aaif-goose · aharvard · Feb 25, 2026 · Feb 10, 2026 · Feb 11, 2026 · Feb 12, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/goose-server/Cargo.toml b/crates/goose-server/Cargo.toml
@@ -47,10 +47,13 @@ rand = "0.9.2"
 hex = "0.4.3"
 socket2 = "0.6.1"
 fs2 = { workspace = true }
-rustls = { version = "0.23", features = ["ring"] }
+rustls = { version = "0.23", features = ["aws_lc_rs"] }
 uuid = { workspace = true }
 once_cell = { workspace = true }
 dirs = { workspace = true }
+rcgen = "0.13"
+axum-server = { version = "0.8.0", features = ["tls-rustls"] }
+aws-lc-rs = "1.16.0"
 
 [target.'cfg(windows)'.dependencies]
 winreg = { version = "0.55.0" }

diff --git a/crates/goose-server/src/auth.rs b/crates/goose-server/src/auth.rs
@@ -13,6 +13,7 @@ pub async fn check_token(
     if request.uri().path() == "/status"
         || request.uri().path() == "/mcp-ui-proxy"
         || request.uri().path() == "/mcp-app-proxy"
+        || request.uri().path() == "/mcp-app-guest"
     {
         return Ok(next.run(request).await);
     }

diff --git a/crates/goose-server/src/commands/agent.rs b/crates/goose-server/src/commands/agent.rs
@@ -2,11 +2,12 @@ use crate::configuration;
 use crate::state;
 use anyhow::Result;
 use axum::middleware;
+use axum_server::Handle;
 use goose_server::auth::check_token;
+use goose_server::tls::self_signed_config;
 use tower_http::cors::{Any, CorsLayer};
 use tracing::info;
 
-// Graceful shutdown signal
 #[cfg(unix)]
 async fn shutdown_signal() {
     use tokio::signal::unix::{signal, SignalKind};
@@ -53,8 +54,17 @@ pub async fn run() -> Result<()> {
         ))
         .layer(cors);
 
-    let listener = tokio::net::TcpListener::bind(settings.socket_addr()).await?;
-    info!("listening on {}", listener.local_addr()?);
+    let addr = settings.socket_addr();
+    let tls_setup = self_signed_config().await?;
+
+    let handle = Handle::new();
+    let shutdown_handle = handle.clone();
+    tokio::spawn(async move {
+        shutdown_signal().await;
+        shutdown_handle.graceful_shutdown(None);
+    });
+
+    info!("listening on https://{}", addr);
 
     let tunnel_manager = app_state.tunnel_manager.clone();
     tokio::spawn(async move {
@@ -66,8 +76,9 @@ pub async fn run() -> Result<()> {
         gateway_manager.check_auto_start().await;
     });
 
-    axum::serve(listener, app)
-        .with_graceful_shutdown(shutdown_signal())
+    axum_server::bind_rustls(addr, tls_setup.config)
+        .handle(handle)
+        .serve(app.into_make_service())
         .await?;
 
     if goose::otel::otlp::is_otlp_initialized() {

diff --git a/crates/goose-server/src/lib.rs b/crates/goose-server/src/lib.rs
@@ -4,6 +4,7 @@ pub mod error;
 pub mod openapi;
 pub mod routes;
 pub mod state;
+pub mod tls;
 pub mod tunnel;
 
 // Re-export commonly used items

diff --git a/crates/goose-server/src/routes/agent.rs b/crates/goose-server/src/routes/agent.rs
@@ -848,6 +848,16 @@ async fn update_working_dir(
     Ok(StatusCode::OK)
 }
 
+async fn ensure_extensions_loaded(state: &AppState, session_id: &str) {
+    if let Some(_results) = state.take_extension_loading_task(session_id).await {
+        tracing::debug!(
+            "Awaited background extension loading for session {} before serving request",
+            session_id
+        );
+        state.remove_extension_loading_task(session_id).await;
+    }
+}
+
 #[utoipa::path(
     post,
     path = "/agent/read_resource",
@@ -866,6 +876,8 @@ async fn read_resource(
 ) -> Result<Json<ReadResourceResponse>, StatusCode> {
     use rmcp::model::ResourceContents;
 
+    ensure_extensions_loaded(&state, &payload.session_id).await;
+
     let agent = state
         .get_agent_for_route(payload.session_id.clone())
         .await?;
@@ -879,7 +891,16 @@ async fn read_resource(
             CancellationToken::default(),
         )
         .await
-        .map_err(|_e| StatusCode::INTERNAL_SERVER_ERROR)?;
+        .map_err(|e| {
+            tracing::error!(
+                "read_resource failed for session={}, uri={}, extension={}: {:?}",
+                payload.session_id,
+                payload.uri,
+                payload.extension_name,
+                e
+            );
+            StatusCode::INTERNAL_SERVER_ERROR
+        })?;
 
     let content = read_result
         .contents
@@ -936,6 +957,8 @@ async fn call_tool(
     State(state): State<Arc<AppState>>,
     Json(payload): Json<CallToolRequest>,
 ) -> Result<Json<CallToolResponse>, StatusCode> {
+    ensure_extensions_loaded(&state, &payload.session_id).await;
+
     let agent = state
         .get_agent_for_route(payload.session_id.clone())
         .await?;