@expanse-ade/mcp 0.9.0

package/dist/index.js

@@ -0,0 +1,1028 @@
+// src/server/mcpHttp.ts
+import { createServer } from "http";
+import express from "express";
+import { requireBearerAuth } from "@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js";
+
+// src/constants.ts
+var MCP_PATH = "/mcp";
+var HEADER_SESSION_ID = "mcp-session-id";
+var TOOL_PING = "ping";
+var TOOL_ORCHESTRATOR_PING = "orchestrator_ping";
+var TOOL_SPAWN_BOARD = "spawn_board";
+var TOOL_CLOSE_BOARD = "close_board";
+var TOOL_CONFIGURE_BOARD = "configure_board";
+var TOOL_HANDOFF_PROMPT = "handoff_prompt";
+var TOOL_ASSIGN_PROMPT = "assign_prompt";
+var TOOL_INTERRUPT = "interrupt";
+var TOOL_RELAY_PROMPT = "relay_prompt";
+var TOOL_WRITE_RESULT = "write_result";
+var SPAWNABLE_BOARD_TYPES = ["terminal", "browser", "planning"];
+var MAX_OUTPUT_PAGE = 25e3;
+var TOOL_WAIT_FOR_IDLE = "wait_for_idle";
+var TOOL_WAIT_FOR_ALL = "wait_for_all";
+var DEFAULT_BARRIER_TIMEOUT_MS = 30 * 6e4;
+
+// src/auth/verifier.ts
+import { InvalidTokenError } from "@modelcontextprotocol/sdk/server/auth/errors.js";
+function createVerifier(store) {
+  return {
+    async verifyAccessToken(token) {
+      const row = store.get(token);
+      if (!row) throw new InvalidTokenError("Unknown or revoked token");
+      return {
+        token,
+        clientId: row.boardId,
+        scopes: row.scopes,
+        expiresAt: row.expiresAt,
+        extra: { tier: row.tier, boardId: row.boardId }
+      };
+    }
+  };
+}
+
+// src/security/origin.ts
+function originGuard(getAllowed) {
+  return (req, res, next) => {
+    const origin = req.headers.origin;
+    if (origin === void 0) {
+      next();
+      return;
+    }
+    if (getAllowed().includes(origin)) {
+      next();
+      return;
+    }
+    res.status(403).json({ error: "forbidden_origin" });
+  };
+}
+
+// src/security/host.ts
+import { isIP } from "net";
+var LOOPBACK_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1", "::1", "0:0:0:0:0:0:0:1"]);
+function parseHostname(host) {
+  const h = host.trim();
+  if (h.startsWith("[")) {
+    const end = h.indexOf("]");
+    return end === -1 ? h.slice(1) : h.slice(1, end);
+  }
+  if ((h.match(/:/g)?.length ?? 0) > 1) return h;
+  const idx = h.indexOf(":");
+  return idx === -1 ? h : h.slice(0, idx);
+}
+function isLoopbackHost(host) {
+  if (host === "") return false;
+  const h = parseHostname(host).toLowerCase();
+  if (LOOPBACK_HOSTS.has(h)) return true;
+  if (isIP(h) === 4 && h.startsWith("127.")) return true;
+  return false;
+}
+function hostGuard() {
+  return (req, res, next) => {
+    const host = req.headers.host;
+    if (host !== void 0 && isLoopbackHost(host)) {
+      next();
+      return;
+    }
+    res.status(403).json({ error: "forbidden_host" });
+  };
+}
+
+// src/server/factory.ts
+import { McpServer as McpServer5 } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+// package.json
+var package_default = {
+  name: "@expanse-ade/mcp",
+  version: "0.9.0",
+  packageManager: "pnpm@9.15.9",
+  description: "MCP server layer for Canvas ADE \xE2\u20AC\u201D lets AI agents in Terminal boards orchestrate the canvas (command board / swarm).",
+  type: "module",
+  repository: {
+    type: "git",
+    url: "git+https://github.com/ch923dev/canvas-ade-mcp.git"
+  },
+  publishConfig: {
+    access: "public"
+  },
+  main: "./dist/index.js",
+  types: "./dist/index.d.ts",
+  exports: {
+    ".": {
+      types: "./dist/index.d.ts",
+      import: "./dist/index.js"
+    }
+  },
+  files: [
+    "dist"
+  ],
+  engines: {
+    node: ">=20"
+  },
+  scripts: {
+    build: "tsup",
+    typecheck: "tsc --noEmit",
+    test: "vitest run --project contract",
+    "test:live": "vitest run --project live",
+    lint: "eslint .",
+    format: "prettier --write .",
+    "format:check": "prettier --check ."
+  },
+  license: "MIT",
+  dependencies: {
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    express: "^5.2.1",
+    zod: "^4.4.3"
+  },
+  devDependencies: {
+    "@eslint/js": "^10.0.1",
+    "@modelcontextprotocol/inspector": "^0.21.2",
+    "@types/express": "^5.0.6",
+    "@types/node": "^25.9.1",
+    eslint: "^10.4.1",
+    "eslint-config-prettier": "^10.1.8",
+    prettier: "^3.8.3",
+    tsup: "^8.5.1",
+    typescript: "^6.0.3",
+    "typescript-eslint": "^8.60.0",
+    vitest: "^4.1.7"
+  }
+};
+
+// src/resources/boards.ts
+import { ResourceTemplate as ResourceTemplate4 } from "@modelcontextprotocol/sdk/server/mcp.js";
+
+// src/resources/boardStates.ts
+function groupBoardsByStatus(boards) {
+  const grouped = {};
+  for (const b of boards) {
+    ;
+    (grouped[b.status] ??= []).push(b.id);
+  }
+  return grouped;
+}
+function registerBoardStatesResource(server, orchestrator) {
+  server.registerResource(
+    "board-states",
+    "canvas://board-states",
+    {
+      description: "Boards on the canvas grouped by status bucket ({ bucket: boardId[] }).",
+      mimeType: "application/json"
+    },
+    async (uri) => ({
+      contents: [
+        {
+          uri: uri.href,
+          text: JSON.stringify(groupBoardsByStatus(await orchestrator.listBoards()))
+        }
+      ]
+    })
+  );
+}
+
+// src/resources/attention.ts
+var ATTENTION_URI = "canvas://attention";
+var ATTENTION_BUCKETS = /* @__PURE__ */ new Set([
+  "blocked",
+  "awaiting-review",
+  "failed"
+]);
+function selectAttention(boards) {
+  return boards.filter((b) => ATTENTION_BUCKETS.has(b.status));
+}
+function registerAttentionResource(server, orchestrator) {
+  server.registerResource(
+    "attention",
+    ATTENTION_URI,
+    {
+      description: "Boards needing a human (blocked / awaiting-review / failed).",
+      mimeType: "application/json"
+    },
+    async (uri) => ({
+      contents: [
+        { uri: uri.href, text: JSON.stringify(selectAttention(await orchestrator.listBoards())) }
+      ]
+    })
+  );
+}
+
+// src/resources/output.ts
+import { ResourceTemplate } from "@modelcontextprotocol/sdk/server/mcp.js";
+function first(v) {
+  return Array.isArray(v) ? v[0] : v;
+}
+async function readPage(orchestrator, uriHref, variables) {
+  const id = first(variables.id);
+  if (!id) throw new Error("canvas://board/{id}/output: missing board id");
+  const rawCursor = first(variables.cursor);
+  let opts;
+  if (rawCursor !== void 0) {
+    const cursor = Number(rawCursor);
+    if (!Number.isInteger(cursor) || cursor < 0) {
+      throw new Error(`canvas://board/${id}/output: invalid cursor "${rawCursor}"`);
+    }
+    opts = { cursor };
+  }
+  const out = await orchestrator.boardOutput(id, opts);
+  let page = out;
+  if (out.text.length > MAX_OUTPUT_PAGE) {
+    const text = out.text.slice(-MAX_OUTPUT_PAGE);
+    page = {
+      ...out,
+      text,
+      returned: text.length,
+      nextCursor: (opts?.cursor ?? 0) + text.length
+    };
+  }
+  return { contents: [{ uri: uriHref, text: JSON.stringify(page) }] };
+}
+function registerBoardOutputResource(server, orchestrator) {
+  const meta = {
+    description: "A capped, paginated, ANSI-stripped page of a board's recent output (tail-anchored; pass nextCursor as ?cursor for older).",
+    mimeType: "application/json"
+  };
+  server.registerResource(
+    "board-output",
+    new ResourceTemplate("canvas://board/{id}/output", { list: void 0 }),
+    meta,
+    (uri, variables) => readPage(orchestrator, uri.href, variables)
+  );
+  server.registerResource(
+    "board-output-paged",
+    new ResourceTemplate("canvas://board/{id}/output{?cursor}", { list: void 0 }),
+    meta,
+    (uri, variables) => readPage(orchestrator, uri.href, variables)
+  );
+}
+
+// src/resources/result.ts
+import { ResourceTemplate as ResourceTemplate2 } from "@modelcontextprotocol/sdk/server/mcp.js";
+function registerBoardResultResource(server, orchestrator) {
+  server.registerResource(
+    "board-result",
+    new ResourceTemplate2("canvas://board/{id}/result", { list: void 0 }),
+    {
+      description: "A board's structured last result (verdict + summary + references, not raw logs). Empty shell until a result is recorded.",
+      mimeType: "application/json"
+    },
+    async (uri, variables) => {
+      const id = Array.isArray(variables.id) ? variables.id[0] : variables.id;
+      if (!id) throw new Error("canvas://board/{id}/result: missing board id");
+      const result = await orchestrator.boardResult(id);
+      return { contents: [{ uri: uri.href, text: JSON.stringify(result) }] };
+    }
+  );
+}
+
+// src/resources/memory.ts
+import { ResourceTemplate as ResourceTemplate3 } from "@modelcontextprotocol/sdk/server/mcp.js";
+function registerMemoryResources(server, orchestrator) {
+  server.registerResource(
+    "memory",
+    "canvas://memory",
+    {
+      description: "Project memory index (passive context). Empty shell when no memory exists.",
+      mimeType: "application/json"
+    },
+    async (uri) => ({
+      contents: [{ uri: uri.href, text: JSON.stringify(await orchestrator.projectMemory()) }]
+    })
+  );
+  server.registerResource(
+    "board-summary",
+    new ResourceTemplate3("canvas://board/{id}/summary", { list: void 0 }),
+    {
+      description: "A board's memory summary (passive context). Empty shell when none exists.",
+      mimeType: "application/json"
+    },
+    async (uri, variables) => {
+      const id = Array.isArray(variables.id) ? variables.id[0] : variables.id;
+      if (!id) throw new Error("canvas://board/{id}/summary: missing board id");
+      return { contents: [{ uri: uri.href, text: JSON.stringify(await orchestrator.boardSummary(id)) }] };
+    }
+  );
+}
+
+// src/resources/boards.ts
+function registerBoardResources(server, orchestrator) {
+  server.registerResource(
+    "boards",
+    "canvas://boards",
+    { description: "List of boards currently on the canvas.", mimeType: "application/json" },
+    async (uri) => ({
+      contents: [{ uri: uri.href, text: JSON.stringify(await orchestrator.listBoards()) }]
+    })
+  );
+  server.registerResource(
+    "board-status",
+    new ResourceTemplate4("canvas://board/{id}/status", { list: void 0 }),
+    {
+      description: "A single board's coarse status bucket (idle/running/awaiting-review/blocked/failed/static).",
+      mimeType: "application/json"
+    },
+    async (uri, variables) => {
+      const id = Array.isArray(variables.id) ? variables.id[0] : variables.id;
+      if (!id) throw new Error("canvas://board/{id}/status: missing board id");
+      const status = await orchestrator.boardStatus(id);
+      return { contents: [{ uri: uri.href, text: JSON.stringify({ id, status }) }] };
+    }
+  );
+  registerBoardStatesResource(server, orchestrator);
+  registerAttentionResource(server, orchestrator);
+  registerBoardOutputResource(server, orchestrator);
+  registerBoardResultResource(server, orchestrator);
+  registerMemoryResources(server, orchestrator);
+}
+
+// src/prompts/index.ts
+function registerPrompts(_server) {
+}
+
+// src/server/tools/spawnBoard.ts
+import { z } from "zod";
+function registerSpawnBoard(server, orchestrator) {
+  server.registerTool(
+    TOOL_SPAWN_BOARD,
+    {
+      description: "Create a new board on the canvas. type is one of terminal | browser | planning. Optional prompt (terminal launch command / agent task) and cwd (working directory). Returns the new board id. Subject to a concurrency cap.",
+      inputSchema: {
+        type: z.enum(SPAWNABLE_BOARD_TYPES),
+        prompt: z.string().optional(),
+        cwd: z.string().optional()
+      }
+    },
+    async (args) => {
+      const { id } = await orchestrator.spawnBoard({
+        type: args.type,
+        prompt: args.prompt,
+        cwd: args.cwd
+      });
+      return { content: [{ type: "text", text: id }] };
+    }
+  );
+}
+
+// src/server/tools/closeBoard.ts
+import { z as z2 } from "zod";
+function registerCloseBoard(server, orchestrator) {
+  server.registerTool(
+    TOOL_CLOSE_BOARD,
+    {
+      description: "Close a board by id (graceful PTY drain, then removed from the canvas). Idempotent \u2014 closing an already-gone board succeeds.",
+      inputSchema: { id: z2.string().min(1) }
+    },
+    async (args) => {
+      await orchestrator.closeBoard(args.id);
+      return { content: [{ type: "text", text: `closed ${args.id}` }] };
+    }
+  );
+}
+
+// src/server/tools/configureBoard.ts
+import { z as z3 } from "zod";
+function registerConfigureBoard(server, orchestrator) {
+  server.registerTool(
+    TOOL_CONFIGURE_BOARD,
+    {
+      description: "Change a board config by id. At least one of shell | launchCommand | cwd is required. Applies to the board type that owns the key (shell/launchCommand/cwd are terminal config).",
+      inputSchema: {
+        id: z3.string().min(1),
+        shell: z3.string().optional(),
+        launchCommand: z3.string().optional(),
+        cwd: z3.string().optional()
+      }
+    },
+    async (args) => {
+      const config = {};
+      if (args.shell !== void 0) config.shell = args.shell;
+      if (args.launchCommand !== void 0) config.launchCommand = args.launchCommand;
+      if (args.cwd !== void 0) config.cwd = args.cwd;
+      if (Object.keys(config).length === 0) {
+        return {
+          isError: true,
+          content: [
+            { type: "text", text: "configure_board: at least one of shell/launchCommand/cwd required" }
+          ]
+        };
+      }
+      await orchestrator.configureBoard(args.id, config);
+      return { content: [{ type: "text", text: `configured ${args.id}` }] };
+    }
+  );
+}
+
+// src/server/tools/handoffPrompt.ts
+import { z as z5 } from "zod";
+
+// src/server/tools/promptSchema.ts
+import { z as z4 } from "zod";
+function hasControlChar(s) {
+  for (let i = 0; i < s.length; i++) {
+    const c = s.charCodeAt(i);
+    if (c === 9) continue;
+    if (c < 32 || c === 127) return true;
+  }
+  return false;
+}
+var dispatchPromptSchema = z4.string().min(1).refine((s) => !hasControlChar(s), {
+  message: "prompt must not contain control characters (CR/LF/C0/DEL)"
+});
+
+// src/server/tools/handoffPrompt.ts
+function registerHandoffPrompt(server, orchestrator) {
+  server.registerTool(
+    TOOL_HANDOFF_PROMPT,
+    {
+      description: "Hand off a prompt to a target terminal board by id: write it into that board and block until the board goes idle, then return its structured last result. Terminal targets only; requires human confirmation. boardId + prompt are required.",
+      inputSchema: {
+        boardId: z5.string().min(1),
+        prompt: dispatchPromptSchema
+      }
+    },
+    async (args) => {
+      const result = await orchestrator.handoffPrompt(args.boardId, args.prompt);
+      return { content: [{ type: "text", text: JSON.stringify(result) }] };
+    }
+  );
+}
+
+// src/server/tools/assignPrompt.ts
+import { z as z6 } from "zod";
+function registerAssignPrompt(server, orchestrator) {
+  server.registerTool(
+    TOOL_ASSIGN_PROMPT,
+    {
+      description: "Assign a prompt to a target terminal board by id: write it into that board and return immediately (fire-and-forget \u2014 no waiting for the board to finish). Terminal targets only; requires human confirmation. boardId + prompt are required.",
+      inputSchema: {
+        boardId: z6.string().min(1),
+        prompt: dispatchPromptSchema
+      }
+    },
+    async (args) => {
+      await orchestrator.dispatchPrompt(args.boardId, args.prompt);
+      return { content: [{ type: "text", text: `assigned prompt to ${args.boardId}` }] };
+    }
+  );
+}
+
+// src/server/tools/writeResult.ts
+import { z as z7 } from "zod";
+function registerWriteResult(server, orchestrator, ctx) {
+  server.registerTool(
+    TOOL_WRITE_RESULT,
+    {
+      description: "Record THIS board's structured last result (status / summary / references). All fields optional. Writes only the calling board (no target id is accepted).",
+      inputSchema: {
+        status: z7.string().optional(),
+        summary: z7.string().optional(),
+        refs: z7.array(z7.string()).optional()
+      }
+    },
+    async (args) => {
+      if (!ctx.boardId) {
+        return {
+          isError: true,
+          content: [{ type: "text", text: "write_result: no board bound to this session" }]
+        };
+      }
+      await orchestrator.writeResult(ctx.boardId, {
+        status: args.status,
+        summary: args.summary,
+        refs: args.refs
+      });
+      return { content: [{ type: "text", text: "result recorded" }] };
+    }
+  );
+}
+
+// src/server/tools/interrupt.ts
+import { z as z8 } from "zod";
+function registerInterrupt(server, orchestrator) {
+  server.registerTool(
+    TOOL_INTERRUPT,
+    {
+      description: "Interrupt a target terminal board by id: send Ctrl-C to stop its running command. Terminal targets only; requires human confirmation. boardId is required.",
+      inputSchema: {
+        boardId: z8.string().min(1)
+      }
+    },
+    async (args) => {
+      await orchestrator.interrupt(args.boardId);
+      return { content: [{ type: "text", text: `interrupted ${args.boardId}` }] };
+    }
+  );
+}
+
+// src/server/tools/relayPrompt.ts
+import { z as z9 } from "zod";
+function registerRelayPrompt(server, orchestrator, ctx, commandBoardId) {
+  server.registerTool(
+    TOOL_RELAY_PROMPT,
+    {
+      description: "Relay a prompt from one terminal board to another along an orchestration connector (sourceId \u2192 targetId): the cable must already exist and both boards must be terminals. Requires human confirmation. sourceId, targetId, prompt required.",
+      inputSchema: {
+        sourceId: z9.string().min(1),
+        targetId: z9.string().min(1),
+        prompt: dispatchPromptSchema
+      }
+    },
+    async (args) => {
+      if (commandBoardId !== void 0 && ctx.boardId !== commandBoardId) {
+        return {
+          isError: true,
+          content: [
+            { type: "text", text: "relay_prompt: caller is not the designated command orchestrator" }
+          ]
+        };
+      }
+      await orchestrator.relayPrompt(args.sourceId, args.targetId, args.prompt);
+      return { content: [{ type: "text", text: `relayed ${args.sourceId} \u2192 ${args.targetId}` }] };
+    }
+  );
+}
+
+// src/server/tools/barriers.ts
+import { z as z10 } from "zod";
+
+// src/server/barrierWaiter.ts
+var isSettled = (status) => status !== "running";
+function waitForBoards(opts) {
+  const { orchestrator, targets, timeoutMs } = opts;
+  const order = targets.slice();
+  const pending = new Set(targets);
+  const settled = /* @__PURE__ */ new Map();
+  let done = false;
+  let unsub = () => {
+  };
+  let timer;
+  let resolveFn;
+  const promise = new Promise((resolve) => {
+    resolveFn = resolve;
+  });
+  const finish = (fillStatus) => {
+    if (done) return;
+    done = true;
+    unsub();
+    if (timer) clearTimeout(timer);
+    resolveFn(order.map((id) => settled.get(id) ?? { id, status: fillStatus }));
+  };
+  const recordSettle = async (id, status) => {
+    if (done || !pending.has(id)) return;
+    let entry = { id, status };
+    if (status === "idle") {
+      const r = await orchestrator.boardResult(id);
+      if (r.present) entry = { id, status, result: r };
+    }
+    if (done || !pending.has(id)) return;
+    settled.set(id, entry);
+    pending.delete(id);
+    if (pending.size === 0) finish("timed-out");
+  };
+  unsub = orchestrator.subscribeStatus((change) => {
+    if (isSettled(change.status)) void recordSettle(change.id, change.status);
+  });
+  void (async () => {
+    const boards = await orchestrator.listBoards();
+    if (done) return;
+    const current = new Map(boards.map((b) => [b.id, b.status]));
+    for (const id of order) {
+      if (done) return;
+      const st = current.get(id);
+      if (st === void 0) await recordSettle(id, "gone");
+      else if (isSettled(st)) await recordSettle(id, st);
+    }
+  })();
+  if (Number.isFinite(timeoutMs) && timeoutMs > 0) {
+    timer = setTimeout(() => finish("timed-out"), timeoutMs);
+    timer.unref?.();
+  }
+  return { promise, cancel: () => finish("gone") };
+}
+
+// src/server/tools/barriers.ts
+function resolveBarrierTimeout(arg) {
+  if (arg !== void 0) return arg;
+  const env = process.env.CANVAS_ADE_BARRIER_TIMEOUT_MS;
+  if (env !== void 0) {
+    const n = Number(env);
+    if (Number.isFinite(n) && n > 0) return n;
+  }
+  return DEFAULT_BARRIER_TIMEOUT_MS;
+}
+function registerBarrierTools(server, orchestrator) {
+  const active = /* @__PURE__ */ new Set();
+  const run = async (targets, timeoutMs) => {
+    const handle = waitForBoards({ orchestrator, targets, timeoutMs });
+    active.add(handle.cancel);
+    try {
+      return await handle.promise;
+    } finally {
+      active.delete(handle.cancel);
+    }
+  };
+  server.registerTool(
+    TOOL_WAIT_FOR_IDLE,
+    {
+      description: "Block until a target board leaves the running state, then report how it settled (idle/awaiting-review/blocked/failed/static/gone, or timed-out). Returns the board id + status (+ the board's last write_result when idle). boardId is required; optional timeoutMs (omit for the default backstop; <=0 to wait indefinitely).",
+      inputSchema: {
+        boardId: z10.string().min(1),
+        timeoutMs: z10.number().optional()
+      }
+    },
+    async (args) => {
+      const results = await run([args.boardId], resolveBarrierTimeout(args.timeoutMs));
+      const r = results[0] ?? { id: args.boardId, status: "timed-out" };
+      return { content: [{ type: "text", text: JSON.stringify(r) }] };
+    }
+  );
+  server.registerTool(
+    TOOL_WAIT_FOR_ALL,
+    {
+      description: "Block until EVERY target board has left the running state, then report each one (same statuses as wait_for_idle) plus allIdle (true when every target settled to idle). boardIds is a non-empty array; optional timeoutMs (omit for the default backstop; <=0 to wait indefinitely).",
+      inputSchema: {
+        boardIds: z10.array(z10.string().min(1)).min(1),
+        timeoutMs: z10.number().optional()
+      }
+    },
+    async (args) => {
+      const boards = await run(args.boardIds, resolveBarrierTimeout(args.timeoutMs));
+      const allIdle = boards.every((b) => b.status === "idle");
+      return { content: [{ type: "text", text: JSON.stringify({ boards, allIdle }) }] };
+    }
+  );
+  return () => {
+    for (const cancel of active) cancel();
+  };
+}
+
+// src/server/resourceSubscriptions.ts
+import {
+  SubscribeRequestSchema,
+  UnsubscribeRequestSchema
+} from "@modelcontextprotocol/sdk/types.js";
+function installResourceSubscriptions(server) {
+  const uris = /* @__PURE__ */ new Set();
+  server.server.registerCapabilities({ resources: { subscribe: true } });
+  server.server.setRequestHandler(SubscribeRequestSchema, async (req) => {
+    uris.add(req.params.uri);
+    return {};
+  });
+  server.server.setRequestHandler(UnsubscribeRequestSchema, async (req) => {
+    uris.delete(req.params.uri);
+    return {};
+  });
+  return { isSubscribed: (uri) => uris.has(uri) };
+}
+
+// src/server/attentionNotifier.ts
+function createAttentionNotifier(deps) {
+  const { server, orchestrator, isSubscribed } = deps;
+  const inAttention = /* @__PURE__ */ new Set();
+  const unsub = orchestrator.subscribeStatus((change) => {
+    const nowAttn = ATTENTION_BUCKETS.has(change.status);
+    const wasAttn = inAttention.has(change.id);
+    if (nowAttn === wasAttn) return;
+    if (nowAttn) inAttention.add(change.id);
+    else inAttention.delete(change.id);
+    if (!isSubscribed(ATTENTION_URI)) return;
+    try {
+      server.server.sendResourceUpdated({ uri: ATTENTION_URI });
+    } catch {
+    }
+  });
+  return { dispose: unsub };
+}
+
+// src/server/factory.ts
+var SERVER_INFO = { name: "canvas-ade-mcp", version: package_default.version };
+var ServerFactory = class {
+  /**
+   * @param commandBoardId Optional single command-orchestrator board id (BUG-021). When set,
+   *   `relay_prompt` is restricted to that token-bound identity so a second orchestrator-tier
+   *   token can't drive cables it doesn't own. Left undefined → relay open to any orchestrator
+   *   (the prior single-token behaviour).
+   */
+  constructor(orchestrator, commandBoardId) {
+    this.orchestrator = orchestrator;
+    this.commandBoardId = commandBoardId;
+  }
+  orchestrator;
+  commandBoardId;
+  getServer(ctx) {
+    const server = new McpServer5(SERVER_INFO);
+    const disposers = [];
+    server.registerTool(TOOL_PING, { description: 'Health check. Returns "pong".' }, async () => ({
+      content: [{ type: "text", text: "pong" }]
+    }));
+    if (ctx.tier === "orchestrator") {
+      server.registerTool(
+        TOOL_ORCHESTRATOR_PING,
+        { description: 'Orchestrator-only health check. Returns "orchestrator-pong".' },
+        async () => ({ content: [{ type: "text", text: "orchestrator-pong" }] })
+      );
+      registerSpawnBoard(server, this.orchestrator);
+      registerCloseBoard(server, this.orchestrator);
+      registerConfigureBoard(server, this.orchestrator);
+      registerHandoffPrompt(server, this.orchestrator);
+      registerAssignPrompt(server, this.orchestrator);
+      registerInterrupt(server, this.orchestrator);
+      registerRelayPrompt(server, this.orchestrator, ctx, this.commandBoardId);
+      disposers.push(registerBarrierTools(server, this.orchestrator));
+    }
+    registerWriteResult(server, this.orchestrator, ctx);
+    registerBoardResources(server, this.orchestrator);
+    registerPrompts(server);
+    const subs = installResourceSubscriptions(server);
+    const notifier = createAttentionNotifier({
+      server,
+      orchestrator: this.orchestrator,
+      isSubscribed: subs.isSubscribed
+    });
+    disposers.push(() => notifier.dispose());
+    return {
+      server,
+      dispose: () => {
+        for (const d of disposers) d();
+      }
+    };
+  }
+};
+
+// src/server/transport.ts
+import { randomUUID } from "crypto";
+import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
+import { isInitializeRequest } from "@modelcontextprotocol/sdk/types.js";
+function rpcError(code, message) {
+  return { jsonrpc: "2.0", error: { code, message }, id: null };
+}
+var SessionManager = class {
+  constructor(factory) {
+    this.factory = factory;
+  }
+  factory;
+  transports = /* @__PURE__ */ new Map();
+  /** Per-session teardown (M5 notifier unsubscribe + in-flight barrier cancel). */
+  disposers = /* @__PURE__ */ new Map();
+  /** POST /mcp: reuse an existing session, or open a new one on initialize. */
+  async handlePost(req, res, ctx) {
+    const sid = req.header(HEADER_SESSION_ID);
+    if (sid !== void 0) {
+      const existing = this.transports.get(sid);
+      if (!existing) {
+        res.status(404).json(rpcError(-32001, "Session not found"));
+        return;
+      }
+      await existing.handleRequest(req, res, req.body);
+      return;
+    }
+    if (!isInitializeRequest(req.body)) {
+      res.status(400).json(rpcError(-32e3, "Bad Request: no session ID and not an initialize request"));
+      return;
+    }
+    const { server, dispose } = this.factory.getServer(ctx);
+    const transport = new StreamableHTTPServerTransport({
+      sessionIdGenerator: () => randomUUID(),
+      onsessioninitialized: (id) => {
+        this.transports.set(id, transport);
+        this.disposers.set(id, dispose);
+      }
+    });
+    transport.onclose = () => {
+      const id = transport.sessionId;
+      if (id !== void 0) {
+        this.transports.delete(id);
+        this.disposers.get(id)?.();
+        this.disposers.delete(id);
+      }
+    };
+    await server.connect(transport);
+    await transport.handleRequest(req, res, req.body);
+  }
+  /** GET (SSE) and DELETE /mcp: route to the named session. */
+  async handleSession(req, res) {
+    const sid = req.header(HEADER_SESSION_ID);
+    if (sid === void 0) {
+      res.status(400).json(rpcError(-32e3, "Missing session ID"));
+      return;
+    }
+    const transport = this.transports.get(sid);
+    if (!transport) {
+      res.status(404).json(rpcError(-32001, "Session not found"));
+      return;
+    }
+    await transport.handleRequest(req, res);
+  }
+  /**
+   * Tear down every live session (called on app quit). Uses `allSettled` so one
+   * transport whose `close()` rejects can't short-circuit the loop and leak the
+   * remaining sessions; the map is always cleared.
+   */
+  async closeAll() {
+    try {
+      await Promise.allSettled([...this.transports.values()].map((t) => t.close()));
+    } finally {
+      for (const dispose of this.disposers.values()) {
+        try {
+          dispose();
+        } catch {
+        }
+      }
+      this.disposers.clear();
+      this.transports.clear();
+    }
+  }
+};
+
+// src/server/mcpHttp.ts
+function ctxFromAuth(auth) {
+  const extra = auth?.extra ?? {};
+  const tier = extra.tier === "orchestrator" ? "orchestrator" : "worker";
+  const boardId = typeof extra.boardId === "string" ? extra.boardId : "";
+  return { tier, scopes: auth?.scopes ?? [], boardId };
+}
+async function createMcpHttpServer(deps) {
+  const app = express();
+  app.use(hostGuard());
+  let allowedOrigins = [];
+  app.use(originGuard(() => allowedOrigins));
+  const verifier = createVerifier(deps.tokens);
+  app.use(MCP_PATH, requireBearerAuth({ verifier }));
+  app.use(MCP_PATH, express.json({ limit: "1mb" }));
+  const sessions = new SessionManager(new ServerFactory(deps.orchestrator, deps.commandBoardId));
+  app.post(MCP_PATH, (req, res, next) => {
+    sessions.handlePost(req, res, ctxFromAuth(req.auth)).catch(next);
+  });
+  app.get(MCP_PATH, (req, res, next) => {
+    sessions.handleSession(req, res).catch(next);
+  });
+  app.delete(MCP_PATH, (req, res, next) => {
+    sessions.handleSession(req, res).catch(next);
+  });
+  const httpServer = createServer(app);
+  await new Promise((resolve) => httpServer.listen(0, "127.0.0.1", () => resolve()));
+  const address = httpServer.address();
+  const port = typeof address === "object" && address !== null ? address.port : 0;
+  allowedOrigins = [`http://127.0.0.1:${port}`, `http://localhost:${port}`];
+  return {
+    app,
+    httpServer,
+    port,
+    setAllowedOrigins(origins) {
+      allowedOrigins = origins;
+    },
+    async close() {
+      await sessions.closeAll();
+      await new Promise((resolve, reject) => {
+        httpServer.close((err) => err ? reject(err) : resolve());
+      });
+    }
+  };
+}
+
+// src/auth/tokens.ts
+var TokenStore = class {
+  rows = /* @__PURE__ */ new Map();
+  mint(token, row) {
+    this.rows.set(token, row);
+  }
+  revoke(token) {
+    this.rows.delete(token);
+  }
+  get(token) {
+    return this.rows.get(token);
+  }
+};
+
+// src/auth/mint.ts
+import { randomBytes } from "crypto";
+
+// src/auth/scopes.ts
+var SCOPE_READ = "read";
+var SCOPE_DISPATCH = "dispatch";
+var SCOPE_SPAWN = "spawn";
+var SCOPE_GIT_WRITE = "git:write";
+var SCOPE_ANSWER_PERMISSION = "answer_permission";
+var WORKER_SCOPES = [SCOPE_READ];
+var ORCHESTRATOR_SCOPES = [
+  SCOPE_READ,
+  SCOPE_DISPATCH,
+  SCOPE_SPAWN,
+  SCOPE_GIT_WRITE,
+  SCOPE_ANSWER_PERMISSION
+];
+function defaultScopesFor(tier) {
+  return [...tier === "orchestrator" ? ORCHESTRATOR_SCOPES : WORKER_SCOPES];
+}
+
+// src/auth/mint.ts
+var DEFAULT_TTL_SECONDS = 365 * 24 * 60 * 60;
+function mintBoardToken(store, input) {
+  const token = randomBytes(32).toString("hex");
+  const ttl = input.ttlSeconds ?? DEFAULT_TTL_SECONDS;
+  const row = {
+    boardId: input.boardId,
+    tier: input.tier,
+    scopes: defaultScopesFor(input.tier),
+    expiresAt: Math.floor(Date.now() / 1e3) + ttl
+  };
+  store.mint(token, row);
+  return { token, row };
+}
+
+// src/config/mcpJson.ts
+import { writeFileSync } from "fs";
+import { join } from "path";
+function buildMcpJson(port, token) {
+  return {
+    mcpServers: {
+      "canvas-ade": {
+        type: "http",
+        url: `http://127.0.0.1:${port}/mcp`,
+        headers: { Authorization: `Bearer ${token}` }
+      }
+    }
+  };
+}
+function writeMcpJson(dir, port, token) {
+  const file = join(dir, ".mcp.json");
+  writeFileSync(file, JSON.stringify(buildMcpJson(port, token), null, 2) + "\n", {
+    encoding: "utf8",
+    mode: 384
+  });
+  return file;
+}
+
+// src/orchestrator/mock.ts
+var MockOrchestrator = class {
+  async listBoards() {
+    return [];
+  }
+  async spawnBoard(_input) {
+    return { id: "mock-board" };
+  }
+  async closeBoard(_boardId) {
+  }
+  async configureBoard(_boardId, _config) {
+  }
+  async dispatchPrompt(_boardId, _text) {
+  }
+  async writeResult(_boardId, _result) {
+  }
+  async interrupt(_boardId) {
+  }
+  async relayPrompt(_sourceId, _targetId, _text) {
+  }
+  async handoffPrompt(_boardId, _text) {
+    return { present: false };
+  }
+  async gitDiff(_boardId) {
+    return "";
+  }
+  async boardStatus(_boardId) {
+    return "idle";
+  }
+  async boardOutput(_boardId, _opts) {
+    return { text: "", total: 0, returned: 0, droppedOlder: false };
+  }
+  async boardResult(_boardId) {
+    return { present: false };
+  }
+  async projectMemory() {
+    return { present: false, text: "" };
+  }
+  async boardSummary(_boardId) {
+    return { present: false, text: "" };
+  }
+  /** @internal subscribers for the M5 status stream. */
+  statusListeners = /* @__PURE__ */ new Set();
+  subscribeStatus(listener) {
+    this.statusListeners.add(listener);
+    return () => {
+      this.statusListeners.delete(listener);
+    };
+  }
+  /** Test seam: drive a status change through the subscription fan-out. */
+  __emitStatus(change) {
+    for (const cb of this.statusListeners) {
+      try {
+        cb(change);
+      } catch {
+      }
+    }
+  }
+};
+export {
+  MAX_OUTPUT_PAGE,
+  MockOrchestrator,
+  SCOPE_ANSWER_PERMISSION,
+  SCOPE_DISPATCH,
+  SCOPE_GIT_WRITE,
+  SCOPE_READ,
+  SCOPE_SPAWN,
+  TokenStore,
+  buildMcpJson,
+  createMcpHttpServer,
+  defaultScopesFor,
+  mintBoardToken,
+  writeMcpJson
+};
+//# sourceMappingURL=index.js.map