@poncho-ai/harness 0.40.1 → 0.41.0

package/src/mcp.ts

@@ -46,6 +46,12 @@ class McpHttpError extends Error {
   }
 }
 
+class McpSessionExpiredError extends Error {
+  constructor() {
+    super("MCP session expired");
+  }
+}
+
 class StreamableHttpMcpRpcClient implements McpRpcClient {
   private readonly endpoint: string;
   private readonly timeoutMs: number;
@@ -106,6 +112,9 @@ class StreamableHttpMcpRpcClient implements McpRpcClient {
       if (response.status === 403) {
         throw new McpHttpError(403, "MCP server forbidden");
       }
+      if (response.status === 404 && this.sessionId) {
+        throw new McpSessionExpiredError();
+      }
       if (!response.ok) {
         throw new Error(`MCP HTTP request failed with status ${response.status}`);
       }
@@ -192,20 +201,32 @@ class StreamableHttpMcpRpcClient implements McpRpcClient {
   }
 
   private async request(method: string, params?: Record<string, unknown>): Promise<unknown> {
-    await this.ensureInitialized();
-    const id = this.idCounter++;
-    const payload = {
-      jsonrpc: "2.0",
-      id,
-      method,
-      params: params ?? {},
-    };
-    const payloads = await this.postMessage(payload);
-    const result = this.extractResult(payloads, id);
-    if (result.error) {
-      throw new Error(result.error.message ?? `MCP error on ${method}`);
+    for (let attempt = 0; attempt < 2; attempt++) {
+      try {
+        await this.ensureInitialized();
+        const id = this.idCounter++;
+        const payload = {
+          jsonrpc: "2.0",
+          id,
+          method,
+          params: params ?? {},
+        };
+        const payloads = await this.postMessage(payload);
+        const result = this.extractResult(payloads, id);
+        if (result.error) {
+          throw new Error(result.error.message ?? `MCP error on ${method}`);
+        }
+        return result.result;
+      } catch (error) {
+        if (error instanceof McpSessionExpiredError && attempt === 0) {
+          this.sessionId = undefined;
+          this.initialized = false;
+          continue;
+        }
+        throw error;
+      }
     }
-    return result.result;
+    throw new Error(`MCP request to ${method} failed after session retry`);
   }
 
   private async ensureInitialized(): Promise<void> {
@@ -270,6 +291,16 @@ class StreamableHttpMcpRpcClient implements McpRpcClient {
   }
 }
 
+interface CachedTenantClient {
+  client: StreamableHttpMcpRpcClient;
+  token: string;
+  lastUsed: number;
+}
+
+const TENANT_CLIENT_TTL_MS = 15 * 60 * 1000;
+const tenantClientKey = (serverName: string, tenantId: string): string =>
+  `${serverName}\0${tenantId}`;
+
 export class LocalMcpBridge {
   private readonly remoteServers: RemoteMcpServerConfig[];
   private readonly rpcClients = new Map<string, McpRpcClient>();
@@ -277,6 +308,18 @@ export class LocalMcpBridge {
   private readonly unavailableServers = new Map<string, string>();
   private readonly authFailedServers = new Set<string>();
   private envResolver?: (tenantId: string | undefined, envName: string) => Promise<string | undefined>;
+  /**
+   * Per-tenant MCP client cache. For consumer/SaaS deployments where every
+   * call resolves a different bearer token, building a fresh
+   * `StreamableHttpMcpRpcClient` per call would force a fresh `initialize`
+   * round-trip every time. We keep one client per `(serverName, tenantId)`
+   * with TTL-based idle eviction; on token rotation we evict the entry
+   * lazily and rebuild.
+   */
+  private readonly tenantClients = new Map<string, CachedTenantClient>();
+  /** Test/observability hook: bumped every time a new tenant client is constructed. */
+  tenantClientConstructions = 0;
+  private readonly tenantClientTtlMs: number;
 
   /**
    * Set a resolver for per-tenant env vars (e.g. MCP auth tokens).
@@ -286,7 +329,8 @@ export class LocalMcpBridge {
     this.envResolver = resolver;
   }
 
-  constructor(config: McpConfig | undefined) {
+  constructor(config: McpConfig | undefined, options?: { tenantClientTtlMs?: number }) {
+    this.tenantClientTtlMs = options?.tenantClientTtlMs ?? TENANT_CLIENT_TTL_MS;
     this.remoteServers = (config?.mcp ?? []).filter((entry): entry is RemoteMcpServerConfig =>
       typeof entry.url === "string",
     );
@@ -477,6 +521,43 @@ export class LocalMcpBridge {
       await client.close();
     }
     this.rpcClients.clear();
+    for (const [, entry] of this.tenantClients) {
+      await entry.client.close();
+    }
+    this.tenantClients.clear();
+  }
+
+  private getOrCreateTenantClient(
+    serverName: string,
+    tenantId: string,
+    token: string,
+    server: RemoteMcpServerConfig,
+  ): StreamableHttpMcpRpcClient {
+    const key = tenantClientKey(serverName, tenantId);
+    const now = Date.now();
+    // Lazily evict idle entries on access — no background timer needed.
+    const existing = this.tenantClients.get(key);
+    if (existing) {
+      const idle = now - existing.lastUsed > this.tenantClientTtlMs;
+      const tokenChanged = existing.token !== token;
+      if (idle || tokenChanged) {
+        // Best-effort close; the new client supersedes it.
+        void existing.client.close();
+        this.tenantClients.delete(key);
+      } else {
+        existing.lastUsed = now;
+        return existing.client;
+      }
+    }
+    const client = new StreamableHttpMcpRpcClient(
+      server.url,
+      server.timeoutMs ?? 10_000,
+      token,
+      server.headers,
+    );
+    this.tenantClients.set(key, { client, token, lastUsed: now });
+    this.tenantClientConstructions += 1;
+    return client;
   }
 
   listServers(): RemoteMcpServerConfig[] {
@@ -617,20 +698,18 @@ export class LocalMcpBridge {
       handler: async (input, context) => {
         try {
           // Per-tenant token resolution: if we have a resolver and the server uses tokenEnv,
-          // create a per-request client with the tenant-specific token
+          // resolve the tenant token and reuse a cached per-tenant client when present.
           const tokenEnv = server?.auth?.tokenEnv;
-          let callClient = client;
-          if (tokenEnv && this.envResolver && context?.tenantId) {
+          let callClient: McpRpcClient = client;
+          if (tokenEnv && this.envResolver && context?.tenantId && server) {
             const tenantToken = await this.envResolver(context.tenantId, tokenEnv);
             const defaultToken = process.env[tokenEnv];
-            // Only create a per-request client when the tenant has a different token.
-            // Using the original client preserves the established MCP session.
             if (tenantToken && tenantToken !== defaultToken) {
-              callClient = new StreamableHttpMcpRpcClient(
-                server.url,
-                server.timeoutMs ?? 10_000,
+              callClient = this.getOrCreateTenantClient(
+                serverName,
+                context.tenantId,
                 tenantToken,
-                server.headers,
+                server,
               );
             }
           }

package/src/storage/engine.ts

@@ -33,6 +33,8 @@ export interface VfsDirEntry {
 // ---------------------------------------------------------------------------
 
 export interface StorageEngine {
+  /** Partition key: every read/write is scoped to this agent id. */
+  readonly agentId: string;
   /** Run migrations and prepare the storage backend. */
   initialize(): Promise<void>;
   /** Gracefully release resources. */

package/src/storage/memory-engine.ts

@@ -55,7 +55,7 @@ const vfsKey = (tenantId: string, path: string) => `${tenantId}\0${path}`;
 // ---------------------------------------------------------------------------
 
 export class InMemoryEngine implements StorageEngine {
-  private readonly agentId: string;
+  readonly agentId: string;
 
   // Conversation data
   private convs = new Map<string, Conversation>();

package/src/storage/sql-dialect.ts

@@ -191,7 +191,7 @@ const colBytes = (v: unknown): number => {
 
 export abstract class SqlStorageEngine implements StorageEngine {
   protected readonly dialect: Dialect;
-  protected readonly agentId: string;
+  readonly agentId: string;
   protected abstract readonly executor: QueryExecutor;
   protected readonly egressMeter = new ConversationEgressMeter();
 

package/test/harness-config-injection.test.ts

@@ -0,0 +1,63 @@
+import { mkdtemp, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { describe, expect, it } from "vitest";
+import { AgentHarness } from "../src/harness.js";
+import type { PonchoConfig } from "../src/config.js";
+
+const AGENT_MD = `---
+name: config-inject-agent
+model:
+  provider: anthropic
+  name: claude-opus-4-5
+---
+
+# Config injection test
+`;
+
+describe("HarnessOptions.config injection (PR 2)", () => {
+  it("uses an injected PonchoConfig instead of reading poncho.config.js from disk", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "poncho-cfg-injected-"));
+    try {
+      await writeFile(join(dir, "AGENT.md"), AGENT_MD, "utf8");
+      // Deliberately do NOT write a poncho.config.js — the injected
+      // config should be used end-to-end.
+      const config: PonchoConfig = {
+        tools: { web_search: false },
+        storage: { provider: "memory" },
+      };
+
+      const harness = new AgentHarness({ workingDir: dir, config });
+      await harness.initialize();
+
+      const names = harness.listTools().map((t) => t.name);
+      // web_search was disabled in the injected config; bash is a default
+      // built-in that should still be registered.
+      expect(names).not.toContain("web_search");
+      expect(names).toContain("bash");
+    } finally {
+      await rm(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("disk-loaded behaviour is unchanged when no config option is provided", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "poncho-cfg-disk-"));
+    try {
+      await writeFile(join(dir, "AGENT.md"), AGENT_MD, "utf8");
+      // Write a poncho.config.js that disables a tool — proves loadPonchoConfig
+      // ran (otherwise web_search would be present).
+      await writeFile(
+        join(dir, "poncho.config.js"),
+        "export default { tools: { web_search: false }, storage: { provider: 'memory' } };\n",
+        "utf8",
+      );
+      const harness = new AgentHarness({ workingDir: dir });
+      await harness.initialize();
+      const names = harness.listTools().map((t) => t.name);
+      expect(names).not.toContain("web_search");
+      expect(names).toContain("bash");
+    } finally {
+      await rm(dir, { recursive: true, force: true });
+    }
+  });
+});

package/test/harness-injection.test.ts

@@ -0,0 +1,93 @@
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { describe, expect, it } from "vitest";
+import { AgentHarness } from "../src/harness.js";
+import { InMemoryEngine } from "../src/storage/memory-engine.js";
+
+const AGENT_MD = `---
+name: injected-agent
+model:
+  provider: anthropic
+  name: claude-opus-4-5
+---
+
+# Injected agent
+
+You are a test agent.
+`;
+
+describe("HarnessOptions injection (PR 1)", () => {
+  it("initializes without an AGENT.md on disk when agentDefinition + storageEngine are provided", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "poncho-injection-"));
+    try {
+      const engine = new InMemoryEngine("user-123");
+      const harness = new AgentHarness({
+        workingDir: dir,
+        agentDefinition: AGENT_MD,
+        storageEngine: engine,
+      });
+      await expect(harness.initialize()).resolves.toBeUndefined();
+      // No AGENT.md was written into `dir` — confirm initialize ran from
+      // injected content alone.
+      expect(harness.frontmatter?.name).toBe("injected-agent");
+    } finally {
+      await rm(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("mirrors storageEngine.agentId onto frontmatter.id on the injected path", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "poncho-injection-id-"));
+    try {
+      const engine = new InMemoryEngine("user-456");
+      const harness = new AgentHarness({
+        workingDir: dir,
+        agentDefinition: AGENT_MD,
+        storageEngine: engine,
+      });
+      await harness.initialize();
+      expect(harness.frontmatter?.id).toBe("user-456");
+    } finally {
+      await rm(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("accepts a pre-parsed ParsedAgent as agentDefinition", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "poncho-injection-parsed-"));
+    try {
+      const engine = new InMemoryEngine("user-789");
+      const parsed = {
+        frontmatter: {
+          name: "preparsed-agent",
+          model: { provider: "anthropic" as const, name: "claude-opus-4-5" },
+        },
+        body: "# Pre-parsed agent\n",
+      };
+      const harness = new AgentHarness({
+        workingDir: dir,
+        agentDefinition: parsed,
+        storageEngine: engine,
+      });
+      await harness.initialize();
+      expect(harness.frontmatter?.name).toBe("preparsed-agent");
+      expect(harness.frontmatter?.id).toBe("user-789");
+    } finally {
+      await rm(dir, { recursive: true, force: true });
+    }
+  });
+
+  it("throws when agentDefinition is provided without storageEngine", () => {
+    expect(
+      () =>
+        new AgentHarness({
+          agentDefinition: AGENT_MD,
+        }),
+    ).toThrow(/agentDefinition requires HarnessOptions\.storageEngine/);
+  });
+
+  it("falls back to disk path when neither agentDefinition nor storageEngine is provided (existing behaviour unchanged)", async () => {
+    // This is implicitly covered by every other test in harness.test.ts —
+    // we simply assert that the constructor accepts no injection options.
+    expect(() => new AgentHarness({ workingDir: tmpdir() })).not.toThrow();
+  });
+});

package/test/mcp-tenant-cache.test.ts

@@ -0,0 +1,311 @@
+import { createServer } from "node:http";
+import type { AddressInfo } from "node:net";
+import { describe, expect, it } from "vitest";
+import type { ToolContext } from "@poncho-ai/sdk";
+import { LocalMcpBridge } from "../src/mcp.js";
+
+interface ServerHandle {
+  port: number;
+  initializeCount: number;
+  shutdown: () => Promise<void>;
+  observedAuthHeaders: string[];
+}
+
+async function startMockMcpServer(): Promise<ServerHandle> {
+  const observedAuthHeaders: string[] = [];
+  let initializeCount = 0;
+  let sessionCounter = 0;
+  const server = createServer(async (req, res) => {
+    if (req.method === "DELETE") {
+      res.statusCode = 200;
+      res.end();
+      return;
+    }
+    const auth = req.headers.authorization;
+    if (auth) observedAuthHeaders.push(auth);
+    const chunks: Buffer[] = [];
+    for await (const chunk of req) chunks.push(Buffer.from(chunk));
+    const body = Buffer.concat(chunks).toString("utf8");
+    const payload = body.trim().length > 0 ? (JSON.parse(body) as any) : {};
+    if (payload.method === "initialize") {
+      initializeCount += 1;
+      sessionCounter += 1;
+      res.setHeader("Content-Type", "application/json");
+      res.setHeader("Mcp-Session-Id", `s_${sessionCounter}`);
+      res.end(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          id: payload.id,
+          result: {
+            protocolVersion: "2025-03-26",
+            capabilities: { tools: { listChanged: true } },
+            serverInfo: { name: "remote", version: "1.0.0" },
+          },
+        }),
+      );
+      return;
+    }
+    if (payload.method === "notifications/initialized") {
+      res.statusCode = 202;
+      res.end();
+      return;
+    }
+    if (payload.method === "tools/list") {
+      res.setHeader("Content-Type", "application/json");
+      res.end(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          id: payload.id,
+          result: {
+            tools: [
+              {
+                name: "ping",
+                inputSchema: {
+                  type: "object",
+                  properties: { value: { type: "string" } },
+                },
+              },
+            ],
+          },
+        }),
+      );
+      return;
+    }
+    if (payload.method === "tools/call") {
+      res.setHeader("Content-Type", "application/json");
+      res.end(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          id: payload.id,
+          result: { result: { echoed: payload.params?.arguments?.value ?? "" } },
+        }),
+      );
+      return;
+    }
+    res.statusCode = 404;
+    res.end();
+  });
+  await new Promise<void>((r) => server.listen(0, () => r()));
+  const address = server.address() as AddressInfo;
+  return {
+    port: address.port,
+    get initializeCount() {
+      return initializeCount;
+    },
+    observedAuthHeaders,
+    shutdown: () => new Promise<void>((r) => server.close(() => r())),
+  };
+}
+
+const stubContext = (tenantId: string): ToolContext => ({
+  agentId: "agent",
+  runId: "run",
+  step: 1,
+  workingDir: process.cwd(),
+  parameters: {},
+  tenantId,
+});
+
+describe("LocalMcpBridge per-tenant client cache (PR 3)", () => {
+  it("reuses the same StreamableHttpMcpRpcClient across calls from the same tenant", async () => {
+    process.env.LINEAR_TOKEN = "default-token";
+    const server = await startMockMcpServer();
+    try {
+      const bridge = new LocalMcpBridge({
+        mcp: [
+          {
+            name: "remote",
+            url: `http://127.0.0.1:${server.port}/mcp`,
+            auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" },
+          },
+        ],
+      });
+      bridge.setEnvResolver(async (tenantId, envName) => {
+        if (envName !== "LINEAR_TOKEN") return undefined;
+        return tenantId === "tenant-A" ? "token-A" : undefined;
+      });
+      await bridge.startLocalServers();
+      await bridge.discoverTools();
+      const tools = await bridge.loadTools(["remote/ping"]);
+      const tool = tools.find((t) => t.name === "remote/ping")!;
+
+      const constructionsBefore = bridge.tenantClientConstructions;
+      await tool.handler({ value: "1" }, stubContext("tenant-A"));
+      await tool.handler({ value: "2" }, stubContext("tenant-A"));
+      await tool.handler({ value: "3" }, stubContext("tenant-A"));
+
+      // One construction for tenant-A; subsequent calls reuse it.
+      expect(bridge.tenantClientConstructions - constructionsBefore).toBe(1);
+      // The mock server saw a single initialize for the per-tenant client
+      // (in addition to the initial discovery initialize).
+      const tenantInits = server.observedAuthHeaders.filter(
+        (h) => h === "Bearer token-A",
+      ).length;
+      // initialize + notifications/initialized + 3x tools/call = 5 requests
+      // with token-A; only one initialize.
+      expect(tenantInits).toBeGreaterThanOrEqual(4);
+
+      await bridge.stopLocalServers();
+    } finally {
+      await server.shutdown();
+    }
+  });
+
+  it("uses different cached clients for different tenants", async () => {
+    process.env.LINEAR_TOKEN = "default-token";
+    const server = await startMockMcpServer();
+    try {
+      const bridge = new LocalMcpBridge({
+        mcp: [
+          {
+            name: "remote",
+            url: `http://127.0.0.1:${server.port}/mcp`,
+            auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" },
+          },
+        ],
+      });
+      bridge.setEnvResolver(async (tenantId, envName) => {
+        if (envName !== "LINEAR_TOKEN") return undefined;
+        if (tenantId === "tenant-A") return "token-A";
+        if (tenantId === "tenant-B") return "token-B";
+        return undefined;
+      });
+      await bridge.startLocalServers();
+      await bridge.discoverTools();
+      const tools = await bridge.loadTools(["remote/ping"]);
+      const tool = tools.find((t) => t.name === "remote/ping")!;
+
+      const constructionsBefore = bridge.tenantClientConstructions;
+      await tool.handler({ value: "a1" }, stubContext("tenant-A"));
+      await tool.handler({ value: "b1" }, stubContext("tenant-B"));
+      await tool.handler({ value: "a2" }, stubContext("tenant-A"));
+      await tool.handler({ value: "b2" }, stubContext("tenant-B"));
+
+      // One construction per tenant, then reuse.
+      expect(bridge.tenantClientConstructions - constructionsBefore).toBe(2);
+
+      await bridge.stopLocalServers();
+    } finally {
+      await server.shutdown();
+    }
+  });
+
+  it("rebuilds the cached client when the tenant's token changes", async () => {
+    process.env.LINEAR_TOKEN = "default-token";
+    const server = await startMockMcpServer();
+    try {
+      const bridge = new LocalMcpBridge({
+        mcp: [
+          {
+            name: "remote",
+            url: `http://127.0.0.1:${server.port}/mcp`,
+            auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" },
+          },
+        ],
+      });
+      let currentToken = "token-v1";
+      bridge.setEnvResolver(async (tenantId, envName) => {
+        if (envName !== "LINEAR_TOKEN" || tenantId !== "tenant-A") return undefined;
+        return currentToken;
+      });
+      await bridge.startLocalServers();
+      await bridge.discoverTools();
+      const tools = await bridge.loadTools(["remote/ping"]);
+      const tool = tools.find((t) => t.name === "remote/ping")!;
+
+      const constructionsBefore = bridge.tenantClientConstructions;
+      await tool.handler({ value: "1" }, stubContext("tenant-A"));
+      // Rotate the user's token — next call should rebuild the client.
+      currentToken = "token-v2";
+      await tool.handler({ value: "2" }, stubContext("tenant-A"));
+      await tool.handler({ value: "3" }, stubContext("tenant-A"));
+
+      // 1 build for v1, 1 build for v2; the v2 build is reused for the 3rd call.
+      expect(bridge.tenantClientConstructions - constructionsBefore).toBe(2);
+
+      await bridge.stopLocalServers();
+    } finally {
+      await server.shutdown();
+    }
+  });
+
+  it("evicts cached clients after the configured idle TTL", async () => {
+    process.env.LINEAR_TOKEN = "default-token";
+    const server = await startMockMcpServer();
+    try {
+      const bridge = new LocalMcpBridge(
+        {
+          mcp: [
+            {
+              name: "remote",
+              url: `http://127.0.0.1:${server.port}/mcp`,
+              auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" },
+            },
+          ],
+        },
+        { tenantClientTtlMs: 10 }, // very short TTL for the test
+      );
+      bridge.setEnvResolver(async (tenantId, envName) => {
+        if (envName !== "LINEAR_TOKEN") return undefined;
+        return tenantId === "tenant-A" ? "token-A" : undefined;
+      });
+      await bridge.startLocalServers();
+      await bridge.discoverTools();
+      const tools = await bridge.loadTools(["remote/ping"]);
+      const tool = tools.find((t) => t.name === "remote/ping")!;
+
+      const constructionsBefore = bridge.tenantClientConstructions;
+      await tool.handler({ value: "1" }, stubContext("tenant-A"));
+      // Sleep beyond TTL, then call again — should evict + rebuild.
+      await new Promise((r) => setTimeout(r, 30));
+      await tool.handler({ value: "2" }, stubContext("tenant-A"));
+      expect(bridge.tenantClientConstructions - constructionsBefore).toBe(2);
+
+      await bridge.stopLocalServers();
+    } finally {
+      await server.shutdown();
+    }
+  });
+
+  it("closes cached tenant clients on stopLocalServers()", async () => {
+    process.env.LINEAR_TOKEN = "default-token";
+    const server = await startMockMcpServer();
+    try {
+      const bridge = new LocalMcpBridge({
+        mcp: [
+          {
+            name: "remote",
+            url: `http://127.0.0.1:${server.port}/mcp`,
+            auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" },
+          },
+        ],
+      });
+      bridge.setEnvResolver(async (tenantId, envName) => {
+        if (envName !== "LINEAR_TOKEN") return undefined;
+        return tenantId === "tenant-A" ? "token-A" : undefined;
+      });
+      await bridge.startLocalServers();
+      await bridge.discoverTools();
+      const tools = await bridge.loadTools(["remote/ping"]);
+      const tool = tools.find((t) => t.name === "remote/ping")!;
+      await tool.handler({ value: "1" }, stubContext("tenant-A"));
+
+      // Before stop: cache has one entry.
+      // After stop: should be empty (and a subsequent call would rebuild).
+      await bridge.stopLocalServers();
+
+      // Re-run discovery to bring servers back up — verify cache rebuilds.
+      await bridge.startLocalServers();
+      await bridge.discoverTools();
+      const tools2 = await bridge.loadTools(["remote/ping"]);
+      const tool2 = tools2.find((t) => t.name === "remote/ping")!;
+      const constructionsBefore = bridge.tenantClientConstructions;
+      await tool2.handler({ value: "post-stop" }, stubContext("tenant-A"));
+      expect(bridge.tenantClientConstructions - constructionsBefore).toBe(1);
+
+      await bridge.stopLocalServers();
+    } finally {
+      await server.shutdown();
+    }
+  });
+});