mcpower-proxy 0.0.67__py3-none-any.whl → 0.0.73__py3-none-any.whl

modules/utils/ids.py

@@ -24,6 +24,16 @@ def generate_event_id() -> str:
     return f"{timestamp}-{unique_part}"
 
 
+def generate_prompt_id() -> str:
+    """
+    Generate truly-random 8-character prompt ID for user request correlation
+    
+    Returns:
+        8-character random ID string
+    """
+    return str(uuid.uuid4())[:8]
+
+
 def get_session_id() -> str:
     """
     Get session ID for the current process. Returns the same value for all calls
@@ -109,20 +119,53 @@ def _get_or_create_uuid(uid_path: Path, logger, id_type: str) -> str:
                     time.sleep(0.1 * (2 ** attempt))
                     continue
                 raise
-        
+
         new_uid = str(uuid.uuid4())
-        
+
         if _atomic_write_uuid(uid_path, new_uid):
             logger.info(f"Generated {id_type}: {new_uid} at {uid_path}")
             return new_uid
-        
-        logger.debug(f"{id_type.title()} file created by another process, reading (attempt {attempt + 1}/{max_attempts})")
+
+        logger.debug(
+            f"{id_type.title()} file created by another process, reading (attempt {attempt + 1}/{max_attempts})")
         if attempt < max_attempts - 1:
             time.sleep(0.05)
-    
+
     raise RuntimeError(f"Failed to get or create {id_type} after {max_attempts} attempts")
 
 
+def get_home_mcpower_dir() -> Path:
+    """
+    Get the global MCPower directory path in user's home directory
+    
+    Returns:
+        Path to ~/.mcpower directory
+    """
+    return Path.home() / ".mcpower"
+
+
+def get_project_mcpower_dir(project_path: Optional[str] = None) -> str:
+    """
+    Get the MCPower directory path, with fallback to global ~/.mcpower
+
+    Args:
+        project_path: Optional project/workspace path. If None or invalid, falls back to ~/.mcpower
+
+    Returns:
+        Path to use for MCPower data (either project/.mcpower or ~/.mcpower)
+    """
+    if project_path:
+        try:
+            path = Path(project_path)
+            if path.exists() and path.is_dir():
+                return str(path)
+        except Exception:
+            pass
+
+    # Fallback to global ~/.mcpower
+    return str(get_home_mcpower_dir())
+
+
 def get_or_create_user_id(logger) -> str:
     """
     Get or create machine-wide user ID from ~/.mcpower/uid
@@ -134,7 +177,7 @@ def get_or_create_user_id(logger) -> str:
     Returns:
         User ID string
     """
-    uid_path = Path.home() / ".mcpower" / "uid"
+    uid_path = get_home_mcpower_dir() / "uid"
     return _get_or_create_uuid(uid_path, logger, "user ID")
 
 
@@ -158,5 +201,5 @@ def read_app_uid(logger, project_folder_path: str) -> str:
     else:
         # Project-specific case
         uid_path = project_path / ".mcpower" / "app_uid"
-    
+
     return _get_or_create_uuid(uid_path, logger, "app UID")

modules/utils/json.py

@@ -52,7 +52,7 @@ def safe_json_dumps(obj: Any, **kwargs) -> str:
     # If it's a Pydantic BaseModel, use its built-in JSON serialization
     if isinstance(obj, BaseModel):
         return obj.model_dump_json(**kwargs)
-    
+
     # If it's a dict or list that might contain Pydantic objects, use custom serializer
     def default_serializer(o):
         if isinstance(o, BaseModel):
@@ -72,7 +72,7 @@ def safe_json_dumps(obj: Any, **kwargs) -> str:
             return o.__dict__
         # Fallback to string representation
         return str(o)
-    
+
     return json.dumps(obj, default=default_serializer, **kwargs)
 
 
@@ -117,4 +117,4 @@ def parse_jsonc(text: str) -> Any:
             return json.loads(text)
         except json.JSONDecodeError:
             # Re-raise the original JSONC error if JSON also fails
-            raise json.JSONDecodeError(f"JSONC parsing failed: {str(e)}", text, 0)
+            raise json.JSONDecodeError(f"JSONC parsing failed: {str(e)}", text, 0)

wrapper/__version__.py

@@ -3,4 +3,4 @@
 Wrapper MCP Server Version
 """
 
-__version__ = "0.0.67"
+__version__ = "0.0.73"

wrapper/middleware.py

@@ -2,6 +2,7 @@
 FastMCP middleware for security policy enforcement
 Implements pre/post interception for all MCP operations
 """
+import asyncio
 import sys
 import time
 import urllib.parse
@@ -12,22 +13,23 @@ from typing import Any, Dict, List, Optional
 from fastmcp.exceptions import FastMCPError
 from fastmcp.server.middleware.middleware import Middleware, MiddlewareContext, CallNext
 from fastmcp.server.proxy import ProxyClient
+from httpx import HTTPStatusError
+from mcp import ErrorData
+
+from mcpower_shared.mcp_types import (create_policy_request, create_policy_response, AgentContext, EnvironmentContext,
+                                      InitRequest,
+                                      ServerRef, ToolRef)
 from modules.apis.security_policy import SecurityPolicyClient
+from modules.decision_handler import DecisionHandler, DecisionEnforcementError
 from modules.logs.audit_trail import AuditTrailLogger
 from modules.logs.logger import MCPLogger
 from modules.redaction import redact
-from modules.ui.classes import ConfirmationRequest, DialogOptions, UserDecision
-from modules.ui.confirmation import UserConfirmationDialog, UserConfirmationError
 from modules.utils.copy import safe_copy
-from modules.utils.ids import generate_event_id, get_session_id, read_app_uid
+from modules.utils.ids import generate_event_id, get_session_id, read_app_uid, get_project_mcpower_dir
 from modules.utils.json import safe_json_dumps, to_dict
 from modules.utils.mcp_configs import extract_wrapped_server_info
 from wrapper.schema import merge_input_schema_with_existing
 
-from mcpower_shared.mcp_types import (create_policy_request, create_policy_response, AgentContext, EnvironmentContext,
-                                      InitRequest,
-                                      ServerRef, ToolRef, UserConfirmation)
-
 
 class MockContext:
     """Mock context for internal operations"""
@@ -53,10 +55,7 @@ class MockContext:
 class SecurityMiddleware(Middleware):
     """FastMCP middleware for security policy enforcement"""
 
-    app_id: str = ""
     _TOOLS_INIT_DEBOUNCE_SECONDS = 60
-    _last_tools_init_time: Optional[float] = None
-    _last_workspace_root: Optional[str] = None
 
     def __init__(self,
                  wrapped_server_configs: dict,
@@ -72,6 +71,9 @@ class SecurityMiddleware(Middleware):
         self.audit_logger = audit_logger
         self.app_id = ""
         self._last_workspace_root = None
+        self._last_tools_init_time: Optional[float] = None
+        self._tools_list_in_progress: Optional[asyncio.Task] = None
+        self._tools_list_lock = asyncio.Lock()
 
         self.wrapped_server_name, self.wrapped_server_transport = (
             extract_wrapped_server_info(self.wrapper_server_name, self.logger, self.wrapped_server_configs)
@@ -88,17 +90,36 @@ class SecurityMiddleware(Middleware):
     async def on_message(self, context: MiddlewareContext, call_next: CallNext) -> Any:
         self.logger.info(f"on_message: {redact(safe_json_dumps(context))}")
 
-        # Check workspace roots and re-initialize app_uid if workspace changed
-        workspace_roots = await self._extract_workspace_roots(context)
-        current_workspace_root = workspace_roots[0] if workspace_roots else str(Path.home() / ".mcpower")
-        if current_workspace_root != self._last_workspace_root:
-            self.logger.debug(f"Workspace root changed from {self._last_workspace_root} to {current_workspace_root}")
-            self._last_workspace_root = current_workspace_root
-            self.app_id = read_app_uid(logger=self.logger, project_folder_path=current_workspace_root)
-            self.audit_logger.set_app_uid(self.app_id)
+        # Skip workspace check for `initialize` calls to avoid premature app_uid changes.
+        # The `initialize` request doesn't contain workspace data, so checking it would
+        # cause unnecessary audit log flushes before the actual workspace init arrives.
+        if context.method != "initialize":
+            # Check workspace roots and re-initialize app_uid if workspace changed
+            workspace_roots = await self._extract_workspace_roots(context)
+            current_workspace_root = get_project_mcpower_dir(workspace_roots[0] if workspace_roots else None)
+            if current_workspace_root != self._last_workspace_root:
+                self.logger.debug(
+                    f"Workspace root changed from {self._last_workspace_root} to {current_workspace_root}")
+                self._last_workspace_root = current_workspace_root
+                self.app_id = read_app_uid(logger=self.logger, project_folder_path=current_workspace_root)
+                self.audit_logger.set_app_uid(self.app_id)
 
         operation_type = "message"
-        call_next_callback = call_next
+
+        async def call_next_wrapper(ctx):
+            try:
+                return await call_next(ctx)
+            except HTTPStatusError as e:
+                if e.response.status_code in (401, 403):
+                    raise FastMCPError(ErrorData(
+                        code=-32000,
+                        message="Authentication required",
+                        data={
+                            "type": "unauthorized",
+                            "details": "Please provide valid authentication credentials"
+                        }
+                    ))
+                raise e
 
         match context.type:
             case "request":
@@ -115,13 +136,13 @@ class SecurityMiddleware(Middleware):
                 operation_type = "prompt"
             case "tools/list":
                 # Special handling for tools/list - call /init instead of normal inspection
-                return await self._handle_tools_list(context, call_next)
+                return await self._handle_tools_list(context, call_next_wrapper)
             case "initialize" | "resources/list" | "resources/templates/list" | "prompts/list":
-                return await call_next_callback(context)
+                return await call_next_wrapper(context)
 
         return await self._handle_operation(
             context=context,
-            call_next=call_next_callback,
+            call_next=call_next_wrapper,
             error_class=FastMCPError,
             operation_type=operation_type
         )
@@ -181,15 +202,15 @@ class SecurityMiddleware(Middleware):
         return await ProxyClient.default_progress_handler(progress, total, message)
 
     async def secure_log_handler(self, log_message):
-        # FIXME: log_message should be redacted before logging, 
+        # FIXME: log_message should be redacted before logging,
         self.logger.info(f"secure_log_handler: {str(log_message)[:100]}...")
         # FIXME: log_message should be reviewed with policy before forwarding
-        
+
         # Handle case where log_message.data is a string instead of dict
         # The default_log_handler expects data to be a dict with 'msg' and 'extra' keys
         if hasattr(log_message, 'data') and isinstance(log_message.data, str):
             log_message = safe_copy(log_message, {'data': {'msg': log_message.data, 'extra': None}})
-        
+
         return await ProxyClient.default_log_handler(log_message)
 
     async def _handle_operation(self, context: MiddlewareContext, call_next, error_class, operation_type: str):
@@ -222,19 +243,28 @@ class SecurityMiddleware(Middleware):
             prompt_id=prompt_id
         )
         on_inspect_request_duration = time.time() - on_inspect_request_start_time
-        self.logger.info(f"PROFILE: {operation_type} id: {event_id} inspect_request duration: {on_inspect_request_duration:.2f} seconds")
+        self.logger.debug(
+            f"PROFILE: {operation_type} id: {event_id} inspect_request duration: {on_inspect_request_duration:.2f} seconds")
 
-        await self._enforce_decision(
-            decision=request_decision,
-            error_class=error_class,
-            base_message=f"{operation_type.title()} request blocked by security policy",
-            is_request=True,
-            event_id=event_id,
-            tool_name=tool_name,
-            content_data=tool_args,
-            operation_type=operation_type,
-            prompt_id=prompt_id
-        )
+        try:
+            await DecisionHandler(
+                logger=self.logger,
+                audit_logger=self.audit_logger,
+                session_id=self.session_id,
+                app_id=self.app_id
+            ).enforce_decision(
+                decision=request_decision,
+                is_request=True,
+                event_id=event_id,
+                tool_name=tool_name,
+                content_data=tool_args,
+                operation_type=operation_type,
+                prompt_id=prompt_id,
+                server_name=self.wrapped_server_name,
+                error_message_prefix=f"{operation_type.title()} request blocked by security policy"
+            )
+        except DecisionEnforcementError as e:
+            raise error_class(str(e))
 
         self.audit_logger.log_event(
             "agent_request_forwarded",
@@ -251,7 +281,8 @@ class SecurityMiddleware(Middleware):
         # Call wrapped MCP with cleaned context (e.g., no wrapper args)
         result = await call_next(cleaned_context)
         on_call_next_duration = time.time() - on_call_next_start_time
-        self.logger.info(f"PROFILE: {operation_type} id: {event_id} call_next duration: {on_call_next_duration:.2f} seconds")
+        self.logger.debug(
+            f"PROFILE: {operation_type} id: {event_id} call_next duration: {on_call_next_duration:.2f} seconds")
 
         response_content = self._extract_response_content(result)
 
@@ -276,19 +307,28 @@ class SecurityMiddleware(Middleware):
             prompt_id=prompt_id
         )
         on_inspect_response_duration = time.time() - on_inspect_response_start_time
-        self.logger.info(f"PROFILE: {operation_type} id: {event_id} inspect_response duration: {on_inspect_response_duration:.2f} seconds")
+        self.logger.debug(
+            f"PROFILE: {operation_type} id: {event_id} inspect_response duration: {on_inspect_response_duration:.2f} seconds")
 
-        await self._enforce_decision(
-            decision=response_decision,
-            error_class=error_class,
-            base_message=f"{operation_type.title()} response blocked by security policy",
-            is_request=False,
-            event_id=event_id,
-            tool_name=tool_name,
-            content_data=response_content,
-            operation_type=operation_type,
-            prompt_id=prompt_id
-        )
+        try:
+            await DecisionHandler(
+                logger=self.logger,
+                audit_logger=self.audit_logger,
+                session_id=self.session_id,
+                app_id=self.app_id
+            ).enforce_decision(
+                decision=response_decision,
+                is_request=False,
+                event_id=event_id,
+                tool_name=tool_name,
+                content_data=response_content,
+                operation_type=operation_type,
+                prompt_id=prompt_id,
+                server_name=self.wrapped_server_name,
+                error_message_prefix=f"{operation_type.title()} response blocked by security policy"
+            )
+        except DecisionEnforcementError as e:
+            raise error_class(str(e))
 
         self.audit_logger.log_event(
             "mcp_response_forwarded",
@@ -301,15 +341,30 @@ class SecurityMiddleware(Middleware):
             prompt_id=prompt_id
         )
         on_handle_operation_duration = time.time() - on_handle_operation_start_time
-        self.logger.info(f"PROFILE: {operation_type} id: {event_id} duration: {on_handle_operation_duration:.2f} seconds")
+        self.logger.debug(
+            f"PROFILE: {operation_type} id: {event_id} duration: {on_handle_operation_duration:.2f} seconds")
         return result
 
     async def _handle_tools_list(self, context: MiddlewareContext, call_next: CallNext) -> Any:
-        """Handle tools/list by calling /init API and modifying schemas"""
+        """Handle tools/list by calling /init API and modifying schemas with deduplication"""
         event_id = generate_event_id()
         on_handle_tools_list_start_time = time.time()
-        result = await call_next(context)
-        self.logger.info(f"PROFILE: tools/list call_next duration: {time.time() - on_handle_tools_list_start_time:.2f} seconds id: {event_id}")
+
+        async with self._tools_list_lock:
+            if not self._tools_list_in_progress or self._tools_list_in_progress.done():
+                self._tools_list_in_progress = asyncio.create_task(call_next(context))
+            shared_task = self._tools_list_in_progress
+
+        try:
+            result = await shared_task
+        except Exception as e:
+            async with self._tools_list_lock:
+                if self._tools_list_in_progress is shared_task:
+                    self._tools_list_in_progress = None
+            raise
+        self.logger.debug(
+            f"PROFILE: tools/list call_next duration: {time.time() - on_handle_tools_list_start_time:.2f} seconds id: {event_id}")
+
         tools_list = None
         if isinstance(result, list):
             tools_list = result
@@ -339,11 +394,13 @@ class SecurityMiddleware(Middleware):
                 enhanced_result = result
 
             on_handle_tools_list_duration = time.time() - on_handle_tools_list_start_time
-            self.logger.info(f"PROFILE: tools/list enhanced_result duration: {on_handle_tools_list_duration:.2f} seconds id: {event_id}")
+            self.logger.debug(
+                f"PROFILE: tools/list enhanced_result duration: {on_handle_tools_list_duration:.2f} seconds id: {event_id}")
             return enhanced_result
 
         on_handle_tools_list_duration = time.time() - on_handle_tools_list_start_time
-        self.logger.info(f"PROFILE: tools/list result duration: {on_handle_tools_list_duration:.2f} seconds id: {event_id}")
+        self.logger.debug(
+            f"PROFILE: tools/list result duration: {on_handle_tools_list_duration:.2f} seconds id: {event_id}")
 
         return result
 
@@ -482,12 +539,12 @@ class SecurityMiddleware(Middleware):
                         file_path_prefix = 'file://'
                         if uri.startswith(file_path_prefix):
                             path = urllib.parse.unquote(uri[len(file_path_prefix):])
-                            
+
                             # Windows fix: remove leading slash before drive letter
                             # file:///C:/path becomes /C:/path, should be C:/path
                             if sys.platform == 'win32' and len(path) >= 3 and path[0] == '/' and path[2] == ':':
                                 path = path[1:]
-                            
+
                             try:
                                 resolved_path = str(Path(path).resolve())
                                 workspace_roots.append(resolved_path)
@@ -593,28 +650,6 @@ class SecurityMiddleware(Middleware):
             )
         }
 
-    async def _record_user_confirmation(self, event_id: str, is_request: bool, user_decision: UserDecision,
-                                        prompt_id: str, call_type: str = None):
-        """Record user confirmation decision with the security API"""
-        try:
-            direction = "request" if is_request else "response"
-
-            user_confirmation = UserConfirmation(
-                event_id=event_id,
-                direction=direction,
-                user_decision=user_decision,
-                call_type=call_type
-            )
-
-            async with SecurityPolicyClient(session_id=self.session_id, logger=self.logger,
-                                            audit_logger=self.audit_logger, app_id=self.app_id) as client:
-                result = await client.record_user_confirmation(user_confirmation, prompt_id=prompt_id)
-                self.logger.debug(f"User confirmation recorded: {result}")
-        except Exception as e:
-            # Don't fail the operation if API call fails - just log the error
-            self.logger.error(f"Failed to record user confirmation: {e}")
-
-
     @staticmethod
     def _create_security_api_failure_decision(error: Exception) -> Dict[str, Any]:
         """Create a standard failure decision when security API is unavailable/failing/unreachable"""
@@ -624,135 +659,3 @@ class SecurityMiddleware(Middleware):
             "reasons": [f"Security API unavailable: {error}"],
             "matched_rules": ["security_api.error"]
         }
-
-    async def _enforce_decision(self, decision: Dict[str, Any], error_class, base_message: str,
-                                is_request: bool, event_id: str, tool_name: str, content_data: Dict[str, Any],
-                                operation_type: str, prompt_id: str):
-        """Enforce security decision with user confirmation support"""
-        decision_type = decision.get("decision", "block")
-
-        if decision_type == "allow":
-            return
-
-        elif decision_type == "block":
-            policy_reasons = decision.get("reasons", ["Policy violation"])
-            severity = decision.get("severity", "unknown")
-            call_type = decision.get("call_type")
-
-            try:
-                # Show a blocking dialog and wait for user decision
-                confirmation_request = ConfirmationRequest(
-                    is_request=is_request,
-                    tool_name=tool_name,
-                    policy_reasons=policy_reasons,
-                    content_data=content_data,
-                    severity=severity,
-                    event_id=event_id,
-                    operation_type=operation_type,
-                    server_name=self.wrapped_server_name,
-                    timeout_seconds=60
-                )
-
-                response = UserConfirmationDialog(
-                    self.logger, self.audit_logger
-                ).request_blocking_confirmation(confirmation_request, prompt_id, call_type)
-
-                # If we got here, user chose "Allow Anyway"
-                self.logger.info(f"User chose to 'allow anyway' a blocked {confirmation_request.operation_type} "
-                                 f"operation for tool '{tool_name}' (event: {event_id})")
-
-                await self._record_user_confirmation(event_id, is_request, response.user_decision, prompt_id, call_type)
-                return
-
-            except UserConfirmationError as e:
-                # User chose to block or dialog failed
-                self.logger.warning(f"User blocking confirmation failed: {e}")
-                await self._record_user_confirmation(event_id, is_request, UserDecision.BLOCK, prompt_id, call_type)
-                reasons = "; ".join(policy_reasons)
-                raise error_class("Security Violation. User blocked the operation")
-
-        elif decision_type == "required_explicit_user_confirmation":
-            policy_reasons = decision.get("reasons", ["Security policy requires confirmation"])
-            severity = decision.get("severity", "unknown")
-            call_type = decision.get("call_type")
-
-            try:
-                confirmation_request = ConfirmationRequest(
-                    is_request=is_request,
-                    tool_name=tool_name,
-                    policy_reasons=policy_reasons,
-                    content_data=content_data,
-                    severity=severity,
-                    event_id=event_id,
-                    operation_type=operation_type,
-                    server_name=self.wrapped_server_name,
-                    timeout_seconds=60
-                )
-
-                # only show YES_ALWAYS if call_type exists
-                options = DialogOptions(
-                    show_always_allow=(call_type is not None),
-                    show_always_block=False
-                )
-
-                response = UserConfirmationDialog(
-                    self.logger, self.audit_logger
-                ).request_confirmation(confirmation_request, prompt_id, call_type, options)
-
-                # If we got here, user approved the operation
-                self.logger.info(f"User {response.user_decision.value} {confirmation_request.operation_type} "
-                                 f"operation for tool '{tool_name}' (event: {event_id})")
-
-                await self._record_user_confirmation(event_id, is_request, response.user_decision, prompt_id, call_type)
-                return
-
-            except UserConfirmationError as e:
-                # User denied confirmation or dialog failed
-                self.logger.warning(f"User confirmation failed: {e}")
-                await self._record_user_confirmation(event_id, is_request, UserDecision.BLOCK, prompt_id, call_type)
-                raise error_class("Security Violation. User blocked the operation")
-
-        elif decision_type == "need_more_info":
-            stage_title = 'CLIENT REQUEST' if is_request else 'TOOL RESPONSE'
-
-            # Create an actionable error message for the AI agent
-            reasons = decision.get("reasons", [])
-            need_fields = decision.get("need_fields", [])
-
-            error_parts = [
-                f"SECURITY POLICY NEEDS MORE INFORMATION FOR REVIEWING {stage_title}:",
-                '\n'.join(reasons),
-                '' # newline
-            ]
-
-            if need_fields:
-                # Convert server field names to wrapper field names for the AI agent
-                wrapper_field_mapping = {
-                    "context.agent.intent": "__wrapper_modelIntent",
-                    "context.agent.plan": "__wrapper_modelPlan",
-                    "context.agent.expectedOutputs": "__wrapper_modelExpectedOutputs",
-                    "context.agent.user_prompt": "__wrapper_userPrompt",
-                    "context.agent.user_prompt_id": "__wrapper_userPromptId",
-                    "context.agent.context_summary": "__wrapper_contextSummary",
-                    "context.workspace.current_files": "__wrapper_currentFiles",
-                }
-
-                missing_wrapper_fields = []
-                for field in need_fields:
-                    wrapper_field = wrapper_field_mapping.get(field, field)
-                    missing_wrapper_fields.append(wrapper_field)
-
-                if missing_wrapper_fields:
-                    error_parts.append("AFFECTED FIELDS:")
-                    error_parts.extend(missing_wrapper_fields)
-                else:
-                    error_parts.append("MISSING INFORMATION:")
-                    error_parts.extend(need_fields)
-
-
-            error_parts.append("\nMANDATORY ACTIONS:")
-            error_parts.append("1. Add/Edit ALL affected fields according to the required information")
-            error_parts.append("2. Retry the tool call")
-
-            actionable_message = "\n".join(error_parts)
-            raise error_class(actionable_message)

wrapper/server.py

@@ -6,10 +6,11 @@ Implements transparent 1:1 MCP proxying with security middleware
 import logging
 
 from fastmcp.server.middleware.logging import StructuredLoggingMiddleware
-from fastmcp.server.proxy import ProxyClient, default_proxy_roots_handler, FastMCPProxy
+from fastmcp.server.proxy import ProxyClient, default_proxy_roots_handler, FastMCPProxy, StatefulProxyClient
 
 from modules.logs.audit_trail import AuditTrailLogger
 from modules.logs.logger import MCPLogger
+from modules.utils.json import safe_json_dumps
 from .__version__ import __version__
 from .middleware import SecurityMiddleware
 
@@ -42,7 +43,7 @@ def create_wrapper_server(wrapper_server_name: str,
         logger=logger,
         audit_logger=audit_logger
     )
-    
+
     # Log MCPower startup to audit trail
     audit_logger.log_event("mcpower_start", {
         "wrapper_version": __version__,
@@ -51,16 +52,23 @@ def create_wrapper_server(wrapper_server_name: str,
     })
 
     # Create FastMCP server as proxy with our security-aware ProxyClient
+    # Use StatefulProxyClient for remote servers (mcp-remote or url-based transports)
+    config_str = safe_json_dumps(wrapped_server_configs)
+    is_remote = '"@mcpower/mcp-remote",' in config_str or '"url":' in config_str
+    backend_class = StatefulProxyClient if is_remote else ProxyClient
+    backend = backend_class(
+        wrapped_server_configs,
+        name=wrapper_server_name,
+        roots=default_proxy_roots_handler,  # Use default for filesystem roots
+        sampling_handler=security_middleware.secure_sampling_handler,
+        elicitation_handler=security_middleware.secure_elicitation_handler,
+        log_handler=security_middleware.secure_log_handler,
+        progress_handler=security_middleware.secure_progress_handler,
+    )
+
     def client_factory():
-        return ProxyClient(
-            wrapped_server_configs,
-            name=wrapper_server_name,
-            roots=default_proxy_roots_handler,  # Use default for filesystem roots
-            sampling_handler=security_middleware.secure_sampling_handler,
-            elicitation_handler=security_middleware.secure_elicitation_handler,
-            log_handler=security_middleware.secure_log_handler,
-            progress_handler=security_middleware.secure_progress_handler,
-        )
+        # we must return the same instance, otherwise StatefulProxyClient doesn't play nice with mcp-remote
+        return backend
 
     server = FastMCPProxy(client_factory=client_factory, name=wrapper_server_name, version=__version__)