vector_mcp 0.3.3 → 0.3.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 64b4dac9a0a1e9c782d3b5d693e7582803621ac81555f992031f9edbdd3f5b6b
-  data.tar.gz: 571e540ac540859b1fefaadc5e2b3cda39a1415c3496af38cee46cb839316c85
+  metadata.gz: 96c22c8497dcfd618605017a41a11d747e596654d86e856551159303133e0ab9
+  data.tar.gz: 301099d4a3b6b21c28ad82adf95c77f3469a0c4ba40dbd63f9f4f1060391b37f
 SHA512:
-  metadata.gz: cc7c13562e31070ce7aef3d0d20801e4a7368a44b22ea58d01ec872f7f9191e7b70d96e72c3cdcd42b9ecc40dc9b7ea30e63ce12b5b54987734a933402269b71
-  data.tar.gz: 6f989302cbd97c00aa5f2dfe28950cffb5c2c53c204c3ab10eb886a9dc680e0db6a704fef54229488910c837ebe3857c7e493ae5aa8729d8d6677fe048c223e1
+  metadata.gz: 4d464e8ae1e4472eead1580582b2e39dcaadcc5da54087e3022386c05c2dafd0a45f80509a23653273d615a7f739e0cbd8de052acb6d816c1442819bb775b374
+  data.tar.gz: 26818191d6c915a31562356b3dec35ada9a1e0bd42f662d37e5884ce05ba139bd54f4fe768d6a2b5106de21e97da2b5a3c9970797eb05082256761e82f276238

data/CHANGELOG.md

@@ -1,3 +1,24 @@
+## [0.3.4] – 2026-03-17
+
+### Added
+
+* **Batch JSON-RPC Support**: Added batch request dispatch on POST endpoint for processing multiple JSON-RPC requests in a single HTTP call
+* **SSE Response Mode for POST**: POST requests can now receive responses via Server-Sent Events streaming
+* **Accept Header Validation**: Added proper Accept header validation on POST and GET endpoints per MCP specification
+
+### Security
+
+* **Constant-Time API Key Comparison** (SECURITY-001): Replaced direct string comparison with `Rack::Utils.secure_compare` to prevent timing attacks
+* **Disable Query Parameter Token Extraction** (SECURITY-002): Token extraction from query parameters now disabled by default to prevent token leakage via URL logging and browser history
+* **Path Traversal Protection for ImageUtil** (SECURITY-004): Added path traversal validation to `ImageUtil` file operations to prevent unauthorized file access
+* **Sensitive Data Filtering in Debug Logs** (SECURITY-005): Debug log output now filters sensitive fields (tokens, keys, credentials) to prevent accidental credential exposure
+* **Cross-Session Event Leakage Prevention**: Fixed EventStore to prevent events from one session being accessible to another session
+* **Session ID Validation on POST**: Fixed session fixation vulnerability where unknown session IDs were silently accepted; server now returns 404 for invalid sessions
+
+### Fixed
+
+* **Code Quality**: RuboCop style fixes and cleanup of unnecessary files
+
 ## [0.3.3] – 2025-07-29
 
 ### Fixed

data/lib/vector_mcp/image_util.rb

@@ -217,12 +217,22 @@ module VectorMCP
     # @param file_path [String] Path to the image file.
     # @param validate [Boolean] Whether to validate the image.
     # @param max_size [Integer] Maximum allowed size for validation.
+    # @param base_directory [String, nil] Optional base directory for path traversal protection.
+    #   When provided, the resolved file_path must reside within this directory.
     # @return [Hash] MCP image content hash.
-    # @raise [ArgumentError] If file doesn't exist or validation fails.
+    # @raise [ArgumentError] If file doesn't exist, validation fails, or path traversal is detected.
     #
     # @example
     #   content = VectorMCP::ImageUtil.file_to_mcp_image_content("./avatar.png")
-    def file_to_mcp_image_content(file_path, validate: true, max_size: DEFAULT_MAX_SIZE)
+    #
+    # @example With path traversal protection
+    #   content = VectorMCP::ImageUtil.file_to_mcp_image_content(
+    #     user_input_path,
+    #     base_directory: "/app/uploads"
+    #   )
+    def file_to_mcp_image_content(file_path, validate: true, max_size: DEFAULT_MAX_SIZE, base_directory: nil)
+      validate_path_safety!(file_path, base_directory) if base_directory
+
       raise ArgumentError, "Image file not found: #{file_path}" unless File.exist?(file_path)
 
       raise ArgumentError, "Image file not readable: #{file_path}" unless File.readable?(file_path)
@@ -231,6 +241,21 @@ module VectorMCP
       to_mcp_image_content(binary_data, validate: validate, max_size: max_size)
     end
 
+    # Validates that a file path does not escape the given base directory.
+    #
+    # @param file_path [String] The file path to validate.
+    # @param base_directory [String] The base directory boundary.
+    # @raise [ArgumentError] If the resolved path is outside base_directory.
+    # @api private
+    def validate_path_safety!(file_path, base_directory)
+      resolved_base = File.expand_path(base_directory)
+      resolved_path = File.expand_path(file_path, resolved_base)
+
+      return if resolved_path.start_with?("#{resolved_base}/") || resolved_path == resolved_base
+
+      raise ArgumentError, "Path traversal detected: resolved path is outside the allowed base directory"
+    end
+
     # Extracts image metadata from binary data.
     #
     # @param data [String] Binary image data.

data/lib/vector_mcp/log_filter.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  # Filters sensitive data from values before they are written to logs.
+  # Redacts known sensitive keys in hashes and token patterns in strings.
+  module LogFilter
+    SENSITIVE_KEYS = %w[
+      authorization x-api-key api_key apikey token jwt_token
+      password secret cookie set-cookie x-jwt-token
+    ].freeze
+
+    FILTERED = "[FILTERED]"
+
+    # Bearer/Basic token pattern: "Bearer <token>" or "Basic <token>"
+    TOKEN_PATTERN = /\b(Bearer|Basic|API-Key)\s+\S+/i
+
+    module_function
+
+    # Deep-redacts sensitive keys from a hash.
+    # @param hash [Hash] the hash to filter
+    # @return [Hash] a copy with sensitive values replaced by "[FILTERED]"
+    def filter_hash(hash)
+      return hash unless hash.is_a?(Hash)
+
+      hash.each_with_object({}) do |(key, value), filtered|
+        str_key = key.to_s.downcase
+        filtered[key] = if SENSITIVE_KEYS.include?(str_key)
+                          FILTERED
+                        elsif value.is_a?(Hash)
+                          filter_hash(value)
+                        elsif value.is_a?(String)
+                          filter_string(value)
+                        else
+                          value
+                        end
+      end
+    end
+
+    # Redacts Bearer/Basic/API-Key token patterns in a string.
+    # @param str [String] the string to filter
+    # @return [String] the filtered string
+    def filter_string(str)
+      return str unless str.is_a?(String)
+
+      str.gsub(TOKEN_PATTERN, '\1 [FILTERED]')
+    end
+  end
+end

data/lib/vector_mcp/security/strategies/api_key.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "openssl"
+
 module VectorMCP
   module Security
     module Strategies
@@ -10,8 +12,10 @@ module VectorMCP
 
         # Initialize with a list of valid API keys
         # @param keys [Array<String>] array of valid API keys
-        def initialize(keys: [])
+        # @param allow_query_params [Boolean] whether to accept API keys from query parameters (default: false)
+        def initialize(keys: [], allow_query_params: false)
           @valid_keys = Set.new(keys.map(&:to_s))
+          @allow_query_params = allow_query_params
         end
 
         # Add a valid API key
@@ -33,7 +37,7 @@ module VectorMCP
           api_key = extract_api_key(request)
           return false unless api_key&.length&.positive?
 
-          if @valid_keys.include?(api_key)
+          if secure_key_match?(api_key)
             {
               api_key: api_key,
               strategy: "api_key",
@@ -58,14 +62,33 @@ module VectorMCP
 
         private
 
+        # Constant-time comparison of API key against all valid keys.
+        # Iterates all keys to prevent timing side-channels.
+        # @param candidate [String] the API key to check
+        # @return [Boolean] true if the candidate matches a valid key
+        def secure_key_match?(candidate)
+          matched = false
+          @valid_keys.each do |valid_key|
+            next unless candidate.bytesize == valid_key.bytesize
+
+            matched = true if OpenSSL.fixed_length_secure_compare(candidate, valid_key)
+          end
+          matched
+        end
+
         # Extract API key from various request formats
         # @param request [Hash] the request object
         # @return [String, nil] the extracted API key
         def extract_api_key(request)
           headers = normalize_headers(request)
-          params = normalize_params(request)
 
-          extract_from_headers(headers) || extract_from_params(params)
+          from_headers = extract_from_headers(headers)
+          return from_headers if from_headers
+
+          return nil unless @allow_query_params
+
+          params = normalize_params(request)
+          extract_from_params(params)
         end
 
         # Normalize headers to handle different formats

data/lib/vector_mcp/security/strategies/jwt_token.rb

@@ -17,12 +17,14 @@ module VectorMCP
         # Initialize JWT strategy
         # @param secret [String] the secret key for JWT verification
         # @param algorithm [String] the JWT algorithm (default: HS256)
+        # @param allow_query_params [Boolean] whether to accept JWT tokens from query parameters (default: false)
         # @param options [Hash] additional JWT verification options
-        def initialize(secret:, algorithm: "HS256", **options)
+        def initialize(secret:, algorithm: "HS256", allow_query_params: false, **options)
           raise LoadError, "JWT gem is required for JWT authentication strategy" unless defined?(JWT)
 
           @secret = secret
           @algorithm = algorithm
+          @allow_query_params = allow_query_params
           @options = {
             algorithm: @algorithm,
             verify_expiration: true,
@@ -82,11 +84,14 @@ module VectorMCP
         # @return [String, nil] the extracted token
         def extract_token(request)
           headers = request[:headers] || request["headers"] || {}
-          params = request[:params] || request["params"] || {}
 
-          extract_from_auth_header(headers) ||
-            extract_from_jwt_header(headers) ||
-            extract_from_params(params)
+          from_headers = extract_from_auth_header(headers) || extract_from_jwt_header(headers)
+          return from_headers if from_headers
+
+          return nil unless @allow_query_params
+
+          params = request[:params] || request["params"] || {}
+          extract_from_params(params)
         end
 
         # Extract token from Authorization header

data/lib/vector_mcp/server/message_handling.rb

@@ -21,10 +21,10 @@ module VectorMCP
         params = message["params"] || {}
 
         if id && method # Request
-          logger.debug("[#{session_id}] Request [#{id}]: #{method} with params: #{params.inspect}")
+          logger.debug("[#{session_id}] Request [#{id}]: #{method} with params: #{VectorMCP::LogFilter.filter_hash(params).inspect}")
           handle_request(id, method, params, session)
         elsif method # Notification
-          logger.debug("[#{session_id}] Notification: #{method} with params: #{params.inspect}")
+          logger.debug("[#{session_id}] Notification: #{method} with params: #{VectorMCP::LogFilter.filter_hash(params).inspect}")
           handle_notification(method, params, session)
           nil # Notifications do not have a return value to send back to client
         elsif id # Invalid: Has ID but no method

data/lib/vector_mcp/server.rb

@@ -190,7 +190,7 @@ module VectorMCP
 
       case strategy
       when :api_key
-        add_api_key_auth(options[:keys] || [])
+        add_api_key_auth(options[:keys] || [], allow_query_params: options[:allow_query_params] || false)
       when :jwt
         add_jwt_auth(options)
       when :custom
@@ -313,9 +313,10 @@ module VectorMCP
 
     # Add API key authentication strategy
     # @param keys [Array<String>] array of valid API keys
+    # @param allow_query_params [Boolean] whether to accept API keys from query parameters
     # @return [void]
-    def add_api_key_auth(keys)
-      strategy = Security::Strategies::ApiKey.new(keys: keys)
+    def add_api_key_auth(keys, allow_query_params: false)
+      strategy = Security::Strategies::ApiKey.new(keys: keys, allow_query_params: allow_query_params)
       @auth_manager.add_strategy(:api_key, strategy)
     end
 

data/lib/vector_mcp/transport/http_stream/event_store.rb

@@ -17,7 +17,7 @@ module VectorMCP
       # @api private
       class EventStore
         # Event data structure
-        Event = Struct.new(:id, :data, :type, :timestamp) do
+        Event = Struct.new(:id, :data, :type, :timestamp, :session_id) do
           def to_sse_format
             lines = []
             lines << "id: #{id}"
@@ -44,12 +44,13 @@ module VectorMCP
         #
         # @param data [String] The event data
         # @param type [String] The event type (optional)
+        # @param session_id [String, nil] The session ID to scope this event to
         # @return [String] The generated event ID
-        def store_event(data, type = nil)
+        def store_event(data, type = nil, session_id: nil)
           event_id = generate_event_id
           timestamp = Time.now
 
-          event = Event.new(event_id, data, type, timestamp)
+          event = Event.new(event_id, data, type, timestamp, session_id)
 
           # Add to events array
           @events.push(event)
@@ -69,21 +70,26 @@ module VectorMCP
           event_id
         end
 
-        # Retrieves events starting from a specific event ID.
+        # Retrieves events starting from a specific event ID, optionally filtered by session.
         #
         # @param last_event_id [String] The last event ID received by client
+        # @param session_id [String, nil] Filter events to this session only
         # @return [Array<Event>] Array of events after the specified ID
-        def get_events_after(last_event_id)
-          return @events.to_a if last_event_id.nil?
+        def get_events_after(last_event_id, session_id: nil)
+          events = if last_event_id.nil?
+                     @events.to_a
+                   else
+                     last_index = @event_index[last_event_id]
+                     return [] if last_index.nil?
 
-          last_index = @event_index[last_event_id]
-          return [] if last_index.nil?
+                     start_index = last_index + 1
+                     return [] if start_index >= @events.length
 
-          # Return events after the last_event_id
-          start_index = last_index + 1
-          return [] if start_index >= @events.length
+                     @events[start_index..]
+                   end
 
-          @events[start_index..]
+          events = events.select { |e| e.session_id == session_id } if session_id
+          events
         end
 
         # Gets the total number of stored events.

data/lib/vector_mcp/transport/http_stream/session_manager.rb

@@ -75,7 +75,9 @@ module VectorMCP
           session
         end
 
-        # Override to add rack_env support
+        # Override to add rack_env support.
+        # Returns nil when a session_id is provided but not found (expired or unknown).
+        # Callers are responsible for returning 404 in that case.
         def get_or_create_session(session_id = nil, rack_env = nil)
           if session_id
             session = get_session(session_id)
@@ -88,8 +90,8 @@ module VectorMCP
               return session
             end
 
-            # If session_id was provided but not found, create with that ID
-            return create_session(session_id, rack_env)
+            # Session ID provided but not found — signal 404 to caller
+            return nil
           end
 
           create_session(nil, rack_env)

data/lib/vector_mcp/transport/http_stream/stream_handler.rb

@@ -68,7 +68,7 @@ module VectorMCP
           begin
             # Store event for resumability
             event_data = message.to_json
-            event_id = @transport.event_store.store_event(event_data, "message")
+            event_id = @transport.event_store.store_event(event_data, "message", session_id: session.id)
 
             # Send via SSE
             sse_event = format_sse_event(event_data, "message", event_id)
@@ -172,23 +172,24 @@ module VectorMCP
             }
           }
 
-          event_id = @transport.event_store.store_event(connection_event.to_json, "connection")
+          event_id = @transport.event_store.store_event(connection_event.to_json, "connection", session_id: session.id)
           yielder << format_sse_event(connection_event.to_json, "connection", event_id)
 
           # Replay missed events if resuming
-          replay_events(yielder, last_event_id) if last_event_id
+          replay_events(yielder, last_event_id, session) if last_event_id
 
           # Send periodic keep-alive events
           keep_alive_loop(session, yielder)
         end
 
-        # Replays events after a specific event ID.
+        # Replays events after a specific event ID, scoped to the session.
         #
         # @param yielder [Enumerator::Yielder] The SSE yielder
         # @param last_event_id [String] The last event ID received by client
+        # @param session [SessionManager::Session] The session to filter events for
         # @return [void]
-        def replay_events(yielder, last_event_id)
-          missed_events = @transport.event_store.get_events_after(last_event_id)
+        def replay_events(yielder, last_event_id, session)
+          missed_events = @transport.event_store.get_events_after(last_event_id, session_id: session.id)
 
           logger.info("Replaying #{missed_events.length} missed events from #{last_event_id}")
 
@@ -226,7 +227,7 @@ module VectorMCP
             }
 
             begin
-              event_id = @transport.event_store.store_event(heartbeat_event.to_json, "heartbeat")
+              event_id = @transport.event_store.store_event(heartbeat_event.to_json, "heartbeat", session_id: session.id)
               yielder << format_sse_event(heartbeat_event.to_json, "heartbeat", event_id)
             rescue StandardError
               logger.debug("Heartbeat failed for #{session.id}, connection likely closed")

data/lib/vector_mcp/transport/http_stream.rb

@@ -330,28 +330,122 @@ module VectorMCP
       # @param env [Hash] The Rack environment
       # @return [Array] Rack response triplet
       def handle_post_request(env)
-        session_id = extract_session_id(env)
-        session = @session_manager.get_or_create_session(session_id, env)
+        unless valid_post_accept?(env)
+          logger.warn { "POST request with unsupported Accept header: #{env["HTTP_ACCEPT"]}" }
+          return not_acceptable_response("Not Acceptable: POST requires Accept: application/json")
+        end
 
+        session_id = extract_session_id(env)
         request_body = read_request_body(env)
-        message = parse_json_message(request_body)
+        parsed = parse_json_message(request_body)
+
+        session = resolve_session_for_post(session_id, parsed, env)
+        return session if session.is_a?(Array) # Rack error response
+
+        if parsed.is_a?(Array)
+          handle_batch_request(parsed, session)
+        else
+          handle_single_request(parsed, session, env)
+        end
+      rescue JSON::ParserError => e
+        json_error_response(nil, -32_700, "Parse error", { details: e.message })
+      end
 
-        # Check if this is a response to a server-initiated request
+      # Handles a single JSON-RPC message from a POST request.
+      #
+      # @param message [Hash] Parsed JSON-RPC message
+      # @param session [Session] The resolved session
+      # @param env [Hash] The Rack environment
+      # @return [Array] Rack response triplet
+      def handle_single_request(message, session, env)
         if outgoing_response?(message)
           handle_outgoing_response(message)
-          # For responses, return 202 Accepted with no body
           return [202, { "Mcp-Session-Id" => session.id }, []]
         end
 
         result = @server.handle_message(message, session.context, session.id)
+        build_rpc_response(env, result, message["id"], session.id)
+      rescue VectorMCP::ProtocolError => e
+        build_protocol_error_response(env, e, session_id: session.id)
+      end
 
-        # Set session ID header in response
-        headers = { "Mcp-Session-Id" => session.id }
-        json_rpc_response(result, message["id"], headers)
+      # Handles a batch of JSON-RPC messages per JSON-RPC 2.0 spec.
+      #
+      # @param messages [Array] Array of parsed JSON-RPC messages
+      # @param session [Session] The resolved session
+      # @return [Array] Rack response triplet
+      def handle_batch_request(messages, session)
+        return json_error_response(nil, -32_600, "Invalid Request", { details: "Empty batch" }) if messages.empty?
+
+        responses = messages.filter_map do |message|
+          next batch_invalid_item_error unless message.is_a?(Hash)
+
+          process_batch_item(message, session)
+        end
+
+        return [204, { "Mcp-Session-Id" => session.id }, []] if responses.empty?
+
+        headers = { "Content-Type" => "application/json", "Mcp-Session-Id" => session.id }
+        [200, headers, [responses.to_json]]
+      end
+
+      # Processes a single item within a batch request.
+      #
+      # @param message [Hash] A single JSON-RPC message
+      # @param session [Session] The resolved session
+      # @return [Hash, nil] Response hash or nil for notifications/outgoing responses
+      def process_batch_item(message, session)
+        if outgoing_response?(message)
+          handle_outgoing_response(message)
+          return nil
+        end
+
+        result = @server.handle_message(message, session.context, session.id)
+        return nil if result.nil? && message["id"].nil?
+
+        { jsonrpc: "2.0", id: message["id"], result: result }
       rescue VectorMCP::ProtocolError => e
-        json_error_response(e.request_id, e.code, e.message, e.details)
-      rescue JSON::ParserError => e
-        json_error_response(nil, -32_700, "Parse error", { details: e.message })
+        { jsonrpc: "2.0", id: e.request_id, error: { code: e.code, message: e.message, data: e.details } }
+      rescue StandardError => e
+        { jsonrpc: "2.0", id: message["id"],
+          error: { code: -32_603, message: "Internal error", data: { details: e.message } } }
+      end
+
+      # Returns an error object for non-Hash items in a batch.
+      #
+      # @return [Hash] JSON-RPC error object
+      def batch_invalid_item_error
+        { jsonrpc: "2.0", id: nil, error: { code: -32_600, message: "Invalid Request" } }
+      end
+
+      # Resolves or creates the session for a POST request following MCP spec rules:
+      # - session_id present and known  → return existing session (updating request context)
+      # - session_id present but unknown/expired → 404 Not Found
+      # - no session_id + initialize request → create new session
+      # - no session_id + other request → 400 Bad Request
+      #
+      # @param session_id [String, nil] Client-supplied Mcp-Session-Id header value
+      # @param message [Hash, Array] Parsed JSON-RPC message or batch array
+      # @param env [Hash] Rack environment
+      # @return [Session, Array] Session object or Rack error response triplet
+      def resolve_session_for_post(session_id, message, env)
+        first_message = message.is_a?(Array) ? message.first : message
+        is_initialize = first_message.is_a?(Hash) && first_message["method"] == "initialize"
+
+        if session_id
+          session = @session_manager.get_session(session_id)
+          return not_found_response("Unknown or expired session") unless session
+
+          if env
+            request_context = VectorMCP::RequestContext.from_rack_env(env, "http_stream")
+            session.context.request_context = request_context
+          end
+          session
+        elsif is_initialize
+          @session_manager.create_session(nil, env)
+        else
+          bad_request_response("Missing Mcp-Session-Id header")
+        end
       end
 
       # Handles GET requests (SSE streaming)
@@ -359,6 +453,11 @@ module VectorMCP
       # @param env [Hash] The Rack environment
       # @return [Array] Rack response triplet
       def handle_get_request(env)
+        unless valid_get_accept?(env)
+          logger.warn { "GET request with unsupported Accept header: #{env["HTTP_ACCEPT"]}" }
+          return not_acceptable_response("Not Acceptable: GET requires Accept: text/event-stream")
+        end
+
         session_id = extract_session_id(env)
         return bad_request_response("Missing Mcp-Session-Id header") unless session_id
 
@@ -469,8 +568,73 @@ module VectorMCP
         [400, { "Content-Type" => "application/json" }, [response.to_json]]
       end
 
-      def not_found_response
-        [404, { "Content-Type" => "text/plain" }, ["Not Found"]]
+      def build_rpc_response(env, result, request_id, session_id)
+        headers = { "Mcp-Session-Id" => session_id }
+        if client_accepts_sse?(env)
+          sse_rpc_response(result, request_id, headers, session_id: session_id)
+        else
+          json_rpc_response(result, request_id, headers)
+        end
+      end
+
+      def build_protocol_error_response(env, error, session_id: nil)
+        if client_accepts_sse?(env)
+          sse_error_response(error.request_id, error.code, error.message, error.details, session_id: session_id)
+        else
+          json_error_response(error.request_id, error.code, error.message, error.details)
+        end
+      end
+
+      def client_accepts_sse?(env)
+        accept = env["HTTP_ACCEPT"] || ""
+        accept.include?("text/event-stream")
+      end
+
+      def format_sse_event(data, type, event_id)
+        lines = []
+        lines << "id: #{event_id}"
+        lines << "event: #{type}" if type
+        lines << "data: #{data}"
+        lines << ""
+        "#{lines.join("\n")}\n"
+      end
+
+      def sse_rpc_response(result, request_id, headers = {}, session_id: nil)
+        response = { jsonrpc: "2.0", id: request_id, result: result }
+        event_data = response.to_json
+
+        event_id = @event_store.store_event(event_data, "message", session_id: session_id)
+        sse_event = format_sse_event(event_data, "message", event_id)
+
+        response_headers = {
+          "Content-Type" => "text/event-stream",
+          "Cache-Control" => "no-cache",
+          "Connection" => "keep-alive",
+          "X-Accel-Buffering" => "no"
+        }.merge(headers)
+
+        [200, response_headers, [sse_event]]
+      end
+
+      def sse_error_response(id, code, err_message, data = nil, session_id: nil)
+        error_obj = { code: code, message: err_message }
+        error_obj[:data] = data if data
+        response = { jsonrpc: "2.0", id: id, error: error_obj }
+        event_data = response.to_json
+
+        event_id = @event_store.store_event(event_data, "message", session_id: session_id)
+        sse_event = format_sse_event(event_data, "message", event_id)
+
+        response_headers = {
+          "Content-Type" => "text/event-stream",
+          "Cache-Control" => "no-cache"
+        }
+
+        [200, response_headers, [sse_event]]
+      end
+
+      def not_found_response(message = "Not Found")
+        [404, { "Content-Type" => "text/plain" }, [message]]
       end
 
       def bad_request_response(message = "Bad Request")
@@ -486,6 +650,24 @@ module VectorMCP
          ["Method Not Allowed"]]
       end
 
+      def not_acceptable_response(message = "Not Acceptable")
+        [406, { "Content-Type" => "text/plain" }, [message]]
+      end
+
+      def valid_post_accept?(env)
+        accept = env["HTTP_ACCEPT"]
+        return true if accept.nil? || accept.strip.empty?
+
+        accept.include?("application/json") || accept.include?("*/*")
+      end
+
+      def valid_get_accept?(env)
+        accept = env["HTTP_ACCEPT"]
+        return true if accept.nil? || accept.strip.empty?
+
+        accept.include?("text/event-stream") || accept.include?("*/*")
+      end
+
       # Validates the Origin header for security
       #
       # @param env [Hash] The Rack environment

data/lib/vector_mcp/transport/sse/client_connection.rb

@@ -71,7 +71,7 @@ module VectorMCP
 
           begin
             @message_queue.push(message)
-            logger.debug { "Message enqueued for client #{session_id}: #{message.inspect}" }
+            logger.debug { "Message enqueued for client #{session_id}: #{VectorMCP::LogFilter.filter_hash(message).inspect}" }
             true
           rescue ClosedQueueError
             logger.warn { "Attempted to enqueue message to closed queue for client #{session_id}" }

data/lib/vector_mcp/transport/sse/stream_manager.rb

@@ -65,7 +65,7 @@ module VectorMCP
                 sse_data = format_sse_event("message", json_message)
                 yielder << sse_data
 
-                logger.debug { "Streamed message to client #{client_conn.session_id}: #{json_message}" }
+                logger.debug { "Streamed message to client #{client_conn.session_id}: #{VectorMCP::LogFilter.filter_string(json_message)}" }
               rescue StandardError => e
                 logger.error { "Error streaming message to client #{client_conn.session_id}: #{e.message}" }
                 break

data/lib/vector_mcp/version.rb

@@ -2,5 +2,5 @@
 
 module VectorMCP
   # The current version of the VectorMCP gem.
-  VERSION = "0.3.3"
+  VERSION = "0.3.4"
 end

data/lib/vector_mcp.rb

@@ -8,6 +8,7 @@ require_relative "vector_mcp/errors"
 require_relative "vector_mcp/definitions"
 require_relative "vector_mcp/session"
 require_relative "vector_mcp/util"
+require_relative "vector_mcp/log_filter"
 require_relative "vector_mcp/image_util"
 require_relative "vector_mcp/handlers/core"
 require_relative "vector_mcp/transport/stdio"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vector_mcp
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.3.4
 platform: ruby
 authors:
 - Sergio Bayona
@@ -129,6 +129,7 @@ files:
 - lib/vector_mcp/errors.rb
 - lib/vector_mcp/handlers/core.rb
 - lib/vector_mcp/image_util.rb
+- lib/vector_mcp/log_filter.rb
 - lib/vector_mcp/logger.rb
 - lib/vector_mcp/middleware.rb
 - lib/vector_mcp/middleware/base.rb