@fnet/cli 0.118.4 → 0.119.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fnet/cli",
-  "version": "0.118.4",
+  "version": "0.119.1",
   "files": [
     "dist",
     "template"

package/template/fnode/node/src/cli/index.js.njk

@@ -71,34 +71,90 @@
     if (transportType === 'stdio') {
       // Use stdio transport
       transport = new StdioServerTransport();
-    } else if (transportType === 'sse') {
-      // Use SSE transport
+    } else if (transportType === 'http') {
+      // Use Streamable HTTP transport (official transport as of MCP 2025-03-26)
       const app = express();
       app.use(express.json());
 
       const port = args['cli-port'] || args.cli_port || 3000;
-      const server = app.listen(port, () => {
-        console.log(`MCP server started with SSE transport on port ${port}`);
+      const host = args['cli-host'] || args.cli_host || 'localhost';
+      const mcpEndpoint = '/mcp';
+
+      // Security: Validate Origin header to prevent DNS rebinding attacks
+      app.use((req, res, next) => {
+        const origin = req.get('origin');
+        if (origin && host === 'localhost') {
+          const originUrl = new URL(origin);
+          if (originUrl.hostname !== 'localhost' && originUrl.hostname !== '127.0.0.1') {
+            return res.status(403).json({ error: 'Forbidden: Invalid origin' });
+          }
+        }
+        next();
       });
 
+      // Middleware to check session ID (except for initialization)
+      const checkSessionId = (req, res, next) => {
+        // Skip session check for initialization requests
+        if (req.method === 'POST' && req.body) {
+          const body = req.body;
+          // Check if this is an initialization request
+          if (body.method === 'initialize' ||
+              (Array.isArray(body) && body.some(item => item.method === 'initialize'))) {
+            return next();
+          }
+        }
+
+        // For non-initialization requests, require session ID
+        const sessionId = req.get('Mcp-Session-Id');
+        if (!sessionId) {
+          return res.status(400).json({
+            jsonrpc: '2.0',
+            error: {
+              code: -32000,
+              message: 'Bad Request: Mcp-Session-Id header is required'
+            },
+            id: null
+          });
+        }
+        next();
+      };
+
+      app.use(mcpEndpoint, checkSessionId);
+
       transport = new StreamableHTTPServerTransport({
-        sessionIdGenerator: () => Math.random().toString(36).substring(2, 15),
+        sessionIdGenerator: () => {
+          // Generate cryptographically secure session ID
+          return require('crypto').randomBytes(16).toString('hex');
+        },
       });
 
-      app.post('/sse', async (req, res) => {
+      // Handle POST requests for client-to-server messages
+      app.post(mcpEndpoint, async (req, res) => {
         await transport.handleRequest(req, res, req.body);
       });
 
-      app.get('/sse', async (req, res) => {
+      // Handle GET requests for server-to-client SSE stream
+      app.get(mcpEndpoint, async (req, res) => {
         await transport.handleRequest(req, res);
       });
 
-      app.delete('/sse', async (req, res) => {
+      // Handle DELETE requests for session termination
+      app.delete(mcpEndpoint, async (req, res) => {
         await transport.handleRequest(req, res);
       });
+
+      const httpServer = app.listen(port, host, () => {
+        console.log(`MCP server started with Streamable HTTP transport`);
+        console.log(`Endpoint: http://${host}:${port}${mcpEndpoint}`);
+        console.log(`Listening on ${host}:${port}`);
+      });
+
+      // Connect transport to server
+      await server.connect(transport);
+      return;
     } else {
       console.error(`Unknown MCP transport type: ${transportType}`);
-      console.error(`Supported types: stdio, sse`);
+      console.error(`Supported types: stdio, http`);
       process.exit(1);
     }