vector_mcp 0.4.0 → 0.5.0

data/lib/vector_mcp/server.rb

@@ -72,7 +72,7 @@ module VectorMCP
     SUPPORTED_PROTOCOL_VERSIONS = %w[2025-11-25 2025-03-26 2024-11-05].freeze
 
     attr_reader :logger, :name, :version, :protocol_version, :tools, :resources, :prompts, :roots, :in_flight_requests,
-                :auth_manager, :authorization, :security_middleware, :middleware_manager
+                :auth_manager, :authorization, :security_middleware, :middleware_manager, :oauth_resource_metadata_url
     attr_accessor :transport
 
     # Initializes a new VectorMCP server.
@@ -122,6 +122,7 @@ module VectorMCP
       @auth_manager = Security::AuthManager.new
       @authorization = Security::Authorization.new
       @security_middleware = Security::Middleware.new(@auth_manager, @authorization)
+      @oauth_resource_metadata_url = nil
 
       # Initialize middleware manager
       @middleware_manager = Middleware::Manager.new
@@ -188,28 +189,18 @@ module VectorMCP
     # Enable authentication with specified strategy and configuration
     # @param strategy [Symbol] the authentication strategy (:api_key, :jwt, :custom)
     # @param options [Hash] strategy-specific configuration options
+    # @option options [String] :resource_metadata_url OAuth 2.1 protected resource metadata URL
+    #   (RFC 9728). When provided, unauthenticated requests to the HTTP Stream transport's MCP
+    #   endpoint return HTTP 401 with a +WWW-Authenticate: Bearer+ header pointing at this URL,
+    #   enabling MCP clients (e.g. Claude Desktop) to discover the authorization server and
+    #   initiate an OAuth 2.1 flow. When omitted (default), auth failures continue to surface
+    #   as JSON-RPC +-32401+ errors — existing behavior is preserved for non-OAuth deployments.
     # @return [void]
     def enable_authentication!(strategy: :api_key, **options, &block)
-      # Clear existing strategies when switching to a new configuration
       clear_auth_strategies unless @auth_manager.strategies.empty?
-
+      extract_oauth_metadata!(options)
       @auth_manager.enable!(default_strategy: strategy)
-
-      case strategy
-      when :api_key
-        add_api_key_auth(options[:keys] || [], allow_query_params: options[:allow_query_params] || false)
-      when :jwt
-        add_jwt_auth(options)
-      when :custom
-        handler = block || options[:handler]
-        raise ArgumentError, "Custom authentication strategy requires a handler block" unless handler
-
-        add_custom_auth(&handler)
-
-      else
-        raise ArgumentError, "Unknown authentication strategy: #{strategy}"
-      end
-
+      register_auth_strategy(strategy, options, block || options.delete(:handler))
       @logger.info("Authentication enabled with strategy: #{strategy}")
     end
 
@@ -217,6 +208,7 @@ module VectorMCP
     # @return [void]
     def disable_authentication!
       @auth_manager.disable!
+      @oauth_resource_metadata_url = nil
       @logger.info("Authentication disabled")
     end
 
@@ -318,6 +310,34 @@ module VectorMCP
 
     private
 
+    # Extract OAuth resource metadata URL from options before they reach strategy constructors
+    # @param options [Hash] the options hash (mutated — :resource_metadata_url is removed)
+    # @return [void]
+    def extract_oauth_metadata!(options)
+      @oauth_resource_metadata_url = options.delete(:resource_metadata_url)
+      warn_on_insecure_oauth_metadata_url(@oauth_resource_metadata_url)
+    end
+
+    # Register the appropriate auth strategy based on the strategy name
+    # @param strategy [Symbol] the strategy type
+    # @param options [Hash] strategy-specific options
+    # @param handler [Proc, nil] custom handler block (for :custom strategy)
+    # @return [void]
+    def register_auth_strategy(strategy, options, handler)
+      case strategy
+      when :api_key
+        add_api_key_auth(options[:keys] || [], allow_query_params: options[:allow_query_params] || false)
+      when :jwt
+        add_jwt_auth(options)
+      when :custom
+        raise ArgumentError, "Custom authentication strategy requires a handler block" unless handler
+
+        add_custom_auth(&handler)
+      else
+        raise ArgumentError, "Unknown authentication strategy: #{strategy}"
+      end
+    end
+
     # Add API key authentication strategy
     # @param keys [Array<String>] array of valid API keys
     # @param allow_query_params [Boolean] whether to accept API keys from query parameters
@@ -350,6 +370,20 @@ module VectorMCP
         @auth_manager.remove_strategy(strategy_name)
       end
     end
+
+    # Emit a warning when the OAuth resource metadata URL is not HTTPS.
+    # We don't raise because local development against http://localhost is a valid use case.
+    # @param url [String, nil] the configured metadata URL
+    # @return [void]
+    def warn_on_insecure_oauth_metadata_url(url)
+      return if url.nil?
+      return if url.start_with?("https://")
+
+      @logger.warn do
+        "[SECURITY] resource_metadata_url is not HTTPS (#{url}). " \
+          "Use HTTPS in production; plaintext is only acceptable for local development."
+      end
+    end
   end
 
   module Transport

data/lib/vector_mcp/token_store.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require "concurrent-ruby"
+require "securerandom"
+
+module VectorMCP
+  # Thread-safe bidirectional store mapping arbitrary string values to opaque
+  # tokens and back. The store has no knowledge of domain semantics: callers
+  # supply the prefix, and the store guarantees that the same (value, prefix)
+  # pair always yields the same token within its lifetime.
+  class TokenStore
+    # Regexp describing the token format emitted by {#tokenize}.
+    TOKEN_PATTERN = /\A[A-Z]+_[0-9A-F]{8}\z/
+
+    def initialize
+      @forward = Concurrent::Hash.new
+      @reverse = Concurrent::Hash.new
+      @mutex = Mutex.new
+    end
+
+    # Return an opaque token for +value+. Calling this repeatedly with the
+    # same +value+ and +prefix+ returns the same token.
+    #
+    # @param value [String] the value to tokenize.
+    # @param prefix [String] the token prefix (uppercase recommended).
+    # @return [String] a token of the form +"PREFIX_XXXXXXXX"+.
+    def tokenize(value, prefix:)
+      key = [prefix, value]
+      existing = @forward[key]
+      return existing if existing
+
+      @mutex.synchronize do
+        existing = @forward[key]
+        return existing if existing
+
+        token = generate_token(prefix)
+        # Populate the reverse map first so any thread that observes the
+        # token in @forward can always resolve it.
+        @reverse[token] = value
+        @forward[key] = token
+        token
+      end
+    end
+
+    # Resolve a token back to its original value.
+    #
+    # @param token [String] a token previously returned by {#tokenize}.
+    # @return [String, nil] the original value, or +nil+ if unknown.
+    def resolve(token)
+      @reverse[token]
+    end
+
+    # Predicate: does +string+ look like a token issued by this class?
+    # This check is purely structural and does not consult the store.
+    #
+    # @param string [Object] the value to test.
+    # @return [Boolean]
+    def token?(string)
+      string.is_a?(String) && TOKEN_PATTERN.match?(string)
+    end
+
+    # Remove all mappings. Intended for test teardown.
+    # @return [void]
+    def clear
+      @mutex.synchronize do
+        @forward.clear
+        @reverse.clear
+      end
+    end
+
+    private
+
+    def generate_token(prefix)
+      loop do
+        candidate = "#{prefix}_#{SecureRandom.hex(4).upcase}"
+        return candidate unless @reverse.key?(candidate)
+      end
+    end
+  end
+end

data/lib/vector_mcp/transport/http_stream/event_store.rb

@@ -36,7 +36,8 @@ module VectorMCP
         def initialize(max_events)
           @max_events = max_events
           @events = Concurrent::Array.new
-          @event_index = Concurrent::Hash.new # event_id -> index for fast lookup
+          @event_index = Concurrent::Hash.new # event_id -> logical position
+          @offset = 0 # number of events shifted off the front
           @current_sequence = Concurrent::AtomicFixnum.new(0)
         end
 
@@ -53,19 +54,15 @@ module VectorMCP
 
           event = Event.new(event_id, data, type, timestamp, session_id, stream_id)
 
-          # Add to events array
+          # Add to events array and record logical position
           @events.push(event)
-
-          # Update index
-          @event_index[event_id] = @events.length - 1
+          @event_index[event_id] = @offset + @events.length - 1
 
           # Maintain circular buffer
           if @events.length > @max_events
             removed_event = @events.shift
             @event_index.delete(removed_event.id)
-
-            # Update all indices after removal
-            @event_index.transform_values! { |index| index - 1 }
+            @offset += 1
           end
 
           event_id
@@ -81,13 +78,13 @@ module VectorMCP
           events = if last_event_id.nil?
                      @events.to_a
                    else
-                     last_index = @event_index[last_event_id]
-                     return [] if last_index.nil?
+                     logical = @event_index[last_event_id]
+                     return [] if logical.nil?
 
-                     start_index = last_index + 1
-                     return [] if start_index >= @events.length
+                     physical = logical - @offset + 1
+                     return [] if physical >= @events.length
 
-                     @events[start_index..]
+                     @events[physical..]
                    end
 
           events = events.select { |e| e.session_id == session_id } if session_id
@@ -100,10 +97,10 @@ module VectorMCP
         # @param event_id [String] The event ID to look up
         # @return [Event, nil] The stored event, or nil if it is no longer retained
         def get_event(event_id)
-          index = @event_index[event_id]
-          return nil if index.nil?
+          logical = @event_index[event_id]
+          return nil if logical.nil?
 
-          @events[index]
+          @events[logical - @offset]
         end
 
         # Gets the total number of stored events.
@@ -141,6 +138,7 @@ module VectorMCP
         def clear
           @events.clear
           @event_index.clear
+          @offset = 0
         end
 
         # Gets statistics about the event store.

data/lib/vector_mcp/transport/http_stream/session_manager.rb

@@ -70,24 +70,19 @@ module VectorMCP
         # @param transport [HttpStream] The parent transport instance
         # @param session_timeout [Integer] Session timeout in seconds
 
-        # Optimized session creation with reduced object allocation and faster context creation
+        # Creates a new session. RequestContext.from_rack_env handles nil
+        # rack_env by falling back to a minimal context, so we don't need to
+        # branch here.
         def create_session(session_id = nil, rack_env = nil)
           session_id ||= generate_session_id
           now = Time.now
 
-          # Optimize session context creation - use cached minimal context when rack_env is nil
-          session_context = if rack_env
-                              create_session_with_context(session_id, rack_env)
-                            else
-                              create_minimal_session_context(session_id)
-                            end
-
-          # Pre-allocate metadata hash for better performance
-          metadata = create_session_metadata
-
-          # Create internal session record with streaming connection metadata
-          session = Session.new(session_id, session_context, now, now, metadata)
+          request_context = VectorMCP::RequestContext.from_rack_env(rack_env, "http_stream")
+          session_context = VectorMCP::Session.new(
+            @transport.server, @transport, id: session_id, request_context: request_context
+          )
 
+          session = Session.new(session_id, session_context, now, now, create_session_metadata)
           @sessions[session_id] = session
 
           logger.info { "Session created: #{session_id}" }
@@ -116,19 +111,6 @@ module VectorMCP
           create_session(nil, rack_env)
         end
 
-        # Creates a VectorMCP::Session with proper request context from Rack environment
-        def create_session_with_context(session_id, rack_env)
-          request_context = VectorMCP::RequestContext.from_rack_env(rack_env, "http_stream")
-          VectorMCP::Session.new(@transport.server, @transport, id: session_id, request_context: request_context)
-        end
-
-        # Creates a minimal session context for each session (no caching to prevent contamination)
-        def create_minimal_session_context(session_id)
-          # Create a new minimal context for each session to prevent cross-session contamination
-          minimal_context = VectorMCP::RequestContext.minimal("http_stream")
-          VectorMCP::Session.new(@transport.server, @transport, id: session_id, request_context: minimal_context)
-        end
-
         # Terminates a session by ID.
         #
         # @param session_id [String] The session ID to terminate

data/lib/vector_mcp/transport/http_stream.rb

@@ -52,6 +52,8 @@ module VectorMCP
       DEFAULT_SESSION_TIMEOUT = 300 # 5 minutes
       DEFAULT_EVENT_RETENTION = 100 # Keep last 100 events for resumability
       DEFAULT_REQUEST_TIMEOUT = 30 # Default timeout for server-initiated requests
+      DEFAULT_MIN_THREADS = 4
+      DEFAULT_MAX_THREADS = 32
 
       # Default allowed origins — restrict to localhost by default for security.
       DEFAULT_ALLOWED_ORIGINS = %w[
@@ -72,6 +74,8 @@ module VectorMCP
       # @option options [String] :path_prefix ("/mcp") The base path for HTTP endpoints
       # @option options [Integer] :session_timeout (300) Session timeout in seconds
       # @option options [Integer] :event_retention (100) Number of events to retain for resumability
+      # @option options [Integer] :min_threads (4) Minimum Puma thread pool size
+      # @option options [Integer] :max_threads (32) Maximum Puma thread pool size
       # @option options [Array<String>] :allowed_origins Allowed origins for CORS validation.
       #   Defaults to localhost origins only. Pass ["*"] to allow all origins (NOT recommended for production).
       def initialize(server, options = {})
@@ -264,7 +268,7 @@ module VectorMCP
       #
       # @return [void]
       def start_puma_server
-        @puma_server = Puma::Server.new(self)
+        @puma_server = Puma::Server.new(self, nil, min_threads: @min_threads, max_threads: @max_threads)
         @puma_server.add_tcp_listener(@host, @port)
 
         @running = true
@@ -345,6 +349,7 @@ module VectorMCP
       # Validates origin and dispatches to the appropriate handler by HTTP method.
       def validate_and_dispatch(method, env)
         return forbidden_response("Origin not allowed") unless valid_origin?(env)
+        return unauthorized_oauth_response(env) if oauth_gate_should_reject?(env)
 
         case method
         when "POST"
@@ -358,6 +363,73 @@ module VectorMCP
         end
       end
 
+      # True when OAuth 2.1 resource server mode is enabled and the incoming
+      # request has not successfully authenticated. Opt-in: only activates when the
+      # server was configured with a +resource_metadata_url+ via +enable_authentication!+.
+      #
+      # @param env [Hash] The Rack environment
+      # @return [Boolean]
+      def oauth_gate_should_reject?(env)
+        return false unless oauth_resource_server_enabled?
+
+        !authenticate_transport_request(env).authenticated?
+      end
+
+      # @return [Boolean] true when the server is configured to act as an OAuth 2.1 resource server.
+      def oauth_resource_server_enabled?
+        return false unless @server.respond_to?(:oauth_resource_metadata_url)
+        return false if @server.oauth_resource_metadata_url.nil?
+
+        @server.auth_manager.required?
+      end
+
+      # Runs the configured authentication strategy against the Rack env and returns
+      # the resulting SessionContext. The request is normalized into the
+      # +{ headers:, params:, method:, path:, rack_env: }+ hash shape that the rest
+      # of the codebase's authentication pipeline uses (see
+      # +VectorMCP::Handlers::Core.extract_request_from_session+), so +:custom+
+      # strategy handlers see the same contract here as they do on the in-handler
+      # auth path. Errors in the strategy are logged and treated as unauthenticated
+      # rather than propagated, so a malformed token can never crash the request
+      # pipeline.
+      #
+      # @param env [Hash] The Rack environment
+      # @return [VectorMCP::Security::SessionContext]
+      def authenticate_transport_request(env)
+        normalized_request = @server.security_middleware.normalize_request(env)
+        @server.security_middleware.authenticate_request(normalized_request)
+      rescue StandardError => e
+        VectorMCP.logger_for("security").warn do
+          "OAuth transport auth strategy raised #{e.class}: #{e.message}"
+        end
+        VectorMCP::Security::SessionContext.anonymous
+      end
+
+      # Returns a 401 Rack response carrying a WWW-Authenticate header that points
+      # Claude Desktop (and other RFC 9728 clients) at the configured OAuth 2.1
+      # protected resource metadata document. The JSON-RPC error envelope in the
+      # body is for clients that parse bodies regardless of status code; the header
+      # and status are the parts that drive the discovery flow.
+      #
+      # @param env [Hash] The Rack environment
+      # @return [Array] Rack response triplet
+      def unauthorized_oauth_response(env)
+        VectorMCP.logger_for("security").info do
+          "OAuth 401 challenge issued for #{env["REQUEST_METHOD"]} #{env["PATH_INFO"]}"
+        end
+
+        header_value = %(Bearer realm="mcp", resource_metadata="#{@server.oauth_resource_metadata_url}")
+        body = {
+          jsonrpc: "2.0",
+          id: nil,
+          error: { code: -32_401, message: "Authentication required" }
+        }.to_json
+
+        [401,
+         { "Content-Type" => "application/json", "WWW-Authenticate" => header_value },
+         [body]]
+      end
+
       # Handles POST requests (client-to-server JSON-RPC)
       #
       # @param env [Hash] The Rack environment
@@ -762,15 +834,12 @@ module VectorMCP
 
       # Request tracking helpers for server-initiated requests
 
-      # Sets up tracking for an outgoing request using pooled condition variables.
+      # Sets up tracking for an outgoing request.
       #
       # @param request_id [String] The request ID to track
       # @return [void]
       def setup_request_tracking(request_id)
-        @request_mutex.synchronize do
-          # Create IVar for thread-safe request tracking (no race conditions)
-          @outgoing_request_ivars[request_id] = Concurrent::IVar.new
-        end
+        @outgoing_request_ivars[request_id] = Concurrent::IVar.new
       end
 
       # Waits for a response to an outgoing request.
@@ -781,11 +850,7 @@ module VectorMCP
       # @return [Hash] The response data
       # @raise [VectorMCP::SamplingTimeoutError] if timeout occurs
       def wait_for_response(request_id, method, timeout)
-        ivar = nil
-        @request_mutex.synchronize do
-          ivar = @outgoing_request_ivars[request_id]
-        end
-
+        ivar = @outgoing_request_ivars[request_id]
         return nil unless ivar
 
         begin
@@ -827,24 +892,11 @@ module VectorMCP
         response[:result]
       end
 
-      # Cleans up tracking for a request and returns condition variable to pool.
+      # Cleans up tracking for a request.
       #
       # @param request_id [String] The request ID to clean up
       # @return [void]
       def cleanup_request_tracking(request_id)
-        @request_mutex.synchronize do
-          cleanup_request_tracking_unsafe(request_id)
-        end
-      end
-
-      # Internal cleanup method that assumes mutex is already held.
-      # This prevents recursive locking when called from within synchronized blocks.
-      #
-      # @param request_id [String] The request ID to clean up
-      # @return [void]
-      # @api private
-      def cleanup_request_tracking_unsafe(request_id)
-        # Remove IVar for this request (no condition variable cleanup needed)
         @outgoing_request_ivars.delete(request_id)
       end
 
@@ -873,10 +925,7 @@ module VectorMCP
       def handle_outgoing_response(message)
         request_id = message["id"]
 
-        ivar = nil
-        @request_mutex.synchronize do
-          ivar = @outgoing_request_ivars[request_id]
-        end
+        ivar = @outgoing_request_ivars[request_id]
 
         unless ivar
           logger.debug { "Received response for request ID #{request_id} but no thread is waiting (likely timed out)" }
@@ -885,11 +934,6 @@ module VectorMCP
 
         # Convert keys to symbols for consistency and put response in IVar
         response_data = deep_transform_keys(message, &:to_sym)
-
-        # Store in both places for compatibility with tests
-        @outgoing_request_responses[request_id] = response_data
-
-        # IVar handles thread-safe response delivery - no race conditions possible
         if ivar.try_set(response_data)
           logger.debug { "Response delivered to waiting thread for request ID #{request_id}" }
         else
@@ -937,6 +981,8 @@ module VectorMCP
         @path_prefix = normalize_path_prefix(options[:path_prefix] || DEFAULT_PATH_PREFIX)
         @session_timeout = options[:session_timeout] || DEFAULT_SESSION_TIMEOUT
         @event_retention = options[:event_retention] || DEFAULT_EVENT_RETENTION
+        @min_threads = options[:min_threads] || DEFAULT_MIN_THREADS
+        @max_threads = options[:max_threads] || DEFAULT_MAX_THREADS
         @allowed_origins = options[:allowed_origins] || DEFAULT_ALLOWED_ORIGINS
         @mounted = options.fetch(:mounted, false)
 
@@ -960,11 +1006,7 @@ module VectorMCP
 
       # Initialize request tracking system and ID generation for server-initiated requests
       def initialize_request_tracking
-        # Use IVars for thread-safe request/response handling (eliminates condition variable races)
         @outgoing_request_ivars = Concurrent::Hash.new
-        # Keep compatibility with tests that expect @outgoing_request_responses
-        @outgoing_request_responses = Concurrent::Hash.new
-        @request_mutex = Mutex.new
         initialize_request_id_generation
       end
 
@@ -1008,10 +1050,7 @@ module VectorMCP
 
         logger.debug { "Cleaning up #{@outgoing_request_ivars.size} pending requests" }
 
-        @request_mutex.synchronize do
-          # IVars will timeout naturally, just clear the tracking
-          @outgoing_request_ivars.clear
-        end
+        @outgoing_request_ivars.clear
       end
 
       # Finds the first session with an active streaming connection.

data/lib/vector_mcp/util/token_sweeper.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module VectorMCP
+  module Util
+    # Stateless recursive traversal utility for parsed JSON-like structures.
+    #
+    # {.sweep} walks Hashes, Arrays, and String leaves, yielding each String
+    # value together with its parent Hash key (or the enclosing Hash key of
+    # the nearest containing Array). The block's return value replaces the
+    # String in the output. All other scalar types (Integer, Float, nil,
+    # Boolean, etc.) are returned unchanged and are not yielded.
+    #
+    # The method is purely functional: it never mutates the input structure
+    # and always returns a fresh Hash/Array spine when containers are
+    # encountered. Circular references are detected via an identity-compared
+    # visited set and the originally-referenced node is returned unchanged
+    # on cycles.
+    module TokenSweeper
+      # Traverse +obj+ and return a new structure with String leaves
+      # transformed by +block+.
+      #
+      # @param obj [Object] the object to sweep (typically Hash/Array/String/scalar).
+      # @yield [value, parent_key] invoked for each String leaf.
+      # @yieldparam value [String] the String value.
+      # @yieldparam parent_key [Object, nil] the Hash key under which +value+
+      #   lives, or +nil+ when the String is a top-level scalar; propagated
+      #   from the nearest containing Hash when inside Arrays.
+      # @yieldreturn [Object] the replacement value.
+      # @return [Object] the transformed structure.
+      def self.sweep(obj, &block)
+        raise ArgumentError, "TokenSweeper.sweep requires a block" unless block
+
+        walk(obj, nil, {}.compare_by_identity, &block)
+      end
+
+      class << self
+        private
+
+        def walk(obj, parent_key, visited, &)
+          case obj
+          when Hash  then walk_hash(obj, visited, &)
+          when Array then walk_array(obj, parent_key, visited, &)
+          when String then yield(obj, parent_key)
+          else obj
+          end
+        end
+
+        def walk_hash(hash, visited, &)
+          return hash if visited[hash]
+
+          visited[hash] = true
+          begin
+            hash.each_with_object({}) do |(key, value), out|
+              out[key] = walk(value, key, visited, &)
+            end
+          ensure
+            visited.delete(hash)
+          end
+        end
+
+        def walk_array(array, parent_key, visited, &)
+          return array if visited[array]
+
+          visited[array] = true
+          begin
+            array.map { |element| walk(element, parent_key, visited, &) }
+          ensure
+            visited.delete(array)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/vector_mcp/version.rb

@@ -2,5 +2,5 @@
 
 module VectorMCP
   # The current version of the VectorMCP gem.
-  VERSION = "0.4.0"
+  VERSION = "0.5.0"
 end

data/lib/vector_mcp.rb

@@ -8,6 +8,8 @@ require_relative "vector_mcp/errors"
 require_relative "vector_mcp/definitions"
 require_relative "vector_mcp/session"
 require_relative "vector_mcp/util"
+require_relative "vector_mcp/util/token_sweeper"
+require_relative "vector_mcp/token_store"
 require_relative "vector_mcp/log_filter"
 require_relative "vector_mcp/image_util"
 require_relative "vector_mcp/handlers/core"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vector_mcp
 version: !ruby/object:Gem::Version
-  version: 0.4.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Sergio Bayona
@@ -132,6 +132,7 @@ files:
 - lib/vector_mcp/log_filter.rb
 - lib/vector_mcp/logger.rb
 - lib/vector_mcp/middleware.rb
+- lib/vector_mcp/middleware/anonymizer.rb
 - lib/vector_mcp/middleware/base.rb
 - lib/vector_mcp/middleware/context.rb
 - lib/vector_mcp/middleware/hook.rb
@@ -142,6 +143,7 @@ files:
 - lib/vector_mcp/sampling/result.rb
 - lib/vector_mcp/security.rb
 - lib/vector_mcp/security/auth_manager.rb
+- lib/vector_mcp/security/auth_result.rb
 - lib/vector_mcp/security/authorization.rb
 - lib/vector_mcp/security/middleware.rb
 - lib/vector_mcp/security/session_context.rb
@@ -153,6 +155,7 @@ files:
 - lib/vector_mcp/server/message_handling.rb
 - lib/vector_mcp/server/registry.rb
 - lib/vector_mcp/session.rb
+- lib/vector_mcp/token_store.rb
 - lib/vector_mcp/tool.rb
 - lib/vector_mcp/transport/base_session_manager.rb
 - lib/vector_mcp/transport/http_stream.rb
@@ -160,6 +163,7 @@ files:
 - lib/vector_mcp/transport/http_stream/session_manager.rb
 - lib/vector_mcp/transport/http_stream/stream_handler.rb
 - lib/vector_mcp/util.rb
+- lib/vector_mcp/util/token_sweeper.rb
 - lib/vector_mcp/version.rb
 homepage: https://github.com/sergiobayona/vector_mcp
 licenses: