From 0b16a59ead4896926fb50498f2fa721119b26cd0 Mon Sep 17 00:00:00 2001
From: betterclever <paliwal.pranjal83@gmail.com>
Date: Thu, 29 Jan 2026 10:55:40 +0530
Subject: [PATCH 1/5] feat: add stdio MCP proxy and cleanup

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
---
 backend/src/mcp/internal-mcp.controller.ts    |  6 ++
 docker/mcp-stdio-proxy/Dockerfile             | 13 +++
 docker/mcp-stdio-proxy/README.md              | 31 +++++++
 docker/mcp-stdio-proxy/package.json           | 14 +++
 docker/mcp-stdio-proxy/server.mjs             | 89 +++++++++++++++++++
 worker/src/components/core/mcp-server.ts      | 44 ++++++++-
 .../src/temporal/activities/mcp.activity.ts   | 31 +++++++
 worker/src/temporal/types.ts                  |  5 ++
 worker/src/temporal/workers/dev.worker.ts     |  3 +
 worker/src/temporal/workflows/index.ts        |  6 ++
 10 files changed, 238 insertions(+), 4 deletions(-)
 create mode 100644 docker/mcp-stdio-proxy/Dockerfile
 create mode 100644 docker/mcp-stdio-proxy/README.md
 create mode 100644 docker/mcp-stdio-proxy/package.json
 create mode 100644 docker/mcp-stdio-proxy/server.mjs

diff --git a/backend/src/mcp/internal-mcp.controller.ts b/backend/src/mcp/internal-mcp.controller.ts
index 5eb28c82..3bbf0e0d 100644
--- a/backend/src/mcp/internal-mcp.controller.ts
+++ b/backend/src/mcp/internal-mcp.controller.ts
@@ -50,4 +50,10 @@ export class InternalMcpController {
     await this.toolRegistry.registerLocalMcp(body);
     return { success: true };
   }
+
+  @Post('cleanup')
+  async cleanupRun(@Body() body: { runId: string }) {
+    const containerIds = await this.toolRegistry.cleanupRun(body.runId);
+    return { containerIds };
+  }
 }
diff --git a/docker/mcp-stdio-proxy/Dockerfile b/docker/mcp-stdio-proxy/Dockerfile
new file mode 100644
index 00000000..fd2bf783
--- /dev/null
+++ b/docker/mcp-stdio-proxy/Dockerfile
@@ -0,0 +1,13 @@
+FROM node:20-alpine
+
+WORKDIR /app
+
+COPY package.json ./
+RUN npm install --omit=dev
+
+COPY server.mjs ./
+
+ENV PORT=8080
+EXPOSE 8080
+
+CMD ["node", "server.mjs"]
diff --git a/docker/mcp-stdio-proxy/README.md b/docker/mcp-stdio-proxy/README.md
new file mode 100644
index 00000000..9785829b
--- /dev/null
+++ b/docker/mcp-stdio-proxy/README.md
@@ -0,0 +1,31 @@
+# MCP Stdio Proxy
+
+This image wraps a stdio-based MCP server and exposes it over Streamable HTTP.
+
+## Build
+
+```bash
+docker build -t shipsec/mcp-stdio-proxy:latest docker/mcp-stdio-proxy
+```
+
+## Run
+
+```bash
+docker run --rm -p 8080:8080 \
+  -e MCP_COMMAND=uvx \
+  -e MCP_ARGS='["awslabs-cloudwatch-mcp-server"]' \
+  shipsec/mcp-stdio-proxy:latest
+```
+
+The proxy will expose MCP on `http://localhost:8080/mcp` and a basic health endpoint at `/health`.
+
+## Environment
+
+- `MCP_COMMAND` (required): Command to launch the stdio MCP server.
+- `MCP_ARGS` (optional): JSON array or space-delimited list of arguments.
+- `PORT` / `MCP_PORT` (optional): Port for the HTTP server (default: 8080).
+
+## Notes
+
+- The proxy lists tools once at startup and registers them. Restart the container if tools change.
+- Make sure the stdio server binary is present in the image. For third-party tools, build a derived image that installs them.
diff --git a/docker/mcp-stdio-proxy/package.json b/docker/mcp-stdio-proxy/package.json
new file mode 100644
index 00000000..e766511d
--- /dev/null
+++ b/docker/mcp-stdio-proxy/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "mcp-stdio-proxy",
+  "version": "0.1.0",
+  "private": true,
+  "type": "module",
+  "description": "HTTP proxy for stdio-based MCP servers",
+  "scripts": {
+    "start": "node server.mjs"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.25.3",
+    "express": "^5.2.1"
+  }
+}
diff --git a/docker/mcp-stdio-proxy/server.mjs b/docker/mcp-stdio-proxy/server.mjs
new file mode 100644
index 00000000..515374c9
--- /dev/null
+++ b/docker/mcp-stdio-proxy/server.mjs
@@ -0,0 +1,89 @@
+import express from 'express';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+
+function parseArgs(raw) {
+  if (!raw) return [];
+  try {
+    const parsed = JSON.parse(raw);
+    if (Array.isArray(parsed)) return parsed.map(String);
+  } catch {
+    // fall through
+  }
+  return raw
+    .split(' ')
+    .map((entry) => entry.trim())
+    .filter(Boolean);
+}
+
+const command = process.env.MCP_COMMAND;
+const args = parseArgs(process.env.MCP_ARGS || '');
+const port = Number.parseInt(process.env.PORT || process.env.MCP_PORT || '8080', 10);
+
+if (!command) {
+  console.error('MCP_COMMAND is required to start the stdio MCP server.');
+  process.exit(1);
+}
+
+const client = new Client({ name: 'shipsec-mcp-stdio-proxy', version: '1.0.0' });
+const clientTransport = new StdioClientTransport({
+  command,
+  args,
+});
+
+await client.connect(clientTransport);
+
+const toolsResponse = await client.listTools();
+const tools = toolsResponse.tools ?? [];
+
+const server = new McpServer({
+  name: 'shipsec-mcp-stdio-proxy',
+  version: '1.0.0',
+});
+
+for (const tool of tools) {
+  server.registerTool(
+    tool.name,
+    {
+      description: tool.description,
+      inputSchema: tool.inputSchema,
+    },
+    async (toolArgs) => {
+      return client.callTool({
+        name: tool.name,
+        arguments: toolArgs ?? {},
+      });
+    },
+  );
+}
+
+const transport = new StreamableHTTPServerTransport({
+  sessionIdGenerator: () => 'stdio-proxy',
+  enableJsonResponse: true,
+});
+await server.connect(transport);
+
+const app = express();
+app.use(express.json({ limit: '2mb' }));
+
+app.all('/mcp', async (req, res) => {
+  try {
+    await transport.handleRequest(req, res, req.body);
+  } catch (error) {
+    console.error('Failed to handle MCP request', error);
+    if (!res.headersSent) {
+      res.status(500).send('MCP proxy error');
+    }
+  }
+});
+
+app.get('/health', (_req, res) => {
+  res.json({ status: 'ok', toolCount: tools.length });
+});
+
+app.listen(port, '0.0.0.0', () => {
+  console.log(`MCP stdio proxy listening on http://0.0.0.0:${port}/mcp`);
+  console.log(`Proxied MCP command: ${command} ${args.join(' ')}`);
+});
diff --git a/worker/src/components/core/mcp-server.ts b/worker/src/components/core/mcp-server.ts
index 23e850d5..bf318b9c 100644
--- a/worker/src/components/core/mcp-server.ts
+++ b/worker/src/components/core/mcp-server.ts
@@ -21,11 +21,35 @@ const outputSchema = outputs({
 });
 
 const parameterSchema = parameters({
+  mode: param(z.enum(['http', 'stdio']).default('http').describe('How to launch the MCP server.'), {
+    label: 'Mode',
+    editor: 'select',
+    options: [
+      { label: 'HTTP Server', value: 'http' },
+      { label: 'Stdio Server (Proxy)', value: 'stdio' },
+    ],
+    description: 'HTTP starts a native MCP HTTP server. Stdio starts a proxy container.',
+  }),
   image: param(z.string().describe('Docker image for the MCP server'), {
     label: 'Docker Image',
     editor: 'text',
-    placeholder: 'mcp/myserver:latest',
+    placeholder: 'shipsec/mcp-stdio-proxy:latest',
   }),
+  stdioCommand: param(
+    z.string().optional().describe('Stdio MCP command to run inside the proxy container.'),
+    {
+      label: 'Stdio Command',
+      editor: 'text',
+      placeholder: 'uvx',
+    },
+  ),
+  stdioArgs: param(
+    z.array(z.string()).default([]).describe('Arguments for the stdio MCP command.'),
+    {
+      label: 'Stdio Args',
+      editor: 'variable-list',
+    },
+  ),
   command: param(z.array(z.string()).default([]).describe('Entrypoint command'), {
     label: 'Command',
     editor: 'variable-list',
@@ -60,7 +84,7 @@ const definition = defineComponent({
   inputs: inputSchema,
   outputs: outputSchema,
   parameters: parameterSchema,
-  docs: 'Starts an external MCP server in a Docker container and registers it as a tool source.',
+  docs: 'Starts an MCP server in a Docker container and registers it as a tool source. Use stdio mode with the MCP stdio proxy image to wrap CLI-based MCP servers.',
   ui: {
     slug: 'mcp-server',
     version: '1.0.0',
@@ -79,14 +103,26 @@ const definition = defineComponent({
     const serverPort = params.port || 8080; // Determine the port once
 
     if (params.image) {
+      const isStdioMode = params.mode === 'stdio';
       // Manually construct runner config to resolve parameters,
       // as `this.runner` is not interpolated when used directly in `execute`.
       const runnerConfig = {
         kind: 'docker' as const, // Explicitly type as 'docker' literal
         image: params.image,
         // Combine command and args into a single array for the Docker command
-        command: [...(params.command || []), ...(params.args || [])],
-        env: params.env,
+        command: isStdioMode
+          ? []
+          : [...(params.command || []), ...(params.args || [])],
+        env: {
+          ...params.env,
+          ...(isStdioMode
+            ? {
+                MCP_COMMAND: params.stdioCommand ?? '',
+                MCP_ARGS: JSON.stringify(params.stdioArgs ?? []),
+                MCP_PORT: String(serverPort),
+              }
+            : {}),
+        },
         detached: true,
         // Map the internal server port to the same host port
         ports: { [serverPort]: serverPort },
diff --git a/worker/src/temporal/activities/mcp.activity.ts b/worker/src/temporal/activities/mcp.activity.ts
index 2ef9aeea..483dd743 100644
--- a/worker/src/temporal/activities/mcp.activity.ts
+++ b/worker/src/temporal/activities/mcp.activity.ts
@@ -6,6 +6,7 @@ import {
   ServiceError,
 } from '@shipsec/component-sdk';
 import {
+  CleanupLocalMcpActivityInput,
   RegisterComponentToolActivityInput,
   RegisterLocalMcpActivityInput,
   RegisterRemoteMcpActivityInput,
@@ -80,6 +81,36 @@ export async function registerLocalMcpActivity(
   });
 }
 
+export async function cleanupLocalMcpActivity(
+  input: CleanupLocalMcpActivityInput,
+): Promise<void> {
+  const response = await callInternalApi('cleanup', { runId: input.runId });
+  const containerIds = Array.isArray(response?.containerIds) ? response.containerIds : [];
+
+  if (containerIds.length === 0) {
+    return;
+  }
+
+  const { exec } = await import('node:child_process');
+  const { promisify } = await import('node:util');
+  const execAsync = promisify(exec);
+
+  await Promise.all(
+    containerIds.map(async (containerId: string) => {
+      if (!containerId || typeof containerId !== 'string') return;
+      if (!/^[a-zA-Z0-9_.-]+$/.test(containerId)) {
+        console.warn(`[MCP Cleanup] Skipping container with unsafe id: ${containerId}`);
+        return;
+      }
+      try {
+        await execAsync(`docker rm -f ${containerId}`);
+      } catch (error) {
+        console.warn(`[MCP Cleanup] Failed to remove container ${containerId}:`, error);
+      }
+    }),
+  );
+}
+
 export async function prepareAndRegisterToolActivity(input: {
   runId: string;
   nodeId: string;
diff --git a/worker/src/temporal/types.ts b/worker/src/temporal/types.ts
index 0cdfaab0..e7839161 100644
--- a/worker/src/temporal/types.ts
+++ b/worker/src/temporal/types.ts
@@ -218,6 +218,7 @@ export interface RegisterLocalMcpActivityInput {
   containerId: string;
 }
 
+
 export interface PrepareAndRegisterToolActivityInput {
   runId: string;
   nodeId: string;
@@ -225,3 +226,7 @@ export interface PrepareAndRegisterToolActivityInput {
   inputs: Record<string, unknown>;
   params: Record<string, unknown>;
 }
+
+export interface CleanupLocalMcpActivityInput {
+  runId: string;
+}
diff --git a/worker/src/temporal/workers/dev.worker.ts b/worker/src/temporal/workers/dev.worker.ts
index 5fda2905..88b0ff3e 100644
--- a/worker/src/temporal/workers/dev.worker.ts
+++ b/worker/src/temporal/workers/dev.worker.ts
@@ -29,6 +29,7 @@ import {
   registerComponentToolActivity,
   registerLocalMcpActivity,
   registerRemoteMcpActivity,
+  cleanupLocalMcpActivity,
   prepareAndRegisterToolActivity,
 } from '../activities/mcp.activity';
 
@@ -221,6 +222,7 @@ async function main() {
       registerComponentToolActivity,
       registerLocalMcpActivity,
       registerRemoteMcpActivity,
+      cleanupLocalMcpActivity,
     }).join(', ')}`,
   );
 
@@ -256,6 +258,7 @@ async function main() {
       registerComponentToolActivity,
       registerLocalMcpActivity,
       registerRemoteMcpActivity,
+      cleanupLocalMcpActivity,
       prepareAndRegisterToolActivity,
     },
     bundlerOptions: {
diff --git a/worker/src/temporal/workflows/index.ts b/worker/src/temporal/workflows/index.ts
index ad647387..8b366b6c 100644
--- a/worker/src/temporal/workflows/index.ts
+++ b/worker/src/temporal/workflows/index.ts
@@ -28,6 +28,7 @@ import type {
   WorkflowAction,
   PrepareRunPayloadActivityInput,
   RegisterComponentToolActivityInput,
+  CleanupLocalMcpActivityInput,
   RegisterLocalMcpActivityInput,
   RegisterRemoteMcpActivityInput,
   PrepareAndRegisterToolActivityInput,
@@ -41,6 +42,7 @@ const {
   expireHumanInputRequestActivity,
   registerLocalMcpActivity,
   registerRemoteMcpActivity,
+  cleanupLocalMcpActivity,
   prepareAndRegisterToolActivity,
 } = proxyActivities<{
   runComponentActivity(input: RunComponentActivityInput): Promise<RunComponentActivityOutput>;
@@ -70,6 +72,7 @@ const {
   registerComponentToolActivity(input: RegisterComponentToolActivityInput): Promise<void>;
   registerLocalMcpActivity(input: RegisterLocalMcpActivityInput): Promise<void>;
   registerRemoteMcpActivity(input: RegisterRemoteMcpActivityInput): Promise<void>;
+  cleanupLocalMcpActivity(input: CleanupLocalMcpActivityInput): Promise<void>;
   prepareAndRegisterToolActivity(input: PrepareAndRegisterToolActivityInput): Promise<void>;
 }>({
   startToCloseTimeout: '10 minutes',
@@ -886,6 +889,9 @@ export async function shipsecWorkflowRun(
       [{ outputs, error: normalizedError.message }],
     );
   } finally {
+    await cleanupLocalMcpActivity({ runId: input.runId }).catch((err) => {
+      console.error(`[Workflow] Failed to cleanup MCP containers for run ${input.runId}`, err);
+    });
     await finalizeRunActivity({ runId: input.runId }).catch((err) => {
       console.error(`[Workflow] Failed to finalize run ${input.runId}`, err);
     });

From 55844dea27b2749856c389154f67489965fa1ab9 Mon Sep 17 00:00:00 2001
From: betterclever <paliwal.pranjal83@gmail.com>
Date: Thu, 29 Jan 2026 11:25:10 +0530
Subject: [PATCH 2/5] feat: add AWS MCP server components

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
---
 .ai/PLAN.md                                   | 201 +++++++++++-------
 docker/mcp-aws-cloudtrail/Dockerfile          |   8 +
 docker/mcp-aws-cloudtrail/README.md           |  22 ++
 docker/mcp-aws-cloudwatch/Dockerfile          |   8 +
 docker/mcp-aws-cloudwatch/README.md           |  22 ++
 .../src/components/workflow/WorkflowNode.tsx  |  40 +++-
 worker/src/components/core/mcp-runtime.ts     |  54 +++++
 worker/src/components/core/mcp-server.ts      |  76 +++----
 worker/src/components/index.ts                |   2 +
 .../components/security/aws-cloudtrail-mcp.ts | 123 +++++++++++
 .../components/security/aws-cloudwatch-mcp.ts | 123 +++++++++++
 worker/src/temporal/workflows/index.ts        |  82 ++++---
 12 files changed, 607 insertions(+), 154 deletions(-)
 create mode 100644 docker/mcp-aws-cloudtrail/Dockerfile
 create mode 100644 docker/mcp-aws-cloudtrail/README.md
 create mode 100644 docker/mcp-aws-cloudwatch/Dockerfile
 create mode 100644 docker/mcp-aws-cloudwatch/README.md
 create mode 100644 worker/src/components/core/mcp-runtime.ts
 create mode 100644 worker/src/components/security/aws-cloudtrail-mcp.ts
 create mode 100644 worker/src/components/security/aws-cloudwatch-mcp.ts

diff --git a/.ai/PLAN.md b/.ai/PLAN.md
index 3896183b..c0a703db 100644
--- a/.ai/PLAN.md
+++ b/.ai/PLAN.md
@@ -1,82 +1,119 @@
-# ENG-101: Frontend: Tool Mode & Agent Node UI Implementation Plan
-
-## Overview
-This plan details the frontend implementation for supporting Agentic workflows, including a Tool Mode toggle for nodes, an MCP Server node type, and enhancements to the Run Timeline to visualize agent execution and reasoning.
-
-## User Review Required
-> [!IMPORTANT]
-> - Confirm if `core.mcp.server` component definition exists in the backend or if it needs to be mocked/created in frontend for now.
-> - Clarify if "MCP Server node type in palette" implies a specific UI for browsing a catalog (e.g., distinct from normal list). We will implement it as a distinct category in the existing Sidebar for now.
-
-## Proposed Changes
-
-### 1. Tool Mode Toggle
-**Goal**: Allow users to toggle nodes into "Tool Mode", changing their visual representation and port exposure.
-
-#### [MODIFY] [WorkflowNode.tsx](file:///Users/betterclever/shipsec/shipsec-studio/frontend/src/components/workflow/WorkflowNode.tsx)
-- Add a "Tool Mode" toggle button to the node header (visible for agent-callable nodes).
-- **State**: Track `isToolMode` state (likely in `node.data.config.isToolMode` or similar).
-- **Rendering**:
-    - When `isToolMode` is active:
-        - Show "Exposed" inputs/outputs (the ones the Agent sees).
-        - Hide internal wiring ports not relevant to the Agent? Or show them differently?
-        - Apply a distinct visual style (e.g., "Tool" badge, different border color).
-    - **Visual Distinction**: "Visual distinction for tool calls vs normal nodes".
-        - Add a "Tool" icon/badge.
-        - Change border style (e.g., dashed vs solid, or a specific color like purple/indigo for tools).
-
-### 2. MCP Server Node & Palette
-**Goal**: Add MCP Server nodes to the palette with catalog selection.
-
-#### [MODIFY] [Sidebar.tsx](file:///Users/betterclever/shipsec/shipsec-studio/frontend/src/components/layout/Sidebar.tsx)
-- Add `mcp_server` to `categoryOrder` and `categoryColors`.
-- Ensure MCP Server components are correctly categorized and displayed.
-- **Catalog Selection**:
-    - If a specific Catalog UI is needed, we might need a "Add from Catalog" button in the `mcp_server` section or a separate view.
-    - *Plan*: Integrate into the existing accordion list for now, ensuring `mcp_server` category is prominent.
-
-#### [NEW] [MCPServerNode.tsx] (Optional)
-- If MCP Server nodes require special rendering (e.g., connection status to external server), create a custom node type.
-- *Default*: Use `WorkflowNode` but with "MCP" styling.
-
-### 3. Agent Node & Tools Port
-**Goal**: Enhance the Agent Node UI to support multi-connection tools port.
-
-#### [MODIFY] [WorkflowNode.tsx](file:///Users/betterclever/shipsec/shipsec-studio/frontend/src/components/workflow/WorkflowNode.tsx)
-- **Tools Port**:
-    - Ensure the `tools` input port (anchor) handles multiple connections visually.
-    - ReactFlow `Handle` supports `isConnectable={true}` (default).
-    - **Visual**: Style the "Tools" port distinctly (e.g., different shape or color) to indicate it's a "Tool Collection" port.
-
-### 4. Run Timeline Enhancements
-**Goal**: Visualize agent execution, reasoning, and tool calls.
-
-#### [MODIFY] [ExecutionTimeline.tsx](file:///Users/betterclever/shipsec/shipsec-studio/frontend/src/components/timeline/ExecutionTimeline.tsx)
-- **Expandable Tool Calls**:
-    - Show Agent events (steps) on the timeline track.
-    - Allow clicking an Agent event to expand/focus it.
-    - `agentMarkers` seem implemented. Ensure they are fully wired up to show sub-steps.
-
-#### [MODIFY] [AgentTracePanel.tsx](file:///Users/betterclever/shipsec/shipsec-studio/frontend/src/components/timeline/AgentTracePanel.tsx)
-- **Thinking/Reasoning**:
-    - Ensure `step.thought` is displayed prominently (it is currently `ExpandableText`).
-    - **Tool Calls**:
-        - `AgentStepCard` shows tool calls. Improve visual distinction.
-        - Add "Thinking" section (e.g., "Agent is thinking..." animation or collapsible "Reasoning" block).
-
-## Verification Plan
-
-### Manual Verification
-1.  **Tool Mode**:
-    - Drag a component (e.g., "Recursive Web Scraper") to canvas.
-    - Toggle "Tool Mode". Verify visual change (border/badge) and port changes.
-    - Connect it to an Agent node's "Tools" port.
-2.  **MCP Server**:
-    - Check Palette for "MCP Servers" category.
-    - Drag an MCP Server node to canvas.
-3.  **Run Timeline**:
-    - Run a workflow with an Agent.
-    - Open "Execution" view.
-    - Check Timeline for Agent markers.
-    - Click Agent node -> Check "Agent Trace" panel.
-    - Verify "Thinking" and "Tool Calls" are shown clearly.
+# MCP AWS Servers Plan (CloudTrail + CloudWatch)
+
+Goal: Make AWS CloudTrail + CloudWatch MCP servers usable locally via OpenCode and the MCP Gateway, with a standardized MCP-node lifecycle (start → register → cleanup), and UI support through tool-mode nodes.
+
+This plan is split into commit-sized phases. No code changes beyond the plan should happen until you approve.
+
+---
+
+## Constraints and Principles
+- MCP server nodes are tool-mode only.
+- MCP servers are long-lived per workflow run (start once, expose tools, cleanup on finalize).
+- All MCP servers exposed to agents must be HTTP (stdio is wrapped with proxy).
+- AWS credentials are provided via a credential bundle input (or equivalent).
+
+---
+
+## Commit Plan
+
+### Commit 1 — MCP lifecycle helper (worker)
+Scope: Standardize MCP node lifecycle with shared helper utilities.
+- Create a shared helper (e.g., `worker/src/components/core/mcp-runtime.ts`):
+  - `runMcpServerInToolMode(...)` to start container, inject env, return endpoint/containerId.
+  - `registerMcpServer(...)` wrapper (call `registerLocalMcpActivity`).
+  - `assertToolModeOnly(context)` guard.
+- Update `core.mcp.server` to call the helper and enforce tool-mode.
+- Keep current stdio proxy support (already added) as a supported mode.
+
+Artifacts:
+- Helper module added.
+- `core.mcp.server` uses helper and rejects non-tool mode.
+
+---
+
+### Commit 2 — AWS MCP proxy images (docker)
+Scope: Build derived images that include AWS MCP stdio servers.
+- Add `docker/mcp-aws-cloudtrail/`:
+  - Dockerfile builds from `shipsec/mcp-stdio-proxy` and installs CloudTrail MCP (e.g., `uvx awslabs-cloudtrail-mcp-server`).
+- Add `docker/mcp-aws-cloudwatch/`:
+  - Dockerfile builds from same base and installs CloudWatch MCP.
+- Document build commands and expected env vars.
+
+Artifacts:
+- New docker folders + README for each image.
+
+---
+
+### Commit 3 — AWS MCP components (tool-mode only)
+Scope: Add two components that encapsulate AWS MCP lifecycle.
+- `worker/src/components/security/aws-cloudtrail-mcp.ts`
+- `worker/src/components/security/aws-cloudwatch-mcp.ts`
+
+Each component:
+- Runner: docker, image points to the new AWS proxy image.
+- Parameters:
+  - `region`
+  - `mcpPort` (default 8080)
+  - optional `extraArgs` (array)
+- Inputs:
+  - `awsCredentials` (credential bundle: accessKeyId, secretAccessKey, sessionToken)
+- Execute:
+  - Assert tool-mode only.
+  - Start container with env: AWS creds + region + MCP_COMMAND/MCP_ARGS.
+  - Register with gateway via activity.
+  - Output: endpoint + containerId (for debug)
+
+Artifacts:
+- New components registered in index.
+- Optional unit tests for components (basic config validation).
+
+---
+
+### Commit 4 — UI tool-mode safeguards + AWS MCP visibility
+Scope: UI clarity and guardrails.
+- Add “tool-mode only” badge or warning for MCP server components.
+- Update component metadata / docs to reflect tool-mode only behavior.
+- Ensure AWS MCP components appear in the palette under `security` (or a new `mcp` category if desired).
+
+Artifacts:
+- UI hints in config panel / node rendering.
+
+---
+
+## Lint & Typecheck Instructions
+Run after each commit (or at least after Commit 4):
+
+```bash
+bun --cwd worker run lint
+bun --cwd worker run typecheck
+bun --cwd backend run lint
+bun --cwd backend run typecheck
+bun --cwd frontend run lint
+bun --cwd frontend run typecheck
+```
+
+If only worker changes are made in a commit, it is acceptable to run just the worker checks for that commit and the full set at the end.
+
+---
+
+## Manual Validation (you will run)
+1. Build the AWS proxy images.
+2. In UI, add AWS CloudTrail MCP node and set tool mode.
+3. Connect to OpenCode tools port.
+4. Run workflow and verify tools show up in the gateway.
+5. Confirm containers stop after workflow completes.
+
+---
+
+## Open Questions to Resolve Before Coding
+- Should AWS MCP components live under `security` or a new `mcp` category?
+- Do we want a single generic “AWS MCP” component with a server selector, or separate components?
+- What is the final “credential bundle” schema in the UI?
+
+---
+
+## Implementation Order (after plan approval)
+1) Commit 1
+2) Commit 2
+3) Commit 3
+4) Commit 4
diff --git a/docker/mcp-aws-cloudtrail/Dockerfile b/docker/mcp-aws-cloudtrail/Dockerfile
new file mode 100644
index 00000000..860a858f
--- /dev/null
+++ b/docker/mcp-aws-cloudtrail/Dockerfile
@@ -0,0 +1,8 @@
+ARG BASE_IMAGE=shipsec/mcp-stdio-proxy:latest
+FROM ${BASE_IMAGE}
+
+RUN apk add --no-cache python3 py3-pip \
+  && pip install --no-cache-dir uv
+
+ENV MCP_COMMAND=uvx
+ENV MCP_ARGS='["awslabs-cloudtrail-mcp-server"]'
diff --git a/docker/mcp-aws-cloudtrail/README.md b/docker/mcp-aws-cloudtrail/README.md
new file mode 100644
index 00000000..7828a5d6
--- /dev/null
+++ b/docker/mcp-aws-cloudtrail/README.md
@@ -0,0 +1,22 @@
+# AWS CloudTrail MCP Proxy Image
+
+This image extends the MCP stdio proxy and installs the CloudTrail MCP server.
+
+## Build
+
+```bash
+docker build -t shipsec/mcp-aws-cloudtrail:latest docker/mcp-aws-cloudtrail
+```
+
+## Run (example)
+
+```bash
+docker run --rm -p 8080:8080 \
+  -e AWS_ACCESS_KEY_ID=... \
+  -e AWS_SECRET_ACCESS_KEY=... \
+  -e AWS_SESSION_TOKEN=... \
+  -e AWS_REGION=us-east-1 \
+  shipsec/mcp-aws-cloudtrail:latest
+```
+
+The proxy exposes MCP on `http://localhost:8080/mcp`.
diff --git a/docker/mcp-aws-cloudwatch/Dockerfile b/docker/mcp-aws-cloudwatch/Dockerfile
new file mode 100644
index 00000000..baab5b7e
--- /dev/null
+++ b/docker/mcp-aws-cloudwatch/Dockerfile
@@ -0,0 +1,8 @@
+ARG BASE_IMAGE=shipsec/mcp-stdio-proxy:latest
+FROM ${BASE_IMAGE}
+
+RUN apk add --no-cache python3 py3-pip \
+  && pip install --no-cache-dir uv
+
+ENV MCP_COMMAND=uvx
+ENV MCP_ARGS='["awslabs-cloudwatch-mcp-server"]'
diff --git a/docker/mcp-aws-cloudwatch/README.md b/docker/mcp-aws-cloudwatch/README.md
new file mode 100644
index 00000000..4b8f57d0
--- /dev/null
+++ b/docker/mcp-aws-cloudwatch/README.md
@@ -0,0 +1,22 @@
+# AWS CloudWatch MCP Proxy Image
+
+This image extends the MCP stdio proxy and installs the CloudWatch MCP server.
+
+## Build
+
+```bash
+docker build -t shipsec/mcp-aws-cloudwatch:latest docker/mcp-aws-cloudwatch
+```
+
+## Run (example)
+
+```bash
+docker run --rm -p 8080:8080 \
+  -e AWS_ACCESS_KEY_ID=... \
+  -e AWS_SECRET_ACCESS_KEY=... \
+  -e AWS_SESSION_TOKEN=... \
+  -e AWS_REGION=us-east-1 \
+  shipsec/mcp-aws-cloudwatch:latest
+```
+
+The proxy exposes MCP on `http://localhost:8080/mcp`.
diff --git a/frontend/src/components/workflow/WorkflowNode.tsx b/frontend/src/components/workflow/WorkflowNode.tsx
index 45e9a198..4cb8ebdb 100644
--- a/frontend/src/components/workflow/WorkflowNode.tsx
+++ b/frontend/src/components/workflow/WorkflowNode.tsx
@@ -446,6 +446,11 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
   const MAX_TEXT_HEIGHT = 1200;
   const DEFAULT_TEXT_WIDTH = 320;
   const DEFAULT_TEXT_HEIGHT = 300;
+  const TOOL_MODE_ONLY_COMPONENTS = new Set([
+    'core.mcp.server',
+    'security.aws-cloudtrail-mcp',
+    'security.aws-cloudwatch-mcp',
+  ]);
   const [textSize, setTextSize] = useState<{ width: number; height: number }>(() => {
     const uiSize = (data as any)?.ui?.size as { width?: number; height?: number } | undefined;
     return {
@@ -488,6 +493,7 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
   const component = getComponent(componentRef);
   const isTextBlock = component?.id === 'core.ui.text';
   const isEntryPoint = component?.id === 'core.workflow.entrypoint';
+  const isToolModeOnly = component?.id ? TOOL_MODE_ONLY_COMPONENTS.has(component.id) : false;
 
   // Detect dark mode using theme store (reacts to theme changes)
   const theme = useThemeStore((state) => state.theme);
@@ -517,8 +523,32 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
   // Tool Mode State
   const isToolMode = (nodeData.config as any)?.isToolMode || false;
 
+  useEffect(() => {
+    if (!isToolModeOnly || isToolMode) return;
+    setNodes((nds) =>
+      nds.map((n) => {
+        if (n.id !== id) return n;
+        const currentConfig = (n.data as any).config || {};
+        return {
+          ...n,
+          data: {
+            ...n.data,
+            config: {
+              ...currentConfig,
+              isToolMode: true,
+            },
+          },
+        };
+      }),
+    );
+    markDirty();
+  }, [id, isToolMode, isToolModeOnly, markDirty, setNodes]);
+
   const toggleToolMode = (e: React.MouseEvent) => {
     e.stopPropagation();
+    if (isToolModeOnly) {
+      return;
+    }
     setNodes((nds) =>
       nds.map((n) => {
         if (n.id !== id) return n;
@@ -1074,13 +1104,21 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
                   <button
                     type="button"
                     onClick={toggleToolMode}
+                    disabled={isToolModeOnly}
                     className={cn(
                       'flex items-center gap-1.5 px-2 py-1 rounded transition-all border',
+                      isToolModeOnly && 'opacity-70 cursor-not-allowed',
                       isToolMode
                         ? 'bg-purple-600 text-white border-purple-500 shadow-sm'
                         : 'bg-background text-muted-foreground/60 border-border hover:border-purple-400 hover:text-purple-600',
                     )}
-                    title={isToolMode ? 'Disable Tool Mode' : 'Enable Tool Mode'}
+                    title={
+                      isToolModeOnly
+                        ? 'Tool Mode Only'
+                        : isToolMode
+                          ? 'Disable Tool Mode'
+                          : 'Enable Tool Mode'
+                    }
                   >
                     <Hammer
                       className={cn('h-3.5 w-3.5', isToolMode ? 'text-white' : 'text-current')}
diff --git a/worker/src/components/core/mcp-runtime.ts b/worker/src/components/core/mcp-runtime.ts
new file mode 100644
index 00000000..88948645
--- /dev/null
+++ b/worker/src/components/core/mcp-runtime.ts
@@ -0,0 +1,54 @@
+import { runComponentWithRunner, ValidationError } from '@shipsec/component-sdk';
+
+type StartMcpServerInput = {
+  image: string;
+  command?: string[];
+  args?: string[];
+  env?: Record<string, string>;
+  port?: number;
+  params: Record<string, unknown>;
+  context: any;
+};
+
+type StartMcpServerOutput = {
+  endpoint: string;
+  containerId?: string;
+};
+
+export async function startMcpDockerServer(
+  input: StartMcpServerInput,
+): Promise<StartMcpServerOutput> {
+  const port = input.port ?? 8080;
+
+  if (!input.image || input.image.trim().length === 0) {
+    throw new ValidationError('Docker image is required for MCP server', {
+      fieldErrors: { image: ['Docker image is required'] },
+    });
+  }
+
+  const runnerConfig = {
+    kind: 'docker' as const,
+    image: input.image,
+    command: [...(input.command ?? []), ...(input.args ?? [])],
+    env: input.env,
+    detached: true,
+    ports: { [port]: port },
+  };
+
+  const result = await runComponentWithRunner(
+    runnerConfig,
+    async () => ({}),
+    input.params,
+    input.context,
+  );
+
+  let containerId: string | undefined;
+  if (result && typeof result === 'object' && 'containerId' in result) {
+    containerId = (result as { containerId?: string }).containerId;
+  }
+
+  return {
+    endpoint: `http://localhost:${port}`,
+    containerId,
+  };
+}
diff --git a/worker/src/components/core/mcp-server.ts b/worker/src/components/core/mcp-server.ts
index bf318b9c..17cdc8a0 100644
--- a/worker/src/components/core/mcp-server.ts
+++ b/worker/src/components/core/mcp-server.ts
@@ -7,8 +7,9 @@ import {
   parameters,
   param,
   port,
-  runComponentWithRunner,
+  ValidationError,
 } from '@shipsec/component-sdk';
+import { startMcpDockerServer } from './mcp-runtime';
 
 const inputSchema = inputs({});
 
@@ -96,56 +97,43 @@ const definition = defineComponent({
       name: 'ShipSecAI',
       type: 'shipsecai',
     },
+    agentTool: {
+      enabled: true,
+      toolName: 'mcp_server',
+      toolDescription: 'Expose an MCP server as a tool source.',
+    },
     isLatest: true,
   },
   async execute({ params }, context) {
-    let containerId: string | undefined;
-    const serverPort = params.port || 8080; // Determine the port once
-
-    if (params.image) {
-      const isStdioMode = params.mode === 'stdio';
-      // Manually construct runner config to resolve parameters,
-      // as `this.runner` is not interpolated when used directly in `execute`.
-      const runnerConfig = {
-        kind: 'docker' as const, // Explicitly type as 'docker' literal
-        image: params.image,
-        // Combine command and args into a single array for the Docker command
-        command: isStdioMode
-          ? []
-          : [...(params.command || []), ...(params.args || [])],
-        env: {
-          ...params.env,
-          ...(isStdioMode
-            ? {
-                MCP_COMMAND: params.stdioCommand ?? '',
-                MCP_ARGS: JSON.stringify(params.stdioArgs ?? []),
-                MCP_PORT: String(serverPort),
-              }
-            : {}),
-        },
-        detached: true,
-        // Map the internal server port to the same host port
-        ports: { [serverPort]: serverPort },
-      };
+    const serverPort = params.port || 8080;
+    const isStdioMode = params.mode === 'stdio';
 
-      // For local docker MCP servers, we start the container using the runner.
-      const result = await runComponentWithRunner(
-        runnerConfig, // Pass the dynamically constructed runner config
-        async () => ({}),
-        params,
-        context,
-      );
-
-      if (result && typeof result === 'object' && 'containerId' in result) {
-        containerId = (result as any).containerId;
-      }
+    if (isStdioMode && !params.stdioCommand) {
+      throw new ValidationError('Stdio command is required for stdio MCP servers', {
+        fieldErrors: { stdioCommand: ['Stdio command is required'] },
+      });
     }
 
-    const port = params.port || 8080;
-    return {
-      endpoint: `http://localhost:${port}`,
-      containerId,
+    const command = isStdioMode ? [] : [...(params.command || []), ...(params.args || [])];
+    const env = {
+      ...params.env,
+      ...(isStdioMode
+        ? {
+            MCP_COMMAND: params.stdioCommand ?? '',
+            MCP_ARGS: JSON.stringify(params.stdioArgs ?? []),
+            MCP_PORT: String(serverPort),
+          }
+        : {}),
     };
+
+    return startMcpDockerServer({
+      image: params.image,
+      command,
+      env,
+      port: serverPort,
+      params,
+      context,
+    });
   },
 });
 
diff --git a/worker/src/components/index.ts b/worker/src/components/index.ts
index b1a37b18..2dea721e 100644
--- a/worker/src/components/index.ts
+++ b/worker/src/components/index.ts
@@ -57,6 +57,8 @@ import './security/trufflehog';
 import './security/terminal-demo';
 import './security/virustotal';
 import './security/abuseipdb';
+import './security/aws-cloudtrail-mcp';
+import './security/aws-cloudwatch-mcp';
 
 // GitHub components
 import './github/connection-provider';
diff --git a/worker/src/components/security/aws-cloudtrail-mcp.ts b/worker/src/components/security/aws-cloudtrail-mcp.ts
new file mode 100644
index 00000000..6080b7a1
--- /dev/null
+++ b/worker/src/components/security/aws-cloudtrail-mcp.ts
@@ -0,0 +1,123 @@
+import { z } from 'zod';
+import {
+  componentRegistry,
+  defineComponent,
+  inputs,
+  outputs,
+  parameters,
+  param,
+  port,
+  ValidationError,
+} from '@shipsec/component-sdk';
+import { awsCredentialSchema } from '@shipsec/contracts';
+import { startMcpDockerServer } from '../core/mcp-runtime';
+
+const inputSchema = inputs({
+  credentials: port(awsCredentialSchema(), {
+    label: 'AWS Credentials',
+    description: 'AWS credential bundle (access key, secret key, optional session token).',
+    connectionType: { kind: 'contract', name: 'core.credential.aws', credential: true },
+  }),
+});
+
+const outputSchema = outputs({
+  endpoint: port(z.string().describe('The URL of the MCP server'), { label: 'Endpoint' }),
+  containerId: port(z.string().optional().describe('The Docker container ID'), {
+    label: 'Container ID',
+    hidden: true,
+  }),
+});
+
+const parameterSchema = parameters({
+  image: param(z.string().default('shipsec/mcp-aws-cloudtrail:latest'), {
+    label: 'Docker Image',
+    editor: 'text',
+  }),
+  region: param(z.string().optional().describe('AWS region for CloudTrail queries.'), {
+    label: 'Region',
+    editor: 'text',
+    placeholder: 'us-east-1',
+  }),
+  port: param(z.number().default(8080).describe('Internal port the MCP proxy listens on'), {
+    label: 'Port',
+    editor: 'number',
+  }),
+  extraArgs: param(z.array(z.string()).default([]).describe('Extra args for the MCP server.'), {
+    label: 'Extra Args',
+    editor: 'variable-list',
+  }),
+});
+
+const definition = defineComponent({
+  id: 'security.aws-cloudtrail-mcp',
+  label: 'AWS CloudTrail MCP Server',
+  category: 'security',
+  runner: {
+    kind: 'docker',
+    image: 'placeholder',
+    command: [],
+    detached: true,
+  },
+  inputs: inputSchema,
+  outputs: outputSchema,
+  parameters: parameterSchema,
+  docs: 'Runs the AWS CloudTrail MCP server in a container and exposes it via the MCP gateway (tool-mode only).',
+  ui: {
+    slug: 'aws-cloudtrail-mcp',
+    version: '1.0.0',
+    type: 'process',
+    category: 'security',
+    description: 'Expose AWS CloudTrail via MCP for tool-mode agents.',
+    icon: 'Shield',
+    author: {
+      name: 'ShipSecAI',
+      type: 'shipsecai',
+    },
+    agentTool: {
+      enabled: true,
+      toolName: 'aws_cloudtrail_mcp',
+      toolDescription: 'Expose AWS CloudTrail MCP tools to agents.',
+    },
+    isLatest: true,
+  },
+  async execute({ inputs, params }, context) {
+    const credentials = inputs.credentials;
+    if (!credentials?.accessKeyId || !credentials?.secretAccessKey) {
+      throw new ValidationError('AWS credentials are required for CloudTrail MCP', {
+        fieldErrors: { credentials: ['AWS credentials are required'] },
+      });
+    }
+
+    const region = params.region || credentials.region || 'us-east-1';
+    const port = params.port ?? 8080;
+
+    const env: Record<string, string> = {
+      AWS_ACCESS_KEY_ID: credentials.accessKeyId,
+      AWS_SECRET_ACCESS_KEY: credentials.secretAccessKey,
+      AWS_REGION: region,
+      AWS_DEFAULT_REGION: region,
+      MCP_COMMAND: 'uvx',
+      MCP_ARGS: JSON.stringify(['awslabs-cloudtrail-mcp-server', ...(params.extraArgs ?? [])]),
+      MCP_PORT: String(port),
+    };
+
+    if (credentials.sessionToken) {
+      env.AWS_SESSION_TOKEN = credentials.sessionToken;
+    }
+
+    return startMcpDockerServer({
+      image: params.image,
+      command: [],
+      env,
+      port,
+      params,
+      context,
+    });
+  },
+});
+
+componentRegistry.register(definition);
+
+export type AwsCloudtrailMcpInput = typeof inputSchema;
+export type AwsCloudtrailMcpParams = typeof parameterSchema;
+export type AwsCloudtrailMcpOutput = typeof outputSchema;
diff --git a/worker/src/components/security/aws-cloudwatch-mcp.ts b/worker/src/components/security/aws-cloudwatch-mcp.ts
new file mode 100644
index 00000000..affa20ce
--- /dev/null
+++ b/worker/src/components/security/aws-cloudwatch-mcp.ts
@@ -0,0 +1,123 @@
+import { z } from 'zod';
+import {
+  componentRegistry,
+  defineComponent,
+  inputs,
+  outputs,
+  parameters,
+  param,
+  port,
+  ValidationError,
+} from '@shipsec/component-sdk';
+import { awsCredentialSchema } from '@shipsec/contracts';
+import { startMcpDockerServer } from '../core/mcp-runtime';
+
+const inputSchema = inputs({
+  credentials: port(awsCredentialSchema(), {
+    label: 'AWS Credentials',
+    description: 'AWS credential bundle (access key, secret key, optional session token).',
+    connectionType: { kind: 'contract', name: 'core.credential.aws', credential: true },
+  }),
+});
+
+const outputSchema = outputs({
+  endpoint: port(z.string().describe('The URL of the MCP server'), { label: 'Endpoint' }),
+  containerId: port(z.string().optional().describe('The Docker container ID'), {
+    label: 'Container ID',
+    hidden: true,
+  }),
+});
+
+const parameterSchema = parameters({
+  image: param(z.string().default('shipsec/mcp-aws-cloudwatch:latest'), {
+    label: 'Docker Image',
+    editor: 'text',
+  }),
+  region: param(z.string().optional().describe('AWS region for CloudWatch queries.'), {
+    label: 'Region',
+    editor: 'text',
+    placeholder: 'us-east-1',
+  }),
+  port: param(z.number().default(8080).describe('Internal port the MCP proxy listens on'), {
+    label: 'Port',
+    editor: 'number',
+  }),
+  extraArgs: param(z.array(z.string()).default([]).describe('Extra args for the MCP server.'), {
+    label: 'Extra Args',
+    editor: 'variable-list',
+  }),
+});
+
+const definition = defineComponent({
+  id: 'security.aws-cloudwatch-mcp',
+  label: 'AWS CloudWatch MCP Server',
+  category: 'security',
+  runner: {
+    kind: 'docker',
+    image: 'placeholder',
+    command: [],
+    detached: true,
+  },
+  inputs: inputSchema,
+  outputs: outputSchema,
+  parameters: parameterSchema,
+  docs: 'Runs the AWS CloudWatch MCP server in a container and exposes it via the MCP gateway (tool-mode only).',
+  ui: {
+    slug: 'aws-cloudwatch-mcp',
+    version: '1.0.0',
+    type: 'process',
+    category: 'security',
+    description: 'Expose AWS CloudWatch via MCP for tool-mode agents.',
+    icon: 'Activity',
+    author: {
+      name: 'ShipSecAI',
+      type: 'shipsecai',
+    },
+    agentTool: {
+      enabled: true,
+      toolName: 'aws_cloudwatch_mcp',
+      toolDescription: 'Expose AWS CloudWatch MCP tools to agents.',
+    },
+    isLatest: true,
+  },
+  async execute({ inputs, params }, context) {
+    const credentials = inputs.credentials;
+    if (!credentials?.accessKeyId || !credentials?.secretAccessKey) {
+      throw new ValidationError('AWS credentials are required for CloudWatch MCP', {
+        fieldErrors: { credentials: ['AWS credentials are required'] },
+      });
+    }
+
+    const region = params.region || credentials.region || 'us-east-1';
+    const port = params.port ?? 8080;
+
+    const env: Record<string, string> = {
+      AWS_ACCESS_KEY_ID: credentials.accessKeyId,
+      AWS_SECRET_ACCESS_KEY: credentials.secretAccessKey,
+      AWS_REGION: region,
+      AWS_DEFAULT_REGION: region,
+      MCP_COMMAND: 'uvx',
+      MCP_ARGS: JSON.stringify(['awslabs-cloudwatch-mcp-server', ...(params.extraArgs ?? [])]),
+      MCP_PORT: String(port),
+    };
+
+    if (credentials.sessionToken) {
+      env.AWS_SESSION_TOKEN = credentials.sessionToken;
+    }
+
+    return startMcpDockerServer({
+      image: params.image,
+      command: [],
+      env,
+      port,
+      params,
+      context,
+    });
+  },
+});
+
+componentRegistry.register(definition);
+
+export type AwsCloudwatchMcpInput = typeof inputSchema;
+export type AwsCloudwatchMcpParams = typeof parameterSchema;
+export type AwsCloudwatchMcpOutput = typeof outputSchema;
diff --git a/worker/src/temporal/workflows/index.ts b/worker/src/temporal/workflows/index.ts
index 8b366b6c..59bff3d2 100644
--- a/worker/src/temporal/workflows/index.ts
+++ b/worker/src/temporal/workflows/index.ts
@@ -30,7 +30,6 @@ import type {
   RegisterComponentToolActivityInput,
   CleanupLocalMcpActivityInput,
   RegisterLocalMcpActivityInput,
-  RegisterRemoteMcpActivityInput,
   PrepareAndRegisterToolActivityInput,
 } from '../types';
 
@@ -41,7 +40,6 @@ const {
   createHumanInputRequestActivity,
   expireHumanInputRequestActivity,
   registerLocalMcpActivity,
-  registerRemoteMcpActivity,
   cleanupLocalMcpActivity,
   prepareAndRegisterToolActivity,
 } = proxyActivities<{
@@ -71,7 +69,6 @@ const {
   expireHumanInputRequestActivity(requestId: string): Promise<void>;
   registerComponentToolActivity(input: RegisterComponentToolActivityInput): Promise<void>;
   registerLocalMcpActivity(input: RegisterLocalMcpActivityInput): Promise<void>;
-  registerRemoteMcpActivity(input: RegisterRemoteMcpActivityInput): Promise<void>;
   cleanupLocalMcpActivity(input: CleanupLocalMcpActivityInput): Promise<void>;
   prepareAndRegisterToolActivity(input: PrepareAndRegisterToolActivityInput): Promise<void>;
 }>({
@@ -90,6 +87,31 @@ const { recordTraceEventActivity } = proxyActivities<{
   startToCloseTimeout: '1 minute',
 });
 
+const MCP_SERVER_COMPONENTS: Record<
+  string,
+  { toolName: (params: Record<string, unknown>) => string; description: string }
+> = {
+  'core.mcp.server': {
+    toolName: (params) => {
+      const image = typeof params.image === 'string' ? params.image : '';
+      return image.split('/').pop()?.split(':')[0] || 'mcp_server';
+    },
+    description: 'Local MCP Server',
+  },
+  'security.aws-cloudtrail-mcp': {
+    toolName: () => 'aws_cloudtrail_mcp',
+    description: 'AWS CloudTrail MCP Server',
+  },
+  'security.aws-cloudwatch-mcp': {
+    toolName: () => 'aws_cloudwatch_mcp',
+    description: 'AWS CloudWatch MCP Server',
+  },
+};
+
+function isMcpServerComponent(componentId: string): boolean {
+  return componentId in MCP_SERVER_COMPONENTS;
+}
+
 /**
  * Check if an output indicates a pending approval gate
  */
@@ -622,7 +644,7 @@ export async function shipsecWorkflowRun(
 
         if (isToolMode) {
           console.log(`[Workflow] Node ${action.ref} is in tool mode, registering...`);
-          if (action.componentId === 'core.mcp.server') {
+          if (isMcpServerComponent(action.componentId)) {
             const { runComponentActivity: runMcp } = proxyActivities<{
               runComponentActivity(
                 input: RunComponentActivityInput,
@@ -637,30 +659,29 @@ export async function shipsecWorkflowRun(
             const endpoint = output.endpoint;
             const containerId = output.containerId;
 
-            if (mergedParams.type === 'docker' || mergedParams.image) {
-              await registerLocalMcpActivity({
-                runId: input.runId,
-                nodeId: action.ref,
-                toolName:
-                  (mergedParams.image as string)?.split('/').pop()?.split(':')[0] || 'mcp_server',
-                description: `Local MCP Server (${mergedParams.image})`,
-                inputSchema: {},
-                image: mergedParams.image as string,
-                port: (mergedParams.port as number) || 8080,
-                endpoint,
-                containerId,
-              });
-            } else {
-              await registerRemoteMcpActivity({
-                runId: input.runId,
-                nodeId: action.ref,
-                toolName: 'remote_mcp',
-                description: `Remote MCP Server (${endpoint})`,
-                inputSchema: {},
-                endpoint: endpoint as string,
-                authToken: mergedParams.authToken as string,
-              });
+            if (!endpoint) {
+              throw new Error('MCP server output missing endpoint');
             }
+
+            if (!containerId) {
+              throw new Error('MCP server output missing containerId');
+            }
+
+            const mcpMeta = MCP_SERVER_COMPONENTS[action.componentId];
+            const toolName = mcpMeta.toolName(mergedParams);
+            const description = mcpMeta.description;
+
+            await registerLocalMcpActivity({
+              runId: input.runId,
+              nodeId: action.ref,
+              toolName,
+              description,
+              inputSchema: {},
+              image: (mergedParams.image as string) || 'unknown',
+              port: (mergedParams.port as number) || 8080,
+              endpoint,
+              containerId,
+            });
           } else {
             await prepareAndRegisterToolActivity({
               runId: input.runId,
@@ -687,6 +708,13 @@ export async function shipsecWorkflowRun(
           return { activePorts: ['default', 'tools'] };
         }
 
+        if (isMcpServerComponent(action.componentId)) {
+          throw ApplicationFailure.nonRetryable(
+            `Component ${action.componentId} is tool-mode only`,
+            'ToolModeOnly',
+          );
+        }
+
         const { runComponentActivity: runComponentWithRetry } = proxyActivities<{
           runComponentActivity(
             input: RunComponentActivityInput,

From 80b764c2d0950a51ad5bfe0e8f5c4117c572e2fc Mon Sep 17 00:00:00 2001
From: betterclever <paliwal.pranjal83@gmail.com>
Date: Thu, 29 Jan 2026 18:27:42 +0530
Subject: [PATCH 3/5] feat: add stdio mcp proxy and aws mcp components

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
---
 .ai/PLAN.md                                   |  87 +++++++++++
 .ai/problem.md                                |  98 ++++++++++++
 backend/src/mcp/internal-mcp.controller.ts    |   5 +
 backend/src/mcp/mcp-gateway.service.ts        | 143 ++++++++++++++++--
 backend/src/mcp/mcp.module.ts                 |   5 +
 backend/src/mcp/tool-registry.service.ts      |   1 +
 bun.lock                                      |   6 +-
 docker/mcp-aws-cloudtrail/Dockerfile          |  11 +-
 docker/mcp-aws-cloudwatch/Dockerfile          |  14 +-
 docker/mcp-stdio-proxy/Dockerfile             |   2 +-
 docker/mcp-stdio-proxy/server.mjs             |  81 +++++++---
 worker/package.json                           |   2 +-
 worker/src/components/core/mcp-runtime.ts     |  28 +++-
 .../components/security/aws-cloudtrail-mcp.ts |  15 +-
 .../components/security/aws-cloudwatch-mcp.ts |  15 +-
 15 files changed, 448 insertions(+), 65 deletions(-)
 create mode 100644 .ai/problem.md

diff --git a/.ai/PLAN.md b/.ai/PLAN.md
index c0a703db..f1d42668 100644
--- a/.ai/PLAN.md
+++ b/.ai/PLAN.md
@@ -2,6 +2,93 @@
 
 Goal: Make AWS CloudTrail + CloudWatch MCP servers usable locally via OpenCode and the MCP Gateway, with a standardized MCP-node lifecycle (start → register → cleanup), and UI support through tool-mode nodes.
 
+---
+
+## E2E Debug Ladder (Manual → Full)
+
+This is the incremental pipeline to isolate failures quickly.
+
+### Stage 0 — Image Sanity
+Goal: Ensure proxy images contain `uvx` and boot correctly.
+
+Commands:
+```
+docker run --rm shipsec/mcp-aws-cloudtrail:latest sh -lc "uvx --help"
+docker run --rm shipsec/mcp-aws-cloudwatch:latest sh -lc "uvx --help"
+```
+
+Pass: `uvx` help output.
+
+---
+
+### Stage 1 — Proxy Health Endpoint
+Goal: Container boots and proxy HTTP server responds.
+
+Commands:
+```
+docker run --rm -p 8081:8080 \
+  -e AWS_ACCESS_KEY_ID=$TEST_AWS_ACCESS_KEY_ID \
+  -e AWS_SECRET_ACCESS_KEY=$TEST_AWS_SECRET_ACCESS_KEY \
+  -e AWS_SESSION_TOKEN=$TEST_AWS_SESSION_TOKEN \
+  -e AWS_REGION=$TEST_AWS_REGION \
+  shipsec/mcp-aws-cloudtrail:latest
+```
+Then:
+```
+curl http://localhost:8081/health
+```
+
+Pass: JSON `{ status: "ok", toolCount: ... }`.
+
+---
+
+### Stage 2 — MCP Protocol (Direct)
+Goal: MCP initialize + tools/list via HTTP to the proxy.
+
+Commands:
+```
+curl -s http://localhost:8081/mcp \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"0.1.0"}}}'
+
+curl -s http://localhost:8081/mcp \
+  -H "Content-Type: application/json" \
+  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
+```
+
+Pass: `result.tools` present.
+
+---
+
+### Stage 3 — Workflow Registration
+Goal: Tool-mode node registers local MCP in Redis.
+
+Run a workflow with a single tool-mode AWS MCP node and ensure:
+- `registerLocalMcpActivity` invoked
+- Redis key `mcp:run:{runId}:tools` has entry with containerId
+
+---
+
+### Stage 4 — Gateway Discovery
+Goal: Gateway exposes MCP tools via `toolName__tool`.
+
+Use MCP client to hit `/mcp/gateway` with session token for the run.
+Pass: `tools/list` returns `aws_cloudtrail_mcp__*`.
+
+---
+
+### Stage 5 — OpenCode Tool Call
+Goal: OpenCode uses gateway tools successfully.
+
+Run OpenCode with tool connected to AWS MCP node; verify it calls at least one tool.
+
+---
+
+### Stage 6 — Cleanup
+Goal: Workflow finalize stops containers and cleans Redis.
+
+Pass: `docker ps` doesn’t show MCP container; Redis entry deleted.
+
 This plan is split into commit-sized phases. No code changes beyond the plan should happen until you approve.
 
 ---
diff --git a/.ai/problem.md b/.ai/problem.md
new file mode 100644
index 00000000..531651c8
--- /dev/null
+++ b/.ai/problem.md
@@ -0,0 +1,98 @@
+# MCP Local Tool Discovery Failing via Gateway
+
+## Goal
+Get AWS CloudTrail/CloudWatch MCP tools discoverable via the MCP Gateway in a workflow tool-mode run (local dev).
+
+## Current Status
+- MCP proxy images build and run locally.
+- Containers start successfully with dynamic host ports and respond to `/mcp` when hit directly.
+- Tool registry entries are written in Redis for each run (type `local-mcp`).
+- Gateway `tools/list` via `/api/v1/mcp/gateway` still returns empty list for the run.
+
+## What Works (Direct Container)
+Example container (host port random):
+- `curl -H 'Accept: application/json, text/event-stream' -H 'Mcp-Session-Id: stdio-proxy' ... http://localhost:<port>/mcp` works
+- Manual `initialize` then `tools/list` returns 5 CloudTrail tools.
+
+## Current Failure (Gateway)
+Gateway tries to fetch tools from external source via `StreamableHTTPClientTransport`.
+Errors from backend:
+- “The socket connection was closed unexpectedly”
+- “Bad Request: Server not initialized”
+- “Invalid Request: Server already initialized” (fixed by unique session IDs)
+
+## Root Cause Hypothesis
+Gateway’s StreamableHTTP client isn’t reliably completing the MCP initialize flow against the proxy, likely due to:
+- Session handling (Mcp-Session-Id headers, initialize sequencing)
+- GET SSE requirement of the MCP Streamable HTTP spec (client may be expecting SSE and disconnecting)
+- Timing: gateway initializes before MCP registers tools and/or before proxy is fully ready
+
+## What We Tried
+1) **Proxy image rebuilds**
+- Switched base to `node:20-slim` (glibc) to speed builds.
+- Installed MCP packages at build using `uv pip install --system`.
+- Corrected MCP binary names (`awslabs.cloudtrail-mcp-server`, `awslabs.cloudwatch-mcp-server`).
+
+2) **Dynamic ports**
+- `worker/src/components/core/mcp-runtime.ts` now chooses a free host port and sets `ENDPOINT` to `http://localhost:<port>/mcp`.
+
+3) **Gateway debugging**
+- Added heavy logs in `backend/src/mcp/mcp-gateway.service.ts`.
+- Added refresh flow in `InternalMcpController` → `McpGatewayService.refreshServersForRun` so tools can be registered after gateway initialization.
+
+4) **Session handling fixes**
+- `StreamableHTTPClientTransport` now includes `Mcp-Session-Id` header in request init.
+- Per-attempt unique session IDs generated to avoid “already initialized”.
+
+5) **Direct client test**
+- A Node script using `StreamableHTTPClientTransport` + `Mcp-Session-Id` works when run outside gateway (manual test). This indicates the proxy is healthy.
+
+## Evidence
+Gateway logs show:
+- First `initialize` occurs before tools are registered → registry returns 0 tools.
+- Refresh is called after register-local → registry returns 1 local-mcp source.
+- Gateway tries to fetch tools from endpoint (e.g. `http://localhost:<port>/mcp`).
+- Fails with socket closed or server-not-initialized errors despite container working via curl.
+
+## Suspected Remaining Issues
+- `StreamableHTTPClientTransport` may still be opening GET SSE without required `Mcp-Session-Id`, or closing prematurely.
+- `Client.connect()` does **not** send initialize if transport sessionId is set. We set header only, so initialization should happen. However GET SSE may happen first and fail, causing socket close.
+- The proxy expects `/mcp` POST initialize before `/tools/list`. Gateway may be POSTing `tools/list` before initialize completes.
+- Gateway is running multiple connects per attempt; retries may be stepping on the same session or receiving server-side invalid request.
+
+## Next Suggested Debug Steps
+1) Force the client to explicitly initialize:
+   - Call `client.request({ method: 'initialize', ... })` instead of relying on `connect()`.
+   - Or remove the custom `sessionId` / header usage and let the SDK handle init.
+
+2) Disable SSE connection in `StreamableHTTPClientTransport`:
+   - The proxy does not implement GET SSE (returns 400 unless initialized). Consider overriding transport or using fetch-based transport without SSE.
+
+3) Test gateway transport outside of Nest:
+   - Create a small Node script that mirrors gateway’s exact `StreamableHTTPClientTransport` usage (with headers), and see if it fails.
+
+4) Check for concurrency issues:
+   - The gateway refresh can be called while the initial server is still being connected, causing initialize collisions.
+
+## PTY Issue (side thread)
+`node-pty` rebuild fails due to TypeScript errors pulled from repo types. PTY spawn fails (`posix_spawnp failed`). We avoided PTY for MCP by using detached docker. This is separate from MCP gateway issues.
+
+## Current Local Command to Repro
+```
+set -a; source .env; set +a; INTERNAL_SERVICE_TOKEN=local-internal-token node /tmp/mcp-stage3-4.js
+```
+This script:
+- creates workflow
+- runs it
+- generates MCP token
+- initializes gateway
+- tries tools/list (retries)
+
+## Key Files
+- `backend/src/mcp/mcp-gateway.service.ts`
+- `backend/src/mcp/internal-mcp.controller.ts`
+- `worker/src/components/core/mcp-runtime.ts`
+- `worker/src/components/security/aws-cloudtrail-mcp.ts`
+- `docker/mcp-aws-cloudtrail/Dockerfile`
+- `/tmp/mcp-stage3-4.js`
+
diff --git a/backend/src/mcp/internal-mcp.controller.ts b/backend/src/mcp/internal-mcp.controller.ts
index 3bbf0e0d..14953827 100644
--- a/backend/src/mcp/internal-mcp.controller.ts
+++ b/backend/src/mcp/internal-mcp.controller.ts
@@ -1,5 +1,6 @@
 import { Body, Controller, Post } from '@nestjs/common';
 import { ToolRegistryService } from './tool-registry.service';
+import { McpGatewayService } from './mcp-gateway.service';
 import { McpAuthService } from './mcp-auth.service';
 import {
   RegisterComponentToolInput,
@@ -12,6 +13,7 @@ export class InternalMcpController {
   constructor(
     private readonly toolRegistry: ToolRegistryService,
     private readonly mcpAuthService: McpAuthService,
+    private readonly mcpGatewayService: McpGatewayService,
   ) {}
 
   @Post('generate-token')
@@ -36,18 +38,21 @@ export class InternalMcpController {
   @Post('register-component')
   async registerComponent(@Body() body: RegisterComponentToolInput) {
     await this.toolRegistry.registerComponentTool(body);
+    await this.mcpGatewayService.refreshServersForRun(body.runId);
     return { success: true };
   }
 
   @Post('register-remote')
   async registerRemote(@Body() body: RegisterRemoteMcpInput) {
     await this.toolRegistry.registerRemoteMcp(body);
+    await this.mcpGatewayService.refreshServersForRun(body.runId);
     return { success: true };
   }
 
   @Post('register-local')
   async registerLocal(@Body() body: RegisterLocalMcpInput) {
     await this.toolRegistry.registerLocalMcp(body);
+    await this.mcpGatewayService.refreshServersForRun(body.runId);
     return { success: true };
   }
 
diff --git a/backend/src/mcp/mcp-gateway.service.ts b/backend/src/mcp/mcp-gateway.service.ts
index 284d9ecc..03b7786a 100644
--- a/backend/src/mcp/mcp-gateway.service.ts
+++ b/backend/src/mcp/mcp-gateway.service.ts
@@ -28,6 +28,7 @@ export class McpGatewayService {
 
   // Cache of servers per runId
   private readonly servers = new Map<string, McpServer>();
+  private readonly registeredToolNames = new Map<string, Set<string>>();
 
   constructor(
     private readonly toolRegistry: ToolRegistryService,
@@ -65,12 +66,39 @@ export class McpGatewayService {
       version: '1.0.0',
     });
 
-    await this.registerTools(server, runId, allowedTools, allowedNodeIds);
+    const toolSet = new Set<string>();
+    this.registeredToolNames.set(cacheKey, toolSet);
+    await this.registerTools(server, runId, allowedTools, allowedNodeIds, toolSet);
     this.servers.set(cacheKey, server);
 
     return server;
   }
 
+  /**
+   * Refresh tool registrations for any cached servers for a run.
+   * This is used when tools register after an MCP session has already initialized.
+   */
+  async refreshServersForRun(runId: string): Promise<void> {
+    const matchingEntries = Array.from(this.servers.entries()).filter(([key]) =>
+      key === runId || key.startsWith(`${runId}:`),
+    );
+
+    if (matchingEntries.length === 0) {
+      return;
+    }
+
+    this.logger.log(`Refreshing MCP servers for run ${runId} (${matchingEntries.length} instance(s))`);
+
+    await Promise.all(
+      matchingEntries.map(async ([cacheKey, server]) => {
+        const allowedNodeIds = cacheKey === runId ? undefined : cacheKey.split(':').slice(1).join(':').split(',');
+        const toolSet = this.registeredToolNames.get(cacheKey) ?? new Set<string>();
+        this.registeredToolNames.set(cacheKey, toolSet);
+        await this.registerTools(server, runId, undefined, allowedNodeIds, toolSet);
+      }),
+    );
+  }
+
   private async validateRunAccess(runId: string, organizationId?: string | null) {
     const run = await this.workflowRunRepository.findByRunId(runId);
     if (!run) {
@@ -124,8 +152,15 @@ export class McpGatewayService {
     runId: string,
     allowedTools?: string[],
     allowedNodeIds?: string[],
+    registeredToolNames?: Set<string>,
   ) {
+    this.logger.log(
+      `Registering tools for run ${runId} (allowedNodeIds=${allowedNodeIds?.join(',') ?? 'none'}, allowedTools=${allowedTools?.join(',') ?? 'none'})`,
+    );
     const allRegistered = await this.toolRegistry.getToolsForRun(runId, allowedNodeIds);
+    this.logger.log(
+      `Tool registry returned ${allRegistered.length} tool(s) for run ${runId}: ${allRegistered.map((t) => `${t.toolName}:${t.type}`).join(', ') || 'none'}`,
+    );
 
     // Filter by allowed tools if specified
     if (allowedTools && allowedTools.length > 0) {
@@ -137,11 +172,25 @@ export class McpGatewayService {
 
     // 1. Register Internal Tools
     const internalTools = allRegistered.filter((t) => t.type === 'component');
+    this.logger.log(
+      `Registering ${internalTools.length} internal tool(s) for run ${runId}`,
+    );
     for (const tool of internalTools) {
       if (allowedTools && allowedTools.length > 0 && !allowedTools.includes(tool.toolName)) {
+        this.logger.log(
+          `Skipping internal tool ${tool.toolName} (not in allowedTools)`,
+        );
         continue;
       }
 
+      if (registeredToolNames?.has(tool.toolName)) {
+        this.logger.log(`Skipping internal tool ${tool.toolName} (already registered)`);
+        continue;
+      }
+
+      this.logger.log(
+        `Registering internal tool ${tool.toolName} (node=${tool.nodeId})`,
+      );
       const component = tool.componentId ? componentRegistry.get(tool.componentId) : null;
       const inputShape = component ? getToolInputShape(component) : undefined;
 
@@ -217,22 +266,43 @@ export class McpGatewayService {
           }
         },
       );
+      registeredToolNames?.add(tool.toolName);
     }
 
     // 2. Register External Tools (Proxied)
     const externalSources = allRegistered.filter((t) => t.type !== 'component');
+    this.logger.log(
+      `Registering ${externalSources.length} external MCP source(s) for run ${runId}`,
+    );
     for (const source of externalSources) {
       try {
+        this.logger.log(
+          `Fetching tools from external source ${source.toolName} (type=${source.type}, endpoint=${source.endpoint ?? 'missing'})`,
+        );
         const tools = await this.fetchExternalTools(source);
         const prefix = source.toolName;
 
+        this.logger.log(
+          `External source ${source.toolName} returned ${tools.length} tool(s)`,
+        );
         for (const t of tools) {
           const proxiedName = `${prefix}__${t.name}`;
 
           if (allowedTools && allowedTools.length > 0 && !allowedTools.includes(proxiedName)) {
+            this.logger.log(
+              `Skipping proxied tool ${proxiedName} (not in allowedTools)`,
+            );
+            continue;
+          }
+
+          if (registeredToolNames?.has(proxiedName)) {
+            this.logger.log(`Skipping proxied tool ${proxiedName} (already registered)`);
             continue;
           }
 
+          this.logger.log(
+            `Registering proxied tool ${proxiedName} (source=${source.toolName})`,
+          );
           server.registerTool(
             proxiedName,
             {
@@ -261,6 +331,7 @@ export class McpGatewayService {
               }
             },
           );
+          registeredToolNames?.add(proxiedName);
         }
       } catch (error) {
         this.logger.error(`Failed to fetch tools from external source ${source.toolName}:`, error);
@@ -272,21 +343,58 @@ export class McpGatewayService {
    * Fetches tools from an external MCP source
    */
   private async fetchExternalTools(source: RegisteredTool): Promise<any[]> {
-    if (!source.endpoint) return [];
+    if (!source.endpoint) {
+      this.logger.warn(`Missing endpoint for external source ${source.toolName}`);
+      return [];
+    }
 
-    const transport = new StreamableHTTPClientTransport(new URL(source.endpoint));
-    const client = new Client(
-      { name: 'shipsec-gateway-client', version: '1.0.0' },
-      { capabilities: {} },
-    );
+    const MAX_RETRIES = 5;
+    const RETRY_DELAY_MS = 1000;
+    let lastError: unknown;
 
-    await client.connect(transport);
-    try {
-      const response = await client.listTools();
-      return response.tools;
-    } finally {
-      await client.close();
+    for (let attempt = 1; attempt <= MAX_RETRIES; attempt += 1) {
+      const sessionId = `stdio-proxy-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+      const transport = new StreamableHTTPClientTransport(new URL(source.endpoint), {
+        requestInit: {
+          headers: {
+            'Mcp-Session-Id': sessionId,
+          },
+        },
+      });
+      const client = new Client(
+        { name: 'shipsec-gateway-client', version: '1.0.0' },
+        { capabilities: {} },
+      );
+
+      this.logger.log(
+        `Connecting to external MCP source ${source.toolName} at ${source.endpoint} (attempt ${attempt}/${MAX_RETRIES})`,
+      );
+
+      try {
+        await client.connect(transport);
+        const response = await client.listTools();
+        this.logger.log(
+          `listTools from ${source.toolName} returned ${response.tools?.length ?? 0} tool(s)`,
+        );
+        return response.tools;
+      } catch (error) {
+        lastError = error;
+        this.logger.warn(
+          `listTools failed for ${source.toolName} (attempt ${attempt}/${MAX_RETRIES}): ${error instanceof Error ? error.message : String(error)}`,
+        );
+        if (attempt < MAX_RETRIES) {
+          await new Promise((resolve) => setTimeout(resolve, RETRY_DELAY_MS));
+        }
+      } finally {
+        this.logger.log(`Closing external MCP client for ${source.toolName}`);
+        await client.close();
+      }
+    }
+
+    if (lastError) {
+      throw lastError;
     }
+    return [];
   }
 
   /**
@@ -310,7 +418,14 @@ export class McpGatewayService {
     let lastError: unknown;
 
     for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
-      const transport = new StreamableHTTPClientTransport(new URL(source.endpoint));
+      const sessionId = `stdio-proxy-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+      const transport = new StreamableHTTPClientTransport(new URL(source.endpoint), {
+        requestInit: {
+          headers: {
+            'Mcp-Session-Id': sessionId,
+          },
+        },
+      });
       const client = new Client(
         { name: 'shipsec-gateway-client', version: '1.0.0' },
         { capabilities: {} },
diff --git a/backend/src/mcp/mcp.module.ts b/backend/src/mcp/mcp.module.ts
index 2435cf89..d92053f7 100644
--- a/backend/src/mcp/mcp.module.ts
+++ b/backend/src/mcp/mcp.module.ts
@@ -19,6 +19,11 @@ import { ApiKeysModule } from '../api-keys/api-keys.module';
       useFactory: () => {
         // Use the same Redis URL as terminal or a dedicated one
         const url = process.env.TOOL_REGISTRY_REDIS_URL ?? process.env.TERMINAL_REDIS_URL;
+        if (!url) {
+          console.warn('[MCP] Redis URL not set; tool registry disabled');
+        } else {
+          console.info(`[MCP] Tool registry Redis URL: ${url}`);
+        }
         if (!url) {
           return null;
         }
diff --git a/backend/src/mcp/tool-registry.service.ts b/backend/src/mcp/tool-registry.service.ts
index 6788d544..e1805354 100644
--- a/backend/src/mcp/tool-registry.service.ts
+++ b/backend/src/mcp/tool-registry.service.ts
@@ -211,6 +211,7 @@ export class ToolRegistryService implements OnModuleDestroy {
 
   async getToolsForRun(runId: string, nodeIds?: string[]): Promise<RegisteredTool[]> {
     if (!this.redis) {
+      this.logger.warn('Redis not configured, tool registry disabled');
       return [];
     }
 
diff --git a/bun.lock b/bun.lock
index cd2e8e58..e34fe06c 100644
--- a/bun.lock
+++ b/bun.lock
@@ -271,7 +271,7 @@
         "@types/adm-zip": "^0.5.7",
         "@types/js-yaml": "^4.0.9",
         "@types/minio": "^7.1.1",
-        "@types/node": "^20.19.30",
+        "@types/node": "^25.1.0",
         "@types/pg": "^8.16.0",
         "@typescript-eslint/eslint-plugin": "^8.53.1",
         "@typescript-eslint/parser": "^8.53.1",
@@ -3095,7 +3095,7 @@
 
     "@shipsec/studio-worker/@googleapis/admin": ["@googleapis/admin@29.0.0", "", { "dependencies": { "googleapis-common": "^8.0.0" } }, "sha512-lujnbfmDn1aetoJBDeExH4IDKniMZs7Ga8hGagN/lecO8hd0fy9hu+osROp0HFk6u2wCAiA89oXi5qHVXupbOQ=="],
 
-    "@shipsec/studio-worker/@types/node": ["@types/node@20.19.30", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-WJtwWJu7UdlvzEAUm484QNg5eAoq5QR08KDNx7g45Usrs2NtOPiX8ugDqmKdXkyL03rBqU5dYNYVQetEpBHq2g=="],
+    "@shipsec/studio-worker/@types/node": ["@types/node@25.1.0", "", { "dependencies": { "undici-types": "~7.16.0" } }, "sha512-t7frlewr6+cbx+9Ohpl0NOTKXZNV9xHRmNOvql47BFJKcEG1CxtxlPEEe+gR9uhVWM4DwhnvTF110mIL4yP9RA=="],
 
     "@temporalio/worker/@swc/core": ["@swc/core@1.15.8", "", { "dependencies": { "@swc/counter": "^0.1.3", "@swc/types": "^0.1.25" }, "optionalDependencies": { "@swc/core-darwin-arm64": "1.15.8", "@swc/core-darwin-x64": "1.15.8", "@swc/core-linux-arm-gnueabihf": "1.15.8", "@swc/core-linux-arm64-gnu": "1.15.8", "@swc/core-linux-arm64-musl": "1.15.8", "@swc/core-linux-x64-gnu": "1.15.8", "@swc/core-linux-x64-musl": "1.15.8", "@swc/core-win32-arm64-msvc": "1.15.8", "@swc/core-win32-ia32-msvc": "1.15.8", "@swc/core-win32-x64-msvc": "1.15.8" }, "peerDependencies": { "@swc/helpers": ">=0.5.17" }, "optionalPeers": ["@swc/helpers"] }, "sha512-T8keoJjXaSUoVBCIjgL6wAnhADIb09GOELzKg10CjNg+vLX48P93SME6jTfte9MZIm5m+Il57H3rTSk/0kzDUw=="],
 
@@ -3449,8 +3449,6 @@
 
     "@shipsec/studio-frontend/ai/@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@3.0.20", "", { "dependencies": { "@ai-sdk/provider": "2.0.1", "@standard-schema/spec": "^1.0.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-iXHVe0apM2zUEzauqJwqmpC37A5rihrStAih5Ks+JE32iTe4LZ58y17UGBjpQQTCRw9YxMeo2UFLxLpBluyvLQ=="],
 
-    "@shipsec/studio-worker/@types/node/undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
-
     "@temporalio/worker/@swc/core/@swc/core-darwin-arm64": ["@swc/core-darwin-arm64@1.15.8", "", { "os": "darwin", "cpu": "arm64" }, "sha512-M9cK5GwyWWRkRGwwCbREuj6r8jKdES/haCZ3Xckgkl8MUQJZA3XB7IXXK1IXRNeLjg6m7cnoMICpXv1v1hlJOg=="],
 
     "@temporalio/worker/@swc/core/@swc/core-darwin-x64": ["@swc/core-darwin-x64@1.15.8", "", { "os": "darwin", "cpu": "x64" }, "sha512-j47DasuOvXl80sKJHSi2X25l44CMc3VDhlJwA7oewC1nV1VsSzwX+KOwE5tLnfORvVJJyeiXgJORNYg4jeIjYQ=="],
diff --git a/docker/mcp-aws-cloudtrail/Dockerfile b/docker/mcp-aws-cloudtrail/Dockerfile
index 860a858f..43a0ccff 100644
--- a/docker/mcp-aws-cloudtrail/Dockerfile
+++ b/docker/mcp-aws-cloudtrail/Dockerfile
@@ -1,8 +1,11 @@
 ARG BASE_IMAGE=shipsec/mcp-stdio-proxy:latest
 FROM ${BASE_IMAGE}
 
-RUN apk add --no-cache python3 py3-pip \
-  && pip install --no-cache-dir uv
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends python3 python3-pip \
+  && rm -rf /var/lib/apt/lists/* \
+  && pip install --no-cache-dir --break-system-packages uv \
+  && uv pip install --system --break-system-packages awslabs-cloudtrail-mcp-server
 
-ENV MCP_COMMAND=uvx
-ENV MCP_ARGS='["awslabs-cloudtrail-mcp-server"]'
+ENV MCP_COMMAND=awslabs.cloudtrail-mcp-server
+ENV MCP_ARGS='[]'
diff --git a/docker/mcp-aws-cloudwatch/Dockerfile b/docker/mcp-aws-cloudwatch/Dockerfile
index baab5b7e..4283d8c5 100644
--- a/docker/mcp-aws-cloudwatch/Dockerfile
+++ b/docker/mcp-aws-cloudwatch/Dockerfile
@@ -1,8 +1,14 @@
 ARG BASE_IMAGE=shipsec/mcp-stdio-proxy:latest
 FROM ${BASE_IMAGE}
 
-RUN apk add --no-cache python3 py3-pip \
-  && pip install --no-cache-dir uv
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends \
+    python3 python3-pip python3-dev \
+    build-essential gfortran \
+    libopenblas-dev liblapack-dev \
+  && rm -rf /var/lib/apt/lists/* \
+  && pip install --no-cache-dir --break-system-packages uv \
+  && uv pip install --system --break-system-packages awslabs-cloudwatch-mcp-server
 
-ENV MCP_COMMAND=uvx
-ENV MCP_ARGS='["awslabs-cloudwatch-mcp-server"]'
+ENV MCP_COMMAND=awslabs.cloudwatch-mcp-server
+ENV MCP_ARGS='[]'
diff --git a/docker/mcp-stdio-proxy/Dockerfile b/docker/mcp-stdio-proxy/Dockerfile
index fd2bf783..cfaef59b 100644
--- a/docker/mcp-stdio-proxy/Dockerfile
+++ b/docker/mcp-stdio-proxy/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20-alpine
+FROM node:20-slim
 
 WORKDIR /app
 
diff --git a/docker/mcp-stdio-proxy/server.mjs b/docker/mcp-stdio-proxy/server.mjs
index 515374c9..b465bf6d 100644
--- a/docker/mcp-stdio-proxy/server.mjs
+++ b/docker/mcp-stdio-proxy/server.mjs
@@ -1,8 +1,15 @@
 import express from 'express';
-import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
-import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+import { Server } from '@modelcontextprotocol/sdk/server/index.js';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import {
+  CallToolRequestSchema,
+  InitializeRequestSchema,
+  InitializedNotificationSchema,
+  ListToolsRequestSchema,
+  LATEST_PROTOCOL_VERSION,
+} from '@modelcontextprotocol/sdk/types.js';
 
 function parseArgs(raw) {
   if (!raw) return [];
@@ -35,44 +42,70 @@ const clientTransport = new StdioClientTransport({
 
 await client.connect(clientTransport);
 
-const toolsResponse = await client.listTools();
-const tools = toolsResponse.tools ?? [];
+const server = new Server(
+  {
+    name: 'shipsec-mcp-stdio-proxy',
+    version: '1.0.0',
+  },
+  {
+    capabilities: client.getServerCapabilities() ?? {
+      tools: { listChanged: false },
+    },
+  },
+);
 
-const server = new McpServer({
-  name: 'shipsec-mcp-stdio-proxy',
-  version: '1.0.0',
+server.setRequestHandler(InitializeRequestSchema, async () => {
+  return {
+    protocolVersion: LATEST_PROTOCOL_VERSION,
+    capabilities: client.getServerCapabilities() ?? {},
+    serverInfo: client.getServerVersion() ?? {
+      name: 'shipsec-mcp-stdio-proxy',
+      version: '1.0.0',
+    },
+    instructions: client.getInstructions?.(),
+  };
 });
 
-for (const tool of tools) {
-  server.registerTool(
-    tool.name,
-    {
-      description: tool.description,
-      inputSchema: tool.inputSchema,
-    },
-    async (toolArgs) => {
-      return client.callTool({
-        name: tool.name,
-        arguments: toolArgs ?? {},
-      });
-    },
-  );
-}
+server.setNotificationHandler(InitializedNotificationSchema, () => {
+  // no-op
+});
+
+server.setRequestHandler(ListToolsRequestSchema, async () => {
+  return await client.listTools();
+});
+
+server.setRequestHandler(CallToolRequestSchema, async (request) => {
+  return await client.callTool({
+    name: request.params.name,
+    arguments: request.params.arguments ?? {},
+  });
+});
 
 const transport = new StreamableHTTPServerTransport({
-  sessionIdGenerator: () => 'stdio-proxy',
+  sessionIdGenerator: undefined,
   enableJsonResponse: true,
 });
+
 await server.connect(transport);
 
 const app = express();
 app.use(express.json({ limit: '2mb' }));
 
 app.all('/mcp', async (req, res) => {
+  console.log('[mcp-proxy] incoming request', {
+    method: req.method,
+    path: req.path,
+    headers: {
+      'mcp-session-id': req.headers['mcp-session-id'],
+      accept: req.headers['accept'],
+      'content-type': req.headers['content-type'],
+    },
+    body: req.body,
+  });
   try {
     await transport.handleRequest(req, res, req.body);
   } catch (error) {
-    console.error('Failed to handle MCP request', error);
+    console.error('[mcp-proxy] Failed to handle MCP request', error);
     if (!res.headersSent) {
       res.status(500).send('MCP proxy error');
     }
diff --git a/worker/package.json b/worker/package.json
index 956345c7..317184f9 100644
--- a/worker/package.json
+++ b/worker/package.json
@@ -53,7 +53,7 @@
     "@types/adm-zip": "^0.5.7",
     "@types/js-yaml": "^4.0.9",
     "@types/minio": "^7.1.1",
-    "@types/node": "^20.19.30",
+    "@types/node": "^25.1.0",
     "@types/pg": "^8.16.0",
     "@typescript-eslint/eslint-plugin": "^8.53.1",
     "@typescript-eslint/parser": "^8.53.1",
diff --git a/worker/src/components/core/mcp-runtime.ts b/worker/src/components/core/mcp-runtime.ts
index 88948645..8907b1fe 100644
--- a/worker/src/components/core/mcp-runtime.ts
+++ b/worker/src/components/core/mcp-runtime.ts
@@ -1,3 +1,4 @@
+import { createServer } from 'node:net';
 import { runComponentWithRunner, ValidationError } from '@shipsec/component-sdk';
 
 type StartMcpServerInput = {
@@ -15,10 +16,29 @@ type StartMcpServerOutput = {
   containerId?: string;
 };
 
+async function getAvailablePort(): Promise<number> {
+  return await new Promise((resolve, reject) => {
+    const server = createServer();
+    server.unref();
+    server.on('error', reject);
+    server.listen(0, '0.0.0.0', () => {
+      const address = server.address();
+      const port = typeof address === 'object' && address ? address.port : 0;
+      server.close((closeErr) => {
+        if (closeErr) {
+          reject(closeErr);
+        } else {
+          resolve(port);
+        }
+      });
+    });
+  });
+}
+
 export async function startMcpDockerServer(
   input: StartMcpServerInput,
 ): Promise<StartMcpServerOutput> {
-  const port = input.port ?? 8080;
+  const port = input.port ?? (await getAvailablePort());
 
   if (!input.image || input.image.trim().length === 0) {
     throw new ValidationError('Docker image is required for MCP server', {
@@ -26,11 +46,13 @@ export async function startMcpDockerServer(
     });
   }
 
+  const endpoint = `http://localhost:${port}/mcp`;
   const runnerConfig = {
     kind: 'docker' as const,
     image: input.image,
     command: [...(input.command ?? []), ...(input.args ?? [])],
-    env: input.env,
+    env: { ...input.env, PORT: String(port), ENDPOINT: endpoint },
+    network: 'bridge' as const,
     detached: true,
     ports: { [port]: port },
   };
@@ -48,7 +70,7 @@ export async function startMcpDockerServer(
   }
 
   return {
-    endpoint: `http://localhost:${port}`,
+    endpoint,
     containerId,
   };
 }
diff --git a/worker/src/components/security/aws-cloudtrail-mcp.ts b/worker/src/components/security/aws-cloudtrail-mcp.ts
index 6080b7a1..c1514e88 100644
--- a/worker/src/components/security/aws-cloudtrail-mcp.ts
+++ b/worker/src/components/security/aws-cloudtrail-mcp.ts
@@ -38,7 +38,7 @@ const parameterSchema = parameters({
     editor: 'text',
     placeholder: 'us-east-1',
   }),
-  port: param(z.number().default(8080).describe('Internal port the MCP proxy listens on'), {
+  port: param(z.number().optional().describe('Internal port the MCP proxy listens on'), {
     label: 'Port',
     editor: 'number',
   }),
@@ -89,18 +89,23 @@ const definition = defineComponent({
     }
 
     const region = params.region || credentials.region || 'us-east-1';
-    const port = params.port ?? 8080;
+    const port = params.port;
 
     const env: Record<string, string> = {
       AWS_ACCESS_KEY_ID: credentials.accessKeyId,
       AWS_SECRET_ACCESS_KEY: credentials.secretAccessKey,
       AWS_REGION: region,
       AWS_DEFAULT_REGION: region,
-      MCP_COMMAND: 'uvx',
-      MCP_ARGS: JSON.stringify(['awslabs-cloudtrail-mcp-server', ...(params.extraArgs ?? [])]),
-      MCP_PORT: String(port),
     };
 
+    if (params.extraArgs && params.extraArgs.length > 0) {
+      env.MCP_ARGS = JSON.stringify(params.extraArgs);
+    }
+
+    if (port) {
+      env.MCP_PORT = String(port);
+    }
+
     if (credentials.sessionToken) {
       env.AWS_SESSION_TOKEN = credentials.sessionToken;
     }
diff --git a/worker/src/components/security/aws-cloudwatch-mcp.ts b/worker/src/components/security/aws-cloudwatch-mcp.ts
index affa20ce..9c830ca6 100644
--- a/worker/src/components/security/aws-cloudwatch-mcp.ts
+++ b/worker/src/components/security/aws-cloudwatch-mcp.ts
@@ -38,7 +38,7 @@ const parameterSchema = parameters({
     editor: 'text',
     placeholder: 'us-east-1',
   }),
-  port: param(z.number().default(8080).describe('Internal port the MCP proxy listens on'), {
+  port: param(z.number().optional().describe('Internal port the MCP proxy listens on'), {
     label: 'Port',
     editor: 'number',
   }),
@@ -89,18 +89,23 @@ const definition = defineComponent({
     }
 
     const region = params.region || credentials.region || 'us-east-1';
-    const port = params.port ?? 8080;
+    const port = params.port;
 
     const env: Record<string, string> = {
       AWS_ACCESS_KEY_ID: credentials.accessKeyId,
       AWS_SECRET_ACCESS_KEY: credentials.secretAccessKey,
       AWS_REGION: region,
       AWS_DEFAULT_REGION: region,
-      MCP_COMMAND: 'uvx',
-      MCP_ARGS: JSON.stringify(['awslabs-cloudwatch-mcp-server', ...(params.extraArgs ?? [])]),
-      MCP_PORT: String(port),
     };
 
+    if (params.extraArgs && params.extraArgs.length > 0) {
+      env.MCP_ARGS = JSON.stringify(params.extraArgs);
+    }
+
+    if (port) {
+      env.MCP_PORT = String(port);
+    }
+
     if (credentials.sessionToken) {
       env.AWS_SESSION_TOKEN = credentials.sessionToken;
     }

From 4781b6e9650ccb6a704d8fa43740d854e65a3a80 Mon Sep 17 00:00:00 2001
From: betterclever <paliwal.pranjal83@gmail.com>
Date: Thu, 29 Jan 2026 18:52:42 +0530
Subject: [PATCH 4/5] chore: drop ai notes

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
---
 .ai/PLAN.md    | 206 -------------------------------------------------
 .ai/problem.md |  98 -----------------------
 2 files changed, 304 deletions(-)
 delete mode 100644 .ai/PLAN.md
 delete mode 100644 .ai/problem.md

diff --git a/.ai/PLAN.md b/.ai/PLAN.md
deleted file mode 100644
index f1d42668..00000000
--- a/.ai/PLAN.md
+++ /dev/null
@@ -1,206 +0,0 @@
-# MCP AWS Servers Plan (CloudTrail + CloudWatch)
-
-Goal: Make AWS CloudTrail + CloudWatch MCP servers usable locally via OpenCode and the MCP Gateway, with a standardized MCP-node lifecycle (start → register → cleanup), and UI support through tool-mode nodes.
-
----
-
-## E2E Debug Ladder (Manual → Full)
-
-This is the incremental pipeline to isolate failures quickly.
-
-### Stage 0 — Image Sanity
-Goal: Ensure proxy images contain `uvx` and boot correctly.
-
-Commands:
-```
-docker run --rm shipsec/mcp-aws-cloudtrail:latest sh -lc "uvx --help"
-docker run --rm shipsec/mcp-aws-cloudwatch:latest sh -lc "uvx --help"
-```
-
-Pass: `uvx` help output.
-
----
-
-### Stage 1 — Proxy Health Endpoint
-Goal: Container boots and proxy HTTP server responds.
-
-Commands:
-```
-docker run --rm -p 8081:8080 \
-  -e AWS_ACCESS_KEY_ID=$TEST_AWS_ACCESS_KEY_ID \
-  -e AWS_SECRET_ACCESS_KEY=$TEST_AWS_SECRET_ACCESS_KEY \
-  -e AWS_SESSION_TOKEN=$TEST_AWS_SESSION_TOKEN \
-  -e AWS_REGION=$TEST_AWS_REGION \
-  shipsec/mcp-aws-cloudtrail:latest
-```
-Then:
-```
-curl http://localhost:8081/health
-```
-
-Pass: JSON `{ status: "ok", toolCount: ... }`.
-
----
-
-### Stage 2 — MCP Protocol (Direct)
-Goal: MCP initialize + tools/list via HTTP to the proxy.
-
-Commands:
-```
-curl -s http://localhost:8081/mcp \
-  -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"0.1.0"}}}'
-
-curl -s http://localhost:8081/mcp \
-  -H "Content-Type: application/json" \
-  -d '{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}'
-```
-
-Pass: `result.tools` present.
-
----
-
-### Stage 3 — Workflow Registration
-Goal: Tool-mode node registers local MCP in Redis.
-
-Run a workflow with a single tool-mode AWS MCP node and ensure:
-- `registerLocalMcpActivity` invoked
-- Redis key `mcp:run:{runId}:tools` has entry with containerId
-
----
-
-### Stage 4 — Gateway Discovery
-Goal: Gateway exposes MCP tools via `toolName__tool`.
-
-Use MCP client to hit `/mcp/gateway` with session token for the run.
-Pass: `tools/list` returns `aws_cloudtrail_mcp__*`.
-
----
-
-### Stage 5 — OpenCode Tool Call
-Goal: OpenCode uses gateway tools successfully.
-
-Run OpenCode with tool connected to AWS MCP node; verify it calls at least one tool.
-
----
-
-### Stage 6 — Cleanup
-Goal: Workflow finalize stops containers and cleans Redis.
-
-Pass: `docker ps` doesn’t show MCP container; Redis entry deleted.
-
-This plan is split into commit-sized phases. No code changes beyond the plan should happen until you approve.
-
----
-
-## Constraints and Principles
-- MCP server nodes are tool-mode only.
-- MCP servers are long-lived per workflow run (start once, expose tools, cleanup on finalize).
-- All MCP servers exposed to agents must be HTTP (stdio is wrapped with proxy).
-- AWS credentials are provided via a credential bundle input (or equivalent).
-
----
-
-## Commit Plan
-
-### Commit 1 — MCP lifecycle helper (worker)
-Scope: Standardize MCP node lifecycle with shared helper utilities.
-- Create a shared helper (e.g., `worker/src/components/core/mcp-runtime.ts`):
-  - `runMcpServerInToolMode(...)` to start container, inject env, return endpoint/containerId.
-  - `registerMcpServer(...)` wrapper (call `registerLocalMcpActivity`).
-  - `assertToolModeOnly(context)` guard.
-- Update `core.mcp.server` to call the helper and enforce tool-mode.
-- Keep current stdio proxy support (already added) as a supported mode.
-
-Artifacts:
-- Helper module added.
-- `core.mcp.server` uses helper and rejects non-tool mode.
-
----
-
-### Commit 2 — AWS MCP proxy images (docker)
-Scope: Build derived images that include AWS MCP stdio servers.
-- Add `docker/mcp-aws-cloudtrail/`:
-  - Dockerfile builds from `shipsec/mcp-stdio-proxy` and installs CloudTrail MCP (e.g., `uvx awslabs-cloudtrail-mcp-server`).
-- Add `docker/mcp-aws-cloudwatch/`:
-  - Dockerfile builds from same base and installs CloudWatch MCP.
-- Document build commands and expected env vars.
-
-Artifacts:
-- New docker folders + README for each image.
-
----
-
-### Commit 3 — AWS MCP components (tool-mode only)
-Scope: Add two components that encapsulate AWS MCP lifecycle.
-- `worker/src/components/security/aws-cloudtrail-mcp.ts`
-- `worker/src/components/security/aws-cloudwatch-mcp.ts`
-
-Each component:
-- Runner: docker, image points to the new AWS proxy image.
-- Parameters:
-  - `region`
-  - `mcpPort` (default 8080)
-  - optional `extraArgs` (array)
-- Inputs:
-  - `awsCredentials` (credential bundle: accessKeyId, secretAccessKey, sessionToken)
-- Execute:
-  - Assert tool-mode only.
-  - Start container with env: AWS creds + region + MCP_COMMAND/MCP_ARGS.
-  - Register with gateway via activity.
-  - Output: endpoint + containerId (for debug)
-
-Artifacts:
-- New components registered in index.
-- Optional unit tests for components (basic config validation).
-
----
-
-### Commit 4 — UI tool-mode safeguards + AWS MCP visibility
-Scope: UI clarity and guardrails.
-- Add “tool-mode only” badge or warning for MCP server components.
-- Update component metadata / docs to reflect tool-mode only behavior.
-- Ensure AWS MCP components appear in the palette under `security` (or a new `mcp` category if desired).
-
-Artifacts:
-- UI hints in config panel / node rendering.
-
----
-
-## Lint & Typecheck Instructions
-Run after each commit (or at least after Commit 4):
-
-```bash
-bun --cwd worker run lint
-bun --cwd worker run typecheck
-bun --cwd backend run lint
-bun --cwd backend run typecheck
-bun --cwd frontend run lint
-bun --cwd frontend run typecheck
-```
-
-If only worker changes are made in a commit, it is acceptable to run just the worker checks for that commit and the full set at the end.
-
----
-
-## Manual Validation (you will run)
-1. Build the AWS proxy images.
-2. In UI, add AWS CloudTrail MCP node and set tool mode.
-3. Connect to OpenCode tools port.
-4. Run workflow and verify tools show up in the gateway.
-5. Confirm containers stop after workflow completes.
-
----
-
-## Open Questions to Resolve Before Coding
-- Should AWS MCP components live under `security` or a new `mcp` category?
-- Do we want a single generic “AWS MCP” component with a server selector, or separate components?
-- What is the final “credential bundle” schema in the UI?
-
----
-
-## Implementation Order (after plan approval)
-1) Commit 1
-2) Commit 2
-3) Commit 3
-4) Commit 4
diff --git a/.ai/problem.md b/.ai/problem.md
deleted file mode 100644
index 531651c8..00000000
--- a/.ai/problem.md
+++ /dev/null
@@ -1,98 +0,0 @@
-# MCP Local Tool Discovery Failing via Gateway
-
-## Goal
-Get AWS CloudTrail/CloudWatch MCP tools discoverable via the MCP Gateway in a workflow tool-mode run (local dev).
-
-## Current Status
-- MCP proxy images build and run locally.
-- Containers start successfully with dynamic host ports and respond to `/mcp` when hit directly.
-- Tool registry entries are written in Redis for each run (type `local-mcp`).
-- Gateway `tools/list` via `/api/v1/mcp/gateway` still returns empty list for the run.
-
-## What Works (Direct Container)
-Example container (host port random):
-- `curl -H 'Accept: application/json, text/event-stream' -H 'Mcp-Session-Id: stdio-proxy' ... http://localhost:<port>/mcp` works
-- Manual `initialize` then `tools/list` returns 5 CloudTrail tools.
-
-## Current Failure (Gateway)
-Gateway tries to fetch tools from external source via `StreamableHTTPClientTransport`.
-Errors from backend:
-- “The socket connection was closed unexpectedly”
-- “Bad Request: Server not initialized”
-- “Invalid Request: Server already initialized” (fixed by unique session IDs)
-
-## Root Cause Hypothesis
-Gateway’s StreamableHTTP client isn’t reliably completing the MCP initialize flow against the proxy, likely due to:
-- Session handling (Mcp-Session-Id headers, initialize sequencing)
-- GET SSE requirement of the MCP Streamable HTTP spec (client may be expecting SSE and disconnecting)
-- Timing: gateway initializes before MCP registers tools and/or before proxy is fully ready
-
-## What We Tried
-1) **Proxy image rebuilds**
-- Switched base to `node:20-slim` (glibc) to speed builds.
-- Installed MCP packages at build using `uv pip install --system`.
-- Corrected MCP binary names (`awslabs.cloudtrail-mcp-server`, `awslabs.cloudwatch-mcp-server`).
-
-2) **Dynamic ports**
-- `worker/src/components/core/mcp-runtime.ts` now chooses a free host port and sets `ENDPOINT` to `http://localhost:<port>/mcp`.
-
-3) **Gateway debugging**
-- Added heavy logs in `backend/src/mcp/mcp-gateway.service.ts`.
-- Added refresh flow in `InternalMcpController` → `McpGatewayService.refreshServersForRun` so tools can be registered after gateway initialization.
-
-4) **Session handling fixes**
-- `StreamableHTTPClientTransport` now includes `Mcp-Session-Id` header in request init.
-- Per-attempt unique session IDs generated to avoid “already initialized”.
-
-5) **Direct client test**
-- A Node script using `StreamableHTTPClientTransport` + `Mcp-Session-Id` works when run outside gateway (manual test). This indicates the proxy is healthy.
-
-## Evidence
-Gateway logs show:
-- First `initialize` occurs before tools are registered → registry returns 0 tools.
-- Refresh is called after register-local → registry returns 1 local-mcp source.
-- Gateway tries to fetch tools from endpoint (e.g. `http://localhost:<port>/mcp`).
-- Fails with socket closed or server-not-initialized errors despite container working via curl.
-
-## Suspected Remaining Issues
-- `StreamableHTTPClientTransport` may still be opening GET SSE without required `Mcp-Session-Id`, or closing prematurely.
-- `Client.connect()` does **not** send initialize if transport sessionId is set. We set header only, so initialization should happen. However GET SSE may happen first and fail, causing socket close.
-- The proxy expects `/mcp` POST initialize before `/tools/list`. Gateway may be POSTing `tools/list` before initialize completes.
-- Gateway is running multiple connects per attempt; retries may be stepping on the same session or receiving server-side invalid request.
-
-## Next Suggested Debug Steps
-1) Force the client to explicitly initialize:
-   - Call `client.request({ method: 'initialize', ... })` instead of relying on `connect()`.
-   - Or remove the custom `sessionId` / header usage and let the SDK handle init.
-
-2) Disable SSE connection in `StreamableHTTPClientTransport`:
-   - The proxy does not implement GET SSE (returns 400 unless initialized). Consider overriding transport or using fetch-based transport without SSE.
-
-3) Test gateway transport outside of Nest:
-   - Create a small Node script that mirrors gateway’s exact `StreamableHTTPClientTransport` usage (with headers), and see if it fails.
-
-4) Check for concurrency issues:
-   - The gateway refresh can be called while the initial server is still being connected, causing initialize collisions.
-
-## PTY Issue (side thread)
-`node-pty` rebuild fails due to TypeScript errors pulled from repo types. PTY spawn fails (`posix_spawnp failed`). We avoided PTY for MCP by using detached docker. This is separate from MCP gateway issues.
-
-## Current Local Command to Repro
-```
-set -a; source .env; set +a; INTERNAL_SERVICE_TOKEN=local-internal-token node /tmp/mcp-stage3-4.js
-```
-This script:
-- creates workflow
-- runs it
-- generates MCP token
-- initializes gateway
-- tries tools/list (retries)
-
-## Key Files
-- `backend/src/mcp/mcp-gateway.service.ts`
-- `backend/src/mcp/internal-mcp.controller.ts`
-- `worker/src/components/core/mcp-runtime.ts`
-- `worker/src/components/security/aws-cloudtrail-mcp.ts`
-- `docker/mcp-aws-cloudtrail/Dockerfile`
-- `/tmp/mcp-stage3-4.js`
-

From 532d84199247b5adbdc9ef86cb46ebe54c5a1dfb Mon Sep 17 00:00:00 2001
From: betterclever <paliwal.pranjal83@gmail.com>
Date: Thu, 29 Jan 2026 19:33:57 +0530
Subject: [PATCH 5/5] feat: finalize mcp servers and ui

Signed-off-by: betterclever <paliwal.pranjal83@gmail.com>
---
 .../src/components/utils/categorization.ts    |   8 ++
 backend/src/mcp/mcp-gateway.service.ts        |  35 ++----
 current-state.md                              | 117 ------------------
 frontend/src/components/layout/Sidebar.tsx    |   2 +
 .../src/components/workflow/WorkflowNode.tsx  |  12 +-
 frontend/src/schemas/component.ts             |   1 +
 frontend/src/utils/categoryColors.ts          |   9 ++
 packages/component-sdk/src/types.ts           |   1 +
 worker/src/components/core/mcp-runtime.ts     |  18 ++-
 worker/src/components/core/mcp-server.ts      |   4 +-
 .../components/security/aws-cloudtrail-mcp.ts |  56 +++++++--
 .../components/security/aws-cloudwatch-mcp.ts |  56 +++++++--
 .../src/temporal/activities/mcp.activity.ts   |  43 ++++++-
 worker/src/temporal/types.ts                  |   1 -
 14 files changed, 187 insertions(+), 176 deletions(-)
 delete mode 100644 current-state.md

diff --git a/backend/src/components/utils/categorization.ts b/backend/src/components/utils/categorization.ts
index a2f8d11b..f3081054 100644
--- a/backend/src/components/utils/categorization.ts
+++ b/backend/src/components/utils/categorization.ts
@@ -12,6 +12,7 @@ const SUPPORTED_CATEGORIES: readonly ComponentCategory[] = [
   'input',
   'transform',
   'ai',
+  'mcp',
   'security',
   'it_ops',
   'notification',
@@ -41,6 +42,13 @@ const COMPONENT_CATEGORY_CONFIG: Record<ComponentCategory, ComponentCategoryConf
     emoji: '🤖',
     icon: 'Brain',
   },
+  mcp: {
+    label: 'MCP Servers',
+    color: 'text-teal-600',
+    description: 'Model Context Protocol servers and tool gateways',
+    emoji: '🔌',
+    icon: 'Plug',
+  },
   security: {
     label: 'Security Tools',
     color: 'text-red-600',
diff --git a/backend/src/mcp/mcp-gateway.service.ts b/backend/src/mcp/mcp-gateway.service.ts
index 03b7786a..c841217a 100644
--- a/backend/src/mcp/mcp-gateway.service.ts
+++ b/backend/src/mcp/mcp-gateway.service.ts
@@ -79,19 +79,22 @@ export class McpGatewayService {
    * This is used when tools register after an MCP session has already initialized.
    */
   async refreshServersForRun(runId: string): Promise<void> {
-    const matchingEntries = Array.from(this.servers.entries()).filter(([key]) =>
-      key === runId || key.startsWith(`${runId}:`),
+    const matchingEntries = Array.from(this.servers.entries()).filter(
+      ([key]) => key === runId || key.startsWith(`${runId}:`),
     );
 
     if (matchingEntries.length === 0) {
       return;
     }
 
-    this.logger.log(`Refreshing MCP servers for run ${runId} (${matchingEntries.length} instance(s))`);
+    this.logger.log(
+      `Refreshing MCP servers for run ${runId} (${matchingEntries.length} instance(s))`,
+    );
 
     await Promise.all(
       matchingEntries.map(async ([cacheKey, server]) => {
-        const allowedNodeIds = cacheKey === runId ? undefined : cacheKey.split(':').slice(1).join(':').split(',');
+        const allowedNodeIds =
+          cacheKey === runId ? undefined : cacheKey.split(':').slice(1).join(':').split(',');
         const toolSet = this.registeredToolNames.get(cacheKey) ?? new Set<string>();
         this.registeredToolNames.set(cacheKey, toolSet);
         await this.registerTools(server, runId, undefined, allowedNodeIds, toolSet);
@@ -172,14 +175,10 @@ export class McpGatewayService {
 
     // 1. Register Internal Tools
     const internalTools = allRegistered.filter((t) => t.type === 'component');
-    this.logger.log(
-      `Registering ${internalTools.length} internal tool(s) for run ${runId}`,
-    );
+    this.logger.log(`Registering ${internalTools.length} internal tool(s) for run ${runId}`);
     for (const tool of internalTools) {
       if (allowedTools && allowedTools.length > 0 && !allowedTools.includes(tool.toolName)) {
-        this.logger.log(
-          `Skipping internal tool ${tool.toolName} (not in allowedTools)`,
-        );
+        this.logger.log(`Skipping internal tool ${tool.toolName} (not in allowedTools)`);
         continue;
       }
 
@@ -188,9 +187,7 @@ export class McpGatewayService {
         continue;
       }
 
-      this.logger.log(
-        `Registering internal tool ${tool.toolName} (node=${tool.nodeId})`,
-      );
+      this.logger.log(`Registering internal tool ${tool.toolName} (node=${tool.nodeId})`);
       const component = tool.componentId ? componentRegistry.get(tool.componentId) : null;
       const inputShape = component ? getToolInputShape(component) : undefined;
 
@@ -282,16 +279,12 @@ export class McpGatewayService {
         const tools = await this.fetchExternalTools(source);
         const prefix = source.toolName;
 
-        this.logger.log(
-          `External source ${source.toolName} returned ${tools.length} tool(s)`,
-        );
+        this.logger.log(`External source ${source.toolName} returned ${tools.length} tool(s)`);
         for (const t of tools) {
           const proxiedName = `${prefix}__${t.name}`;
 
           if (allowedTools && allowedTools.length > 0 && !allowedTools.includes(proxiedName)) {
-            this.logger.log(
-              `Skipping proxied tool ${proxiedName} (not in allowedTools)`,
-            );
+            this.logger.log(`Skipping proxied tool ${proxiedName} (not in allowedTools)`);
             continue;
           }
 
@@ -300,9 +293,7 @@ export class McpGatewayService {
             continue;
           }
 
-          this.logger.log(
-            `Registering proxied tool ${proxiedName} (source=${source.toolName})`,
-          );
+          this.logger.log(`Registering proxied tool ${proxiedName} (source=${source.toolName})`);
           server.registerTool(
             proxiedName,
             {
diff --git a/current-state.md b/current-state.md
deleted file mode 100644
index a03328ae..00000000
--- a/current-state.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# OpenCode Agent E2E Testing - RESOLVED
-
-## Progress Summary
-
-### ✅ All Completed
-1. **Z.AI Provider Added** - `zai-coding-plan` provider added to LLMProviderSchema
-2. **Component Fixes** - OpenCode component updated with:
-   - Proper model string format: `zai-coding-plan/glm-4.7`
-   - Provider config with `apiKey` in `provider.options.apiKey`
-   - MCP config fix: `type: "remote"` instead of `transport: "http"`
-3. **E2E Tests Fixed and Passing** - All issues resolved:
-   - **`--quiet` flag doesn't exist** in opencode 1.1.34, changed to `--log-level ERROR`
-   - **Wrapper script approach** to handle prompt file reading inside container
-   - **Entry point override** using `/bin/sh` to execute wrapper script
-   - **Test assertions fixed** - changed from `output?.report` to `outputSummary?.report`
-
----
-
-## Root Cause - The `--quiet` Flag Issue
-
-### Discovery
-The `--quiet` flag **does not exist** in opencode version 1.1.34. When used, opencode shows help text instead of executing the command.
-
-### Manual Verification
-```bash
-# This shows help (wrong):
-docker run ... ghcr.io/anomalyco/opencode run --quiet "hello"
-
-# This works (correct):
-docker run ... ghcr.io/anomalyco/opencode run --log-level ERROR "hello"
-```
-
----
-
-## Final Implementation
-
-### Wrapper Script Approach
-The prompt is written to `prompt.txt` and read by a wrapper script inside the container:
-
-```typescript
-// Write wrapper script that reads prompt from file
-const wrapperScript = '#!/bin/sh\nopencode run --log-level ERROR "$(cat /workspace/prompt.txt)"\n';
-
-await volume.initialize({
-  'context.json': contextJson,
-  'opencode.jsonc': JSON.stringify(opencodeConfig, null, 2),
-  'prompt.txt': finalPrompt,
-  'run.sh': wrapperScript,
-});
-
-// Execute with /bin/sh entrypoint
-const runnerConfig = {
-  ...definition.runner,
-  entrypoint: '/bin/sh',
-  command: ['/workspace/run.sh'],
-  network: 'host' as const,
-  volumes: [volume.getVolumeConfig('/workspace', false)],
-  workingDir: '/workspace',
-};
-```
-
-### Why This Works
-1. **`entrypoint: '/bin/sh'`** overrides the image's default `opencode` entrypoint
-2. **Wrapper script** runs inside the container, so `$(cat /workspace/prompt.txt)` is evaluated by the container shell
-3. **`--log-level ERROR`** suppresses verbose logging (replaces the non-existent `--quiet` flag)
-
----
-
-## Test Results
-
-### E2E Tests: ✅ PASSING
-```
-bun test e2e-tests/opencode.test.ts
-
-  2 pass
-  0 fail
-  10 expect() calls
-Ran 2 tests across 1 file. [30.31s]
-```
-
-### Tests Implemented
-1. **Basic Test** - OpenCode agent runs with Z.AI GLM-4.7
-2. **Context Test** - OpenCode agent uses context from input (JSON data)
-
----
-
-## Key Findings
-
-### OpenCode Configuration
-1. **Z.AI Native Provider**: `zai-coding-plan` is a first-class provider in OpenCode
-2. **Model Format**: `zai-coding-plan/glm-4.7` (provider/modelId)
-3. **API Key**: Goes in `provider.zai-coding-plan.options.apiKey`
-4. **MCP Format**: `mcp.{name}: {type: 'remote', url: '...'}`
-5. **No `--quiet` flag**: Use `--log-level ERROR` instead
-
-### Docker Execution Pattern
-For complex commands with shell expansion:
-- Write a wrapper script to a file
-- Use `/bin/sh` as entrypoint
-- Execute the wrapper script as the command
-
----
-
-## Environment
-
-- **ZAI_API_KEY**: `aa8e1ccdcb48463aa3def6939a959a5c.GK2rlnuBm76aHRaI`
-- **GLM Model**: `zai-coding-plan/glm-4.7`
-- **Studio API**: Running on `http://127.0.0.1:3211`
-- **OpenCode Version**: 1.1.34
-
----
-
-## Files Modified
-
-1. `packages/contracts/src/index.ts` - Added `zai-coding-plan` provider schema
-2. `worker/src/components/ai/opencode.ts` - Fixed command execution and removed `--quiet` flag
-3. `e2e-tests/opencode.test.ts` - Created E2E tests and fixed assertions
diff --git a/frontend/src/components/layout/Sidebar.tsx b/frontend/src/components/layout/Sidebar.tsx
index de7b391f..5f9b78af 100644
--- a/frontend/src/components/layout/Sidebar.tsx
+++ b/frontend/src/components/layout/Sidebar.tsx
@@ -217,6 +217,7 @@ export function Sidebar({ canManageWorkflows = true }: SidebarProps) {
       input: 'text-blue-600 dark:text-blue-400',
       transform: 'text-orange-600 dark:text-orange-400',
       ai: 'text-purple-600 dark:text-purple-400',
+      mcp: 'text-teal-600 dark:text-teal-400',
       security: 'text-red-600 dark:text-red-400',
       it_ops: 'text-cyan-600 dark:text-cyan-400',
       notification: 'text-pink-600 dark:text-pink-400',
@@ -302,6 +303,7 @@ export function Sidebar({ canManageWorkflows = true }: SidebarProps) {
     'output',
     'notification',
     'security',
+    'mcp',
     'ai',
     'transform',
     'it_ops',
diff --git a/frontend/src/components/workflow/WorkflowNode.tsx b/frontend/src/components/workflow/WorkflowNode.tsx
index 4cb8ebdb..ebc12f55 100644
--- a/frontend/src/components/workflow/WorkflowNode.tsx
+++ b/frontend/src/components/workflow/WorkflowNode.tsx
@@ -502,6 +502,7 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
   // Get component category (default to 'input' for entry points)
   const componentCategory: ComponentCategory =
     (component?.category as ComponentCategory) || (isEntryPoint ? 'input' : 'input');
+  const showMcpBadge = componentCategory === 'mcp' || isToolModeOnly;
 
   // Entry Point Helper Data
   // Get workflowId from store first, then from node data (passed from Canvas), then from route params
@@ -1088,7 +1089,14 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
                       !isEntryPoint && mode === 'design' ? 'Double-click to rename' : undefined
                     }
                   >
-                    <h3 className="text-sm font-semibold truncate">{displayLabel}</h3>
+                    <div className="flex items-center gap-1.5">
+                      <h3 className="text-sm font-semibold truncate">{displayLabel}</h3>
+                      {showMcpBadge && (
+                        <span className="inline-flex items-center rounded-full bg-teal-100 px-1.5 py-0.5 text-[10px] font-semibold text-teal-700 dark:bg-teal-900/40 dark:text-teal-200">
+                          MCP
+                        </span>
+                      )}
+                    </div>
                     {hasCustomLabel && (
                       <span className="text-[10px] text-muted-foreground opacity-70 truncate block">
                         {component.name}
@@ -1233,7 +1241,7 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
               className="text-xs bg-emerald-50 text-emerald-800 border border-emerald-200 dark:bg-emerald-900/20 dark:text-emerald-400 dark:border-emerald-700"
             >
               <CheckCircle className="h-3 w-3 mr-1" />
-              Completed
+              {componentCategory === 'mcp' ? 'Server Ready' : 'Completed'}
             </Badge>
           )}
           {visualState.status === 'error' && (
diff --git a/frontend/src/schemas/component.ts b/frontend/src/schemas/component.ts
index e56f2ee8..566564d1 100644
--- a/frontend/src/schemas/component.ts
+++ b/frontend/src/schemas/component.ts
@@ -179,6 +179,7 @@ export const ComponentMetadataSchema = z.object({
     'input',
     'transform',
     'ai',
+    'mcp',
     'security',
     'it_ops',
     'notification',
diff --git a/frontend/src/utils/categoryColors.ts b/frontend/src/utils/categoryColors.ts
index ed0b47e2..d0ed4f11 100644
--- a/frontend/src/utils/categoryColors.ts
+++ b/frontend/src/utils/categoryColors.ts
@@ -5,6 +5,7 @@ export type ComponentCategory =
   | 'input'
   | 'transform'
   | 'ai'
+  | 'mcp'
   | 'security'
   | 'it_ops'
   | 'notification'
@@ -29,6 +30,10 @@ export const CATEGORY_SEPARATOR_COLORS: Record<ComponentCategory, { light: strin
       light: 'rgb(196 181 253)', // violet-300 (2 shades lighter than violet-500)
       dark: 'rgb(196 181 253)', // violet-300 (2 shades lighter than violet-400)
     },
+    mcp: {
+      light: 'rgb(153 246 228)', // teal-200
+      dark: 'rgb(94 234 212)', // teal-300
+    },
     security: {
       light: 'rgb(252 165 165)', // red-300 (2 shades lighter than red-500)
       dark: 'rgb(252 165 165)', // red-300 (2 shades lighter than red-400)
@@ -69,6 +74,10 @@ export const CATEGORY_HEADER_BG_COLORS: Record<ComponentCategory, { light: strin
       light: 'rgb(253 250 255)', // custom violet-25
       dark: 'rgb(36 25 50 / 0.15)', // violet-950/15
     },
+    mcp: {
+      light: 'rgb(247 254 253)', // teal-25
+      dark: 'rgb(19 78 74 / 0.15)', // teal-950/15
+    },
     security: {
       light: 'rgb(255 250 250)', // custom red-25
       dark: 'rgb(69 10 10 / 0.15)', // red-950/15
diff --git a/packages/component-sdk/src/types.ts b/packages/component-sdk/src/types.ts
index f8cea2fb..463dffd0 100644
--- a/packages/component-sdk/src/types.ts
+++ b/packages/component-sdk/src/types.ts
@@ -307,6 +307,7 @@ export type ComponentCategory =
   | 'input'
   | 'transform'
   | 'ai'
+  | 'mcp'
   | 'security'
   | 'it_ops'
   | 'notification'
diff --git a/worker/src/components/core/mcp-runtime.ts b/worker/src/components/core/mcp-runtime.ts
index 8907b1fe..7c1c7e87 100644
--- a/worker/src/components/core/mcp-runtime.ts
+++ b/worker/src/components/core/mcp-runtime.ts
@@ -1,20 +1,25 @@
 import { createServer } from 'node:net';
 import { runComponentWithRunner, ValidationError } from '@shipsec/component-sdk';
 
-type StartMcpServerInput = {
+interface StartMcpServerInput {
   image: string;
   command?: string[];
   args?: string[];
   env?: Record<string, string>;
   port?: number;
+  volumes?: {
+    source: string;
+    target: string;
+    readOnly?: boolean;
+  }[];
   params: Record<string, unknown>;
   context: any;
-};
+}
 
-type StartMcpServerOutput = {
+interface StartMcpServerOutput {
   endpoint: string;
   containerId?: string;
-};
+}
 
 async function getAvailablePort(): Promise<number> {
   return await new Promise((resolve, reject) => {
@@ -46,7 +51,7 @@ export async function startMcpDockerServer(
     });
   }
 
-  const endpoint = `http://localhost:${port}/mcp`;
+  const endpoint = `http://127.0.0.1:${port}/mcp`;
   const runnerConfig = {
     kind: 'docker' as const,
     image: input.image,
@@ -54,7 +59,8 @@ export async function startMcpDockerServer(
     env: { ...input.env, PORT: String(port), ENDPOINT: endpoint },
     network: 'bridge' as const,
     detached: true,
-    ports: { [port]: port },
+    ports: { [`127.0.0.1:${port}`]: port } as unknown as Record<number, number>,
+    volumes: input.volumes,
   };
 
   const result = await runComponentWithRunner(
diff --git a/worker/src/components/core/mcp-server.ts b/worker/src/components/core/mcp-server.ts
index 17cdc8a0..8854107d 100644
--- a/worker/src/components/core/mcp-server.ts
+++ b/worker/src/components/core/mcp-server.ts
@@ -72,7 +72,7 @@ const parameterSchema = parameters({
 const definition = defineComponent({
   id: 'core.mcp.server',
   label: 'MCP Server',
-  category: 'it_ops',
+  category: 'mcp',
   // The runner configuration here is a placeholder.
   // The actual runner config is constructed dynamically in the execute method
   // because `this.runner` is not interpolated when used directly in `execute`.
@@ -90,7 +90,7 @@ const definition = defineComponent({
     slug: 'mcp-server',
     version: '1.0.0',
     type: 'process',
-    category: 'it_ops',
+    category: 'mcp',
     description: 'Run an external Model Context Protocol (MCP) server.',
     icon: 'Server',
     author: {
diff --git a/worker/src/components/security/aws-cloudtrail-mcp.ts b/worker/src/components/security/aws-cloudtrail-mcp.ts
index c1514e88..8cd76ce6 100644
--- a/worker/src/components/security/aws-cloudtrail-mcp.ts
+++ b/worker/src/components/security/aws-cloudtrail-mcp.ts
@@ -11,6 +11,7 @@ import {
 } from '@shipsec/component-sdk';
 import { awsCredentialSchema } from '@shipsec/contracts';
 import { startMcpDockerServer } from '../core/mcp-runtime';
+import { IsolatedContainerVolume } from '../../utils/isolated-volume';
 
 const inputSchema = inputs({
   credentials: port(awsCredentialSchema(), {
@@ -51,7 +52,7 @@ const parameterSchema = parameters({
 const definition = defineComponent({
   id: 'security.aws-cloudtrail-mcp',
   label: 'AWS CloudTrail MCP Server',
-  category: 'security',
+  category: 'mcp',
   runner: {
     kind: 'docker',
     image: 'placeholder',
@@ -66,9 +67,9 @@ const definition = defineComponent({
     slug: 'aws-cloudtrail-mcp',
     version: '1.0.0',
     type: 'process',
-    category: 'security',
+    category: 'mcp',
     description: 'Expose AWS CloudTrail via MCP for tool-mode agents.',
-    icon: 'Shield',
+    icon: 'Plug',
     author: {
       name: 'ShipSecAI',
       type: 'shipsecai',
@@ -110,14 +111,47 @@ const definition = defineComponent({
       env.AWS_SESSION_TOKEN = credentials.sessionToken;
     }
 
-    return startMcpDockerServer({
-      image: params.image,
-      command: [],
-      env,
-      port,
-      params,
-      context,
-    });
+    env.AWS_SHARED_CREDENTIALS_FILE = '/root/.aws/credentials';
+    env.AWS_CONFIG_FILE = '/root/.aws/config';
+    env.AWS_PROFILE = 'default';
+
+    const tenantId = (context as any).tenantId ?? 'default-tenant';
+    const volume = new IsolatedContainerVolume(tenantId, context.runId);
+    let volumeInitialized = false;
+
+    try {
+      const credsLines = [
+        '[default]',
+        `aws_access_key_id = ${credentials.accessKeyId}`,
+        `aws_secret_access_key = ${credentials.secretAccessKey}`,
+      ];
+      if (credentials.sessionToken) {
+        credsLines.push(`aws_session_token = ${credentials.sessionToken}`);
+      }
+
+      const configLines = ['[default]', `region = ${region}`, 'output = json'];
+
+      await volume.initialize({
+        credentials: credsLines.join('\n'),
+        config: configLines.join('\n'),
+      });
+      volumeInitialized = true;
+
+      return await startMcpDockerServer({
+        image: params.image,
+        command: [],
+        env,
+        port,
+        params,
+        context,
+        volumes: [volume.getVolumeConfig('/root/.aws', true)],
+      });
+    } catch (error) {
+      if (volumeInitialized) {
+        await volume.cleanup().catch(() => {});
+      }
+      throw error;
+    }
   },
 });
 
diff --git a/worker/src/components/security/aws-cloudwatch-mcp.ts b/worker/src/components/security/aws-cloudwatch-mcp.ts
index 9c830ca6..8950c748 100644
--- a/worker/src/components/security/aws-cloudwatch-mcp.ts
+++ b/worker/src/components/security/aws-cloudwatch-mcp.ts
@@ -11,6 +11,7 @@ import {
 } from '@shipsec/component-sdk';
 import { awsCredentialSchema } from '@shipsec/contracts';
 import { startMcpDockerServer } from '../core/mcp-runtime';
+import { IsolatedContainerVolume } from '../../utils/isolated-volume';
 
 const inputSchema = inputs({
   credentials: port(awsCredentialSchema(), {
@@ -51,7 +52,7 @@ const parameterSchema = parameters({
 const definition = defineComponent({
   id: 'security.aws-cloudwatch-mcp',
   label: 'AWS CloudWatch MCP Server',
-  category: 'security',
+  category: 'mcp',
   runner: {
     kind: 'docker',
     image: 'placeholder',
@@ -66,9 +67,9 @@ const definition = defineComponent({
     slug: 'aws-cloudwatch-mcp',
     version: '1.0.0',
     type: 'process',
-    category: 'security',
+    category: 'mcp',
     description: 'Expose AWS CloudWatch via MCP for tool-mode agents.',
-    icon: 'Activity',
+    icon: 'Plug',
     author: {
       name: 'ShipSecAI',
       type: 'shipsecai',
@@ -110,14 +111,47 @@ const definition = defineComponent({
       env.AWS_SESSION_TOKEN = credentials.sessionToken;
     }
 
-    return startMcpDockerServer({
-      image: params.image,
-      command: [],
-      env,
-      port,
-      params,
-      context,
-    });
+    env.AWS_SHARED_CREDENTIALS_FILE = '/root/.aws/credentials';
+    env.AWS_CONFIG_FILE = '/root/.aws/config';
+    env.AWS_PROFILE = 'default';
+
+    const tenantId = (context as any).tenantId ?? 'default-tenant';
+    const volume = new IsolatedContainerVolume(tenantId, context.runId);
+    let volumeInitialized = false;
+
+    try {
+      const credsLines = [
+        '[default]',
+        `aws_access_key_id = ${credentials.accessKeyId}`,
+        `aws_secret_access_key = ${credentials.secretAccessKey}`,
+      ];
+      if (credentials.sessionToken) {
+        credsLines.push(`aws_session_token = ${credentials.sessionToken}`);
+      }
+
+      const configLines = ['[default]', `region = ${region}`, 'output = json'];
+
+      await volume.initialize({
+        credentials: credsLines.join('\n'),
+        config: configLines.join('\n'),
+      });
+      volumeInitialized = true;
+
+      return await startMcpDockerServer({
+        image: params.image,
+        command: [],
+        env,
+        port,
+        params,
+        context,
+        volumes: [volume.getVolumeConfig('/root/.aws', true)],
+      });
+    } catch (error) {
+      if (volumeInitialized) {
+        await volume.cleanup().catch(() => {});
+      }
+      throw error;
+    }
   },
 });
 
diff --git a/worker/src/temporal/activities/mcp.activity.ts b/worker/src/temporal/activities/mcp.activity.ts
index 483dd743..94c7dab3 100644
--- a/worker/src/temporal/activities/mcp.activity.ts
+++ b/worker/src/temporal/activities/mcp.activity.ts
@@ -81,10 +81,10 @@ export async function registerLocalMcpActivity(
   });
 }
 
-export async function cleanupLocalMcpActivity(
-  input: CleanupLocalMcpActivityInput,
-): Promise<void> {
-  const response = await callInternalApi('cleanup', { runId: input.runId });
+export async function cleanupLocalMcpActivity(input: CleanupLocalMcpActivityInput): Promise<void> {
+  const response = (await callInternalApi('cleanup', { runId: input.runId })) as {
+    containerIds?: string[];
+  };
   const containerIds = Array.isArray(response?.containerIds) ? response.containerIds : [];
 
   if (containerIds.length === 0) {
@@ -109,6 +109,41 @@ export async function cleanupLocalMcpActivity(
       }
     }),
   );
+
+  if (!/^[a-zA-Z0-9_.-]+$/.test(input.runId)) {
+    console.warn(`[MCP Cleanup] Skipping volume cleanup with unsafe runId: ${input.runId}`);
+    return;
+  }
+
+  try {
+    const { stdout } = await execAsync(
+      `docker volume ls --filter "label=studio.managed=true" --filter "label=studio.run=${input.runId}" --format "{{.Name}}"`,
+    );
+    const volumeNames = stdout
+      .split('\n')
+      .map((line) => line.trim())
+      .filter(Boolean);
+
+    if (volumeNames.length === 0) {
+      return;
+    }
+
+    await Promise.all(
+      volumeNames.map(async (volumeName) => {
+        if (!/^[a-zA-Z0-9_.-]+$/.test(volumeName)) {
+          console.warn(`[MCP Cleanup] Skipping volume with unsafe name: ${volumeName}`);
+          return;
+        }
+        try {
+          await execAsync(`docker volume rm ${volumeName}`);
+        } catch (error) {
+          console.warn(`[MCP Cleanup] Failed to remove volume ${volumeName}:`, error);
+        }
+      }),
+    );
+  } catch (error) {
+    console.warn(`[MCP Cleanup] Failed to list volumes for run ${input.runId}:`, error);
+  }
 }
 
 export async function prepareAndRegisterToolActivity(input: {
diff --git a/worker/src/temporal/types.ts b/worker/src/temporal/types.ts
index e7839161..84ed6ce4 100644
--- a/worker/src/temporal/types.ts
+++ b/worker/src/temporal/types.ts
@@ -218,7 +218,6 @@ export interface RegisterLocalMcpActivityInput {
   containerId: string;
 }
 
-
 export interface PrepareAndRegisterToolActivityInput {
   runId: string;
   nodeId: string;