@desplega.ai/agent-swarm 1.83.1 → 1.84.0

package/src/commands/resume-session.ts

@@ -0,0 +1,118 @@
+import type { ProviderName } from "../types";
+
+export type ResumeSessionSource = "task" | "parent";
+
+export interface ResumeSessionCandidate {
+  source: ResumeSessionSource;
+  sessionId?: string | null;
+  taskId?: string;
+  provider?: ProviderName;
+  providerMeta?: Record<string, unknown>;
+}
+
+export interface ResumeSessionSkip {
+  source: ResumeSessionSource;
+  sessionId: string;
+  provider?: ProviderName;
+  reason: string;
+}
+
+export interface ResumeSessionResolution {
+  resumeSessionId?: string;
+  source?: ResumeSessionSource;
+  provider?: ProviderName;
+  skipped: ResumeSessionSkip[];
+}
+
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+
+const RESUMABLE_PROVIDERS = new Set<ProviderName>(["claude", "claude-managed", "codex"]);
+
+export function isClaudeCliSessionId(sessionId: string): boolean {
+  return UUID_RE.test(sessionId);
+}
+
+function normalizeStoredProvider(candidate: ResumeSessionCandidate): ProviderName | undefined {
+  if (candidate.provider === "claude" && candidate.providerMeta?.managed === true) {
+    return "claude-managed";
+  }
+  return candidate.provider;
+}
+
+function providerSupportsResume(provider: ProviderName): boolean {
+  return RESUMABLE_PROVIDERS.has(provider);
+}
+
+export function resolveResumeSession(
+  currentProvider: ProviderName,
+  candidates: ResumeSessionCandidate[],
+): ResumeSessionResolution {
+  const skipped: ResumeSessionSkip[] = [];
+
+  for (const candidate of candidates) {
+    const sessionId = candidate.sessionId?.trim();
+    if (!sessionId) continue;
+
+    const storedProvider = normalizeStoredProvider(candidate);
+
+    if (!storedProvider) {
+      if (currentProvider === "claude" && isClaudeCliSessionId(sessionId)) {
+        return {
+          resumeSessionId: sessionId,
+          source: candidate.source,
+          provider: "claude",
+          skipped,
+        };
+      }
+
+      skipped.push({
+        source: candidate.source,
+        sessionId,
+        reason:
+          currentProvider === "claude"
+            ? "legacy Claude resume requires a UUID session id"
+            : "stored session provider is unknown",
+      });
+      continue;
+    }
+
+    if (storedProvider !== currentProvider) {
+      skipped.push({
+        source: candidate.source,
+        sessionId,
+        provider: storedProvider,
+        reason: `stored session provider ${storedProvider} does not match current provider ${currentProvider}`,
+      });
+      continue;
+    }
+
+    if (!providerSupportsResume(currentProvider)) {
+      skipped.push({
+        source: candidate.source,
+        sessionId,
+        provider: storedProvider,
+        reason: `provider ${currentProvider} does not support runner resume`,
+      });
+      continue;
+    }
+
+    if (currentProvider === "claude" && !isClaudeCliSessionId(sessionId)) {
+      skipped.push({
+        source: candidate.source,
+        sessionId,
+        provider: storedProvider,
+        reason: "Claude CLI --resume requires a UUID session id",
+      });
+      continue;
+    }
+
+    return {
+      resumeSessionId: sessionId,
+      source: candidate.source,
+      provider: storedProvider,
+      skipped,
+    };
+  }
+
+  return { skipped };
+}

package/src/commands/runner.ts

@@ -38,7 +38,11 @@ import { getApiKey } from "../utils/api-key.ts";
 import { computeBudgetBackoffMs } from "../utils/budget-backoff.ts";
 import { getContextWindowSize } from "../utils/context-window.ts";
 import { type CredentialSelection, resolveCredentialPools } from "../utils/credentials.ts";
-import { parseRateLimitResetTime } from "../utils/error-tracker.ts";
+import {
+  isRateLimitMessage,
+  MAX_RATE_LIMIT_RESET_MS,
+  parseRateLimitResetTime,
+} from "../utils/error-tracker.ts";
 import { resolveHarnessProvider } from "../utils/harness-provider.ts";
 import { prettyPrintLine, prettyPrintStderr } from "../utils/pretty-print.ts";
 import { scrubSecrets } from "../utils/secret-scrubber.ts";
@@ -53,6 +57,11 @@ import {
   reportCredStatus,
   reportLatestModel,
 } from "./provider-credentials.ts";
+import {
+  type ResumeSessionCandidate,
+  type ResumeSessionResolution,
+  resolveResumeSession,
+} from "./resume-session.ts";
 // Side-effect import: registers runner trigger/resumption templates
 import "./templates.ts";
 
@@ -990,6 +999,8 @@ async function getPausedTasksFromAPI(config: ApiConfig): Promise<
     task: string;
     progress?: string;
     claudeSessionId?: string;
+    provider?: ProviderName;
+    providerMeta?: Record<string, unknown>;
     parentTaskId?: string;
     dir?: string;
     vcsRepo?: string;
@@ -1022,6 +1033,8 @@ async function getPausedTasksFromAPI(config: ApiConfig): Promise<
         task: string;
         progress?: string;
         claudeSessionId?: string;
+        provider?: ProviderName;
+        providerMeta?: Record<string, unknown>;
         parentTaskId?: string;
         dir?: string;
         vcsRepo?: string;
@@ -1424,24 +1437,51 @@ async function saveProviderSessionIdOnActiveSession(
   });
 }
 
-/** Fetch Claude session ID for a task (for --resume) */
-async function fetchProviderSessionId(
+interface ProviderSessionInfo {
+  sessionId: string | null;
+  provider?: ProviderName;
+  providerMeta?: Record<string, unknown>;
+}
+
+/** Fetch provider session metadata for a task (for resume continuity). */
+async function fetchProviderSessionInfo(
   apiUrl: string,
   apiKey: string,
   taskId: string,
-): Promise<string | null> {
+): Promise<ProviderSessionInfo | null> {
   const headers: Record<string, string> = {};
   if (apiKey) headers.Authorization = `Bearer ${apiKey}`;
   try {
     const response = await fetch(`${apiUrl}/api/tasks/${taskId}`, { headers });
     if (!response.ok) return null;
-    const data = (await response.json()) as { claudeSessionId?: string };
-    return data.claudeSessionId || null;
+    const data = (await response.json()) as {
+      claudeSessionId?: string;
+      provider?: ProviderName;
+      providerMeta?: Record<string, unknown>;
+    };
+    return {
+      sessionId: data.claudeSessionId || null,
+      provider: data.provider,
+      providerMeta: data.providerMeta,
+    };
   } catch {
     return null;
   }
 }
 
+function logResumeResolution(role: string, resolution: ResumeSessionResolution): void {
+  for (const skipped of resolution.skipped) {
+    console.warn(
+      `[${role}] Skipping ${skipped.source} session resume ${skipped.sessionId.slice(0, 8)}: ${skipped.reason}`,
+    );
+  }
+
+  if (resolution.resumeSessionId) {
+    const source = resolution.source === "parent" ? "parent session" : "task's own session";
+    console.log(`[${role}] Resuming ${source} ${resolution.resumeSessionId.slice(0, 8)}`);
+  }
+}
+
 /** Register an active session with the API (fire-and-forget) */
 async function registerActiveSession(
   config: ApiConfig,
@@ -2102,6 +2142,7 @@ async function spawnProviderProcess(
     iteration: number;
     taskId?: string;
     model?: string;
+    resumeSessionId?: string;
     harnessProvider: ProviderName;
     cwd?: string;
     vcsRepo?: string;
@@ -2167,6 +2208,7 @@ async function spawnProviderProcess(
     vcsRepo: opts.vcsRepo,
     logFile: opts.logFile,
     additionalArgs: opts.additionalArgs,
+    resumeSessionId: opts.resumeSessionId,
     iteration: opts.iteration,
     env: freshEnv as Record<string, string>,
     // Propagate the selected OAuth slot so the adapter refreshes back to the
@@ -2813,54 +2855,61 @@ async function checkCompletedProcesses(
       if (result.exitCode !== 0 && result.failureReason) {
         failureReason = result.failureReason;
         console.log(`[${role}] Detected error for task ${taskId.slice(0, 8)}: ${failureReason}`);
+      }
 
-        // If rate-limited and we know which key was used, report it.
-        // Codex adapter prefixes failure reasons with `[rate-limit]` /
-        // `[usage-limit]` (see codex-adapter.formatTerminalError); Claude
-        // surfaces "rate limit" / "hit your limit" via SessionErrorTracker.
-        if (
-          credentialInfo &&
-          /rate.?limit|hit your limit|usage[ _-]?limit|too many requests/i.test(failureReason)
-        ) {
-          // Three-tier reset-time resolver (most to least precise):
-          // Tier 1: structured rate_limit_event from Claude CLI (resetsAt epoch sec)
-          // Tier 2: regex on the error message (e.g. "resets 3pm (UTC)")
-          // Tier 3: 5-min hard fallback — only when both structured and regex fail
-          // Tiers 1 & 2 are clamped to [now+60s, now+6h] at their source.
-          const clampResetTime = (isoString: string): string => {
-            const nowMs = Date.now();
-            const minMs = nowMs + 60_000;
-            const maxMs = nowMs + 6 * 60 * 60 * 1000;
-            const candidateMs = new Date(isoString).getTime();
-            return new Date(Math.min(Math.max(candidateMs, minMs), maxMs)).toISOString();
-          };
+      // If rate-limited and we know which key was used, report it.
+      // Codex adapter prefixes failure reasons with `[rate-limit]` /
+      // `[usage-limit]` (see codex-adapter.formatTerminalError); Claude
+      // surfaces "rate limit" / "hit your limit" via SessionErrorTracker.
+      //
+      // The gate must also fire on a bare structured rate_limit_event: a
+      // `status: "rejected"` event sets result.rateLimitResetAt but does NOT
+      // set hasErrors(), so failureReason can be empty even though the key is
+      // exhausted. Gating on rateLimitResetAt != null ensures the structured
+      // event alone still triggers the cooldown.
+      if (
+        credentialInfo &&
+        (result.rateLimitResetAt != null ||
+          (failureReason != null && isRateLimitMessage(failureReason)))
+      ) {
+        // Three-tier reset-time resolver (most to least precise):
+        // Tier 1: structured rate_limit_event from Claude CLI (resetsAt epoch sec)
+        // Tier 2: regex on the error message (e.g. "resets 3pm (UTC)")
+        // Tier 3: 5-min hard fallback — only when both structured and regex fail
+        // Tiers 1 & 2 are clamped to [now+60s, now+7d] (weekly limits reset ~2 days out).
+        const clampResetTime = (isoString: string): string => {
+          const nowMs = Date.now();
+          const minMs = nowMs + 60_000;
+          const maxMs = nowMs + MAX_RATE_LIMIT_RESET_MS;
+          const candidateMs = new Date(isoString).getTime();
+          return new Date(Math.min(Math.max(candidateMs, minMs), maxMs)).toISOString();
+        };
 
-          let rateLimitedUntil: string;
-          if (result.rateLimitResetAt) {
-            rateLimitedUntil = clampResetTime(result.rateLimitResetAt);
+        let rateLimitedUntil: string;
+        if (result.rateLimitResetAt) {
+          rateLimitedUntil = clampResetTime(result.rateLimitResetAt);
+          console.log(`[credentials] Rate limit reset from rate_limit_event: ${rateLimitedUntil}`);
+        } else if (failureReason != null) {
+          const parsedResetTime = parseRateLimitResetTime(failureReason);
+          if (parsedResetTime) {
+            rateLimitedUntil = clampResetTime(parsedResetTime);
             console.log(
-              `[credentials] Rate limit reset from rate_limit_event: ${rateLimitedUntil}`,
+              `[credentials] Parsed rate limit reset time from error: ${rateLimitedUntil}`,
             );
           } else {
-            const parsedResetTime = parseRateLimitResetTime(failureReason);
-            if (parsedResetTime) {
-              rateLimitedUntil = clampResetTime(parsedResetTime);
-              console.log(
-                `[credentials] Parsed rate limit reset time from error: ${rateLimitedUntil}`,
-              );
-            } else {
-              rateLimitedUntil = new Date(Date.now() + 5 * 60 * 1000).toISOString();
-            }
+            rateLimitedUntil = new Date(Date.now() + 5 * 60 * 1000).toISOString();
           }
-          reportKeyRateLimit(
-            apiConfig.apiUrl,
-            apiConfig.apiKey,
-            credentialInfo.keyType,
-            credentialInfo.keySuffix,
-            credentialInfo.keyIndex,
-            rateLimitedUntil,
-          ).catch(() => {});
+        } else {
+          rateLimitedUntil = new Date(Date.now() + 5 * 60 * 1000).toISOString();
         }
+        reportKeyRateLimit(
+          apiConfig.apiUrl,
+          apiConfig.apiKey,
+          credentialInfo.keyType,
+          credentialInfo.keySuffix,
+          credentialInfo.keyIndex,
+          rateLimitedUntil,
+        ).catch(() => {});
       }
       await ensureTaskFinished(
         apiConfig,
@@ -3703,18 +3752,30 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
           console.log(`[${role}] Injected relevant memories into resumed task prompt`);
         }
 
-        // Resolve --resume: prefer own session ID, then parent's
-        let resumeAdditionalArgs = opts.additionalArgs || [];
-        if (task.claudeSessionId) {
-          resumeAdditionalArgs = [...resumeAdditionalArgs, "--resume", task.claudeSessionId];
-          console.log(`[${role}] Resuming task's own session ${task.claudeSessionId.slice(0, 8)}`);
-        } else if (task.parentTaskId) {
-          const parentSessionId = await fetchProviderSessionId(apiUrl, apiKey, task.parentTaskId);
-          if (parentSessionId) {
-            resumeAdditionalArgs = [...resumeAdditionalArgs, "--resume", parentSessionId];
-            console.log(`[${role}] Resuming parent session ${parentSessionId.slice(0, 8)}`);
+        // Resolve provider-aware resume: prefer own session, then parent.
+        const resumeCandidates: ResumeSessionCandidate[] = [
+          {
+            source: "task",
+            taskId: task.id,
+            sessionId: task.claudeSessionId,
+            provider: task.provider,
+            providerMeta: task.providerMeta,
+          },
+        ];
+        if (task.parentTaskId) {
+          const parentSession = await fetchProviderSessionInfo(apiUrl, apiKey, task.parentTaskId);
+          if (parentSession?.sessionId) {
+            resumeCandidates.push({
+              source: "parent",
+              taskId: task.parentTaskId,
+              sessionId: parentSession.sessionId,
+              provider: parentSession.provider,
+              providerMeta: parentSession.providerMeta,
+            });
           }
         }
+        const resumeResolution = resolveResumeSession(state.harnessProvider, resumeCandidates);
+        logResumeResolution(role, resumeResolution);
 
         // Spawn Claude process for resumed task
         iteration++;
@@ -3780,7 +3841,8 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
               prompt: resumePrompt,
               logFile,
               systemPrompt: resolvedSystemPrompt,
-              additionalArgs: resumeAdditionalArgs,
+              additionalArgs: opts.additionalArgs,
+              resumeSessionId: resumeResolution.resumeSessionId,
               role,
               apiUrl,
               apiKey,
@@ -4045,20 +4107,27 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
           }
         }
 
-        // Resolve --resume for child tasks with parentTaskId
-        let effectiveAdditionalArgs = opts.additionalArgs || [];
+        // Resolve provider-aware resume for child tasks with parentTaskId.
+        let resumeSessionId: string | undefined;
         const taskObj = trigger.task as { parentTaskId?: string } | undefined;
         if (taskObj?.parentTaskId) {
-          const parentSessionId = await fetchProviderSessionId(
+          const parentSession = await fetchProviderSessionInfo(
             apiUrl,
             apiKey,
             taskObj.parentTaskId,
           );
-          if (parentSessionId) {
-            effectiveAdditionalArgs = [...effectiveAdditionalArgs, "--resume", parentSessionId];
-            console.log(
-              `[${role}] Child task — resuming parent session ${parentSessionId.slice(0, 8)}`,
-            );
+          if (parentSession?.sessionId) {
+            const resumeResolution = resolveResumeSession(state.harnessProvider, [
+              {
+                source: "parent",
+                taskId: taskObj.parentTaskId,
+                sessionId: parentSession.sessionId,
+                provider: parentSession.provider,
+                providerMeta: parentSession.providerMeta,
+              },
+            ]);
+            logResumeResolution(role, resumeResolution);
+            resumeSessionId = resumeResolution.resumeSessionId;
           } else {
             console.log(`[${role}] Child task — parent session ID not found, starting fresh`);
           }
@@ -4197,7 +4266,8 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
               prompt: triggerPrompt,
               logFile,
               systemPrompt: taskSystemPrompt,
-              additionalArgs: effectiveAdditionalArgs,
+              additionalArgs: opts.additionalArgs,
+              resumeSessionId,
               role,
               apiUrl,
               apiKey,

package/src/http/core.ts

@@ -240,7 +240,10 @@ export async function handleCore(
   // fall through to the bearer check (fail-closed).
   if (apiKey) {
     const pathSegments = getPathSegments(req.url || "");
-    if (!isPublicRoute(req.method, pathSegments)) {
+    const isUserMcpRoute = req.url === "/mcp-user";
+    // `/mcp-user` runs its own `aswt_`-token auth in `handleMcpUser`; the swarm
+    // API key must not gate it.
+    if (!isUserMcpRoute && !isPublicRoute(req.method, pathSegments)) {
       const authHeader = req.headers.authorization;
       const providedKey = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
 

package/src/http/index.ts

@@ -43,6 +43,7 @@ import { handleKv } from "./kv";
 import { handleMcp } from "./mcp";
 import { handleMcpOAuth, startMcpOAuthPendingGc, stopMcpOAuthPendingGc } from "./mcp-oauth";
 import { handleMcpServers } from "./mcp-servers";
+import { handleMcpUser } from "./mcp-user";
 import { handleMemory } from "./memory";
 import { handlePageProxy } from "./page-proxy";
 import { handlePages } from "./pages";
@@ -89,6 +90,8 @@ const apiKey = getApiKey();
 const globalState = globalThis as typeof globalThis & {
   __httpServer?: Server<typeof IncomingMessage, typeof ServerResponse>;
   __transports?: Record<string, StreamableHTTPServerTransport>;
+  __transportsUser?: Record<string, StreamableHTTPServerTransport>;
+  __sessionUsers?: Record<string, string>;
   __sigintRegistered?: boolean;
   __runId?: string;
 };
@@ -100,6 +103,9 @@ if (globalState.__httpServer) {
 }
 
 const transports: Record<string, StreamableHTTPServerTransport> = globalState.__transports ?? {};
+const transportsUser: Record<string, StreamableHTTPServerTransport> =
+  globalState.__transportsUser ?? {};
+const sessionUsers: Record<string, string> = globalState.__sessionUsers ?? {};
 
 const httpServer = createHttpServer(async (req, res) => {
   const startTime = performance.now();
@@ -234,6 +240,7 @@ const httpServer = createHttpServer(async (req, res) => {
         () => handleInboxState(req, res, pathSegments, queryParams),
         () => handleTaskTemplates(req, res, pathSegments, queryParams),
         () => handleMcp(req, res, transports),
+        () => handleMcpUser(req, res, transportsUser, sessionUsers),
       ];
 
       try {
@@ -271,6 +278,8 @@ const httpServer = createHttpServer(async (req, res) => {
 // Store references in globalThis for hot reload persistence
 globalState.__httpServer = httpServer;
 globalState.__transports = transports;
+globalState.__transportsUser = transportsUser;
+globalState.__sessionUsers = sessionUsers;
 
 async function shutdown() {
   console.log("Shutting down HTTP server...");
@@ -303,6 +312,13 @@ async function shutdown() {
     delete transports[id];
   }
 
+  for (const [id, transport] of Object.entries(transportsUser)) {
+    console.log(`[HTTP] Closing user transport ${id}`);
+    transport.close();
+    delete transportsUser[id];
+    delete sessionUsers[id];
+  }
+
   // Close all active connections forcefully
   httpServer.closeAllConnections();
   httpServer.close(() => {

package/src/http/integrations.ts

@@ -45,6 +45,20 @@ const claudeManagedTestRoute = route({
   },
 });
 
+const mcpUserConfigRoute = route({
+  method: "get",
+  path: "/api/integrations/mcp-user/config",
+  pattern: ["api", "integrations", "mcp-user", "config"],
+  summary: "Get server-derived config for end-user MCP clients.",
+  tags: ["Integrations"],
+  responses: {
+    200: {
+      description:
+        "Server-derived MCP user config. `mcpBaseUrl` is the API server base URL and `mcpUserUrl` appends `/mcp-user`.",
+    },
+  },
+});
+
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
 /**
@@ -73,6 +87,12 @@ function resolveConfigValue(key: string): string | null {
   return null;
 }
 
+function resolveMcpBaseUrl(): string {
+  const configured = resolveConfigValue("MCP_BASE_URL");
+  const fallback = `http://localhost:${process.env.PORT || "3013"}`;
+  return (configured || fallback).replace(/\/+$/, "");
+}
+
 // ─── Public handler factory ──────────────────────────────────────────────────
 
 /**
@@ -89,6 +109,12 @@ export function createIntegrationsHandler(deps: TestConnectionDeps = {}) {
     res: ServerResponse,
     pathSegments: string[],
   ): Promise<boolean> {
+    if (mcpUserConfigRoute.match(req.method, pathSegments)) {
+      const mcpBaseUrl = resolveMcpBaseUrl();
+      json(res, { mcpBaseUrl, mcpUserUrl: `${mcpBaseUrl}/mcp-user` });
+      return true;
+    }
+
     if (claudeManagedTestRoute.match(req.method, pathSegments)) {
       const apiKey = resolveConfigValue("ANTHROPIC_API_KEY");
       const agentId = resolveConfigValue("MANAGED_AGENT_ID");

package/src/http/mcp-user.ts

@@ -0,0 +1,111 @@
+import { randomUUID } from "node:crypto";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+import { resolveUserByToken } from "@/be/users";
+import { createUserServer } from "@/server-user";
+import type { User } from "@/types";
+
+function unauthorized(res: ServerResponse): true {
+  res.writeHead(401, { "Content-Type": "application/json" });
+  res.end(JSON.stringify({ error: "Unauthorized" }));
+  return true;
+}
+
+function extractBearer(req: IncomingMessage): string | null {
+  const header = req.headers.authorization;
+  if (!header?.startsWith("Bearer ")) return null;
+  const token = header.slice("Bearer ".length).trim();
+  return token.startsWith("aswt_") ? token : null;
+}
+
+function resolveActiveUser(req: IncomingMessage): User | null {
+  const token = extractBearer(req);
+  if (!token) return null;
+  const user = resolveUserByToken(token);
+  if (!user || user.status !== "active") return null;
+  return user;
+}
+
+export async function handleMcpUser(
+  req: IncomingMessage,
+  res: ServerResponse,
+  transports: Record<string, StreamableHTTPServerTransport>,
+  sessionUsers: Record<string, string>,
+): Promise<boolean> {
+  const sessionId = req.headers["mcp-session-id"] as string | undefined;
+
+  if (req.url !== "/mcp-user") {
+    return false;
+  }
+
+  const user = resolveActiveUser(req);
+  if (!user) return unauthorized(res);
+
+  if (sessionId && transports[sessionId] && sessionUsers[sessionId] !== user.id) {
+    return unauthorized(res);
+  }
+
+  if (req.method === "POST") {
+    const chunks: Buffer[] = [];
+    for await (const chunk of req) {
+      chunks.push(chunk);
+    }
+    const body = JSON.parse(Buffer.concat(chunks).toString());
+
+    let transport: StreamableHTTPServerTransport;
+
+    if (sessionId && transports[sessionId]) {
+      transport = transports[sessionId];
+    } else if (!sessionId && isInitializeRequest(body)) {
+      transport = new StreamableHTTPServerTransport({
+        sessionIdGenerator: () => randomUUID(),
+        onsessioninitialized: (id) => {
+          transports[id] = transport;
+          sessionUsers[id] = user.id;
+        },
+        onsessionclosed: (id) => {
+          delete transports[id];
+          delete sessionUsers[id];
+        },
+      });
+
+      transport.onclose = () => {
+        if (transport.sessionId) {
+          delete transports[transport.sessionId];
+          delete sessionUsers[transport.sessionId];
+        }
+      };
+
+      const server = createUserServer(user);
+      await server.connect(transport);
+    } else {
+      res.writeHead(400, { "Content-Type": "application/json" });
+      res.end(
+        JSON.stringify({
+          jsonrpc: "2.0",
+          error: { code: -32000, message: "Invalid session" },
+          id: null,
+        }),
+      );
+      return true;
+    }
+
+    await transport.handleRequest(req, res, body);
+    return true;
+  }
+
+  if (req.method === "GET" || req.method === "DELETE") {
+    if (sessionId && transports[sessionId]) {
+      await transports[sessionId].handleRequest(req, res);
+      return true;
+    }
+    res.writeHead(400);
+    res.end("Invalid session");
+    return true;
+  }
+
+  res.writeHead(405);
+  res.end("Method not allowed");
+  return true;
+}