@contextvm/sdk 0.1.48 → 0.2.0

package/dist/esm/transport/nostr-server-transport.js

@@ -1,10 +1,12 @@
-import { InitializeResultSchema, isJSONRPCRequest, isJSONRPCNotification, LATEST_PROTOCOL_VERSION, ListPromptsResultSchema, ListResourcesResultSchema, ListResourceTemplatesResultSchema, ListToolsResultSchema, isJSONRPCResultResponse, isJSONRPCErrorResponse, } from '@modelcontextprotocol/sdk/types.js';
+import { InitializeResultSchema, isJSONRPCRequest, isJSONRPCNotification, isJSONRPCResultResponse, isJSONRPCErrorResponse, } from '@modelcontextprotocol/sdk/types.js';
 import { BaseNostrTransport, } from './base-nostr-transport.js';
-import { announcementMethods, CTXVM_MESSAGES_KIND, GIFT_WRAP_KIND, NOSTR_TAGS, PROMPTS_LIST_KIND, RESOURCES_LIST_KIND, RESOURCETEMPLATES_LIST_KIND, SERVER_ANNOUNCEMENT_KIND, TOOLS_LIST_KIND, decryptMessage, } from '../core/index.js';
+import { CTXVM_MESSAGES_KIND, GIFT_WRAP_KIND, NOSTR_TAGS, NOTIFICATIONS_INITIALIZED_METHOD, decryptMessage, } from '../core/index.js';
 import { EncryptionMode } from '../core/interfaces.js';
-import { EventDeletion } from 'nostr-tools/kinds';
-import { LruCache } from '../core/utils/lru-cache.js';
-import { injectClientPubkey } from '../core/utils/utils.js';
+import { injectClientPubkey, withTimeout } from '../core/utils/utils.js';
+import { CorrelationStore } from './nostr-server/correlation-store.js';
+import { SessionStore } from './nostr-server/session-store.js';
+import { AuthorizationPolicy, } from './nostr-server/authorization-policy.js';
+import { AnnouncementManager, } from './nostr-server/announcement-manager.js';
 /**
  * A server-side transport layer for CTXVM that uses Nostr events for communication.
  * This transport listens for incoming MCP requests via Nostr events and can send
@@ -15,55 +17,45 @@ export class NostrServerTransport extends BaseNostrTransport {
     constructor(options) {
         var _a;
         super('nostr-server-transport', options);
-        this.eventIdToClient = new Map(); // eventId -> clientPubkey
-        this.maxSessions = 1000; // LRU cache limit
-        this.isInitialized = false;
-        this.serverInfo = options.serverInfo;
-        this.isPublicServer = options.isPublicServer;
-        this.allowedPublicKeys = options.allowedPublicKeys
-            ? new Set(options.allowedPublicKeys)
-            : undefined;
-        this.excludedCapabilities = options.excludedCapabilities;
         this.injectClientPubkey = (_a = options.injectClientPubkey) !== null && _a !== void 0 ? _a : false;
-        // Initialize LRU cache with eviction callback for cleanup
-        this.clientSessions = new LruCache(this.maxSessions, (key, session) => {
-            // Clean up reverse lookup mappings for evicted session
-            for (const eventId of session.pendingRequests.keys()) {
-                this.eventIdToClient.delete(eventId);
-            }
-            for (const eventId of session.eventToProgressToken.keys()) {
-                this.eventIdToClient.delete(eventId);
-            }
-            this.logger.info(`Evicted LRU session for ${key}`);
+        // Initialize authorization policy
+        this.authorizationPolicy = new AuthorizationPolicy({
+            allowedPublicKeys: options.allowedPublicKeys
+                ? new Set(options.allowedPublicKeys)
+                : undefined,
+            excludedCapabilities: options.excludedCapabilities,
+            isPublicServer: options.isPublicServer,
+        });
+        // Initialize session store with eviction callback for correlation cleanup
+        this.sessionStore = new SessionStore({
+            maxSessions: 1000,
+            onSessionEvicted: (clientPubkey) => {
+                // Clean up all correlation data for evicted session
+                const removedCount = this.correlationStore.removeRoutesForClient(clientPubkey);
+                this.logger.info(`Evicted session for ${clientPubkey} (removed ${removedCount} routes)`);
+            },
+        });
+        // Initialize correlation store with bounded caches
+        this.correlationStore = new CorrelationStore({
+            maxEventRoutes: 10000,
+            maxProgressTokens: 10000,
+            onEventRouteEvicted: (eventId, route) => {
+                this.logger.debug(`Evicted event route for ${eventId}`, {
+                    clientPubkey: route.clientPubkey,
+                });
+            },
+        });
+        // Initialize announcement manager
+        this.announcementManager = new AnnouncementManager({
+            serverInfo: options.serverInfo,
+            encryptionMode: this.encryptionMode,
+            onSendMessage: (message) => { var _a; return (_a = this.onmessage) === null || _a === void 0 ? void 0 : _a.call(this, message); },
+            onPublishEvent: (event) => this.publishEvent(event),
+            onSignEvent: (eventTemplate) => this.signer.signEvent(eventTemplate),
+            onGetPublicKey: () => this.getPublicKey(),
+            onSubscribe: (filters, onEvent) => this.relayHandler.subscribe(filters, onEvent),
+            logger: this.logger,
         });
-    }
-    /**
-     * Generates common tags from server information for use in Nostr events.
-     * @returns Array of tag arrays for Nostr events.
-     */
-    generateCommonTags() {
-        var _a, _b, _c, _d;
-        if (this.cachedCommonTags) {
-            return this.cachedCommonTags;
-        }
-        const commonTags = [];
-        if ((_a = this.serverInfo) === null || _a === void 0 ? void 0 : _a.name) {
-            commonTags.push([NOSTR_TAGS.NAME, this.serverInfo.name]);
-        }
-        if ((_b = this.serverInfo) === null || _b === void 0 ? void 0 : _b.about) {
-            commonTags.push([NOSTR_TAGS.ABOUT, this.serverInfo.about]);
-        }
-        if ((_c = this.serverInfo) === null || _c === void 0 ? void 0 : _c.website) {
-            commonTags.push([NOSTR_TAGS.WEBSITE, this.serverInfo.website]);
-        }
-        if ((_d = this.serverInfo) === null || _d === void 0 ? void 0 : _d.picture) {
-            commonTags.push([NOSTR_TAGS.PICTURE, this.serverInfo.picture]);
-        }
-        if (this.encryptionMode !== EncryptionMode.DISABLED) {
-            commonTags.push([NOSTR_TAGS.SUPPORT_ENCRYPTION]);
-        }
-        this.cachedCommonTags = commonTags;
-        return commonTags;
     }
     /**
      * Starts the transport, connecting to the relay and setting up event listeners
@@ -94,17 +86,13 @@ export class NostrServerTransport extends BaseNostrTransport {
                     (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error instanceof Error ? error : new Error(String(error)));
                 }
             });
-            if (this.isPublicServer) {
-                await this.getAnnouncementData();
+            if (this.authorizationPolicy.isPublicServer) {
+                await this.announcementManager.getAnnouncementData();
             }
         }
         catch (error) {
-            this.logger.error('Error starting NostrServerTransport', {
-                error: error instanceof Error ? error.message : String(error),
-                stack: error instanceof Error ? error.stack : undefined,
-            });
             (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error instanceof Error ? error : new Error(String(error)));
-            throw error;
+            this.logAndRethrowError('Error starting NostrServerTransport', error);
         }
     }
     /**
@@ -113,17 +101,17 @@ export class NostrServerTransport extends BaseNostrTransport {
     async close() {
         var _a, _b;
         try {
+            // Shutdown the task queue to prevent new tasks from being queued
+            // and clear pending tasks to avoid operating on stale state
+            this.taskQueue.shutdown();
             await this.disconnect();
-            this.clientSessions.clear();
+            this.sessionStore.clear();
+            this.correlationStore.clear();
             (_a = this.onclose) === null || _a === void 0 ? void 0 : _a.call(this);
         }
         catch (error) {
-            this.logger.error('Error closing NostrServerTransport', {
-                error: error instanceof Error ? error.message : String(error),
-                stack: error instanceof Error ? error.stack : undefined,
-            });
             (_b = this.onerror) === null || _b === void 0 ? void 0 : _b.call(this, error instanceof Error ? error : new Error(String(error)));
-            throw error;
+            this.logAndRethrowError('Error closing NostrServerTransport', error);
         }
     }
     /**
@@ -151,230 +139,46 @@ export class NostrServerTransport extends BaseNostrTransport {
      * @returns Promise that resolves to an array of deletion events that were published.
      */
     async deleteAnnouncement(reason = 'Service offline') {
-        const publicKey = await this.getPublicKey();
-        const events = [];
-        const kinds = [
-            SERVER_ANNOUNCEMENT_KIND,
-            TOOLS_LIST_KIND,
-            RESOURCES_LIST_KIND,
-            RESOURCETEMPLATES_LIST_KIND,
-            PROMPTS_LIST_KIND,
-        ];
-        for (const kind of kinds) {
-            const filter = {
-                kinds: [kind],
-                authors: [publicKey],
-            };
-            // Collect events using the subscribe method with onEvent hook
-            await this.relayHandler.subscribe([filter], (event) => {
-                var _a;
-                try {
-                    events.push(event);
-                }
-                catch (error) {
-                    this.logger.error('Error in relay subscription event collection', {
-                        error: error instanceof Error ? error.message : String(error),
-                        eventId: event.id,
-                    });
-                    (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error instanceof Error ? error : new Error(String(error)));
-                }
-            });
-            if (!events.length) {
-                this.logger.info(`No events found for kind ${kind} to delete`);
-                continue;
-            }
-            const deletionEventTemplate = {
-                kind: EventDeletion,
-                pubkey: publicKey,
-                content: reason,
-                tags: events.map((ev) => ['e', ev.id]),
-                created_at: Math.floor(Date.now() / 1000),
-            };
-            const deletionEvent = await this.signer.signEvent(deletionEventTemplate);
-            await this.relayHandler.publish(deletionEvent);
-            this.logger.info(`Published deletion event for kind ${kind} (${events.length} events)`);
-        }
-        return events;
-    }
-    /**
-     * Initiates the process of fetching announcement data from the server's internal logic.
-     * This method now properly handles the initialization handshake by first sending
-     * the initialize request, waiting for the response, and then proceeding with other announcements.
-     */
-    async getAnnouncementData() {
-        var _a, _b, _c;
-        try {
-            const initializeParams = {
-                protocolVersion: LATEST_PROTOCOL_VERSION,
-                capabilities: {},
-                clientInfo: {
-                    name: 'DummyClient',
-                    version: '1.0.0',
-                },
-            };
-            // Send the initialize request if not already initialized
-            if (!this.isInitialized) {
-                const initializeMessage = {
-                    jsonrpc: '2.0',
-                    id: 'announcement',
-                    method: 'initialize',
-                    params: initializeParams,
-                };
-                this.logger.info('Sending initialize request for announcement');
-                (_a = this.onmessage) === null || _a === void 0 ? void 0 : _a.call(this, initializeMessage);
-            }
-            try {
-                // Wait for initialization to complete
-                await this.waitForInitialization();
-                // Send all announcements now that we're initialized
-                for (const [key, methodValue] of Object.entries(announcementMethods)) {
-                    this.logger.info('Sending announcement', { key, methodValue });
-                    const message = {
-                        jsonrpc: '2.0',
-                        id: 'announcement',
-                        method: methodValue,
-                        params: key === 'server' ? initializeParams : {},
-                    };
-                    (_b = this.onmessage) === null || _b === void 0 ? void 0 : _b.call(this, message);
-                }
-            }
-            catch (error) {
-                this.logger.warn('Server not initialized after waiting, skipping announcements', { error: error instanceof Error ? error.message : error });
-            }
-        }
-        catch (error) {
-            this.logger.error('Error in getAnnouncementData', {
-                error: error instanceof Error ? error.message : String(error),
-                stack: error instanceof Error ? error.stack : undefined,
-            });
-            (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error instanceof Error ? error : new Error(String(error)));
-        }
-    }
-    /**
-     * Waits for the server to be initialized with a timeout.
-     * @returns Promise that resolves when initialized or after 10-second timeout.
-     * The method will always resolve, allowing announcements to proceed.
-     */
-    async waitForInitialization() {
-        if (this.isInitialized)
-            return;
-        if (!this.initializationPromise) {
-            this.initializationPromise = new Promise((resolve) => {
-                this.initializationResolver = resolve;
-            });
-        }
-        const timeout = new Promise((_, reject) => setTimeout(() => reject(new Error('Initialization timeout')), 10000));
-        try {
-            await Promise.race([this.initializationPromise, timeout]);
-        }
-        catch (_a) {
-            this.logger.warn('Server initialization not completed within timeout, proceeding with announcements');
-        }
-    }
-    /**
-     * Handles the JSON-RPC responses for public server announcements and publishes
-     * them as Nostr events to the configured relays.
-     * @param message The JSON-RPC response containing the announcement data.
-     */
-    async announcer(message) {
-        var _a;
-        try {
-            // Only process successful responses with result data
-            if (!isJSONRPCResultResponse(message) || !message.result) {
-                return;
-            }
-            const recipientPubkey = await this.getPublicKey();
-            const commonTags = this.generateCommonTags();
-            const announcementMapping = [
-                {
-                    schema: InitializeResultSchema,
-                    kind: SERVER_ANNOUNCEMENT_KIND,
-                    tags: commonTags,
-                },
-                { schema: ListToolsResultSchema, kind: TOOLS_LIST_KIND, tags: [] },
-                {
-                    schema: ListResourcesResultSchema,
-                    kind: RESOURCES_LIST_KIND,
-                    tags: [],
-                },
-                {
-                    schema: ListResourceTemplatesResultSchema,
-                    kind: RESOURCETEMPLATES_LIST_KIND,
-                    tags: [],
-                },
-                { schema: ListPromptsResultSchema, kind: PROMPTS_LIST_KIND, tags: [] },
-            ];
-            for (const mapping of announcementMapping) {
-                if (mapping.schema.safeParse(message.result).success) {
-                    await this.sendMcpMessage(message.result, recipientPubkey, mapping.kind, mapping.tags);
-                    break;
-                }
-            }
-        }
-        catch (error) {
-            this.logger.error('Error in announcer', {
-                error: error instanceof Error ? error.message : String(error),
-                stack: error instanceof Error ? error.stack : undefined,
-            });
-            (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, error instanceof Error ? error : new Error(String(error)));
-        }
+        return await this.announcementManager.deleteAnnouncement(reason);
     }
     /**
      * Gets or creates a client session with proper initialization.
      * @param clientPubkey The client's public key.
-     * @param now Current timestamp.
      * @param isEncrypted Whether the session uses encryption.
      * @returns The client session.
      */
-    getOrCreateClientSession(clientPubkey, now, isEncrypted) {
-        const session = this.clientSessions.get(clientPubkey);
+    getOrCreateClientSession(clientPubkey, isEncrypted) {
+        const session = this.sessionStore.getSession(clientPubkey);
         if (!session) {
             this.logger.info(`Session created for ${clientPubkey}`);
-            const newSession = {
-                isInitialized: false,
-                isEncrypted,
-                lastActivity: now,
-                pendingRequests: new Map(),
-                eventToProgressToken: new Map(),
-            };
-            this.clientSessions.set(clientPubkey, newSession);
-            return newSession;
         }
-        session.isEncrypted = isEncrypted;
-        return session;
+        return this.sessionStore.getOrCreateSession(clientPubkey, isEncrypted);
     }
     /**
      * Handles incoming requests with correlation tracking.
-     * @param session The client session.
      * @param eventId The Nostr event ID.
      * @param request The request message.
+     * @param clientPubkey The client's public key.
      */
-    handleIncomingRequest(session, eventId, request, clientPubkey) {
+    handleIncomingRequest(eventId, request, clientPubkey) {
         var _a, _b;
         // Store the original request ID for later restoration
         const originalRequestId = request.id;
         // Use the unique Nostr event ID as the MCP request ID to avoid collisions
         request.id = eventId;
-        // Store in client session
-        session.pendingRequests.set(eventId, originalRequestId);
-        this.eventIdToClient.set(eventId, clientPubkey);
-        // Track progress tokens if provided
+        // Register the event route in the correlation store
         const progressToken = (_b = (_a = request.params) === null || _a === void 0 ? void 0 : _a._meta) === null || _b === void 0 ? void 0 : _b.progressToken;
-        if (progressToken) {
-            const tokenStr = String(progressToken);
-            session.pendingRequests.set(tokenStr, eventId);
-            session.eventToProgressToken.set(eventId, tokenStr);
-        }
+        this.correlationStore.registerEventRoute(eventId, clientPubkey, originalRequestId, progressToken ? String(progressToken) : undefined);
     }
     /**
      * Handles incoming notifications.
-     * @param session The client session.
+     * @param clientPubkey The client's public key.
      * @param notification The notification message.
      */
-    handleIncomingNotification(session, notification) {
+    handleIncomingNotification(clientPubkey, notification) {
         if (isJSONRPCNotification(notification) &&
-            notification.method === 'notifications/initialized') {
-            session.isInitialized = true;
+            notification.method === NOTIFICATIONS_INITIALIZED_METHOD) {
+            this.sessionStore.markInitialized(clientPubkey);
         }
     }
     /**
@@ -382,64 +186,44 @@ export class NostrServerTransport extends BaseNostrTransport {
      * @param response The JSON-RPC response or error to send.
      */
     async handleResponse(response) {
-        var _a, _b, _c, _d, _e;
+        var _a, _b;
         // Handle special announcement responses
         if (response.id === 'announcement') {
-            if (isJSONRPCResultResponse(response)) {
+            const wasHandled = await this.announcementManager.handleAnnouncementResponse(response);
+            if (wasHandled && isJSONRPCResultResponse(response)) {
                 if (InitializeResultSchema.safeParse(response.result).success) {
-                    this.isInitialized = true;
-                    (_a = this.initializationResolver) === null || _a === void 0 ? void 0 : _a.call(this); // Resolve waiting promise
-                    // Send the initialized notification
-                    const initializedNotification = {
-                        jsonrpc: '2.0',
-                        method: 'notifications/initialized',
-                    };
-                    (_b = this.onmessage) === null || _b === void 0 ? void 0 : _b.call(this, initializedNotification);
                     this.logger.info('Initialized');
                 }
-                await this.announcer(response);
             }
             return;
         }
-        // Find the client session with this pending request using O(1) lookup
+        // Find the event route using O(1) lookup
         const nostrEventId = response.id;
-        const targetClientPubkey = this.eventIdToClient.get(nostrEventId);
-        if (!targetClientPubkey) {
-            (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, new Error(`No pending request found for response ID: ${response.id}`));
+        const route = this.correlationStore.getEventRoute(nostrEventId);
+        if (!route) {
+            (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, new Error(`No pending request found for response ID: ${response.id}`));
             return;
         }
-        const session = this.clientSessions.get(targetClientPubkey);
+        const session = this.sessionStore.getSession(route.clientPubkey);
         if (!session) {
-            (_d = this.onerror) === null || _d === void 0 ? void 0 : _d.call(this, new Error(`No session found for client: ${targetClientPubkey}`));
-            return;
-        }
-        const originalRequestId = session.pendingRequests.get(nostrEventId);
-        if (originalRequestId === undefined) {
-            (_e = this.onerror) === null || _e === void 0 ? void 0 : _e.call(this, new Error(`No original request ID found for response ID: ${response.id}`));
+            (_b = this.onerror) === null || _b === void 0 ? void 0 : _b.call(this, new Error(`No session found for client: ${route.clientPubkey}`));
             return;
         }
         // Restore the original request ID in the response
-        response.id = originalRequestId;
+        response.id = route.originalRequestId;
         // Send the response back to the original requester
-        const tags = this.createResponseTags(targetClientPubkey, nostrEventId);
+        const tags = this.createResponseTags(route.clientPubkey, nostrEventId);
+        // Add common tags for initialize responses (independent of encryption mode)
         if (isJSONRPCResultResponse(response) &&
-            InitializeResultSchema.safeParse(response.result).success &&
-            session.isEncrypted) {
-            const commonTags = this.generateCommonTags();
+            InitializeResultSchema.safeParse(response.result).success) {
+            const commonTags = this.announcementManager.getCommonTags();
             commonTags.forEach((tag) => {
                 tags.push(tag);
             });
         }
-        await this.sendMcpMessage(response, targetClientPubkey, CTXVM_MESSAGES_KIND, tags, session.isEncrypted);
-        // Clean up the pending request and any associated progress token
-        session.pendingRequests.delete(nostrEventId);
-        this.eventIdToClient.delete(nostrEventId);
-        // Clean up progress token if it exists
-        const progressToken = session.eventToProgressToken.get(nostrEventId);
-        if (progressToken) {
-            session.pendingRequests.delete(progressToken);
-            session.eventToProgressToken.delete(nostrEventId);
-        }
+        await this.sendMcpMessage(response, route.clientPubkey, CTXVM_MESSAGES_KIND, tags, session.isEncrypted);
+        // Clean up the event route (this also cleans up progress token mapping)
+        this.correlationStore.removeEventRoute(nostrEventId);
     }
     /**
      * Handles notification messages with routing.
@@ -454,28 +238,22 @@ export class NostrServerTransport extends BaseNostrTransport {
                 notification.method === 'notifications/progress' &&
                 ((_b = (_a = notification.params) === null || _a === void 0 ? void 0 : _a._meta) === null || _b === void 0 ? void 0 : _b.progressToken)) {
                 const token = String(notification.params._meta.progressToken);
-                // Use reverse lookup map for O(1) progress token routing
-                // First find the session that has this progress token
-                let targetClientPubkey;
-                let nostrEventId;
-                for (const [clientPubkey, session] of this.clientSessions.entries()) {
-                    if (session.pendingRequests.has(token)) {
-                        nostrEventId = session.pendingRequests.get(token);
-                        targetClientPubkey = clientPubkey;
-                        break;
+                // Use O(1) lookup for progress token routing
+                const nostrEventId = this.correlationStore.getEventIdByProgressToken(token);
+                if (nostrEventId) {
+                    const route = this.correlationStore.getEventRoute(nostrEventId);
+                    if (route) {
+                        await this.sendNotification(route.clientPubkey, notification, nostrEventId);
+                        return;
                     }
                 }
-                if (targetClientPubkey && nostrEventId) {
-                    await this.sendNotification(targetClientPubkey, notification, nostrEventId);
-                    return;
-                }
                 const error = new Error(`No client found for progress token: ${token}`);
                 this.logger.error('Progress token not found', { token });
                 (_c = this.onerror) === null || _c === void 0 ? void 0 : _c.call(this, error);
                 return;
             }
             // Use TaskQueue for outbound notification broadcasting to prevent event loop blocking
-            for (const [clientPubkey, session] of this.clientSessions.entries()) {
+            for (const [clientPubkey, session,] of this.sessionStore.getAllSessions()) {
                 if (session.isInitialized) {
                     this.taskQueue.add(async () => {
                         try {
@@ -509,7 +287,7 @@ export class NostrServerTransport extends BaseNostrTransport {
      * @returns Promise that resolves when the notification is sent.
      */
     async sendNotification(clientPubkey, notification, correlatedEventId) {
-        const session = this.clientSessions.get(clientPubkey);
+        const session = this.sessionStore.getSession(clientPubkey);
         if (!session) {
             throw new Error(`No active session found for client: ${clientPubkey}`);
         }
@@ -557,7 +335,8 @@ export class NostrServerTransport extends BaseNostrTransport {
             return;
         }
         try {
-            const decryptedJson = await decryptMessage(event, this.signer);
+            const decryptedJson = await withTimeout(decryptMessage(event, this.signer), 30000, // 30 seconds default timeout
+            'Decrypt message timed out');
             const currentEvent = JSON.parse(decryptedJson);
             this.authorizeAndProcessEvent(currentEvent, true);
         }
@@ -584,34 +363,6 @@ export class NostrServerTransport extends BaseNostrTransport {
         }
         this.authorizeAndProcessEvent(event, false);
     }
-    /**
-     * Checks if a capability is excluded from whitelisting requirements.
-     * @param method The JSON-RPC method (e.g., 'tools/call', 'tools/list')
-     * @param name Optional capability name for method-specific exclusions (e.g., 'get_weather')
-     * @returns true if the capability should bypass whitelisting, false otherwise
-     */
-    isCapabilityExcluded(method, name) {
-        var _a;
-        // Always allow fundamental MCP methods for connection establishment
-        if (method === 'initialize' || method === 'notifications/initialized') {
-            return true;
-        }
-        if (!((_a = this.excludedCapabilities) === null || _a === void 0 ? void 0 : _a.length)) {
-            return false;
-        }
-        return this.excludedCapabilities.some((exclusion) => {
-            // Check if method matches
-            if (exclusion.method !== method) {
-                return false;
-            }
-            // If exclusion has no name requirement, method match is sufficient
-            if (!exclusion.name) {
-                return true;
-            }
-            // If exclusion has a name requirement, check if it matches the provided name
-            return exclusion.name === name;
-        });
-    }
     /**
      * Authorizes and processes an incoming Nostr event, handling message validation,
      * client authorization, session management, and optional client public key injection.
@@ -619,7 +370,7 @@ export class NostrServerTransport extends BaseNostrTransport {
      * @param isEncrypted Whether the original event was encrypted.
      */
     authorizeAndProcessEvent(event, isEncrypted) {
-        var _a, _b, _c, _d, _e;
+        var _a, _b;
         try {
             const mcpMessage = this.convertNostrEventToMcpMessage(event);
             if (!mcpMessage) {
@@ -630,52 +381,48 @@ export class NostrServerTransport extends BaseNostrTransport {
                 });
                 return;
             }
-            if ((_a = this.allowedPublicKeys) === null || _a === void 0 ? void 0 : _a.size) {
-                // Check if the message should bypass whitelisting due to excluded capabilities
-                const shouldBypassWhitelisting = ((_b = this.excludedCapabilities) === null || _b === void 0 ? void 0 : _b.length) &&
-                    (isJSONRPCRequest(mcpMessage) || isJSONRPCNotification(mcpMessage)) &&
-                    this.isCapabilityExcluded(mcpMessage.method, (_c = mcpMessage.params) === null || _c === void 0 ? void 0 : _c.name);
-                if (!this.allowedPublicKeys.has(event.pubkey) &&
-                    !shouldBypassWhitelisting) {
-                    this.logger.error(`Unauthorized message from ${event.pubkey}, message: ${JSON.stringify(mcpMessage)}. Ignoring.`);
-                    if (this.isPublicServer && isJSONRPCRequest(mcpMessage)) {
-                        const errorResponse = {
-                            jsonrpc: '2.0',
-                            id: mcpMessage.id,
-                            error: {
-                                code: -32000,
-                                message: 'Unauthorized',
-                            },
-                        };
-                        const tags = this.createResponseTags(event.pubkey, event.id);
-                        this.sendMcpMessage(errorResponse, event.pubkey, CTXVM_MESSAGES_KIND, tags, isEncrypted).catch((err) => {
-                            var _a;
-                            this.logger.error('Failed to send unauthorized response', {
-                                error: err instanceof Error ? err.message : String(err),
-                                pubkey: event.pubkey,
-                                eventId: event.id,
-                            });
-                            (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, new Error(`Failed to send unauthorized response: ${err}`));
+            // Check authorization using the authorization policy
+            const authDecision = this.authorizationPolicy.authorize(event.pubkey, mcpMessage);
+            if (!authDecision.allowed) {
+                this.logger.error(`Unauthorized message from ${event.pubkey}, message: ${JSON.stringify(mcpMessage)}. Ignoring.`);
+                if ('shouldReplyUnauthorized' in authDecision &&
+                    authDecision.shouldReplyUnauthorized &&
+                    isJSONRPCRequest(mcpMessage)) {
+                    const errorResponse = {
+                        jsonrpc: '2.0',
+                        id: mcpMessage.id,
+                        error: {
+                            code: -32000,
+                            message: 'Unauthorized',
+                        },
+                    };
+                    const tags = this.createResponseTags(event.pubkey, event.id);
+                    this.sendMcpMessage(errorResponse, event.pubkey, CTXVM_MESSAGES_KIND, tags, isEncrypted).catch((err) => {
+                        var _a;
+                        this.logger.error('Failed to send unauthorized response', {
+                            error: err instanceof Error ? err.message : String(err),
+                            pubkey: event.pubkey,
+                            eventId: event.id,
                         });
-                    }
-                    return;
+                        (_a = this.onerror) === null || _a === void 0 ? void 0 : _a.call(this, new Error(`Failed to send unauthorized response: ${err}`));
+                    });
                 }
+                return;
             }
-            const now = Date.now();
-            const session = this.getOrCreateClientSession(event.pubkey, now, isEncrypted);
-            session.lastActivity = now;
+            // Get or create session for this client (ensures session exists for authorized messages)
+            this.getOrCreateClientSession(event.pubkey, isEncrypted);
             // Handle message routing and conditionally inject client pubkey
             if (isJSONRPCRequest(mcpMessage)) {
-                this.handleIncomingRequest(session, event.id, mcpMessage, event.pubkey);
+                this.handleIncomingRequest(event.id, mcpMessage, event.pubkey);
                 // Inject client public key for enhanced server integration (in-place mutation)
                 if (this.injectClientPubkey) {
                     injectClientPubkey(mcpMessage, event.pubkey);
                 }
             }
             else if (isJSONRPCNotification(mcpMessage)) {
-                this.handleIncomingNotification(session, mcpMessage);
+                this.handleIncomingNotification(event.pubkey, mcpMessage);
             }
-            (_d = this.onmessage) === null || _d === void 0 ? void 0 : _d.call(this, mcpMessage);
+            (_a = this.onmessage) === null || _a === void 0 ? void 0 : _a.call(this, mcpMessage);
         }
         catch (error) {
             this.logger.error('Error in authorizeAndProcessEvent', {
@@ -684,8 +431,18 @@ export class NostrServerTransport extends BaseNostrTransport {
                 eventId: event.id,
                 pubkey: event.pubkey,
             });
-            (_e = this.onerror) === null || _e === void 0 ? void 0 : _e.call(this, error instanceof Error ? error : new Error(String(error)));
+            (_b = this.onerror) === null || _b === void 0 ? void 0 : _b.call(this, error instanceof Error ? error : new Error(String(error)));
         }
     }
+    /**
+     * Test-only accessor for internal state.
+     * @internal
+     */
+    getInternalStateForTesting() {
+        return {
+            sessionStore: this.sessionStore,
+            correlationStore: this.correlationStore,
+        };
+    }
 }
 //# sourceMappingURL=nostr-server-transport.js.map