@frontmcp/sdk 0.4.1 → 0.5.0

package/src/scope/flows/http.request.flow.js

@@ -4,10 +4,11 @@ exports.httpRequestStateSchema = void 0;
 const tslib_1 = require("tslib");
 const common_1 = require("../../common");
 const zod_1 = require("zod");
-const path_utils_1 = require("../../auth/path.utils");
 const session_verify_flow_1 = require("../../auth/flows/session.verify.flow");
 const plan = {
     pre: [
+        // request tracing
+        'traceRequest',
         // rate limiting / concurrency
         'acquireQuota',
         'acquireSemaphore',
@@ -21,6 +22,7 @@ const plan = {
         'handleStreamableHttp',
         'handleStatefulHttp',
         'handleStatelessHttp',
+        'handleDeleteSession',
     ],
     finalize: [
         // audit/metrics
@@ -31,7 +33,7 @@ const plan = {
         'releaseQuota',
         'finalize',
     ],
-    error: ['error'],
+    error: [],
 };
 exports.httpRequestStateSchema = zod_1.z.object({
     decision: common_1.decisionSchema,
@@ -42,106 +44,318 @@ const name = 'http:request';
 const { Stage } = (0, common_1.FlowHooksOf)('http:request');
 let HttpRequestFlow = class HttpRequestFlow extends common_1.FlowBase {
     logger = this.scope.logger.child('HttpRequestFlow');
+    requestStartTime = 0;
+    requestId = '';
     static canActivate(request, scope) {
-        const requestPath = (0, path_utils_1.normalizeEntryPrefix)(request.path);
-        const prefix = (0, path_utils_1.normalizeEntryPrefix)(scope.entryPath);
-        const scopePath = (0, path_utils_1.normalizeScopeBase)(scope.routeBase);
-        return requestPath === `${prefix}${scopePath}` || requestPath === `${prefix}${scopePath}/message`;
+        const requestPath = (0, common_1.normalizeEntryPrefix)(request.path);
+        const prefix = (0, common_1.normalizeEntryPrefix)(scope.entryPath);
+        const scopePath = (0, common_1.normalizeScopeBase)(scope.routeBase);
+        const basePath = `${prefix}${scopePath}`;
+        return (requestPath === basePath || // Modern transports: /
+            requestPath === `${basePath}/sse` || // Legacy SSE: /sse
+            requestPath === `${basePath}/message` // Legacy SSE: /message
+        );
+    }
+    async traceRequest() {
+        const { request } = this.rawInput;
+        this.requestStartTime = Date.now();
+        this.requestId = `req-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+        // Extract useful tracing info
+        const userAgent = request.headers?.['user-agent'];
+        const sessionId = request.headers?.['mcp-session-id'];
+        const contentType = request.headers?.['content-type'];
+        const accept = request.headers?.['accept'];
+        const body = request.body;
+        this.logger.info(`[${this.requestId}] ▶ ${request.method} ${request.path}`, {
+            requestId: this.requestId,
+            method: request.method,
+            path: request.path,
+            userAgent: userAgent?.slice(0, 50),
+            sessionId: sessionId?.slice(0, 20),
+            contentType,
+            accept,
+            hasBody: !!request.body,
+            bodyMethod: body?.['method'],
+        });
+        // Log sanitized headers for debugging connection issues
+        const headers = request.headers ?? {};
+        const sanitizedHeaders = Object.fromEntries(Object.entries(headers).map(([key, value]) => {
+            // Redact clearly sensitive headers
+            if (/^(authorization|proxy-authorization|cookie|set-cookie|x-api-key)$/i.test(key)) {
+                return [key, '[REDACTED]'];
+            }
+            // Truncate session identifiers instead of logging full values
+            if (key === 'mcp-session-id') {
+                return [key, String(value).slice(0, 8) + '...'];
+            }
+            return [key, value];
+        }));
+        this.logger.debug(`[${this.requestId}] HEADERS`, { headers: sanitizedHeaders });
     }
     async checkAuthorization() {
         const { request } = this.rawInput;
-        this.logger.info(`New request: ${request.method} ${request.path}`);
-        const result = await this.scope.runFlow('session:verify', { request });
-        if (!result) {
-            this.logger.error('failed to to verify session');
-            throw new Error('Session verification failed');
+        this.logger.verbose(`[${this.requestId}] checkAuthorization: verifying session`);
+        try {
+            const result = await this.scope.runFlow('session:verify', { request });
+            if (!result) {
+                this.logger.error(`[${this.requestId}] failed to verify session`);
+                throw new Error('Session verification failed');
+            }
+            this.state.set({
+                verifyResult: result,
+            });
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'checkAuthorization');
+            }
+            throw error;
         }
-        this.state.set({
-            verifyResult: result,
-        });
     }
     async router() {
-        const { request } = this.rawInput;
-        this.logger.verbose('check request decision');
-        const decision = (0, common_1.decideIntent)(request, {
-            enableLegacySSE: true,
-            enableSseListener: true,
-            enableStatelessHttp: false,
-            enableStatefulHttp: false,
-            enableStreamableHttp: true,
-            requireSessionForStreamable: true,
-            tolerateMissingAccept: true,
-        });
-        const { verifyResult } = this.state.required;
-        if (verifyResult.kind === 'authorized') {
-            const { authorization } = verifyResult;
-            request[common_1.ServerRequestTokens.auth] = authorization;
-            if (authorization.session) {
-                request[common_1.ServerRequestTokens.sessionId] = authorization.session.id;
-                const intent = authorization.session.payload.protocol;
-                this.logger.info(`decision from session: ${intent}`);
-                this.state.set('intent', intent);
+        try {
+            const { request } = this.rawInput;
+            this.logger.verbose(`[${this.requestId}] router: check request decision`);
+            // Use transport config directly from auth (already parsed with defaults by Zod)
+            const transport = this.scope.auth.transport;
+            const decision = (0, common_1.decideIntent)(request, { ...transport, tolerateMissingAccept: true });
+            // Handle DELETE method immediately - it's for session termination
+            // regardless of what protocol the session was created with
+            if (request.method.toUpperCase() === 'DELETE') {
+                this.logger.verbose(`[${this.requestId}] DELETE request, using decision intent: ${decision.intent}`);
+                if (decision.intent === 'unknown') {
+                    // DELETE without session ID - forward to next middleware
+                    // to allow custom DELETE handlers by developers
+                    this.logger.verbose(`[${this.requestId}] DELETE with unknown intent, forwarding to next middleware`);
+                    this.next();
+                    return;
+                }
+                this.state.set('intent', decision.intent);
                 return;
             }
-            if (decision.intent === 'unknown') {
-                // continue to other middleware
-                // with authentication (public/authorized routes)
-                this.logger.verbose(`decision is unknown, continue to next http middleware`);
-                this.next();
+            const { verifyResult } = this.state.required;
+            if (verifyResult.kind === 'authorized') {
+                const { authorization } = verifyResult;
+                request[common_1.ServerRequestTokens.auth] = authorization;
+                if (authorization.session) {
+                    const sessionId = authorization.session.id;
+                    request[common_1.ServerRequestTokens.sessionId] = sessionId;
+                    // Check if the session has been terminated (via DELETE)
+                    // Per MCP spec, requests to terminated sessions should return 404
+                    if (this.scope.notifications.isSessionTerminated(sessionId)) {
+                        this.logger.warn(`[${this.requestId}] Request to terminated session: ${sessionId.slice(0, 20)}...`);
+                        this.respond(common_1.httpRespond.notFound('Session not found'));
+                        return;
+                    }
+                    // Safely access payload.protocol with null check
+                    const protocol = authorization.session.payload?.protocol;
+                    if (protocol) {
+                        this.logger.info(`[${this.requestId}] decision from session: ${protocol}`);
+                        this.state.set('intent', protocol);
+                        return;
+                    }
+                }
+                if (decision.intent === 'unknown') {
+                    // continue to other middleware
+                    // with authentication (public/authorized routes)
+                    this.logger.verbose(`[${this.requestId}] decision is unknown, continue to next http middleware`);
+                    this.next();
+                    return; // Explicit return for clarity (this.next() throws FlowControl)
+                }
+                // register decision intent to state
+                // and move to next stage
+                this.logger.verbose(`[${this.requestId}] decision is request info: ${decision.intent}`);
+                this.state.set('intent', decision.intent);
+            }
+            else {
+                this.logger.verbose(`[${this.requestId}] not authorized request, check decision intent: ${decision.intent}`);
+                if (decision.intent === 'unknown') {
+                    this.logger.verbose(`[${this.requestId}] decision is unknown, continue to other public http middleware`);
+                    // continue to other middleware
+                    // without authentication (public routes)
+                    this.next();
+                    return; // Explicit return for clarity (this.next() throws FlowControl)
+                }
+                this.logger.warn(`[${this.requestId}] decision is ${decision.intent}, but not authorized, respond with 401`);
+                // if the decision is specific mcp transport and no auth
+                // then respond with 401
+                this.respond(common_1.httpRespond.unauthorized({
+                    headers: {
+                        'WWW-Authenticate': verifyResult.prmMetadataHeader,
+                    },
+                }));
             }
-            // register decision intent to state
-            // and move to next stage
-            this.logger.verbose(`decision is request info: ${decision.intent}`);
-            this.state.set('intent', decision.intent);
         }
-        else {
-            this.logger.verbose(`not authorized request, check decision intent: ${decision.intent}`);
-            if (decision.intent === 'unknown') {
-                this.logger.verbose(`decision is unknown, continue to other public http middleware`);
-                // continue to other middleware
-                // without authentication (public routes)
-                this.next();
-            }
-            this.logger.warn(`decision is ${decision.intent}, but not authorized, respond with 401`);
-            // if the decision is specific mcp transport and no auth
-            // then respond with 401
-            this.respond(common_1.httpRespond.unauthorized({
-                headers: {
-                    'WWW-Authenticate': verifyResult.prmMetadataHeader,
-                },
-            }));
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'router');
+            }
+            throw error;
         }
     }
     async handleLegacySse() {
-        const response = await this.scope.runFlow('handle:legacy-sse', this.rawInput);
-        if (response) {
-            this.respond(response);
+        try {
+            const response = await this.scope.runFlow('handle:legacy-sse', this.rawInput);
+            if (response) {
+                this.respond(response);
+            }
+            this.handled();
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'handleLegacySse');
+            }
+            throw error;
         }
-        this.handled();
     }
     async handleSse() {
-        const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);
-        if (response) {
-            this.respond(response);
+        try {
+            const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);
+            if (response) {
+                this.respond(response);
+            }
+            this.next();
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'handleSse');
+            }
+            throw error;
         }
-        this.next();
     }
     async handleStreamableHttp() {
-        const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);
-        if (response) {
-            this.respond(response);
+        try {
+            const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);
+            if (response) {
+                this.respond(response);
+            }
+            this.next();
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'handleStreamableHttp');
+            }
+            throw error;
         }
-        this.next();
     }
     async handleStatefulHttp() {
         // this.scope.runFlow('mcp:transport:stateful-http', this.rawInput);
         this.next();
     }
     async handleStatelessHttp() {
-        // this.scope.runFlow('mcp:transport:stateless-http', this.rawInput);
-        this.next();
+        try {
+            const response = await this.scope.runFlow('handle:stateless-http', this.rawInput);
+            if (response) {
+                this.respond(response);
+            }
+            this.handled();
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'handleStatelessHttp');
+            }
+            throw error;
+        }
+    }
+    async handleDeleteSession() {
+        try {
+            const { request } = this.rawInput;
+            // Headers are normalized to lowercase by the adapter
+            const sessionId = request[common_1.ServerRequestTokens.sessionId] ?? request.headers['mcp-session-id'];
+            if (!sessionId || typeof sessionId !== 'string') {
+                this.logger.warn(`[${this.requestId}] DELETE request without valid session ID`);
+                this.respond(common_1.httpRespond.rpcError('No valid session ID provided'));
+                return;
+            }
+            this.logger.info(`[${this.requestId}] DELETE session: ${sessionId}`);
+            // Terminate the session - this unregisters the server AND adds to terminated set
+            // This prevents future requests with this session ID from being accepted
+            const wasRegistered = this.scope.notifications.terminateSession(sessionId);
+            if (!wasRegistered) {
+                // Session not found - per MCP spec, return 404
+                // Note: We still added it to terminated set to prevent future use
+                this.logger.warn(`[${this.requestId}] Session not found for DELETE: ${sessionId}`);
+                this.respond(common_1.httpRespond.notFound('Session not found'));
+                return;
+            }
+            this.logger.info(`[${this.requestId}] Session terminated: ${sessionId}`);
+            this.respond(common_1.httpRespond.noContent());
+        }
+        catch (error) {
+            // FlowControl is expected control flow, not an error
+            if (!(error instanceof common_1.FlowControl)) {
+                this.logError(error, 'handleDeleteSession');
+            }
+            throw error;
+        }
+    }
+    async finalize() {
+        const { request } = this.rawInput;
+        const duration = Date.now() - this.requestStartTime;
+        const intent = this.state.get('intent') ?? 'unknown';
+        this.logger.info(`[${this.requestId}] ◀ ${request.method} ${request.path} completed in ${duration}ms`, {
+            requestId: this.requestId,
+            method: request.method,
+            path: request.path,
+            duration,
+            intent,
+        });
+    }
+    /**
+     * Log an error that occurred during request processing.
+     * Called from stage handlers that catch errors.
+     */
+    logError(error, context) {
+        const { request } = this.rawInput;
+        const duration = Date.now() - this.requestStartTime;
+        // Extract error details - handle various error shapes
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        const errorName = error instanceof Error ? error.name : 'UnknownError';
+        const errorStack = error instanceof Error ? error.stack : undefined;
+        const body = request.body;
+        // For errors with empty messages, try to extract more info
+        const errorCode = error?.code;
+        const errorCause = error?.cause;
+        // Log comprehensive error info including stack trace
+        this.logger.error(`[${this.requestId}] ✖ ${request.method} ${request.path} failed${context ? ` in ${context}` : ''} after ${duration}ms: ${errorMessage || '(no message)'}`, {
+            requestId: this.requestId,
+            method: request.method,
+            path: request.path,
+            duration,
+            context,
+            error: {
+                name: errorName,
+                message: errorMessage || '(no message)',
+                code: errorCode,
+                cause: errorCause instanceof Error ? errorCause.message : errorCause,
+                stack: errorStack,
+            },
+            request: {
+                userAgent: request.headers?.['user-agent']?.slice(0, 50),
+                sessionId: request.headers?.['mcp-session-id']?.slice(0, 20),
+                contentType: request.headers?.['content-type'],
+                bodyMethod: body?.['method'],
+                bodyId: body?.['id'],
+            },
+            state: {
+                intent: this.state.get('intent'),
+                hasVerifyResult: !!this.state.get('verifyResult'),
+            },
+        });
     }
 };
+tslib_1.__decorate([
+    Stage('traceRequest'),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HttpRequestFlow.prototype, "traceRequest", null);
 tslib_1.__decorate([
     Stage('checkAuthorization'),
     tslib_1.__metadata("design:type", Function),
@@ -156,7 +370,7 @@ tslib_1.__decorate([
 ], HttpRequestFlow.prototype, "router", null);
 tslib_1.__decorate([
     Stage('handleLegacySse', {
-        filter: ({ state: { required: { intent } } }) => intent === 'legacy-sse',
+        filter: ({ state: { required: { intent }, }, }) => intent === 'legacy-sse',
     }),
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
@@ -164,7 +378,7 @@ tslib_1.__decorate([
 ], HttpRequestFlow.prototype, "handleLegacySse", null);
 tslib_1.__decorate([
     Stage('handleSse', {
-        filter: ({ state: { required: { intent } } }) => intent === 'sse',
+        filter: ({ state: { required: { intent }, }, }) => intent === 'sse',
     }),
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
@@ -172,7 +386,7 @@ tslib_1.__decorate([
 ], HttpRequestFlow.prototype, "handleSse", null);
 tslib_1.__decorate([
     Stage('handleStreamableHttp', {
-        filter: ({ state: { required: { intent } } }) => intent === 'streamable-http',
+        filter: ({ state: { required: { intent }, }, }) => intent === 'streamable-http',
     }),
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
@@ -180,7 +394,7 @@ tslib_1.__decorate([
 ], HttpRequestFlow.prototype, "handleStreamableHttp", null);
 tslib_1.__decorate([
     Stage('handleStatefulHttp', {
-        filter: ({ state: { required: { intent } } }) => intent === 'stateful-http',
+        filter: ({ state: { required: { intent }, }, }) => intent === 'stateful-http',
     }),
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
@@ -188,12 +402,26 @@ tslib_1.__decorate([
 ], HttpRequestFlow.prototype, "handleStatefulHttp", null);
 tslib_1.__decorate([
     Stage('handleStatelessHttp', {
-        filter: ({ state: { required: { intent } } }) => intent === 'stateless-http',
+        filter: ({ state: { required: { intent }, }, }) => intent === 'stateless-http',
     }),
     tslib_1.__metadata("design:type", Function),
     tslib_1.__metadata("design:paramtypes", []),
     tslib_1.__metadata("design:returntype", Promise)
 ], HttpRequestFlow.prototype, "handleStatelessHttp", null);
+tslib_1.__decorate([
+    Stage('handleDeleteSession', {
+        filter: ({ state: { required: { intent }, }, }) => intent === 'delete-session',
+    }),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HttpRequestFlow.prototype, "handleDeleteSession", null);
+tslib_1.__decorate([
+    Stage('finalize'),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", []),
+    tslib_1.__metadata("design:returntype", Promise)
+], HttpRequestFlow.prototype, "finalize", null);
 HttpRequestFlow = tslib_1.__decorate([
     (0, common_1.Flow)({
         name,

package/src/scope/flows/http.request.flow.js.map

@@ -1 +1 @@
-{"version":3,"file":"http.request.flow.js","sourceRoot":"","sources":["../../../../src/scope/flows/http.request.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAMsB;AACtB,6BAAsB;AACtB,sDAA+E;AAC/E,8EAA+E;AAE/E,MAAM,IAAI,GAAG;IACX,GAAG,EAAE;QACH,8BAA8B;QAC9B,cAAc;QACd,kBAAkB;QAClB,oCAAoC;QACpC,oBAAoB;QACpB,QAAQ;KACT;IACD,OAAO,EAAE;QACP,iBAAiB;QACjB,WAAW;QACX,sBAAsB;QACtB,oBAAoB;QACpB,qBAAqB;KACtB;IACD,QAAQ,EAAE;QACR,gBAAgB;QAChB,OAAO;QACP,SAAS;QAET,UAAU;QACV,kBAAkB;QAClB,cAAc;QACd,UAAU;KACX;IACD,KAAK,EAAE,CAAC,OAAO,CAAC;CACmB,CAAC;AAGzB,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,QAAQ,EAAE,uBAAc;IACxB,MAAM,EAAE,qBAAY;IACpB,YAAY,EAAE,+CAAyB;CACxC,CAAC,CAAC;AAGH,MAAM,IAAI,GAAG,cAAuB,CAAC;AACrC,MAAM,EAAC,KAAK,EAAC,GAAG,IAAA,oBAAW,EAAC,cAAc,CAAC,CAAC;AAyB7B,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,iBAAqB;IAEhE,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAEpD,MAAM,CAAC,WAAW,CAAC,OAAsB,EAAE,KAAiB;QAC1D,MAAM,WAAW,GAAG,IAAA,iCAAoB,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,IAAA,iCAAoB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAA,+BAAkB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtD,OAAO,WAAW,KAAK,GAAG,MAAM,GAAG,SAAS,EAAE,IAAI,WAAW,KAAK,GAAG,MAAM,GAAG,SAAS,UAAU,CAAC;IACpG,CAAC;IAGK,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAEnE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAC,OAAO,EAAC,CAAC,CAAC;QACrE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACjD,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;YACb,YAAY,EAAE,MAAM;SACrB,CAAC,CAAC;IAEL,CAAC;IAIK,AAAN,KAAK,CAAC,MAAM;QACV,MAAM,EAAC,OAAO,EAAC,GAAG,IAAI,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC9C,MAAM,QAAQ,GAAG,IAAA,qBAAY,EAAC,OAAO,EAAE;YACrC,eAAe,EAAE,IAAI;YACrB,iBAAiB,EAAE,IAAI;YACvB,mBAAmB,EAAE,KAAK;YAC1B,kBAAkB,EAAE,KAAK;YACzB,oBAAoB,EAAE,IAAI;YAC1B,2BAA2B,EAAE,IAAI;YACjC,qBAAqB,EAAE,IAAI;SAC5B,CAAC,CAAC;QAEH,MAAM,EAAC,YAAY,EAAC,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC3C,IAAI,YAAY,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACvC,MAAM,EAAC,aAAa,EAAC,GAAG,YAAY,CAAC;YACrC,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC;YAClD,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;gBAC1B,OAAO,CAAC,4BAAmB,CAAC,SAAS,CAAC,GAAG,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;gBAElE,MAAM,MAAM,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC;gBACtD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,0BAA0B,MAAM,EAAE,CAAC,CAAC;gBACrD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBACjC,OAAO;YACT,CAAC;YAED,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAClC,+BAA+B;gBAC/B,iDAAiD;gBACjD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,uDAAuD,CAAC,CAAC;gBAC7E,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,CAAC;YAED,oCAAoC;YACpC,yBAAyB;YACzB,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,6BAA6B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACpE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC5C,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,kDAAkD,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;YACzF,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;gBAClC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,+DAA+D,CAAC,CAAC;gBACrF,+BAA+B;gBAC/B,yCAAyC;gBACzC,IAAI,CAAC,IAAI,EAAE,CAAC;YACd,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,QAAQ,CAAC,MAAM,wCAAwC,CAAC,CAAC;YACzF,wDAAwD;YACxD,wBAAwB;YACxB,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,YAAY,CAAC;gBACpC,OAAO,EAAE;oBACP,kBAAkB,EAAE,YAAY,CAAC,iBAAiB;iBACnD;aACF,CAAC,CAAC,CAAC;QACN,CAAC;IAEH,CAAC;IAOK,AAAN,KAAK,CAAC,eAAe;QACnB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC9E,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,CAAC,OAAO,EAAE,CAAC;IACjB,CAAC;IAKK,AAAN,KAAK,CAAC,SAAS;QACb,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,wBAAwB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAKK,AAAN,KAAK,CAAC,oBAAoB;QACxB,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,wBAAwB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;QACnF,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAKK,AAAN,KAAK,CAAC,kBAAkB;QACtB,oEAAoE;QACpE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IAKK,AAAN,KAAK,CAAC,mBAAmB;QACvB,qEAAqE;QACrE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;CAEF,CAAA;AA9HO;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;yDAc3B;AAIK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;6CAyDf;AAOK;IAJL,KAAK,CAAC,iBAAiB,EAAE;QACxB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,QAAQ,EAAE,EAAC,MAAM,EAAC,EAAC,EAAC,EAAE,EAAE,CACxC,MAAM,KAAK,YAAY;KAC1B,CAAC;;;;sDAOD;AAKK;IAHL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,QAAQ,EAAE,EAAC,MAAM,EAAC,EAAC,EAAC,EAAE,EAAE,CAAC,MAAM,KAAK,KAAK;KAC5D,CAAC;;;;gDAOD;AAKK;IAHL,KAAK,CAAC,sBAAsB,EAAE;QAC7B,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,QAAQ,EAAE,EAAC,MAAM,EAAC,EAAC,EAAC,EAAE,EAAE,CAAC,MAAM,KAAK,iBAAiB;KACxE,CAAC;;;;2DAOD;AAKK;IAHL,KAAK,CAAC,oBAAoB,EAAE;QAC3B,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,QAAQ,EAAE,EAAC,MAAM,EAAC,EAAC,EAAC,EAAE,EAAE,CAAC,MAAM,KAAK,eAAe;KACtE,CAAC;;;;yDAID;AAKK;IAHL,KAAK,CAAC,qBAAqB,EAAE;QAC5B,MAAM,EAAE,CAAC,EAAC,KAAK,EAAE,EAAC,QAAQ,EAAE,EAAC,MAAM,EAAC,EAAC,EAAC,EAAE,EAAE,CAAC,MAAM,KAAK,gBAAgB;KACvE,CAAC;;;;0DAID;AAxIkB,eAAe;IAVnC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;QAC9B,UAAU,EAAE;YACV,IAAI,EAAE,GAAG;SACV;KACF,CAAC;GACmB,eAAe,CA0InC;kBA1IoB,eAAe","sourcesContent":["import {\n  Flow, httpInputSchema, FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan, FlowBase, ScopeEntry, FlowHooksOf, ServerRequest, ServerRequestTokens,\n  httpRespond,\n  decideIntent, decisionSchema, intentSchema,\n} from '../../common';\nimport {z} from 'zod';\nimport {normalizeEntryPrefix, normalizeScopeBase} from '../../auth/path.utils';\nimport {sessionVerifyOutputSchema} from '../../auth/flows/session.verify.flow';\n\nconst plan = {\n  pre: [\n    // rate limiting / concurrency\n    'acquireQuota',\n    'acquireSemaphore',\n    // route request to the correct flow\n    'checkAuthorization',\n    'router',\n  ],\n  execute: [\n    'handleLegacySse',\n    'handleSse',\n    'handleStreamableHttp',\n    'handleStatefulHttp',\n    'handleStatelessHttp',\n  ],\n  finalize: [\n    // audit/metrics\n    'audit',\n    'metrics',\n\n    // cleanup\n    'releaseSemaphore',\n    'releaseQuota',\n    'finalize',\n  ],\n  error: ['error'],\n} as const satisfies FlowPlan<string>;\n\n\nexport const httpRequestStateSchema = z.object({\n  decision: decisionSchema,\n  intent: intentSchema,\n  verifyResult: sessionVerifyOutputSchema,\n});\n\n\nconst name = 'http:request' as const;\nconst {Stage} = FlowHooksOf('http:request');\n\ndeclare global {\n    interface ExtendFlows {\n      'http:request': FlowRunOptions<\n        HttpRequestFlow,\n        typeof plan,\n        typeof httpInputSchema,\n        typeof httpOutputSchema,\n        typeof httpRequestStateSchema\n      >;\n    }\n}\n\n\n@Flow({\n  name,\n  plan,\n  access: 'public',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n  middleware: {\n    path: '/',\n  },\n})\nexport default class HttpRequestFlow extends FlowBase<typeof name> {\n\n  logger = this.scope.logger.child('HttpRequestFlow');\n\n  static canActivate(request: ServerRequest, scope: ScopeEntry) {\n    const requestPath = normalizeEntryPrefix(request.path);\n    const prefix = normalizeEntryPrefix(scope.entryPath);\n    const scopePath = normalizeScopeBase(scope.routeBase);\n    return requestPath === `${prefix}${scopePath}` || requestPath === `${prefix}${scopePath}/message`;\n  }\n\n  @Stage('checkAuthorization')\n  async checkAuthorization() {\n    const {request} = this.rawInput;\n    this.logger.info(`New request: ${request.method} ${request.path}`);\n\n    const result = await this.scope.runFlow('session:verify', {request});\n    if (!result) {\n      this.logger.error('failed to to verify session');\n      throw new Error('Session verification failed');\n    }\n    this.state.set({\n      verifyResult: result,\n    });\n\n  }\n\n\n  @Stage('router')\n  async router() {\n    const {request} = this.rawInput;\n    this.logger.verbose('check request decision');\n    const decision = decideIntent(request, {\n      enableLegacySSE: true,\n      enableSseListener: true,\n      enableStatelessHttp: false,\n      enableStatefulHttp: false,\n      enableStreamableHttp: true,\n      requireSessionForStreamable: true,\n      tolerateMissingAccept: true,\n    });\n\n    const {verifyResult} = this.state.required;\n    if (verifyResult.kind === 'authorized') {\n      const {authorization} = verifyResult;\n      request[ServerRequestTokens.auth] = authorization;\n      if (authorization.session) {\n        request[ServerRequestTokens.sessionId] = authorization.session.id;\n\n        const intent = authorization.session.payload.protocol;\n        this.logger.info(`decision from session: ${intent}`);\n        this.state.set('intent', intent);\n        return;\n      }\n\n      if (decision.intent === 'unknown') {\n        // continue to other middleware\n        // with authentication (public/authorized routes)\n        this.logger.verbose(`decision is unknown, continue to next http middleware`);\n        this.next();\n      }\n\n      // register decision intent to state\n      // and move to next stage\n      this.logger.verbose(`decision is request info: ${decision.intent}`);\n      this.state.set('intent', decision.intent);\n    } else {\n      this.logger.verbose(`not authorized request, check decision intent: ${decision.intent}`);\n      if (decision.intent === 'unknown') {\n        this.logger.verbose(`decision is unknown, continue to other public http middleware`);\n        // continue to other middleware\n        // without authentication (public routes)\n        this.next();\n      }\n\n      this.logger.warn(`decision is ${decision.intent}, but not authorized, respond with 401`);\n      // if the decision is specific mcp transport and no auth\n      // then respond with 401\n      this.respond(httpRespond.unauthorized({\n        headers: {\n          'WWW-Authenticate': verifyResult.prmMetadataHeader,\n        },\n      }));\n    }\n\n  }\n\n\n  @Stage('handleLegacySse', {\n    filter: ({state: {required: {intent}}}) =>\n      intent === 'legacy-sse',\n  })\n  async handleLegacySse() {\n    const response = await this.scope.runFlow('handle:legacy-sse', this.rawInput);\n    if (response) {\n      this.respond(response);\n    }\n    this.handled();\n  }\n\n  @Stage('handleSse', {\n    filter: ({state: {required: {intent}}}) => intent === 'sse',\n  })\n  async handleSse() {\n    const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);\n    if (response) {\n      this.respond(response);\n    }\n    this.next();\n  }\n\n  @Stage('handleStreamableHttp', {\n    filter: ({state: {required: {intent}}}) => intent === 'streamable-http',\n  })\n  async handleStreamableHttp() {\n    const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);\n    if (response) {\n      this.respond(response);\n    }\n    this.next();\n  }\n\n  @Stage('handleStatefulHttp', {\n    filter: ({state: {required: {intent}}}) => intent === 'stateful-http',\n  })\n  async handleStatefulHttp() {\n    // this.scope.runFlow('mcp:transport:stateful-http', this.rawInput);\n    this.next();\n  }\n\n  @Stage('handleStatelessHttp', {\n    filter: ({state: {required: {intent}}}) => intent === 'stateless-http',\n  })\n  async handleStatelessHttp() {\n    // this.scope.runFlow('mcp:transport:stateless-http', this.rawInput);\n    this.next();\n  }\n\n}\n"]}
+{"version":3,"file":"http.request.flow.js","sourceRoot":"","sources":["../../../../src/scope/flows/http.request.flow.ts"],"names":[],"mappings":";;;;AAAA,yCAkBsB;AACtB,6BAAwB;AACxB,8EAAiF;AAEjF,MAAM,IAAI,GAAG;IACX,GAAG,EAAE;QACH,kBAAkB;QAClB,cAAc;QACd,8BAA8B;QAC9B,cAAc;QACd,kBAAkB;QAClB,oCAAoC;QACpC,oBAAoB;QACpB,QAAQ;KACT;IACD,OAAO,EAAE;QACP,iBAAiB;QACjB,WAAW;QACX,sBAAsB;QACtB,oBAAoB;QACpB,qBAAqB;QACrB,qBAAqB;KACtB;IACD,QAAQ,EAAE;QACR,gBAAgB;QAChB,OAAO;QACP,SAAS;QAET,UAAU;QACV,kBAAkB;QAClB,cAAc;QACd,UAAU;KACX;IACD,KAAK,EAAE,EAAE;CAC0B,CAAC;AAEzB,QAAA,sBAAsB,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7C,QAAQ,EAAE,uBAAc;IACxB,MAAM,EAAE,qBAAY;IACpB,YAAY,EAAE,+CAAyB;CACxC,CAAC,CAAC;AAEH,MAAM,IAAI,GAAG,cAAuB,CAAC;AACrC,MAAM,EAAE,KAAK,EAAE,GAAG,IAAA,oBAAW,EAAC,cAAc,CAAC,CAAC;AAwB/B,IAAM,eAAe,GAArB,MAAM,eAAgB,SAAQ,iBAAqB;IAChE,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IAC5C,gBAAgB,GAAG,CAAC,CAAC;IACrB,SAAS,GAAG,EAAE,CAAC;IAEvB,MAAM,CAAC,WAAW,CAAC,OAAsB,EAAE,KAAiB;QAC1D,MAAM,WAAW,GAAG,IAAA,6BAAoB,EAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACvD,MAAM,MAAM,GAAG,IAAA,6BAAoB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAA,2BAAkB,EAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,QAAQ,GAAG,GAAG,MAAM,GAAG,SAAS,EAAE,CAAC;QAEzC,OAAO,CACL,WAAW,KAAK,QAAQ,IAAI,uBAAuB;YACnD,WAAW,KAAK,GAAG,QAAQ,MAAM,IAAI,mBAAmB;YACxD,WAAW,KAAK,GAAG,QAAQ,UAAU,CAAC,uBAAuB;SAC9D,CAAC;IACJ,CAAC;IAGK,AAAN,KAAK,CAAC,YAAY;QAChB,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,OAAO,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;QAE/E,8BAA8B;QAC9B,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAuB,CAAC;QACxE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAuB,CAAC;QAC5E,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,cAAc,CAAuB,CAAC;QAC5E,MAAM,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,QAAQ,CAAuB,CAAC;QAEjE,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;QACjE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,OAAO,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,EAAE,EAAE;YAC1E,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClC,SAAS,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;YAClC,WAAW;YACX,MAAM;YACN,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI;YACvB,UAAU,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;SAC7B,CAAC,CAAC;QAEH,wDAAwD;QACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;QACtC,MAAM,gBAAgB,GAAG,MAAM,CAAC,WAAW,CACzC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE;YAC3C,mCAAmC;YACnC,IAAI,oEAAoE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnF,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;YAC7B,CAAC;YACD,8DAA8D;YAC9D,IAAI,GAAG,KAAK,gBAAgB,EAAE,CAAC;gBAC7B,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,CAAC;YAClD,CAAC;YACD,OAAO,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACtB,CAAC,CAAC,CACH,CAAC;QACF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,SAAS,WAAW,EAAE,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAClF,CAAC;IAGK,AAAN,KAAK,CAAC,kBAAkB;QACtB,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,yCAAyC,CAAC,CAAC;QAEjF,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,gBAAgB,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;YACvE,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,SAAS,4BAA4B,CAAC,CAAC;gBAClE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;YACjD,CAAC;YACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC;gBACb,YAAY,EAAE,MAAM;aACrB,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,oBAAoB,CAAC,CAAC;YAC7C,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,MAAM;QACV,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;YAClC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,kCAAkC,CAAC,CAAC;YAE1E,gFAAgF;YAChF,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC;YAC5C,MAAM,QAAQ,GAAG,IAAA,qBAAY,EAAC,OAAO,EAAE,EAAE,GAAG,SAAS,EAAE,qBAAqB,EAAE,IAAI,EAAE,CAAC,CAAC;YAEtF,kEAAkE;YAClE,2DAA2D;YAC3D,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,EAAE,CAAC;gBAC9C,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBACrG,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBAClC,yDAAyD;oBACzD,gDAAgD;oBAChD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,6DAA6D,CAAC,CAAC;oBACrG,IAAI,CAAC,IAAI,EAAE,CAAC;oBACZ,OAAO;gBACT,CAAC;gBACD,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAC1C,OAAO;YACT,CAAC;YAED,MAAM,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC;YAC7C,IAAI,YAAY,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBACvC,MAAM,EAAE,aAAa,EAAE,GAAG,YAAY,CAAC;gBACvC,OAAO,CAAC,4BAAmB,CAAC,IAAI,CAAC,GAAG,aAAa,CAAC;gBAClD,IAAI,aAAa,CAAC,OAAO,EAAE,CAAC;oBAC1B,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3C,OAAO,CAAC,4BAAmB,CAAC,SAAS,CAAC,GAAG,SAAS,CAAC;oBAEnD,wDAAwD;oBACxD,kEAAkE;oBAClE,IAAI,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,mBAAmB,CAAC,SAAS,CAAC,EAAE,CAAC;wBAC5D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,oCAAoC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;wBACpG,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;wBACxD,OAAO;oBACT,CAAC;oBAED,iDAAiD;oBACjD,MAAM,QAAQ,GAAG,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC;oBACzD,IAAI,QAAQ,EAAE,CAAC;wBACb,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,4BAA4B,QAAQ,EAAE,CAAC,CAAC;wBAC3E,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;wBACnC,OAAO;oBACT,CAAC;gBACH,CAAC;gBAED,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBAClC,+BAA+B;oBAC/B,iDAAiD;oBACjD,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,yDAAyD,CAAC,CAAC;oBACjG,IAAI,CAAC,IAAI,EAAE,CAAC;oBACZ,OAAO,CAAC,+DAA+D;gBACzE,CAAC;gBAED,oCAAoC;gBACpC,yBAAyB;gBACzB,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,+BAA+B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBACxF,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;YAC5C,CAAC;iBAAM,CAAC;gBACN,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,oDAAoD,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;gBAC7G,IAAI,QAAQ,CAAC,MAAM,KAAK,SAAS,EAAE,CAAC;oBAClC,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,IAAI,CAAC,SAAS,iEAAiE,CAAC,CAAC;oBACzG,+BAA+B;oBAC/B,yCAAyC;oBACzC,IAAI,CAAC,IAAI,EAAE,CAAC;oBACZ,OAAO,CAAC,+DAA+D;gBACzE,CAAC;gBAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,iBAAiB,QAAQ,CAAC,MAAM,wCAAwC,CAAC,CAAC;gBAC7G,wDAAwD;gBACxD,wBAAwB;gBACxB,IAAI,CAAC,OAAO,CACV,oBAAW,CAAC,YAAY,CAAC;oBACvB,OAAO,EAAE;wBACP,kBAAkB,EAAE,YAAY,CAAC,iBAAiB;qBACnD;iBACF,CAAC,CACH,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;YACjC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IASK,AAAN,KAAK,CAAC,eAAe;QACnB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,mBAAmB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC9E,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,iBAAiB,CAAC,CAAC;YAC1C,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IASK,AAAN,KAAK,CAAC,SAAS;QACb,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,wBAAwB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YACnF,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;YACpC,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IASK,AAAN,KAAK,CAAC,oBAAoB;QACxB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,wBAAwB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YACnF,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,sBAAsB,CAAC,CAAC;YAC/C,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IASK,AAAN,KAAK,CAAC,kBAAkB;QACtB,oEAAoE;QACpE,IAAI,CAAC,IAAI,EAAE,CAAC;IACd,CAAC;IASK,AAAN,KAAK,CAAC,mBAAmB;QACvB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,uBAAuB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;YAClF,IAAI,QAAQ,EAAE,CAAC;gBACb,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;YACD,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;YAC9C,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IASK,AAAN,KAAK,CAAC,mBAAmB;QACvB,IAAI,CAAC;YACH,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;YAClC,qDAAqD;YACrD,MAAM,SAAS,GAAG,OAAO,CAAC,4BAAmB,CAAC,SAAS,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;YAE9F,IAAI,CAAC,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAChD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,2CAA2C,CAAC,CAAC;gBAChF,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,8BAA8B,CAAC,CAAC,CAAC;gBACnE,OAAO;YACT,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,qBAAqB,SAAS,EAAE,CAAC,CAAC;YAErE,iFAAiF;YACjF,yEAAyE;YACzE,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAE3E,IAAI,CAAC,aAAa,EAAE,CAAC;gBACnB,+CAA+C;gBAC/C,kEAAkE;gBAClE,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,mCAAmC,SAAS,EAAE,CAAC,CAAC;gBACnF,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC;gBACxD,OAAO;YACT,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,yBAAyB,SAAS,EAAE,CAAC,CAAC;YACzE,IAAI,CAAC,OAAO,CAAC,oBAAW,CAAC,SAAS,EAAE,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,qDAAqD;YACrD,IAAI,CAAC,CAAC,KAAK,YAAY,oBAAW,CAAC,EAAE,CAAC;gBACpC,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE,qBAAqB,CAAC,CAAC;YAC9C,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAGK,AAAN,KAAK,CAAC,QAAQ;QACZ,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB,CAAC;QACpD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC;QAErD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,SAAS,OAAO,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,iBAAiB,QAAQ,IAAI,EAAE;YACrG,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ;YACR,MAAM;SACP,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACK,QAAQ,CAAC,KAAc,EAAE,OAAgB;QAC/C,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC,QAAQ,CAAC;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,gBAAgB,CAAC;QAEpD,sDAAsD;QACtD,MAAM,YAAY,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAC5E,MAAM,SAAS,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC;QACvE,MAAM,UAAU,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;QACpE,MAAM,IAAI,GAAG,OAAO,CAAC,IAA2C,CAAC;QAEjE,2DAA2D;QAC3D,MAAM,SAAS,GAAI,KAAoC,EAAE,IAAI,CAAC;QAC9D,MAAM,UAAU,GAAI,KAA6B,EAAE,KAAK,CAAC;QAEzD,qDAAqD;QACrD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,IAAI,IAAI,CAAC,SAAS,OAAO,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,UACrD,OAAO,CAAC,CAAC,CAAC,OAAO,OAAO,EAAE,CAAC,CAAC,CAAC,EAC/B,UAAU,QAAQ,OAAO,YAAY,IAAI,cAAc,EAAE,EACzD;YACE,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ;YACR,OAAO;YACP,KAAK,EAAE;gBACL,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,YAAY,IAAI,cAAc;gBACvC,IAAI,EAAE,SAAS;gBACf,KAAK,EAAE,UAAU,YAAY,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,UAAU;gBACpE,KAAK,EAAE,UAAU;aAClB;YACD,OAAO,EAAE;gBACP,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,YAAY,CAAY,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;gBACpE,SAAS,EAAG,OAAO,CAAC,OAAO,EAAE,CAAC,gBAAgB,CAAY,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;gBACxE,WAAW,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,cAAc,CAAC;gBAC9C,UAAU,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC;gBAC5B,MAAM,EAAE,IAAI,EAAE,CAAC,IAAI,CAAC;aACrB;YACD,KAAK,EAAE;gBACL,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAChC,eAAe,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC;aAClD;SACF,CACF,CAAC;IACJ,CAAC;CACF,CAAA;AAlXO;IADL,KAAK,CAAC,cAAc,CAAC;;;;mDAyCrB;AAGK;IADL,KAAK,CAAC,oBAAoB,CAAC;;;;yDAqB3B;AAGK;IADL,KAAK,CAAC,QAAQ,CAAC;;;;6CA0Ff;AASK;IAPL,KAAK,CAAC,iBAAiB,EAAE;QACxB,MAAM,EAAE,CAAC,EACP,KAAK,EAAE,EACL,QAAQ,EAAE,EAAE,MAAM,EAAE,GACrB,GACF,EAAE,EAAE,CAAC,MAAM,KAAK,YAAY;KAC9B,CAAC;;;;sDAeD;AASK;IAPL,KAAK,CAAC,WAAW,EAAE;QAClB,MAAM,EAAE,CAAC,EACP,KAAK,EAAE,EACL,QAAQ,EAAE,EAAE,MAAM,EAAE,GACrB,GACF,EAAE,EAAE,CAAC,MAAM,KAAK,KAAK;KACvB,CAAC;;;;gDAeD;AASK;IAPL,KAAK,CAAC,sBAAsB,EAAE;QAC7B,MAAM,EAAE,CAAC,EACP,KAAK,EAAE,EACL,QAAQ,EAAE,EAAE,MAAM,EAAE,GACrB,GACF,EAAE,EAAE,CAAC,MAAM,KAAK,iBAAiB;KACnC,CAAC;;;;2DAeD;AASK;IAPL,KAAK,CAAC,oBAAoB,EAAE;QAC3B,MAAM,EAAE,CAAC,EACP,KAAK,EAAE,EACL,QAAQ,EAAE,EAAE,MAAM,EAAE,GACrB,GACF,EAAE,EAAE,CAAC,MAAM,KAAK,eAAe;KACjC,CAAC;;;;yDAID;AASK;IAPL,KAAK,CAAC,qBAAqB,EAAE;QAC5B,MAAM,EAAE,CAAC,EACP,KAAK,EAAE,EACL,QAAQ,EAAE,EAAE,MAAM,EAAE,GACrB,GACF,EAAE,EAAE,CAAC,MAAM,KAAK,gBAAgB;KAClC,CAAC;;;;0DAeD;AASK;IAPL,KAAK,CAAC,qBAAqB,EAAE;QAC5B,MAAM,EAAE,CAAC,EACP,KAAK,EAAE,EACL,QAAQ,EAAE,EAAE,MAAM,EAAE,GACrB,GACF,EAAE,EAAE,CAAC,MAAM,KAAK,gBAAgB;KAClC,CAAC;;;;0DAoCD;AAGK;IADL,KAAK,CAAC,UAAU,CAAC;;;;+CAajB;AAjVkB,eAAe;IAVnC,IAAA,aAAI,EAAC;QACJ,IAAI;QACJ,IAAI;QACJ,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,wBAAe;QAC5B,YAAY,EAAE,yBAAgB;QAC9B,UAAU,EAAE;YACV,IAAI,EAAE,GAAG;SACV;KACF,CAAC;GACmB,eAAe,CAqYnC;kBArYoB,eAAe","sourcesContent":["import {\n  Flow,\n  httpInputSchema,\n  FlowRunOptions,\n  httpOutputSchema,\n  FlowPlan,\n  FlowBase,\n  ScopeEntry,\n  FlowHooksOf,\n  ServerRequest,\n  ServerRequestTokens,\n  httpRespond,\n  decideIntent,\n  decisionSchema,\n  intentSchema,\n  normalizeEntryPrefix,\n  normalizeScopeBase,\n  FlowControl,\n} from '../../common';\nimport { z } from 'zod';\nimport { sessionVerifyOutputSchema } from '../../auth/flows/session.verify.flow';\n\nconst plan = {\n  pre: [\n    // request tracing\n    'traceRequest',\n    // rate limiting / concurrency\n    'acquireQuota',\n    'acquireSemaphore',\n    // route request to the correct flow\n    'checkAuthorization',\n    'router',\n  ],\n  execute: [\n    'handleLegacySse',\n    'handleSse',\n    'handleStreamableHttp',\n    'handleStatefulHttp',\n    'handleStatelessHttp',\n    'handleDeleteSession',\n  ],\n  finalize: [\n    // audit/metrics\n    'audit',\n    'metrics',\n\n    // cleanup\n    'releaseSemaphore',\n    'releaseQuota',\n    'finalize',\n  ],\n  error: [],\n} as const satisfies FlowPlan<string>;\n\nexport const httpRequestStateSchema = z.object({\n  decision: decisionSchema,\n  intent: intentSchema,\n  verifyResult: sessionVerifyOutputSchema,\n});\n\nconst name = 'http:request' as const;\nconst { Stage } = FlowHooksOf('http:request');\n\ndeclare global {\n  interface ExtendFlows {\n    'http:request': FlowRunOptions<\n      HttpRequestFlow,\n      typeof plan,\n      typeof httpInputSchema,\n      typeof httpOutputSchema,\n      typeof httpRequestStateSchema\n    >;\n  }\n}\n\n@Flow({\n  name,\n  plan,\n  access: 'public',\n  inputSchema: httpInputSchema,\n  outputSchema: httpOutputSchema,\n  middleware: {\n    path: '/',\n  },\n})\nexport default class HttpRequestFlow extends FlowBase<typeof name> {\n  logger = this.scope.logger.child('HttpRequestFlow');\n  private requestStartTime = 0;\n  private requestId = '';\n\n  static canActivate(request: ServerRequest, scope: ScopeEntry) {\n    const requestPath = normalizeEntryPrefix(request.path);\n    const prefix = normalizeEntryPrefix(scope.entryPath);\n    const scopePath = normalizeScopeBase(scope.routeBase);\n    const basePath = `${prefix}${scopePath}`;\n\n    return (\n      requestPath === basePath || // Modern transports: /\n      requestPath === `${basePath}/sse` || // Legacy SSE: /sse\n      requestPath === `${basePath}/message` // Legacy SSE: /message\n    );\n  }\n\n  @Stage('traceRequest')\n  async traceRequest() {\n    const { request } = this.rawInput;\n    this.requestStartTime = Date.now();\n    this.requestId = `req-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;\n\n    // Extract useful tracing info\n    const userAgent = request.headers?.['user-agent'] as string | undefined;\n    const sessionId = request.headers?.['mcp-session-id'] as string | undefined;\n    const contentType = request.headers?.['content-type'] as string | undefined;\n    const accept = request.headers?.['accept'] as string | undefined;\n\n    const body = request.body as Record<string, unknown> | undefined;\n    this.logger.info(`[${this.requestId}] ▶ ${request.method} ${request.path}`, {\n      requestId: this.requestId,\n      method: request.method,\n      path: request.path,\n      userAgent: userAgent?.slice(0, 50),\n      sessionId: sessionId?.slice(0, 20),\n      contentType,\n      accept,\n      hasBody: !!request.body,\n      bodyMethod: body?.['method'],\n    });\n\n    // Log sanitized headers for debugging connection issues\n    const headers = request.headers ?? {};\n    const sanitizedHeaders = Object.fromEntries(\n      Object.entries(headers).map(([key, value]) => {\n        // Redact clearly sensitive headers\n        if (/^(authorization|proxy-authorization|cookie|set-cookie|x-api-key)$/i.test(key)) {\n          return [key, '[REDACTED]'];\n        }\n        // Truncate session identifiers instead of logging full values\n        if (key === 'mcp-session-id') {\n          return [key, String(value).slice(0, 8) + '...'];\n        }\n        return [key, value];\n      }),\n    );\n    this.logger.debug(`[${this.requestId}] HEADERS`, { headers: sanitizedHeaders });\n  }\n\n  @Stage('checkAuthorization')\n  async checkAuthorization() {\n    const { request } = this.rawInput;\n    this.logger.verbose(`[${this.requestId}] checkAuthorization: verifying session`);\n\n    try {\n      const result = await this.scope.runFlow('session:verify', { request });\n      if (!result) {\n        this.logger.error(`[${this.requestId}] failed to verify session`);\n        throw new Error('Session verification failed');\n      }\n      this.state.set({\n        verifyResult: result,\n      });\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'checkAuthorization');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('router')\n  async router() {\n    try {\n      const { request } = this.rawInput;\n      this.logger.verbose(`[${this.requestId}] router: check request decision`);\n\n      // Use transport config directly from auth (already parsed with defaults by Zod)\n      const transport = this.scope.auth.transport;\n      const decision = decideIntent(request, { ...transport, tolerateMissingAccept: true });\n\n      // Handle DELETE method immediately - it's for session termination\n      // regardless of what protocol the session was created with\n      if (request.method.toUpperCase() === 'DELETE') {\n        this.logger.verbose(`[${this.requestId}] DELETE request, using decision intent: ${decision.intent}`);\n        if (decision.intent === 'unknown') {\n          // DELETE without session ID - forward to next middleware\n          // to allow custom DELETE handlers by developers\n          this.logger.verbose(`[${this.requestId}] DELETE with unknown intent, forwarding to next middleware`);\n          this.next();\n          return;\n        }\n        this.state.set('intent', decision.intent);\n        return;\n      }\n\n      const { verifyResult } = this.state.required;\n      if (verifyResult.kind === 'authorized') {\n        const { authorization } = verifyResult;\n        request[ServerRequestTokens.auth] = authorization;\n        if (authorization.session) {\n          const sessionId = authorization.session.id;\n          request[ServerRequestTokens.sessionId] = sessionId;\n\n          // Check if the session has been terminated (via DELETE)\n          // Per MCP spec, requests to terminated sessions should return 404\n          if (this.scope.notifications.isSessionTerminated(sessionId)) {\n            this.logger.warn(`[${this.requestId}] Request to terminated session: ${sessionId.slice(0, 20)}...`);\n            this.respond(httpRespond.notFound('Session not found'));\n            return;\n          }\n\n          // Safely access payload.protocol with null check\n          const protocol = authorization.session.payload?.protocol;\n          if (protocol) {\n            this.logger.info(`[${this.requestId}] decision from session: ${protocol}`);\n            this.state.set('intent', protocol);\n            return;\n          }\n        }\n\n        if (decision.intent === 'unknown') {\n          // continue to other middleware\n          // with authentication (public/authorized routes)\n          this.logger.verbose(`[${this.requestId}] decision is unknown, continue to next http middleware`);\n          this.next();\n          return; // Explicit return for clarity (this.next() throws FlowControl)\n        }\n\n        // register decision intent to state\n        // and move to next stage\n        this.logger.verbose(`[${this.requestId}] decision is request info: ${decision.intent}`);\n        this.state.set('intent', decision.intent);\n      } else {\n        this.logger.verbose(`[${this.requestId}] not authorized request, check decision intent: ${decision.intent}`);\n        if (decision.intent === 'unknown') {\n          this.logger.verbose(`[${this.requestId}] decision is unknown, continue to other public http middleware`);\n          // continue to other middleware\n          // without authentication (public routes)\n          this.next();\n          return; // Explicit return for clarity (this.next() throws FlowControl)\n        }\n\n        this.logger.warn(`[${this.requestId}] decision is ${decision.intent}, but not authorized, respond with 401`);\n        // if the decision is specific mcp transport and no auth\n        // then respond with 401\n        this.respond(\n          httpRespond.unauthorized({\n            headers: {\n              'WWW-Authenticate': verifyResult.prmMetadataHeader,\n            },\n          }),\n        );\n      }\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'router');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('handleLegacySse', {\n    filter: ({\n      state: {\n        required: { intent },\n      },\n    }) => intent === 'legacy-sse',\n  })\n  async handleLegacySse() {\n    try {\n      const response = await this.scope.runFlow('handle:legacy-sse', this.rawInput);\n      if (response) {\n        this.respond(response);\n      }\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'handleLegacySse');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('handleSse', {\n    filter: ({\n      state: {\n        required: { intent },\n      },\n    }) => intent === 'sse',\n  })\n  async handleSse() {\n    try {\n      const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);\n      if (response) {\n        this.respond(response);\n      }\n      this.next();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'handleSse');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('handleStreamableHttp', {\n    filter: ({\n      state: {\n        required: { intent },\n      },\n    }) => intent === 'streamable-http',\n  })\n  async handleStreamableHttp() {\n    try {\n      const response = await this.scope.runFlow('handle:streamable-http', this.rawInput);\n      if (response) {\n        this.respond(response);\n      }\n      this.next();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'handleStreamableHttp');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('handleStatefulHttp', {\n    filter: ({\n      state: {\n        required: { intent },\n      },\n    }) => intent === 'stateful-http',\n  })\n  async handleStatefulHttp() {\n    // this.scope.runFlow('mcp:transport:stateful-http', this.rawInput);\n    this.next();\n  }\n\n  @Stage('handleStatelessHttp', {\n    filter: ({\n      state: {\n        required: { intent },\n      },\n    }) => intent === 'stateless-http',\n  })\n  async handleStatelessHttp() {\n    try {\n      const response = await this.scope.runFlow('handle:stateless-http', this.rawInput);\n      if (response) {\n        this.respond(response);\n      }\n      this.handled();\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'handleStatelessHttp');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('handleDeleteSession', {\n    filter: ({\n      state: {\n        required: { intent },\n      },\n    }) => intent === 'delete-session',\n  })\n  async handleDeleteSession() {\n    try {\n      const { request } = this.rawInput;\n      // Headers are normalized to lowercase by the adapter\n      const sessionId = request[ServerRequestTokens.sessionId] ?? request.headers['mcp-session-id'];\n\n      if (!sessionId || typeof sessionId !== 'string') {\n        this.logger.warn(`[${this.requestId}] DELETE request without valid session ID`);\n        this.respond(httpRespond.rpcError('No valid session ID provided'));\n        return;\n      }\n\n      this.logger.info(`[${this.requestId}] DELETE session: ${sessionId}`);\n\n      // Terminate the session - this unregisters the server AND adds to terminated set\n      // This prevents future requests with this session ID from being accepted\n      const wasRegistered = this.scope.notifications.terminateSession(sessionId);\n\n      if (!wasRegistered) {\n        // Session not found - per MCP spec, return 404\n        // Note: We still added it to terminated set to prevent future use\n        this.logger.warn(`[${this.requestId}] Session not found for DELETE: ${sessionId}`);\n        this.respond(httpRespond.notFound('Session not found'));\n        return;\n      }\n\n      this.logger.info(`[${this.requestId}] Session terminated: ${sessionId}`);\n      this.respond(httpRespond.noContent());\n    } catch (error) {\n      // FlowControl is expected control flow, not an error\n      if (!(error instanceof FlowControl)) {\n        this.logError(error, 'handleDeleteSession');\n      }\n      throw error;\n    }\n  }\n\n  @Stage('finalize')\n  async finalize() {\n    const { request } = this.rawInput;\n    const duration = Date.now() - this.requestStartTime;\n    const intent = this.state.get('intent') ?? 'unknown';\n\n    this.logger.info(`[${this.requestId}] ◀ ${request.method} ${request.path} completed in ${duration}ms`, {\n      requestId: this.requestId,\n      method: request.method,\n      path: request.path,\n      duration,\n      intent,\n    });\n  }\n\n  /**\n   * Log an error that occurred during request processing.\n   * Called from stage handlers that catch errors.\n   */\n  private logError(error: unknown, context?: string) {\n    const { request } = this.rawInput;\n    const duration = Date.now() - this.requestStartTime;\n\n    // Extract error details - handle various error shapes\n    const errorMessage = error instanceof Error ? error.message : String(error);\n    const errorName = error instanceof Error ? error.name : 'UnknownError';\n    const errorStack = error instanceof Error ? error.stack : undefined;\n    const body = request.body as Record<string, unknown> | undefined;\n\n    // For errors with empty messages, try to extract more info\n    const errorCode = (error as { code?: string | number })?.code;\n    const errorCause = (error as { cause?: unknown })?.cause;\n\n    // Log comprehensive error info including stack trace\n    this.logger.error(\n      `[${this.requestId}] ✖ ${request.method} ${request.path} failed${\n        context ? ` in ${context}` : ''\n      } after ${duration}ms: ${errorMessage || '(no message)'}`,\n      {\n        requestId: this.requestId,\n        method: request.method,\n        path: request.path,\n        duration,\n        context,\n        error: {\n          name: errorName,\n          message: errorMessage || '(no message)',\n          code: errorCode,\n          cause: errorCause instanceof Error ? errorCause.message : errorCause,\n          stack: errorStack,\n        },\n        request: {\n          userAgent: (request.headers?.['user-agent'] as string)?.slice(0, 50),\n          sessionId: (request.headers?.['mcp-session-id'] as string)?.slice(0, 20),\n          contentType: request.headers?.['content-type'],\n          bodyMethod: body?.['method'],\n          bodyId: body?.['id'],\n        },\n        state: {\n          intent: this.state.get('intent'),\n          hasVerifyResult: !!this.state.get('verifyResult'),\n        },\n      },\n    );\n  }\n}\n"]}

package/src/scope/scope.instance.d.ts

@@ -5,6 +5,10 @@ import ProviderRegistry from '../provider/provider.registry';
 import { AuthRegistry } from '../auth/auth.registry';
 import { TransportService } from '../transport/transport.registry';
 import ToolRegistry from '../tool/tool.registry';
+import ResourceRegistry from '../resource/resource.registry';
+import PromptRegistry from '../prompt/prompt.registry';
+import { NotificationService } from '../notification';
+import { ToolUIRegistry } from '../tool/ui';
 export declare class Scope extends ScopeEntry {
     readonly id: string;
     private readonly globalProviders;
@@ -15,7 +19,11 @@ export declare class Scope extends ScopeEntry {
     private scopeApps;
     private scopeHooks;
     private scopeTools;
+    private scopeResources;
+    private scopePrompts;
     transportService: TransportService;
+    notificationService: NotificationService;
+    private toolUIRegistry;
     readonly entryPath: string;
     readonly routeBase: string;
     readonly orchestrated: boolean;
@@ -29,6 +37,10 @@ export declare class Scope extends ScopeEntry {
     get providers(): ProviderRegistry;
     get apps(): AppRegistry;
     get tools(): ToolRegistry;
+    get toolUI(): ToolUIRegistry;
+    get resources(): ResourceRegistry;
+    get prompts(): PromptRegistry;
+    get notifications(): NotificationService;
     registryFlows(...flows: FlowType[]): Promise<void>;
     runFlow<Name extends FlowName>(name: Name, input: FlowInputOf<Name>, deps?: Map<Token, Type>): Promise<FlowOutputOf<Name> | undefined>;
     runFlowForOutput<Name extends FlowName>(name: Name, input: FlowInputOf<Name>, deps?: Map<Token, Type>): Promise<FlowOutputOf<Name>>;