@cyanheads/git-mcp-server 2.1.3 → 2.1.5

package/dist/mcp-server/tools/gitWorktree/logic.js

@@ -1,9 +1,9 @@
-import { exec } from "child_process";
+import { execFile } from "child_process";
 import { promisify } from "util";
 import { z } from "zod";
 import { logger, sanitization } from "../../../utils/index.js";
 import { BaseErrorCode, McpError } from "../../../types-global/errors.js";
-const execAsync = promisify(exec);
+const execFileAsync = promisify(execFile);
 // Define the BASE input schema for the git_worktree tool using Zod
 export const GitWorktreeBaseSchema = z.object({
     path: z
@@ -176,18 +176,19 @@ export async function gitWorktreeLogic(input, context) {
         throw new McpError(BaseErrorCode.VALIDATION_ERROR, `Invalid path: ${error instanceof Error ? error.message : String(error)}`, { context, operation, originalError: error });
     }
     try {
-        let command = `git -C "${targetPath}" worktree `;
+        let args;
         let result;
         switch (input.mode) {
             case "list":
-                command += "list";
-                if (input.verbose)
-                    command += " --porcelain"; // Use porcelain for structured output
-                logger.debug(`Executing command: ${command}`, {
+                args = ["-C", targetPath, "worktree", "list"];
+                if (input.verbose) {
+                    args.push("--porcelain");
+                } // Use porcelain for structured output
+                logger.debug(`Executing command: git ${args.join(" ")}`, {
                     ...context,
                     operation,
                 });
-                const { stdout: listStdout } = await execAsync(command);
+                const { stdout: listStdout } = await execFileAsync("git", args);
                 if (input.verbose) {
                     const worktrees = parsePorcelainWorktreeList(listStdout);
                     result = { success: true, mode: "list", worktrees };
@@ -214,21 +215,25 @@ export async function gitWorktreeLogic(input, context) {
             case "add":
                 // worktreePath is guaranteed by refine
                 const sanitizedWorktreePathAdd = sanitization.sanitizePath(input.worktreePath, { allowAbsolute: true, rootDir: targetPath }).sanitizedPath;
-                command += `add `;
-                if (input.force)
-                    command += "--force ";
-                if (input.detach)
-                    command += "--detach ";
-                if (input.newBranch)
-                    command += `-b "${input.newBranch}" `;
-                command += `"${sanitizedWorktreePathAdd}"`;
-                if (input.commitish)
-                    command += ` "${input.commitish}"`;
-                logger.debug(`Executing command: ${command}`, {
+                args = ["-C", targetPath, "worktree", "add"];
+                if (input.force) {
+                    args.push("--force");
+                }
+                if (input.detach) {
+                    args.push("--detach");
+                }
+                if (input.newBranch) {
+                    args.push("-b", input.newBranch);
+                }
+                args.push(sanitizedWorktreePathAdd);
+                if (input.commitish) {
+                    args.push(input.commitish);
+                }
+                logger.debug(`Executing command: git ${args.join(" ")}`, {
                     ...context,
                     operation,
                 });
-                await execAsync(command);
+                await execFileAsync("git", args);
                 // To get the HEAD of the new worktree, we might need another command or parse output if available
                 // For simplicity, we'll report success. A more robust solution might `git -C new_worktree_path rev-parse HEAD`
                 result = {
@@ -243,15 +248,16 @@ export async function gitWorktreeLogic(input, context) {
             case "remove":
                 // worktreePath is guaranteed by refine
                 const sanitizedWorktreePathRemove = sanitization.sanitizePath(input.worktreePath, { allowAbsolute: true, rootDir: targetPath }).sanitizedPath;
-                command += `remove `;
-                if (input.force)
-                    command += "--force ";
-                command += `"${sanitizedWorktreePathRemove}"`;
-                logger.debug(`Executing command: ${command}`, {
+                args = ["-C", targetPath, "worktree", "remove"];
+                if (input.force) {
+                    args.push("--force");
+                }
+                args.push(sanitizedWorktreePathRemove);
+                logger.debug(`Executing command: git ${args.join(" ")}`, {
                     ...context,
                     operation,
                 });
-                const { stdout: removeStdout } = await execAsync(command);
+                const { stdout: removeStdout } = await execFileAsync("git", args);
                 result = {
                     success: true,
                     mode: "remove",
@@ -267,12 +273,19 @@ export async function gitWorktreeLogic(input, context) {
                     allowAbsolute: true,
                     rootDir: targetPath,
                 }).sanitizedPath;
-                command += `move "${sanitizedOldPathMove}" "${sanitizedNewPathMove}"`;
-                logger.debug(`Executing command: ${command}`, {
+                args = [
+                    "-C",
+                    targetPath,
+                    "worktree",
+                    "move",
+                    sanitizedOldPathMove,
+                    sanitizedNewPathMove,
+                ];
+                logger.debug(`Executing command: git ${args.join(" ")}`, {
                     ...context,
                     operation,
                 });
-                await execAsync(command);
+                await execFileAsync("git", args);
                 result = {
                     success: true,
                     mode: "move",
@@ -282,18 +295,21 @@ export async function gitWorktreeLogic(input, context) {
                 };
                 break;
             case "prune":
-                command += "prune ";
-                if (input.dryRun)
-                    command += "--dry-run ";
-                if (input.verbose)
-                    command += "--verbose ";
-                if (input.expire)
-                    command += `--expire "${input.expire}" `;
-                logger.debug(`Executing command: ${command}`, {
+                args = ["-C", targetPath, "worktree", "prune"];
+                if (input.dryRun) {
+                    args.push("--dry-run");
+                }
+                if (input.verbose) {
+                    args.push("--verbose");
+                }
+                if (input.expire) {
+                    args.push(`--expire=${input.expire}`);
+                }
+                logger.debug(`Executing command: git ${args.join(" ")}`, {
                     ...context,
                     operation,
                 });
-                const { stdout: pruneStdout, stderr: pruneStderr } = await execAsync(command);
+                const { stdout: pruneStdout, stderr: pruneStderr } = await execFileAsync("git", args);
                 // Prune often outputs to stderr even on success for verbose/dry-run
                 const pruneMessage = pruneStdout.trim() ||
                     pruneStderr.trim() ||

package/dist/mcp-server/transports/auth/core/authContext.js

@@ -0,0 +1,24 @@
+/**
+ * @fileoverview Defines the AsyncLocalStorage context for authentication information.
+ * This module provides a mechanism to store and retrieve authentication details
+ * (like scopes and client ID) across asynchronous operations, making it available
+ * from the middleware layer down to the tool and resource handlers without
+ * drilling props.
+ *
+ * @module src/mcp-server/transports/auth/core/authContext
+ */
+import { AsyncLocalStorage } from "async_hooks";
+/**
+ * An instance of AsyncLocalStorage to hold the authentication context (`AuthStore`).
+ * This allows `authInfo` to be accessible throughout the async call chain of a request
+ * after being set in the authentication middleware.
+ *
+ * @example
+ * // In middleware:
+ * await authContext.run({ authInfo }, next);
+ *
+ * // In a deeper handler:
+ * const store = authContext.getStore();
+ * const scopes = store?.authInfo.scopes;
+ */
+export const authContext = new AsyncLocalStorage();

package/dist/mcp-server/transports/auth/core/authTypes.js

@@ -0,0 +1,5 @@
+/**
+ * @fileoverview Shared types for authentication middleware.
+ * @module src/mcp-server/transports/auth/core/auth.types
+ */
+export {};

package/dist/mcp-server/transports/auth/core/authUtils.js

@@ -0,0 +1,45 @@
+/**
+ * @fileoverview Provides utility functions for authorization, specifically for
+ * checking token scopes against required permissions for a given operation.
+ * @module src/mcp-server/transports/auth/core/authUtils
+ */
+import { BaseErrorCode, McpError } from "../../../../types-global/errors.js";
+import { logger, requestContextService } from "../../../../utils/index.js";
+import { authContext } from "./authContext.js";
+/**
+ * Checks if the current authentication context contains all the specified scopes.
+ * This function is designed to be called within tool or resource handlers to
+ * enforce scope-based access control. It retrieves the authentication information
+ * from `authContext` (AsyncLocalStorage).
+ *
+ * @param requiredScopes - An array of scope strings that are mandatory for the operation.
+ * @throws {McpError} Throws an error with `BaseErrorCode.INTERNAL_ERROR` if the
+ *   authentication context is missing, which indicates a server configuration issue.
+ * @throws {McpError} Throws an error with `BaseErrorCode.FORBIDDEN` if one or
+ *   more required scopes are not present in the validated token.
+ */
+export function withRequiredScopes(requiredScopes) {
+    const store = authContext.getStore();
+    if (!store || !store.authInfo) {
+        // This is a server-side logic error; the auth middleware should always populate this.
+        throw new McpError(BaseErrorCode.INTERNAL_ERROR, "Authentication context is missing. This indicates a server configuration error.", requestContextService.createRequestContext({
+            operation: "withRequiredScopesCheck",
+            error: "AuthStore not found in AsyncLocalStorage.",
+        }));
+    }
+    const { scopes: grantedScopes, clientId } = store.authInfo;
+    const grantedScopeSet = new Set(grantedScopes);
+    const missingScopes = requiredScopes.filter((scope) => !grantedScopeSet.has(scope));
+    if (missingScopes.length > 0) {
+        const context = requestContextService.createRequestContext({
+            operation: "withRequiredScopesCheck",
+            required: requiredScopes,
+            granted: grantedScopes,
+            missing: missingScopes,
+            clientId: clientId,
+            subject: store.authInfo.subject,
+        });
+        logger.warning("Authorization failed: Missing required scopes.", context);
+        throw new McpError(BaseErrorCode.FORBIDDEN, `Insufficient permissions. Missing required scopes: ${missingScopes.join(", ")}`, { requiredScopes, missingScopes });
+    }
+}

package/dist/mcp-server/transports/auth/index.js

@@ -0,0 +1,9 @@
+/**
+ * @fileoverview Barrel file for the auth module.
+ * Exports core utilities and middleware strategies for easier imports.
+ * @module src/mcp-server/transports/auth/index
+ */
+export { authContext } from "./core/authContext.js";
+export { withRequiredScopes } from "./core/authUtils.js";
+export { mcpAuthMiddleware as jwtAuthMiddleware } from "./strategies/jwt/jwtMiddleware.js";
+export { oauthMiddleware } from "./strategies/oauth/oauthMiddleware.js";

package/dist/mcp-server/transports/auth/strategies/jwt/jwtMiddleware.js

@@ -0,0 +1,149 @@
+/**
+ * @fileoverview MCP Authentication Middleware for Bearer Token Validation (JWT) for Hono.
+ *
+ * This middleware validates JSON Web Tokens (JWT) passed via the 'Authorization' header
+ * using the 'Bearer' scheme (e.g., "Authorization: Bearer <your_token>").
+ * It verifies the token's signature and expiration using the secret key defined
+ * in the configuration (`config.mcpAuthSecretKey`).
+ *
+ * If the token is valid, an object conforming to the MCP SDK's `AuthInfo` type
+ * is attached to `c.env.incoming.auth`. This direct attachment to the raw Node.js
+ * request object is for compatibility with the underlying SDK transport, which is
+ * not Hono-context-aware.
+ * If the token is missing, invalid, or expired, it throws an `McpError`, which is
+ * then handled by the centralized `httpErrorHandler`.
+ *
+ * @see {@link https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-03-26/basic/authorization.mdx | MCP Authorization Specification}
+ * @module src/mcp-server/transports/auth/strategies/jwt/jwtMiddleware
+ */
+import { jwtVerify } from "jose";
+import { config, environment } from "../../../../../config/index.js";
+import { logger, requestContextService } from "../../../../../utils/index.js";
+import { BaseErrorCode, McpError } from "../../../../../types-global/errors.js";
+import { authContext } from "../../core/authContext.js";
+// Startup Validation: Validate secret key presence on module load.
+if (config.mcpAuthMode === "jwt") {
+    if (environment === "production" && !config.mcpAuthSecretKey) {
+        logger.fatal("CRITICAL: MCP_AUTH_SECRET_KEY is not set in production environment for JWT auth. Authentication cannot proceed securely.");
+        throw new Error("MCP_AUTH_SECRET_KEY must be set in production environment for JWT authentication.");
+    }
+    else if (!config.mcpAuthSecretKey) {
+        logger.warning("MCP_AUTH_SECRET_KEY is not set. JWT auth middleware will bypass checks (DEVELOPMENT ONLY). This is insecure for production.");
+    }
+}
+/**
+ * Hono middleware for verifying JWT Bearer token authentication.
+ * It attaches authentication info to `c.env.incoming.auth` for SDK compatibility with the node server.
+ */
+export async function mcpAuthMiddleware(c, next) {
+    const context = requestContextService.createRequestContext({
+        operation: "mcpAuthMiddleware",
+        method: c.req.method,
+        path: c.req.path,
+    });
+    logger.debug("Running MCP Authentication Middleware (Bearer Token Validation)...", context);
+    const reqWithAuth = c.env.incoming;
+    // If JWT auth is not enabled, skip the middleware.
+    if (config.mcpAuthMode !== "jwt") {
+        return await next();
+    }
+    // Development Mode Bypass
+    if (!config.mcpAuthSecretKey) {
+        if (environment !== "production") {
+            logger.warning("Bypassing JWT authentication: MCP_AUTH_SECRET_KEY is not set (DEVELOPMENT ONLY).", context);
+            reqWithAuth.auth = {
+                token: "dev-mode-placeholder-token",
+                clientId: "dev-client-id",
+                scopes: ["dev-scope"],
+            };
+            const authInfo = reqWithAuth.auth;
+            logger.debug("Dev mode auth object created.", {
+                ...context,
+                authDetails: authInfo,
+            });
+            return await authContext.run({ authInfo }, next);
+        }
+        else {
+            logger.error("FATAL: MCP_AUTH_SECRET_KEY is missing in production. Cannot bypass auth.", context);
+            throw new McpError(BaseErrorCode.INTERNAL_ERROR, "Server configuration error: Authentication key missing.");
+        }
+    }
+    const secretKey = new TextEncoder().encode(config.mcpAuthSecretKey);
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        logger.warning("Authentication failed: Missing or malformed Authorization header (Bearer scheme required).", context);
+        throw new McpError(BaseErrorCode.UNAUTHORIZED, "Missing or invalid authentication token format.");
+    }
+    const tokenParts = authHeader.split(" ");
+    if (tokenParts.length !== 2 || tokenParts[0] !== "Bearer" || !tokenParts[1]) {
+        logger.warning("Authentication failed: Malformed Bearer token.", context);
+        throw new McpError(BaseErrorCode.UNAUTHORIZED, "Malformed authentication token.");
+    }
+    const rawToken = tokenParts[1];
+    try {
+        const { payload: decoded } = await jwtVerify(rawToken, secretKey);
+        const clientIdFromToken = typeof decoded.cid === "string"
+            ? decoded.cid
+            : typeof decoded.client_id === "string"
+                ? decoded.client_id
+                : undefined;
+        if (!clientIdFromToken) {
+            logger.warning("Authentication failed: JWT 'cid' or 'client_id' claim is missing or not a string.", { ...context, jwtPayloadKeys: Object.keys(decoded) });
+            throw new McpError(BaseErrorCode.UNAUTHORIZED, "Invalid token, missing client identifier.");
+        }
+        let scopesFromToken = [];
+        if (Array.isArray(decoded.scp) &&
+            decoded.scp.every((s) => typeof s === "string")) {
+            scopesFromToken = decoded.scp;
+        }
+        else if (typeof decoded.scope === "string" &&
+            decoded.scope.trim() !== "") {
+            scopesFromToken = decoded.scope.split(" ").filter((s) => s);
+            if (scopesFromToken.length === 0 && decoded.scope.trim() !== "") {
+                scopesFromToken = [decoded.scope.trim()];
+            }
+        }
+        if (scopesFromToken.length === 0) {
+            logger.warning("Authentication failed: Token resulted in an empty scope array, and scopes are required.", { ...context, jwtPayloadKeys: Object.keys(decoded) });
+            throw new McpError(BaseErrorCode.UNAUTHORIZED, "Token must contain valid, non-empty scopes.");
+        }
+        reqWithAuth.auth = {
+            token: rawToken,
+            clientId: clientIdFromToken,
+            scopes: scopesFromToken,
+        };
+        const subClaimForLogging = typeof decoded.sub === "string" ? decoded.sub : undefined;
+        const authInfo = reqWithAuth.auth;
+        logger.debug("JWT verified successfully. AuthInfo attached to request.", {
+            ...context,
+            mcpSessionIdContext: subClaimForLogging,
+            clientId: authInfo.clientId,
+            scopes: authInfo.scopes,
+        });
+        await authContext.run({ authInfo }, next);
+    }
+    catch (error) {
+        let errorMessage = "Invalid token.";
+        let errorCode = BaseErrorCode.UNAUTHORIZED;
+        if (error instanceof Error && error.name === "JWTExpired") {
+            errorMessage = "Token expired.";
+            logger.warning("Authentication failed: Token expired.", {
+                ...context,
+                errorName: error.name,
+            });
+        }
+        else if (error instanceof Error) {
+            errorMessage = `Invalid token: ${error.message}`;
+            logger.warning(`Authentication failed: ${errorMessage}`, {
+                ...context,
+                errorName: error.name,
+            });
+        }
+        else {
+            errorMessage = "Unknown verification error.";
+            errorCode = BaseErrorCode.INTERNAL_ERROR;
+            logger.error("Authentication failed: Unexpected non-error exception during token verification.", { ...context, error });
+        }
+        throw new McpError(errorCode, errorMessage);
+    }
+}

package/dist/mcp-server/transports/auth/strategies/oauth/oauthMiddleware.js

@@ -0,0 +1,127 @@
+/**
+ * @fileoverview Hono middleware for OAuth 2.1 Bearer Token validation.
+ * This middleware extracts a JWT from the Authorization header, validates it against
+ * a remote JWKS (JSON Web Key Set), and checks its issuer and audience claims.
+ * On success, it populates an AuthInfo object and stores it in an AsyncLocalStorage
+ * context for use in downstream handlers.
+ *
+ * @module src/mcp-server/transports/auth/strategies/oauth/oauthMiddleware
+ */
+import { createRemoteJWKSet, jwtVerify } from "jose";
+import { config } from "../../../../../config/index.js";
+import { BaseErrorCode, McpError } from "../../../../../types-global/errors.js";
+import { ErrorHandler } from "../../../../../utils/internal/errorHandler.js";
+import { logger, requestContextService } from "../../../../../utils/index.js";
+import { authContext } from "../../core/authContext.js";
+// --- Startup Validation ---
+// Ensures that necessary OAuth configuration is present when the mode is 'oauth'.
+if (config.mcpAuthMode === "oauth") {
+    if (!config.oauthIssuerUrl) {
+        throw new Error("OAUTH_ISSUER_URL must be set when MCP_AUTH_MODE is 'oauth'");
+    }
+    if (!config.oauthAudience) {
+        throw new Error("OAUTH_AUDIENCE must be set when MCP_AUTH_MODE is 'oauth'");
+    }
+    logger.info("OAuth 2.1 mode enabled. Verifying tokens against issuer.", requestContextService.createRequestContext({
+        issuer: config.oauthIssuerUrl,
+        audience: config.oauthAudience,
+    }));
+}
+// --- JWKS Client Initialization ---
+// The remote JWK set is fetched and cached to avoid network calls on every request.
+let jwks;
+if (config.mcpAuthMode === "oauth" && config.oauthIssuerUrl) {
+    try {
+        const jwksUrl = new URL(config.oauthJwksUri ||
+            `${config.oauthIssuerUrl.replace(/\/$/, "")}/.well-known/jwks.json`);
+        jwks = createRemoteJWKSet(jwksUrl, {
+            cooldownDuration: 300000, // 5 minutes
+            timeoutDuration: 5000, // 5 seconds
+        });
+        logger.info(`JWKS client initialized for URL: ${jwksUrl.href}`, requestContextService.createRequestContext({
+            operation: "oauthMiddlewareSetup",
+        }));
+    }
+    catch (error) {
+        logger.fatal("Failed to initialize JWKS client.", {
+            error: error,
+            context: requestContextService.createRequestContext({
+                operation: "oauthMiddlewareSetup",
+            }),
+        });
+        // Prevent server from starting if JWKS setup fails in oauth mode
+        process.exit(1);
+    }
+}
+/**
+ * Hono middleware for verifying OAuth 2.1 JWT Bearer tokens.
+ * It validates the token and uses AsyncLocalStorage to pass auth info.
+ * @param c - The Hono context object.
+ * @param next - The function to call to proceed to the next middleware.
+ */
+export async function oauthMiddleware(c, next) {
+    // If OAuth is not the configured auth mode, skip this middleware.
+    if (config.mcpAuthMode !== "oauth") {
+        return await next();
+    }
+    const context = requestContextService.createRequestContext({
+        operation: "oauthMiddleware",
+        httpMethod: c.req.method,
+        httpPath: c.req.path,
+    });
+    if (!jwks) {
+        // This should not happen if startup validation is correct, but it's a safeguard.
+        // This should not happen if startup validation is correct, but it's a safeguard.
+        throw new McpError(BaseErrorCode.CONFIGURATION_ERROR, "OAuth middleware is active, but JWKS client is not initialized.", context);
+    }
+    const authHeader = c.req.header("Authorization");
+    if (!authHeader || !authHeader.startsWith("Bearer ")) {
+        throw new McpError(BaseErrorCode.UNAUTHORIZED, "Missing or invalid token format.");
+    }
+    const token = authHeader.substring(7);
+    try {
+        const { payload } = await jwtVerify(token, jwks, {
+            issuer: config.oauthIssuerUrl,
+            audience: config.oauthAudience,
+        });
+        // The 'scope' claim is typically a space-delimited string in OAuth 2.1.
+        const scopes = typeof payload.scope === "string" ? payload.scope.split(" ") : [];
+        if (scopes.length === 0) {
+            logger.warning("Authentication failed: Token contains no scopes, but scopes are required.", { ...context, jwtPayloadKeys: Object.keys(payload) });
+            throw new McpError(BaseErrorCode.UNAUTHORIZED, "Token must contain valid, non-empty scopes.");
+        }
+        const clientId = typeof payload.client_id === "string" ? payload.client_id : undefined;
+        if (!clientId) {
+            logger.warning("Authentication failed: OAuth token 'client_id' claim is missing or not a string.", { ...context, jwtPayloadKeys: Object.keys(payload) });
+            throw new McpError(BaseErrorCode.UNAUTHORIZED, "Invalid token, missing client identifier.");
+        }
+        const authInfo = {
+            token,
+            clientId,
+            scopes,
+            subject: typeof payload.sub === "string" ? payload.sub : undefined,
+        };
+        // Attach to the raw request for potential legacy compatibility and
+        // store in AsyncLocalStorage for modern, safe access in handlers.
+        c.env.incoming.auth = authInfo;
+        await authContext.run({ authInfo }, next);
+    }
+    catch (error) {
+        if (error instanceof Error && error.name === "JWTExpired") {
+            logger.warning("Authentication failed: OAuth token expired.", context);
+            throw new McpError(BaseErrorCode.UNAUTHORIZED, "Token expired.");
+        }
+        const handledError = ErrorHandler.handleError(error, {
+            operation: "oauthMiddleware",
+            context,
+            rethrow: false, // We will throw a new McpError below
+        });
+        // Ensure we always throw an McpError for consistency
+        if (handledError instanceof McpError) {
+            throw handledError;
+        }
+        else {
+            throw new McpError(BaseErrorCode.UNAUTHORIZED, `Unauthorized: ${handledError.message || "Invalid token"}`, { originalError: handledError.name });
+        }
+    }
+}

package/dist/mcp-server/transports/httpErrorHandler.js

@@ -0,0 +1,73 @@
+/**
+ * @fileoverview Centralized error handler for the Hono HTTP transport.
+ * This middleware intercepts errors that occur during request processing,
+ * standardizes them using the application's ErrorHandler utility, and
+ * formats them into a consistent JSON-RPC error response.
+ * @module src/mcp-server/transports/httpErrorHandler
+ */
+import { BaseErrorCode, McpError } from "../../types-global/errors.js";
+import { ErrorHandler, requestContextService } from "../../utils/index.js";
+/**
+ * A centralized error handling middleware for Hono.
+ * This function is registered with `app.onError()` and will catch any errors
+ * thrown from preceding middleware or route handlers.
+ *
+ * @param err - The error that was thrown.
+ * @param c - The Hono context object for the request.
+ * @returns A Response object containing the formatted JSON-RPC error.
+ */
+export const httpErrorHandler = async (err, c) => {
+    const context = requestContextService.createRequestContext({
+        operation: "httpErrorHandler",
+        path: c.req.path,
+        method: c.req.method,
+    });
+    const handledError = ErrorHandler.handleError(err, {
+        operation: "httpTransport",
+        context,
+    });
+    let status = 500;
+    if (handledError instanceof McpError) {
+        switch (handledError.code) {
+            case BaseErrorCode.NOT_FOUND:
+                status = 404;
+                break;
+            case BaseErrorCode.UNAUTHORIZED:
+                status = 401;
+                break;
+            case BaseErrorCode.FORBIDDEN:
+                status = 403;
+                break;
+            case BaseErrorCode.VALIDATION_ERROR:
+                status = 400;
+                break;
+            case BaseErrorCode.CONFLICT:
+                status = 409;
+                break;
+            case BaseErrorCode.RATE_LIMITED:
+                status = 429;
+                break;
+            default:
+                status = 500;
+        }
+    }
+    // Attempt to get the request ID from the body, but don't fail if it's not there or unreadable.
+    let requestId = null;
+    try {
+        const body = await c.req.json();
+        requestId = body?.id || null;
+    }
+    catch {
+        // Ignore parsing errors, requestId will remain null
+    }
+    const errorCode = handledError instanceof McpError ? handledError.code : -32603;
+    c.status(status);
+    return c.json({
+        jsonrpc: "2.0",
+        error: {
+            code: errorCode,
+            message: handledError.message,
+        },
+        id: requestId,
+    });
+};