UserContextCache {
             const init = await client.socket.request('v2.core.init', [
                 ['processes', 'users', 'network', 'networks', 'teams']
             ]);
-            // Validate single workspace access - MCP requires bot credentials with access to one workspace only
-            const workspaceCount = Object.keys(init.networks || {}).length;
+            (0, index_1.normalizeInitProcesses)(init);
+            // Multi-workspace support: log available workspaces, use first one as default
+            // User can switch workspaces using list_my_workspaces tool and specifying workspaceId
+            const networks = (init.networks || {});
+            const workspaceCount = Object.keys(networks).length;
             if (workspaceCount > 1) {
-                const networks = (init.networks || {});
-                const workspaceNames = Object.values(networks)
-                    .map((ws) => ws.name)
+                const workspaceList = Object.entries(networks)
+                    .map(([id, ws]) => `${ws.name} (${id})`)
                     .join(', ');
-                logger.error('Multi-workspace credentials detected', {
+                logger.info('Multi-workspace user detected', {
                     workspaceCount,
-                    workspaces: workspaceNames,
-                    apiKey: apiKey.substring(0, 8) + '...'
+                    workspaces: workspaceList,
+                    apiKey: apiKey.substring(0, 8) + '...',
+                    hint: 'Use list_my_workspaces tool to see all workspaces and switch between them'
                 });
-                // Clean up the connection before throwing - prevents dangling socket
-                (0, hailer_clients_1.disconnectHailerClientByApiKey)(apiKey);
-                throw new Error(`Multi-workspace credentials detected (${workspaceCount} workspaces: ${workspaceNames}). ` +
-                    `MCP requires bot credentials with access to a single workspace. ` +
-                    `Please use the bot account created during 'hailer-sdk init'.`);
             }
             // Create workspace cache from init data
             const appConfig = (0, config_1.createApplicationConfig)();
             const workspaceCache = (0, workspace_cache_1.createWorkspaceCache)(init, appConfig.mcpConfig);
+            // Extract user roles from ALL workspaces
+            const currentUserId = await (0, hailer_clients_1.getCurrentUserId)(client);
+            const workspaceRoles = (0, index_2.extractWorkspaceRoles)(networks, currentUserId);
+            // Get current workspace ID
+            const currentWorkspaceId = init.network?._id || Object.keys(networks)[0] || '';
+            // Get role for current workspace (for backward compatibility and initial tool filtering)
+            const userRole = workspaceRoles[currentWorkspaceId] || 'guest';
+            const allowedGroups = (0, index_2.getAllowedGroups)(userRole, config_1.environment.ENABLE_NUCLEAR_TOOLS);
+            logger.info('User roles extracted from all workspaces', {
+                apiKey: apiKey.substring(0, 8) + '...',
+                workspaceCount: Object.keys(workspaceRoles).length,
+                currentWorkspaceId,
+                currentRole: userRole,
+                allRoles: Object.entries(workspaceRoles).map(([id, role]) => `${id.slice(-6)}:${role}`).join(', ')
+            });
             // Get credentials from config (for tools like publish_hailer_app that need external auth)
-            const accountConfig = appConfig.getClientConfig(apiKey);
+            // User API Keys (OAuth users) don't have bot credentials - use empty strings
+            const isUserApiKey = apiKey.startsWith('userapikey_');
+            let email = '';
+            let password = '';
+            if (!isUserApiKey) {
+                try {
+                    const accountConfig = appConfig.getClientConfig(apiKey);
+                    email = accountConfig.email;
+                    password = accountConfig.password;
+                }
+                catch (error) {
+                    logger.warn('No client config found for API key, using empty credentials', {
+                        apiKey: apiKey.substring(0, 8) + '...'
+                    });
+                }
+            }
             const context = {
                 client,
                 hailer,
@@ -135,8 +164,11 @@ class UserContextCache {
                 workspaceCache,
                 apiKey,
                 createdAt: Date.now(),
-                email: accountConfig.email,
-                password: accountConfig.password,
+                email,
+                password,
+                workspaceRoles, // NEW: Map of workspaceId → role
+                currentWorkspaceId, // NEW: Current workspace ID
+                allowedGroups, // Keep for stdio-server compatibility
             };
             // Calculate and log cache sizes
             const rawInitSize = Buffer.byteLength(JSON.stringify(init), 'utf8');
@@ -176,7 +208,7 @@ class UserContextCache {
     static clearAll() {
         const size = this.cache.size;
         this.cache.clear();
-        logger.debug('Cleared all user contexts from cache', { clearedCount: size });
+        logger.info('Cleared all user contexts from cache', { clearedCount: size });
     }
     /**
      * Get cache statistics (for monitoring and debugging)

package/dist/mcp/hailer-clients.d.ts

@@ -5,10 +5,28 @@ export interface HailerRestClient {
     sessionKey: string;
 }
 export interface HailerClient {
-    socket: Client;
+    socket: Client | RestOnlySocket;
     rest: HailerRestClient;
     sessionKey: string;
 }
+/**
+ * REST-only socket mock for User API Key sessions
+ * User API Keys require IP for validation, which socket.resume() doesn't provide.
+ * This mock implements the socket.request() interface using REST API calls.
+ */
+export declare class RestOnlySocket {
+    host: string;
+    private apiKey;
+    constructor(baseUrl: string, apiKey: string);
+    /**
+     * Make RPC request via REST API instead of socket
+     * Hailer's /api endpoint accepts the same RPC format as socket
+     */
+    request(method: string, args?: unknown[]): Promise<unknown>;
+    on(_event: string, _handler: (...args: any[]) => void): void;
+    off(_event: string, _handler: (...args: any[]) => void): void;
+    disconnect(): void;
+}
 /**
  * Get the current user ID from the authenticated session
  * This is called after authentication to retrieve the user ID automatically

package/dist/mcp/hailer-clients.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.subscribeToSignal = exports.clearAllConnections = exports.disconnectHailerClientByApiKey = exports.createHailerClientByApiKey = exports.HailerClientManager = void 0;
+exports.subscribeToSignal = exports.clearAllConnections = exports.disconnectHailerClientByApiKey = exports.createHailerClientByApiKey = exports.HailerClientManager = exports.RestOnlySocket = void 0;
 exports.getCurrentUserId = getCurrentUserId;
 exports.registerBotCredentials = registerBotCredentials;
 exports.unregisterBotCredentials = unregisterBotCredentials;
@@ -9,6 +9,70 @@ const auth_1 = require("./auth");
 const logger_1 = require("../lib/logger");
 const config_1 = require("../config");
 const logger = (0, logger_1.createLogger)({ component: 'hailer-clients' });
+// Default API base URL for OAuth sessions (User API Keys)
+const DEFAULT_API_BASE_URL = process.env.BOT_API_BASE_URL || 'https://api.hailer.com';
+/**
+ * REST-only socket mock for User API Key sessions
+ * User API Keys require IP for validation, which socket.resume() doesn't provide.
+ * This mock implements the socket.request() interface using REST API calls.
+ */
+class RestOnlySocket {
+    host;
+    apiKey;
+    constructor(baseUrl, apiKey) {
+        this.host = baseUrl;
+        this.apiKey = apiKey;
+    }
+    /**
+     * Make RPC request via REST API instead of socket
+     * Hailer's /api endpoint accepts the same RPC format as socket
+     */
+    async request(method, args = []) {
+        const url = `${this.host}/api/${method.replace(/\./g, '/')}`;
+        logger.debug('RestOnlySocket making request', {
+            url,
+            method,
+            apiKeyPrefix: this.apiKey.substring(0, 20) + '...',
+        });
+        const response = await (0, auth_1.safeFetch)(url, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'hlrkey': this.apiKey,
+            },
+            body: JSON.stringify({ args }),
+        });
+        if (!response.ok) {
+            const errorText = await response.text();
+            logger.error('RestOnlySocket request failed', {
+                url,
+                method,
+                status: response.status,
+                errorText,
+            });
+            throw new Error(`REST API request failed: ${response.status} ${errorText}`);
+        }
+        const result = await response.json();
+        logger.debug('RestOnlySocket request succeeded', { method });
+        return result;
+    }
+    // Stub methods for socket interface compatibility
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    on(_event, _handler) {
+        // REST-only client doesn't support real-time events
+        logger.debug('RestOnlySocket.on() called - events not supported for User API Key sessions');
+    }
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    off(_event, _handler) {
+        // REST-only client doesn't support real-time events
+        logger.debug('RestOnlySocket.off() called - events not supported for User API Key sessions');
+    }
+    disconnect() {
+        // Nothing to disconnect for REST-only client
+        logger.debug('RestOnlySocket.disconnect() called - no-op for REST client');
+    }
+}
+exports.RestOnlySocket = RestOnlySocket;
 /**
  * Get the current user ID from the authenticated session
  * This is called after authentication to retrieve the user ID automatically
@@ -91,24 +155,23 @@ class HailerClientManager {
             password: this.password,
             ...(isLocalDev && { rejectUnauthorized: false }), // Add for local dev with self-signed certs
         };
-        // Track timeout with single settled flag to prevent race conditions
+        // Track timeout for proper cleanup
         let timeoutId = null;
-        let settled = false;
+        let timeoutCleared = false;
         try {
             // Create socket client using @hailer/cli with cancellable timeout
             this.socketClient = (await Promise.race([
                 cli_1.Client.create(clientOptions).then(client => {
-                    if (!settled) {
-                        settled = true;
-                        if (timeoutId)
-                            clearTimeout(timeoutId);
+                    // Clear timeout on success
+                    if (timeoutId && !timeoutCleared) {
+                        clearTimeout(timeoutId);
+                        timeoutCleared = true;
                     }
                     return client;
                 }),
                 new Promise((_, reject) => {
                     timeoutId = setTimeout(() => {
-                        if (!settled) {
-                            settled = true;
+                        if (!timeoutCleared) {
                             reject(new Error(`Timeout connecting to: ${this.host}`));
                         }
                     }, 30000);
@@ -116,10 +179,10 @@ class HailerClientManager {
             ]));
         }
         catch (error) {
-            // Ensure timeout is cleared on error
-            if (timeoutId && !settled) {
-                settled = true;
+            // Ensure timeout is cleared on error too
+            if (timeoutId && !timeoutCleared) {
                 clearTimeout(timeoutId);
+                timeoutCleared = true;
             }
             logger.error('Failed to create socket client', error, { username: this.username });
             throw error;
@@ -163,13 +226,13 @@ class HailerClientManager {
             logger.info('Socket reconnected and session resumed', { username: this.username });
         });
         this.socketClient.on("connect", () => {
-            logger.debug('Socket connected', { username: this.username });
+            logger.info('Socket connected', { username: this.username });
         });
         this.socketClient.on("connect_error", (error) => {
             logger.error('Socket connection error', { error: error.message, username: this.username });
         });
         this.socketClient.on("reconnect_attempt", (attempt) => {
-            logger.debug('Socket reconnection attempt', { attempt, username: this.username });
+            logger.info('Socket reconnection attempt', { attempt, username: this.username });
         });
         this.socketClient.on("reconnect_failed", () => {
             logger.error('Socket reconnection failed permanently', { username: this.username });
@@ -204,10 +267,7 @@ class HailerClientManager {
         if (!this.signalHandlers.has(eventType)) {
             this.signalHandlers.set(eventType, []);
         }
-        const handlers = this.signalHandlers.get(eventType);
-        if (!handlers.includes(handler)) {
-            handlers.push(handler);
-        }
+        this.signalHandlers.get(eventType).push(handler);
     }
     // Remove a signal handler
     offSignal(eventType, handler) {
@@ -247,12 +307,86 @@ class HailerClientManager {
 exports.HailerClientManager = HailerClientManager;
 // Connection pool for the MCP server
 const connectionPool = new Map();
+// Pool for User API Key socket clients
+const userApiKeyClients = new Map();
+/**
+ * Create a REST-only client for User API Keys
+ *
+ * User API Keys require IP address for validation (see validateApiKey in backend).
+ * Socket.IO resume() doesn't pass IP, so we use REST API with hlrkey header instead.
+ * The REST API passes req.ip to core.getSession() which then validates the key.
+ */
+async function createUserApiKeyClient(userApiKey) {
+    // Check if we already have this client
+    const existing = userApiKeyClients.get(userApiKey);
+    if (existing) {
+        logger.debug('Reusing existing User API Key client', {
+            apiKey: userApiKey.substring(0, 20) + '...'
+        });
+        return existing;
+    }
+    logger.info('Creating REST-only client for User API Key', {
+        apiKey: userApiKey.substring(0, 20) + '...',
+        apiBaseUrl: DEFAULT_API_BASE_URL
+    });
+    try {
+        // Create REST-only socket mock that uses HTTP API instead of WebSocket
+        const restSocket = new RestOnlySocket(DEFAULT_API_BASE_URL, userApiKey);
+        // Verify the API key works by making a test request
+        logger.debug('Verifying User API Key via REST...');
+        const testResult = await restSocket.request('v2.core.init', [['user']]);
+        if (!testResult?.user?._id) {
+            throw new Error('User API Key validation failed - could not get user info');
+        }
+        logger.info('User API Key validated successfully via REST', {
+            apiKey: userApiKey.substring(0, 20) + '...',
+            userId: testResult.user._id
+        });
+        // Create REST client
+        const restClient = {
+            fetch: (url, options = {}) => {
+                const fullUrl = url.startsWith('http') ? url : `${DEFAULT_API_BASE_URL}${url}`;
+                const headers = {
+                    ...options.headers,
+                    hlrkey: userApiKey,
+                    'Content-Type': 'application/json',
+                };
+                return (0, auth_1.safeFetch)(fullUrl, { ...options, headers });
+            },
+            sessionKey: userApiKey,
+        };
+        const client = {
+            socket: restSocket,
+            rest: restClient,
+            sessionKey: userApiKey,
+        };
+        userApiKeyClients.set(userApiKey, client);
+        return client;
+    }
+    catch (error) {
+        const errorMsg = error instanceof Error
+            ? error.message
+            : (typeof error === 'object' && error !== null)
+                ? JSON.stringify(error)
+                : String(error);
+        logger.error('Failed to create User API Key client', {
+            error: errorMsg,
+            errorType: typeof error,
+        });
+        throw new Error(`Failed to create User API Key session: ${errorMsg}`);
+    }
+}
 /**
  * Create Hailer client by API key (O(1) lookup)
  * This is the new efficient method for MCP Server to get connections
  */
 const createHailerClientByApiKey = async (apiKey) => {
-    // O(1) lookup in Map-based CLIENT_CONFIGS
+    // Check if this is a User API Key (from OAuth flow)
+    // User API Keys start with "userapikey_" and can authenticate via socket resume()
+    if (apiKey.startsWith('userapikey_')) {
+        return await createUserApiKeyClient(apiKey);
+    }
+    // O(1) lookup in Map-based CLIENT_CONFIGS (for bot accounts)
     const account = config_1.environment.CLIENT_CONFIGS[apiKey];
     if (!account) {
         throw new Error(`No Hailer account found for API key: ${apiKey}`);
@@ -283,7 +417,7 @@ const createHailerClientByApiKey = async (apiKey) => {
         connectionPool.delete(connectionKey);
     }
     // Create new connection
-    logger.debug('Creating new connection', {
+    logger.info('Creating new connection', {
         apiKey: apiKey.substring(0, 8) + '...',
         email: (0, config_1.maskEmail)(account.email),
         host: account.apiBaseUrl
@@ -315,7 +449,7 @@ const clearAllConnections = () => {
         clientManager.disconnect();
     }
     connectionPool.clear();
-    logger.debug('Cleared Hailer connections', { count });
+    logger.info('Cleared Hailer connections', { count });
 };
 exports.clearAllConnections = clearAllConnections;
 /**
@@ -349,10 +483,10 @@ function registerBotCredentials(botId, email, password, options) {
     config_1.environment.CLIENT_CONFIGS[apiKey] = {
         email,
         password,
-        apiBaseUrl: config_1.environment.BOT_API_BASE_URL || 'https://api.hailer.com',
+        apiBaseUrl: 'https://api.hailer.com',
         ...(options?.allowedGroups && { allowedGroups: options.allowedGroups }),
     };
-    logger.debug('Bot credentials registered', {
+    logger.info('Bot credentials registered', {
         botId,
         hasAllowedGroups: !!options?.allowedGroups
     });
@@ -364,6 +498,6 @@ function registerBotCredentials(botId, email, password, options) {
 function unregisterBotCredentials(apiKey) {
     delete config_1.environment.CLIENT_CONFIGS[apiKey];
     (0, exports.disconnectHailerClientByApiKey)(apiKey);
-    logger.debug('Bot credentials unregistered');
+    logger.info('Bot credentials unregistered');
 }
 //# sourceMappingURL=hailer-clients.js.map

package/dist/mcp/session-store.d.ts

@@ -0,0 +1,68 @@
+/**
+ * SessionStore - Maps key_id to real api_key for Claude App authentication
+ *
+ * Purpose: Keep real Hailer API keys on server side, Claude only gets a reference (key_id).
+ * Multiple concurrent sessions supported - each user gets their own key_id.
+ *
+ * Flow:
+ * 1. User logs in via Hailer auth page
+ * 2. Frontend generates key_id, sends {key_id, api_key} to MCP /auth/register
+ * 3. Frontend redirects to Claude with key_id as "access_token"
+ * 4. Claude sends key_id in Authorization header
+ * 5. MCP looks up real api_key from this store
+ */
+export interface Session {
+    apiKey: string;
+    workspaceId: string;
+    createdAt: number;
+    lastAccessedAt: number;
+}
+export declare class SessionStore {
+    private store;
+    private maxTtlMs;
+    private inactivityTtlMs;
+    private cleanupInterval;
+    /**
+     * @param maxTtlHours - Maximum session lifetime in hours (default 24)
+     * @param inactivityMinutes - Session expires after this many minutes of inactivity (default 30)
+     */
+    constructor(maxTtlHours?: number, inactivityMinutes?: number);
+    /**
+     * Register a new session (called by /auth/register endpoint)
+     */
+    set(keyId: string, apiKey: string, workspaceId: string): void;
+    /**
+     * Get session by key_id (returns null if expired or not found)
+     * Updates lastAccessedAt to extend inactivity timeout
+     */
+    get(keyId: string): Session | null;
+    /**
+     * Delete session (logout)
+     */
+    delete(keyId: string): boolean;
+    /**
+     * Remove all expired sessions (both max TTL and inactivity)
+     */
+    cleanup(): void;
+    /**
+     * Get store statistics
+     */
+    getStats(): {
+        size: number;
+        config: {
+            maxTtlHours: number;
+            inactivityMinutes: number;
+        };
+        sessions: Array<{
+            keyId: string;
+            ageMinutes: number;
+            inactivityMinutes: number;
+        }>;
+    };
+    /**
+     * Stop cleanup interval (for graceful shutdown)
+     */
+    destroy(): void;
+}
+export declare const sessionStore: SessionStore;
+//# sourceMappingURL=session-store.d.ts.map

package/dist/mcp/session-store.js

@@ -0,0 +1,169 @@
+"use strict";
+/**
+ * SessionStore - Maps key_id to real api_key for Claude App authentication
+ *
+ * Purpose: Keep real Hailer API keys on server side, Claude only gets a reference (key_id).
+ * Multiple concurrent sessions supported - each user gets their own key_id.
+ *
+ * Flow:
+ * 1. User logs in via Hailer auth page
+ * 2. Frontend generates key_id, sends {key_id, api_key} to MCP /auth/register
+ * 3. Frontend redirects to Claude with key_id as "access_token"
+ * 4. Claude sends key_id in Authorization header
+ * 5. MCP looks up real api_key from this store
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sessionStore = exports.SessionStore = void 0;
+const logger_1 = require("../lib/logger");
+const logger = (0, logger_1.createLogger)({ component: 'session-store' });
+class SessionStore {
+    store = new Map();
+    maxTtlMs; // Maximum session lifetime (absolute)
+    inactivityTtlMs; // Session expires after inactivity
+    cleanupInterval = null;
+    /**
+     * @param maxTtlHours - Maximum session lifetime in hours (default 24)
+     * @param inactivityMinutes - Session expires after this many minutes of inactivity (default 30)
+     */
+    constructor(maxTtlHours = 24, inactivityMinutes = 30) {
+        this.maxTtlMs = maxTtlHours * 60 * 60 * 1000;
+        this.inactivityTtlMs = inactivityMinutes * 60 * 1000;
+        // Cleanup expired sessions every 5 minutes (more frequent for inactivity-based expiry)
+        this.cleanupInterval = setInterval(() => this.cleanup(), 5 * 60 * 1000);
+        logger.info('SessionStore initialized', {
+            maxTtlHours,
+            inactivityMinutes,
+            maxTtlMs: this.maxTtlMs,
+            inactivityTtlMs: this.inactivityTtlMs
+        });
+    }
+    /**
+     * Register a new session (called by /auth/register endpoint)
+     */
+    set(keyId, apiKey, workspaceId) {
+        const now = Date.now();
+        const session = {
+            apiKey,
+            workspaceId,
+            createdAt: now,
+            lastAccessedAt: now,
+        };
+        this.store.set(keyId, session);
+        logger.info('Session registered', {
+            keyId: keyId.substring(0, 8) + '...',
+            workspaceId: workspaceId.substring(0, 8) + '...',
+            totalSessions: this.store.size,
+        });
+    }
+    /**
+     * Get session by key_id (returns null if expired or not found)
+     * Updates lastAccessedAt to extend inactivity timeout
+     */
+    get(keyId) {
+        const session = this.store.get(keyId);
+        if (!session) {
+            logger.debug('Session not found', { keyId: keyId.substring(0, 8) + '...' });
+            return null;
+        }
+        const now = Date.now();
+        const age = now - session.createdAt;
+        const inactivity = now - session.lastAccessedAt;
+        // Check if max lifetime exceeded (absolute expiry)
+        if (age > this.maxTtlMs) {
+            logger.info('Session expired (max TTL)', {
+                keyId: keyId.substring(0, 8) + '...',
+                ageHours: Math.round(age / (1000 * 60 * 60)),
+            });
+            this.store.delete(keyId);
+            return null;
+        }
+        // Check if inactivity timeout exceeded
+        if (inactivity > this.inactivityTtlMs) {
+            logger.info('Session expired (inactivity)', {
+                keyId: keyId.substring(0, 8) + '...',
+                inactivityMinutes: Math.round(inactivity / (1000 * 60)),
+            });
+            this.store.delete(keyId);
+            return null;
+        }
+        // Update lastAccessedAt to extend session
+        session.lastAccessedAt = now;
+        logger.debug('Session found', {
+            keyId: keyId.substring(0, 8) + '...',
+            ageMinutes: Math.round(age / (1000 * 60)),
+            inactivityMinutes: Math.round(inactivity / (1000 * 60)),
+        });
+        return session;
+    }
+    /**
+     * Delete session (logout)
+     */
+    delete(keyId) {
+        const existed = this.store.delete(keyId);
+        if (existed) {
+            logger.info('Session deleted', { keyId: keyId.substring(0, 8) + '...' });
+        }
+        return existed;
+    }
+    /**
+     * Remove all expired sessions (both max TTL and inactivity)
+     */
+    cleanup() {
+        const now = Date.now();
+        let removedMaxTtl = 0;
+        let removedInactivity = 0;
+        for (const [keyId, session] of this.store.entries()) {
+            const age = now - session.createdAt;
+            const inactivity = now - session.lastAccessedAt;
+            if (age > this.maxTtlMs) {
+                this.store.delete(keyId);
+                removedMaxTtl++;
+            }
+            else if (inactivity > this.inactivityTtlMs) {
+                this.store.delete(keyId);
+                removedInactivity++;
+            }
+        }
+        const totalRemoved = removedMaxTtl + removedInactivity;
+        if (totalRemoved > 0) {
+            logger.info('Cleanup completed', {
+                removedMaxTtl,
+                removedInactivity,
+                remaining: this.store.size
+            });
+        }
+    }
+    /**
+     * Get store statistics
+     */
+    getStats() {
+        const now = Date.now();
+        const sessions = Array.from(this.store.entries()).map(([keyId, session]) => ({
+            keyId: keyId.substring(0, 8) + '...',
+            ageMinutes: Math.round((now - session.createdAt) / (1000 * 60)),
+            inactivityMinutes: Math.round((now - session.lastAccessedAt) / (1000 * 60)),
+        }));
+        return {
+            size: this.store.size,
+            config: {
+                maxTtlHours: Math.round(this.maxTtlMs / (1000 * 60 * 60)),
+                inactivityMinutes: Math.round(this.inactivityTtlMs / (1000 * 60)),
+            },
+            sessions,
+        };
+    }
+    /**
+     * Stop cleanup interval (for graceful shutdown)
+     */
+    destroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+        logger.info('SessionStore destroyed');
+    }
+}
+exports.SessionStore = SessionStore;
+// Singleton instance
+exports.sessionStore = new SessionStore();
+//# sourceMappingURL=session-store.js.map

package/dist/mcp/signal-handler.js

@@ -3,6 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.SignalHandler = void 0;
 const logger_1 = require("../lib/logger");
 const webhooks_1 = require("../bot-config/webhooks");
+const types_1 = require("./utils/types");
 // Optional: bot-config only available in bot server mode, not MCP terminal
 let reloadConfigFromHailer = null;
 let setActiveWorkspace = null;
@@ -239,6 +240,7 @@ class SignalHandler {
             // Refresh cache by fetching fresh data - API requires array of keys to fetch
             // IMPORTANT: Include 'processes' to get updated workflow list (e.g., after template install)
             const init = await this.client.socket.request('v2.core.init', [['users', 'network', 'networks', 'processes']]);
+            (0, types_1.normalizeInitProcesses)(init);
             // Update workspace cache with fresh data
             if (init.processes) {
                 this.workspaceCache.rawInit.processes = init.processes;