Add resource limits and cleanup to bridge and extension

[m1rl0k]

Implemented storage and cache size limits, periodic cleanup, and expiry for tokens, codes, and clients in the MCP bridge OAuth handler. Added request body size limit and graceful shutdown to the HTTP MCP server. Improved resource cleanup and cache pruning in the VSCode extension, including limiting skipped auth combos, clearing timers on deactivate, and disposing terminals properly.

[augmentcode]

🤖 Augment PR Summary

Summary: This PR tightens resource usage and cleanup behavior across the MCP bridge and the VSCode uploader extension.

Changes:

• Bumps bridge and extension package versions.
• On bridge session errors, actively closes and nulls remote MCP clients before reinitializing.
• Adds a 10MB request body limit for the HTTP MCP endpoint to prevent unbounded buffering.
• Adds graceful shutdown handling for the HTTP MCP server on SIGINT/SIGTERM with a long timeout for in-flight MCP calls.
• Introduces bounded in-memory OAuth stores (tokens/codes/clients) with TTL-based expiry and periodic cleanup.
• Starts a periodic OAuth cleanup interval (unref’d) to avoid blocking process exit.
• VSCode extension: caps the “skipped auth combos” set to avoid unbounded growth.
• Ensures pending timers are cleared on extension deactivation.
• Disposes the logs terminal properly during cleanup.
• Adds cache pruning + max-entry limits for auth/endpoint reachability caches and clears refresh intervals on dispose.

Technical Notes: Most changes focus on preventing memory growth (size caps + TTL eviction) and ensuring resources (clients, timers, terminals, HTTP server) are closed predictably.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

req.destroy() typically destroys the underlying socket, so the client may never receive the intended 413 JSON response (it can look like a connection reset instead). Consider stopping further reads without destroying the socket until after the response is sent.

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

body.length is a character count after decoding chunks to a JS string, not the raw byte size on the wire; a request can exceed 10MB in bytes while staying under this limit. If the intent is a hard 10MB cap, tracking the incoming byte count is more reliable.

_{🤖 Was this useful? React with 👍 or 👎}