@cyanheads/git-mcp-server 2.4.8 → 2.5.1

package/README.md

@@ -7,7 +7,7 @@
 
 <div align="center">
 
-[![Version](https://img.shields.io/badge/Version-2.4.8-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--06--18-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-06-18/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.20.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/git-mcp-server/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^5.9.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.2.21-blueviolet.svg?style=flat-square)](https://bun.sh/)
+[![Version](https://img.shields.io/badge/Version-2.4.9-blue.svg?style=flat-square)](./CHANGELOG.md) [![MCP Spec](https://img.shields.io/badge/MCP%20Spec-2025--06--18-8A2BE2.svg?style=flat-square)](https://github.com/modelcontextprotocol/modelcontextprotocol/blob/main/docs/specification/2025-06-18/changelog.mdx) [![MCP SDK](https://img.shields.io/badge/MCP%20SDK-^1.20.0-green.svg?style=flat-square)](https://modelcontextprotocol.io/) [![License](https://img.shields.io/badge/License-Apache%202.0-orange.svg?style=flat-square)](./LICENSE) [![Status](https://img.shields.io/badge/Status-Stable-brightgreen.svg?style=flat-square)](https://github.com/cyanheads/git-mcp-server/issues) [![TypeScript](https://img.shields.io/badge/TypeScript-^5.9.3-3178C6.svg?style=flat-square)](https://www.typescriptlang.org/) [![Bun](https://img.shields.io/badge/Bun-v1.2.21-blueviolet.svg?style=flat-square)](https://bun.sh/)
 
 </div>
 
@@ -73,7 +73,7 @@ Add the following to your MCP Client configuration file (e.g., `cline_mcp_settin
       "env": {
         "MCP_TRANSPORT_TYPE": "stdio",
         "MCP_LOG_LEVEL": "info",
-        "GIT_MCP_BASE_DIR": "~/Developer/",
+        "GIT_BASE_DIR": "~/Developer/",
         "LOGS_DIR": "~/Developer/logs/git-mcp-server/",
         "GIT_USERNAME": "cyanheads",
         "GIT_EMAIL": "casey@caseyjhand.com",
@@ -96,7 +96,7 @@ Add the following to your MCP Client configuration file (e.g., `cline_mcp_settin
       "env": {
         "MCP_TRANSPORT_TYPE": "stdio",
         "MCP_LOG_LEVEL": "info",
-        "GIT_MCP_BASE_DIR": "~/Developer/",
+        "GIT_BASE_DIR": "~/Developer/",
         "LOGS_DIR": "~/Developer/logs/git-mcp-server/",
         "GIT_USERNAME": "cyanheads",
         "GIT_EMAIL": "casey@caseyjhand.com",
@@ -133,8 +133,9 @@ Plus, specialized features for **Git integration**:
 - **Optimized Git Execution**: Direct git CLI interaction with cross-runtime support for high-performance process management, streaming I/O, and timeout handling (current CLI provider).
 - **Comprehensive Coverage**: 27 tools covering all essential Git operations from init to push.
 - **Working Directory Management**: Session-specific directory context for multi-repo workflows.
+- **Configurable Git Identity**: Override author/committer information via environment variables with automatic fallback to global git config.
 - **Safety Features**: Explicit confirmations for destructive operations like `git clean` and `git reset --hard`.
-- **Commit Signing**: Optional GPG/SSH signing support for verified commits.
+- **Commit Signing**: Optional GPG/SSH signing support for all commit-creating operations (commits, merges, rebases, cherry-picks, and tags).
 
 ### Development Environment Setup
 
@@ -190,7 +191,9 @@ All configuration is centralized and validated at startup in `src/config/index.t
 | `STORAGE_PROVIDER_TYPE`        | Storage backend: `in-memory`, `filesystem`, `supabase`, `cloudflare-kv`, `r2`.                                                                            | `in-memory` |
 | `OTEL_ENABLED`                 | Set to `true` to enable OpenTelemetry.                                                                                                                    | `false`     |
 | `MCP_LOG_LEVEL`                | The minimum level for logging (`debug`, `info`, `warn`, `error`).                                                                                         | `info`      |
-| `GIT_SIGN_COMMITS`             | Set to `"true"` to enable GPG/SSH signing for commits. Requires server-side Git configuration.                                                            | `false`     |
+| `GIT_SIGN_COMMITS`             | Set to `"true"` to enable GPG/SSH signing for all commits, merges, rebases, cherry-picks, and tags. Requires GPG/SSH configuration.                       | `false`     |
+| `GIT_AUTHOR_NAME`              | Git author name. Aliases: `GIT_USERNAME`, `GIT_USER`. Falls back to global git config if not set.                                                         | `(none)`    |
+| `GIT_AUTHOR_EMAIL`             | Git author email. Aliases: `GIT_EMAIL`, `GIT_USER_EMAIL`. Falls back to global git config if not set.                                                     | `(none)`    |
 | `GIT_BASE_DIR`                 | Optional absolute path to restrict all git operations to a specific directory tree. Provides security sandboxing for multi-tenant or shared environments. | `(none)`    |
 | `GIT_WRAPUP_INSTRUCTIONS_PATH` | Optional path to custom markdown file with Git workflow instructions.                                                                                     | `(none)`    |
 | `MCP_AUTH_SECRET_KEY`          | **Required for `jwt` auth.** A 32+ character secret key.                                                                                                  | `(none)`    |

package/dist/index.js

@@ -4,6 +4,7 @@ var __create = Object.create;
 var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
 var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
 var __toESM = (mod2, isNodeMode, target) => {
   target = mod2 != null ? __create(__getProtoOf(mod2)) : {};
@@ -16,6 +17,20 @@ var __toESM = (mod2, isNodeMode, target) => {
       });
   return to;
 };
+var __moduleCache = /* @__PURE__ */ new WeakMap;
+var __toCommonJS = (from) => {
+  var entry = __moduleCache.get(from), desc;
+  if (entry)
+    return entry;
+  entry = __defProp({}, "__esModule", { value: true });
+  if (from && typeof from === "object" || typeof from === "function")
+    __getOwnPropNames(from).map((key) => !__hasOwnProp.call(entry, key) && __defProp(entry, key, {
+      get: () => from[key],
+      enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+    }));
+  __moduleCache.set(from, entry);
+  return entry;
+};
 var __commonJS = (cb, mod2) => () => (mod2 || cb((mod2 = { exports: {} }).exports, mod2), mod2.exports);
 var __export = (target, all) => {
   for (var name in all)
@@ -4246,7 +4261,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@cyanheads/git-mcp-server",
-    version: "2.4.7",
+    version: "2.5.1",
     mcpName: "io.github.cyanheads/git-mcp-server",
     description: "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
     main: "dist/index.js",
@@ -4312,33 +4327,12 @@ var init_package = __esm(() => {
       zod: "3.23.8",
       typescript: "5.9.3"
     },
-    dependencies: {
+    devDependencies: {
+      "@cloudflare/workers-types": "^4.20251011.0",
+      "@eslint/js": "^9.37.0",
       "@hono/mcp": "^0.1.4",
       "@hono/node-server": "^1.19.5",
       "@modelcontextprotocol/sdk": "^1.20.0",
-      "@supabase/supabase-js": "^2.75.0",
-      axios: "^1.12.2",
-      "chrono-node": "^2.9.0",
-      dotenv: "^17.2.3",
-      "fast-xml-parser": "^5.3.0",
-      hono: "^4.9.12",
-      ignore: "^7.0.5",
-      jose: "^6.1.0",
-      "js-yaml": "^4.1.0",
-      "node-cron": "^4.2.1",
-      openai: "^6.3.0",
-      papaparse: "^5.5.3",
-      "partial-json": "^0.1.7",
-      "pdf-lib": "^1.17.1",
-      pino: "^10.0.0",
-      "pino-pretty": "^13.1.2",
-      "reflect-metadata": "^0.2.2",
-      repomix: "^1.7.0",
-      "sanitize-html": "^2.17.0",
-      tslib: "^2.8.1",
-      tsyringe: "^4.10.0",
-      validator: "13.15.15",
-      zod: "^3.23.8",
       "@opentelemetry/api": "^1.9.0",
       "@opentelemetry/auto-instrumentations-node": "^0.65.0",
       "@opentelemetry/exporter-metrics-otlp-http": "^0.206.0",
@@ -4348,11 +4342,8 @@ var init_package = __esm(() => {
       "@opentelemetry/sdk-metrics": "^2.1.0",
       "@opentelemetry/sdk-node": "^0.206.0",
       "@opentelemetry/sdk-trace-node": "^2.1.0",
-      "@opentelemetry/semantic-conventions": "^1.37.0"
-    },
-    devDependencies: {
-      "@cloudflare/workers-types": "^4.20251011.0",
-      "@eslint/js": "^9.37.0",
+      "@opentelemetry/semantic-conventions": "^1.37.0",
+      "@supabase/supabase-js": "^2.75.0",
       "@types/bun": "^1.3.0",
       "@types/js-yaml": "^4.0.9",
       "@types/node": "^24.7.2",
@@ -4363,21 +4354,43 @@ var init_package = __esm(() => {
       "@vitest/coverage-v8": "3.2.4",
       ajv: "^8.17.1",
       "ajv-formats": "^3.0.1",
+      axios: "^1.12.2",
       "bun-types": "^1.3.0",
+      "chrono-node": "^2.9.0",
       clipboardy: "^5.0.0",
       depcheck: "^1.4.7",
+      dotenv: "^17.2.3",
       eslint: "^9.37.0",
       execa: "^9.6.0",
+      "fast-xml-parser": "^5.3.0",
       globals: "^16.4.0",
+      hono: "^4.9.12",
       husky: "^9.1.7",
+      ignore: "^7.0.5",
+      jose: "^6.1.0",
+      "js-yaml": "^4.1.0",
       msw: "^2.11.5",
+      "node-cron": "^4.2.1",
+      openai: "^6.3.0",
+      papaparse: "^5.5.3",
+      "partial-json": "^0.1.7",
+      "pdf-lib": "^1.17.1",
+      pino: "^10.0.0",
+      "pino-pretty": "^13.1.2",
       prettier: "^3.6.2",
+      "reflect-metadata": "^0.2.2",
+      repomix: "^1.7.0",
+      "sanitize-html": "^2.17.0",
+      tslib: "^2.8.1",
+      tsyringe: "^4.10.0",
       typedoc: "^0.28.14",
       typescript: "^5.9.3",
       "typescript-eslint": "8.46.0",
+      validator: "13.15.15",
       vite: "7.1.9",
       "vite-tsconfig-paths": "^5.1.4",
-      vitest: "^3.2.4"
+      vitest: "^3.2.4",
+      zod: "^3.23.8"
     },
     keywords: [
       "ai-agent",
@@ -4574,6 +4587,10 @@ var import_dotenv, packageManifest, hasFileSystemAccess, emptyStringAsUndefined
     git: {
       provider: env.GIT_PROVIDER,
       signCommits: env.GIT_SIGN_COMMITS,
+      authorName: env.GIT_AUTHOR_NAME || env.GIT_USERNAME || env.GIT_USER || undefined,
+      authorEmail: env.GIT_AUTHOR_EMAIL || env.GIT_EMAIL || env.GIT_USER_EMAIL || undefined,
+      committerName: env.GIT_COMMITTER_NAME || env.GIT_USERNAME || env.GIT_USER || undefined,
+      committerEmail: env.GIT_COMMITTER_EMAIL || env.GIT_EMAIL || env.GIT_USER_EMAIL || undefined,
       wrapupInstructionsPath: env.GIT_WRAPUP_INSTRUCTIONS_PATH,
       baseDir: env.GIT_BASE_DIR,
       maxCommandTimeoutMs: env.GIT_MAX_COMMAND_TIMEOUT_MS,
@@ -4753,6 +4770,10 @@ var init_config = __esm(() => {
     git: z.object({
       provider: z.preprocess(emptyStringAsUndefined, z.enum(["auto", "cli", "isomorphic"]).default("auto")),
       signCommits: z.coerce.boolean().default(false),
+      authorName: z.string().optional(),
+      authorEmail: z.string().email().optional(),
+      committerName: z.string().optional(),
+      committerEmail: z.string().email().optional(),
       wrapupInstructionsPath: z.preprocess(expandTildePath, z.string().optional()),
       baseDir: z.preprocess((val) => expandTildePath(emptyStringAsUndefined(val)), z.string().refine((path) => !path || path.startsWith("/"), {
         message: 'GIT_BASE_DIR must be an absolute path starting with "/" (tilde expansion is supported)'
@@ -13784,7 +13805,7 @@ var require_propwrap = __commonJS((exports) => {
   Object.defineProperty(exports, "__esModule", { value: true });
   exports.propwrap = undefined;
   var __defProp2 = Object.defineProperty;
-  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+  var __getOwnPropDesc2 = Object.getOwnPropertyDescriptor;
   var __hasOwnProp2 = Object.prototype.hasOwnProperty;
   var __getOwnPropNames2 = Object.getOwnPropertyNames;
   var __copyProps = (to, from, except, desc) => {
@@ -13793,7 +13814,7 @@ var require_propwrap = __commonJS((exports) => {
         if (!__hasOwnProp2.call(to, key) && key !== except) {
           __defProp2(to, key, {
             get: () => from[key],
-            enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
+            enumerable: !(desc = __getOwnPropDesc2(from, key)) || desc.enumerable
           });
         }
       }
@@ -13828,7 +13849,7 @@ var require_propwrap = __commonJS((exports) => {
       } else {
         val = namespaces[i + 1];
       }
-      const desc = __getOwnPropDesc(namespace, key);
+      const desc = __getOwnPropDesc2(namespace, key);
       const wrappedNamespace = __defProp2({}, key, {
         value: val,
         enumerable: !desc || desc.enumerable
@@ -151663,6 +151684,14 @@ function buildGitCommand(config2) {
   }
   return parts;
 }
+function loadConfig() {
+  try {
+    const configModule = (init_config(), __toCommonJS(exports_config));
+    return configModule.config;
+  } catch {
+    return null;
+  }
+}
 function buildGitEnv(additionalEnv) {
   const env = { ...process.env };
   Object.assign(env, {
@@ -151670,6 +151699,21 @@ function buildGitEnv(additionalEnv) {
     LANG: "en_US.UTF-8",
     LC_ALL: "en_US.UTF-8"
   });
+  const config2 = loadConfig();
+  if (config2?.git) {
+    if (config2.git.authorName) {
+      env.GIT_AUTHOR_NAME = config2.git.authorName;
+    }
+    if (config2.git.authorEmail) {
+      env.GIT_AUTHOR_EMAIL = config2.git.authorEmail;
+    }
+    if (config2.git.committerName) {
+      env.GIT_COMMITTER_NAME = config2.git.committerName;
+    }
+    if (config2.git.committerEmail) {
+      env.GIT_COMMITTER_EMAIL = config2.git.committerEmail;
+    }
+  }
   if (additionalEnv) {
     Object.assign(env, additionalEnv);
   }
@@ -151732,6 +151776,20 @@ function validateGitArgs(args) {
   }
 }
 
+// src/services/git/providers/cli/utils/config-helper.ts
+function loadConfig2() {
+  try {
+    const configModule = (init_config(), __toCommonJS(exports_config));
+    return configModule.config;
+  } catch {
+    return null;
+  }
+}
+function shouldSignCommits() {
+  const config2 = loadConfig2();
+  return config2?.git?.signCommits ?? false;
+}
+
 // src/services/git/providers/cli/utils/error-mapper.ts
 init_errors();
 var ERROR_PATTERNS = [
@@ -151871,13 +151929,24 @@ function detectRuntime2() {
   }
   return "node";
 }
-async function spawnWithBun(args, cwd, env, timeout) {
+async function spawnWithBun(args, cwd, env, timeout, signal) {
   const bunApi = globalThis.Bun;
+  if (signal?.aborted) {
+    throw new Error(`Git command cancelled before execution: git ${args.join(" ")}`);
+  }
   const proc = bunApi.spawn(["git", ...args], {
     cwd,
     env,
     stdio: ["ignore", "pipe", "pipe"]
   });
+  const abortPromise = new Promise((_, reject) => {
+    if (signal) {
+      signal.addEventListener("abort", () => {
+        proc.kill();
+        reject(new Error(`Git command cancelled: git ${args.join(" ")}`));
+      }, { once: true });
+    }
+  });
   const timeoutPromise = new Promise((_, reject) => {
     const timeoutId = setTimeout(() => {
       proc.kill();
@@ -151885,7 +151954,11 @@ async function spawnWithBun(args, cwd, env, timeout) {
     }, timeout);
     proc.exited.finally(() => clearTimeout(timeoutId));
   });
-  const exitCode = await Promise.race([proc.exited, timeoutPromise]);
+  const exitCode = await Promise.race([
+    proc.exited,
+    timeoutPromise,
+    ...signal ? [abortPromise] : []
+  ]);
   const [stdout, stderr] = await Promise.all([
     proc.stdout.text(),
     proc.stderr.text()
@@ -151898,8 +151971,12 @@ Stdout: ${stdout}`;
   }
   return { stdout, stderr };
 }
-async function spawnWithNode(args, cwd, env, timeout) {
+async function spawnWithNode(args, cwd, env, timeout, signal) {
   return new Promise((resolve, reject) => {
+    if (signal?.aborted) {
+      reject(new Error(`Git command cancelled before execution: ${args.join(" ")}`));
+      return;
+    }
     const proc = spawn("git", args, {
       cwd,
       env,
@@ -151913,16 +151990,29 @@ async function spawnWithNode(args, cwd, env, timeout) {
     proc.stderr.on("data", (chunk) => {
       stderrChunks.push(chunk);
     });
+    const abortHandler = () => {
+      proc.kill("SIGTERM");
+      reject(new Error(`Git command cancelled: ${args.join(" ")}`));
+    };
+    if (signal) {
+      signal.addEventListener("abort", abortHandler, { once: true });
+    }
     const timeoutHandle = setTimeout(() => {
       proc.kill("SIGTERM");
       reject(new Error(`Git command timed out after ${timeout / 1000}s: ${args.join(" ")}`));
     }, timeout);
     proc.on("error", (error) => {
       clearTimeout(timeoutHandle);
+      if (signal) {
+        signal.removeEventListener("abort", abortHandler);
+      }
       reject(error);
     });
     proc.on("close", (exitCode) => {
       clearTimeout(timeoutHandle);
+      if (signal) {
+        signal.removeEventListener("abort", abortHandler);
+      }
       const stdout = Buffer.concat(stdoutChunks).toString("utf-8");
       const stderr = Buffer.concat(stderrChunks).toString("utf-8");
       if (exitCode !== 0) {
@@ -151936,12 +152026,12 @@ Stdout: ${stdout}`;
     });
   });
 }
-async function spawnGitCommand(args, cwd, env, timeout = 60000) {
+async function spawnGitCommand(args, cwd, env, timeout = 60000, signal) {
   const runtime2 = detectRuntime2();
   if (runtime2 === "bun") {
-    return spawnWithBun(args, cwd, env, timeout);
+    return spawnWithBun(args, cwd, env, timeout, signal);
   } else {
-    return spawnWithNode(args, cwd, env, timeout);
+    return spawnWithNode(args, cwd, env, timeout, signal);
   }
 }
 
@@ -152327,7 +152417,8 @@ async function executeCommit(options, context, execGit) {
     if (options.noVerify) {
       args.push("--no-verify");
     }
-    if (options.sign) {
+    const shouldSign = options.sign ?? shouldSignCommits();
+    if (shouldSign) {
       args.push("--gpg-sign");
     }
     if (options.author) {
@@ -152627,6 +152718,10 @@ async function executeMerge(options, context, execGit) {
     if (options.message) {
       args.push("-m", options.message);
     }
+    const shouldSign = options.sign ?? shouldSignCommits();
+    if (shouldSign) {
+      args.push("-S");
+    }
     const cmd = buildGitCommand({ command: "merge", args });
     const result = await execGit(cmd, context.workingDirectory, context.requestContext);
     const hasConflicts = result.stdout.includes("CONFLICT") || result.stderr.includes("CONFLICT");
@@ -152706,6 +152801,10 @@ async function executeRebase(options, context, execGit) {
       if (options.preserve) {
         args.push("--preserve-merges");
       }
+      const shouldSign = options.sign ?? shouldSignCommits();
+      if (shouldSign) {
+        args.push("--gpg-sign");
+      }
     }
     const cmd = buildGitCommand({ command: "rebase", args });
     const result = await execGit(cmd, context.workingDirectory, context.requestContext);
@@ -152741,6 +152840,10 @@ async function executeCherryPick(options, context, execGit) {
       if (options.noCommit) {
         args.push("--no-commit");
       }
+      const shouldSign = options.sign ?? shouldSignCommits();
+      if (shouldSign) {
+        args.push("--gpg-sign");
+      }
     }
     const cmd = buildGitCommand({ command: "cherry-pick", args });
     const result = await execGit(cmd, context.workingDirectory, context.requestContext);
@@ -153041,7 +153144,11 @@ async function executeTag(options, context, execGit) {
           throw new Error("Tag name is required for create operation");
         }
         args.push(options.tagName);
-        if (options.message && options.annotated) {
+        const shouldSign = options.sign ?? shouldSignCommits();
+        if (shouldSign) {
+          const message = options.message || `Tag ${options.tagName}`;
+          args.push("-s", "-m", message);
+        } else if (options.message && options.annotated) {
           args.push("-a", "-m", options.message);
         }
         if (options.commit) {
@@ -172049,6 +172156,163 @@ var httpErrorHandler = async (err, c) => {
   return c.json(errorResponse);
 };
 
+// src/mcp-server/transports/http/sessionManager.ts
+init_utils();
+
+class SessionManager {
+  static instance = null;
+  sessions = new Map;
+  cleanupIntervalId = null;
+  staleTimeoutMs;
+  cleanupIntervalMs;
+  constructor(staleTimeoutMs = 30 * 60 * 1000, cleanupIntervalMs = 5 * 60 * 1000) {
+    this.staleTimeoutMs = staleTimeoutMs;
+    this.cleanupIntervalMs = cleanupIntervalMs;
+    this.startCleanupInterval();
+  }
+  static getInstance(staleTimeoutMs, cleanupIntervalMs) {
+    if (!SessionManager.instance) {
+      SessionManager.instance = new SessionManager(staleTimeoutMs, cleanupIntervalMs);
+    }
+    return SessionManager.instance;
+  }
+  static resetInstance() {
+    if (SessionManager.instance) {
+      SessionManager.instance.stopCleanupInterval();
+      SessionManager.instance = null;
+    }
+  }
+  createSession(sessionId, clientId, tenantId) {
+    const now2 = Date.now();
+    const metadata = {
+      sessionId,
+      createdAt: now2,
+      lastActivityAt: now2,
+      ...clientId !== undefined && { clientId },
+      ...tenantId !== undefined && { tenantId }
+    };
+    this.sessions.set(sessionId, metadata);
+    logger.debug("Created new MCP session", {
+      ...requestContextService.createRequestContext({
+        operation: "SessionManager.createSession"
+      }),
+      sessionId,
+      ...clientId !== undefined && { clientId },
+      ...tenantId !== undefined && { tenantId },
+      totalSessions: this.sessions.size
+    });
+    return sessionId;
+  }
+  isSessionValid(sessionId) {
+    const session = this.sessions.get(sessionId);
+    if (!session) {
+      return false;
+    }
+    const now2 = Date.now();
+    const age = now2 - session.lastActivityAt;
+    if (age > this.staleTimeoutMs) {
+      logger.info("Session expired due to inactivity", {
+        ...requestContextService.createRequestContext({
+          operation: "SessionManager.isSessionValid"
+        }),
+        sessionId,
+        ageMs: age,
+        staleTimeoutMs: this.staleTimeoutMs
+      });
+      this.sessions.delete(sessionId);
+      return false;
+    }
+    return true;
+  }
+  touchSession(sessionId) {
+    const session = this.sessions.get(sessionId);
+    if (session) {
+      session.lastActivityAt = Date.now();
+    }
+  }
+  terminateSession(sessionId) {
+    const existed = this.sessions.has(sessionId);
+    this.sessions.delete(sessionId);
+    if (existed) {
+      logger.info("Session explicitly terminated", {
+        ...requestContextService.createRequestContext({
+          operation: "SessionManager.terminateSession"
+        }),
+        sessionId,
+        remainingSessions: this.sessions.size
+      });
+    }
+    return existed;
+  }
+  getSessionMetadata(sessionId) {
+    if (!this.isSessionValid(sessionId)) {
+      return null;
+    }
+    return this.sessions.get(sessionId) ?? null;
+  }
+  getActiveSessionCount() {
+    return this.sessions.size;
+  }
+  startCleanupInterval() {
+    if (this.cleanupIntervalId) {
+      return;
+    }
+    this.cleanupIntervalId = setInterval(() => {
+      this.cleanupStaleSessions();
+    }, this.cleanupIntervalMs);
+    logger.info("Session cleanup interval started", {
+      ...requestContextService.createRequestContext({
+        operation: "SessionManager.startCleanupInterval"
+      }),
+      cleanupIntervalMs: this.cleanupIntervalMs,
+      staleTimeoutMs: this.staleTimeoutMs
+    });
+  }
+  stopCleanupInterval() {
+    if (this.cleanupIntervalId) {
+      clearInterval(this.cleanupIntervalId);
+      this.cleanupIntervalId = null;
+      logger.info("Session cleanup interval stopped", {
+        ...requestContextService.createRequestContext({
+          operation: "SessionManager.stopCleanupInterval"
+        })
+      });
+    }
+  }
+  cleanupStaleSessions() {
+    const now2 = Date.now();
+    const sessionsBefore = this.sessions.size;
+    let removedCount = 0;
+    for (const [sessionId, metadata] of this.sessions.entries()) {
+      const age = now2 - metadata.lastActivityAt;
+      if (age > this.staleTimeoutMs) {
+        this.sessions.delete(sessionId);
+        removedCount++;
+      }
+    }
+    if (removedCount > 0) {
+      logger.notice("Cleaned up stale sessions", {
+        ...requestContextService.createRequestContext({
+          operation: "SessionManager.cleanupStaleSessions"
+        }),
+        removedCount,
+        sessionsBefore,
+        sessionsAfter: this.sessions.size
+      });
+    }
+  }
+  clearAllSessions() {
+    const count = this.sessions.size;
+    this.sessions.clear();
+    logger.warning("All sessions cleared", {
+      ...requestContextService.createRequestContext({
+        operation: "SessionManager.clearAllSessions"
+      }),
+      clearedCount: count
+    });
+  }
+}
+
 // src/mcp-server/transports/http/httpTransport.ts
 init_utils();
 
@@ -172065,6 +172329,11 @@ function createHttpApp(mcpServer, parentContext) {
     ...parentContext,
     component: "HttpTransportSetup"
   };
+  const sessionManager = SessionManager.getInstance(config.mcpStatefulSessionStaleTimeoutMs);
+  logger.info("Session manager initialized", {
+    ...transportContext,
+    staleTimeoutMs: config.mcpStatefulSessionStaleTimeoutMs
+  });
   const allowedOrigin = Array.isArray(config.mcpAllowedOrigins) && config.mcpAllowedOrigins.length > 0 ? config.mcpAllowedOrigins : "*";
   app.use("*", cors({
     origin: allowedOrigin,
@@ -172113,6 +172382,35 @@ function createHttpApp(mcpServer, parentContext) {
   } else {
     logger.info("Authentication is disabled; MCP endpoint is unprotected.", transportContext);
   }
+  app.delete(config.mcpHttpEndpointPath, (c) => {
+    const sessionId = c.req.header("mcp-session-id");
+    if (!sessionId) {
+      return c.json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32600,
+          message: "Mcp-Session-Id header required for DELETE"
+        },
+        id: null
+      }, 400);
+    }
+    const terminated = sessionManager.terminateSession(sessionId);
+    if (!terminated) {
+      return c.json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32001,
+          message: "Session not found or already expired"
+        },
+        id: null
+      }, 404);
+    }
+    logger.info("Session terminated via DELETE", {
+      ...transportContext,
+      sessionId
+    });
+    return c.body(null, 204);
+  });
   app.all(config.mcpHttpEndpointPath, async (c) => {
     const protocolVersion = c.req.header("mcp-protocol-version") ?? "2025-03-26";
     logger.debug("Handling MCP request.", {
@@ -172128,12 +172426,50 @@ function createHttpApp(mcpServer, parentContext) {
         protocolVersion,
         supportedVersions
       });
+      return c.json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32600,
+          message: `Unsupported MCP protocol version: ${protocolVersion}`,
+          data: {
+            requested: protocolVersion,
+            supported: supportedVersions
+          }
+        },
+        id: null
+      }, 400);
     }
     const sessionId = c.req.header("mcp-session-id") ?? randomUUID();
+    if (c.req.header("mcp-session-id") && !sessionManager.isSessionValid(sessionId)) {
+      logger.warning("Invalid or expired session ID", {
+        ...transportContext,
+        sessionId
+      });
+      return c.json({
+        jsonrpc: "2.0",
+        error: {
+          code: -32001,
+          message: "Session expired or invalid. Please reinitialize."
+        },
+        id: null
+      }, 404);
+    }
+    if (!c.req.header("mcp-session-id")) {
+      logger.debug("New session will be created", {
+        ...transportContext,
+        sessionId
+      });
+    } else {
+      sessionManager.touchSession(sessionId);
+    }
     const transport = new McpSessionTransport(sessionId);
     const handleRpc = async () => {
       await mcpServer.connect(transport);
       const response = await transport.handleRequest(c);
+      if (response && !c.req.header("mcp-session-id")) {
+        const store = authContext.getStore();
+        sessionManager.createSession(sessionId, store?.authInfo.clientId, store?.authInfo.tenantId);
+      }
       if (response) {
         return response;
       }
@@ -172229,6 +172565,9 @@ async function stopHttpTransport(server, parentContext) {
     transportType: "Http"
   };
   logger.info("Attempting to stop http transport...", operationContext);
+  const sessionManager = SessionManager.getInstance();
+  sessionManager.stopCleanupInterval();
+  logger.info("Session cleanup interval stopped", operationContext);
   return new Promise((resolve, reject) => {
     server.close((err) => {
       if (err) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyanheads/git-mcp-server",
-  "version": "2.4.8",
+  "version": "2.5.1",
   "mcpName": "io.github.cyanheads/git-mcp-server",
   "description": "A secure and scalable Git MCP server enabling AI agents to perform comprehensive Git version control operations via STDIO and Streamable HTTP.",
   "main": "dist/index.js",
@@ -66,33 +66,12 @@
     "zod": "3.23.8",
     "typescript": "5.9.3"
   },
-  "dependencies": {
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20251011.0",
+    "@eslint/js": "^9.37.0",
     "@hono/mcp": "^0.1.4",
     "@hono/node-server": "^1.19.5",
     "@modelcontextprotocol/sdk": "^1.20.0",
-    "@supabase/supabase-js": "^2.75.0",
-    "axios": "^1.12.2",
-    "chrono-node": "^2.9.0",
-    "dotenv": "^17.2.3",
-    "fast-xml-parser": "^5.3.0",
-    "hono": "^4.9.12",
-    "ignore": "^7.0.5",
-    "jose": "^6.1.0",
-    "js-yaml": "^4.1.0",
-    "node-cron": "^4.2.1",
-    "openai": "^6.3.0",
-    "papaparse": "^5.5.3",
-    "partial-json": "^0.1.7",
-    "pdf-lib": "^1.17.1",
-    "pino": "^10.0.0",
-    "pino-pretty": "^13.1.2",
-    "reflect-metadata": "^0.2.2",
-    "repomix": "^1.7.0",
-    "sanitize-html": "^2.17.0",
-    "tslib": "^2.8.1",
-    "tsyringe": "^4.10.0",
-    "validator": "13.15.15",
-    "zod": "^3.23.8",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/auto-instrumentations-node": "^0.65.0",
     "@opentelemetry/exporter-metrics-otlp-http": "^0.206.0",
@@ -102,11 +81,8 @@
     "@opentelemetry/sdk-metrics": "^2.1.0",
     "@opentelemetry/sdk-node": "^0.206.0",
     "@opentelemetry/sdk-trace-node": "^2.1.0",
-    "@opentelemetry/semantic-conventions": "^1.37.0"
-  },
-  "devDependencies": {
-    "@cloudflare/workers-types": "^4.20251011.0",
-    "@eslint/js": "^9.37.0",
+    "@opentelemetry/semantic-conventions": "^1.37.0",
+    "@supabase/supabase-js": "^2.75.0",
     "@types/bun": "^1.3.0",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^24.7.2",
@@ -117,21 +93,43 @@
     "@vitest/coverage-v8": "3.2.4",
     "ajv": "^8.17.1",
     "ajv-formats": "^3.0.1",
+    "axios": "^1.12.2",
     "bun-types": "^1.3.0",
+    "chrono-node": "^2.9.0",
     "clipboardy": "^5.0.0",
     "depcheck": "^1.4.7",
+    "dotenv": "^17.2.3",
     "eslint": "^9.37.0",
     "execa": "^9.6.0",
+    "fast-xml-parser": "^5.3.0",
     "globals": "^16.4.0",
+    "hono": "^4.9.12",
     "husky": "^9.1.7",
+    "ignore": "^7.0.5",
+    "jose": "^6.1.0",
+    "js-yaml": "^4.1.0",
     "msw": "^2.11.5",
+    "node-cron": "^4.2.1",
+    "openai": "^6.3.0",
+    "papaparse": "^5.5.3",
+    "partial-json": "^0.1.7",
+    "pdf-lib": "^1.17.1",
+    "pino": "^10.0.0",
+    "pino-pretty": "^13.1.2",
     "prettier": "^3.6.2",
+    "reflect-metadata": "^0.2.2",
+    "repomix": "^1.7.0",
+    "sanitize-html": "^2.17.0",
+    "tslib": "^2.8.1",
+    "tsyringe": "^4.10.0",
     "typedoc": "^0.28.14",
     "typescript": "^5.9.3",
     "typescript-eslint": "8.46.0",
+    "validator": "13.15.15",
     "vite": "7.1.9",
     "vite-tsconfig-paths": "^5.1.4",
-    "vitest": "^3.2.4"
+    "vitest": "^3.2.4",
+    "zod": "^3.23.8"
   },
   "keywords": [
     "ai-agent",