@blueprint-chart/mcp 0.1.1 → 0.1.3

package/dist/tools/validate.test.js

@@ -2,26 +2,31 @@ import { describe, expect, it } from 'vitest';
 import { samples } from '@blueprint-chart/lib';
 import { validateDsl } from './validate';
 describe('validate_dsl', () => {
-    it('returns ok for every shipped sample', () => {
+    it('returns valid: true with empty errors/warnings for every sample', () => {
         for (const s of samples) {
             const r = validateDsl({ source: s.dsl });
-            expect(r.ok, `sample "${s.id}" should validate`).toBe(true);
+            expect(r.ok, `sample ${s.id}`).toBe(true);
+            if (r.ok) {
+                expect(r.data.valid).toBe(true);
+                expect(r.data.errors).toEqual([]);
+                expect(r.data.warnings).toEqual([]);
+            }
         }
     });
-    it('returns parse error with line/column', () => {
-        const r = validateDsl({ source: 'chart not-a-real-thing\n@@@' });
-        expect(r.ok).toBe(false);
-        if (!r.ok) {
-            expect(r.code).toBe('E_PARSE');
-            expect(r.errors[0]?.line).toBeTypeOf('number');
+    it('returns valid: false with E_UNKNOWN_CHART_TYPE on chart bar', () => {
+        const r = validateDsl({ source: 'chart bar { data { "E" = 1 } }' });
+        expect(r.ok).toBe(true);
+        if (r.ok) {
+            expect(r.data.valid).toBe(false);
+            expect(r.data.errors[0].code).toBe('E_UNKNOWN_CHART_TYPE');
+            expect(r.data.errors[0].suggestion).toMatch(/^bar-/);
         }
     });
-    it('returns E_INPUT for non-string source', () => {
-        // @ts-expect-error testing runtime validation
-        const r = validateDsl({ source: null });
+    it('still surfaces PEG errors as E_PARSE (isError channel)', () => {
+        const r = validateDsl({ source: '@@@ not valid' });
         expect(r.ok).toBe(false);
         if (!r.ok) {
-            expect(r.code).toBe('E_INPUT');
+            expect(r.code).toBe('E_PARSE');
         }
     });
 });

package/dist/transports/http.d.ts

@@ -1,18 +1,20 @@
 export interface StartHttpOptions {
     port: number;
     host?: string;
-    /** If set, require `Authorization: Bearer <token>` on every /mcp request. */
+    /** If set, require `Authorization: Bearer <token>` on every request. */
     authToken?: string;
     /** Comma-resolved CORS allowlist. `'*'` allows any origin. Default: `'*'`. */
     allowedOrigins?: string[] | '*';
     /** Read `X-Forwarded-For` for client IP (enable when behind a reverse proxy). */
     trustProxy?: boolean;
-    /** Cap on concurrent `POST /mcp` requests. Default: 16. */
+    /** Cap on concurrent tool calls. Default: 16. */
     maxConcurrentRequests?: number;
     /** Per-IP token-bucket rate limit. Disabled when undefined or 0. */
     rateLimitPerMinute?: number;
     /** Suppress JSON access logs. Default: false (logs to stderr). */
     silent?: boolean;
+    /** If set, redirect GET / to this URL. Otherwise returns 404. */
+    rootRedirectUrl?: string;
 }
 export interface HttpHandle {
     url: string;

package/dist/transports/http.js

@@ -1,7 +1,36 @@
+import { SSEServerTransport } from '@modelcontextprotocol/sdk/server/sse.js';
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { isInitializeRequest } from '@modelcontextprotocol/sdk/types.js';
 import { createServer as createHttpServer, } from 'node:http';
 import { randomUUID } from 'node:crypto';
+import { readFile } from 'node:fs/promises';
+import { dirname, join } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { createServer } from '../server.js';
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const PUBLIC_DIR = join(__dirname, '..', '..', 'public');
+// Routes served from `public/`. `/favicon.ico` is mapped to the PNG file: modern
+// browsers identify image format by magic bytes, and shipping a real multi-size
+// ICO would add a build-time generator for no real benefit here.
+const STATIC_ROUTES = {
+    '/favicon.ico': { file: 'favicon.png', contentType: 'image/png' },
+    '/favicon.png': { file: 'favicon.png', contentType: 'image/png' },
+    '/favicon.svg': { file: 'favicon.svg', contentType: 'image/svg+xml' },
+    '/apple-touch-icon.png': { file: 'apple-touch-icon.png', contentType: 'image/png' },
+};
+async function loadStaticAssets() {
+    const cache = new Map();
+    for (const [route, asset] of Object.entries(STATIC_ROUTES)) {
+        try {
+            const body = await readFile(join(PUBLIC_DIR, asset.file));
+            cache.set(route, { body, contentType: asset.contentType });
+        }
+        catch {
+            // Asset missing → route stays unregistered; request will 404 as before.
+        }
+    }
+    return cache;
+}
 class Semaphore {
     available;
     waiters = [];
@@ -80,8 +109,9 @@ function applyCors(res, origin, allowed) {
         res.setHeader('Access-Control-Allow-Origin', origin);
         res.setHeader('Vary', 'Origin');
     }
-    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Mcp-Session-Id, Accept');
+    res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, DELETE');
+    res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Mcp-Session-Id, Mcp-Protocol-Version, Accept');
+    res.setHeader('Access-Control-Expose-Headers', 'Mcp-Session-Id, Mcp-Protocol-Version');
     res.setHeader('Access-Control-Max-Age', '86400');
 }
 function logEvent(silent, fields) {
@@ -95,12 +125,26 @@ function jsonResponse(res, status, body) {
     res.setHeader('Content-Type', 'application/json');
     res.end(JSON.stringify(body));
 }
+async function readRequestBody(req) {
+    const chunks = [];
+    for await (const chunk of req) {
+        chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    const raw = Buffer.concat(chunks).toString('utf8');
+    if (!raw) {
+        return undefined;
+    }
+    try {
+        return JSON.parse(raw);
+    }
+    catch {
+        return undefined;
+    }
+}
 export async function startHttp(opts) {
-    const transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => randomUUID(),
-    });
-    const server = createServer();
-    await server.connect(transport);
+    const sseSessions = new Map();
+    const streamableSessions = new Map();
+    const staticAssets = await loadStaticAssets();
     const allowedOrigins = opts.allowedOrigins ?? '*';
     const trustProxy = opts.trustProxy ?? false;
     const silent = opts.silent ?? false;
@@ -114,29 +158,69 @@ export async function startHttp(opts) {
     }
     const httpServer = createHttpServer(async (req, res) => {
         const started = Date.now();
-        const origin = req.headers.origin;
+        const rawUrl = req.url ?? '/';
+        const hostHeader = req.headers.host ?? 'unknown';
         const ip = getClientIp(req, trustProxy);
-        applyCors(res, origin, allowedOrigins);
-        // CORS preflight
+        const proto = trustProxy ? (req.headers['x-forwarded-proto'] ?? 'http') : 'http';
+        // Raw log for every single request
+        logEvent(silent, { event: 'raw_request', method: req.method, url: rawUrl, host: hostHeader, ip, proto });
+        applyCors(res, req.headers.origin, allowedOrigins);
+        // 1. Health check (Railway / load-balancer liveness probe)
+        if (rawUrl === '/healthz' || rawUrl === '/health') {
+            jsonResponse(res, 200, { status: 'ok' });
+            return;
+        }
+        // 2. CORS preflight (any path — claude.ai sends it before the actual POST)
         if (req.method === 'OPTIONS') {
+            logEvent(silent, { event: 'preflight', ip, headers: req.headers });
             res.statusCode = 204;
             res.end();
             return;
         }
-        // Health check (Railway / load-balancer liveness probe)
-        if (req.url === '/healthz' || req.url === '/health') {
-            jsonResponse(res, 200, { status: 'ok' });
+        const url = new URL(rawUrl, `${proto}://${hostHeader}`);
+        const pathname = url.pathname;
+        const normalizedPath = pathname.endsWith('/') && pathname !== '/' ? pathname.slice(0, -1) : pathname;
+        // 3. Static assets (favicon, etc.) — served unauthenticated so browsers can
+        //    fetch them even when MCP_AUTH_TOKEN is set on the MCP route.
+        if (req.method === 'GET' && staticAssets.has(normalizedPath)) {
+            const asset = staticAssets.get(normalizedPath);
+            res.statusCode = 200;
+            res.setHeader('Content-Type', asset.contentType);
+            res.setHeader('Cache-Control', 'public, max-age=86400');
+            res.end(asset.body);
             return;
         }
-        if (!req.url?.startsWith('/mcp')) {
+        // MCP lives at the root path. Everything else is 404.
+        if (normalizedPath !== '/') {
+            logEvent(silent, { event: 'path_not_found', path: pathname, ip, method: req.method });
+            jsonResponse(res, 404, { error: 'Not Found' });
+            return;
+        }
+        // Disambiguate MCP traffic from browser visits to GET /. MCP clients always
+        // POST/DELETE, or GET with `text/event-stream` or an `Mcp-Session-Id` header.
+        // A plain browser GET / (no MCP signals) falls back to the optional redirect.
+        const acceptHeader = String(req.headers.accept ?? '');
+        const isMcpRequest = req.method === 'POST'
+            || req.method === 'DELETE'
+            || (req.method === 'GET' && (Boolean(req.headers['mcp-session-id']) || acceptHeader.includes('text/event-stream')));
+        if (!isMcpRequest) {
+            if (req.method === 'GET' && opts.rootRedirectUrl) {
+                logEvent(silent, { event: 'root_redirect', ip, to: opts.rootRedirectUrl });
+                res.statusCode = 302;
+                res.setHeader('Location', opts.rootRedirectUrl);
+                res.end();
+                return;
+            }
+            logEvent(silent, { event: 'root_non_mcp', ip, method: req.method, accept: acceptHeader });
             jsonResponse(res, 404, { error: 'Not Found' });
             return;
         }
+        logEvent(silent, { event: 'incoming_request', method: req.method, path: pathname, ip, headers: req.headers });
         // Bearer token auth (off if MCP_AUTH_TOKEN not set)
         if (opts.authToken) {
             const auth = req.headers.authorization;
             if (auth !== `Bearer ${opts.authToken}`) {
-                logEvent(silent, { event: 'auth_rejected', ip, method: req.method });
+                logEvent(silent, { event: 'auth_rejected', ip, method: req.method, headers: req.headers });
                 jsonResponse(res, 401, { error: 'Unauthorized' });
                 return;
             }
@@ -148,23 +232,141 @@ export async function startHttp(opts) {
             jsonResponse(res, 429, { error: 'Too Many Requests' });
             return;
         }
-        // Concurrency cap on POST (tool calls); GET streams unrestricted
-        const cap = req.method === 'POST';
-        const release = cap ? await semaphore.acquire() : undefined;
         try {
-            await transport.handleRequest(req, res);
+            const streamableSessionHeader = req.headers['mcp-session-id'];
+            const streamableSessionId = Array.isArray(streamableSessionHeader)
+                ? streamableSessionHeader[0]
+                : streamableSessionHeader;
+            if (req.method === 'GET') {
+                // Streamable HTTP GETs always include the Mcp-Session-Id header — they're
+                // a server→client SSE notification stream for an established session.
+                // Legacy SSE GETs are the bootstrap and have no session header.
+                if (streamableSessionId) {
+                    const transport = streamableSessions.get(streamableSessionId);
+                    if (!transport) {
+                        logEvent(silent, { event: 'streamable_get_invalid_session', ip, sessionId: streamableSessionId });
+                        jsonResponse(res, 404, { error: 'Unknown session' });
+                        return;
+                    }
+                    logEvent(silent, { event: 'streamable_get', ip, sessionId: streamableSessionId });
+                    await transport.handleRequest(req, res);
+                }
+                else {
+                    const transport = new SSEServerTransport('/', res);
+                    const sessionId = transport.sessionId;
+                    sseSessions.set(sessionId, transport);
+                    transport.onclose = () => {
+                        logEvent(silent, { event: 'sse_closed', sessionId });
+                        sseSessions.delete(sessionId);
+                    };
+                    // Connect a fresh server instance per SSE session to avoid state contamination
+                    const sessionServer = createServer();
+                    await sessionServer.connect(transport);
+                    await transport.start(); // Mandatory to start the stream!
+                    logEvent(silent, { event: 'sse_connected', ip, sessionId, headers: req.headers });
+                }
+            }
+            else if (req.method === 'DELETE') {
+                // Streamable HTTP session termination — client signals it's done with the session.
+                if (streamableSessionId) {
+                    const transport = streamableSessions.get(streamableSessionId);
+                    if (transport) {
+                        logEvent(silent, { event: 'streamable_delete', ip, sessionId: streamableSessionId });
+                        await transport.handleRequest(req, res);
+                    }
+                    else {
+                        jsonResponse(res, 404, { error: 'Unknown session' });
+                    }
+                }
+                else {
+                    jsonResponse(res, 400, { error: 'Mcp-Session-Id header required for DELETE' });
+                }
+            }
+            else if (req.method === 'POST') {
+                const sseSessionId = url.searchParams.get('sessionId');
+                if (sseSessionId) {
+                    // Legacy SSE POST: messages flow over the open SSE stream identified by sessionId query param.
+                    const transport = sseSessions.get(sseSessionId);
+                    if (!transport) {
+                        logEvent(silent, { event: 'sse_post_invalid_session', ip, sessionId: sseSessionId });
+                        jsonResponse(res, 400, { error: 'Invalid sessionId' });
+                        return;
+                    }
+                    logEvent(silent, { event: 'sse_post', ip, sessionId: sseSessionId });
+                    const release = await semaphore.acquire();
+                    try {
+                        await transport.handlePostMessage(req, res);
+                    }
+                    finally {
+                        release();
+                    }
+                }
+                else {
+                    // Streamable HTTP POST: either an initialize bootstrap (no Mcp-Session-Id yet)
+                    // or a follow-up request on an existing session (Mcp-Session-Id in headers).
+                    const body = await readRequestBody(req);
+                    const release = await semaphore.acquire();
+                    try {
+                        if (streamableSessionId) {
+                            const transport = streamableSessions.get(streamableSessionId);
+                            if (!transport) {
+                                logEvent(silent, { event: 'streamable_post_invalid_session', ip, sessionId: streamableSessionId });
+                                jsonResponse(res, 404, { error: 'Unknown session' });
+                                return;
+                            }
+                            logEvent(silent, { event: 'streamable_post', ip, sessionId: streamableSessionId });
+                            await transport.handleRequest(req, res, body);
+                        }
+                        else if (isInitializeRequest(body)) {
+                            // Per-session transport: each initialize starts a fresh session with its own
+                            // server instance. The SDK assigns the session ID and we register the transport
+                            // in the map via onsessioninitialized so subsequent POST/GET/DELETE can find it.
+                            const transport = new StreamableHTTPServerTransport({
+                                sessionIdGenerator: () => randomUUID(),
+                                onsessioninitialized: (sid) => {
+                                    streamableSessions.set(sid, transport);
+                                    logEvent(silent, { event: 'streamable_session_initialized', sessionId: sid });
+                                },
+                            });
+                            transport.onclose = () => {
+                                if (transport.sessionId) {
+                                    streamableSessions.delete(transport.sessionId);
+                                    logEvent(silent, { event: 'streamable_session_closed', sessionId: transport.sessionId });
+                                }
+                            };
+                            const sessionServer = createServer();
+                            await sessionServer.connect(transport);
+                            logEvent(silent, { event: 'streamable_init', ip });
+                            await transport.handleRequest(req, res, body);
+                        }
+                        else {
+                            jsonResponse(res, 400, {
+                                jsonrpc: '2.0',
+                                error: { code: -32600, message: 'Invalid Request: missing Mcp-Session-Id and not an initialize request' },
+                                id: null,
+                            });
+                        }
+                    }
+                    finally {
+                        release();
+                    }
+                }
+            }
+            else {
+                jsonResponse(res, 405, { error: 'Method Not Allowed' });
+            }
         }
         catch (err) {
             const message = err instanceof Error ? err.message : String(err);
-            logEvent(silent, { event: 'transport_error', ip, method: req.method, message });
+            const stack = err instanceof Error ? err.stack : undefined;
+            logEvent(silent, { event: 'transport_error', ip, method: req.method, message, stack });
             if (!res.headersSent) {
                 jsonResponse(res, 500, { error: 'Internal Server Error' });
             }
         }
         finally {
-            release?.();
             logEvent(silent, {
-                event: 'request',
+                event: 'request_finished',
                 ip,
                 method: req.method,
                 path: req.url,
@@ -185,7 +387,14 @@ export async function startHttp(opts) {
             if (pruneTimer) {
                 clearInterval(pruneTimer);
             }
-            await transport.close();
+            for (const transport of streamableSessions.values()) {
+                await transport.close();
+            }
+            streamableSessions.clear();
+            for (const transport of sseSessions.values()) {
+                await transport.close();
+            }
+            sseSessions.clear();
             httpServer.closeAllConnections();
             await new Promise((resolve, reject) => httpServer.close(err => (err ? reject(err) : resolve())));
         },

package/dist/transports/http.test.js

@@ -10,14 +10,33 @@ async function withServer(opts, fn) {
     }
 }
 describe('http transport', () => {
-    it('responds to /mcp tools/list with status < 500', async () => {
+    it('responds to root tools/list after establishing SSE', async () => {
         await withServer({ port: 0 }, async (url) => {
-            const res = await fetch(`${url}/mcp`, {
+            // 1. Establish SSE session
+            const sseRes = await fetch(`${url}/`, {
+                headers: { accept: 'text/event-stream' },
+            });
+            expect(sseRes.status).toBe(200);
+            const reader = sseRes.body?.getReader();
+            if (!reader) {
+                throw new Error('No reader');
+            }
+            const { value } = await reader.read();
+            const text = new TextDecoder().decode(value);
+            const sessionIdMatch = text.match(/sessionId=([a-zA-Z0-9-]+)/);
+            if (!sessionIdMatch) {
+                throw new Error(`No sessionId in SSE: ${text}`);
+            }
+            const sessionId = sessionIdMatch[1];
+            // 2. Post message using sessionId
+            const res = await fetch(`${url}/?sessionId=${sessionId}`, {
                 method: 'POST',
                 headers: { 'content-type': 'application/json', 'accept': 'application/json' },
                 body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/list', params: {} }),
             });
-            expect(res.status).toBeLessThan(500);
+            expect(res.status).toBe(202); // SSEServerTransport returns 202 for POSTs
+            // Cleanup
+            await reader.cancel();
         });
     });
     it('serves /healthz returning {status:"ok"}', async () => {
@@ -34,52 +53,169 @@ describe('http transport', () => {
             expect(res.status).toBe(404);
         });
     });
+    it('returns 404 for / by default', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/`);
+            expect(res.status).toBe(404);
+        });
+    });
+    it('redirects plain GET / to rootRedirectUrl when set', async () => {
+        const rootRedirectUrl = 'https://example.com';
+        await withServer({ port: 0, rootRedirectUrl }, async (url) => {
+            const res = await fetch(`${url}/`, { redirect: 'manual' });
+            expect(res.status).toBe(302);
+            expect(res.headers.get('location')).toBe(rootRedirectUrl);
+        });
+    });
+    it('routes MCP traffic to / even when rootRedirectUrl is set', async () => {
+        // The key co-existence test: a configured root redirect must NOT swallow
+        // MCP requests. POSTs always count as MCP; the redirect only fires for
+        // browser-style GETs.
+        await withServer({ port: 0, rootRedirectUrl: 'https://example.com' }, async (url) => {
+            const res = await fetch(`${url}/`, {
+                method: 'POST',
+                headers: { 'content-type': 'application/json', 'accept': 'application/json, text/event-stream' },
+                body: JSON.stringify({
+                    jsonrpc: '2.0',
+                    id: 1,
+                    method: 'initialize',
+                    params: { protocolVersion: '2024-11-05', capabilities: {}, clientInfo: { name: 't', version: '0' } },
+                }),
+            });
+            expect(res.status).toBe(200);
+            expect(res.headers.get('mcp-session-id')).toMatch(/^[0-9a-f-]{36}$/);
+        });
+    });
+    it('routes GET / with text/event-stream as MCP SSE even when rootRedirectUrl is set', async () => {
+        await withServer({ port: 0, rootRedirectUrl: 'https://example.com' }, async (url) => {
+            const res = await fetch(`${url}/`, {
+                headers: { accept: 'text/event-stream' },
+                redirect: 'manual',
+            });
+            expect(res.status).toBe(200);
+            expect(res.headers.get('content-type')).toMatch(/text\/event-stream/);
+            await res.body?.cancel();
+        });
+    });
     it('handles CORS preflight (OPTIONS)', async () => {
         await withServer({ port: 0 }, async (url) => {
-            const res = await fetch(`${url}/mcp`, { method: 'OPTIONS' });
+            const res = await fetch(`${url}/`, { method: 'OPTIONS' });
             expect(res.status).toBe(204);
             expect(res.headers.get('access-control-allow-methods')).toMatch(/POST/);
         });
     });
-    it('rejects /mcp without token when authToken is set', async () => {
-        await withServer({ port: 0, authToken: 'secret' }, async (url) => {
-            const res = await fetch(`${url}/mcp`, {
+    it('rejects POST without sessionId and not an initialize request', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/`, {
                 method: 'POST',
                 headers: { 'content-type': 'application/json', 'accept': 'application/json' },
                 body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/list', params: {} }),
             });
-            expect(res.status).toBe(401);
+            // Non-initialize POSTs without an Mcp-Session-Id header are invalid; the
+            // transport returns 400 Bad Request with a JSON-RPC error envelope.
+            expect(res.status).toBe(400);
+            const body = await res.json();
+            expect(body.error?.code).toBe(-32600);
+            expect(body.error?.message).toMatch(/Mcp-Session-Id|initialize/i);
         });
     });
-    it('accepts /mcp with correct bearer token', async () => {
-        await withServer({ port: 0, authToken: 'secret' }, async (url) => {
-            const res = await fetch(`${url}/mcp`, {
+    it('accepts POST initialize and returns a Mcp-Session-Id', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/`, {
                 method: 'POST',
                 headers: {
                     'content-type': 'application/json',
-                    'accept': 'application/json',
-                    'authorization': 'Bearer secret',
+                    'accept': 'application/json, text/event-stream',
                 },
-                body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/list', params: {} }),
+                body: JSON.stringify({
+                    jsonrpc: '2.0',
+                    id: 1,
+                    method: 'initialize',
+                    params: { protocolVersion: '2024-11-05', capabilities: {}, clientInfo: { name: 't', version: '0' } },
+                }),
             });
-            expect(res.status).toBeLessThan(500);
-            expect(res.status).not.toBe(401);
+            expect(res.status).toBe(200);
+            expect(res.headers.get('mcp-session-id')).toMatch(/^[0-9a-f-]{36}$/);
         });
     });
-    it('rate-limits /mcp by IP', async () => {
-        await withServer({ port: 0, rateLimitPerMinute: 2 }, async (url) => {
-            const hit = async () => fetch(`${url}/mcp`, {
+    it('rejects POST with invalid sessionId', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/?sessionId=nope`, {
                 method: 'POST',
                 headers: { 'content-type': 'application/json', 'accept': 'application/json' },
                 body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/list', params: {} }),
             });
+            expect(res.status).toBe(400);
+        });
+    });
+    it('rejects SSE without token when authToken is set', async () => {
+        await withServer({ port: 0, authToken: 'secret' }, async (url) => {
+            const res = await fetch(`${url}/`, {
+                headers: { accept: 'text/event-stream' },
+            });
+            expect(res.status).toBe(401);
+        });
+    });
+    it('accepts SSE with correct bearer token', async () => {
+        await withServer({ port: 0, authToken: 'secret' }, async (url) => {
+            const res = await fetch(`${url}/`, {
+                headers: {
+                    accept: 'text/event-stream',
+                    authorization: 'Bearer secret',
+                },
+            });
+            expect(res.status).toBe(200);
+            await res.body?.cancel();
+        });
+    });
+    it('serves /favicon.svg with image/svg+xml', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/favicon.svg`);
+            expect(res.status).toBe(200);
+            expect(res.headers.get('content-type')).toBe('image/svg+xml');
+            const body = await res.text();
+            expect(body).toContain('<svg');
+        });
+    });
+    it('serves /favicon.ico as PNG (modern browsers identify by magic bytes)', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/favicon.ico`);
+            expect(res.status).toBe(200);
+            expect(res.headers.get('content-type')).toBe('image/png');
+            const body = new Uint8Array(await res.arrayBuffer());
+            // PNG magic: 89 50 4E 47 0D 0A 1A 0A
+            expect(body[0]).toBe(0x89);
+            expect(body[1]).toBe(0x50);
+            expect(body[2]).toBe(0x4E);
+            expect(body[3]).toBe(0x47);
+        });
+    });
+    it('serves /apple-touch-icon.png', async () => {
+        await withServer({ port: 0 }, async (url) => {
+            const res = await fetch(`${url}/apple-touch-icon.png`);
+            expect(res.status).toBe(200);
+            expect(res.headers.get('content-type')).toBe('image/png');
+        });
+    });
+    it('serves static assets even when authToken is set', async () => {
+        await withServer({ port: 0, authToken: 'secret' }, async (url) => {
+            const res = await fetch(`${url}/favicon.svg`);
+            expect(res.status).toBe(200);
+        });
+    });
+    it('rate-limits MCP requests by IP', async () => {
+        await withServer({ port: 0, rateLimitPerMinute: 2 }, async (url) => {
+            const hit = async () => fetch(`${url}/`, {
+                headers: { accept: 'text/event-stream' },
+            });
             const first = await hit();
             const second = await hit();
             const third = await hit();
-            expect(first.status).not.toBe(429);
-            expect(second.status).not.toBe(429);
+            expect(first.status).toBe(200);
+            expect(second.status).toBe(200);
             expect(third.status).toBe(429);
-            expect(third.headers.get('retry-after')).toBe('60');
+            await first.body?.cancel();
+            await second.body?.cancel();
         });
     });
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blueprint-chart/mcp",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Model Context Protocol server for authoring Blueprint Chart .bpc files with LLMs.",
   "license": "MIT",
   "author": "pirhoo",
@@ -27,6 +27,7 @@
   "files": [
     "dist",
     "bin",
+    "public",
     "README.md",
     "LICENSE"
   ],
@@ -41,7 +42,8 @@
     "@napi-rs/canvas": "^0.1.71",
     "@resvg/resvg-js": "^2.6.2",
     "jsdom": "^26.1.0",
-    "zod": "^3.23.8"
+    "zod": "^3.23.8",
+    "zod-to-json-schema": "^3.25.2"
   },
   "devDependencies": {
     "@eslint/js": "^9.39.4",