@frontmcp/sdk 0.4.0 → 0.5.0

package/src/transport/flows/handle.stateless-http.flow.js

@@ -0,0 +1,102 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.stateSchema = exports.plan = void 0;
+const tslib_1 = require("tslib");
+const common_1 = require("../../common");
+const zod_1 = require("zod");
+const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
+exports.plan = {
+    pre: ['parseInput', 'router'],
+    execute: ['handleRequest'],
+    post: [],
+    finalize: ['cleanup'],
+};
+exports.stateSchema = zod_1.z.object({
+    token: zod_1.z.string().optional(),
+    isAuthenticated: zod_1.z.boolean(),
+    requestType: zod_1.z.enum(['initialize', 'message']).optional(),
+});
+const name = 'handle:stateless-http';
+const { Stage } = (0, common_1.FlowHooksOf)(name);
+let HandleStatelessHttpFlow = class HandleStatelessHttpFlow extends common_1.FlowBase {
+    name = name;
+    async parseInput() {
+        const { request } = this.rawInput;
+        // Check if we have auth info
+        const auth = request[common_1.ServerRequestTokens.auth];
+        const token = auth?.token;
+        const isAuthenticated = !!token && token.length > 0;
+        this.state.set(exports.stateSchema.parse({
+            token: token || undefined,
+            isAuthenticated,
+        }));
+    }
+    async router() {
+        const { request } = this.rawInput;
+        const body = request.body;
+        const method = body?.method;
+        // Use method-based detection for routing (more permissive than strict schema)
+        // The actual schema validation happens in the MCP SDK's transport layer
+        if (method === 'initialize') {
+            this.state.set('requestType', 'initialize');
+        }
+        else if (method && types_js_1.RequestSchema.safeParse(request.body).success) {
+            this.state.set('requestType', 'message');
+        }
+        else {
+            this.respond(common_1.httpRespond.rpcError('Invalid Request'));
+        }
+    }
+    async handleRequest() {
+        const transportService = this.scope.transportService;
+        const { request, response } = this.rawInput;
+        const { token, isAuthenticated, requestType } = this.state;
+        // Get or create the stateless transport
+        // For anonymous: shared singleton transport
+        // For authenticated: singleton per token
+        const transport = isAuthenticated && token
+            ? await transportService.getOrCreateAuthenticatedStatelessTransport('stateless-http', token, response)
+            : await transportService.getOrCreateAnonymousStatelessTransport('stateless-http', response);
+        // For stateless mode, inject the well-known session ID
+        // This satisfies the MCP SDK's session header requirement while keeping requests stateless
+        if (!request.headers['mcp-session-id']) {
+            request.headers['mcp-session-id'] = '__stateless__';
+        }
+        if (requestType === 'initialize') {
+            await transport.initialize(request, response);
+        }
+        else {
+            await transport.handleRequest(request, response);
+        }
+        this.handled();
+    }
+};
+tslib_1.__decorate([
+    Stage('parseInput'),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HandleStatelessHttpFlow.prototype, "parseInput", null);
+tslib_1.__decorate([
+    Stage('router'),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HandleStatelessHttpFlow.prototype, "router", null);
+tslib_1.__decorate([
+    Stage('handleRequest'),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HandleStatelessHttpFlow.prototype, "handleRequest", null);
+HandleStatelessHttpFlow = tslib_1.__decorate([
+    (0, common_1.Flow)({
+        name,
+        plan: exports.plan,
+        access: 'public', // Can be accessed without full auth
+        inputSchema: common_1.httpInputSchema,
+        outputSchema: common_1.httpOutputSchema,
+    })
+], HandleStatelessHttpFlow);
+exports.default = HandleStatelessHttpFlow;
+//# sourceMappingURL=handle.stateless-http.flow.js.map

package/src/transport/flows/handle.stateless-http.flow.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handle.stateless-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.stateless-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAWsB;AACtB,6BAAwB;AACxB,iEAAmE;AAGtD,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,eAAe,CAAC;IAC1B,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEzB,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;IAC5B,eAAe,EAAE,OAAC,CAAC,OAAO,EAAE;IAC5B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC1D,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,uBAAgC,CAAC;AAC9C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,uBAAuB,GAA7B,MAAM,uBAAwB,SAAQ,iBAAqB;IACxE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,6BAA6B;QAC7B,MAAM,IAAI,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAA8B,CAAC;QAC5E,MAAM,KAAK,GAAG,IAAI,EAAE,KAAK,CAAC;QAC1B,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC;QAEpD,IAAI,CAAC,KAAK,CAAC,GAAG,CACZ,mBAAW,CAAC,KAAK,CAAC;YAChB,KAAK,EAAE,KAAK,IAAI,SAAS;YACzB,eAAe;SAChB,CAAC,CACH,CAAC;IACJ,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAuC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC;QAE5B,8EAA8E;QAC9E,wEAAwE;QACxE,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,MAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC;QAE3D,wCAAwC;QACxC,4CAA4C;QAC5C,yCAAyC;QACzC,MAAM,SAAS,GACb,eAAe,IAAI,KAAK;YACtB,CAAC,CAAC,MAAM,gBAAgB,CAAC,0CAA0C,CAAC,gBAAgB,EAAE,KAAK,EAAE,QAAQ,CAAC;YACtG,CAAC,CAAC,MAAM,gBAAgB,CAAC,sCAAsC,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAC;QAEhG,uDAAuD;QACvD,2FAA2F;QAC3F,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YACvC,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,GAAG,eAAe,CAAC;QACtD,CAAC;QAED,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC;YACjC,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAChD,CAAC;aAAM,CAAC;YACN,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AA7DO;IADL,KAAK,CAAC,YAAY,CAAC;;;;yDAenB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;qDAef;AAGK;IADL,KAAK,CAAC,eAAe,CAAC;;;;4DA2BtB;AAhEkB,uBAAuB;IAP3C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,QAAQ,EAAE,oCAAoC;QACtD,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,uBAAuB,CAiE3C;kBAjEoB,uBAAuB","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n} from '../../common';\nimport { z } from 'zod';\nimport { RequestSchema } from '@modelcontextprotocol/sdk/types.js';\nimport { Scope } from '../../scope';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['handleRequest'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\nexport const stateSchema = z.object({\n  token: z.string().optional(),\n  isAuthenticated: z.boolean(),\n  requestType: z.enum(['initialize', 'message']).optional(),\n});\n\nconst name = 'handle:stateless-http' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:stateless-http': FlowRunOptions<\n      HandleStatelessHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'public', // Can be accessed without full auth\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStatelessHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    // Check if we have auth info\n    const auth = request[ServerRequestTokens.auth] as Authorization | undefined;\n    const token = auth?.token;\n    const isAuthenticated = !!token && token.length > 0;\n\n    this.state.set(\n      stateSchema.parse({\n        token: token || undefined,\n        isAuthenticated,\n      }),\n    );\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n    const body = request.body as { method?: string } | undefined;\n    const method = body?.method;\n\n    // Use method-based detection for routing (more permissive than strict schema)\n    // The actual schema validation happens in the MCP SDK's transport layer\n    if (method === 'initialize') {\n      this.state.set('requestType', 'initialize');\n    } else if (method && RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('handleRequest')\n  async handleRequest() {\n    const transportService = (this.scope as Scope).transportService;\n    const { request, response } = this.rawInput;\n    const { token, isAuthenticated, requestType } = this.state;\n\n    // Get or create the stateless transport\n    // For anonymous: shared singleton transport\n    // For authenticated: singleton per token\n    const transport =\n      isAuthenticated && token\n        ? await transportService.getOrCreateAuthenticatedStatelessTransport('stateless-http', token, response)\n        : await transportService.getOrCreateAnonymousStatelessTransport('stateless-http', response);\n\n    // For stateless mode, inject the well-known session ID\n    // This satisfies the MCP SDK's session header requirement while keeping requests stateless\n    if (!request.headers['mcp-session-id']) {\n      request.headers['mcp-session-id'] = '__stateless__';\n    }\n\n    if (requestType === 'initialize') {\n      await transport.initialize(request, response);\n    } else {\n      await transport.handleRequest(request, response);\n    }\n\n    this.handled();\n  }\n}\n"]}

package/src/transport/flows/handle.streamable-http.flow.d.ts

@@ -2,7 +2,7 @@ import { httpInputSchema, FlowRunOptions, httpOutputSchema, FlowBase } from '../
 import { z } from 'zod';
 export declare const plan: {
     readonly pre: ["parseInput", "router"];
-    readonly execute: ["onInitialize", "onMessage", "onElicitResult"];
+    readonly execute: ["onInitialize", "onMessage", "onElicitResult", "onSseListener"];
     readonly post: [];
     readonly finalize: ["cleanup"];
 };
@@ -10,72 +10,39 @@ export declare const stateSchema: z.ZodObject<{
     token: z.ZodString;
     session: z.ZodObject<{
         id: z.ZodString;
-        payload: z.ZodObject<{
+        payload: z.ZodOptional<z.ZodObject<{
             nodeId: z.ZodString;
             authSig: z.ZodString;
             uuid: z.ZodString;
             iat: z.ZodNumber;
-            protocol: z.ZodEnum<["legacy-sse", "sse", "streamable-http", "stateful-http", "stateless-http"]>;
-        }, "strip", z.ZodTypeAny, {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        }, {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        }>;
-    }, "strip", z.ZodTypeAny, {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    }, {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    }>;
-    requestType: z.ZodOptional<z.ZodEnum<["initialize", "message", "elicitResult"]>>;
-}, "strip", z.ZodTypeAny, {
-    session: {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    };
-    token: string;
-    requestType?: "message" | "initialize" | "elicitResult" | undefined;
-}, {
-    session: {
-        id: string;
-        payload: {
-            uuid: string;
-            nodeId: string;
-            authSig: string;
-            iat: number;
-            protocol: "sse" | "legacy-sse" | "streamable-http" | "stateful-http" | "stateless-http";
-        };
-    };
-    token: string;
-    requestType?: "message" | "initialize" | "elicitResult" | undefined;
-}>;
+            protocol: z.ZodOptional<z.ZodEnum<{
+                "legacy-sse": "legacy-sse";
+                sse: "sse";
+                "streamable-http": "streamable-http";
+                "stateful-http": "stateful-http";
+                "stateless-http": "stateless-http";
+            }>>;
+            isPublic: z.ZodOptional<z.ZodBoolean>;
+            platformType: z.ZodOptional<z.ZodEnum<{
+                unknown: "unknown";
+                continue: "continue";
+                openai: "openai";
+                claude: "claude";
+                gemini: "gemini";
+                cursor: "cursor";
+                cody: "cody";
+                "generic-mcp": "generic-mcp";
+                "ext-apps": "ext-apps";
+            }>>;
+        }, z.core.$strip>>;
+    }, z.core.$strip>;
+    requestType: z.ZodOptional<z.ZodEnum<{
+        message: "message";
+        initialize: "initialize";
+        elicitResult: "elicitResult";
+        sseListener: "sseListener";
+    }>>;
+}, z.core.$strip>;
 declare const name: "handle:streamable-http";
 declare global {
     interface ExtendFlows {
@@ -84,10 +51,11 @@ declare global {
 }
 export default class HandleStreamableHttpFlow extends FlowBase<typeof name> {
     name: "handle:streamable-http";
-    paseInput(): Promise<void>;
+    parseInput(): Promise<void>;
     router(): Promise<void>;
     onInitialize(): Promise<void>;
     onElicitResult(): Promise<void>;
     onMessage(): Promise<void>;
+    onSseListener(): Promise<void>;
 }
 export {};

package/src/transport/flows/handle.streamable-http.flow.js

@@ -7,47 +7,94 @@ const zod_1 = require("zod");
 const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const session_id_utils_1 = require("../../auth/session/utils/session-id.utils");
 exports.plan = {
-    pre: [
-        'parseInput',
-        'router',
-    ],
-    execute: [
-        'onInitialize',
-        'onMessage',
-        'onElicitResult',
-    ],
+    pre: ['parseInput', 'router'],
+    execute: ['onInitialize', 'onMessage', 'onElicitResult', 'onSseListener'],
     post: [],
-    finalize: [
-        'cleanup',
-    ],
+    finalize: ['cleanup'],
 };
+// Relaxed session schema for state - payload is optional when using mcp-session-id header directly
+const stateSessionSchema = zod_1.z.object({
+    id: zod_1.z.string(),
+    payload: zod_1.z
+        .object({
+        nodeId: zod_1.z.string(),
+        authSig: zod_1.z.string(),
+        uuid: zod_1.z.string().uuid(),
+        iat: zod_1.z.number(),
+        protocol: zod_1.z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),
+        isPublic: zod_1.z.boolean().optional(),
+        platformType: zod_1.z
+            .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])
+            .optional(),
+    })
+        .optional(),
+});
 exports.stateSchema = zod_1.z.object({
     token: zod_1.z.string(),
-    session: common_1.sessionIdSchema,
-    requestType: zod_1.z.enum(['initialize', 'message', 'elicitResult']).optional(),
+    session: stateSessionSchema,
+    requestType: zod_1.z.enum(['initialize', 'message', 'elicitResult', 'sseListener']).optional(),
 });
 const name = 'handle:streamable-http';
 const { Stage } = (0, common_1.FlowHooksOf)(name);
 let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.FlowBase {
     name = name;
-    async paseInput() {
+    async parseInput() {
         const { request } = this.rawInput;
-        let { token, session } = request[common_1.ServerRequestTokens.auth];
-        if (!session) {
-            session = (0, session_id_utils_1.createSessionId)('streamable-http', token);
-            request[common_1.ServerRequestTokens.auth].session = session;
+        const authorization = request[common_1.ServerRequestTokens.auth];
+        const { token } = authorization;
+        // CRITICAL: The mcp-session-id header is the client's reference to their session.
+        // We MUST use this exact ID for transport registry lookup.
+        //
+        // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)
+        //             This is the ID the client received from initialize and is referencing.
+        // Priority 2: Use session from authorization if header matches or is absent
+        // Priority 3: Create new session (first request - no header, no authorization.session)
+        const mcpSessionHeader = request.headers?.['mcp-session-id'];
+        let session;
+        if (mcpSessionHeader) {
+            // Client sent session ID - ALWAYS use it for transport lookup
+            // If authorization.session exists and matches, use its payload for protocol detection
+            // If authorization.session differs or is missing, still use header ID (payload may be undefined)
+            if (authorization.session?.id === mcpSessionHeader) {
+                session = authorization.session;
+            }
+            else {
+                session = { id: mcpSessionHeader };
+            }
+        }
+        else if (authorization.session) {
+            // No header but authorization has session - use it (shouldn't happen in normal flow)
+            session = authorization.session;
+        }
+        else {
+            // No session - create new one (initialize request)
+            session = (0, session_id_utils_1.createSessionId)('streamable-http', token, {
+                userAgent: request.headers?.['user-agent'],
+                platformDetectionConfig: this.scope.metadata?.session?.platformDetection,
+            });
         }
         this.state.set(exports.stateSchema.parse({ token, session }));
     }
     async router() {
         const { request } = this.rawInput;
-        if (types_js_1.InitializeRequestSchema.safeParse(request.body).success) {
+        // GET requests are SSE listener streams - no body expected
+        // Per MCP spec, clients can open SSE stream with GET + Accept: text/event-stream
+        if (request.method.toUpperCase() === 'GET') {
+            this.state.set('requestType', 'sseListener');
+            return;
+        }
+        // POST requests have MCP JSON-RPC body
+        const body = request.body;
+        const method = body?.method;
+        // Use method-based detection for routing (more permissive than strict schema)
+        // The actual schema validation happens in the MCP SDK's transport layer
+        if (method === 'initialize') {
             this.state.set('requestType', 'initialize');
         }
         else if (types_js_1.ElicitResultSchema.safeParse(request.body).success) {
             this.state.set('requestType', 'elicitResult');
         }
-        else if (types_js_1.RequestSchema.safeParse(request.body).success) {
+        else if (method && types_js_1.RequestSchema.safeParse(request.body).success) {
             this.state.set('requestType', 'message');
         }
         else {
@@ -56,25 +103,102 @@ let HandleStreamableHttpFlow = class HandleStreamableHttpFlow extends common_1.F
     }
     async onInitialize() {
         const transportService = this.scope.transportService;
+        const logger = this.scope.logger.child('handle:streamable-http:onInitialize');
         const { request, response } = this.rawInput;
         const { token, session } = this.state.required;
-        const transport = await transportService.createTransporter('streamable-http', token, session.id, response);
-        await transport.initialize(request, response);
-        this.handled();
+        logger.info('onInitialize: creating transport', {
+            sessionId: session.id.slice(0, 30),
+            hasToken: !!token,
+            tokenPrefix: token?.slice(0, 10),
+        });
+        try {
+            const transport = await transportService.createTransporter('streamable-http', token, session.id, response);
+            logger.info('onInitialize: transport created, calling initialize');
+            await transport.initialize(request, response);
+            logger.info('onInitialize: completed successfully');
+            this.handled();
+        }
+        catch (error) {
+            // FlowControl is expected control flow (from this.handled()), not an error
+            if (error instanceof common_1.FlowControl) {
+                throw error;
+            }
+            logger.error('onInitialize: failed', {
+                error: error instanceof Error ? error.message : String(error),
+                stack: error instanceof Error ? error.stack : undefined,
+            });
+            throw error;
+        }
     }
     async onElicitResult() {
         this.fail(new Error('Not implemented'));
     }
     async onMessage() {
+        const transportService = this.scope.transportService;
+        const logger = this.scopeLogger.child('handle:streamable-http:onMessage');
+        const { request, response } = this.rawInput;
+        const { token, session } = this.state.required;
+        const transport = await transportService.getTransporter('streamable-http', token, session.id);
+        if (!transport) {
+            // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25
+            const wasCreated = transportService.wasSessionCreated('streamable-http', token, session.id);
+            const body = request.body;
+            if (wasCreated) {
+                // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)
+                logger.info('Session expired - client should re-initialize', {
+                    sessionId: session.id?.slice(0, 20),
+                    tokenHash: token.slice(0, 8),
+                    method: body?.['method'],
+                    requestId: body?.['id'],
+                    mcpSessionId: request.headers?.['mcp-session-id'],
+                });
+                this.respond(common_1.httpRespond.sessionExpired('session expired'));
+            }
+            else {
+                // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)
+                logger.warn('Session not initialized - client attempted request without initializing', {
+                    sessionId: session.id?.slice(0, 20),
+                    tokenHash: token.slice(0, 8),
+                    method: body?.['method'],
+                    requestId: body?.['id'],
+                    mcpSessionId: request.headers?.['mcp-session-id'],
+                    userAgent: request.headers?.['user-agent']?.slice(0, 50),
+                });
+                this.respond(common_1.httpRespond.sessionNotFound('session not initialized'));
+            }
+            return;
+        }
+        try {
+            await transport.handleRequest(request, response);
+            this.handled();
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                const body = request.body;
+                logger.error('handleRequest failed', {
+                    error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : error,
+                    method: body?.['method'],
+                    id: body?.['id'],
+                    sessionId: session.id?.slice(0, 20),
+                });
+            }
+            throw error;
+        }
+    }
+    async onSseListener() {
         const transportService = this.scope.transportService;
         const { request, response } = this.rawInput;
         const { token, session } = this.state.required;
+        // Get existing transport for this session - SSE listener requires existing session
         const transport = await transportService.getTransporter('streamable-http', token, session.id);
         if (!transport) {
-            this.respond(common_1.httpRespond.rpcError('session not initialized'));
+            this.respond(common_1.httpRespond.notFound('Session not found'));
             return;
         }
+        // Forward GET request to transport (opens SSE stream for server→client notifications)
         await transport.handleRequest(request, response);
+        this.handled();
     }
 };
 tslib_1.__decorate([
@@ -82,7 +206,7 @@ tslib_1.__decorate([
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
-], HandleStreamableHttpFlow.prototype, "paseInput", null);
+], HandleStreamableHttpFlow.prototype, "parseInput", null);
 tslib_1.__decorate([
     Stage('router'),
     tslib_1.__metadata("design:type", Function),
@@ -113,6 +237,14 @@ tslib_1.__decorate([
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
 ], HandleStreamableHttpFlow.prototype, "onMessage", null);
+tslib_1.__decorate([
+    Stage('onSseListener', {
+        filter: ({ state: { requestType } }) => requestType === 'sseListener',
+    }),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HandleStreamableHttpFlow.prototype, "onSseListener", null);
 HandleStreamableHttpFlow = tslib_1.__decorate([
     (0, common_1.Flow)({
         name,

package/src/transport/flows/handle.streamable-http.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"handle.streamable-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.streamable-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAGsB;AACtB,6BAAsB;AACtB,iEAA8G;AAE9G,gFAA0E;AAE7D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE;QACH,YAAY;QACZ,QAAQ;KACT;IACD,OAAO,EAAE;QACP,cAAc;QACd,WAAW;QACX,gBAAgB;KACjB;IACD,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE;QACR,SAAS;KACV;CACkC,CAAC;AAGzB,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,wBAAe;IACxB,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,QAAQ,EAAE;CAC1E,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,wBAAiC,CAAC;AAC/C,MAAM,EAAC,KAAK,EAAC,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAsBnB,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAqB;IACzE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEhC,IAAI,EAAC,KAAK,EAAE,OAAO,EAAC,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QAE1E,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,GAAG,IAAA,kCAAe,EAAC,iBAAiB,EAAE,KAAK,CAAC,CAAC;YACpD,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAC,CAAC,OAAO,GAAG,OAAO,CAAC;QACtD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAC,KAAK,EAAE,OAAO,EAAC,CAAC,CAAC,CAAC;IACtD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAEhC,IAAI,kCAAuB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC5D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,6BAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACzD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC1C,MAAM,EAAC,KAAK,EAAE,OAAO,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QAC3G,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC9C,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAC,OAAO,EAAE,QAAQ,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC1C,MAAM,EAAC,KAAK,EAAE,OAAO,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC7C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,yBAAyB,CAAC,CAAC,CAAC;YAC9D,OAAO;QACT,CAAC;QACD,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;CAGF,CAAA;AAhEO;IADL,KAAK,CAAC,YAAY,CAAC;;;;yDAWnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;sDAaf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,WAAW,EAAC,EAAC,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACjE,CAAC;;;;4DASD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,WAAW,EAAC,EAAC,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACnE,CAAC;;;;8DAGD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,WAAW,EAAC,EAAC,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAC9D,CAAC;;;;yDAYD;AAjEkB,wBAAwB;IAP5C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,wBAAwB,CAoE5C;kBApEoB,wBAAwB","sourcesContent":["import {\n  Flow, httpInputSchema, FlowRunOptions, httpOutputSchema, FlowPlan,\n  FlowBase, FlowHooksOf, sessionIdSchema, httpRespond, ServerRequestTokens, Authorization,\n} from '../../common';\nimport {z} from 'zod';\nimport {ElicitResultSchema, InitializeRequestSchema, RequestSchema} from '@modelcontextprotocol/sdk/types.js';\nimport {Scope} from '../../scope';\nimport {createSessionId} from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: [\n    'parseInput',\n    'router',\n  ],\n  execute: [\n    'onInitialize',\n    'onMessage',\n    'onElicitResult',\n  ],\n  post: [],\n  finalize: [\n    'cleanup',\n  ],\n} as const satisfies FlowPlan<string>;\n\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: sessionIdSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult']).optional(),\n});\n\nconst name = 'handle:streamable-http' as const;\nconst {Stage} = FlowHooksOf(name);\n\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:streamable-http': FlowRunOptions<\n      HandleStreamableHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStreamableHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async paseInput() {\n    const {request} = this.rawInput;\n\n    let {token, session} = request[ServerRequestTokens.auth] as Authorization;\n\n    if (!session) {\n      session = createSessionId('streamable-http', token);\n      request[ServerRequestTokens.auth].session = session;\n    }\n    this.state.set(stateSchema.parse({token, session}));\n  }\n\n  @Stage('router')\n  async router() {\n    const {request} = this.rawInput;\n\n    if (InitializeRequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'initialize');\n    } else if (ElicitResultSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'elicitResult');\n    } else if (RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({state: {requestType}}) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const {request, response} = this.rawInput;\n    const {token, session} = this.state.required;\n    const transport = await transportService.createTransporter('streamable-http', token, session.id, response);\n    await transport.initialize(request, response);\n    this.handled();\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({state: {requestType}}) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({state: {requestType}}) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const {request, response} = this.rawInput;\n    const {token, session} = this.state.required;\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      this.respond(httpRespond.rpcError('session not initialized'));\n      return;\n    }\n    await transport.handleRequest(request, response);\n  }\n\n\n}\n"]}
+{"version":3,"file":"handle.streamable-http.flow.js","sourceRoot":"","sources":["../../../../src/transport/flows/handle.streamable-http.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAasB;AACtB,6BAAwB;AACxB,iEAAuF;AAEvF,gFAA4E;AAE/D,QAAA,IAAI,GAAG;IAClB,GAAG,EAAE,CAAC,YAAY,EAAE,QAAQ,CAAC;IAC7B,OAAO,EAAE,CAAC,cAAc,EAAE,WAAW,EAAE,gBAAgB,EAAE,eAAe,CAAC;IACzE,IAAI,EAAE,EAAE;IACR,QAAQ,EAAE,CAAC,SAAS,CAAC;CACc,CAAC;AAEtC,mGAAmG;AACnG,MAAM,kBAAkB,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,OAAC;SACP,MAAM,CAAC;QACN,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE;QAClB,OAAO,EAAE,OAAC,CAAC,MAAM,EAAE;QACnB,IAAI,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE;QACvB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE;QACf,QAAQ,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,KAAK,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,CAAC,CAAC,CAAC,QAAQ,EAAE;QACxG,QAAQ,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE;QAChC,YAAY,EAAE,OAAC;aACZ,IAAI,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,CAAC,CAAC;aACxG,QAAQ,EAAE;KACd,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAC;AAEU,QAAA,WAAW,GAAG,OAAC,CAAC,MAAM,CAAC;IAClC,KAAK,EAAE,OAAC,CAAC,MAAM,EAAE;IACjB,OAAO,EAAE,kBAAkB;IAC3B,WAAW,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,YAAY,EAAE,SAAS,EAAE,cAAc,EAAE,aAAa,CAAC,CAAC,CAAC,QAAQ,EAAE;CACzF,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,wBAAiC,CAAC;AAC/C,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,IAAI,CAAC,CAAC;AAqBrB,IAAM,wBAAwB,GAA9B,MAAM,wBAAyB,SAAQ,iBAAqB;IACzE,IAAI,GAAG,IAAI,CAAC;IAGN,AAAN,KAAK,CAAC,UAAU;QACd,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,MAAM,aAAa,GAAG,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAkB,CAAC;QACzE,MAAM,EAAE,KAAK,EAAE,GAAG,aAAa,CAAC;QAEhC,kFAAkF;QAClF,2DAA2D;QAC3D,EAAE;QACF,oFAAoF;QACpF,qFAAqF;QACrF,4EAA4E;QAC5E,uFAAuF;QACvF,MAAM,gBAAgB,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QAEnF,IAAI,OAAoF,CAAC;QAEzF,IAAI,gBAAgB,EAAE,CAAC;YACrB,8DAA8D;YAC9D,sFAAsF;YACtF,iGAAiG;YACjG,IAAI,aAAa,CAAC,OAAO,EAAE,EAAE,KAAK,gBAAgB,EAAE,CAAC;gBACnD,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;YAClC,CAAC;iBAAM,CAAC;gBACN,OAAO,GAAG,EAAE,EAAE,EAAE,gBAAgB,EAAE,CAAC;YACrC,CAAC;QACH,CAAC;aAAM,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;YACjC,qFAAqF;YACrF,OAAO,GAAG,aAAa,CAAC,OAAO,CAAC;QAClC,CAAC;aAAM,CAAC;YACN,mDAAmD;YACnD,OAAO,GAAG,IAAA,kCAAe,EAAC,iBAAiB,EAAE,KAAK,EAAE;gBAClD,SAAS,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB;gBAChE,uBAAuB,EAAG,IAAI,CAAC,KAAe,CAAC,QAAQ,EAAE,OAAO,EAAE,iBAAiB;aACpF,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,mBAAW,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IACxD,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAElC,2DAA2D;QAC3D,iFAAiF;QACjF,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;YAC3C,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,uCAAuC;QACvC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAuC,CAAC;QAC7D,MAAM,MAAM,GAAG,IAAI,EAAE,MAAM,CAAC;QAE5B,8EAA8E;QAC9E,wEAAwE;QACxE,IAAI,MAAM,KAAK,YAAY,EAAE,CAAC;YAC5B,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;QAC9C,CAAC;aAAM,IAAI,6BAAkB,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YAC9D,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,cAAc,CAAC,CAAC;QAChD,CAAC;aAAM,IAAI,MAAM,IAAI,wBAAa,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,CAAC;YACnE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,aAAa,EAAE,SAAS,CAAC,CAAC;QAC3C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAI,IAAI,CAAC,KAAe,CAAC,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAEzF,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE;YAC9C,SAAS,EAAE,OAAO,CAAC,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClC,QAAQ,EAAE,CAAC,CAAC,KAAK;YACjB,WAAW,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SACjC,CAAC,CAAC;QAEH,IAAI,CAAC;YACH,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;YAC3G,MAAM,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAC;YACnE,MAAM,SAAS,CAAC,UAAU,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YAC9C,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;YACpD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,2EAA2E;YAC3E,IAAI,KAAK,YAAY,oBAAW,EAAE,CAAC;gBACjC,MAAM,KAAK,CAAC;YACd,CAAC;YACD,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;aACxD,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,cAAc;QAClB,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC1C,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAChE,MAAM,MAAM,GAAG,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,kCAAkC,CAAC,CAAC;QAE1E,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,yFAAyF;YACzF,MAAM,UAAU,GAAG,gBAAgB,CAAC,iBAAiB,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;YAC5F,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;YAEjE,IAAI,UAAU,EAAE,CAAC;gBACf,sFAAsF;gBACtF,MAAM,CAAC,IAAI,CAAC,+CAA+C,EAAE;oBAC3D,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;iBAClD,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,cAAc,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9D,CAAC;iBAAM,CAAC;gBACN,6FAA6F;gBAC7F,MAAM,CAAC,IAAI,CAAC,yEAAyE,EAAE;oBACrF,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;oBACnC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,SAAS,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBACvB,YAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAC;oBACjD,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAwB,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACjF,CAAC,CAAC;gBACH,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,eAAe,CAAC,yBAAyB,CAAC,CAAC,CAAC;YACvE,CAAC;YACD,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;YACjD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;gBACjE,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;oBACnC,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,KAAK,EAAE,KAAK,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK;oBACxG,MAAM,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;oBACxB,EAAE,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;oBAChB,SAAS,EAAE,OAAO,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;iBACpC,CAAC,CAAC;YACL,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAKK,AAAN,KAAK,CAAC,aAAa;QACjB,MAAM,gBAAgB,GAAI,IAAI,CAAC,KAAe,CAAC,gBAAgB,CAAC;QAEhE,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC5C,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAE/C,mFAAmF;QACnF,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,cAAc,CAAC,iBAAiB,EAAE,KAAK,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QAC9F,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,sFAAsF;QACtF,MAAM,SAAS,CAAC,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACjD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;CACF,CAAA;AA5LO;IADL,KAAK,CAAC,YAAY,CAAC;;;;0DAuCnB;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;sDA0Bf;AAKK;IAHL,KAAK,CAAC,cAAc,EAAE;QACrB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,YAAY;KACrE,CAAC;;;;4DA+BD;AAKK;IAHL,KAAK,CAAC,gBAAgB,EAAE;QACvB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,cAAc;KACvE,CAAC;;;;8DAGD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,SAAS;KAClE,CAAC;;;;yDAsDD;AAKK;IAHL,KAAK,CAAC,eAAe,EAAE;QACtB,MAAM,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,CAAC,WAAW,KAAK,aAAa;KACtE,CAAC;;;;6DAiBD;AA/LkB,wBAAwB;IAP5C,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI,EAAJ,YAAI;QACJ,MAAM,EAAE,YAAY;QACpB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;KAC/B,CAAC;GACmB,wBAAwB,CAgM5C;kBAhMoB,wBAAwB","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  FlowHooksOf,\n  sessionIdSchema,\n  httpRespond,\n  ServerRequestTokens,\n  Authorization,\n  FlowControl,\n} from '../../common';\nimport { z } from 'zod';\nimport { ElicitResultSchema, RequestSchema } from '@modelcontextprotocol/sdk/types.js';\nimport { Scope } from '../../scope';\nimport { createSessionId } from '../../auth/session/utils/session-id.utils';\n\nexport const plan = {\n  pre: ['parseInput', 'router'],\n  execute: ['onInitialize', 'onMessage', 'onElicitResult', 'onSseListener'],\n  post: [],\n  finalize: ['cleanup'],\n} as const satisfies FlowPlan<string>;\n\n// Relaxed session schema for state - payload is optional when using mcp-session-id header directly\nconst stateSessionSchema = z.object({\n  id: z.string(),\n  payload: z\n    .object({\n      nodeId: z.string(),\n      authSig: z.string(),\n      uuid: z.string().uuid(),\n      iat: z.number(),\n      protocol: z.enum(['legacy-sse', 'sse', 'streamable-http', 'stateful-http', 'stateless-http']).optional(),\n      isPublic: z.boolean().optional(),\n      platformType: z\n        .enum(['openai', 'claude', 'gemini', 'cursor', 'continue', 'cody', 'generic-mcp', 'ext-apps', 'unknown'])\n        .optional(),\n    })\n    .optional(),\n});\n\nexport const stateSchema = z.object({\n  token: z.string(),\n  session: stateSessionSchema,\n  requestType: z.enum(['initialize', 'message', 'elicitResult', 'sseListener']).optional(),\n});\n\nconst name = 'handle:streamable-http' as const;\nconst { Stage } = FlowHooksOf(name);\n\ndeclare global {\n  interface ExtendFlows {\n    'handle:streamable-http': FlowRunOptions<\n      HandleStreamableHttpFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof stateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'authorized',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n})\nexport default class HandleStreamableHttpFlow extends FlowBase<typeof name> {\n  name = name;\n\n  @Stage('parseInput')\n  async parseInput() {\n    const { request } = this.rawInput;\n\n    const authorization = request[ServerRequestTokens.auth] as Authorization;\n    const { token } = authorization;\n\n    // CRITICAL: The mcp-session-id header is the client's reference to their session.\n    // We MUST use this exact ID for transport registry lookup.\n    //\n    // Priority 1: Use mcp-session-id header if present (client's session ID for lookup)\n    //             This is the ID the client received from initialize and is referencing.\n    // Priority 2: Use session from authorization if header matches or is absent\n    // Priority 3: Create new session (first request - no header, no authorization.session)\n    const mcpSessionHeader = request.headers?.['mcp-session-id'] as string | undefined;\n\n    let session: { id: string; payload?: z.infer<typeof stateSchema>['session']['payload'] };\n\n    if (mcpSessionHeader) {\n      // Client sent session ID - ALWAYS use it for transport lookup\n      // If authorization.session exists and matches, use its payload for protocol detection\n      // If authorization.session differs or is missing, still use header ID (payload may be undefined)\n      if (authorization.session?.id === mcpSessionHeader) {\n        session = authorization.session;\n      } else {\n        session = { id: mcpSessionHeader };\n      }\n    } else if (authorization.session) {\n      // No header but authorization has session - use it (shouldn't happen in normal flow)\n      session = authorization.session;\n    } else {\n      // No session - create new one (initialize request)\n      session = createSessionId('streamable-http', token, {\n        userAgent: request.headers?.['user-agent'] as string | undefined,\n        platformDetectionConfig: (this.scope as Scope).metadata?.session?.platformDetection,\n      });\n    }\n\n    this.state.set(stateSchema.parse({ token, session }));\n  }\n\n  @Stage('router')\n  async router() {\n    const { request } = this.rawInput;\n\n    // GET requests are SSE listener streams - no body expected\n    // Per MCP spec, clients can open SSE stream with GET + Accept: text/event-stream\n    if (request.method.toUpperCase() === 'GET') {\n      this.state.set('requestType', 'sseListener');\n      return;\n    }\n\n    // POST requests have MCP JSON-RPC body\n    const body = request.body as { method?: string } | undefined;\n    const method = body?.method;\n\n    // Use method-based detection for routing (more permissive than strict schema)\n    // The actual schema validation happens in the MCP SDK's transport layer\n    if (method === 'initialize') {\n      this.state.set('requestType', 'initialize');\n    } else if (ElicitResultSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'elicitResult');\n    } else if (method && RequestSchema.safeParse(request.body).success) {\n      this.state.set('requestType', 'message');\n    } else {\n      this.respond(httpRespond.rpcError('Invalid Request'));\n    }\n  }\n\n  @Stage('onInitialize', {\n    filter: ({ state: { requestType } }) => requestType === 'initialize',\n  })\n  async onInitialize() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = (this.scope as Scope).logger.child('handle:streamable-http:onInitialize');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    logger.info('onInitialize: creating transport', {\n      sessionId: session.id.slice(0, 30),\n      hasToken: !!token,\n      tokenPrefix: token?.slice(0, 10),\n    });\n\n    try {\n      const transport = await transportService.createTransporter('streamable-http', token, session.id, response);\n      logger.info('onInitialize: transport created, calling initialize');\n      await transport.initialize(request, response);\n      logger.info('onInitialize: completed successfully');\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow (from this.handled()), not an error\n      if (error instanceof FlowControl) {\n        throw error;\n      }\n      logger.error('onInitialize: failed', {\n        error: error instanceof Error ? error.message : String(error),\n        stack: error instanceof Error ? error.stack : undefined,\n      });\n      throw error;\n    }\n  }\n\n  @Stage('onElicitResult', {\n    filter: ({ state: { requestType } }) => requestType === 'elicitResult',\n  })\n  async onElicitResult() {\n    this.fail(new Error('Not implemented'));\n  }\n\n  @Stage('onMessage', {\n    filter: ({ state: { requestType } }) => requestType === 'message',\n  })\n  async onMessage() {\n    const transportService = (this.scope as Scope).transportService;\n    const logger = this.scopeLogger.child('handle:streamable-http:onMessage');\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      // Check if session was ever created to differentiate error types per MCP Spec 2025-11-25\n      const wasCreated = transportService.wasSessionCreated('streamable-http', token, session.id);\n      const body = request.body as Record<string, unknown> | undefined;\n\n      if (wasCreated) {\n        // Session existed but was terminated/evicted → HTTP 404 (client should re-initialize)\n        logger.info('Session expired - client should re-initialize', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n        });\n        this.respond(httpRespond.sessionExpired('session expired'));\n      } else {\n        // Session was never created → HTTP 404 (per user requirement: invalid/missing session = 404)\n        logger.warn('Session not initialized - client attempted request without initializing', {\n          sessionId: session.id?.slice(0, 20),\n          tokenHash: token.slice(0, 8),\n          method: body?.['method'],\n          requestId: body?.['id'],\n          mcpSessionId: request.headers?.['mcp-session-id'],\n          userAgent: (request.headers?.['user-agent'] as string | undefined)?.slice(0, 50),\n        });\n        this.respond(httpRespond.sessionNotFound('session not initialized'));\n      }\n      return;\n    }\n\n    try {\n      await transport.handleRequest(request, response);\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        const body = request.body as Record<string, unknown> | undefined;\n        logger.error('handleRequest failed', {\n          error: error instanceof Error ? { name: error.name, message: error.message, stack: error.stack } : error,\n          method: body?.['method'],\n          id: body?.['id'],\n          sessionId: session.id?.slice(0, 20),\n        });\n      }\n      throw error;\n    }\n  }\n\n  @Stage('onSseListener', {\n    filter: ({ state: { requestType } }) => requestType === 'sseListener',\n  })\n  async onSseListener() {\n    const transportService = (this.scope as Scope).transportService;\n\n    const { request, response } = this.rawInput;\n    const { token, session } = this.state.required;\n\n    // Get existing transport for this session - SSE listener requires existing session\n    const transport = await transportService.getTransporter('streamable-http', token, session.id);\n    if (!transport) {\n      this.respond(httpRespond.notFound('Session not found'));\n      return;\n    }\n\n    // Forward GET request to transport (opens SSE stream for server→client notifications)\n    await transport.handleRequest(request, response);\n    this.handled();\n  }\n}\n"]}

package/src/transport/legacy/legacy.sse.tranporter.d.ts

@@ -34,6 +34,8 @@ export declare class SSEServerTransport implements Transport {
     private _sseResponse?;
     private _sessionId;
     private _options;
+    /** Incrementing event ID counter for SSE events (MCP 2025-11-25 spec compliance) */
+    private _eventIdCounter;
     onclose?: () => void;
     onerror?: (error: Error) => void;
     onmessage?: (message: JSONRPCMessage, extra?: MessageExtraInfo) => void;
@@ -72,4 +74,11 @@ export declare class SSEServerTransport implements Transport {
      * This can be used to route incoming POST requests.
      */
     get sessionId(): string;
+    /**
+     * Returns the current event ID counter value.
+     *
+     * This is the ID that was used for the last sent event.
+     * Useful for testing and debugging reconnection scenarios.
+     */
+    get lastEventId(): number;
 }

package/src/transport/legacy/legacy.sse.tranporter.js

@@ -19,6 +19,8 @@ class SSEServerTransport {
     _sseResponse;
     _sessionId;
     _options;
+    /** Incrementing event ID counter for SSE events (MCP 2025-11-25 spec compliance) */
+    _eventIdCounter = 0;
     onclose;
     onerror;
     onmessage;
@@ -78,7 +80,9 @@ class SSEServerTransport {
         endpointUrl.searchParams.set('sessionId', this._sessionId);
         // Reconstruct the relative URL string (pathname + search + hash)
         const relativeUrlWithSession = endpointUrl.pathname + endpointUrl.search + endpointUrl.hash;
-        this.res.write(`event: endpoint\ndata: ${relativeUrlWithSession}\n\n`);
+        // Include event ID per MCP 2025-11-25 spec for client reconnection support
+        const eventId = ++this._eventIdCounter;
+        this.res.write(`id: ${eventId}\nevent: endpoint\ndata: ${relativeUrlWithSession}\n\n`);
         this._sseResponse = this.res;
         this.res.on('close', () => {
             this._sseResponse = undefined;
@@ -155,7 +159,9 @@ class SSEServerTransport {
         if (!this._sseResponse) {
             throw new Error('Not connected');
         }
-        this._sseResponse.write(`event: message\ndata: ${JSON.stringify(message)}\n\n`);
+        // Include event ID per MCP 2025-11-25 spec for client reconnection support
+        const eventId = ++this._eventIdCounter;
+        this._sseResponse.write(`id: ${eventId}\nevent: message\ndata: ${JSON.stringify(message)}\n\n`);
     }
     /**
      * Returns the session ID for this transport.
@@ -165,6 +171,15 @@ class SSEServerTransport {
     get sessionId() {
         return this._sessionId;
     }
+    /**
+     * Returns the current event ID counter value.
+     *
+     * This is the ID that was used for the last sent event.
+     * Useful for testing and debugging reconnection scenarios.
+     */
+    get lastEventId() {
+        return this._eventIdCounter;
+    }
 }
 exports.SSEServerTransport = SSEServerTransport;
 //# sourceMappingURL=legacy.sse.tranporter.js.map