PyPI - openmaskit - Versions diffs - 0.1.1__py3-none-any.whl - Mend

openmaskit 0.1.1__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (66) hide show

openmaskit/__init__.py +19 -0
openmaskit/__main__.py +617 -0
openmaskit/backend_client.py +181 -0
openmaskit/cli.py +112 -0
openmaskit/config.py +126 -0
openmaskit/container.py +285 -0
openmaskit/logging_config.py +74 -0
openmaskit/masking/__init__.py +0 -0
openmaskit/masking/engine.py +536 -0
openmaskit/masking/mappers.py +20 -0
openmaskit/masking/parsing.py +51 -0
openmaskit/masking/rules.py +103 -0
openmaskit/masking/store.py +619 -0
openmaskit/models.py +66 -0
openmaskit/oauth/__init__.py +0 -0
openmaskit/oauth/handler.py +431 -0
openmaskit/proxy/__init__.py +0 -0
openmaskit/proxy/core.py +574 -0
openmaskit/proxy/http_downstream.py +159 -0
openmaskit/proxy/manager.py +260 -0
openmaskit/proxy/upstream.py +321 -0
openmaskit/security.py +145 -0
openmaskit/traffic/__init__.py +0 -0
openmaskit/traffic/buffer.py +44 -0
openmaskit/traffic/store.py +223 -0
openmaskit/web/__init__.py +0 -0
openmaskit/web/app.py +142 -0
openmaskit/web/health.py +109 -0
openmaskit/web/origin.py +110 -0
openmaskit/web/routes/__init__.py +0 -0
openmaskit/web/routes/custom_targets.py +280 -0
openmaskit/web/routes/guardrails.py +160 -0
openmaskit/web/routes/hidden_tools.py +40 -0
openmaskit/web/routes/injections.py +142 -0
openmaskit/web/routes/mappers.py +382 -0
openmaskit/web/routes/marketplace.py +607 -0
openmaskit/web/routes/oauth.py +162 -0
openmaskit/web/routes/oauth_callback.py +191 -0
openmaskit/web/routes/pages.py +158 -0
openmaskit/web/routes/rules.py +124 -0
openmaskit/web/routes/traffic.py +82 -0
openmaskit/web/static/big.png +0 -0
openmaskit/web/static/favicon.png +0 -0
openmaskit/web/static/icon.png +0 -0
openmaskit/web/static/marketplace.html +937 -0
openmaskit/web/static/new_maskit-removebg-preview.png +0 -0
openmaskit/web/static/onboarding.css +386 -0
openmaskit/web/static/original_icon.png +0 -0
openmaskit/web/static/shared.js +322 -0
openmaskit/web/static/style.css +5036 -0
openmaskit/web/static/targets.html +1174 -0
openmaskit/web/static/tool_detail.html +936 -0
openmaskit/web/static/tools.html +661 -0
openmaskit/web/static/tutorial.css +377 -0
openmaskit/web/static/tutorial.js +546 -0
openmaskit/web/static/tutorials/guardrails.json +31 -0
openmaskit/web/static/tutorials/hide-tool.json +16 -0
openmaskit/web/static/tutorials/injections.json +31 -0
openmaskit/web/static/tutorials/masking-with-result.json +31 -0
openmaskit/web/static/tutorials/masking.json +16 -0
openmaskit-0.1.1.dist-info/METADATA +229 -0
openmaskit-0.1.1.dist-info/RECORD +66 -0
openmaskit-0.1.1.dist-info/WHEEL +4 -0
openmaskit-0.1.1.dist-info/entry_points.txt +2 -0
openmaskit-0.1.1.dist-info/licenses/LICENSE +201 -0
openmaskit-0.1.1.dist-info/licenses/NOTICE +10 -0

openmaskit/__init__.py ADDED Viewed

@@ -0,0 +1,19 @@
+"""OpenMaskit - MCP server wrapper that masks sensitive fields."""
+from importlib.metadata import version, PackageNotFoundError
+try:
+    __version__ = version("openmaskit")
+except PackageNotFoundError:
+    # Running from source without the package installed
+    try:
+        from pathlib import Path
+        try:
+            import tomllib
+        except ImportError:
+            import tomli as tomllib  # type: ignore
+        _pyproject = Path(__file__).parent.parent.parent / "pyproject.toml"
+        with open(_pyproject, "rb") as _f:
+            __version__ = tomllib.load(_f).get("project", {}).get("version", "unknown")
+    except Exception:
+        __version__ = "unknown"

openmaskit/__main__.py ADDED Viewed

@@ -0,0 +1,617 @@
+"""OpenMaskit entry point."""
+from __future__ import annotations
+import asyncio
+import logging
+import os
+import signal
+import sys
+from contextlib import AsyncExitStack
+from pathlib import Path
+import random
+import string
+import anyio
+import uvicorn
+from anyio.streams.memory import MemoryObjectReceiveStream, MemoryObjectSendStream
+from mcp.shared.message import SessionMessage
+from openmaskit.config import load_config
+from openmaskit.masking.engine import MaskingEngine
+from openmaskit.masking.rules import ArgumentGuardrail, ArgumentInjection, MaskingRule
+from openmaskit.masking.store import MaskingStore
+from openmaskit.oauth.handler import OAuthCallbackServer
+from openmaskit.proxy.core import ProxyState, TargetState, run_proxy_for_target
+from openmaskit.proxy.http_downstream import create_mcp_app
+from openmaskit.proxy.manager import TargetManager, _build_upstream_config
+from openmaskit.proxy.upstream import connect_upstream, is_oauth_token_expired, refresh_backend_oauth_token
+from openmaskit.traffic.buffer import TrafficBuffer
+from openmaskit.traffic.store import TrafficStore
+from openmaskit.web.app import create_app
+from openmaskit import __version__
+logger = logging.getLogger(__name__)
+def print_banner():
+    # https://patorjk.com/software/taag
+    # DOS Rebel for openmaskit
+    # Pagga for version
+    banner = """
+    ███████                                  ██████   ██████                   █████       ███   █████
+  ███░░░░░███                               ░░██████ ██████                   ░░███       ░░░   ░░███
+ ███     ░░███ ████████   ██████  ████████   ░███░█████░███   ██████    █████  ░███ █████ ████  ███████
+░███      ░███░░███░░███ ███░░███░░███░░███  ░███░░███ ░███  ░░░░░███  ███░░   ░███░░███ ░░███ ░░░███░
+░███      ░███ ░███ ░███░███████  ░███ ░███  ░███ ░░░  ░███   ███████ ░░█████  ░██████░   ░███   ░███
+░░███     ███  ░███ ░███░███░░░   ░███ ░███  ░███      ░███  ███░░███  ░░░░███ ░███░░███  ░███   ░███ ███
+ ░░░███████░   ░███████ ░░██████  ████ █████ █████     █████░░████████ ██████  ████ █████ █████  ░░█████
+   ░░░░░░░     ░███░░░   ░░░░░░  ░░░░ ░░░░░ ░░░░░     ░░░░░  ░░░░░░░░ ░░░░░░  ░░░░ ░░░░░ ░░░░░    ░░░░░
+               ░███
+               █████                ░▄▀▄░░░░▀█░░░░░▄▀▄
+              ░░░░░                 ░█/█░░░░░█░░░░░█/█
+                                    ░░▀░░▀░░▀▀▀░▀░░░▀░
+    """
+    print(banner)
+async def _flush_loop(engine: MaskingEngine, shutdown_event: anyio.Event):
+    """Periodically flush pending alias writes to the database."""
+    while not shutdown_event.is_set():
+        await anyio.sleep(1.0)
+        if engine.has_pending_writes:
+            try:
+                await engine.flush_pending()
+            except Exception:
+                logger.exception("Failed to flush aliases to database")
+    # Final flush on shutdown
+    if engine.has_pending_writes:
+        try:
+            await engine.flush_pending()
+        except Exception:
+            logger.exception("Failed final flush of aliases to database")
+async def _traffic_flush_loop(
+    buffer: TrafficBuffer,
+    store: TrafficStore,
+    shutdown_event: anyio.Event,
+):
+    """Periodically drain the traffic buffer into the traffic DB."""
+    while not shutdown_event.is_set():
+        await anyio.sleep(1.0)
+        if buffer.has_pending:
+            await buffer.flush(store)
+    # Final drain on shutdown
+    if buffer.has_pending:
+        await buffer.flush(store)
+async def _traffic_rotation_loop(
+    store: TrafficStore,
+    max_rows: int,
+    shutdown_event: anyio.Event,
+):
+    """Enforce the global traffic row cap every 5 minutes."""
+    while not shutdown_event.is_set():
+        with anyio.move_on_after(300):
+            await shutdown_event.wait()
+        if shutdown_event.is_set():
+            return
+        try:
+            await store.enforce_row_cap(max_rows)
+        except Exception:
+            logger.exception("Failed to enforce traffic row cap")
+def _install_shutdown_noise_filter(shutdown_event: anyio.Event) -> None:
+    """Quiet anyio/MCP-SDK async-generator teardown noise during shutdown.
+    The MCP SDK's stdio_client holds anyio task-group cancel scopes whose
+    teardown happens in Python's asyncgen finalizer task — not the task that
+    entered them. The resulting 'cancel scope in a different task' and
+    'aclose(): asynchronous generator is already running' errors are harmless
+    but loud. Swallow them once shutdown has been signalled.
+    """
+    loop = asyncio.get_running_loop()
+    def _is_known_shutdown_noise(exc: BaseException | None, message: str) -> bool:
+        if "asynchronous generator" in message:
+            return True
+        if exc is None:
+            return False
+        if isinstance(exc, GeneratorExit):
+            return True
+        s = str(exc).lower()
+        if "cancel scope" in s or "asynchronous generator" in s:
+            return True
+        sub = getattr(exc, "exceptions", None)
+        if sub:
+            return bool(sub) and all(_is_known_shutdown_noise(e, "") for e in sub)
+        return False
+    def handler(loop, context):
+        if shutdown_event.is_set():
+            if _is_known_shutdown_noise(context.get("exception"), context.get("message", "")):
+                return
+        loop.default_exception_handler(context)
+    loop.set_exception_handler(handler)
+async def _graceful_shutdown(
+    state: ProxyState,
+    shutdown_event: anyio.Event,
+    web_server,
+    mcp_server,
+    callback_web_server,
+    tg,
+    drain_timeout: float,
+    flush_timeout: float,
+) -> None:
+    """Coordinate graceful shutdown with timeout enforcement.
+    Shutdown sequence:
+    1. Stop accepting new requests (servers marked for exit)
+    2. Drain in-flight requests (ResponseDispatcher notifies waiters)
+    3. Wait for flush loops to complete
+    4. Close upstream connections
+    5. Task group cancellation (any remaining tasks)
+    """
+    logger.info("Starting graceful shutdown sequence")
+    # Stage 1: Stop accepting new requests
+    logger.info("Stage 1/4: Stopping request acceptance")
+    web_server.should_exit = True
+    mcp_server.should_exit = True
+    callback_web_server.should_exit = True
+    # Stage 2: Drain in-flight requests
+    logger.info(f"Stage 2/4: Draining in-flight requests ({drain_timeout}s timeout)")
+    with anyio.move_on_after(drain_timeout):
+        for target_state in state.targets.values():
+            # Notify all waiting HTTP clients to abort
+            target_state.response_dispatcher.shutdown()
+            # Close downstream streams (prevents new messages from clients)
+            if target_state.ds_read_send:
+                await target_state.ds_read_send.aclose()
+    # Stage 3: Wait for flush loops to complete
+    logger.info(f"Stage 3/4: Waiting for database flushes ({flush_timeout}s timeout)")
+    with anyio.move_on_after(flush_timeout):
+        # Signal shutdown to flush loops
+        shutdown_event.set()
+        # Give flush loops time to complete final flush
+        await anyio.sleep(0.5)
+        # Check if flushes completed
+        pending_count = sum(
+            ts.engine.has_pending_writes for ts in state.targets.values()
+        )
+        if pending_count > 0:
+            logger.warning(f"{pending_count} targets still have pending writes")
+        # Drain any remaining traffic entries
+        if state.traffic_buffer is not None and state.traffic_store is not None:
+            if state.traffic_buffer.has_pending:
+                await state.traffic_buffer.flush(state.traffic_store)
+    # Stage 4: Cancel remaining tasks (relay loops, servers)
+    logger.info("Stage 4/4: Cancelling remaining tasks")
+    tg.cancel_scope.cancel()
+def _generate_installation_id() -> str:
+    length = 25
+    random_string = ''.join(
+        random.choices(string.ascii_letters + string.digits, k=length)
+    )
+    return random_string
+def _load_installation_id() -> str:
+    id_path = Path("~/.openmaskit/.installation_id").expanduser()
+    if id_path.exists():
+        return id_path.read_bytes().strip().decode('utf-8')
+    key = _generate_installation_id()
+    id_path.parent.mkdir(parents=True, exist_ok=True)
+    id_path.write_bytes(bytes(key, 'utf-8'))
+    id_path.chmod(0o600)
+    return key
+async def async_main():
+    from openmaskit.logging_config import setup_logging
+    from openmaskit.cli import parse_args
+    setup_logging()
+    logger = logging.getLogger(__name__)
+    args = parse_args()
+    config = load_config(
+        path=args.config_path,
+        web_port=args.web_port,
+        mcp_port=args.mcp_port,
+        oauth_port=args.oauth_port,
+        store_path=args.store_path,
+    )
+    bind_host = os.environ.get("OPENMASKIT_HOST", "127.0.0.1")
+    # Container runtime detection
+    from openmaskit.container import get_container_runtime
+    runtime = get_container_runtime(config.container_runtime)
+    if runtime:
+        if config.container_runtime:
+            logger.info(f"Container runtime: {runtime} (configured)")
+        else:
+            logger.info(f"Container runtime: {runtime} (auto-detected)")
+    else:
+        logger.warning("No container runtime detected. Containerized MCP servers will not work.")
+    # Shutdown configuration
+    SHUTDOWN_TIMEOUT = float(os.environ.get("OPENMASKIT_SHUTDOWN_TIMEOUT", "30"))
+    DRAIN_TIMEOUT = 5.0  # Time to wait for in-flight requests
+    FLUSH_TIMEOUT = 3.0  # Time to wait for database flushes
+    store = await MaskingStore.create(config.store_path)
+    traffic_db_path = os.environ.get(
+        "OPENMASKIT_TRAFFIC_DB_PATH",
+        str(Path("~/.openmaskit/traffic.db").expanduser()),
+    )
+    traffic_store = await TrafficStore.create(traffic_db_path)
+    traffic_buffer = TrafficBuffer()
+    traffic_max_rows = int(os.environ.get("OPENMASKIT_TRAFFIC_MAX_ROWS", "10000"))
+    state = ProxyState()
+    state.store = store
+    state.traffic_store = traffic_store
+    state.traffic_buffer = traffic_buffer
+    state.mcp_port = config.mcp_port
+    state.oauth_port = config.oauth_port
+    # Create per-target state
+    for name, target_config in config.targets.items():
+        rules = [
+            MaskingRule(
+                tool_name=r.tool_name,
+                field_path=r.field_path,
+                alias_prefix=r.alias_prefix,
+                action=r.action,
+            )
+            for r in target_config.rules
+        ]
+        db_rules = await store.get_rules(target_name=name)
+        rules.extend(db_rules)
+        engine = MaskingEngine(rules, store, target_name=name)
+        await engine.load_aliases()
+        await engine.load_mappers()
+        await engine.load_guardrails()
+        await engine.load_injections()
+        for g in target_config.guardrails:
+            engine.add_guardrail(ArgumentGuardrail(
+                tool_name=g.tool_name, argument_name=g.argument_name,
+                match_type=g.match_type, pattern=g.pattern, message=g.message,
+            ))
+        for i in target_config.injections:
+            engine.add_injection(ArgumentInjection(
+                tool_name=i.tool_name, argument_name=i.argument_name,
+                value=i.value, mode=i.mode,
+            ))
+        hidden = await store.get_hidden_tools(target_name=name)
+        ds_read_send, ds_read_recv = anyio.create_memory_object_stream[SessionMessage | Exception](32)
+        target_state = TargetState(
+            name=name,
+            engine=engine,
+            hidden_tools=set(hidden),
+            ds_read_send=ds_read_send,
+            ds_read_recv=ds_read_recv,
+            traffic_buffer=traffic_buffer,
+        )
+        state.targets[name] = target_state
+    state.config_target_ids = set(config.targets.keys())
+    # Load active marketplace servers from DB
+    marketplace_configs: dict[str, dict] = {}
+    installed = await store.get_installed_servers(active_only=True)
+    for record in installed:
+        server_id = record["id"]
+        if server_id in state.targets:
+            continue
+        engine = MaskingEngine([], store, target_name=server_id)
+        await engine.load_aliases()
+        await engine.load_mappers()
+        await engine.load_guardrails()
+        await engine.load_injections()
+        hidden = await store.get_hidden_tools(target_name=server_id)
+        ds_read_send, ds_read_recv = anyio.create_memory_object_stream[SessionMessage | Exception](32)
+        target_state = TargetState(
+            name=server_id,
+            engine=engine,
+            hidden_tools=set(hidden),
+            ds_read_send=ds_read_send,
+            ds_read_recv=ds_read_recv,
+            server_id=server_id,  # Set server_id for OAuth refresh
+            traffic_buffer=traffic_buffer,
+        )
+        state.targets[server_id] = target_state
+        marketplace_configs[server_id] = record["config"]
+    shutdown_event = anyio.Event()
+    _install_shutdown_noise_filter(shutdown_event)
+    # Shared OAuth callback server (always running)
+    callback_server = OAuthCallbackServer(port=config.oauth_port)
+    callback_app = callback_server.create_app()
+    callback_uvicorn_config = uvicorn.Config(
+        callback_app,
+        host=bind_host,
+        port=config.oauth_port,
+        log_level="warning",
+        log_config=None,
+    )
+    callback_web_server = uvicorn.Server(callback_uvicorn_config)
+    callback_web_server.install_signal_handlers = lambda: None
+    state.callback_server = callback_server
+    installation_id = _load_installation_id()
+    openmaskit_version = __version__
+    print('----------------------------------------------------------------------------------------------------------')
+    print_banner()
+    print('----------------------------------------------------------------------------------------------------------')
+    # Initialize backend client for marketplace and auth integration
+    from openmaskit.backend_client import BackendClient
+    backend_client = BackendClient(installation_id=installation_id, openmaskit_version=openmaskit_version)
+    oauth_states: dict[str, dict] = {}  # {csrf_state: {server_id, handle, timestamp}}
+    # Store backend_client in state for token refresh
+    state.backend_client = backend_client
+    state.version_status = await backend_client.check_version()
+    if state.version_status:
+        if not state.version_status.get("supported", True):
+            logger.warning(
+                "OpenMaskit %s is no longer supported. Latest: %s",
+                openmaskit_version, state.version_status.get("latest_version"),
+            )
+        elif state.version_status.get("update_available"):
+            logger.info(
+                "OpenMaskit update available: %s (you have %s)",
+                state.version_status.get("latest_version"), openmaskit_version,
+            )
+    logger.info("OpenMaskit proxy starting")
+    logger.info(f"Dashboard: http://{bind_host}:{config.web_port}")
+    logger.info(f"OAuth callback: http://{bind_host}:{config.oauth_port}/callback")
+    if backend_client.enabled:
+        logger.info("Backend integration enabled.")
+    logger.info("MCP servers:")
+    for name in state.target_names:
+        logger.info(f"  {name}: http://{bind_host}:{config.mcp_port}/{name}/mcp")
+    from openmaskit.web.origin import default_localhost_origins
+    allowed_origins = default_localhost_origins(config.web_port)
+    extra_origins_env = os.environ.get("OPENMASKIT_ALLOWED_ORIGINS", "").strip()
+    if extra_origins_env:
+        allowed_origins.extend(
+            o.strip() for o in extra_origins_env.split(",") if o.strip()
+        )
+    logger.debug(f"Allowed dashboard origins: {allowed_origins}")
+    # Route upstream MCP child stderr based on log level. Upstream servers
+    # emit their own protocol chatter ("Processing request of type …") that
+    # we cannot demote from inside our process; we can only mute the stream.
+    if logger.isEnabledFor(logging.DEBUG):
+        upstream_errlog = sys.stderr
+    else:
+        upstream_errlog = open(os.devnull, "w")
+        logger.info("Upstream stderr is suppressed. Set OPENMASKIT_LOG_LEVEL=DEBUG to see it.")
+    web_app = create_app(state, allowed_origins=allowed_origins)
+    web_app.state.backend_client = backend_client
+    web_app.state.oauth_states = oauth_states
+    mcp_app = create_mcp_app(state, allowed_origins=allowed_origins)
+    uvicorn_config = uvicorn.Config(
+        web_app,
+        host=bind_host,
+        port=config.web_port,
+        log_level="warning",
+        log_config=None,
+    )
+    web_server = uvicorn.Server(uvicorn_config)
+    web_server.install_signal_handlers = lambda: None
+    mcp_uvicorn_config = uvicorn.Config(
+        mcp_app,
+        host=bind_host,
+        port=config.mcp_port,
+        log_level="warning",
+        log_config=None,
+    )
+    mcp_server = uvicorn.Server(mcp_uvicorn_config)
+    mcp_server.install_signal_handlers = lambda: None
+    try:
+        async with AsyncExitStack() as stack:
+            # Connect all upstream targets
+            upstream_streams: dict[str, tuple[
+                MemoryObjectReceiveStream[SessionMessage | Exception],
+                MemoryObjectSendStream[SessionMessage],
+            ]] = {}
+            failed_targets = []
+            for name, target_state in state.targets.items():
+                if name in config.targets:
+                    target_config = config.targets[name]
+                    us_read, us_write, container_info = await stack.enter_async_context(
+                        connect_upstream(target_config.upstream, config.store_path,
+                                       errlog=upstream_errlog, server_id=name,
+                                       callback_server=callback_server,
+                                       container_runtime=config.container_runtime)
+                    )
+                    target_state.container_info = container_info
+                    upstream_streams[name] = (us_read, us_write)
+                elif name in marketplace_configs:
+                    upstream_cfg = _build_upstream_config(marketplace_configs[name])
+                    # Pre-flight refresh if token is known-expired
+                    if is_oauth_token_expired(name, config.store_path):
+                        logger.info("OAuth token for %s is expired; attempting refresh before connect", name)
+                        refreshed = await refresh_backend_oauth_token(name, config.store_path, backend_client)
+                        if not refreshed:
+                            logger.warning(
+                                "Could not refresh OAuth token for %s; deactivating. User must re-authenticate via the dashboard.",
+                                name,
+                            )
+                            failed_targets.append(name)
+                            try:
+                                await store.deactivate_server(name)
+                            except Exception as deactivate_exc:
+                                logger.error("Failed to deactivate server %s: %s", name, deactivate_exc)
+                            continue
+                    async def _connect_with_isolated_stack():
+                        own_stack = AsyncExitStack()
+                        await own_stack.__aenter__()
+                        try:
+                            r, w, ci = await own_stack.enter_async_context(
+                                connect_upstream(upstream_cfg, config.store_path,
+                                               errlog=upstream_errlog, server_id=name,
+                                               callback_server=callback_server,
+                                               container_runtime=config.container_runtime)
+                            )
+                            return own_stack, r, w, ci
+                        except BaseException:
+                            await own_stack.aclose()
+                            raise
+                    own_stack = None
+                    container_info = None
+                    try:
+                        own_stack, us_read, us_write, container_info = await _connect_with_isolated_stack()
+                    except Exception as exc:
+                        # One refresh+retry on failure (covers stale token not flagged by created_at)
+                        logger.warning("Failed to connect marketplace server %s: %s", name, exc)
+                        refreshed = await refresh_backend_oauth_token(name, config.store_path, backend_client)
+                        if refreshed:
+                            try:
+                                own_stack, us_read, us_write, container_info = await _connect_with_isolated_stack()
+                            except Exception as exc2:
+                                logger.warning("Retry after refresh failed for %s: %s", name, exc2)
+                                own_stack = None
+                        if own_stack is None:
+                            failed_targets.append(name)
+                            try:
+                                await store.deactivate_server(name)
+                                logger.info("Deactivated server %s in database; re-auth via dashboard to reconnect", name)
+                            except Exception as deactivate_exc:
+                                logger.error("Failed to deactivate server %s: %s", name, deactivate_exc)
+                            continue
+                    # Register the isolated stack with the parent so it tears down at shutdown.
+                    # Wrap aclose to swallow exit-time errors per target (otherwise one bad
+                    # upstream's teardown takes down the whole process).
+                    def _make_safe_aclose(target_name=name, s=own_stack):
+                        async def _close():
+                            try:
+                                await s.aclose()
+                            except Exception as exc:
+                                logger.warning("Error closing upstream %s at shutdown: %s", target_name, exc)
+                        return _close
+                    stack.push_async_callback(_make_safe_aclose())
+                    state.targets[name].container_info = container_info
+                    upstream_streams[name] = (us_read, us_write)
+            for name in failed_targets:
+                del state.targets[name]
+            async with anyio.create_task_group() as tg:
+                manager = TargetManager(state, store, config.store_path,
+                                       callback_server=callback_server,
+                                       container_runtime=config.container_runtime)
+                manager.set_task_group(tg, shutdown_event)
+                state.target_manager = manager
+                # Start OAuth state cleanup task if backend is enabled
+                if backend_client.enabled:
+                    from openmaskit.web.routes.oauth_callback import cleanup_expired_oauth_states
+                    tg.start_soon(cleanup_expired_oauth_states, oauth_states)
+                async def _shutdown_on_signal():
+                    with anyio.open_signal_receiver(signal.SIGINT, signal.SIGTERM) as signals:
+                        async for sig in signals:
+                            logger.info(f"Received {sig.name}, initiating graceful shutdown")
+                            await _graceful_shutdown(
+                                state, shutdown_event, web_server, mcp_server,
+                                callback_web_server, tg, DRAIN_TIMEOUT, FLUSH_TIMEOUT
+                            )
+                            break
+                tg.start_soon(_shutdown_on_signal)
+                async def _safe_run_proxy(target_state, us_read, us_write):
+                    target_name = target_state.name
+                    try:
+                        await run_proxy_for_target(target_state, us_read, us_write)
+                    except Exception as exc:
+                        logger.error(
+                            "[%s] Proxy task failed (likely OAuth/upstream error); deactivating target. %s",
+                            target_name, exc,
+                        )
+                        # Deactivate so we don't crash again on next startup
+                        try:
+                            await store.deactivate_server(target_name)
+                        except Exception:
+                            pass
+                        state.targets.pop(target_name, None)
+                for name, target_state in state.targets.items():
+                    us_read, us_write = upstream_streams[name]
+                    tg.start_soon(_safe_run_proxy, target_state, us_read, us_write)
+                    tg.start_soon(_flush_loop, target_state.engine, shutdown_event)
+                    # Start background eviction to prevent memory leaks
+                    tg.start_soon(target_state.response_dispatcher.start_background_eviction, shutdown_event)
+                tg.start_soon(_traffic_flush_loop, traffic_buffer, traffic_store, shutdown_event)
+                tg.start_soon(_traffic_rotation_loop, traffic_store, traffic_max_rows, shutdown_event)
+                tg.start_soon(web_server.serve)
+                tg.start_soon(mcp_server.serve)
+                tg.start_soon(callback_web_server.serve)
+    except Exception as exc:
+        logger.exception(f"Error: {type(exc).__name__}: {exc}")
+    finally:
+        await backend_client.close()
+        await store.close()
+        try:
+            await traffic_store.close()
+        except Exception:
+            logger.exception("Failed to close traffic store")
+    logger.info("OpenMaskit stopped")
+def main():
+    try:
+        anyio.run(async_main)
+    except (KeyboardInterrupt, SystemExit):
+        pass
+    except BaseException as exc:
+        print(f"Fatal error: {exc}", file=sys.stderr)
+        import traceback
+        traceback.print_exc(file=sys.stderr)
+        sys.exit(1)
+if __name__ == "__main__":
+    main()