@debian777/kairos-mcp 3.0.1-beta.6

package/dist/http/http-auth-callback.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth-callback.js","sourceRoot":"","sources":["../../src/http/http-auth-callback.ts"],"names":[],"mappings":"AAKA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,qBAAqB,EACrB,cAAc,EACd,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,mBAAmB,EACpB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AACjE,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,2BAA2B,CAAC;AAE/E,SAAS,WAAW,CAAC,OAMpB;IACC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC9E,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAC/F,OAAO,GAAG,UAAU,IAAI,GAAG,EAAE,CAAC;AAChC,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC5C,MAAM,OAAO,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC;IACnE,OAAO,OAAO,OAAO,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,SAAS,CAAC;AAC3D,CAAC;AAED,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;CAoBzB,CAAC;AAEF,MAAM,oBAAoB,GAAG;;;;;;;;;;;;;;;;;;;;CAoB5B,CAAC;AAEF,uGAAuG;AACvG,MAAM,oBAAoB,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,KAAc,EAAE,CAAC;AAErF,MAAM,UAAU,iBAAiB,CAAC,GAAoB;IACpD,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QACxD,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC1D,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QACvD,GAAG,CAAC,WAAW,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;QAC3D,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,IAAa,EAAE,GAAa,EAAE,EAAE;QAC3D,GAAG,CAAC,SAAS,CAAC,cAAc,EAAE,0BAA0B,CAAC,CAAC;QAC1D,GAAG,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,GAAG,CAAC,GAAG,CAAC,gBAAgB,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC9D,IAAI,CAAC,YAAY,IAAI,CAAC,YAAY,IAAI,CAAC,cAAc,IAAI,CAAC,sBAAsB,EAAE,CAAC;YACjF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,qBAAqB;gBAC5B,OAAO,EAAE,yHAAyH;aACnI,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC,KAA0C,CAAC;QACvE,IAAI,CAAC,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YACpB,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,aAAa,EAAE,CAAC;QAC9B,MAAM,KAAK,GAAG,KAAK,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC/B,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACpB,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,gBAAgB,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;YACjE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,uBAAuB,CAAC,CAAC;YAC3C,OAAO;QACT,CAAC;QACD,MAAM,YAAY,GAAG,CAAC,qBAAqB,IAAI,YAAY,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAChF,MAAM,WAAW,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC;QACjF,MAAM,IAAI,GAAG,IAAI,eAAe,CAAC;YAC/B,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,kBAAkB;YAC7B,IAAI;YACJ,YAAY,EAAE,WAAW;YACzB,aAAa,EAAE,KAAK,CAAC,YAAY;SAClC,CAAC,CAAC;QACH,IAAI,QAA6B,CAAC;QAClC,IAAI,CAAC;YACH,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,YAAY,WAAW,cAAc,gCAAgC,EAAE;gBAC/F,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;gBAChE,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE;aACtB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,gBAAgB,CAAC,KAAK,CAAC,qCAAqC,EAAE,GAAG,CAAC,CAAC;YACnE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAC;YAClD,OAAO;QACT,CAAC;QACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;YACnC,gBAAgB,CAAC,IAAI,CAAC,8BAA8B,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;YAC/G,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAiD,CAAC;QACvF,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,MAAM,WAAW,GAAG,MAAM,CAAC,YAAY,CAAC;QACxC,MAAM,aAAa,GAAG,OAAO,IAAI,WAAW,CAAC;QAC7C,IAAI,CAAC,aAAa,IAAI,OAAO,aAAa,KAAK,QAAQ,EAAE,CAAC;YACxD,gBAAgB,CAAC,IAAI,CAAC,wDAAwD,CAAC,CAAC;YAChF,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;YACvC,OAAO;QACT,CAAC;QACD,IAAI,GAAG,GAAkB,IAAI,CAAC;QAC9B,IAAI,MAAM,GAAa,EAAE,CAAC;QAC1B,IAAI,KAAK,GAAG,cAAc,CAAC;QAC3B,IAAI,SAA+B,CAAC;QACpC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC5C,MAAM,OAAO,GAAG,OAAO;gBACrB,CAAC,CAAE,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAMtD;gBACJ,CAAC,CAAC,IAAI,CAAC;YACT,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC5E,gBAAgB,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;gBACzE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAC;gBAC/C,OAAO;YACT,CAAC;YACD,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YAClB,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC;gBAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;iBACxG,IAAI,OAAO,CAAC,YAAY,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC;gBACxE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC;YACxF,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ;gBAAE,KAAK,GAAG,eAAe,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;YAC1E,MAAM,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC;YAC5B,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;gBACrB,MAAM,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;gBAChF,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;oBAAE,SAAS,GAAG,GAAG,CAAC;YACtC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gBAAgB,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;YACnE,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,+BAA+B,CAAC,CAAC;YACnD,OAAO;QACT,CAAC;QACD,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;YACjB,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,2BAA2B,CAAC,CAAC;YAC/C,OAAO;QACT,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,mBAAmB,CAAC;QAChE,MAAM,cAAc,GAAwF;YAC1G,GAAG;YACH,MAAM;YACN,KAAK;YACL,GAAG;SACJ,CAAC;QACF,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,cAAc,CAAC,SAAS,GAAG,SAAS,CAAC;QAC5E,MAAM,WAAW,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;QAChD,GAAG,CAAC,SAAS,CAAC,YAAY,EAAE;YAC1B,GAAG,mBAAmB,IAAI,kBAAkB,CAAC,WAAW,CAAC,6CAA6C,mBAAmB,EAAE;SAC5H,CAAC,CAAC;QACH,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,eAAe,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/http/http-auth-middleware.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Auth middleware: when AUTH_ENABLED, require session or Bearer for /api and /mcp.
+ * Unauthenticated browser GET -> redirect to Keycloak; otherwise 401 with login_url.
+ * When AUTH_MODE=oidc_bearer, Bearer tokens are validated (issuer, audience, exp); req.auth is set from session or validated Bearer.
+ */
+import type { Request, Response, NextFunction } from 'express';
+import { type AuthPayload } from './bearer-validate.js';
+import { type SpaceContext } from '../utils/tenant-context.js';
+export type { AuthPayload };
+declare const SESSION_COOKIE_NAME = "kairos_session";
+interface StateEntry {
+    codeVerifier: string;
+    createdAt: number;
+}
+export declare function setWwwAuthenticate(res: Response, opts?: {
+    error?: 'invalid_token';
+    error_description?: string;
+}): void;
+declare global {
+    namespace Express {
+        interface Request {
+            auth?: AuthPayload;
+            spaceContext?: SpaceContext;
+        }
+    }
+}
+export declare function authMiddleware(req: Request, res: Response, next: NextFunction): Promise<void>;
+export declare function getStateStore(): Map<string, StateEntry>;
+export { SESSION_COOKIE_NAME };
+//# sourceMappingURL=http-auth-middleware.d.ts.map

package/dist/http/http-auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth-middleware.d.ts","sourceRoot":"","sources":["../../src/http/http-auth-middleware.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAa/D,OAAO,EAAuB,KAAK,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAwC,KAAK,YAAY,EAAE,MAAM,4BAA4B,CAAC;AAGrG,YAAY,EAAE,WAAW,EAAE,CAAC;AAE5B,QAAA,MAAM,mBAAmB,mBAAmB,CAAC;AAG7C,UAAU,UAAU;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;CACnB;AAmGD,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,QAAQ,EAAE,IAAI,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,eAAe,CAAC;IAAC,iBAAiB,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAGtH;AAED,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,OAAO,CAAC;QAChB,UAAU,OAAO;YACf,IAAI,CAAC,EAAE,WAAW,CAAC;YACnB,YAAY,CAAC,EAAE,YAAY,CAAC;SAC7B;KACF;CACF;AAED,wBAAsB,cAAc,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,CA6HnG;AAED,wBAAgB,aAAa,IAAI,GAAG,CAAC,MAAM,EAAE,UAAU,CAAC,CAEvD;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/http/http-auth-middleware.js

@@ -0,0 +1,224 @@
+import crypto from 'crypto';
+import { AUTH_ENABLED, KEYCLOAK_URL, KEYCLOAK_REALM, KEYCLOAK_CLIENT_ID, AUTH_CALLBACK_BASE_URL, SESSION_SECRET, AUTH_MODE, AUTH_TRUSTED_ISSUERS, AUTH_ALLOWED_AUDIENCES } from '../config.js';
+import { validateBearerToken } from './bearer-validate.js';
+import { getSpaceContext, runWithSpaceContext } from '../utils/tenant-context.js';
+import { structuredLogger } from '../utils/structured-logger.js';
+const SESSION_COOKIE_NAME = 'kairos_session';
+const STATE_TTL_MS = 600_000; // 10 min
+const stateStore = new Map();
+function pruneStateStore() {
+    const now = Date.now();
+    for (const [k, v] of stateStore.entries()) {
+        if (now - v.createdAt > STATE_TTL_MS)
+            stateStore.delete(k);
+    }
+}
+function buildLoginUrl(state, codeChallenge) {
+    const base = KEYCLOAK_URL.replace(/\/$/, '');
+    const redirectUri = `${AUTH_CALLBACK_BASE_URL.replace(/\/$/, '')}/auth/callback`;
+    const params = new URLSearchParams({
+        client_id: KEYCLOAK_CLIENT_ID,
+        redirect_uri: redirectUri,
+        response_type: 'code',
+        scope: 'openid',
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        // Force login page so a second browser gets a fresh login instead of SSO "already logged in" errors.
+        prompt: 'login'
+    });
+    return `${base}/realms/${KEYCLOAK_REALM}/protocol/openid-connect/auth?${params.toString()}`;
+}
+function getSessionCookie(req) {
+    const raw = req.get('cookie');
+    if (!raw)
+        return null;
+    const match = raw.split(';').map((s) => s.trim()).find((s) => s.startsWith(SESSION_COOKIE_NAME + '='));
+    if (!match)
+        return null;
+    const value = match.slice((SESSION_COOKIE_NAME + '=').length).trim();
+    return value ? decodeURIComponent(value) : null;
+}
+function hasValidSession(req) {
+    return getSessionPayload(req) !== null;
+}
+/** Decode and verify session cookie; returns AuthPayload or null. */
+function getSessionPayload(req) {
+    const cookie = getSessionCookie(req);
+    if (!cookie || !SESSION_SECRET)
+        return null;
+    try {
+        const [payloadB64, sig] = cookie.split('.');
+        if (!payloadB64 || !sig)
+            return null;
+        const expectedSig = crypto.createHmac('sha256', SESSION_SECRET).update(payloadB64).digest('base64url');
+        if (sig !== expectedSig)
+            return null;
+        const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
+        if (payload.exp && payload.exp < Date.now() / 1000)
+            return null;
+        const sub = typeof payload.sub === 'string' ? payload.sub : '';
+        if (!sub)
+            return null;
+        const groups = Array.isArray(payload.groups) ? payload.groups.filter((g) => typeof g === 'string') : [];
+        const realm = typeof payload.realm === 'string' ? payload.realm : 'default';
+        const group_ids = Array.isArray(payload.group_ids)
+            ? payload.group_ids.filter((g) => typeof g === 'string' && g.length > 0)
+            : undefined;
+        const result = { sub, groups, realm };
+        if (group_ids && group_ids.length > 0)
+            result.group_ids = group_ids;
+        return result;
+    }
+    catch {
+        return null;
+    }
+}
+function getBearerToken(req) {
+    const auth = req.get('authorization');
+    if (!auth || !auth.toLowerCase().startsWith('bearer '))
+        return null;
+    return auth.slice(7).trim() || null;
+}
+function hasBearer(req) {
+    return getBearerToken(req) !== null;
+}
+/** Paths that require auth when AUTH_ENABLED: /api, /api/*, and /mcp (MCP-over-HTTP). */
+function isProtectedPath(path) {
+    return path === '/api' || path.startsWith('/api/') || path === '/mcp';
+}
+/** Build WWW-Authenticate value. Use error=invalid_token so MCP clients clear stored token and restart OAuth (e.g. after Keycloak session cleanup). */
+function buildWwwAuthenticate(opts) {
+    if (!AUTH_CALLBACK_BASE_URL)
+        return '';
+    const resourceMetadataUrl = `${AUTH_CALLBACK_BASE_URL.replace(/\/$/, '')}/.well-known/oauth-protected-resource`;
+    const parts = [`Bearer realm="mcp"`, `resource_metadata="${resourceMetadataUrl}"`, 'scope="openid"'];
+    if (opts?.error) {
+        parts.unshift(`error="${opts.error}"`);
+        if (opts.error_description)
+            parts.push(`error_description="${opts.error_description.replace(/"/g, '\\"')}"`);
+    }
+    return parts.join(', ');
+}
+export function setWwwAuthenticate(res, opts) {
+    const value = buildWwwAuthenticate(opts);
+    if (value)
+        res.setHeader('WWW-Authenticate', value);
+}
+export async function authMiddleware(req, res, next) {
+    if (!AUTH_ENABLED) {
+        next();
+        return;
+    }
+    if (req.path === '/auth/callback') {
+        next();
+        return;
+    }
+    if (!isProtectedPath(req.path)) {
+        next();
+        return;
+    }
+    const hasSession = hasValidSession(req);
+    const hasBearerReq = hasBearer(req);
+    structuredLogger.debug(`[auth] protected ${req.method} ${req.path} session=${hasSession} bearer=${!!hasBearerReq}`);
+    function runNext(ctx) {
+        const spaceParam = (req.query?.['space'] ?? req.query?.['space_id']);
+        if (spaceParam && typeof spaceParam === 'string') {
+            if (!ctx.allowedSpaceIds.includes(spaceParam)) {
+                res.status(403).json({ error: 'forbidden', message: 'Requested space is not in your allowed spaces' });
+                return;
+            }
+            ctx = {
+                ...ctx,
+                allowedSpaceIds: [spaceParam],
+                defaultWriteSpaceId: spaceParam
+            };
+        }
+        req.spaceContext = ctx;
+        runWithSpaceContext(ctx, () => next());
+    }
+    if (hasSession) {
+        const payload = getSessionPayload(req);
+        if (payload)
+            req.auth = payload;
+        structuredLogger.debug(`[auth] allowed session ${req.method} ${req.path}`);
+        runNext(getSpaceContext(req));
+        return;
+    }
+    if (hasBearerReq) {
+        if (process.env['AUTH_TRACE'] === 'true' || process.env['LOG_LEVEL'] === 'trace') {
+            structuredLogger.info(`[auth] TRACE raw call ${req.method} ${req.path} bearer=true trusted_issuers=${JSON.stringify(AUTH_TRUSTED_ISSUERS)} allowed_audiences=${JSON.stringify(AUTH_ALLOWED_AUDIENCES)}`);
+        }
+        const hasIssuerAndAudience = AUTH_TRUSTED_ISSUERS.length > 0 && AUTH_ALLOWED_AUDIENCES.length > 0;
+        const canValidateBearer = hasIssuerAndAudience && (AUTH_MODE === 'oidc_bearer' || AUTH_ENABLED);
+        structuredLogger.info(`[auth] Bearer check path=${req.path} canValidate=${canValidateBearer} AUTH_MODE=${AUTH_MODE} trusted_issuers=${AUTH_TRUSTED_ISSUERS.length} allowed_audiences=${AUTH_ALLOWED_AUDIENCES.length}`);
+        if (!canValidateBearer) {
+            structuredLogger.info(`[auth] 401 ${req.method} ${req.path} bearer_not_validated (config missing)`);
+            setWwwAuthenticate(res);
+            res.status(401).json({
+                error: 'bearer_not_validated',
+                message: 'Bearer tokens are not validated when issuer/audience are not configured. Set AUTH_TRUSTED_ISSUERS and AUTH_ALLOWED_AUDIENCES (and AUTH_MODE=oidc_bearer or AUTH_ENABLED) to use Bearer auth.'
+            });
+            return;
+        }
+        const token = getBearerToken(req);
+        try {
+            const payload = await validateBearerToken(token, AUTH_TRUSTED_ISSUERS, AUTH_ALLOWED_AUDIENCES);
+            if (payload) {
+                req.auth = payload;
+                structuredLogger.debug(`[auth] allowed bearer ${req.method} ${req.path}`);
+                runNext(getSpaceContext(req));
+            }
+            else {
+                structuredLogger.info(`[auth] 401 ${req.method} ${req.path} bearer invalid or expired`);
+                setWwwAuthenticate(res, {
+                    error: 'invalid_token',
+                    error_description: 'Token expired or invalid; re-authenticate to obtain a new token'
+                });
+                res.status(401).json({ error: 'invalid_token', message: 'Bearer token invalid or expired' });
+            }
+        }
+        catch {
+            structuredLogger.info(`[auth] 401 ${req.method} ${req.path} bearer validation failed`);
+            setWwwAuthenticate(res, {
+                error: 'invalid_token',
+                error_description: 'Token validation failed; re-authenticate to obtain a new token'
+            });
+            res.status(401).json({ error: 'invalid_token', message: 'Bearer token validation failed' });
+        }
+        return;
+    }
+    if (!AUTH_CALLBACK_BASE_URL) {
+        res.status(503).json({
+            error: 'Auth misconfigured',
+            message: 'AUTH_CALLBACK_BASE_URL is required when AUTH_ENABLED is true. Set it in .env (e.g. http://localhost:3500).'
+        });
+        return;
+    }
+    const loginUrl = (s, cc) => buildLoginUrl(s, cc);
+    const state = crypto.randomBytes(16).toString('base64url');
+    const codeVerifier = crypto.randomBytes(32).toString('base64url');
+    const codeChallenge = crypto.createHash('sha256').update(codeVerifier).digest('base64url').replace(/=/g, '');
+    stateStore.set(state, { codeVerifier, createdAt: Date.now() });
+    pruneStateStore();
+    // MCP client must receive 401 + WWW-Authenticate to show "Needs authentication" / Connect.
+    // Redirect (302) would prevent discovery; always return 401 for /mcp.
+    const isMcp = req.path === '/mcp';
+    if (req.method === 'GET' && !isMcp) {
+        structuredLogger.info(`[auth] 302 ${req.method} ${req.path} redirect to login`);
+        res.redirect(302, loginUrl(state, codeChallenge));
+        return;
+    }
+    structuredLogger.info(`[auth] 401 ${req.method} ${req.path}${isMcp ? ' (announcing auth need for MCP client)' : ''}`);
+    setWwwAuthenticate(res);
+    res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+        login_url: loginUrl(state, codeChallenge)
+    });
+}
+export function getStateStore() {
+    return stateStore;
+}
+export { SESSION_COOKIE_NAME };
+//# sourceMappingURL=http-auth-middleware.js.map

package/dist/http/http-auth-middleware.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-auth-middleware.js","sourceRoot":"","sources":["../../src/http/http-auth-middleware.ts"],"names":[],"mappings":"AAMA,OAAO,MAAM,MAAM,QAAQ,CAAC;AAC5B,OAAO,EACL,YAAY,EACZ,YAAY,EACZ,cAAc,EACd,kBAAkB,EAClB,sBAAsB,EACtB,cAAc,EACd,SAAS,EACT,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,mBAAmB,EAAoB,MAAM,sBAAsB,CAAC;AAC7E,OAAO,EAAE,eAAe,EAAE,mBAAmB,EAAqB,MAAM,4BAA4B,CAAC;AACrG,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAIjE,MAAM,mBAAmB,GAAG,gBAAgB,CAAC;AAC7C,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,SAAS;AAMvC,MAAM,UAAU,GAAG,IAAI,GAAG,EAAsB,CAAC;AAEjD,SAAS,eAAe;IACtB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAC1C,IAAI,GAAG,GAAG,CAAC,CAAC,SAAS,GAAG,YAAY;YAAE,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC7D,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,KAAa,EAAE,aAAqB;IACzD,MAAM,IAAI,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAC7C,MAAM,WAAW,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,gBAAgB,CAAC;IACjF,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC;QACjC,SAAS,EAAE,kBAAkB;QAC7B,YAAY,EAAE,WAAW;QACzB,aAAa,EAAE,MAAM;QACrB,KAAK,EAAE,QAAQ;QACf,KAAK;QACL,cAAc,EAAE,aAAa;QAC7B,qBAAqB,EAAE,MAAM;QAC7B,qGAAqG;QACrG,MAAM,EAAE,OAAO;KAChB,CAAC,CAAC;IACH,OAAO,GAAG,IAAI,WAAW,cAAc,iCAAiC,MAAM,CAAC,QAAQ,EAAE,EAAE,CAAC;AAC9F,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAY;IACpC,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAC;IACtB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,mBAAmB,GAAG,GAAG,CAAC,CAAC,CAAC;IACvG,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACxB,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,mBAAmB,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;IACrE,OAAO,KAAK,CAAC,CAAC,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AAClD,CAAC;AAED,SAAS,eAAe,CAAC,GAAY;IACnC,OAAO,iBAAiB,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC;AACzC,CAAC;AAED,qEAAqE;AACrE,SAAS,iBAAiB,CAAC,GAAY;IACrC,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;IACrC,IAAI,CAAC,MAAM,IAAI,CAAC,cAAc;QAAE,OAAO,IAAI,CAAC;IAC5C,IAAI,CAAC;QACH,MAAM,CAAC,UAAU,EAAE,GAAG,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,IAAI,CAAC,UAAU,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACrC,MAAM,WAAW,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACvG,IAAI,GAAG,KAAK,WAAW;YAAE,OAAO,IAAI,CAAC;QACrC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,EAAE,CAMzE,CAAC;QACF,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAAE,OAAO,IAAI,CAAC;QAChE,MAAM,GAAG,GAAG,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QACtB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACrH,MAAM,KAAK,GAAG,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QAC5E,MAAM,SAAS,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC;YAChD,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAe,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC;YACrF,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,MAAM,GAAgB,EAAE,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC;QACnD,IAAI,SAAS,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC;YAAE,MAAM,CAAC,SAAS,GAAG,SAAS,CAAC;QACpE,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACtC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,OAAO,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;AACtC,CAAC;AAED,SAAS,SAAS,CAAC,GAAY;IAC7B,OAAO,cAAc,CAAC,GAAG,CAAC,KAAK,IAAI,CAAC;AACtC,CAAC;AAED,yFAAyF;AACzF,SAAS,eAAe,CAAC,IAAY;IACnC,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,IAAI,KAAK,MAAM,CAAC;AACxE,CAAC;AAED,uJAAuJ;AACvJ,SAAS,oBAAoB,CAAC,IAA8D;IAC1F,IAAI,CAAC,sBAAsB;QAAE,OAAO,EAAE,CAAC;IACvC,MAAM,mBAAmB,GAAG,GAAG,sBAAsB,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,uCAAuC,CAAC;IAChH,MAAM,KAAK,GAAG,CAAC,oBAAoB,EAAE,sBAAsB,mBAAmB,GAAG,EAAE,gBAAgB,CAAC,CAAC;IACrG,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC;QAChB,KAAK,CAAC,OAAO,CAAC,UAAU,IAAI,CAAC,KAAK,GAAG,CAAC,CAAC;QACvC,IAAI,IAAI,CAAC,iBAAiB;YAAE,KAAK,CAAC,IAAI,CAAC,sBAAsB,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC;IAC/G,CAAC;IACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAa,EAAE,IAA8D;IAC9G,MAAM,KAAK,GAAG,oBAAoB,CAAC,IAAI,CAAC,CAAC;IACzC,IAAI,KAAK;QAAE,GAAG,CAAC,SAAS,CAAC,kBAAkB,EAAE,KAAK,CAAC,CAAC;AACtD,CAAC;AAWD,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB;IAClF,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IACD,IAAI,GAAG,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAClC,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IACD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,IAAI,EAAE,CAAC;QACP,OAAO;IACT,CAAC;IAED,MAAM,UAAU,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACxC,MAAM,YAAY,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IACpC,gBAAgB,CAAC,KAAK,CACpB,oBAAoB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,YAAY,UAAU,WAAW,CAAC,CAAC,YAAY,EAAE,CAC5F,CAAC;IAEF,SAAS,OAAO,CAAC,GAAiB;QAChC,MAAM,UAAU,GAAG,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC,UAAU,CAAC,CAAuB,CAAC;QAC3F,IAAI,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;YACjD,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC9C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,OAAO,EAAE,+CAA+C,EAAE,CAAC,CAAC;gBACvG,OAAO;YACT,CAAC;YACD,GAAG,GAAG;gBACJ,GAAG,GAAG;gBACN,eAAe,EAAE,CAAC,UAAU,CAAC;gBAC7B,mBAAmB,EAAE,UAAU;aAChC,CAAC;QACJ,CAAC;QACD,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC;QACvB,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,OAAO,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,OAAO;YAAE,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;QAChC,gBAAgB,CAAC,KAAK,CAAC,0BAA0B,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QAC3E,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;QAC9B,OAAO;IACT,CAAC;IAED,IAAI,YAAY,EAAE,CAAC;QACjB,IAAI,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,OAAO,EAAE,CAAC;YACjF,gBAAgB,CAAC,IAAI,CACnB,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,gCAAgC,IAAI,CAAC,SAAS,CAAC,oBAAoB,CAAC,sBAAsB,IAAI,CAAC,SAAS,CAAC,sBAAsB,CAAC,EAAE,CAClL,CAAC;QACJ,CAAC;QACD,MAAM,oBAAoB,GAAG,oBAAoB,CAAC,MAAM,GAAG,CAAC,IAAI,sBAAsB,CAAC,MAAM,GAAG,CAAC,CAAC;QAClG,MAAM,iBAAiB,GACrB,oBAAoB,IAAI,CAAC,SAAS,KAAK,aAAa,IAAI,YAAY,CAAC,CAAC;QACxE,gBAAgB,CAAC,IAAI,CACnB,4BAA4B,GAAG,CAAC,IAAI,gBAAgB,iBAAiB,cAAc,SAAS,oBAAoB,oBAAoB,CAAC,MAAM,sBAAsB,sBAAsB,CAAC,MAAM,EAAE,CACjM,CAAC;QACF,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACvB,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,wCAAwC,CAAC,CAAC;YACpG,kBAAkB,CAAC,GAAG,CAAC,CAAC;YACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACnB,KAAK,EAAE,sBAAsB;gBAC7B,OAAO,EACL,8LAA8L;aACjM,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QACD,MAAM,KAAK,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,mBAAmB,CAAC,KAAM,EAAE,oBAAoB,EAAE,sBAAsB,CAAC,CAAC;YAChG,IAAI,OAAO,EAAE,CAAC;gBACZ,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC;gBACnB,gBAAgB,CAAC,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;gBAC1E,OAAO,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,CAAC;YAChC,CAAC;iBAAM,CAAC;gBACN,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,4BAA4B,CAAC,CAAC;gBACxF,kBAAkB,CAAC,GAAG,EAAE;oBACtB,KAAK,EAAE,eAAe;oBACtB,iBAAiB,EAAE,iEAAiE;iBACrF,CAAC,CAAC;gBACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,iCAAiC,EAAE,CAAC,CAAC;YAC/F,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,2BAA2B,CAAC,CAAC;YACvF,kBAAkB,CAAC,GAAG,EAAE;gBACtB,KAAK,EAAE,eAAe;gBACtB,iBAAiB,EAAE,gEAAgE;aACpF,CAAC,CAAC;YACH,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,OAAO,EAAE,gCAAgC,EAAE,CAAC,CAAC;QAC9F,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,CAAC,sBAAsB,EAAE,CAAC;QAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,KAAK,EAAE,oBAAoB;YAC3B,OAAO,EAAE,4GAA4G;SACtH,CAAC,CAAC;QACH,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,CAAC,CAAS,EAAE,EAAU,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IACjE,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC3D,MAAM,YAAY,GAAG,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAClE,MAAM,aAAa,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC7G,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,EAAE,YAAY,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;IAC/D,eAAe,EAAE,CAAC;IAElB,2FAA2F;IAC3F,sEAAsE;IACtE,MAAM,KAAK,GAAG,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC;IAClC,IAAI,GAAG,CAAC,MAAM,KAAK,KAAK,IAAI,CAAC,KAAK,EAAE,CAAC;QACnC,gBAAgB,CAAC,IAAI,CAAC,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,oBAAoB,CAAC,CAAC;QAChF,GAAG,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC;QAClD,OAAO;IACT,CAAC;IACD,gBAAgB,CAAC,IAAI,CACnB,cAAc,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,wCAAwC,CAAC,CAAC,CAAC,EAAE,EAAE,CAC/F,CAAC;IACF,kBAAkB,CAAC,GAAG,CAAC,CAAC;IACxB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;QACnB,KAAK,EAAE,cAAc;QACrB,OAAO,EAAE,yBAAyB;QAClC,SAAS,EAAE,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;KAC1C,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,aAAa;IAC3B,OAAO,UAAU,CAAC;AACpB,CAAC;AAED,OAAO,EAAE,mBAAmB,EAAE,CAAC"}

package/dist/http/http-error-handlers.d.ts

@@ -0,0 +1,7 @@
+import express from 'express';
+/**
+ * Set up error handlers and additional routes
+ * @param app Express application instance
+ */
+export declare function setupErrorHandlers(app: express.Express): void;
+//# sourceMappingURL=http-error-handlers.d.ts.map

package/dist/http/http-error-handlers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-error-handlers.d.ts","sourceRoot":"","sources":["../../src/http/http-error-handlers.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAG9B;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,QA6BtD"}

package/dist/http/http-error-handlers.js

@@ -0,0 +1,35 @@
+import { structuredLogger } from '../utils/structured-logger.js';
+/**
+ * Set up error handlers and additional routes
+ * @param app Express application instance
+ */
+export function setupErrorHandlers(app) {
+    // Global error handler for Express routes
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
+    app.use((err, req, res, next) => {
+        try {
+            const rid = req?.headers?.['x-request-id'] || 'unknown';
+            const method = req?.method || 'UNKNOWN';
+            const url = req?.url || 'UNKNOWN';
+            structuredLogger.error(`HTTP error on ${method} ${url} [id: ${rid}]`, err);
+        }
+        catch { }
+        if (!res.headersSent) {
+            res.status(500).json({ error: 'Internal server error' });
+        }
+        else {
+            res.end();
+        }
+    });
+    // MCP endpoint - reject GET requests (must be POST)
+    app.get('/mcp', (req, res) => {
+        res.status(405).set('Allow', 'POST').json({
+            error: 'Method Not Allowed - use POST /mcp'
+        });
+    });
+    // Catch-all 404 handler (must be last)
+    app.use((req, res) => {
+        res.status(404).json({ error: 'Not found' });
+    });
+}
+//# sourceMappingURL=http-error-handlers.js.map

package/dist/http/http-error-handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-error-handlers.js","sourceRoot":"","sources":["../../src/http/http-error-handlers.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAC;AAEjE;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,GAAoB;IACnD,0CAA0C;IAC1C,6DAA6D;IAC7D,GAAG,CAAC,GAAG,CAAC,CAAC,GAAQ,EAAE,GAAQ,EAAE,GAAQ,EAAE,IAAS,EAAE,EAAE;QAChD,IAAI,CAAC;YACD,MAAM,GAAG,GAAG,GAAG,EAAE,OAAO,EAAE,CAAC,cAAc,CAAC,IAAI,SAAS,CAAC;YACxD,MAAM,MAAM,GAAG,GAAG,EAAE,MAAM,IAAI,SAAS,CAAC;YACxC,MAAM,GAAG,GAAG,GAAG,EAAE,GAAG,IAAI,SAAS,CAAC;YAClC,gBAAgB,CAAC,KAAK,CAAC,iBAAiB,MAAM,IAAI,GAAG,SAAS,GAAG,GAAG,EAAE,GAAG,CAAC,CAAC;QAC/E,CAAC;QAAC,MAAM,CAAC,CAAC,CAAC;QAEX,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC;YACnB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC7D,CAAC;aAAM,CAAC;YACJ,GAAG,CAAC,GAAG,EAAE,CAAC;QACd,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,oDAAoD;IACpD,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACzB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,IAAI,CAAC;YACtC,KAAK,EAAE,oCAAoC;SAC9C,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,uCAAuC;IACvC,GAAG,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACjB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/http/http-health-routes.d.ts

@@ -0,0 +1,9 @@
+import express from 'express';
+import { MemoryQdrantStore } from '../services/memory/store.js';
+/**
+ * Set up health check and basic info routes
+ * @param app Express application instance
+ * @param memoryStore Memory store instance for health checks
+ */
+export declare function setupHealthRoutes(app: express.Express, memoryStore: MemoryQdrantStore): void;
+//# sourceMappingURL=http-health-routes.d.ts.map

package/dist/http/http-health-routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-health-routes.d.ts","sourceRoot":"","sources":["../../src/http/http-health-routes.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAC9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,6BAA6B,CAAC;AAMhE;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,WAAW,EAAE,iBAAiB,QAgHrF"}

package/dist/http/http-health-routes.js

@@ -0,0 +1,117 @@
+import { embeddingService } from '../services/embedding/service.js';
+import { keyValueStore } from '../services/key-value-store-factory.js';
+import { getBuildVersion } from '../utils/build-version.js';
+import { AUTH_ENABLED, USE_REDIS } from '../config.js';
+/**
+ * Set up health check and basic info routes
+ * @param app Express application instance
+ * @param memoryStore Memory store instance for health checks
+ */
+export function setupHealthRoutes(app, memoryStore) {
+    // Health check endpoint (non-MCP)
+    app.get('/health', async (req, res) => {
+        // Qdrant is the critical dependency for store functionality tests.
+        const qdrantHealthy = await memoryStore.checkHealth().catch(() => false);
+        // Redis and embedding providers are non-critical for allowing tests to proceed,
+        // but reported for diagnostics.
+        const redisHealthy = keyValueStore.isConnected();
+        let teiHealth = { healthy: false, message: 'Embedding provider not configured' };
+        // Run embedding health check but bound it with a short timeout so /health is responsive
+        try {
+            const teiCheck = (async () => {
+                if (typeof embeddingService.teiHealthCheck === 'function') {
+                    return await embeddingService.teiHealthCheck().catch(() => ({ healthy: false, message: 'TEI check failed' }));
+                }
+                else {
+                    return await embeddingService.healthCheck().catch(() => ({ healthy: false, message: 'Embedding health check failed' }));
+                }
+            })();
+            // Timeout after 2000ms to avoid blocking during test setup
+            let timeoutId;
+            const timeout = new Promise(resolve => {
+                timeoutId = setTimeout(() => resolve({ healthy: false, message: 'Embedding health check timed out' }), 2000);
+            });
+            teiHealth = (await Promise.race([teiCheck, timeout]));
+            if (timeoutId) {
+                clearTimeout(timeoutId);
+            }
+        }
+        catch {
+            teiHealth = { healthy: false, message: 'Embedding health check failed' };
+        }
+        const teiHealthy = !!teiHealth.healthy;
+        const embeddingCfg = embeddingService.getConfig ? embeddingService.getConfig() : { provider: 'unknown' };
+        // Only treat Qdrant as a blocking failure so tests that exercise store functionality can proceed.
+        const criticalHealthy = qdrantHealthy;
+        const nonCriticalAllHealthy = redisHealthy && teiHealthy;
+        const healthStatus = criticalHealthy ? (nonCriticalAllHealthy ? 'healthy' : 'degraded') : 'unhealthy';
+        const statusCode = criticalHealthy ? 200 : 503;
+        const buildVersion = getBuildVersion();
+        const uptime = Math.floor(process.uptime());
+        const dependencies = {
+            qdrant: qdrantHealthy ? 'healthy' : 'unhealthy',
+            embedding: teiHealthy ? 'healthy' : 'unhealthy'
+        };
+        if (USE_REDIS) {
+            dependencies['redis'] = redisHealthy ? 'healthy' : 'unhealthy';
+        }
+        else {
+            dependencies['cache'] = 'healthy (memory)';
+        }
+        res.status(statusCode).json({
+            status: healthStatus,
+            service: 'KAIROS',
+            version: buildVersion,
+            transport: 'http',
+            uptime: uptime,
+            dependencies,
+            details: {
+                embedding: teiHealth.message,
+                provider: embeddingCfg.provider || 'auto',
+                providerPref: embeddingCfg.providerPref || 'auto',
+                cacheBackend: USE_REDIS ? 'redis' : 'memory'
+            }
+        });
+    });
+    // Basic info endpoint (non-MCP)
+    app.get('/', (req, res) => {
+        const body = {
+            service: 'KAIROS MCP Server',
+            version: getBuildVersion(),
+            transports: ['http'],
+            endpoints: {
+                health: '/health',
+                mcp: '/mcp',
+                api: '/api'
+            },
+            note: 'Use POST /mcp for MCP protocol communication'
+        };
+        if (AUTH_ENABLED) {
+            body['api_note'] = 'GET /api and POST /api/* require authentication (session or Bearer). Use login_url from 401 or /auth/callback flow.';
+        }
+        res.json(body);
+    });
+    // API root (when AUTH_ENABLED, only reached when authenticated)
+    app.get('/api', (req, res) => {
+        const body = {
+            service: 'KAIROS API',
+            version: getBuildVersion(),
+            endpoints: {
+                kairos_search: 'POST /api/kairos_search',
+                kairos_begin: 'POST /api/kairos_begin',
+                kairos_next: 'POST /api/kairos_next',
+                kairos_attest: 'POST /api/kairos_attest',
+                kairos_mint: 'POST /api/kairos_mint/raw',
+                kairos_update: 'POST /api/kairos_update',
+                kairos_delete: 'POST /api/kairos_delete',
+                kairos_dump: 'POST /api/kairos_dump'
+            }
+        };
+        if (AUTH_ENABLED) {
+            body['auth_required'] = true;
+            body['note'] = 'These endpoints require a valid session or Bearer token. Unauthenticated requests receive 401 with login_url.';
+        }
+        res.json(body);
+    });
+}
+//# sourceMappingURL=http-health-routes.js.map

package/dist/http/http-health-routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-health-routes.js","sourceRoot":"","sources":["../../src/http/http-health-routes.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,gBAAgB,EAAE,MAAM,kCAAkC,CAAC;AACpE,OAAO,EAAE,aAAa,EAAE,MAAM,wCAAwC,CAAC;AACvE,OAAO,EAAE,eAAe,EAAE,MAAM,2BAA2B,CAAC;AAC5D,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEvD;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAoB,EAAE,WAA8B;IAClF,kCAAkC;IAClC,GAAG,CAAC,GAAG,CAAC,SAAS,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAClC,mEAAmE;QACnE,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC;QACzE,gFAAgF;QAChF,gCAAgC;QAChC,MAAM,YAAY,GAAG,aAAa,CAAC,WAAW,EAAE,CAAC;QACjD,IAAI,SAAS,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,mCAA6C,EAAE,CAAC;QAE3F,wFAAwF;QACxF,IAAI,CAAC;YACD,MAAM,QAAQ,GAAG,CAAC,KAAK,IAAI,EAAE;gBACzB,IAAI,OAAQ,gBAAwB,CAAC,cAAc,KAAK,UAAU,EAAE,CAAC;oBACjE,OAAO,MAAO,gBAAwB,CAAC,cAAc,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC;gBAC3H,CAAC;qBAAM,CAAC;oBACJ,OAAO,MAAM,gBAAgB,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC,CAAC,CAAC;gBAC5H,CAAC;YACL,CAAC,CAAC,EAAE,CAAC;YAEL,2DAA2D;YAC3D,IAAI,SAAqC,CAAC;YAC1C,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC,EAAE;gBAClC,SAAS,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,EAAE,IAAI,CAAC,CAAC;YACjH,CAAC,CAAC,CAAC;YACH,SAAS,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC,CAA0C,CAAC;YAC/F,IAAI,SAAS,EAAE,CAAC;gBACZ,YAAY,CAAC,SAAS,CAAC,CAAC;YAC5B,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACL,SAAS,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;QAC7E,CAAC;QAED,MAAM,UAAU,GAAG,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC;QACvC,MAAM,YAAY,GAAG,gBAAgB,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,SAAS,EAAE,CAAC,CAAC,CAAE,EAAE,QAAQ,EAAE,SAAS,EAAU,CAAC;QAElH,kGAAkG;QAClG,MAAM,eAAe,GAAG,aAAa,CAAC;QACtC,MAAM,qBAAqB,GAAG,YAAY,IAAI,UAAU,CAAC;QACzD,MAAM,YAAY,GAAG,eAAe,CAAC,CAAC,CAAC,CAAC,qBAAqB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;QACtG,MAAM,UAAU,GAAG,eAAe,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC;QAE/C,MAAM,YAAY,GAAG,eAAe,EAAE,CAAC;QACvC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAE5C,MAAM,YAAY,GAA2B;YACzC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW;YAC/C,SAAS,EAAE,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW;SAClD,CAAC;QACF,IAAI,SAAS,EAAE,CAAC;YACZ,YAAY,CAAC,OAAO,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,WAAW,CAAC;QACnE,CAAC;aAAM,CAAC;YACJ,YAAY,CAAC,OAAO,CAAC,GAAG,kBAAkB,CAAC;QAC/C,CAAC;QAED,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC;YACxB,MAAM,EAAE,YAAY;YACpB,OAAO,EAAE,QAAQ;YACjB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE,MAAM;YACjB,MAAM,EAAE,MAAM;YACd,YAAY;YACZ,OAAO,EAAE;gBACL,SAAS,EAAE,SAAS,CAAC,OAAO;gBAC5B,QAAQ,EAAE,YAAY,CAAC,QAAQ,IAAI,MAAM;gBACzC,YAAY,EAAG,YAAoB,CAAC,YAAY,IAAI,MAAM;gBAC1D,YAAY,EAAE,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ;aAC/C;SACJ,CAAC,CAAC;IACP,CAAC,CAAC,CAAC;IAEH,gCAAgC;IAChC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACtB,MAAM,IAAI,GAA4B;YAClC,OAAO,EAAE,mBAAmB;YAC5B,OAAO,EAAE,eAAe,EAAE;YAC1B,UAAU,EAAE,CAAC,MAAM,CAAC;YACpB,SAAS,EAAE;gBACP,MAAM,EAAE,SAAS;gBACjB,GAAG,EAAE,MAAM;gBACX,GAAG,EAAE,MAAM;aACd;YACD,IAAI,EAAE,8CAA8C;SACvD,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACf,IAAI,CAAC,UAAU,CAAC,GAAG,qHAAqH,CAAC;QAC7I,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;IAEH,gEAAgE;IAChE,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QACzB,MAAM,IAAI,GAA4B;YAClC,OAAO,EAAE,YAAY;YACrB,OAAO,EAAE,eAAe,EAAE;YAC1B,SAAS,EAAE;gBACP,aAAa,EAAE,yBAAyB;gBACxC,YAAY,EAAE,wBAAwB;gBACtC,WAAW,EAAE,uBAAuB;gBACpC,aAAa,EAAE,yBAAyB;gBACxC,WAAW,EAAE,2BAA2B;gBACxC,aAAa,EAAE,yBAAyB;gBACxC,aAAa,EAAE,yBAAyB;gBACxC,WAAW,EAAE,uBAAuB;aACvC;SACJ,CAAC;QACF,IAAI,YAAY,EAAE,CAAC;YACf,IAAI,CAAC,eAAe,CAAC,GAAG,IAAI,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,GAAG,+GAA+G,CAAC;QACnI,CAAC;QACD,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACnB,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/http/http-mcp-handler.d.ts

@@ -0,0 +1,8 @@
+import express from 'express';
+/**
+ * Set up MCP endpoint handling
+ * @param app Express application instance
+ * @param server MCP server instance
+ */
+export declare function setupMcpRoutes(app: express.Express, server: any): void;
+//# sourceMappingURL=http-mcp-handler.d.ts.map

package/dist/http/http-mcp-handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-mcp-handler.d.ts","sourceRoot":"","sources":["../../src/http/http-mcp-handler.ts"],"names":[],"mappings":"AAAA,OAAO,OAAO,MAAM,SAAS,CAAC;AAW9B;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,QA8I/D"}

package/dist/http/http-mcp-handler.js

@@ -0,0 +1,136 @@
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
+import { structuredLogger } from '../utils/structured-logger.js';
+import { LOG_LEVEL, AUTH_ENABLED } from '../config.js';
+import { setWwwAuthenticate } from './http-auth-middleware.js';
+/**
+ * Track request start times by ID for accurate cancellation timing
+ */
+const requestTimestamps = new Map();
+/**
+ * Set up MCP endpoint handling
+ * @param app Express application instance
+ * @param server MCP server instance
+ */
+export function setupMcpRoutes(app, server) {
+    // MCP endpoint using StreamableHTTPServerTransport
+    app.post('/mcp', async (req, res) => {
+        const requestStart = Date.now();
+        const requestId = req.body?.id || 'unknown';
+        const method = req.body?.method || 'unknown';
+        const toolName = req.body?.params?.name || 'unknown';
+        // Store timestamp for non-notification requests
+        if (method !== 'notifications/cancelled' && requestId !== 'unknown') {
+            requestTimestamps.set(requestId, requestStart);
+        }
+        // Log incoming request with level control
+        const logLevel = LOG_LEVEL;
+        if (logLevel === 'debug' || method !== 'notifications/cancelled') {
+            structuredLogger.info(`→ MCP ${method}${toolName !== 'unknown' ? ` (${toolName})` : ''} [id: ${requestId}]`);
+        }
+        // listOfferingsForUI (MCP Apps / UI discovery): not implemented by SDK. Handle here so the client
+        // gets a proper auth-related response when auth is required, instead of -32601 Method not found.
+        if (method === 'listOfferingsForUI') {
+            const id = req.body?.id ?? null;
+            if (AUTH_ENABLED && !req.auth) {
+                setWwwAuthenticate(res, {
+                    error: 'invalid_token',
+                    error_description: 'Authentication required for UI offerings'
+                });
+                res.status(401).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32001,
+                        message: 'Authentication required for UI offerings'
+                    },
+                    id
+                });
+                return;
+            }
+            res.status(200).json({
+                jsonrpc: '2.0',
+                result: { tools: [], prompts: [], resources: [] },
+                id
+            });
+            return;
+        }
+        try {
+            // Create new transport for each request to prevent request ID collisions
+            const transport = new StreamableHTTPServerTransport({
+                enableJsonResponse: true
+            });
+            // Track request timeout - log at 25s (before typical 30s client timeout)
+            let requestCompleted = false;
+            const timeoutHandler = setTimeout(() => {
+                if (!requestCompleted) {
+                    const duration = Date.now() - requestStart;
+                    structuredLogger.requestTimeout(`${method} ${toolName ? `(${toolName})` : ''} [id: ${requestId}]`, duration);
+                }
+            }, 25000); // Log at 25s (before typical 30s client timeout)
+            res.on('close', () => {
+                requestCompleted = true;
+                clearTimeout(timeoutHandler);
+                const duration = Date.now() - requestStart;
+                if (method === 'notifications/cancelled') {
+                    // For cancellation notifications, find the original request's start time
+                    const originalStart = requestTimestamps.get(requestId);
+                    const actualDuration = originalStart ? Date.now() - originalStart : duration;
+                    structuredLogger.warn(`⚡ Client cancelled request after ${actualDuration}ms [id: ${requestId}] - operation may continue in background`);
+                    // Clean up timestamp
+                    if (requestId !== 'unknown') {
+                        requestTimestamps.delete(requestId);
+                    }
+                }
+                else if (duration > 20000) {
+                    structuredLogger.warn(`← Request closed after ${duration}ms: ${method}${toolName !== 'unknown' ? ` (${toolName})` : ''} [id: ${requestId}]`);
+                    // Clean up timestamp
+                    if (requestId !== 'unknown') {
+                        requestTimestamps.delete(requestId);
+                    }
+                }
+                else if (logLevel === 'debug') {
+                    structuredLogger.info(`← Request closed ${duration}ms [id: ${requestId}]`);
+                }
+                transport.close();
+            });
+            res.on('finish', () => {
+                requestCompleted = true;
+                clearTimeout(timeoutHandler);
+                const duration = Date.now() - requestStart;
+                if (duration > 10000 && method !== 'notifications/cancelled') {
+                    structuredLogger.info(`✓ Request completed in ${duration}ms: ${method}${toolName !== 'unknown' ? ` (${toolName})` : ''} [id: ${requestId}]`);
+                }
+                else if (logLevel === 'debug') {
+                    structuredLogger.info(`✓ Completed ${duration}ms [id: ${requestId}]`);
+                }
+            });
+            // Connect server with request context for tool handlers
+            await server.connect(transport);
+            // Set up request context for model identity detection
+            transport._requestContext = req;
+            // Set up global context for tools to access
+            globalThis._mcpRequestContext = req;
+            globalThis._mcpTransport = transport;
+            await transport.handleRequest(req, res, req.body);
+            // Clean up context after request
+            delete globalThis._mcpRequestContext;
+            delete globalThis._mcpTransport;
+            requestCompleted = true;
+            clearTimeout(timeoutHandler);
+        }
+        catch (error) {
+            const duration = Date.now() - requestStart;
+            structuredLogger.error(`✗ MCP error: ${method}${toolName !== 'unknown' ? ` (${toolName})` : ''} after ${duration}ms`, error, { request_id: requestId });
+            if (!res.headersSent) {
+                res.status(500).json({
+                    jsonrpc: '2.0',
+                    error: {
+                        code: -32603,
+                        message: 'Internal server error'
+                    },
+                    id: requestId === 'unknown' ? null : requestId
+                });
+            }
+        }
+    });
+}
+//# sourceMappingURL=http-mcp-handler.js.map