@shadowfax92
Contributor

  • feat: /shutdown API
  • fix: rename extension status to status

@greptile-apps
Contributor

greptile-apps bot commented Jan 27, 2026

Greptile Overview

Greptile Summary

This PR adds a new /shutdown API endpoint and renames the /extension-status route to /status for better consistency. The shutdown endpoint triggers graceful server shutdown via the Application.stop() method.

Key Changes:

  • Added POST /shutdown route that schedules shutdown via setImmediate and returns {status: 'ok'}
  • Renamed /extension-status to /status with updated interface names (ExtensionStatusDeps → StatusDeps, createExtensionStatusRoute → createStatusRoute)
  • Wired shutdown callback through HttpServerConfig.onShutdown to Application.stop()
  • Updated all test references from /extension-status to /status
  • Dependency bump: chrome-devtools-mcp from 0.13.0 to 0.14.0

Note: PR title contains typo - "shutodwn" should be "shutdown"

Confidence Score: 5/5

  • This PR is safe to merge - clean refactoring with straightforward new feature
  • The implementation is well-structured with proper separation of concerns, follows existing patterns in the codebase, includes comprehensive test updates, and has no logical errors or security issues
  • No files require special attention

Important Files Changed

Filename | Overview
apps/server/src/api/routes/shutdown.ts | New shutdown route added with POST endpoint that triggers graceful shutdown via callback
apps/server/src/api/routes/status.ts | Renamed from extension-status.ts - interface and function names updated to be more generic
apps/server/src/api/server.ts | Integrated shutdown route and renamed extension-status to status route with fallback for onShutdown
apps/server/src/main.ts | Connected shutdown route to Application.stop() method via onShutdown callback

Sequence Diagram

sequenceDiagram
    participant Client
    participant HonoServer as Hono Server
    participant ShutdownRoute as Shutdown Route
    participant Application
    participant HealthWatchdog
    participant Process

    Client->>HonoServer: POST /shutdown
    HonoServer->>ShutdownRoute: Handle request
    ShutdownRoute->>ShutdownRoute: setImmediate(onShutdown)
    ShutdownRoute->>HonoServer: {status: 'ok'}
    HonoServer->>Client: 200 OK
    Note over ShutdownRoute,Application: Response sent before shutdown begins
    ShutdownRoute->>Application: this.stop()
    Application->>HealthWatchdog: stop()
    Application->>Process: process.exit(EXIT_CODES.SUCCESS)
    Note over Process: Server terminates immediately

@claude

claude bot commented Jan 27, 2026

Code Review

Found 1 security issue:


File: apps/server/src/api/routes/shutdown.ts (line 14)

Issue: Security Vulnerability - Unauthenticated Shutdown Endpoint

The /shutdown endpoint lacks authentication/authorization, allowing any network client to terminate the server. This creates a denial-of-service vulnerability.

Details:

  • The server binds to 0.0.0.0 (all network interfaces) - see apps/server/src/main.ts#L84
  • The shutdown route has no isLocalhostRequest() check
  • Any HTTP client on the network can POST to /shutdown and trigger server termination

Existing Protection Pattern:
The /mcp endpoint uses isLocalhostRequest() for protection - see apps/server/src/api/routes/mcp.ts#L153-L158

Recommended Fix:

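import { Hono } from 'hono'
import { isLocalhostRequest } from '../utils/security'

export function createShutdownRoute(config: ShutdownRouteConfig) {
  return new Hono().post('/', (c) => {
    // Reject callers that are not on the loopback interface
    if (!isLocalhostRequest(c)) {
      return c.json({ error: 'Forbidden' }, 403)
    }
    // Defer shutdown so the response is sent before the process exits
    setImmediate(config.onShutdown)
    return c.json({ status: 'ok' })
  })
}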

You'll need to import isLocalhostRequest from '../utils/security'.
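
Added example, not part of the PR or of either bot's comment: a framework-free sketch of the loopback gate the review asks for on POST /shutdown, showing why the decision has to rest on the socket peer address rather than on request headers. The names `PeerRequest`, `isLoopbackAddress` and `decideShutdown` are hypothetical, the project's own isLocalhostRequest() is not shown on this page and may differ, and the sample requests are constructed.

```typescript
// Added illustration; not the project's isLocalhostRequest() implementation.
// Assumption: remoteAddress is the TCP peer address reported by the socket
// (for example Node's socket.remoteAddress), never a value read from headers.
interface PeerRequest {
  remoteAddress: string | undefined
  headers: Record<string, string>
}

interface Decision {
  status: number
  body: { status: string } | { error: string }
  shutdown: boolean
}

// True only for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.y.z).
// Anything that does not parse is treated as remote (fail closed).
function isLoopbackAddress(addr: string | undefined): boolean {
  if (!addr) return false
  let a = addr.trim().toLowerCase()
  if (a === '::1' || a === '0:0:0:0:0:0:0:1') return true
  if (a.slice(0, 7) === '::ffff:') a = a.slice(7)
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(a)
  if (!m) return false
  const octets = m.slice(1).map(Number)
  return octets.every((o) => o <= 255) && octets[0] === 127
}

// Gate for a POST /shutdown handler. Headers are deliberately ignored:
// Host and X-Forwarded-For are chosen by the client, so they prove nothing
// about where the connection came from when the server binds to 0.0.0.0.
function decideShutdown(req: PeerRequest): Decision {
  if (!isLoopbackAddress(req.remoteAddress)) {
    return { status: 403, body: { error: 'Forbidden' }, shutdown: false }
  }
  return { status: 200, body: { status: 'ok' }, shutdown: true }
}

// Constructed sample requests: a local caller, a dual-stack local caller,
// and a LAN client that sets headers claiming to be local.
const samples: PeerRequest[] = [
  { remoteAddress: '127.0.0.1', headers: {} },
  { remoteAddress: '::ffff:127.0.0.1', headers: {} },
  { remoteAddress: '192.168.1.20', headers: { host: 'localhost', 'x-forwarded-for': '127.0.0.1' } },
]
const sampleStatuses = samples.map((r) => decideShutdown(r).status)
```

In a real handler the caller would invoke the deferred shutdown callback only when `shutdown` is true.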

@shadowfax92 shadowfax92 merged commit 69e159f into main Jan 27, 2026
7 checks passed