@silver886/mcp-proxy 0.1.4 → 0.2.0

package/README.md

@@ -71,13 +71,24 @@ Add the proxy as a stdio MCP server. The client launches it automatically.
 
 ### 3. Pair
 
-When the MCP client spawns the proxy, the proxy prints a setup URL to stderr:
+The proxy starts idle. Ask your MCP client to call the `configure` tool (or
+prompt) — the proxy then spins up an ephemeral pairing tunnel that serves
+both the setup page and the pairing API on the same origin, and prints a
+setup URL to stderr:
 
 ```
-Configure at: https://mcp-proxy.pages.dev/setup.html#code=...&key=...
+Configure at: https://abc-xyz.trycloudflare.com/#token=...
 ```
 
-Open the URL in a browser. Enter the tunnel URL and auth token from step 1, discover servers, and select tools. The proxy picks up the config automatically and starts forwarding MCP requests.
+Open the URL in a browser. Add one or more host agents — each row takes a
+host id (a slug you choose), tunnel URL, and auth token — discover servers,
+and select tools. The proxy applies the config and tears down the pairing
+tunnel automatically.
+
+A single proxy can fan out to multiple hosts at once. Tools are namespaced
+as `<hostId>__<serverName>__<toolName>` so the same server name can appear
+on more than one host without collision. (The host agent itself stays
+single-proxy, in line with MCP's one-server-one-client model.)
 
 ## Architecture
 
@@ -85,21 +96,36 @@ Open the URL in a browser. Enter the tunnel URL and auth token from step 1, disc
 
 | Component | Role | Runs on |
 |-----------|------|---------|
-| **Host Agent** (`host`) | HTTP-to-stdio bridge. Spawns MCP servers, manages sessions, serves MCP Streamable HTTP. | Machine with resources |
-| **Proxy Server** (`proxy`) | Stdio MCP server that forwards requests to the host agent via tunnel. | Machine with MCP client |
-| **Config Page** (Cloudflare Pages) | Device-code pairing. Stores encrypted config in KV with 15-min TTL. | Cloudflare edge |
+| **Host Agent** (`host`) | HTTP-to-stdio bridge. Spawns MCP servers, manages sessions, serves MCP Streamable HTTP over a long-lived Cloudflare tunnel. | Machine with resources |
+| **Proxy Server** (`proxy`) | Stdio MCP server. Idle at startup; on `configure` it spins up an ephemeral pairing tunnel via the bundled wrapper, serves the setup page on that same tunnel, accepts the pairing handshake, then talks to the host's tunnel for ongoing MCP traffic. | Machine with MCP client |
 
-### Pairing flow
+### Pairing flow (lazy-start, single-origin)
 
 ```
-1. MCP client spawns the proxy (stdio)
-2. Proxy generates pairing code + encryption key, polls Pages RPC
-3. User opens setup URL in browser (code + key in URL hash, never sent to server)
-4. User enters tunnel URL + auth token, discovers servers, selects tools
-5. Setup page encrypts config client-side, stores ciphertext in KV via RPC
-6. Proxy polls, decrypts config, discovers servers, starts forwarding
+1. MCP client spawns the proxy (stdio). Proxy is idle — no tunnel, no polling.
+2. Agent calls the `configure` tool. Proxy spawns a Node wrapper that owns
+   a `cloudflared` quick tunnel pointing at a local pairing HTTP server.
+   That HTTP server serves both the setup page (GET /) and the pairing API
+   (POST /pair/forward, POST /pair/complete) on the same origin.
+3. Wrapper prints the tunnel URL. Proxy mints a bearer token and emits a
+   setup URL — `<tunnel>/#token=<token>`. Token rides in the URL fragment
+   so it never appears in server access logs or Referer headers.
+4. User opens the setup URL. The page is served by the proxy itself, so
+   browser fetches to the pairing API are same-origin — no CORS dance.
+   Pairing endpoints are gated by the bearer token.
+5. Through the pairing API, the page discovers servers and tools on each
+   configured host's MCP tunnel, then submits the final configuration
+   (a list of hosts plus the selected tools).
+6. Proxy applies the config, signals the wrapper to tear down `cloudflared`,
+   and shuts the pairing HTTP server. From here on the proxy talks only to
+   the host's long-lived MCP tunnel — no public infrastructure, no polling.
 ```
 
+The wrapper guarantees `cloudflared` cannot outlive the proxy. When the
+proxy exits (or the wrapper sees stdin EOF), the wrapper kills the
+`cloudflared` child immediately. Detection latency is 0ms on
+Linux, macOS, and Windows.
+
 ### Protocol
 
 - **Client <-> Proxy**: stdio (JSON-RPC, newline-delimited)
@@ -151,12 +177,31 @@ host [options]
 **Proxy server:**
 
 ```
-proxy [options]
-
---pages-url <url>   Config page URL (default: https://mcp-proxy.pages.dev)
+proxy
 ```
 
-Also reads `MCP_PROXY_PAGES_URL` environment variable.
+The proxy takes no flags. The setup page is bundled with the npm package
+and served by the proxy itself on the ephemeral pairing tunnel — there's
+no external infrastructure to point at and no env vars to configure.
+
+The pairing handshake runs entirely between the browser and the proxy's
+ephemeral pairing tunnel, gated by a bearer token from the URL fragment.
+
+Server names exposed by the host agent — and host ids you assign during
+pairing — must match `[A-Za-z0-9._-]+` so they stay safe inside URLs and
+the proxy's tool-name routing. Names that violate the policy are rejected
+at host startup or pairing time.
+
+### Server-initiated requests
+
+The proxy fully bridges server→client requests (sampling, elicitation,
+roots/list, ping, …). When an upstream MCP server sends a request over its
+SSE notification channel, the proxy remaps the request id, forwards it to
+the MCP client, and routes the client's response back to the originating
+host session with the original id restored. The real client's
+`capabilities` are forwarded to each upstream server during initialize so
+servers see the actual feature support rather than an empty capabilities
+object.
 
 ## Error codes
 

package/dist/host/agent.d.ts

@@ -0,0 +1,22 @@
+export declare class HostAgent {
+    private config;
+    private sessions;
+    private timeout;
+    private authToken;
+    private gcTimer;
+    private server;
+    private boundHost;
+    private boundPort;
+    constructor(configPath: string, timeout: number, overrides?: {
+        host?: string;
+        port?: number;
+    });
+    get port(): number;
+    start(): Promise<void>;
+    shutdown(): void;
+    private sweepIdleSessions;
+    private handleRequest;
+    private authorized;
+    private handleMcpPost;
+    private handleSse;
+}

package/dist/host/agent.js

@@ -0,0 +1,314 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.HostAgent = void 0;
+const node_crypto_1 = require("node:crypto");
+const node_fs_1 = require("node:fs");
+const protocol_js_1 = require("../shared/protocol.js");
+const constants_js_1 = require("./constants.js");
+const session_js_1 = require("./session.js");
+function sendSessionMismatchError(res, session, serverName) {
+    res.writeHead(400, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: `Session belongs to server '${session.serverName}', not '${serverName}'` }));
+}
+// HTTP-to-stdio bridge. Owns the session map, handles the auth check, and
+// dispatches by method:
+//   GET /                 — list available servers (proxy discovery)
+//   POST /servers/:name   — JSON-RPC request (initialize spawns a session;
+//                           anything else against an unknown id is rejected
+//                           with 404 + JSON error so the proxy can re-init)
+//   GET /servers/:name    — SSE stream for that session's notifications
+//   DELETE /servers/:name — explicit session close
+class HostAgent {
+    config;
+    sessions = new Map();
+    timeout;
+    authToken;
+    gcTimer = null;
+    server = null;
+    boundHost;
+    boundPort;
+    constructor(configPath, timeout, overrides) {
+        const raw = (0, node_fs_1.readFileSync)(configPath, "utf-8");
+        this.config = JSON.parse(raw);
+        this.timeout = timeout;
+        this.authToken = (0, node_crypto_1.randomBytes)(32).toString("base64url"); // 256-bit token
+        this.boundHost = overrides?.host ?? this.config.host ?? protocol_js_1.DEFAULT_HOST;
+        // port 0 = let the OS pick. Resolved to the real bound port in start().
+        this.boundPort = overrides?.port ?? this.config.port ?? protocol_js_1.DEFAULT_PORT;
+        // Reject server names that the proxy/page would silently drop later.
+        // Authoritative at config-load time so misnamed servers surface as a
+        // startup error instead of disappearing during discovery.
+        const invalid = [];
+        for (const name of Object.keys(this.config.servers)) {
+            const reason = (0, protocol_js_1.validateServerName)(name);
+            if (reason)
+                invalid.push(`  - "${name}": ${reason}`);
+        }
+        if (invalid.length > 0) {
+            throw new Error(`Invalid server name(s) in ${configPath}:\n${invalid.join("\n")}\n` +
+                `Rename the entries in config.json so they match the policy.`);
+        }
+    }
+    get port() {
+        return this.boundPort;
+    }
+    // Resolves once the listener is bound. Tunnel mode passes port 0 and
+    // needs the real port back before it can start cloudflared, so callers
+    // must await this rather than racing the synchronous return.
+    //
+    // On a bind failure (EADDRINUSE, EACCES, …) we tear down everything we
+    // installed before rejecting: the GC interval, the listener reference,
+    // and any half-open server. Without this cleanup, a caller that catches
+    // the rejection and discards the agent leaks a running interval and a
+    // dangling server reference until process exit — invisible to the CLI
+    // (which just process.exits) but a real leak for library/test usage.
+    start() {
+        return new Promise((resolveP, rejectP) => {
+            const srv = (0, protocol_js_1.createServer)((req, res) => this.handleRequest(req, res));
+            this.server = srv;
+            this.gcTimer = setInterval(() => this.sweepIdleSessions(), constants_js_1.SESSION_GC_INTERVAL_MS);
+            const onError = (err) => {
+                if (this.gcTimer) {
+                    clearInterval(this.gcTimer);
+                    this.gcTimer = null;
+                }
+                this.server = null;
+                try {
+                    srv.close();
+                }
+                catch { /* never bound */ }
+                rejectP(err);
+            };
+            srv.once("error", onError);
+            srv.listen(this.boundPort, this.boundHost, () => {
+                const addr = srv.address();
+                if (addr && typeof addr === "object")
+                    this.boundPort = addr.port;
+                console.log(`MCP Host Agent listening on http://${this.boundHost}:${this.boundPort}`);
+                console.log(`Available servers: ${Object.keys(this.config.servers).join(", ")}`);
+                console.error(`Auth token: ${this.authToken}`);
+                srv.off("error", onError);
+                resolveP();
+            });
+        });
+    }
+    // Stop the GC timer, tear down every active session, and release the HTTP
+    // listener. Safe to call more than once. The listener close is what
+    // matters for library users — the CLI path immediately process.exits, but
+    // an embedder that re-creates the agent (tests, hot-reload, etc.) would
+    // otherwise leak the bound port. closeAllConnections() is required because
+    // the SSE handler keeps long-lived responses open; close() alone would
+    // wait for them to drain naturally and never resolve.
+    shutdown() {
+        if (this.gcTimer) {
+            clearInterval(this.gcTimer);
+            this.gcTimer = null;
+        }
+        for (const [id, session] of this.sessions) {
+            session.destroy();
+            this.sessions.delete(id);
+        }
+        if (this.server) {
+            const srv = this.server;
+            this.server = null;
+            srv.closeAllConnections();
+            srv.close();
+        }
+    }
+    sweepIdleSessions() {
+        const now = Date.now();
+        for (const [id, session] of this.sessions) {
+            if (!session.isAlive) {
+                this.sessions.delete(id);
+                continue;
+            }
+            if (now - session.lastActivity > constants_js_1.SESSION_IDLE_TIMEOUT_MS) {
+                console.log(`[${session.serverName}] Idle session ${id} closed after ${constants_js_1.SESSION_IDLE_TIMEOUT_MS}ms`);
+                session.destroy();
+                this.sessions.delete(id);
+            }
+        }
+    }
+    async handleRequest(req, res) {
+        if (!this.authorized(req)) {
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Unauthorized" }));
+            return;
+        }
+        // Parse once so the route check ignores the query string and we can
+        // anchor on pathname — `/servers/foo/extra` must 404, not silently
+        // route to `foo` (the proxy's forwarder rejects it, so accepting it
+        // here would create a contract mismatch).
+        const { pathname } = new URL(req.url ?? "/", "http://h");
+        if (req.method === "GET" && pathname === "/") {
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({
+                service: "mcp-proxy-host",
+                servers: Object.keys(this.config.servers),
+            }));
+            return;
+        }
+        const match = pathname.match(/^\/servers\/([^/]+)$/);
+        if (!match) {
+            res.writeHead(404, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ error: "Not found. Use /servers/<name>" }));
+            return;
+        }
+        const serverName = match[1];
+        const serverConfig = this.config.servers[serverName];
+        if (!serverConfig) {
+            res.writeHead(404, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({
+                error: `Unknown server: ${serverName}`,
+                available: Object.keys(this.config.servers),
+            }));
+            return;
+        }
+        if (req.method === "POST") {
+            await this.handleMcpPost(req, res, serverName, serverConfig);
+            return;
+        }
+        if (req.method === "GET") {
+            this.handleSse(req, res, serverName);
+            return;
+        }
+        if (req.method === "DELETE") {
+            const sessionId = req.headers["mcp-session-id"];
+            if (sessionId && this.sessions.has(sessionId)) {
+                const session = this.sessions.get(sessionId);
+                if (session.serverName !== serverName) {
+                    sendSessionMismatchError(res, session, serverName);
+                    return;
+                }
+                session.destroy();
+                this.sessions.delete(sessionId);
+            }
+            res.writeHead(200, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({ ok: true }));
+            return;
+        }
+        res.writeHead(405);
+        res.end();
+    }
+    authorized(req) {
+        const auth = req.headers.authorization ?? "";
+        const expected = `Bearer ${this.authToken}`;
+        const authBuf = Buffer.from(auth);
+        const expectedBuf = Buffer.from(expected);
+        return authBuf.length === expectedBuf.length && (0, node_crypto_1.timingSafeEqual)(authBuf, expectedBuf);
+    }
+    async handleMcpPost(req, res, serverName, serverConfig) {
+        const body = await (0, protocol_js_1.readBody)(req);
+        const headerSessionId = req.headers["mcp-session-id"];
+        // Peek the JSON-RPC method without consuming the body. Only `initialize`
+        // may run without an existing session — anything else against an
+        // unknown id is stale (post-GC, post-restart) or wrong, and silently
+        // spawning a fresh uninitialized child for it would violate the MCP
+        // handshake.
+        let method;
+        try {
+            method = JSON.parse(body).method;
+        }
+        catch {
+            // Unparseable body falls through as non-initialize → 404 below.
+        }
+        const isInitialize = method === "initialize";
+        let existing;
+        if (headerSessionId) {
+            existing = this.sessions.get(headerSessionId);
+            if (existing) {
+                if (existing.serverName !== serverName) {
+                    sendSessionMismatchError(res, existing, serverName);
+                    return;
+                }
+                if (!existing.isAlive) {
+                    // Reaped under us — drop the dead entry; treat as no session.
+                    this.sessions.delete(headerSessionId);
+                    existing = undefined;
+                }
+            }
+        }
+        let session;
+        let activeSessionId;
+        if (existing && headerSessionId) {
+            session = existing;
+            activeSessionId = headerSessionId;
+        }
+        else {
+            if (!isInitialize) {
+                // Mirror handleSse: refuse to bind work to an id we don't know.
+                // The proxy is expected to re-`initialize` and retry on this 404.
+                res.writeHead(404, { "Content-Type": "application/json" });
+                res.end(JSON.stringify({
+                    error: headerSessionId
+                        ? `Unknown session: ${headerSessionId}`
+                        : "Mcp-Session-Id header required",
+                }));
+                return;
+            }
+            activeSessionId = (0, node_crypto_1.randomBytes)(16).toString("hex");
+            session = new session_js_1.McpSession(serverName, serverConfig, this.timeout);
+            this.sessions.set(activeSessionId, session);
+        }
+        const response = await session.sendRequest(body);
+        if (!response) {
+            // Client notification — no response body
+            res.writeHead(202, { "Mcp-Session-Id": activeSessionId });
+            res.end();
+            return;
+        }
+        res.writeHead(200, {
+            "Content-Type": "application/json",
+            "Mcp-Session-Id": activeSessionId,
+        });
+        res.end(response);
+    }
+    handleSse(req, res, serverName) {
+        const sessionId = req.headers["mcp-session-id"];
+        const session = sessionId ? this.sessions.get(sessionId) : undefined;
+        // Reject SSE attaches that do not point at a live session for this
+        // server. Returning 200 with an empty stream would let the proxy sit
+        // on a dead pipe forever instead of reconnecting to a fresh session
+        // id — the drain interval below would close the stream on its first
+        // tick once it noticed `session.isAlive === false`, but by then the
+        // 200 has already convinced the proxy that the session is good and
+        // it won't re-initialize on its own. The 404 here is the signal the
+        // proxy needs to throw the stale id away and start a fresh session.
+        if (sessionId && session && !session.isAlive) {
+            // Clear the dead entry on the way out so the next attach sees a
+            // clean miss instead of repeating this dance.
+            this.sessions.delete(sessionId);
+        }
+        if (!sessionId || !session || !session.isAlive) {
+            res.writeHead(404, { "Content-Type": "application/json" });
+            res.end(JSON.stringify({
+                error: sessionId ? `Unknown session: ${sessionId}` : "Mcp-Session-Id header required",
+            }));
+            return;
+        }
+        if (session.serverName !== serverName) {
+            sendSessionMismatchError(res, session, serverName);
+            return;
+        }
+        res.writeHead(200, {
+            "Content-Type": "text/event-stream",
+            "Cache-Control": "no-cache",
+            Connection: "keep-alive",
+            "Mcp-Session-Id": sessionId,
+        });
+        res.write(": connected\n\n");
+        const interval = setInterval(() => {
+            if (!session.isAlive) {
+                clearInterval(interval);
+                res.end();
+                return;
+            }
+            const notifications = session.drainNotifications();
+            for (const n of notifications) {
+                res.write(`data: ${n}\n\n`);
+            }
+        }, constants_js_1.SSE_DRAIN_INTERVAL_MS);
+        req.on("close", () => clearInterval(interval));
+    }
+}
+exports.HostAgent = HostAgent;

package/dist/host/cli.d.ts

@@ -0,0 +1 @@
+export declare function main(): Promise<void>;

package/dist/host/cli.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.main = main;
+const protocol_js_1 = require("../shared/protocol.js");
+const agent_js_1 = require("./agent.js");
+const tunnel_js_1 = require("./tunnel.js");
+// Entry point: parse flags, start the agent, optionally bring up a quick
+// tunnel, install signal handlers. Kept separate from agent.ts so unit
+// tests / library users can import HostAgent without invoking process.exit
+// or cloudflared.
+async function main() {
+    const configPath = (0, protocol_js_1.getArg)("--config") ?? "config.json";
+    const timeoutRaw = (0, protocol_js_1.getArg)("--timeout") ?? "120000"; // 2min default
+    const timeout = Number(timeoutRaw);
+    // setTimeout(fn, NaN | <=0) fires immediately, making every MCP request
+    // appear to time out. Reject bad input at startup instead of silently
+    // breaking the agent.
+    if (!Number.isInteger(timeout) || timeout <= 0) {
+        console.error(`Invalid --timeout "${timeoutRaw}": must be a positive integer (milliseconds)`);
+        process.exit(2);
+    }
+    const useTunnel = process.argv.includes("--tunnel");
+    // In tunnel mode the listener is internal-only — cloudflared is the sole
+    // caller — so we ignore config.host/port and force loopback + an
+    // OS-assigned port. That removes the foot-gun where a user-provided port
+    // collides with another local service, and prevents accidentally
+    // exposing the unauthenticated-from-the-LAN listener on a routable
+    // interface when the bearer token is meant to ride only over the tunnel.
+    const overrides = useTunnel ? { host: "127.0.0.1", port: 0 } : undefined;
+    const agent = new agent_js_1.HostAgent(configPath, timeout, overrides);
+    await agent.start();
+    let tunnel = null;
+    if (useTunnel) {
+        console.log("Starting Cloudflare tunnel...");
+        try {
+            tunnel = await (0, tunnel_js_1.startTunnel)(agent.port, (reason) => {
+                // Runtime failure after the tunnel was already serving — keep the
+                // local agent alive so loopback clients can still reach it, but
+                // make the situation loud so the operator knows the public URL is
+                // dead and needs a restart.
+                console.error(`Cloudflare tunnel exited unexpectedly: ${reason}`);
+                console.error("The public URL is no longer reachable. Restart the host to bring up a new tunnel.");
+            });
+        }
+        catch (err) {
+            // Pre-ready tunnel failure (binary missing, network down, auth
+            // failure, startup timeout). Without this the user previously saw
+            // only "Starting Cloudflare tunnel..." and an apparently healthy
+            // host with no URL. Now we tear the agent down and exit non-zero so
+            // the failure is visible to whatever launched us.
+            console.error(`Cloudflare tunnel failed to start: ${err.message}`);
+            try {
+                agent.shutdown();
+            }
+            catch { /* ignore */ }
+            process.exit(1);
+        }
+    }
+    let shuttingDown = false;
+    const shutdown = (signal) => {
+        if (shuttingDown)
+            return;
+        shuttingDown = true;
+        console.log(`Received ${signal}, shutting down...`);
+        try {
+            agent.shutdown();
+        }
+        catch (err) {
+            console.error(`Agent shutdown error: ${err.message}`);
+        }
+        if (tunnel) {
+            try {
+                tunnel.stop();
+            }
+            catch (err) {
+                console.error(`Tunnel stop error: ${err.message}`);
+            }
+        }
+        process.exit(0);
+    };
+    process.on("SIGINT", () => shutdown("SIGINT"));
+    process.on("SIGTERM", () => shutdown("SIGTERM"));
+}

package/dist/host/constants.d.ts

@@ -0,0 +1,4 @@
+export declare const MAX_QUEUED_NOTIFICATIONS = 1000;
+export declare const SESSION_IDLE_TIMEOUT_MS: number;
+export declare const SESSION_GC_INTERVAL_MS: number;
+export declare const SSE_DRAIN_INTERVAL_MS = 100;

package/dist/host/constants.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SSE_DRAIN_INTERVAL_MS = exports.SESSION_GC_INTERVAL_MS = exports.SESSION_IDLE_TIMEOUT_MS = exports.MAX_QUEUED_NOTIFICATIONS = void 0;
+// Cap on queued notifications per session. Drains happen each time the
+// proxy's SSE reader polls (every 100ms in handleSse). With a sane upstream
+// this stays at a handful of entries; the cap is here to bound memory when
+// the SSE reader is dead/slow and the child is chatty. On overflow we drop
+// the oldest entries — the lost notifications are progress/log noise; any
+// id-bearing response is matched to a pending request before it ever reaches
+// this queue, so request correctness is unaffected.
+exports.MAX_QUEUED_NOTIFICATIONS = 1000;
+// Idle session GC: close sessions that haven't been used in this many ms.
+exports.SESSION_IDLE_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes
+exports.SESSION_GC_INTERVAL_MS = 60 * 1000; // sweep every minute
+// SSE poll interval — how often handleSse drains queued notifications.
+exports.SSE_DRAIN_INTERVAL_MS = 100;

package/dist/host/session.d.ts

@@ -0,0 +1,21 @@
+import { type ServerConfig } from "../shared/protocol.js";
+export declare class McpSession {
+    private name;
+    private timeout;
+    private process;
+    private stdoutBuffer;
+    private pending;
+    private notifications;
+    private notificationsDropped;
+    private orphansDropped;
+    private destroyed;
+    lastActivity: number;
+    constructor(name: string, config: ServerConfig, timeout: number);
+    private failPending;
+    private handleLine;
+    sendRequest(jsonRpcLine: string): Promise<string>;
+    drainNotifications(): string[];
+    get serverName(): string;
+    get isAlive(): boolean;
+    destroy(): void;
+}