@nekzus/liop 1.2.0-alpha.10

package/dist/bin/agent.js

@@ -0,0 +1,307 @@
+#!/usr/bin/env node
+import * as fs from "node:fs";
+import * as os from "node:os";
+import * as path from "node:path";
+import { multiaddr } from "@multiformats/multiaddr";
+import { LiopMcpRouter } from "../gateway/router.js";
+import { MeshNode } from "../mesh/index.js";
+import { LiopServer } from "../server/index.js";
+import { log } from "../utils/logger.js";
+/**
+ * Resolves a full libp2p multiaddr (with PeerID) from a LIOP node's
+ * HTTP health endpoint. This enables zero-config bootstrap — users
+ * only need to provide a URL, not a cryptographic PeerID.
+ *
+ * @param url - HTTP URL of a LIOP node's health endpoint (e.g. "http://host:3000")
+ * @returns Full multiaddr string with PeerID, or null if resolution fails
+ */
+async function resolveBootstrapFromUrl(url) {
+    try {
+        const healthUrl = url.endsWith("/health") ? url : `${url}/health`;
+        const response = await fetch(healthUrl, {
+            headers: { Accept: "application/json" },
+            signal: AbortSignal.timeout(10000), // Increased to 10s
+        });
+        if (!response.ok)
+            return null;
+        const data = await response.json();
+        if (!data.mesh?.multiaddrs?.length || !data.mesh?.peerId)
+            return null;
+        // Find TCP multiaddr (prefer non-websocket for stability)
+        const tcpAddr = data.mesh.multiaddrs.find((a) => a.includes("/tcp/") &&
+            !a.includes("/ws") &&
+            !a.includes("/ip4/127.0.0.1/"));
+        if (!tcpAddr)
+            return null;
+        // Rewrite internal Docker IP using industrial mapper if available
+        let resolved = industrialAddressMapper(tcpAddr);
+        if (!resolved || resolved === tcpAddr) {
+            const urlHost = new URL(url).hostname;
+            resolved = tcpAddr.replace(/\/ip4\/[^/]+/, `/ip4/${urlHost}`);
+        }
+        if (!resolved)
+            return null;
+        resolved += resolved.includes("/p2p/") ? "" : `/p2p/${data.mesh.peerId}`;
+        return resolved;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Normalizes a bootstrap multiaddr string.
+ * If the address contains a Docker bridge IP (172.16-31.x.x) or Loopback (127.0.0.1),
+ * rewrites it to the host accessible via LIOP_NEXUS_URL (e.g. WSL2 IP).
+ * This is critical when WSL2 mirror-mode networking is broken.
+ */
+function normalizeBootstrap(addr) {
+    const trimmed = addr.trim();
+    // Remap Docker bridge IPs and ANY external physical IPs to 127.0.0.1
+    // because Test-NetConnection confirmed 127.0.0.1 is the only reliable path to Docker ports.
+    const dockerIpRegex = /\/ip4\/172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}/;
+    const loopbackRegex = /\/ip4\/127\.0\.0\.1/;
+    const physicalIpRegex = /\/ip4\/192\.168\.[0-9]{1,3}\.[0-9]{1,3}/;
+    if (dockerIpRegex.test(trimmed) ||
+        loopbackRegex.test(trimmed) ||
+        physicalIpRegex.test(trimmed)) {
+        const targetIp = "127.0.0.1";
+        const normalized = trimmed
+            .replace(dockerIpRegex, `/ip4/${targetIp}`)
+            .replace(loopbackRegex, `/ip4/${targetIp}`)
+            .replace(physicalIpRegex, `/ip4/${targetIp}`);
+        if (normalized !== trimmed) {
+            log.info(`[LIOP-Agent] 🔄 Local Routing Hack → Forced 127.0.0.1: ${normalized}`);
+        }
+        return normalized;
+    }
+    return trimmed;
+}
+/**
+ * industrialAddressMapper
+ *
+ * Mapea IPs internas de Docker a puertos industriales mapeados en el Host.
+ * Nexus (172.20.0.10) -> 13001
+ * Vault (172.20.0.11) -> 13003
+ * Bank  (172.20.0.12) -> 13004
+ * Oracle(172.20.0.13) -> 13005
+ */
+function industrialAddressMapper(addr) {
+    if (addr.includes("/ip4/172.20.0.10"))
+        return addr.replace(/\/ip4\/172\.20\.0\.10\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13001");
+    if (addr.includes("/ip4/172.20.0.11"))
+        return addr.replace(/\/ip4\/172\.20\.0\.11\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13003");
+    if (addr.includes("/ip4/172.20.0.12"))
+        return addr.replace(/\/ip4\/172\.20\.0\.12\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13004");
+    if (addr.includes("/ip4/172.20.0.13"))
+        return addr.replace(/\/ip4\/172\.20\.0\.13\/tcp\/[0-9]+/, "/ip4/127.0.0.1/tcp/13005");
+    // Drop container-internal loopbacks to prevent the Host Agent from dialing itself or conflicting ports
+    if (addr.includes("/ip4/127.0.0.1/tcp/4000") ||
+        addr.includes("/ip4/127.0.0.1/tcp/3000")) {
+        return null;
+    }
+    return addr;
+}
+/**
+ * LIOP Agent (Zero-Config CLI)
+ *
+ * Secure Logic-on-Origin gateway for Claude Desktop.
+ * Communicates via STDIO / JSON-RPC.
+ *
+ * All tool discovery is DYNAMIC via the /liop/manifest/1.0.0 protocol.
+ * No hardcoded tools, PeerIDs, or port mappings.
+ */
+async function main() {
+    const buildTime = new Date().toISOString();
+    log.info(`[LIOP-Agent] 🚀 Version 1.2.0-alpha.9 | Build: ${buildTime}`);
+    const liopDir = path.join(os.homedir(), ".liop");
+    const identityPath = path.join(liopDir, "identity.json");
+    if (!fs.existsSync(liopDir)) {
+        fs.mkdirSync(liopDir, { recursive: true });
+    }
+    // 1. Determine Bootstrap Nodes (Zero-Config Discovery)
+    let bootstrapNodes = [];
+    // Command line arguments take precedence
+    const args = process.argv.slice(2);
+    if (args.length > 0) {
+        bootstrapNodes = args.filter((a) => a.startsWith("/"));
+    }
+    // Priority 1: Physical Beacons (Industrial Pattern) - DETERMINISTIC & INSTANT
+    if (bootstrapNodes.length === 0) {
+        const searchDirs = [];
+        // Priority 1.1: Explicit file from environment variable
+        if (process.env.LIOP_BOOTSTRAP_FILE) {
+            const filePath = path.resolve(process.env.LIOP_BOOTSTRAP_FILE);
+            if (fs.existsSync(filePath)) {
+                const addr = fs.readFileSync(filePath, "utf8").trim();
+                if (addr)
+                    bootstrapNodes.push(normalizeBootstrap(addr));
+            }
+        }
+        // Priority 1.2: Traditional locations (Scan for all *.multiaddr)
+        searchDirs.push(process.cwd(), path.join(process.cwd(), "tests/infra/nexus-data"), liopDir, path.join(path
+            .dirname(new URL(import.meta.url).pathname)
+            .replace(/^\/([A-Z]:)/, "$1"), "../../tests/infra/nexus-data"));
+        for (const dir of searchDirs) {
+            try {
+                if (fs.existsSync(dir)) {
+                    const files = fs.readdirSync(dir);
+                    const multiaddrFiles = files.filter((f) => f.endsWith(".multiaddr"));
+                    for (const file of multiaddrFiles) {
+                        const filePath = path.join(dir, file);
+                        const addr = fs.readFileSync(filePath, "utf8").trim();
+                        if (addr) {
+                            const normalized = normalizeBootstrap(addr);
+                            if (!bootstrapNodes.includes(normalized)) {
+                                bootstrapNodes.push(normalized);
+                                log.info(`[LIOP-Agent] ✅ Loaded beacon: ${file} from ${dir}`);
+                            }
+                        }
+                    }
+                    // If we found any beacons in this directory, we consider discovery successful for this layer
+                    if (bootstrapNodes.length > 0)
+                        break;
+                }
+            }
+            catch (_e) {
+                /* ignore */
+            }
+        }
+    }
+    // Priority 2: Auto-Discovery via NEXUS URL (Aggressive Parallel Discovery)
+    if (process.env.LIOP_NEXUS_URL) {
+        const nexusUrl = process.env.LIOP_NEXUS_URL;
+        log.info(`[LIOP-Agent] 🌐 Running parallel discovery from: ${nexusUrl} (Sources Found: ${bootstrapNodes.length})`);
+        const resolved = await resolveBootstrapFromUrl(nexusUrl);
+        if (resolved) {
+            const normalized = normalizeBootstrap(resolved);
+            if (!bootstrapNodes.includes(normalized)) {
+                bootstrapNodes.push(normalized);
+                log.info(`[LIOP-Agent] ✅ Added bootstrap from URL discovery: ${normalized}`);
+            }
+        }
+    }
+    // Priority 3: Environment variable (direct multiaddr)
+    if (bootstrapNodes.length === 0 && process.env.LIOP_BOOTSTRAP) {
+        bootstrapNodes.push(process.env.LIOP_BOOTSTRAP.trim());
+    }
+    // Final fallback: local Nexus bootstrap for demo environments.
+    // Avoid injecting stale static peer IDs when discovery already found valid peers.
+    if (bootstrapNodes.length === 0) {
+        bootstrapNodes.push("/ip4/127.0.0.1/tcp/13001/p2p/12D3KooWD8FUFdnLQzzLFNdicsaTknM5cpD7os9sK9NWVSVABJMD");
+    }
+    // Sanitize/validate all candidate multiaddrs so malformed PeerIDs don't crash startup.
+    bootstrapNodes = bootstrapNodes.filter((addr) => {
+        try {
+            multiaddr(addr);
+            return true;
+        }
+        catch {
+            log.warn(`[LIOP-Agent] Ignoring invalid bootstrap multiaddr: ${addr}`);
+            return false;
+        }
+    });
+    // If no bootstrap nodes found, the agent operates in standalone mode.
+    // It will only serve local tools until peers are discovered.
+    if (bootstrapNodes.length === 0) {
+        log.info("[LIOP-Agent] No bootstrap nodes configured. Operating in standalone mode.");
+        log.info("[LIOP-Agent] Pass a multiaddr as argument or create 'nexus.multiaddr' file.");
+    }
+    // Initialize local server node (lightweight, no tools registered locally)
+    const liopServer = new LiopServer({
+        name: "@nekzus/liop-agent",
+        version: "1.0.0",
+    });
+    // Enable Zero-Shot Autonomy (Industrial Prompt Injection)
+    liopServer.enableZeroShotAutonomy();
+    // 2. Mesh Node Configuration
+    const meshNode = new MeshNode({
+        identityPath: identityPath,
+        bootstrapNodes: bootstrapNodes,
+        addressMapper: industrialAddressMapper,
+    });
+    // Start P2P Mesh
+    await meshNode.start();
+    // 3. Initialize the Dynamic Router
+    // No hardcoded tools — all discovery happens via liop:manifest protocol
+    const router = new LiopMcpRouter(liopServer, meshNode);
+    // Proactive Notification to Claude Desktop when tools/resources are discovered dynamically
+    router.onToolsChanged = () => {
+        process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/tools/list_changed"}\n`);
+        process.stdout.write(`{"jsonrpc":"2.0","method":"notifications/resources/list_changed"}\n`);
+    };
+    // Initial warming period (2s) then Adaptive Background Discovery
+    // Polls DHT for new nodes and triggers onToolsChanged when topology shifts.
+    // Uses exponential backoff to reduce polling load on stable meshes.
+    setTimeout(() => {
+        // biome-ignore lint/suspicious/noExplicitAny: access internal for telemetry
+        const rtSize = meshNode.getRoutingTableSize?.() || 0;
+        log.info(`[LIOP-Agent] Warm-up complete. Routing Table size: ${rtSize}`);
+        router.refreshManifestCache(true).catch(() => { });
+    }, 2000);
+    const POLL_BASE_MS = 10_000;
+    const POLL_MAX_MS = 120_000;
+    let pollIntervalMs = POLL_BASE_MS;
+    const scheduleAdaptivePoll = () => {
+        setTimeout(async () => {
+            const prevSize = router.getCacheSize();
+            await router.refreshManifestCache(true).catch(() => { });
+            const newSize = router.getCacheSize();
+            if (newSize !== prevSize) {
+                // Topology changed — reset to aggressive polling
+                pollIntervalMs = POLL_BASE_MS;
+                log.info(`[LIOP-Agent] Topology change detected (${prevSize} → ${newSize}). Resetting poll to ${POLL_BASE_MS / 1000}s.`);
+            }
+            else {
+                // Stable — relax polling interval (factor 1.5)
+                pollIntervalMs = Math.min(Math.round(pollIntervalMs * 1.5), POLL_MAX_MS);
+            }
+            scheduleAdaptivePoll();
+        }, pollIntervalMs);
+    };
+    scheduleAdaptivePoll();
+    // 4. STDIO Transport — Buffered Line Reader
+    // Uses readline to guarantee complete JSON-RPC messages before parsing.
+    // Raw stdin.on("data") can fragment large payloads across multiple chunks.
+    const readline = await import("node:readline");
+    const rl = readline.createInterface({
+        input: process.stdin,
+        terminal: false,
+    });
+    process.stdout.on("error", (err) => {
+        if (err.code === "EPIPE") {
+            process.exit(0); // Graceful exit when Claude Desktop disconnects
+        }
+    });
+    rl.on("line", async (line) => {
+        const trimmed = line.trim();
+        if (!trimmed)
+            return;
+        try {
+            const request = JSON.parse(trimmed);
+            if (request.method) {
+                const response = await router.dispatch(request);
+                if (response) {
+                    process.stdout.write(`${JSON.stringify(response)}\n`);
+                }
+            }
+        }
+        catch (_err) {
+            // Silent catch for binary noise or malformed lines
+        }
+    });
+    rl.on("close", () => {
+        process.exit(0);
+    });
+    // Status directed only to stderr
+    log.info(`[LIOP-Agent] Guarding Claude Desktop via STDIO.`);
+    log.info(`[LIOP-Agent] P2P Mesh: Joined (${bootstrapNodes.length} bootstraps)`);
+    log.info("[LIOP-Agent] Tool discovery: Dynamic via /liop/manifest/1.0.0");
+    process.on("SIGINT", async () => {
+        await meshNode.stop();
+        process.exit(0);
+    });
+}
+main().catch((err) => {
+    log.error(`[LIOP-Agent] Fatal Error: ${err.message}`);
+    process.exit(1);
+});

package/dist/bridge/index.d.ts

@@ -0,0 +1,37 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import type { LiopServerOptions } from "../server/index.js";
+import { LiopServer } from "../server/index.js";
+export interface LiopBridgeOptions {
+    publishToMesh?: boolean;
+    meshIdentity?: string;
+    serverInfo?: {
+        name: string;
+        version: string;
+    };
+    security?: LiopServerOptions["security"];
+}
+/**
+ * LIOP MCP Bridge
+ * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,
+ * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.
+ */
+export declare class LiopMcpBridge {
+    private options;
+    private liopServer;
+    private legacyMcpServer;
+    constructor(source: LiopServer | McpServer, options?: LiopBridgeOptions);
+    /**
+     * Handles an incoming standard MCP JSON-RPC 2.0 payload.
+     * Pipes it to the underlying server (LIOP or Legacy MCP).
+     */
+    handleJsonRpcRequest(payload: Record<string, unknown>): Promise<unknown>;
+    private handleLiopToMcp;
+    private successResponse;
+    private errorResponse;
+    private verifyZkReceipt;
+    /**
+     * Connects the bridge via stdio or Mesh depending on mode.
+     */
+    connect(): Promise<void>;
+}
+export * from "./stream.js";

package/dist/bridge/index.js

@@ -0,0 +1,249 @@
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { LiopServer } from "../server/index.js";
+import { log } from "../utils/logger.js";
+/**
+ * LIOP MCP Bridge
+ * A bi-directional bridge that allows legacy MCP servers to join the LIOP mesh,
+ * or exposes a LIOP server as an MCP-compatible stdio process for tools like Claude Desktop.
+ */
+export class LiopMcpBridge {
+    options;
+    liopServer = null;
+    legacyMcpServer = null;
+    constructor(source, options = {}) {
+        this.options = options;
+        // Determine mode: Exposing LIOP to MCP (Claude) or Wrapping MCP to LIOP (Mesh)
+        if (source instanceof LiopServer) {
+            this.liopServer = source;
+            log.info("[LIOP-Bridge] Mode: EXPOSE (LIOP -> MCP Stdio)");
+        }
+        else if (source instanceof McpServer) {
+            this.legacyMcpServer = source;
+            log.info("[LIOP-Bridge] Mode: WRAP (Legacy MCP -> LIOP Mesh)");
+        }
+    }
+    /**
+     * Handles an incoming standard MCP JSON-RPC 2.0 payload.
+     * Pipes it to the underlying server (LIOP or Legacy MCP).
+     */
+    async handleJsonRpcRequest(payload) {
+        const id = payload.id;
+        const method = payload.method;
+        const params = payload.params;
+        if (payload.jsonrpc !== "2.0") {
+            return this.errorResponse(id, -32600, "Invalid Request");
+        }
+        // Mode: EXPOSE (Standard behavior used by Claude Desktop)
+        if (this.liopServer) {
+            return this.handleLiopToMcp(id, method, params);
+        }
+        // Mode: WRAP (Redirecting via internal LiopServer after connect())
+        if (this.legacyMcpServer && this.liopServer) {
+            return this.handleLiopToMcp(id, method, params);
+        }
+        return this.errorResponse(id, -32601, "Bridge source not configured");
+    }
+    async handleLiopToMcp(id, method, params) {
+        if (!this.liopServer)
+            return null;
+        if (method === "initialize") {
+            return this.successResponse(id, {
+                protocolVersion: "2025-11-25",
+                capabilities: {
+                    prompts: {},
+                    resources: {},
+                    tools: {},
+                },
+                serverInfo: this.liopServer.getServerInfo(),
+            });
+        }
+        if (method === "notifications/initialized")
+            return undefined;
+        if (method === "ping")
+            return this.successResponse(id, {});
+        if (method === "tools/list") {
+            const tools = this.liopServer.listTools();
+            return this.successResponse(id, { tools });
+        }
+        if (method === "resources/list") {
+            const resources = this.liopServer.listResources();
+            return this.successResponse(id, { resources });
+        }
+        if (method === "prompts/list") {
+            const prompts = this.liopServer.listPrompts();
+            return this.successResponse(id, { prompts });
+        }
+        if (method === "prompts/get") {
+            if (!params?.name) {
+                return this.errorResponse(id, -32602, "Missing prompt name");
+            }
+            try {
+                const result = await this.liopServer.getPrompt({
+                    name: params.name,
+                    arguments: params.arguments,
+                });
+                return this.successResponse(id, result);
+            }
+            catch (err) {
+                return this.errorResponse(id, -32000, err.message);
+            }
+        }
+        if (method === "resources/read") {
+            if (!params?.uri) {
+                return this.errorResponse(id, -32602, "Missing resource URI");
+            }
+            try {
+                const result = await this.liopServer.readResource(params.uri);
+                return this.successResponse(id, result);
+            }
+            catch (err) {
+                return this.errorResponse(id, -32000, err.message);
+            }
+        }
+        if (method === "tools/call") {
+            if (!params?.name) {
+                return this.errorResponse(id, -32602, "Missing tool name");
+            }
+            const request = {
+                name: params.name,
+                arguments: params.arguments || {},
+            };
+            try {
+                const result = await this.liopServer.callTool(request);
+                const isVerified = await this.verifyZkReceipt(request, result);
+                if (!isVerified) {
+                    return this.successResponse(id, {
+                        content: [
+                            {
+                                type: "text",
+                                text: "ALERT [LIOP ZERO-TRUST SHIELD] ZK Verification Failed. The mathematical ImageID does not match the original payload.",
+                            },
+                        ],
+                        isError: true,
+                    });
+                }
+                return this.successResponse(id, result);
+            }
+            catch (err) {
+                return this.errorResponse(id, -32000, err.message);
+            }
+        }
+        return this.errorResponse(id, -32601, "Method not found");
+    }
+    successResponse(id, result) {
+        return { jsonrpc: "2.0", id, result };
+    }
+    errorResponse(id, code, message) {
+        return { jsonrpc: "2.0", id, error: { code, message } };
+    }
+    async verifyZkReceipt(request, result) {
+        if (!request.arguments?.payload ||
+            typeof request.arguments.payload !== "string") {
+            return true;
+        }
+        try {
+            const payload = request.arguments.payload;
+            const contentText = result.content[0]?.text;
+            if (contentText && typeof contentText === "string") {
+                try {
+                    const data = JSON.parse(contentText);
+                    if (data.image_id || data.zk_receipt) {
+                        // 1. Instantiate the Industrial Verifier ( backed by Piscina Worker Pool )
+                        const { LiopVerifier } = await import("../crypto/verifier.js");
+                        const verifier = new LiopVerifier();
+                        // 2. Delegate the heavy mathematical check (ZK Journal + Seal)
+                        const isAuthentic = await verifier.verifyZkReceipt(Buffer.from(payload, "utf-8"), data.image_id, Buffer.from(data.zk_receipt || "", "base64"));
+                        if (!isAuthentic) {
+                            return false;
+                        }
+                        data.audit_status =
+                            "VERIFIED: ZK-Receipt & ImageID Mathematically Verified by LiopMcpBridge";
+                        result.content[0].text = JSON.stringify(data);
+                    }
+                }
+                catch {
+                    // Output not JSON
+                }
+            }
+            return true;
+        }
+        catch (e) {
+            log.info("[LIOP-Bridge] ZK-Verifier Failure:", e);
+            return false;
+        }
+    }
+    /**
+     * Connects the bridge via stdio or Mesh depending on mode.
+     */
+    async connect() {
+        // In WRAP mode, we actually need to create a LiopServer and join the mesh
+        if (this.legacyMcpServer) {
+            const { LiopServer } = await import("../server/index.js");
+            this.liopServer = new LiopServer(this.options.serverInfo || {
+                name: "liop-bridge",
+                version: "1.0.0",
+            }, { security: this.options.security });
+            if (this.options.publishToMesh) {
+                await this.liopServer.connect();
+                // Automatically Bridge Legacy Capabilities to LIOP Mesh
+                // biome-ignore lint/suspicious/noExplicitAny: Internal legacy MCP properties are completely opaque and unexported
+                const legacy = this.legacyMcpServer;
+                // 1. Sync Tools
+                if (legacy._registeredTools) {
+                    for (const [name, tool] of Object.entries(legacy._registeredTools)) {
+                        // biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure
+                        const t = tool;
+                        this.liopServer.tool(name, t.description || "", t.inputSchema || {}, 
+                        // biome-ignore lint/suspicious/noExplicitAny: Opaque legacy callback args
+                        async (args) => {
+                            return await t.handler(args);
+                        });
+                    }
+                }
+                // 2. Sync Resources
+                if (legacy._registeredResources) {
+                    for (const [uri, resource] of Object.entries(legacy._registeredResources)) {
+                        // biome-ignore lint/suspicious/noExplicitAny: Opaque legacy structure
+                        const r = resource;
+                        this.liopServer.resource(r.name, uri, r.metadata?.description || "", r.metadata?.mimeType || "application/octet-stream", async () => {
+                            const res = await r.readCallback(new URL(uri));
+                            return res.contents[0].text;
+                        });
+                    }
+                }
+            }
+            return;
+        }
+        // In EXPOSE mode, listen to stdio (Claude Desktop)
+        const readline = await import("node:readline");
+        const rl = readline.createInterface({
+            input: process.stdin,
+            output: process.stdout,
+            terminal: false,
+        });
+        const shutdown = async () => {
+            log.info("[LIOP-Bridge] Disconnecting session...");
+            if (this.liopServer)
+                await this.liopServer.close();
+            process.exit(0);
+        };
+        rl.on("close", shutdown);
+        process.on("SIGINT", shutdown);
+        process.on("SIGTERM", shutdown);
+        rl.on("line", async (line) => {
+            if (!line.trim())
+                return;
+            try {
+                const payload = JSON.parse(line);
+                const response = await this.handleJsonRpcRequest(payload);
+                if (response) {
+                    process.stdout.write(`${JSON.stringify(response)}\n`);
+                }
+            }
+            catch (e) {
+                log.error(`[LIOP-Bridge] Error: ${e.message}`);
+            }
+        });
+    }
+}
+export * from "./stream.js";

package/dist/bridge/stream.d.ts

@@ -0,0 +1,62 @@
+import type { LiopServer } from "../server/index.js";
+/**
+ * Configuration options for LiopStreamBridge.
+ */
+export interface LiopStreamBridgeOptions {
+    /** Port to listen on (default: 3000) */
+    port?: number;
+    /** Max concurrent sessions per IP (default: 5) */
+    maxSessionsPerIp?: number;
+    /** Session idle timeout in milliseconds (default: 30 min) */
+    sessionTimeoutMs?: number;
+}
+/**
+ * LiopStreamBridge
+ *
+ * Exposes a LiopServer over a remote HTTP network using the industry-standard
+ * MCP Streamable HTTP Transport + Hono JS.
+ *
+ * Supports concurrent multi-client connections via per-session transport instances (Map pattern).
+ * External agents connect using only a URL + Bearer Token (Zero-Trust).
+ *
+ * Security hardening:
+ * - Zero-Trust Bearer Token enforcement
+ * - Per-IP rate limiting on session creation
+ * - Automatic eviction of idle sessions (TTL)
+ */
+export declare class LiopStreamBridge {
+    private options;
+    private app;
+    private httpServer;
+    private bridgeLogic;
+    private activeSessions;
+    private evictionTimer;
+    private maxSessionsPerIp;
+    private sessionTimeoutMs;
+    constructor(internalServer: LiopServer, options?: LiopStreamBridgeOptions);
+    /**
+     * Creates a new per-session transport instance and wires it to the LIOPMcpBridge logic.
+     */
+    private createSessionTransport;
+    /**
+     * Returns the number of active sessions for a given IP.
+     */
+    private countSessionsByIp;
+    /**
+     * Extracts client IP from the request (supports X-Forwarded-For for reverse proxies).
+     */
+    private getClientIp;
+    /**
+     * Evicts sessions that have been idle longer than the configured timeout.
+     */
+    private evictIdleSessions;
+    private setupRoutes;
+    /**
+     * Starts the LiopStreamBridge HTTP server and session eviction timer.
+     */
+    start(port?: number): Promise<void>;
+    /**
+     * Graceful shutdown — closes all active sessions, stops timers, and releases port.
+     */
+    stop(): Promise<void>;
+}