palmier 0.4.5 → 0.4.6

package/src/pending-requests.ts

@@ -0,0 +1,55 @@
+import type { RequiredPermission } from "./types.js";
+
+export interface PendingRequest {
+  type: "confirmation" | "permission" | "input";
+  resolve: (value: string[]) => void;
+  /** Permission list (for 'permission') or input descriptions (for 'input'). */
+  params?: RequiredPermission[] | string[];
+}
+
+const pending = new Map<string, PendingRequest>();
+
+/**
+ * Register a pending request for a task. Returns a Promise that resolves
+ * when `resolvePending` is called with the user's response.
+ * Only one pending request per task at a time.
+ */
+export function registerPending(
+  taskId: string,
+  type: PendingRequest["type"],
+  params?: PendingRequest["params"],
+): Promise<string[]> {
+  if (pending.has(taskId)) {
+    return Promise.reject(new Error(`Task ${taskId} already has a pending request`));
+  }
+
+  return new Promise<string[]>((resolve) => {
+    pending.set(taskId, { type, resolve, params });
+  });
+}
+
+/**
+ * Resolve a pending request with the user's response.
+ * Returns true if a pending request was found and resolved.
+ */
+export function resolvePending(taskId: string, value: string[]): boolean {
+  const entry = pending.get(taskId);
+  if (!entry) return false;
+  pending.delete(taskId);
+  entry.resolve(value);
+  return true;
+}
+
+/**
+ * Get the current pending request for a task (if any).
+ */
+export function getPending(taskId: string): PendingRequest | undefined {
+  return pending.get(taskId);
+}
+
+/**
+ * Remove a pending request without resolving it.
+ */
+export function removePending(taskId: string): void {
+  pending.delete(taskId);
+}

package/src/rpc-handler.ts

@@ -6,6 +6,7 @@ import { spawn, type ChildProcess } from "child_process";
 import { parse as parseYaml } from "yaml";
 import { type NatsConnection } from "nats";
 import { listTasks, parseTaskFile, writeTaskFile, getTaskDir, readTaskStatus, writeTaskStatus, readHistory, deleteHistoryEntry, appendTaskList, removeFromTaskList, appendHistory, createRunDir, appendRunMessage, getRunDir } from "./task.js";
+import { resolvePending, getPending } from "./pending-requests.js";
 import { getPlatform } from "./platform/index.js";
 import { spawnCommand } from "./spawn-command.js";
 import crossSpawn from "cross-spawn";
@@ -157,8 +158,8 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
   }
 
   async function handleRpc(request: RpcMessage): Promise<unknown> {
-    // Session token validation: always require a valid session token
-    if (!request.sessionToken || !validateSession(request.sessionToken)) {
+    // Session token validation: skip for trusted localhost requests
+    if (!request.localhost && (!request.sessionToken || !validateSession(request.sessionToken))) {
       return { error: "Unauthorized" };
     }
 
@@ -521,7 +522,14 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
         if (!status) {
           return { task_id: params.id, error: "No status found" };
         }
-        return { task_id: params.id, ...status };
+        const pending = getPending(params.id);
+        return {
+          task_id: params.id,
+          ...status,
+          ...(pending?.type === "confirmation" ? { pending_confirmation: true } : {}),
+          ...(pending?.type === "permission" ? { pending_permission: pending.params } : {}),
+          ...(pending?.type === "input" ? { pending_input: pending.params } : {}),
+        };
       }
 
       case "task.result": {
@@ -570,17 +578,15 @@ export function createRpcHandler(config: HostConfig, nc?: NatsConnection) {
 
       case "task.user_input": {
         const params = request.params as { id: string; value: string[] };
-        const taskDir = getTaskDir(config.projectRoot, params.id);
 
-        const currentStatus = readTaskStatus(taskDir);
-        if (!currentStatus?.pending_confirmation && !currentStatus?.pending_permission?.length && !currentStatus?.pending_input?.length) {
+        const pending = getPending(params.id);
+        if (!pending) {
           return { ok: false, error: "not pending" };
         }
 
-        writeTaskStatus(taskDir, { ...currentStatus, user_input: params.value });
-
+        const resolved = resolvePending(params.id, params.value);
         console.log(`[task.user_input] ${params.id} → ${params.value}`);
-        return { ok: true };
+        return { ok: resolved };
       }
 
       case "taskrun.list": {

package/src/transports/http-transport.ts

@@ -1,23 +1,29 @@
 import * as http from "node:http";
 import * as os from "os";
+import { StringCodec, type NatsConnection } from "nats";
 import { validateSession, addSession } from "../session-store.js";
-import type { HostConfig, RpcMessage } from "../types.js";
+import { registerPending } from "../pending-requests.js";
+import { getTaskDir, parseTaskFile, appendRunMessage } from "../task.js";
+import type { HostConfig, RpcMessage, RequiredPermission } from "../types.js";
 
 const PWA_ORIGIN = "https://app.palmier.me";
 
-// ── In-memory PWA asset cache ──────────────────────────────────────────
+// ── On-the-fly PWA asset cache ──────────────────────────────────────────
 
 interface CachedAsset {
   data: Buffer;
   contentType: string;
 }
 
+const assetCache = new Map<string, CachedAsset>();
+/** Paths currently being fetched (dedup concurrent requests). */
+const assetInflight = new Map<string, Promise<CachedAsset | null>>();
+
 const CONTENT_TYPES: Record<string, string> = {
   ".html": "text/html; charset=utf-8",
   ".js": "application/javascript",
   ".css": "text/css",
   ".json": "application/json",
-
   ".png": "image/png",
   ".ico": "image/x-icon",
   ".woff2": "font/woff2",
@@ -26,6 +32,7 @@ const CONTENT_TYPES: Record<string, string> = {
 };
 
 function guessContentType(urlPath: string): string {
+  if (urlPath === "/") return "text/html; charset=utf-8";
   const ext = urlPath.match(/\.[^.]+$/)?.[0] ?? "";
   return CONTENT_TYPES[ext] ?? "application/octet-stream";
 }
@@ -37,59 +44,38 @@ async function fetchBuffer(url: string): Promise<Buffer> {
 }
 
 /**
- * Download the PWA from palmier.me into memory.
- * Parses index.html for asset references, then fetches each one.
+ * Fetch a PWA asset on-the-fly, caching in memory.
+ * Returns null if the asset cannot be fetched.
  */
-async function downloadPwaAssets(): Promise<Map<string, CachedAsset>> {
-  const assets = new Map<string, CachedAsset>();
-
-  // 1. Fetch index.html
-  const html = await fetchBuffer(`${PWA_ORIGIN}/`);
-  assets.set("/", { data: html, contentType: "text/html; charset=utf-8" });
-
-  const htmlStr = html.toString("utf-8");
-
-  // 2. Extract references from HTML (src="..." and href="...")
-  // Skip service worker and manifest — they require HTTPS which LAN mode doesn't use
-  const SKIP = new Set(["/registerSW.js", "/service-worker.js", "/manifest.webmanifest"]);
-  const refRegex = /(?:src|href)="([^"]+)"/g;
-  const htmlRefs = new Set<string>();
-  let match;
-  while ((match = refRegex.exec(htmlStr)) !== null) {
-    const ref = match[1];
-    if (ref.startsWith("/") && !ref.startsWith("//") && !SKIP.has(ref)) {
-      htmlRefs.add(ref);
-    }
-  }
+async function getAsset(urlPath: string): Promise<CachedAsset | null> {
+  const cached = assetCache.get(urlPath);
+  if (cached) return cached;
 
-  // 3. Fetch all HTML-referenced assets
-  for (const ref of htmlRefs) {
+  // Dedup concurrent requests for the same path
+  const inflight = assetInflight.get(urlPath);
+  if (inflight) return inflight;
+
+  const promise = (async () => {
     try {
-      const data = await fetchBuffer(`${PWA_ORIGIN}${ref}`);
-      assets.set(ref, { data, contentType: guessContentType(ref) });
-
-      // 4. Parse CSS for font url() references
-      if (ref.endsWith(".css")) {
-        const cssStr = data.toString("utf-8");
-        const urlRegex = /url\(["']?([^"')]+)["']?\)/g;
-        let cssMatch;
-        while ((cssMatch = urlRegex.exec(cssStr)) !== null) {
-          let fontRef = cssMatch[1];
-          if (fontRef.startsWith("data:")) continue;
-          // Resolve relative URLs against the CSS file's directory
-          if (!fontRef.startsWith("/")) {
-            const cssDir = ref.substring(0, ref.lastIndexOf("/") + 1);
-            fontRef = cssDir + fontRef;
-          }
-          htmlRefs.add(fontRef);
-        }
+      let data = await fetchBuffer(`${PWA_ORIGIN}${urlPath}`);
+      // Inject LAN mode marker into index HTML so the PWA can detect it's served by palmier
+      if (urlPath === "/") {
+        const html = data.toString("utf-8").replace("</head>", "<script>window.__PALMIER_SERVE__=true</script></head>");
+        data = Buffer.from(html, "utf-8");
       }
+      const asset: CachedAsset = { data, contentType: guessContentType(urlPath) };
+      assetCache.set(urlPath, asset);
+      return asset;
     } catch (err) {
-      console.warn(`[pwa] Failed to fetch ${ref}: ${err}`);
+      console.warn(`[pwa] Failed to fetch ${urlPath}: ${err}`);
+      return null;
+    } finally {
+      assetInflight.delete(urlPath);
     }
-  }
+  })();
 
-  return assets;
+  assetInflight.set(urlPath, promise);
+  return promise;
 }
 
 type SseClient = http.ServerResponse;
@@ -114,30 +100,26 @@ export function detectLanIp(): string {
 }
 
 /**
- * Start the HTTP transport: Express-like server with RPC, SSE, and health endpoints.
+ * Start the HTTP transport: server with RPC, SSE, PWA proxy, pairing, and
+ * localhost-only agent endpoints (notify, request-input, confirmation, permission).
  */
 export async function startHttpTransport(
   config: HostConfig,
   handleRpc: (req: RpcMessage) => Promise<unknown>,
   port: number,
+  nc: NatsConnection | undefined,
   pairingCode?: string,
   onReady?: () => void,
 ): Promise<void> {
-  // Download PWA assets into memory before starting the server
-  console.log("[http] Downloading PWA assets...");
-  const pwaAssets = await downloadPwaAssets();
-  console.log(`[http] Cached ${pwaAssets.size} PWA assets in memory.`);
-
   const sseClients = new Set<SseClient>();
+  const lanEnabled = config.lanEnabled ?? false;
+  const bindAddress = lanEnabled ? "0.0.0.0" : "127.0.0.1";
 
-  // If a pairing code is provided (from `palmier lan`), pre-register it
+  // If a pairing code is provided, pre-register it
   if (pairingCode) {
-    const EXPIRY_MS = 24 * 60 * 60 * 1000; // 24 hours — stays valid while lan server runs
+    const EXPIRY_MS = 24 * 60 * 60 * 1000;
     const timer = setTimeout(() => { pendingPairs.delete(pairingCode); }, EXPIRY_MS);
-    pendingPairs.set(pairingCode, {
-      resolve: () => {},
-      timer,
-    });
+    pendingPairs.set(pairingCode, { resolve: () => {}, timer });
   }
 
   function broadcastSseEvent(data: unknown) {
@@ -147,12 +129,10 @@ export async function startHttpTransport(
     }
   }
 
-
   function checkAuth(req: http.IncomingMessage): boolean {
     const auth = req.headers.authorization;
     if (!auth || !auth.startsWith("Bearer ")) return false;
-    const token = auth.slice(7);
-    return validateSession(token);
+    return validateSession(auth.slice(7));
   }
 
   function extractSessionToken(req: http.IncomingMessage): string | undefined {
@@ -180,50 +160,42 @@ export async function startHttpTransport(
     return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
   }
 
+  /**
+   * Publish an event via NATS and SSE.
+   */
+  async function publishEvent(taskId: string, payload: Record<string, unknown>): Promise<void> {
+    const sc = StringCodec();
+    const subject = `host-event.${config.hostId}.${taskId}`;
+    if (nc) {
+      nc.publish(subject, sc.encode(JSON.stringify(payload)));
+    }
+    broadcastSseEvent({ task_id: taskId, ...payload });
+  }
+
   const server = http.createServer(async (req, res) => {
     const url = new URL(req.url ?? "/", `http://localhost:${port}`);
     const pathname = url.pathname;
 
-    // Internal event endpoint — localhost only, no auth
-    if (req.method === "POST" && pathname === "/internal/event") {
-      if (!isLocalhost(req)) {
-        sendJson(res, 403, { error: "localhost only" });
-        return;
-      }
+    // ── Localhost-only endpoints (no auth) ─────────────────────────────
+
+    if (req.method === "POST" && pathname === "/event") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
       try {
         const body = await readBody(req);
         const event = JSON.parse(body);
         broadcastSseEvent(event);
         sendJson(res, 200, { ok: true });
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); }
       return;
     }
 
-    // Internal pair-register endpoint — localhost only, long-poll
-    // The pair CLI posts here and blocks until paired or expired.
-    if (req.method === "POST" && pathname === "/internal/pair-register") {
-      if (!isLocalhost(req)) {
-        sendJson(res, 403, { error: "localhost only" });
-        return;
-      }
+    if (req.method === "POST" && pathname === "/pair-register") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
       try {
         const body = await readBody(req);
-        const { code, expiryMs } = JSON.parse(body) as {
-          code: string;
-          expiryMs: number;
-        };
-
-        if (!code) {
-          sendJson(res, 400, { error: "Missing code" });
-          return;
-        }
-
-        if (pendingPairs.has(code)) {
-          sendJson(res, 409, { error: "Code already registered" });
-          return;
-        }
+        const { code, expiryMs } = JSON.parse(body) as { code: string; expiryMs: number };
+        if (!code) { sendJson(res, 400, { error: "Missing code" }); return; }
+        if (pendingPairs.has(code)) { sendJson(res, 409, { error: "Code already registered" }); return; }
 
         const result = await new Promise<{ paired: boolean }>((resolve) => {
           const timer = setTimeout(() => {
@@ -232,8 +204,6 @@ export async function startHttpTransport(
           }, expiryMs ?? 5 * 60 * 1000);
 
           pendingPairs.set(code, { resolve, timer });
-
-          // Clean up if the CLI disconnects early
           req.on("close", () => {
             if (pendingPairs.has(code)) {
               clearTimeout(timer);
@@ -243,33 +213,163 @@ export async function startHttpTransport(
         });
 
         sendJson(res, 200, result);
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); }
       return;
     }
 
-    // Public pair endpoint — no auth required, PWA posts OTP code here
-    if (req.method === "POST" && pathname === "/pair") {
+    // ── GET /notify — send push notification via NATS ──────────────────
+
+    if (req.method === "GET" && pathname === "/notify") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      if (!nc) { sendJson(res, 503, { error: "NATS not connected — push notifications require server mode" }); return; }
+
       try {
-        const body = await readBody(req);
-        const { code, label } = JSON.parse(body) as {
-          code: string;
-          label?: string;
-        };
+        const title = url.searchParams.get("title");
+        const notifBody = url.searchParams.get("body");
+        if (!title || !notifBody) { sendJson(res, 400, { error: "title and body query params are required" }); return; }
+
+        const sc = StringCodec();
+        const payload = { hostId: config.hostId, title, body: notifBody };
+        const subject = `host.${config.hostId}.push.send`;
+        const reply = await nc.request(subject, sc.encode(JSON.stringify(payload)), { timeout: 15_000 });
+        const result = JSON.parse(sc.decode(reply.data)) as { ok?: boolean; error?: string };
+
+        if (result.ok) {
+          sendJson(res, 200, { ok: true });
+        } else {
+          sendJson(res, 502, { error: result.error ?? "Push notification failed" });
+        }
+      } catch (err) {
+        sendJson(res, 500, { error: `Failed to send notification: ${err}` });
+      }
+      return;
+    }
 
-        if (!code) {
-          sendJson(res, 400, { error: "Missing code" });
+    // ── GET /request-input — held connection until user responds ────────
+
+    if (req.method === "GET" && pathname === "/request-input") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      try {
+        const taskId = url.searchParams.get("taskId");
+        const runId = url.searchParams.get("runId");
+        const descriptions = url.searchParams.getAll("descriptions");
+        if (!taskId || !descriptions.length) {
+          sendJson(res, 400, { error: "taskId and descriptions query params are required" });
           return;
         }
 
-        const pending = pendingPairs.get(code);
-        if (!pending) {
-          sendJson(res, 401, { error: "Invalid code" });
+        const taskDir = getTaskDir(config.projectRoot, taskId);
+        const task = parseTaskFile(taskDir);
+
+        await publishEvent(taskId, {
+          event_type: "input-request",
+          host_id: config.hostId,
+          input_descriptions: descriptions,
+          name: task.frontmatter.name,
+        });
+
+        const response = await registerPending(taskId, "input", descriptions);
+
+        if (response.length === 1 && response[0] === "aborted") {
+          await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "aborted" });
+          if (runId) {
+            appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: "Input request aborted.", type: "input" });
+          }
+          sendJson(res, 200, { aborted: true });
+        } else {
+          await publishEvent(taskId, { event_type: "input-resolved", host_id: config.hostId, status: "provided" });
+          if (runId) {
+            const lines = descriptions.map((desc, i) => `**${desc}** ${response[i]}`);
+            appendRunMessage(taskDir, runId, { role: "user", time: Date.now(), content: lines.join("\n"), type: "input" });
+          }
+          sendJson(res, 200, { values: response });
+        }
+      } catch (err) {
+        sendJson(res, 500, { error: String(err) });
+      }
+      return;
+    }
+
+    // ── GET /request-confirmation — held connection ─────────────────────
+
+    if (req.method === "GET" && pathname === "/request-confirmation") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      try {
+        const taskId = url.searchParams.get("taskId");
+        if (!taskId) { sendJson(res, 400, { error: "taskId query param is required" }); return; }
+
+        await publishEvent(taskId, {
+          event_type: "confirm-request",
+          host_id: config.hostId,
+        });
+
+        const response = await registerPending(taskId, "confirmation");
+        const confirmed = response[0] === "confirmed";
+
+        await publishEvent(taskId, {
+          event_type: "confirm-resolved",
+          host_id: config.hostId,
+          status: confirmed ? "confirmed" : "aborted",
+        });
+
+        sendJson(res, 200, { confirmed });
+      } catch (err) {
+        sendJson(res, 500, { error: String(err) });
+      }
+      return;
+    }
+
+    // ── GET /request-permission — held connection ───────────────────────
+
+    if (req.method === "GET" && pathname === "/request-permission") {
+      if (!isLocalhost(req)) { sendJson(res, 403, { error: "localhost only" }); return; }
+      try {
+        const taskId = url.searchParams.get("taskId");
+        const taskName = url.searchParams.get("taskName");
+        const permissionsRaw = url.searchParams.get("permissions");
+        let permissions: RequiredPermission[] = [];
+        if (permissionsRaw) {
+          try { permissions = JSON.parse(permissionsRaw) as RequiredPermission[]; } catch { /* ignore */ }
+        }
+        if (!taskId || !permissions.length) {
+          sendJson(res, 400, { error: "taskId and permissions query params are required" });
           return;
         }
 
-        // Create session and build response
+        await publishEvent(taskId, {
+          event_type: "permission-request",
+          host_id: config.hostId,
+          required_permissions: permissions,
+          name: taskName,
+        });
+
+        const response = await registerPending(taskId, "permission", permissions);
+        const status = response[0] as "granted" | "granted_all" | "aborted";
+
+        await publishEvent(taskId, {
+          event_type: "permission-resolved",
+          host_id: config.hostId,
+          status,
+        });
+
+        sendJson(res, 200, { response: status });
+      } catch (err) {
+        sendJson(res, 500, { error: String(err) });
+      }
+      return;
+    }
+
+    // ── Public pair endpoint — no auth, PWA posts OTP code here ────────
+
+    if (req.method === "POST" && pathname === "/pair") {
+      try {
+        const body = await readBody(req);
+        const { code, label } = JSON.parse(body) as { code: string; label?: string };
+        if (!code) { sendJson(res, 400, { error: "Missing code" }); return; }
+
+        const pending = pendingPairs.get(code);
+        if (!pending) { sendJson(res, 401, { error: "Invalid code" }); return; }
+
         const session = addSession(label);
         const ip = detectLanIp();
         const response: Record<string, unknown> = {
@@ -278,34 +378,42 @@ export async function startHttpTransport(
           directUrl: `http://${ip}:${port}`,
         };
 
-        // Resolve the long-poll and clean up
         clearTimeout(pending.timer);
         pendingPairs.delete(code);
         pending.resolve({ paired: true });
 
         sendJson(res, 200, response);
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); }
       return;
     }
 
-    // Serve cached PWA assets for non-API routes (no auth required)
+    // ── PWA assets (on-the-fly, cached) ────────────────────────────────
+
+    // Skip service worker and manifest — they require HTTPS which LAN mode doesn't use
+    const SKIP = new Set(["/registerSW.js", "/service-worker.js", "/manifest.webmanifest"]);
+
     const isApiRoute = pathname === "/events" || pathname.startsWith("/rpc/");
     if (!isApiRoute) {
-      // SPA fallback: serve index.html for unrecognized paths
-      const asset = pwaAssets.get(pathname) ?? (pathname !== "/" ? pwaAssets.get("/") : undefined);
+      if (SKIP.has(pathname)) { sendJson(res, 404, { error: "Not found" }); return; }
+
+      // Try exact path, then fall back to index.html (SPA routing)
+      let asset = await getAsset(pathname);
+      if (!asset && pathname !== "/") {
+        asset = await getAsset("/");
+      }
+
       if (asset) {
         res.writeHead(200, { "Content-Type": asset.contentType });
         res.end(asset.data);
       } else {
-        sendJson(res, 404, { error: "Not found" });
+        sendJson(res, 502, { error: "Failed to fetch PWA assets" });
       }
       return;
     }
 
-    // API endpoints require auth
-    if (!checkAuth(req)) {
+    // ── API endpoints require auth (localhost is trusted) ───────────────
+
+    if (!isLocalhost(req) && !checkAuth(req)) {
       sendJson(res, 401, { error: "Unauthorized" });
       return;
     }
@@ -319,7 +427,6 @@ export async function startHttpTransport(
       });
       res.write(":ok\n\n");
 
-      // Send heartbeat every 5 seconds
       const heartbeat = setInterval(() => {
         res.write("data: {\"heartbeat\":true}\n\n");
       }, 5000);
@@ -335,10 +442,7 @@ export async function startHttpTransport(
     // RPC endpoint: POST /rpc/<method>
     if (req.method === "POST" && pathname.startsWith("/rpc/")) {
       const method = pathname.slice("/rpc/".length);
-      if (!method) {
-        sendJson(res, 400, { error: "Missing RPC method" });
-        return;
-      }
+      if (!method) { sendJson(res, 400, { error: "Missing RPC method" }); return; }
 
       let params: Record<string, unknown> = {};
       try {
@@ -346,16 +450,13 @@ export async function startHttpTransport(
         if (body.trim().length > 0) {
           params = JSON.parse(body);
         }
-      } catch {
-        sendJson(res, 400, { error: "Invalid JSON" });
-        return;
-      }
+      } catch { sendJson(res, 400, { error: "Invalid JSON" }); return; }
 
       const sessionToken = extractSessionToken(req);
       console.log(`[http] RPC: ${method}`);
 
       try {
-        const response = await handleRpc({ method, params, sessionToken });
+        const response = await handleRpc({ method, params, sessionToken, localhost: isLocalhost(req) });
         console.log(`[http] RPC done: ${method}`, JSON.stringify(response).slice(0, 200));
         sendJson(res, 200, response);
       } catch (err) {
@@ -369,11 +470,10 @@ export async function startHttpTransport(
   });
 
   return new Promise<void>((resolve, reject) => {
-    server.listen(port, () => {
-      console.log(`[http] Listening on port ${port}`);
+    server.listen(port, bindAddress, () => {
+      console.log(`[http] Listening on ${bindAddress}:${port}`);
       onReady?.();
 
-      // Graceful shutdown
       const shutdown = () => {
         console.log("[http] Shutting down...");
         for (const client of sseClients) {