@exileum/meta-mcp 7.0.0 → 8.0.0

package/README.md

@@ -71,9 +71,25 @@ npm run build
 | `META_APP_SECRET` | For token/webhook tools | Meta App Secret |
 | `META_API_VERSION` | Optional | Meta Graph API version for Instagram and Facebook endpoints — defaults to `v25.0` (verified 2026-05-06). Override only when Meta deprecates a version before meta-mcp ships a new release. Format: `vMAJOR.MINOR` (e.g., `v26.0`); malformed values fall back to the default with a stderr warning. OAuth token endpoints are unversioned and unaffected by this setting |
 | `THREADS_API_VERSION` | Optional | Threads API version — defaults to `v1.0` (verified 2026-05-06). Threads runs a separate single-major-version track and is not bumped in lockstep with the Graph API. Same `vMAJOR.MINOR` format and fallback behavior as `META_API_VERSION` |
+| `MCP_TRANSPORT` | Optional | Transport to serve MCP over — `stdio` (default) or `http`. See [HTTP Transport](#http-transport) |
+| `MCP_HTTP_PORT` | Optional (http) | TCP port for the HTTP transport — defaults to `3000`. Must be an integer 1–65535 |
+| `MCP_HTTP_HOST` | Optional (http) | Bind address for the HTTP transport — defaults to `127.0.0.1` (loopback only). Set to `0.0.0.0` to accept connections from other hosts (e.g. in Docker), but only behind a TLS/auth reverse proxy |
+| `MCP_HTTP_ALLOWED_HOSTS` | Optional (http) | Comma-separated `host:port` allowlist for DNS-rebinding protection. Defaults to loopback variants at the bound port; set this when binding to a non-loopback host so legitimate requests pass the Host check |
 
 The server validates these at startup. Malformed values for `INSTAGRAM_USER_ID`, `THREADS_USER_ID`, or `META_APP_ID` cause the process to exit with `Invalid meta-mcp configuration: …`. Setting only one half of a credential pair (e.g., `INSTAGRAM_ACCESS_TOKEN` without `INSTAGRAM_USER_ID`) prints a stderr warning and continues; related tool invocations still fail at call time.
 
+## HTTP Transport
+
+By default the server speaks MCP over **stdio** — the right choice for local clients (Claude Desktop, Claude Code, etc.). Set `MCP_TRANSPORT=http` to instead serve the SDK's **Streamable HTTP** transport, which enables remote/web-based MCP clients, cloud deployments, and multiple concurrent client sessions.
+
+```bash
+MCP_TRANSPORT=http MCP_HTTP_PORT=3000 npx @exileum/meta-mcp
+```
+
+The server then listens on `http://127.0.0.1:3000/mcp`: `POST` to send messages, `GET` for the server→client SSE stream, `DELETE` to end a session. Each client gets an isolated session keyed by the `Mcp-Session-Id` header, so multiple clients can connect at once.
+
+**Security.** The transport binds to `127.0.0.1` (loopback) by default and enables DNS-rebinding protection scoped to localhost, so it is not reachable off-host out of the box. To expose it to other machines (e.g. a container), set `MCP_HTTP_HOST=0.0.0.0` and run it **behind a reverse proxy that terminates TLS and handles authentication** — the server itself performs no auth. When bound to a non-loopback address, set `MCP_HTTP_ALLOWED_HOSTS` to the `host:port` values clients will use so the Host-header check passes (otherwise rebinding protection is disabled with a stderr warning).
+
 ## Account Requirements
 
 | Platform | Account Type | Notes |
@@ -93,6 +109,10 @@ The server validates these at startup. Malformed values for `INSTAGRAM_USER_ID`,
 - Rate limit tracking via `x-app-usage` header — and **automatic client-side throttling** at 80% (1s slowdown) / 90% (5s backoff) so a burst of tool calls stays under Meta's per-app quota
 - **Automatic retry** for transient Meta API failures (HTTP `429`/`500`/`502`/`503`/`504`, network errors, `fetch` timeouts) with exponential backoff and `Retry-After` honoring; tunable via `MetaClient`'s `maxRetries` option (default 3, set to 0 to disable)
 - **Structured error responses** with `error_type` (`auth`, `validation`, `rate_limit`, `server`, `network`, `internal`), HTTP status, Meta API code/subcode/type, and a `remediation` hint where actionable — see [`CHANGELOG.md`](./CHANGELOG.md) for the JSON shape
+- **MCP server `instructions`** sent during `initialize` so clients know required env vars, the two-step publish flow, expected video processing times, and the `_rateLimit` envelope without re-reading the README
+- **MCP `notifications/progress`** emitted while polling container status during publishing — attach a `progressToken` to `ig_publish_*` / `threads_publish_image|video|carousel` calls and the server reports each poll attempt
+- **Structured MCP logging** via the `notifications/message` channel (the server declares the `logging` capability) — each API call logs `debug` (method + path, never the token-bearing URL), terminal failures log `error` (status/code/sanitized message), rate-limit pressure logs `warning`, and `DELETE`/publish operations log an `info` audit line. Clients can raise the floor with `logging/setLevel` (default emits all levels, including `debug`)
+- **Optional HTTP transport** — set `MCP_TRANSPORT=http` to serve the MCP Streamable HTTP transport (stateful multi-session, localhost-bound by default) instead of stdio, for remote/cloud deployments — see [HTTP Transport](#http-transport)
 
 ## Tools
 
@@ -230,14 +250,14 @@ The server validates these at startup. Malformed values for `INSTAGRAM_USER_ID`,
 | Resource URI | Description |
 |-------------|-------------|
 | `meta-mcp://instagram/profile` | Instagram account profile data |
-| `meta-mcp://threads/profile` | Threads account profile data (includes is_verified) |
+| `meta-mcp://threads/profile` | Threads account profile data (includes is_verified and is_eligible_for_geo_gating) |
 
 ## Prompts
 
-| Prompt | Description |
-|--------|-------------|
-| `content_publish` | Cross-post content to Instagram and Threads |
-| `analytics_report` | Generate combined analytics report |
+| Prompt | Description | Arguments (all optional) |
+|--------|-------------|--------------------------|
+| `content_publish` | Cross-post content to Instagram and Threads | `platform` (`instagram` \| `threads` \| `both`), `content_type` (`text` \| `image` \| `video` \| `carousel`), `media_url`, `caption` |
+| `analytics_report` | Generate combined analytics report | `platform` (`instagram` \| `threads` \| `both`), `time_range` (`7d` \| `30d` \| `90d`), `focus` (`engagement` \| `growth` \| `content`) |
 
 ## Setup Guide
 
@@ -333,11 +353,15 @@ Access tokens expire after ~60 days. Refresh before expiration (token must be at
     &access_token=CURRENT_LONG_LIVED_TOKEN
   ```
 
+When you rotate a token through `meta_refresh_token` or `meta_exchange_token`, the new token is **automatically applied in-memory** to the running MCP server — subsequent tool calls use it immediately, no server restart needed. The new token is still returned in the response so you can persist it in your environment for the next process restart. A single `[meta-mcp] <Platform> access token updated in-memory after <tool>…` line is logged to stderr when this happens.
+
 Check token status anytime with `meta_debug_token`.
 
 ## Troubleshooting
 
-Tool failures return `isError: true` with a JSON body in `content[0].text` matching the envelope documented in [`CHANGELOG.md`](./CHANGELOG.md): `{ error: true, error_type, http_status, code, subcode, type, message, remediation, fbtrace_id, raw }`. The fastest path to a fix is to read `error_type` and the Meta API `code`, then jump to the matching subsection below. The full code reference is the [Meta Graph API error handling guide](https://developers.facebook.com/docs/graph-api/guides/error-handling/).
+Tool failures return `isError: true` with a JSON body in `content[0].text` matching the envelope documented in [`CHANGELOG.md`](./CHANGELOG.md): `{ error: true, error_type, http_status, code, subcode, type, step, container_id, message, remediation, fbtrace_id, raw }`. The fastest path to a fix is to read `error_type` and the Meta API `code`, then jump to the matching subsection below. The full code reference is the [Meta Graph API error handling guide](https://developers.facebook.com/docs/graph-api/guides/error-handling/).
+
+On the publish tools (`ig_publish_*`, `threads_publish_*`, `threads_reply`), errors also include `step` (`container creation` / `processing` / `publishing`, plus `child container creation` / `child processing` / `parent container creation` / `parent processing` on carousels) and `container_id` when one was created. The `message` mirrors them: `"Publish photo failed at processing (container: 17889615324): Container processing timed out after 30s"`. Use these to decide whether to retry the publish, clean up an orphaned container, or treat the existing container as still reusable.
 
 ### `error_type: "auth"` — expired, revoked, or under-scoped token
 
@@ -362,7 +386,7 @@ Triggered by Meta API codes `4`, `17`, `32`, `341`, `613`, the business-use-case
 What to do:
 
 1. Inspect the `_rateLimit` field on prior successful tool responses. `callCount`, `totalCpuTime`, and `totalTime` come from Meta's `x-app-usage` header; when any approaches `100` you are near the per-app threshold.
-2. meta-mcp already self-throttles once `max(callCount, totalCpuTime, totalTime)` crosses 80% (1s slowdown) or 90% (5s backoff) — see the `[meta-mcp] x-app-usage at N%…` lines on stderr. If you are still hitting `rate_limit` errors despite that, reduce request volume further and cache profile metadata between calls.
+2. meta-mcp already self-throttles once `max(callCount, totalCpuTime, totalTime)` crosses 80% (1s slowdown) or 90% (5s backoff) — watch for the `warning`-level MCP log message (`logger: "meta-client"`, with `usage_pct` and `delay_ms`) the server emits before each throttled call. Profile reads (`ig_get_profile`, `threads_get_profile`, and the matching `meta-mcp://*/profile` resources) and hashtag-name lookups (`ig_search_hashtag`) are also cached in-process for 5 minutes / 7 days respectively, with cache hits skipping the network entirely. If you are still hitting `rate_limit` errors despite all that, reduce request volume further.
 3. Threads has hard daily quotas (250 publishes, 100 deletes) — query the remaining quota with `threads_get_publishing_limit` before bulk operations.
 
 ### `error_type: "validation"` — bad parameter, wrong ID, or unsupported field

package/dist/constants/fields.d.ts

@@ -0,0 +1,6 @@
+export declare const IG_PROFILE_FIELDS = "id,name,username,biography,followers_count,follows_count,media_count,profile_picture_url,website";
+export declare const IG_MEDIA_FIELDS = "id,caption,media_type,media_url,permalink,thumbnail_url,timestamp,like_count,comments_count";
+export declare const IG_HASHTAG_MEDIA_FIELDS = "id,caption,media_type,media_url,permalink,timestamp,like_count,comments_count";
+export declare const THREADS_PROFILE_FIELDS = "id,username,name,threads_profile_picture_url,threads_biography,is_verified,is_eligible_for_geo_gating";
+export declare const THREADS_MEDIA_FIELDS: string;
+//# sourceMappingURL=fields.d.ts.map

package/dist/constants/fields.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"fields.d.ts","sourceRoot":"","sources":["../../src/constants/fields.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iBAAiB,qGACsE,CAAC;AAErG,eAAO,MAAM,eAAe,gGACmE,CAAC;AAIhG,eAAO,MAAM,uBAAuB,kFAC6C,CAAC;AAElF,eAAO,MAAM,sBAAsB,0GACsE,CAAC;AAE1G,eAAO,MAAM,oBAAoB,QAiBtB,CAAC"}

package/dist/constants/fields.js

@@ -0,0 +1,25 @@
+export const IG_PROFILE_FIELDS = "id,name,username,biography,followers_count,follows_count,media_count,profile_picture_url,website";
+export const IG_MEDIA_FIELDS = "id,caption,media_type,media_url,permalink,thumbnail_url,timestamp,like_count,comments_count";
+// thumbnail_url is intentionally omitted — the Instagram Hashtag Search API
+// does not return it on hashtag media results, only on user-owned media.
+export const IG_HASHTAG_MEDIA_FIELDS = "id,caption,media_type,media_url,permalink,timestamp,like_count,comments_count";
+export const THREADS_PROFILE_FIELDS = "id,username,name,threads_profile_picture_url,threads_biography,is_verified,is_eligible_for_geo_gating";
+export const THREADS_MEDIA_FIELDS = [
+    "id",
+    "media_product_type",
+    "media_type",
+    "media_url",
+    "permalink",
+    "text",
+    "timestamp",
+    "shortcode",
+    "is_quote_post",
+    "has_replies",
+    "reply_audience",
+    "topic_tag",
+    "link_attachment_url",
+    "poll_attachment{option_a,option_b,option_c,option_d,option_a_votes_percentage,option_b_votes_percentage,option_c_votes_percentage,option_d_votes_percentage,total_votes,expiration_timestamp}",
+    "gif_url",
+    "alt_text",
+].join(",");
+//# sourceMappingURL=fields.js.map

package/dist/constants/fields.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fields.js","sourceRoot":"","sources":["../../src/constants/fields.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iBAAiB,GAC5B,kGAAkG,CAAC;AAErG,MAAM,CAAC,MAAM,eAAe,GAC1B,6FAA6F,CAAC;AAEhG,4EAA4E;AAC5E,yEAAyE;AACzE,MAAM,CAAC,MAAM,uBAAuB,GAClC,+EAA+E,CAAC;AAElF,MAAM,CAAC,MAAM,sBAAsB,GACjC,uGAAuG,CAAC;AAE1G,MAAM,CAAC,MAAM,oBAAoB,GAAG;IAClC,IAAI;IACJ,oBAAoB;IACpB,YAAY;IACZ,WAAW;IACX,WAAW;IACX,MAAM;IACN,WAAW;IACX,WAAW;IACX,eAAe;IACf,aAAa;IACb,gBAAgB;IAChB,WAAW;IACX,qBAAqB;IACrB,+LAA+L;IAC/L,SAAS;IACT,UAAU;CACX,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC"}

package/dist/http-transport.d.ts

@@ -0,0 +1,20 @@
+import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+export declare const DEFAULT_HTTP_HOST = "127.0.0.1";
+export declare const DEFAULT_HTTP_PORT = 3000;
+export declare const MCP_ENDPOINT = "/mcp";
+export interface HttpTransportConfig {
+    host: string;
+    port: number;
+    allowedHosts: string[] | undefined;
+}
+export interface StartHttpTransportOptions extends HttpTransportConfig {
+    createServer: () => McpServer;
+    log?: (msg: string) => void;
+}
+export interface HttpTransportHandle {
+    port: number;
+    close(): Promise<void>;
+}
+export declare function parseHttpTransportConfig(env: NodeJS.ProcessEnv): HttpTransportConfig;
+export declare function startHttpTransport(options: StartHttpTransportOptions): Promise<HttpTransportHandle>;
+//# sourceMappingURL=http-transport.d.ts.map

package/dist/http-transport.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-transport.d.ts","sourceRoot":"","sources":["../src/http-transport.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAIzE,eAAO,MAAM,iBAAiB,cAAc,CAAC;AAC7C,eAAO,MAAM,iBAAiB,OAAO,CAAC;AACtC,eAAO,MAAM,YAAY,SAAS,CAAC;AAKnC,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IAEb,YAAY,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CACpC;AAED,MAAM,WAAW,yBAA0B,SAAQ,mBAAmB;IAEpE,YAAY,EAAE,MAAM,SAAS,CAAC;IAC9B,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,mBAAmB;IAClC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC;CACxB;AAED,wBAAgB,wBAAwB,CAAC,GAAG,EAAE,MAAM,CAAC,UAAU,GAAG,mBAAmB,CAsBpF;AAED,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,yBAAyB,GACjC,OAAO,CAAC,mBAAmB,CAAC,CAoI9B"}

package/dist/http-transport.js

@@ -0,0 +1,228 @@
+import { randomUUID } from "node:crypto";
+import { createServer } from "node:http";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+export const DEFAULT_HTTP_HOST = "127.0.0.1";
+export const DEFAULT_HTTP_PORT = 3000;
+export const MCP_ENDPOINT = "/mcp";
+// Node's http server imposes no body limit; cap reads to avoid memory exhaustion.
+const MAX_BODY_BYTES = 4 * 1024 * 1024;
+export function parseHttpTransportConfig(env) {
+    const host = env.MCP_HTTP_HOST?.trim() || DEFAULT_HTTP_HOST;
+    let port = DEFAULT_HTTP_PORT;
+    const rawPort = env.MCP_HTTP_PORT?.trim();
+    if (rawPort) {
+        // Number() (unlike parseInt) rejects "3000abc" as NaN.
+        const parsed = Number(rawPort);
+        if (!Number.isInteger(parsed) || parsed < 1 || parsed > 65535) {
+            throw new Error(`MCP_HTTP_PORT must be an integer between 1 and 65535 (got "${rawPort}")`);
+        }
+        port = parsed;
+    }
+    const rawAllowed = env.MCP_HTTP_ALLOWED_HOSTS?.trim();
+    const allowedHosts = rawAllowed
+        ? rawAllowed.split(",").map((h) => h.trim()).filter(Boolean)
+        : undefined;
+    return { host, port, allowedHosts };
+}
+export async function startHttpTransport(options) {
+    const { host, createServer: createMcpServer } = options;
+    const log = options.log ?? ((msg) => console.error(msg));
+    const sessions = new Map();
+    // Resolved after listen() so DNS-rebinding allowlists can include the actual
+    // bound port (matters when port is 0, e.g. in tests).
+    let allowedHosts = [];
+    let dnsRebindingProtection = false;
+    const httpServer = createServer((req, res) => {
+        void handleRequest(req, res).catch((err) => {
+            log(`[meta-mcp] HTTP handler error — ${errMessage(err)}`);
+            sendJsonRpcError(res, 500, -32603, "Internal server error");
+        });
+    });
+    async function handleRequest(req, res) {
+        const url = new URL(req.url ?? "/", `http://${req.headers.host ?? host}`);
+        if (url.pathname !== MCP_ENDPOINT) {
+            sendJsonRpcError(res, 404, -32601, `Not found: ${url.pathname}`);
+            return;
+        }
+        const method = req.method ?? "GET";
+        const sessionId = headerValue(req.headers["mcp-session-id"]);
+        if (method === "POST") {
+            let body;
+            try {
+                body = await readJsonBody(req);
+            }
+            catch (err) {
+                // Fixed messages only — never echo exception text back to a remote client.
+                if (err instanceof PayloadTooLargeError) {
+                    sendJsonRpcError(res, 413, -32600, "Request body too large");
+                }
+                else {
+                    sendJsonRpcError(res, 400, -32700, "Invalid JSON in request body");
+                }
+                return;
+            }
+            if (sessionId) {
+                const transport = sessions.get(sessionId);
+                if (!transport) {
+                    sendJsonRpcError(res, 404, -32001, "Session not found");
+                    return;
+                }
+                await transport.handleRequest(req, res, body);
+                return;
+            }
+            if (isInitializeRequest(body)) {
+                const transport = new StreamableHTTPServerTransport({
+                    sessionIdGenerator: () => randomUUID(),
+                    enableDnsRebindingProtection: dnsRebindingProtection,
+                    allowedHosts,
+                    onsessioninitialized: (sid) => {
+                        sessions.set(sid, transport);
+                    },
+                });
+                // Drop the session on close (DELETE or client drop) so the map can't leak.
+                transport.onclose = () => {
+                    const sid = transport.sessionId;
+                    if (sid)
+                        sessions.delete(sid);
+                };
+                try {
+                    await createMcpServer().connect(transport);
+                    await transport.handleRequest(req, res, body);
+                }
+                catch (err) {
+                    // Close so onclose evicts a half-initialized session from the map.
+                    await transport.close().catch(() => undefined);
+                    throw err;
+                }
+                return;
+            }
+            sendJsonRpcError(res, 400, -32000, "Bad Request: missing or invalid session ID");
+            return;
+        }
+        if (method === "GET" || method === "DELETE") {
+            if (!sessionId) {
+                sendJsonRpcError(res, 400, -32000, "Bad Request: missing session ID");
+                return;
+            }
+            const transport = sessions.get(sessionId);
+            if (!transport) {
+                sendJsonRpcError(res, 404, -32001, "Session not found");
+                return;
+            }
+            await transport.handleRequest(req, res);
+            return;
+        }
+        sendJsonRpcError(res, 405, -32601, `Method not allowed: ${method}`);
+    }
+    await new Promise((resolve, reject) => {
+        const onListenError = (err) => reject(err);
+        httpServer.once("error", onListenError);
+        httpServer.listen(options.port, host, () => {
+            httpServer.removeListener("error", onListenError);
+            resolve();
+        });
+    });
+    const actualPort = httpServer.address().port;
+    if (options.allowedHosts && options.allowedHosts.length > 0) {
+        allowedHosts = options.allowedHosts;
+        dnsRebindingProtection = true;
+    }
+    else if (isLoopbackHost(host)) {
+        allowedHosts = loopbackHosts(actualPort);
+        dnsRebindingProtection = true;
+    }
+    else {
+        // Bound to a routable interface (e.g. 0.0.0.0 in Docker) with no allowlist —
+        // a Host allowlist can't be derived, so leave protection off and tell the
+        // operator to front it with a proxy or set MCP_HTTP_ALLOWED_HOSTS.
+        log(`[meta-mcp] Warning: HTTP transport bound to non-loopback host ${host} without ` +
+            `MCP_HTTP_ALLOWED_HOSTS — DNS-rebinding protection is disabled. Run behind a ` +
+            `reverse proxy and/or set MCP_HTTP_ALLOWED_HOSTS.`);
+    }
+    log(`[meta-mcp] HTTP transport listening on http://${host}:${actualPort}${MCP_ENDPOINT}`);
+    return {
+        port: actualPort,
+        close: () => closeHttpTransport(httpServer, sessions),
+    };
+}
+async function closeHttpTransport(httpServer, sessions) {
+    // Close transports first: each open SSE stream holds a socket that
+    // httpServer.close() would otherwise wait on forever.
+    for (const transport of sessions.values()) {
+        try {
+            await transport.close();
+        }
+        catch {
+            // best-effort — keep tearing down the rest
+        }
+    }
+    sessions.clear();
+    httpServer.closeIdleConnections();
+    await new Promise((resolve, reject) => {
+        httpServer.close((err) => (err ? reject(err) : resolve()));
+    });
+}
+class PayloadTooLargeError extends Error {
+}
+function readJsonBody(req) {
+    return new Promise((resolve, reject) => {
+        const chunks = [];
+        let size = 0;
+        let settled = false;
+        const settle = (fn) => {
+            if (settled)
+                return;
+            settled = true;
+            fn();
+        };
+        req.on("data", (chunk) => {
+            size += chunk.length;
+            if (size > MAX_BODY_BYTES) {
+                // Reject and stop buffering, but keep draining the socket so the 413
+                // response writes cleanly — destroying req here would kill res too.
+                settle(() => reject(new PayloadTooLargeError(`Request body exceeds ${MAX_BODY_BYTES} bytes`)));
+                return;
+            }
+            chunks.push(chunk);
+        });
+        req.on("end", () => {
+            settle(() => {
+                const raw = Buffer.concat(chunks).toString("utf8");
+                if (!raw) {
+                    resolve(undefined);
+                    return;
+                }
+                try {
+                    resolve(JSON.parse(raw));
+                }
+                catch {
+                    reject(new SyntaxError("Invalid JSON in request body"));
+                }
+            });
+        });
+        req.on("error", (err) => settle(() => reject(err)));
+    });
+}
+function sendJsonRpcError(res, status, code, message) {
+    if (res.headersSent || res.writableEnded || res.destroyed)
+        return;
+    res.writeHead(status, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ jsonrpc: "2.0", error: { code, message }, id: null }));
+}
+function headerValue(value) {
+    if (Array.isArray(value))
+        return value[0];
+    return value;
+}
+function isLoopbackHost(host) {
+    // The whole 127.0.0.0/8 range is loopback, plus localhost and IPv6 ::1.
+    return host === "localhost" || host === "::1" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
+}
+function loopbackHosts(port) {
+    return [`127.0.0.1:${port}`, `localhost:${port}`, `[::1]:${port}`];
+}
+function errMessage(err) {
+    return err instanceof Error ? err.message : String(err);
+}
+//# sourceMappingURL=http-transport.js.map

package/dist/http-transport.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-transport.js","sourceRoot":"","sources":["../src/http-transport.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAA0D,MAAM,WAAW,CAAC;AAGjG,OAAO,EAAE,6BAA6B,EAAE,MAAM,oDAAoD,CAAC;AACnG,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAC;AAEzE,MAAM,CAAC,MAAM,iBAAiB,GAAG,WAAW,CAAC;AAC7C,MAAM,CAAC,MAAM,iBAAiB,GAAG,IAAI,CAAC;AACtC,MAAM,CAAC,MAAM,YAAY,GAAG,MAAM,CAAC;AAEnC,kFAAkF;AAClF,MAAM,cAAc,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC;AAoBvC,MAAM,UAAU,wBAAwB,CAAC,GAAsB;IAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,IAAI,iBAAiB,CAAC;IAE5D,IAAI,IAAI,GAAG,iBAAiB,CAAC;IAC7B,MAAM,OAAO,GAAG,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC;IAC1C,IAAI,OAAO,EAAE,CAAC;QACZ,uDAAuD;QACvD,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,MAAM,GAAG,CAAC,IAAI,MAAM,GAAG,KAAK,EAAE,CAAC;YAC9D,MAAM,IAAI,KAAK,CACb,8DAA8D,OAAO,IAAI,CAC1E,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,UAAU,GAAG,GAAG,CAAC,sBAAsB,EAAE,IAAI,EAAE,CAAC;IACtD,MAAM,YAAY,GAAG,UAAU;QAC7B,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;QAC5D,CAAC,CAAC,SAAS,CAAC;IAEd,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,YAAY,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAkC;IAElC,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;IACxD,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,CAAC,CAAC,GAAW,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;IAEjE,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAyC,CAAC;IAElE,6EAA6E;IAC7E,sDAAsD;IACtD,IAAI,YAAY,GAAa,EAAE,CAAC;IAChC,IAAI,sBAAsB,GAAG,KAAK,CAAC;IAEnC,MAAM,UAAU,GAAG,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;QAC3C,KAAK,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;YAClD,GAAG,CAAC,mCAAmC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1D,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,uBAAuB,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,KAAK,UAAU,aAAa,CAAC,GAAoB,EAAE,GAAmB;QACpE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,GAAG,IAAI,GAAG,EAAE,UAAU,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC,CAAC;QAC1E,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;YAClC,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,cAAc,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;YACjE,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,KAAK,CAAC;QACnC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC,CAAC;QAE7D,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;YACtB,IAAI,IAAa,CAAC;YAClB,IAAI,CAAC;gBACH,IAAI,GAAG,MAAM,YAAY,CAAC,GAAG,CAAC,CAAC;YACjC,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,2EAA2E;gBAC3E,IAAI,GAAG,YAAY,oBAAoB,EAAE,CAAC;oBACxC,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,wBAAwB,CAAC,CAAC;gBAC/D,CAAC;qBAAM,CAAC;oBACN,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,8BAA8B,CAAC,CAAC;gBACrE,CAAC;gBACD,OAAO;YACT,CAAC;YAED,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;gBAC1C,IAAI,CAAC,SAAS,EAAE,CAAC;oBACf,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;oBACxD,OAAO;gBACT,CAAC;gBACD,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC9C,OAAO;YACT,CAAC;YAED,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC9B,MAAM,SAAS,GAAG,IAAI,6BAA6B,CAAC;oBAClD,kBAAkB,EAAE,GAAG,EAAE,CAAC,UAAU,EAAE;oBACtC,4BAA4B,EAAE,sBAAsB;oBACpD,YAAY;oBACZ,oBAAoB,EAAE,CAAC,GAAG,EAAE,EAAE;wBAC5B,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;oBAC/B,CAAC;iBACF,CAAC,CAAC;gBACH,2EAA2E;gBAC3E,SAAS,CAAC,OAAO,GAAG,GAAG,EAAE;oBACvB,MAAM,GAAG,GAAG,SAAS,CAAC,SAAS,CAAC;oBAChC,IAAI,GAAG;wBAAE,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAChC,CAAC,CAAC;gBACF,IAAI,CAAC;oBACH,MAAM,eAAe,EAAE,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;oBAC3C,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,CAAC;gBAChD,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACb,mEAAmE;oBACnE,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;oBAC/C,MAAM,GAAG,CAAC;gBACZ,CAAC;gBACD,OAAO;YACT,CAAC;YAED,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,4CAA4C,CAAC,CAAC;YACjF,OAAO;QACT,CAAC;QAED,IAAI,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,iCAAiC,CAAC,CAAC;gBACtE,OAAO;YACT,CAAC;YACD,MAAM,SAAS,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAC1C,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YACD,MAAM,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACxC,OAAO;QACT,CAAC;QAED,gBAAgB,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,KAAK,EAAE,uBAAuB,MAAM,EAAE,CAAC,CAAC;IACtE,CAAC;IAED,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,MAAM,aAAa,GAAG,CAAC,GAAU,EAAQ,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACxD,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;QACxC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,GAAG,EAAE;YACzC,UAAU,CAAC,cAAc,CAAC,OAAO,EAAE,aAAa,CAAC,CAAC;YAClD,OAAO,EAAE,CAAC;QACZ,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,MAAM,UAAU,GAAI,UAAU,CAAC,OAAO,EAAkB,CAAC,IAAI,CAAC;IAE9D,IAAI,OAAO,CAAC,YAAY,IAAI,OAAO,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5D,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QACpC,sBAAsB,GAAG,IAAI,CAAC;IAChC,CAAC;SAAM,IAAI,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,YAAY,GAAG,aAAa,CAAC,UAAU,CAAC,CAAC;QACzC,sBAAsB,GAAG,IAAI,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,6EAA6E;QAC7E,0EAA0E;QAC1E,mEAAmE;QACnE,GAAG,CACD,iEAAiE,IAAI,WAAW;YAC9E,8EAA8E;YAC9E,kDAAkD,CACrD,CAAC;IACJ,CAAC;IAED,GAAG,CAAC,iDAAiD,IAAI,IAAI,UAAU,GAAG,YAAY,EAAE,CAAC,CAAC;IAE1F,OAAO;QACL,IAAI,EAAE,UAAU;QAChB,KAAK,EAAE,GAAG,EAAE,CAAC,kBAAkB,CAAC,UAAU,EAAE,QAAQ,CAAC;KACtD,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,UAAkB,EAClB,QAAoD;IAEpD,mEAAmE;IACnE,sDAAsD;IACtD,KAAK,MAAM,SAAS,IAAI,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC;QAC1C,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,2CAA2C;QAC7C,CAAC;IACH,CAAC;IACD,QAAQ,CAAC,KAAK,EAAE,CAAC;IACjB,UAAU,CAAC,oBAAoB,EAAE,CAAC;IAClC,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QAC1C,UAAU,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC7D,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,oBAAqB,SAAQ,KAAK;CAAG;AAE3C,SAAS,YAAY,CAAC,GAAoB;IACxC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAa,EAAE,CAAC;QAC5B,IAAI,IAAI,GAAG,CAAC,CAAC;QACb,IAAI,OAAO,GAAG,KAAK,CAAC;QACpB,MAAM,MAAM,GAAG,CAAC,EAAc,EAAQ,EAAE;YACtC,IAAI,OAAO;gBAAE,OAAO;YACpB,OAAO,GAAG,IAAI,CAAC;YACf,EAAE,EAAE,CAAC;QACP,CAAC,CAAC;QAEF,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;YAC/B,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC;YACrB,IAAI,IAAI,GAAG,cAAc,EAAE,CAAC;gBAC1B,qEAAqE;gBACrE,oEAAoE;gBACpE,MAAM,CAAC,GAAG,EAAE,CACV,MAAM,CAAC,IAAI,oBAAoB,CAAC,wBAAwB,cAAc,QAAQ,CAAC,CAAC,CACjF,CAAC;gBACF,OAAO;YACT,CAAC;YACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;YACjB,MAAM,CAAC,GAAG,EAAE;gBACV,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBACnD,IAAI,CAAC,GAAG,EAAE,CAAC;oBACT,OAAO,CAAC,SAAS,CAAC,CAAC;oBACnB,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC;oBACH,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC3B,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,CAAC,IAAI,WAAW,CAAC,8BAA8B,CAAC,CAAC,CAAC;gBAC1D,CAAC;YACH,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,gBAAgB,CACvB,GAAmB,EACnB,MAAc,EACd,IAAY,EACZ,OAAe;IAEf,IAAI,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,aAAa,IAAI,GAAG,CAAC,SAAS;QAAE,OAAO;IAClE,GAAG,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;IAC9D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,WAAW,CAAC,KAAoC;IACvD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;IAC1C,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,IAAY;IAClC,wEAAwE;IACxE,OAAO,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,KAAK,IAAI,kCAAkC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACjG,CAAC;AAED,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,CAAC,aAAa,IAAI,EAAE,EAAE,aAAa,IAAI,EAAE,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AACrE,CAAC;AAED,SAAS,UAAU,CAAC,GAAY;IAC9B,OAAO,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;AAC1D,CAAC"}

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAGA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAqCpE,wBAAgB,mBAAmB,cAmBlC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAKA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAwEpE,wBAAgB,mBAAmB,IAAI,SAAS,CAU/C"}

package/dist/index.js

@@ -1,40 +1,72 @@
 #!/usr/bin/env node
+import { realpathSync } from "node:fs";
 import { createRequire } from "node:module";
+import { pathToFileURL } from "node:url";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { loadConfig } from "./config.js";
+import { parseHttpTransportConfig, startHttpTransport, } from "./http-transport.js";
 import { MetaClient } from "./services/meta-client.js";
 import { registerAll } from "./register-all.js";
+import { setupFatalErrorHandlers, setupShutdownHandlers } from "./shutdown.js";
+import { createMcpLogger } from "./utils/logger.js";
 const require = createRequire(import.meta.url);
 const { version: SERVER_VERSION } = require("../package.json");
-const server = new McpServer({
-    name: "meta-mcp",
-    version: SERVER_VERSION,
-});
-let config;
-try {
-    config = loadConfig();
-}
-catch (err) {
-    console.error(err instanceof Error ? err.message : String(err));
-    process.exit(1);
+const SERVER_INSTRUCTIONS = [
+    "Meta MCP server for managing Instagram and Threads via the Meta Graph API.",
+    "Instagram tools require INSTAGRAM_ACCESS_TOKEN and INSTAGRAM_USER_ID; Threads tools require THREADS_ACCESS_TOKEN and THREADS_USER_ID.",
+    "Token-rotation tools (meta_exchange_token, meta_refresh_token) additionally need META_APP_ID and META_APP_SECRET.",
+    "Most publishing tools follow a two-step flow internally: create a container, wait for processing (up to 30s for images, up to 5 minutes for videos), then publish — exposed as a single MCP tool call.",
+    "When the client sets a progressToken on a publish call, the server emits notifications/progress events while polling container status.",
+    "Tool responses include a _rateLimit field when the Meta API returns rate-limit headers; check it to throttle subsequent calls.",
+].join(" ");
+// Server is built before the client so the client can be handed a logger that
+// emits to the MCP `notifications/message` channel. `capabilities.logging`
+// must be declared or sendLoggingMessage is a silent no-op (#62).
+function buildServer(config) {
+    const server = new McpServer({
+        name: "meta-mcp",
+        version: SERVER_VERSION,
+    }, {
+        instructions: SERVER_INSTRUCTIONS,
+        capabilities: { logging: {} },
+    });
+    const client = new MetaClient(config, { logger: createMcpLogger(server, "meta-client") });
+    registerAll(server, client);
+    return server;
 }
-const client = new MetaClient(config);
-registerAll(server, client);
 async function main() {
-    const transport = new StdioServerTransport();
-    await server.connect(transport);
+    let config;
+    let httpConfig = null;
+    try {
+        config = loadConfig();
+        const kind = (process.env.MCP_TRANSPORT ?? "stdio").trim().toLowerCase();
+        if (kind === "http") {
+            httpConfig = parseHttpTransportConfig(process.env);
+        }
+        else if (kind !== "stdio") {
+            throw new Error(`MCP_TRANSPORT must be "stdio" or "http" (got "${kind}")`);
+        }
+    }
+    catch (err) {
+        console.error(err instanceof Error ? err.message : String(err));
+        process.exit(1);
+    }
+    if (httpConfig) {
+        const handle = await startHttpTransport({
+            ...httpConfig,
+            createServer: () => buildServer(config),
+        });
+        setupShutdownHandlers(handle);
+    }
+    else {
+        const server = buildServer(config);
+        await server.connect(new StdioServerTransport());
+        setupShutdownHandlers(server);
+    }
 }
-main().catch((err) => {
-    console.error("Fatal error:", err);
-    process.exit(1);
-});
 // ── Smithery Sandbox ──
 export function createSandboxServer() {
-    const sandbox = new McpServer({
-        name: "meta-mcp",
-        version: SERVER_VERSION,
-    });
     const mockConfig = {
         appId: "",
         appSecret: "",
@@ -43,8 +75,26 @@ export function createSandboxServer() {
         threadsAccessToken: "",
         threadsUserId: "",
     };
-    const mockClient = new MetaClient(mockConfig);
-    registerAll(sandbox, mockClient);
-    return sandbox;
+    return buildServer(mockConfig);
+}
+// Guard keeps `import { createSandboxServer }` and test imports side-effect-free —
+// without it, importing this module would always run main() and connect stdio.
+function isInvokedAsCli() {
+    const entry = process.argv[1];
+    if (!entry)
+        return false;
+    try {
+        return import.meta.url === pathToFileURL(realpathSync(entry)).href;
+    }
+    catch {
+        return false;
+    }
+}
+if (isInvokedAsCli()) {
+    setupFatalErrorHandlers();
+    main().catch((err) => {
+        console.error("Fatal error:", err);
+        process.exit(1);
+    });
 }
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAc,MAAM,aAAa,CAAC;AACrD,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAEhD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;AAEtF,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,cAAc;CACxB,CAAC,CAAC;AAEH,IAAI,MAAkB,CAAC;AACvB,IAAI,CAAC;IACH,MAAM,GAAG,UAAU,EAAE,CAAC;AACxB,CAAC;AAAC,OAAO,GAAG,EAAE,CAAC;IACb,OAAO,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AACD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAEtC,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAE5B,KAAK,UAAU,IAAI;IACjB,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;AAClC,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;IACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;IACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC;AAEH,yBAAyB;AAEzB,MAAM,UAAU,mBAAmB;IACjC,MAAM,OAAO,GAAG,IAAI,SAAS,CAAC;QAC5B,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,cAAc;KACxB,CAAC,CAAC;IAEH,MAAM,UAAU,GAAe;QAC7B,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,EAAE;QACb,oBAAoB,EAAE,EAAE;QACxB,eAAe,EAAE,EAAE;QACnB,kBAAkB,EAAE,EAAE;QACtB,aAAa,EAAE,EAAE;KAClB,CAAC;IACF,MAAM,UAAU,GAAG,IAAI,UAAU,CAAC,UAAU,CAAC,CAAC;IAE9C,WAAW,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAEjC,OAAO,OAAO,CAAC;AACjB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,UAAU,EAAc,MAAM,aAAa,CAAC;AACrD,OAAO,EAEL,wBAAwB,EACxB,kBAAkB,GACnB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,uBAAuB,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAC/E,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AAEpD,MAAM,OAAO,GAAG,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAC/C,MAAM,EAAE,OAAO,EAAE,cAAc,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAwB,CAAC;AAEtF,MAAM,mBAAmB,GAAG;IAC1B,4EAA4E;IAC5E,uIAAuI;IACvI,mHAAmH;IACnH,wMAAwM;IACxM,wIAAwI;IACxI,gIAAgI;CACjI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;AAEZ,8EAA8E;AAC9E,2EAA2E;AAC3E,kEAAkE;AAClE,SAAS,WAAW,CAAC,MAAkB;IACrC,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;QAC3B,IAAI,EAAE,UAAU;QAChB,OAAO,EAAE,cAAc;KACxB,EAAE;QACD,YAAY,EAAE,mBAAmB;QACjC,YAAY,EAAE,EAAE,OAAO,EAAE,EAAE,EAAE;KAC9B,CAAC,CAAC;IACH,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,MAAM,EAAE,EAAE,MAAM,EAAE,eAAe,CAAC,MAAM,EAAE,aAAa,CAAC,EAAE,CAAC,CAAC;IAC1F,WAAW,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC5B,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,IAAI,MAAkB,CAAC;IACvB,IAAI,UAAU,GAA+B,IAAI,CAAC;IAClD,IAAI,CAAC;QACH,MAAM,GAAG,UAAU,EAAE,CAAC;QACtB,MAAM,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,aAAa,IAAI,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACzE,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;YACpB,UAAU,GAAG,wBAAwB,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACrD,CAAC;aAAM,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,iDAAiD,IAAI,IAAI,CAAC,CAAC;QAC7E,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC;YACtC,GAAG,UAAU;YACb,YAAY,EAAE,GAAG,EAAE,CAAC,WAAW,CAAC,MAAM,CAAC;SACxC,CAAC,CAAC;QACH,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;QACnC,MAAM,MAAM,CAAC,OAAO,CAAC,IAAI,oBAAoB,EAAE,CAAC,CAAC;QACjD,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAChC,CAAC;AACH,CAAC;AAED,yBAAyB;AAEzB,MAAM,UAAU,mBAAmB;IACjC,MAAM,UAAU,GAAe;QAC7B,KAAK,EAAE,EAAE;QACT,SAAS,EAAE,EAAE;QACb,oBAAoB,EAAE,EAAE;QACxB,eAAe,EAAE,EAAE;QACnB,kBAAkB,EAAE,EAAE;QACtB,aAAa,EAAE,EAAE;KAClB,CAAC;IACF,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC;AACjC,CAAC;AAED,mFAAmF;AACnF,+EAA+E;AAC/E,SAAS,cAAc;IACrB,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK;QAAE,OAAO,KAAK,CAAC;IACzB,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,aAAa,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;IACrE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,IAAI,cAAc,EAAE,EAAE,CAAC;IACrB,uBAAuB,EAAE,CAAC;IAC1B,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACnB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,GAAG,CAAC,CAAC;QACnC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/prompts/index.d.ts

@@ -1,3 +1,59 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { z } from "zod";
+/**
+ * Tool names referenced by prompts. Cross-checked against the registered tool
+ * list in `src/prompts/index.test.ts` — if any tool is renamed/removed/split,
+ * the test fails and forces both the registration site and the prompt to
+ * update together. `ig_publish_video` is deliberately omitted: it's deprecated
+ * (CHANGELOG v4.0.0 / #118) and the prompt steers callers to
+ * `ig_publish_reel` for video content instead.
+ */
+export declare const PROMPT_TOOL_NAMES: {
+    readonly IG_PUBLISH_PHOTO: "ig_publish_photo";
+    readonly IG_PUBLISH_REEL: "ig_publish_reel";
+    readonly IG_PUBLISH_CAROUSEL: "ig_publish_carousel";
+    readonly THREADS_PUBLISH_TEXT: "threads_publish_text";
+    readonly THREADS_PUBLISH_IMAGE: "threads_publish_image";
+    readonly THREADS_PUBLISH_VIDEO: "threads_publish_video";
+    readonly THREADS_PUBLISH_CAROUSEL: "threads_publish_carousel";
+    readonly IG_GET_PROFILE: "ig_get_profile";
+    readonly IG_GET_ACCOUNT_INSIGHTS: "ig_get_account_insights";
+    readonly IG_GET_MEDIA_LIST: "ig_get_media_list";
+    readonly THREADS_GET_PROFILE: "threads_get_profile";
+    readonly THREADS_GET_USER_INSIGHTS: "threads_get_user_insights";
+    readonly THREADS_GET_POSTS: "threads_get_posts";
+};
+export declare const contentPublishArgsSchema: {
+    platform: z.ZodOptional<z.ZodEnum<{
+        instagram: "instagram";
+        threads: "threads";
+        both: "both";
+    }>>;
+    content_type: z.ZodOptional<z.ZodEnum<{
+        text: "text";
+        image: "image";
+        video: "video";
+        carousel: "carousel";
+    }>>;
+    media_url: z.ZodOptional<z.ZodString>;
+    caption: z.ZodOptional<z.ZodString>;
+};
+export declare const analyticsReportArgsSchema: {
+    platform: z.ZodOptional<z.ZodEnum<{
+        instagram: "instagram";
+        threads: "threads";
+        both: "both";
+    }>>;
+    time_range: z.ZodOptional<z.ZodEnum<{
+        "7d": "7d";
+        "30d": "30d";
+        "90d": "90d";
+    }>>;
+    focus: z.ZodOptional<z.ZodEnum<{
+        content: "content";
+        engagement: "engagement";
+        growth: "growth";
+    }>>;
+};
 export declare function registerPrompts(server: McpServer): void;
 //# sourceMappingURL=index.d.ts.map

package/dist/prompts/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AAEpE,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,QAuEhD"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/prompts/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;CAcpB,CAAC;AAEX,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;CAkBpC,CAAC;AAEF,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;CAerC,CAAC;AAsQF,wBAAgB,eAAe,CAAC,MAAM,EAAE,SAAS,QAwChD"}